Squashed 'lib/mbedtls/external/mbedtls/' content from commit 2ca6c285a0dd
git-subtree-dir: lib/mbedtls/external/mbedtls
git-subtree-split: 2ca6c285a0dd3f33982dd57299012dacab1ff206
diff --git a/library/.gitignore b/library/.gitignore
new file mode 100644
index 0000000..3351e8b
--- /dev/null
+++ b/library/.gitignore
@@ -0,0 +1,11 @@
+libmbed*
+*.sln
+*.vcxproj
+
+####START_COMMENTED_GENERATED_FILES###
+#/error.c
+#/version_features.c
+#/ssl_debug_helpers_generated.c
+#/psa_crypto_driver_wrappers.h
+#/psa_crypto_driver_wrappers_no_static.c
+####END_COMMENTED_GENERATED_FILES###
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
new file mode 100644
index 0000000..e6705de
--- /dev/null
+++ b/library/CMakeLists.txt
@@ -0,0 +1,357 @@
+option(USE_STATIC_MBEDTLS_LIBRARY "Build Mbed TLS static library." ON)
+option(USE_SHARED_MBEDTLS_LIBRARY "Build Mbed TLS shared library." OFF)
+option(LINK_WITH_PTHREAD "Explicitly link Mbed TLS library to pthread." OFF)
+option(LINK_WITH_TRUSTED_STORAGE "Explicitly link Mbed TLS library to trusted_storage." OFF)
+
+# Set the project root directory if it's not already defined, as may happen if
+# the library folder is included directly by a parent project, without
+# including the top level CMakeLists.txt.
+if(NOT DEFINED MBEDTLS_DIR)
+ set(MBEDTLS_DIR ${CMAKE_SOURCE_DIR})
+endif()
+
+set(src_crypto
+ aes.c
+ aesni.c
+ aesce.c
+ aria.c
+ asn1parse.c
+ asn1write.c
+ base64.c
+ bignum.c
+ bignum_core.c
+ bignum_mod.c
+ bignum_mod_raw.c
+ block_cipher.c
+ camellia.c
+ ccm.c
+ chacha20.c
+ chachapoly.c
+ cipher.c
+ cipher_wrap.c
+ constant_time.c
+ cmac.c
+ ctr_drbg.c
+ des.c
+ dhm.c
+ ecdh.c
+ ecdsa.c
+ ecjpake.c
+ ecp.c
+ ecp_curves.c
+ ecp_curves_new.c
+ entropy.c
+ entropy_poll.c
+ error.c
+ gcm.c
+ hkdf.c
+ hmac_drbg.c
+ lmots.c
+ lms.c
+ md.c
+ md5.c
+ memory_buffer_alloc.c
+ nist_kw.c
+ oid.c
+ padlock.c
+ pem.c
+ pk.c
+ pk_ecc.c
+ pk_wrap.c
+ pkcs12.c
+ pkcs5.c
+ pkparse.c
+ pkwrite.c
+ platform.c
+ platform_util.c
+ poly1305.c
+ psa_crypto.c
+ psa_crypto_aead.c
+ psa_crypto_cipher.c
+ psa_crypto_client.c
+ psa_crypto_driver_wrappers_no_static.c
+ psa_crypto_ecp.c
+ psa_crypto_ffdh.c
+ psa_crypto_hash.c
+ psa_crypto_mac.c
+ psa_crypto_pake.c
+ psa_crypto_rsa.c
+ psa_crypto_se.c
+ psa_crypto_slot_management.c
+ psa_crypto_storage.c
+ psa_its_file.c
+ psa_util.c
+ ripemd160.c
+ rsa.c
+ rsa_alt_helpers.c
+ sha1.c
+ sha256.c
+ sha512.c
+ sha3.c
+ threading.c
+ timing.c
+ version.c
+ version_features.c
+)
+
+set(src_x509
+ pkcs7.c
+ x509.c
+ x509_create.c
+ x509_crl.c
+ x509_crt.c
+ x509_csr.c
+ x509write.c
+ x509write_crt.c
+ x509write_csr.c
+)
+
+set(src_tls
+ debug.c
+ mps_reader.c
+ mps_trace.c
+ net_sockets.c
+ ssl_cache.c
+ ssl_ciphersuites.c
+ ssl_client.c
+ ssl_cookie.c
+ ssl_debug_helpers_generated.c
+ ssl_msg.c
+ ssl_ticket.c
+ ssl_tls.c
+ ssl_tls12_client.c
+ ssl_tls12_server.c
+ ssl_tls13_keys.c
+ ssl_tls13_server.c
+ ssl_tls13_client.c
+ ssl_tls13_generic.c
+)
+
+if(GEN_FILES)
+ find_package(Perl REQUIRED)
+
+ file(GLOB error_headers ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/*.h)
+ add_custom_command(
+ OUTPUT
+ ${CMAKE_CURRENT_BINARY_DIR}/error.c
+ COMMAND
+ ${PERL_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl
+ ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files
+ ${CMAKE_CURRENT_BINARY_DIR}/error.c
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl
+ ${error_headers}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/error.fmt
+ )
+
+ add_custom_command(
+ OUTPUT
+ ${CMAKE_CURRENT_BINARY_DIR}/version_features.c
+ COMMAND
+ ${PERL_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl
+ ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files
+ ${CMAKE_CURRENT_BINARY_DIR}/version_features.c
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl
+ ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/version_features.fmt
+ )
+
+ add_custom_command(
+ OUTPUT
+ ${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.c
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_ssl_debug_helpers.py
+ --mbedtls-root ${CMAKE_CURRENT_SOURCE_DIR}/..
+ ${CMAKE_CURRENT_BINARY_DIR}
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_ssl_debug_helpers.py
+ ${error_headers}
+ )
+
+ add_custom_command(
+ OUTPUT
+ ${CMAKE_CURRENT_BINARY_DIR}/psa_crypto_driver_wrappers.h
+ ${CMAKE_CURRENT_BINARY_DIR}/psa_crypto_driver_wrappers_no_static.c
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_driver_wrappers.py
+ ${CMAKE_CURRENT_BINARY_DIR}
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_driver_wrappers.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
+ )
+
+
+else()
+ link_to_source(error.c)
+ link_to_source(version_features.c)
+ link_to_source(ssl_debug_helpers_generated.c)
+ link_to_source(psa_crypto_driver_wrappers_no_static.c)
+endif()
+
+if(CMAKE_COMPILER_IS_GNUCC)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes")
+endif(CMAKE_COMPILER_IS_GNUCC)
+
+if(CMAKE_COMPILER_IS_CLANG)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
+endif(CMAKE_COMPILER_IS_CLANG)
+
+if(CMAKE_COMPILER_IS_MSVC)
+ option(MSVC_STATIC_RUNTIME "Build the libraries with /MT compiler flag" OFF)
+ if(MSVC_STATIC_RUNTIME)
+ foreach(flag_var
+ CMAKE_C_FLAGS CMAKE_C_FLAGS_DEBUG CMAKE_C_FLAGS_RELEASE
+ CMAKE_C_FLAGS_MINSIZEREL CMAKE_C_FLAGS_RELWITHDEBINFO
+ CMAKE_C_FLAGS_CHECK)
+ string(REGEX REPLACE "/MD" "/MT" ${flag_var} "${${flag_var}}")
+ endforeach(flag_var)
+ endif()
+endif()
+
+if(WIN32)
+ set(libs ${libs} ws2_32 bcrypt)
+endif(WIN32)
+
+if(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+ SET(CMAKE_C_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+ SET(CMAKE_CXX_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+ SET(CMAKE_C_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
+ SET(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
+endif()
+
+if(HAIKU)
+ set(libs ${libs} network)
+endif(HAIKU)
+
+if(LINK_WITH_PTHREAD)
+ set(libs ${libs} ${CMAKE_THREAD_LIBS_INIT})
+endif()
+
+if(LINK_WITH_TRUSTED_STORAGE)
+ set(libs ${libs} trusted_storage)
+endif()
+
+if (NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
+ message(FATAL_ERROR "Need to choose static or shared mbedtls build!")
+endif(NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
+
+set(mbedtls_target "${MBEDTLS_TARGET_PREFIX}mbedtls")
+set(mbedx509_target "${MBEDTLS_TARGET_PREFIX}mbedx509")
+set(mbedcrypto_target "${MBEDTLS_TARGET_PREFIX}mbedcrypto")
+
+set(mbedtls_target ${mbedtls_target} PARENT_SCOPE)
+set(mbedx509_target ${mbedx509_target} PARENT_SCOPE)
+set(mbedcrypto_target ${mbedcrypto_target} PARENT_SCOPE)
+
+if (USE_STATIC_MBEDTLS_LIBRARY)
+ set(mbedtls_static_target ${mbedtls_target})
+ set(mbedx509_static_target ${mbedx509_target})
+ set(mbedcrypto_static_target ${mbedcrypto_target})
+endif()
+
+set(target_libraries ${mbedcrypto_target} ${mbedx509_target} ${mbedtls_target})
+
+if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
+ string(APPEND mbedtls_static_target "_static")
+ string(APPEND mbedx509_static_target "_static")
+ string(APPEND mbedcrypto_static_target "_static")
+
+ list(APPEND target_libraries
+ ${mbedcrypto_static_target}
+ ${mbedx509_static_target}
+ ${mbedtls_static_target})
+endif()
+
+set(p256m_target "${MBEDTLS_TARGET_PREFIX}p256m")
+set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
+
+if(USE_STATIC_MBEDTLS_LIBRARY)
+ add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
+ set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
+ target_link_libraries(${mbedcrypto_static_target} PUBLIC ${libs})
+
+ if(TARGET ${everest_target})
+ target_link_libraries(${mbedcrypto_static_target} PUBLIC ${everest_target})
+ endif()
+
+ if(TARGET ${p256m_target})
+ target_link_libraries(${mbedcrypto_static_target} PUBLIC ${p256m_target})
+ endif()
+
+ add_library(${mbedx509_static_target} STATIC ${src_x509})
+ set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
+ target_link_libraries(${mbedx509_static_target} PUBLIC ${libs} ${mbedcrypto_static_target})
+
+ add_library(${mbedtls_static_target} STATIC ${src_tls})
+ set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls)
+ target_link_libraries(${mbedtls_static_target} PUBLIC ${libs} ${mbedx509_static_target})
+endif(USE_STATIC_MBEDTLS_LIBRARY)
+
+if(USE_SHARED_MBEDTLS_LIBRARY)
+ set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
+ add_library(${mbedcrypto_target} SHARED ${src_crypto})
+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.6.0 SOVERSION 16)
+ target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
+
+ if(TARGET ${everest_target})
+ target_link_libraries(${mbedcrypto_target} PUBLIC ${everest_target})
+ endif()
+
+ if(TARGET ${p256m_target})
+ target_link_libraries(${mbedcrypto_target} PUBLIC ${p256m_target})
+ endif()
+
+ add_library(${mbedx509_target} SHARED ${src_x509})
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.6.0 SOVERSION 7)
+ target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
+
+ add_library(${mbedtls_target} SHARED ${src_tls})
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.6.0 SOVERSION 21)
+ target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
+endif(USE_SHARED_MBEDTLS_LIBRARY)
+
+foreach(target IN LISTS target_libraries)
+ add_library(MbedTLS::${target} ALIAS ${target}) # add_subdirectory support
+ # Include public header files from /include and other directories
+ # declared by /3rdparty/**/CMakeLists.txt. Include private header files
+ # from /library and others declared by /3rdparty/**/CMakeLists.txt.
+ # /library needs to be listed explicitly when building .c files outside
+ # of /library (which currently means: under /3rdparty).
+ target_include_directories(${target}
+ PUBLIC $<BUILD_INTERFACE:${MBEDTLS_DIR}/include/>
+ $<INSTALL_INTERFACE:include/>
+ PRIVATE ${MBEDTLS_DIR}/library/
+ # Needed to include psa_crypto_driver_wrappers.h
+ ${CMAKE_CURRENT_BINARY_DIR})
+ # Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
+ if(MBEDTLS_CONFIG_FILE)
+ target_compile_definitions(${target}
+ PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
+ endif()
+ if(MBEDTLS_USER_CONFIG_FILE)
+ target_compile_definitions(${target}
+ PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
+ endif()
+ install(
+ TARGETS ${target}
+ EXPORT MbedTLSTargets
+ ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
+ LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
+ RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
+ PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+endforeach(target)
+
+set(lib_target "${MBEDTLS_TARGET_PREFIX}lib")
+
+add_custom_target(${lib_target} DEPENDS ${mbedcrypto_target} ${mbedx509_target} ${mbedtls_target})
+if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
+ add_dependencies(${lib_target} ${mbedcrypto_static_target} ${mbedx509_static_target} ${mbedtls_static_target})
+endif()
diff --git a/library/Makefile b/library/Makefile
new file mode 100644
index 0000000..a5e023e
--- /dev/null
+++ b/library/Makefile
@@ -0,0 +1,403 @@
+ifndef MBEDTLS_PATH
+MBEDTLS_PATH := ..
+endif
+
+GENERATED_FILES := \
+ error.c version_features.c \
+ ssl_debug_helpers_generated.c \
+ psa_crypto_driver_wrappers.h \
+ psa_crypto_driver_wrappers_no_static.c
+
+ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES)))
+ ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make))
+ # Use the define keyword to get a multi-line message.
+ # GNU make appends ". Stop.", so tweak the ending of our message accordingly.
+ define error_message
+$(MBEDTLS_PATH)/framework/exported.make not found.
+Run `git submodule update --init` to fetch the submodule contents.
+This is a fatal error
+ endef
+ $(error $(error_message))
+ endif
+ include $(MBEDTLS_PATH)/framework/exported.make
+endif
+
+# Also see "include/mbedtls/mbedtls_config.h"
+
+CFLAGS ?= -O2
+WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
+LDFLAGS ?=
+
+# Include ../include for public headers and . for private headers.
+# Note that . needs to be included explicitly for the sake of library
+# files that are not in the /library directory (which currently means
+# under /3rdparty).
+LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../include -D_FILE_OFFSET_BITS=64
+LOCAL_LDFLAGS =
+
+ifdef DEBUG
+LOCAL_CFLAGS += -g3
+endif
+
+# MicroBlaze specific options:
+# CFLAGS += -mno-xl-soft-mul -mxl-barrel-shift
+
+# To compile on Plan9:
+# CFLAGS += -D_BSD_EXTENSION
+
+PERL ?= perl
+
+ifdef WINDOWS
+PYTHON ?= python
+else
+PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi)
+endif
+
+# if were running on Windows build for Windows
+ifdef WINDOWS
+WINDOWS_BUILD=1
+else ifeq ($(shell uname -s),Darwin)
+ifeq ($(AR),ar)
+APPLE_BUILD ?= 1
+endif
+endif
+
+ifdef WINDOWS_BUILD
+LOCAL_LDFLAGS += -lbcrypt
+endif
+
+# To compile as a shared library:
+ifdef SHARED
+# all code is position-indep with mingw, avoid warning about useless flag
+ifndef WINDOWS_BUILD
+LOCAL_CFLAGS += -fPIC -fpic
+endif
+endif
+
+SOEXT_TLS?=so.21
+SOEXT_X509?=so.7
+SOEXT_CRYPTO?=so.16
+
+# Set AR_DASH= (empty string) to use an ar implementation that does not accept
+# the - prefix for command line options (e.g. llvm-ar)
+AR_DASH ?= -
+
+ARFLAGS = $(AR_DASH)src
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
+ARFLAGS = $(AR_DASH)Src
+RLFLAGS = -no_warning_for_no_symbols -c
+RL ?= ranlib
+endif
+endif
+
+DLEXT ?= so
+ifdef WINDOWS_BUILD
+# Windows shared library extension:
+DLEXT = dll
+else ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
+# Mac OS X shared library extension:
+DLEXT = dylib
+endif
+endif
+
+OBJS_CRYPTO= \
+ aes.o \
+ aesni.o \
+ aesce.o \
+ aria.o \
+ asn1parse.o \
+ asn1write.o \
+ base64.o \
+ bignum.o \
+ bignum_core.o \
+ bignum_mod.o \
+ bignum_mod_raw.o \
+ block_cipher.o \
+ camellia.o \
+ ccm.o \
+ chacha20.o \
+ chachapoly.o \
+ cipher.o \
+ cipher_wrap.o \
+ cmac.o \
+ constant_time.o \
+ ctr_drbg.o \
+ des.o \
+ dhm.o \
+ ecdh.o \
+ ecdsa.o \
+ ecjpake.o \
+ ecp.o \
+ ecp_curves.o \
+ ecp_curves_new.o \
+ entropy.o \
+ entropy_poll.o \
+ error.o \
+ gcm.o \
+ hkdf.o \
+ hmac_drbg.o \
+ lmots.o \
+ lms.o \
+ md.o \
+ md5.o \
+ memory_buffer_alloc.o \
+ nist_kw.o \
+ oid.o \
+ padlock.o \
+ pem.o \
+ pk.o \
+ pk_ecc.o \
+ pk_wrap.o \
+ pkcs12.o \
+ pkcs5.o \
+ pkparse.o \
+ pkwrite.o \
+ platform.o \
+ platform_util.o \
+ poly1305.o \
+ psa_crypto.o \
+ psa_crypto_aead.o \
+ psa_crypto_cipher.o \
+ psa_crypto_client.o \
+ psa_crypto_driver_wrappers_no_static.o \
+ psa_crypto_ecp.o \
+ psa_crypto_ffdh.o \
+ psa_crypto_hash.o \
+ psa_crypto_mac.o \
+ psa_crypto_pake.o \
+ psa_crypto_rsa.o \
+ psa_crypto_se.o \
+ psa_crypto_slot_management.o \
+ psa_crypto_storage.o \
+ psa_its_file.o \
+ psa_util.o \
+ ripemd160.o \
+ rsa.o \
+ rsa_alt_helpers.o \
+ sha1.o \
+ sha256.o \
+ sha512.o \
+ sha3.o \
+ threading.o \
+ timing.o \
+ version.o \
+ version_features.o \
+ # This line is intentionally left blank
+
+include ../3rdparty/Makefile.inc
+LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
+OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
+
+OBJS_X509= \
+ x509.o \
+ x509_create.o \
+ x509_crl.o \
+ x509_crt.o \
+ x509_csr.o \
+ x509write.o \
+ x509write_crt.o \
+ x509write_csr.o \
+ pkcs7.o \
+ # This line is intentionally left blank
+
+OBJS_TLS= \
+ debug.o \
+ mps_reader.o \
+ mps_trace.o \
+ net_sockets.o \
+ ssl_cache.o \
+ ssl_ciphersuites.o \
+ ssl_client.o \
+ ssl_cookie.o \
+ ssl_debug_helpers_generated.o \
+ ssl_msg.o \
+ ssl_ticket.o \
+ ssl_tls.o \
+ ssl_tls12_client.o \
+ ssl_tls12_server.o \
+ ssl_tls13_keys.o \
+ ssl_tls13_client.o \
+ ssl_tls13_server.o \
+ ssl_tls13_generic.o \
+ # This line is intentionally left blank
+
+.SILENT:
+
+.PHONY: all static shared clean
+
+ifndef SHARED
+all: static
+else
+all: shared static
+endif
+
+static: libmbedcrypto.a libmbedx509.a libmbedtls.a
+ cd ../tests && echo "This is a seedfile that contains 64 bytes (65 on Windows)......" > seedfile
+
+shared: libmbedcrypto.$(DLEXT) libmbedx509.$(DLEXT) libmbedtls.$(DLEXT)
+
+# Windows builds under Mingw can fail if make tries to create archives in the same
+# directory at the same time - see https://bugs.launchpad.net/gcc-arm-embedded/+bug/1848002.
+# This forces builds of the .a files to be serialised.
+ifdef WINDOWS
+libmbedtls.a: | libmbedx509.a
+libmbedx509.a: | libmbedcrypto.a
+endif
+
+# tls
+libmbedtls.a: $(OBJS_TLS)
+ echo " AR $@"
+ $(AR) $(ARFLAGS) $@ $(OBJS_TLS)
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
+ echo " RL $@"
+ $(RL) $(RLFLAGS) $@
+endif
+endif
+
+libmbedtls.$(SOEXT_TLS): $(OBJS_TLS) libmbedx509.so
+ echo " LD $@"
+ $(CC) -shared -Wl,-soname,$@ -o $@ $(OBJS_TLS) -L. -lmbedx509 -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+ifneq ($(SOEXT_TLS),so)
+libmbedtls.so: libmbedtls.$(SOEXT_TLS)
+ echo " LN $@ -> $<"
+ ln -sf $< $@
+endif
+
+libmbedtls.dylib: $(OBJS_TLS) libmbedx509.dylib
+ echo " LD $@"
+ $(CC) -dynamiclib -o $@ $(OBJS_TLS) -L. -lmbedx509 -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+libmbedtls.dll: $(OBJS_TLS) libmbedx509.dll
+ echo " LD $@"
+ $(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_TLS) -lws2_32 -lwinmm -lgdi32 -L. -lmbedx509 -lmbedcrypto -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+# x509
+libmbedx509.a: $(OBJS_X509)
+ echo " AR $@"
+ $(AR) $(ARFLAGS) $@ $(OBJS_X509)
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
+ echo " RL $@"
+ $(RL) $(RLFLAGS) $@
+endif
+endif
+
+libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so
+ echo " LD $@"
+ $(CC) -shared -Wl,-soname,$@ -o $@ $(OBJS_X509) -L. -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+ifneq ($(SOEXT_X509),so)
+libmbedx509.so: libmbedx509.$(SOEXT_X509)
+ echo " LN $@ -> $<"
+ ln -sf $< $@
+endif
+
+libmbedx509.dylib: $(OBJS_X509) libmbedcrypto.dylib
+ echo " LD $@"
+ $(CC) -dynamiclib -o $@ $(OBJS_X509) -L. -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+libmbedx509.dll: $(OBJS_X509) libmbedcrypto.dll
+ echo " LD $@"
+ $(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_X509) -lws2_32 -lwinmm -lgdi32 -L. -lmbedcrypto -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+# crypto
+libmbedcrypto.a: $(OBJS_CRYPTO)
+ echo " AR $@"
+ $(AR) $(ARFLAGS) $@ $(OBJS_CRYPTO)
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
+ echo " RL $@"
+ $(RL) $(RLFLAGS) $@
+endif
+endif
+
+libmbedcrypto.$(SOEXT_CRYPTO): $(OBJS_CRYPTO)
+ echo " LD $@"
+ $(CC) -shared -Wl,-soname,$@ -o $@ $(OBJS_CRYPTO) $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+ifneq ($(SOEXT_CRYPTO),so)
+libmbedcrypto.so: libmbedcrypto.$(SOEXT_CRYPTO)
+ echo " LN $@ -> $<"
+ ln -sf $< $@
+endif
+
+libmbedcrypto.dylib: $(OBJS_CRYPTO)
+ echo " LD $@"
+ $(CC) -dynamiclib -o $@ $(OBJS_CRYPTO) $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+libmbedcrypto.dll: $(OBJS_CRYPTO)
+ echo " LD $@"
+ $(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_CRYPTO) -lws2_32 -lwinmm -lgdi32 -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+.c.o:
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $@ -c $<
+
+.PHONY: generated_files
+generated_files: $(GENERATED_FILES)
+
+# See root Makefile
+GEN_FILES ?=
+ifdef GEN_FILES
+gen_file_dep =
+else
+gen_file_dep = |
+endif
+
+error.c: $(gen_file_dep) ../scripts/generate_errors.pl
+error.c: $(gen_file_dep) ../scripts/data_files/error.fmt
+error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
+error.c:
+ echo " Gen $@"
+ $(PERL) ../scripts/generate_errors.pl
+
+ssl_debug_helpers_generated.c: $(gen_file_dep) ../scripts/generate_ssl_debug_helpers.py
+ssl_debug_helpers_generated.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
+ssl_debug_helpers_generated.c:
+ echo " Gen $@"
+ $(PYTHON) ../scripts/generate_ssl_debug_helpers.py --mbedtls-root .. .
+
+version_features.c: $(gen_file_dep) ../scripts/generate_features.pl
+version_features.c: $(gen_file_dep) ../scripts/data_files/version_features.fmt
+## The generated file only depends on the options that are present in mbedtls_config.h,
+## not on which options are set. To avoid regenerating this file all the time
+## when switching between configurations, don't declare mbedtls_config.h as a
+## dependency. Remove this file from your working tree if you've just added or
+## removed an option in mbedtls_config.h.
+#version_features.c: ../include/mbedtls/mbedtls_config.h
+version_features.c:
+ echo " Gen $@"
+ $(PERL) ../scripts/generate_features.pl
+
+GENERATED_WRAPPER_FILES = \
+ psa_crypto_driver_wrappers.h \
+ psa_crypto_driver_wrappers_no_static.c
+$(GENERATED_WRAPPER_FILES): ../scripts/generate_driver_wrappers.py
+$(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
+$(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
+$(GENERATED_WRAPPER_FILES):
+ echo " Gen $(GENERATED_WRAPPER_FILES)"
+ $(PYTHON) ../scripts/generate_driver_wrappers.py
+
+psa_crypto.o:psa_crypto_driver_wrappers.h
+
+clean:
+ifndef WINDOWS
+ rm -f *.o libmbed*
+ rm -f $(THIRDPARTY_CRYPTO_OBJECTS)
+else
+ if exist *.o del /Q /F *.o
+ if exist libmbed* del /Q /F libmbed*
+ del /Q /F del_errors_out_if_the_file_list_is_empty_but_not_if_a_file_does_not_exist $(subst /,\,$(THIRDPARTY_CRYPTO_OBJECTS))
+endif
+
+neat: clean
+ifndef WINDOWS
+ rm -f $(GENERATED_FILES)
+else
+ for %f in ($(subst /,\,$(GENERATED_FILES))) if exist %f del /Q /F %f
+endif
diff --git a/library/aes.c b/library/aes.c
new file mode 100644
index 0000000..b1a5c3e
--- /dev/null
+++ b/library/aes.c
@@ -0,0 +1,2294 @@
+/*
+ * FIPS-197 compliant AES implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
+ *
+ * https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
+ * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_AES_C)
+
+#include <string.h>
+
+#include "mbedtls/aes.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+#if !((defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_AESCE_C)) || \
+ (defined(MBEDTLS_ARCH_IS_X64) && defined(MBEDTLS_AESNI_C)) || \
+ (defined(MBEDTLS_ARCH_IS_X86) && defined(MBEDTLS_AESNI_C)))
+#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
+#endif
+#endif
+
+#if defined(MBEDTLS_ARCH_IS_X86)
+#if defined(MBEDTLS_PADLOCK_C)
+#if !defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
+#endif
+#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+#error "MBEDTLS_AES_USE_HARDWARE_ONLY cannot be defined when " \
+ "MBEDTLS_PADLOCK_C is set"
+#endif
+#endif
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C)
+#include "padlock.h"
+#endif
+#if defined(MBEDTLS_AESNI_C)
+#include "aesni.h"
+#endif
+#if defined(MBEDTLS_AESCE_C)
+#include "aesce.h"
+#endif
+
+#include "mbedtls/platform.h"
+#include "ctr.h"
+
+/*
+ * This is a convenience shorthand macro to check if we need reverse S-box and
+ * reverse tables. It's private and only defined in this file.
+ */
+#if (!defined(MBEDTLS_AES_DECRYPT_ALT) || \
+ (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY))) && \
+ !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+#define MBEDTLS_AES_NEED_REVERSE_TABLES
+#endif
+
+#if !defined(MBEDTLS_AES_ALT)
+
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
+static int aes_padlock_ace = -1;
+#endif
+
+#if defined(MBEDTLS_AES_ROM_TABLES)
+/*
+ * Forward S-box
+ */
+MBEDTLS_MAYBE_UNUSED static const unsigned char FSb[256] =
+{
+ 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
+ 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
+ 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+ 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
+ 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
+ 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+ 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
+ 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
+ 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+ 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
+ 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
+ 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+ 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
+ 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
+ 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+ 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
+ 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
+ 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+ 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
+ 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
+ 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+ 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
+ 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
+ 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+ 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
+ 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
+ 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+ 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
+ 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
+ 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+ 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
+ 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
+};
+
+/*
+ * Forward tables
+ */
+#define FT \
+\
+ V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \
+ V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \
+ V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
+ V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \
+ V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
+ V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
+ V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \
+ V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \
+ V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
+ V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
+ V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \
+ V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
+ V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \
+ V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \
+ V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
+ V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \
+ V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \
+ V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
+ V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \
+ V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
+ V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
+ V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \
+ V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \
+ V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
+ V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
+ V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \
+ V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
+ V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \
+ V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \
+ V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
+ V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
+ V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \
+ V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
+ V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \
+ V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
+ V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
+ V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \
+ V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \
+ V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
+ V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
+ V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \
+ V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
+ V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \
+ V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \
+ V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
+ V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \
+ V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \
+ V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
+ V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \
+ V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
+ V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
+ V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \
+ V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \
+ V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
+ V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
+ V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
+ V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
+ V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \
+ V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \
+ V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
+ V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \
+ V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \
+ V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
+ V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
+
+#define V(a, b, c, d) 0x##a##b##c##d
+MBEDTLS_MAYBE_UNUSED static const uint32_t FT0[256] = { FT };
+#undef V
+
+#define V(a, b, c, d) 0x##b##c##d##a
+MBEDTLS_MAYBE_UNUSED static const uint32_t FT1[256] = { FT };
+#undef V
+
+#define V(a, b, c, d) 0x##c##d##a##b
+MBEDTLS_MAYBE_UNUSED static const uint32_t FT2[256] = { FT };
+#undef V
+
+#define V(a, b, c, d) 0x##d##a##b##c
+MBEDTLS_MAYBE_UNUSED static const uint32_t FT3[256] = { FT };
+#undef V
+
+#undef FT
+
+/*
+ * Reverse S-box
+ */
+MBEDTLS_MAYBE_UNUSED static const unsigned char RSb[256] =
+{
+ 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
+ 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
+ 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+ 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
+ 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
+ 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+ 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
+ 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
+ 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+ 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
+ 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
+ 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+ 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
+ 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
+ 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+ 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
+ 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
+ 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+ 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
+ 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
+ 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+ 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
+ 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
+ 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+ 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
+ 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
+ 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+ 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
+ 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
+ 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+ 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
+ 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
+};
+
+/*
+ * Reverse tables
+ */
+#define RT \
+\
+ V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \
+ V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \
+ V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
+ V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \
+ V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
+ V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
+ V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \
+ V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \
+ V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
+ V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
+ V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \
+ V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
+ V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \
+ V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \
+ V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
+ V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
+ V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \
+ V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
+ V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \
+ V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
+ V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
+ V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \
+ V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \
+ V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
+ V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
+ V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \
+ V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
+ V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \
+ V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \
+ V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
+ V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \
+ V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \
+ V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
+ V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \
+ V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
+ V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
+ V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \
+ V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
+ V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
+ V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
+ V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
+ V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
+ V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \
+ V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \
+ V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
+ V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \
+ V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \
+ V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
+ V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \
+ V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
+ V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
+ V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \
+ V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \
+ V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
+ V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
+ V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \
+ V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
+ V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \
+ V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \
+ V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
+ V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \
+ V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
+ V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
+ V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0)
+
+
+#define V(a, b, c, d) 0x##a##b##c##d
+MBEDTLS_MAYBE_UNUSED static const uint32_t RT0[256] = { RT };
+#undef V
+
+#define V(a, b, c, d) 0x##b##c##d##a
+MBEDTLS_MAYBE_UNUSED static const uint32_t RT1[256] = { RT };
+#undef V
+
+#define V(a, b, c, d) 0x##c##d##a##b
+MBEDTLS_MAYBE_UNUSED static const uint32_t RT2[256] = { RT };
+#undef V
+
+#define V(a, b, c, d) 0x##d##a##b##c
+MBEDTLS_MAYBE_UNUSED static const uint32_t RT3[256] = { RT };
+#undef V
+
+#undef RT
+
+/*
+ * Round constants
+ */
+MBEDTLS_MAYBE_UNUSED static const uint32_t round_constants[10] =
+{
+ 0x00000001, 0x00000002, 0x00000004, 0x00000008,
+ 0x00000010, 0x00000020, 0x00000040, 0x00000080,
+ 0x0000001B, 0x00000036
+};
+
+#else /* MBEDTLS_AES_ROM_TABLES */
+
+/*
+ * Forward S-box & tables
+ */
+MBEDTLS_MAYBE_UNUSED static unsigned char FSb[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t FT0[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t FT1[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t FT2[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t FT3[256];
+
+/*
+ * Reverse S-box & tables
+ */
+MBEDTLS_MAYBE_UNUSED static unsigned char RSb[256];
+
+MBEDTLS_MAYBE_UNUSED static uint32_t RT0[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t RT1[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t RT2[256];
+MBEDTLS_MAYBE_UNUSED static uint32_t RT3[256];
+
+/*
+ * Round constants
+ */
+MBEDTLS_MAYBE_UNUSED static uint32_t round_constants[10];
+
+/*
+ * Tables generation code
+ */
+#define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
+#define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
+#define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)
+
+MBEDTLS_MAYBE_UNUSED static int aes_init_done = 0;
+
+MBEDTLS_MAYBE_UNUSED static void aes_gen_tables(void)
+{
+ int i;
+ uint8_t x, y, z;
+ uint8_t pow[256];
+ uint8_t log[256];
+
+ /*
+ * compute pow and log tables over GF(2^8)
+ */
+ for (i = 0, x = 1; i < 256; i++) {
+ pow[i] = x;
+ log[x] = (uint8_t) i;
+ x ^= XTIME(x);
+ }
+
+ /*
+ * calculate the round constants
+ */
+ for (i = 0, x = 1; i < 10; i++) {
+ round_constants[i] = x;
+ x = XTIME(x);
+ }
+
+ /*
+ * generate the forward and reverse S-boxes
+ */
+ FSb[0x00] = 0x63;
+#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
+ RSb[0x63] = 0x00;
+#endif
+
+ for (i = 1; i < 256; i++) {
+ x = pow[255 - log[i]];
+
+ y = x; y = (y << 1) | (y >> 7);
+ x ^= y; y = (y << 1) | (y >> 7);
+ x ^= y; y = (y << 1) | (y >> 7);
+ x ^= y; y = (y << 1) | (y >> 7);
+ x ^= y ^ 0x63;
+
+ FSb[i] = x;
+#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
+ RSb[x] = (unsigned char) i;
+#endif
+ }
+
+ /*
+ * generate the forward and reverse tables
+ */
+ for (i = 0; i < 256; i++) {
+ x = FSb[i];
+ y = XTIME(x);
+ z = y ^ x;
+
+ FT0[i] = ((uint32_t) y) ^
+ ((uint32_t) x << 8) ^
+ ((uint32_t) x << 16) ^
+ ((uint32_t) z << 24);
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+ FT1[i] = ROTL8(FT0[i]);
+ FT2[i] = ROTL8(FT1[i]);
+ FT3[i] = ROTL8(FT2[i]);
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
+ x = RSb[i];
+
+ RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
+ ((uint32_t) MUL(0x09, x) << 8) ^
+ ((uint32_t) MUL(0x0D, x) << 16) ^
+ ((uint32_t) MUL(0x0B, x) << 24);
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+ RT1[i] = ROTL8(RT0[i]);
+ RT2[i] = ROTL8(RT1[i]);
+ RT3[i] = ROTL8(RT2[i]);
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+#endif /* MBEDTLS_AES_NEED_REVERSE_TABLES */
+ }
+}
+
+#undef ROTL8
+
+#endif /* MBEDTLS_AES_ROM_TABLES */
+
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+
+#define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24))
+#define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
+#define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8))
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) ROTL8(RT0[idx])
+#define AES_RT2(idx) ROTL16(RT0[idx])
+#define AES_RT3(idx) ROTL24(RT0[idx])
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) ROTL8(FT0[idx])
+#define AES_FT2(idx) ROTL16(FT0[idx])
+#define AES_FT3(idx) ROTL24(FT0[idx])
+
+#else /* MBEDTLS_AES_FEWER_TABLES */
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) RT1[idx]
+#define AES_RT2(idx) RT2[idx]
+#define AES_RT3(idx) RT3[idx]
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) FT1[idx]
+#define AES_FT2(idx) FT2[idx]
+#define AES_FT3(idx) FT3[idx]
+
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+
+void mbedtls_aes_init(mbedtls_aes_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_aes_context));
+}
+
+void mbedtls_aes_free(mbedtls_aes_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
+{
+ mbedtls_aes_init(&ctx->crypt);
+ mbedtls_aes_init(&ctx->tweak);
+}
+
+void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_aes_free(&ctx->crypt);
+ mbedtls_aes_free(&ctx->tweak);
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/* Some implementations need the round keys to be aligned.
+ * Return an offset to be added to buf, such that (buf + offset) is
+ * correctly aligned.
+ * Note that the offset is in units of elements of buf, i.e. 32-bit words,
+ * i.e. an offset of 1 means 4 bytes and so on.
+ */
+#if (defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)) || \
+ (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
+#define MAY_NEED_TO_ALIGN
+#endif
+
+MBEDTLS_MAYBE_UNUSED static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
+{
+#if defined(MAY_NEED_TO_ALIGN)
+ int align_16_bytes = 0;
+
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
+ if (aes_padlock_ace == -1) {
+ aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
+ }
+ if (aes_padlock_ace) {
+ align_16_bytes = 1;
+ }
+#endif
+
+#if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ align_16_bytes = 1;
+ }
+#endif
+
+ if (align_16_bytes) {
+ /* These implementations needs 16-byte alignment
+ * for the round key array. */
+ unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4;
+ if (delta == 0) {
+ return 0;
+ } else {
+ return 4 - delta; // 16 bytes = 4 uint32_t
+ }
+ }
+#else /* MAY_NEED_TO_ALIGN */
+ (void) buf;
+#endif /* MAY_NEED_TO_ALIGN */
+
+ return 0;
+}
+
+/*
+ * AES key schedule (encryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
+ unsigned int keybits)
+{
+ uint32_t *RK;
+
+ switch (keybits) {
+ case 128: ctx->nr = 10; break;
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ case 192: ctx->nr = 12; break;
+ case 256: ctx->nr = 14; break;
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+ default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+ }
+
+#if !defined(MBEDTLS_AES_ROM_TABLES)
+ if (aes_init_done == 0) {
+ aes_gen_tables();
+ aes_init_done = 1;
+ }
+#endif
+
+ ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
+ RK = ctx->buf + ctx->rk_offset;
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits);
+ }
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits);
+ }
+#endif
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ for (unsigned int i = 0; i < (keybits >> 5); i++) {
+ RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
+ }
+
+ switch (ctx->nr) {
+ case 10:
+
+ for (unsigned int i = 0; i < 10; i++, RK += 4) {
+ RK[4] = RK[0] ^ round_constants[i] ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24);
+
+ RK[5] = RK[1] ^ RK[4];
+ RK[6] = RK[2] ^ RK[5];
+ RK[7] = RK[3] ^ RK[6];
+ }
+ break;
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ case 12:
+
+ for (unsigned int i = 0; i < 8; i++, RK += 6) {
+ RK[6] = RK[0] ^ round_constants[i] ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24);
+
+ RK[7] = RK[1] ^ RK[6];
+ RK[8] = RK[2] ^ RK[7];
+ RK[9] = RK[3] ^ RK[8];
+ RK[10] = RK[4] ^ RK[9];
+ RK[11] = RK[5] ^ RK[10];
+ }
+ break;
+
+ case 14:
+
+ for (unsigned int i = 0; i < 7; i++, RK += 8) {
+ RK[8] = RK[0] ^ round_constants[i] ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24);
+
+ RK[9] = RK[1] ^ RK[8];
+ RK[10] = RK[2] ^ RK[9];
+ RK[11] = RK[3] ^ RK[10];
+
+ RK[12] = RK[4] ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24);
+
+ RK[13] = RK[5] ^ RK[12];
+ RK[14] = RK[6] ^ RK[13];
+ RK[15] = RK[7] ^ RK[14];
+ }
+ break;
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+ }
+
+ return 0;
+#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
+}
+#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
+
+/*
+ * AES key schedule (decryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
+ unsigned int keybits)
+{
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ uint32_t *SK;
+#endif
+ int ret;
+ mbedtls_aes_context cty;
+ uint32_t *RK;
+
+
+ mbedtls_aes_init(&cty);
+
+ ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
+ RK = ctx->buf + ctx->rk_offset;
+
+ /* Also checks keybits */
+ if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
+ goto exit;
+ }
+
+ ctx->nr = cty.nr;
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ mbedtls_aesni_inverse_key((unsigned char *) RK,
+ (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr);
+ goto exit;
+ }
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ mbedtls_aesce_inverse_key(
+ (unsigned char *) RK,
+ (const unsigned char *) (cty.buf + cty.rk_offset),
+ ctx->nr);
+ goto exit;
+ }
+#endif
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ SK = cty.buf + cty.rk_offset + cty.nr * 4;
+
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ SK -= 8;
+ for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) {
+ for (int j = 0; j < 4; j++, SK++) {
+ *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
+ AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
+ AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
+ AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]);
+ }
+ }
+
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
+exit:
+ mbedtls_aes_free(&cty);
+
+ return ret;
+}
+#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
+ unsigned int keybits,
+ const unsigned char **key1,
+ unsigned int *key1bits,
+ const unsigned char **key2,
+ unsigned int *key2bits)
+{
+ const unsigned int half_keybits = keybits / 2;
+ const unsigned int half_keybytes = half_keybits / 8;
+
+ switch (keybits) {
+ case 256: break;
+ case 512: break;
+ default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+ }
+
+ *key1bits = half_keybits;
+ *key2bits = half_keybits;
+ *key1 = &key[0];
+ *key2 = &key[half_keybytes];
+
+ return 0;
+}
+
+int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *key1, *key2;
+ unsigned int key1bits, key2bits;
+
+ ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
+ &key2, &key2bits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Set the tweak key. Always set tweak key for the encryption mode. */
+ ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Set crypt key for encryption. */
+ return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
+}
+
+int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *key1, *key2;
+ unsigned int key1bits, key2bits;
+
+ ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
+ &key2, &key2bits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Set the tweak key. Always set tweak key for encryption. */
+ ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Set crypt key for decryption. */
+ return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
+ do \
+ { \
+ (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \
+ AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \
+ AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \
+ AES_FT3(MBEDTLS_BYTE_3(Y3)); \
+ \
+ (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \
+ AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \
+ AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \
+ AES_FT3(MBEDTLS_BYTE_3(Y0)); \
+ \
+ (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \
+ AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \
+ AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \
+ AES_FT3(MBEDTLS_BYTE_3(Y1)); \
+ \
+ (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \
+ AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \
+ AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \
+ AES_FT3(MBEDTLS_BYTE_3(Y2)); \
+ } while (0)
+
+#define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
+ do \
+ { \
+ (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \
+ AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \
+ AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \
+ AES_RT3(MBEDTLS_BYTE_3(Y1)); \
+ \
+ (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \
+ AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \
+ AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \
+ AES_RT3(MBEDTLS_BYTE_3(Y2)); \
+ \
+ (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \
+ AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \
+ AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \
+ AES_RT3(MBEDTLS_BYTE_3(Y3)); \
+ \
+ (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \
+ AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \
+ AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \
+ AES_RT3(MBEDTLS_BYTE_3(Y0)); \
+ } while (0)
+
+/*
+ * AES-ECB block encryption
+ */
+#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
+int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ int i;
+ uint32_t *RK = ctx->buf + ctx->rk_offset;
+ struct {
+ uint32_t X[4];
+ uint32_t Y[4];
+ } t;
+
+ t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
+ t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
+ t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
+ t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
+
+ for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
+ AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+ AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
+ }
+
+ AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+
+ t.X[0] = *RK++ ^ \
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
+
+ t.X[1] = *RK++ ^ \
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
+
+ t.X[2] = *RK++ ^ \
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
+
+ t.X[3] = *RK++ ^ \
+ ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
+ ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
+
+ MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
+ MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
+ MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
+ MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
+
+ mbedtls_platform_zeroize(&t, sizeof(t));
+
+ return 0;
+}
+#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
+
+/*
+ * AES-ECB block decryption
+ */
+#if !defined(MBEDTLS_AES_DECRYPT_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ int i;
+ uint32_t *RK = ctx->buf + ctx->rk_offset;
+ struct {
+ uint32_t X[4];
+ uint32_t Y[4];
+ } t;
+
+ t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
+ t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
+ t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
+ t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
+
+ for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
+ AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+ AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
+ }
+
+ AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
+
+ t.X[0] = *RK++ ^ \
+ ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
+
+ t.X[1] = *RK++ ^ \
+ ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
+
+ t.X[2] = *RK++ ^ \
+ ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
+
+ t.X[3] = *RK++ ^ \
+ ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
+ ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
+
+ MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
+ MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
+ MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
+ MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
+
+ mbedtls_platform_zeroize(&t, sizeof(t));
+
+ return 0;
+}
+#endif /* !MBEDTLS_AES_DECRYPT_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/* VIA Padlock and our intrinsics-based implementation of AESNI require
+ * the round keys to be aligned on a 16-byte boundary. We take care of this
+ * before creating them, but the AES context may have moved (this can happen
+ * if the library is called from a language with managed memory), and in later
+ * calls it might have a different alignment with respect to 16-byte memory.
+ * So we may need to realign.
+ */
+MBEDTLS_MAYBE_UNUSED static void aes_maybe_realign(mbedtls_aes_context *ctx)
+{
+ unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf);
+ if (new_offset != ctx->rk_offset) {
+ memmove(ctx->buf + new_offset, // new address
+ ctx->buf + ctx->rk_offset, // current address
+ (ctx->nr + 1) * 16); // number of round keys * bytes per rk
+ ctx->rk_offset = new_offset;
+ }
+}
+
+/*
+ * AES-ECB block encryption/decryption
+ */
+int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+#if defined(MAY_NEED_TO_ALIGN)
+ aes_maybe_realign(ctx);
+#endif
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
+ }
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
+ }
+#endif
+
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
+ if (aes_padlock_ace > 0) {
+ return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
+ }
+#endif
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ return mbedtls_internal_aes_decrypt(ctx, input, output);
+ } else
+#endif
+ {
+ return mbedtls_internal_aes_encrypt(ctx, input, output);
+ }
+#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+
+/*
+ * AES-CBC buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char temp[16];
+
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ /* Nothing to do if length is zero. */
+ if (length == 0) {
+ return 0;
+ }
+
+ if (length % 16) {
+ return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+ }
+
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
+ if (aes_padlock_ace > 0) {
+ if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
+ return 0;
+ }
+
+ // If padlock data misaligned, we just fall back to
+ // unaccelerated mode
+ //
+ }
+#endif
+
+ const unsigned char *ivp = iv;
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ while (length > 0) {
+ memcpy(temp, input, 16);
+ ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ /* Avoid using the NEON implementation of mbedtls_xor. Because of the dependency on
+ * the result for the next block in CBC, and the cost of transferring that data from
+ * NEON registers, NEON is slower on aarch64. */
+ mbedtls_xor_no_simd(output, output, iv, 16);
+
+ memcpy(iv, temp, 16);
+
+ input += 16;
+ output += 16;
+ length -= 16;
+ }
+ } else {
+ while (length > 0) {
+ mbedtls_xor_no_simd(output, input, ivp, 16);
+
+ ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ ivp = output;
+
+ input += 16;
+ output += 16;
+ length -= 16;
+ }
+ memcpy(iv, ivp, 16);
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+
+typedef unsigned char mbedtls_be128[16];
+
+/*
+ * GF(2^128) multiplication function
+ *
+ * This function multiplies a field element by x in the polynomial field
+ * representation. It uses 64-bit word operations to gain speed but compensates
+ * for machine endianness and hence works correctly on both big and little
+ * endian machines.
+ */
+#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
+MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+#endif
+static inline void mbedtls_gf128mul_x_ble(unsigned char r[16],
+ const unsigned char x[16])
+{
+ uint64_t a, b, ra, rb;
+
+ a = MBEDTLS_GET_UINT64_LE(x, 0);
+ b = MBEDTLS_GET_UINT64_LE(x, 8);
+
+ ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
+ rb = (a >> 63) | (b << 1);
+
+ MBEDTLS_PUT_UINT64_LE(ra, r, 0);
+ MBEDTLS_PUT_UINT64_LE(rb, r, 8);
+}
+
+/*
+ * AES-XTS buffer encryption/decryption
+ *
+ * Use of MBEDTLS_OPTIMIZE_FOR_PERFORMANCE here and for mbedtls_gf128mul_x_ble()
+ * is a 3x performance improvement for gcc -Os, if we have hardware AES support.
+ */
+#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
+MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+#endif
+int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
+ int mode,
+ size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t blocks = length / 16;
+ size_t leftover = length % 16;
+ unsigned char tweak[16];
+ unsigned char prev_tweak[16];
+ unsigned char tmp[16];
+
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ /* Data units must be at least 16 bytes long. */
+ if (length < 16) {
+ return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+ }
+
+ /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
+ if (length > (1 << 20) * 16) {
+ return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+ }
+
+ /* Compute the tweak. */
+ ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
+ data_unit, tweak);
+ if (ret != 0) {
+ return ret;
+ }
+
+ while (blocks--) {
+ if (MBEDTLS_UNLIKELY(leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0)) {
+ /* We are on the last block in a decrypt operation that has
+ * leftover bytes, so we need to use the next tweak for this block,
+ * and this tweak for the leftover bytes. Save the current tweak for
+ * the leftovers and then update the current tweak for use on this,
+ * the last full block. */
+ memcpy(prev_tweak, tweak, sizeof(tweak));
+ mbedtls_gf128mul_x_ble(tweak, tweak);
+ }
+
+ mbedtls_xor(tmp, input, tweak, 16);
+
+ ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
+ if (ret != 0) {
+ return ret;
+ }
+
+ mbedtls_xor(output, tmp, tweak, 16);
+
+ /* Update the tweak for the next block. */
+ mbedtls_gf128mul_x_ble(tweak, tweak);
+
+ output += 16;
+ input += 16;
+ }
+
+ if (leftover) {
+ /* If we are on the leftover bytes in a decrypt operation, we need to
+ * use the previous tweak for these bytes (as saved in prev_tweak). */
+ unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
+
+ /* We are now on the final part of the data unit, which doesn't divide
+ * evenly by 16. It's time for ciphertext stealing. */
+ size_t i;
+ unsigned char *prev_output = output - 16;
+
+ /* Copy ciphertext bytes from the previous block to our output for each
+ * byte of ciphertext we won't steal. */
+ for (i = 0; i < leftover; i++) {
+ output[i] = prev_output[i];
+ }
+
+ /* Copy the remainder of the input for this final round. */
+ mbedtls_xor(tmp, input, t, leftover);
+
+ /* Copy ciphertext bytes from the previous block for input in this
+ * round. */
+ mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i);
+
+ ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Write the result back to the previous block, overriding the previous
+ * output we copied. */
+ mbedtls_xor(prev_output, tmp, t, 16);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int c;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ n = *iv_off;
+
+ if (n > 15) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ while (length--) {
+ if (n == 0) {
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ c = *input++;
+ *output++ = (unsigned char) (c ^ iv[n]);
+ iv[n] = (unsigned char) c;
+
+ n = (n + 1) & 0x0F;
+ }
+ } else {
+ while (length--) {
+ if (n == 0) {
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
+
+ n = (n + 1) & 0x0F;
+ }
+ }
+
+ *iv_off = n;
+ ret = 0;
+
+exit:
+ return ret;
+}
+
+/*
+ * AES-CFB8 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char c;
+ unsigned char ov[17];
+
+ if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+ while (length--) {
+ memcpy(ov, iv, 16);
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ ov[16] = *input;
+ }
+
+ c = *output++ = (unsigned char) (iv[0] ^ *input++);
+
+ if (mode == MBEDTLS_AES_ENCRYPT) {
+ ov[16] = c;
+ }
+
+ memcpy(iv, ov + 1, 16);
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB (Output Feedback Mode) buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = 0;
+ size_t n;
+
+ n = *iv_off;
+
+ if (n > 15) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ while (length--) {
+ if (n == 0) {
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+ *output++ = *input++ ^ iv[n];
+
+ n = (n + 1) & 0x0F;
+ }
+
+ *iv_off = n;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[16],
+ unsigned char stream_block[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ size_t offset = *nc_off;
+
+ if (offset > 0x0F) {
+ return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
+ }
+
+ for (size_t i = 0; i < length;) {
+ size_t n = 16;
+ if (offset == 0) {
+ ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
+ if (ret != 0) {
+ goto exit;
+ }
+ mbedtls_ctr_increment_counter(nonce_counter);
+ } else {
+ n -= offset;
+ }
+
+ if (n > (length - i)) {
+ n = (length - i);
+ }
+ mbedtls_xor(&output[i], &input[i], &stream_block[offset], n);
+ // offset might be non-zero for the last block, but in that case, we don't use it again
+ offset = 0;
+ i += n;
+ }
+
+ // capture offset for future resumption
+ *nc_off = (*nc_off + length) % 16;
+
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#endif /* !MBEDTLS_AES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * AES test vectors from:
+ *
+ * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static const unsigned char aes_test_ecb_dec[][16] =
+{
+ { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
+ 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
+ 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
+ { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
+ 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
+#endif
+};
+#endif
+
+static const unsigned char aes_test_ecb_enc[][16] =
+{
+ { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
+ 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
+ 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
+ { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
+ 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
+#endif
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char aes_test_cbc_dec[][16] =
+{
+ { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
+ 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
+ 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
+ { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
+ 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
+#endif
+};
+
+static const unsigned char aes_test_cbc_enc[][16] =
+{
+ { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
+ 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
+ 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
+ { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
+ 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
+#endif
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 test vectors from:
+ *
+ * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
+ */
+static const unsigned char aes_test_cfb128_key[][32] =
+{
+ { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+ 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+ 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+ 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+ { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+ 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+ 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+ 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+#endif
+};
+
+static const unsigned char aes_test_cfb128_iv[16] =
+{
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_cfb128_pt[64] =
+{
+ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+ 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+ 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+ 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+ 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+ 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+ 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+ 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_cfb128_ct[][64] =
+{
+ { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+ 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+ 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
+ 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
+ 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
+ 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
+ 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
+ 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+ 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+ 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
+ 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
+ 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
+ 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
+ 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
+ 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
+ { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+ 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+ 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
+ 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
+ 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
+ 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
+ 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
+ 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
+#endif
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB test vectors from:
+ *
+ * https://csrc.nist.gov/publications/detail/sp/800-38a/final
+ */
+static const unsigned char aes_test_ofb_key[][32] =
+{
+ { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+ 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+ 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+ 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+ { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+ 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+ 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+ 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+#endif
+};
+
+static const unsigned char aes_test_ofb_iv[16] =
+{
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_ofb_pt[64] =
+{
+ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+ 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+ 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+ 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+ 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+ 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+ 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+ 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_ofb_ct[][64] =
+{
+ { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+ 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+ 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
+ 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
+ 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
+ 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
+ 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
+ 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+ 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+ 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
+ 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
+ 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
+ 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
+ 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
+ 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
+ { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+ 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+ 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
+ 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
+ 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
+ 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
+ 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
+ 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
+#endif
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc3686.html
+ */
+
+static const unsigned char aes_test_ctr_key[][16] =
+{
+ { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+ 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+ { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+ 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+ { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+ 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char aes_test_ctr_nonce_counter[][16] =
+{
+ { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+ { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+ 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+ { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+ 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char aes_test_ctr_pt[][48] =
+{
+ { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+ 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+ { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+ { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+ 0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char aes_test_ctr_ct[][48] =
+{
+ { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
+ 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
+ { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
+ 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
+ 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
+ 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
+ { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
+ 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
+ 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
+ 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
+ 0x25, 0xB2, 0x07, 0x2F }
+};
+
+static const int aes_test_ctr_len[3] =
+{ 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/*
+ * AES-XTS test vectors from:
+ *
+ * IEEE P1619/D16 Annex B
+ * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
+ * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
+ */
+static const unsigned char aes_test_xts_key[][32] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+ { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
+ 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+};
+
+static const unsigned char aes_test_xts_pt32[][32] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+ { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+};
+
+static const unsigned char aes_test_xts_ct32[][32] =
+{
+ { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
+ 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
+ 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
+ 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
+ { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
+ 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
+ 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
+ 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
+ { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
+ 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
+ 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
+ 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
+};
+
+static const unsigned char aes_test_xts_data_unit[][16] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+};
+
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aes_self_test(int verbose)
+{
+ int ret = 0, i, j, u, mode;
+ unsigned int keybits;
+ unsigned char key[32];
+ unsigned char buf[64];
+ const unsigned char *aes_tests;
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_OFB)
+ unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ unsigned char prv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_OFB)
+ size_t offset;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
+ int len;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ unsigned char nonce_counter[16];
+ unsigned char stream_block[16];
+#endif
+ mbedtls_aes_context ctx;
+
+ memset(key, 0, 32);
+ mbedtls_aes_init(&ctx);
+
+ if (verbose != 0) {
+#if defined(MBEDTLS_AES_ALT)
+ mbedtls_printf(" AES note: alternative implementation.\n");
+#else /* MBEDTLS_AES_ALT */
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+#if MBEDTLS_AESNI_HAVE_CODE == 1
+ mbedtls_printf(" AES note: AESNI code present (assembly implementation).\n");
+#elif MBEDTLS_AESNI_HAVE_CODE == 2
+ mbedtls_printf(" AES note: AESNI code present (intrinsics implementation).\n");
+#else
+#error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE"
+#endif
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+ mbedtls_printf(" AES note: using AESNI.\n");
+ } else
+#endif
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
+ if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
+ mbedtls_printf(" AES note: using VIA Padlock.\n");
+ } else
+#endif
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ mbedtls_printf(" AES note: using AESCE.\n");
+ } else
+#endif
+ {
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ mbedtls_printf(" AES note: built-in implementation.\n");
+#endif
+ }
+#endif /* MBEDTLS_AES_ALT */
+ }
+
+ /*
+ * ECB mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_ecb_enc) / sizeof(*aes_test_ecb_enc);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ keybits = 128 + u * 64;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ if (verbose != 0) {
+ mbedtls_printf("skipped\n");
+ }
+ continue;
+ }
+#endif
+
+ memset(buf, 0, 16);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
+ aes_tests = aes_test_ecb_dec[u];
+ } else
+#endif
+ {
+ ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
+ aes_tests = aes_test_ecb_enc[u];
+ }
+
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
+ mbedtls_printf("skipped\n");
+ continue;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ for (j = 0; j < 10000; j++) {
+ ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ if (memcmp(buf, aes_tests, 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ /*
+ * CBC mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_cbc_dec) / sizeof(*aes_test_cbc_dec);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ keybits = 128 + u * 64;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memset(iv, 0, 16);
+ memset(prv, 0, 16);
+ memset(buf, 0, 16);
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
+ aes_tests = aes_test_cbc_dec[u];
+ } else {
+ ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
+ aes_tests = aes_test_cbc_enc[u];
+ }
+
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
+ mbedtls_printf("skipped\n");
+ continue;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ for (j = 0; j < 10000; j++) {
+ if (mode == MBEDTLS_AES_ENCRYPT) {
+ unsigned char tmp[16];
+
+ memcpy(tmp, prv, 16);
+ memcpy(prv, buf, 16);
+ memcpy(buf, tmp, 16);
+ }
+
+ ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ }
+
+ if (memcmp(buf, aes_tests, 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ /*
+ * CFB128 mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_cfb128_key) / sizeof(*aes_test_cfb128_key);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ keybits = 128 + u * 64;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(iv, aes_test_cfb128_iv, 16);
+ memcpy(key, aes_test_cfb128_key[u], keybits / 8);
+
+ offset = 0;
+ ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
+ mbedtls_printf("skipped\n");
+ continue;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ memcpy(buf, aes_test_cfb128_ct[u], 64);
+ aes_tests = aes_test_cfb128_pt;
+ } else {
+ memcpy(buf, aes_test_cfb128_pt, 64);
+ aes_tests = aes_test_cfb128_ct[u];
+ }
+
+ ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, aes_tests, 64) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ /*
+ * OFB mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_ofb_key) / sizeof(*aes_test_ofb_key);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ keybits = 128 + u * 64;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(iv, aes_test_ofb_iv, 16);
+ memcpy(key, aes_test_ofb_key[u], keybits / 8);
+
+ offset = 0;
+ ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
+ mbedtls_printf("skipped\n");
+ continue;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ memcpy(buf, aes_test_ofb_ct[u], 64);
+ aes_tests = aes_test_ofb_pt;
+ } else {
+ memcpy(buf, aes_test_ofb_pt, 64);
+ aes_tests = aes_test_ofb_ct[u];
+ }
+
+ ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, aes_tests, 64) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ /*
+ * CTR mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_ctr_key) / sizeof(*aes_test_ctr_key);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ u = i >> 1;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-CTR-128 (%s): ",
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
+ memcpy(key, aes_test_ctr_key[u], 16);
+
+ offset = 0;
+ if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
+ goto exit;
+ }
+
+ len = aes_test_ctr_len[u];
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ memcpy(buf, aes_test_ctr_ct[u], len);
+ aes_tests = aes_test_ctr_pt[u];
+ } else {
+ memcpy(buf, aes_test_ctr_pt[u], len);
+ aes_tests = aes_test_ctr_ct[u];
+ }
+
+ ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
+ stream_block, buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, aes_tests, len) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ /*
+ * XTS mode
+ */
+ {
+ static const int num_tests =
+ sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
+ mbedtls_aes_xts_context ctx_xts;
+
+ mbedtls_aes_xts_init(&ctx_xts);
+
+ for (i = 0; i < num_tests << 1; i++) {
+ const unsigned char *data_unit;
+ u = i >> 1;
+ mode = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-XTS-128 (%s): ",
+ (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memset(key, 0, sizeof(key));
+ memcpy(key, aes_test_xts_key[u], 32);
+ data_unit = aes_test_xts_data_unit[u];
+
+ len = sizeof(*aes_test_xts_ct32);
+
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
+ if (ret != 0) {
+ goto exit;
+ }
+ memcpy(buf, aes_test_xts_ct32[u], len);
+ aes_tests = aes_test_xts_pt32[u];
+ } else {
+ ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
+ if (ret != 0) {
+ goto exit;
+ }
+ memcpy(buf, aes_test_xts_pt32[u], len);
+ aes_tests = aes_test_xts_ct32[u];
+ }
+
+
+ ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
+ buf, buf);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, aes_tests, len) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ mbedtls_aes_xts_free(&ctx_xts);
+ }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+ ret = 0;
+
+exit:
+ if (ret != 0 && verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ mbedtls_aes_free(&ctx);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_AES_C */
diff --git a/library/aesce.c b/library/aesce.c
new file mode 100644
index 0000000..6a9e0a1
--- /dev/null
+++ b/library/aesce.c
@@ -0,0 +1,618 @@
+/*
+ * Armv8-A Cryptographic Extension support functions for Aarch64
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#if defined(__clang__) && (__clang_major__ >= 4)
+
+/* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if,
+ * but that is defined by build_info.h, and we need this block to happen first. */
+#if defined(__ARM_ARCH)
+#if __ARM_ARCH >= 8
+#define MBEDTLS_AESCE_ARCH_IS_ARMV8_A
+#endif
+#endif
+
+#if defined(MBEDTLS_AESCE_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO)
+/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
+ *
+ * The intrinsic declaration are guarded by predefined ACLE macros in clang:
+ * these are normally only enabled by the -march option on the command line.
+ * By defining the macros ourselves we gain access to those declarations without
+ * requiring -march on the command line.
+ *
+ * `arm_neon.h` is included by common.h, so we put these defines
+ * at the top of this file, before any includes.
+ */
+#define __ARM_FEATURE_CRYPTO 1
+/* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
+ *
+ * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
+ * for older compilers.
+ */
+#define __ARM_FEATURE_AES 1
+#define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
+#endif
+
+#endif /* defined(__clang__) && (__clang_major__ >= 4) */
+
+#include <string.h>
+#include "common.h"
+
+#if defined(MBEDTLS_AESCE_C)
+
+#include "aesce.h"
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+
+/* Compiler version checks. */
+#if defined(__clang__)
+# if defined(MBEDTLS_ARCH_IS_ARM32) && (__clang_major__ < 11)
+# error "Minimum version of Clang for MBEDTLS_AESCE_C on 32-bit Arm or Thumb is 11.0."
+# elif defined(MBEDTLS_ARCH_IS_ARM64) && (__clang_major__ < 4)
+# error "Minimum version of Clang for MBEDTLS_AESCE_C on aarch64 is 4.0."
+# endif
+#elif defined(__GNUC__)
+# if __GNUC__ < 6
+# error "Minimum version of GCC for MBEDTLS_AESCE_C is 6.0."
+# endif
+#elif defined(_MSC_VER)
+/* TODO: We haven't verified MSVC from 1920 to 1928. If someone verified that,
+ * please update this and document of `MBEDTLS_AESCE_C` in
+ * `mbedtls_config.h`. */
+# if _MSC_VER < 1929
+# error "Minimum version of MSVC for MBEDTLS_AESCE_C is 2019 version 16.11.2."
+# endif
+#elif defined(__ARMCC_VERSION)
+# if defined(MBEDTLS_ARCH_IS_ARM32) && (__ARMCC_VERSION < 6200002)
+/* TODO: We haven't verified armclang for 32-bit Arm/Thumb prior to 6.20.
+ * If someone verified that, please update this and document of
+ * `MBEDTLS_AESCE_C` in `mbedtls_config.h`. */
+# error "Minimum version of armclang for MBEDTLS_AESCE_C on 32-bit Arm is 6.20."
+# elif defined(MBEDTLS_ARCH_IS_ARM64) && (__ARMCC_VERSION < 6060000)
+# error "Minimum version of armclang for MBEDTLS_AESCE_C on aarch64 is 6.6."
+# endif
+#endif
+
+#if !(defined(__ARM_FEATURE_CRYPTO) || defined(__ARM_FEATURE_AES)) || \
+ defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
+# if defined(__ARMCOMPILER_VERSION)
+# if __ARMCOMPILER_VERSION <= 6090000
+# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_AESCE_C"
+# else
+# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# elif defined(__clang__)
+# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# elif defined(__GNUC__)
+# pragma GCC push_options
+# pragma GCC target ("+crypto")
+# define MBEDTLS_POP_TARGET_PRAGMA
+# elif defined(_MSC_VER)
+# error "Required feature(__ARM_FEATURE_AES) is not enabled."
+# endif
+#endif /* !(__ARM_FEATURE_CRYPTO || __ARM_FEATURE_AES) ||
+ MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG */
+
+#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+
+#include <sys/auxv.h>
+#if !defined(HWCAP_NEON)
+#define HWCAP_NEON (1 << 12)
+#endif
+#if !defined(HWCAP2_AES)
+#define HWCAP2_AES (1 << 0)
+#endif
+#if !defined(HWCAP_AES)
+#define HWCAP_AES (1 << 3)
+#endif
+#if !defined(HWCAP_ASIMD)
+#define HWCAP_ASIMD (1 << 1)
+#endif
+
+signed char mbedtls_aesce_has_support_result = -1;
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+/*
+ * AES instruction support detection routine
+ */
+int mbedtls_aesce_has_support_impl(void)
+{
+ /* To avoid many calls to getauxval, cache the result. This is
+ * thread-safe, because we store the result in a char so cannot
+ * be vulnerable to non-atomic updates.
+ * It is possible that we could end up setting result more than
+ * once, but that is harmless.
+ */
+ if (mbedtls_aesce_has_support_result == -1) {
+#if defined(MBEDTLS_ARCH_IS_ARM32)
+ unsigned long auxval = getauxval(AT_HWCAP);
+ unsigned long auxval2 = getauxval(AT_HWCAP2);
+ if (((auxval & HWCAP_NEON) == HWCAP_NEON) &&
+ ((auxval2 & HWCAP2_AES) == HWCAP2_AES)) {
+ mbedtls_aesce_has_support_result = 1;
+ } else {
+ mbedtls_aesce_has_support_result = 0;
+ }
+#else
+ unsigned long auxval = getauxval(AT_HWCAP);
+ if ((auxval & (HWCAP_ASIMD | HWCAP_AES)) ==
+ (HWCAP_ASIMD | HWCAP_AES)) {
+ mbedtls_aesce_has_support_result = 1;
+ } else {
+ mbedtls_aesce_has_support_result = 0;
+ }
+#endif
+ }
+ return mbedtls_aesce_has_support_result;
+}
+#endif
+
+#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
+
+/* Single round of AESCE encryption */
+#define AESCE_ENCRYPT_ROUND \
+ block = vaeseq_u8(block, vld1q_u8(keys)); \
+ block = vaesmcq_u8(block); \
+ keys += 16
+/* Two rounds of AESCE encryption */
+#define AESCE_ENCRYPT_ROUND_X2 AESCE_ENCRYPT_ROUND; AESCE_ENCRYPT_ROUND
+
+MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+static uint8x16_t aesce_encrypt_block(uint8x16_t block,
+ unsigned char *keys,
+ int rounds)
+{
+ /* 10, 12 or 14 rounds. Unroll loop. */
+ if (rounds == 10) {
+ goto rounds_10;
+ }
+ if (rounds == 12) {
+ goto rounds_12;
+ }
+ AESCE_ENCRYPT_ROUND_X2;
+rounds_12:
+ AESCE_ENCRYPT_ROUND_X2;
+rounds_10:
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND;
+
+ /* AES AddRoundKey for the previous round.
+ * SubBytes, ShiftRows for the final round. */
+ block = vaeseq_u8(block, vld1q_u8(keys));
+ keys += 16;
+
+ /* Final round: no MixColumns */
+
+ /* Final AddRoundKey */
+ block = veorq_u8(block, vld1q_u8(keys));
+
+ return block;
+}
+
+/* Single round of AESCE decryption
+ *
+ * AES AddRoundKey, SubBytes, ShiftRows
+ *
+ * block = vaesdq_u8(block, vld1q_u8(keys));
+ *
+ * AES inverse MixColumns for the next round.
+ *
+ * This means that we switch the order of the inverse AddRoundKey and
+ * inverse MixColumns operations. We have to do this as AddRoundKey is
+ * done in an atomic instruction together with the inverses of SubBytes
+ * and ShiftRows.
+ *
+ * It works because MixColumns is a linear operation over GF(2^8) and
+ * AddRoundKey is an exclusive or, which is equivalent to addition over
+ * GF(2^8). (The inverse of MixColumns needs to be applied to the
+ * affected round keys separately which has been done when the
+ * decryption round keys were calculated.)
+ *
+ * block = vaesimcq_u8(block);
+ */
+#define AESCE_DECRYPT_ROUND \
+ block = vaesdq_u8(block, vld1q_u8(keys)); \
+ block = vaesimcq_u8(block); \
+ keys += 16
+/* Two rounds of AESCE decryption */
+#define AESCE_DECRYPT_ROUND_X2 AESCE_DECRYPT_ROUND; AESCE_DECRYPT_ROUND
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static uint8x16_t aesce_decrypt_block(uint8x16_t block,
+ unsigned char *keys,
+ int rounds)
+{
+ /* 10, 12 or 14 rounds. Unroll loop. */
+ if (rounds == 10) {
+ goto rounds_10;
+ }
+ if (rounds == 12) {
+ goto rounds_12;
+ }
+ AESCE_DECRYPT_ROUND_X2;
+rounds_12:
+ AESCE_DECRYPT_ROUND_X2;
+rounds_10:
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND;
+
+ /* The inverses of AES AddRoundKey, SubBytes, ShiftRows finishing up the
+ * last full round. */
+ block = vaesdq_u8(block, vld1q_u8(keys));
+ keys += 16;
+
+ /* Inverse AddRoundKey for inverting the initial round key addition. */
+ block = veorq_u8(block, vld1q_u8(keys));
+
+ return block;
+}
+#endif
+
+/*
+ * AES-ECB block en(de)cryption
+ */
+int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ uint8x16_t block = vld1q_u8(&input[0]);
+ unsigned char *keys = (unsigned char *) (ctx->buf + ctx->rk_offset);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ block = aesce_decrypt_block(block, keys, ctx->nr);
+ } else
+#else
+ (void) mode;
+#endif
+ {
+ block = aesce_encrypt_block(block, keys, ctx->nr);
+ }
+ vst1q_u8(&output[0], block);
+
+ return 0;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+void mbedtls_aesce_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey,
+ int nr)
+{
+ int i, j;
+ j = nr;
+ vst1q_u8(invkey, vld1q_u8(fwdkey + j * 16));
+ for (i = 1, j--; j > 0; i++, j--) {
+ vst1q_u8(invkey + i * 16,
+ vaesimcq_u8(vld1q_u8(fwdkey + j * 16)));
+ }
+ vst1q_u8(invkey + i * 16, vld1q_u8(fwdkey + j * 16));
+
+}
+#endif
+
+static inline uint32_t aes_rot_word(uint32_t word)
+{
+ return (word << (32 - 8)) | (word >> 8);
+}
+
+static inline uint32_t aes_sub_word(uint32_t in)
+{
+ uint8x16_t v = vreinterpretq_u8_u32(vdupq_n_u32(in));
+ uint8x16_t zero = vdupq_n_u8(0);
+
+ /* vaeseq_u8 does both SubBytes and ShiftRows. Taking the first row yields
+ * the correct result as ShiftRows doesn't change the first row. */
+ v = vaeseq_u8(zero, v);
+ return vgetq_lane_u32(vreinterpretq_u32_u8(v), 0);
+}
+
+/*
+ * Key expansion function
+ */
+static void aesce_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ const size_t key_bit_length)
+{
+ static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10,
+ 0x20, 0x40, 0x80, 0x1b, 0x36 };
+ /* See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
+ * - Section 5, Nr = Nk + 6
+ * - Section 5.2, the length of round keys is Nb*(Nr+1)
+ */
+ const size_t key_len_in_words = key_bit_length / 32; /* Nk */
+ const size_t round_key_len_in_words = 4; /* Nb */
+ const size_t rounds_needed = key_len_in_words + 6; /* Nr */
+ const size_t round_keys_len_in_words =
+ round_key_len_in_words * (rounds_needed + 1); /* Nb*(Nr+1) */
+ const uint32_t *rko_end = (uint32_t *) rk + round_keys_len_in_words;
+
+ memcpy(rk, key, key_len_in_words * 4);
+
+ for (uint32_t *rki = (uint32_t *) rk;
+ rki + key_len_in_words < rko_end;
+ rki += key_len_in_words) {
+
+ size_t iteration = (size_t) (rki - (uint32_t *) rk) / key_len_in_words;
+ uint32_t *rko;
+ rko = rki + key_len_in_words;
+ rko[0] = aes_rot_word(aes_sub_word(rki[key_len_in_words - 1]));
+ rko[0] ^= rcon[iteration] ^ rki[0];
+ rko[1] = rko[0] ^ rki[1];
+ rko[2] = rko[1] ^ rki[2];
+ rko[3] = rko[2] ^ rki[3];
+ if (rko + key_len_in_words > rko_end) {
+ /* Do not write overflow words.*/
+ continue;
+ }
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ switch (key_bit_length) {
+ case 128:
+ break;
+ case 192:
+ rko[4] = rko[3] ^ rki[4];
+ rko[5] = rko[4] ^ rki[5];
+ break;
+ case 256:
+ rko[4] = aes_sub_word(rko[3]) ^ rki[4];
+ rko[5] = rko[4] ^ rki[5];
+ rko[6] = rko[5] ^ rki[6];
+ rko[7] = rko[6] ^ rki[7];
+ break;
+ }
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+ }
+}
+
+/*
+ * Key expansion, wrapper
+ */
+int mbedtls_aesce_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ size_t bits)
+{
+ switch (bits) {
+ case 128:
+ case 192:
+ case 256:
+ aesce_setkey_enc(rk, key, bits);
+ break;
+ default:
+ return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_GCM_C)
+
+#if defined(MBEDTLS_ARCH_IS_ARM32)
+
+#if defined(__clang__)
+/* On clang for A32/T32, work around some missing intrinsics and types which are listed in
+ * [ACLE](https://arm-software.github.io/acle/neon_intrinsics/advsimd.html#polynomial-1)
+ * These are only required for GCM.
+ */
+#define vreinterpretq_u64_p64(a) ((uint64x2_t) a)
+
+typedef uint8x16_t poly128_t;
+
+static inline poly128_t vmull_p64(poly64_t a, poly64_t b)
+{
+ poly128_t r;
+ asm ("vmull.p64 %[r], %[a], %[b]" : [r] "=w" (r) : [a] "w" (a), [b] "w" (b) :);
+ return r;
+}
+
+/* This is set to cause some more missing intrinsics to be defined below */
+#define COMMON_MISSING_INTRINSICS
+
+static inline poly128_t vmull_high_p64(poly64x2_t a, poly64x2_t b)
+{
+ return vmull_p64((poly64_t) (vget_high_u64((uint64x2_t) a)),
+ (poly64_t) (vget_high_u64((uint64x2_t) b)));
+}
+
+#endif /* defined(__clang__) */
+
+static inline uint8x16_t vrbitq_u8(uint8x16_t x)
+{
+ /* There is no vrbitq_u8 instruction in A32/T32, so provide
+ * an equivalent non-Neon implementation. Reverse bit order in each
+ * byte with 4x rbit, rev. */
+ asm ("ldm %[p], { r2-r5 } \n\t"
+ "rbit r2, r2 \n\t"
+ "rev r2, r2 \n\t"
+ "rbit r3, r3 \n\t"
+ "rev r3, r3 \n\t"
+ "rbit r4, r4 \n\t"
+ "rev r4, r4 \n\t"
+ "rbit r5, r5 \n\t"
+ "rev r5, r5 \n\t"
+ "stm %[p], { r2-r5 } \n\t"
+ :
+ /* Output: 16 bytes of memory pointed to by &x */
+ "+m" (*(uint8_t(*)[16]) &x)
+ :
+ [p] "r" (&x)
+ :
+ "r2", "r3", "r4", "r5"
+ );
+ return x;
+}
+
+#endif /* defined(MBEDTLS_ARCH_IS_ARM32) */
+
+#if defined(MBEDTLS_COMPILER_IS_GCC) && __GNUC__ == 5
+/* Some intrinsics are not available for GCC 5.X. */
+#define COMMON_MISSING_INTRINSICS
+#endif /* MBEDTLS_COMPILER_IS_GCC && __GNUC__ == 5 */
+
+
+#if defined(COMMON_MISSING_INTRINSICS)
+
+/* Missing intrinsics common to both GCC 5, and Clang on 32-bit */
+
+#define vreinterpretq_p64_u8(a) ((poly64x2_t) a)
+#define vreinterpretq_u8_p128(a) ((uint8x16_t) a)
+
+static inline poly64x1_t vget_low_p64(poly64x2_t a)
+{
+ uint64x1_t r = vget_low_u64(vreinterpretq_u64_p64(a));
+ return (poly64x1_t) r;
+
+}
+
+#endif /* COMMON_MISSING_INTRINSICS */
+
+/* vmull_p64/vmull_high_p64 wrappers.
+ *
+ * Older compilers miss some intrinsic functions for `poly*_t`. We use
+ * uint8x16_t and uint8x16x3_t as input/output parameters.
+ */
+#if defined(MBEDTLS_COMPILER_IS_GCC)
+/* GCC reports incompatible type error without cast. GCC think poly64_t and
+ * poly64x1_t are different, that is different with MSVC and Clang. */
+#define MBEDTLS_VMULL_P64(a, b) vmull_p64((poly64_t) a, (poly64_t) b)
+#else
+/* MSVC reports `error C2440: 'type cast'` with cast. Clang does not report
+ * error with/without cast. And I think poly64_t and poly64x1_t are same, no
+ * cast for clang also. */
+#define MBEDTLS_VMULL_P64(a, b) vmull_p64(a, b)
+#endif /* MBEDTLS_COMPILER_IS_GCC */
+
+static inline uint8x16_t pmull_low(uint8x16_t a, uint8x16_t b)
+{
+
+ return vreinterpretq_u8_p128(
+ MBEDTLS_VMULL_P64(
+ (poly64_t) vget_low_p64(vreinterpretq_p64_u8(a)),
+ (poly64_t) vget_low_p64(vreinterpretq_p64_u8(b))
+ ));
+}
+
+static inline uint8x16_t pmull_high(uint8x16_t a, uint8x16_t b)
+{
+ return vreinterpretq_u8_p128(
+ vmull_high_p64(vreinterpretq_p64_u8(a),
+ vreinterpretq_p64_u8(b)));
+}
+
+/* GHASH does 128b polynomial multiplication on block in GF(2^128) defined by
+ * `x^128 + x^7 + x^2 + x + 1`.
+ *
+ * Arm64 only has 64b->128b polynomial multipliers, we need to do 4 64b
+ * multiplies to generate a 128b.
+ *
+ * `poly_mult_128` executes polynomial multiplication and outputs 256b that
+ * represented by 3 128b due to code size optimization.
+ *
+ * Output layout:
+ * | | | |
+ * |------------|-------------|-------------|
+ * | ret.val[0] | h3:h2:00:00 | high 128b |
+ * | ret.val[1] | :m2:m1:00 | middle 128b |
+ * | ret.val[2] | : :l1:l0 | low 128b |
+ */
+static inline uint8x16x3_t poly_mult_128(uint8x16_t a, uint8x16_t b)
+{
+ uint8x16x3_t ret;
+ uint8x16_t h, m, l; /* retval high/middle/low */
+ uint8x16_t c, d, e;
+
+ h = pmull_high(a, b); /* h3:h2:00:00 = a1*b1 */
+ l = pmull_low(a, b); /* : :l1:l0 = a0*b0 */
+ c = vextq_u8(b, b, 8); /* :c1:c0 = b0:b1 */
+ d = pmull_high(a, c); /* :d2:d1:00 = a1*b0 */
+ e = pmull_low(a, c); /* :e2:e1:00 = a0*b1 */
+ m = veorq_u8(d, e); /* :m2:m1:00 = d + e */
+
+ ret.val[0] = h;
+ ret.val[1] = m;
+ ret.val[2] = l;
+ return ret;
+}
+
+/*
+ * Modulo reduction.
+ *
+ * See: https://www.researchgate.net/publication/285612706_Implementing_GCM_on_ARMv8
+ *
+ * Section 4.3
+ *
+ * Modular reduction is slightly more complex. Write the GCM modulus as f(z) =
+ * z^128 +r(z), where r(z) = z^7+z^2+z+ 1. The well known approach is to
+ * consider that z^128 ≡r(z) (mod z^128 +r(z)), allowing us to write the 256-bit
+ * operand to be reduced as a(z) = h(z)z^128 +l(z)≡h(z)r(z) + l(z). That is, we
+ * simply multiply the higher part of the operand by r(z) and add it to l(z). If
+ * the result is still larger than 128 bits, we reduce again.
+ */
+static inline uint8x16_t poly_mult_reduce(uint8x16x3_t input)
+{
+ uint8x16_t const ZERO = vdupq_n_u8(0);
+
+ uint64x2_t r = vreinterpretq_u64_u8(vdupq_n_u8(0x87));
+#if defined(__GNUC__)
+ /* use 'asm' as an optimisation barrier to prevent loading MODULO from
+ * memory. It is for GNUC compatible compilers.
+ */
+ asm volatile ("" : "+w" (r));
+#endif
+ uint8x16_t const MODULO = vreinterpretq_u8_u64(vshrq_n_u64(r, 64 - 8));
+ uint8x16_t h, m, l; /* input high/middle/low 128b */
+ uint8x16_t c, d, e, f, g, n, o;
+ h = input.val[0]; /* h3:h2:00:00 */
+ m = input.val[1]; /* :m2:m1:00 */
+ l = input.val[2]; /* : :l1:l0 */
+ c = pmull_high(h, MODULO); /* :c2:c1:00 = reduction of h3 */
+ d = pmull_low(h, MODULO); /* : :d1:d0 = reduction of h2 */
+ e = veorq_u8(c, m); /* :e2:e1:00 = m2:m1:00 + c2:c1:00 */
+ f = pmull_high(e, MODULO); /* : :f1:f0 = reduction of e2 */
+ g = vextq_u8(ZERO, e, 8); /* : :g1:00 = e1:00 */
+ n = veorq_u8(d, l); /* : :n1:n0 = d1:d0 + l1:l0 */
+ o = veorq_u8(n, f); /* o1:o0 = f1:f0 + n1:n0 */
+ return veorq_u8(o, g); /* = o1:o0 + g1:00 */
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ */
+void mbedtls_aesce_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16])
+{
+ uint8x16_t va, vb, vc;
+ va = vrbitq_u8(vld1q_u8(&a[0]));
+ vb = vrbitq_u8(vld1q_u8(&b[0]));
+ vc = vrbitq_u8(poly_mult_reduce(poly_mult_128(va, vb)));
+ vst1q_u8(&c[0], vc);
+}
+
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_POP_TARGET_PRAGMA)
+#if defined(__clang__)
+#pragma clang attribute pop
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
+#undef MBEDTLS_POP_TARGET_PRAGMA
+#endif
+
+#endif /* MBEDTLS_AESCE_HAVE_CODE */
+
+#endif /* MBEDTLS_AESCE_C */
diff --git a/library/aesce.h b/library/aesce.h
new file mode 100644
index 0000000..a14d085
--- /dev/null
+++ b/library/aesce.h
@@ -0,0 +1,136 @@
+/**
+ * \file aesce.h
+ *
+ * \brief Support hardware AES acceleration on Armv8-A processors with
+ * the Armv8-A Cryptographic Extension.
+ *
+ * \warning These functions are only for internal use by other library
+ * functions; you must not call them directly.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_AESCE_H
+#define MBEDTLS_AESCE_H
+
+#include "mbedtls/build_info.h"
+#include "common.h"
+
+#include "mbedtls/aes.h"
+
+
+#if defined(MBEDTLS_AESCE_C) \
+ && defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_HAVE_NEON_INTRINSICS) \
+ && (defined(MBEDTLS_COMPILER_IS_GCC) || defined(__clang__) || defined(MSC_VER))
+
+/* MBEDTLS_AESCE_HAVE_CODE is defined if we have a suitable target platform, and a
+ * potentially suitable compiler (compiler version & flags are not checked when defining
+ * this). */
+#define MBEDTLS_AESCE_HAVE_CODE
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+
+extern signed char mbedtls_aesce_has_support_result;
+
+/**
+ * \brief Internal function to detect the crypto extension in CPUs.
+ *
+ * \return 1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_aesce_has_support_impl(void);
+
+#define MBEDTLS_AESCE_HAS_SUPPORT() (mbedtls_aesce_has_support_result == -1 ? \
+ mbedtls_aesce_has_support_impl() : \
+ mbedtls_aesce_has_support_result)
+
+#else /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
+
+/* If we are not on Linux, we can't detect support so assume that it's supported.
+ * Similarly, assume support if MBEDTLS_AES_USE_HARDWARE_ONLY is set.
+ */
+#define MBEDTLS_AESCE_HAS_SUPPORT() 1
+
+#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
+
+/**
+ * \brief Internal AES-ECB block encryption and decryption
+ *
+ * \warning This assumes that the context specifies either 10, 12 or 14
+ * rounds and will behave incorrectly if this is not the case.
+ *
+ * \param ctx AES context
+ * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input 16-byte input block
+ * \param output 16-byte output block
+ *
+ * \return 0 on success (cannot fail)
+ */
+int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16]);
+
+/**
+ * \brief Internal GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param c Result
+ * \param a First operand
+ * \param b Second operand
+ *
+ * \note Both operands and result are bit strings interpreted as
+ * elements of GF(2^128) as per the GCM spec.
+ */
+void mbedtls_aesce_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16]);
+
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+/**
+ * \brief Internal round key inversion. This function computes
+ * decryption round keys from the encryption round keys.
+ *
+ * \param invkey Round keys for the equivalent inverse cipher
+ * \param fwdkey Original round keys (for encryption)
+ * \param nr Number of rounds (that is, number of round keys minus one)
+ */
+void mbedtls_aesce_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey,
+ int nr);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/**
+ * \brief Internal key expansion for encryption
+ *
+ * \param rk Destination buffer where the round keys are written
+ * \param key Encryption key
+ * \param bits Key size in bits (must be 128, 192 or 256)
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+ */
+int mbedtls_aesce_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ size_t bits);
+
+#ifdef __cplusplus
+}
+#endif
+
+#else
+
+#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && defined(MBEDTLS_ARCH_IS_ARMV8_A)
+#error "AES hardware acceleration not supported on this platform / compiler"
+#endif
+
+#endif /* MBEDTLS_AESCE_C && MBEDTLS_ARCH_IS_ARMV8_A && MBEDTLS_HAVE_NEON_INTRINSICS &&
+ (MBEDTLS_COMPILER_IS_GCC || __clang__ || MSC_VER) */
+
+#endif /* MBEDTLS_AESCE_H */
diff --git a/library/aesni.c b/library/aesni.c
new file mode 100644
index 0000000..8e5bd55
--- /dev/null
+++ b/library/aesni.c
@@ -0,0 +1,835 @@
+/*
+ * AES-NI support functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * [AES-WP] https://www.intel.com/content/www/us/en/developer/articles/tool/intel-advanced-encryption-standard-aes-instructions-set.html
+ * [CLMUL-WP] https://www.intel.com/content/www/us/en/develop/download/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode.html
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_AESNI_C)
+
+#include "aesni.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+
+#if MBEDTLS_AESNI_HAVE_CODE == 2
+#if defined(__GNUC__)
+#include <cpuid.h>
+#elif defined(_MSC_VER)
+#include <intrin.h>
+#else
+#error "`__cpuid` required by MBEDTLS_AESNI_C is not supported by the compiler"
+#endif
+#include <immintrin.h>
+#endif
+
+#if defined(MBEDTLS_ARCH_IS_X86)
+#if defined(MBEDTLS_COMPILER_IS_GCC)
+#pragma GCC push_options
+#pragma GCC target ("pclmul,sse2,aes")
+#define MBEDTLS_POP_TARGET_PRAGMA
+#elif defined(__clang__) && (__clang_major__ >= 5)
+#pragma clang attribute push (__attribute__((target("pclmul,sse2,aes"))), apply_to=function)
+#define MBEDTLS_POP_TARGET_PRAGMA
+#endif
+#endif
+
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+/*
+ * AES-NI support detection routine
+ */
+int mbedtls_aesni_has_support(unsigned int what)
+{
+ static int done = 0;
+ static unsigned int c = 0;
+
+ if (!done) {
+#if MBEDTLS_AESNI_HAVE_CODE == 2
+ static int info[4] = { 0, 0, 0, 0 };
+#if defined(_MSC_VER)
+ __cpuid(info, 1);
+#else
+ __cpuid(1, info[0], info[1], info[2], info[3]);
+#endif
+ c = info[2];
+#else /* AESNI using asm */
+ asm ("movl $1, %%eax \n\t"
+ "cpuid \n\t"
+ : "=c" (c)
+ :
+ : "eax", "ebx", "edx");
+#endif /* MBEDTLS_AESNI_HAVE_CODE */
+ done = 1;
+ }
+
+ return (c & what) != 0;
+}
+#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
+
+#if MBEDTLS_AESNI_HAVE_CODE == 2
+
+/*
+ * AES-NI AES-ECB block en(de)cryption
+ */
+int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ const __m128i *rk = (const __m128i *) (ctx->buf + ctx->rk_offset);
+ unsigned nr = ctx->nr; // Number of remaining rounds
+
+ // Load round key 0
+ __m128i state;
+ memcpy(&state, input, 16);
+ state = _mm_xor_si128(state, rk[0]); // state ^= *rk;
+ ++rk;
+ --nr;
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (mode == MBEDTLS_AES_DECRYPT) {
+ while (nr != 0) {
+ state = _mm_aesdec_si128(state, *rk);
+ ++rk;
+ --nr;
+ }
+ state = _mm_aesdeclast_si128(state, *rk);
+ } else
+#else
+ (void) mode;
+#endif
+ {
+ while (nr != 0) {
+ state = _mm_aesenc_si128(state, *rk);
+ ++rk;
+ --nr;
+ }
+ state = _mm_aesenclast_si128(state, *rk);
+ }
+
+ memcpy(output, &state, 16);
+ return 0;
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
+ */
+
+static void gcm_clmul(const __m128i aa, const __m128i bb,
+ __m128i *cc, __m128i *dd)
+{
+ /*
+ * Caryless multiplication dd:cc = aa * bb
+ * using [CLMUL-WP] algorithm 1 (p. 12).
+ */
+ *cc = _mm_clmulepi64_si128(aa, bb, 0x00); // a0*b0 = c1:c0
+ *dd = _mm_clmulepi64_si128(aa, bb, 0x11); // a1*b1 = d1:d0
+ __m128i ee = _mm_clmulepi64_si128(aa, bb, 0x10); // a0*b1 = e1:e0
+ __m128i ff = _mm_clmulepi64_si128(aa, bb, 0x01); // a1*b0 = f1:f0
+ ff = _mm_xor_si128(ff, ee); // e1+f1:e0+f0
+ ee = ff; // e1+f1:e0+f0
+ ff = _mm_srli_si128(ff, 8); // 0:e1+f1
+ ee = _mm_slli_si128(ee, 8); // e0+f0:0
+ *dd = _mm_xor_si128(*dd, ff); // d1:d0+e1+f1
+ *cc = _mm_xor_si128(*cc, ee); // c1+e0+f0:c0
+}
+
+static void gcm_shift(__m128i *cc, __m128i *dd)
+{
+ /* [CMUCL-WP] Algorithm 5 Step 1: shift cc:dd one bit to the left,
+ * taking advantage of [CLMUL-WP] eq 27 (p. 18). */
+ // // *cc = r1:r0
+ // // *dd = r3:r2
+ __m128i cc_lo = _mm_slli_epi64(*cc, 1); // r1<<1:r0<<1
+ __m128i dd_lo = _mm_slli_epi64(*dd, 1); // r3<<1:r2<<1
+ __m128i cc_hi = _mm_srli_epi64(*cc, 63); // r1>>63:r0>>63
+ __m128i dd_hi = _mm_srli_epi64(*dd, 63); // r3>>63:r2>>63
+ __m128i xmm5 = _mm_srli_si128(cc_hi, 8); // 0:r1>>63
+ cc_hi = _mm_slli_si128(cc_hi, 8); // r0>>63:0
+ dd_hi = _mm_slli_si128(dd_hi, 8); // 0:r1>>63
+
+ *cc = _mm_or_si128(cc_lo, cc_hi); // r1<<1|r0>>63:r0<<1
+ *dd = _mm_or_si128(_mm_or_si128(dd_lo, dd_hi), xmm5); // r3<<1|r2>>62:r2<<1|r1>>63
+}
+
+static __m128i gcm_reduce(__m128i xx)
+{
+ // // xx = x1:x0
+ /* [CLMUL-WP] Algorithm 5 Step 2 */
+ __m128i aa = _mm_slli_epi64(xx, 63); // x1<<63:x0<<63 = stuff:a
+ __m128i bb = _mm_slli_epi64(xx, 62); // x1<<62:x0<<62 = stuff:b
+ __m128i cc = _mm_slli_epi64(xx, 57); // x1<<57:x0<<57 = stuff:c
+ __m128i dd = _mm_slli_si128(_mm_xor_si128(_mm_xor_si128(aa, bb), cc), 8); // a+b+c:0
+ return _mm_xor_si128(dd, xx); // x1+a+b+c:x0 = d:x0
+}
+
+static __m128i gcm_mix(__m128i dx)
+{
+ /* [CLMUL-WP] Algorithm 5 Steps 3 and 4 */
+ __m128i ee = _mm_srli_epi64(dx, 1); // e1:x0>>1 = e1:e0'
+ __m128i ff = _mm_srli_epi64(dx, 2); // f1:x0>>2 = f1:f0'
+ __m128i gg = _mm_srli_epi64(dx, 7); // g1:x0>>7 = g1:g0'
+
+ // e0'+f0'+g0' is almost e0+f0+g0, except for some missing
+ // bits carried from d. Now get those bits back in.
+ __m128i eh = _mm_slli_epi64(dx, 63); // d<<63:stuff
+ __m128i fh = _mm_slli_epi64(dx, 62); // d<<62:stuff
+ __m128i gh = _mm_slli_epi64(dx, 57); // d<<57:stuff
+ __m128i hh = _mm_srli_si128(_mm_xor_si128(_mm_xor_si128(eh, fh), gh), 8); // 0:missing bits of d
+
+ return _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(_mm_xor_si128(ee, ff), gg), hh), dx);
+}
+
+void mbedtls_aesni_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16])
+{
+ __m128i aa = { 0 }, bb = { 0 }, cc, dd;
+
+ /* The inputs are in big-endian order, so byte-reverse them */
+ for (size_t i = 0; i < 16; i++) {
+ ((uint8_t *) &aa)[i] = a[15 - i];
+ ((uint8_t *) &bb)[i] = b[15 - i];
+ }
+
+ gcm_clmul(aa, bb, &cc, &dd);
+ gcm_shift(&cc, &dd);
+ /*
+ * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
+ * using [CLMUL-WP] algorithm 5 (p. 18).
+ * Currently dd:cc holds x3:x2:x1:x0 (already shifted).
+ */
+ __m128i dx = gcm_reduce(cc);
+ __m128i xh = gcm_mix(dx);
+ cc = _mm_xor_si128(xh, dd); // x3+h1:x2+h0
+
+ /* Now byte-reverse the outputs */
+ for (size_t i = 0; i < 16; i++) {
+ c[i] = ((uint8_t *) &cc)[15 - i];
+ }
+
+ return;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+void mbedtls_aesni_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey, int nr)
+{
+ __m128i *ik = (__m128i *) invkey;
+ const __m128i *fk = (const __m128i *) fwdkey + nr;
+
+ *ik = *fk;
+ for (--fk, ++ik; fk > (const __m128i *) fwdkey; --fk, ++ik) {
+ *ik = _mm_aesimc_si128(*fk);
+ }
+ *ik = *fk;
+}
+#endif
+
+/*
+ * Key expansion, 128-bit case
+ */
+static __m128i aesni_set_rk_128(__m128i state, __m128i xword)
+{
+ /*
+ * Finish generating the next round key.
+ *
+ * On entry state is r3:r2:r1:r0 and xword is X:stuff:stuff:stuff
+ * with X = rot( sub( r3 ) ) ^ RCON (obtained with AESKEYGENASSIST).
+ *
+ * On exit, xword is r7:r6:r5:r4
+ * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
+ * and this is returned, to be written to the round key buffer.
+ */
+ xword = _mm_shuffle_epi32(xword, 0xff); // X:X:X:X
+ xword = _mm_xor_si128(xword, state); // X+r3:X+r2:X+r1:r4
+ state = _mm_slli_si128(state, 4); // r2:r1:r0:0
+ xword = _mm_xor_si128(xword, state); // X+r3+r2:X+r2+r1:r5:r4
+ state = _mm_slli_si128(state, 4); // r1:r0:0:0
+ xword = _mm_xor_si128(xword, state); // X+r3+r2+r1:r6:r5:r4
+ state = _mm_slli_si128(state, 4); // r0:0:0:0
+ state = _mm_xor_si128(xword, state); // r7:r6:r5:r4
+ return state;
+}
+
+static void aesni_setkey_enc_128(unsigned char *rk_bytes,
+ const unsigned char *key)
+{
+ __m128i *rk = (__m128i *) rk_bytes;
+
+ memcpy(&rk[0], key, 16);
+ rk[1] = aesni_set_rk_128(rk[0], _mm_aeskeygenassist_si128(rk[0], 0x01));
+ rk[2] = aesni_set_rk_128(rk[1], _mm_aeskeygenassist_si128(rk[1], 0x02));
+ rk[3] = aesni_set_rk_128(rk[2], _mm_aeskeygenassist_si128(rk[2], 0x04));
+ rk[4] = aesni_set_rk_128(rk[3], _mm_aeskeygenassist_si128(rk[3], 0x08));
+ rk[5] = aesni_set_rk_128(rk[4], _mm_aeskeygenassist_si128(rk[4], 0x10));
+ rk[6] = aesni_set_rk_128(rk[5], _mm_aeskeygenassist_si128(rk[5], 0x20));
+ rk[7] = aesni_set_rk_128(rk[6], _mm_aeskeygenassist_si128(rk[6], 0x40));
+ rk[8] = aesni_set_rk_128(rk[7], _mm_aeskeygenassist_si128(rk[7], 0x80));
+ rk[9] = aesni_set_rk_128(rk[8], _mm_aeskeygenassist_si128(rk[8], 0x1B));
+ rk[10] = aesni_set_rk_128(rk[9], _mm_aeskeygenassist_si128(rk[9], 0x36));
+}
+
+/*
+ * Key expansion, 192-bit case
+ */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static void aesni_set_rk_192(__m128i *state0, __m128i *state1, __m128i xword,
+ unsigned char *rk)
+{
+ /*
+ * Finish generating the next 6 quarter-keys.
+ *
+ * On entry state0 is r3:r2:r1:r0, state1 is stuff:stuff:r5:r4
+ * and xword is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON
+ * (obtained with AESKEYGENASSIST).
+ *
+ * On exit, state0 is r9:r8:r7:r6 and state1 is stuff:stuff:r11:r10
+ * and those are written to the round key buffer.
+ */
+ xword = _mm_shuffle_epi32(xword, 0x55); // X:X:X:X
+ xword = _mm_xor_si128(xword, *state0); // X+r3:X+r2:X+r1:X+r0
+ *state0 = _mm_slli_si128(*state0, 4); // r2:r1:r0:0
+ xword = _mm_xor_si128(xword, *state0); // X+r3+r2:X+r2+r1:X+r1+r0:X+r0
+ *state0 = _mm_slli_si128(*state0, 4); // r1:r0:0:0
+ xword = _mm_xor_si128(xword, *state0); // X+r3+r2+r1:X+r2+r1+r0:X+r1+r0:X+r0
+ *state0 = _mm_slli_si128(*state0, 4); // r0:0:0:0
+ xword = _mm_xor_si128(xword, *state0); // X+r3+r2+r1+r0:X+r2+r1+r0:X+r1+r0:X+r0
+ *state0 = xword; // = r9:r8:r7:r6
+
+ xword = _mm_shuffle_epi32(xword, 0xff); // r9:r9:r9:r9
+ xword = _mm_xor_si128(xword, *state1); // stuff:stuff:r9+r5:r9+r4
+ *state1 = _mm_slli_si128(*state1, 4); // stuff:stuff:r4:0
+ xword = _mm_xor_si128(xword, *state1); // stuff:stuff:r9+r5+r4:r9+r4
+ *state1 = xword; // = stuff:stuff:r11:r10
+
+ /* Store state0 and the low half of state1 into rk, which is conceptually
+ * an array of 24-byte elements. Since 24 is not a multiple of 16,
+ * rk is not necessarily aligned so just `*rk = *state0` doesn't work. */
+ memcpy(rk, state0, 16);
+ memcpy(rk + 16, state1, 8);
+}
+
+static void aesni_setkey_enc_192(unsigned char *rk,
+ const unsigned char *key)
+{
+ /* First round: use original key */
+ memcpy(rk, key, 24);
+ /* aes.c guarantees that rk is aligned on a 16-byte boundary. */
+ __m128i state0 = ((__m128i *) rk)[0];
+ __m128i state1 = _mm_loadl_epi64(((__m128i *) rk) + 1);
+
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x01), rk + 24 * 1);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x02), rk + 24 * 2);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x04), rk + 24 * 3);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x08), rk + 24 * 4);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x10), rk + 24 * 5);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x20), rk + 24 * 6);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x40), rk + 24 * 7);
+ aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x80), rk + 24 * 8);
+}
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+/*
+ * Key expansion, 256-bit case
+ */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static void aesni_set_rk_256(__m128i state0, __m128i state1, __m128i xword,
+ __m128i *rk0, __m128i *rk1)
+{
+ /*
+ * Finish generating the next two round keys.
+ *
+ * On entry state0 is r3:r2:r1:r0, state1 is r7:r6:r5:r4 and
+ * xword is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
+ * (obtained with AESKEYGENASSIST).
+ *
+ * On exit, *rk0 is r11:r10:r9:r8 and *rk1 is r15:r14:r13:r12
+ */
+ xword = _mm_shuffle_epi32(xword, 0xff);
+ xword = _mm_xor_si128(xword, state0);
+ state0 = _mm_slli_si128(state0, 4);
+ xword = _mm_xor_si128(xword, state0);
+ state0 = _mm_slli_si128(state0, 4);
+ xword = _mm_xor_si128(xword, state0);
+ state0 = _mm_slli_si128(state0, 4);
+ state0 = _mm_xor_si128(state0, xword);
+ *rk0 = state0;
+
+ /* Set xword to stuff:Y:stuff:stuff with Y = subword( r11 )
+ * and proceed to generate next round key from there */
+ xword = _mm_aeskeygenassist_si128(state0, 0x00);
+ xword = _mm_shuffle_epi32(xword, 0xaa);
+ xword = _mm_xor_si128(xword, state1);
+ state1 = _mm_slli_si128(state1, 4);
+ xword = _mm_xor_si128(xword, state1);
+ state1 = _mm_slli_si128(state1, 4);
+ xword = _mm_xor_si128(xword, state1);
+ state1 = _mm_slli_si128(state1, 4);
+ state1 = _mm_xor_si128(state1, xword);
+ *rk1 = state1;
+}
+
+static void aesni_setkey_enc_256(unsigned char *rk_bytes,
+ const unsigned char *key)
+{
+ __m128i *rk = (__m128i *) rk_bytes;
+
+ memcpy(&rk[0], key, 16);
+ memcpy(&rk[1], key + 16, 16);
+
+ /*
+ * Main "loop" - Generating one more key than necessary,
+ * see definition of mbedtls_aes_context.buf
+ */
+ aesni_set_rk_256(rk[0], rk[1], _mm_aeskeygenassist_si128(rk[1], 0x01), &rk[2], &rk[3]);
+ aesni_set_rk_256(rk[2], rk[3], _mm_aeskeygenassist_si128(rk[3], 0x02), &rk[4], &rk[5]);
+ aesni_set_rk_256(rk[4], rk[5], _mm_aeskeygenassist_si128(rk[5], 0x04), &rk[6], &rk[7]);
+ aesni_set_rk_256(rk[6], rk[7], _mm_aeskeygenassist_si128(rk[7], 0x08), &rk[8], &rk[9]);
+ aesni_set_rk_256(rk[8], rk[9], _mm_aeskeygenassist_si128(rk[9], 0x10), &rk[10], &rk[11]);
+ aesni_set_rk_256(rk[10], rk[11], _mm_aeskeygenassist_si128(rk[11], 0x20), &rk[12], &rk[13]);
+ aesni_set_rk_256(rk[12], rk[13], _mm_aeskeygenassist_si128(rk[13], 0x40), &rk[14], &rk[15]);
+}
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+#if defined(MBEDTLS_POP_TARGET_PRAGMA)
+#if defined(__clang__)
+#pragma clang attribute pop
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
+#undef MBEDTLS_POP_TARGET_PRAGMA
+#endif
+
+#else /* MBEDTLS_AESNI_HAVE_CODE == 1 */
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#warning \
+ "MBEDTLS_AESNI_C is known to cause spurious error reports with some memory sanitizers as they do not understand the assembly code."
+#endif
+#endif
+
+/*
+ * Binutils needs to be at least 2.19 to support AES-NI instructions.
+ * Unfortunately, a lot of users have a lower version now (2014-04).
+ * Emit bytecode directly in order to support "old" version of gas.
+ *
+ * Opcodes from the Intel architecture reference manual, vol. 3.
+ * We always use registers, so we don't need prefixes for memory operands.
+ * Operand macros are in gas order (src, dst) as opposed to Intel order
+ * (dst, src) in order to blend better into the surrounding assembly code.
+ */
+#define AESDEC(regs) ".byte 0x66,0x0F,0x38,0xDE," regs "\n\t"
+#define AESDECLAST(regs) ".byte 0x66,0x0F,0x38,0xDF," regs "\n\t"
+#define AESENC(regs) ".byte 0x66,0x0F,0x38,0xDC," regs "\n\t"
+#define AESENCLAST(regs) ".byte 0x66,0x0F,0x38,0xDD," regs "\n\t"
+#define AESIMC(regs) ".byte 0x66,0x0F,0x38,0xDB," regs "\n\t"
+#define AESKEYGENA(regs, imm) ".byte 0x66,0x0F,0x3A,0xDF," regs "," imm "\n\t"
+#define PCLMULQDQ(regs, imm) ".byte 0x66,0x0F,0x3A,0x44," regs "," imm "\n\t"
+
+#define xmm0_xmm0 "0xC0"
+#define xmm0_xmm1 "0xC8"
+#define xmm0_xmm2 "0xD0"
+#define xmm0_xmm3 "0xD8"
+#define xmm0_xmm4 "0xE0"
+#define xmm1_xmm0 "0xC1"
+#define xmm1_xmm2 "0xD1"
+
+/*
+ * AES-NI AES-ECB block en(de)cryption
+ */
+int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ asm ("movdqu (%3), %%xmm0 \n\t" // load input
+ "movdqu (%1), %%xmm1 \n\t" // load round key 0
+ "pxor %%xmm1, %%xmm0 \n\t" // round 0
+ "add $16, %1 \n\t" // point to next round key
+ "subl $1, %0 \n\t" // normal rounds = nr - 1
+ "test %2, %2 \n\t" // mode?
+ "jz 2f \n\t" // 0 = decrypt
+
+ "1: \n\t" // encryption loop
+ "movdqu (%1), %%xmm1 \n\t" // load round key
+ AESENC(xmm1_xmm0) // do round
+ "add $16, %1 \n\t" // point to next round key
+ "subl $1, %0 \n\t" // loop
+ "jnz 1b \n\t"
+ "movdqu (%1), %%xmm1 \n\t" // load round key
+ AESENCLAST(xmm1_xmm0) // last round
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ "jmp 3f \n\t"
+
+ "2: \n\t" // decryption loop
+ "movdqu (%1), %%xmm1 \n\t"
+ AESDEC(xmm1_xmm0) // do round
+ "add $16, %1 \n\t"
+ "subl $1, %0 \n\t"
+ "jnz 2b \n\t"
+ "movdqu (%1), %%xmm1 \n\t" // load round key
+ AESDECLAST(xmm1_xmm0) // last round
+#endif
+
+ "3: \n\t"
+ "movdqu %%xmm0, (%4) \n\t" // export output
+ :
+ : "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output)
+ : "memory", "cc", "xmm0", "xmm1");
+
+
+ return 0;
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
+ */
+void mbedtls_aesni_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16])
+{
+ unsigned char aa[16], bb[16], cc[16];
+ size_t i;
+
+ /* The inputs are in big-endian order, so byte-reverse them */
+ for (i = 0; i < 16; i++) {
+ aa[i] = a[15 - i];
+ bb[i] = b[15 - i];
+ }
+
+ asm ("movdqu (%0), %%xmm0 \n\t" // a1:a0
+ "movdqu (%1), %%xmm1 \n\t" // b1:b0
+
+ /*
+ * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
+ * using [CLMUL-WP] algorithm 1 (p. 12).
+ */
+ "movdqa %%xmm1, %%xmm2 \n\t" // copy of b1:b0
+ "movdqa %%xmm1, %%xmm3 \n\t" // same
+ "movdqa %%xmm1, %%xmm4 \n\t" // same
+ PCLMULQDQ(xmm0_xmm1, "0x00") // a0*b0 = c1:c0
+ PCLMULQDQ(xmm0_xmm2, "0x11") // a1*b1 = d1:d0
+ PCLMULQDQ(xmm0_xmm3, "0x10") // a0*b1 = e1:e0
+ PCLMULQDQ(xmm0_xmm4, "0x01") // a1*b0 = f1:f0
+ "pxor %%xmm3, %%xmm4 \n\t" // e1+f1:e0+f0
+ "movdqa %%xmm4, %%xmm3 \n\t" // same
+ "psrldq $8, %%xmm4 \n\t" // 0:e1+f1
+ "pslldq $8, %%xmm3 \n\t" // e0+f0:0
+ "pxor %%xmm4, %%xmm2 \n\t" // d1:d0+e1+f1
+ "pxor %%xmm3, %%xmm1 \n\t" // c1+e0+f1:c0
+
+ /*
+ * Now shift the result one bit to the left,
+ * taking advantage of [CLMUL-WP] eq 27 (p. 18)
+ */
+ "movdqa %%xmm1, %%xmm3 \n\t" // r1:r0
+ "movdqa %%xmm2, %%xmm4 \n\t" // r3:r2
+ "psllq $1, %%xmm1 \n\t" // r1<<1:r0<<1
+ "psllq $1, %%xmm2 \n\t" // r3<<1:r2<<1
+ "psrlq $63, %%xmm3 \n\t" // r1>>63:r0>>63
+ "psrlq $63, %%xmm4 \n\t" // r3>>63:r2>>63
+ "movdqa %%xmm3, %%xmm5 \n\t" // r1>>63:r0>>63
+ "pslldq $8, %%xmm3 \n\t" // r0>>63:0
+ "pslldq $8, %%xmm4 \n\t" // r2>>63:0
+ "psrldq $8, %%xmm5 \n\t" // 0:r1>>63
+ "por %%xmm3, %%xmm1 \n\t" // r1<<1|r0>>63:r0<<1
+ "por %%xmm4, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1
+ "por %%xmm5, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
+
+ /*
+ * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
+ * using [CLMUL-WP] algorithm 5 (p. 18).
+ * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
+ */
+ /* Step 2 (1) */
+ "movdqa %%xmm1, %%xmm3 \n\t" // x1:x0
+ "movdqa %%xmm1, %%xmm4 \n\t" // same
+ "movdqa %%xmm1, %%xmm5 \n\t" // same
+ "psllq $63, %%xmm3 \n\t" // x1<<63:x0<<63 = stuff:a
+ "psllq $62, %%xmm4 \n\t" // x1<<62:x0<<62 = stuff:b
+ "psllq $57, %%xmm5 \n\t" // x1<<57:x0<<57 = stuff:c
+
+ /* Step 2 (2) */
+ "pxor %%xmm4, %%xmm3 \n\t" // stuff:a+b
+ "pxor %%xmm5, %%xmm3 \n\t" // stuff:a+b+c
+ "pslldq $8, %%xmm3 \n\t" // a+b+c:0
+ "pxor %%xmm3, %%xmm1 \n\t" // x1+a+b+c:x0 = d:x0
+
+ /* Steps 3 and 4 */
+ "movdqa %%xmm1,%%xmm0 \n\t" // d:x0
+ "movdqa %%xmm1,%%xmm4 \n\t" // same
+ "movdqa %%xmm1,%%xmm5 \n\t" // same
+ "psrlq $1, %%xmm0 \n\t" // e1:x0>>1 = e1:e0'
+ "psrlq $2, %%xmm4 \n\t" // f1:x0>>2 = f1:f0'
+ "psrlq $7, %%xmm5 \n\t" // g1:x0>>7 = g1:g0'
+ "pxor %%xmm4, %%xmm0 \n\t" // e1+f1:e0'+f0'
+ "pxor %%xmm5, %%xmm0 \n\t" // e1+f1+g1:e0'+f0'+g0'
+ // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
+ // bits carried from d. Now get those\t bits back in.
+ "movdqa %%xmm1,%%xmm3 \n\t" // d:x0
+ "movdqa %%xmm1,%%xmm4 \n\t" // same
+ "movdqa %%xmm1,%%xmm5 \n\t" // same
+ "psllq $63, %%xmm3 \n\t" // d<<63:stuff
+ "psllq $62, %%xmm4 \n\t" // d<<62:stuff
+ "psllq $57, %%xmm5 \n\t" // d<<57:stuff
+ "pxor %%xmm4, %%xmm3 \n\t" // d<<63+d<<62:stuff
+ "pxor %%xmm5, %%xmm3 \n\t" // missing bits of d:stuff
+ "psrldq $8, %%xmm3 \n\t" // 0:missing bits of d
+ "pxor %%xmm3, %%xmm0 \n\t" // e1+f1+g1:e0+f0+g0
+ "pxor %%xmm1, %%xmm0 \n\t" // h1:h0
+ "pxor %%xmm2, %%xmm0 \n\t" // x3+h1:x2+h0
+
+ "movdqu %%xmm0, (%2) \n\t" // done
+ :
+ : "r" (aa), "r" (bb), "r" (cc)
+ : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5");
+
+ /* Now byte-reverse the outputs */
+ for (i = 0; i < 16; i++) {
+ c[i] = cc[15 - i];
+ }
+
+ return;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+void mbedtls_aesni_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey, int nr)
+{
+ unsigned char *ik = invkey;
+ const unsigned char *fk = fwdkey + 16 * nr;
+
+ memcpy(ik, fk, 16);
+
+ for (fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16) {
+ asm ("movdqu (%0), %%xmm0 \n\t"
+ AESIMC(xmm0_xmm0)
+ "movdqu %%xmm0, (%1) \n\t"
+ :
+ : "r" (fk), "r" (ik)
+ : "memory", "xmm0");
+ }
+
+ memcpy(ik, fk, 16);
+}
+#endif
+
+/*
+ * Key expansion, 128-bit case
+ */
+static void aesni_setkey_enc_128(unsigned char *rk,
+ const unsigned char *key)
+{
+ asm ("movdqu (%1), %%xmm0 \n\t" // copy the original key
+ "movdqu %%xmm0, (%0) \n\t" // as round key 0
+ "jmp 2f \n\t" // skip auxiliary routine
+
+ /*
+ * Finish generating the next round key.
+ *
+ * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
+ * with X = rot( sub( r3 ) ) ^ RCON.
+ *
+ * On exit, xmm0 is r7:r6:r5:r4
+ * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
+ * and those are written to the round key buffer.
+ */
+ "1: \n\t"
+ "pshufd $0xff, %%xmm1, %%xmm1 \n\t" // X:X:X:X
+ "pxor %%xmm0, %%xmm1 \n\t" // X+r3:X+r2:X+r1:r4
+ "pslldq $4, %%xmm0 \n\t" // r2:r1:r0:0
+ "pxor %%xmm0, %%xmm1 \n\t" // X+r3+r2:X+r2+r1:r5:r4
+ "pslldq $4, %%xmm0 \n\t" // etc
+ "pxor %%xmm0, %%xmm1 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm1, %%xmm0 \n\t" // update xmm0 for next time!
+ "add $16, %0 \n\t" // point to next round key
+ "movdqu %%xmm0, (%0) \n\t" // write it
+ "ret \n\t"
+
+ /* Main "loop" */
+ "2: \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x01") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x02") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x04") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x08") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x10") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x20") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x40") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x80") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x1B") "call 1b \n\t"
+ AESKEYGENA(xmm0_xmm1, "0x36") "call 1b \n\t"
+ :
+ : "r" (rk), "r" (key)
+ : "memory", "cc", "0");
+}
+
+/*
+ * Key expansion, 192-bit case
+ */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static void aesni_setkey_enc_192(unsigned char *rk,
+ const unsigned char *key)
+{
+ asm ("movdqu (%1), %%xmm0 \n\t" // copy original round key
+ "movdqu %%xmm0, (%0) \n\t"
+ "add $16, %0 \n\t"
+ "movq 16(%1), %%xmm1 \n\t"
+ "movq %%xmm1, (%0) \n\t"
+ "add $8, %0 \n\t"
+ "jmp 2f \n\t" // skip auxiliary routine
+
+ /*
+ * Finish generating the next 6 quarter-keys.
+ *
+ * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
+ * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
+ *
+ * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
+ * and those are written to the round key buffer.
+ */
+ "1: \n\t"
+ "pshufd $0x55, %%xmm2, %%xmm2 \n\t" // X:X:X:X
+ "pxor %%xmm0, %%xmm2 \n\t" // X+r3:X+r2:X+r1:r4
+ "pslldq $4, %%xmm0 \n\t" // etc
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm2, %%xmm0 \n\t" // update xmm0 = r9:r8:r7:r6
+ "movdqu %%xmm0, (%0) \n\t"
+ "add $16, %0 \n\t"
+ "pshufd $0xff, %%xmm0, %%xmm2 \n\t" // r9:r9:r9:r9
+ "pxor %%xmm1, %%xmm2 \n\t" // stuff:stuff:r9+r5:r10
+ "pslldq $4, %%xmm1 \n\t" // r2:r1:r0:0
+ "pxor %%xmm2, %%xmm1 \n\t" // xmm1 = stuff:stuff:r11:r10
+ "movq %%xmm1, (%0) \n\t"
+ "add $8, %0 \n\t"
+ "ret \n\t"
+
+ "2: \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x01") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x02") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x04") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x08") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x10") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x20") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x80") "call 1b \n\t"
+
+ :
+ : "r" (rk), "r" (key)
+ : "memory", "cc", "0");
+}
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+/*
+ * Key expansion, 256-bit case
+ */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static void aesni_setkey_enc_256(unsigned char *rk,
+ const unsigned char *key)
+{
+ asm ("movdqu (%1), %%xmm0 \n\t"
+ "movdqu %%xmm0, (%0) \n\t"
+ "add $16, %0 \n\t"
+ "movdqu 16(%1), %%xmm1 \n\t"
+ "movdqu %%xmm1, (%0) \n\t"
+ "jmp 2f \n\t" // skip auxiliary routine
+
+ /*
+ * Finish generating the next two round keys.
+ *
+ * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
+ * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
+ *
+ * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
+ * and those have been written to the output buffer.
+ */
+ "1: \n\t"
+ "pshufd $0xff, %%xmm2, %%xmm2 \n\t"
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm0, %%xmm2 \n\t"
+ "pslldq $4, %%xmm0 \n\t"
+ "pxor %%xmm2, %%xmm0 \n\t"
+ "add $16, %0 \n\t"
+ "movdqu %%xmm0, (%0) \n\t"
+
+ /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
+ * and proceed to generate next round key from there */
+ AESKEYGENA(xmm0_xmm2, "0x00")
+ "pshufd $0xaa, %%xmm2, %%xmm2 \n\t"
+ "pxor %%xmm1, %%xmm2 \n\t"
+ "pslldq $4, %%xmm1 \n\t"
+ "pxor %%xmm1, %%xmm2 \n\t"
+ "pslldq $4, %%xmm1 \n\t"
+ "pxor %%xmm1, %%xmm2 \n\t"
+ "pslldq $4, %%xmm1 \n\t"
+ "pxor %%xmm2, %%xmm1 \n\t"
+ "add $16, %0 \n\t"
+ "movdqu %%xmm1, (%0) \n\t"
+ "ret \n\t"
+
+ /*
+ * Main "loop" - Generating one more key than necessary,
+ * see definition of mbedtls_aes_context.buf
+ */
+ "2: \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x01") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x02") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x04") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x08") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x10") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x20") "call 1b \n\t"
+ AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
+ :
+ : "r" (rk), "r" (key)
+ : "memory", "cc", "0");
+}
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+#endif /* MBEDTLS_AESNI_HAVE_CODE */
+
+/*
+ * Key expansion, wrapper
+ */
+int mbedtls_aesni_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ size_t bits)
+{
+ switch (bits) {
+ case 128: aesni_setkey_enc_128(rk, key); break;
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ case 192: aesni_setkey_enc_192(rk, key); break;
+ case 256: aesni_setkey_enc_256(rk, key); break;
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+ default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_AESNI_HAVE_CODE */
+
+#endif /* MBEDTLS_AESNI_C */
diff --git a/library/aesni.h b/library/aesni.h
new file mode 100644
index 0000000..59e27af
--- /dev/null
+++ b/library/aesni.h
@@ -0,0 +1,162 @@
+/**
+ * \file aesni.h
+ *
+ * \brief AES-NI for hardware AES acceleration on some Intel processors
+ *
+ * \warning These functions are only for internal use by other library
+ * functions; you must not call them directly.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_AESNI_H
+#define MBEDTLS_AESNI_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/aes.h"
+
+#define MBEDTLS_AESNI_AES 0x02000000u
+#define MBEDTLS_AESNI_CLMUL 0x00000002u
+
+#if defined(MBEDTLS_AESNI_C) && \
+ (defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_X86))
+
+/* Can we do AESNI with intrinsics?
+ * (Only implemented with certain compilers, only for certain targets.)
+ */
+#undef MBEDTLS_AESNI_HAVE_INTRINSICS
+#if defined(_MSC_VER) && !defined(__clang__)
+/* Visual Studio supports AESNI intrinsics since VS 2008 SP1. We only support
+ * VS 2013 and up for other reasons anyway, so no need to check the version. */
+#define MBEDTLS_AESNI_HAVE_INTRINSICS
+#endif
+/* GCC-like compilers: currently, we only support intrinsics if the requisite
+ * target flag is enabled when building the library (e.g. `gcc -mpclmul -msse2`
+ * or `clang -maes -mpclmul`). */
+#if (defined(__GNUC__) || defined(__clang__)) && defined(__AES__) && defined(__PCLMUL__)
+#define MBEDTLS_AESNI_HAVE_INTRINSICS
+#endif
+/* For 32-bit, we only support intrinsics */
+#if defined(MBEDTLS_ARCH_IS_X86) && (defined(__GNUC__) || defined(__clang__))
+#define MBEDTLS_AESNI_HAVE_INTRINSICS
+#endif
+
+/* Choose the implementation of AESNI, if one is available.
+ *
+ * Favor the intrinsics-based implementation if it's available, for better
+ * maintainability.
+ * Performance is about the same (see #7380).
+ * In the long run, we will likely remove the assembly implementation. */
+#if defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
+#define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
+#elif defined(MBEDTLS_HAVE_ASM) && \
+ (defined(__GNUC__) || defined(__clang__)) && defined(MBEDTLS_ARCH_IS_X64)
+/* Can we do AESNI with inline assembly?
+ * (Only implemented with gas syntax, only for 64-bit.)
+ */
+#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
+#else
+#error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available"
+#endif
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Internal function to detect the AES-NI feature in CPUs.
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param what The feature to detect
+ * (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
+ *
+ * \return 1 if CPU has support for the feature, 0 otherwise
+ */
+#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+int mbedtls_aesni_has_support(unsigned int what);
+#else
+#define mbedtls_aesni_has_support(what) 1
+#endif
+
+/**
+ * \brief Internal AES-NI AES-ECB block encryption and decryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param ctx AES context
+ * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input 16-byte input block
+ * \param output 16-byte output block
+ *
+ * \return 0 on success (cannot fail)
+ */
+int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16]);
+
+/**
+ * \brief Internal GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param c Result
+ * \param a First operand
+ * \param b Second operand
+ *
+ * \note Both operands and result are bit strings interpreted as
+ * elements of GF(2^128) as per the GCM spec.
+ */
+void mbedtls_aesni_gcm_mult(unsigned char c[16],
+ const unsigned char a[16],
+ const unsigned char b[16]);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+/**
+ * \brief Internal round key inversion. This function computes
+ * decryption round keys from the encryption round keys.
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param invkey Round keys for the equivalent inverse cipher
+ * \param fwdkey Original round keys (for encryption)
+ * \param nr Number of rounds (that is, number of round keys minus one)
+ */
+void mbedtls_aesni_inverse_key(unsigned char *invkey,
+ const unsigned char *fwdkey,
+ int nr);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/**
+ * \brief Internal key expansion for encryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param rk Destination buffer where the round keys are written
+ * \param key Encryption key
+ * \param bits Key size in bits (must be 128, 192 or 256)
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+ */
+int mbedtls_aesni_setkey_enc(unsigned char *rk,
+ const unsigned char *key,
+ size_t bits);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_AESNI_HAVE_CODE */
+#endif /* MBEDTLS_AESNI_C && (MBEDTLS_ARCH_IS_X64 || MBEDTLS_ARCH_IS_X86) */
+
+#endif /* MBEDTLS_AESNI_H */
diff --git a/library/alignment.h b/library/alignment.h
new file mode 100644
index 0000000..a17001d
--- /dev/null
+++ b/library/alignment.h
@@ -0,0 +1,684 @@
+/**
+ * \file alignment.h
+ *
+ * \brief Utility code for dealing with unaligned memory accesses
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_LIBRARY_ALIGNMENT_H
+#define MBEDTLS_LIBRARY_ALIGNMENT_H
+
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+
+/*
+ * Define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS for architectures where unaligned memory
+ * accesses are known to be efficient.
+ *
+ * All functions defined here will behave correctly regardless, but might be less
+ * efficient when this is not defined.
+ */
+#if defined(__ARM_FEATURE_UNALIGNED) \
+ || defined(MBEDTLS_ARCH_IS_X86) || defined(MBEDTLS_ARCH_IS_X64) \
+ || defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+/*
+ * __ARM_FEATURE_UNALIGNED is defined where appropriate by armcc, gcc 7, clang 9
+ * (and later versions) for Arm v7 and later; all x86 platforms should have
+ * efficient unaligned access.
+ *
+ * https://learn.microsoft.com/en-us/cpp/build/arm64-windows-abi-conventions?view=msvc-170#alignment
+ * specifies that on Windows-on-Arm64, unaligned access is safe (except for uncached
+ * device memory).
+ */
+#define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS
+#endif
+
+#if defined(__IAR_SYSTEMS_ICC__) && \
+ (defined(MBEDTLS_ARCH_IS_ARM64) || defined(MBEDTLS_ARCH_IS_ARM32) \
+ || defined(__ICCRX__) || defined(__ICCRL78__) || defined(__ICCRISCV__))
+#pragma language=save
+#pragma language=extended
+#define MBEDTLS_POP_IAR_LANGUAGE_PRAGMA
+/* IAR recommend this technique for accessing unaligned data in
+ * https://www.iar.com/knowledge/support/technical-notes/compiler/accessing-unaligned-data
+ * This results in a single load / store instruction (if unaligned access is supported).
+ * According to that document, this is only supported on certain architectures.
+ */
+ #define UINT_UNALIGNED
+typedef uint16_t __packed mbedtls_uint16_unaligned_t;
+typedef uint32_t __packed mbedtls_uint32_unaligned_t;
+typedef uint64_t __packed mbedtls_uint64_unaligned_t;
+#elif defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 40504) && \
+ ((MBEDTLS_GCC_VERSION < 60300) || (!defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)))
+/*
+ * gcc may generate a branch to memcpy for calls like `memcpy(dest, src, 4)` rather than
+ * generating some LDR or LDRB instructions (similar for stores).
+ *
+ * This is architecture dependent: x86-64 seems fine even with old gcc; 32-bit Arm
+ * is affected. To keep it simple, we enable for all architectures.
+ *
+ * For versions of gcc < 5.4.0 this issue always happens.
+ * For gcc < 6.3.0, this issue happens at -O0
+ * For all versions, this issue happens iff unaligned access is not supported.
+ *
+ * For gcc 4.x, this implementation will generate byte-by-byte loads even if unaligned access is
+ * supported, which is correct but not optimal.
+ *
+ * For performance (and code size, in some cases), we want to avoid the branch and just generate
+ * some inline load/store instructions since the access is small and constant-size.
+ *
+ * The manual states:
+ * "The packed attribute specifies that a variable or structure field should have the smallest
+ * possible alignment—one byte for a variable"
+ * https://gcc.gnu.org/onlinedocs/gcc-4.5.4/gcc/Variable-Attributes.html
+ *
+ * Previous implementations used __attribute__((__aligned__(1)), but had issues with a gcc bug:
+ * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94662
+ *
+ * Tested with several versions of GCC from 4.5.0 up to 13.2.0
+ * We don't enable for older than 4.5.0 as this has not been tested.
+ */
+ #define UINT_UNALIGNED_STRUCT
+typedef struct {
+ uint16_t x;
+} __attribute__((packed)) mbedtls_uint16_unaligned_t;
+typedef struct {
+ uint32_t x;
+} __attribute__((packed)) mbedtls_uint32_unaligned_t;
+typedef struct {
+ uint64_t x;
+} __attribute__((packed)) mbedtls_uint64_unaligned_t;
+ #endif
+
+/*
+ * We try to force mbedtls_(get|put)_unaligned_uintXX to be always inline, because this results
+ * in code that is both smaller and faster. IAR and gcc both benefit from this when optimising
+ * for size.
+ */
+
+/**
+ * Read the unsigned 16 bits integer from the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 2 bytes of data
+ * \return Data at the given address
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint16_t mbedtls_get_unaligned_uint16(const void *p)
+{
+ uint16_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ r = *p16;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ r = p16->x;
+#else
+ memcpy(&r, p, sizeof(r));
+#endif
+ return r;
+}
+
+/**
+ * Write the unsigned 16 bits integer to the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 2 bytes of data
+ * \param x data to write
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint16(void *p, uint16_t x)
+{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ *p16 = x;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint16_unaligned_t *p16 = (mbedtls_uint16_unaligned_t *) p;
+ p16->x = x;
+#else
+ memcpy(p, &x, sizeof(x));
+#endif
+}
+
+/**
+ * Read the unsigned 32 bits integer from the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 4 bytes of data
+ * \return Data at the given address
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint32_t mbedtls_get_unaligned_uint32(const void *p)
+{
+ uint32_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ r = *p32;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ r = p32->x;
+#else
+ memcpy(&r, p, sizeof(r));
+#endif
+ return r;
+}
+
+/**
+ * Write the unsigned 32 bits integer to the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 4 bytes of data
+ * \param x data to write
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint32(void *p, uint32_t x)
+{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ *p32 = x;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint32_unaligned_t *p32 = (mbedtls_uint32_unaligned_t *) p;
+ p32->x = x;
+#else
+ memcpy(p, &x, sizeof(x));
+#endif
+}
+
+/**
+ * Read the unsigned 64 bits integer from the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 8 bytes of data
+ * \return Data at the given address
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline uint64_t mbedtls_get_unaligned_uint64(const void *p)
+{
+ uint64_t r;
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ r = *p64;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ r = p64->x;
+#else
+ memcpy(&r, p, sizeof(r));
+#endif
+ return r;
+}
+
+/**
+ * Write the unsigned 64 bits integer to the given address, which need not
+ * be aligned.
+ *
+ * \param p pointer to 8 bytes of data
+ * \param x data to write
+ */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+static inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
+{
+#if defined(UINT_UNALIGNED)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ *p64 = x;
+#elif defined(UINT_UNALIGNED_STRUCT)
+ mbedtls_uint64_unaligned_t *p64 = (mbedtls_uint64_unaligned_t *) p;
+ p64->x = x;
+#else
+ memcpy(p, &x, sizeof(x));
+#endif
+}
+
+#if defined(MBEDTLS_POP_IAR_LANGUAGE_PRAGMA)
+#pragma language=restore
+#endif
+
+/** Byte Reading Macros
+ *
+ * Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th
+ * byte from x, where byte 0 is the least significant byte.
+ */
+#define MBEDTLS_BYTE_0(x) ((uint8_t) ((x) & 0xff))
+#define MBEDTLS_BYTE_1(x) ((uint8_t) (((x) >> 8) & 0xff))
+#define MBEDTLS_BYTE_2(x) ((uint8_t) (((x) >> 16) & 0xff))
+#define MBEDTLS_BYTE_3(x) ((uint8_t) (((x) >> 24) & 0xff))
+#define MBEDTLS_BYTE_4(x) ((uint8_t) (((x) >> 32) & 0xff))
+#define MBEDTLS_BYTE_5(x) ((uint8_t) (((x) >> 40) & 0xff))
+#define MBEDTLS_BYTE_6(x) ((uint8_t) (((x) >> 48) & 0xff))
+#define MBEDTLS_BYTE_7(x) ((uint8_t) (((x) >> 56) & 0xff))
+
+/*
+ * Detect GCC built-in byteswap routines
+ */
+#if defined(__GNUC__) && defined(__GNUC_PREREQ)
+#if __GNUC_PREREQ(4, 8)
+#define MBEDTLS_BSWAP16 __builtin_bswap16
+#endif /* __GNUC_PREREQ(4,8) */
+#if __GNUC_PREREQ(4, 3)
+#define MBEDTLS_BSWAP32 __builtin_bswap32
+#define MBEDTLS_BSWAP64 __builtin_bswap64
+#endif /* __GNUC_PREREQ(4,3) */
+#endif /* defined(__GNUC__) && defined(__GNUC_PREREQ) */
+
+/*
+ * Detect Clang built-in byteswap routines
+ */
+#if defined(__clang__) && defined(__has_builtin)
+#if __has_builtin(__builtin_bswap16) && !defined(MBEDTLS_BSWAP16)
+#define MBEDTLS_BSWAP16 __builtin_bswap16
+#endif /* __has_builtin(__builtin_bswap16) */
+#if __has_builtin(__builtin_bswap32) && !defined(MBEDTLS_BSWAP32)
+#define MBEDTLS_BSWAP32 __builtin_bswap32
+#endif /* __has_builtin(__builtin_bswap32) */
+#if __has_builtin(__builtin_bswap64) && !defined(MBEDTLS_BSWAP64)
+#define MBEDTLS_BSWAP64 __builtin_bswap64
+#endif /* __has_builtin(__builtin_bswap64) */
+#endif /* defined(__clang__) && defined(__has_builtin) */
+
+/*
+ * Detect MSVC built-in byteswap routines
+ */
+#if defined(_MSC_VER)
+#if !defined(MBEDTLS_BSWAP16)
+#define MBEDTLS_BSWAP16 _byteswap_ushort
+#endif
+#if !defined(MBEDTLS_BSWAP32)
+#define MBEDTLS_BSWAP32 _byteswap_ulong
+#endif
+#if !defined(MBEDTLS_BSWAP64)
+#define MBEDTLS_BSWAP64 _byteswap_uint64
+#endif
+#endif /* defined(_MSC_VER) */
+
+/* Detect armcc built-in byteswap routine */
+#if defined(__ARMCC_VERSION) && (__ARMCC_VERSION >= 410000) && !defined(MBEDTLS_BSWAP32)
+#if defined(__ARM_ACLE) /* ARM Compiler 6 - earlier versions don't need a header */
+#include <arm_acle.h>
+#endif
+#define MBEDTLS_BSWAP32 __rev
+#endif
+
+/* Detect IAR built-in byteswap routine */
+#if defined(__IAR_SYSTEMS_ICC__)
+#if defined(__ARM_ACLE)
+#include <arm_acle.h>
+#define MBEDTLS_BSWAP16(x) ((uint16_t) __rev16((uint32_t) (x)))
+#define MBEDTLS_BSWAP32 __rev
+#define MBEDTLS_BSWAP64 __revll
+#endif
+#endif
+
+/*
+ * Where compiler built-ins are not present, fall back to C code that the
+ * compiler may be able to detect and transform into the relevant bswap or
+ * similar instruction.
+ */
+#if !defined(MBEDTLS_BSWAP16)
+static inline uint16_t mbedtls_bswap16(uint16_t x)
+{
+ return
+ (x & 0x00ff) << 8 |
+ (x & 0xff00) >> 8;
+}
+#define MBEDTLS_BSWAP16 mbedtls_bswap16
+#endif /* !defined(MBEDTLS_BSWAP16) */
+
+#if !defined(MBEDTLS_BSWAP32)
+static inline uint32_t mbedtls_bswap32(uint32_t x)
+{
+ return
+ (x & 0x000000ff) << 24 |
+ (x & 0x0000ff00) << 8 |
+ (x & 0x00ff0000) >> 8 |
+ (x & 0xff000000) >> 24;
+}
+#define MBEDTLS_BSWAP32 mbedtls_bswap32
+#endif /* !defined(MBEDTLS_BSWAP32) */
+
+#if !defined(MBEDTLS_BSWAP64)
+static inline uint64_t mbedtls_bswap64(uint64_t x)
+{
+ return
+ (x & 0x00000000000000ffULL) << 56 |
+ (x & 0x000000000000ff00ULL) << 40 |
+ (x & 0x0000000000ff0000ULL) << 24 |
+ (x & 0x00000000ff000000ULL) << 8 |
+ (x & 0x000000ff00000000ULL) >> 8 |
+ (x & 0x0000ff0000000000ULL) >> 24 |
+ (x & 0x00ff000000000000ULL) >> 40 |
+ (x & 0xff00000000000000ULL) >> 56;
+}
+#define MBEDTLS_BSWAP64 mbedtls_bswap64
+#endif /* !defined(MBEDTLS_BSWAP64) */
+
+#if !defined(__BYTE_ORDER__)
+
+#if defined(__LITTLE_ENDIAN__)
+/* IAR defines __xxx_ENDIAN__, but not __BYTE_ORDER__ */
+#define MBEDTLS_IS_BIG_ENDIAN 0
+#elif defined(__BIG_ENDIAN__)
+#define MBEDTLS_IS_BIG_ENDIAN 1
+#else
+static const uint16_t mbedtls_byte_order_detector = { 0x100 };
+#define MBEDTLS_IS_BIG_ENDIAN (*((unsigned char *) (&mbedtls_byte_order_detector)) == 0x01)
+#endif
+
+#else
+
+#if (__BYTE_ORDER__) == (__ORDER_BIG_ENDIAN__)
+#define MBEDTLS_IS_BIG_ENDIAN 1
+#else
+#define MBEDTLS_IS_BIG_ENDIAN 0
+#endif
+
+#endif /* !defined(__BYTE_ORDER__) */
+
+/**
+ * Get the unsigned 32 bits integer corresponding to four bytes in
+ * big-endian order (MSB first).
+ *
+ * \param data Base address of the memory to get the four bytes from.
+ * \param offset Offset from \p data of the first and most significant
+ * byte of the four bytes to build the 32 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT32_BE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? mbedtls_get_unaligned_uint32((data) + (offset)) \
+ : MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
+ )
+
+/**
+ * Put in memory a 32 bits unsigned integer in big-endian order.
+ *
+ * \param n 32 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 32
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the most significant
+ * byte of the 32 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT32_BE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint32((data) + (offset), (uint32_t) (n)); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \
+ } \
+ }
+
+/**
+ * Get the unsigned 32 bits integer corresponding to four bytes in
+ * little-endian order (LSB first).
+ *
+ * \param data Base address of the memory to get the four bytes from.
+ * \param offset Offset from \p data of the first and least significant
+ * byte of the four bytes to build the 32 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT32_LE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
+ : mbedtls_get_unaligned_uint32((data) + (offset)) \
+ )
+
+
+/**
+ * Put in memory a 32 bits unsigned integer in little-endian order.
+ *
+ * \param n 32 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 32
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the least significant
+ * byte of the 32 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT32_LE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint32((data) + (offset), ((uint32_t) (n))); \
+ } \
+ }
+
+/**
+ * Get the unsigned 16 bits integer corresponding to two bytes in
+ * little-endian order (LSB first).
+ *
+ * \param data Base address of the memory to get the two bytes from.
+ * \param offset Offset from \p data of the first and least significant
+ * byte of the two bytes to build the 16 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT16_LE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
+ : mbedtls_get_unaligned_uint16((data) + (offset)) \
+ )
+
+/**
+ * Put in memory a 16 bits unsigned integer in little-endian order.
+ *
+ * \param n 16 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 16
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the least significant
+ * byte of the 16 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT16_LE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
+ } \
+ }
+
+/**
+ * Get the unsigned 16 bits integer corresponding to two bytes in
+ * big-endian order (MSB first).
+ *
+ * \param data Base address of the memory to get the two bytes from.
+ * \param offset Offset from \p data of the first and most significant
+ * byte of the two bytes to build the 16 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT16_BE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? mbedtls_get_unaligned_uint16((data) + (offset)) \
+ : MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
+ )
+
+/**
+ * Put in memory a 16 bits unsigned integer in big-endian order.
+ *
+ * \param n 16 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 16
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the most significant
+ * byte of the 16 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT16_BE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \
+ } \
+ }
+
+/**
+ * Get the unsigned 24 bits integer corresponding to three bytes in
+ * big-endian order (MSB first).
+ *
+ * \param data Base address of the memory to get the three bytes from.
+ * \param offset Offset from \p data of the first and most significant
+ * byte of the three bytes to build the 24 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT24_BE(data, offset) \
+ ( \
+ ((uint32_t) (data)[(offset)] << 16) \
+ | ((uint32_t) (data)[(offset) + 1] << 8) \
+ | ((uint32_t) (data)[(offset) + 2]) \
+ )
+
+/**
+ * Put in memory a 24 bits unsigned integer in big-endian order.
+ *
+ * \param n 24 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 24
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the most significant
+ * byte of the 24 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT24_BE(n, data, offset) \
+ { \
+ (data)[(offset)] = MBEDTLS_BYTE_2(n); \
+ (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
+ (data)[(offset) + 2] = MBEDTLS_BYTE_0(n); \
+ }
+
+/**
+ * Get the unsigned 24 bits integer corresponding to three bytes in
+ * little-endian order (LSB first).
+ *
+ * \param data Base address of the memory to get the three bytes from.
+ * \param offset Offset from \p data of the first and least significant
+ * byte of the three bytes to build the 24 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT24_LE(data, offset) \
+ ( \
+ ((uint32_t) (data)[(offset)]) \
+ | ((uint32_t) (data)[(offset) + 1] << 8) \
+ | ((uint32_t) (data)[(offset) + 2] << 16) \
+ )
+
+/**
+ * Put in memory a 24 bits unsigned integer in little-endian order.
+ *
+ * \param n 24 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 24
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the least significant
+ * byte of the 24 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT24_LE(n, data, offset) \
+ { \
+ (data)[(offset)] = MBEDTLS_BYTE_0(n); \
+ (data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
+ (data)[(offset) + 2] = MBEDTLS_BYTE_2(n); \
+ }
+
+/**
+ * Get the unsigned 64 bits integer corresponding to eight bytes in
+ * big-endian order (MSB first).
+ *
+ * \param data Base address of the memory to get the eight bytes from.
+ * \param offset Offset from \p data of the first and most significant
+ * byte of the eight bytes to build the 64 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT64_BE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? mbedtls_get_unaligned_uint64((data) + (offset)) \
+ : MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
+ )
+
+/**
+ * Put in memory a 64 bits unsigned integer in big-endian order.
+ *
+ * \param n 64 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 64
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the most significant
+ * byte of the 64 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT64_BE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \
+ } \
+ }
+
+/**
+ * Get the unsigned 64 bits integer corresponding to eight bytes in
+ * little-endian order (LSB first).
+ *
+ * \param data Base address of the memory to get the eight bytes from.
+ * \param offset Offset from \p data of the first and least significant
+ * byte of the eight bytes to build the 64 bits unsigned
+ * integer from.
+ */
+#define MBEDTLS_GET_UINT64_LE(data, offset) \
+ ((MBEDTLS_IS_BIG_ENDIAN) \
+ ? MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
+ : mbedtls_get_unaligned_uint64((data) + (offset)) \
+ )
+
+/**
+ * Put in memory a 64 bits unsigned integer in little-endian order.
+ *
+ * \param n 64 bits unsigned integer to put in memory.
+ * \param data Base address of the memory where to put the 64
+ * bits unsigned integer in.
+ * \param offset Offset from \p data where to put the least significant
+ * byte of the 64 bits unsigned integer \p n.
+ */
+#define MBEDTLS_PUT_UINT64_LE(n, data, offset) \
+ { \
+ if (MBEDTLS_IS_BIG_ENDIAN) \
+ { \
+ mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \
+ } \
+ else \
+ { \
+ mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
+ } \
+ }
+
+#endif /* MBEDTLS_LIBRARY_ALIGNMENT_H */
diff --git a/library/aria.c b/library/aria.c
new file mode 100644
index 0000000..d9f84cc
--- /dev/null
+++ b/library/aria.c
@@ -0,0 +1,969 @@
+/*
+ * ARIA implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * This implementation is based on the following standards:
+ * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
+ * [2] https://tools.ietf.org/html/rfc5794
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ARIA_C)
+
+#include "mbedtls/aria.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_ARIA_ALT)
+
+#include "mbedtls/platform_util.h"
+
+/*
+ * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
+ *
+ * This is submatrix P1 in [1] Appendix B.1
+ *
+ * Common compilers fail to translate this to minimal number of instructions,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev16 available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+ (!defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000) && \
+ __ARM_ARCH >= 6
+static inline uint32_t aria_p1(uint32_t x)
+{
+ uint32_t r;
+ __asm("rev16 %0, %1" : "=l" (r) : "l" (x));
+ return r;
+}
+#define ARIA_P1 aria_p1
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+ (__TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3)
+static inline uint32_t aria_p1(uint32_t x)
+{
+ uint32_t r;
+ __asm("rev16 r, x");
+ return r;
+}
+#define ARIA_P1 aria_p1
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+ defined(__i386__) || defined(__amd64__) || defined(__x86_64__)
+/* I couldn't find an Intel equivalent of rev16, so two instructions */
+#define ARIA_P1(x) ARIA_P2(ARIA_P3(x))
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P1)
+#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
+ *
+ * This is submatrix P2 in [1] Appendix B.1
+ *
+ * Common compilers will translate this to a single instruction.
+ */
+#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
+
+/*
+ * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
+ *
+ * This is submatrix P3 in [1] Appendix B.1
+ */
+#define ARIA_P3(x) MBEDTLS_BSWAP32(x)
+
+/*
+ * ARIA Affine Transform
+ * (a, b, c, d) = state in/out
+ *
+ * If we denote the first byte of input by 0, ..., the last byte by f,
+ * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
+ *
+ * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
+ * rearrangements on adjacent pairs, output is:
+ *
+ * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
+ * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
+ * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
+ * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
+ * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
+ * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
+ * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
+ * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
+ *
+ * Note: another presentation of the A transform can be found as the first
+ * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
+ * The implementation below uses only P1 and P2 as they are sufficient.
+ */
+static inline void aria_a(uint32_t *a, uint32_t *b,
+ uint32_t *c, uint32_t *d)
+{
+ uint32_t ta, tb, tc;
+ ta = *b; // 4567
+ *b = *a; // 0123
+ *a = ARIA_P2(ta); // 6745
+ tb = ARIA_P2(*d); // efcd
+ *d = ARIA_P1(*c); // 98ba
+ *c = ARIA_P1(tb); // fedc
+ ta ^= *d; // 4567+98ba
+ tc = ARIA_P2(*b); // 2301
+ ta = ARIA_P1(ta) ^ tc ^ *c; // 2301+5476+89ab+fedc
+ tb ^= ARIA_P2(*d); // ba98+efcd
+ tc ^= ARIA_P1(*a); // 2301+7654
+ *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
+ tb = ARIA_P2(tb) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
+ *a ^= ARIA_P1(tb); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
+ ta = ARIA_P2(ta); // 0123+7654+ab89+dcfe
+ *d ^= ARIA_P1(ta) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
+ tc = ARIA_P2(tc); // 0123+5476
+ *c ^= ARIA_P1(tc) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
+}
+
+/*
+ * ARIA Substitution Layer SL1 / SL2
+ * (a, b, c, d) = state in/out
+ * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
+ *
+ * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
+ * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
+ */
+static inline void aria_sl(uint32_t *a, uint32_t *b,
+ uint32_t *c, uint32_t *d,
+ const uint8_t sa[256], const uint8_t sb[256],
+ const uint8_t sc[256], const uint8_t sd[256])
+{
+ *a = ((uint32_t) sa[MBEDTLS_BYTE_0(*a)]) ^
+ (((uint32_t) sb[MBEDTLS_BYTE_1(*a)]) << 8) ^
+ (((uint32_t) sc[MBEDTLS_BYTE_2(*a)]) << 16) ^
+ (((uint32_t) sd[MBEDTLS_BYTE_3(*a)]) << 24);
+ *b = ((uint32_t) sa[MBEDTLS_BYTE_0(*b)]) ^
+ (((uint32_t) sb[MBEDTLS_BYTE_1(*b)]) << 8) ^
+ (((uint32_t) sc[MBEDTLS_BYTE_2(*b)]) << 16) ^
+ (((uint32_t) sd[MBEDTLS_BYTE_3(*b)]) << 24);
+ *c = ((uint32_t) sa[MBEDTLS_BYTE_0(*c)]) ^
+ (((uint32_t) sb[MBEDTLS_BYTE_1(*c)]) << 8) ^
+ (((uint32_t) sc[MBEDTLS_BYTE_2(*c)]) << 16) ^
+ (((uint32_t) sd[MBEDTLS_BYTE_3(*c)]) << 24);
+ *d = ((uint32_t) sa[MBEDTLS_BYTE_0(*d)]) ^
+ (((uint32_t) sb[MBEDTLS_BYTE_1(*d)]) << 8) ^
+ (((uint32_t) sc[MBEDTLS_BYTE_2(*d)]) << 16) ^
+ (((uint32_t) sd[MBEDTLS_BYTE_3(*d)]) << 24);
+}
+
+/*
+ * S-Boxes
+ */
+static const uint8_t aria_sb1[256] =
+{
+ 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
+ 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+ 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
+ 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+ 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
+ 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+ 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
+ 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+ 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
+ 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+ 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
+ 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+ 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
+ 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+ 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
+ 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+ 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
+ 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+ 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
+ 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+ 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
+ 0xB0, 0x54, 0xBB, 0x16
+};
+
+static const uint8_t aria_sb2[256] =
+{
+ 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
+ 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
+ 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
+ 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
+ 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
+ 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
+ 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
+ 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
+ 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
+ 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
+ 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
+ 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
+ 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
+ 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
+ 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
+ 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
+ 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
+ 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
+ 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
+ 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
+ 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
+ 0xAF, 0xBA, 0xB5, 0x81
+};
+
+static const uint8_t aria_is1[256] =
+{
+ 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
+ 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+ 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
+ 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+ 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
+ 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+ 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
+ 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+ 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
+ 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+ 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
+ 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+ 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
+ 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+ 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
+ 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+ 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
+ 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+ 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
+ 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+ 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
+ 0x55, 0x21, 0x0C, 0x7D
+};
+
+static const uint8_t aria_is2[256] =
+{
+ 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
+ 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
+ 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
+ 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
+ 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
+ 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
+ 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
+ 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
+ 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
+ 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
+ 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
+ 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
+ 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
+ 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
+ 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
+ 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
+ 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
+ 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
+ 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
+ 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
+ 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
+ 0x03, 0xA2, 0xAC, 0x60
+};
+
+/*
+ * Helper for key schedule: r = FO( p, k ) ^ x
+ */
+static void aria_fo_xor(uint32_t r[4], const uint32_t p[4],
+ const uint32_t k[4], const uint32_t x[4])
+{
+ uint32_t a, b, c, d;
+
+ a = p[0] ^ k[0];
+ b = p[1] ^ k[1];
+ c = p[2] ^ k[2];
+ d = p[3] ^ k[3];
+
+ aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
+ aria_a(&a, &b, &c, &d);
+
+ r[0] = a ^ x[0];
+ r[1] = b ^ x[1];
+ r[2] = c ^ x[2];
+ r[3] = d ^ x[3];
+}
+
+/*
+ * Helper for key schedule: r = FE( p, k ) ^ x
+ */
+static void aria_fe_xor(uint32_t r[4], const uint32_t p[4],
+ const uint32_t k[4], const uint32_t x[4])
+{
+ uint32_t a, b, c, d;
+
+ a = p[0] ^ k[0];
+ b = p[1] ^ k[1];
+ c = p[2] ^ k[2];
+ d = p[3] ^ k[3];
+
+ aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
+ aria_a(&a, &b, &c, &d);
+
+ r[0] = a ^ x[0];
+ r[1] = b ^ x[1];
+ r[2] = c ^ x[2];
+ r[3] = d ^ x[3];
+}
+
+/*
+ * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
+ *
+ * We chose to store bytes into 32-bit words in little-endian format (see
+ * MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
+ * bytes here.
+ */
+static void aria_rot128(uint32_t r[4], const uint32_t a[4],
+ const uint32_t b[4], uint8_t n)
+{
+ uint8_t i, j;
+ uint32_t t, u;
+
+ const uint8_t n1 = n % 32; // bit offset
+ const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
+
+ j = (n / 32) % 4; // initial word offset
+ t = ARIA_P3(b[j]); // big endian
+ for (i = 0; i < 4; i++) {
+ j = (j + 1) % 4; // get next word, big endian
+ u = ARIA_P3(b[j]);
+ t <<= n1; // rotate
+ t |= u >> n2;
+ t = ARIA_P3(t); // back to little endian
+ r[i] = a[i] ^ t; // store
+ t = u; // move to next word
+ }
+}
+
+/*
+ * Set encryption key
+ */
+int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
+ const unsigned char *key, unsigned int keybits)
+{
+ /* round constant masks */
+ const uint32_t rc[3][4] =
+ {
+ { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
+ { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
+ { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
+ };
+
+ int i;
+ uint32_t w[4][4], *w2;
+
+ if (keybits != 128 && keybits != 192 && keybits != 256) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ /* Copy key to W0 (and potential remainder to W1) */
+ w[0][0] = MBEDTLS_GET_UINT32_LE(key, 0);
+ w[0][1] = MBEDTLS_GET_UINT32_LE(key, 4);
+ w[0][2] = MBEDTLS_GET_UINT32_LE(key, 8);
+ w[0][3] = MBEDTLS_GET_UINT32_LE(key, 12);
+
+ memset(w[1], 0, 16);
+ if (keybits >= 192) {
+ w[1][0] = MBEDTLS_GET_UINT32_LE(key, 16); // 192 bit key
+ w[1][1] = MBEDTLS_GET_UINT32_LE(key, 20);
+ }
+ if (keybits == 256) {
+ w[1][2] = MBEDTLS_GET_UINT32_LE(key, 24); // 256 bit key
+ w[1][3] = MBEDTLS_GET_UINT32_LE(key, 28);
+ }
+
+ i = (keybits - 128) >> 6; // index: 0, 1, 2
+ ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
+
+ aria_fo_xor(w[1], w[0], rc[i], w[1]); // W1 = FO(W0, CK1) ^ KR
+ i = i < 2 ? i + 1 : 0;
+ aria_fe_xor(w[2], w[1], rc[i], w[0]); // W2 = FE(W1, CK2) ^ W0
+ i = i < 2 ? i + 1 : 0;
+ aria_fo_xor(w[3], w[2], rc[i], w[1]); // W3 = FO(W2, CK3) ^ W1
+
+ for (i = 0; i < 4; i++) { // create round keys
+ w2 = w[(i + 1) & 3];
+ aria_rot128(ctx->rk[i], w[i], w2, 128 - 19);
+ aria_rot128(ctx->rk[i + 4], w[i], w2, 128 - 31);
+ aria_rot128(ctx->rk[i + 8], w[i], w2, 61);
+ aria_rot128(ctx->rk[i + 12], w[i], w2, 31);
+ }
+ aria_rot128(ctx->rk[16], w[0], w[1], 19);
+
+ /* w holds enough info to reconstruct the round keys */
+ mbedtls_platform_zeroize(w, sizeof(w));
+
+ return 0;
+}
+
+/*
+ * Set decryption key
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
+ const unsigned char *key, unsigned int keybits)
+{
+ int i, j, k, ret;
+
+ ret = mbedtls_aria_setkey_enc(ctx, key, keybits);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* flip the order of round keys */
+ for (i = 0, j = ctx->nr; i < j; i++, j--) {
+ for (k = 0; k < 4; k++) {
+ uint32_t t = ctx->rk[i][k];
+ ctx->rk[i][k] = ctx->rk[j][k];
+ ctx->rk[j][k] = t;
+ }
+ }
+
+ /* apply affine transform to middle keys */
+ for (i = 1; i < ctx->nr; i++) {
+ aria_a(&ctx->rk[i][0], &ctx->rk[i][1],
+ &ctx->rk[i][2], &ctx->rk[i][3]);
+ }
+
+ return 0;
+}
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/*
+ * Encrypt a block
+ */
+int mbedtls_aria_crypt_ecb(mbedtls_aria_context *ctx,
+ const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char output[MBEDTLS_ARIA_BLOCKSIZE])
+{
+ int i;
+
+ uint32_t a, b, c, d;
+
+ a = MBEDTLS_GET_UINT32_LE(input, 0);
+ b = MBEDTLS_GET_UINT32_LE(input, 4);
+ c = MBEDTLS_GET_UINT32_LE(input, 8);
+ d = MBEDTLS_GET_UINT32_LE(input, 12);
+
+ i = 0;
+ while (1) {
+ a ^= ctx->rk[i][0];
+ b ^= ctx->rk[i][1];
+ c ^= ctx->rk[i][2];
+ d ^= ctx->rk[i][3];
+ i++;
+
+ aria_sl(&a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2);
+ aria_a(&a, &b, &c, &d);
+
+ a ^= ctx->rk[i][0];
+ b ^= ctx->rk[i][1];
+ c ^= ctx->rk[i][2];
+ d ^= ctx->rk[i][3];
+ i++;
+
+ aria_sl(&a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2);
+ if (i >= ctx->nr) {
+ break;
+ }
+ aria_a(&a, &b, &c, &d);
+ }
+
+ /* final key mixing */
+ a ^= ctx->rk[i][0];
+ b ^= ctx->rk[i][1];
+ c ^= ctx->rk[i][2];
+ d ^= ctx->rk[i][3];
+
+ MBEDTLS_PUT_UINT32_LE(a, output, 0);
+ MBEDTLS_PUT_UINT32_LE(b, output, 4);
+ MBEDTLS_PUT_UINT32_LE(c, output, 8);
+ MBEDTLS_PUT_UINT32_LE(d, output, 12);
+
+ return 0;
+}
+
+/* Initialize context */
+void mbedtls_aria_init(mbedtls_aria_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_aria_context));
+}
+
+/* Clear context */
+void mbedtls_aria_free(mbedtls_aria_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aria_context));
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * ARIA-CBC buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cbc(mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
+
+ if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ if (length % MBEDTLS_ARIA_BLOCKSIZE) {
+ return MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH;
+ }
+
+ if (mode == MBEDTLS_ARIA_DECRYPT) {
+ while (length > 0) {
+ memcpy(temp, input, MBEDTLS_ARIA_BLOCKSIZE);
+ mbedtls_aria_crypt_ecb(ctx, input, output);
+
+ mbedtls_xor(output, output, iv, MBEDTLS_ARIA_BLOCKSIZE);
+
+ memcpy(iv, temp, MBEDTLS_ARIA_BLOCKSIZE);
+
+ input += MBEDTLS_ARIA_BLOCKSIZE;
+ output += MBEDTLS_ARIA_BLOCKSIZE;
+ length -= MBEDTLS_ARIA_BLOCKSIZE;
+ }
+ } else {
+ while (length > 0) {
+ mbedtls_xor(output, input, iv, MBEDTLS_ARIA_BLOCKSIZE);
+
+ mbedtls_aria_crypt_ecb(ctx, output, output);
+ memcpy(iv, output, MBEDTLS_ARIA_BLOCKSIZE);
+
+ input += MBEDTLS_ARIA_BLOCKSIZE;
+ output += MBEDTLS_ARIA_BLOCKSIZE;
+ length -= MBEDTLS_ARIA_BLOCKSIZE;
+ }
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * ARIA-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cfb128(mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ unsigned char c;
+ size_t n;
+
+ if ((mode != MBEDTLS_ARIA_ENCRYPT) && (mode != MBEDTLS_ARIA_DECRYPT)) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ n = *iv_off;
+
+ /* An overly large value of n can lead to an unlimited
+ * buffer overflow. */
+ if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ if (mode == MBEDTLS_ARIA_DECRYPT) {
+ while (length--) {
+ if (n == 0) {
+ mbedtls_aria_crypt_ecb(ctx, iv, iv);
+ }
+
+ c = *input++;
+ *output++ = c ^ iv[n];
+ iv[n] = c;
+
+ n = (n + 1) & 0x0F;
+ }
+ } else {
+ while (length--) {
+ if (n == 0) {
+ mbedtls_aria_crypt_ecb(ctx, iv, iv);
+ }
+
+ iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
+
+ n = (n + 1) & 0x0F;
+ }
+ }
+
+ *iv_off = n;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * ARIA-CTR buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_ctr(mbedtls_aria_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int c, i;
+ size_t n;
+
+ n = *nc_off;
+ /* An overly large value of n can lead to an unlimited
+ * buffer overflow. */
+ if (n >= MBEDTLS_ARIA_BLOCKSIZE) {
+ return MBEDTLS_ERR_ARIA_BAD_INPUT_DATA;
+ }
+
+ while (length--) {
+ if (n == 0) {
+ mbedtls_aria_crypt_ecb(ctx, nonce_counter,
+ stream_block);
+
+ for (i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i--) {
+ if (++nonce_counter[i - 1] != 0) {
+ break;
+ }
+ }
+ }
+ c = *input++;
+ *output++ = (unsigned char) (c ^ stream_block[n]);
+
+ n = (n + 1) & 0x0F;
+ }
+
+ *nc_off = n;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_ARIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Basic ARIA ECB test vectors from RFC 5794
+ */
+static const uint8_t aria_test1_ecb_key[32] = // test key
+{
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
+};
+
+static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
+{
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
+};
+
+static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
+{
+ { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
+ 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
+ { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
+ 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
+ { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
+ 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
+};
+
+/*
+ * Mode tests from "Test Vectors for ARIA" Version 1.0
+ * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
+ */
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_CTR))
+static const uint8_t aria_test2_key[32] =
+{
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
+};
+
+static const uint8_t aria_test2_pt[48] =
+{
+ 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
+ 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
+ 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
+};
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
+static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
+{
+ 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
+ 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
+};
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
+{
+ { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
+ 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
+ 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
+ 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
+ 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
+ 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
+ { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
+ 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
+ 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
+ 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
+ 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
+ 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
+ { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
+ 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
+ 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
+ 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
+ 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
+ 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
+{
+ { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
+ 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
+ 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
+ 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
+ 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
+ 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
+ { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
+ 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
+ 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
+ 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
+ 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
+ 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
+ { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
+ 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
+ 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
+ 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
+ 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
+ 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
+{
+ { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
+ 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
+ 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
+ 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
+ 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
+ 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
+ { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
+ 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
+ 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
+ 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
+ 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
+ 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
+ { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
+ 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
+ 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
+ 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
+ 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
+ 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#define ARIA_SELF_TEST_ASSERT(cond) \
+ do { \
+ if (cond) { \
+ if (verbose) \
+ mbedtls_printf("failed\n"); \
+ goto exit; \
+ } else { \
+ if (verbose) \
+ mbedtls_printf("passed\n"); \
+ } \
+ } while (0)
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aria_self_test(int verbose)
+{
+ int i;
+ uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
+ mbedtls_aria_context ctx;
+ int ret = 1;
+
+#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
+ size_t j;
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
+ defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_CTR))
+ uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
+#endif
+
+ mbedtls_aria_init(&ctx);
+
+ /*
+ * Test set 1
+ */
+ for (i = 0; i < 3; i++) {
+ /* test ECB encryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-ECB-%d (enc): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test1_ecb_key, 128 + 64 * i);
+ mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_pt, blk);
+ ARIA_SELF_TEST_ASSERT(
+ memcmp(blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE)
+ != 0);
+
+ /* test ECB decryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-ECB-%d (dec): ", 128 + 64 * i);
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ mbedtls_printf("skipped\n");
+#endif
+ }
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ mbedtls_aria_setkey_dec(&ctx, aria_test1_ecb_key, 128 + 64 * i);
+ mbedtls_aria_crypt_ecb(&ctx, aria_test1_ecb_ct[i], blk);
+ ARIA_SELF_TEST_ASSERT(
+ memcmp(blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE)
+ != 0);
+#endif
+ }
+ if (verbose) {
+ mbedtls_printf("\n");
+ }
+
+ /*
+ * Test set 2
+ */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ for (i = 0; i < 3; i++) {
+ /* Test CBC encryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CBC-%d (enc): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+ memset(buf, 0x55, sizeof(buf));
+ mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
+ aria_test2_pt, buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cbc_ct[i], 48)
+ != 0);
+
+ /* Test CBC decryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CBC-%d (dec): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_dec(&ctx, aria_test2_key, 128 + 64 * i);
+ memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+ memset(buf, 0xAA, sizeof(buf));
+ mbedtls_aria_crypt_cbc(&ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
+ aria_test2_cbc_ct[i], buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
+ }
+ if (verbose) {
+ mbedtls_printf("\n");
+ }
+
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ for (i = 0; i < 3; i++) {
+ /* Test CFB encryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CFB-%d (enc): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+ memset(buf, 0x55, sizeof(buf));
+ j = 0;
+ mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
+ aria_test2_pt, buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_cfb_ct[i], 48) != 0);
+
+ /* Test CFB decryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CFB-%d (dec): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memcpy(iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE);
+ memset(buf, 0xAA, sizeof(buf));
+ j = 0;
+ mbedtls_aria_crypt_cfb128(&ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
+ iv, aria_test2_cfb_ct[i], buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
+ }
+ if (verbose) {
+ mbedtls_printf("\n");
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ for (i = 0; i < 3; i++) {
+ /* Test CTR encryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CTR-%d (enc): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
+ memset(buf, 0x55, sizeof(buf));
+ j = 0;
+ mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
+ aria_test2_pt, buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_ctr_ct[i], 48) != 0);
+
+ /* Test CTR decryption */
+ if (verbose) {
+ mbedtls_printf(" ARIA-CTR-%d (dec): ", 128 + 64 * i);
+ }
+ mbedtls_aria_setkey_enc(&ctx, aria_test2_key, 128 + 64 * i);
+ memset(iv, 0, MBEDTLS_ARIA_BLOCKSIZE); // IV = 0
+ memset(buf, 0xAA, sizeof(buf));
+ j = 0;
+ mbedtls_aria_crypt_ctr(&ctx, 48, &j, iv, blk,
+ aria_test2_ctr_ct[i], buf);
+ ARIA_SELF_TEST_ASSERT(memcmp(buf, aria_test2_pt, 48) != 0);
+ }
+ if (verbose) {
+ mbedtls_printf("\n");
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+ ret = 0;
+
+exit:
+ mbedtls_aria_free(&ctx);
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARIA_C */
diff --git a/library/asn1parse.c b/library/asn1parse.c
new file mode 100644
index 0000000..e33fdf7
--- /dev/null
+++ b/library/asn1parse.c
@@ -0,0 +1,468 @@
+/*
+ * Generic ASN.1 parsing
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \
+ defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+
+#include "mbedtls/asn1.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+/*
+ * ASN.1 DER decoding routines
+ */
+int mbedtls_asn1_get_len(unsigned char **p,
+ const unsigned char *end,
+ size_t *len)
+{
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ if ((**p & 0x80) == 0) {
+ *len = *(*p)++;
+ } else {
+ int n = (**p) & 0x7F;
+ if (n == 0 || n > 4) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+ if ((end - *p) <= n) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+ *len = 0;
+ (*p)++;
+ while (n--) {
+ *len = (*len << 8) | **p;
+ (*p)++;
+ }
+ }
+
+ if (*len > (size_t) (end - *p)) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ return 0;
+}
+
+int mbedtls_asn1_get_tag(unsigned char **p,
+ const unsigned char *end,
+ size_t *len, int tag)
+{
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ if (**p != tag) {
+ return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG;
+ }
+
+ (*p)++;
+
+ return mbedtls_asn1_get_len(p, end, len);
+}
+#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+int mbedtls_asn1_get_bool(unsigned char **p,
+ const unsigned char *end,
+ int *val)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_BOOLEAN)) != 0) {
+ return ret;
+ }
+
+ if (len != 1) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+
+ *val = (**p != 0) ? 1 : 0;
+ (*p)++;
+
+ return 0;
+}
+
+static int asn1_get_tagged_int(unsigned char **p,
+ const unsigned char *end,
+ int tag, int *val)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len, tag)) != 0) {
+ return ret;
+ }
+
+ /*
+ * len==0 is malformed (0 must be represented as 020100 for INTEGER,
+ * or 0A0100 for ENUMERATED tags
+ */
+ if (len == 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+ /* This is a cryptography library. Reject negative integers. */
+ if ((**p & 0x80) != 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+
+ /* Skip leading zeros. */
+ while (len > 0 && **p == 0) {
+ ++(*p);
+ --len;
+ }
+
+ /* Reject integers that don't fit in an int. This code assumes that
+ * the int type has no padding bit. */
+ if (len > sizeof(int)) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+ if (len == sizeof(int) && (**p & 0x80) != 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+
+ *val = 0;
+ while (len-- > 0) {
+ *val = (*val << 8) | **p;
+ (*p)++;
+ }
+
+ return 0;
+}
+
+int mbedtls_asn1_get_int(unsigned char **p,
+ const unsigned char *end,
+ int *val)
+{
+ return asn1_get_tagged_int(p, end, MBEDTLS_ASN1_INTEGER, val);
+}
+
+int mbedtls_asn1_get_enum(unsigned char **p,
+ const unsigned char *end,
+ int *val)
+{
+ return asn1_get_tagged_int(p, end, MBEDTLS_ASN1_ENUMERATED, val);
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_get_mpi(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_mpi *X)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_mpi_read_binary(X, *p, len);
+
+ *p += len;
+
+ return ret;
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
+ mbedtls_asn1_bitstring *bs)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Certificate type is a single byte bitstring */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &bs->len, MBEDTLS_ASN1_BIT_STRING)) != 0) {
+ return ret;
+ }
+
+ /* Check length, subtract one for actual bit string length */
+ if (bs->len < 1) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+ bs->len -= 1;
+
+ /* Get number of unused bits, ensure unused bits <= 7 */
+ bs->unused_bits = **p;
+ if (bs->unused_bits > 7) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+ (*p)++;
+
+ /* Get actual bitstring */
+ bs->p = *p;
+ *p += bs->len;
+
+ if (*p != end) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ return 0;
+}
+
+/*
+ * Traverse an ASN.1 "SEQUENCE OF <tag>"
+ * and call a callback for each entry found.
+ */
+int mbedtls_asn1_traverse_sequence_of(
+ unsigned char **p,
+ const unsigned char *end,
+ unsigned char tag_must_mask, unsigned char tag_must_val,
+ unsigned char tag_may_mask, unsigned char tag_may_val,
+ int (*cb)(void *ctx, int tag,
+ unsigned char *start, size_t len),
+ void *ctx)
+{
+ int ret;
+ size_t len;
+
+ /* Get main sequence tag */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ if (*p + len != end) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ while (*p < end) {
+ unsigned char const tag = *(*p)++;
+
+ if ((tag & tag_must_mask) != tag_must_val) {
+ return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG;
+ }
+
+ if ((ret = mbedtls_asn1_get_len(p, end, &len)) != 0) {
+ return ret;
+ }
+
+ if ((tag & tag_may_mask) == tag_may_val) {
+ if (cb != NULL) {
+ ret = cb(ctx, tag, *p, len);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+ }
+
+ *p += len;
+ }
+
+ return 0;
+}
+
+/*
+ * Get a bit string without unused bits
+ */
+int mbedtls_asn1_get_bitstring_null(unsigned char **p, const unsigned char *end,
+ size_t *len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_BIT_STRING)) != 0) {
+ return ret;
+ }
+
+ if (*len == 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ --(*len);
+
+ if (**p != 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ ++(*p);
+
+ return 0;
+}
+
+void mbedtls_asn1_sequence_free(mbedtls_asn1_sequence *seq)
+{
+ while (seq != NULL) {
+ mbedtls_asn1_sequence *next = seq->next;
+ mbedtls_free(seq);
+ seq = next;
+ }
+}
+
+typedef struct {
+ int tag;
+ mbedtls_asn1_sequence *cur;
+} asn1_get_sequence_of_cb_ctx_t;
+
+static int asn1_get_sequence_of_cb(void *ctx,
+ int tag,
+ unsigned char *start,
+ size_t len)
+{
+ asn1_get_sequence_of_cb_ctx_t *cb_ctx =
+ (asn1_get_sequence_of_cb_ctx_t *) ctx;
+ mbedtls_asn1_sequence *cur =
+ cb_ctx->cur;
+
+ if (cur->buf.p != NULL) {
+ cur->next =
+ mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
+
+ if (cur->next == NULL) {
+ return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ }
+
+ cur = cur->next;
+ }
+
+ cur->buf.p = start;
+ cur->buf.len = len;
+ cur->buf.tag = tag;
+
+ cb_ctx->cur = cur;
+ return 0;
+}
+
+/*
+ * Parses and splits an ASN.1 "SEQUENCE OF <tag>"
+ */
+int mbedtls_asn1_get_sequence_of(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_asn1_sequence *cur,
+ int tag)
+{
+ asn1_get_sequence_of_cb_ctx_t cb_ctx = { tag, cur };
+ memset(cur, 0, sizeof(mbedtls_asn1_sequence));
+ return mbedtls_asn1_traverse_sequence_of(
+ p, end, 0xFF, tag, 0, 0,
+ asn1_get_sequence_of_cb, &cb_ctx);
+}
+
+int mbedtls_asn1_get_alg(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ alg->tag = **p;
+ end = *p + len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &alg->len, MBEDTLS_ASN1_OID)) != 0) {
+ return ret;
+ }
+
+ alg->p = *p;
+ *p += alg->len;
+
+ if (*p == end) {
+ mbedtls_platform_zeroize(params, sizeof(mbedtls_asn1_buf));
+ return 0;
+ }
+
+ params->tag = **p;
+ (*p)++;
+
+ if ((ret = mbedtls_asn1_get_len(p, end, ¶ms->len)) != 0) {
+ return ret;
+ }
+
+ params->p = *p;
+ *p += params->len;
+
+ if (*p != end) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ return 0;
+}
+
+int mbedtls_asn1_get_alg_null(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_asn1_buf *alg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_asn1_buf params;
+
+ memset(¶ms, 0, sizeof(mbedtls_asn1_buf));
+
+ if ((ret = mbedtls_asn1_get_alg(p, end, alg, ¶ms)) != 0) {
+ return ret;
+ }
+
+ if ((params.tag != MBEDTLS_ASN1_NULL && params.tag != 0) || params.len != 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_asn1_free_named_data(mbedtls_asn1_named_data *cur)
+{
+ if (cur == NULL) {
+ return;
+ }
+
+ mbedtls_free(cur->oid.p);
+ mbedtls_free(cur->val.p);
+
+ mbedtls_platform_zeroize(cur, sizeof(mbedtls_asn1_named_data));
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+void mbedtls_asn1_free_named_data_list(mbedtls_asn1_named_data **head)
+{
+ mbedtls_asn1_named_data *cur;
+
+ while ((cur = *head) != NULL) {
+ *head = cur->next;
+ mbedtls_free(cur->oid.p);
+ mbedtls_free(cur->val.p);
+ mbedtls_free(cur);
+ }
+}
+
+void mbedtls_asn1_free_named_data_list_shallow(mbedtls_asn1_named_data *name)
+{
+ for (mbedtls_asn1_named_data *next; name != NULL; name = next) {
+ next = name->next;
+ mbedtls_free(name);
+ }
+}
+
+const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data(const mbedtls_asn1_named_data *list,
+ const char *oid, size_t len)
+{
+ while (list != NULL) {
+ if (list->oid.len == len &&
+ memcmp(list->oid.p, oid, len) == 0) {
+ break;
+ }
+
+ list = list->next;
+ }
+
+ return list;
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
diff --git a/library/asn1write.c b/library/asn1write.c
new file mode 100644
index 0000000..775a9ef
--- /dev/null
+++ b/library/asn1write.c
@@ -0,0 +1,437 @@
+/*
+ * ASN.1 buffer writing functionality
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \
+ defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+
+#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start, size_t len)
+{
+#if SIZE_MAX > 0xFFFFFFFF
+ if (len > 0xFFFFFFFF) {
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+#endif
+
+ int required = 1;
+
+ if (len >= 0x80) {
+ for (size_t l = len; l != 0; l >>= 8) {
+ required++;
+ }
+ }
+
+ if (required > (*p - start)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ do {
+ *--(*p) = MBEDTLS_BYTE_0(len);
+ len >>= 8;
+ } while (len);
+
+ if (required > 1) {
+ *--(*p) = (unsigned char) (0x80 + required - 1);
+ }
+
+ return required;
+}
+
+int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start, unsigned char tag)
+{
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *--(*p) = tag;
+
+ return 1;
+}
+#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+
+#if defined(MBEDTLS_ASN1_WRITE_C)
+static int mbedtls_asn1_write_len_and_tag(unsigned char **p,
+ const unsigned char *start,
+ size_t len,
+ unsigned char tag)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, tag));
+
+ return (int) len;
+}
+
+int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start,
+ const unsigned char *buf, size_t size)
+{
+ size_t len = 0;
+
+ if (*p < start || (size_t) (*p - start) < size) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ len = size;
+ (*p) -= len;
+ memcpy(*p, buf, len);
+
+ return (int) len;
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_write_mpi(unsigned char **p, const unsigned char *start, const mbedtls_mpi *X)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ // Write the MPI
+ //
+ len = mbedtls_mpi_size(X);
+
+ /* DER represents 0 with a sign bit (0=nonnegative) and 7 value bits, not
+ * as 0 digits. We need to end up with 020100, not with 0200. */
+ if (len == 0) {
+ len = 1;
+ }
+
+ if (*p < start || (size_t) (*p - start) < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ (*p) -= len;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(X, *p, len));
+
+ // DER format assumes 2s complement for numbers, so the leftmost bit
+ // should be 0 for positive numbers and 1 for negative numbers.
+ //
+ if (X->s == 1 && **p & 0x80) {
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *--(*p) = 0x00;
+ len += 1;
+ }
+
+ ret = mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_INTEGER);
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_write_null(unsigned char **p, const unsigned char *start)
+{
+ // Write NULL
+ //
+ return mbedtls_asn1_write_len_and_tag(p, start, 0, MBEDTLS_ASN1_NULL);
+}
+
+int mbedtls_asn1_write_oid(unsigned char **p, const unsigned char *start,
+ const char *oid, size_t oid_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
+ (const unsigned char *) oid, oid_len));
+ return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_OID);
+}
+
+int mbedtls_asn1_write_algorithm_identifier(unsigned char **p, const unsigned char *start,
+ const char *oid, size_t oid_len,
+ size_t par_len)
+{
+ return mbedtls_asn1_write_algorithm_identifier_ext(p, start, oid, oid_len, par_len, 1);
+}
+
+int mbedtls_asn1_write_algorithm_identifier_ext(unsigned char **p, const unsigned char *start,
+ const char *oid, size_t oid_len,
+ size_t par_len, int has_par)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ if (has_par) {
+ if (par_len == 0) {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_null(p, start));
+ } else {
+ len += par_len;
+ }
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid, oid_len));
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+}
+
+int mbedtls_asn1_write_bool(unsigned char **p, const unsigned char *start, int boolean)
+{
+ size_t len = 0;
+
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *--(*p) = (boolean) ? 255 : 0;
+ len++;
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_BOOLEAN);
+}
+
+static int asn1_write_tagged_int(unsigned char **p, const unsigned char *start, int val, int tag)
+{
+ size_t len = 0;
+
+ do {
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ len += 1;
+ *--(*p) = val & 0xff;
+ val >>= 8;
+ } while (val > 0);
+
+ if (**p & 0x80) {
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ *--(*p) = 0x00;
+ len += 1;
+ }
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, tag);
+}
+
+int mbedtls_asn1_write_int(unsigned char **p, const unsigned char *start, int val)
+{
+ return asn1_write_tagged_int(p, start, val, MBEDTLS_ASN1_INTEGER);
+}
+
+int mbedtls_asn1_write_enum(unsigned char **p, const unsigned char *start, int val)
+{
+ return asn1_write_tagged_int(p, start, val, MBEDTLS_ASN1_ENUMERATED);
+}
+
+int mbedtls_asn1_write_tagged_string(unsigned char **p, const unsigned char *start, int tag,
+ const char *text, size_t text_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
+ (const unsigned char *) text,
+ text_len));
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, tag);
+}
+
+int mbedtls_asn1_write_utf8_string(unsigned char **p, const unsigned char *start,
+ const char *text, size_t text_len)
+{
+ return mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_UTF8_STRING, text, text_len);
+}
+
+int mbedtls_asn1_write_printable_string(unsigned char **p, const unsigned char *start,
+ const char *text, size_t text_len)
+{
+ return mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_PRINTABLE_STRING, text,
+ text_len);
+}
+
+int mbedtls_asn1_write_ia5_string(unsigned char **p, const unsigned char *start,
+ const char *text, size_t text_len)
+{
+ return mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_IA5_STRING, text, text_len);
+}
+
+int mbedtls_asn1_write_named_bitstring(unsigned char **p,
+ const unsigned char *start,
+ const unsigned char *buf,
+ size_t bits)
+{
+ size_t unused_bits, byte_len;
+ const unsigned char *cur_byte;
+ unsigned char cur_byte_shifted;
+ unsigned char bit;
+
+ byte_len = (bits + 7) / 8;
+ unused_bits = (byte_len * 8) - bits;
+
+ /*
+ * Named bitstrings require that trailing 0s are excluded in the encoding
+ * of the bitstring. Trailing 0s are considered part of the 'unused' bits
+ * when encoding this value in the first content octet
+ */
+ if (bits != 0) {
+ cur_byte = buf + byte_len - 1;
+ cur_byte_shifted = *cur_byte >> unused_bits;
+
+ for (;;) {
+ bit = cur_byte_shifted & 0x1;
+ cur_byte_shifted >>= 1;
+
+ if (bit != 0) {
+ break;
+ }
+
+ bits--;
+ if (bits == 0) {
+ break;
+ }
+
+ if (bits % 8 == 0) {
+ cur_byte_shifted = *--cur_byte;
+ }
+ }
+ }
+
+ return mbedtls_asn1_write_bitstring(p, start, buf, bits);
+}
+
+int mbedtls_asn1_write_bitstring(unsigned char **p, const unsigned char *start,
+ const unsigned char *buf, size_t bits)
+{
+ size_t len = 0;
+ size_t unused_bits, byte_len;
+
+ byte_len = (bits + 7) / 8;
+ unused_bits = (byte_len * 8) - bits;
+
+ if (*p < start || (size_t) (*p - start) < byte_len + 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ len = byte_len + 1;
+
+ /* Write the bitstring. Ensure the unused bits are zeroed */
+ if (byte_len > 0) {
+ byte_len--;
+ *--(*p) = buf[byte_len] & ~((0x1 << unused_bits) - 1);
+ (*p) -= byte_len;
+ memcpy(*p, buf, byte_len);
+ }
+
+ /* Write unused bits */
+ *--(*p) = (unsigned char) unused_bits;
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_BIT_STRING);
+}
+
+int mbedtls_asn1_write_octet_string(unsigned char **p, const unsigned char *start,
+ const unsigned char *buf, size_t size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start, buf, size));
+
+ return mbedtls_asn1_write_len_and_tag(p, start, len, MBEDTLS_ASN1_OCTET_STRING);
+}
+
+
+#if !defined(MBEDTLS_ASN1_PARSE_C)
+/* This is a copy of the ASN.1 parsing function mbedtls_asn1_find_named_data(),
+ * which is replicated to avoid a dependency ASN1_WRITE_C on ASN1_PARSE_C. */
+static mbedtls_asn1_named_data *asn1_find_named_data(
+ mbedtls_asn1_named_data *list,
+ const char *oid, size_t len)
+{
+ while (list != NULL) {
+ if (list->oid.len == len &&
+ memcmp(list->oid.p, oid, len) == 0) {
+ break;
+ }
+
+ list = list->next;
+ }
+
+ return list;
+}
+#else
+#define asn1_find_named_data(list, oid, len) \
+ ((mbedtls_asn1_named_data *) mbedtls_asn1_find_named_data(list, oid, len))
+#endif
+
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
+ mbedtls_asn1_named_data **head,
+ const char *oid, size_t oid_len,
+ const unsigned char *val,
+ size_t val_len)
+{
+ mbedtls_asn1_named_data *cur;
+
+ if ((cur = asn1_find_named_data(*head, oid, oid_len)) == NULL) {
+ // Add new entry if not present yet based on OID
+ //
+ cur = (mbedtls_asn1_named_data *) mbedtls_calloc(1,
+ sizeof(mbedtls_asn1_named_data));
+ if (cur == NULL) {
+ return NULL;
+ }
+
+ cur->oid.len = oid_len;
+ cur->oid.p = mbedtls_calloc(1, oid_len);
+ if (cur->oid.p == NULL) {
+ mbedtls_free(cur);
+ return NULL;
+ }
+
+ memcpy(cur->oid.p, oid, oid_len);
+
+ cur->val.len = val_len;
+ if (val_len != 0) {
+ cur->val.p = mbedtls_calloc(1, val_len);
+ if (cur->val.p == NULL) {
+ mbedtls_free(cur->oid.p);
+ mbedtls_free(cur);
+ return NULL;
+ }
+ }
+
+ cur->next = *head;
+ *head = cur;
+ } else if (val_len == 0) {
+ mbedtls_free(cur->val.p);
+ cur->val.p = NULL;
+ } else if (cur->val.len != val_len) {
+ /*
+ * Enlarge existing value buffer if needed
+ * Preserve old data until the allocation succeeded, to leave list in
+ * a consistent state in case allocation fails.
+ */
+ void *p = mbedtls_calloc(1, val_len);
+ if (p == NULL) {
+ return NULL;
+ }
+
+ mbedtls_free(cur->val.p);
+ cur->val.p = p;
+ cur->val.len = val_len;
+ }
+
+ if (val != NULL && val_len != 0) {
+ memcpy(cur->val.p, val, val_len);
+ }
+
+ return cur;
+}
+#endif /* MBEDTLS_ASN1_WRITE_C */
diff --git a/library/base64.c b/library/base64.c
new file mode 100644
index 0000000..9677dee
--- /dev/null
+++ b/library/base64.c
@@ -0,0 +1,299 @@
+/*
+ * RFC 1521 base64 encoding/decoding
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <limits.h>
+
+#include "common.h"
+
+#if defined(MBEDTLS_BASE64_C)
+
+#include "mbedtls/base64.h"
+#include "base64_internal.h"
+#include "constant_time_internal.h"
+
+#include <stdint.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#include <string.h>
+#include "mbedtls/platform.h"
+#endif /* MBEDTLS_SELF_TEST */
+
+MBEDTLS_STATIC_TESTABLE
+unsigned char mbedtls_ct_base64_enc_char(unsigned char value)
+{
+ unsigned char digit = 0;
+ /* For each range of values, if value is in that range, mask digit with
+ * the corresponding value. Since value can only be in a single range,
+ * only at most one masking will change digit. */
+ digit |= mbedtls_ct_uchar_in_range_if(0, 25, value, 'A' + value);
+ digit |= mbedtls_ct_uchar_in_range_if(26, 51, value, 'a' + value - 26);
+ digit |= mbedtls_ct_uchar_in_range_if(52, 61, value, '0' + value - 52);
+ digit |= mbedtls_ct_uchar_in_range_if(62, 62, value, '+');
+ digit |= mbedtls_ct_uchar_in_range_if(63, 63, value, '/');
+ return digit;
+}
+
+MBEDTLS_STATIC_TESTABLE
+signed char mbedtls_ct_base64_dec_value(unsigned char c)
+{
+ unsigned char val = 0;
+ /* For each range of digits, if c is in that range, mask val with
+ * the corresponding value. Since c can only be in a single range,
+ * only at most one masking will change val. Set val to one plus
+ * the desired value so that it stays 0 if c is in none of the ranges. */
+ val |= mbedtls_ct_uchar_in_range_if('A', 'Z', c, c - 'A' + 0 + 1);
+ val |= mbedtls_ct_uchar_in_range_if('a', 'z', c, c - 'a' + 26 + 1);
+ val |= mbedtls_ct_uchar_in_range_if('0', '9', c, c - '0' + 52 + 1);
+ val |= mbedtls_ct_uchar_in_range_if('+', '+', c, c - '+' + 62 + 1);
+ val |= mbedtls_ct_uchar_in_range_if('/', '/', c, c - '/' + 63 + 1);
+ /* At this point, val is 0 if c is an invalid digit and v+1 if c is
+ * a digit with the value v. */
+ return val - 1;
+}
+
+/*
+ * Encode a buffer into base64 format
+ */
+int mbedtls_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
+ const unsigned char *src, size_t slen)
+{
+ size_t i, n;
+ int C1, C2, C3;
+ unsigned char *p;
+
+ if (slen == 0) {
+ *olen = 0;
+ return 0;
+ }
+
+ n = slen / 3 + (slen % 3 != 0);
+
+ if (n > (SIZE_MAX - 1) / 4) {
+ *olen = SIZE_MAX;
+ return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
+ }
+
+ n *= 4;
+
+ if ((dlen < n + 1) || (NULL == dst)) {
+ *olen = n + 1;
+ return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
+ }
+
+ n = (slen / 3) * 3;
+
+ for (i = 0, p = dst; i < n; i += 3) {
+ C1 = *src++;
+ C2 = *src++;
+ C3 = *src++;
+
+ *p++ = mbedtls_ct_base64_enc_char((C1 >> 2) & 0x3F);
+ *p++ = mbedtls_ct_base64_enc_char((((C1 & 3) << 4) + (C2 >> 4))
+ & 0x3F);
+ *p++ = mbedtls_ct_base64_enc_char((((C2 & 15) << 2) + (C3 >> 6))
+ & 0x3F);
+ *p++ = mbedtls_ct_base64_enc_char(C3 & 0x3F);
+ }
+
+ if (i < slen) {
+ C1 = *src++;
+ C2 = ((i + 1) < slen) ? *src++ : 0;
+
+ *p++ = mbedtls_ct_base64_enc_char((C1 >> 2) & 0x3F);
+ *p++ = mbedtls_ct_base64_enc_char((((C1 & 3) << 4) + (C2 >> 4))
+ & 0x3F);
+
+ if ((i + 1) < slen) {
+ *p++ = mbedtls_ct_base64_enc_char(((C2 & 15) << 2) & 0x3F);
+ } else {
+ *p++ = '=';
+ }
+
+ *p++ = '=';
+ }
+
+ *olen = (size_t) (p - dst);
+ *p = 0;
+
+ return 0;
+}
+
+/*
+ * Decode a base64-formatted buffer
+ */
+int mbedtls_base64_decode(unsigned char *dst, size_t dlen, size_t *olen,
+ const unsigned char *src, size_t slen)
+{
+ size_t i; /* index in source */
+ size_t n; /* number of digits or trailing = in source */
+ uint32_t x; /* value accumulator */
+ unsigned accumulated_digits = 0;
+ unsigned equals = 0;
+ int spaces_present = 0;
+ unsigned char *p;
+
+ /* First pass: check for validity and get output length */
+ for (i = n = 0; i < slen; i++) {
+ /* Skip spaces before checking for EOL */
+ spaces_present = 0;
+ while (i < slen && src[i] == ' ') {
+ ++i;
+ spaces_present = 1;
+ }
+
+ /* Spaces at end of buffer are OK */
+ if (i == slen) {
+ break;
+ }
+
+ if ((slen - i) >= 2 &&
+ src[i] == '\r' && src[i + 1] == '\n') {
+ continue;
+ }
+
+ if (src[i] == '\n') {
+ continue;
+ }
+
+ /* Space inside a line is an error */
+ if (spaces_present) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+
+ if (src[i] > 127) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+
+ if (src[i] == '=') {
+ if (++equals > 2) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+ } else {
+ if (equals != 0) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+ if (mbedtls_ct_base64_dec_value(src[i]) < 0) {
+ return MBEDTLS_ERR_BASE64_INVALID_CHARACTER;
+ }
+ }
+ n++;
+ }
+
+ if (n == 0) {
+ *olen = 0;
+ return 0;
+ }
+
+ /* The following expression is to calculate the following formula without
+ * risk of integer overflow in n:
+ * n = ( ( n * 6 ) + 7 ) >> 3;
+ */
+ n = (6 * (n >> 3)) + ((6 * (n & 0x7) + 7) >> 3);
+ n -= equals;
+
+ if (dst == NULL || dlen < n) {
+ *olen = n;
+ return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
+ }
+
+ equals = 0;
+ for (x = 0, p = dst; i > 0; i--, src++) {
+ if (*src == '\r' || *src == '\n' || *src == ' ') {
+ continue;
+ }
+
+ x = x << 6;
+ if (*src == '=') {
+ ++equals;
+ } else {
+ x |= mbedtls_ct_base64_dec_value(*src);
+ }
+
+ if (++accumulated_digits == 4) {
+ accumulated_digits = 0;
+ *p++ = MBEDTLS_BYTE_2(x);
+ if (equals <= 1) {
+ *p++ = MBEDTLS_BYTE_1(x);
+ }
+ if (equals <= 0) {
+ *p++ = MBEDTLS_BYTE_0(x);
+ }
+ }
+ }
+
+ *olen = (size_t) (p - dst);
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char base64_test_dec[64] =
+{
+ 0x24, 0x48, 0x6E, 0x56, 0x87, 0x62, 0x5A, 0xBD,
+ 0xBF, 0x17, 0xD9, 0xA2, 0xC4, 0x17, 0x1A, 0x01,
+ 0x94, 0xED, 0x8F, 0x1E, 0x11, 0xB3, 0xD7, 0x09,
+ 0x0C, 0xB6, 0xE9, 0x10, 0x6F, 0x22, 0xEE, 0x13,
+ 0xCA, 0xB3, 0x07, 0x05, 0x76, 0xC9, 0xFA, 0x31,
+ 0x6C, 0x08, 0x34, 0xFF, 0x8D, 0xC2, 0x6C, 0x38,
+ 0x00, 0x43, 0xE9, 0x54, 0x97, 0xAF, 0x50, 0x4B,
+ 0xD1, 0x41, 0xBA, 0x95, 0x31, 0x5A, 0x0B, 0x97
+};
+
+static const unsigned char base64_test_enc[] =
+ "JEhuVodiWr2/F9mixBcaAZTtjx4Rs9cJDLbpEG8i7hPK"
+ "swcFdsn6MWwINP+Nwmw4AEPpVJevUEvRQbqVMVoLlw==";
+
+/*
+ * Checkup routine
+ */
+int mbedtls_base64_self_test(int verbose)
+{
+ size_t len;
+ const unsigned char *src;
+ unsigned char buffer[128];
+
+ if (verbose != 0) {
+ mbedtls_printf(" Base64 encoding test: ");
+ }
+
+ src = base64_test_dec;
+
+ if (mbedtls_base64_encode(buffer, sizeof(buffer), &len, src, 64) != 0 ||
+ memcmp(base64_test_enc, buffer, 88) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n Base64 decoding test: ");
+ }
+
+ src = base64_test_enc;
+
+ if (mbedtls_base64_decode(buffer, sizeof(buffer), &len, src, 88) != 0 ||
+ memcmp(base64_test_dec, buffer, 64) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_BASE64_C */
diff --git a/library/base64_internal.h b/library/base64_internal.h
new file mode 100644
index 0000000..a09bd23
--- /dev/null
+++ b/library/base64_internal.h
@@ -0,0 +1,45 @@
+/**
+ * \file base64_internal.h
+ *
+ * \brief RFC 1521 base64 encoding/decoding: interfaces for invasive testing
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BASE64_INTERNAL
+#define MBEDTLS_BASE64_INTERNAL
+
+#include "common.h"
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+/** Given a value in the range 0..63, return the corresponding Base64 digit.
+ *
+ * The implementation assumes that letters are consecutive (e.g. ASCII
+ * but not EBCDIC).
+ *
+ * \param value A value in the range 0..63.
+ *
+ * \return A base64 digit converted from \p value.
+ */
+unsigned char mbedtls_ct_base64_enc_char(unsigned char value);
+
+/** Given a Base64 digit, return its value.
+ *
+ * If c is not a Base64 digit ('A'..'Z', 'a'..'z', '0'..'9', '+' or '/'),
+ * return -1.
+ *
+ * The implementation assumes that letters are consecutive (e.g. ASCII
+ * but not EBCDIC).
+ *
+ * \param c A base64 digit.
+ *
+ * \return The value of the base64 digit \p c.
+ */
+signed char mbedtls_ct_base64_dec_value(unsigned char c);
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* MBEDTLS_BASE64_INTERNAL */
diff --git a/library/bignum.c b/library/bignum.c
new file mode 100644
index 0000000..c45fd5b
--- /dev/null
+++ b/library/bignum.c
@@ -0,0 +1,2464 @@
+/*
+ * Multi-precision integer library
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following sources were referenced in the design of this Multi-precision
+ * Integer library:
+ *
+ * [1] Handbook of Applied Cryptography - 1997
+ * Menezes, van Oorschot and Vanstone
+ *
+ * [2] Multi-Precision Math
+ * Tom St Denis
+ * https://github.com/libtom/libtommath/blob/develop/tommath.pdf
+ *
+ * [3] GNU Multi-Precision Arithmetic Library
+ * https://gmplib.org/manual/index.html
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+#include "mbedtls/bignum.h"
+#include "bignum_core.h"
+#include "bn_mul.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "constant_time_internal.h"
+
+#include <limits.h>
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+
+
+/*
+ * Conditionally select an MPI sign in constant time.
+ * (MPI sign is the field s in mbedtls_mpi. It is unsigned short and only 1 and -1 are valid
+ * values.)
+ */
+static inline signed short mbedtls_ct_mpi_sign_if(mbedtls_ct_condition_t cond,
+ signed short sign1, signed short sign2)
+{
+ return (signed short) mbedtls_ct_uint_if(cond, sign1 + 1, sign2 + 1) - 1;
+}
+
+/*
+ * Compare signed values in constant time
+ */
+int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
+ const mbedtls_mpi *Y,
+ unsigned *ret)
+{
+ mbedtls_ct_condition_t different_sign, X_is_negative, Y_is_negative, result;
+
+ if (X->n != Y->n) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Set N_is_negative to MBEDTLS_CT_FALSE if N >= 0, MBEDTLS_CT_TRUE if N < 0.
+ * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
+ */
+ X_is_negative = mbedtls_ct_bool((X->s & 2) >> 1);
+ Y_is_negative = mbedtls_ct_bool((Y->s & 2) >> 1);
+
+ /*
+ * If the signs are different, then the positive operand is the bigger.
+ * That is if X is negative (X_is_negative == 1), then X < Y is true and it
+ * is false if X is positive (X_is_negative == 0).
+ */
+ different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
+ result = mbedtls_ct_bool_and(different_sign, X_is_negative);
+
+ /*
+ * Assuming signs are the same, compare X and Y. We switch the comparison
+ * order if they are negative so that we get the right result, regardles of
+ * sign.
+ */
+
+ /* This array is used to conditionally swap the pointers in const time */
+ void * const p[2] = { X->p, Y->p };
+ size_t i = mbedtls_ct_size_if_else_0(X_is_negative, 1);
+ mbedtls_ct_condition_t lt = mbedtls_mpi_core_lt_ct(p[i], p[i ^ 1], X->n);
+
+ /*
+ * Store in result iff the signs are the same (i.e., iff different_sign == false). If
+ * the signs differ, result has already been set, so we don't change it.
+ */
+ result = mbedtls_ct_bool_or(result,
+ mbedtls_ct_bool_and(mbedtls_ct_bool_not(different_sign), lt));
+
+ *ret = mbedtls_ct_uint_if_else_0(result, 1);
+
+ return 0;
+}
+
+/*
+ * Conditionally assign X = Y, without leaking information
+ * about whether the assignment was made or not.
+ * (Leaking information about the respective sizes of X and Y is ok however.)
+ */
+#if defined(_MSC_VER) && defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \
+ (_MSC_FULL_VER < 193131103)
+/*
+ * MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:
+ * https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989
+ */
+__declspec(noinline)
+#endif
+int mbedtls_mpi_safe_cond_assign(mbedtls_mpi *X,
+ const mbedtls_mpi *Y,
+ unsigned char assign)
+{
+ int ret = 0;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
+
+ {
+ mbedtls_ct_condition_t do_assign = mbedtls_ct_bool(assign);
+
+ X->s = mbedtls_ct_mpi_sign_if(do_assign, Y->s, X->s);
+
+ mbedtls_mpi_core_cond_assign(X->p, Y->p, Y->n, do_assign);
+
+ mbedtls_ct_condition_t do_not_assign = mbedtls_ct_bool_not(do_assign);
+ for (size_t i = Y->n; i < X->n; i++) {
+ X->p[i] = mbedtls_ct_mpi_uint_if_else_0(do_not_assign, X->p[i]);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Conditionally swap X and Y, without leaking information
+ * about whether the swap was made or not.
+ * Here it is not ok to simply swap the pointers, which would lead to
+ * different memory access patterns when X and Y are used afterwards.
+ */
+int mbedtls_mpi_safe_cond_swap(mbedtls_mpi *X,
+ mbedtls_mpi *Y,
+ unsigned char swap)
+{
+ int ret = 0;
+ int s;
+
+ if (X == Y) {
+ return 0;
+ }
+
+ mbedtls_ct_condition_t do_swap = mbedtls_ct_bool(swap);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, Y->n));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Y, X->n));
+
+ s = X->s;
+ X->s = mbedtls_ct_mpi_sign_if(do_swap, Y->s, X->s);
+ Y->s = mbedtls_ct_mpi_sign_if(do_swap, s, Y->s);
+
+ mbedtls_mpi_core_cond_swap(X->p, Y->p, X->n, do_swap);
+
+cleanup:
+ return ret;
+}
+
+/* Implementation that should never be optimized out by the compiler */
+#define mbedtls_mpi_zeroize_and_free(v, n) mbedtls_zeroize_and_free(v, ciL * (n))
+
+/*
+ * Initialize one MPI
+ */
+void mbedtls_mpi_init(mbedtls_mpi *X)
+{
+ X->s = 1;
+ X->n = 0;
+ X->p = NULL;
+}
+
+/*
+ * Unallocate one MPI
+ */
+void mbedtls_mpi_free(mbedtls_mpi *X)
+{
+ if (X == NULL) {
+ return;
+ }
+
+ if (X->p != NULL) {
+ mbedtls_mpi_zeroize_and_free(X->p, X->n);
+ }
+
+ X->s = 1;
+ X->n = 0;
+ X->p = NULL;
+}
+
+/*
+ * Enlarge to the specified number of limbs
+ */
+int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
+{
+ mbedtls_mpi_uint *p;
+
+ if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ if (X->n < nblimbs) {
+ if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(nblimbs, ciL)) == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ if (X->p != NULL) {
+ memcpy(p, X->p, X->n * ciL);
+ mbedtls_mpi_zeroize_and_free(X->p, X->n);
+ }
+
+ /* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
+ * fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
+ X->n = (unsigned short) nblimbs;
+ X->p = p;
+ }
+
+ return 0;
+}
+
+/*
+ * Resize down as much as possible,
+ * while keeping at least the specified number of limbs
+ */
+int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
+{
+ mbedtls_mpi_uint *p;
+ size_t i;
+
+ if (nblimbs > MBEDTLS_MPI_MAX_LIMBS) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ /* Actually resize up if there are currently fewer than nblimbs limbs. */
+ if (X->n <= nblimbs) {
+ return mbedtls_mpi_grow(X, nblimbs);
+ }
+ /* After this point, then X->n > nblimbs and in particular X->n > 0. */
+
+ for (i = X->n - 1; i > 0; i--) {
+ if (X->p[i] != 0) {
+ break;
+ }
+ }
+ i++;
+
+ if (i < nblimbs) {
+ i = nblimbs;
+ }
+
+ if ((p = (mbedtls_mpi_uint *) mbedtls_calloc(i, ciL)) == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ if (X->p != NULL) {
+ memcpy(p, X->p, i * ciL);
+ mbedtls_mpi_zeroize_and_free(X->p, X->n);
+ }
+
+ /* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
+ * fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
+ X->n = (unsigned short) i;
+ X->p = p;
+
+ return 0;
+}
+
+/* Resize X to have exactly n limbs and set it to 0. */
+static int mbedtls_mpi_resize_clear(mbedtls_mpi *X, size_t limbs)
+{
+ if (limbs == 0) {
+ mbedtls_mpi_free(X);
+ return 0;
+ } else if (X->n == limbs) {
+ memset(X->p, 0, limbs * ciL);
+ X->s = 1;
+ return 0;
+ } else {
+ mbedtls_mpi_free(X);
+ return mbedtls_mpi_grow(X, limbs);
+ }
+}
+
+/*
+ * Copy the contents of Y into X.
+ *
+ * This function is not constant-time. Leading zeros in Y may be removed.
+ *
+ * Ensure that X does not shrink. This is not guaranteed by the public API,
+ * but some code in the bignum module might still rely on this property.
+ */
+int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y)
+{
+ int ret = 0;
+ size_t i;
+
+ if (X == Y) {
+ return 0;
+ }
+
+ if (Y->n == 0) {
+ if (X->n != 0) {
+ X->s = 1;
+ memset(X->p, 0, X->n * ciL);
+ }
+ return 0;
+ }
+
+ for (i = Y->n - 1; i > 0; i--) {
+ if (Y->p[i] != 0) {
+ break;
+ }
+ }
+ i++;
+
+ X->s = Y->s;
+
+ if (X->n < i) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i));
+ } else {
+ memset(X->p + i, 0, (X->n - i) * ciL);
+ }
+
+ memcpy(X->p, Y->p, i * ciL);
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Swap the contents of X and Y
+ */
+void mbedtls_mpi_swap(mbedtls_mpi *X, mbedtls_mpi *Y)
+{
+ mbedtls_mpi T;
+
+ memcpy(&T, X, sizeof(mbedtls_mpi));
+ memcpy(X, Y, sizeof(mbedtls_mpi));
+ memcpy(Y, &T, sizeof(mbedtls_mpi));
+}
+
+static inline mbedtls_mpi_uint mpi_sint_abs(mbedtls_mpi_sint z)
+{
+ if (z >= 0) {
+ return z;
+ }
+ /* Take care to handle the most negative value (-2^(biL-1)) correctly.
+ * A naive -z would have undefined behavior.
+ * Write this in a way that makes popular compilers happy (GCC, Clang,
+ * MSVC). */
+ return (mbedtls_mpi_uint) 0 - (mbedtls_mpi_uint) z;
+}
+
+/* Convert x to a sign, i.e. to 1, if x is positive, or -1, if x is negative.
+ * This looks awkward but generates smaller code than (x < 0 ? -1 : 1) */
+#define TO_SIGN(x) ((mbedtls_mpi_sint) (((mbedtls_mpi_uint) x) >> (biL - 1)) * -2 + 1)
+
+/*
+ * Set value from integer
+ */
+int mbedtls_mpi_lset(mbedtls_mpi *X, mbedtls_mpi_sint z)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, 1));
+ memset(X->p, 0, X->n * ciL);
+
+ X->p[0] = mpi_sint_abs(z);
+ X->s = TO_SIGN(z);
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Get a specific bit
+ */
+int mbedtls_mpi_get_bit(const mbedtls_mpi *X, size_t pos)
+{
+ if (X->n * biL <= pos) {
+ return 0;
+ }
+
+ return (X->p[pos / biL] >> (pos % biL)) & 0x01;
+}
+
+/*
+ * Set a bit to a specific value of 0 or 1
+ */
+int mbedtls_mpi_set_bit(mbedtls_mpi *X, size_t pos, unsigned char val)
+{
+ int ret = 0;
+ size_t off = pos / biL;
+ size_t idx = pos % biL;
+
+ if (val != 0 && val != 1) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (X->n * biL <= pos) {
+ if (val == 0) {
+ return 0;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, off + 1));
+ }
+
+ X->p[off] &= ~((mbedtls_mpi_uint) 0x01 << idx);
+ X->p[off] |= (mbedtls_mpi_uint) val << idx;
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Return the number of less significant zero-bits
+ */
+size_t mbedtls_mpi_lsb(const mbedtls_mpi *X)
+{
+ size_t i;
+
+#if defined(__has_builtin)
+#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_ctz)
+ #define mbedtls_mpi_uint_ctz __builtin_ctz
+#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_ctzl)
+ #define mbedtls_mpi_uint_ctz __builtin_ctzl
+#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_ctzll)
+ #define mbedtls_mpi_uint_ctz __builtin_ctzll
+#endif
+#endif
+
+#if defined(mbedtls_mpi_uint_ctz)
+ for (i = 0; i < X->n; i++) {
+ if (X->p[i] != 0) {
+ return i * biL + mbedtls_mpi_uint_ctz(X->p[i]);
+ }
+ }
+#else
+ size_t count = 0;
+ for (i = 0; i < X->n; i++) {
+ for (size_t j = 0; j < biL; j++, count++) {
+ if (((X->p[i] >> j) & 1) != 0) {
+ return count;
+ }
+ }
+ }
+#endif
+
+ return 0;
+}
+
+/*
+ * Return the number of bits
+ */
+size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
+{
+ return mbedtls_mpi_core_bitlen(X->p, X->n);
+}
+
+/*
+ * Return the total size in bytes
+ */
+size_t mbedtls_mpi_size(const mbedtls_mpi *X)
+{
+ return (mbedtls_mpi_bitlen(X) + 7) >> 3;
+}
+
+/*
+ * Convert an ASCII character to digit value
+ */
+static int mpi_get_digit(mbedtls_mpi_uint *d, int radix, char c)
+{
+ *d = 255;
+
+ if (c >= 0x30 && c <= 0x39) {
+ *d = c - 0x30;
+ }
+ if (c >= 0x41 && c <= 0x46) {
+ *d = c - 0x37;
+ }
+ if (c >= 0x61 && c <= 0x66) {
+ *d = c - 0x57;
+ }
+
+ if (*d >= (mbedtls_mpi_uint) radix) {
+ return MBEDTLS_ERR_MPI_INVALID_CHARACTER;
+ }
+
+ return 0;
+}
+
+/*
+ * Import from an ASCII string
+ */
+int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, j, slen, n;
+ int sign = 1;
+ mbedtls_mpi_uint d;
+ mbedtls_mpi T;
+
+ if (radix < 2 || radix > 16) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&T);
+
+ if (s[0] == 0) {
+ mbedtls_mpi_free(X);
+ return 0;
+ }
+
+ if (s[0] == '-') {
+ ++s;
+ sign = -1;
+ }
+
+ slen = strlen(s);
+
+ if (radix == 16) {
+ if (slen > SIZE_MAX >> 2) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ n = BITS_TO_LIMBS(slen << 2);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
+
+ for (i = slen, j = 0; i > 0; i--, j++) {
+ MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i - 1]));
+ X->p[j / (2 * ciL)] |= d << ((j % (2 * ciL)) << 2);
+ }
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
+
+ for (i = 0; i < slen; i++) {
+ MBEDTLS_MPI_CHK(mpi_get_digit(&d, radix, s[i]));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T, X, radix));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, &T, d));
+ }
+ }
+
+ if (sign < 0 && mbedtls_mpi_bitlen(X) != 0) {
+ X->s = -1;
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&T);
+
+ return ret;
+}
+
+/*
+ * Helper to write the digits high-order first.
+ */
+static int mpi_write_hlp(mbedtls_mpi *X, int radix,
+ char **p, const size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi_uint r;
+ size_t length = 0;
+ char *p_end = *p + buflen;
+
+ do {
+ if (length >= buflen) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, radix));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_int(X, NULL, X, radix));
+ /*
+ * Write the residue in the current position, as an ASCII character.
+ */
+ if (r < 0xA) {
+ *(--p_end) = (char) ('0' + r);
+ } else {
+ *(--p_end) = (char) ('A' + (r - 0xA));
+ }
+
+ length++;
+ } while (mbedtls_mpi_cmp_int(X, 0) != 0);
+
+ memmove(*p, p_end, length);
+ *p += length;
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Export into an ASCII string
+ */
+int mbedtls_mpi_write_string(const mbedtls_mpi *X, int radix,
+ char *buf, size_t buflen, size_t *olen)
+{
+ int ret = 0;
+ size_t n;
+ char *p;
+ mbedtls_mpi T;
+
+ if (radix < 2 || radix > 16) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ n = mbedtls_mpi_bitlen(X); /* Number of bits necessary to present `n`. */
+ if (radix >= 4) {
+ n >>= 1; /* Number of 4-adic digits necessary to present
+ * `n`. If radix > 4, this might be a strict
+ * overapproximation of the number of
+ * radix-adic digits needed to present `n`. */
+ }
+ if (radix >= 16) {
+ n >>= 1; /* Number of hexadecimal digits necessary to
+ * present `n`. */
+
+ }
+ n += 1; /* Terminating null byte */
+ n += 1; /* Compensate for the divisions above, which round down `n`
+ * in case it's not even. */
+ n += 1; /* Potential '-'-sign. */
+ n += (n & 1); /* Make n even to have enough space for hexadecimal writing,
+ * which always uses an even number of hex-digits. */
+
+ if (buflen < n) {
+ *olen = n;
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ p = buf;
+ mbedtls_mpi_init(&T);
+
+ if (X->s == -1) {
+ *p++ = '-';
+ buflen--;
+ }
+
+ if (radix == 16) {
+ int c;
+ size_t i, j, k;
+
+ for (i = X->n, k = 0; i > 0; i--) {
+ for (j = ciL; j > 0; j--) {
+ c = (X->p[i - 1] >> ((j - 1) << 3)) & 0xFF;
+
+ if (c == 0 && k == 0 && (i + j) != 2) {
+ continue;
+ }
+
+ *(p++) = "0123456789ABCDEF" [c / 16];
+ *(p++) = "0123456789ABCDEF" [c % 16];
+ k = 1;
+ }
+ }
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T, X));
+
+ if (T.s == -1) {
+ T.s = 1;
+ }
+
+ MBEDTLS_MPI_CHK(mpi_write_hlp(&T, radix, &p, buflen));
+ }
+
+ *p++ = '\0';
+ *olen = (size_t) (p - buf);
+
+cleanup:
+
+ mbedtls_mpi_free(&T);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Read X from an opened file
+ */
+int mbedtls_mpi_read_file(mbedtls_mpi *X, int radix, FILE *fin)
+{
+ mbedtls_mpi_uint d;
+ size_t slen;
+ char *p;
+ /*
+ * Buffer should have space for (short) label and decimal formatted MPI,
+ * newline characters and '\0'
+ */
+ char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
+
+ if (radix < 2 || radix > 16) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ memset(s, 0, sizeof(s));
+ if (fgets(s, sizeof(s) - 1, fin) == NULL) {
+ return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
+ }
+
+ slen = strlen(s);
+ if (slen == sizeof(s) - 2) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ if (slen > 0 && s[slen - 1] == '\n') {
+ slen--; s[slen] = '\0';
+ }
+ if (slen > 0 && s[slen - 1] == '\r') {
+ slen--; s[slen] = '\0';
+ }
+
+ p = s + slen;
+ while (p-- > s) {
+ if (mpi_get_digit(&d, radix, *p) != 0) {
+ break;
+ }
+ }
+
+ return mbedtls_mpi_read_string(X, radix, p + 1);
+}
+
+/*
+ * Write X into an opened file (or stdout if fout == NULL)
+ */
+int mbedtls_mpi_write_file(const char *p, const mbedtls_mpi *X, int radix, FILE *fout)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n, slen, plen;
+ /*
+ * Buffer should have space for (short) label and decimal formatted MPI,
+ * newline characters and '\0'
+ */
+ char s[MBEDTLS_MPI_RW_BUFFER_SIZE];
+
+ if (radix < 2 || radix > 16) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ memset(s, 0, sizeof(s));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_string(X, radix, s, sizeof(s) - 2, &n));
+
+ if (p == NULL) {
+ p = "";
+ }
+
+ plen = strlen(p);
+ slen = strlen(s);
+ s[slen++] = '\r';
+ s[slen++] = '\n';
+
+ if (fout != NULL) {
+ if (fwrite(p, 1, plen, fout) != plen ||
+ fwrite(s, 1, slen, fout) != slen) {
+ return MBEDTLS_ERR_MPI_FILE_IO_ERROR;
+ }
+ } else {
+ mbedtls_printf("%s%s", p, s);
+ }
+
+cleanup:
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+
+/*
+ * Import X from unsigned binary data, little endian
+ *
+ * This function is guaranteed to return an MPI with exactly the necessary
+ * number of limbs (in particular, it does not skip 0s in the input).
+ */
+int mbedtls_mpi_read_binary_le(mbedtls_mpi *X,
+ const unsigned char *buf, size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t limbs = CHARS_TO_LIMBS(buflen);
+
+ /* Ensure that target MPI has exactly the necessary number of limbs */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_le(X->p, X->n, buf, buflen));
+
+cleanup:
+
+ /*
+ * This function is also used to import keys. However, wiping the buffers
+ * upon failure is not necessary because failure only can happen before any
+ * input is copied.
+ */
+ return ret;
+}
+
+/*
+ * Import X from unsigned binary data, big endian
+ *
+ * This function is guaranteed to return an MPI with exactly the necessary
+ * number of limbs (in particular, it does not skip 0s in the input).
+ */
+int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t limbs = CHARS_TO_LIMBS(buflen);
+
+ /* Ensure that target MPI has exactly the necessary number of limbs */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_read_be(X->p, X->n, buf, buflen));
+
+cleanup:
+
+ /*
+ * This function is also used to import keys. However, wiping the buffers
+ * upon failure is not necessary because failure only can happen before any
+ * input is copied.
+ */
+ return ret;
+}
+
+/*
+ * Export X into unsigned binary data, little endian
+ */
+int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
+ unsigned char *buf, size_t buflen)
+{
+ return mbedtls_mpi_core_write_le(X->p, X->n, buf, buflen);
+}
+
+/*
+ * Export X into unsigned binary data, big endian
+ */
+int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
+ unsigned char *buf, size_t buflen)
+{
+ return mbedtls_mpi_core_write_be(X->p, X->n, buf, buflen);
+}
+
+/*
+ * Left-shift: X <<= count
+ */
+int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+
+ i = mbedtls_mpi_bitlen(X) + count;
+
+ if (X->n * biL < i) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, BITS_TO_LIMBS(i)));
+ }
+
+ ret = 0;
+
+ mbedtls_mpi_core_shift_l(X->p, X->n, count);
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Right-shift: X >>= count
+ */
+int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t count)
+{
+ if (X->n != 0) {
+ mbedtls_mpi_core_shift_r(X->p, X->n, count);
+ }
+ return 0;
+}
+
+/*
+ * Compare unsigned values
+ */
+int mbedtls_mpi_cmp_abs(const mbedtls_mpi *X, const mbedtls_mpi *Y)
+{
+ size_t i, j;
+
+ for (i = X->n; i > 0; i--) {
+ if (X->p[i - 1] != 0) {
+ break;
+ }
+ }
+
+ for (j = Y->n; j > 0; j--) {
+ if (Y->p[j - 1] != 0) {
+ break;
+ }
+ }
+
+ /* If i == j == 0, i.e. abs(X) == abs(Y),
+ * we end up returning 0 at the end of the function. */
+
+ if (i > j) {
+ return 1;
+ }
+ if (j > i) {
+ return -1;
+ }
+
+ for (; i > 0; i--) {
+ if (X->p[i - 1] > Y->p[i - 1]) {
+ return 1;
+ }
+ if (X->p[i - 1] < Y->p[i - 1]) {
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_mpi(const mbedtls_mpi *X, const mbedtls_mpi *Y)
+{
+ size_t i, j;
+
+ for (i = X->n; i > 0; i--) {
+ if (X->p[i - 1] != 0) {
+ break;
+ }
+ }
+
+ for (j = Y->n; j > 0; j--) {
+ if (Y->p[j - 1] != 0) {
+ break;
+ }
+ }
+
+ if (i == 0 && j == 0) {
+ return 0;
+ }
+
+ if (i > j) {
+ return X->s;
+ }
+ if (j > i) {
+ return -Y->s;
+ }
+
+ if (X->s > 0 && Y->s < 0) {
+ return 1;
+ }
+ if (Y->s > 0 && X->s < 0) {
+ return -1;
+ }
+
+ for (; i > 0; i--) {
+ if (X->p[i - 1] > Y->p[i - 1]) {
+ return X->s;
+ }
+ if (X->p[i - 1] < Y->p[i - 1]) {
+ return -X->s;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_int(const mbedtls_mpi *X, mbedtls_mpi_sint z)
+{
+ mbedtls_mpi Y;
+ mbedtls_mpi_uint p[1];
+
+ *p = mpi_sint_abs(z);
+ Y.s = TO_SIGN(z);
+ Y.n = 1;
+ Y.p = p;
+
+ return mbedtls_mpi_cmp_mpi(X, &Y);
+}
+
+/*
+ * Unsigned addition: X = |A| + |B| (HAC 14.7)
+ */
+int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t j;
+ mbedtls_mpi_uint *p;
+ mbedtls_mpi_uint c;
+
+ if (X == B) {
+ const mbedtls_mpi *T = A; A = X; B = T;
+ }
+
+ if (X != A) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
+ }
+
+ /*
+ * X must always be positive as a result of unsigned additions.
+ */
+ X->s = 1;
+
+ for (j = B->n; j > 0; j--) {
+ if (B->p[j - 1] != 0) {
+ break;
+ }
+ }
+
+ /* Exit early to avoid undefined behavior on NULL+0 when X->n == 0
+ * and B is 0 (of any size). */
+ if (j == 0) {
+ return 0;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j));
+
+ /* j is the number of non-zero limbs of B. Add those to X. */
+
+ p = X->p;
+
+ c = mbedtls_mpi_core_add(p, p, B->p, j);
+
+ p += j;
+
+ /* Now propagate any carry */
+
+ while (c != 0) {
+ if (j >= X->n) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, j + 1));
+ p = X->p + j;
+ }
+
+ *p += c; c = (*p < c); j++; p++;
+ }
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
+ */
+int mbedtls_mpi_sub_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ mbedtls_mpi_uint carry;
+
+ for (n = B->n; n > 0; n--) {
+ if (B->p[n - 1] != 0) {
+ break;
+ }
+ }
+ if (n > A->n) {
+ /* B >= (2^ciL)^n > A */
+ ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, A->n));
+
+ /* Set the high limbs of X to match A. Don't touch the lower limbs
+ * because X might be aliased to B, and we must not overwrite the
+ * significant digits of B. */
+ if (A->n > n && A != X) {
+ memcpy(X->p + n, A->p + n, (A->n - n) * ciL);
+ }
+ if (X->n > A->n) {
+ memset(X->p + A->n, 0, (X->n - A->n) * ciL);
+ }
+
+ carry = mbedtls_mpi_core_sub(X->p, A->p, B->p, n);
+ if (carry != 0) {
+ /* Propagate the carry through the rest of X. */
+ carry = mbedtls_mpi_core_sub_int(X->p + n, X->p + n, carry, X->n - n);
+
+ /* If we have further carry/borrow, the result is negative. */
+ if (carry != 0) {
+ ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ goto cleanup;
+ }
+ }
+
+ /* X should always be positive as a result of unsigned subtractions. */
+ X->s = 1;
+
+cleanup:
+ return ret;
+}
+
+/* Common function for signed addition and subtraction.
+ * Calculate A + B * flip_B where flip_B is 1 or -1.
+ */
+static int add_sub_mpi(mbedtls_mpi *X,
+ const mbedtls_mpi *A, const mbedtls_mpi *B,
+ int flip_B)
+{
+ int ret, s;
+
+ s = A->s;
+ if (A->s * B->s * flip_B < 0) {
+ int cmp = mbedtls_mpi_cmp_abs(A, B);
+ if (cmp >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, A, B));
+ /* If |A| = |B|, the result is 0 and we must set the sign bit
+ * to +1 regardless of which of A or B was negative. Otherwise,
+ * since |A| > |B|, the sign is the sign of A. */
+ X->s = cmp == 0 ? 1 : s;
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(X, B, A));
+ /* Since |A| < |B|, the sign is the opposite of A. */
+ X->s = -s;
+ }
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(X, A, B));
+ X->s = s;
+ }
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Signed addition: X = A + B
+ */
+int mbedtls_mpi_add_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ return add_sub_mpi(X, A, B, 1);
+}
+
+/*
+ * Signed subtraction: X = A - B
+ */
+int mbedtls_mpi_sub_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ return add_sub_mpi(X, A, B, -1);
+}
+
+/*
+ * Signed addition: X = A + b
+ */
+int mbedtls_mpi_add_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
+{
+ mbedtls_mpi B;
+ mbedtls_mpi_uint p[1];
+
+ p[0] = mpi_sint_abs(b);
+ B.s = TO_SIGN(b);
+ B.n = 1;
+ B.p = p;
+
+ return mbedtls_mpi_add_mpi(X, A, &B);
+}
+
+/*
+ * Signed subtraction: X = A - b
+ */
+int mbedtls_mpi_sub_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b)
+{
+ mbedtls_mpi B;
+ mbedtls_mpi_uint p[1];
+
+ p[0] = mpi_sint_abs(b);
+ B.s = TO_SIGN(b);
+ B.n = 1;
+ B.p = p;
+
+ return mbedtls_mpi_sub_mpi(X, A, &B);
+}
+
+/*
+ * Baseline multiplication: X = A * B (HAC 14.12)
+ */
+int mbedtls_mpi_mul_mpi(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, j;
+ mbedtls_mpi TA, TB;
+ int result_is_zero = 0;
+
+ mbedtls_mpi_init(&TA);
+ mbedtls_mpi_init(&TB);
+
+ if (X == A) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A)); A = &TA;
+ }
+ if (X == B) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B)); B = &TB;
+ }
+
+ for (i = A->n; i > 0; i--) {
+ if (A->p[i - 1] != 0) {
+ break;
+ }
+ }
+ if (i == 0) {
+ result_is_zero = 1;
+ }
+
+ for (j = B->n; j > 0; j--) {
+ if (B->p[j - 1] != 0) {
+ break;
+ }
+ }
+ if (j == 0) {
+ result_is_zero = 1;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, i + j));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 0));
+
+ mbedtls_mpi_core_mul(X->p, A->p, i, B->p, j);
+
+ /* If the result is 0, we don't shortcut the operation, which reduces
+ * but does not eliminate side channels leaking the zero-ness. We do
+ * need to take care to set the sign bit properly since the library does
+ * not fully support an MPI object with a value of 0 and s == -1. */
+ if (result_is_zero) {
+ X->s = 1;
+ } else {
+ X->s = A->s * B->s;
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TA);
+
+ return ret;
+}
+
+/*
+ * Baseline multiplication: X = A * b
+ */
+int mbedtls_mpi_mul_int(mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b)
+{
+ size_t n = A->n;
+ while (n > 0 && A->p[n - 1] == 0) {
+ --n;
+ }
+
+ /* The general method below doesn't work if b==0. */
+ if (b == 0 || n == 0) {
+ return mbedtls_mpi_lset(X, 0);
+ }
+
+ /* Calculate A*b as A + A*(b-1) to take advantage of mbedtls_mpi_core_mla */
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ /* In general, A * b requires 1 limb more than b. If
+ * A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
+ * number of limbs as A and the call to grow() is not required since
+ * copy() will take care of the growth if needed. However, experimentally,
+ * making the call to grow() unconditional causes slightly fewer
+ * calls to calloc() in ECP code, presumably because it reuses the
+ * same mpi for a while and this way the mpi is more likely to directly
+ * grow to its final size.
+ *
+ * Note that calculating A*b as 0 + A*b doesn't work as-is because
+ * A,X can be the same. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, n + 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
+ mbedtls_mpi_core_mla(X->p, X->n, A->p, n, b - 1);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
+ * mbedtls_mpi_uint divisor, d
+ */
+static mbedtls_mpi_uint mbedtls_int_div_int(mbedtls_mpi_uint u1,
+ mbedtls_mpi_uint u0,
+ mbedtls_mpi_uint d,
+ mbedtls_mpi_uint *r)
+{
+#if defined(MBEDTLS_HAVE_UDBL)
+ mbedtls_t_udbl dividend, quotient;
+#else
+ const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
+ const mbedtls_mpi_uint uint_halfword_mask = ((mbedtls_mpi_uint) 1 << biH) - 1;
+ mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
+ mbedtls_mpi_uint u0_msw, u0_lsw;
+ size_t s;
+#endif
+
+ /*
+ * Check for overflow
+ */
+ if (0 == d || u1 >= d) {
+ if (r != NULL) {
+ *r = ~(mbedtls_mpi_uint) 0u;
+ }
+
+ return ~(mbedtls_mpi_uint) 0u;
+ }
+
+#if defined(MBEDTLS_HAVE_UDBL)
+ dividend = (mbedtls_t_udbl) u1 << biL;
+ dividend |= (mbedtls_t_udbl) u0;
+ quotient = dividend / d;
+ if (quotient > ((mbedtls_t_udbl) 1 << biL) - 1) {
+ quotient = ((mbedtls_t_udbl) 1 << biL) - 1;
+ }
+
+ if (r != NULL) {
+ *r = (mbedtls_mpi_uint) (dividend - (quotient * d));
+ }
+
+ return (mbedtls_mpi_uint) quotient;
+#else
+
+ /*
+ * Algorithm D, Section 4.3.1 - The Art of Computer Programming
+ * Vol. 2 - Seminumerical Algorithms, Knuth
+ */
+
+ /*
+ * Normalize the divisor, d, and dividend, u0, u1
+ */
+ s = mbedtls_mpi_core_clz(d);
+ d = d << s;
+
+ u1 = u1 << s;
+ u1 |= (u0 >> (biL - s)) & (-(mbedtls_mpi_sint) s >> (biL - 1));
+ u0 = u0 << s;
+
+ d1 = d >> biH;
+ d0 = d & uint_halfword_mask;
+
+ u0_msw = u0 >> biH;
+ u0_lsw = u0 & uint_halfword_mask;
+
+ /*
+ * Find the first quotient and remainder
+ */
+ q1 = u1 / d1;
+ r0 = u1 - d1 * q1;
+
+ while (q1 >= radix || (q1 * d0 > radix * r0 + u0_msw)) {
+ q1 -= 1;
+ r0 += d1;
+
+ if (r0 >= radix) {
+ break;
+ }
+ }
+
+ rAX = (u1 * radix) + (u0_msw - q1 * d);
+ q0 = rAX / d1;
+ r0 = rAX - q0 * d1;
+
+ while (q0 >= radix || (q0 * d0 > radix * r0 + u0_lsw)) {
+ q0 -= 1;
+ r0 += d1;
+
+ if (r0 >= radix) {
+ break;
+ }
+ }
+
+ if (r != NULL) {
+ *r = (rAX * radix + u0_lsw - q0 * d) >> s;
+ }
+
+ quotient = q1 * radix + q0;
+
+ return quotient;
+#endif
+}
+
+/*
+ * Division by mbedtls_mpi: A = Q * B + R (HAC 14.20)
+ */
+int mbedtls_mpi_div_mpi(mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+ const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, n, t, k;
+ mbedtls_mpi X, Y, Z, T1, T2;
+ mbedtls_mpi_uint TP2[3];
+
+ if (mbedtls_mpi_cmp_int(B, 0) == 0) {
+ return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
+ }
+
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); mbedtls_mpi_init(&Z);
+ mbedtls_mpi_init(&T1);
+ /*
+ * Avoid dynamic memory allocations for constant-size T2.
+ *
+ * T2 is used for comparison only and the 3 limbs are assigned explicitly,
+ * so nobody increase the size of the MPI and we're safe to use an on-stack
+ * buffer.
+ */
+ T2.s = 1;
+ T2.n = sizeof(TP2) / sizeof(*TP2);
+ T2.p = TP2;
+
+ if (mbedtls_mpi_cmp_abs(A, B) < 0) {
+ if (Q != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(Q, 0));
+ }
+ if (R != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, A));
+ }
+ return 0;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&X, A));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, B));
+ X.s = Y.s = 1;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&Z, A->n + 2));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Z, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&T1, A->n + 2));
+
+ k = mbedtls_mpi_bitlen(&Y) % biL;
+ if (k < biL - 1) {
+ k = biL - 1 - k;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&X, k));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, k));
+ } else {
+ k = 0;
+ }
+
+ n = X.n - 1;
+ t = Y.n - 1;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&Y, biL * (n - t)));
+
+ while (mbedtls_mpi_cmp_mpi(&X, &Y) >= 0) {
+ Z.p[n - t]++;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &Y));
+ }
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, biL * (n - t)));
+
+ for (i = n; i > t; i--) {
+ if (X.p[i] >= Y.p[t]) {
+ Z.p[i - t - 1] = ~(mbedtls_mpi_uint) 0u;
+ } else {
+ Z.p[i - t - 1] = mbedtls_int_div_int(X.p[i], X.p[i - 1],
+ Y.p[t], NULL);
+ }
+
+ T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
+ T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
+ T2.p[2] = X.p[i];
+
+ Z.p[i - t - 1]++;
+ do {
+ Z.p[i - t - 1]--;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&T1, 0));
+ T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
+ T1.p[1] = Y.p[t];
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &T1, Z.p[i - t - 1]));
+ } while (mbedtls_mpi_cmp_mpi(&T1, &T2) > 0);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(&T1, &Y, Z.p[i - t - 1]));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&X, &X, &T1));
+
+ if (mbedtls_mpi_cmp_int(&X, 0) < 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&T1, &Y));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&T1, biL * (i - t - 1)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&X, &X, &T1));
+ Z.p[i - t - 1]--;
+ }
+ }
+
+ if (Q != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(Q, &Z));
+ Q->s = A->s * B->s;
+ }
+
+ if (R != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&X, k));
+ X.s = A->s;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(R, &X));
+
+ if (mbedtls_mpi_cmp_int(R, 0) == 0) {
+ R->s = 1;
+ }
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); mbedtls_mpi_free(&Z);
+ mbedtls_mpi_free(&T1);
+ mbedtls_platform_zeroize(TP2, sizeof(TP2));
+
+ return ret;
+}
+
+/*
+ * Division by int: A = Q * b + R
+ */
+int mbedtls_mpi_div_int(mbedtls_mpi *Q, mbedtls_mpi *R,
+ const mbedtls_mpi *A,
+ mbedtls_mpi_sint b)
+{
+ mbedtls_mpi B;
+ mbedtls_mpi_uint p[1];
+
+ p[0] = mpi_sint_abs(b);
+ B.s = TO_SIGN(b);
+ B.n = 1;
+ B.p = p;
+
+ return mbedtls_mpi_div_mpi(Q, R, A, &B);
+}
+
+/*
+ * Modulo: R = A mod B
+ */
+int mbedtls_mpi_mod_mpi(mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (mbedtls_mpi_cmp_int(B, 0) < 0) {
+ return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(NULL, R, A, B));
+
+ while (mbedtls_mpi_cmp_int(R, 0) < 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(R, R, B));
+ }
+
+ while (mbedtls_mpi_cmp_mpi(R, B) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(R, R, B));
+ }
+
+cleanup:
+
+ return ret;
+}
+
+/*
+ * Modulo: r = A mod b
+ */
+int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b)
+{
+ size_t i;
+ mbedtls_mpi_uint x, y, z;
+
+ if (b == 0) {
+ return MBEDTLS_ERR_MPI_DIVISION_BY_ZERO;
+ }
+
+ if (b < 0) {
+ return MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ }
+
+ /*
+ * handle trivial cases
+ */
+ if (b == 1 || A->n == 0) {
+ *r = 0;
+ return 0;
+ }
+
+ if (b == 2) {
+ *r = A->p[0] & 1;
+ return 0;
+ }
+
+ /*
+ * general case
+ */
+ for (i = A->n, y = 0; i > 0; i--) {
+ x = A->p[i - 1];
+ y = (y << biH) | (x >> biH);
+ z = y / b;
+ y -= z * b;
+
+ x <<= biH;
+ y = (y << biH) | (x >> biH);
+ z = y / b;
+ y -= z * b;
+ }
+
+ /*
+ * If A is negative, then the current y represents a negative value.
+ * Flipping it to the positive side.
+ */
+ if (A->s < 0 && y != 0) {
+ y = b - y;
+ }
+
+ *r = y;
+
+ return 0;
+}
+
+int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *E, const mbedtls_mpi *N,
+ mbedtls_mpi *prec_RR)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (mbedtls_mpi_cmp_int(N, 0) <= 0 || (N->p[0] & 1) == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_mpi_cmp_int(E, 0) < 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_mpi_bitlen(E) > MBEDTLS_MPI_MAX_BITS ||
+ mbedtls_mpi_bitlen(N) > MBEDTLS_MPI_MAX_BITS) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Ensure that the exponent that we are passing to the core is not NULL.
+ */
+ if (E->n == 0) {
+ ret = mbedtls_mpi_lset(X, 1);
+ return ret;
+ }
+
+ /*
+ * Allocate working memory for mbedtls_mpi_core_exp_mod()
+ */
+ size_t T_limbs = mbedtls_mpi_core_exp_mod_working_limbs(N->n, E->n);
+ mbedtls_mpi_uint *T = (mbedtls_mpi_uint *) mbedtls_calloc(T_limbs, sizeof(mbedtls_mpi_uint));
+ if (T == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi RR;
+ mbedtls_mpi_init(&RR);
+
+ /*
+ * If 1st call, pre-compute R^2 mod N
+ */
+ if (prec_RR == NULL || prec_RR->p == NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
+
+ if (prec_RR != NULL) {
+ *prec_RR = RR;
+ }
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(prec_RR, N->n));
+ RR = *prec_RR;
+ }
+
+ /*
+ * To preserve constness we need to make a copy of A. Using X for this to
+ * save memory.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A));
+
+ /*
+ * Compensate for negative A (and correct at the end).
+ */
+ X->s = 1;
+
+ /*
+ * Make sure that X is in a form that is safe for consumption by
+ * the core functions.
+ *
+ * - The core functions will not touch the limbs of X above N->n. The
+ * result will be correct if those limbs are 0, which the mod call
+ * ensures.
+ * - Also, X must have at least as many limbs as N for the calls to the
+ * core functions.
+ */
+ if (mbedtls_mpi_cmp_mpi(X, N) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
+ }
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(X, N->n));
+
+ /*
+ * Convert to and from Montgomery around mbedtls_mpi_core_exp_mod().
+ */
+ {
+ mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
+ mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);
+ mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
+ mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);
+ }
+
+ /*
+ * Correct for negative A.
+ */
+ if (A->s == -1 && (E->p[0] & 1) != 0) {
+ mbedtls_ct_condition_t is_x_non_zero = mbedtls_mpi_core_check_zero_ct(X->p, X->n);
+ X->s = mbedtls_ct_mpi_sign_if(is_x_non_zero, -1, 1);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, N, X));
+ }
+
+cleanup:
+
+ mbedtls_mpi_zeroize_and_free(T, T_limbs);
+
+ if (prec_RR == NULL || prec_RR->p == NULL) {
+ mbedtls_mpi_free(&RR);
+ }
+
+ return ret;
+}
+
+/*
+ * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
+ */
+int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t lz, lzt;
+ mbedtls_mpi TA, TB;
+
+ mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TB);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TA, A));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, B));
+
+ lz = mbedtls_mpi_lsb(&TA);
+ lzt = mbedtls_mpi_lsb(&TB);
+
+ /* The loop below gives the correct result when A==0 but not when B==0.
+ * So have a special case for B==0. Leverage the fact that we just
+ * calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
+ * slightly more efficient than cmp_int(). */
+ if (lzt == 0 && mbedtls_mpi_get_bit(&TB, 0) == 0) {
+ ret = mbedtls_mpi_copy(G, A);
+ goto cleanup;
+ }
+
+ if (lzt < lz) {
+ lz = lzt;
+ }
+
+ TA.s = TB.s = 1;
+
+ /* We mostly follow the procedure described in HAC 14.54, but with some
+ * minor differences:
+ * - Sequences of multiplications or divisions by 2 are grouped into a
+ * single shift operation.
+ * - The procedure in HAC assumes that 0 < TB <= TA.
+ * - The condition TB <= TA is not actually necessary for correctness.
+ * TA and TB have symmetric roles except for the loop termination
+ * condition, and the shifts at the beginning of the loop body
+ * remove any significance from the ordering of TA vs TB before
+ * the shifts.
+ * - If TA = 0, the loop goes through 0 iterations and the result is
+ * correctly TB.
+ * - The case TB = 0 was short-circuited above.
+ *
+ * For the correctness proof below, decompose the original values of
+ * A and B as
+ * A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
+ * B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
+ * Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
+ * and gcd(A',B') is odd or 0.
+ *
+ * At the beginning, we have TA = |A| and TB = |B| so gcd(A,B) = gcd(TA,TB).
+ * The code maintains the following invariant:
+ * gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
+ */
+
+ /* Proof that the loop terminates:
+ * At each iteration, either the right-shift by 1 is made on a nonzero
+ * value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
+ * by at least 1, or the right-shift by 1 is made on zero and then
+ * TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
+ * since in that case TB is calculated from TB-TA with the condition TB>TA).
+ */
+ while (mbedtls_mpi_cmp_int(&TA, 0) != 0) {
+ /* Divisions by 2 preserve the invariant (I). */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, mbedtls_mpi_lsb(&TA)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, mbedtls_mpi_lsb(&TB)));
+
+ /* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd,
+ * TA-TB is even so the division by 2 has an integer result.
+ * Invariant (I) is preserved since any odd divisor of both TA and TB
+ * also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2
+ * also divides TB, and any odd divisor of both TB and |TA-TB|/2 also
+ * divides TA.
+ */
+ if (mbedtls_mpi_cmp_mpi(&TA, &TB) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TA, &TA, &TB));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TA, 1));
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(&TB, &TB, &TA));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TB, 1));
+ }
+ /* Note that one of TA or TB is still odd. */
+ }
+
+ /* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
+ * At the loop exit, TA = 0, so gcd(TA,TB) = TB.
+ * - If there was at least one loop iteration, then one of TA or TB is odd,
+ * and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
+ * lz = min(a,b) so gcd(A,B) = 2^lz * TB.
+ * - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
+ * In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
+ */
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&TB, lz));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(G, &TB));
+
+cleanup:
+
+ mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TB);
+
+ return ret;
+}
+
+/*
+ * Fill X with size bytes of random.
+ * The bytes returned from the RNG are used in a specific order which
+ * is suitable for deterministic ECDSA (see the specification of
+ * mbedtls_mpi_random() and the implementation in mbedtls_mpi_fill_random()).
+ */
+int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t limbs = CHARS_TO_LIMBS(size);
+
+ /* Ensure that target MPI has exactly the necessary number of limbs */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_resize_clear(X, limbs));
+ if (size == 0) {
+ return 0;
+ }
+
+ ret = mbedtls_mpi_core_fill_random(X->p, X->n, size, f_rng, p_rng);
+
+cleanup:
+ return ret;
+}
+
+int mbedtls_mpi_random(mbedtls_mpi *X,
+ mbedtls_mpi_sint min,
+ const mbedtls_mpi *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ if (min < 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+ if (mbedtls_mpi_cmp_int(N, min) <= 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /* Ensure that target MPI has exactly the same number of limbs
+ * as the upper bound, even if the upper bound has leading zeros.
+ * This is necessary for mbedtls_mpi_core_random. */
+ int ret = mbedtls_mpi_resize_clear(X, N->n);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return mbedtls_mpi_core_random(X->p, min, N->p, X->n, f_rng, p_rng);
+}
+
+/*
+ * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
+ */
+int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
+
+ if (mbedtls_mpi_cmp_int(N, 1) <= 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&TA); mbedtls_mpi_init(&TU); mbedtls_mpi_init(&U1); mbedtls_mpi_init(&U2);
+ mbedtls_mpi_init(&G); mbedtls_mpi_init(&TB); mbedtls_mpi_init(&TV);
+ mbedtls_mpi_init(&V1); mbedtls_mpi_init(&V2);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, A, N));
+
+ if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
+ ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&TA, A, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TU, &TA));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TB, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&TV, N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U1, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&U2, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V1, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&V2, 1));
+
+ do {
+ while ((TU.p[0] & 1) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TU, 1));
+
+ if ((U1.p[0] & 1) != 0 || (U2.p[0] & 1) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&U1, &U1, &TB));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &TA));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U1, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&U2, 1));
+ }
+
+ while ((TV.p[0] & 1) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&TV, 1));
+
+ if ((V1.p[0] & 1) != 0 || (V2.p[0] & 1) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, &TB));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &TA));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V1, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&V2, 1));
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&TU, &TV) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TU, &TU, &TV));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U1, &U1, &V1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&U2, &U2, &V2));
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&TV, &TV, &TU));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, &U1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V2, &V2, &U2));
+ }
+ } while (mbedtls_mpi_cmp_int(&TU, 0) != 0);
+
+ while (mbedtls_mpi_cmp_int(&V1, 0) < 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&V1, &V1, N));
+ }
+
+ while (mbedtls_mpi_cmp_mpi(&V1, N) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&V1, &V1, N));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &V1));
+
+cleanup:
+
+ mbedtls_mpi_free(&TA); mbedtls_mpi_free(&TU); mbedtls_mpi_free(&U1); mbedtls_mpi_free(&U2);
+ mbedtls_mpi_free(&G); mbedtls_mpi_free(&TB); mbedtls_mpi_free(&TV);
+ mbedtls_mpi_free(&V1); mbedtls_mpi_free(&V2);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_GENPRIME)
+
+/* Gaps between primes, starting at 3. https://oeis.org/A001223 */
+static const unsigned char small_prime_gaps[] = {
+ 2, 2, 4, 2, 4, 2, 4, 6,
+ 2, 6, 4, 2, 4, 6, 6, 2,
+ 6, 4, 2, 6, 4, 6, 8, 4,
+ 2, 4, 2, 4, 14, 4, 6, 2,
+ 10, 2, 6, 6, 4, 6, 6, 2,
+ 10, 2, 4, 2, 12, 12, 4, 2,
+ 4, 6, 2, 10, 6, 6, 6, 2,
+ 6, 4, 2, 10, 14, 4, 2, 4,
+ 14, 6, 10, 2, 4, 6, 8, 6,
+ 6, 4, 6, 8, 4, 8, 10, 2,
+ 10, 2, 6, 4, 6, 8, 4, 2,
+ 4, 12, 8, 4, 8, 4, 6, 12,
+ 2, 18, 6, 10, 6, 6, 2, 6,
+ 10, 6, 6, 2, 6, 6, 4, 2,
+ 12, 10, 2, 4, 6, 6, 2, 12,
+ 4, 6, 8, 10, 8, 10, 8, 6,
+ 6, 4, 8, 6, 4, 8, 4, 14,
+ 10, 12, 2, 10, 2, 4, 2, 10,
+ 14, 4, 2, 4, 14, 4, 2, 4,
+ 20, 4, 8, 10, 8, 4, 6, 6,
+ 14, 4, 6, 6, 8, 6, /*reaches 997*/
+ 0 /* the last entry is effectively unused */
+};
+
+/*
+ * Small divisors test (X must be positive)
+ *
+ * Return values:
+ * 0: no small factor (possible prime, more tests needed)
+ * 1: certain prime
+ * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
+ * other negative: error
+ */
+static int mpi_check_small_factors(const mbedtls_mpi *X)
+{
+ int ret = 0;
+ size_t i;
+ mbedtls_mpi_uint r;
+ unsigned p = 3; /* The first odd prime */
+
+ if ((X->p[0] & 1) == 0) {
+ return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ }
+
+ for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p));
+ if (r == 0) {
+ if (mbedtls_mpi_cmp_int(X, p) == 0) {
+ return 1;
+ } else {
+ return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ }
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Miller-Rabin pseudo-primality test (HAC 4.24)
+ */
+static int mpi_miller_rabin(const mbedtls_mpi *X, size_t rounds,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret, count;
+ size_t i, j, k, s;
+ mbedtls_mpi W, R, T, A, RR;
+
+ mbedtls_mpi_init(&W); mbedtls_mpi_init(&R);
+ mbedtls_mpi_init(&T); mbedtls_mpi_init(&A);
+ mbedtls_mpi_init(&RR);
+
+ /*
+ * W = |X| - 1
+ * R = W >> lsb( W )
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&W, X, 1));
+ s = mbedtls_mpi_lsb(&W);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&R, &W));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&R, s));
+
+ for (i = 0; i < rounds; i++) {
+ /*
+ * pick a random A, 1 < A < |X| - 1
+ */
+ count = 0;
+ do {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&A, X->n * ciL, f_rng, p_rng));
+
+ j = mbedtls_mpi_bitlen(&A);
+ k = mbedtls_mpi_bitlen(&W);
+ if (j > k) {
+ A.p[A.n - 1] &= ((mbedtls_mpi_uint) 1 << (k - (A.n - 1) * biL - 1)) - 1;
+ }
+
+ if (count++ > 30) {
+ ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ goto cleanup;
+ }
+
+ } while (mbedtls_mpi_cmp_mpi(&A, &W) >= 0 ||
+ mbedtls_mpi_cmp_int(&A, 1) <= 0);
+
+ /*
+ * A = A^R mod |X|
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&A, &A, &R, X, &RR));
+
+ if (mbedtls_mpi_cmp_mpi(&A, &W) == 0 ||
+ mbedtls_mpi_cmp_int(&A, 1) == 0) {
+ continue;
+ }
+
+ j = 1;
+ while (j < s && mbedtls_mpi_cmp_mpi(&A, &W) != 0) {
+ /*
+ * A = A * A mod |X|
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &A, &A));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&A, &T, X));
+
+ if (mbedtls_mpi_cmp_int(&A, 1) == 0) {
+ break;
+ }
+
+ j++;
+ }
+
+ /*
+ * not prime if A != |X| - 1 or A == 1
+ */
+ if (mbedtls_mpi_cmp_mpi(&A, &W) != 0 ||
+ mbedtls_mpi_cmp_int(&A, 1) == 0) {
+ ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ break;
+ }
+ }
+
+cleanup:
+ mbedtls_mpi_free(&W); mbedtls_mpi_free(&R);
+ mbedtls_mpi_free(&T); mbedtls_mpi_free(&A);
+ mbedtls_mpi_free(&RR);
+
+ return ret;
+}
+
+/*
+ * Pseudo-primality test: small factors, then Miller-Rabin
+ */
+int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi XX;
+
+ XX.s = 1;
+ XX.n = X->n;
+ XX.p = X->p;
+
+ if (mbedtls_mpi_cmp_int(&XX, 0) == 0 ||
+ mbedtls_mpi_cmp_int(&XX, 1) == 0) {
+ return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ }
+
+ if (mbedtls_mpi_cmp_int(&XX, 2) == 0) {
+ return 0;
+ }
+
+ if ((ret = mpi_check_small_factors(&XX)) != 0) {
+ if (ret == 1) {
+ return 0;
+ }
+
+ return ret;
+ }
+
+ return mpi_miller_rabin(&XX, rounds, f_rng, p_rng);
+}
+
+/*
+ * Prime number generation
+ *
+ * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
+ * be either 1024 bits or 1536 bits long, and flags must contain
+ * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
+ */
+int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+#ifdef MBEDTLS_HAVE_INT64
+// ceil(2^63.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
+#else
+// ceil(2^31.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
+#endif
+ int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ size_t k, n;
+ int rounds;
+ mbedtls_mpi_uint r;
+ mbedtls_mpi Y;
+
+ if (nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&Y);
+
+ n = BITS_TO_LIMBS(nbits);
+
+ if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR) == 0) {
+ /*
+ * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
+ */
+ rounds = ((nbits >= 1300) ? 2 : (nbits >= 850) ? 3 :
+ (nbits >= 650) ? 4 : (nbits >= 350) ? 8 :
+ (nbits >= 250) ? 12 : (nbits >= 150) ? 18 : 27);
+ } else {
+ /*
+ * 2^-100 error probability, number of rounds computed based on HAC,
+ * fact 4.48
+ */
+ rounds = ((nbits >= 1450) ? 4 : (nbits >= 1150) ? 5 :
+ (nbits >= 1000) ? 6 : (nbits >= 850) ? 7 :
+ (nbits >= 750) ? 8 : (nbits >= 500) ? 13 :
+ (nbits >= 250) ? 28 : (nbits >= 150) ? 40 : 51);
+ }
+
+ while (1) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(X, n * ciL, f_rng, p_rng));
+ /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
+ if (X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2) {
+ continue;
+ }
+
+ k = n * biL;
+ if (k > nbits) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(X, k - nbits));
+ }
+ X->p[0] |= 1;
+
+ if ((flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH) == 0) {
+ ret = mbedtls_mpi_is_prime_ext(X, rounds, f_rng, p_rng);
+
+ if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ goto cleanup;
+ }
+ } else {
+ /*
+ * A necessary condition for Y and X = 2Y + 1 to be prime
+ * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
+ * Make sure it is satisfied, while keeping X = 3 mod 4
+ */
+
+ X->p[0] |= 2;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, 3));
+ if (r == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 8));
+ } else if (r == 1) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 4));
+ }
+
+ /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&Y, X));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Y, 1));
+
+ while (1) {
+ /*
+ * First, check small factors for X and Y
+ * before doing Miller-Rabin on any of them
+ */
+ if ((ret = mpi_check_small_factors(X)) == 0 &&
+ (ret = mpi_check_small_factors(&Y)) == 0 &&
+ (ret = mpi_miller_rabin(X, rounds, f_rng, p_rng))
+ == 0 &&
+ (ret = mpi_miller_rabin(&Y, rounds, f_rng, p_rng))
+ == 0) {
+ goto cleanup;
+ }
+
+ if (ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ goto cleanup;
+ }
+
+ /*
+ * Next candidates. We want to preserve Y = (X-1) / 2 and
+ * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
+ * so up Y by 6 and X by 12.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(X, X, 12));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&Y, &Y, 6));
+ }
+ }
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&Y);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#define GCD_PAIR_COUNT 3
+
+static const int gcd_pairs[GCD_PAIR_COUNT][3] =
+{
+ { 693, 609, 21 },
+ { 1764, 868, 28 },
+ { 768454923, 542167814, 1 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_mpi_self_test(int verbose)
+{
+ int ret, i;
+ mbedtls_mpi A, E, N, X, Y, U, V;
+
+ mbedtls_mpi_init(&A); mbedtls_mpi_init(&E); mbedtls_mpi_init(&N); mbedtls_mpi_init(&X);
+ mbedtls_mpi_init(&Y); mbedtls_mpi_init(&U); mbedtls_mpi_init(&V);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&A, 16,
+ "EFE021C2645FD1DC586E69184AF4A31E" \
+ "D5F53E93B5F123FA41680867BA110131" \
+ "944FE7952E2517337780CB0DB80E61AA" \
+ "E7C8DDC6C5C6AADEB34EB38A2F40D5E6"));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&E, 16,
+ "B2E7EFD37075B9F03FF989C7C5051C20" \
+ "34D2A323810251127E7BF8625A4F49A5" \
+ "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
+ "5B5C25763222FEFCCFC38B832366C29E"));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&N, 16,
+ "0066A198186C18C10B2F5ED9B522752A" \
+ "9830B69916E535C8F047518A889A43A5" \
+ "94B6BED27A168D31D4A52F88925AA8F5"));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&X, &A, &N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
+ "602AB7ECA597A3D6B56FF9829A5E8B85" \
+ "9E857EA95A03512E2BAE7391688D264A" \
+ "A5663B0341DB9CCFD2C4C5F421FEC814" \
+ "8001B72E848A38CAE1C65F78E56ABDEF" \
+ "E12D3C039B8A02D6BE593F0BBBDA56F1" \
+ "ECF677152EF804370C1A305CAF3B5BF1" \
+ "30879B56C61DE584A0F53A2447A51E"));
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #1 (mul_mpi): ");
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&X, &Y, &A, &N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
+ "256567336059E52CAE22925474705F39A94"));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&V, 16,
+ "6613F26162223DF488E9CD48CC132C7A" \
+ "0AC93C701B001B092E4E5B9F73BCD27B" \
+ "9EE50D0657C77F374E903CDFA4C642"));
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #2 (div_mpi): ");
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&X, &U) != 0 ||
+ mbedtls_mpi_cmp_mpi(&Y, &V) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&X, &A, &E, &N, NULL));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
+ "36E139AEA55215609D2816998ED020BB" \
+ "BD96C37890F65171D948E9BC7CBAA4D9" \
+ "325D24D6A3C12710F10A09FA08AB87"));
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #3 (exp_mod): ");
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&X, &A, &N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&U, 16,
+ "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
+ "C3DBA76456363A10869622EAC2DD84EC" \
+ "C5B8A74DAC4D09E03B5E0BE779F2DF61"));
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #4 (inv_mod): ");
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&X, &U) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" MPI test #5 (simple gcd): ");
+ }
+
+ for (i = 0; i < GCD_PAIR_COUNT; i++) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&X, gcd_pairs[i][0]));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&Y, gcd_pairs[i][1]));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&A, &X, &Y));
+
+ if (mbedtls_mpi_cmp_int(&A, gcd_pairs[i][2]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed at %d\n", i);
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+cleanup:
+
+ if (ret != 0 && verbose != 0) {
+ mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
+ }
+
+ mbedtls_mpi_free(&A); mbedtls_mpi_free(&E); mbedtls_mpi_free(&N); mbedtls_mpi_free(&X);
+ mbedtls_mpi_free(&Y); mbedtls_mpi_free(&U); mbedtls_mpi_free(&V);
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_BIGNUM_C */
diff --git a/library/bignum_core.c b/library/bignum_core.c
new file mode 100644
index 0000000..1a3e0b9
--- /dev/null
+++ b/library/bignum_core.c
@@ -0,0 +1,895 @@
+/*
+ * Core bignum functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+#include <string.h>
+
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+#include "constant_time_internal.h"
+
+#include "mbedtls/platform.h"
+
+#include "bignum_core.h"
+#include "bn_mul.h"
+#include "constant_time_internal.h"
+
+size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a)
+{
+#if defined(__has_builtin)
+#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_clz)
+ #define core_clz __builtin_clz
+#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_clzl)
+ #define core_clz __builtin_clzl
+#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_clzll)
+ #define core_clz __builtin_clzll
+#endif
+#endif
+#if defined(core_clz)
+ return (size_t) core_clz(a);
+#else
+ size_t j;
+ mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
+
+ for (j = 0; j < biL; j++) {
+ if (a & mask) {
+ break;
+ }
+
+ mask >>= 1;
+ }
+
+ return j;
+#endif
+}
+
+size_t mbedtls_mpi_core_bitlen(const mbedtls_mpi_uint *A, size_t A_limbs)
+{
+ int i;
+ size_t j;
+
+ for (i = ((int) A_limbs) - 1; i >= 0; i--) {
+ if (A[i] != 0) {
+ j = biL - mbedtls_mpi_core_clz(A[i]);
+ return (i * biL) + j;
+ }
+ }
+
+ return 0;
+}
+
+static mbedtls_mpi_uint mpi_bigendian_to_host(mbedtls_mpi_uint a)
+{
+ if (MBEDTLS_IS_BIG_ENDIAN) {
+ /* Nothing to do on bigendian systems. */
+ return a;
+ } else {
+#if defined(MBEDTLS_HAVE_INT32)
+ return (mbedtls_mpi_uint) MBEDTLS_BSWAP32(a);
+#elif defined(MBEDTLS_HAVE_INT64)
+ return (mbedtls_mpi_uint) MBEDTLS_BSWAP64(a);
+#endif
+ }
+}
+
+void mbedtls_mpi_core_bigendian_to_host(mbedtls_mpi_uint *A,
+ size_t A_limbs)
+{
+ mbedtls_mpi_uint *cur_limb_left;
+ mbedtls_mpi_uint *cur_limb_right;
+ if (A_limbs == 0) {
+ return;
+ }
+
+ /*
+ * Traverse limbs and
+ * - adapt byte-order in each limb
+ * - swap the limbs themselves.
+ * For that, simultaneously traverse the limbs from left to right
+ * and from right to left, as long as the left index is not bigger
+ * than the right index (it's not a problem if limbs is odd and the
+ * indices coincide in the last iteration).
+ */
+ for (cur_limb_left = A, cur_limb_right = A + (A_limbs - 1);
+ cur_limb_left <= cur_limb_right;
+ cur_limb_left++, cur_limb_right--) {
+ mbedtls_mpi_uint tmp;
+ /* Note that if cur_limb_left == cur_limb_right,
+ * this code effectively swaps the bytes only once. */
+ tmp = mpi_bigendian_to_host(*cur_limb_left);
+ *cur_limb_left = mpi_bigendian_to_host(*cur_limb_right);
+ *cur_limb_right = tmp;
+ }
+}
+
+/* Whether min <= A, in constant time.
+ * A_limbs must be at least 1. */
+mbedtls_ct_condition_t mbedtls_mpi_core_uint_le_mpi(mbedtls_mpi_uint min,
+ const mbedtls_mpi_uint *A,
+ size_t A_limbs)
+{
+ /* min <= least significant limb? */
+ mbedtls_ct_condition_t min_le_lsl = mbedtls_ct_uint_ge(A[0], min);
+
+ /* limbs other than the least significant one are all zero? */
+ mbedtls_ct_condition_t msll_mask = MBEDTLS_CT_FALSE;
+ for (size_t i = 1; i < A_limbs; i++) {
+ msll_mask = mbedtls_ct_bool_or(msll_mask, mbedtls_ct_bool(A[i]));
+ }
+
+ /* min <= A iff the lowest limb of A is >= min or the other limbs
+ * are not all zero. */
+ return mbedtls_ct_bool_or(msll_mask, min_le_lsl);
+}
+
+mbedtls_ct_condition_t mbedtls_mpi_core_lt_ct(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs)
+{
+ mbedtls_ct_condition_t ret = MBEDTLS_CT_FALSE, cond = MBEDTLS_CT_FALSE, done = MBEDTLS_CT_FALSE;
+
+ for (size_t i = limbs; i > 0; i--) {
+ /*
+ * If B[i - 1] < A[i - 1] then A < B is false and the result must
+ * remain 0.
+ *
+ * Again even if we can make a decision, we just mark the result and
+ * the fact that we are done and continue looping.
+ */
+ cond = mbedtls_ct_uint_lt(B[i - 1], A[i - 1]);
+ done = mbedtls_ct_bool_or(done, cond);
+
+ /*
+ * If A[i - 1] < B[i - 1] then A < B is true.
+ *
+ * Again even if we can make a decision, we just mark the result and
+ * the fact that we are done and continue looping.
+ */
+ cond = mbedtls_ct_uint_lt(A[i - 1], B[i - 1]);
+ ret = mbedtls_ct_bool_or(ret, mbedtls_ct_bool_and(cond, mbedtls_ct_bool_not(done)));
+ done = mbedtls_ct_bool_or(done, cond);
+ }
+
+ /*
+ * If all the limbs were equal, then the numbers are equal, A < B is false
+ * and leaving the result 0 is correct.
+ */
+
+ return ret;
+}
+
+void mbedtls_mpi_core_cond_assign(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs,
+ mbedtls_ct_condition_t assign)
+{
+ if (X == A) {
+ return;
+ }
+
+ /* This function is very performance-sensitive for RSA. For this reason
+ * we have the loop below, instead of calling mbedtls_ct_memcpy_if
+ * (this is more optimal since here we don't have to handle the case where
+ * we copy awkwardly sized data).
+ */
+ for (size_t i = 0; i < limbs; i++) {
+ X[i] = mbedtls_ct_mpi_uint_if(assign, A[i], X[i]);
+ }
+}
+
+void mbedtls_mpi_core_cond_swap(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint *Y,
+ size_t limbs,
+ mbedtls_ct_condition_t swap)
+{
+ if (X == Y) {
+ return;
+ }
+
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint tmp = X[i];
+ X[i] = mbedtls_ct_mpi_uint_if(swap, Y[i], X[i]);
+ Y[i] = mbedtls_ct_mpi_uint_if(swap, tmp, Y[i]);
+ }
+}
+
+int mbedtls_mpi_core_read_le(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ const unsigned char *input,
+ size_t input_length)
+{
+ const size_t limbs = CHARS_TO_LIMBS(input_length);
+
+ if (X_limbs < limbs) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ if (X != NULL) {
+ memset(X, 0, X_limbs * ciL);
+
+ for (size_t i = 0; i < input_length; i++) {
+ size_t offset = ((i % ciL) << 3);
+ X[i / ciL] |= ((mbedtls_mpi_uint) input[i]) << offset;
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_mpi_core_read_be(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ const unsigned char *input,
+ size_t input_length)
+{
+ const size_t limbs = CHARS_TO_LIMBS(input_length);
+
+ if (X_limbs < limbs) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+
+ /* If X_limbs is 0, input_length must also be 0 (from previous test).
+ * Nothing to do. */
+ if (X_limbs == 0) {
+ return 0;
+ }
+
+ memset(X, 0, X_limbs * ciL);
+
+ /* memcpy() with (NULL, 0) is undefined behaviour */
+ if (input_length != 0) {
+ size_t overhead = (X_limbs * ciL) - input_length;
+ unsigned char *Xp = (unsigned char *) X;
+ memcpy(Xp + overhead, input, input_length);
+ }
+
+ mbedtls_mpi_core_bigendian_to_host(X, X_limbs);
+
+ return 0;
+}
+
+int mbedtls_mpi_core_write_le(const mbedtls_mpi_uint *A,
+ size_t A_limbs,
+ unsigned char *output,
+ size_t output_length)
+{
+ size_t stored_bytes = A_limbs * ciL;
+ size_t bytes_to_copy;
+
+ if (stored_bytes < output_length) {
+ bytes_to_copy = stored_bytes;
+ } else {
+ bytes_to_copy = output_length;
+
+ /* The output buffer is smaller than the allocated size of A.
+ * However A may fit if its leading bytes are zero. */
+ for (size_t i = bytes_to_copy; i < stored_bytes; i++) {
+ if (GET_BYTE(A, i) != 0) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+ }
+ }
+
+ for (size_t i = 0; i < bytes_to_copy; i++) {
+ output[i] = GET_BYTE(A, i);
+ }
+
+ if (stored_bytes < output_length) {
+ /* Write trailing 0 bytes */
+ memset(output + stored_bytes, 0, output_length - stored_bytes);
+ }
+
+ return 0;
+}
+
+int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ unsigned char *output,
+ size_t output_length)
+{
+ size_t stored_bytes;
+ size_t bytes_to_copy;
+ unsigned char *p;
+
+ stored_bytes = X_limbs * ciL;
+
+ if (stored_bytes < output_length) {
+ /* There is enough space in the output buffer. Write initial
+ * null bytes and record the position at which to start
+ * writing the significant bytes. In this case, the execution
+ * trace of this function does not depend on the value of the
+ * number. */
+ bytes_to_copy = stored_bytes;
+ p = output + output_length - stored_bytes;
+ memset(output, 0, output_length - stored_bytes);
+ } else {
+ /* The output buffer is smaller than the allocated size of X.
+ * However X may fit if its leading bytes are zero. */
+ bytes_to_copy = output_length;
+ p = output;
+ for (size_t i = bytes_to_copy; i < stored_bytes; i++) {
+ if (GET_BYTE(X, i) != 0) {
+ return MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL;
+ }
+ }
+ }
+
+ for (size_t i = 0; i < bytes_to_copy; i++) {
+ p[bytes_to_copy - i - 1] = GET_BYTE(X, i);
+ }
+
+ return 0;
+}
+
+void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count)
+{
+ size_t i, v0, v1;
+ mbedtls_mpi_uint r0 = 0, r1;
+
+ v0 = count / biL;
+ v1 = count & (biL - 1);
+
+ if (v0 > limbs || (v0 == limbs && v1 > 0)) {
+ memset(X, 0, limbs * ciL);
+ return;
+ }
+
+ /*
+ * shift by count / limb_size
+ */
+ if (v0 > 0) {
+ for (i = 0; i < limbs - v0; i++) {
+ X[i] = X[i + v0];
+ }
+
+ for (; i < limbs; i++) {
+ X[i] = 0;
+ }
+ }
+
+ /*
+ * shift by count % limb_size
+ */
+ if (v1 > 0) {
+ for (i = limbs; i > 0; i--) {
+ r1 = X[i - 1] << (biL - v1);
+ X[i - 1] >>= v1;
+ X[i - 1] |= r0;
+ r0 = r1;
+ }
+ }
+}
+
+void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count)
+{
+ size_t i, v0, v1;
+ mbedtls_mpi_uint r0 = 0, r1;
+
+ v0 = count / (biL);
+ v1 = count & (biL - 1);
+
+ /*
+ * shift by count / limb_size
+ */
+ if (v0 > 0) {
+ for (i = limbs; i > v0; i--) {
+ X[i - 1] = X[i - v0 - 1];
+ }
+
+ for (; i > 0; i--) {
+ X[i - 1] = 0;
+ }
+ }
+
+ /*
+ * shift by count % limb_size
+ */
+ if (v1 > 0) {
+ for (i = v0; i < limbs; i++) {
+ r1 = X[i] >> (biL - v1);
+ X[i] <<= v1;
+ X[i] |= r0;
+ r0 = r1;
+ }
+ }
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_add(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs)
+{
+ mbedtls_mpi_uint c = 0;
+
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint t = c + A[i];
+ c = (t < A[i]);
+ t += B[i];
+ c += (t < B[i]);
+ X[i] = t;
+ }
+
+ return c;
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_add_if(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs,
+ unsigned cond)
+{
+ mbedtls_mpi_uint c = 0;
+
+ mbedtls_ct_condition_t do_add = mbedtls_ct_bool(cond);
+
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint add = mbedtls_ct_mpi_uint_if_else_0(do_add, A[i]);
+ mbedtls_mpi_uint t = c + X[i];
+ c = (t < X[i]);
+ t += add;
+ c += (t < add);
+ X[i] = t;
+ }
+
+ return c;
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs)
+{
+ mbedtls_mpi_uint c = 0;
+
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint z = (A[i] < c);
+ mbedtls_mpi_uint t = A[i] - c;
+ c = (t < B[i]) + z;
+ X[i] = t - B[i];
+ }
+
+ return c;
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_mla(mbedtls_mpi_uint *d, size_t d_len,
+ const mbedtls_mpi_uint *s, size_t s_len,
+ mbedtls_mpi_uint b)
+{
+ mbedtls_mpi_uint c = 0; /* carry */
+ /*
+ * It is a documented precondition of this function that d_len >= s_len.
+ * If that's not the case, we swap these round: this turns what would be
+ * a buffer overflow into an incorrect result.
+ */
+ if (d_len < s_len) {
+ s_len = d_len;
+ }
+ size_t excess_len = d_len - s_len;
+ size_t steps_x8 = s_len / 8;
+ size_t steps_x1 = s_len & 7;
+
+ while (steps_x8--) {
+ MULADDC_X8_INIT
+ MULADDC_X8_CORE
+ MULADDC_X8_STOP
+ }
+
+ while (steps_x1--) {
+ MULADDC_X1_INIT
+ MULADDC_X1_CORE
+ MULADDC_X1_STOP
+ }
+
+ while (excess_len--) {
+ *d += c;
+ c = (*d < c);
+ d++;
+ }
+
+ return c;
+}
+
+void mbedtls_mpi_core_mul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A, size_t A_limbs,
+ const mbedtls_mpi_uint *B, size_t B_limbs)
+{
+ memset(X, 0, (A_limbs + B_limbs) * ciL);
+
+ for (size_t i = 0; i < B_limbs; i++) {
+ (void) mbedtls_mpi_core_mla(X + i, A_limbs + 1, A, A_limbs, B[i]);
+ }
+}
+
+/*
+ * Fast Montgomery initialization (thanks to Tom St Denis).
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_montmul_init(const mbedtls_mpi_uint *N)
+{
+ mbedtls_mpi_uint x = N[0];
+
+ x += ((N[0] + 2) & 4) << 1;
+
+ for (unsigned int i = biL; i >= 8; i /= 2) {
+ x *= (2 - (N[0] * x));
+ }
+
+ return ~x + 1;
+}
+
+void mbedtls_mpi_core_montmul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t B_limbs,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ mbedtls_mpi_uint *T)
+{
+ memset(T, 0, (2 * AN_limbs + 1) * ciL);
+
+ for (size_t i = 0; i < AN_limbs; i++) {
+ /* T = (T + u0*B + u1*N) / 2^biL */
+ mbedtls_mpi_uint u0 = A[i];
+ mbedtls_mpi_uint u1 = (T[0] + u0 * B[0]) * mm;
+
+ (void) mbedtls_mpi_core_mla(T, AN_limbs + 2, B, B_limbs, u0);
+ (void) mbedtls_mpi_core_mla(T, AN_limbs + 2, N, AN_limbs, u1);
+
+ T++;
+ }
+
+ /*
+ * The result we want is (T >= N) ? T - N : T.
+ *
+ * For better constant-time properties in this function, we always do the
+ * subtraction, with the result in X.
+ *
+ * We also look to see if there was any carry in the final additions in the
+ * loop above.
+ */
+
+ mbedtls_mpi_uint carry = T[AN_limbs];
+ mbedtls_mpi_uint borrow = mbedtls_mpi_core_sub(X, T, N, AN_limbs);
+
+ /*
+ * Using R as the Montgomery radix (auxiliary modulus) i.e. 2^(biL*AN_limbs):
+ *
+ * T can be in one of 3 ranges:
+ *
+ * 1) T < N : (carry, borrow) = (0, 1): we want T
+ * 2) N <= T < R : (carry, borrow) = (0, 0): we want X
+ * 3) T >= R : (carry, borrow) = (1, 1): we want X
+ *
+ * and (carry, borrow) = (1, 0) can't happen.
+ *
+ * So the correct return value is already in X if (carry ^ borrow) = 0,
+ * but is in (the lower AN_limbs limbs of) T if (carry ^ borrow) = 1.
+ */
+ mbedtls_ct_memcpy_if(mbedtls_ct_bool(carry ^ borrow),
+ (unsigned char *) X,
+ (unsigned char *) T,
+ NULL,
+ AN_limbs * sizeof(mbedtls_mpi_uint));
+}
+
+int mbedtls_mpi_core_get_mont_r2_unsafe(mbedtls_mpi *X,
+ const mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, N->n * 2 * biL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(X, X, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(X, N->n));
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+void mbedtls_mpi_core_ct_uint_table_lookup(mbedtls_mpi_uint *dest,
+ const mbedtls_mpi_uint *table,
+ size_t limbs,
+ size_t count,
+ size_t index)
+{
+ for (size_t i = 0; i < count; i++, table += limbs) {
+ mbedtls_ct_condition_t assign = mbedtls_ct_uint_eq(i, index);
+ mbedtls_mpi_core_cond_assign(dest, table, limbs, assign);
+ }
+}
+
+/* Fill X with n_bytes random bytes.
+ * X must already have room for those bytes.
+ * The ordering of the bytes returned from the RNG is suitable for
+ * deterministic ECDSA (see RFC 6979 §3.3 and the specification of
+ * mbedtls_mpi_core_random()).
+ */
+int mbedtls_mpi_core_fill_random(
+ mbedtls_mpi_uint *X, size_t X_limbs,
+ size_t n_bytes,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t limbs = CHARS_TO_LIMBS(n_bytes);
+ const size_t overhead = (limbs * ciL) - n_bytes;
+
+ if (X_limbs < limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ memset(X, 0, overhead);
+ memset((unsigned char *) X + limbs * ciL, 0, (X_limbs - limbs) * ciL);
+ MBEDTLS_MPI_CHK(f_rng(p_rng, (unsigned char *) X + overhead, n_bytes));
+ mbedtls_mpi_core_bigendian_to_host(X, limbs);
+
+cleanup:
+ return ret;
+}
+
+int mbedtls_mpi_core_random(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_uint *N,
+ size_t limbs,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ mbedtls_ct_condition_t ge_lower = MBEDTLS_CT_TRUE, lt_upper = MBEDTLS_CT_FALSE;
+ size_t n_bits = mbedtls_mpi_core_bitlen(N, limbs);
+ size_t n_bytes = (n_bits + 7) / 8;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /*
+ * When min == 0, each try has at worst a probability 1/2 of failing
+ * (the msb has a probability 1/2 of being 0, and then the result will
+ * be < N), so after 30 tries failure probability is a most 2**(-30).
+ *
+ * When N is just below a power of 2, as is the case when generating
+ * a random scalar on most elliptic curves, 1 try is enough with
+ * overwhelming probability. When N is just above a power of 2,
+ * as when generating a random scalar on secp224k1, each try has
+ * a probability of failing that is almost 1/2.
+ *
+ * The probabilities are almost the same if min is nonzero but negligible
+ * compared to N. This is always the case when N is crypto-sized, but
+ * it's convenient to support small N for testing purposes. When N
+ * is small, use a higher repeat count, otherwise the probability of
+ * failure is macroscopic.
+ */
+ int count = (n_bytes > 4 ? 30 : 250);
+
+ /*
+ * Match the procedure given in RFC 6979 §3.3 (deterministic ECDSA)
+ * when f_rng is a suitably parametrized instance of HMAC_DRBG:
+ * - use the same byte ordering;
+ * - keep the leftmost n_bits bits of the generated octet string;
+ * - try until result is in the desired range.
+ * This also avoids any bias, which is especially important for ECDSA.
+ */
+ do {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_fill_random(X, limbs,
+ n_bytes,
+ f_rng, p_rng));
+ mbedtls_mpi_core_shift_r(X, limbs, 8 * n_bytes - n_bits);
+
+ if (--count == 0) {
+ ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ goto cleanup;
+ }
+
+ ge_lower = mbedtls_mpi_core_uint_le_mpi(min, X, limbs);
+ lt_upper = mbedtls_mpi_core_lt_ct(X, N, limbs);
+ } while (mbedtls_ct_bool_and(ge_lower, lt_upper) == MBEDTLS_CT_FALSE);
+
+cleanup:
+ return ret;
+}
+
+static size_t exp_mod_get_window_size(size_t Ebits)
+{
+#if MBEDTLS_MPI_WINDOW_SIZE >= 6
+ return (Ebits > 671) ? 6 : (Ebits > 239) ? 5 : (Ebits > 79) ? 4 : 1;
+#elif MBEDTLS_MPI_WINDOW_SIZE == 5
+ return (Ebits > 239) ? 5 : (Ebits > 79) ? 4 : 1;
+#elif MBEDTLS_MPI_WINDOW_SIZE > 1
+ return (Ebits > 79) ? MBEDTLS_MPI_WINDOW_SIZE : 1;
+#else
+ (void) Ebits;
+ return 1;
+#endif
+}
+
+size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs)
+{
+ const size_t wsize = exp_mod_get_window_size(E_limbs * biL);
+ const size_t welem = ((size_t) 1) << wsize;
+
+ /* How big does each part of the working memory pool need to be? */
+ const size_t table_limbs = welem * AN_limbs;
+ const size_t select_limbs = AN_limbs;
+ const size_t temp_limbs = 2 * AN_limbs + 1;
+
+ return table_limbs + select_limbs + temp_limbs;
+}
+
+static void exp_mod_precompute_window(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ const mbedtls_mpi_uint *RR,
+ size_t welem,
+ mbedtls_mpi_uint *Wtable,
+ mbedtls_mpi_uint *temp)
+{
+ /* W[0] = 1 (in Montgomery presentation) */
+ memset(Wtable, 0, AN_limbs * ciL);
+ Wtable[0] = 1;
+ mbedtls_mpi_core_montmul(Wtable, Wtable, RR, AN_limbs, N, AN_limbs, mm, temp);
+
+ /* W[1] = A (already in Montgomery presentation) */
+ mbedtls_mpi_uint *W1 = Wtable + AN_limbs;
+ memcpy(W1, A, AN_limbs * ciL);
+
+ /* W[i+1] = W[i] * W[1], i >= 2 */
+ mbedtls_mpi_uint *Wprev = W1;
+ for (size_t i = 2; i < welem; i++) {
+ mbedtls_mpi_uint *Wcur = Wprev + AN_limbs;
+ mbedtls_mpi_core_montmul(Wcur, Wprev, W1, AN_limbs, N, AN_limbs, mm, temp);
+ Wprev = Wcur;
+ }
+}
+
+/* Exponentiation: X := A^E mod N.
+ *
+ * A must already be in Montgomery form.
+ *
+ * As in other bignum functions, assume that AN_limbs and E_limbs are nonzero.
+ *
+ * RR must contain 2^{2*biL} mod N.
+ *
+ * The algorithm is a variant of Left-to-right k-ary exponentiation: HAC 14.82
+ * (The difference is that the body in our loop processes a single bit instead
+ * of a full window.)
+ */
+void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ const mbedtls_mpi_uint *E,
+ size_t E_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T)
+{
+ const size_t wsize = exp_mod_get_window_size(E_limbs * biL);
+ const size_t welem = ((size_t) 1) << wsize;
+
+ /* This is how we will use the temporary storage T, which must have space
+ * for table_limbs, select_limbs and (2 * AN_limbs + 1) for montmul. */
+ const size_t table_limbs = welem * AN_limbs;
+ const size_t select_limbs = AN_limbs;
+
+ /* Pointers to specific parts of the temporary working memory pool */
+ mbedtls_mpi_uint *const Wtable = T;
+ mbedtls_mpi_uint *const Wselect = Wtable + table_limbs;
+ mbedtls_mpi_uint *const temp = Wselect + select_limbs;
+
+ /*
+ * Window precomputation
+ */
+
+ const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N);
+
+ /* Set Wtable[i] = A^(2^i) (in Montgomery representation) */
+ exp_mod_precompute_window(A, N, AN_limbs,
+ mm, RR,
+ welem, Wtable, temp);
+
+ /*
+ * Fixed window exponentiation
+ */
+
+ /* X = 1 (in Montgomery presentation) initially */
+ memcpy(X, Wtable, AN_limbs * ciL);
+
+ /* We'll process the bits of E from most significant
+ * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant
+ * (limb_index=0, E_bit_index=0). */
+ size_t E_limb_index = E_limbs;
+ size_t E_bit_index = 0;
+ /* At any given time, window contains window_bits bits from E.
+ * window_bits can go up to wsize. */
+ size_t window_bits = 0;
+ mbedtls_mpi_uint window = 0;
+
+ do {
+ /* Square */
+ mbedtls_mpi_core_montmul(X, X, X, AN_limbs, N, AN_limbs, mm, temp);
+
+ /* Move to the next bit of the exponent */
+ if (E_bit_index == 0) {
+ --E_limb_index;
+ E_bit_index = biL - 1;
+ } else {
+ --E_bit_index;
+ }
+ /* Insert next exponent bit into window */
+ ++window_bits;
+ window <<= 1;
+ window |= (E[E_limb_index] >> E_bit_index) & 1;
+
+ /* Clear window if it's full. Also clear the window at the end,
+ * when we've finished processing the exponent. */
+ if (window_bits == wsize ||
+ (E_bit_index == 0 && E_limb_index == 0)) {
+ /* Select Wtable[window] without leaking window through
+ * memory access patterns. */
+ mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable,
+ AN_limbs, welem, window);
+ /* Multiply X by the selected element. */
+ mbedtls_mpi_core_montmul(X, X, Wselect, AN_limbs, N, AN_limbs, mm,
+ temp);
+ window = 0;
+ window_bits = 0;
+ }
+ } while (!(E_bit_index == 0 && E_limb_index == 0));
+}
+
+mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ mbedtls_mpi_uint c, /* doubles as carry */
+ size_t limbs)
+{
+ for (size_t i = 0; i < limbs; i++) {
+ mbedtls_mpi_uint s = A[i];
+ mbedtls_mpi_uint t = s - c;
+ c = (t > s);
+ X[i] = t;
+ }
+
+ return c;
+}
+
+mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A,
+ size_t limbs)
+{
+ volatile const mbedtls_mpi_uint *force_read_A = A;
+ mbedtls_mpi_uint bits = 0;
+
+ for (size_t i = 0; i < limbs; i++) {
+ bits |= force_read_A[i];
+ }
+
+ return mbedtls_ct_bool(bits);
+}
+
+void mbedtls_mpi_core_to_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ const mbedtls_mpi_uint *rr,
+ mbedtls_mpi_uint *T)
+{
+ mbedtls_mpi_core_montmul(X, A, rr, AN_limbs, N, AN_limbs, mm, T);
+}
+
+void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ mbedtls_mpi_uint *T)
+{
+ const mbedtls_mpi_uint Rinv = 1; /* 1/R in Mont. rep => 1 */
+
+ mbedtls_mpi_core_montmul(X, A, &Rinv, 1, N, AN_limbs, mm, T);
+}
+
+#endif /* MBEDTLS_BIGNUM_C */
diff --git a/library/bignum_core.h b/library/bignum_core.h
new file mode 100644
index 0000000..92c8d47
--- /dev/null
+++ b/library/bignum_core.h
@@ -0,0 +1,763 @@
+/**
+ * Core bignum functions
+ *
+ * This interface should only be used by the legacy bignum module (bignum.h)
+ * and the modular bignum modules (bignum_mod.c, bignum_mod_raw.c). All other
+ * modules should use the high-level modular bignum interface (bignum_mod.h)
+ * or the legacy bignum interface (bignum.h).
+ *
+ * This module is about processing non-negative integers with a fixed upper
+ * bound that's of the form 2^n-1 where n is a multiple of #biL.
+ * These can be thought of integers written in base 2^#biL with a fixed
+ * number of digits. Digits in this base are called *limbs*.
+ * Many operations treat these numbers as the principal representation of
+ * a number modulo 2^n or a smaller bound.
+ *
+ * The functions in this module obey the following conventions unless
+ * explicitly indicated otherwise:
+ *
+ * - **Overflow**: some functions indicate overflow from the range
+ * [0, 2^n-1] by returning carry parameters, while others operate
+ * modulo and so cannot overflow. This should be clear from the function
+ * documentation.
+ * - **Bignum parameters**: Bignums are passed as pointers to an array of
+ * limbs. A limb has the type #mbedtls_mpi_uint. Unless otherwise specified:
+ * - Bignum parameters called \p A, \p B, ... are inputs, and are
+ * not modified by the function.
+ * - For operations modulo some number, the modulus is called \p N
+ * and is input-only.
+ * - Bignum parameters called \p X, \p Y are outputs or input-output.
+ * The initial content of output-only parameters is ignored.
+ * - Some functions use different names that reflect traditional
+ * naming of operands of certain operations (e.g.
+ * divisor/dividend/quotient/remainder).
+ * - \p T is a temporary storage area. The initial content of such
+ * parameter is ignored and the final content is unspecified.
+ * - **Bignum sizes**: bignum sizes are always expressed in limbs.
+ * Most functions work on bignums of a given size and take a single
+ * \p limbs parameter that applies to all parameters that are limb arrays.
+ * All bignum sizes must be at least 1 and must be significantly less than
+ * #SIZE_MAX. The behavior if a size is 0 is undefined. The behavior if the
+ * total size of all parameters overflows #SIZE_MAX is undefined.
+ * - **Parameter ordering**: for bignum parameters, outputs come before inputs.
+ * Temporaries come last.
+ * - **Aliasing**: in general, output bignums may be aliased to one or more
+ * inputs. As an exception, parameters that are documented as a modulus value
+ * may not be aliased to an output. Outputs may not be aliased to one another.
+ * Temporaries may not be aliased to any other parameter.
+ * - **Overlap**: apart from aliasing of limb array pointers (where two
+ * arguments are equal pointers), overlap is not supported and may result
+ * in undefined behavior.
+ * - **Error handling**: This is a low-level module. Functions generally do not
+ * try to protect against invalid arguments such as nonsensical sizes or
+ * null pointers. Note that some functions that operate on bignums of
+ * different sizes have constraints about their size, and violating those
+ * constraints may lead to buffer overflows.
+ * - **Modular representatives**: functions that operate modulo \p N expect
+ * all modular inputs to be in the range [0, \p N - 1] and guarantee outputs
+ * in the range [0, \p N - 1]. If an input is out of range, outputs are
+ * fully unspecified, though bignum values out of range should not cause
+ * buffer overflows (beware that this is not extensively tested).
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BIGNUM_CORE_H
+#define MBEDTLS_BIGNUM_CORE_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#include "constant_time_internal.h"
+
+#define ciL (sizeof(mbedtls_mpi_uint)) /** chars in limb */
+#define biL (ciL << 3) /** bits in limb */
+#define biH (ciL << 2) /** half limb size */
+
+/*
+ * Convert between bits/chars and number of limbs
+ * Divide first in order to avoid potential overflows
+ */
+#define BITS_TO_LIMBS(i) ((i) / biL + ((i) % biL != 0))
+#define CHARS_TO_LIMBS(i) ((i) / ciL + ((i) % ciL != 0))
+/* Get a specific byte, without range checks. */
+#define GET_BYTE(X, i) \
+ (((X)[(i) / ciL] >> (((i) % ciL) * 8)) & 0xff)
+
+/** Count leading zero bits in a given integer.
+ *
+ * \warning The result is undefined if \p a == 0
+ *
+ * \param a Integer to count leading zero bits.
+ *
+ * \return The number of leading zero bits in \p a, if \p a != 0.
+ * If \p a == 0, the result is undefined.
+ */
+size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a);
+
+/** Return the minimum number of bits required to represent the value held
+ * in the MPI.
+ *
+ * \note This function returns 0 if all the limbs of \p A are 0.
+ *
+ * \param[in] A The address of the MPI.
+ * \param A_limbs The number of limbs of \p A.
+ *
+ * \return The number of bits in \p A.
+ */
+size_t mbedtls_mpi_core_bitlen(const mbedtls_mpi_uint *A, size_t A_limbs);
+
+/** Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
+ * into the storage form used by mbedtls_mpi.
+ *
+ * \param[in,out] A The address of the MPI.
+ * \param A_limbs The number of limbs of \p A.
+ */
+void mbedtls_mpi_core_bigendian_to_host(mbedtls_mpi_uint *A,
+ size_t A_limbs);
+
+/** \brief Compare a machine integer with an MPI.
+ *
+ * This function operates in constant time with respect
+ * to the values of \p min and \p A.
+ *
+ * \param min A machine integer.
+ * \param[in] A An MPI.
+ * \param A_limbs The number of limbs of \p A.
+ * This must be at least 1.
+ *
+ * \return MBEDTLS_CT_TRUE if \p min is less than or equal to \p A, otherwise MBEDTLS_CT_FALSE.
+ */
+mbedtls_ct_condition_t mbedtls_mpi_core_uint_le_mpi(mbedtls_mpi_uint min,
+ const mbedtls_mpi_uint *A,
+ size_t A_limbs);
+
+/**
+ * \brief Check if one unsigned MPI is less than another in constant
+ * time.
+ *
+ * \param A The left-hand MPI. This must point to an array of limbs
+ * with the same allocated length as \p B.
+ * \param B The right-hand MPI. This must point to an array of limbs
+ * with the same allocated length as \p A.
+ * \param limbs The number of limbs in \p A and \p B.
+ * This must not be 0.
+ *
+ * \return MBEDTLS_CT_TRUE if \p A is less than \p B.
+ * MBEDTLS_CT_FALSE if \p A is greater than or equal to \p B.
+ */
+mbedtls_ct_condition_t mbedtls_mpi_core_lt_ct(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs);
+
+/**
+ * \brief Perform a safe conditional copy of an MPI which doesn't reveal
+ * whether assignment was done or not.
+ *
+ * \param[out] X The address of the destination MPI.
+ * This must be initialized. Must have enough limbs to
+ * store the full value of \p A.
+ * \param[in] A The address of the source MPI. This must be initialized.
+ * \param limbs The number of limbs of \p A.
+ * \param assign The condition deciding whether to perform the
+ * assignment or not. Callers will need to use
+ * the constant time interface (e.g. `mbedtls_ct_bool()`)
+ * to construct this argument.
+ *
+ * \note This function avoids leaking any information about whether
+ * the assignment was done or not.
+ */
+void mbedtls_mpi_core_cond_assign(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs,
+ mbedtls_ct_condition_t assign);
+
+/**
+ * \brief Perform a safe conditional swap of two MPIs which doesn't reveal
+ * whether the swap was done or not.
+ *
+ * \param[in,out] X The address of the first MPI.
+ * This must be initialized.
+ * \param[in,out] Y The address of the second MPI.
+ * This must be initialized.
+ * \param limbs The number of limbs of \p X and \p Y.
+ * \param swap The condition deciding whether to perform
+ * the swap or not.
+ *
+ * \note This function avoids leaking any information about whether
+ * the swap was done or not.
+ */
+void mbedtls_mpi_core_cond_swap(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint *Y,
+ size_t limbs,
+ mbedtls_ct_condition_t swap);
+
+/** Import X from unsigned binary data, little-endian.
+ *
+ * The MPI needs to have enough limbs to store the full value (including any
+ * most significant zero bytes in the input).
+ *
+ * \param[out] X The address of the MPI.
+ * \param X_limbs The number of limbs of \p X.
+ * \param[in] input The input buffer to import from.
+ * \param input_length The length bytes of \p input.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
+ * large enough to hold the value in \p input.
+ */
+int mbedtls_mpi_core_read_le(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ const unsigned char *input,
+ size_t input_length);
+
+/** Import X from unsigned binary data, big-endian.
+ *
+ * The MPI needs to have enough limbs to store the full value (including any
+ * most significant zero bytes in the input).
+ *
+ * \param[out] X The address of the MPI.
+ * May only be #NULL if \p X_limbs is 0 and \p input_length
+ * is 0.
+ * \param X_limbs The number of limbs of \p X.
+ * \param[in] input The input buffer to import from.
+ * May only be #NULL if \p input_length is 0.
+ * \param input_length The length in bytes of \p input.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
+ * large enough to hold the value in \p input.
+ */
+int mbedtls_mpi_core_read_be(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ const unsigned char *input,
+ size_t input_length);
+
+/** Export A into unsigned binary data, little-endian.
+ *
+ * \note If \p output is shorter than \p A the export is still successful if the
+ * value held in \p A fits in the buffer (that is, if enough of the most
+ * significant bytes of \p A are 0).
+ *
+ * \param[in] A The address of the MPI.
+ * \param A_limbs The number of limbs of \p A.
+ * \param[out] output The output buffer to export to.
+ * \param output_length The length in bytes of \p output.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
+ * large enough to hold the value of \p A.
+ */
+int mbedtls_mpi_core_write_le(const mbedtls_mpi_uint *A,
+ size_t A_limbs,
+ unsigned char *output,
+ size_t output_length);
+
+/** Export A into unsigned binary data, big-endian.
+ *
+ * \note If \p output is shorter than \p A the export is still successful if the
+ * value held in \p A fits in the buffer (that is, if enough of the most
+ * significant bytes of \p A are 0).
+ *
+ * \param[in] A The address of the MPI.
+ * \param A_limbs The number of limbs of \p A.
+ * \param[out] output The output buffer to export to.
+ * \param output_length The length in bytes of \p output.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
+ * large enough to hold the value of \p A.
+ */
+int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *A,
+ size_t A_limbs,
+ unsigned char *output,
+ size_t output_length);
+
+/** \brief Shift an MPI in-place right by a number of bits.
+ *
+ * Shifting by more bits than there are bit positions
+ * in \p X is valid and results in setting \p X to 0.
+ *
+ * This function's execution time depends on the value
+ * of \p count (and of course \p limbs).
+ *
+ * \param[in,out] X The number to shift.
+ * \param limbs The number of limbs of \p X. This must be at least 1.
+ * \param count The number of bits to shift by.
+ */
+void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count);
+
+/**
+ * \brief Shift an MPI in-place left by a number of bits.
+ *
+ * Shifting by more bits than there are bit positions
+ * in \p X will produce an unspecified result.
+ *
+ * This function's execution time depends on the value
+ * of \p count (and of course \p limbs).
+ * \param[in,out] X The number to shift.
+ * \param limbs The number of limbs of \p X. This must be at least 1.
+ * \param count The number of bits to shift by.
+ */
+void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
+ size_t count);
+
+/**
+ * \brief Add two fixed-size large unsigned integers, returning the carry.
+ *
+ * Calculates `A + B` where `A` and `B` have the same size.
+ *
+ * This function operates modulo `2^(biL*limbs)` and returns the carry
+ * (1 if there was a wraparound, and 0 otherwise).
+ *
+ * \p X may be aliased to \p A or \p B.
+ *
+ * \param[out] X The result of the addition.
+ * \param[in] A Little-endian presentation of the left operand.
+ * \param[in] B Little-endian presentation of the right operand.
+ * \param limbs Number of limbs of \p X, \p A and \p B.
+ *
+ * \return 1 if `A + B >= 2^(biL*limbs)`, 0 otherwise.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_add(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs);
+
+/**
+ * \brief Conditional addition of two fixed-size large unsigned integers,
+ * returning the carry.
+ *
+ * Functionally equivalent to
+ *
+ * ```
+ * if( cond )
+ * X += A;
+ * return carry;
+ * ```
+ *
+ * This function operates modulo `2^(biL*limbs)`.
+ *
+ * \param[in,out] X The pointer to the (little-endian) array
+ * representing the bignum to accumulate onto.
+ * \param[in] A The pointer to the (little-endian) array
+ * representing the bignum to conditionally add
+ * to \p X. This may be aliased to \p X but may not
+ * overlap otherwise.
+ * \param limbs Number of limbs of \p X and \p A.
+ * \param cond Condition bit dictating whether addition should
+ * happen or not. This must be \c 0 or \c 1.
+ *
+ * \warning If \p cond is neither 0 nor 1, the result of this function
+ * is unspecified, and the resulting value in \p X might be
+ * neither its original value nor \p X + \p A.
+ *
+ * \return 1 if `X + cond * A >= 2^(biL*limbs)`, 0 otherwise.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_add_if(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs,
+ unsigned cond);
+
+/**
+ * \brief Subtract two fixed-size large unsigned integers, returning the borrow.
+ *
+ * Calculate `A - B` where \p A and \p B have the same size.
+ * This function operates modulo `2^(biL*limbs)` and returns the carry
+ * (1 if there was a wraparound, i.e. if `A < B`, and 0 otherwise).
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \param[out] X The result of the subtraction.
+ * \param[in] A Little-endian presentation of left operand.
+ * \param[in] B Little-endian presentation of right operand.
+ * \param limbs Number of limbs of \p X, \p A and \p B.
+ *
+ * \return 1 if `A < B`.
+ * 0 if `A >= B`.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_sub(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ size_t limbs);
+
+/**
+ * \brief Perform a fixed-size multiply accumulate operation: X += b * A
+ *
+ * \p X may be aliased to \p A (when \p X_limbs == \p A_limbs), but may not
+ * otherwise overlap.
+ *
+ * This function operates modulo `2^(biL*X_limbs)`.
+ *
+ * \param[in,out] X The pointer to the (little-endian) array
+ * representing the bignum to accumulate onto.
+ * \param X_limbs The number of limbs of \p X. This must be
+ * at least \p A_limbs.
+ * \param[in] A The pointer to the (little-endian) array
+ * representing the bignum to multiply with.
+ * This may be aliased to \p X but may not overlap
+ * otherwise.
+ * \param A_limbs The number of limbs of \p A.
+ * \param b X scalar to multiply with.
+ *
+ * \return The carry at the end of the operation.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_mla(mbedtls_mpi_uint *X, size_t X_limbs,
+ const mbedtls_mpi_uint *A, size_t A_limbs,
+ mbedtls_mpi_uint b);
+
+/**
+ * \brief Perform a known-size multiplication
+ *
+ * \p X may not be aliased to any of the inputs for this function.
+ * \p A may be aliased to \p B.
+ *
+ * \param[out] X The pointer to the (little-endian) array to receive
+ * the product of \p A_limbs and \p B_limbs.
+ * This must be of length \p A_limbs + \p B_limbs.
+ * \param[in] A The pointer to the (little-endian) array
+ * representing the first factor.
+ * \param A_limbs The number of limbs in \p A.
+ * \param[in] B The pointer to the (little-endian) array
+ * representing the second factor.
+ * \param B_limbs The number of limbs in \p B.
+ */
+void mbedtls_mpi_core_mul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A, size_t A_limbs,
+ const mbedtls_mpi_uint *B, size_t B_limbs);
+
+/**
+ * \brief Calculate initialisation value for fast Montgomery modular
+ * multiplication
+ *
+ * \param[in] N Little-endian presentation of the modulus. This must have
+ * at least one limb.
+ *
+ * \return The initialisation value for fast Montgomery modular multiplication
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_montmul_init(const mbedtls_mpi_uint *N);
+
+/**
+ * \brief Montgomery multiplication: X = A * B * R^-1 mod N (HAC 14.36)
+ *
+ * \p A and \p B must be in canonical form. That is, < \p N.
+ *
+ * \p X may be aliased to \p A or \p N, or even \p B (if \p AN_limbs ==
+ * \p B_limbs) but may not overlap any parameters otherwise.
+ *
+ * \p A and \p B may alias each other, if \p AN_limbs == \p B_limbs. They may
+ * not alias \p N (since they must be in canonical form, they cannot == \p N).
+ *
+ * \param[out] X The destination MPI, as a little-endian array of
+ * length \p AN_limbs.
+ * On successful completion, X contains the result of
+ * the multiplication `A * B * R^-1` mod N where
+ * `R = 2^(biL*AN_limbs)`.
+ * \param[in] A Little-endian presentation of first operand.
+ * Must have the same number of limbs as \p N.
+ * \param[in] B Little-endian presentation of second operand.
+ * \param[in] B_limbs The number of limbs in \p B.
+ * Must be <= \p AN_limbs.
+ * \param[in] N Little-endian presentation of the modulus.
+ * This must be odd, and have exactly the same number
+ * of limbs as \p A.
+ * It may alias \p X, but must not alias or otherwise
+ * overlap any of the other parameters.
+ * \param[in] AN_limbs The number of limbs in \p X, \p A and \p N.
+ * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
+ * This can be calculated by `mbedtls_mpi_core_montmul_init()`.
+ * \param[in,out] T Temporary storage of size at least 2*AN_limbs+1 limbs.
+ * Its initial content is unused and
+ * its final content is indeterminate.
+ * It must not alias or otherwise overlap any of the
+ * other parameters.
+ */
+void mbedtls_mpi_core_montmul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B, size_t B_limbs,
+ const mbedtls_mpi_uint *N, size_t AN_limbs,
+ mbedtls_mpi_uint mm, mbedtls_mpi_uint *T);
+
+/**
+ * \brief Calculate the square of the Montgomery constant. (Needed
+ * for conversion and operations in Montgomery form.)
+ *
+ * \param[out] X A pointer to the result of the calculation of
+ * the square of the Montgomery constant:
+ * 2^{2*n*biL} mod N.
+ * \param[in] N Little-endian presentation of the modulus, which must be odd.
+ *
+ * \return 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if there is not enough space
+ * to store the value of Montgomery constant squared.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p N modulus is zero.
+ * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p N modulus is negative.
+ */
+int mbedtls_mpi_core_get_mont_r2_unsafe(mbedtls_mpi *X,
+ const mbedtls_mpi *N);
+
+#if defined(MBEDTLS_TEST_HOOKS)
+/**
+ * Copy an MPI from a table without leaking the index.
+ *
+ * \param dest The destination buffer. This must point to a writable
+ * buffer of at least \p limbs limbs.
+ * \param table The address of the table. This must point to a readable
+ * array of \p count elements of \p limbs limbs each.
+ * \param limbs The number of limbs in each table entry.
+ * \param count The number of entries in \p table.
+ * \param index The (secret) table index to look up. This must be in the
+ * range `0 .. count-1`.
+ */
+void mbedtls_mpi_core_ct_uint_table_lookup(mbedtls_mpi_uint *dest,
+ const mbedtls_mpi_uint *table,
+ size_t limbs,
+ size_t count,
+ size_t index);
+#endif /* MBEDTLS_TEST_HOOKS */
+
+/**
+ * \brief Fill an integer with a number of random bytes.
+ *
+ * \param X The destination MPI.
+ * \param X_limbs The number of limbs of \p X.
+ * \param bytes The number of random bytes to generate.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p X does not have
+ * enough room for \p bytes bytes.
+ * \return A negative error code on RNG failure.
+ *
+ * \note The bytes obtained from the RNG are interpreted
+ * as a big-endian representation of an MPI; this can
+ * be relevant in applications like deterministic ECDSA.
+ */
+int mbedtls_mpi_core_fill_random(mbedtls_mpi_uint *X, size_t X_limbs,
+ size_t bytes,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/** Generate a random number uniformly in a range.
+ *
+ * This function generates a random number between \p min inclusive and
+ * \p N exclusive.
+ *
+ * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
+ * when the RNG is a suitably parametrized instance of HMAC_DRBG
+ * and \p min is \c 1.
+ *
+ * \note There are `N - min` possible outputs. The lower bound
+ * \p min can be reached, but the upper bound \p N cannot.
+ *
+ * \param X The destination MPI, with \p limbs limbs.
+ * It must not be aliased with \p N or otherwise overlap it.
+ * \param min The minimum value to return.
+ * \param N The upper bound of the range, exclusive, with \p limbs limbs.
+ * In other words, this is one plus the maximum value to return.
+ * \p N must be strictly larger than \p min.
+ * \param limbs The number of limbs of \p N and \p X.
+ * This must not be 0.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
+ * unable to find a suitable value within a limited number
+ * of attempts. This has a negligible probability if \p N
+ * is significantly larger than \p min, which is the case
+ * for all usual cryptographic applications.
+ */
+int mbedtls_mpi_core_random(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_uint *N,
+ size_t limbs,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Returns the number of limbs of working memory required for
+ * a call to `mbedtls_mpi_core_exp_mod()`.
+ *
+ * \note This will always be at least
+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`,
+ * i.e. sufficient for a call to `mbedtls_mpi_core_montmul()`.
+ *
+ * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
+ * (they must be the same size) that will be given to
+ * `mbedtls_mpi_core_exp_mod()`.
+ * \param E_limbs The number of limbs in the exponent `E` that will be given
+ * to `mbedtls_mpi_core_exp_mod()`.
+ *
+ * \return The number of limbs of working memory required by
+ * `mbedtls_mpi_core_exp_mod()`.
+ */
+size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs);
+
+/**
+ * \brief Perform a modular exponentiation with secret exponent:
+ * X = A^E mod N, where \p A is already in Montgomery form.
+ *
+ * \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs ==
+ * \p AN_limbs.
+ *
+ * \param[out] X The destination MPI, as a little endian array of length
+ * \p AN_limbs.
+ * \param[in] A The base MPI, as a little endian array of length \p AN_limbs.
+ * Must be in Montgomery form.
+ * \param[in] N The modulus, as a little endian array of length \p AN_limbs.
+ * \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR.
+ * \param[in] E The exponent, as a little endian array of length \p E_limbs.
+ * \param E_limbs The number of limbs in \p E.
+ * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little
+ * endian array of length \p AN_limbs.
+ * \param[in,out] T Temporary storage of at least the number of limbs returned
+ * by `mbedtls_mpi_core_exp_mod_working_limbs()`.
+ * Its initial content is unused and its final content is
+ * indeterminate.
+ * It must not alias or otherwise overlap any of the other
+ * parameters.
+ * It is up to the caller to zeroize \p T when it is no
+ * longer needed, and before freeing it if it was dynamically
+ * allocated.
+ */
+void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N, size_t AN_limbs,
+ const mbedtls_mpi_uint *E, size_t E_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T);
+
+/**
+ * \brief Subtract unsigned integer from known-size large unsigned integers.
+ * Return the borrow.
+ *
+ * \param[out] X The result of the subtraction.
+ * \param[in] A The left operand.
+ * \param b The unsigned scalar to subtract.
+ * \param limbs Number of limbs of \p X and \p A.
+ *
+ * \return 1 if `A < b`.
+ * 0 if `A >= b`.
+ */
+mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ mbedtls_mpi_uint b,
+ size_t limbs);
+
+/**
+ * \brief Determine if a given MPI has the value \c 0 in constant time with
+ * respect to the value (but not with respect to the number of limbs).
+ *
+ * \param[in] A The MPI to test.
+ * \param limbs Number of limbs in \p A.
+ *
+ * \return MBEDTLS_CT_FALSE if `A == 0`
+ * MBEDTLS_CT_TRUE if `A != 0`.
+ */
+mbedtls_ct_condition_t mbedtls_mpi_core_check_zero_ct(const mbedtls_mpi_uint *A,
+ size_t limbs);
+
+/**
+ * \brief Returns the number of limbs of working memory required for
+ * a call to `mbedtls_mpi_core_montmul()`.
+ *
+ * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
+ * (they must be the same size) that will be given to
+ * `mbedtls_mpi_core_montmul()` or one of the other functions
+ * that specifies this as the amount of working memory needed.
+ *
+ * \return The number of limbs of working memory required by
+ * `mbedtls_mpi_core_montmul()` (or other similar function).
+ */
+static inline size_t mbedtls_mpi_core_montmul_working_limbs(size_t AN_limbs)
+{
+ return 2 * AN_limbs + 1;
+}
+
+/** Convert an MPI into Montgomery form.
+ *
+ * \p X may be aliased to \p A, but may not otherwise overlap it.
+ *
+ * \p X may not alias \p N (it is in canonical form, so must be strictly less
+ * than \p N). Nor may it alias or overlap \p rr (this is unlikely to be
+ * required in practice.)
+ *
+ * This function is a thin wrapper around `mbedtls_mpi_core_montmul()` that is
+ * an alternative to calling `mbedtls_mpi_mod_raw_to_mont_rep()` when we
+ * don't want to allocate memory.
+ *
+ * \param[out] X The result of the conversion.
+ * Must have the same number of limbs as \p A.
+ * \param[in] A The MPI to convert into Montgomery form.
+ * Must have the same number of limbs as the modulus.
+ * \param[in] N The address of the modulus, which gives the size of
+ * the base `R` = 2^(biL*N->limbs).
+ * \param[in] AN_limbs The number of limbs in \p X, \p A, \p N and \p rr.
+ * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
+ * This can be determined by calling
+ * `mbedtls_mpi_core_montmul_init()`.
+ * \param[in] rr The residue for `2^{2*n*biL} mod N`.
+ * \param[in,out] T Temporary storage of size at least
+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`
+ * limbs.
+ * Its initial content is unused and
+ * its final content is indeterminate.
+ * It must not alias or otherwise overlap any of the
+ * other parameters.
+ */
+void mbedtls_mpi_core_to_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ const mbedtls_mpi_uint *rr,
+ mbedtls_mpi_uint *T);
+
+/** Convert an MPI from Montgomery form.
+ *
+ * \p X may be aliased to \p A, but may not otherwise overlap it.
+ *
+ * \p X may not alias \p N (it is in canonical form, so must be strictly less
+ * than \p N).
+ *
+ * This function is a thin wrapper around `mbedtls_mpi_core_montmul()` that is
+ * an alternative to calling `mbedtls_mpi_mod_raw_from_mont_rep()` when we
+ * don't want to allocate memory.
+ *
+ * \param[out] X The result of the conversion.
+ * Must have the same number of limbs as \p A.
+ * \param[in] A The MPI to convert from Montgomery form.
+ * Must have the same number of limbs as the modulus.
+ * \param[in] N The address of the modulus, which gives the size of
+ * the base `R` = 2^(biL*N->limbs).
+ * \param[in] AN_limbs The number of limbs in \p X, \p A and \p N.
+ * \param mm The Montgomery constant for \p N: -N^-1 mod 2^biL.
+ * This can be determined by calling
+ * `mbedtls_mpi_core_montmul_init()`.
+ * \param[in,out] T Temporary storage of size at least
+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`
+ * limbs.
+ * Its initial content is unused and
+ * its final content is indeterminate.
+ * It must not alias or otherwise overlap any of the
+ * other parameters.
+ */
+void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ mbedtls_mpi_uint mm,
+ mbedtls_mpi_uint *T);
+
+#endif /* MBEDTLS_BIGNUM_CORE_H */
diff --git a/library/bignum_mod.c b/library/bignum_mod.c
new file mode 100644
index 0000000..dfd332a
--- /dev/null
+++ b/library/bignum_mod.c
@@ -0,0 +1,394 @@
+/**
+ * Modular bignum functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT)
+
+#include <string.h>
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/bignum.h"
+
+#include "mbedtls/platform.h"
+
+#include "bignum_core.h"
+#include "bignum_mod.h"
+#include "bignum_mod_raw.h"
+#include "constant_time_internal.h"
+
+int mbedtls_mpi_mod_residue_setup(mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *p,
+ size_t p_limbs)
+{
+ if (p_limbs != N->limbs || !mbedtls_mpi_core_lt_ct(p, N->p, N->limbs)) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ r->limbs = N->limbs;
+ r->p = p;
+
+ return 0;
+}
+
+void mbedtls_mpi_mod_residue_release(mbedtls_mpi_mod_residue *r)
+{
+ if (r == NULL) {
+ return;
+ }
+
+ r->limbs = 0;
+ r->p = NULL;
+}
+
+void mbedtls_mpi_mod_modulus_init(mbedtls_mpi_mod_modulus *N)
+{
+ if (N == NULL) {
+ return;
+ }
+
+ N->p = NULL;
+ N->limbs = 0;
+ N->bits = 0;
+ N->int_rep = MBEDTLS_MPI_MOD_REP_INVALID;
+}
+
+void mbedtls_mpi_mod_modulus_free(mbedtls_mpi_mod_modulus *N)
+{
+ if (N == NULL) {
+ return;
+ }
+
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ if (N->rep.mont.rr != NULL) {
+ mbedtls_zeroize_and_free((mbedtls_mpi_uint *) N->rep.mont.rr,
+ N->limbs * sizeof(mbedtls_mpi_uint));
+ N->rep.mont.rr = NULL;
+ }
+ N->rep.mont.mm = 0;
+ break;
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ N->rep.ored.modp = NULL;
+ break;
+ case MBEDTLS_MPI_MOD_REP_INVALID:
+ break;
+ }
+
+ N->p = NULL;
+ N->limbs = 0;
+ N->bits = 0;
+ N->int_rep = MBEDTLS_MPI_MOD_REP_INVALID;
+}
+
+static int set_mont_const_square(const mbedtls_mpi_uint **X,
+ const mbedtls_mpi_uint *A,
+ size_t limbs)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi N;
+ mbedtls_mpi RR;
+ *X = NULL;
+
+ mbedtls_mpi_init(&N);
+ mbedtls_mpi_init(&RR);
+
+ if (A == NULL || limbs == 0 || limbs >= (MBEDTLS_MPI_MAX_LIMBS / 2) - 2) {
+ goto cleanup;
+ }
+
+ if (mbedtls_mpi_grow(&N, limbs)) {
+ goto cleanup;
+ }
+
+ memcpy(N.p, A, sizeof(mbedtls_mpi_uint) * limbs);
+
+ ret = mbedtls_mpi_core_get_mont_r2_unsafe(&RR, &N);
+
+ if (ret == 0) {
+ *X = RR.p;
+ RR.p = NULL;
+ }
+
+cleanup:
+ mbedtls_mpi_free(&N);
+ mbedtls_mpi_free(&RR);
+ ret = (ret != 0) ? MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED : 0;
+ return ret;
+}
+
+static inline void standard_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs,
+ mbedtls_mpi_mod_rep_selector int_rep)
+{
+ N->p = p;
+ N->limbs = p_limbs;
+ N->bits = mbedtls_mpi_core_bitlen(p, p_limbs);
+ N->int_rep = int_rep;
+}
+
+int mbedtls_mpi_mod_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs)
+{
+ int ret = 0;
+ standard_modulus_setup(N, p, p_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY);
+ N->rep.mont.mm = mbedtls_mpi_core_montmul_init(N->p);
+ ret = set_mont_const_square(&N->rep.mont.rr, N->p, N->limbs);
+
+ if (ret != 0) {
+ mbedtls_mpi_mod_modulus_free(N);
+ }
+
+ return ret;
+}
+
+int mbedtls_mpi_mod_optred_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs,
+ mbedtls_mpi_modp_fn modp)
+{
+ standard_modulus_setup(N, p, p_limbs, MBEDTLS_MPI_MOD_REP_OPT_RED);
+ N->rep.ored.modp = modp;
+ return 0;
+}
+
+int mbedtls_mpi_mod_mul(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ if (N->limbs == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_uint *T = mbedtls_calloc(N->limbs * 2 + 1, ciL);
+ if (T == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi_mod_raw_mul(X->p, A->p, B->p, N, T);
+
+ mbedtls_free(T);
+
+ return 0;
+}
+
+int mbedtls_mpi_mod_sub(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ if (X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_mod_raw_sub(X->p, A->p, B->p, N);
+
+ return 0;
+}
+
+static int mbedtls_mpi_mod_inv_mont(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *working_memory)
+{
+ /* Input already in Montgomery form, so there's little to do */
+ mbedtls_mpi_mod_raw_inv_prime(X->p, A->p,
+ N->p, N->limbs,
+ N->rep.mont.rr,
+ working_memory);
+ return 0;
+}
+
+static int mbedtls_mpi_mod_inv_non_mont(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *working_memory)
+{
+ /* Need to convert input into Montgomery form */
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_mpi_mod_modulus Nmont;
+ mbedtls_mpi_mod_modulus_init(&Nmont);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_modulus_setup(&Nmont, N->p, N->limbs));
+
+ /* We'll use X->p to hold the Montgomery form of the input A->p */
+ mbedtls_mpi_core_to_mont_rep(X->p, A->p, Nmont.p, Nmont.limbs,
+ Nmont.rep.mont.mm, Nmont.rep.mont.rr,
+ working_memory);
+
+ mbedtls_mpi_mod_raw_inv_prime(X->p, X->p,
+ Nmont.p, Nmont.limbs,
+ Nmont.rep.mont.rr,
+ working_memory);
+
+ /* And convert back from Montgomery form */
+
+ mbedtls_mpi_core_from_mont_rep(X->p, X->p, Nmont.p, Nmont.limbs,
+ Nmont.rep.mont.mm, working_memory);
+
+cleanup:
+ mbedtls_mpi_mod_modulus_free(&Nmont);
+ return ret;
+}
+
+int mbedtls_mpi_mod_inv(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ if (X->limbs != N->limbs || A->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /* Zero has the same value regardless of Montgomery form or not */
+ if (mbedtls_mpi_core_check_zero_ct(A->p, A->limbs) == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ size_t working_limbs =
+ mbedtls_mpi_mod_raw_inv_prime_working_limbs(N->limbs);
+
+ mbedtls_mpi_uint *working_memory = mbedtls_calloc(working_limbs,
+ sizeof(mbedtls_mpi_uint));
+ if (working_memory == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ ret = mbedtls_mpi_mod_inv_mont(X, A, N, working_memory);
+ break;
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ ret = mbedtls_mpi_mod_inv_non_mont(X, A, N, working_memory);
+ break;
+ default:
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ break;
+ }
+
+ mbedtls_zeroize_and_free(working_memory,
+ working_limbs * sizeof(mbedtls_mpi_uint));
+
+ return ret;
+}
+
+int mbedtls_mpi_mod_add(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ if (X->limbs != N->limbs || A->limbs != N->limbs || B->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_mod_raw_add(X->p, A->p, B->p, N);
+
+ return 0;
+}
+
+int mbedtls_mpi_mod_random(mbedtls_mpi_mod_residue *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_mod_modulus *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ if (X->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+ return mbedtls_mpi_mod_raw_random(X->p, min, N, f_rng, p_rng);
+}
+
+int mbedtls_mpi_mod_read(mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ const unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep)
+{
+ int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+ /* Do our best to check if r and m have been set up */
+ if (r->limbs == 0 || N->limbs == 0) {
+ goto cleanup;
+ }
+ if (r->limbs != N->limbs) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_mpi_mod_raw_read(r->p, N, buf, buflen, ext_rep);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ r->limbs = N->limbs;
+
+ ret = mbedtls_mpi_mod_raw_canonical_to_modulus_rep(r->p, N);
+
+cleanup:
+ return ret;
+}
+
+int mbedtls_mpi_mod_write(const mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep)
+{
+ /* Do our best to check if r and m have been set up */
+ if (r->limbs == 0 || N->limbs == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+ if (r->limbs != N->limbs) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi_uint *working_memory = r->p;
+ size_t working_memory_len = sizeof(mbedtls_mpi_uint) * r->limbs;
+
+ if (N->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY) {
+
+ working_memory = mbedtls_calloc(r->limbs, sizeof(mbedtls_mpi_uint));
+
+ if (working_memory == NULL) {
+ ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ memcpy(working_memory, r->p, working_memory_len);
+
+ ret = mbedtls_mpi_mod_raw_from_mont_rep(working_memory, N);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ }
+
+ ret = mbedtls_mpi_mod_raw_write(working_memory, N, buf, buflen, ext_rep);
+
+cleanup:
+
+ if (N->int_rep == MBEDTLS_MPI_MOD_REP_MONTGOMERY &&
+ working_memory != NULL) {
+
+ mbedtls_zeroize_and_free(working_memory, working_memory_len);
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/library/bignum_mod.h b/library/bignum_mod.h
new file mode 100644
index 0000000..963d888
--- /dev/null
+++ b/library/bignum_mod.h
@@ -0,0 +1,452 @@
+/**
+ * Modular bignum functions
+ *
+ * This module implements operations on integers modulo some fixed modulus.
+ *
+ * The functions in this module obey the following conventions unless
+ * explicitly indicated otherwise:
+ *
+ * - **Modulus parameters**: the modulus is passed as a pointer to a structure
+ * of type #mbedtls_mpi_mod_modulus. The structure must be set up with an
+ * array of limbs storing the bignum value of the modulus. The modulus must
+ * be odd and is assumed to have no leading zeroes. The modulus is usually
+ * named \c N and is usually input-only. Functions which take a parameter
+ * of type \c const #mbedtls_mpi_mod_modulus* must not modify its value.
+ * - **Bignum parameters**: Bignums are passed as pointers to an array of
+ * limbs or to a #mbedtls_mpi_mod_residue structure. A limb has the type
+ * #mbedtls_mpi_uint. Residues must be initialized before use, and must be
+ * associated with the modulus \c N. Unless otherwise specified:
+ * - Bignum parameters called \c A, \c B, ... are inputs and are not
+ * modified by the function. Functions which take a parameter of
+ * type \c const #mbedtls_mpi_mod_residue* must not modify its value.
+ * - Bignum parameters called \c X, \c Y, ... are outputs or input-output.
+ * The initial bignum value of output-only parameters is ignored, but
+ * they must be set up and associated with the modulus \c N. Some
+ * functions (typically constant-flow) require that the limbs in an
+ * output residue are initialized.
+ * - Bignum parameters called \c p are inputs used to set up a modulus or
+ * residue. These must be pointers to an array of limbs.
+ * - \c T is a temporary storage area. The initial content of such a
+ * parameter is ignored and the final content is unspecified.
+ * - Some functions use different names, such as \c r for the residue.
+ * - **Bignum sizes**: bignum sizes are always expressed in limbs. Both
+ * #mbedtls_mpi_mod_modulus and #mbedtls_mpi_mod_residue have a \c limbs
+ * member storing its size. All bignum parameters must have the same
+ * number of limbs as the modulus. All bignum sizes must be at least 1 and
+ * must be significantly less than #SIZE_MAX. The behavior if a size is 0 is
+ * undefined.
+ * - **Bignum representation**: the representation of inputs and outputs is
+ * specified by the \c int_rep field of the modulus.
+ * - **Parameter ordering**: for bignum parameters, outputs come before inputs.
+ * The modulus is passed after residues. Temporaries come last.
+ * - **Aliasing**: in general, output bignums may be aliased to one or more
+ * inputs. Modulus values may not be aliased to any other parameter. Outputs
+ * may not be aliased to one another. Temporaries may not be aliased to any
+ * other parameter.
+ * - **Overlap**: apart from aliasing of residue pointers (where two residue
+ * arguments are equal pointers), overlap is not supported and may result
+ * in undefined behavior.
+ * - **Error handling**: functions generally check compatibility of input
+ * sizes. Most functions will not check that input values are in canonical
+ * form (i.e. that \c A < \c N), this is only checked during setup of a
+ * residue structure.
+ * - **Modular representatives**: all functions expect inputs to be in the
+ * range [0, \c N - 1] and guarantee outputs in the range [0, \c N - 1].
+ * Residues are set up with an associated modulus, and operations are only
+ * guaranteed to work if the modulus is associated with all residue
+ * parameters. If a residue is passed with a modulus other than the one it
+ * is associated with, then it may be out of range. If an input is out of
+ * range, outputs are fully unspecified, though bignum values out of range
+ * should not cause buffer overflows (beware that this is not extensively
+ * tested).
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BIGNUM_MOD_H
+#define MBEDTLS_BIGNUM_MOD_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+/** How residues associated with a modulus are represented.
+ *
+ * This also determines which fields of the modulus structure are valid and
+ * what their contents are (see #mbedtls_mpi_mod_modulus).
+ */
+typedef enum {
+ /** Representation not chosen (makes the modulus structure invalid). */
+ MBEDTLS_MPI_MOD_REP_INVALID = 0,
+ /* Skip 1 as it is slightly easier to accidentally pass to functions. */
+ /** Montgomery representation. */
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY = 2,
+ /* Optimised reduction available. This indicates a coordinate modulus (P)
+ * and one or more of the following have been configured:
+ * - A nist curve (MBEDTLS_ECP_DP_SECPXXXR1_ENABLED) & MBEDTLS_ECP_NIST_OPTIM.
+ * - A Kobliz Curve.
+ * - A Fast Reduction Curve CURVE25519 or CURVE448. */
+ MBEDTLS_MPI_MOD_REP_OPT_RED,
+} mbedtls_mpi_mod_rep_selector;
+
+/* Make mbedtls_mpi_mod_rep_selector and mbedtls_mpi_mod_ext_rep disjoint to
+ * make it easier to catch when they are accidentally swapped. */
+typedef enum {
+ MBEDTLS_MPI_MOD_EXT_REP_INVALID = 0,
+ MBEDTLS_MPI_MOD_EXT_REP_LE = 8,
+ MBEDTLS_MPI_MOD_EXT_REP_BE
+} mbedtls_mpi_mod_ext_rep;
+
+typedef struct {
+ mbedtls_mpi_uint *p;
+ size_t limbs;
+} mbedtls_mpi_mod_residue;
+
+typedef struct {
+ mbedtls_mpi_uint const *rr; /* The residue for 2^{2*n*biL} mod N */
+ mbedtls_mpi_uint mm; /* Montgomery const for -N^{-1} mod 2^{ciL} */
+} mbedtls_mpi_mont_struct;
+
+typedef int (*mbedtls_mpi_modp_fn)(mbedtls_mpi_uint *X, size_t X_limbs);
+
+typedef struct {
+ mbedtls_mpi_modp_fn modp; /* The optimised reduction function pointer */
+} mbedtls_mpi_opt_red_struct;
+
+typedef struct {
+ const mbedtls_mpi_uint *p;
+ size_t limbs; // number of limbs
+ size_t bits; // bitlen of p
+ mbedtls_mpi_mod_rep_selector int_rep; // selector to signal the active member of the union
+ union rep {
+ /* if int_rep == #MBEDTLS_MPI_MOD_REP_MONTGOMERY */
+ mbedtls_mpi_mont_struct mont;
+ /* if int_rep == #MBEDTLS_MPI_MOD_REP_OPT_RED */
+ mbedtls_mpi_opt_red_struct ored;
+ } rep;
+} mbedtls_mpi_mod_modulus;
+
+/** Setup a residue structure.
+ *
+ * The residue will be set up with the buffer \p p and modulus \p N.
+ *
+ * The memory pointed to by \p p will be used by the resulting residue structure.
+ * The value at the pointed-to memory will be the initial value of \p r and must
+ * hold a value that is less than the modulus. This value will be used as-is
+ * and interpreted according to the value of the `N->int_rep` field.
+ *
+ * The modulus \p N will be the modulus associated with \p r. The residue \p r
+ * should only be used in operations where the modulus is \p N.
+ *
+ * \param[out] r The address of the residue to setup.
+ * \param[in] N The address of the modulus related to \p r.
+ * \param[in] p The address of the limb array containing the value of \p r.
+ * The memory pointed to by \p p will be used by \p r and must
+ * not be modified in any way until after
+ * mbedtls_mpi_mod_residue_release() is called. The data
+ * pointed to by \p p must be less than the modulus (the value
+ * pointed to by `N->p`) and already in the representation
+ * indicated by `N->int_rep`.
+ * \param p_limbs The number of limbs of \p p. Must be the same as the number
+ * of limbs in the modulus \p N.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p p_limbs is less than the
+ * limbs in \p N or if \p p is not less than \p N.
+ */
+int mbedtls_mpi_mod_residue_setup(mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *p,
+ size_t p_limbs);
+
+/** Unbind elements of a residue structure.
+ *
+ * This function removes the reference to the limb array that was passed to
+ * mbedtls_mpi_mod_residue_setup() to make it safe to free or use again.
+ *
+ * This function invalidates \p r and it must not be used until after
+ * mbedtls_mpi_mod_residue_setup() is called on it again.
+ *
+ * \param[out] r The address of residue to release.
+ */
+void mbedtls_mpi_mod_residue_release(mbedtls_mpi_mod_residue *r);
+
+/** Initialize a modulus structure.
+ *
+ * \param[out] N The address of the modulus structure to initialize.
+ */
+void mbedtls_mpi_mod_modulus_init(mbedtls_mpi_mod_modulus *N);
+
+/** Setup a modulus structure.
+ *
+ * \param[out] N The address of the modulus structure to populate.
+ * \param[in] p The address of the limb array storing the value of \p N.
+ * The memory pointed to by \p p will be used by \p N and must
+ * not be modified in any way until after
+ * mbedtls_mpi_mod_modulus_free() is called.
+ * \param p_limbs The number of limbs of \p p.
+ *
+ * \return \c 0 if successful.
+ */
+int mbedtls_mpi_mod_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs);
+
+/** Setup an optimised-reduction compatible modulus structure.
+ *
+ * \param[out] N The address of the modulus structure to populate.
+ * \param[in] p The address of the limb array storing the value of \p N.
+ * The memory pointed to by \p p will be used by \p N and must
+ * not be modified in any way until after
+ * mbedtls_mpi_mod_modulus_free() is called.
+ * \param p_limbs The number of limbs of \p p.
+ * \param modp A pointer to the optimised reduction function to use. \p p.
+ *
+ * \return \c 0 if successful.
+ */
+int mbedtls_mpi_mod_optred_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_mpi_uint *p,
+ size_t p_limbs,
+ mbedtls_mpi_modp_fn modp);
+
+/** Free elements of a modulus structure.
+ *
+ * This function frees any memory allocated by mbedtls_mpi_mod_modulus_setup().
+ *
+ * \warning This function does not free the limb array passed to
+ * mbedtls_mpi_mod_modulus_setup() only removes the reference to it,
+ * making it safe to free or to use it again.
+ *
+ * \param[in,out] N The address of the modulus structure to free.
+ */
+void mbedtls_mpi_mod_modulus_free(mbedtls_mpi_mod_modulus *N);
+
+/** \brief Multiply two residues, returning the residue modulo the specified
+ * modulus.
+ *
+ * \note Currently handles the case when `N->int_rep` is
+ * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
+ *
+ * The size of the operation is determined by \p N. \p A, \p B and \p X must
+ * all be associated with the modulus \p N and must all have the same number
+ * of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise. They may not alias \p N (since they must be in canonical
+ * form, they cannot == \p N).
+ *
+ * \param[out] X The address of the result MPI. Must have the same
+ * number of limbs as \p N.
+ * On successful completion, \p X contains the result of
+ * the multiplication `A * B * R^-1` mod N where
+ * `R = 2^(biL * N->limbs)`.
+ * \param[in] A The address of the first MPI.
+ * \param[in] B The address of the second MPI.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the multiplication.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if all the parameters do not
+ * have the same number of limbs or \p N is invalid.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ */
+int mbedtls_mpi_mod_mul(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/**
+ * \brief Perform a fixed-size modular subtraction.
+ *
+ * Calculate `A - B modulo N`.
+ *
+ * \p A, \p B and \p X must all have the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \note This function does not check that \p A or \p B are in canonical
+ * form (that is, are < \p N) - that will have been done by
+ * mbedtls_mpi_mod_residue_setup().
+ *
+ * \param[out] X The address of the result MPI. Must be initialized.
+ * Must have the same number of limbs as the modulus \p N.
+ * \param[in] A The address of the first MPI.
+ * \param[in] B The address of the second MPI.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the subtraction.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the given MPIs do not
+ * have the correct number of limbs.
+ */
+int mbedtls_mpi_mod_sub(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/**
+ * \brief Perform modular inversion of an MPI with respect to a modulus \p N.
+ *
+ * \p A and \p X must be associated with the modulus \p N and will therefore
+ * have the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A.
+ *
+ * \warning Currently only supports prime moduli, but does not check for them.
+ *
+ * \param[out] X The modular inverse of \p A with respect to \p N.
+ * \param[in] A The number to calculate the modular inverse of.
+ * Must not be 0.
+ * \param[in] N The modulus to use.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p A and \p N do not
+ * have the same number of limbs.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p A is zero.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if couldn't allocate enough
+ * memory (needed for conversion to and from Mongtomery form
+ * when not in Montgomery form already, and for temporary use
+ * by the inversion calculation itself).
+ */
+
+int mbedtls_mpi_mod_inv(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_modulus *N);
+/**
+ * \brief Perform a fixed-size modular addition.
+ *
+ * Calculate `A + B modulo N`.
+ *
+ * \p A, \p B and \p X must all be associated with the modulus \p N and must
+ * all have the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \note This function does not check that \p A or \p B are in canonical
+ * form (that is, are < \p N) - that will have been done by
+ * mbedtls_mpi_mod_residue_setup().
+ *
+ * \param[out] X The address of the result residue. Must be initialized.
+ * Must have the same number of limbs as the modulus \p N.
+ * \param[in] A The address of the first input residue.
+ * \param[in] B The address of the second input residue.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the addition.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the given MPIs do not
+ * have the correct number of limbs.
+ */
+int mbedtls_mpi_mod_add(mbedtls_mpi_mod_residue *X,
+ const mbedtls_mpi_mod_residue *A,
+ const mbedtls_mpi_mod_residue *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Generate a random number uniformly in a range.
+ *
+ * This function generates a random number between \p min inclusive and
+ * \p N exclusive.
+ *
+ * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
+ * when the RNG is a suitably parametrized instance of HMAC_DRBG
+ * and \p min is \c 1.
+ *
+ * \note There are `N - min` possible outputs. The lower bound
+ * \p min can be reached, but the upper bound \p N cannot.
+ *
+ * \param X The destination residue.
+ * \param min The minimum value to return. It must be strictly smaller
+ * than \b N.
+ * \param N The modulus.
+ * This is the upper bound of the output range, exclusive.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
+ * unable to find a suitable value within a limited number
+ * of attempts. This has a negligible probability if \p N
+ * is significantly larger than \p min, which is the case
+ * for all usual cryptographic applications.
+ */
+int mbedtls_mpi_mod_random(mbedtls_mpi_mod_residue *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_mod_modulus *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/** Read a residue from a byte buffer.
+ *
+ * The residue will be automatically converted to the internal representation
+ * based on the value of the `N->int_rep` field.
+ *
+ * The modulus \p N will be the modulus associated with \p r. The residue \p r
+ * should only be used in operations where the modulus is \p N or a modulus
+ * equivalent to \p N (in the sense that all their fields or memory pointed by
+ * their fields hold the same value).
+ *
+ * \param[out] r The address of the residue. It must have exactly the same
+ * number of limbs as the modulus \p N.
+ * \param[in] N The address of the modulus.
+ * \param[in] buf The input buffer to import from.
+ * \param buflen The length in bytes of \p buf.
+ * \param ext_rep The endianness of the number in the input buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p r isn't
+ * large enough to hold the value in \p buf.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep
+ * is invalid or the value in the buffer is not less than \p N.
+ */
+int mbedtls_mpi_mod_read(mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ const unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep);
+
+/** Write a residue into a byte buffer.
+ *
+ * The modulus \p N must be the modulus associated with \p r (see
+ * mbedtls_mpi_mod_residue_setup() and mbedtls_mpi_mod_read()).
+ *
+ * The residue will be automatically converted from the internal representation
+ * based on the value of `N->int_rep` field.
+ *
+ * \warning If the buffer is smaller than `N->bits`, the number of
+ * leading zeroes is leaked through timing. If \p r is
+ * secret, the caller must ensure that \p buflen is at least
+ * (`N->bits`+7)/8.
+ *
+ * \param[in] r The address of the residue. It must have the same number of
+ * limbs as the modulus \p N. (\p r is an input parameter, but
+ * its value will be modified during execution and restored
+ * before the function returns.)
+ * \param[in] N The address of the modulus associated with \p r.
+ * \param[out] buf The output buffer to export to.
+ * \param buflen The length in bytes of \p buf.
+ * \param ext_rep The endianness in which the number should be written into
+ * the output buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ * large enough to hold the value of \p r (without leading
+ * zeroes).
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p ext_rep is invalid.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if couldn't allocate enough
+ * memory for conversion. Can occur only for moduli with
+ * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
+ */
+int mbedtls_mpi_mod_write(const mbedtls_mpi_mod_residue *r,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char *buf,
+ size_t buflen,
+ mbedtls_mpi_mod_ext_rep ext_rep);
+
+#endif /* MBEDTLS_BIGNUM_MOD_H */
diff --git a/library/bignum_mod_raw.c b/library/bignum_mod_raw.c
new file mode 100644
index 0000000..5343bc6
--- /dev/null
+++ b/library/bignum_mod_raw.c
@@ -0,0 +1,276 @@
+/*
+ * Low-level modular bignum functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT)
+
+#include <string.h>
+
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include "mbedtls/platform.h"
+
+#include "bignum_core.h"
+#include "bignum_mod_raw.h"
+#include "bignum_mod.h"
+#include "constant_time_internal.h"
+
+#include "bignum_mod_raw_invasive.h"
+
+void mbedtls_mpi_mod_raw_cond_assign(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char assign)
+{
+ mbedtls_mpi_core_cond_assign(X, A, N->limbs, mbedtls_ct_bool(assign));
+}
+
+void mbedtls_mpi_mod_raw_cond_swap(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint *Y,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char swap)
+{
+ mbedtls_mpi_core_cond_swap(X, Y, N->limbs, mbedtls_ct_bool(swap));
+}
+
+int mbedtls_mpi_mod_raw_read(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N,
+ const unsigned char *input,
+ size_t input_length,
+ mbedtls_mpi_mod_ext_rep ext_rep)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ switch (ext_rep) {
+ case MBEDTLS_MPI_MOD_EXT_REP_LE:
+ ret = mbedtls_mpi_core_read_le(X, N->limbs,
+ input, input_length);
+ break;
+ case MBEDTLS_MPI_MOD_EXT_REP_BE:
+ ret = mbedtls_mpi_core_read_be(X, N->limbs,
+ input, input_length);
+ break;
+ default:
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ if (!mbedtls_mpi_core_lt_ct(X, N->p, N->limbs)) {
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+cleanup:
+
+ return ret;
+}
+
+int mbedtls_mpi_mod_raw_write(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char *output,
+ size_t output_length,
+ mbedtls_mpi_mod_ext_rep ext_rep)
+{
+ switch (ext_rep) {
+ case MBEDTLS_MPI_MOD_EXT_REP_LE:
+ return mbedtls_mpi_core_write_le(A, N->limbs,
+ output, output_length);
+ case MBEDTLS_MPI_MOD_EXT_REP_BE:
+ return mbedtls_mpi_core_write_be(A, N->limbs,
+ output, output_length);
+ default:
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+}
+
+void mbedtls_mpi_mod_raw_sub(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_uint c = mbedtls_mpi_core_sub(X, A, B, N->limbs);
+
+ (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
+}
+
+MBEDTLS_STATIC_TESTABLE
+void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_uint c = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
+
+ (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
+}
+
+
+void mbedtls_mpi_mod_raw_mul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *T)
+{
+ /* Standard (A * B) multiplication stored into pre-allocated T
+ * buffer of fixed limb size of (2N + 1).
+ *
+ * The space may not not fully filled by when
+ * MBEDTLS_MPI_MOD_REP_OPT_RED is used. */
+ const size_t T_limbs = BITS_TO_LIMBS(N->bits) * 2;
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ mbedtls_mpi_core_montmul(X, A, B, N->limbs, N->p, N->limbs,
+ N->rep.mont.mm, T);
+ break;
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ mbedtls_mpi_core_mul(T, A, N->limbs, B, N->limbs);
+
+ /* Optimised Reduction */
+ (*N->rep.ored.modp)(T, T_limbs);
+
+ /* Convert back to canonical representation */
+ mbedtls_mpi_mod_raw_fix_quasi_reduction(T, N);
+ memcpy(X, T, N->limbs * sizeof(mbedtls_mpi_uint));
+ break;
+ default:
+ break;
+ }
+
+}
+
+size_t mbedtls_mpi_mod_raw_inv_prime_working_limbs(size_t AN_limbs)
+{
+ /* mbedtls_mpi_mod_raw_inv_prime() needs a temporary for the exponent,
+ * which will be the same size as the modulus and input (AN_limbs),
+ * and additional space to pass to mbedtls_mpi_core_exp_mod(). */
+ return AN_limbs +
+ mbedtls_mpi_core_exp_mod_working_limbs(AN_limbs, AN_limbs);
+}
+
+void mbedtls_mpi_mod_raw_inv_prime(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T)
+{
+ /* Inversion by power: g^|G| = 1 => g^(-1) = g^(|G|-1), and
+ * |G| = N - 1, so we want
+ * g^(|G|-1) = g^(N - 2)
+ */
+
+ /* Use the first AN_limbs of T to hold N - 2 */
+ mbedtls_mpi_uint *Nminus2 = T;
+ (void) mbedtls_mpi_core_sub_int(Nminus2, N, 2, AN_limbs);
+
+ /* Rest of T is given to exp_mod for its working space */
+ mbedtls_mpi_core_exp_mod(X,
+ A, N, AN_limbs, Nminus2, AN_limbs,
+ RR, T + AN_limbs);
+}
+
+void mbedtls_mpi_mod_raw_add(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_uint carry, borrow;
+ carry = mbedtls_mpi_core_add(X, A, B, N->limbs);
+ borrow = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
+ (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) (carry ^ borrow));
+}
+
+int mbedtls_mpi_mod_raw_canonical_to_modulus_rep(
+ mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ return mbedtls_mpi_mod_raw_to_mont_rep(X, N);
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ return 0;
+ default:
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_mpi_mod_raw_modulus_to_canonical_rep(
+ mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ switch (N->int_rep) {
+ case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
+ return mbedtls_mpi_mod_raw_from_mont_rep(X, N);
+ case MBEDTLS_MPI_MOD_REP_OPT_RED:
+ return 0;
+ default:
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_mpi_mod_raw_random(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_mod_modulus *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = mbedtls_mpi_core_random(X, min, N->p, N->limbs, f_rng, p_rng);
+ if (ret != 0) {
+ return ret;
+ }
+ return mbedtls_mpi_mod_raw_canonical_to_modulus_rep(X, N);
+}
+
+int mbedtls_mpi_mod_raw_to_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_uint *T;
+ const size_t t_limbs = mbedtls_mpi_core_montmul_working_limbs(N->limbs);
+
+ if ((T = (mbedtls_mpi_uint *) mbedtls_calloc(t_limbs, ciL)) == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi_core_to_mont_rep(X, X, N->p, N->limbs,
+ N->rep.mont.mm, N->rep.mont.rr, T);
+
+ mbedtls_zeroize_and_free(T, t_limbs * ciL);
+ return 0;
+}
+
+int mbedtls_mpi_mod_raw_from_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ const size_t t_limbs = mbedtls_mpi_core_montmul_working_limbs(N->limbs);
+ mbedtls_mpi_uint *T;
+
+ if ((T = (mbedtls_mpi_uint *) mbedtls_calloc(t_limbs, ciL)) == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi_core_from_mont_rep(X, X, N->p, N->limbs, N->rep.mont.mm, T);
+
+ mbedtls_zeroize_and_free(T, t_limbs * ciL);
+ return 0;
+}
+
+void mbedtls_mpi_mod_raw_neg(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N)
+{
+ mbedtls_mpi_core_sub(X, N->p, A, N->limbs);
+
+ /* If A=0 initially, then X=N now. Detect this by
+ * subtracting N and catching the carry. */
+ mbedtls_mpi_uint borrow = mbedtls_mpi_core_sub(X, X, N->p, N->limbs);
+ (void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) borrow);
+}
+
+#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/library/bignum_mod_raw.h b/library/bignum_mod_raw.h
new file mode 100644
index 0000000..7bb4ca3
--- /dev/null
+++ b/library/bignum_mod_raw.h
@@ -0,0 +1,416 @@
+/**
+ * Low-level modular bignum functions
+ *
+ * This interface should only be used by the higher-level modular bignum
+ * module (bignum_mod.c) and the ECP module (ecp.c, ecp_curves.c). All other
+ * modules should use the high-level modular bignum interface (bignum_mod.h)
+ * or the legacy bignum interface (bignum.h).
+ *
+ * This is a low-level interface to operations on integers modulo which
+ * has no protection against passing invalid arguments such as arrays of
+ * the wrong size. The functions in bignum_mod.h provide a higher-level
+ * interface that includes protections against accidental misuse, at the
+ * expense of code size and sometimes more cumbersome memory management.
+ *
+ * The functions in this module obey the following conventions unless
+ * explicitly indicated otherwise:
+ * - **Modulus parameters**: the modulus is passed as a pointer to a structure
+ * of type #mbedtls_mpi_mod_modulus. The structure must be set up with an
+ * array of limbs storing the bignum value of the modulus. The modulus must
+ * be odd and is assumed to have no leading zeroes. The modulus is usually
+ * named \c N and is usually input-only.
+ * - **Bignum parameters**: Bignums are passed as pointers to an array of
+ * limbs. A limb has the type #mbedtls_mpi_uint. Unless otherwise specified:
+ * - Bignum parameters called \c A, \c B, ... are inputs, and are not
+ * modified by the function.
+ * - Bignum parameters called \c X, \c Y are outputs or input-output.
+ * The initial content of output-only parameters is ignored.
+ * - \c T is a temporary storage area. The initial content of such a
+ * parameter is ignored and the final content is unspecified.
+ * - **Bignum sizes**: bignum sizes are usually expressed by the \c limbs
+ * member of the modulus argument. All bignum parameters must have the same
+ * number of limbs as the modulus. All bignum sizes must be at least 1 and
+ * must be significantly less than #SIZE_MAX. The behavior if a size is 0 is
+ * undefined.
+ * - **Bignum representation**: the representation of inputs and outputs is
+ * specified by the \c int_rep field of the modulus for arithmetic
+ * functions. Utility functions may allow for different representation.
+ * - **Parameter ordering**: for bignum parameters, outputs come before inputs.
+ * The modulus is passed after other bignum input parameters. Temporaries
+ * come last.
+ * - **Aliasing**: in general, output bignums may be aliased to one or more
+ * inputs. Modulus values may not be aliased to any other parameter. Outputs
+ * may not be aliased to one another. Temporaries may not be aliased to any
+ * other parameter.
+ * - **Overlap**: apart from aliasing of limb array pointers (where two
+ * arguments are equal pointers), overlap is not supported and may result
+ * in undefined behavior.
+ * - **Error handling**: This is a low-level module. Functions generally do not
+ * try to protect against invalid arguments such as nonsensical sizes or
+ * null pointers. Note that passing bignums with a different size than the
+ * modulus may lead to buffer overflows. Some functions which allocate
+ * memory or handle reading/writing of bignums will return an error if
+ * memory allocation fails or if buffer sizes are invalid.
+ * - **Modular representatives**: all functions expect inputs to be in the
+ * range [0, \c N - 1] and guarantee outputs in the range [0, \c N - 1]. If
+ * an input is out of range, outputs are fully unspecified, though bignum
+ * values out of range should not cause buffer overflows (beware that this is
+ * not extensively tested).
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BIGNUM_MOD_RAW_H
+#define MBEDTLS_BIGNUM_MOD_RAW_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#include "bignum_mod.h"
+
+/**
+ * \brief Perform a safe conditional copy of an MPI which doesn't reveal
+ * whether the assignment was done or not.
+ *
+ * The size to copy is determined by \p N.
+ *
+ * \param[out] X The address of the destination MPI.
+ * This must be initialized. Must have enough limbs to
+ * store the full value of \p A.
+ * \param[in] A The address of the source MPI. This must be initialized.
+ * \param[in] N The address of the modulus related to \p X and \p A.
+ * \param assign The condition deciding whether to perform the
+ * assignment or not. Must be either 0 or 1:
+ * * \c 1: Perform the assignment `X = A`.
+ * * \c 0: Keep the original value of \p X.
+ *
+ * \note This function avoids leaking any information about whether
+ * the assignment was done or not.
+ *
+ * \warning If \p assign is neither 0 nor 1, the result of this function
+ * is indeterminate, and the resulting value in \p X might be
+ * neither its original value nor the value in \p A.
+ */
+void mbedtls_mpi_mod_raw_cond_assign(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char assign);
+
+/**
+ * \brief Perform a safe conditional swap of two MPIs which doesn't reveal
+ * whether the swap was done or not.
+ *
+ * The size to swap is determined by \p N.
+ *
+ * \param[in,out] X The address of the first MPI. This must be initialized.
+ * \param[in,out] Y The address of the second MPI. This must be initialized.
+ * \param[in] N The address of the modulus related to \p X and \p Y.
+ * \param swap The condition deciding whether to perform
+ * the swap or not. Must be either 0 or 1:
+ * * \c 1: Swap the values of \p X and \p Y.
+ * * \c 0: Keep the original values of \p X and \p Y.
+ *
+ * \note This function avoids leaking any information about whether
+ * the swap was done or not.
+ *
+ * \warning If \p swap is neither 0 nor 1, the result of this function
+ * is indeterminate, and both \p X and \p Y might end up with
+ * values different to either of the original ones.
+ */
+void mbedtls_mpi_mod_raw_cond_swap(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint *Y,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char swap);
+
+/** Import X from unsigned binary data.
+ *
+ * The MPI needs to have enough limbs to store the full value (including any
+ * most significant zero bytes in the input).
+ *
+ * \param[out] X The address of the MPI. The size is determined by \p N.
+ * (In particular, it must have at least as many limbs as
+ * the modulus \p N.)
+ * \param[in] N The address of the modulus related to \p X.
+ * \param[in] input The input buffer to import from.
+ * \param input_length The length in bytes of \p input.
+ * \param ext_rep The endianness of the number in the input buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p X isn't
+ * large enough to hold the value in \p input.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation
+ * of \p N is invalid or \p X is not less than \p N.
+ */
+int mbedtls_mpi_mod_raw_read(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N,
+ const unsigned char *input,
+ size_t input_length,
+ mbedtls_mpi_mod_ext_rep ext_rep);
+
+/** Export A into unsigned binary data.
+ *
+ * \param[in] A The address of the MPI. The size is determined by \p N.
+ * (In particular, it must have at least as many limbs as
+ * the modulus \p N.)
+ * \param[in] N The address of the modulus related to \p A.
+ * \param[out] output The output buffer to export to.
+ * \param output_length The length in bytes of \p output.
+ * \param ext_rep The endianness in which the number should be written into the output buffer.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p output isn't
+ * large enough to hold the value of \p A.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the external representation
+ * of \p N is invalid.
+ */
+int mbedtls_mpi_mod_raw_write(const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N,
+ unsigned char *output,
+ size_t output_length,
+ mbedtls_mpi_mod_ext_rep ext_rep);
+
+/** \brief Subtract two MPIs, returning the residue modulo the specified
+ * modulus.
+ *
+ * The size of the operation is determined by \p N. \p A and \p B must have
+ * the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \param[out] X The address of the result MPI.
+ * This must be initialized. Must have enough limbs to
+ * store the full value of the result.
+ * \param[in] A The address of the first MPI. This must be initialized.
+ * \param[in] B The address of the second MPI. This must be initialized.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the subtraction.
+ */
+void mbedtls_mpi_mod_raw_sub(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** \brief Multiply two MPIs, returning the residue modulo the specified
+ * modulus.
+ *
+ * \note Currently handles the case when `N->int_rep` is
+ * MBEDTLS_MPI_MOD_REP_MONTGOMERY.
+ *
+ * The size of the operation is determined by \p N. \p A, \p B and \p X must
+ * all be associated with the modulus \p N and must all have the same number
+ * of limbs as \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise. They may not alias \p N (since they must be in canonical
+ * form, they cannot == \p N).
+ *
+ * \param[out] X The address of the result MPI. Must have the same
+ * number of limbs as \p N.
+ * On successful completion, \p X contains the result of
+ * the multiplication `A * B * R^-1` mod N where
+ * `R = 2^(biL * N->limbs)`.
+ * \param[in] A The address of the first MPI.
+ * \param[in] B The address of the second MPI.
+ * \param[in] N The address of the modulus. Used to perform a modulo
+ * operation on the result of the multiplication.
+ * \param[in,out] T Temporary storage of size at least 2 * N->limbs + 1
+ * limbs. Its initial content is unused and
+ * its final content is indeterminate.
+ * It must not alias or otherwise overlap any of the
+ * other parameters.
+ */
+void mbedtls_mpi_mod_raw_mul(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N,
+ mbedtls_mpi_uint *T);
+
+/**
+ * \brief Returns the number of limbs of working memory required for
+ * a call to `mbedtls_mpi_mod_raw_inv_prime()`.
+ *
+ * \note This will always be at least
+ * `mbedtls_mpi_core_montmul_working_limbs(AN_limbs)`,
+ * i.e. sufficient for a call to `mbedtls_mpi_core_montmul()`.
+ *
+ * \param AN_limbs The number of limbs in the input `A` and the modulus `N`
+ * (they must be the same size) that will be given to
+ * `mbedtls_mpi_mod_raw_inv_prime()`.
+ *
+ * \return The number of limbs of working memory required by
+ * `mbedtls_mpi_mod_raw_inv_prime()`.
+ */
+size_t mbedtls_mpi_mod_raw_inv_prime_working_limbs(size_t AN_limbs);
+
+/**
+ * \brief Perform fixed-width modular inversion of a Montgomery-form MPI with
+ * respect to a modulus \p N that must be prime.
+ *
+ * \p X may be aliased to \p A, but not to \p N or \p RR.
+ *
+ * \param[out] X The modular inverse of \p A with respect to \p N.
+ * Will be in Montgomery form.
+ * \param[in] A The number to calculate the modular inverse of.
+ * Must be in Montgomery form. Must not be 0.
+ * \param[in] N The modulus, as a little-endian array of length \p AN_limbs.
+ * Must be prime.
+ * \param AN_limbs The number of limbs in \p A, \p N and \p RR.
+ * \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little-
+ * endian array of length \p AN_limbs.
+ * \param[in,out] T Temporary storage of at least the number of limbs returned
+ * by `mbedtls_mpi_mod_raw_inv_prime_working_limbs()`.
+ * Its initial content is unused and its final content is
+ * indeterminate.
+ * It must not alias or otherwise overlap any of the other
+ * parameters.
+ * It is up to the caller to zeroize \p T when it is no
+ * longer needed, and before freeing it if it was dynamically
+ * allocated.
+ */
+void mbedtls_mpi_mod_raw_inv_prime(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *N,
+ size_t AN_limbs,
+ const mbedtls_mpi_uint *RR,
+ mbedtls_mpi_uint *T);
+
+/**
+ * \brief Perform a known-size modular addition.
+ *
+ * Calculate `A + B modulo N`.
+ *
+ * The number of limbs in each operand, and the result, is given by the
+ * modulus \p N.
+ *
+ * \p X may be aliased to \p A or \p B, or even both, but may not overlap
+ * either otherwise.
+ *
+ * \param[out] X The result of the modular addition.
+ * \param[in] A Little-endian presentation of the left operand. This
+ * must be smaller than \p N.
+ * \param[in] B Little-endian presentation of the right operand. This
+ * must be smaller than \p N.
+ * \param[in] N The address of the modulus.
+ */
+void mbedtls_mpi_mod_raw_add(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_uint *B,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Convert an MPI from canonical representation (little-endian limb array)
+ * to the representation associated with the modulus.
+ *
+ * \param[in,out] X The limb array to convert.
+ * It must have as many limbs as \p N.
+ * It is converted in place.
+ * If this function returns an error, the content of \p X
+ * is unspecified.
+ * \param[in] N The modulus structure.
+ *
+ * \return \c 0 if successful.
+ * Otherwise an \c MBEDTLS_ERR_MPI_xxx error code.
+ */
+int mbedtls_mpi_mod_raw_canonical_to_modulus_rep(
+ mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Convert an MPI from the representation associated with the modulus
+ * to canonical representation (little-endian limb array).
+ *
+ * \param[in,out] X The limb array to convert.
+ * It must have as many limbs as \p N.
+ * It is converted in place.
+ * If this function returns an error, the content of \p X
+ * is unspecified.
+ * \param[in] N The modulus structure.
+ *
+ * \return \c 0 if successful.
+ * Otherwise an \c MBEDTLS_ERR_MPI_xxx error code.
+ */
+int mbedtls_mpi_mod_raw_modulus_to_canonical_rep(
+ mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Generate a random number uniformly in a range.
+ *
+ * This function generates a random number between \p min inclusive and
+ * \p N exclusive.
+ *
+ * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
+ * when the RNG is a suitably parametrized instance of HMAC_DRBG
+ * and \p min is \c 1.
+ *
+ * \note There are `N - min` possible outputs. The lower bound
+ * \p min can be reached, but the upper bound \p N cannot.
+ *
+ * \param X The destination MPI, in canonical representation modulo \p N.
+ * It must not be aliased with \p N or otherwise overlap it.
+ * \param min The minimum value to return. It must be strictly smaller
+ * than \b N.
+ * \param N The modulus.
+ * This is the upper bound of the output range, exclusive.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
+ * unable to find a suitable value within a limited number
+ * of attempts. This has a negligible probability if \p N
+ * is significantly larger than \p min, which is the case
+ * for all usual cryptographic applications.
+ */
+int mbedtls_mpi_mod_raw_random(mbedtls_mpi_uint *X,
+ mbedtls_mpi_uint min,
+ const mbedtls_mpi_mod_modulus *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/** Convert an MPI into Montgomery form.
+ *
+ * \param X The address of the MPI.
+ * Must have the same number of limbs as \p N.
+ * \param N The address of the modulus, which gives the size of
+ * the base `R` = 2^(biL*N->limbs).
+ *
+ * \return \c 0 if successful.
+ */
+int mbedtls_mpi_mod_raw_to_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** Convert an MPI back from Montgomery representation.
+ *
+ * \param X The address of the MPI.
+ * Must have the same number of limbs as \p N.
+ * \param N The address of the modulus, which gives the size of
+ * the base `R`= 2^(biL*N->limbs).
+ *
+ * \return \c 0 if successful.
+ */
+int mbedtls_mpi_mod_raw_from_mont_rep(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+/** \brief Perform fixed width modular negation.
+ *
+ * The size of the operation is determined by \p N. \p A must have
+ * the same number of limbs as \p N.
+ *
+ * \p X may be aliased to \p A.
+ *
+ * \param[out] X The result of the modular negation.
+ * This must be initialized.
+ * \param[in] A Little-endian presentation of the input operand. This
+ * must be less than or equal to \p N.
+ * \param[in] N The modulus to use.
+ */
+void mbedtls_mpi_mod_raw_neg(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_uint *A,
+ const mbedtls_mpi_mod_modulus *N);
+
+#endif /* MBEDTLS_BIGNUM_MOD_RAW_H */
diff --git a/library/bignum_mod_raw_invasive.h b/library/bignum_mod_raw_invasive.h
new file mode 100644
index 0000000..94a0d06
--- /dev/null
+++ b/library/bignum_mod_raw_invasive.h
@@ -0,0 +1,34 @@
+/**
+ * \file bignum_mod_raw_invasive.h
+ *
+ * \brief Function declarations for invasive functions of Low-level
+ * modular bignum.
+ */
+/**
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H
+#define MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H
+
+#include "common.h"
+#include "mbedtls/bignum.h"
+#include "bignum_mod.h"
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+/** Convert the result of a quasi-reduction to its canonical representative.
+ *
+ * \param[in,out] X The address of the MPI to be converted. Must have the
+ * same number of limbs as \p N. The input value must
+ * be in range 0 <= X < 2N.
+ * \param[in] N The address of the modulus.
+ */
+MBEDTLS_STATIC_TESTABLE
+void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
+ const mbedtls_mpi_mod_modulus *N);
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* MBEDTLS_BIGNUM_MOD_RAW_INVASIVE_H */
diff --git a/library/block_cipher.c b/library/block_cipher.c
new file mode 100644
index 0000000..04cd7fb
--- /dev/null
+++ b/library/block_cipher.c
@@ -0,0 +1,203 @@
+/**
+ * \file block_cipher.c
+ *
+ * \brief Lightweight abstraction layer for block ciphers with 128 bit blocks,
+ * for use by the GCM and CCM modules.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+#include "psa/crypto.h"
+#include "psa_crypto_core.h"
+#include "psa_util_internal.h"
+#endif
+
+#include "block_cipher_internal.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+static psa_key_type_t psa_key_type_from_block_cipher_id(mbedtls_block_cipher_id_t cipher_id)
+{
+ switch (cipher_id) {
+#if defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ return PSA_KEY_TYPE_AES;
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ return PSA_KEY_TYPE_ARIA;
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ return PSA_KEY_TYPE_CAMELLIA;
+#endif
+ default:
+ return PSA_KEY_TYPE_NONE;
+ }
+}
+
+static int mbedtls_cipher_error_from_psa(psa_status_t status)
+{
+ return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_cipher_errors,
+ psa_generic_status_to_mbedtls);
+}
+#endif /* MBEDTLS_BLOCK_CIPHER_SOME_PSA */
+
+void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx)
+{
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ if (ctx->engine == MBEDTLS_BLOCK_CIPHER_ENGINE_PSA) {
+ psa_destroy_key(ctx->psa_key_id);
+ return;
+ }
+#endif
+ switch (ctx->id) {
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ mbedtls_aes_free(&ctx->ctx.aes);
+ break;
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ mbedtls_aria_free(&ctx->ctx.aria);
+ break;
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ mbedtls_camellia_free(&ctx->ctx.camellia);
+ break;
+#endif
+ default:
+ break;
+ }
+ ctx->id = MBEDTLS_BLOCK_CIPHER_ID_NONE;
+}
+
+int mbedtls_block_cipher_setup(mbedtls_block_cipher_context_t *ctx,
+ mbedtls_cipher_id_t cipher_id)
+{
+ ctx->id = (cipher_id == MBEDTLS_CIPHER_ID_AES) ? MBEDTLS_BLOCK_CIPHER_ID_AES :
+ (cipher_id == MBEDTLS_CIPHER_ID_ARIA) ? MBEDTLS_BLOCK_CIPHER_ID_ARIA :
+ (cipher_id == MBEDTLS_CIPHER_ID_CAMELLIA) ? MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA :
+ MBEDTLS_BLOCK_CIPHER_ID_NONE;
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ psa_key_type_t psa_key_type = psa_key_type_from_block_cipher_id(ctx->id);
+ if (psa_key_type != PSA_KEY_TYPE_NONE &&
+ psa_can_do_cipher(psa_key_type, PSA_ALG_ECB_NO_PADDING)) {
+ ctx->engine = MBEDTLS_BLOCK_CIPHER_ENGINE_PSA;
+ return 0;
+ }
+ ctx->engine = MBEDTLS_BLOCK_CIPHER_ENGINE_LEGACY;
+#endif
+
+ switch (ctx->id) {
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ mbedtls_aes_init(&ctx->ctx.aes);
+ return 0;
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ mbedtls_aria_init(&ctx->ctx.aria);
+ return 0;
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ mbedtls_camellia_init(&ctx->ctx.camellia);
+ return 0;
+#endif
+ default:
+ ctx->id = MBEDTLS_BLOCK_CIPHER_ID_NONE;
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_block_cipher_setkey(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char *key,
+ unsigned key_bitlen)
+{
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ if (ctx->engine == MBEDTLS_BLOCK_CIPHER_ENGINE_PSA) {
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+
+ psa_set_key_type(&key_attr, psa_key_type_from_block_cipher_id(ctx->id));
+ psa_set_key_bits(&key_attr, key_bitlen);
+ psa_set_key_algorithm(&key_attr, PSA_ALG_ECB_NO_PADDING);
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_ENCRYPT);
+
+ status = psa_import_key(&key_attr, key, PSA_BITS_TO_BYTES(key_bitlen), &ctx->psa_key_id);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_cipher_error_from_psa(status);
+ }
+ psa_reset_key_attributes(&key_attr);
+
+ return 0;
+ }
+#endif /* MBEDTLS_BLOCK_CIPHER_SOME_PSA */
+
+ switch (ctx->id) {
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ return mbedtls_aes_setkey_enc(&ctx->ctx.aes, key, key_bitlen);
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ return mbedtls_aria_setkey_enc(&ctx->ctx.aria, key, key_bitlen);
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ return mbedtls_camellia_setkey_enc(&ctx->ctx.camellia, key, key_bitlen);
+#endif
+ default:
+ return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
+ }
+}
+
+int mbedtls_block_cipher_encrypt(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+ if (ctx->engine == MBEDTLS_BLOCK_CIPHER_ENGINE_PSA) {
+ psa_status_t status;
+ size_t olen;
+
+ status = psa_cipher_encrypt(ctx->psa_key_id, PSA_ALG_ECB_NO_PADDING,
+ input, 16, output, 16, &olen);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_cipher_error_from_psa(status);
+ }
+ return 0;
+ }
+#endif /* MBEDTLS_BLOCK_CIPHER_SOME_PSA */
+
+ switch (ctx->id) {
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_AES:
+ return mbedtls_aes_crypt_ecb(&ctx->ctx.aes, MBEDTLS_AES_ENCRYPT,
+ input, output);
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_ARIA:
+ return mbedtls_aria_crypt_ecb(&ctx->ctx.aria, input, output);
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA:
+ return mbedtls_camellia_crypt_ecb(&ctx->ctx.camellia,
+ MBEDTLS_CAMELLIA_ENCRYPT,
+ input, output);
+#endif
+ default:
+ return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
+ }
+}
+
+#endif /* MBEDTLS_BLOCK_CIPHER_C */
diff --git a/library/block_cipher_internal.h b/library/block_cipher_internal.h
new file mode 100644
index 0000000..c57338b
--- /dev/null
+++ b/library/block_cipher_internal.h
@@ -0,0 +1,99 @@
+/**
+ * \file block_cipher_internal.h
+ *
+ * \brief Lightweight abstraction layer for block ciphers with 128 bit blocks,
+ * for use by the GCM and CCM modules.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_BLOCK_CIPHER_INTERNAL_H
+#define MBEDTLS_BLOCK_CIPHER_INTERNAL_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/cipher.h"
+
+#include "mbedtls/block_cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Initialize the context.
+ * This must be the first API call before using the context.
+ *
+ * \param ctx The context to initialize.
+ */
+static inline void mbedtls_block_cipher_init(mbedtls_block_cipher_context_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+/**
+ * \brief Set the block cipher to use with this context.
+ * This must be called after mbedtls_block_cipher_init().
+ *
+ * \param ctx The context to set up.
+ * \param cipher_id The identifier of the cipher to use.
+ * This must be either AES, ARIA or Camellia.
+ * Warning: this is a ::mbedtls_cipher_id_t,
+ * not a ::mbedtls_block_cipher_id_t!
+ *
+ * \retval \c 0 on success.
+ * \retval #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if \p cipher_id was
+ * invalid.
+ */
+int mbedtls_block_cipher_setup(mbedtls_block_cipher_context_t *ctx,
+ mbedtls_cipher_id_t cipher_id);
+
+/**
+ * \brief Set the key into the context.
+ *
+ * \param ctx The context to configure.
+ * \param key The buffer holding the key material.
+ * \param key_bitlen The size of the key in bits.
+ *
+ * \retval \c 0 on success.
+ * \retval #MBEDTLS_ERR_CIPHER_INVALID_CONTEXT if the context was not
+ * properly set up before calling this function.
+ * \retval One of #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH,
+ * #MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+ * #MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA if \p key_bitlen is
+ * invalid.
+ */
+int mbedtls_block_cipher_setkey(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char *key,
+ unsigned key_bitlen);
+
+/**
+ * \brief Encrypt one block (16 bytes) with the configured key.
+ *
+ * \param ctx The context holding the key.
+ * \param input The buffer holding the input block. Must be 16 bytes.
+ * \param output The buffer to which the output block will be written.
+ * Must be writable and 16 bytes long.
+ * This must either not overlap with \p input, or be equal.
+ *
+ * \retval \c 0 on success.
+ * \retval #MBEDTLS_ERR_CIPHER_INVALID_CONTEXT if the context was not
+ * properly set up before calling this function.
+ * \retval Another negative value if encryption failed.
+ */
+int mbedtls_block_cipher_encrypt(mbedtls_block_cipher_context_t *ctx,
+ const unsigned char input[16],
+ unsigned char output[16]);
+/**
+ * \brief Clear the context.
+ *
+ * \param ctx The context to clear.
+ */
+void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_BLOCK_CIPHER_INTERNAL_H */
diff --git a/library/bn_mul.h b/library/bn_mul.h
new file mode 100644
index 0000000..0738469
--- /dev/null
+++ b/library/bn_mul.h
@@ -0,0 +1,1094 @@
+/**
+ * \file bn_mul.h
+ *
+ * \brief Multi-precision integer library
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * Multiply source vector [s] with b, add result
+ * to destination vector [d] and set carry c.
+ *
+ * Currently supports:
+ *
+ * . IA-32 (386+) . AMD64 / EM64T
+ * . IA-32 (SSE2) . Motorola 68000
+ * . PowerPC, 32-bit . MicroBlaze
+ * . PowerPC, 64-bit . TriCore
+ * . SPARC v8 . ARM v3+
+ * . Alpha . MIPS32
+ * . C, longlong . C, generic
+ */
+#ifndef MBEDTLS_BN_MUL_H
+#define MBEDTLS_BN_MUL_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/bignum.h"
+
+
+/*
+ * Conversion macros for embedded constants:
+ * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
+ */
+#if defined(MBEDTLS_HAVE_INT32)
+
+#define MBEDTLS_BYTES_TO_T_UINT_4(a, b, c, d) \
+ ((mbedtls_mpi_uint) (a) << 0) | \
+ ((mbedtls_mpi_uint) (b) << 8) | \
+ ((mbedtls_mpi_uint) (c) << 16) | \
+ ((mbedtls_mpi_uint) (d) << 24)
+
+#define MBEDTLS_BYTES_TO_T_UINT_2(a, b) \
+ MBEDTLS_BYTES_TO_T_UINT_4(a, b, 0, 0)
+
+#define MBEDTLS_BYTES_TO_T_UINT_8(a, b, c, d, e, f, g, h) \
+ MBEDTLS_BYTES_TO_T_UINT_4(a, b, c, d), \
+ MBEDTLS_BYTES_TO_T_UINT_4(e, f, g, h)
+
+#else /* 64-bits */
+
+#define MBEDTLS_BYTES_TO_T_UINT_8(a, b, c, d, e, f, g, h) \
+ ((mbedtls_mpi_uint) (a) << 0) | \
+ ((mbedtls_mpi_uint) (b) << 8) | \
+ ((mbedtls_mpi_uint) (c) << 16) | \
+ ((mbedtls_mpi_uint) (d) << 24) | \
+ ((mbedtls_mpi_uint) (e) << 32) | \
+ ((mbedtls_mpi_uint) (f) << 40) | \
+ ((mbedtls_mpi_uint) (g) << 48) | \
+ ((mbedtls_mpi_uint) (h) << 56)
+
+#define MBEDTLS_BYTES_TO_T_UINT_4(a, b, c, d) \
+ MBEDTLS_BYTES_TO_T_UINT_8(a, b, c, d, 0, 0, 0, 0)
+
+#define MBEDTLS_BYTES_TO_T_UINT_2(a, b) \
+ MBEDTLS_BYTES_TO_T_UINT_8(a, b, 0, 0, 0, 0, 0, 0)
+
+#endif /* bits in mbedtls_mpi_uint */
+
+/* *INDENT-OFF* */
+#if defined(MBEDTLS_HAVE_ASM)
+
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+ ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
+
+/*
+ * GCC < 5.0 treated the x86 ebx (which is used for the GOT) as a
+ * fixed reserved register when building as PIC, leading to errors
+ * like: bn_mul.h:46:13: error: PIC register clobbered by 'ebx' in 'asm'
+ *
+ * This is fixed by an improved register allocator in GCC 5+. From the
+ * release notes:
+ * Register allocation improvements: Reuse of the PIC hard register,
+ * instead of using a fixed register, was implemented on x86/x86-64
+ * targets. This improves generated PIC code performance as more hard
+ * registers can be used.
+ */
+#if defined(__GNUC__) && __GNUC__ < 5 && defined(__PIC__)
+#define MULADDC_CANNOT_USE_EBX
+#endif
+
+/*
+ * Disable use of the i386 assembly code below if option -O0, to disable all
+ * compiler optimisations, is passed, detected with __OPTIMIZE__
+ * This is done as the number of registers used in the assembly code doesn't
+ * work with the -O0 option.
+ */
+#if defined(__i386__) && defined(__OPTIMIZE__) && !defined(MULADDC_CANNOT_USE_EBX)
+
+#define MULADDC_X1_INIT \
+ { mbedtls_mpi_uint t; \
+ asm( \
+ "movl %%ebx, %0 \n\t" \
+ "movl %5, %%esi \n\t" \
+ "movl %6, %%edi \n\t" \
+ "movl %7, %%ecx \n\t" \
+ "movl %8, %%ebx \n\t"
+
+#define MULADDC_X1_CORE \
+ "lodsl \n\t" \
+ "mull %%ebx \n\t" \
+ "addl %%ecx, %%eax \n\t" \
+ "adcl $0, %%edx \n\t" \
+ "addl (%%edi), %%eax \n\t" \
+ "adcl $0, %%edx \n\t" \
+ "movl %%edx, %%ecx \n\t" \
+ "stosl \n\t"
+
+#define MULADDC_X1_STOP \
+ "movl %4, %%ebx \n\t" \
+ "movl %%ecx, %1 \n\t" \
+ "movl %%edi, %2 \n\t" \
+ "movl %%esi, %3 \n\t" \
+ : "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "eax", "ebx", "ecx", "edx", "esi", "edi" \
+ ); }
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define MULADDC_X8_INIT MULADDC_X1_INIT
+
+#define MULADDC_X8_CORE \
+ "movd %%ecx, %%mm1 \n\t" \
+ "movd %%ebx, %%mm0 \n\t" \
+ "movd (%%edi), %%mm3 \n\t" \
+ "paddq %%mm3, %%mm1 \n\t" \
+ "movd (%%esi), %%mm2 \n\t" \
+ "pmuludq %%mm0, %%mm2 \n\t" \
+ "movd 4(%%esi), %%mm4 \n\t" \
+ "pmuludq %%mm0, %%mm4 \n\t" \
+ "movd 8(%%esi), %%mm6 \n\t" \
+ "pmuludq %%mm0, %%mm6 \n\t" \
+ "movd 12(%%esi), %%mm7 \n\t" \
+ "pmuludq %%mm0, %%mm7 \n\t" \
+ "paddq %%mm2, %%mm1 \n\t" \
+ "movd 4(%%edi), %%mm3 \n\t" \
+ "paddq %%mm4, %%mm3 \n\t" \
+ "movd 8(%%edi), %%mm5 \n\t" \
+ "paddq %%mm6, %%mm5 \n\t" \
+ "movd 12(%%edi), %%mm4 \n\t" \
+ "paddq %%mm4, %%mm7 \n\t" \
+ "movd %%mm1, (%%edi) \n\t" \
+ "movd 16(%%esi), %%mm2 \n\t" \
+ "pmuludq %%mm0, %%mm2 \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "movd 20(%%esi), %%mm4 \n\t" \
+ "pmuludq %%mm0, %%mm4 \n\t" \
+ "paddq %%mm3, %%mm1 \n\t" \
+ "movd 24(%%esi), %%mm6 \n\t" \
+ "pmuludq %%mm0, %%mm6 \n\t" \
+ "movd %%mm1, 4(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "movd 28(%%esi), %%mm3 \n\t" \
+ "pmuludq %%mm0, %%mm3 \n\t" \
+ "paddq %%mm5, %%mm1 \n\t" \
+ "movd 16(%%edi), %%mm5 \n\t" \
+ "paddq %%mm5, %%mm2 \n\t" \
+ "movd %%mm1, 8(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm7, %%mm1 \n\t" \
+ "movd 20(%%edi), %%mm5 \n\t" \
+ "paddq %%mm5, %%mm4 \n\t" \
+ "movd %%mm1, 12(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm2, %%mm1 \n\t" \
+ "movd 24(%%edi), %%mm5 \n\t" \
+ "paddq %%mm5, %%mm6 \n\t" \
+ "movd %%mm1, 16(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm4, %%mm1 \n\t" \
+ "movd 28(%%edi), %%mm5 \n\t" \
+ "paddq %%mm5, %%mm3 \n\t" \
+ "movd %%mm1, 20(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm6, %%mm1 \n\t" \
+ "movd %%mm1, 24(%%edi) \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "paddq %%mm3, %%mm1 \n\t" \
+ "movd %%mm1, 28(%%edi) \n\t" \
+ "addl $32, %%edi \n\t" \
+ "addl $32, %%esi \n\t" \
+ "psrlq $32, %%mm1 \n\t" \
+ "movd %%mm1, %%ecx \n\t"
+
+#define MULADDC_X8_STOP \
+ "emms \n\t" \
+ "movl %4, %%ebx \n\t" \
+ "movl %%ecx, %1 \n\t" \
+ "movl %%edi, %2 \n\t" \
+ "movl %%esi, %3 \n\t" \
+ : "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "eax", "ebx", "ecx", "edx", "esi", "edi" \
+ ); } \
+
+#endif /* SSE2 */
+
+#endif /* i386 */
+
+#if defined(__amd64__) || defined (__x86_64__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "xorq %%r8, %%r8\n"
+
+#define MULADDC_X1_CORE \
+ "movq (%%rsi), %%rax\n" \
+ "mulq %%rbx\n" \
+ "addq $8, %%rsi\n" \
+ "addq %%rcx, %%rax\n" \
+ "movq %%r8, %%rcx\n" \
+ "adcq $0, %%rdx\n" \
+ "nop \n" \
+ "addq %%rax, (%%rdi)\n" \
+ "adcq %%rdx, %%rcx\n" \
+ "addq $8, %%rdi\n"
+
+#define MULADDC_X1_STOP \
+ : "+c" (c), "+D" (d), "+S" (s), "+m" (*(uint64_t (*)[16]) d) \
+ : "b" (b), "m" (*(const uint64_t (*)[16]) s) \
+ : "rax", "rdx", "r8" \
+ );
+
+#endif /* AMD64 */
+
+// The following assembly code assumes that a pointer will fit in a 64-bit register
+// (including ILP32 __aarch64__ ABIs such as on watchOS, hence the 2^32 - 1)
+#if defined(__aarch64__) && (UINTPTR_MAX == 0xfffffffful || UINTPTR_MAX == 0xfffffffffffffffful)
+
+/*
+ * There are some issues around different compilers requiring different constraint
+ * syntax for updating pointers from assembly code (see notes for
+ * MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT in common.h), especially on aarch64_32 (aka ILP32).
+ *
+ * For this reason we cast the pointers to/from uintptr_t here.
+ */
+#define MULADDC_X1_INIT \
+ do { uintptr_t muladdc_d = (uintptr_t) d, muladdc_s = (uintptr_t) s; asm(
+
+#define MULADDC_X1_CORE \
+ "ldr x4, [%x2], #8 \n\t" \
+ "ldr x5, [%x1] \n\t" \
+ "mul x6, x4, %4 \n\t" \
+ "umulh x7, x4, %4 \n\t" \
+ "adds x5, x5, x6 \n\t" \
+ "adc x7, x7, xzr \n\t" \
+ "adds x5, x5, %0 \n\t" \
+ "adc %0, x7, xzr \n\t" \
+ "str x5, [%x1], #8 \n\t"
+
+#define MULADDC_X1_STOP \
+ : "+r" (c), \
+ "+r" (muladdc_d), \
+ "+r" (muladdc_s), \
+ "+m" (*(uint64_t (*)[16]) d) \
+ : "r" (b), "m" (*(const uint64_t (*)[16]) s) \
+ : "x4", "x5", "x6", "x7", "cc" \
+ ); d = (mbedtls_mpi_uint *)muladdc_d; s = (mbedtls_mpi_uint *)muladdc_s; } while (0);
+
+#endif /* Aarch64 */
+
+#if defined(__mc68020__) || defined(__mcpu32__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "movl %3, %%a2 \n\t" \
+ "movl %4, %%a3 \n\t" \
+ "movl %5, %%d3 \n\t" \
+ "movl %6, %%d2 \n\t" \
+ "moveq #0, %%d0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "moveq #0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "addxl %%d4, %%d3 \n\t"
+
+#define MULADDC_X1_STOP \
+ "movl %%d3, %0 \n\t" \
+ "movl %%a3, %1 \n\t" \
+ "movl %%a2, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "d0", "d1", "d2", "d3", "d4", "a2", "a3" \
+ );
+
+#define MULADDC_X8_INIT MULADDC_X1_INIT
+
+#define MULADDC_X8_CORE \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addxl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d3:%%d1 \n\t" \
+ "addxl %%d4, %%d1 \n\t" \
+ "addxl %%d0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addxl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d3:%%d1 \n\t" \
+ "addxl %%d4, %%d1 \n\t" \
+ "addxl %%d0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addxl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d3:%%d1 \n\t" \
+ "addxl %%d4, %%d1 \n\t" \
+ "addxl %%d0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d4:%%d1 \n\t" \
+ "addxl %%d3, %%d1 \n\t" \
+ "addxl %%d0, %%d4 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "movel %%a2@+, %%d1 \n\t" \
+ "mulul %%d2, %%d3:%%d1 \n\t" \
+ "addxl %%d4, %%d1 \n\t" \
+ "addxl %%d0, %%d3 \n\t" \
+ "addl %%d1, %%a3@+ \n\t" \
+ "addxl %%d0, %%d3 \n\t"
+
+#define MULADDC_X8_STOP MULADDC_X1_STOP
+
+#endif /* MC68000 */
+
+#if defined(__powerpc64__) || defined(__ppc64__)
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ld r3, %3 \n\t" \
+ "ld r4, %4 \n\t" \
+ "ld r5, %5 \n\t" \
+ "ld r6, %6 \n\t" \
+ "addi r3, r3, -8 \n\t" \
+ "addi r4, r4, -8 \n\t" \
+ "addic r5, r5, 0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ldu r7, 8(r3) \n\t" \
+ "mulld r8, r7, r6 \n\t" \
+ "mulhdu r9, r7, r6 \n\t" \
+ "adde r8, r8, r5 \n\t" \
+ "ld r7, 8(r4) \n\t" \
+ "addze r5, r9 \n\t" \
+ "addc r8, r8, r7 \n\t" \
+ "stdu r8, 8(r4) \n\t"
+
+#define MULADDC_X1_STOP \
+ "addze r5, r5 \n\t" \
+ "addi r4, r4, 8 \n\t" \
+ "addi r3, r3, 8 \n\t" \
+ "std r5, %0 \n\t" \
+ "std r4, %1 \n\t" \
+ "std r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
+ );
+
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ld %%r3, %3 \n\t" \
+ "ld %%r4, %4 \n\t" \
+ "ld %%r5, %5 \n\t" \
+ "ld %%r6, %6 \n\t" \
+ "addi %%r3, %%r3, -8 \n\t" \
+ "addi %%r4, %%r4, -8 \n\t" \
+ "addic %%r5, %%r5, 0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ldu %%r7, 8(%%r3) \n\t" \
+ "mulld %%r8, %%r7, %%r6 \n\t" \
+ "mulhdu %%r9, %%r7, %%r6 \n\t" \
+ "adde %%r8, %%r8, %%r5 \n\t" \
+ "ld %%r7, 8(%%r4) \n\t" \
+ "addze %%r5, %%r9 \n\t" \
+ "addc %%r8, %%r8, %%r7 \n\t" \
+ "stdu %%r8, 8(%%r4) \n\t"
+
+#define MULADDC_X1_STOP \
+ "addze %%r5, %%r5 \n\t" \
+ "addi %%r4, %%r4, 8 \n\t" \
+ "addi %%r3, %%r3, 8 \n\t" \
+ "std %%r5, %0 \n\t" \
+ "std %%r4, %1 \n\t" \
+ "std %%r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
+ );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#elif defined(__powerpc__) || defined(__ppc__) /* end PPC64/begin PPC32 */
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "lwz r3, %3 \n\t" \
+ "lwz r4, %4 \n\t" \
+ "lwz r5, %5 \n\t" \
+ "lwz r6, %6 \n\t" \
+ "addi r3, r3, -4 \n\t" \
+ "addi r4, r4, -4 \n\t" \
+ "addic r5, r5, 0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "lwzu r7, 4(r3) \n\t" \
+ "mullw r8, r7, r6 \n\t" \
+ "mulhwu r9, r7, r6 \n\t" \
+ "adde r8, r8, r5 \n\t" \
+ "lwz r7, 4(r4) \n\t" \
+ "addze r5, r9 \n\t" \
+ "addc r8, r8, r7 \n\t" \
+ "stwu r8, 4(r4) \n\t"
+
+#define MULADDC_X1_STOP \
+ "addze r5, r5 \n\t" \
+ "addi r4, r4, 4 \n\t" \
+ "addi r3, r3, 4 \n\t" \
+ "stw r5, %0 \n\t" \
+ "stw r4, %1 \n\t" \
+ "stw r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
+ );
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "lwz %%r3, %3 \n\t" \
+ "lwz %%r4, %4 \n\t" \
+ "lwz %%r5, %5 \n\t" \
+ "lwz %%r6, %6 \n\t" \
+ "addi %%r3, %%r3, -4 \n\t" \
+ "addi %%r4, %%r4, -4 \n\t" \
+ "addic %%r5, %%r5, 0 \n\t"
+
+#define MULADDC_X1_CORE \
+ "lwzu %%r7, 4(%%r3) \n\t" \
+ "mullw %%r8, %%r7, %%r6 \n\t" \
+ "mulhwu %%r9, %%r7, %%r6 \n\t" \
+ "adde %%r8, %%r8, %%r5 \n\t" \
+ "lwz %%r7, 4(%%r4) \n\t" \
+ "addze %%r5, %%r9 \n\t" \
+ "addc %%r8, %%r8, %%r7 \n\t" \
+ "stwu %%r8, 4(%%r4) \n\t"
+
+#define MULADDC_X1_STOP \
+ "addze %%r5, %%r5 \n\t" \
+ "addi %%r4, %%r4, 4 \n\t" \
+ "addi %%r3, %%r3, 4 \n\t" \
+ "stw %%r5, %0 \n\t" \
+ "stw %%r4, %1 \n\t" \
+ "stw %%r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
+ );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#endif /* PPC32 */
+
+/*
+ * The Sparc(64) assembly is reported to be broken.
+ * Disable it for now, until we're able to fix it.
+ */
+#if 0 && defined(__sparc__)
+#if defined(__sparc64__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ldx %3, %%o0 \n\t" \
+ "ldx %4, %%o1 \n\t" \
+ "ld %5, %%o2 \n\t" \
+ "ld %6, %%o3 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ld [%%o0], %%o4 \n\t" \
+ "inc 4, %%o0 \n\t" \
+ "ld [%%o1], %%o5 \n\t" \
+ "umul %%o3, %%o4, %%o4 \n\t" \
+ "addcc %%o4, %%o2, %%o4 \n\t" \
+ "rd %%y, %%g1 \n\t" \
+ "addx %%g1, 0, %%g1 \n\t" \
+ "addcc %%o4, %%o5, %%o4 \n\t" \
+ "st %%o4, [%%o1] \n\t" \
+ "addx %%g1, 0, %%o2 \n\t" \
+ "inc 4, %%o1 \n\t"
+
+#define MULADDC_X1_STOP \
+ "st %%o2, %0 \n\t" \
+ "stx %%o1, %1 \n\t" \
+ "stx %%o0, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "g1", "o0", "o1", "o2", "o3", "o4", \
+ "o5" \
+ );
+
+#else /* __sparc64__ */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ld %3, %%o0 \n\t" \
+ "ld %4, %%o1 \n\t" \
+ "ld %5, %%o2 \n\t" \
+ "ld %6, %%o3 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ld [%%o0], %%o4 \n\t" \
+ "inc 4, %%o0 \n\t" \
+ "ld [%%o1], %%o5 \n\t" \
+ "umul %%o3, %%o4, %%o4 \n\t" \
+ "addcc %%o4, %%o2, %%o4 \n\t" \
+ "rd %%y, %%g1 \n\t" \
+ "addx %%g1, 0, %%g1 \n\t" \
+ "addcc %%o4, %%o5, %%o4 \n\t" \
+ "st %%o4, [%%o1] \n\t" \
+ "addx %%g1, 0, %%o2 \n\t" \
+ "inc 4, %%o1 \n\t"
+
+#define MULADDC_X1_STOP \
+ "st %%o2, %0 \n\t" \
+ "st %%o1, %1 \n\t" \
+ "st %%o0, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "g1", "o0", "o1", "o2", "o3", "o4", \
+ "o5" \
+ );
+
+#endif /* __sparc64__ */
+#endif /* __sparc__ */
+
+#if defined(__microblaze__) || defined(microblaze)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "lwi r3, %3 \n\t" \
+ "lwi r4, %4 \n\t" \
+ "lwi r5, %5 \n\t" \
+ "lwi r6, %6 \n\t" \
+ "andi r7, r6, 0xffff \n\t" \
+ "bsrli r6, r6, 16 \n\t"
+
+#if(__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+#define MULADDC_LHUI \
+ "lhui r9, r3, 0 \n\t" \
+ "addi r3, r3, 2 \n\t" \
+ "lhui r8, r3, 0 \n\t"
+#else
+#define MULADDC_LHUI \
+ "lhui r8, r3, 0 \n\t" \
+ "addi r3, r3, 2 \n\t" \
+ "lhui r9, r3, 0 \n\t"
+#endif
+
+#define MULADDC_X1_CORE \
+ MULADDC_LHUI \
+ "addi r3, r3, 2 \n\t" \
+ "mul r10, r9, r6 \n\t" \
+ "mul r11, r8, r7 \n\t" \
+ "mul r12, r9, r7 \n\t" \
+ "mul r13, r8, r6 \n\t" \
+ "bsrli r8, r10, 16 \n\t" \
+ "bsrli r9, r11, 16 \n\t" \
+ "add r13, r13, r8 \n\t" \
+ "add r13, r13, r9 \n\t" \
+ "bslli r10, r10, 16 \n\t" \
+ "bslli r11, r11, 16 \n\t" \
+ "add r12, r12, r10 \n\t" \
+ "addc r13, r13, r0 \n\t" \
+ "add r12, r12, r11 \n\t" \
+ "addc r13, r13, r0 \n\t" \
+ "lwi r10, r4, 0 \n\t" \
+ "add r12, r12, r10 \n\t" \
+ "addc r13, r13, r0 \n\t" \
+ "add r12, r12, r5 \n\t" \
+ "addc r5, r13, r0 \n\t" \
+ "swi r12, r4, 0 \n\t" \
+ "addi r4, r4, 4 \n\t"
+
+#define MULADDC_X1_STOP \
+ "swi r5, %0 \n\t" \
+ "swi r4, %1 \n\t" \
+ "swi r3, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r3", "r4", "r5", "r6", "r7", "r8", \
+ "r9", "r10", "r11", "r12", "r13" \
+ );
+
+#endif /* MicroBlaze */
+
+#if defined(__tricore__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ld.a %%a2, %3 \n\t" \
+ "ld.a %%a3, %4 \n\t" \
+ "ld.w %%d4, %5 \n\t" \
+ "ld.w %%d1, %6 \n\t" \
+ "xor %%d5, %%d5 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ld.w %%d0, [%%a2+] \n\t" \
+ "madd.u %%e2, %%e4, %%d0, %%d1 \n\t" \
+ "ld.w %%d0, [%%a3] \n\t" \
+ "addx %%d2, %%d2, %%d0 \n\t" \
+ "addc %%d3, %%d3, 0 \n\t" \
+ "mov %%d4, %%d3 \n\t" \
+ "st.w [%%a3+], %%d2 \n\t"
+
+#define MULADDC_X1_STOP \
+ "st.w %0, %%d4 \n\t" \
+ "st.a %1, %%a3 \n\t" \
+ "st.a %2, %%a2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "d0", "d1", "e2", "d4", "a2", "a3" \
+ );
+
+#endif /* TriCore */
+
+#if defined(__arm__)
+
+#if defined(__thumb__) && !defined(__thumb2__)
+#if defined(MBEDTLS_COMPILER_IS_GCC)
+/*
+ * Thumb 1 ISA. This code path has only been tested successfully on gcc;
+ * it does not compile on clang or armclang.
+ */
+
+#if !defined(__OPTIMIZE__) && defined(__GNUC__)
+/*
+ * Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
+ * our use of r7 below, unless -fomit-frame-pointer is passed.
+ *
+ * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
+ * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
+ * clang and armcc5 under the same conditions).
+ *
+ * If gcc needs to use r7, we use r1 as a scratch register and have a few extra
+ * instructions to preserve/restore it; otherwise, we can use r7 and avoid
+ * the preserve/restore overhead.
+ */
+#define MULADDC_SCRATCH "RS .req r1 \n\t"
+#define MULADDC_PRESERVE_SCRATCH "mov r10, r1 \n\t"
+#define MULADDC_RESTORE_SCRATCH "mov r1, r10 \n\t"
+#define MULADDC_SCRATCH_CLOBBER "r10"
+#else /* !defined(__OPTIMIZE__) && defined(__GNUC__) */
+#define MULADDC_SCRATCH "RS .req r7 \n\t"
+#define MULADDC_PRESERVE_SCRATCH ""
+#define MULADDC_RESTORE_SCRATCH ""
+#define MULADDC_SCRATCH_CLOBBER "r7"
+#endif /* !defined(__OPTIMIZE__) && defined(__GNUC__) */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ MULADDC_SCRATCH \
+ "ldr r0, %3 \n\t" \
+ "ldr r1, %4 \n\t" \
+ "ldr r2, %5 \n\t" \
+ "ldr r3, %6 \n\t" \
+ "lsr r4, r3, #16 \n\t" \
+ "mov r9, r4 \n\t" \
+ "lsl r4, r3, #16 \n\t" \
+ "lsr r4, r4, #16 \n\t" \
+ "mov r8, r4 \n\t" \
+
+
+#define MULADDC_X1_CORE \
+ MULADDC_PRESERVE_SCRATCH \
+ "ldmia r0!, {r6} \n\t" \
+ "lsr RS, r6, #16 \n\t" \
+ "lsl r6, r6, #16 \n\t" \
+ "lsr r6, r6, #16 \n\t" \
+ "mov r4, r8 \n\t" \
+ "mul r4, r6 \n\t" \
+ "mov r3, r9 \n\t" \
+ "mul r6, r3 \n\t" \
+ "mov r5, r9 \n\t" \
+ "mul r5, RS \n\t" \
+ "mov r3, r8 \n\t" \
+ "mul RS, r3 \n\t" \
+ "lsr r3, r6, #16 \n\t" \
+ "add r5, r5, r3 \n\t" \
+ "lsr r3, RS, #16 \n\t" \
+ "add r5, r5, r3 \n\t" \
+ "add r4, r4, r2 \n\t" \
+ "mov r2, #0 \n\t" \
+ "adc r5, r2 \n\t" \
+ "lsl r3, r6, #16 \n\t" \
+ "add r4, r4, r3 \n\t" \
+ "adc r5, r2 \n\t" \
+ "lsl r3, RS, #16 \n\t" \
+ "add r4, r4, r3 \n\t" \
+ "adc r5, r2 \n\t" \
+ MULADDC_RESTORE_SCRATCH \
+ "ldr r3, [r1] \n\t" \
+ "add r4, r4, r3 \n\t" \
+ "adc r2, r5 \n\t" \
+ "stmia r1!, {r4} \n\t"
+
+#define MULADDC_X1_STOP \
+ "str r2, %0 \n\t" \
+ "str r1, %1 \n\t" \
+ "str r0, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r0", "r1", "r2", "r3", "r4", "r5", \
+ "r6", MULADDC_SCRATCH_CLOBBER, "r8", "r9", "cc" \
+ );
+#endif /* !defined(__ARMCC_VERSION) && !defined(__clang__) */
+
+#elif (__ARM_ARCH >= 6) && \
+ defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
+/* Armv6-M (or later) with DSP Instruction Set Extensions.
+ * Requires support for either Thumb 2 or Arm ISA.
+ */
+
+#define MULADDC_X1_INIT \
+ { \
+ mbedtls_mpi_uint tmp_a, tmp_b; \
+ asm volatile (
+
+#define MULADDC_X1_CORE \
+ ".p2align 2 \n\t" \
+ "ldr %[a], [%[in]], #4 \n\t" \
+ "ldr %[b], [%[acc]] \n\t" \
+ "umaal %[b], %[carry], %[scalar], %[a] \n\t" \
+ "str %[b], [%[acc]], #4 \n\t"
+
+#define MULADDC_X1_STOP \
+ : [a] "=&r" (tmp_a), \
+ [b] "=&r" (tmp_b), \
+ [in] "+r" (s), \
+ [acc] "+r" (d), \
+ [carry] "+l" (c) \
+ : [scalar] "r" (b) \
+ : "memory" \
+ ); \
+ }
+
+#define MULADDC_X2_INIT \
+ { \
+ mbedtls_mpi_uint tmp_a0, tmp_b0; \
+ mbedtls_mpi_uint tmp_a1, tmp_b1; \
+ asm volatile (
+
+ /* - Make sure loop is 4-byte aligned to avoid stalls
+ * upon repeated non-word aligned instructions in
+ * some microarchitectures.
+ * - Don't use ldm with post-increment or back-to-back
+ * loads with post-increment and same address register
+ * to avoid stalls on some microarchitectures.
+ * - Bunch loads and stores to reduce latency on some
+ * microarchitectures. E.g., on Cortex-M4, the first
+ * in a series of load/store operations has latency
+ * 2 cycles, while subsequent loads/stores are single-cycle. */
+#define MULADDC_X2_CORE \
+ ".p2align 2 \n\t" \
+ "ldr %[a0], [%[in]], #+8 \n\t" \
+ "ldr %[b0], [%[acc]], #+8 \n\t" \
+ "ldr %[a1], [%[in], #-4] \n\t" \
+ "ldr %[b1], [%[acc], #-4] \n\t" \
+ "umaal %[b0], %[carry], %[scalar], %[a0] \n\t" \
+ "umaal %[b1], %[carry], %[scalar], %[a1] \n\t" \
+ "str %[b0], [%[acc], #-8] \n\t" \
+ "str %[b1], [%[acc], #-4] \n\t"
+
+#define MULADDC_X2_STOP \
+ : [a0] "=&r" (tmp_a0), \
+ [b0] "=&r" (tmp_b0), \
+ [a1] "=&r" (tmp_a1), \
+ [b1] "=&r" (tmp_b1), \
+ [in] "+r" (s), \
+ [acc] "+r" (d), \
+ [carry] "+l" (c) \
+ : [scalar] "r" (b) \
+ : "memory" \
+ ); \
+ }
+
+#else /* Thumb 2 or Arm ISA, without DSP extensions */
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ldr r0, %3 \n\t" \
+ "ldr r1, %4 \n\t" \
+ "ldr r2, %5 \n\t" \
+ "ldr r3, %6 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ldr r4, [r0], #4 \n\t" \
+ "mov r5, #0 \n\t" \
+ "ldr r6, [r1] \n\t" \
+ "umlal r2, r5, r3, r4 \n\t" \
+ "adds r4, r6, r2 \n\t" \
+ "adc r2, r5, #0 \n\t" \
+ "str r4, [r1], #4 \n\t"
+
+#define MULADDC_X1_STOP \
+ "str r2, %0 \n\t" \
+ "str r1, %1 \n\t" \
+ "str r0, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "r0", "r1", "r2", "r3", "r4", "r5", \
+ "r6", "cc" \
+ );
+
+#endif /* ISA codepath selection */
+
+#endif /* defined(__arm__) */
+
+#if defined(__alpha__)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "ldq $1, %3 \n\t" \
+ "ldq $2, %4 \n\t" \
+ "ldq $3, %5 \n\t" \
+ "ldq $4, %6 \n\t"
+
+#define MULADDC_X1_CORE \
+ "ldq $6, 0($1) \n\t" \
+ "addq $1, 8, $1 \n\t" \
+ "mulq $6, $4, $7 \n\t" \
+ "umulh $6, $4, $6 \n\t" \
+ "addq $7, $3, $7 \n\t" \
+ "cmpult $7, $3, $3 \n\t" \
+ "ldq $5, 0($2) \n\t" \
+ "addq $7, $5, $7 \n\t" \
+ "cmpult $7, $5, $5 \n\t" \
+ "stq $7, 0($2) \n\t" \
+ "addq $2, 8, $2 \n\t" \
+ "addq $6, $3, $3 \n\t" \
+ "addq $5, $3, $3 \n\t"
+
+#define MULADDC_X1_STOP \
+ "stq $3, %0 \n\t" \
+ "stq $2, %1 \n\t" \
+ "stq $1, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "$1", "$2", "$3", "$4", "$5", "$6", "$7" \
+ );
+#endif /* Alpha */
+
+#if defined(__mips__) && !defined(__mips64)
+
+#define MULADDC_X1_INIT \
+ asm( \
+ "lw $10, %3 \n\t" \
+ "lw $11, %4 \n\t" \
+ "lw $12, %5 \n\t" \
+ "lw $13, %6 \n\t"
+
+#define MULADDC_X1_CORE \
+ "lw $14, 0($10) \n\t" \
+ "multu $13, $14 \n\t" \
+ "addi $10, $10, 4 \n\t" \
+ "mflo $14 \n\t" \
+ "mfhi $9 \n\t" \
+ "addu $14, $12, $14 \n\t" \
+ "lw $15, 0($11) \n\t" \
+ "sltu $12, $14, $12 \n\t" \
+ "addu $15, $14, $15 \n\t" \
+ "sltu $14, $15, $14 \n\t" \
+ "addu $12, $12, $9 \n\t" \
+ "sw $15, 0($11) \n\t" \
+ "addu $12, $12, $14 \n\t" \
+ "addi $11, $11, 4 \n\t"
+
+#define MULADDC_X1_STOP \
+ "sw $12, %0 \n\t" \
+ "sw $11, %1 \n\t" \
+ "sw $10, %2 \n\t" \
+ : "=m" (c), "=m" (d), "=m" (s) \
+ : "m" (s), "m" (d), "m" (c), "m" (b) \
+ : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
+ );
+
+#endif /* MIPS */
+#endif /* GNUC */
+
+#if (defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
+
+#define MULADDC_X1_INIT \
+ __asm mov esi, s \
+ __asm mov edi, d \
+ __asm mov ecx, c \
+ __asm mov ebx, b
+
+#define MULADDC_X1_CORE \
+ __asm lodsd \
+ __asm mul ebx \
+ __asm add eax, ecx \
+ __asm adc edx, 0 \
+ __asm add eax, [edi] \
+ __asm adc edx, 0 \
+ __asm mov ecx, edx \
+ __asm stosd
+
+#define MULADDC_X1_STOP \
+ __asm mov c, ecx \
+ __asm mov d, edi \
+ __asm mov s, esi
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define EMIT __asm _emit
+
+#define MULADDC_X8_INIT MULADDC_X1_INIT
+
+#define MULADDC_X8_CORE \
+ EMIT 0x0F EMIT 0x6E EMIT 0xC9 \
+ EMIT 0x0F EMIT 0x6E EMIT 0xC3 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x1F \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
+ EMIT 0x0F EMIT 0x6E EMIT 0x16 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xD0 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x66 EMIT 0x04 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xE0 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x76 EMIT 0x08 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xF0 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x7E EMIT 0x0C \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xF8 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCA \
+ EMIT 0x0F EMIT 0x6E EMIT 0x5F EMIT 0x04 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xDC \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x08 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xEE \
+ EMIT 0x0F EMIT 0x6E EMIT 0x67 EMIT 0x0C \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xFC \
+ EMIT 0x0F EMIT 0x7E EMIT 0x0F \
+ EMIT 0x0F EMIT 0x6E EMIT 0x56 EMIT 0x10 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xD0 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x66 EMIT 0x14 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xE0 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
+ EMIT 0x0F EMIT 0x6E EMIT 0x76 EMIT 0x18 \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xF0 \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x04 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0x6E EMIT 0x5E EMIT 0x1C \
+ EMIT 0x0F EMIT 0xF4 EMIT 0xD8 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCD \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x10 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xD5 \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x08 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCF \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x14 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xE5 \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x0C \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCA \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x18 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xF5 \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x10 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCC \
+ EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x1C \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xDD \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x14 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCE \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x18 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
+ EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x1C \
+ EMIT 0x83 EMIT 0xC7 EMIT 0x20 \
+ EMIT 0x83 EMIT 0xC6 EMIT 0x20 \
+ EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
+ EMIT 0x0F EMIT 0x7E EMIT 0xC9
+
+#define MULADDC_X8_STOP \
+ EMIT 0x0F EMIT 0x77 \
+ __asm mov c, ecx \
+ __asm mov d, edi \
+ __asm mov s, esi
+
+#endif /* SSE2 */
+#endif /* MSVC */
+
+#endif /* MBEDTLS_HAVE_ASM */
+
+#if !defined(MULADDC_X1_CORE)
+#if defined(MBEDTLS_HAVE_UDBL)
+
+#define MULADDC_X1_INIT \
+{ \
+ mbedtls_t_udbl r; \
+ mbedtls_mpi_uint r0, r1;
+
+#define MULADDC_X1_CORE \
+ r = *(s++) * (mbedtls_t_udbl) b; \
+ r0 = (mbedtls_mpi_uint) r; \
+ r1 = (mbedtls_mpi_uint)( r >> biL ); \
+ r0 += c; r1 += (r0 < c); \
+ r0 += *d; r1 += (r0 < *d); \
+ c = r1; *(d++) = r0;
+
+#define MULADDC_X1_STOP \
+}
+
+#else /* MBEDTLS_HAVE_UDBL */
+
+#define MULADDC_X1_INIT \
+{ \
+ mbedtls_mpi_uint s0, s1, b0, b1; \
+ mbedtls_mpi_uint r0, r1, rx, ry; \
+ b0 = ( b << biH ) >> biH; \
+ b1 = ( b >> biH );
+
+#define MULADDC_X1_CORE \
+ s0 = ( *s << biH ) >> biH; \
+ s1 = ( *s >> biH ); s++; \
+ rx = s0 * b1; r0 = s0 * b0; \
+ ry = s1 * b0; r1 = s1 * b1; \
+ r1 += ( rx >> biH ); \
+ r1 += ( ry >> biH ); \
+ rx <<= biH; ry <<= biH; \
+ r0 += rx; r1 += (r0 < rx); \
+ r0 += ry; r1 += (r0 < ry); \
+ r0 += c; r1 += (r0 < c); \
+ r0 += *d; r1 += (r0 < *d); \
+ c = r1; *(d++) = r0;
+
+#define MULADDC_X1_STOP \
+}
+
+#endif /* C (longlong) */
+#endif /* C (generic) */
+
+#if !defined(MULADDC_X2_CORE)
+#define MULADDC_X2_INIT MULADDC_X1_INIT
+#define MULADDC_X2_STOP MULADDC_X1_STOP
+#define MULADDC_X2_CORE MULADDC_X1_CORE MULADDC_X1_CORE
+#endif /* MULADDC_X2_CORE */
+
+#if !defined(MULADDC_X4_CORE)
+#define MULADDC_X4_INIT MULADDC_X2_INIT
+#define MULADDC_X4_STOP MULADDC_X2_STOP
+#define MULADDC_X4_CORE MULADDC_X2_CORE MULADDC_X2_CORE
+#endif /* MULADDC_X4_CORE */
+
+#if !defined(MULADDC_X8_CORE)
+#define MULADDC_X8_INIT MULADDC_X4_INIT
+#define MULADDC_X8_STOP MULADDC_X4_STOP
+#define MULADDC_X8_CORE MULADDC_X4_CORE MULADDC_X4_CORE
+#endif /* MULADDC_X8_CORE */
+
+/* *INDENT-ON* */
+#endif /* bn_mul.h */
diff --git a/library/camellia.c b/library/camellia.c
new file mode 100644
index 0000000..b1c0a08
--- /dev/null
+++ b/library/camellia.c
@@ -0,0 +1,1058 @@
+/*
+ * Camellia implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The Camellia block cipher was designed by NTT and Mitsubishi Electric
+ * Corporation.
+ *
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+#include "mbedtls/camellia.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+
+static const unsigned char SIGMA_CHARS[6][8] =
+{
+ { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
+ { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
+ { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
+ { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
+ { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
+ { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
+};
+
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+
+static const unsigned char FSb[256] =
+{
+ 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
+ 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
+ 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
+ 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
+ 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
+ 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
+ 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
+ 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
+ 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
+ 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
+ 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
+ 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
+ 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
+ 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
+ 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
+ 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) (unsigned char) ((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
+#define SBOX3(n) (unsigned char) ((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
+#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
+
+#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char FSb[256] =
+{
+ 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65,
+ 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189,
+ 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26,
+ 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77,
+ 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153,
+ 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215,
+ 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34,
+ 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80,
+ 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210,
+ 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148,
+ 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226,
+ 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46,
+ 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89,
+ 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250,
+ 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164,
+ 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158
+};
+
+static const unsigned char FSb2[256] =
+{
+ 224, 5, 88, 217, 103, 78, 129, 203, 201, 11, 174, 106, 213, 24, 93, 130,
+ 70, 223, 214, 39, 138, 50, 75, 66, 219, 28, 158, 156, 58, 202, 37, 123,
+ 13, 113, 95, 31, 248, 215, 62, 157, 124, 96, 185, 190, 188, 139, 22, 52,
+ 77, 195, 114, 149, 171, 142, 186, 122, 179, 2, 180, 173, 162, 172, 216, 154,
+ 23, 26, 53, 204, 247, 153, 97, 90, 232, 36, 86, 64, 225, 99, 9, 51,
+ 191, 152, 151, 133, 104, 252, 236, 10, 218, 111, 83, 98, 163, 46, 8, 175,
+ 40, 176, 116, 194, 189, 54, 34, 56, 100, 30, 57, 44, 166, 48, 229, 68,
+ 253, 136, 159, 101, 135, 107, 244, 35, 72, 16, 209, 81, 192, 249, 210, 160,
+ 85, 161, 65, 250, 67, 19, 196, 47, 168, 182, 60, 43, 193, 255, 200, 165,
+ 32, 137, 0, 144, 71, 239, 234, 183, 21, 6, 205, 181, 18, 126, 187, 41,
+ 15, 184, 7, 4, 155, 148, 33, 102, 230, 206, 237, 231, 59, 254, 127, 197,
+ 164, 55, 177, 76, 145, 110, 141, 118, 3, 45, 222, 150, 38, 125, 198, 92,
+ 211, 242, 79, 25, 63, 220, 121, 29, 82, 235, 243, 109, 94, 251, 105, 178,
+ 240, 49, 12, 212, 207, 140, 226, 117, 169, 74, 87, 132, 17, 69, 27, 245,
+ 228, 14, 115, 170, 241, 221, 89, 20, 108, 146, 84, 208, 120, 112, 227, 73,
+ 128, 80, 167, 246, 119, 147, 134, 131, 42, 199, 91, 233, 238, 143, 1, 61
+};
+
+static const unsigned char FSb3[256] =
+{
+ 56, 65, 22, 118, 217, 147, 96, 242, 114, 194, 171, 154, 117, 6, 87, 160,
+ 145, 247, 181, 201, 162, 140, 210, 144, 246, 7, 167, 39, 142, 178, 73, 222,
+ 67, 92, 215, 199, 62, 245, 143, 103, 31, 24, 110, 175, 47, 226, 133, 13,
+ 83, 240, 156, 101, 234, 163, 174, 158, 236, 128, 45, 107, 168, 43, 54, 166,
+ 197, 134, 77, 51, 253, 102, 88, 150, 58, 9, 149, 16, 120, 216, 66, 204,
+ 239, 38, 229, 97, 26, 63, 59, 130, 182, 219, 212, 152, 232, 139, 2, 235,
+ 10, 44, 29, 176, 111, 141, 136, 14, 25, 135, 78, 11, 169, 12, 121, 17,
+ 127, 34, 231, 89, 225, 218, 61, 200, 18, 4, 116, 84, 48, 126, 180, 40,
+ 85, 104, 80, 190, 208, 196, 49, 203, 42, 173, 15, 202, 112, 255, 50, 105,
+ 8, 98, 0, 36, 209, 251, 186, 237, 69, 129, 115, 109, 132, 159, 238, 74,
+ 195, 46, 193, 1, 230, 37, 72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
+ 41, 205, 108, 19, 100, 155, 99, 157, 192, 75, 183, 165, 137, 95, 177, 23,
+ 244, 188, 211, 70, 207, 55, 94, 71, 148, 250, 252, 91, 151, 254, 90, 172,
+ 60, 76, 3, 53, 243, 35, 184, 93, 106, 146, 213, 33, 68, 81, 198, 125,
+ 57, 131, 220, 170, 124, 119, 86, 5, 27, 164, 21, 52, 30, 28, 248, 82,
+ 32, 20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227, 64, 79
+};
+
+static const unsigned char FSb4[256] =
+{
+ 112, 44, 179, 192, 228, 87, 234, 174, 35, 107, 69, 165, 237, 79, 29, 146,
+ 134, 175, 124, 31, 62, 220, 94, 11, 166, 57, 213, 93, 217, 90, 81, 108,
+ 139, 154, 251, 176, 116, 43, 240, 132, 223, 203, 52, 118, 109, 169, 209, 4,
+ 20, 58, 222, 17, 50, 156, 83, 242, 254, 207, 195, 122, 36, 232, 96, 105,
+ 170, 160, 161, 98, 84, 30, 224, 100, 16, 0, 163, 117, 138, 230, 9, 221,
+ 135, 131, 205, 144, 115, 246, 157, 191, 82, 216, 200, 198, 129, 111, 19, 99,
+ 233, 167, 159, 188, 41, 249, 47, 180, 120, 6, 231, 113, 212, 171, 136, 141,
+ 114, 185, 248, 172, 54, 42, 60, 241, 64, 211, 187, 67, 21, 173, 119, 128,
+ 130, 236, 39, 229, 133, 53, 12, 65, 239, 147, 25, 33, 14, 78, 101, 189,
+ 184, 143, 235, 206, 48, 95, 197, 26, 225, 202, 71, 61, 1, 214, 86, 77,
+ 13, 102, 204, 45, 18, 32, 177, 153, 76, 194, 126, 5, 183, 49, 23, 215,
+ 88, 97, 27, 28, 15, 22, 24, 34, 68, 178, 181, 145, 8, 168, 252, 80,
+ 208, 125, 137, 151, 91, 149, 255, 210, 196, 72, 247, 219, 3, 218, 63, 148,
+ 92, 2, 74, 51, 103, 243, 127, 226, 155, 38, 55, 59, 150, 75, 190, 46,
+ 121, 140, 110, 142, 245, 182, 253, 89, 152, 106, 70, 186, 37, 66, 162, 250,
+ 7, 85, 238, 10, 73, 104, 56, 164, 40, 123, 201, 193, 227, 244, 199, 158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) FSb2[(n)]
+#define SBOX3(n) FSb3[(n)]
+#define SBOX4(n) FSb4[(n)]
+
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char shifts[2][4][4] =
+{
+ {
+ { 1, 1, 1, 1 }, /* KL */
+ { 0, 0, 0, 0 }, /* KR */
+ { 1, 1, 1, 1 }, /* KA */
+ { 0, 0, 0, 0 } /* KB */
+ },
+ {
+ { 1, 0, 1, 1 }, /* KL */
+ { 1, 1, 0, 1 }, /* KR */
+ { 1, 1, 1, 0 }, /* KA */
+ { 1, 1, 0, 1 } /* KB */
+ }
+};
+
+static const signed char indexes[2][4][20] =
+{
+ {
+ { 0, 1, 2, 3, 8, 9, 10, 11, 38, 39,
+ 36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
+ { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
+ { 4, 5, 6, 7, 12, 13, 14, 15, 16, 17,
+ 18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
+ { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 } /* KB -> RK */
+ },
+ {
+ { 0, 1, 2, 3, 61, 62, 63, 60, -1, -1,
+ -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
+ { -1, -1, -1, -1, 8, 9, 10, 11, 16, 17,
+ 18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
+ { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
+ 56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
+ { 4, 5, 6, 7, 65, 66, 67, 64, 20, 21,
+ 22, 23, -1, -1, -1, -1, 43, 40, 41, 42 } /* KB -> RK */
+ }
+};
+
+static const signed char transposes[2][20] =
+{
+ {
+ 21, 22, 23, 20,
+ -1, -1, -1, -1,
+ 18, 19, 16, 17,
+ 11, 8, 9, 10,
+ 15, 12, 13, 14
+ },
+ {
+ 25, 26, 27, 24,
+ 29, 30, 31, 28,
+ 18, 19, 16, 17,
+ -1, -1, -1, -1,
+ -1, -1, -1, -1
+ }
+};
+
+/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
+#define ROTL(DEST, SRC, SHIFT) \
+ { \
+ (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT)); \
+ (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT)); \
+ (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT)); \
+ (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT)); \
+ }
+
+#define FL(XL, XR, KL, KR) \
+ { \
+ (XR) = ((((XL) &(KL)) << 1) | (((XL) &(KL)) >> 31)) ^ (XR); \
+ (XL) = ((XR) | (KR)) ^ (XL); \
+ }
+
+#define FLInv(YL, YR, KL, KR) \
+ { \
+ (YL) = ((YR) | (KR)) ^ (YL); \
+ (YR) = ((((YL) &(KL)) << 1) | (((YL) &(KL)) >> 31)) ^ (YR); \
+ }
+
+#define SHIFT_AND_PLACE(INDEX, OFFSET) \
+ { \
+ TK[0] = KC[(OFFSET) * 4 + 0]; \
+ TK[1] = KC[(OFFSET) * 4 + 1]; \
+ TK[2] = KC[(OFFSET) * 4 + 2]; \
+ TK[3] = KC[(OFFSET) * 4 + 3]; \
+ \
+ for (i = 1; i <= 4; i++) \
+ if (shifts[(INDEX)][(OFFSET)][i -1]) \
+ ROTL(TK + i * 4, TK, (15 * i) % 32); \
+ \
+ for (i = 0; i < 20; i++) \
+ if (indexes[(INDEX)][(OFFSET)][i] != -1) { \
+ RK[indexes[(INDEX)][(OFFSET)][i]] = TK[i]; \
+ } \
+ }
+
+static void camellia_feistel(const uint32_t x[2], const uint32_t k[2],
+ uint32_t z[2])
+{
+ uint32_t I0, I1;
+ I0 = x[0] ^ k[0];
+ I1 = x[1] ^ k[1];
+
+ I0 = ((uint32_t) SBOX1(MBEDTLS_BYTE_3(I0)) << 24) |
+ ((uint32_t) SBOX2(MBEDTLS_BYTE_2(I0)) << 16) |
+ ((uint32_t) SBOX3(MBEDTLS_BYTE_1(I0)) << 8) |
+ ((uint32_t) SBOX4(MBEDTLS_BYTE_0(I0)));
+ I1 = ((uint32_t) SBOX2(MBEDTLS_BYTE_3(I1)) << 24) |
+ ((uint32_t) SBOX3(MBEDTLS_BYTE_2(I1)) << 16) |
+ ((uint32_t) SBOX4(MBEDTLS_BYTE_1(I1)) << 8) |
+ ((uint32_t) SBOX1(MBEDTLS_BYTE_0(I1)));
+
+ I0 ^= (I1 << 8) | (I1 >> 24);
+ I1 ^= (I0 << 16) | (I0 >> 16);
+ I0 ^= (I1 >> 8) | (I1 << 24);
+ I1 ^= (I0 >> 8) | (I0 << 24);
+
+ z[0] ^= I1;
+ z[1] ^= I0;
+}
+
+void mbedtls_camellia_init(mbedtls_camellia_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_camellia_context));
+}
+
+void mbedtls_camellia_free(mbedtls_camellia_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_camellia_context));
+}
+
+/*
+ * Camellia key schedule (encryption)
+ */
+int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int idx;
+ size_t i;
+ uint32_t *RK;
+ unsigned char t[64];
+ uint32_t SIGMA[6][2];
+ uint32_t KC[16];
+ uint32_t TK[20];
+
+ RK = ctx->rk;
+
+ memset(t, 0, 64);
+ memset(RK, 0, sizeof(ctx->rk));
+
+ switch (keybits) {
+ case 128: ctx->nr = 3; idx = 0; break;
+ case 192:
+ case 256: ctx->nr = 4; idx = 1; break;
+ default: return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ for (i = 0; i < keybits / 8; ++i) {
+ t[i] = key[i];
+ }
+
+ if (keybits == 192) {
+ for (i = 0; i < 8; i++) {
+ t[24 + i] = ~t[16 + i];
+ }
+ }
+
+ /*
+ * Prepare SIGMA values
+ */
+ for (i = 0; i < 6; i++) {
+ SIGMA[i][0] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 0);
+ SIGMA[i][1] = MBEDTLS_GET_UINT32_BE(SIGMA_CHARS[i], 4);
+ }
+
+ /*
+ * Key storage in KC
+ * Order: KL, KR, KA, KB
+ */
+ memset(KC, 0, sizeof(KC));
+
+ /* Store KL, KR */
+ for (i = 0; i < 8; i++) {
+ KC[i] = MBEDTLS_GET_UINT32_BE(t, i * 4);
+ }
+
+ /* Generate KA */
+ for (i = 0; i < 4; ++i) {
+ KC[8 + i] = KC[i] ^ KC[4 + i];
+ }
+
+ camellia_feistel(KC + 8, SIGMA[0], KC + 10);
+ camellia_feistel(KC + 10, SIGMA[1], KC + 8);
+
+ for (i = 0; i < 4; ++i) {
+ KC[8 + i] ^= KC[i];
+ }
+
+ camellia_feistel(KC + 8, SIGMA[2], KC + 10);
+ camellia_feistel(KC + 10, SIGMA[3], KC + 8);
+
+ if (keybits > 128) {
+ /* Generate KB */
+ for (i = 0; i < 4; ++i) {
+ KC[12 + i] = KC[4 + i] ^ KC[8 + i];
+ }
+
+ camellia_feistel(KC + 12, SIGMA[4], KC + 14);
+ camellia_feistel(KC + 14, SIGMA[5], KC + 12);
+ }
+
+ /*
+ * Generating subkeys
+ */
+
+ /* Manipulating KL */
+ SHIFT_AND_PLACE(idx, 0);
+
+ /* Manipulating KR */
+ if (keybits > 128) {
+ SHIFT_AND_PLACE(idx, 1);
+ }
+
+ /* Manipulating KA */
+ SHIFT_AND_PLACE(idx, 2);
+
+ /* Manipulating KB */
+ if (keybits > 128) {
+ SHIFT_AND_PLACE(idx, 3);
+ }
+
+ /* Do transpositions */
+ for (i = 0; i < 20; i++) {
+ if (transposes[idx][i] != -1) {
+ RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Camellia key schedule (decryption)
+ */
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int idx, ret;
+ size_t i;
+ mbedtls_camellia_context cty;
+ uint32_t *RK;
+ uint32_t *SK;
+
+ mbedtls_camellia_init(&cty);
+
+ /* Also checks keybits */
+ if ((ret = mbedtls_camellia_setkey_enc(&cty, key, keybits)) != 0) {
+ goto exit;
+ }
+
+ ctx->nr = cty.nr;
+ idx = (ctx->nr == 4);
+
+ RK = ctx->rk;
+ SK = cty.rk + 24 * 2 + 8 * idx * 2;
+
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+
+ for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4) {
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ }
+
+ SK -= 2;
+
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+ *RK++ = *SK++;
+
+exit:
+ mbedtls_camellia_free(&cty);
+
+ return ret;
+}
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+
+/*
+ * Camellia-ECB block encryption/decryption
+ */
+int mbedtls_camellia_crypt_ecb(mbedtls_camellia_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ int NR;
+ uint32_t *RK, X[4];
+ if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ ((void) mode);
+
+ NR = ctx->nr;
+ RK = ctx->rk;
+
+ X[0] = MBEDTLS_GET_UINT32_BE(input, 0);
+ X[1] = MBEDTLS_GET_UINT32_BE(input, 4);
+ X[2] = MBEDTLS_GET_UINT32_BE(input, 8);
+ X[3] = MBEDTLS_GET_UINT32_BE(input, 12);
+
+ X[0] ^= *RK++;
+ X[1] ^= *RK++;
+ X[2] ^= *RK++;
+ X[3] ^= *RK++;
+
+ while (NR) {
+ --NR;
+ camellia_feistel(X, RK, X + 2);
+ RK += 2;
+ camellia_feistel(X + 2, RK, X);
+ RK += 2;
+ camellia_feistel(X, RK, X + 2);
+ RK += 2;
+ camellia_feistel(X + 2, RK, X);
+ RK += 2;
+ camellia_feistel(X, RK, X + 2);
+ RK += 2;
+ camellia_feistel(X + 2, RK, X);
+ RK += 2;
+
+ if (NR) {
+ FL(X[0], X[1], RK[0], RK[1]);
+ RK += 2;
+ FLInv(X[2], X[3], RK[0], RK[1]);
+ RK += 2;
+ }
+ }
+
+ X[2] ^= *RK++;
+ X[3] ^= *RK++;
+ X[0] ^= *RK++;
+ X[1] ^= *RK++;
+
+ MBEDTLS_PUT_UINT32_BE(X[2], output, 0);
+ MBEDTLS_PUT_UINT32_BE(X[3], output, 4);
+ MBEDTLS_PUT_UINT32_BE(X[0], output, 8);
+ MBEDTLS_PUT_UINT32_BE(X[1], output, 12);
+
+ return 0;
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * Camellia-CBC buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cbc(mbedtls_camellia_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ unsigned char temp[16];
+ if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ if (length % 16) {
+ return MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH;
+ }
+
+ if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
+ while (length > 0) {
+ memcpy(temp, input, 16);
+ mbedtls_camellia_crypt_ecb(ctx, mode, input, output);
+
+ mbedtls_xor(output, output, iv, 16);
+
+ memcpy(iv, temp, 16);
+
+ input += 16;
+ output += 16;
+ length -= 16;
+ }
+ } else {
+ while (length > 0) {
+ mbedtls_xor(output, input, iv, 16);
+
+ mbedtls_camellia_crypt_ecb(ctx, mode, output, output);
+ memcpy(iv, output, 16);
+
+ input += 16;
+ output += 16;
+ length -= 16;
+ }
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * Camellia-CFB128 buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cfb128(mbedtls_camellia_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int c;
+ size_t n;
+ if (mode != MBEDTLS_CAMELLIA_ENCRYPT && mode != MBEDTLS_CAMELLIA_DECRYPT) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ n = *iv_off;
+ if (n >= 16) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ if (mode == MBEDTLS_CAMELLIA_DECRYPT) {
+ while (length--) {
+ if (n == 0) {
+ mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
+ }
+
+ c = *input++;
+ *output++ = (unsigned char) (c ^ iv[n]);
+ iv[n] = (unsigned char) c;
+
+ n = (n + 1) & 0x0F;
+ }
+ } else {
+ while (length--) {
+ if (n == 0) {
+ mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv);
+ }
+
+ iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
+
+ n = (n + 1) & 0x0F;
+ }
+ }
+
+ *iv_off = n;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_ctr(mbedtls_camellia_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[16],
+ unsigned char stream_block[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int c, i;
+ size_t n;
+
+ n = *nc_off;
+ if (n >= 16) {
+ return MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA;
+ }
+
+ while (length--) {
+ if (n == 0) {
+ mbedtls_camellia_crypt_ecb(ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
+ stream_block);
+
+ for (i = 16; i > 0; i--) {
+ if (++nonce_counter[i - 1] != 0) {
+ break;
+ }
+ }
+ }
+ c = *input++;
+ *output++ = (unsigned char) (c ^ stream_block[n]);
+
+ n = (n + 1) & 0x0F;
+ }
+
+ *nc_off = n;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_CAMELLIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Camellia test vectors from:
+ *
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
+ * (For each bitlength: Key 0, Nr 39)
+ */
+#define CAMELLIA_TESTS_ECB 2
+
+static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
+{
+ {
+ { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+ },
+ {
+ { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+ },
+ {
+ { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+ },
+};
+
+static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
+{
+ { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+ { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
+{
+ {
+ { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
+ 0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
+ { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
+ 0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
+ },
+ {
+ { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
+ 0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
+ { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
+ 0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
+ },
+ {
+ { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
+ 0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
+ { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
+ 0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
+ }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define CAMELLIA_TESTS_CBC 3
+
+static const unsigned char camellia_test_cbc_key[3][32] =
+{
+ { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+ 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
+ ,
+ { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+ 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+ 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
+ ,
+ { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+ 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+ 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+ 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char camellia_test_cbc_iv[16] =
+
+{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
+;
+
+static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
+{
+ { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+ 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
+ { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+ 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
+ { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+ 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
+
+};
+
+static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
+{
+ {
+ { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
+ 0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
+ { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
+ 0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
+ { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
+ 0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
+ },
+ {
+ { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
+ 0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
+ { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
+ 0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
+ { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
+ 0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
+ },
+ {
+ { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
+ 0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
+ { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
+ 0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
+ { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
+ 0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
+ }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc5528.html
+ */
+
+static const unsigned char camellia_test_ctr_key[3][16] =
+{
+ { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+ 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+ { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+ 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+ { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+ 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
+{
+ { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+ { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+ 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+ { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+ 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char camellia_test_ctr_pt[3][48] =
+{
+ { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+ 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+
+ { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+ { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+ 0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char camellia_test_ctr_ct[3][48] =
+{
+ { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
+ 0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
+ { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
+ 0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
+ 0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
+ 0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
+ { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
+ 0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
+ 0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
+ 0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
+ 0xDF, 0x50, 0x86, 0x96 }
+};
+
+static const int camellia_test_ctr_len[3] =
+{ 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_camellia_self_test(int verbose)
+{
+ int i, j, u, v;
+ unsigned char key[32];
+ unsigned char buf[64];
+ unsigned char src[16];
+ unsigned char dst[16];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ size_t offset, len;
+ unsigned char nonce_counter[16];
+ unsigned char stream_block[16];
+#endif
+ int ret = 1;
+
+ mbedtls_camellia_context ctx;
+
+ mbedtls_camellia_init(&ctx);
+ memset(key, 0, 32);
+
+ for (j = 0; j < 6; j++) {
+ u = j >> 1;
+ v = j & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
+ (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
+ }
+
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ if (verbose != 0) {
+ mbedtls_printf("skipped\n");
+ }
+ continue;
+ }
+#endif
+
+ for (i = 0; i < CAMELLIA_TESTS_ECB; i++) {
+ memcpy(key, camellia_test_ecb_key[u][i], 16 + 8 * u);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
+ memcpy(src, camellia_test_ecb_cipher[u][i], 16);
+ memcpy(dst, camellia_test_ecb_plain[i], 16);
+ } else
+#endif
+ { /* MBEDTLS_CAMELLIA_ENCRYPT */
+ mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
+ memcpy(src, camellia_test_ecb_plain[i], 16);
+ memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
+ }
+
+ mbedtls_camellia_crypt_ecb(&ctx, v, src, buf);
+
+ if (memcmp(buf, dst, 16) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ /*
+ * CBC mode
+ */
+ for (j = 0; j < 6; j++) {
+ u = j >> 1;
+ v = j & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
+ (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(src, camellia_test_cbc_iv, 16);
+ memcpy(dst, camellia_test_cbc_iv, 16);
+ memcpy(key, camellia_test_cbc_key[u], 16 + 8 * u);
+
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ mbedtls_camellia_setkey_dec(&ctx, key, 128 + u * 64);
+ } else {
+ mbedtls_camellia_setkey_enc(&ctx, key, 128 + u * 64);
+ }
+
+ for (i = 0; i < CAMELLIA_TESTS_CBC; i++) {
+
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ memcpy(iv, src, 16);
+ memcpy(src, camellia_test_cbc_cipher[u][i], 16);
+ memcpy(dst, camellia_test_cbc_plain[i], 16);
+ } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
+ memcpy(iv, dst, 16);
+ memcpy(src, camellia_test_cbc_plain[i], 16);
+ memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
+ }
+
+ mbedtls_camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
+
+ if (memcmp(buf, dst, 16) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ /*
+ * CTR mode
+ */
+ for (i = 0; i < 6; i++) {
+ u = i >> 1;
+ v = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" CAMELLIA-CTR-128 (%s): ",
+ (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(nonce_counter, camellia_test_ctr_nonce_counter[u], 16);
+ memcpy(key, camellia_test_ctr_key[u], 16);
+
+ offset = 0;
+ mbedtls_camellia_setkey_enc(&ctx, key, 128);
+
+ if (v == MBEDTLS_CAMELLIA_DECRYPT) {
+ len = camellia_test_ctr_len[u];
+ memcpy(buf, camellia_test_ctr_ct[u], len);
+
+ mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
+ buf, buf);
+
+ if (memcmp(buf, camellia_test_ctr_pt[u], len) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+ } else {
+ len = camellia_test_ctr_len[u];
+ memcpy(buf, camellia_test_ctr_pt[u], len);
+
+ mbedtls_camellia_crypt_ctr(&ctx, len, &offset, nonce_counter, stream_block,
+ buf, buf);
+
+ if (memcmp(buf, camellia_test_ctr_ct[u], len) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+ ret = 0;
+
+exit:
+ mbedtls_camellia_free(&ctx);
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CAMELLIA_C */
diff --git a/library/ccm.c b/library/ccm.c
new file mode 100644
index 0000000..45ed697
--- /dev/null
+++ b/library/ccm.c
@@ -0,0 +1,763 @@
+/*
+ * NIST SP800-38C compliant CCM implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CCM_C)
+
+#include "mbedtls/ccm.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+#include "block_cipher_internal.h"
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if !defined(MBEDTLS_CCM_ALT)
+
+
+/*
+ * Initialize context
+ */
+void mbedtls_ccm_init(mbedtls_ccm_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_ccm_context));
+}
+
+int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_free(&ctx->block_cipher_ctx);
+
+ if ((ret = mbedtls_block_cipher_setup(&ctx->block_cipher_ctx, cipher)) != 0) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if ((ret = mbedtls_block_cipher_setkey(&ctx->block_cipher_ctx, key, keybits)) != 0) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+#else
+ const mbedtls_cipher_info_t *cipher_info;
+
+ cipher_info = mbedtls_cipher_info_from_values(cipher, keybits,
+ MBEDTLS_MODE_ECB);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
+ MBEDTLS_ENCRYPT)) != 0) {
+ return ret;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ccm_free(mbedtls_ccm_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_free(&ctx->block_cipher_ctx);
+#else
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+#endif
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ccm_context));
+}
+
+#define CCM_STATE__CLEAR 0
+#define CCM_STATE__STARTED (1 << 0)
+#define CCM_STATE__LENGTHS_SET (1 << 1)
+#define CCM_STATE__AUTH_DATA_STARTED (1 << 2)
+#define CCM_STATE__AUTH_DATA_FINISHED (1 << 3)
+#define CCM_STATE__ERROR (1 << 4)
+
+/*
+ * Encrypt or decrypt a partial block with CTR
+ */
+static int mbedtls_ccm_crypt(mbedtls_ccm_context *ctx,
+ size_t offset, size_t use_len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char tmp_buf[16] = { 0 };
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->ctr, tmp_buf);
+#else
+ size_t olen = 0;
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->ctr, 16, tmp_buf, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
+ return ret;
+ }
+
+ mbedtls_xor(output, input, tmp_buf + offset, use_len);
+
+ mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
+ return ret;
+}
+
+static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx)
+{
+ ctx->state = CCM_STATE__CLEAR;
+ memset(ctx->y, 0, 16);
+ memset(ctx->ctr, 0, 16);
+}
+
+static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char i;
+ size_t len_left;
+#if !defined(MBEDTLS_BLOCK_CIPHER_C)
+ size_t olen;
+#endif
+
+ /* length calculation can be done only after both
+ * mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() have been executed
+ */
+ if (!(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGTHS_SET)) {
+ return 0;
+ }
+
+ /* CCM expects non-empty tag.
+ * CCM* allows empty tag. For CCM* without tag, ignore plaintext length.
+ */
+ if (ctx->tag_len == 0) {
+ if (ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) {
+ ctx->plaintext_len = 0;
+ } else {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+ }
+
+ /*
+ * First block:
+ * 0 .. 0 flags
+ * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts()
+ * iv_len+1 .. 15 length
+ *
+ * With flags as (bits):
+ * 7 0
+ * 6 add present?
+ * 5 .. 3 (t - 2) / 2
+ * 2 .. 0 q - 1
+ */
+ ctx->y[0] |= (ctx->add_len > 0) << 6;
+ ctx->y[0] |= ((ctx->tag_len - 2) / 2) << 3;
+ ctx->y[0] |= ctx->q - 1;
+
+ for (i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8) {
+ ctx->y[15-i] = MBEDTLS_BYTE_0(len_left);
+ }
+
+ if (len_left > 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ /* Start CBC-MAC with first block*/
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_ccm_starts(mbedtls_ccm_context *ctx,
+ int mode,
+ const unsigned char *iv,
+ size_t iv_len)
+{
+ /* Also implies q is within bounds */
+ if (iv_len < 7 || iv_len > 13) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ ctx->mode = mode;
+ ctx->q = 16 - 1 - (unsigned char) iv_len;
+
+ /*
+ * Prepare counter block for encryption:
+ * 0 .. 0 flags
+ * 1 .. iv_len nonce (aka iv)
+ * iv_len+1 .. 15 counter (initially 1)
+ *
+ * With flags as (bits):
+ * 7 .. 3 0
+ * 2 .. 0 q - 1
+ */
+ memset(ctx->ctr, 0, 16);
+ ctx->ctr[0] = ctx->q - 1;
+ memcpy(ctx->ctr + 1, iv, iv_len);
+ memset(ctx->ctr + 1 + iv_len, 0, ctx->q);
+ ctx->ctr[15] = 1;
+
+ /*
+ * See ccm_calculate_first_block_if_ready() for block layout description
+ */
+ memcpy(ctx->y + 1, iv, iv_len);
+
+ ctx->state |= CCM_STATE__STARTED;
+ return ccm_calculate_first_block_if_ready(ctx);
+}
+
+int mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx,
+ size_t total_ad_len,
+ size_t plaintext_len,
+ size_t tag_len)
+{
+ /*
+ * Check length requirements: SP800-38C A.1
+ * Additional requirement: a < 2^16 - 2^8 to simplify the code.
+ * 'length' checked later (when writing it to the first block)
+ *
+ * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
+ */
+ if (tag_len == 2 || tag_len > 16 || tag_len % 2 != 0) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (total_ad_len >= 0xFF00) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ ctx->plaintext_len = plaintext_len;
+ ctx->add_len = total_ad_len;
+ ctx->tag_len = tag_len;
+ ctx->processed = 0;
+
+ ctx->state |= CCM_STATE__LENGTHS_SET;
+ return ccm_calculate_first_block_if_ready(ctx);
+}
+
+int mbedtls_ccm_update_ad(mbedtls_ccm_context *ctx,
+ const unsigned char *add,
+ size_t add_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t use_len, offset;
+#if !defined(MBEDTLS_BLOCK_CIPHER_C)
+ size_t olen;
+#endif
+
+ if (ctx->state & CCM_STATE__ERROR) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (add_len > 0) {
+ if (ctx->state & CCM_STATE__AUTH_DATA_FINISHED) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (!(ctx->state & CCM_STATE__AUTH_DATA_STARTED)) {
+ if (add_len > ctx->add_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ ctx->y[0] ^= (unsigned char) ((ctx->add_len >> 8) & 0xFF);
+ ctx->y[1] ^= (unsigned char) ((ctx->add_len) & 0xFF);
+
+ ctx->state |= CCM_STATE__AUTH_DATA_STARTED;
+ } else if (ctx->processed + add_len > ctx->add_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ while (add_len > 0) {
+ offset = (ctx->processed + 2) % 16; /* account for y[0] and y[1]
+ * holding total auth data length */
+ use_len = 16 - offset;
+
+ if (use_len > add_len) {
+ use_len = add_len;
+ }
+
+ mbedtls_xor(ctx->y + offset, ctx->y + offset, add, use_len);
+
+ ctx->processed += use_len;
+ add_len -= use_len;
+ add += use_len;
+
+ if (use_len + offset == 16 || ctx->processed == ctx->add_len) {
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ return ret;
+ }
+ }
+ }
+
+ if (ctx->processed == ctx->add_len) {
+ ctx->state |= CCM_STATE__AUTH_DATA_FINISHED;
+ ctx->processed = 0; // prepare for mbedtls_ccm_update()
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_ccm_update(mbedtls_ccm_context *ctx,
+ const unsigned char *input, size_t input_len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char i;
+ size_t use_len, offset;
+#if !defined(MBEDTLS_BLOCK_CIPHER_C)
+ size_t olen;
+#endif
+
+ unsigned char local_output[16];
+
+ if (ctx->state & CCM_STATE__ERROR) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ /* Check against plaintext length only if performing operation with
+ * authentication
+ */
+ if (ctx->tag_len != 0 && ctx->processed + input_len > ctx->plaintext_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (output_size < input_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+ *output_len = input_len;
+
+ ret = 0;
+
+ while (input_len > 0) {
+ offset = ctx->processed % 16;
+
+ use_len = 16 - offset;
+
+ if (use_len > input_len) {
+ use_len = input_len;
+ }
+
+ ctx->processed += use_len;
+
+ if (ctx->mode == MBEDTLS_CCM_ENCRYPT || \
+ ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT) {
+ mbedtls_xor(ctx->y + offset, ctx->y + offset, input, use_len);
+
+ if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_ccm_crypt(ctx, offset, use_len, input, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ if (ctx->mode == MBEDTLS_CCM_DECRYPT || \
+ ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) {
+ /* Since output may be in shared memory, we cannot be sure that
+ * it will contain what we wrote to it. Therefore, we should avoid using
+ * it as input to any operations.
+ * Write decrypted data to local_output to avoid using output variable as
+ * input in the XOR operation for Y.
+ */
+ ret = mbedtls_ccm_crypt(ctx, offset, use_len, input, local_output);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ mbedtls_xor(ctx->y + offset, ctx->y + offset, local_output, use_len);
+
+ memcpy(output, local_output, use_len);
+
+ if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen);
+#endif
+ if (ret != 0) {
+ ctx->state |= CCM_STATE__ERROR;
+ goto exit;
+ }
+ }
+ }
+
+ if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
+ for (i = 0; i < ctx->q; i++) {
+ if (++(ctx->ctr)[15-i] != 0) {
+ break;
+ }
+ }
+ }
+
+ input_len -= use_len;
+ input += use_len;
+ output += use_len;
+ }
+
+exit:
+ mbedtls_platform_zeroize(local_output, 16);
+
+ return ret;
+}
+
+int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
+ unsigned char *tag, size_t tag_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char i;
+
+ if (ctx->state & CCM_STATE__ERROR) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+
+ if (ctx->add_len > 0 && !(ctx->state & CCM_STATE__AUTH_DATA_FINISHED)) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ if (ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len) {
+ return MBEDTLS_ERR_CCM_BAD_INPUT;
+ }
+
+ /*
+ * Authentication: reset counter and crypt/mask internal tag
+ */
+ for (i = 0; i < ctx->q; i++) {
+ ctx->ctr[15-i] = 0;
+ }
+
+ ret = mbedtls_ccm_crypt(ctx, 0, 16, ctx->y, ctx->y);
+ if (ret != 0) {
+ return ret;
+ }
+ if (tag != NULL) {
+ memcpy(tag, ctx->y, tag_len);
+ }
+ mbedtls_ccm_clear_state(ctx);
+
+ return 0;
+}
+
+/*
+ * Authenticated encryption or decryption
+ */
+static int ccm_auth_crypt(mbedtls_ccm_context *ctx, int mode, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen;
+
+ if ((ret = mbedtls_ccm_starts(ctx, mode, iv, iv_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_set_lengths(ctx, add_len, length, tag_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_update_ad(ctx, add, add_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_update(ctx, input, length,
+ output, length, &olen)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_finish(ctx, tag, tag_len)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Authenticated encryption
+ */
+int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len)
+{
+ return ccm_auth_crypt(ctx, MBEDTLS_CCM_STAR_ENCRYPT, length, iv, iv_len,
+ add, add_len, input, output, tag, tag_len);
+}
+
+int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len)
+{
+ return ccm_auth_crypt(ctx, MBEDTLS_CCM_ENCRYPT, length, iv, iv_len,
+ add, add_len, input, output, tag, tag_len);
+}
+
+/*
+ * Authenticated decryption
+ */
+static int mbedtls_ccm_compare_tags(const unsigned char *tag1,
+ const unsigned char *tag2,
+ size_t tag_len)
+{
+ /* Check tag in "constant-time" */
+ int diff = mbedtls_ct_memcmp(tag1, tag2, tag_len);
+
+ if (diff != 0) {
+ return MBEDTLS_ERR_CCM_AUTH_FAILED;
+ }
+
+ return 0;
+}
+
+static int ccm_auth_decrypt(mbedtls_ccm_context *ctx, int mode, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char check_tag[16];
+
+ if ((ret = ccm_auth_crypt(ctx, mode, length,
+ iv, iv_len, add, add_len,
+ input, output, check_tag, tag_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ccm_compare_tags(tag, check_tag, tag_len)) != 0) {
+ mbedtls_platform_zeroize(output, length);
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len)
+{
+ return ccm_auth_decrypt(ctx, MBEDTLS_CCM_STAR_DECRYPT, length,
+ iv, iv_len, add, add_len,
+ input, output, tag, tag_len);
+}
+
+int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len)
+{
+ return ccm_auth_decrypt(ctx, MBEDTLS_CCM_DECRYPT, length,
+ iv, iv_len, add, add_len,
+ input, output, tag, tag_len);
+}
+#endif /* !MBEDTLS_CCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES)
+/*
+ * Examples 1 to 3 from SP800-38C Appendix C
+ */
+
+#define NB_TESTS 3
+#define CCM_SELFTEST_PT_MAX_LEN 24
+#define CCM_SELFTEST_CT_MAX_LEN 32
+/*
+ * The data is the same for all tests, only the used length changes
+ */
+static const unsigned char key_test_data[] = {
+ 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+ 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
+};
+
+static const unsigned char iv_test_data[] = {
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b
+};
+
+static const unsigned char ad_test_data[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = {
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+};
+
+static const size_t iv_len_test_data[NB_TESTS] = { 7, 8, 12 };
+static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 };
+static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 };
+static const size_t tag_len_test_data[NB_TESTS] = { 4, 6, 8 };
+
+static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
+ { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
+ { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
+ 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
+ 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
+ { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
+ 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
+ 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
+ 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
+};
+
+int mbedtls_ccm_self_test(int verbose)
+{
+ mbedtls_ccm_context ctx;
+ /*
+ * Some hardware accelerators require the input and output buffers
+ * would be in RAM, because the flash is not accessible.
+ * Use buffers on the stack to hold the test vectors data.
+ */
+ unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
+ unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
+ size_t i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_ccm_init(&ctx);
+
+ if (mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, key_test_data,
+ 8 * sizeof(key_test_data)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" CCM: setup failed");
+ }
+
+ return 1;
+ }
+
+ for (i = 0; i < NB_TESTS; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" CCM-AES #%u: ", (unsigned int) i + 1);
+ }
+
+ memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
+ memset(ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN);
+ memcpy(plaintext, msg_test_data, msg_len_test_data[i]);
+
+ ret = mbedtls_ccm_encrypt_and_tag(&ctx, msg_len_test_data[i],
+ iv_test_data, iv_len_test_data[i],
+ ad_test_data, add_len_test_data[i],
+ plaintext, ciphertext,
+ ciphertext + msg_len_test_data[i],
+ tag_len_test_data[i]);
+
+ if (ret != 0 ||
+ memcmp(ciphertext, res_test_data[i],
+ msg_len_test_data[i] + tag_len_test_data[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+ memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
+
+ ret = mbedtls_ccm_auth_decrypt(&ctx, msg_len_test_data[i],
+ iv_test_data, iv_len_test_data[i],
+ ad_test_data, add_len_test_data[i],
+ ciphertext, plaintext,
+ ciphertext + msg_len_test_data[i],
+ tag_len_test_data[i]);
+
+ if (ret != 0 ||
+ memcmp(plaintext, msg_test_data, msg_len_test_data[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ mbedtls_ccm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_CCM_C */
diff --git a/library/chacha20.c b/library/chacha20.c
new file mode 100644
index 0000000..acaae5b
--- /dev/null
+++ b/library/chacha20.c
@@ -0,0 +1,497 @@
+/**
+ * \file chacha20.c
+ *
+ * \brief ChaCha20 cipher.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+#include "mbedtls/chacha20.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+#define ROTL32(value, amount) \
+ ((uint32_t) ((value) << (amount)) | ((value) >> (32 - (amount))))
+
+#define CHACHA20_CTR_INDEX (12U)
+
+#define CHACHA20_BLOCK_SIZE_BYTES (4U * 16U)
+
+/**
+ * \brief ChaCha20 quarter round operation.
+ *
+ * The quarter round is defined as follows (from RFC 7539):
+ * 1. a += b; d ^= a; d <<<= 16;
+ * 2. c += d; b ^= c; b <<<= 12;
+ * 3. a += b; d ^= a; d <<<= 8;
+ * 4. c += d; b ^= c; b <<<= 7;
+ *
+ * \param state ChaCha20 state to modify.
+ * \param a The index of 'a' in the state.
+ * \param b The index of 'b' in the state.
+ * \param c The index of 'c' in the state.
+ * \param d The index of 'd' in the state.
+ */
+static inline void chacha20_quarter_round(uint32_t state[16],
+ size_t a,
+ size_t b,
+ size_t c,
+ size_t d)
+{
+ /* a += b; d ^= a; d <<<= 16; */
+ state[a] += state[b];
+ state[d] ^= state[a];
+ state[d] = ROTL32(state[d], 16);
+
+ /* c += d; b ^= c; b <<<= 12 */
+ state[c] += state[d];
+ state[b] ^= state[c];
+ state[b] = ROTL32(state[b], 12);
+
+ /* a += b; d ^= a; d <<<= 8; */
+ state[a] += state[b];
+ state[d] ^= state[a];
+ state[d] = ROTL32(state[d], 8);
+
+ /* c += d; b ^= c; b <<<= 7; */
+ state[c] += state[d];
+ state[b] ^= state[c];
+ state[b] = ROTL32(state[b], 7);
+}
+
+/**
+ * \brief Perform the ChaCha20 inner block operation.
+ *
+ * This function performs two rounds: the column round and the
+ * diagonal round.
+ *
+ * \param state The ChaCha20 state to update.
+ */
+static void chacha20_inner_block(uint32_t state[16])
+{
+ chacha20_quarter_round(state, 0, 4, 8, 12);
+ chacha20_quarter_round(state, 1, 5, 9, 13);
+ chacha20_quarter_round(state, 2, 6, 10, 14);
+ chacha20_quarter_round(state, 3, 7, 11, 15);
+
+ chacha20_quarter_round(state, 0, 5, 10, 15);
+ chacha20_quarter_round(state, 1, 6, 11, 12);
+ chacha20_quarter_round(state, 2, 7, 8, 13);
+ chacha20_quarter_round(state, 3, 4, 9, 14);
+}
+
+/**
+ * \brief Generates a keystream block.
+ *
+ * \param initial_state The initial ChaCha20 state (key, nonce, counter).
+ * \param keystream Generated keystream bytes are written to this buffer.
+ */
+static void chacha20_block(const uint32_t initial_state[16],
+ unsigned char keystream[64])
+{
+ uint32_t working_state[16];
+ size_t i;
+
+ memcpy(working_state,
+ initial_state,
+ CHACHA20_BLOCK_SIZE_BYTES);
+
+ for (i = 0U; i < 10U; i++) {
+ chacha20_inner_block(working_state);
+ }
+
+ working_state[0] += initial_state[0];
+ working_state[1] += initial_state[1];
+ working_state[2] += initial_state[2];
+ working_state[3] += initial_state[3];
+ working_state[4] += initial_state[4];
+ working_state[5] += initial_state[5];
+ working_state[6] += initial_state[6];
+ working_state[7] += initial_state[7];
+ working_state[8] += initial_state[8];
+ working_state[9] += initial_state[9];
+ working_state[10] += initial_state[10];
+ working_state[11] += initial_state[11];
+ working_state[12] += initial_state[12];
+ working_state[13] += initial_state[13];
+ working_state[14] += initial_state[14];
+ working_state[15] += initial_state[15];
+
+ for (i = 0U; i < 16; i++) {
+ size_t offset = i * 4U;
+
+ MBEDTLS_PUT_UINT32_LE(working_state[i], keystream, offset);
+ }
+
+ mbedtls_platform_zeroize(working_state, sizeof(working_state));
+}
+
+void mbedtls_chacha20_init(mbedtls_chacha20_context *ctx)
+{
+ mbedtls_platform_zeroize(ctx->state, sizeof(ctx->state));
+ mbedtls_platform_zeroize(ctx->keystream8, sizeof(ctx->keystream8));
+
+ /* Initially, there's no keystream bytes available */
+ ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+}
+
+void mbedtls_chacha20_free(mbedtls_chacha20_context *ctx)
+{
+ if (ctx != NULL) {
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_chacha20_context));
+ }
+}
+
+int mbedtls_chacha20_setkey(mbedtls_chacha20_context *ctx,
+ const unsigned char key[32])
+{
+ /* ChaCha20 constants - the string "expand 32-byte k" */
+ ctx->state[0] = 0x61707865;
+ ctx->state[1] = 0x3320646e;
+ ctx->state[2] = 0x79622d32;
+ ctx->state[3] = 0x6b206574;
+
+ /* Set key */
+ ctx->state[4] = MBEDTLS_GET_UINT32_LE(key, 0);
+ ctx->state[5] = MBEDTLS_GET_UINT32_LE(key, 4);
+ ctx->state[6] = MBEDTLS_GET_UINT32_LE(key, 8);
+ ctx->state[7] = MBEDTLS_GET_UINT32_LE(key, 12);
+ ctx->state[8] = MBEDTLS_GET_UINT32_LE(key, 16);
+ ctx->state[9] = MBEDTLS_GET_UINT32_LE(key, 20);
+ ctx->state[10] = MBEDTLS_GET_UINT32_LE(key, 24);
+ ctx->state[11] = MBEDTLS_GET_UINT32_LE(key, 28);
+
+ return 0;
+}
+
+int mbedtls_chacha20_starts(mbedtls_chacha20_context *ctx,
+ const unsigned char nonce[12],
+ uint32_t counter)
+{
+ /* Counter */
+ ctx->state[12] = counter;
+
+ /* Nonce */
+ ctx->state[13] = MBEDTLS_GET_UINT32_LE(nonce, 0);
+ ctx->state[14] = MBEDTLS_GET_UINT32_LE(nonce, 4);
+ ctx->state[15] = MBEDTLS_GET_UINT32_LE(nonce, 8);
+
+ mbedtls_platform_zeroize(ctx->keystream8, sizeof(ctx->keystream8));
+
+ /* Initially, there's no keystream bytes available */
+ ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+
+ return 0;
+}
+
+int mbedtls_chacha20_update(mbedtls_chacha20_context *ctx,
+ size_t size,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ size_t offset = 0U;
+
+ /* Use leftover keystream bytes, if available */
+ while (size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES) {
+ output[offset] = input[offset]
+ ^ ctx->keystream8[ctx->keystream_bytes_used];
+
+ ctx->keystream_bytes_used++;
+ offset++;
+ size--;
+ }
+
+ /* Process full blocks */
+ while (size >= CHACHA20_BLOCK_SIZE_BYTES) {
+ /* Generate new keystream block and increment counter */
+ chacha20_block(ctx->state, ctx->keystream8);
+ ctx->state[CHACHA20_CTR_INDEX]++;
+
+ mbedtls_xor(output + offset, input + offset, ctx->keystream8, 64U);
+
+ offset += CHACHA20_BLOCK_SIZE_BYTES;
+ size -= CHACHA20_BLOCK_SIZE_BYTES;
+ }
+
+ /* Last (partial) block */
+ if (size > 0U) {
+ /* Generate new keystream block and increment counter */
+ chacha20_block(ctx->state, ctx->keystream8);
+ ctx->state[CHACHA20_CTR_INDEX]++;
+
+ mbedtls_xor(output + offset, input + offset, ctx->keystream8, size);
+
+ ctx->keystream_bytes_used = size;
+
+ }
+
+ return 0;
+}
+
+int mbedtls_chacha20_crypt(const unsigned char key[32],
+ const unsigned char nonce[12],
+ uint32_t counter,
+ size_t data_len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ mbedtls_chacha20_context ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_chacha20_init(&ctx);
+
+ ret = mbedtls_chacha20_setkey(&ctx, key);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chacha20_starts(&ctx, nonce, counter);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chacha20_update(&ctx, data_len, input, output);
+
+cleanup:
+ mbedtls_chacha20_free(&ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_CHACHA20_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+ }
+};
+
+static const unsigned char test_nonces[2][12] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x02
+ }
+};
+
+static const uint32_t test_counters[2] =
+{
+ 0U,
+ 1U
+};
+
+static const unsigned char test_input[2][375] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
+ 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
+ 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
+ 0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
+ 0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
+ 0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
+ 0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
+ 0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
+ 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
+ 0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
+ 0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
+ 0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
+ 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+ 0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
+ 0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
+ 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+ 0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
+ 0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
+ 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+ 0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
+ 0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
+ 0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
+ 0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
+ 0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
+ 0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
+ 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
+ 0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
+ 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+ 0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
+ 0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
+ 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+ 0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
+ 0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
+ 0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
+ 0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
+ 0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
+ 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
+ 0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
+ 0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
+ 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
+ 0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
+ 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
+ 0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
+ 0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
+ 0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
+ 0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f
+ }
+};
+
+static const unsigned char test_output[2][375] =
+{
+ {
+ 0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
+ 0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28,
+ 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a,
+ 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7,
+ 0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d,
+ 0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37,
+ 0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c,
+ 0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86
+ },
+ {
+ 0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde,
+ 0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70,
+ 0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd,
+ 0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec,
+ 0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15,
+ 0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05,
+ 0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f,
+ 0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d,
+ 0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa,
+ 0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e,
+ 0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7,
+ 0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50,
+ 0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05,
+ 0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c,
+ 0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05,
+ 0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a,
+ 0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0,
+ 0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66,
+ 0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4,
+ 0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d,
+ 0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91,
+ 0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28,
+ 0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87,
+ 0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b,
+ 0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2,
+ 0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f,
+ 0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76,
+ 0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c,
+ 0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b,
+ 0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84,
+ 0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd,
+ 0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b,
+ 0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe,
+ 0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0,
+ 0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80,
+ 0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f,
+ 0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3,
+ 0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62,
+ 0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91,
+ 0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6,
+ 0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64,
+ 0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85,
+ 0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41,
+ 0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab,
+ 0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba,
+ 0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd,
+ 0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21
+ }
+};
+
+static const size_t test_lengths[2] =
+{
+ 64U,
+ 375U
+};
+
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
+#define ASSERT(cond, args) \
+ do \
+ { \
+ if (!(cond)) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf args; \
+ \
+ return -1; \
+ } \
+ } \
+ while (0)
+
+int mbedtls_chacha20_self_test(int verbose)
+{
+ unsigned char output[381];
+ unsigned i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ for (i = 0U; i < 2U; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" ChaCha20 test %u ", i);
+ }
+
+ ret = mbedtls_chacha20_crypt(test_keys[i],
+ test_nonces[i],
+ test_counters[i],
+ test_lengths[i],
+ test_input[i],
+ output);
+
+ ASSERT(0 == ret, ("error code: %i\n", ret));
+
+ ASSERT(0 == memcmp(output, test_output[i], test_lengths[i]),
+ ("failed (output)\n"));
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_CHACHA20_C */
diff --git a/library/chachapoly.c b/library/chachapoly.c
new file mode 100644
index 0000000..a1314ea
--- /dev/null
+++ b/library/chachapoly.c
@@ -0,0 +1,478 @@
+/**
+ * \file chachapoly.c
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#include "common.h"
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+#define CHACHAPOLY_STATE_INIT (0)
+#define CHACHAPOLY_STATE_AAD (1)
+#define CHACHAPOLY_STATE_CIPHERTEXT (2) /* Encrypting or decrypting */
+#define CHACHAPOLY_STATE_FINISHED (3)
+
+/**
+ * \brief Adds nul bytes to pad the AAD for Poly1305.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_aad(mbedtls_chachapoly_context *ctx)
+{
+ uint32_t partial_block_len = (uint32_t) (ctx->aad_len % 16U);
+ unsigned char zeroes[15];
+
+ if (partial_block_len == 0U) {
+ return 0;
+ }
+
+ memset(zeroes, 0, sizeof(zeroes));
+
+ return mbedtls_poly1305_update(&ctx->poly1305_ctx,
+ zeroes,
+ 16U - partial_block_len);
+}
+
+/**
+ * \brief Adds nul bytes to pad the ciphertext for Poly1305.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_ciphertext(mbedtls_chachapoly_context *ctx)
+{
+ uint32_t partial_block_len = (uint32_t) (ctx->ciphertext_len % 16U);
+ unsigned char zeroes[15];
+
+ if (partial_block_len == 0U) {
+ return 0;
+ }
+
+ memset(zeroes, 0, sizeof(zeroes));
+ return mbedtls_poly1305_update(&ctx->poly1305_ctx,
+ zeroes,
+ 16U - partial_block_len);
+}
+
+void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx)
+{
+ mbedtls_chacha20_init(&ctx->chacha20_ctx);
+ mbedtls_poly1305_init(&ctx->poly1305_ctx);
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = CHACHAPOLY_STATE_INIT;
+ ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_chacha20_free(&ctx->chacha20_ctx);
+ mbedtls_poly1305_free(&ctx->poly1305_ctx);
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = CHACHAPOLY_STATE_INIT;
+ ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
+ const unsigned char key[32])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_chacha20_setkey(&ctx->chacha20_ctx, key);
+
+ return ret;
+}
+
+int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
+ const unsigned char nonce[12],
+ mbedtls_chachapoly_mode_t mode)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char poly1305_key[64];
+
+ /* Set counter = 0, will be update to 1 when generating Poly1305 key */
+ ret = mbedtls_chacha20_starts(&ctx->chacha20_ctx, nonce, 0U);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
+ * counter = 0. This is the same as encrypting a buffer of zeroes.
+ * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
+ * The other 256 bits are discarded.
+ */
+ memset(poly1305_key, 0, sizeof(poly1305_key));
+ ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, sizeof(poly1305_key),
+ poly1305_key, poly1305_key);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_poly1305_starts(&ctx->poly1305_ctx, poly1305_key);
+
+ if (ret == 0) {
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = CHACHAPOLY_STATE_AAD;
+ ctx->mode = mode;
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(poly1305_key, 64U);
+ return ret;
+}
+
+int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
+ const unsigned char *aad,
+ size_t aad_len)
+{
+ if (ctx->state != CHACHAPOLY_STATE_AAD) {
+ return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
+ }
+
+ ctx->aad_len += aad_len;
+
+ return mbedtls_poly1305_update(&ctx->poly1305_ctx, aad, aad_len);
+}
+
+int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
+ size_t len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ctx->state != CHACHAPOLY_STATE_AAD) &&
+ (ctx->state != CHACHAPOLY_STATE_CIPHERTEXT)) {
+ return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
+ }
+
+ if (ctx->state == CHACHAPOLY_STATE_AAD) {
+ ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
+
+ ret = chachapoly_pad_aad(ctx);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ ctx->ciphertext_len += len;
+
+ if (ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT) {
+ ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, output, len);
+ if (ret != 0) {
+ return ret;
+ }
+ } else { /* DECRYPT */
+ ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, input, len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
+ unsigned char mac[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char len_block[16];
+
+ if (ctx->state == CHACHAPOLY_STATE_INIT) {
+ return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
+ }
+
+ if (ctx->state == CHACHAPOLY_STATE_AAD) {
+ ret = chachapoly_pad_aad(ctx);
+ if (ret != 0) {
+ return ret;
+ }
+ } else if (ctx->state == CHACHAPOLY_STATE_CIPHERTEXT) {
+ ret = chachapoly_pad_ciphertext(ctx);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ ctx->state = CHACHAPOLY_STATE_FINISHED;
+
+ /* The lengths of the AAD and ciphertext are processed by
+ * Poly1305 as the final 128-bit block, encoded as little-endian integers.
+ */
+ MBEDTLS_PUT_UINT64_LE(ctx->aad_len, len_block, 0);
+ MBEDTLS_PUT_UINT64_LE(ctx->ciphertext_len, len_block, 8);
+
+ ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, len_block, 16U);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_poly1305_finish(&ctx->poly1305_ctx, mac);
+
+ return ret;
+}
+
+static int chachapoly_crypt_and_tag(mbedtls_chachapoly_context *ctx,
+ mbedtls_chachapoly_mode_t mode,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char tag[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_chachapoly_starts(ctx, nonce, mode);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chachapoly_update_aad(ctx, aad, aad_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chachapoly_update(ctx, length, input, output);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_chachapoly_finish(ctx, tag);
+
+cleanup:
+ return ret;
+}
+
+int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char tag[16])
+{
+ return chachapoly_crypt_and_tag(ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
+ length, nonce, aad, aad_len,
+ input, output, tag);
+}
+
+int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char tag[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char check_tag[16];
+ int diff;
+
+ if ((ret = chachapoly_crypt_and_tag(ctx,
+ MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
+ aad, aad_len, input, output, check_tag)) != 0) {
+ return ret;
+ }
+
+ /* Check tag in "constant-time" */
+ diff = mbedtls_ct_memcmp(tag, check_tag, sizeof(check_tag));
+
+ if (diff != 0) {
+ mbedtls_platform_zeroize(output, length);
+ return MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED;
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_key[1][32] =
+{
+ {
+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+ }
+};
+
+static const unsigned char test_nonce[1][12] =
+{
+ {
+ 0x07, 0x00, 0x00, 0x00, /* 32-bit common part */
+ 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */
+ }
+};
+
+static const unsigned char test_aad[1][12] =
+{
+ {
+ 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
+ 0xc4, 0xc5, 0xc6, 0xc7
+ }
+};
+
+static const size_t test_aad_len[1] =
+{
+ 12U
+};
+
+static const unsigned char test_input[1][114] =
+{
+ {
+ 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
+ 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
+ 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
+ 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
+ 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+ 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
+ 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
+ 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
+ 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
+ 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
+ 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+ 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+ 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
+ 0x74, 0x2e
+ }
+};
+
+static const unsigned char test_output[1][114] =
+{
+ {
+ 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
+ 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
+ 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+ 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
+ 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
+ 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+ 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
+ 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
+ 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+ 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
+ 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
+ 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+ 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+ 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
+ 0x61, 0x16
+ }
+};
+
+static const size_t test_input_len[1] =
+{
+ 114U
+};
+
+static const unsigned char test_mac[1][16] =
+{
+ {
+ 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
+ 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
+ }
+};
+
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
+#define ASSERT(cond, args) \
+ do \
+ { \
+ if (!(cond)) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf args; \
+ \
+ return -1; \
+ } \
+ } \
+ while (0)
+
+int mbedtls_chachapoly_self_test(int verbose)
+{
+ mbedtls_chachapoly_context ctx;
+ unsigned i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char output[200];
+ unsigned char mac[16];
+
+ for (i = 0U; i < 1U; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" ChaCha20-Poly1305 test %u ", i);
+ }
+
+ mbedtls_chachapoly_init(&ctx);
+
+ ret = mbedtls_chachapoly_setkey(&ctx, test_key[i]);
+ ASSERT(0 == ret, ("setkey() error code: %i\n", ret));
+
+ ret = mbedtls_chachapoly_encrypt_and_tag(&ctx,
+ test_input_len[i],
+ test_nonce[i],
+ test_aad[i],
+ test_aad_len[i],
+ test_input[i],
+ output,
+ mac);
+
+ ASSERT(0 == ret, ("crypt_and_tag() error code: %i\n", ret));
+
+ ASSERT(0 == memcmp(output, test_output[i], test_input_len[i]),
+ ("failure (wrong output)\n"));
+
+ ASSERT(0 == memcmp(mac, test_mac[i], 16U),
+ ("failure (wrong MAC)\n"));
+
+ mbedtls_chachapoly_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CHACHAPOLY_C */
diff --git a/library/check_crypto_config.h b/library/check_crypto_config.h
new file mode 100644
index 0000000..6469e9f
--- /dev/null
+++ b/library/check_crypto_config.h
@@ -0,0 +1,141 @@
+/**
+ * \file check_crypto_config.h
+ *
+ * \brief Consistency checks for PSA configuration options
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * It is recommended to include this file from your crypto_config.h
+ * in order to catch dependency issues early.
+ */
+
+#ifndef MBEDTLS_CHECK_CRYPTO_CONFIG_H
+#define MBEDTLS_CHECK_CRYPTO_CONFIG_H
+
+#if defined(PSA_WANT_ALG_CCM) && \
+ !(defined(PSA_WANT_KEY_TYPE_AES) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA))
+#error "PSA_WANT_ALG_CCM defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_CMAC) && \
+ !(defined(PSA_WANT_KEY_TYPE_AES) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA) || \
+ defined(PSA_WANT_KEY_TYPE_DES))
+#error "PSA_WANT_ALG_CMAC defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
+ !(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
+#error "PSA_WANT_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_ECDSA) && \
+ !(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
+#error "PSA_WANT_ALG_ECDSA defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_GCM) && \
+ !(defined(PSA_WANT_KEY_TYPE_AES) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA))
+#error "PSA_WANT_ALG_GCM defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) && \
+ !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
+#error "PSA_WANT_ALG_RSA_PKCS1V15_CRYPT defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) && \
+ !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
+#error "PSA_WANT_ALG_RSA_PKCS1V15_SIGN defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_OAEP) && \
+ !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
+#error "PSA_WANT_ALG_RSA_OAEP defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PSS) && \
+ !(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
+#error "PSA_WANT_ALG_RSA_PSS defined, but not all prerequisites"
+#endif
+
+#if (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)) && \
+ !defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx defined, but not all prerequisites"
+#endif
+
+#if (defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)) && \
+ !defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
+#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx defined, but not all prerequisites"
+#endif
+
+#if (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)) && \
+ !defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
+#error "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_xxx defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR is deprecated and will be removed in a \
+ future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx \
+ symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR is deprecated and will be removed in a \
+ future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx \
+ symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR is deprecated and will be removed in a \
+ future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx \
+ symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR is deprecated and will be removed in a \
+ future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx \
+ symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE)
+#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE defined, but feature is not supported"
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE)
+#error "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE defined, but feature is not supported"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ !(defined(PSA_WANT_ALG_SHA_1) || defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_512))
+#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS) && \
+ !defined(PSA_WANT_ALG_SHA_256)
+#error "PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS defined, but not all prerequisites"
+#endif
+
+#endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */
diff --git a/library/cipher.c b/library/cipher.c
new file mode 100644
index 0000000..0683677
--- /dev/null
+++ b/library/cipher.c
@@ -0,0 +1,1680 @@
+/**
+ * \file cipher.c
+ *
+ * \brief Generic cipher wrapper for Mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "mbedtls/cipher.h"
+#include "cipher_wrap.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+#include "constant_time_internal.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+#include "mbedtls/cmac.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+#include "psa/crypto.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_NIST_KW_C)
+#include "mbedtls/nist_kw.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+static int supported_init = 0;
+
+static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(
+ const mbedtls_cipher_info_t *info)
+{
+ return mbedtls_cipher_base_lookup_table[info->base_idx];
+}
+
+const int *mbedtls_cipher_list(void)
+{
+ const mbedtls_cipher_definition_t *def;
+ int *type;
+
+ if (!supported_init) {
+ def = mbedtls_cipher_definitions;
+ type = mbedtls_cipher_supported;
+
+ while (def->type != 0) {
+ *type++ = (*def++).type;
+ }
+
+ *type = 0;
+
+ supported_init = 1;
+ }
+
+ return mbedtls_cipher_supported;
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(
+ const mbedtls_cipher_type_t cipher_type)
+{
+ const mbedtls_cipher_definition_t *def;
+
+ for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
+ if (def->type == cipher_type) {
+ return def->info;
+ }
+ }
+
+ return NULL;
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(
+ const char *cipher_name)
+{
+ const mbedtls_cipher_definition_t *def;
+
+ if (NULL == cipher_name) {
+ return NULL;
+ }
+
+ for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
+ if (!strcmp(def->info->name, cipher_name)) {
+ return def->info;
+ }
+ }
+
+ return NULL;
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
+ const mbedtls_cipher_id_t cipher_id,
+ int key_bitlen,
+ const mbedtls_cipher_mode_t mode)
+{
+ const mbedtls_cipher_definition_t *def;
+
+ for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
+ if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&
+ mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&
+ def->info->mode == mode) {
+ return def->info;
+ }
+ }
+
+ return NULL;
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
+ mbedtls_cipher_type_t cipher)
+{
+ switch (cipher) {
+ case MBEDTLS_CIPHER_AES_128_CCM:
+ case MBEDTLS_CIPHER_AES_192_CCM:
+ case MBEDTLS_CIPHER_AES_256_CCM:
+ case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_AES_128_GCM:
+ case MBEDTLS_CIPHER_AES_192_GCM:
+ case MBEDTLS_CIPHER_AES_256_GCM:
+ case MBEDTLS_CIPHER_AES_128_CBC:
+ case MBEDTLS_CIPHER_AES_192_CBC:
+ case MBEDTLS_CIPHER_AES_256_CBC:
+ case MBEDTLS_CIPHER_AES_128_ECB:
+ case MBEDTLS_CIPHER_AES_192_ECB:
+ case MBEDTLS_CIPHER_AES_256_ECB:
+ return PSA_KEY_TYPE_AES;
+
+ /* ARIA not yet supported in PSA. */
+ /* case MBEDTLS_CIPHER_ARIA_128_CCM:
+ case MBEDTLS_CIPHER_ARIA_192_CCM:
+ case MBEDTLS_CIPHER_ARIA_256_CCM:
+ case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
+ case MBEDTLS_CIPHER_ARIA_128_GCM:
+ case MBEDTLS_CIPHER_ARIA_192_GCM:
+ case MBEDTLS_CIPHER_ARIA_256_GCM:
+ case MBEDTLS_CIPHER_ARIA_128_CBC:
+ case MBEDTLS_CIPHER_ARIA_192_CBC:
+ case MBEDTLS_CIPHER_ARIA_256_CBC:
+ return( PSA_KEY_TYPE_ARIA ); */
+
+ default:
+ return 0;
+ }
+}
+
+static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
+ mbedtls_cipher_mode_t mode, size_t taglen)
+{
+ switch (mode) {
+ case MBEDTLS_MODE_ECB:
+ return PSA_ALG_ECB_NO_PADDING;
+ case MBEDTLS_MODE_GCM:
+ return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen);
+ case MBEDTLS_MODE_CCM:
+ return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen);
+ case MBEDTLS_MODE_CCM_STAR_NO_TAG:
+ return PSA_ALG_CCM_STAR_NO_TAG;
+ case MBEDTLS_MODE_CBC:
+ if (taglen == 0) {
+ return PSA_ALG_CBC_NO_PADDING;
+ } else {
+ return 0;
+ }
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
+}
+
+void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ if (ctx->cipher_ctx != NULL) {
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) {
+ /* xxx_free() doesn't allow to return failures. */
+ (void) psa_destroy_key(cipher_psa->slot);
+ }
+
+ mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa));
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
+ return;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_CMAC_C)
+ if (ctx->cmac_ctx) {
+ mbedtls_zeroize_and_free(ctx->cmac_ctx,
+ sizeof(mbedtls_cmac_context_t));
+ }
+#endif
+
+ if (ctx->cipher_ctx) {
+ mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
+}
+
+int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
+ const mbedtls_cipher_info_t *cipher_info)
+{
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
+
+ if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) {
+ ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func();
+ if (ctx->cipher_ctx == NULL) {
+ return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
+ }
+ }
+
+ ctx->cipher_info = cipher_info;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
+ const mbedtls_cipher_info_t *cipher_info,
+ size_t taglen)
+{
+ psa_algorithm_t alg;
+ mbedtls_cipher_context_psa *cipher_psa;
+
+ if (NULL == cipher_info || NULL == ctx) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /* Check that the underlying cipher mode and cipher type are
+ * supported by the underlying PSA Crypto implementation. */
+ alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);
+ if (alg == 0) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+ if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
+
+ cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa));
+ if (cipher_psa == NULL) {
+ return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
+ }
+ cipher_psa->alg = alg;
+ ctx->cipher_ctx = cipher_psa;
+ ctx->cipher_info = cipher_info;
+ ctx->psa_enabled = 1;
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
+ const unsigned char *key,
+ int key_bitlen,
+ const mbedtls_operation_t operation)
+{
+ if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) &&
+ MBEDTLS_DECRYPT == operation) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8;
+
+ psa_status_t status;
+ psa_key_type_t key_type;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ /* PSA Crypto API only accepts byte-aligned keys. */
+ if (key_bitlen % 8 != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /* Don't allow keys to be set multiple times. */
+ if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ key_type = mbedtls_psa_translate_cipher_type(
+ ((mbedtls_cipher_type_t) ctx->cipher_info->type));
+ if (key_type == 0) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+ psa_set_key_type(&attributes, key_type);
+
+ /* Mbed TLS' cipher layer doesn't enforce the mode of operation
+ * (encrypt vs. decrypt): it is possible to setup a key for encryption
+ * and use it for AEAD decryption. Until tests relying on this
+ * are changed, allow any usage in PSA. */
+ psa_set_key_usage_flags(&attributes,
+ PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+ psa_set_key_algorithm(&attributes, cipher_psa->alg);
+
+ status = psa_import_key(&attributes, key, key_bytelen,
+ &cipher_psa->slot);
+ switch (status) {
+ case PSA_SUCCESS:
+ break;
+ case PSA_ERROR_INSUFFICIENT_MEMORY:
+ return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ default:
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+ /* Indicate that we own the key slot and need to
+ * destroy it in mbedtls_cipher_free(). */
+ cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
+
+ ctx->key_bitlen = key_bitlen;
+ ctx->operation = operation;
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
+ (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ ctx->key_bitlen = key_bitlen;
+ ctx->operation = operation;
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ /*
+ * For OFB, CFB and CTR mode always use the encryption key schedule
+ */
+ if (MBEDTLS_ENCRYPT == operation ||
+ MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
+ ctx->key_bitlen);
+ }
+
+ if (MBEDTLS_DECRYPT == operation) {
+ return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
+ ctx->key_bitlen);
+ }
+#else
+ if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) {
+ return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
+ ctx->key_bitlen);
+ }
+#endif
+
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+}
+
+int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv,
+ size_t iv_len)
+{
+ size_t actual_iv_size;
+
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ /* avoid buffer overflow in ctx->iv */
+ if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
+ actual_iv_size = iv_len;
+ } else {
+ actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);
+
+ /* avoid reading past the end of input buffer */
+ if (actual_iv_size > iv_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+ }
+
+#if defined(MBEDTLS_CHACHA20_C)
+ if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {
+ /* Even though the actual_iv_size is overwritten with a correct value
+ * of 12 from the cipher info, return an error to indicate that
+ * the input iv_len is wrong. */
+ if (iv_len != 12) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx,
+ iv,
+ 0U)) { /* Initial counter value */
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+ }
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
+ iv_len != 12) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+#endif
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,
+ ctx->operation,
+ iv, iv_len);
+ }
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+ if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ int set_lengths_result;
+ int ccm_star_mode;
+
+ set_lengths_result = mbedtls_ccm_set_lengths(
+ (mbedtls_ccm_context *) ctx->cipher_ctx,
+ 0, 0, 0);
+ if (set_lengths_result != 0) {
+ return set_lengths_result;
+ }
+
+ if (ctx->operation == MBEDTLS_DECRYPT) {
+ ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT;
+ } else if (ctx->operation == MBEDTLS_ENCRYPT) {
+ ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT;
+ } else {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx,
+ ccm_star_mode,
+ iv, iv_len);
+ }
+#endif
+
+ if (actual_iv_size != 0) {
+ memcpy(ctx->iv, iv, actual_iv_size);
+ ctx->iv_size = actual_iv_size;
+ }
+
+ return 0;
+}
+
+int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
+{
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* We don't support resetting PSA-based
+ * cipher contexts, yet. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ ctx->unprocessed_len = 0;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
+ const unsigned char *ad, size_t ad_len)
+{
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,
+ ad, ad_len);
+ }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ int result;
+ mbedtls_chachapoly_mode_t mode;
+
+ mode = (ctx->operation == MBEDTLS_ENCRYPT)
+ ? MBEDTLS_CHACHAPOLY_ENCRYPT
+ : MBEDTLS_CHACHAPOLY_DECRYPT;
+
+ result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx,
+ ctx->iv,
+ mode);
+ if (result != 0) {
+ return result;
+ }
+
+ return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx,
+ ad, ad_len);
+ }
+#endif
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input,
+ size_t ilen, unsigned char *output, size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t block_size;
+
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ *olen = 0;
+ block_size = mbedtls_cipher_get_block_size(ctx);
+ if (0 == block_size) {
+ return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
+ }
+
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {
+ if (ilen != block_size) {
+ return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
+ }
+
+ *olen = ilen;
+
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,
+ ctx->operation, input,
+ output))) {
+ return ret;
+ }
+
+ return 0;
+ }
+
+#if defined(MBEDTLS_GCM_C)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {
+ return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,
+ input, ilen,
+ output, ilen, olen);
+ }
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
+ return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,
+ input, ilen,
+ output, ilen, olen);
+ }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
+ *olen = ilen;
+ return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
+ ilen, input, output);
+ }
+#endif
+
+ if (input == output &&
+ (ctx->unprocessed_len != 0 || ilen % block_size)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {
+ size_t copy_len = 0;
+
+ /*
+ * If there is not enough data for a full block, cache it.
+ */
+ if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
+ ilen <= block_size - ctx->unprocessed_len) ||
+ (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
+ ilen < block_size - ctx->unprocessed_len) ||
+ (ctx->operation == MBEDTLS_ENCRYPT &&
+ ilen < block_size - ctx->unprocessed_len)) {
+ memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
+ ilen);
+
+ ctx->unprocessed_len += ilen;
+ return 0;
+ }
+
+ /*
+ * Process cached data first
+ */
+ if (0 != ctx->unprocessed_len) {
+ copy_len = block_size - ctx->unprocessed_len;
+
+ memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
+ copy_len);
+
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
+ ctx->operation,
+ block_size, ctx->iv,
+ ctx->
+ unprocessed_data,
+ output))) {
+ return ret;
+ }
+
+ *olen += block_size;
+ output += block_size;
+ ctx->unprocessed_len = 0;
+
+ input += copy_len;
+ ilen -= copy_len;
+ }
+
+ /*
+ * Cache final, incomplete block
+ */
+ if (0 != ilen) {
+ /* Encryption: only cache partial blocks
+ * Decryption w/ padding: always keep at least one whole block
+ * Decryption w/o padding: only cache partial blocks
+ */
+ copy_len = ilen % block_size;
+ if (copy_len == 0 &&
+ ctx->operation == MBEDTLS_DECRYPT &&
+ NULL != ctx->add_padding) {
+ copy_len = block_size;
+ }
+
+ memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]),
+ copy_len);
+
+ ctx->unprocessed_len += copy_len;
+ ilen -= copy_len;
+ }
+
+ /*
+ * Process remaining full blocks
+ */
+ if (ilen) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
+ ctx->operation,
+ ilen, ctx->iv,
+ input,
+ output))) {
+ return ret;
+ }
+
+ *olen += ilen;
+ }
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,
+ ctx->operation, ilen,
+ &ctx->unprocessed_len,
+ ctx->iv,
+ input, output))) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,
+ ilen,
+ &ctx->unprocessed_len,
+ ctx->iv,
+ input, output))) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,
+ ilen,
+ &ctx->unprocessed_len,
+ ctx->iv,
+ ctx->unprocessed_data,
+ input, output))) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {
+ if (ctx->unprocessed_len > 0) {
+ /* We can only process an entire data unit at a time. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,
+ ctx->operation,
+ ilen,
+ ctx->iv,
+ input,
+ output);
+ if (ret != 0) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,
+ ilen, input,
+ output))) {
+ return ret;
+ }
+
+ *olen = ilen;
+
+ return 0;
+ }
+#endif /* MBEDTLS_CIPHER_MODE_STREAM */
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+/*
+ * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
+ */
+static void add_pkcs_padding(unsigned char *output, size_t output_len,
+ size_t data_len)
+{
+ size_t padding_len = output_len - data_len;
+ unsigned char i;
+
+ for (i = 0; i < padding_len; i++) {
+ output[data_len + i] = (unsigned char) padding_len;
+ }
+}
+
+static int get_pkcs_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ size_t i, pad_idx;
+ unsigned char padding_len;
+
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ padding_len = input[input_len - 1];
+ *data_len = input_len - padding_len;
+
+ mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
+
+ /* The number of bytes checked must be independent of padding_len,
+ * so pick input_len, which is usually 8 or 16 (one block) */
+ pad_idx = input_len - padding_len;
+ for (i = 0; i < input_len; i++) {
+ mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
+ mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
+ }
+
+ return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
+}
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+/*
+ * One and zeros padding: fill with 80 00 ... 00
+ */
+static void add_one_and_zeros_padding(unsigned char *output,
+ size_t output_len, size_t data_len)
+{
+ size_t padding_len = output_len - data_len;
+ unsigned char i = 0;
+
+ output[data_len] = 0x80;
+ for (i = 1; i < padding_len; i++) {
+ output[data_len + i] = 0x00;
+ }
+}
+
+static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
+ mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
+
+ *data_len = 0;
+
+ for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
+ mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
+
+ mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
+
+ *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
+
+ bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
+
+ in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
+ }
+
+ return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+/*
+ * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
+ */
+static void add_zeros_and_len_padding(unsigned char *output,
+ size_t output_len, size_t data_len)
+{
+ size_t padding_len = output_len - data_len;
+ unsigned char i = 0;
+
+ for (i = 1; i < padding_len; i++) {
+ output[data_len + i - 1] = 0x00;
+ }
+ output[output_len - 1] = (unsigned char) padding_len;
+}
+
+static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ size_t i, pad_idx;
+ unsigned char padding_len;
+ mbedtls_ct_condition_t bad;
+
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ padding_len = input[input_len - 1];
+ *data_len = input_len - padding_len;
+
+ /* Avoid logical || since it results in a branch */
+ bad = mbedtls_ct_uint_gt(padding_len, input_len);
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
+
+ /* The number of bytes checked must be independent of padding_len */
+ pad_idx = input_len - padding_len;
+ for (i = 0; i < input_len - 1; i++) {
+ mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
+ mbedtls_ct_condition_t nonzero_pad_byte;
+ nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
+ bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
+ }
+
+ return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+/*
+ * Zero padding: fill with 00 ... 00
+ */
+static void add_zeros_padding(unsigned char *output,
+ size_t output_len, size_t data_len)
+{
+ memset(output + data_len, 0, output_len - data_len);
+}
+
+static int get_zeros_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ size_t i;
+ mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
+
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ *data_len = 0;
+ for (i = input_len; i > 0; i--) {
+ prev_done = done;
+ done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
+ *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+
+/*
+ * No padding: don't pad :)
+ *
+ * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
+ * but a trivial get_padding function
+ */
+static int get_no_padding(unsigned char *input, size_t input_len,
+ size_t *data_len)
+{
+ if (NULL == input || NULL == data_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ *data_len = input_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
+ unsigned char *output, size_t *olen)
+{
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ *olen = 0;
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+ /* CBC mode requires padding so we make sure a call to
+ * mbedtls_cipher_set_padding_mode has been done successfully. */
+ if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ if (ctx->get_padding == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+ }
+#endif
+
+ if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return 0;
+ }
+
+ if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||
+ (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {
+ return 0;
+ }
+
+ if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ if (ctx->unprocessed_len != 0) {
+ return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
+ }
+
+ return 0;
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ int ret = 0;
+
+ if (MBEDTLS_ENCRYPT == ctx->operation) {
+ /* check for 'no padding' mode */
+ if (NULL == ctx->add_padding) {
+ if (0 != ctx->unprocessed_len) {
+ return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
+ }
+
+ return 0;
+ }
+
+ ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx),
+ ctx->unprocessed_len);
+ } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) {
+ /*
+ * For decrypt operations, expect a full block,
+ * or an empty block if no padding
+ */
+ if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) {
+ return 0;
+ }
+
+ return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
+ }
+
+ /* cipher block */
+ if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
+ ctx->operation,
+ mbedtls_cipher_get_block_size(
+ ctx),
+ ctx->iv,
+ ctx->unprocessed_data,
+ output))) {
+ return ret;
+ }
+
+ /* Set output size for decryption */
+ if (MBEDTLS_DECRYPT == ctx->operation) {
+ return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx),
+ olen);
+ }
+
+ /* Set output size for encryption */
+ *olen = mbedtls_cipher_get_block_size(ctx);
+ return 0;
+ }
+#else
+ ((void) output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
+ mbedtls_cipher_padding_t mode)
+{
+ if (NULL == ctx->cipher_info ||
+ MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto knows about CBC padding
+ * schemes, we currently don't make them
+ * accessible through the cipher layer. */
+ if (mode != MBEDTLS_PADDING_NONE) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ switch (mode) {
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+ case MBEDTLS_PADDING_PKCS7:
+ ctx->add_padding = add_pkcs_padding;
+ ctx->get_padding = get_pkcs_padding;
+ break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+ case MBEDTLS_PADDING_ONE_AND_ZEROS:
+ ctx->add_padding = add_one_and_zeros_padding;
+ ctx->get_padding = get_one_and_zeros_padding;
+ break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+ case MBEDTLS_PADDING_ZEROS_AND_LEN:
+ ctx->add_padding = add_zeros_and_len_padding;
+ ctx->get_padding = get_zeros_and_len_padding;
+ break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+ case MBEDTLS_PADDING_ZEROS:
+ ctx->add_padding = add_zeros_padding;
+ ctx->get_padding = get_zeros_padding;
+ break;
+#endif
+ case MBEDTLS_PADDING_NONE:
+ ctx->add_padding = NULL;
+ ctx->get_padding = get_no_padding;
+ break;
+
+ default:
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
+ unsigned char *tag, size_t tag_len)
+{
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (MBEDTLS_ENCRYPT != ctx->operation) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ size_t output_length;
+ /* The code here doesn't yet support alternative implementations
+ * that can delay up to a block of output. */
+ return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx,
+ NULL, 0, &output_length,
+ tag, tag_len);
+ }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ /* Don't allow truncated MAC for Poly1305 */
+ if (tag_len != 16U) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_chachapoly_finish(
+ (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag);
+ }
+#endif
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+
+int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
+ const unsigned char *tag, size_t tag_len)
+{
+ unsigned char check_tag[16];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ctx->cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (MBEDTLS_DECRYPT != ctx->operation) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* While PSA Crypto has an API for multipart
+ * operations, we currently don't make it
+ * accessible through the cipher layer. */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ /* Status to return on a non-authenticated algorithm. */
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ size_t output_length;
+ /* The code here doesn't yet support alternative implementations
+ * that can delay up to a block of output. */
+
+ if (tag_len > sizeof(check_tag)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (0 != (ret = mbedtls_gcm_finish(
+ (mbedtls_gcm_context *) ctx->cipher_ctx,
+ NULL, 0, &output_length,
+ check_tag, tag_len))) {
+ return ret;
+ }
+
+ /* Check the tag in "constant-time" */
+ if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ goto exit;
+ }
+ }
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ /* Don't allow truncated MAC for Poly1305 */
+ if (tag_len != sizeof(check_tag)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ ret = mbedtls_chachapoly_finish(
+ (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Check the tag in "constant-time" */
+ if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ goto exit;
+ }
+ }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+exit:
+ mbedtls_platform_zeroize(check_tag, tag_len);
+ return ret;
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/*
+ * Packet-oriented wrapper for non-AEAD modes
+ */
+int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t finish_olen;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* As in the non-PSA case, we don't check that
+ * a key has been set. If not, the key slot will
+ * still be in its default state of 0, which is
+ * guaranteed to be invalid, hence the PSA-call
+ * below will gracefully fail. */
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ psa_status_t status;
+ psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
+ size_t part_len;
+
+ if (ctx->operation == MBEDTLS_DECRYPT) {
+ status = psa_cipher_decrypt_setup(&cipher_op,
+ cipher_psa->slot,
+ cipher_psa->alg);
+ } else if (ctx->operation == MBEDTLS_ENCRYPT) {
+ status = psa_cipher_encrypt_setup(&cipher_op,
+ cipher_psa->slot,
+ cipher_psa->alg);
+ } else {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /* In the following, we can immediately return on an error,
+ * because the PSA Crypto API guarantees that cipher operations
+ * are terminated by unsuccessful calls to psa_cipher_update(),
+ * and by any call to psa_cipher_finish(). */
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {
+ status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+ }
+
+ status = psa_cipher_update(&cipher_op,
+ input, ilen,
+ output, ilen, olen);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ status = psa_cipher_finish(&cipher_op,
+ output + *olen, ilen - *olen,
+ &part_len);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ *olen += part_len;
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+ if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_reset(ctx)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_update(ctx, input, ilen,
+ output, olen)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_finish(ctx, output + *olen,
+ &finish_olen)) != 0) {
+ return ret;
+ }
+
+ *olen += finish_olen;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+/*
+ * Packet-oriented encryption for AEAD modes: internal function used by
+ * mbedtls_cipher_auth_encrypt_ext().
+ */
+static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen,
+ unsigned char *tag, size_t tag_len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* As in the non-PSA case, we don't check that
+ * a key has been set. If not, the key slot will
+ * still be in its default state of 0, which is
+ * guaranteed to be invalid, hence the PSA-call
+ * below will gracefully fail. */
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ psa_status_t status;
+
+ /* PSA Crypto API always writes the authentication tag
+ * at the end of the encrypted message. */
+ if (output == NULL || tag != output + ilen) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ status = psa_aead_encrypt(cipher_psa->slot,
+ cipher_psa->alg,
+ iv, iv_len,
+ ad, ad_len,
+ input, ilen,
+ output, ilen + tag_len, olen);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ *olen -= tag_len;
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ *olen = ilen;
+ return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
+ ilen, iv, iv_len, ad, ad_len,
+ input, output, tag_len, tag);
+ }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+ if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ *olen = ilen;
+ return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
+ iv, iv_len, ad, ad_len, input, output,
+ tag, tag_len);
+ }
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ /* ChachaPoly has fixed length nonce and MAC (tag) */
+ if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
+ (tag_len != 16U)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ *olen = ilen;
+ return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx,
+ ilen, iv, ad, ad_len, input, output, tag);
+ }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+
+/*
+ * Packet-oriented encryption for AEAD modes: internal function used by
+ * mbedtls_cipher_auth_encrypt_ext().
+ */
+static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen,
+ const unsigned char *tag, size_t tag_len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ctx->psa_enabled == 1) {
+ /* As in the non-PSA case, we don't check that
+ * a key has been set. If not, the key slot will
+ * still be in its default state of 0, which is
+ * guaranteed to be invalid, hence the PSA-call
+ * below will gracefully fail. */
+ mbedtls_cipher_context_psa * const cipher_psa =
+ (mbedtls_cipher_context_psa *) ctx->cipher_ctx;
+
+ psa_status_t status;
+
+ /* PSA Crypto API always writes the authentication tag
+ * at the end of the encrypted message. */
+ if (input == NULL || tag != input + ilen) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ status = psa_aead_decrypt(cipher_psa->slot,
+ cipher_psa->alg,
+ iv, iv_len,
+ ad, ad_len,
+ input, ilen + tag_len,
+ output, ilen, olen);
+ if (status == PSA_ERROR_INVALID_SIGNATURE) {
+ return MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ } else if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_GCM_C)
+ if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ *olen = ilen;
+ ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen,
+ iv, iv_len, ad, ad_len,
+ tag, tag_len, input, output);
+
+ if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ return ret;
+ }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+ if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ *olen = ilen;
+ ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen,
+ iv, iv_len, ad, ad_len,
+ input, output, tag, tag_len);
+
+ if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ return ret;
+ }
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* ChachaPoly has fixed length nonce and MAC (tag) */
+ if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
+ (tag_len != 16U)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ *olen = ilen;
+ ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen,
+ iv, ad, ad_len, tag, input, output);
+
+ if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ return ret;
+ }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+}
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
+/*
+ * Packet-oriented encryption for AEAD/NIST_KW: public function.
+ */
+int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len)
+{
+#if defined(MBEDTLS_NIST_KW_C)
+ if (
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ ctx->psa_enabled == 0 &&
+#endif
+ (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
+ mbedtls_nist_kw_mode_t mode =
+ (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
+ MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
+
+ /* There is no iv, tag or ad associated with KW and KWP,
+ * so these length should be 0 as documented. */
+ if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ (void) iv;
+ (void) ad;
+
+ return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen,
+ output, olen, output_len);
+ }
+#endif /* MBEDTLS_NIST_KW_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+ /* AEAD case: check length before passing on to shared function */
+ if (output_len < ilen + tag_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len,
+ input, ilen, output, olen,
+ output + ilen, tag_len);
+ *olen += tag_len;
+ return ret;
+#else
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+}
+
+/*
+ * Packet-oriented decryption for AEAD/NIST_KW: public function.
+ */
+int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len)
+{
+#if defined(MBEDTLS_NIST_KW_C)
+ if (
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ ctx->psa_enabled == 0 &&
+#endif
+ (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
+ MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
+ mbedtls_nist_kw_mode_t mode =
+ (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
+ MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
+
+ /* There is no iv, tag or ad associated with KW and KWP,
+ * so these length should be 0 as documented. */
+ if (iv_len != 0 || tag_len != 0 || ad_len != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ (void) iv;
+ (void) ad;
+
+ return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen,
+ output, olen, output_len);
+ }
+#endif /* MBEDTLS_NIST_KW_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+ /* AEAD case: check length before passing on to shared function */
+ if (ilen < tag_len || output_len < ilen - tag_len) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len,
+ input, ilen - tag_len, output, olen,
+ input + ilen - tag_len, tag_len);
+#else
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+}
+#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c
new file mode 100644
index 0000000..d2fee22
--- /dev/null
+++ b/library/cipher_wrap.c
@@ -0,0 +1,2482 @@
+/**
+ * \file cipher_wrap.c
+ *
+ * \brief Generic cipher wrapper for Mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "cipher_wrap.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C)
+#include "mbedtls/nist_kw.h"
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#include <string.h>
+#endif
+
+#include "mbedtls/platform.h"
+
+enum mbedtls_cipher_base_index {
+#if defined(MBEDTLS_AES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_AES,
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA,
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA,
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES,
+#endif
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_ARIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA,
+#endif
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CAMELLIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA,
+#endif
+#if defined(MBEDTLS_CHACHA20_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CHACHA20_BASE,
+#endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ MBEDTLS_CIPHER_BASE_INDEX_CHACHAPOLY_BASE,
+#endif
+#if defined(MBEDTLS_DES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3,
+#endif
+#if defined(MBEDTLS_DES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE,
+#endif
+#if defined(MBEDTLS_DES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_DES,
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_AES,
+#endif
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_ARIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA,
+#endif
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_CAMELLIA_C)
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA,
+#endif
+#if defined(MBEDTLS_NIST_KW_C)
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES,
+#endif
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+ MBEDTLS_CIPHER_BASE_INDEX_NULL_BASE,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS) && defined(MBEDTLS_AES_C)
+ MBEDTLS_CIPHER_BASE_INDEX_XTS_AES,
+#endif
+ /* Prevent compile failure due to empty enum */
+ MBEDTLS_CIPHER_BASE_PREVENT_EMPTY_ENUM
+};
+
+#if defined(MBEDTLS_GCM_C) && \
+ (defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C))
+/* shared by all GCM ciphers */
+static void *gcm_ctx_alloc(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_gcm_context));
+
+ if (ctx != NULL) {
+ mbedtls_gcm_init((mbedtls_gcm_context *) ctx);
+ }
+
+ return ctx;
+}
+
+static void gcm_ctx_free(void *ctx)
+{
+ mbedtls_gcm_free(ctx);
+ mbedtls_free(ctx);
+}
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C) && \
+ (defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C))
+/* shared by all CCM ciphers */
+static void *ccm_ctx_alloc(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ccm_context));
+
+ if (ctx != NULL) {
+ mbedtls_ccm_init((mbedtls_ccm_context *) ctx);
+ }
+
+ return ctx;
+}
+
+static void ccm_ctx_free(void *ctx)
+{
+ mbedtls_ccm_free(ctx);
+ mbedtls_free(ctx);
+}
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_AES_C)
+
+static int aes_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_ecb((mbedtls_aes_context *) ctx, operation, input, output);
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aes_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation, size_t length,
+ unsigned char *iv, const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_cbc((mbedtls_aes_context *) ctx, operation, length, iv, input,
+ output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aes_crypt_cfb128_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, size_t *iv_off, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_cfb128((mbedtls_aes_context *) ctx, operation, length, iv_off, iv,
+ input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static int aes_crypt_ofb_wrap(void *ctx, size_t length, size_t *iv_off,
+ unsigned char *iv, const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_ofb((mbedtls_aes_context *) ctx, length, iv_off,
+ iv, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aes_crypt_ctr_wrap(void *ctx, size_t length, size_t *nc_off,
+ unsigned char *nonce_counter, unsigned char *stream_block,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aes_crypt_ctr((mbedtls_aes_context *) ctx, length, nc_off, nonce_counter,
+ stream_block, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int aes_crypt_xts_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+ int mode;
+
+ switch (operation) {
+ case MBEDTLS_ENCRYPT:
+ mode = MBEDTLS_AES_ENCRYPT;
+ break;
+ case MBEDTLS_DECRYPT:
+ mode = MBEDTLS_AES_DECRYPT;
+ break;
+ default:
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_aes_crypt_xts(xts_ctx, mode, length,
+ data_unit, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static int aes_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_setkey_dec((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+#endif
+
+static int aes_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_setkey_enc((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+
+static void *aes_ctx_alloc(void)
+{
+ mbedtls_aes_context *aes = mbedtls_calloc(1, sizeof(mbedtls_aes_context));
+
+ if (aes == NULL) {
+ return NULL;
+ }
+
+ mbedtls_aes_init(aes);
+
+ return aes;
+}
+
+static void aes_ctx_free(void *ctx)
+{
+ mbedtls_aes_free((mbedtls_aes_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ aes_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ aes_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ aes_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ aes_crypt_ofb_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ aes_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ aes_setkey_enc_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ aes_setkey_dec_wrap,
+#endif
+ aes_ctx_alloc,
+ aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_ecb_info = {
+ "AES-128-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_AES_128_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ecb_info = {
+ "AES-192-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_AES_192_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ecb_info = {
+ "AES-256-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_AES_256_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aes_128_cbc_info = {
+ "AES-128-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_AES_128_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_cbc_info = {
+ "AES-192-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_AES_192_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_cbc_info = {
+ "AES-256-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_AES_256_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aes_128_cfb128_info = {
+ "AES-128-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_AES_128_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_cfb128_info = {
+ "AES-192-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_AES_192_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_cfb128_info = {
+ "AES-256-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_AES_256_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static const mbedtls_cipher_info_t aes_128_ofb_info = {
+ "AES-128-OFB",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_OFB,
+ MBEDTLS_CIPHER_AES_128_OFB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ofb_info = {
+ "AES-192-OFB",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_OFB,
+ MBEDTLS_CIPHER_AES_192_OFB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ofb_info = {
+ "AES-256-OFB",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_OFB,
+ MBEDTLS_CIPHER_AES_256_OFB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aes_128_ctr_info = {
+ "AES-128-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_AES_128_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ctr_info = {
+ "AES-192-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_AES_192_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ctr_info = {
+ "AES-256-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_AES_256_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int xts_aes_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+ return mbedtls_aes_xts_setkey_enc(xts_ctx, key, key_bitlen);
+}
+
+static int xts_aes_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+ return mbedtls_aes_xts_setkey_dec(xts_ctx, key, key_bitlen);
+}
+
+static void *xts_aes_ctx_alloc(void)
+{
+ mbedtls_aes_xts_context *xts_ctx = mbedtls_calloc(1, sizeof(*xts_ctx));
+
+ if (xts_ctx != NULL) {
+ mbedtls_aes_xts_init(xts_ctx);
+ }
+
+ return xts_ctx;
+}
+
+static void xts_aes_ctx_free(void *ctx)
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+
+ if (xts_ctx == NULL) {
+ return;
+ }
+
+ mbedtls_aes_xts_free(xts_ctx);
+ mbedtls_free(xts_ctx);
+}
+
+static const mbedtls_cipher_base_t xts_aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ aes_crypt_xts_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ xts_aes_setkey_enc_wrap,
+ xts_aes_setkey_dec_wrap,
+ xts_aes_ctx_alloc,
+ xts_aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_xts_info = {
+ "AES-128-XTS",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_XTS,
+ MBEDTLS_CIPHER_AES_128_XTS,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_XTS_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_256_xts_info = {
+ "AES-256-XTS",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 512 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_XTS,
+ MBEDTLS_CIPHER_AES_256_XTS,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_XTS_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_CCM_GCM_CAN_AES)
+static int gcm_aes_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+ key, key_bitlen);
+}
+#endif /* MBEDTLS_GCM_C && MBEDTLS_CCM_GCM_CAN_AES */
+
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_base_t gcm_aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+#if defined(MBEDTLS_GCM_C)
+ gcm_aes_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ gcm_aes_setkey_wrap,
+#endif
+ gcm_ctx_alloc,
+ gcm_ctx_free,
+#else
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+#endif /* MBEDTLS_GCM_C */
+};
+#endif /* MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA */
+
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_info_t aes_128_gcm_info = {
+ "AES-128-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_AES_128_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_gcm_info = {
+ "AES-192-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_AES_192_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_gcm_info = {
+ "AES-256-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_AES_256_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA */
+
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CCM_GCM_CAN_AES)
+static int ccm_aes_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+ key, key_bitlen);
+}
+#endif /* MBEDTLS_CCM_C && MBEDTLS_CCM_GCM_CAN_AES */
+
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_base_t ccm_aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+#if defined(MBEDTLS_CCM_C)
+ ccm_aes_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ ccm_aes_setkey_wrap,
+#endif
+ ccm_ctx_alloc,
+ ccm_ctx_free,
+#else
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+#endif
+};
+#endif /* MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA */
+
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_info_t aes_128_ccm_info = {
+ "AES-128-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_AES_128_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ccm_info = {
+ "AES-192-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_AES_192_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ccm_info = {
+ "AES-256-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_AES_256_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA */
+
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA)
+static const mbedtls_cipher_info_t aes_128_ccm_star_no_tag_info = {
+ "AES-128-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_ccm_star_no_tag_info = {
+ "AES-192-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_ccm_star_no_tag_info = {
+ "AES-256-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_AES
+};
+#endif
+#endif /* MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA */
+
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+static int camellia_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_camellia_crypt_ecb((mbedtls_camellia_context *) ctx, operation, input,
+ output);
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int camellia_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_camellia_crypt_cbc((mbedtls_camellia_context *) ctx, operation, length, iv,
+ input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int camellia_crypt_cfb128_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, size_t *iv_off, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_camellia_crypt_cfb128((mbedtls_camellia_context *) ctx, operation, length,
+ iv_off, iv, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int camellia_crypt_ctr_wrap(void *ctx, size_t length, size_t *nc_off,
+ unsigned char *nonce_counter, unsigned char *stream_block,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_camellia_crypt_ctr((mbedtls_camellia_context *) ctx, length, nc_off,
+ nonce_counter, stream_block, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static int camellia_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_camellia_setkey_dec((mbedtls_camellia_context *) ctx, key, key_bitlen);
+}
+#endif
+
+static int camellia_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_camellia_setkey_enc((mbedtls_camellia_context *) ctx, key, key_bitlen);
+}
+
+static void *camellia_ctx_alloc(void)
+{
+ mbedtls_camellia_context *ctx;
+ ctx = mbedtls_calloc(1, sizeof(mbedtls_camellia_context));
+
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ mbedtls_camellia_init(ctx);
+
+ return ctx;
+}
+
+static void camellia_ctx_free(void *ctx)
+{
+ mbedtls_camellia_free((mbedtls_camellia_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t camellia_info = {
+ MBEDTLS_CIPHER_ID_CAMELLIA,
+ camellia_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ camellia_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ camellia_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ camellia_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ camellia_setkey_enc_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ camellia_setkey_dec_wrap,
+#endif
+ camellia_ctx_alloc,
+ camellia_ctx_free
+};
+
+static const mbedtls_cipher_info_t camellia_128_ecb_info = {
+ "CAMELLIA-128-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_CAMELLIA_128_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_ecb_info = {
+ "CAMELLIA-192-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_CAMELLIA_192_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_ecb_info = {
+ "CAMELLIA-256-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_CAMELLIA_256_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t camellia_128_cbc_info = {
+ "CAMELLIA-128-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_cbc_info = {
+ "CAMELLIA-192-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_CAMELLIA_192_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_cbc_info = {
+ "CAMELLIA-256-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t camellia_128_cfb128_info = {
+ "CAMELLIA-128-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_CAMELLIA_128_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_cfb128_info = {
+ "CAMELLIA-192-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_CAMELLIA_192_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_cfb128_info = {
+ "CAMELLIA-256-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_CAMELLIA_256_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t camellia_128_ctr_info = {
+ "CAMELLIA-128-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_CAMELLIA_128_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_ctr_info = {
+ "CAMELLIA-192-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_CAMELLIA_192_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_ctr_info = {
+ "CAMELLIA-256-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_CAMELLIA_256_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_camellia_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+ key, key_bitlen);
+}
+
+static const mbedtls_cipher_base_t gcm_camellia_info = {
+ MBEDTLS_CIPHER_ID_CAMELLIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ gcm_camellia_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ gcm_camellia_setkey_wrap,
+#endif
+ gcm_ctx_alloc,
+ gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_gcm_info = {
+ "CAMELLIA-128-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_gcm_info = {
+ "CAMELLIA-192-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_CAMELLIA_192_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_gcm_info = {
+ "CAMELLIA-256-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_camellia_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+ key, key_bitlen);
+}
+
+static const mbedtls_cipher_base_t ccm_camellia_info = {
+ MBEDTLS_CIPHER_ID_CAMELLIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ ccm_camellia_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ ccm_camellia_setkey_wrap,
+#endif
+ ccm_ctx_alloc,
+ ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_ccm_info = {
+ "CAMELLIA-128-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_CAMELLIA_128_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_ccm_info = {
+ "CAMELLIA-192-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_CAMELLIA_192_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_ccm_info = {
+ "CAMELLIA-256-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_CAMELLIA_256_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_128_ccm_star_no_tag_info = {
+ "CAMELLIA-128-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_192_ccm_star_no_tag_info = {
+ "CAMELLIA-192-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+
+static const mbedtls_cipher_info_t camellia_256_ccm_star_no_tag_info = {
+ "CAMELLIA-256-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_ARIA_C)
+
+static int aria_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ (void) operation;
+ return mbedtls_aria_crypt_ecb((mbedtls_aria_context *) ctx, input,
+ output);
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aria_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aria_crypt_cbc((mbedtls_aria_context *) ctx, operation, length, iv,
+ input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aria_crypt_cfb128_wrap(void *ctx, mbedtls_operation_t operation,
+ size_t length, size_t *iv_off, unsigned char *iv,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aria_crypt_cfb128((mbedtls_aria_context *) ctx, operation, length,
+ iv_off, iv, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aria_crypt_ctr_wrap(void *ctx, size_t length, size_t *nc_off,
+ unsigned char *nonce_counter, unsigned char *stream_block,
+ const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_aria_crypt_ctr((mbedtls_aria_context *) ctx, length, nc_off,
+ nonce_counter, stream_block, input, output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+static int aria_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aria_setkey_dec((mbedtls_aria_context *) ctx, key, key_bitlen);
+}
+#endif
+
+static int aria_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aria_setkey_enc((mbedtls_aria_context *) ctx, key, key_bitlen);
+}
+
+static void *aria_ctx_alloc(void)
+{
+ mbedtls_aria_context *ctx;
+ ctx = mbedtls_calloc(1, sizeof(mbedtls_aria_context));
+
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ mbedtls_aria_init(ctx);
+
+ return ctx;
+}
+
+static void aria_ctx_free(void *ctx)
+{
+ mbedtls_aria_free((mbedtls_aria_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t aria_info = {
+ MBEDTLS_CIPHER_ID_ARIA,
+ aria_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ aria_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ aria_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ aria_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ aria_setkey_enc_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ aria_setkey_dec_wrap,
+#endif
+ aria_ctx_alloc,
+ aria_ctx_free
+};
+
+static const mbedtls_cipher_info_t aria_128_ecb_info = {
+ "ARIA-128-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_ARIA_128_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_ecb_info = {
+ "ARIA-192-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_ARIA_192_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_ecb_info = {
+ "ARIA-256-ECB",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_ARIA_256_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aria_128_cbc_info = {
+ "ARIA-128-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_ARIA_128_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_cbc_info = {
+ "ARIA-192-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_ARIA_192_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_cbc_info = {
+ "ARIA-256-CBC",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_ARIA_256_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aria_128_cfb128_info = {
+ "ARIA-128-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_ARIA_128_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_cfb128_info = {
+ "ARIA-192-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_ARIA_192_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_cfb128_info = {
+ "ARIA-256-CFB128",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CFB,
+ MBEDTLS_CIPHER_ARIA_256_CFB128,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aria_128_ctr_info = {
+ "ARIA-128-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_ARIA_128_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_ctr_info = {
+ "ARIA-192-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_ARIA_192_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_ctr_info = {
+ "ARIA-256-CTR",
+ 16,
+ 16 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CTR,
+ MBEDTLS_CIPHER_ARIA_256_CTR,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_ARIA
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_aria_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+ key, key_bitlen);
+}
+
+static const mbedtls_cipher_base_t gcm_aria_info = {
+ MBEDTLS_CIPHER_ID_ARIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ gcm_aria_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ gcm_aria_setkey_wrap,
+#endif
+ gcm_ctx_alloc,
+ gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_gcm_info = {
+ "ARIA-128-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_ARIA_128_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_gcm_info = {
+ "ARIA-192-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_ARIA_192_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_gcm_info = {
+ "ARIA-256-GCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_GCM,
+ MBEDTLS_CIPHER_ARIA_256_GCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_aria_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+ key, key_bitlen);
+}
+
+static const mbedtls_cipher_base_t ccm_aria_info = {
+ MBEDTLS_CIPHER_ID_ARIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ ccm_aria_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ ccm_aria_setkey_wrap,
+#endif
+ ccm_ctx_alloc,
+ ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_ccm_info = {
+ "ARIA-128-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_ARIA_128_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_ccm_info = {
+ "ARIA-192-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_ARIA_192_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_ccm_info = {
+ "ARIA-256-CCM",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM,
+ MBEDTLS_CIPHER_ARIA_256_CCM,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_128_ccm_star_no_tag_info = {
+ "ARIA-128-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_192_ccm_star_no_tag_info = {
+ "ARIA-192-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+
+static const mbedtls_cipher_info_t aria_256_ccm_star_no_tag_info = {
+ "ARIA-256-CCM*-NO-TAG",
+ 16,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_DES_C)
+
+static int des_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ ((void) operation);
+ return mbedtls_des_crypt_ecb((mbedtls_des_context *) ctx, input, output);
+}
+
+static int des3_crypt_ecb_wrap(void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output)
+{
+ ((void) operation);
+ return mbedtls_des3_crypt_ecb((mbedtls_des3_context *) ctx, input, output);
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation, size_t length,
+ unsigned char *iv, const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_des_crypt_cbc((mbedtls_des_context *) ctx, operation, length, iv, input,
+ output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des3_crypt_cbc_wrap(void *ctx, mbedtls_operation_t operation, size_t length,
+ unsigned char *iv, const unsigned char *input, unsigned char *output)
+{
+ return mbedtls_des3_crypt_cbc((mbedtls_des3_context *) ctx, operation, length, iv, input,
+ output);
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static int des_setkey_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des_setkey_dec((mbedtls_des_context *) ctx, key);
+}
+
+static int des_setkey_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des_setkey_enc((mbedtls_des_context *) ctx, key);
+}
+
+static int des3_set2key_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des3_set2key_dec((mbedtls_des3_context *) ctx, key);
+}
+
+static int des3_set2key_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des3_set2key_enc((mbedtls_des3_context *) ctx, key);
+}
+
+static int des3_set3key_dec_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des3_set3key_dec((mbedtls_des3_context *) ctx, key);
+}
+
+static int des3_set3key_enc_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) key_bitlen);
+
+ return mbedtls_des3_set3key_enc((mbedtls_des3_context *) ctx, key);
+}
+
+static void *des_ctx_alloc(void)
+{
+ mbedtls_des_context *des = mbedtls_calloc(1, sizeof(mbedtls_des_context));
+
+ if (des == NULL) {
+ return NULL;
+ }
+
+ mbedtls_des_init(des);
+
+ return des;
+}
+
+static void des_ctx_free(void *ctx)
+{
+ mbedtls_des_free((mbedtls_des_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static void *des3_ctx_alloc(void)
+{
+ mbedtls_des3_context *des3;
+ des3 = mbedtls_calloc(1, sizeof(mbedtls_des3_context));
+
+ if (des3 == NULL) {
+ return NULL;
+ }
+
+ mbedtls_des3_init(des3);
+
+ return des3;
+}
+
+static void des3_ctx_free(void *ctx)
+{
+ mbedtls_des3_free((mbedtls_des3_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t des_info = {
+ MBEDTLS_CIPHER_ID_DES,
+ des_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ des_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ des_setkey_enc_wrap,
+ des_setkey_dec_wrap,
+ des_ctx_alloc,
+ des_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ecb_info = {
+ "DES-ECB",
+ 8,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_DES_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_cbc_info = {
+ "DES-CBC",
+ 8,
+ 8 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_DES_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede_info = {
+ MBEDTLS_CIPHER_ID_DES,
+ des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ des3_set2key_enc_wrap,
+ des3_set2key_dec_wrap,
+ des3_ctx_alloc,
+ des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede_ecb_info = {
+ "DES-EDE-ECB",
+ 8,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES_EDE >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_DES_EDE_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede_cbc_info = {
+ "DES-EDE-CBC",
+ 8,
+ 8 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES_EDE >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_DES_EDE_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede3_info = {
+ MBEDTLS_CIPHER_ID_3DES,
+ des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ des3_set3key_enc_wrap,
+ des3_set3key_dec_wrap,
+ des3_ctx_alloc,
+ des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede3_ecb_info = {
+ "DES-EDE3-ECB",
+ 8,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES_EDE3 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_ECB,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3
+};
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede3_cbc_info = {
+ "DES-EDE3-CBC",
+ 8,
+ 8 >> MBEDTLS_IV_SIZE_SHIFT,
+ MBEDTLS_KEY_LENGTH_DES_EDE3 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CBC,
+ MBEDTLS_CIPHER_DES_EDE3_CBC,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+static int chacha20_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ if (key_bitlen != 256U) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (0 != mbedtls_chacha20_setkey((mbedtls_chacha20_context *) ctx, key)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+static int chacha20_stream_wrap(void *ctx, size_t length,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_chacha20_update(ctx, length, input, output);
+ if (ret == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return ret;
+}
+
+static void *chacha20_ctx_alloc(void)
+{
+ mbedtls_chacha20_context *ctx;
+ ctx = mbedtls_calloc(1, sizeof(mbedtls_chacha20_context));
+
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ mbedtls_chacha20_init(ctx);
+
+ return ctx;
+}
+
+static void chacha20_ctx_free(void *ctx)
+{
+ mbedtls_chacha20_free((mbedtls_chacha20_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t chacha20_base_info = {
+ MBEDTLS_CIPHER_ID_CHACHA20,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ chacha20_stream_wrap,
+#endif
+ chacha20_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ chacha20_setkey_wrap,
+#endif
+ chacha20_ctx_alloc,
+ chacha20_ctx_free
+};
+static const mbedtls_cipher_info_t chacha20_info = {
+ "CHACHA20",
+ 1,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_STREAM,
+ MBEDTLS_CIPHER_CHACHA20,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CHACHA20_BASE
+};
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+static int chachapoly_setkey_wrap(void *ctx,
+ const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ if (key_bitlen != 256U) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (0 != mbedtls_chachapoly_setkey((mbedtls_chachapoly_context *) ctx, key)) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+static void *chachapoly_ctx_alloc(void)
+{
+ mbedtls_chachapoly_context *ctx;
+ ctx = mbedtls_calloc(1, sizeof(mbedtls_chachapoly_context));
+
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ mbedtls_chachapoly_init(ctx);
+
+ return ctx;
+}
+
+static void chachapoly_ctx_free(void *ctx)
+{
+ mbedtls_chachapoly_free((mbedtls_chachapoly_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static const mbedtls_cipher_base_t chachapoly_base_info = {
+ MBEDTLS_CIPHER_ID_CHACHA20,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ chachapoly_setkey_wrap,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ chachapoly_setkey_wrap,
+#endif
+ chachapoly_ctx_alloc,
+ chachapoly_ctx_free
+};
+static const mbedtls_cipher_info_t chachapoly_info = {
+ "CHACHA20-POLY1305",
+ 1,
+ 12 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_CHACHAPOLY,
+ MBEDTLS_CIPHER_CHACHA20_POLY1305,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_CHACHAPOLY_BASE
+};
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+static int null_crypt_stream(void *ctx, size_t length,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ ((void) ctx);
+ memmove(output, input, length);
+ return 0;
+}
+
+static int null_setkey(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ ((void) ctx);
+ ((void) key);
+ ((void) key_bitlen);
+
+ return 0;
+}
+
+static void *null_ctx_alloc(void)
+{
+ return (void *) 1;
+}
+
+static void null_ctx_free(void *ctx)
+{
+ ((void) ctx);
+}
+
+static const mbedtls_cipher_base_t null_base_info = {
+ MBEDTLS_CIPHER_ID_NULL,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ null_crypt_stream,
+#endif
+ null_setkey,
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ null_setkey,
+#endif
+ null_ctx_alloc,
+ null_ctx_free
+};
+
+static const mbedtls_cipher_info_t null_cipher_info = {
+ "NULL",
+ 1,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 0 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_STREAM,
+ MBEDTLS_CIPHER_NULL,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_NULL_BASE
+};
+#endif /* defined(MBEDTLS_CIPHER_NULL_CIPHER) */
+
+#if defined(MBEDTLS_NIST_KW_C)
+static void *kw_ctx_alloc(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_nist_kw_context));
+
+ if (ctx != NULL) {
+ mbedtls_nist_kw_init((mbedtls_nist_kw_context *) ctx);
+ }
+
+ return ctx;
+}
+
+static void kw_ctx_free(void *ctx)
+{
+ mbedtls_nist_kw_free(ctx);
+ mbedtls_free(ctx);
+}
+
+static int kw_aes_setkey_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_nist_kw_setkey((mbedtls_nist_kw_context *) ctx,
+ MBEDTLS_CIPHER_ID_AES, key, key_bitlen, 1);
+}
+
+static int kw_aes_setkey_unwrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_nist_kw_setkey((mbedtls_nist_kw_context *) ctx,
+ MBEDTLS_CIPHER_ID_AES, key, key_bitlen, 0);
+}
+
+static const mbedtls_cipher_base_t kw_aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ kw_aes_setkey_wrap,
+ kw_aes_setkey_unwrap,
+ kw_ctx_alloc,
+ kw_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aes_128_nist_kw_info = {
+ "AES-128-KW",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KW,
+ MBEDTLS_CIPHER_AES_128_KW,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_nist_kw_info = {
+ "AES-192-KW",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KW,
+ MBEDTLS_CIPHER_AES_192_KW,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_nist_kw_info = {
+ "AES-256-KW",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KW,
+ MBEDTLS_CIPHER_AES_256_KW,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+#endif
+
+static const mbedtls_cipher_info_t aes_128_nist_kwp_info = {
+ "AES-128-KWP",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 128 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KWP,
+ MBEDTLS_CIPHER_AES_128_KWP,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const mbedtls_cipher_info_t aes_192_nist_kwp_info = {
+ "AES-192-KWP",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 192 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KWP,
+ MBEDTLS_CIPHER_AES_192_KWP,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+
+static const mbedtls_cipher_info_t aes_256_nist_kwp_info = {
+ "AES-256-KWP",
+ 16,
+ 0 >> MBEDTLS_IV_SIZE_SHIFT,
+ 256 >> MBEDTLS_KEY_BITLEN_SHIFT,
+ MBEDTLS_MODE_KWP,
+ MBEDTLS_CIPHER_AES_256_KWP,
+ 0,
+ MBEDTLS_CIPHER_BASE_INDEX_KW_AES
+};
+#endif
+#endif /* MBEDTLS_NIST_KW_C */
+
+const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
+{
+#if defined(MBEDTLS_AES_C)
+ { MBEDTLS_CIPHER_AES_128_ECB, &aes_128_ecb_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_ECB, &aes_192_ecb_info },
+ { MBEDTLS_CIPHER_AES_256_ECB, &aes_256_ecb_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ { MBEDTLS_CIPHER_AES_128_CBC, &aes_128_cbc_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CBC, &aes_192_cbc_info },
+ { MBEDTLS_CIPHER_AES_256_CBC, &aes_256_cbc_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ { MBEDTLS_CIPHER_AES_128_CFB128, &aes_128_cfb128_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CFB128, &aes_192_cfb128_info },
+ { MBEDTLS_CIPHER_AES_256_CFB128, &aes_256_cfb128_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ { MBEDTLS_CIPHER_AES_128_OFB, &aes_128_ofb_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_OFB, &aes_192_ofb_info },
+ { MBEDTLS_CIPHER_AES_256_OFB, &aes_256_ofb_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ { MBEDTLS_CIPHER_AES_128_CTR, &aes_128_ctr_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CTR, &aes_192_ctr_info },
+ { MBEDTLS_CIPHER_AES_256_CTR, &aes_256_ctr_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ { MBEDTLS_CIPHER_AES_128_XTS, &aes_128_xts_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_256_XTS, &aes_256_xts_info },
+#endif
+#endif
+#endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+ { MBEDTLS_CIPHER_AES_128_GCM, &aes_128_gcm_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_GCM, &aes_192_gcm_info },
+ { MBEDTLS_CIPHER_AES_256_GCM, &aes_256_gcm_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+ { MBEDTLS_CIPHER_AES_128_CCM, &aes_128_ccm_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CCM, &aes_192_ccm_info },
+ { MBEDTLS_CIPHER_AES_256_CCM, &aes_256_ccm_info },
+#endif
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA)
+ { MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, &aes_128_ccm_star_no_tag_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, &aes_192_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, &aes_256_ccm_star_no_tag_info },
+#endif
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+ { MBEDTLS_CIPHER_CAMELLIA_128_ECB, &camellia_128_ecb_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_ECB, &camellia_192_ecb_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_ECB, &camellia_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ { MBEDTLS_CIPHER_CAMELLIA_128_CBC, &camellia_128_cbc_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CBC, &camellia_192_cbc_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CBC, &camellia_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ { MBEDTLS_CIPHER_CAMELLIA_128_CFB128, &camellia_128_cfb128_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CFB128, &camellia_192_cfb128_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CFB128, &camellia_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ { MBEDTLS_CIPHER_CAMELLIA_128_CTR, &camellia_128_ctr_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CTR, &camellia_192_ctr_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CTR, &camellia_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+ { MBEDTLS_CIPHER_CAMELLIA_128_GCM, &camellia_128_gcm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_GCM, &camellia_192_gcm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_GCM, &camellia_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+ { MBEDTLS_CIPHER_CAMELLIA_128_CCM, &camellia_128_ccm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CCM, &camellia_192_ccm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CCM, &camellia_256_ccm_info },
+ { MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, &camellia_128_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, &camellia_192_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, &camellia_256_ccm_star_no_tag_info },
+#endif
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_ARIA_C)
+ { MBEDTLS_CIPHER_ARIA_128_ECB, &aria_128_ecb_info },
+ { MBEDTLS_CIPHER_ARIA_192_ECB, &aria_192_ecb_info },
+ { MBEDTLS_CIPHER_ARIA_256_ECB, &aria_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ { MBEDTLS_CIPHER_ARIA_128_CBC, &aria_128_cbc_info },
+ { MBEDTLS_CIPHER_ARIA_192_CBC, &aria_192_cbc_info },
+ { MBEDTLS_CIPHER_ARIA_256_CBC, &aria_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ { MBEDTLS_CIPHER_ARIA_128_CFB128, &aria_128_cfb128_info },
+ { MBEDTLS_CIPHER_ARIA_192_CFB128, &aria_192_cfb128_info },
+ { MBEDTLS_CIPHER_ARIA_256_CFB128, &aria_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ { MBEDTLS_CIPHER_ARIA_128_CTR, &aria_128_ctr_info },
+ { MBEDTLS_CIPHER_ARIA_192_CTR, &aria_192_ctr_info },
+ { MBEDTLS_CIPHER_ARIA_256_CTR, &aria_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+ { MBEDTLS_CIPHER_ARIA_128_GCM, &aria_128_gcm_info },
+ { MBEDTLS_CIPHER_ARIA_192_GCM, &aria_192_gcm_info },
+ { MBEDTLS_CIPHER_ARIA_256_GCM, &aria_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+ { MBEDTLS_CIPHER_ARIA_128_CCM, &aria_128_ccm_info },
+ { MBEDTLS_CIPHER_ARIA_192_CCM, &aria_192_ccm_info },
+ { MBEDTLS_CIPHER_ARIA_256_CCM, &aria_256_ccm_info },
+ { MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, &aria_128_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, &aria_192_ccm_star_no_tag_info },
+ { MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, &aria_256_ccm_star_no_tag_info },
+#endif
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_DES_C)
+ { MBEDTLS_CIPHER_DES_ECB, &des_ecb_info },
+ { MBEDTLS_CIPHER_DES_EDE_ECB, &des_ede_ecb_info },
+ { MBEDTLS_CIPHER_DES_EDE3_ECB, &des_ede3_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ { MBEDTLS_CIPHER_DES_CBC, &des_cbc_info },
+ { MBEDTLS_CIPHER_DES_EDE_CBC, &des_ede_cbc_info },
+ { MBEDTLS_CIPHER_DES_EDE3_CBC, &des_ede3_cbc_info },
+#endif
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+ { MBEDTLS_CIPHER_CHACHA20, &chacha20_info },
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ { MBEDTLS_CIPHER_CHACHA20_POLY1305, &chachapoly_info },
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C)
+ { MBEDTLS_CIPHER_AES_128_KW, &aes_128_nist_kw_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_KW, &aes_192_nist_kw_info },
+ { MBEDTLS_CIPHER_AES_256_KW, &aes_256_nist_kw_info },
+#endif
+ { MBEDTLS_CIPHER_AES_128_KWP, &aes_128_nist_kwp_info },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { MBEDTLS_CIPHER_AES_192_KWP, &aes_192_nist_kwp_info },
+ { MBEDTLS_CIPHER_AES_256_KWP, &aes_256_nist_kwp_info },
+#endif
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+ { MBEDTLS_CIPHER_NULL, &null_cipher_info },
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+ { MBEDTLS_CIPHER_NONE, NULL }
+};
+
+#define NUM_CIPHERS (sizeof(mbedtls_cipher_definitions) / \
+ sizeof(mbedtls_cipher_definitions[0]))
+int mbedtls_cipher_supported[NUM_CIPHERS];
+
+const mbedtls_cipher_base_t *mbedtls_cipher_base_lookup_table[] = {
+#if defined(MBEDTLS_AES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_AES] = &aes_info,
+#endif
+#if defined(MBEDTLS_ARIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_ARIA] = &aria_info,
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CAMELLIA] = &camellia_info,
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA)
+ [MBEDTLS_CIPHER_BASE_INDEX_CCM_AES] = &ccm_aes_info,
+#endif
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_ARIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CCM_ARIA] = &ccm_aria_info,
+#endif
+#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CAMELLIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CCM_CAMELLIA] = &ccm_camellia_info,
+#endif
+#if defined(MBEDTLS_CHACHA20_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CHACHA20_BASE] = &chacha20_base_info,
+#endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_CHACHAPOLY_BASE] = &chachapoly_base_info,
+#endif
+#if defined(MBEDTLS_DES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_DES_EDE3] = &des_ede3_info,
+#endif
+#if defined(MBEDTLS_DES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_DES_EDE] = &des_ede_info,
+#endif
+#if defined(MBEDTLS_DES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_DES] = &des_info,
+#endif
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA)
+ [MBEDTLS_CIPHER_BASE_INDEX_GCM_AES] = &gcm_aes_info,
+#endif
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_ARIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_GCM_ARIA] = &gcm_aria_info,
+#endif
+#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_CAMELLIA_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_GCM_CAMELLIA] = &gcm_camellia_info,
+#endif
+#if defined(MBEDTLS_NIST_KW_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_KW_AES] = &kw_aes_info,
+#endif
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+ [MBEDTLS_CIPHER_BASE_INDEX_NULL_BASE] = &null_base_info,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS) && defined(MBEDTLS_AES_C)
+ [MBEDTLS_CIPHER_BASE_INDEX_XTS_AES] = &xts_aes_info
+#endif
+};
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/library/cipher_wrap.h b/library/cipher_wrap.h
new file mode 100644
index 0000000..f229151
--- /dev/null
+++ b/library/cipher_wrap.h
@@ -0,0 +1,178 @@
+/**
+ * \file cipher_wrap.h
+ *
+ * \brief Cipher wrappers.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_CIPHER_WRAP_H
+#define MBEDTLS_CIPHER_WRAP_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/cipher.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Support for GCM either through Mbed TLS SW implementation or PSA */
+#if defined(MBEDTLS_GCM_C) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM))
+#define MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_AES_C)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_KEY_TYPE_AES))
+#define MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if defined(MBEDTLS_CCM_C) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM))
+#define MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if (defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM) && defined(PSA_WANT_KEY_TYPE_AES))
+#define MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if defined(MBEDTLS_CCM_C) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM_STAR_NO_TAG))
+#define MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if (defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM_STAR_NO_TAG) && \
+ defined(PSA_WANT_KEY_TYPE_AES))
+#define MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C) || \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CHACHA20_POLY1305))
+#define MBEDTLS_CIPHER_HAVE_CHACHAPOLY_VIA_LEGACY_OR_USE_PSA
+#endif
+
+#if defined(MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA) || \
+ defined(MBEDTLS_CIPHER_HAVE_CHACHAPOLY_VIA_LEGACY_OR_USE_PSA)
+#define MBEDTLS_CIPHER_HAVE_SOME_AEAD_VIA_LEGACY_OR_USE_PSA
+#endif
+
+/**
+ * Base cipher information. The non-mode specific functions and values.
+ */
+struct mbedtls_cipher_base_t {
+ /** Base Cipher type (e.g. MBEDTLS_CIPHER_ID_AES) */
+ mbedtls_cipher_id_t cipher;
+
+ /** Encrypt using ECB */
+ int (*ecb_func)(void *ctx, mbedtls_operation_t mode,
+ const unsigned char *input, unsigned char *output);
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ /** Encrypt using CBC */
+ int (*cbc_func)(void *ctx, mbedtls_operation_t mode, size_t length,
+ unsigned char *iv, const unsigned char *input,
+ unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ /** Encrypt using CFB (Full length) */
+ int (*cfb_func)(void *ctx, mbedtls_operation_t mode, size_t length, size_t *iv_off,
+ unsigned char *iv, const unsigned char *input,
+ unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ /** Encrypt using OFB (Full length) */
+ int (*ofb_func)(void *ctx, size_t length, size_t *iv_off,
+ unsigned char *iv,
+ const unsigned char *input,
+ unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ /** Encrypt using CTR */
+ int (*ctr_func)(void *ctx, size_t length, size_t *nc_off,
+ unsigned char *nonce_counter, unsigned char *stream_block,
+ const unsigned char *input, unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ /** Encrypt or decrypt using XTS. */
+ int (*xts_func)(void *ctx, mbedtls_operation_t mode, size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input, unsigned char *output);
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ /** Encrypt using STREAM */
+ int (*stream_func)(void *ctx, size_t length,
+ const unsigned char *input, unsigned char *output);
+#endif
+
+ /** Set key for encryption purposes */
+ int (*setkey_enc_func)(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen);
+
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ /** Set key for decryption purposes */
+ int (*setkey_dec_func)(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen);
+#endif
+
+ /** Allocate a new context */
+ void * (*ctx_alloc_func)(void);
+
+ /** Free the given context */
+ void (*ctx_free_func)(void *ctx);
+
+};
+
+typedef struct {
+ mbedtls_cipher_type_t type;
+ const mbedtls_cipher_info_t *info;
+} mbedtls_cipher_definition_t;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+typedef enum {
+ MBEDTLS_CIPHER_PSA_KEY_UNSET = 0,
+ MBEDTLS_CIPHER_PSA_KEY_OWNED, /* Used for PSA-based cipher contexts which */
+ /* use raw key material internally imported */
+ /* as a volatile key, and which hence need */
+ /* to destroy that key when the context is */
+ /* freed. */
+ MBEDTLS_CIPHER_PSA_KEY_NOT_OWNED, /* Used for PSA-based cipher contexts */
+ /* which use a key provided by the */
+ /* user, and which hence will not be */
+ /* destroyed when the context is freed. */
+} mbedtls_cipher_psa_key_ownership;
+
+typedef struct {
+ psa_algorithm_t alg;
+ mbedtls_svc_key_id_t slot;
+ mbedtls_cipher_psa_key_ownership slot_state;
+} mbedtls_cipher_context_psa;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+extern const mbedtls_cipher_definition_t mbedtls_cipher_definitions[];
+
+extern int mbedtls_cipher_supported[];
+
+extern const mbedtls_cipher_base_t *mbedtls_cipher_base_lookup_table[];
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CIPHER_WRAP_H */
diff --git a/library/cmac.c b/library/cmac.c
new file mode 100644
index 0000000..eda10d0
--- /dev/null
+++ b/library/cmac.c
@@ -0,0 +1,1067 @@
+/**
+ * \file cmac.c
+ *
+ * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References:
+ *
+ * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
+ * CMAC Mode for Authentication
+ * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
+ *
+ * - RFC 4493 - The AES-CMAC Algorithm
+ * https://tools.ietf.org/html/rfc4493
+ *
+ * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
+ * Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
+ * Algorithm for the Internet Key Exchange Protocol (IKE)
+ * https://tools.ietf.org/html/rfc4615
+ *
+ * Additional test vectors: ISO/IEC 9797-1
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CMAC_C)
+
+#include "mbedtls/cmac.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
+#include "constant_time_internal.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Multiplication by u in the Galois field of GF(2^n)
+ *
+ * As explained in NIST SP 800-38B, this can be computed:
+ *
+ * If MSB(p) = 0, then p = (p << 1)
+ * If MSB(p) = 1, then p = (p << 1) ^ R_n
+ * with R_64 = 0x1B and R_128 = 0x87
+ *
+ * Input and output MUST NOT point to the same buffer
+ * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
+ */
+static int cmac_multiply_by_u(unsigned char *output,
+ const unsigned char *input,
+ size_t blocksize)
+{
+ const unsigned char R_128 = 0x87;
+ unsigned char R_n;
+ uint32_t overflow = 0x00;
+ int i;
+
+ if (blocksize == MBEDTLS_AES_BLOCK_SIZE) {
+ R_n = R_128;
+ }
+#if defined(MBEDTLS_DES_C)
+ else if (blocksize == MBEDTLS_DES3_BLOCK_SIZE) {
+ const unsigned char R_64 = 0x1B;
+ R_n = R_64;
+ }
+#endif
+ else {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ for (i = (int) blocksize - 4; i >= 0; i -= 4) {
+ uint32_t i32 = MBEDTLS_GET_UINT32_BE(&input[i], 0);
+ uint32_t new_overflow = i32 >> 31;
+ i32 = (i32 << 1) | overflow;
+ MBEDTLS_PUT_UINT32_BE(i32, &output[i], 0);
+ overflow = new_overflow;
+ }
+
+ R_n = (unsigned char) mbedtls_ct_uint_if_else_0(mbedtls_ct_bool(input[0] >> 7), R_n);
+ output[blocksize - 1] ^= R_n;
+
+ return 0;
+}
+
+/*
+ * Generate subkeys
+ *
+ * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
+ */
+static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
+ unsigned char *K1, unsigned char *K2)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ size_t olen, block_size;
+
+ mbedtls_platform_zeroize(L, sizeof(L));
+
+ block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
+
+ /* Calculate Ek(0) */
+ if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Generate K1 and K2
+ */
+ if ((ret = cmac_multiply_by_u(K1, L, block_size)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = cmac_multiply_by_u(K2, K1, block_size)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_platform_zeroize(L, sizeof(L));
+
+ return ret;
+}
+#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
+
+#if !defined(MBEDTLS_CMAC_ALT)
+
+/*
+ * Create padded last block from (partial) last block.
+ *
+ * We can't use the padding option from the cipher layer, as it only works for
+ * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
+ */
+static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],
+ size_t padded_block_len,
+ const unsigned char *last_block,
+ size_t last_block_len)
+{
+ size_t j;
+
+ for (j = 0; j < padded_block_len; j++) {
+ if (j < last_block_len) {
+ padded_block[j] = last_block[j];
+ } else if (j == last_block_len) {
+ padded_block[j] = 0x80;
+ } else {
+ padded_block[j] = 0x00;
+ }
+ }
+}
+
+int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
+ const unsigned char *key, size_t keybits)
+{
+ mbedtls_cipher_type_t type;
+ mbedtls_cmac_context_t *cmac_ctx;
+ int retval;
+
+ if (ctx == NULL || ctx->cipher_info == NULL || key == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if ((retval = mbedtls_cipher_setkey(ctx, key, (int) keybits,
+ MBEDTLS_ENCRYPT)) != 0) {
+ return retval;
+ }
+
+ type = mbedtls_cipher_info_get_type(ctx->cipher_info);
+
+ switch (type) {
+ case MBEDTLS_CIPHER_AES_128_ECB:
+ case MBEDTLS_CIPHER_AES_192_ECB:
+ case MBEDTLS_CIPHER_AES_256_ECB:
+ case MBEDTLS_CIPHER_DES_EDE3_ECB:
+ break;
+ default:
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /* Allocated and initialise in the cipher context memory for the CMAC
+ * context */
+ cmac_ctx = mbedtls_calloc(1, sizeof(mbedtls_cmac_context_t));
+ if (cmac_ctx == NULL) {
+ return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
+ }
+
+ ctx->cmac_ctx = cmac_ctx;
+
+ mbedtls_platform_zeroize(cmac_ctx->state, sizeof(cmac_ctx->state));
+
+ return 0;
+}
+
+int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
+ const unsigned char *input, size_t ilen)
+{
+ mbedtls_cmac_context_t *cmac_ctx;
+ unsigned char *state;
+ int ret = 0;
+ size_t n, j, olen, block_size;
+
+ if (ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
+ ctx->cmac_ctx == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ cmac_ctx = ctx->cmac_ctx;
+ block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
+ state = ctx->cmac_ctx->state;
+
+ /* Without the MBEDTLS_ASSUME below, gcc -O3 will generate a warning of the form
+ * error: writing 16 bytes into a region of size 0 [-Werror=stringop-overflow=] */
+ MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE);
+
+ /* Is there data still to process from the last call, that's greater in
+ * size than a block? */
+ if (cmac_ctx->unprocessed_len > 0 &&
+ ilen > block_size - cmac_ctx->unprocessed_len) {
+ memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+ input,
+ block_size - cmac_ctx->unprocessed_len);
+
+ mbedtls_xor_no_simd(state, cmac_ctx->unprocessed_block, state, block_size);
+
+ if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
+ &olen)) != 0) {
+ goto exit;
+ }
+
+ input += block_size - cmac_ctx->unprocessed_len;
+ ilen -= block_size - cmac_ctx->unprocessed_len;
+ cmac_ctx->unprocessed_len = 0;
+ }
+
+ /* n is the number of blocks including any final partial block */
+ n = (ilen + block_size - 1) / block_size;
+
+ /* Iterate across the input data in block sized chunks, excluding any
+ * final partial or complete block */
+ for (j = 1; j < n; j++) {
+ mbedtls_xor_no_simd(state, input, state, block_size);
+
+ if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
+ &olen)) != 0) {
+ goto exit;
+ }
+
+ ilen -= block_size;
+ input += block_size;
+ }
+
+ /* If there is data left over that wasn't aligned to a block */
+ if (ilen > 0) {
+ memcpy(&cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+ input,
+ ilen);
+ cmac_ctx->unprocessed_len += ilen;
+ }
+
+exit:
+ return ret;
+}
+
+int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
+ unsigned char *output)
+{
+ mbedtls_cmac_context_t *cmac_ctx;
+ unsigned char *state, *last_block;
+ unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen, block_size;
+
+ if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
+ output == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ cmac_ctx = ctx->cmac_ctx;
+ block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
+ MBEDTLS_ASSUME(block_size <= MBEDTLS_CMAC_MAX_BLOCK_SIZE); // silence GCC warning
+ state = cmac_ctx->state;
+
+ mbedtls_platform_zeroize(K1, sizeof(K1));
+ mbedtls_platform_zeroize(K2, sizeof(K2));
+ cmac_generate_subkeys(ctx, K1, K2);
+
+ last_block = cmac_ctx->unprocessed_block;
+
+ /* Calculate last block */
+ if (cmac_ctx->unprocessed_len < block_size) {
+ cmac_pad(M_last, block_size, last_block, cmac_ctx->unprocessed_len);
+ mbedtls_xor(M_last, M_last, K2, block_size);
+ } else {
+ /* Last block is complete block */
+ mbedtls_xor(M_last, last_block, K1, block_size);
+ }
+
+
+ mbedtls_xor(state, M_last, state, block_size);
+ if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
+ &olen)) != 0) {
+ goto exit;
+ }
+
+ memcpy(output, state, block_size);
+
+exit:
+ /* Wipe the generated keys on the stack, and any other transients to avoid
+ * side channel leakage */
+ mbedtls_platform_zeroize(K1, sizeof(K1));
+ mbedtls_platform_zeroize(K2, sizeof(K2));
+
+ cmac_ctx->unprocessed_len = 0;
+ mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
+ sizeof(cmac_ctx->unprocessed_block));
+
+ mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE);
+ return ret;
+}
+
+int mbedtls_cipher_cmac_reset(mbedtls_cipher_context_t *ctx)
+{
+ mbedtls_cmac_context_t *cmac_ctx;
+
+ if (ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ cmac_ctx = ctx->cmac_ctx;
+
+ /* Reset the internal state */
+ cmac_ctx->unprocessed_len = 0;
+ mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
+ sizeof(cmac_ctx->unprocessed_block));
+ mbedtls_platform_zeroize(cmac_ctx->state,
+ sizeof(cmac_ctx->state));
+
+ return 0;
+}
+
+int mbedtls_cipher_cmac(const mbedtls_cipher_info_t *cipher_info,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ mbedtls_cipher_context_t ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (cipher_info == NULL || key == NULL || input == NULL || output == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ mbedtls_cipher_init(&ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_cipher_cmac_starts(&ctx, key, keylen);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_cipher_cmac_update(&ctx, input, ilen);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_cipher_cmac_finish(&ctx, output);
+
+exit:
+ mbedtls_cipher_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
+ */
+int mbedtls_aes_cmac_prf_128(const unsigned char *key, size_t key_length,
+ const unsigned char *input, size_t in_len,
+ unsigned char output[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_cipher_info_t *cipher_info;
+ unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
+ unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
+
+ if (key == NULL || input == NULL || output == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
+ if (cipher_info == NULL) {
+ /* Failing at this point must be due to a build issue */
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ goto exit;
+ }
+
+ if (key_length == MBEDTLS_AES_BLOCK_SIZE) {
+ /* Use key as is */
+ memcpy(int_key, key, MBEDTLS_AES_BLOCK_SIZE);
+ } else {
+ memset(zero_key, 0, MBEDTLS_AES_BLOCK_SIZE);
+
+ ret = mbedtls_cipher_cmac(cipher_info, zero_key, 128, key,
+ key_length, int_key);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_cipher_cmac(cipher_info, int_key, 128, input, in_len,
+ output);
+
+exit:
+ mbedtls_platform_zeroize(int_key, sizeof(int_key));
+
+ return ret;
+}
+#endif /* MBEDTLS_AES_C */
+
+#endif /* !MBEDTLS_CMAC_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * CMAC test data for SP800-38B
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
+ *
+ * AES-CMAC-PRF-128 test data from RFC 4615
+ * https://tools.ietf.org/html/rfc4615#page-4
+ */
+
+#define NB_CMAC_TESTS_PER_KEY 4
+#define NB_PRF_TESTS 3
+
+#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
+/* All CMAC test inputs are truncated from the same 64 byte buffer. */
+static const unsigned char test_message[] = {
+ /* PT */
+ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+ 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+ 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+ 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+ 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+ 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+ 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
+ 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
+};
+#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* Truncation point of message for AES CMAC tests */
+static const unsigned int aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+ /* Mlen */
+ 0,
+ 16,
+ 20,
+ 64
+};
+
+/* CMAC-AES128 Test Data */
+static const unsigned char aes_128_key[16] = {
+ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+ 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
+};
+static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+ {
+ /* K1 */
+ 0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
+ 0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
+ },
+ {
+ /* K2 */
+ 0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
+ 0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
+ }
+};
+static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
+{
+ {
+ /* Example #1 */
+ 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
+ 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
+ },
+ {
+ /* Example #2 */
+ 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
+ 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
+ },
+ {
+ /* Example #3 */
+ 0x7d, 0x85, 0x44, 0x9e, 0xa6, 0xea, 0x19, 0xc8,
+ 0x23, 0xa7, 0xbf, 0x78, 0x83, 0x7d, 0xfa, 0xde
+ },
+ {
+ /* Example #4 */
+ 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
+ 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
+ }
+};
+
+/* CMAC-AES192 Test Data */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const unsigned char aes_192_key[24] = {
+ 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
+ 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
+ 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
+};
+static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+ {
+ /* K1 */
+ 0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
+ 0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
+ },
+ {
+ /* K2 */
+ 0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
+ 0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
+ }
+};
+static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
+{
+ {
+ /* Example #1 */
+ 0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
+ 0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
+ },
+ {
+ /* Example #2 */
+ 0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
+ 0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
+ },
+ {
+ /* Example #3 */
+ 0x3d, 0x75, 0xc1, 0x94, 0xed, 0x96, 0x07, 0x04,
+ 0x44, 0xa9, 0xfa, 0x7e, 0xc7, 0x40, 0xec, 0xf8
+ },
+ {
+ /* Example #4 */
+ 0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
+ 0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
+ }
+};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+/* CMAC-AES256 Test Data */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+static const unsigned char aes_256_key[32] = {
+ 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
+ 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
+ 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
+ 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
+};
+static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+ {
+ /* K1 */
+ 0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
+ 0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
+ },
+ {
+ /* K2 */
+ 0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
+ 0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
+ }
+};
+static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] =
+{
+ {
+ /* Example #1 */
+ 0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
+ 0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
+ },
+ {
+ /* Example #2 */
+ 0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
+ 0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
+ },
+ {
+ /* Example #3 */
+ 0x15, 0x67, 0x27, 0xdc, 0x08, 0x78, 0x94, 0x4a,
+ 0x02, 0x3c, 0x1f, 0xe0, 0x3b, 0xad, 0x6d, 0x93
+ },
+ {
+ /* Example #4 */
+ 0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
+ 0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
+ }
+};
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+/* Truncation point of message for 3DES CMAC tests */
+static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+ 0,
+ 16,
+ 20,
+ 32
+};
+
+/* CMAC-TDES (Generation) - 2 Key Test Data */
+static const unsigned char des3_2key_key[24] = {
+ /* Key1 */
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ /* Key2 */
+ 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xEF, 0x01,
+ /* Key3 */
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
+};
+static const unsigned char des3_2key_subkeys[2][8] = {
+ {
+ /* K1 */
+ 0x0d, 0xd2, 0xcb, 0x7a, 0x3d, 0x88, 0x88, 0xd9
+ },
+ {
+ /* K2 */
+ 0x1b, 0xa5, 0x96, 0xf4, 0x7b, 0x11, 0x11, 0xb2
+ }
+};
+static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
+ = {
+ {
+ /* Sample #1 */
+ 0x79, 0xce, 0x52, 0xa7, 0xf7, 0x86, 0xa9, 0x60
+ },
+ {
+ /* Sample #2 */
+ 0xcc, 0x18, 0xa0, 0xb7, 0x9a, 0xf2, 0x41, 0x3b
+ },
+ {
+ /* Sample #3 */
+ 0xc0, 0x6d, 0x37, 0x7e, 0xcd, 0x10, 0x19, 0x69
+ },
+ {
+ /* Sample #4 */
+ 0x9c, 0xd3, 0x35, 0x80, 0xf9, 0xb6, 0x4d, 0xfb
+ }
+ };
+
+/* CMAC-TDES (Generation) - 3 Key Test Data */
+static const unsigned char des3_3key_key[24] = {
+ /* Key1 */
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xaa, 0xcd, 0xef,
+ /* Key2 */
+ 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01,
+ /* Key3 */
+ 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23
+};
+static const unsigned char des3_3key_subkeys[2][8] = {
+ {
+ /* K1 */
+ 0x9d, 0x74, 0xe7, 0x39, 0x33, 0x17, 0x96, 0xc0
+ },
+ {
+ /* K2 */
+ 0x3a, 0xe9, 0xce, 0x72, 0x66, 0x2f, 0x2d, 0x9b
+ }
+};
+static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE]
+ = {
+ {
+ /* Sample #1 */
+ 0x7d, 0xb0, 0xd3, 0x7d, 0xf9, 0x36, 0xc5, 0x50
+ },
+ {
+ /* Sample #2 */
+ 0x30, 0x23, 0x9c, 0xf1, 0xf5, 0x2e, 0x66, 0x09
+ },
+ {
+ /* Sample #3 */
+ 0x6c, 0x9f, 0x3e, 0xe4, 0x92, 0x3f, 0x6b, 0xe2
+ },
+ {
+ /* Sample #4 */
+ 0x99, 0x42, 0x9b, 0xd0, 0xbF, 0x79, 0x04, 0xe5
+ }
+ };
+
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* AES AES-CMAC-PRF-128 Test Data */
+static const unsigned char PRFK[] = {
+ /* Key */
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0xed, 0xcb
+};
+
+/* Sizes in bytes */
+static const size_t PRFKlen[NB_PRF_TESTS] = {
+ 18,
+ 16,
+ 10
+};
+
+/* Message */
+static const unsigned char PRFM[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char PRFT[NB_PRF_TESTS][16] = {
+ {
+ 0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
+ 0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
+ },
+ {
+ 0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
+ 0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
+ },
+ {
+ 0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
+ 0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
+ }
+};
+#endif /* MBEDTLS_AES_C */
+
+static int cmac_test_subkeys(int verbose,
+ const char *testname,
+ const unsigned char *key,
+ int keybits,
+ const unsigned char *subkeys,
+ mbedtls_cipher_type_t cipher_type,
+ int block_size,
+ int num_tests)
+{
+ int i, ret = 0;
+ mbedtls_cipher_context_t ctx;
+ const mbedtls_cipher_info_t *cipher_info;
+ unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+ unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+
+ cipher_info = mbedtls_cipher_info_from_type(cipher_type);
+ if (cipher_info == NULL) {
+ /* Failing at this point must be due to a build issue */
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ for (i = 0; i < num_tests; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" %s CMAC subkey #%d: ", testname, i + 1);
+ }
+
+ mbedtls_cipher_init(&ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx, cipher_info)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("test execution failed\n");
+ }
+
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&ctx, key, keybits,
+ MBEDTLS_ENCRYPT)) != 0) {
+ /* When CMAC is implemented by an alternative implementation, or
+ * the underlying primitive itself is implemented alternatively,
+ * AES-192 may be unavailable. This should not cause the selftest
+ * function to fail. */
+ if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
+ ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
+ cipher_type == MBEDTLS_CIPHER_AES_192_ECB) {
+ if (verbose != 0) {
+ mbedtls_printf("skipped\n");
+ }
+ goto next_test;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("test execution failed\n");
+ }
+
+ goto cleanup;
+ }
+
+ ret = cmac_generate_subkeys(&ctx, K1, K2);
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ goto cleanup;
+ }
+
+ if ((ret = memcmp(K1, subkeys, block_size)) != 0 ||
+ (ret = memcmp(K2, &subkeys[block_size], block_size)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+next_test:
+ mbedtls_cipher_free(&ctx);
+ }
+
+ ret = 0;
+ goto exit;
+
+cleanup:
+ mbedtls_cipher_free(&ctx);
+
+exit:
+ return ret;
+}
+
+static int cmac_test_wth_cipher(int verbose,
+ const char *testname,
+ const unsigned char *key,
+ int keybits,
+ const unsigned char *messages,
+ const unsigned int message_lengths[4],
+ const unsigned char *expected_result,
+ mbedtls_cipher_type_t cipher_type,
+ int block_size,
+ int num_tests)
+{
+ const mbedtls_cipher_info_t *cipher_info;
+ int i, ret = 0;
+ unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
+
+ cipher_info = mbedtls_cipher_info_from_type(cipher_type);
+ if (cipher_info == NULL) {
+ /* Failing at this point must be due to a build issue */
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ goto exit;
+ }
+
+ for (i = 0; i < num_tests; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" %s CMAC #%d: ", testname, i + 1);
+ }
+
+ if ((ret = mbedtls_cipher_cmac(cipher_info, key, keybits, messages,
+ message_lengths[i], output)) != 0) {
+ /* When CMAC is implemented by an alternative implementation, or
+ * the underlying primitive itself is implemented alternatively,
+ * AES-192 and/or 3DES may be unavailable. This should not cause
+ * the selftest function to fail. */
+ if ((ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
+ ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) &&
+ (cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
+ cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB)) {
+ if (verbose != 0) {
+ mbedtls_printf("skipped\n");
+ }
+ continue;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+
+ if ((ret = memcmp(output, &expected_result[i * block_size], block_size)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+
+#if defined(MBEDTLS_AES_C)
+static int test_aes128_cmac_prf(int verbose)
+{
+ int i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
+
+ for (i = 0; i < NB_PRF_TESTS; i++) {
+ mbedtls_printf(" AES CMAC 128 PRF #%d: ", i);
+ ret = mbedtls_aes_cmac_prf_128(PRFK, PRFKlen[i], PRFM, 20, output);
+ if (ret != 0 ||
+ memcmp(output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE) != 0) {
+
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return ret;
+ } else if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+ return ret;
+}
+#endif /* MBEDTLS_AES_C */
+
+int mbedtls_cmac_self_test(int verbose)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_AES_C)
+ /* AES-128 */
+ if ((ret = cmac_test_subkeys(verbose,
+ "AES 128",
+ aes_128_key,
+ 128,
+ (const unsigned char *) aes_128_subkeys,
+ MBEDTLS_CIPHER_AES_128_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "AES 128",
+ aes_128_key,
+ 128,
+ test_message,
+ aes_message_lengths,
+ (const unsigned char *) aes_128_expected_result,
+ MBEDTLS_CIPHER_AES_128_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ /* AES-192 */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ if ((ret = cmac_test_subkeys(verbose,
+ "AES 192",
+ aes_192_key,
+ 192,
+ (const unsigned char *) aes_192_subkeys,
+ MBEDTLS_CIPHER_AES_192_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "AES 192",
+ aes_192_key,
+ 192,
+ test_message,
+ aes_message_lengths,
+ (const unsigned char *) aes_192_expected_result,
+ MBEDTLS_CIPHER_AES_192_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
+ /* AES-256 */
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ if ((ret = cmac_test_subkeys(verbose,
+ "AES 256",
+ aes_256_key,
+ 256,
+ (const unsigned char *) aes_256_subkeys,
+ MBEDTLS_CIPHER_AES_256_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "AES 256",
+ aes_256_key,
+ 256,
+ test_message,
+ aes_message_lengths,
+ (const unsigned char *) aes_256_expected_result,
+ MBEDTLS_CIPHER_AES_256_ECB,
+ MBEDTLS_AES_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+ /* 3DES 2 key */
+ if ((ret = cmac_test_subkeys(verbose,
+ "3DES 2 key",
+ des3_2key_key,
+ 192,
+ (const unsigned char *) des3_2key_subkeys,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ MBEDTLS_DES3_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "3DES 2 key",
+ des3_2key_key,
+ 192,
+ test_message,
+ des3_message_lengths,
+ (const unsigned char *) des3_2key_expected_result,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ MBEDTLS_DES3_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ /* 3DES 3 key */
+ if ((ret = cmac_test_subkeys(verbose,
+ "3DES 3 key",
+ des3_3key_key,
+ 192,
+ (const unsigned char *) des3_3key_subkeys,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ MBEDTLS_DES3_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+
+ if ((ret = cmac_test_wth_cipher(verbose,
+ "3DES 3 key",
+ des3_3key_key,
+ 192,
+ test_message,
+ des3_message_lengths,
+ (const unsigned char *) des3_3key_expected_result,
+ MBEDTLS_CIPHER_DES_EDE3_ECB,
+ MBEDTLS_DES3_BLOCK_SIZE,
+ NB_CMAC_TESTS_PER_KEY)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+ if ((ret = test_aes128_cmac_prf(verbose)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_AES_C */
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CMAC_C */
diff --git a/library/common.h b/library/common.h
new file mode 100644
index 0000000..3936ffd
--- /dev/null
+++ b/library/common.h
@@ -0,0 +1,435 @@
+/**
+ * \file common.h
+ *
+ * \brief Utility macros for internal use in the library
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_LIBRARY_COMMON_H
+#define MBEDTLS_LIBRARY_COMMON_H
+
+#include "mbedtls/build_info.h"
+#include "alignment.h"
+
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stddef.h>
+
+#if defined(__ARM_NEON)
+#include <arm_neon.h>
+#define MBEDTLS_HAVE_NEON_INTRINSICS
+#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+#include <arm64_neon.h>
+#define MBEDTLS_HAVE_NEON_INTRINSICS
+#endif
+
+/** Helper to define a function as static except when building invasive tests.
+ *
+ * If a function is only used inside its own source file and should be
+ * declared `static` to allow the compiler to optimize for code size,
+ * but that function has unit tests, define it with
+ * ```
+ * MBEDTLS_STATIC_TESTABLE int mbedtls_foo(...) { ... }
+ * ```
+ * and declare it in a header in the `library/` directory with
+ * ```
+ * #if defined(MBEDTLS_TEST_HOOKS)
+ * int mbedtls_foo(...);
+ * #endif
+ * ```
+ */
+#if defined(MBEDTLS_TEST_HOOKS)
+#define MBEDTLS_STATIC_TESTABLE
+#else
+#define MBEDTLS_STATIC_TESTABLE static
+#endif
+
+#if defined(MBEDTLS_TEST_HOOKS)
+extern void (*mbedtls_test_hook_test_fail)(const char *test, int line, const char *file);
+#define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST) \
+ do { \
+ if ((!(TEST)) && ((*mbedtls_test_hook_test_fail) != NULL)) \
+ { \
+ (*mbedtls_test_hook_test_fail)( #TEST, __LINE__, __FILE__); \
+ } \
+ } while (0)
+#else
+#define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST)
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+/** \def ARRAY_LENGTH
+ * Return the number of elements of a static or stack array.
+ *
+ * \param array A value of array (not pointer) type.
+ *
+ * \return The number of elements of the array.
+ */
+/* A correct implementation of ARRAY_LENGTH, but which silently gives
+ * a nonsensical result if called with a pointer rather than an array. */
+#define ARRAY_LENGTH_UNSAFE(array) \
+ (sizeof(array) / sizeof(*(array)))
+
+#if defined(__GNUC__)
+/* Test if arg and &(arg)[0] have the same type. This is true if arg is
+ * an array but not if it's a pointer. */
+#define IS_ARRAY_NOT_POINTER(arg) \
+ (!__builtin_types_compatible_p(__typeof__(arg), \
+ __typeof__(&(arg)[0])))
+/* A compile-time constant with the value 0. If `const_expr` is not a
+ * compile-time constant with a nonzero value, cause a compile-time error. */
+#define STATIC_ASSERT_EXPR(const_expr) \
+ (0 && sizeof(struct { unsigned int STATIC_ASSERT : 1 - 2 * !(const_expr); }))
+
+/* Return the scalar value `value` (possibly promoted). This is a compile-time
+ * constant if `value` is. `condition` must be a compile-time constant.
+ * If `condition` is false, arrange to cause a compile-time error. */
+#define STATIC_ASSERT_THEN_RETURN(condition, value) \
+ (STATIC_ASSERT_EXPR(condition) ? 0 : (value))
+
+#define ARRAY_LENGTH(array) \
+ (STATIC_ASSERT_THEN_RETURN(IS_ARRAY_NOT_POINTER(array), \
+ ARRAY_LENGTH_UNSAFE(array)))
+
+#else
+/* If we aren't sure the compiler supports our non-standard tricks,
+ * fall back to the unsafe implementation. */
+#define ARRAY_LENGTH(array) ARRAY_LENGTH_UNSAFE(array)
+#endif
+/** Allow library to access its structs' private members.
+ *
+ * Although structs defined in header files are publicly available,
+ * their members are private and should not be accessed by the user.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+/**
+ * \brief Securely zeroize a buffer then free it.
+ *
+ * Similar to making consecutive calls to
+ * \c mbedtls_platform_zeroize() and \c mbedtls_free(), but has
+ * code size savings, and potential for optimisation in the future.
+ *
+ * Guaranteed to be a no-op if \p buf is \c NULL and \p len is 0.
+ *
+ * \param buf Buffer to be zeroized then freed.
+ * \param len Length of the buffer in bytes
+ */
+void mbedtls_zeroize_and_free(void *buf, size_t len);
+
+/** Return an offset into a buffer.
+ *
+ * This is just the addition of an offset to a pointer, except that this
+ * function also accepts an offset of 0 into a buffer whose pointer is null.
+ * (`p + n` has undefined behavior when `p` is null, even when `n == 0`.
+ * A null pointer is a valid buffer pointer when the size is 0, for example
+ * as the result of `malloc(0)` on some platforms.)
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline unsigned char *mbedtls_buffer_offset(
+ unsigned char *p, size_t n)
+{
+ return p == NULL ? NULL : p + n;
+}
+
+/** Return an offset into a read-only buffer.
+ *
+ * Similar to mbedtls_buffer_offset(), but for const pointers.
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline const unsigned char *mbedtls_buffer_offset_const(
+ const unsigned char *p, size_t n)
+{
+ return p == NULL ? NULL : p + n;
+}
+
+/* Always inline mbedtls_xor() for similar reasons as mbedtls_xor_no_simd(). */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+/**
+ * Perform a fast block XOR operation, such that
+ * r[i] = a[i] ^ b[i] where 0 <= i < n
+ *
+ * \param r Pointer to result (buffer of at least \p n bytes). \p r
+ * may be equal to either \p a or \p b, but behaviour when
+ * it overlaps in other ways is undefined.
+ * \param a Pointer to input (buffer of at least \p n bytes)
+ * \param b Pointer to input (buffer of at least \p n bytes)
+ * \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
+ */
+static inline void mbedtls_xor(unsigned char *r,
+ const unsigned char *a,
+ const unsigned char *b,
+ size_t n)
+{
+ size_t i = 0;
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
+#if defined(MBEDTLS_HAVE_NEON_INTRINSICS) && \
+ (!(defined(MBEDTLS_COMPILER_IS_GCC) && MBEDTLS_GCC_VERSION < 70300))
+ /* Old GCC versions generate a warning here, so disable the NEON path for these compilers */
+ for (; (i + 16) <= n; i += 16) {
+ uint8x16_t v1 = vld1q_u8(a + i);
+ uint8x16_t v2 = vld1q_u8(b + i);
+ uint8x16_t x = veorq_u8(v1, v2);
+ vst1q_u8(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 16.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 16 == 0) {
+ return;
+ }
+#endif
+#elif defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
+ /* This codepath probably only makes sense on architectures with 64-bit registers */
+ for (; (i + 8) <= n; i += 8) {
+ uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
+ mbedtls_put_unaligned_uint64(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
+#else
+ for (; (i + 4) <= n; i += 4) {
+ uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
+ mbedtls_put_unaligned_uint32(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
+#endif
+#endif
+ for (; i < n; i++) {
+ r[i] = a[i] ^ b[i];
+ }
+}
+
+/* Always inline mbedtls_xor_no_simd() as we see significant perf regressions when it does not get
+ * inlined (e.g., observed about 3x perf difference in gcm_mult_largetable with gcc 7 - 12) */
+#if defined(__IAR_SYSTEMS_ICC__)
+#pragma inline = forced
+#elif defined(__GNUC__)
+__attribute__((always_inline))
+#endif
+/**
+ * Perform a fast block XOR operation, such that
+ * r[i] = a[i] ^ b[i] where 0 <= i < n
+ *
+ * In some situations, this can perform better than mbedtls_xor() (e.g., it's about 5%
+ * better in AES-CBC).
+ *
+ * \param r Pointer to result (buffer of at least \p n bytes). \p r
+ * may be equal to either \p a or \p b, but behaviour when
+ * it overlaps in other ways is undefined.
+ * \param a Pointer to input (buffer of at least \p n bytes)
+ * \param b Pointer to input (buffer of at least \p n bytes)
+ * \param n Number of bytes to process.
+ *
+ * \note Depending on the situation, it may be faster to use either mbedtls_xor() or
+ * mbedtls_xor_no_simd() (these are functionally equivalent).
+ * If the result is used immediately after the xor operation in non-SIMD code (e.g, in
+ * AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
+ * registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
+ * the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
+ * For targets without SIMD support, they will behave the same.
+ */
+static inline void mbedtls_xor_no_simd(unsigned char *r,
+ const unsigned char *a,
+ const unsigned char *b,
+ size_t n)
+{
+ size_t i = 0;
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
+#if defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
+ /* This codepath probably only makes sense on architectures with 64-bit registers */
+ for (; (i + 8) <= n; i += 8) {
+ uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
+ mbedtls_put_unaligned_uint64(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
+ * where n is a constant multiple of 8.
+ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
+ * constant, and is a very small perf regression if n is not a compile-time constant. */
+ if (n % 8 == 0) {
+ return;
+ }
+#endif
+#else
+ for (; (i + 4) <= n; i += 4) {
+ uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
+ mbedtls_put_unaligned_uint32(r + i, x);
+ }
+#if defined(__IAR_SYSTEMS_ICC__)
+ if (n % 4 == 0) {
+ return;
+ }
+#endif
+#endif
+#endif
+ for (; i < n; i++) {
+ r[i] = a[i] ^ b[i];
+ }
+}
+
+/* Fix MSVC C99 compatible issue
+ * MSVC support __func__ from visual studio 2015( 1900 )
+ * Use MSVC predefine macro to avoid name check fail.
+ */
+#if (defined(_MSC_VER) && (_MSC_VER <= 1900))
+#define /*no-check-names*/ __func__ __FUNCTION__
+#endif
+
+/* Define `asm` for compilers which don't define it. */
+/* *INDENT-OFF* */
+#ifndef asm
+#if defined(__IAR_SYSTEMS_ICC__)
+#define asm __asm
+#else
+#define asm __asm__
+#endif
+#endif
+/* *INDENT-ON* */
+
+/*
+ * Define the constraint used for read-only pointer operands to aarch64 asm.
+ *
+ * This is normally the usual "r", but for aarch64_32 (aka ILP32,
+ * as found in watchos), "p" is required to avoid warnings from clang.
+ *
+ * Note that clang does not recognise '+p' or '=p', and armclang
+ * does not recognise 'p' at all. Therefore, to update a pointer from
+ * aarch64 assembly, it is necessary to use something like:
+ *
+ * uintptr_t uptr = (uintptr_t) ptr;
+ * asm( "ldr x4, [%x0], #8" ... : "+r" (uptr) : : )
+ * ptr = (void*) uptr;
+ *
+ * Note that the "x" in "%x0" is neccessary; writing "%0" will cause warnings.
+ */
+#if defined(__aarch64__) && defined(MBEDTLS_HAVE_ASM)
+#if UINTPTR_MAX == 0xfffffffful
+/* ILP32: Specify the pointer operand slightly differently, as per #7787. */
+#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "p"
+#elif UINTPTR_MAX == 0xfffffffffffffffful
+/* Normal case (64-bit pointers): use "r" as the constraint for pointer operands to asm */
+#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "r"
+#else
+#error "Unrecognised pointer size for aarch64"
+#endif
+#endif
+
+/* Always provide a static assert macro, so it can be used unconditionally.
+ * It will expand to nothing on some systems.
+ * Can be used outside functions (but don't add a trailing ';' in that case:
+ * the semicolon is included here to avoid triggering -Wextra-semi when
+ * MBEDTLS_STATIC_ASSERT() expands to nothing).
+ * Can't use the C11-style `defined(static_assert)` on FreeBSD, since it
+ * defines static_assert even with -std=c99, but then complains about it.
+ */
+#if defined(static_assert) && !defined(__FreeBSD__)
+#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg);
+#else
+#define MBEDTLS_STATIC_ASSERT(expr, msg)
+#endif
+
+#if defined(__has_builtin)
+#define MBEDTLS_HAS_BUILTIN(x) __has_builtin(x)
+#else
+#define MBEDTLS_HAS_BUILTIN(x) 0
+#endif
+
+/* Define compiler branch hints */
+#if MBEDTLS_HAS_BUILTIN(__builtin_expect)
+#define MBEDTLS_LIKELY(x) __builtin_expect(!!(x), 1)
+#define MBEDTLS_UNLIKELY(x) __builtin_expect(!!(x), 0)
+#else
+#define MBEDTLS_LIKELY(x) x
+#define MBEDTLS_UNLIKELY(x) x
+#endif
+
+/* MBEDTLS_ASSUME may be used to provide additional information to the compiler
+ * which can result in smaller code-size. */
+#if MBEDTLS_HAS_BUILTIN(__builtin_assume)
+/* clang provides __builtin_assume */
+#define MBEDTLS_ASSUME(x) __builtin_assume(x)
+#elif MBEDTLS_HAS_BUILTIN(__builtin_unreachable)
+/* gcc and IAR can use __builtin_unreachable */
+#define MBEDTLS_ASSUME(x) do { if (!(x)) __builtin_unreachable(); } while (0)
+#elif defined(_MSC_VER)
+/* Supported by MSVC since VS 2005 */
+#define MBEDTLS_ASSUME(x) __assume(x)
+#else
+#define MBEDTLS_ASSUME(x) do { } while (0)
+#endif
+
+/* For gcc -Os, override with -O2 for a given function.
+ *
+ * This will not affect behaviour for other optimisation settings, e.g. -O0.
+ */
+#if defined(MBEDTLS_COMPILER_IS_GCC) && defined(__OPTIMIZE_SIZE__)
+#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE __attribute__((optimize("-O2")))
+#else
+#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+#endif
+
+/* Suppress compiler warnings for unused functions and variables. */
+#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__has_attribute)
+# if __has_attribute(unused)
+# define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
+# endif
+#endif
+#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__GNUC__)
+# define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
+#endif
+#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__IAR_SYSTEMS_ICC__) && defined(__VER__)
+/* IAR does support __attribute__((unused)), but only if the -e flag (extended language support)
+ * is given; the pragma always works.
+ * Unfortunately the pragma affects the rest of the file where it is used, but this is harmless.
+ * Check for version 5.2 or later - this pragma may be supported by earlier versions, but I wasn't
+ * able to find documentation).
+ */
+# if (__VER__ >= 5020000)
+# define MBEDTLS_MAYBE_UNUSED _Pragma("diag_suppress=Pe177")
+# endif
+#endif
+#if !defined(MBEDTLS_MAYBE_UNUSED) && defined(_MSC_VER)
+# define MBEDTLS_MAYBE_UNUSED __pragma(warning(suppress:4189))
+#endif
+#if !defined(MBEDTLS_MAYBE_UNUSED)
+# define MBEDTLS_MAYBE_UNUSED
+#endif
+
+#endif /* MBEDTLS_LIBRARY_COMMON_H */
diff --git a/library/constant_time.c b/library/constant_time.c
new file mode 100644
index 0000000..d212ddf
--- /dev/null
+++ b/library/constant_time.c
@@ -0,0 +1,248 @@
+/**
+ * Constant-time functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following functions are implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+
+#include <stdint.h>
+#include <limits.h>
+
+#include "common.h"
+#include "constant_time_internal.h"
+#include "mbedtls/constant_time.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_CT_ASM)
+/*
+ * Define an object with the value zero, such that the compiler cannot prove that it
+ * has the value zero (because it is volatile, it "may be modified in ways unknown to
+ * the implementation").
+ */
+volatile mbedtls_ct_uint_t mbedtls_ct_zero = 0;
+#endif
+
+/*
+ * Define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS where assembly is present to
+ * perform fast unaligned access to volatile data.
+ *
+ * This is needed because mbedtls_get_unaligned_uintXX etc don't support volatile
+ * memory accesses.
+ *
+ * Some of these definitions could be moved into alignment.h but for now they are
+ * only used here.
+ */
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) && \
+ ((defined(MBEDTLS_CT_ARM_ASM) && (UINTPTR_MAX == 0xfffffffful)) || \
+ defined(MBEDTLS_CT_AARCH64_ASM))
+/* We check pointer sizes to avoid issues with them not matching register size requirements */
+#define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS
+
+static inline uint32_t mbedtls_get_unaligned_volatile_uint32(volatile const unsigned char *p)
+{
+ /* This is UB, even where it's safe:
+ * return *((volatile uint32_t*)p);
+ * so instead the same thing is expressed in assembly below.
+ */
+ uint32_t r;
+#if defined(MBEDTLS_CT_ARM_ASM)
+ asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :);
+#elif defined(MBEDTLS_CT_AARCH64_ASM)
+ asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :);
+#else
+#error "No assembly defined for mbedtls_get_unaligned_volatile_uint32"
+#endif
+ return r;
+}
+#endif /* defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) &&
+ (defined(MBEDTLS_CT_ARM_ASM) || defined(MBEDTLS_CT_AARCH64_ASM)) */
+
+int mbedtls_ct_memcmp(const void *a,
+ const void *b,
+ size_t n)
+{
+ size_t i = 0;
+ /*
+ * `A` and `B` are cast to volatile to ensure that the compiler
+ * generates code that always fully reads both buffers.
+ * Otherwise it could generate a test to exit early if `diff` has all
+ * bits set early in the loop.
+ */
+ volatile const unsigned char *A = (volatile const unsigned char *) a;
+ volatile const unsigned char *B = (volatile const unsigned char *) b;
+ uint32_t diff = 0;
+
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS)
+ for (; (i + 4) <= n; i += 4) {
+ uint32_t x = mbedtls_get_unaligned_volatile_uint32(A + i);
+ uint32_t y = mbedtls_get_unaligned_volatile_uint32(B + i);
+ diff |= x ^ y;
+ }
+#endif
+
+ for (; i < n; i++) {
+ /* Read volatile data in order before computing diff.
+ * This avoids IAR compiler warning:
+ * 'the order of volatile accesses is undefined ..' */
+ unsigned char x = A[i], y = B[i];
+ diff |= x ^ y;
+ }
+
+
+#if (INT_MAX < INT32_MAX)
+ /* We don't support int smaller than 32-bits, but if someone tried to build
+ * with this configuration, there is a risk that, for differing data, the
+ * only bits set in diff are in the top 16-bits, and would be lost by a
+ * simple cast from uint32 to int.
+ * This would have significant security implications, so protect against it. */
+#error "mbedtls_ct_memcmp() requires minimum 32-bit ints"
+#else
+ /* The bit-twiddling ensures that when we cast uint32_t to int, we are casting
+ * a value that is in the range 0..INT_MAX - a value larger than this would
+ * result in implementation defined behaviour.
+ *
+ * This ensures that the value returned by the function is non-zero iff
+ * diff is non-zero.
+ */
+ return (int) ((diff & 0xffff) | (diff >> 16));
+#endif
+}
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+int mbedtls_ct_memcmp_partial(const void *a,
+ const void *b,
+ size_t n,
+ size_t skip_head,
+ size_t skip_tail)
+{
+ unsigned int diff = 0;
+
+ volatile const unsigned char *A = (volatile const unsigned char *) a;
+ volatile const unsigned char *B = (volatile const unsigned char *) b;
+
+ size_t valid_end = n - skip_tail;
+
+ for (size_t i = 0; i < n; i++) {
+ unsigned char x = A[i], y = B[i];
+ unsigned int d = x ^ y;
+ mbedtls_ct_condition_t valid = mbedtls_ct_bool_and(mbedtls_ct_uint_ge(i, skip_head),
+ mbedtls_ct_uint_lt(i, valid_end));
+ diff |= mbedtls_ct_uint_if_else_0(valid, d);
+ }
+
+ /* Since we go byte-by-byte, the only bits set will be in the bottom 8 bits, so the
+ * cast from uint to int is safe. */
+ return (int) diff;
+}
+
+#endif
+
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
+
+void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset)
+{
+ volatile unsigned char *buf = start;
+ for (size_t i = 0; i < total; i++) {
+ mbedtls_ct_condition_t no_op = mbedtls_ct_uint_gt(total - offset, i);
+ /* The first `total - offset` passes are a no-op. The last
+ * `offset` passes shift the data one byte to the left and
+ * zero out the last byte. */
+ for (size_t n = 0; n < total - 1; n++) {
+ unsigned char current = buf[n];
+ unsigned char next = buf[n+1];
+ buf[n] = mbedtls_ct_uint_if(no_op, current, next);
+ }
+ buf[total-1] = mbedtls_ct_uint_if_else_0(no_op, buf[total-1]);
+ }
+}
+
+#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
+
+void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
+ unsigned char *dest,
+ const unsigned char *src1,
+ const unsigned char *src2,
+ size_t len)
+{
+#if defined(MBEDTLS_CT_SIZE_64)
+ const uint64_t mask = (uint64_t) condition;
+ const uint64_t not_mask = (uint64_t) ~mbedtls_ct_compiler_opaque(condition);
+#else
+ const uint32_t mask = (uint32_t) condition;
+ const uint32_t not_mask = (uint32_t) ~mbedtls_ct_compiler_opaque(condition);
+#endif
+
+ /* If src2 is NULL, setup src2 so that we read from the destination address.
+ *
+ * This means that if src2 == NULL && condition is false, the result will be a
+ * no-op because we read from dest and write the same data back into dest.
+ */
+ if (src2 == NULL) {
+ src2 = dest;
+ }
+
+ /* dest[i] = c1 == c2 ? src[i] : dest[i] */
+ size_t i = 0;
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
+#if defined(MBEDTLS_CT_SIZE_64)
+ for (; (i + 8) <= len; i += 8) {
+ uint64_t a = mbedtls_get_unaligned_uint64(src1 + i) & mask;
+ uint64_t b = mbedtls_get_unaligned_uint64(src2 + i) & not_mask;
+ mbedtls_put_unaligned_uint64(dest + i, a | b);
+ }
+#else
+ for (; (i + 4) <= len; i += 4) {
+ uint32_t a = mbedtls_get_unaligned_uint32(src1 + i) & mask;
+ uint32_t b = mbedtls_get_unaligned_uint32(src2 + i) & not_mask;
+ mbedtls_put_unaligned_uint32(dest + i, a | b);
+ }
+#endif /* defined(MBEDTLS_CT_SIZE_64) */
+#endif /* MBEDTLS_EFFICIENT_UNALIGNED_ACCESS */
+ for (; i < len; i++) {
+ dest[i] = (src1[i] & mask) | (src2[i] & not_mask);
+ }
+}
+
+void mbedtls_ct_memcpy_offset(unsigned char *dest,
+ const unsigned char *src,
+ size_t offset,
+ size_t offset_min,
+ size_t offset_max,
+ size_t len)
+{
+ size_t offsetval;
+
+ for (offsetval = offset_min; offsetval <= offset_max; offsetval++) {
+ mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offsetval, offset), dest, src + offsetval, NULL,
+ len);
+ }
+}
+
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
+
+void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len)
+{
+ uint32_t mask = (uint32_t) ~condition;
+ uint8_t *p = (uint8_t *) buf;
+ size_t i = 0;
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
+ for (; (i + 4) <= len; i += 4) {
+ mbedtls_put_unaligned_uint32((void *) (p + i),
+ mbedtls_get_unaligned_uint32((void *) (p + i)) & mask);
+ }
+#endif
+ for (; i < len; i++) {
+ p[i] = p[i] & mask;
+ }
+}
+
+#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) */
diff --git a/library/constant_time_impl.h b/library/constant_time_impl.h
new file mode 100644
index 0000000..2a4574b
--- /dev/null
+++ b/library/constant_time_impl.h
@@ -0,0 +1,556 @@
+/**
+ * Constant-time functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONSTANT_TIME_IMPL_H
+#define MBEDTLS_CONSTANT_TIME_IMPL_H
+
+#include <stddef.h>
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+/*
+ * To improve readability of constant_time_internal.h, the static inline
+ * definitions are here, and constant_time_internal.h has only the declarations.
+ *
+ * This results in duplicate declarations of the form:
+ * static inline void f(); // from constant_time_internal.h
+ * static inline void f() { ... } // from constant_time_impl.h
+ * when constant_time_internal.h is included.
+ *
+ * This appears to behave as if the declaration-without-definition was not present
+ * (except for warnings if gcc -Wredundant-decls or similar is used).
+ *
+ * Disable -Wredundant-decls so that gcc does not warn about this. This is re-enabled
+ * at the bottom of this file.
+ */
+#if defined(MBEDTLS_COMPILER_IS_GCC) && (__GNUC__ > 4)
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wredundant-decls"
+#endif
+
+/* Disable asm under Memsan because it confuses Memsan and generates false errors.
+ *
+ * We also disable under Valgrind by default, because it's more useful
+ * for Valgrind to test the plain C implementation. MBEDTLS_TEST_CONSTANT_FLOW_ASM //no-check-names
+ * may be set to permit building asm under Valgrind.
+ */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) || \
+ (defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) && !defined(MBEDTLS_TEST_CONSTANT_FLOW_ASM)) //no-check-names
+#define MBEDTLS_CT_NO_ASM
+#elif defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#define MBEDTLS_CT_NO_ASM
+#endif
+#endif
+
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && (!defined(__ARMCC_VERSION) || \
+ __ARMCC_VERSION >= 6000000) && !defined(MBEDTLS_CT_NO_ASM)
+#define MBEDTLS_CT_ASM
+#if (defined(__arm__) || defined(__thumb__) || defined(__thumb2__))
+#define MBEDTLS_CT_ARM_ASM
+#elif defined(__aarch64__)
+#define MBEDTLS_CT_AARCH64_ASM
+#elif defined(__amd64__) || defined(__x86_64__)
+#define MBEDTLS_CT_X86_64_ASM
+#elif defined(__i386__)
+#define MBEDTLS_CT_X86_ASM
+#endif
+#endif
+
+#define MBEDTLS_CT_SIZE (sizeof(mbedtls_ct_uint_t) * 8)
+
+
+/* ============================================================================
+ * Core const-time primitives
+ */
+
+/* Ensure that the compiler cannot know the value of x (i.e., cannot optimise
+ * based on its value) after this function is called.
+ *
+ * If we are not using assembly, this will be fairly inefficient, so its use
+ * should be minimised.
+ */
+
+#if !defined(MBEDTLS_CT_ASM)
+extern volatile mbedtls_ct_uint_t mbedtls_ct_zero;
+#endif
+
+/**
+ * \brief Ensure that a value cannot be known at compile time.
+ *
+ * \param x The value to hide from the compiler.
+ * \return The same value that was passed in, such that the compiler
+ * cannot prove its value (even for calls of the form
+ * x = mbedtls_ct_compiler_opaque(1), x will be unknown).
+ *
+ * \note This is mainly used in constructing mbedtls_ct_condition_t
+ * values and performing operations over them, to ensure that
+ * there is no way for the compiler to ever know anything about
+ * the value of an mbedtls_ct_condition_t.
+ */
+static inline mbedtls_ct_uint_t mbedtls_ct_compiler_opaque(mbedtls_ct_uint_t x)
+{
+#if defined(MBEDTLS_CT_ASM)
+ asm volatile ("" : [x] "+r" (x) :);
+ return x;
+#else
+ return x ^ mbedtls_ct_zero;
+#endif
+}
+
+/*
+ * Selecting unified syntax is needed for gcc, and harmless on clang.
+ *
+ * This is needed because on Thumb 1, condition flags are always set, so
+ * e.g. "negs" is supported but "neg" is not (on Thumb 2, both exist).
+ *
+ * Under Thumb 1 unified syntax, only the "negs" form is accepted, and
+ * under divided syntax, only the "neg" form is accepted. clang only
+ * supports unified syntax.
+ *
+ * On Thumb 2 and Arm, both compilers are happy with the "s" suffix,
+ * although we don't actually care about setting the flags.
+ *
+ * For old versions of gcc (see #8516 for details), restore divided
+ * syntax afterwards - otherwise old versions of gcc seem to apply
+ * unified syntax globally, which breaks other asm code.
+ */
+#if defined(MBEDTLS_COMPILER_IS_GCC) && defined(__thumb__) && !defined(__thumb2__) && \
+ (__GNUC__ < 11) && !defined(__ARM_ARCH_2__)
+#define RESTORE_ASM_SYNTAX ".syntax divided \n\t"
+#else
+#define RESTORE_ASM_SYNTAX
+#endif
+
+/* Convert a number into a condition in constant time. */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
+{
+ /*
+ * Define mask-generation code that, as far as possible, will not use branches or conditional instructions.
+ *
+ * For some platforms / type sizes, we define assembly to assure this.
+ *
+ * Otherwise, we define a plain C fallback which (in May 2023) does not get optimised into
+ * conditional instructions or branches by trunk clang, gcc, or MSVC v19.
+ */
+#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ mbedtls_ct_uint_t s;
+ asm volatile ("neg %x[s], %x[x] \n\t"
+ "orr %x[x], %x[s], %x[x] \n\t"
+ "asr %x[x], %x[x], 63 \n\t"
+ :
+ [s] "=&r" (s),
+ [x] "+&r" (x)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s;
+ asm volatile (".syntax unified \n\t"
+ "negs %[s], %[x] \n\t"
+ "orrs %[x], %[x], %[s] \n\t"
+ "asrs %[x], %[x], #31 \n\t"
+ RESTORE_ASM_SYNTAX
+ :
+ [s] "=&l" (s),
+ [x] "+&l" (x)
+ :
+ :
+ "cc" /* clobbers flag bits */
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ uint64_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "neg %[s] \n\t"
+ "or %[x], %[s] \n\t"
+ "sar $63, %[s] \n\t"
+ :
+ [s] "=&a" (s)
+ :
+ [x] "D" (x)
+ :
+ );
+ return (mbedtls_ct_condition_t) s;
+#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "neg %[s] \n\t"
+ "or %[s], %[x] \n\t"
+ "sar $31, %[x] \n\t"
+ :
+ [s] "=&c" (s),
+ [x] "+&a" (x)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#else
+ const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
+#if defined(_MSC_VER)
+ /* MSVC has a warning about unary minus on unsigned, but this is
+ * well-defined and precisely what we want to do here */
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+ // y is negative (i.e., top bit set) iff x is non-zero
+ mbedtls_ct_int_t y = (-xo) | -(xo >> 1);
+
+ // extract only the sign bit of y so that y == 1 (if x is non-zero) or 0 (if x is zero)
+ y = (((mbedtls_ct_uint_t) y) >> (MBEDTLS_CT_SIZE - 1));
+
+ // -y has all bits set (if x is non-zero), or all bits clear (if x is zero)
+ return (mbedtls_ct_condition_t) (-y);
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+#endif
+}
+
+static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition,
+ mbedtls_ct_uint_t if1,
+ mbedtls_ct_uint_t if0)
+{
+#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ asm volatile ("and %x[if1], %x[if1], %x[condition] \n\t"
+ "mvn %x[condition], %x[condition] \n\t"
+ "and %x[condition], %x[condition], %x[if0] \n\t"
+ "orr %x[condition], %x[if1], %x[condition]"
+ :
+ [condition] "+&r" (condition),
+ [if1] "+&r" (if1)
+ :
+ [if0] "r" (if0)
+ :
+ );
+ return (mbedtls_ct_uint_t) condition;
+#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ asm volatile (".syntax unified \n\t"
+ "ands %[if1], %[if1], %[condition] \n\t"
+ "mvns %[condition], %[condition] \n\t"
+ "ands %[condition], %[condition], %[if0] \n\t"
+ "orrs %[condition], %[if1], %[condition] \n\t"
+ RESTORE_ASM_SYNTAX
+ :
+ [condition] "+&l" (condition),
+ [if1] "+&l" (if1)
+ :
+ [if0] "l" (if0)
+ :
+ "cc"
+ );
+ return (mbedtls_ct_uint_t) condition;
+#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ asm volatile ("and %[condition], %[if1] \n\t"
+ "not %[condition] \n\t"
+ "and %[condition], %[if0] \n\t"
+ "or %[if1], %[if0] \n\t"
+ :
+ [condition] "+&D" (condition),
+ [if1] "+&S" (if1),
+ [if0] "+&a" (if0)
+ :
+ :
+ );
+ return if0;
+#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ asm volatile ("and %[condition], %[if1] \n\t"
+ "not %[condition] \n\t"
+ "and %[if0], %[condition] \n\t"
+ "or %[condition], %[if1] \n\t"
+ :
+ [condition] "+&c" (condition),
+ [if1] "+&a" (if1)
+ :
+ [if0] "b" (if0)
+ :
+ );
+ return if1;
+#else
+ mbedtls_ct_condition_t not_cond =
+ (mbedtls_ct_condition_t) (~mbedtls_ct_compiler_opaque(condition));
+ return (mbedtls_ct_uint_t) ((condition & if1) | (not_cond & if0));
+#endif
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
+{
+#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ uint64_t s1;
+ asm volatile ("eor %x[s1], %x[y], %x[x] \n\t"
+ "sub %x[x], %x[x], %x[y] \n\t"
+ "bic %x[x], %x[x], %x[s1] \n\t"
+ "and %x[s1], %x[s1], %x[y] \n\t"
+ "orr %x[s1], %x[x], %x[s1] \n\t"
+ "asr %x[x], %x[s1], 63"
+ :
+ [s1] "=&r" (s1),
+ [x] "+&r" (x)
+ :
+ [y] "r" (y)
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s1;
+ asm volatile (
+ ".syntax unified \n\t"
+#if defined(__thumb__) && !defined(__thumb2__)
+ "movs %[s1], %[x] \n\t"
+ "eors %[s1], %[s1], %[y] \n\t"
+#else
+ "eors %[s1], %[x], %[y] \n\t"
+#endif
+ "subs %[x], %[x], %[y] \n\t"
+ "bics %[x], %[x], %[s1] \n\t"
+ "ands %[y], %[s1], %[y] \n\t"
+ "orrs %[x], %[x], %[y] \n\t"
+ "asrs %[x], %[x], #31 \n\t"
+ RESTORE_ASM_SYNTAX
+ :
+ [s1] "=&l" (s1),
+ [x] "+&l" (x),
+ [y] "+&l" (y)
+ :
+ :
+ "cc"
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_X86_64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
+ uint64_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "xor %[y], %[s] \n\t"
+ "sub %[y], %[x] \n\t"
+ "and %[s], %[y] \n\t"
+ "not %[s] \n\t"
+ "and %[s], %[x] \n\t"
+ "or %[y], %[x] \n\t"
+ "sar $63, %[x] \n\t"
+ :
+ [s] "=&a" (s),
+ [x] "+&D" (x),
+ [y] "+&S" (y)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#elif defined(MBEDTLS_CT_X86_ASM) && defined(MBEDTLS_CT_SIZE_32)
+ uint32_t s;
+ asm volatile ("mov %[x], %[s] \n\t"
+ "xor %[y], %[s] \n\t"
+ "sub %[y], %[x] \n\t"
+ "and %[s], %[y] \n\t"
+ "not %[s] \n\t"
+ "and %[s], %[x] \n\t"
+ "or %[y], %[x] \n\t"
+ "sar $31, %[x] \n\t"
+ :
+ [s] "=&b" (s),
+ [x] "+&a" (x),
+ [y] "+&c" (y)
+ :
+ :
+ );
+ return (mbedtls_ct_condition_t) x;
+#else
+ /* Ensure that the compiler cannot optimise the following operations over x and y,
+ * even if it knows the value of x and y.
+ */
+ const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
+ const mbedtls_ct_uint_t yo = mbedtls_ct_compiler_opaque(y);
+ /*
+ * Check if the most significant bits (MSB) of the operands are different.
+ * cond is true iff the MSBs differ.
+ */
+ mbedtls_ct_condition_t cond = mbedtls_ct_bool((xo ^ yo) >> (MBEDTLS_CT_SIZE - 1));
+
+ /*
+ * If the MSB are the same then the difference x-y will be negative (and
+ * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
+ *
+ * If the MSB are different, then the operand with the MSB of 1 is the
+ * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
+ * the MSB of y is 0.)
+ */
+
+ // Select either y, or x - y
+ mbedtls_ct_uint_t ret = mbedtls_ct_if(cond, yo, (mbedtls_ct_uint_t) (xo - yo));
+
+ // Extract only the MSB of ret
+ ret = ret >> (MBEDTLS_CT_SIZE - 1);
+
+ // Convert to a condition (i.e., all bits set iff non-zero)
+ return mbedtls_ct_bool(ret);
+#endif
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
+{
+ /* diff = 0 if x == y, non-zero otherwise */
+ const mbedtls_ct_uint_t diff = mbedtls_ct_compiler_opaque(x) ^ mbedtls_ct_compiler_opaque(y);
+
+ /* all ones if x != y, 0 otherwise */
+ return mbedtls_ct_bool(diff);
+}
+
+static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
+ unsigned char high,
+ unsigned char c,
+ unsigned char t)
+{
+ const unsigned char co = (unsigned char) mbedtls_ct_compiler_opaque(c);
+ const unsigned char to = (unsigned char) mbedtls_ct_compiler_opaque(t);
+
+ /* low_mask is: 0 if low <= c, 0x...ff if low > c */
+ unsigned low_mask = ((unsigned) co - low) >> 8;
+ /* high_mask is: 0 if c <= high, 0x...ff if c > high */
+ unsigned high_mask = ((unsigned) high - co) >> 8;
+
+ return (unsigned char) (~(low_mask | high_mask)) & to;
+}
+
+/* ============================================================================
+ * Everything below here is trivial wrapper functions
+ */
+
+static inline size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition,
+ size_t if1,
+ size_t if0)
+{
+ return (size_t) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
+}
+
+static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
+ unsigned if1,
+ unsigned if0)
+{
+ return (unsigned) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
+ mbedtls_ct_condition_t if1,
+ mbedtls_ct_condition_t if0)
+{
+ return (mbedtls_ct_condition_t) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1,
+ (mbedtls_ct_uint_t) if0);
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition,
+ mbedtls_mpi_uint if1,
+ mbedtls_mpi_uint if0)
+{
+ return (mbedtls_mpi_uint) mbedtls_ct_if(condition,
+ (mbedtls_ct_uint_t) if1,
+ (mbedtls_ct_uint_t) if0);
+}
+
+#endif
+
+static inline size_t mbedtls_ct_size_if_else_0(mbedtls_ct_condition_t condition, size_t if1)
+{
+ return (size_t) (condition & if1);
+}
+
+static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1)
+{
+ return (unsigned) (condition & if1);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
+ mbedtls_ct_condition_t if1)
+{
+ return (mbedtls_ct_condition_t) (condition & if1);
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
+ mbedtls_mpi_uint if1)
+{
+ return (mbedtls_mpi_uint) (condition & if1);
+}
+
+#endif /* MBEDTLS_BIGNUM_C */
+
+static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0)
+{
+ /* Coverting int -> uint -> int here is safe, because we require if1 and if0 to be
+ * in the range -32767..0, and we require 32-bit int and uint types.
+ *
+ * This means that (0 <= -if0 < INT_MAX), so negating if0 is safe, and similarly for
+ * converting back to int.
+ */
+ return -((int) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) (-if1),
+ (mbedtls_ct_uint_t) (-if0)));
+}
+
+static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1)
+{
+ return -((int) (condition & (-if1)));
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y)
+{
+ return ~mbedtls_ct_uint_ne(x, y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y)
+{
+ return mbedtls_ct_uint_lt(y, x);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y)
+{
+ return ~mbedtls_ct_uint_lt(x, y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y)
+{
+ return ~mbedtls_ct_uint_gt(x, y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y)
+{
+ return (mbedtls_ct_condition_t) (x ^ y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y)
+{
+ return (mbedtls_ct_condition_t) (x & y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y)
+{
+ return (mbedtls_ct_condition_t) (x | y);
+}
+
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x)
+{
+ return (mbedtls_ct_condition_t) (~x);
+}
+
+#if defined(MBEDTLS_COMPILER_IS_GCC) && (__GNUC__ > 4)
+/* Restore warnings for -Wredundant-decls on gcc */
+ #pragma GCC diagnostic pop
+#endif
+
+#endif /* MBEDTLS_CONSTANT_TIME_IMPL_H */
diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h
new file mode 100644
index 0000000..61a5c6d
--- /dev/null
+++ b/library/constant_time_internal.h
@@ -0,0 +1,579 @@
+/**
+ * Constant-time functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONSTANT_TIME_INTERNAL_H
+#define MBEDTLS_CONSTANT_TIME_INTERNAL_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+#include "common.h"
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+/* The constant-time interface provides various operations that are likely
+ * to result in constant-time code that does not branch or use conditional
+ * instructions for secret data (for secret pointers, this also applies to
+ * the data pointed to).
+ *
+ * It has three main parts:
+ *
+ * - boolean operations
+ * These are all named mbedtls_ct_<type>_<operation>.
+ * They operate over <type> and return mbedtls_ct_condition_t.
+ * All arguments are considered secret.
+ * example: bool x = y | z => x = mbedtls_ct_bool_or(y, z)
+ * example: bool x = y == z => x = mbedtls_ct_uint_eq(y, z)
+ *
+ * - conditional data selection
+ * These are all named mbedtls_ct_<type>_if and mbedtls_ct_<type>_if_else_0
+ * All arguments are considered secret.
+ * example: size_t a = x ? b : c => a = mbedtls_ct_size_if(x, b, c)
+ * example: unsigned a = x ? b : 0 => a = mbedtls_ct_uint_if_else_0(x, b)
+ *
+ * - block memory operations
+ * Only some arguments are considered secret, as documented for each
+ * function.
+ * example: if (x) memcpy(...) => mbedtls_ct_memcpy_if(x, ...)
+ *
+ * mbedtls_ct_condition_t must be treated as opaque and only created and
+ * manipulated via the functions in this header. The compiler should never
+ * be able to prove anything about its value at compile-time.
+ *
+ * mbedtls_ct_uint_t is an unsigned integer type over which constant time
+ * operations may be performed via the functions in this header. It is as big
+ * as the larger of size_t and mbedtls_mpi_uint, i.e. it is safe to cast
+ * to/from "unsigned int", "size_t", and "mbedtls_mpi_uint" (and any other
+ * not-larger integer types).
+ *
+ * For Arm (32-bit, 64-bit and Thumb), x86 and x86-64, assembly implementations
+ * are used to ensure that the generated code is constant time. For other
+ * architectures, it uses a plain C fallback designed to yield constant-time code
+ * (this has been observed to be constant-time on latest gcc, clang and MSVC
+ * as of May 2023).
+ *
+ * For readability, the static inline definitions are separated out into
+ * constant_time_impl.h.
+ */
+
+#if (SIZE_MAX > 0xffffffffffffffffULL)
+/* Pointer size > 64-bit */
+typedef size_t mbedtls_ct_condition_t;
+typedef size_t mbedtls_ct_uint_t;
+typedef ptrdiff_t mbedtls_ct_int_t;
+#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(SIZE_MAX))
+#elif (SIZE_MAX > 0xffffffff) || defined(MBEDTLS_HAVE_INT64)
+/* 32-bit < pointer size <= 64-bit, or 64-bit MPI */
+typedef uint64_t mbedtls_ct_condition_t;
+typedef uint64_t mbedtls_ct_uint_t;
+typedef int64_t mbedtls_ct_int_t;
+#define MBEDTLS_CT_SIZE_64
+#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT64_MAX))
+#else
+/* Pointer size <= 32-bit, and no 64-bit MPIs */
+typedef uint32_t mbedtls_ct_condition_t;
+typedef uint32_t mbedtls_ct_uint_t;
+typedef int32_t mbedtls_ct_int_t;
+#define MBEDTLS_CT_SIZE_32
+#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT32_MAX))
+#endif
+#define MBEDTLS_CT_FALSE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(0))
+
+/* ============================================================================
+ * Boolean operations
+ */
+
+/** Convert a number into a mbedtls_ct_condition_t.
+ *
+ * \param x Number to convert.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x != 0, or MBEDTLS_CT_FALSE if \p x == 0
+ *
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x);
+
+/** Boolean "not equal" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x != \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x != \p y, otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y);
+
+/** Boolean "equals" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x == \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x == \p y, otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y);
+
+/** Boolean "less than" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x < \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x < \p y, otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y);
+
+/** Boolean "greater than" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x > \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x > \p y, otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y);
+
+/** Boolean "greater or equal" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x >= \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x >= \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y);
+
+/** Boolean "less than or equal" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x <= \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x <= \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
+ mbedtls_ct_uint_t y);
+
+/** Boolean not-equals operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x != \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \note This is more efficient than mbedtls_ct_uint_ne if both arguments are
+ * mbedtls_ct_condition_t.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x != \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y);
+
+/** Boolean "and" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x && \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x && \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y);
+
+/** Boolean "or" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * \p x || \p y
+ *
+ * \param x The first value to analyze.
+ * \param y The second value to analyze.
+ *
+ * \return MBEDTLS_CT_TRUE if \p x || \p y,
+ * otherwise MBEDTLS_CT_FALSE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x,
+ mbedtls_ct_condition_t y);
+
+/** Boolean "not" operation.
+ *
+ * Functionally equivalent to:
+ *
+ * ! \p x
+ *
+ * \param x The value to invert
+ *
+ * \return MBEDTLS_CT_FALSE if \p x, otherwise MBEDTLS_CT_TRUE.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x);
+
+
+/* ============================================================================
+ * Data selection operations
+ */
+
+/** Choose between two size_t values.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition,
+ size_t if1,
+ size_t if0);
+
+/** Choose between two unsigned values.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
+ unsigned if1,
+ unsigned if0);
+
+/** Choose between two mbedtls_ct_condition_t values.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
+ mbedtls_ct_condition_t if1,
+ mbedtls_ct_condition_t if0);
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+/** Choose between two mbedtls_mpi_uint values.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition, \
+ mbedtls_mpi_uint if1, \
+ mbedtls_mpi_uint if0);
+
+#endif
+
+/** Choose between an unsigned value and 0.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_uint_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1);
+
+/** Choose between an mbedtls_ct_condition_t and 0.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_bool_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
+ mbedtls_ct_condition_t if1);
+
+/** Choose between a size_t value and 0.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_size_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline size_t mbedtls_ct_size_if_else_0(mbedtls_ct_condition_t condition, size_t if1);
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+/** Choose between an mbedtls_mpi_uint value and 0.
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_mpi_uint_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
+ mbedtls_mpi_uint if1);
+
+#endif
+
+/** Constant-flow char selection
+ *
+ * \param low Secret. Bottom of range
+ * \param high Secret. Top of range
+ * \param c Secret. Value to compare to range
+ * \param t Secret. Value to return, if in range
+ *
+ * \return \p t if \p low <= \p c <= \p high, 0 otherwise.
+ */
+static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
+ unsigned char high,
+ unsigned char c,
+ unsigned char t);
+
+/** Choose between two error values. The values must be in the range [-32767..0].
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : if0.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
+ */
+static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0);
+
+/** Choose between an error value and 0. The error value must be in the range [-32767..0].
+ *
+ * Functionally equivalent to:
+ *
+ * condition ? if1 : 0.
+ *
+ * Functionally equivalent to mbedtls_ct_error_if(condition, if1, 0) but
+ * results in smaller code size.
+ *
+ * \param condition Condition to test.
+ * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
+ *
+ * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
+ */
+static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1);
+
+/* ============================================================================
+ * Block memory operations
+ */
+
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
+
+/** Conditionally set a block of memory to zero.
+ *
+ * Regardless of the condition, every byte will be read once and written to
+ * once.
+ *
+ * \param condition Secret. Condition to test.
+ * \param buf Secret. Pointer to the start of the buffer.
+ * \param len Number of bytes to set to zero.
+ *
+ * \warning Unlike mbedtls_platform_zeroize, this does not have the same guarantees
+ * about not being optimised away if the memory is never read again.
+ */
+void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len);
+
+/** Shift some data towards the left inside a buffer.
+ *
+ * Functionally equivalent to:
+ *
+ * memmove(start, start + offset, total - offset);
+ * memset(start + (total - offset), 0, offset);
+ *
+ * Timing independence comes at the expense of performance.
+ *
+ * \param start Secret. Pointer to the start of the buffer.
+ * \param total Total size of the buffer.
+ * \param offset Secret. Offset from which to copy \p total - \p offset bytes.
+ */
+void mbedtls_ct_memmove_left(void *start,
+ size_t total,
+ size_t offset);
+
+#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) */
+
+/** Conditional memcpy.
+ *
+ * Functionally equivalent to:
+ *
+ * if (condition) {
+ * memcpy(dest, src1, len);
+ * } else {
+ * if (src2 != NULL)
+ * memcpy(dest, src2, len);
+ * }
+ *
+ * It will always read len bytes from src1.
+ * If src2 != NULL, it will always read len bytes from src2.
+ * If src2 == NULL, it will instead read len bytes from dest (as if src2 == dest).
+ *
+ * \param condition The condition
+ * \param dest Secret. Destination pointer.
+ * \param src1 Secret. Pointer to copy from (if \p condition == MBEDTLS_CT_TRUE).
+ * This may be equal to \p dest, but may not overlap in other ways.
+ * \param src2 Secret (contents only - may branch to determine if this parameter is NULL).
+ * Pointer to copy from (if \p condition == MBEDTLS_CT_FALSE and \p src2 is not NULL). May be NULL.
+ * This may be equal to \p dest, but may not overlap it in other ways. It may overlap with \p src1.
+ * \param len Number of bytes to copy.
+ */
+void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
+ unsigned char *dest,
+ const unsigned char *src1,
+ const unsigned char *src2,
+ size_t len
+ );
+
+/** Copy data from a secret position.
+ *
+ * Functionally equivalent to:
+ *
+ * memcpy(dst, src + offset, len)
+ *
+ * This function copies \p len bytes from \p src + \p offset to
+ * \p dst, with a code flow and memory access pattern that does not depend on
+ * \p offset, but only on \p offset_min, \p offset_max and \p len.
+ *
+ * \note This function reads from \p dest, but the value that
+ * is read does not influence the result and this
+ * function's behavior is well-defined regardless of the
+ * contents of the buffers. This may result in false
+ * positives from static or dynamic analyzers, especially
+ * if \p dest is not initialized.
+ *
+ * \param dest Secret. The destination buffer. This must point to a writable
+ * buffer of at least \p len bytes.
+ * \param src Secret. The base of the source buffer. This must point to a
+ * readable buffer of at least \p offset_max + \p len
+ * bytes. Shouldn't overlap with \p dest
+ * \param offset Secret. The offset in the source buffer from which to copy.
+ * This must be no less than \p offset_min and no greater
+ * than \p offset_max.
+ * \param offset_min The minimal value of \p offset.
+ * \param offset_max The maximal value of \p offset.
+ * \param len The number of bytes to copy.
+ */
+void mbedtls_ct_memcpy_offset(unsigned char *dest,
+ const unsigned char *src,
+ size_t offset,
+ size_t offset_min,
+ size_t offset_max,
+ size_t len);
+
+/* Documented in include/mbedtls/constant_time.h. a and b are secret.
+
+ int mbedtls_ct_memcmp(const void *a,
+ const void *b,
+ size_t n);
+ */
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+/** Constant-time buffer comparison without branches.
+ *
+ * Similar to mbedtls_ct_memcmp, except that the result only depends on part of
+ * the input data - differences in the head or tail are ignored. Functionally equivalent to:
+ *
+ * memcmp(a + skip_head, b + skip_head, size - skip_head - skip_tail)
+ *
+ * Time taken depends on \p n, but not on \p skip_head or \p skip_tail .
+ *
+ * Behaviour is undefined if ( \p skip_head + \p skip_tail) > \p n.
+ *
+ * \param a Secret. Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
+ * \param b Secret. Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
+ * \param n The number of bytes to examine (total size of the buffers).
+ * \param skip_head Secret. The number of bytes to treat as non-significant at the start of the buffer.
+ * These bytes will still be read.
+ * \param skip_tail Secret. The number of bytes to treat as non-significant at the end of the buffer.
+ * These bytes will still be read.
+ *
+ * \return Zero if the contents of the two buffers are the same, otherwise non-zero.
+ */
+int mbedtls_ct_memcmp_partial(const void *a,
+ const void *b,
+ size_t n,
+ size_t skip_head,
+ size_t skip_tail);
+
+#endif
+
+/* Include the implementation of static inline functions above. */
+#include "constant_time_impl.h"
+
+#endif /* MBEDTLS_CONSTANT_TIME_INTERNAL_H */
diff --git a/library/ctr.h b/library/ctr.h
new file mode 100644
index 0000000..aa48fb9
--- /dev/null
+++ b/library/ctr.h
@@ -0,0 +1,35 @@
+/**
+ * \file ctr.h
+ *
+ * \brief This file contains common functionality for counter algorithms.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CTR_H
+#define MBEDTLS_CTR_H
+
+#include "common.h"
+
+/**
+ * \brief Increment a big-endian 16-byte value.
+ * This is quite performance-sensitive for AES-CTR and CTR-DRBG.
+ *
+ * \param n A 16-byte value to be incremented.
+ */
+static inline void mbedtls_ctr_increment_counter(uint8_t n[16])
+{
+ // The 32-bit version seems to perform about the same as a 64-bit version
+ // on 64-bit architectures, so no need to define a 64-bit version.
+ for (int i = 3;; i--) {
+ uint32_t x = MBEDTLS_GET_UINT32_BE(n, i << 2);
+ x += 1;
+ MBEDTLS_PUT_UINT32_BE(x, n, i << 2);
+ if (x != 0 || i == 0) {
+ break;
+ }
+ }
+}
+
+#endif /* MBEDTLS_CTR_H */
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
new file mode 100644
index 0000000..66d9d28
--- /dev/null
+++ b/library/ctr_drbg.c
@@ -0,0 +1,1016 @@
+/*
+ * CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The NIST SP 800-90 DRBGs are described in the following publication.
+ *
+ * https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-90r.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+
+#include "ctr.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+/* Using error translation functions from PSA to MbedTLS */
+#if !defined(MBEDTLS_AES_C)
+#include "psa_util_internal.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_AES_C)
+static psa_status_t ctr_drbg_setup_psa_context(mbedtls_ctr_drbg_psa_context *psa_ctx,
+ unsigned char *key, size_t key_len)
+{
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_ENCRYPT);
+ psa_set_key_algorithm(&key_attr, PSA_ALG_ECB_NO_PADDING);
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_AES);
+ status = psa_import_key(&key_attr, key, key_len, &psa_ctx->key_id);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_cipher_encrypt_setup(&psa_ctx->operation, psa_ctx->key_id, PSA_ALG_ECB_NO_PADDING);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ psa_reset_key_attributes(&key_attr);
+ return status;
+}
+
+static void ctr_drbg_destroy_psa_contex(mbedtls_ctr_drbg_psa_context *psa_ctx)
+{
+ psa_cipher_abort(&psa_ctx->operation);
+ psa_destroy_key(psa_ctx->key_id);
+
+ psa_ctx->operation = psa_cipher_operation_init();
+ psa_ctx->key_id = MBEDTLS_SVC_KEY_ID_INIT;
+}
+#endif
+
+/*
+ * CTR_DRBG context initialization
+ */
+void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_ctr_drbg_context));
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_init(&ctx->aes_ctx);
+#else
+ ctx->psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ ctx->psa_ctx.operation = psa_cipher_operation_init();
+#endif
+ /* Indicate that the entropy nonce length is not set explicitly.
+ * See mbedtls_ctr_drbg_set_nonce_len(). */
+ ctx->reseed_counter = -1;
+
+ ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+}
+
+/*
+ * This function resets CTR_DRBG context to the state immediately
+ * after initial call of mbedtls_ctr_drbg_init().
+ */
+void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* The mutex is initialized iff f_entropy is set. */
+ if (ctx->f_entropy != NULL) {
+ mbedtls_mutex_free(&ctx->mutex);
+ }
+#endif
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_free(&ctx->aes_ctx);
+#else
+ ctr_drbg_destroy_psa_contex(&ctx->psa_ctx);
+#endif
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ctr_drbg_context));
+ ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+ ctx->reseed_counter = -1;
+}
+
+void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx,
+ int resistance)
+{
+ ctx->prediction_resistance = resistance;
+}
+
+void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx,
+ size_t len)
+{
+ ctx->entropy_len = len;
+}
+
+int mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context *ctx,
+ size_t len)
+{
+ /* If mbedtls_ctr_drbg_seed() has already been called, it's
+ * too late. Return the error code that's closest to making sense. */
+ if (ctx->f_entropy != NULL) {
+ return MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+
+ if (len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ /* This shouldn't be an issue because
+ * MBEDTLS_CTR_DRBG_MAX_SEED_INPUT < INT_MAX in any sensible
+ * configuration, but make sure anyway. */
+ if (len > INT_MAX) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ /* For backward compatibility with Mbed TLS <= 2.19, store the
+ * entropy nonce length in a field that already exists, but isn't
+ * used until after the initial seeding. */
+ /* Due to the capping of len above, the value fits in an int. */
+ ctx->reseed_counter = (int) len;
+ return 0;
+}
+
+void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx,
+ int interval)
+{
+ ctx->reseed_interval = interval;
+}
+
+static int block_cipher_df(unsigned char *output,
+ const unsigned char *data, size_t data_len)
+{
+ unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
+ MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
+ unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+ unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+ unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+ unsigned char *p, *iv;
+ int ret = 0;
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_context aes_ctx;
+#else
+ psa_status_t status;
+ size_t tmp_len;
+ mbedtls_ctr_drbg_psa_context psa_ctx;
+
+ psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_ctx.operation = psa_cipher_operation_init();
+#endif
+
+ int i, j;
+ size_t buf_len, use_len;
+
+ if (data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ memset(buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT +
+ MBEDTLS_CTR_DRBG_BLOCKSIZE + 16);
+
+ /*
+ * Construct IV (16 bytes) and S in buffer
+ * IV = Counter (in 32-bits) padded to 16 with zeroes
+ * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
+ * data || 0x80
+ * (Total is padded to a multiple of 16-bytes with zeroes)
+ */
+ p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
+ MBEDTLS_PUT_UINT32_BE(data_len, p, 0);
+ p += 4 + 3;
+ *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
+ memcpy(p, data, data_len);
+ p[data_len] = 0x80;
+
+ buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
+
+ for (i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++) {
+ key[i] = i;
+ }
+
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_init(&aes_ctx);
+
+ if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, key,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ goto exit;
+ }
+#else
+ status = ctr_drbg_setup_psa_context(&psa_ctx, key, sizeof(key));
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+
+ /*
+ * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
+ */
+ for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
+ p = buf;
+ memset(chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE);
+ use_len = buf_len;
+
+ while (use_len > 0) {
+ mbedtls_xor(chain, chain, p, MBEDTLS_CTR_DRBG_BLOCKSIZE);
+ p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+ use_len -= (use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE) ?
+ MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
+
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
+ chain, chain)) != 0) {
+ goto exit;
+ }
+#else
+ status = psa_cipher_update(&psa_ctx.operation, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE,
+ chain, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+ }
+
+ memcpy(tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE);
+
+ /*
+ * Update IV
+ */
+ buf[3]++;
+ }
+
+ /*
+ * Do final encryption with reduced data
+ */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ goto exit;
+ }
+#else
+ ctr_drbg_destroy_psa_contex(&psa_ctx);
+
+ status = ctr_drbg_setup_psa_context(&psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+ iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
+ p = output;
+
+ for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
+ iv, iv)) != 0) {
+ goto exit;
+ }
+#else
+ status = psa_cipher_update(&psa_ctx.operation, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE,
+ iv, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+ memcpy(p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE);
+ p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+ }
+exit:
+#if defined(MBEDTLS_AES_C)
+ mbedtls_aes_free(&aes_ctx);
+#else
+ ctr_drbg_destroy_psa_contex(&psa_ctx);
+#endif
+ /*
+ * tidy up the stack
+ */
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ mbedtls_platform_zeroize(key, sizeof(key));
+ mbedtls_platform_zeroize(chain, sizeof(chain));
+ if (0 != ret) {
+ /*
+ * wipe partial seed from memory
+ */
+ mbedtls_platform_zeroize(output, MBEDTLS_CTR_DRBG_SEEDLEN);
+ }
+
+ return ret;
+}
+
+/* CTR_DRBG_Update (SP 800-90A §10.2.1.2)
+ * ctr_drbg_update_internal(ctx, provided_data)
+ * implements
+ * CTR_DRBG_Update(provided_data, Key, V)
+ * with inputs and outputs
+ * ctx->aes_ctx = Key
+ * ctx->counter = V
+ */
+static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN])
+{
+ unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+ unsigned char *p = tmp;
+ int j;
+ int ret = 0;
+#if !defined(MBEDTLS_AES_C)
+ psa_status_t status;
+ size_t tmp_len;
+#endif
+
+ memset(tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN);
+
+ for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
+ /*
+ * Increase counter
+ */
+ mbedtls_ctr_increment_counter(ctx->counter);
+
+ /*
+ * Crypt counter block
+ */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
+ ctx->counter, p)) != 0) {
+ goto exit;
+ }
+#else
+ status = psa_cipher_update(&ctx->psa_ctx.operation, ctx->counter, sizeof(ctx->counter),
+ p, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+
+ p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+ }
+
+ mbedtls_xor(tmp, tmp, data, MBEDTLS_CTR_DRBG_SEEDLEN);
+
+ /*
+ * Update key and counter
+ */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ goto exit;
+ }
+#else
+ ctr_drbg_destroy_psa_contex(&ctx->psa_ctx);
+
+ status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+ memcpy(ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
+ MBEDTLS_CTR_DRBG_BLOCKSIZE);
+
+exit:
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ return ret;
+}
+
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A §10.2.1.3.2)
+ * mbedtls_ctr_drbg_update(ctx, additional, add_len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ * security_strength) -> initial_working_state
+ * with inputs
+ * ctx->counter = all-bits-0
+ * ctx->aes_ctx = context from all-bits-0 key
+ * additional[:add_len] = entropy_input || nonce || personalization_string
+ * and with outputs
+ * ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t add_len)
+{
+ unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (add_len == 0) {
+ return 0;
+ }
+
+ if ((ret = block_cipher_df(add_input, additional, add_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = ctr_drbg_update_internal(ctx, add_input)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_platform_zeroize(add_input, sizeof(add_input));
+ return ret;
+}
+
+/* CTR_DRBG_Reseed with derivation function (SP 800-90A §10.2.1.4.2)
+ * mbedtls_ctr_drbg_reseed(ctx, additional, len, nonce_len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
+ * -> new_working_state
+ * with inputs
+ * ctx contains working_state
+ * additional[:len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * for (ctx->entropy_len + nonce_len) bytes
+ * and with output
+ * ctx contains new_working_state
+ */
+static int mbedtls_ctr_drbg_reseed_internal(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t len,
+ size_t nonce_len)
+{
+ unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
+ size_t seedlen = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+ if (nonce_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+ if (len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len - nonce_len) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ memset(seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT);
+
+ /* Gather entropy_len bytes of entropy to seed state. */
+ if (0 != ctx->f_entropy(ctx->p_entropy, seed, ctx->entropy_len)) {
+ return MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+ seedlen += ctx->entropy_len;
+
+ /* Gather entropy for a nonce if requested. */
+ if (nonce_len != 0) {
+ if (0 != ctx->f_entropy(ctx->p_entropy, seed + seedlen, nonce_len)) {
+ return MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+ seedlen += nonce_len;
+ }
+
+ /* Add additional data if provided. */
+ if (additional != NULL && len != 0) {
+ memcpy(seed + seedlen, additional, len);
+ seedlen += len;
+ }
+
+ /* Reduce to 384 bits. */
+ if ((ret = block_cipher_df(seed, seed, seedlen)) != 0) {
+ goto exit;
+ }
+
+ /* Update state. */
+ if ((ret = ctr_drbg_update_internal(ctx, seed)) != 0) {
+ goto exit;
+ }
+ ctx->reseed_counter = 1;
+
+exit:
+ mbedtls_platform_zeroize(seed, sizeof(seed));
+ return ret;
+}
+
+int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional, size_t len)
+{
+ return mbedtls_ctr_drbg_reseed_internal(ctx, additional, len, 0);
+}
+
+/* Return a "good" nonce length for CTR_DRBG. The chosen nonce length
+ * is sufficient to achieve the maximum security strength given the key
+ * size and entropy length. If there is enough entropy in the initial
+ * call to the entropy function to serve as both the entropy input and
+ * the nonce, don't make a second call to get a nonce. */
+static size_t good_nonce_len(size_t entropy_len)
+{
+ if (entropy_len >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2) {
+ return 0;
+ } else {
+ return (entropy_len + 1) / 2;
+ }
+}
+
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A §10.2.1.3.2)
+ * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ * security_strength) -> initial_working_state
+ * with inputs
+ * custom[:len] = nonce || personalization_string
+ * where entropy_input comes from f_entropy for ctx->entropy_len bytes
+ * and with outputs
+ * ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
+ int (*f_entropy)(void *, unsigned char *, size_t),
+ void *p_entropy,
+ const unsigned char *custom,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+ size_t nonce_len;
+
+ memset(key, 0, MBEDTLS_CTR_DRBG_KEYSIZE);
+
+ /* The mutex is initialized iff f_entropy is set. */
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+ ctx->f_entropy = f_entropy;
+ ctx->p_entropy = p_entropy;
+
+ if (ctx->entropy_len == 0) {
+ ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
+ }
+ /* ctx->reseed_counter contains the desired amount of entropy to
+ * grab for a nonce (see mbedtls_ctr_drbg_set_nonce_len()).
+ * If it's -1, indicating that the entropy nonce length was not set
+ * explicitly, use a sufficiently large nonce for security. */
+ nonce_len = (ctx->reseed_counter >= 0 ?
+ (size_t) ctx->reseed_counter :
+ good_nonce_len(ctx->entropy_len));
+
+ /* Initialize with an empty key. */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key,
+ MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
+ return ret;
+ }
+#else
+ psa_status_t status;
+
+ status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, key, MBEDTLS_CTR_DRBG_KEYSIZE);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ return status;
+ }
+#endif
+
+ /* Do the initial seeding. */
+ if ((ret = mbedtls_ctr_drbg_reseed_internal(ctx, custom, len,
+ nonce_len)) != 0) {
+ return ret;
+ }
+ return 0;
+}
+
+/* CTR_DRBG_Generate with derivation function (SP 800-90A §10.2.1.5.2)
+ * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
+ * -> working_state_after_reseed
+ * if required, then
+ * CTR_DRBG_Generate(working_state_after_reseed,
+ * requested_number_of_bits, additional_input)
+ * -> status, returned_bits, new_working_state
+ * with inputs
+ * ctx contains working_state
+ * requested_number_of_bits = 8 * output_len
+ * additional[:add_len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * and with outputs
+ * status = SUCCESS (this function does the reseed internally)
+ * returned_bits = output[:output_len]
+ * ctx contains new_working_state
+ */
+int mbedtls_ctr_drbg_random_with_add(void *p_rng,
+ unsigned char *output, size_t output_len,
+ const unsigned char *additional, size_t add_len)
+{
+ int ret = 0;
+ mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+ unsigned char *p = output;
+ struct {
+ unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+ unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+ } locals;
+ size_t use_len;
+
+ if (output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST) {
+ return MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG;
+ }
+
+ if (add_len > MBEDTLS_CTR_DRBG_MAX_INPUT) {
+ return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ }
+
+ memset(locals.add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN);
+
+ if (ctx->reseed_counter > ctx->reseed_interval ||
+ ctx->prediction_resistance) {
+ if ((ret = mbedtls_ctr_drbg_reseed(ctx, additional, add_len)) != 0) {
+ return ret;
+ }
+ add_len = 0;
+ }
+
+ if (add_len > 0) {
+ if ((ret = block_cipher_df(locals.add_input, additional, add_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = ctr_drbg_update_internal(ctx, locals.add_input)) != 0) {
+ goto exit;
+ }
+ }
+
+ while (output_len > 0) {
+ /*
+ * Increase counter (treat it as a 128-bit big-endian integer).
+ */
+ mbedtls_ctr_increment_counter(ctx->counter);
+
+ /*
+ * Crypt counter block
+ */
+#if defined(MBEDTLS_AES_C)
+ if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
+ ctx->counter, locals.tmp)) != 0) {
+ goto exit;
+ }
+#else
+ psa_status_t status;
+ size_t tmp_len;
+
+ status = psa_cipher_update(&ctx->psa_ctx.operation, ctx->counter, sizeof(ctx->counter),
+ locals.tmp, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_generic_status_to_mbedtls(status);
+ goto exit;
+ }
+#endif
+
+ use_len = (output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE)
+ ? MBEDTLS_CTR_DRBG_BLOCKSIZE : output_len;
+ /*
+ * Copy random block to destination
+ */
+ memcpy(p, locals.tmp, use_len);
+ p += use_len;
+ output_len -= use_len;
+ }
+
+ if ((ret = ctr_drbg_update_internal(ctx, locals.add_input)) != 0) {
+ goto exit;
+ }
+
+ ctx->reseed_counter++;
+
+exit:
+ mbedtls_platform_zeroize(&locals, sizeof(locals));
+ return ret;
+}
+
+int mbedtls_ctr_drbg_random(void *p_rng, unsigned char *output,
+ size_t output_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, NULL, 0);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx,
+ const char *path)
+{
+ int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ FILE *f;
+ unsigned char buf[MBEDTLS_CTR_DRBG_MAX_INPUT];
+
+ if ((f = fopen(path, "wb")) == NULL) {
+ return MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ if ((ret = mbedtls_ctr_drbg_random(ctx, buf,
+ MBEDTLS_CTR_DRBG_MAX_INPUT)) != 0) {
+ goto exit;
+ }
+
+ if (fwrite(buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f) !=
+ MBEDTLS_CTR_DRBG_MAX_INPUT) {
+ ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ } else {
+ ret = 0;
+ }
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ fclose(f);
+ return ret;
+}
+
+int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx,
+ const char *path)
+{
+ int ret = 0;
+ FILE *f = NULL;
+ size_t n;
+ unsigned char buf[MBEDTLS_CTR_DRBG_MAX_INPUT];
+ unsigned char c;
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ n = fread(buf, 1, sizeof(buf), f);
+ if (fread(&c, 1, 1, f) != 0) {
+ ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+ goto exit;
+ }
+ if (n == 0 || ferror(f)) {
+ ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+ goto exit;
+ }
+ fclose(f);
+ f = NULL;
+
+ ret = mbedtls_ctr_drbg_update(ctx, buf, n);
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ if (f != NULL) {
+ fclose(f);
+ }
+ if (ret != 0) {
+ return ret;
+ }
+ return mbedtls_ctr_drbg_write_seed_file(ctx, path);
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/* The CTR_DRBG NIST test vectors used here are available at
+ * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip
+ *
+ * The parameters used to derive the test data are:
+ *
+ * [AES-128 use df]
+ * [PredictionResistance = True/False]
+ * [EntropyInputLen = 128]
+ * [NonceLen = 64]
+ * [PersonalizationStringLen = 128]
+ * [AdditionalInputLen = 0]
+ * [ReturnedBitsLen = 512]
+ *
+ * [AES-256 use df]
+ * [PredictionResistance = True/False]
+ * [EntropyInputLen = 256]
+ * [NonceLen = 128]
+ * [PersonalizationStringLen = 256]
+ * [AdditionalInputLen = 0]
+ * [ReturnedBitsLen = 512]
+ *
+ */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+static const unsigned char entropy_source_pr[] =
+{ 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb,
+ 0xf1, 0x08, 0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92,
+ 0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8,
+ 0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20,
+ 0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0,
+ 0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad,
+ 0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8 };
+
+static const unsigned char entropy_source_nopr[] =
+{ 0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45,
+ 0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9,
+ 0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20,
+ 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f,
+ 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c };
+
+static const unsigned char pers_pr[] =
+{ 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a,
+ 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad };
+
+static const unsigned char pers_nopr[] =
+{ 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c,
+ 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f };
+
+static const unsigned char result_pr[] =
+{ 0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66,
+ 0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff,
+ 0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10,
+ 0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30,
+ 0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4,
+ 0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc,
+ 0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06,
+ 0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf };
+
+static const unsigned char result_nopr[] =
+{ 0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13,
+ 0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0,
+ 0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf,
+ 0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2,
+ 0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7,
+ 0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2,
+ 0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02,
+ 0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8 };
+#else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+
+static const unsigned char entropy_source_pr[] =
+{ 0xca, 0x58, 0xfd, 0xf2, 0xb9, 0x77, 0xcb, 0x49,
+ 0xd4, 0xe0, 0x5b, 0xe2, 0x39, 0x50, 0xd9, 0x8a,
+ 0x6a, 0xb3, 0xc5, 0x2f, 0xdf, 0x74, 0xd5, 0x85,
+ 0x8f, 0xd1, 0xba, 0x64, 0x54, 0x7b, 0xdb, 0x1e,
+ 0xc5, 0xea, 0x24, 0xc0, 0xfa, 0x0c, 0x90, 0x15,
+ 0x09, 0x20, 0x92, 0x42, 0x32, 0x36, 0x45, 0x45,
+ 0x7d, 0x20, 0x76, 0x6b, 0xcf, 0xa2, 0x15, 0xc8,
+ 0x2f, 0x9f, 0xbc, 0x88, 0x3f, 0x80, 0xd1, 0x2c,
+ 0xb7, 0x16, 0xd1, 0x80, 0x9e, 0xe1, 0xc9, 0xb3,
+ 0x88, 0x1b, 0x21, 0x45, 0xef, 0xa1, 0x7f, 0xce,
+ 0xc8, 0x92, 0x35, 0x55, 0x2a, 0xd9, 0x1d, 0x8e,
+ 0x12, 0x38, 0xac, 0x01, 0x4e, 0x38, 0x18, 0x76,
+ 0x9c, 0xf2, 0xb6, 0xd4, 0x13, 0xb6, 0x2c, 0x77,
+ 0xc0, 0xe7, 0xe6, 0x0c, 0x47, 0x44, 0x95, 0xbe };
+
+static const unsigned char entropy_source_nopr[] =
+{ 0x4c, 0xfb, 0x21, 0x86, 0x73, 0x34, 0x6d, 0x9d,
+ 0x50, 0xc9, 0x22, 0xe4, 0x9b, 0x0d, 0xfc, 0xd0,
+ 0x90, 0xad, 0xf0, 0x4f, 0x5c, 0x3b, 0xa4, 0x73,
+ 0x27, 0xdf, 0xcd, 0x6f, 0xa6, 0x3a, 0x78, 0x5c,
+ 0x01, 0x69, 0x62, 0xa7, 0xfd, 0x27, 0x87, 0xa2,
+ 0x4b, 0xf6, 0xbe, 0x47, 0xef, 0x37, 0x83, 0xf1,
+ 0xb7, 0xec, 0x46, 0x07, 0x23, 0x63, 0x83, 0x4a,
+ 0x1b, 0x01, 0x33, 0xf2, 0xc2, 0x38, 0x91, 0xdb,
+ 0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a,
+ 0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7 };
+
+static const unsigned char pers_pr[] =
+{ 0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33,
+ 0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e,
+ 0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0,
+ 0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9 };
+
+static const unsigned char pers_nopr[] =
+{ 0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29,
+ 0x4b, 0xda, 0xcd, 0x60, 0x99, 0xeb, 0xe4, 0xbf,
+ 0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb,
+ 0xcb, 0x45, 0x75, 0xf3, 0xd6, 0xa6, 0x8a, 0x6b };
+
+static const unsigned char result_pr[] =
+{ 0xce, 0x2f, 0xdb, 0xb6, 0xd9, 0xb7, 0x39, 0x85,
+ 0x04, 0xc5, 0xc0, 0x42, 0xc2, 0x31, 0xc6, 0x1d,
+ 0x9b, 0x5a, 0x59, 0xf8, 0x7e, 0x0d, 0xcc, 0x62,
+ 0x7b, 0x65, 0x11, 0x55, 0x10, 0xeb, 0x9e, 0x3d,
+ 0xa4, 0xfb, 0x1c, 0x6a, 0x18, 0xc0, 0x74, 0xdb,
+ 0xdd, 0xe7, 0x02, 0x23, 0x63, 0x21, 0xd0, 0x39,
+ 0xf9, 0xa7, 0xc4, 0x52, 0x84, 0x3b, 0x49, 0x40,
+ 0x72, 0x2b, 0xb0, 0x6c, 0x9c, 0xdb, 0xc3, 0x43 };
+
+static const unsigned char result_nopr[] =
+{ 0xa5, 0x51, 0x80, 0xa1, 0x90, 0xbe, 0xf3, 0xad,
+ 0xaf, 0x28, 0xf6, 0xb7, 0x95, 0xe9, 0xf1, 0xf3,
+ 0xd6, 0xdf, 0xa1, 0xb2, 0x7d, 0xd0, 0x46, 0x7b,
+ 0x0c, 0x75, 0xf5, 0xfa, 0x93, 0x1e, 0x97, 0x14,
+ 0x75, 0xb2, 0x7c, 0xae, 0x03, 0xa2, 0x96, 0x54,
+ 0xe2, 0xf4, 0x09, 0x66, 0xea, 0x33, 0x64, 0x30,
+ 0x40, 0xd1, 0x40, 0x0f, 0xe6, 0x77, 0x87, 0x3a,
+ 0xf8, 0x09, 0x7c, 0x1f, 0xe9, 0xf0, 0x02, 0x98 };
+#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+
+static size_t test_offset;
+static int ctr_drbg_self_test_entropy(void *data, unsigned char *buf,
+ size_t len)
+{
+ const unsigned char *p = data;
+ memcpy(buf, p + test_offset, len);
+ test_offset += len;
+ return 0;
+}
+
+#define CHK(c) if ((c) != 0) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf("failed\n"); \
+ return 1; \
+ }
+
+#define SELF_TEST_OUTPUT_DISCARD_LENGTH 64
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ctr_drbg_self_test(int verbose)
+{
+ mbedtls_ctr_drbg_context ctx;
+ unsigned char buf[sizeof(result_pr)];
+
+ mbedtls_ctr_drbg_init(&ctx);
+
+ /*
+ * Based on a NIST CTR_DRBG test vector (PR = True)
+ */
+ if (verbose != 0) {
+ mbedtls_printf(" CTR_DRBG (PR = TRUE) : ");
+ }
+
+ test_offset = 0;
+ mbedtls_ctr_drbg_set_entropy_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
+ mbedtls_ctr_drbg_set_nonce_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2);
+ CHK(mbedtls_ctr_drbg_seed(&ctx,
+ ctr_drbg_self_test_entropy,
+ (void *) entropy_source_pr,
+ pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE));
+ mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_ON);
+ CHK(mbedtls_ctr_drbg_random(&ctx, buf, SELF_TEST_OUTPUT_DISCARD_LENGTH));
+ CHK(mbedtls_ctr_drbg_random(&ctx, buf, sizeof(result_pr)));
+ CHK(memcmp(buf, result_pr, sizeof(result_pr)));
+
+ mbedtls_ctr_drbg_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ /*
+ * Based on a NIST CTR_DRBG test vector (PR = FALSE)
+ */
+ if (verbose != 0) {
+ mbedtls_printf(" CTR_DRBG (PR = FALSE): ");
+ }
+
+ mbedtls_ctr_drbg_init(&ctx);
+
+ test_offset = 0;
+ mbedtls_ctr_drbg_set_entropy_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
+ mbedtls_ctr_drbg_set_nonce_len(&ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2);
+ CHK(mbedtls_ctr_drbg_seed(&ctx,
+ ctr_drbg_self_test_entropy,
+ (void *) entropy_source_nopr,
+ pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE));
+ CHK(mbedtls_ctr_drbg_reseed(&ctx, NULL, 0));
+ CHK(mbedtls_ctr_drbg_random(&ctx, buf, SELF_TEST_OUTPUT_DISCARD_LENGTH));
+ CHK(mbedtls_ctr_drbg_random(&ctx, buf, sizeof(result_nopr)));
+ CHK(memcmp(buf, result_nopr, sizeof(result_nopr)));
+
+ mbedtls_ctr_drbg_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CTR_DRBG_C */
diff --git a/library/debug.c b/library/debug.c
new file mode 100644
index 0000000..c36ed3c
--- /dev/null
+++ b/library/debug.c
@@ -0,0 +1,465 @@
+/*
+ * Debugging routines
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#include "mbedtls/platform.h"
+
+#include "debug_internal.h"
+#include "mbedtls/error.h"
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+/* DEBUG_BUF_SIZE must be at least 2 */
+#define DEBUG_BUF_SIZE 512
+
+static int debug_threshold = 0;
+
+void mbedtls_debug_set_threshold(int threshold)
+{
+ debug_threshold = threshold;
+}
+
+/*
+ * All calls to f_dbg must be made via this function
+ */
+static inline void debug_send_line(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *str)
+{
+ /*
+ * If in a threaded environment, we need a thread identifier.
+ * Since there is no portable way to get one, use the address of the ssl
+ * context instead, as it shouldn't be shared between threads.
+ */
+#if defined(MBEDTLS_THREADING_C)
+ char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */
+ mbedtls_snprintf(idstr, sizeof(idstr), "%p: %s", (void *) ssl, str);
+ ssl->conf->f_dbg(ssl->conf->p_dbg, level, file, line, idstr);
+#else
+ ssl->conf->f_dbg(ssl->conf->p_dbg, level, file, line, str);
+#endif
+}
+
+MBEDTLS_PRINTF_ATTRIBUTE(5, 6)
+void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *format, ...)
+{
+ va_list argp;
+ char str[DEBUG_BUF_SIZE];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_STATIC_ASSERT(DEBUG_BUF_SIZE >= 2, "DEBUG_BUF_SIZE too small");
+
+ if (NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold) {
+ return;
+ }
+
+ va_start(argp, format);
+ ret = mbedtls_vsnprintf(str, DEBUG_BUF_SIZE, format, argp);
+ va_end(argp);
+
+ if (ret < 0) {
+ ret = 0;
+ } else {
+ if (ret >= DEBUG_BUF_SIZE - 1) {
+ ret = DEBUG_BUF_SIZE - 2;
+ }
+ }
+ str[ret] = '\n';
+ str[ret + 1] = '\0';
+
+ debug_send_line(ssl, level, file, line, str);
+}
+
+void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, int ret)
+{
+ char str[DEBUG_BUF_SIZE];
+
+ if (NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold) {
+ return;
+ }
+
+ /*
+ * With non-blocking I/O and examples that just retry immediately,
+ * the logs would be quickly flooded with WANT_READ, so ignore that.
+ * Don't ignore WANT_WRITE however, since it is usually rare.
+ */
+ if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
+ return;
+ }
+
+ mbedtls_snprintf(str, sizeof(str), "%s() returned %d (-0x%04x)\n",
+ text, ret, (unsigned int) -ret);
+
+ debug_send_line(ssl, level, file, line, str);
+}
+
+void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line, const char *text,
+ const unsigned char *buf, size_t len)
+{
+ char str[DEBUG_BUF_SIZE];
+ char txt[17];
+ size_t i, idx = 0;
+
+ if (NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold) {
+ return;
+ }
+
+ mbedtls_snprintf(str + idx, sizeof(str) - idx, "dumping '%s' (%u bytes)\n",
+ text, (unsigned int) len);
+
+ debug_send_line(ssl, level, file, line, str);
+
+ memset(txt, 0, sizeof(txt));
+ for (i = 0; i < len; i++) {
+ if (i >= 4096) {
+ break;
+ }
+
+ if (i % 16 == 0) {
+ if (i > 0) {
+ mbedtls_snprintf(str + idx, sizeof(str) - idx, " %s\n", txt);
+ debug_send_line(ssl, level, file, line, str);
+
+ idx = 0;
+ memset(txt, 0, sizeof(txt));
+ }
+
+ idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, "%04x: ",
+ (unsigned int) i);
+
+ }
+
+ idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " %02x",
+ (unsigned int) buf[i]);
+ txt[i % 16] = (buf[i] > 31 && buf[i] < 127) ? buf[i] : '.';
+ }
+
+ if (len > 0) {
+ for (/* i = i */; i % 16 != 0; i++) {
+ idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " ");
+ }
+
+ mbedtls_snprintf(str + idx, sizeof(str) - idx, " %s\n", txt);
+ debug_send_line(ssl, level, file, line, str);
+ }
+}
+
+#if defined(MBEDTLS_ECP_LIGHT)
+void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_ecp_point *X)
+{
+ char str[DEBUG_BUF_SIZE];
+
+ if (NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold) {
+ return;
+ }
+
+ mbedtls_snprintf(str, sizeof(str), "%s(X)", text);
+ mbedtls_debug_print_mpi(ssl, level, file, line, str, &X->X);
+
+ mbedtls_snprintf(str, sizeof(str), "%s(Y)", text);
+ mbedtls_debug_print_mpi(ssl, level, file, line, str, &X->Y);
+}
+#endif /* MBEDTLS_ECP_LIGHT */
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static void mbedtls_debug_print_ec_coord(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line, const char *text,
+ const unsigned char *buf, size_t len)
+{
+ char str[DEBUG_BUF_SIZE];
+ size_t i, idx = 0;
+
+ mbedtls_snprintf(str + idx, sizeof(str) - idx, "value of '%s' (%u bits) is:\n",
+ text, (unsigned int) len * 8);
+
+ debug_send_line(ssl, level, file, line, str);
+
+ for (i = 0; i < len; i++) {
+ if (i >= 4096) {
+ break;
+ }
+
+ if (i % 16 == 0) {
+ if (i > 0) {
+ mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n");
+ debug_send_line(ssl, level, file, line, str);
+
+ idx = 0;
+ }
+ }
+
+ idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " %02x",
+ (unsigned int) buf[i]);
+ }
+
+ if (len > 0) {
+ for (/* i = i */; i % 16 != 0; i++) {
+ idx += mbedtls_snprintf(str + idx, sizeof(str) - idx, " ");
+ }
+
+ mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n");
+ debug_send_line(ssl, level, file, line, str);
+ }
+}
+
+void mbedtls_debug_print_psa_ec(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_pk_context *pk)
+{
+ char str[DEBUG_BUF_SIZE];
+ const uint8_t *coord_start;
+ size_t coord_len;
+
+ if (NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ level > debug_threshold) {
+ return;
+ }
+
+ /* For the description of pk->pk_raw content please refer to the description
+ * psa_export_public_key() function. */
+ coord_len = (pk->pub_raw_len - 1)/2;
+
+ /* X coordinate */
+ coord_start = pk->pub_raw + 1;
+ mbedtls_snprintf(str, sizeof(str), "%s(X)", text);
+ mbedtls_debug_print_ec_coord(ssl, level, file, line, str, coord_start, coord_len);
+
+ /* Y coordinate */
+ coord_start = coord_start + coord_len;
+ mbedtls_snprintf(str, sizeof(str), "%s(Y)", text);
+ mbedtls_debug_print_ec_coord(ssl, level, file, line, str, coord_start, coord_len);
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+#if defined(MBEDTLS_BIGNUM_C)
+void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_mpi *X)
+{
+ char str[DEBUG_BUF_SIZE];
+ size_t bitlen;
+ size_t idx = 0;
+
+ if (NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ NULL == X ||
+ level > debug_threshold) {
+ return;
+ }
+
+ bitlen = mbedtls_mpi_bitlen(X);
+
+ mbedtls_snprintf(str, sizeof(str), "value of '%s' (%u bits) is:\n",
+ text, (unsigned) bitlen);
+ debug_send_line(ssl, level, file, line, str);
+
+ if (bitlen == 0) {
+ str[0] = ' '; str[1] = '0'; str[2] = '0';
+ idx = 3;
+ } else {
+ int n;
+ for (n = (int) ((bitlen - 1) / 8); n >= 0; n--) {
+ size_t limb_offset = n / sizeof(mbedtls_mpi_uint);
+ size_t offset_in_limb = n % sizeof(mbedtls_mpi_uint);
+ unsigned char octet =
+ (X->p[limb_offset] >> (offset_in_limb * 8)) & 0xff;
+ mbedtls_snprintf(str + idx, sizeof(str) - idx, " %02x", octet);
+ idx += 3;
+ /* Wrap lines after 16 octets that each take 3 columns */
+ if (idx >= 3 * 16) {
+ mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n");
+ debug_send_line(ssl, level, file, line, str);
+ idx = 0;
+ }
+ }
+ }
+
+ if (idx != 0) {
+ mbedtls_snprintf(str + idx, sizeof(str) - idx, "\n");
+ debug_send_line(ssl, level, file, line, str);
+ }
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
+static void debug_print_pk(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_pk_context *pk)
+{
+ size_t i;
+ mbedtls_pk_debug_item items[MBEDTLS_PK_DEBUG_MAX_ITEMS];
+ char name[16];
+
+ memset(items, 0, sizeof(items));
+
+ if (mbedtls_pk_debug(pk, items) != 0) {
+ debug_send_line(ssl, level, file, line,
+ "invalid PK context\n");
+ return;
+ }
+
+ for (i = 0; i < MBEDTLS_PK_DEBUG_MAX_ITEMS; i++) {
+ if (items[i].type == MBEDTLS_PK_DEBUG_NONE) {
+ return;
+ }
+
+ mbedtls_snprintf(name, sizeof(name), "%s%s", text, items[i].name);
+ name[sizeof(name) - 1] = '\0';
+
+#if defined(MBEDTLS_RSA_C)
+ if (items[i].type == MBEDTLS_PK_DEBUG_MPI) {
+ mbedtls_debug_print_mpi(ssl, level, file, line, name, items[i].value);
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_LIGHT)
+ if (items[i].type == MBEDTLS_PK_DEBUG_ECP) {
+ mbedtls_debug_print_ecp(ssl, level, file, line, name, items[i].value);
+ } else
+#endif /* MBEDTLS_ECP_LIGHT */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ if (items[i].type == MBEDTLS_PK_DEBUG_PSA_EC) {
+ mbedtls_debug_print_psa_ec(ssl, level, file, line, name, items[i].value);
+ } else
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ { debug_send_line(ssl, level, file, line,
+ "should not happen\n"); }
+ }
+}
+
+static void debug_print_line_by_line(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line, const char *text)
+{
+ char str[DEBUG_BUF_SIZE];
+ const char *start, *cur;
+
+ start = text;
+ for (cur = text; *cur != '\0'; cur++) {
+ if (*cur == '\n') {
+ size_t len = (size_t) (cur - start) + 1;
+ if (len > DEBUG_BUF_SIZE - 1) {
+ len = DEBUG_BUF_SIZE - 1;
+ }
+
+ memcpy(str, start, len);
+ str[len] = '\0';
+
+ debug_send_line(ssl, level, file, line, str);
+
+ start = cur + 1;
+ }
+ }
+}
+
+void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_x509_crt *crt)
+{
+ char str[DEBUG_BUF_SIZE];
+ int i = 0;
+
+ if (NULL == ssl ||
+ NULL == ssl->conf ||
+ NULL == ssl->conf->f_dbg ||
+ NULL == crt ||
+ level > debug_threshold) {
+ return;
+ }
+
+ while (crt != NULL) {
+ char buf[1024];
+
+ mbedtls_snprintf(str, sizeof(str), "%s #%d:\n", text, ++i);
+ debug_send_line(ssl, level, file, line, str);
+
+ mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", crt);
+ debug_print_line_by_line(ssl, level, file, line, buf);
+
+ debug_print_pk(ssl, level, file, line, "crt->", &crt->pk);
+
+ crt = crt->next;
+ }
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_X509_REMOVE_INFO */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) && \
+ defined(MBEDTLS_ECDH_C)
+static void mbedtls_debug_printf_ecdh_internal(const mbedtls_ssl_context *ssl,
+ int level, const char *file,
+ int line,
+ const mbedtls_ecdh_context *ecdh,
+ mbedtls_debug_ecdh_attr attr)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ const mbedtls_ecdh_context *ctx = ecdh;
+#else
+ const mbedtls_ecdh_context_mbed *ctx = &ecdh->ctx.mbed_ecdh;
+#endif
+
+ switch (attr) {
+ case MBEDTLS_DEBUG_ECDH_Q:
+ mbedtls_debug_print_ecp(ssl, level, file, line, "ECDH: Q",
+ &ctx->Q);
+ break;
+ case MBEDTLS_DEBUG_ECDH_QP:
+ mbedtls_debug_print_ecp(ssl, level, file, line, "ECDH: Qp",
+ &ctx->Qp);
+ break;
+ case MBEDTLS_DEBUG_ECDH_Z:
+ mbedtls_debug_print_mpi(ssl, level, file, line, "ECDH: z",
+ &ctx->z);
+ break;
+ default:
+ break;
+ }
+}
+
+void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const mbedtls_ecdh_context *ecdh,
+ mbedtls_debug_ecdh_attr attr)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ mbedtls_debug_printf_ecdh_internal(ssl, level, file, line, ecdh, attr);
+#else
+ switch (ecdh->var) {
+ default:
+ mbedtls_debug_printf_ecdh_internal(ssl, level, file, line, ecdh,
+ attr);
+ }
+#endif
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED &&
+ MBEDTLS_ECDH_C */
+
+#endif /* MBEDTLS_DEBUG_C */
diff --git a/library/debug_internal.h b/library/debug_internal.h
new file mode 100644
index 0000000..4523b46
--- /dev/null
+++ b/library/debug_internal.h
@@ -0,0 +1,172 @@
+/**
+ * \file debug_internal.h
+ *
+ * \brief Internal part of the public "debug.h".
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_DEBUG_INTERNAL_H
+#define MBEDTLS_DEBUG_INTERNAL_H
+
+#include "mbedtls/debug.h"
+
+/**
+ * \brief Print a message to the debug output. This function is always used
+ * through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
+ * context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the message has occurred in
+ * \param line line number the message has occurred at
+ * \param format format specifier, in printf format
+ * \param ... variables used by the format specifier
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6);
+
+/**
+ * \brief Print the return value of a function to the debug output. This
+ * function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text the name of the function that returned the error
+ * \param ret the return code value
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, int ret);
+
+/**
+ * \brief Output a buffer of size len bytes to the debug output. This function
+ * is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the buffer being dumped. Normally the
+ * variable or buffer name
+ * \param buf the buffer to be outputted
+ * \param len length of the buffer
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line, const char *text,
+ const unsigned char *buf, size_t len);
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief Print a MPI variable to the debug output. This function is always
+ * used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
+ * ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the MPI being output. Normally the
+ * variable name
+ * \param X the MPI variable
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_mpi *X);
+#endif
+
+#if defined(MBEDTLS_ECP_LIGHT)
+/**
+ * \brief Print an ECP point to the debug output. This function is always
+ * used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
+ * ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the ECP point being output. Normally the
+ * variable name
+ * \param X the ECP point
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_ecp_point *X);
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
+/**
+ * \brief Print a X.509 certificate structure to the debug output. This
+ * function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
+ * which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param text a name or label for the certificate being output
+ * \param crt X.509 certificate structure
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const char *text, const mbedtls_x509_crt *crt);
+#endif
+
+/* Note: the MBEDTLS_ECDH_C guard here is mandatory because this debug function
+ only works for the built-in implementation. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) && \
+ defined(MBEDTLS_ECDH_C)
+typedef enum {
+ MBEDTLS_DEBUG_ECDH_Q,
+ MBEDTLS_DEBUG_ECDH_QP,
+ MBEDTLS_DEBUG_ECDH_Z,
+} mbedtls_debug_ecdh_attr;
+
+/**
+ * \brief Print a field of the ECDH structure in the SSL context to the debug
+ * output. This function is always used through the
+ * MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
+ * and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param ecdh the ECDH context
+ * \param attr the identifier of the attribute being output
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const mbedtls_ecdh_context *ecdh,
+ mbedtls_debug_ecdh_attr attr);
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED &&
+ MBEDTLS_ECDH_C */
+
+#endif /* MBEDTLS_DEBUG_INTERNAL_H */
diff --git a/library/des.c b/library/des.c
new file mode 100644
index 0000000..f0032b3
--- /dev/null
+++ b/library/des.c
@@ -0,0 +1,1042 @@
+/*
+ * FIPS-46-3 compliant Triple-DES implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * DES, on which TDES is based, was originally designed by Horst Feistel
+ * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
+ *
+ * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_DES_C)
+
+#include "mbedtls/des.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_DES_ALT)
+
+/*
+ * Expanded DES S-boxes
+ */
+static const uint32_t SB1[64] =
+{
+ 0x01010400, 0x00000000, 0x00010000, 0x01010404,
+ 0x01010004, 0x00010404, 0x00000004, 0x00010000,
+ 0x00000400, 0x01010400, 0x01010404, 0x00000400,
+ 0x01000404, 0x01010004, 0x01000000, 0x00000004,
+ 0x00000404, 0x01000400, 0x01000400, 0x00010400,
+ 0x00010400, 0x01010000, 0x01010000, 0x01000404,
+ 0x00010004, 0x01000004, 0x01000004, 0x00010004,
+ 0x00000000, 0x00000404, 0x00010404, 0x01000000,
+ 0x00010000, 0x01010404, 0x00000004, 0x01010000,
+ 0x01010400, 0x01000000, 0x01000000, 0x00000400,
+ 0x01010004, 0x00010000, 0x00010400, 0x01000004,
+ 0x00000400, 0x00000004, 0x01000404, 0x00010404,
+ 0x01010404, 0x00010004, 0x01010000, 0x01000404,
+ 0x01000004, 0x00000404, 0x00010404, 0x01010400,
+ 0x00000404, 0x01000400, 0x01000400, 0x00000000,
+ 0x00010004, 0x00010400, 0x00000000, 0x01010004
+};
+
+static const uint32_t SB2[64] =
+{
+ 0x80108020, 0x80008000, 0x00008000, 0x00108020,
+ 0x00100000, 0x00000020, 0x80100020, 0x80008020,
+ 0x80000020, 0x80108020, 0x80108000, 0x80000000,
+ 0x80008000, 0x00100000, 0x00000020, 0x80100020,
+ 0x00108000, 0x00100020, 0x80008020, 0x00000000,
+ 0x80000000, 0x00008000, 0x00108020, 0x80100000,
+ 0x00100020, 0x80000020, 0x00000000, 0x00108000,
+ 0x00008020, 0x80108000, 0x80100000, 0x00008020,
+ 0x00000000, 0x00108020, 0x80100020, 0x00100000,
+ 0x80008020, 0x80100000, 0x80108000, 0x00008000,
+ 0x80100000, 0x80008000, 0x00000020, 0x80108020,
+ 0x00108020, 0x00000020, 0x00008000, 0x80000000,
+ 0x00008020, 0x80108000, 0x00100000, 0x80000020,
+ 0x00100020, 0x80008020, 0x80000020, 0x00100020,
+ 0x00108000, 0x00000000, 0x80008000, 0x00008020,
+ 0x80000000, 0x80100020, 0x80108020, 0x00108000
+};
+
+static const uint32_t SB3[64] =
+{
+ 0x00000208, 0x08020200, 0x00000000, 0x08020008,
+ 0x08000200, 0x00000000, 0x00020208, 0x08000200,
+ 0x00020008, 0x08000008, 0x08000008, 0x00020000,
+ 0x08020208, 0x00020008, 0x08020000, 0x00000208,
+ 0x08000000, 0x00000008, 0x08020200, 0x00000200,
+ 0x00020200, 0x08020000, 0x08020008, 0x00020208,
+ 0x08000208, 0x00020200, 0x00020000, 0x08000208,
+ 0x00000008, 0x08020208, 0x00000200, 0x08000000,
+ 0x08020200, 0x08000000, 0x00020008, 0x00000208,
+ 0x00020000, 0x08020200, 0x08000200, 0x00000000,
+ 0x00000200, 0x00020008, 0x08020208, 0x08000200,
+ 0x08000008, 0x00000200, 0x00000000, 0x08020008,
+ 0x08000208, 0x00020000, 0x08000000, 0x08020208,
+ 0x00000008, 0x00020208, 0x00020200, 0x08000008,
+ 0x08020000, 0x08000208, 0x00000208, 0x08020000,
+ 0x00020208, 0x00000008, 0x08020008, 0x00020200
+};
+
+static const uint32_t SB4[64] =
+{
+ 0x00802001, 0x00002081, 0x00002081, 0x00000080,
+ 0x00802080, 0x00800081, 0x00800001, 0x00002001,
+ 0x00000000, 0x00802000, 0x00802000, 0x00802081,
+ 0x00000081, 0x00000000, 0x00800080, 0x00800001,
+ 0x00000001, 0x00002000, 0x00800000, 0x00802001,
+ 0x00000080, 0x00800000, 0x00002001, 0x00002080,
+ 0x00800081, 0x00000001, 0x00002080, 0x00800080,
+ 0x00002000, 0x00802080, 0x00802081, 0x00000081,
+ 0x00800080, 0x00800001, 0x00802000, 0x00802081,
+ 0x00000081, 0x00000000, 0x00000000, 0x00802000,
+ 0x00002080, 0x00800080, 0x00800081, 0x00000001,
+ 0x00802001, 0x00002081, 0x00002081, 0x00000080,
+ 0x00802081, 0x00000081, 0x00000001, 0x00002000,
+ 0x00800001, 0x00002001, 0x00802080, 0x00800081,
+ 0x00002001, 0x00002080, 0x00800000, 0x00802001,
+ 0x00000080, 0x00800000, 0x00002000, 0x00802080
+};
+
+static const uint32_t SB5[64] =
+{
+ 0x00000100, 0x02080100, 0x02080000, 0x42000100,
+ 0x00080000, 0x00000100, 0x40000000, 0x02080000,
+ 0x40080100, 0x00080000, 0x02000100, 0x40080100,
+ 0x42000100, 0x42080000, 0x00080100, 0x40000000,
+ 0x02000000, 0x40080000, 0x40080000, 0x00000000,
+ 0x40000100, 0x42080100, 0x42080100, 0x02000100,
+ 0x42080000, 0x40000100, 0x00000000, 0x42000000,
+ 0x02080100, 0x02000000, 0x42000000, 0x00080100,
+ 0x00080000, 0x42000100, 0x00000100, 0x02000000,
+ 0x40000000, 0x02080000, 0x42000100, 0x40080100,
+ 0x02000100, 0x40000000, 0x42080000, 0x02080100,
+ 0x40080100, 0x00000100, 0x02000000, 0x42080000,
+ 0x42080100, 0x00080100, 0x42000000, 0x42080100,
+ 0x02080000, 0x00000000, 0x40080000, 0x42000000,
+ 0x00080100, 0x02000100, 0x40000100, 0x00080000,
+ 0x00000000, 0x40080000, 0x02080100, 0x40000100
+};
+
+static const uint32_t SB6[64] =
+{
+ 0x20000010, 0x20400000, 0x00004000, 0x20404010,
+ 0x20400000, 0x00000010, 0x20404010, 0x00400000,
+ 0x20004000, 0x00404010, 0x00400000, 0x20000010,
+ 0x00400010, 0x20004000, 0x20000000, 0x00004010,
+ 0x00000000, 0x00400010, 0x20004010, 0x00004000,
+ 0x00404000, 0x20004010, 0x00000010, 0x20400010,
+ 0x20400010, 0x00000000, 0x00404010, 0x20404000,
+ 0x00004010, 0x00404000, 0x20404000, 0x20000000,
+ 0x20004000, 0x00000010, 0x20400010, 0x00404000,
+ 0x20404010, 0x00400000, 0x00004010, 0x20000010,
+ 0x00400000, 0x20004000, 0x20000000, 0x00004010,
+ 0x20000010, 0x20404010, 0x00404000, 0x20400000,
+ 0x00404010, 0x20404000, 0x00000000, 0x20400010,
+ 0x00000010, 0x00004000, 0x20400000, 0x00404010,
+ 0x00004000, 0x00400010, 0x20004010, 0x00000000,
+ 0x20404000, 0x20000000, 0x00400010, 0x20004010
+};
+
+static const uint32_t SB7[64] =
+{
+ 0x00200000, 0x04200002, 0x04000802, 0x00000000,
+ 0x00000800, 0x04000802, 0x00200802, 0x04200800,
+ 0x04200802, 0x00200000, 0x00000000, 0x04000002,
+ 0x00000002, 0x04000000, 0x04200002, 0x00000802,
+ 0x04000800, 0x00200802, 0x00200002, 0x04000800,
+ 0x04000002, 0x04200000, 0x04200800, 0x00200002,
+ 0x04200000, 0x00000800, 0x00000802, 0x04200802,
+ 0x00200800, 0x00000002, 0x04000000, 0x00200800,
+ 0x04000000, 0x00200800, 0x00200000, 0x04000802,
+ 0x04000802, 0x04200002, 0x04200002, 0x00000002,
+ 0x00200002, 0x04000000, 0x04000800, 0x00200000,
+ 0x04200800, 0x00000802, 0x00200802, 0x04200800,
+ 0x00000802, 0x04000002, 0x04200802, 0x04200000,
+ 0x00200800, 0x00000000, 0x00000002, 0x04200802,
+ 0x00000000, 0x00200802, 0x04200000, 0x00000800,
+ 0x04000002, 0x04000800, 0x00000800, 0x00200002
+};
+
+static const uint32_t SB8[64] =
+{
+ 0x10001040, 0x00001000, 0x00040000, 0x10041040,
+ 0x10000000, 0x10001040, 0x00000040, 0x10000000,
+ 0x00040040, 0x10040000, 0x10041040, 0x00041000,
+ 0x10041000, 0x00041040, 0x00001000, 0x00000040,
+ 0x10040000, 0x10000040, 0x10001000, 0x00001040,
+ 0x00041000, 0x00040040, 0x10040040, 0x10041000,
+ 0x00001040, 0x00000000, 0x00000000, 0x10040040,
+ 0x10000040, 0x10001000, 0x00041040, 0x00040000,
+ 0x00041040, 0x00040000, 0x10041000, 0x00001000,
+ 0x00000040, 0x10040040, 0x00001000, 0x00041040,
+ 0x10001000, 0x00000040, 0x10000040, 0x10040000,
+ 0x10040040, 0x10000000, 0x00040000, 0x10001040,
+ 0x00000000, 0x10041040, 0x00040040, 0x10000040,
+ 0x10040000, 0x10001000, 0x10001040, 0x00000000,
+ 0x10041040, 0x00041000, 0x00041000, 0x00001040,
+ 0x00001040, 0x00040040, 0x10000000, 0x10041000
+};
+
+/*
+ * PC1: left and right halves bit-swap
+ */
+static const uint32_t LHs[16] =
+{
+ 0x00000000, 0x00000001, 0x00000100, 0x00000101,
+ 0x00010000, 0x00010001, 0x00010100, 0x00010101,
+ 0x01000000, 0x01000001, 0x01000100, 0x01000101,
+ 0x01010000, 0x01010001, 0x01010100, 0x01010101
+};
+
+static const uint32_t RHs[16] =
+{
+ 0x00000000, 0x01000000, 0x00010000, 0x01010000,
+ 0x00000100, 0x01000100, 0x00010100, 0x01010100,
+ 0x00000001, 0x01000001, 0x00010001, 0x01010001,
+ 0x00000101, 0x01000101, 0x00010101, 0x01010101,
+};
+
+/*
+ * Initial Permutation macro
+ */
+#define DES_IP(X, Y) \
+ do \
+ { \
+ T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
+ T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+ T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
+ T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
+ (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \
+ T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \
+ (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \
+ } while (0)
+
+/*
+ * Final Permutation macro
+ */
+#define DES_FP(X, Y) \
+ do \
+ { \
+ (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \
+ T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \
+ (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \
+ T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
+ T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
+ T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+ T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
+ } while (0)
+
+/*
+ * DES round macro
+ */
+#define DES_ROUND(X, Y) \
+ do \
+ { \
+ T = *SK++ ^ (X); \
+ (Y) ^= SB8[(T) & 0x3F] ^ \
+ SB6[(T >> 8) & 0x3F] ^ \
+ SB4[(T >> 16) & 0x3F] ^ \
+ SB2[(T >> 24) & 0x3F]; \
+ \
+ T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \
+ (Y) ^= SB7[(T) & 0x3F] ^ \
+ SB5[(T >> 8) & 0x3F] ^ \
+ SB3[(T >> 16) & 0x3F] ^ \
+ SB1[(T >> 24) & 0x3F]; \
+ } while (0)
+
+#define SWAP(a, b) \
+ do \
+ { \
+ uint32_t t = (a); (a) = (b); (b) = t; t = 0; \
+ } while (0)
+
+void mbedtls_des_init(mbedtls_des_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_des_context));
+}
+
+void mbedtls_des_free(mbedtls_des_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des_context));
+}
+
+void mbedtls_des3_init(mbedtls_des3_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_des3_context));
+}
+
+void mbedtls_des3_free(mbedtls_des3_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des3_context));
+}
+
+static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
+ 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32,
+ 35, 37, 38, 41, 42, 44,
+ 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69,
+ 70, 73, 74, 76, 79, 81,
+ 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103,
+ 104, 107, 109, 110, 112,
+ 115, 117, 118, 121, 122, 124, 127, 128, 131,
+ 133, 134, 137, 138, 140,
+ 143, 145, 146, 148, 151, 152, 155, 157, 158,
+ 161, 162, 164, 167, 168,
+ 171, 173, 174, 176, 179, 181, 182, 185, 186,
+ 188, 191, 193, 194, 196,
+ 199, 200, 203, 205, 206, 208, 211, 213, 214,
+ 217, 218, 220, 223, 224,
+ 227, 229, 230, 233, 234, 236, 239, 241, 242,
+ 244, 247, 248, 251, 253,
+ 254 };
+
+void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+
+ for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
+ key[i] = odd_parity_table[key[i] / 2];
+ }
+}
+
+/*
+ * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
+ */
+int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+
+ for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
+ if (key[i] != odd_parity_table[key[i] / 2]) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Table of weak and semi-weak keys
+ *
+ * Source: http://en.wikipedia.org/wiki/Weak_key
+ *
+ * Weak:
+ * Alternating ones + zeros (0x0101010101010101)
+ * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
+ * '0xE0E0E0E0F1F1F1F1'
+ * '0x1F1F1F1F0E0E0E0E'
+ *
+ * Semi-weak:
+ * 0x011F011F010E010E and 0x1F011F010E010E01
+ * 0x01E001E001F101F1 and 0xE001E001F101F101
+ * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
+ * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
+ * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
+ * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
+ *
+ */
+
+#define WEAK_KEY_COUNT 16
+
+static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
+{
+ { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+ { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
+ { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
+ { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
+
+ { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
+ { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
+ { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
+ { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
+ { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
+ { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
+ { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
+ { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
+ { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
+ { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
+ { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
+ { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
+};
+
+int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+
+ for (i = 0; i < WEAK_KEY_COUNT; i++) {
+ if (memcmp(weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_DES_SETKEY_ALT)
+void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+ uint32_t X, Y, T;
+
+ X = MBEDTLS_GET_UINT32_BE(key, 0);
+ Y = MBEDTLS_GET_UINT32_BE(key, 4);
+
+ /*
+ * Permuted Choice 1
+ */
+ T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
+ T = ((Y) ^ X) & 0x10101010; X ^= T; Y ^= (T);
+
+ X = (LHs[(X) & 0xF] << 3) | (LHs[(X >> 8) & 0xF] << 2)
+ | (LHs[(X >> 16) & 0xF] << 1) | (LHs[(X >> 24) & 0xF])
+ | (LHs[(X >> 5) & 0xF] << 7) | (LHs[(X >> 13) & 0xF] << 6)
+ | (LHs[(X >> 21) & 0xF] << 5) | (LHs[(X >> 29) & 0xF] << 4);
+
+ Y = (RHs[(Y >> 1) & 0xF] << 3) | (RHs[(Y >> 9) & 0xF] << 2)
+ | (RHs[(Y >> 17) & 0xF] << 1) | (RHs[(Y >> 25) & 0xF])
+ | (RHs[(Y >> 4) & 0xF] << 7) | (RHs[(Y >> 12) & 0xF] << 6)
+ | (RHs[(Y >> 20) & 0xF] << 5) | (RHs[(Y >> 28) & 0xF] << 4);
+
+ X &= 0x0FFFFFFF;
+ Y &= 0x0FFFFFFF;
+
+ /*
+ * calculate subkeys
+ */
+ for (i = 0; i < 16; i++) {
+ if (i < 2 || i == 8 || i == 15) {
+ X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
+ Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
+ } else {
+ X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
+ Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
+ }
+
+ *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
+ | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
+ | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
+ | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
+ | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
+ | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
+ | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
+ | ((Y >> 14) & 0x00000200) | ((Y) & 0x00000100)
+ | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
+ | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
+ | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
+
+ *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
+ | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
+ | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
+ | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
+ | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
+ | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
+ | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
+ | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
+ | ((Y) & 0x00000200) | ((Y << 7) & 0x00000100)
+ | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
+ | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
+ }
+}
+#endif /* !MBEDTLS_DES_SETKEY_ALT */
+
+/*
+ * DES key schedule (56-bit, encryption)
+ */
+int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ mbedtls_des_setkey(ctx->sk, key);
+
+ return 0;
+}
+
+/*
+ * DES key schedule (56-bit, decryption)
+ */
+int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+{
+ int i;
+
+ mbedtls_des_setkey(ctx->sk, key);
+
+ for (i = 0; i < 16; i += 2) {
+ SWAP(ctx->sk[i], ctx->sk[30 - i]);
+ SWAP(ctx->sk[i + 1], ctx->sk[31 - i]);
+ }
+
+ return 0;
+}
+
+static void des3_set2key(uint32_t esk[96],
+ uint32_t dsk[96],
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE*2])
+{
+ int i;
+
+ mbedtls_des_setkey(esk, key);
+ mbedtls_des_setkey(dsk + 32, key + 8);
+
+ for (i = 0; i < 32; i += 2) {
+ dsk[i] = esk[30 - i];
+ dsk[i + 1] = esk[31 - i];
+
+ esk[i + 32] = dsk[62 - i];
+ esk[i + 33] = dsk[63 - i];
+
+ esk[i + 64] = esk[i];
+ esk[i + 65] = esk[i + 1];
+
+ dsk[i + 64] = dsk[i];
+ dsk[i + 65] = dsk[i + 1];
+ }
+}
+
+/*
+ * Triple-DES key schedule (112-bit, encryption)
+ */
+int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
+{
+ uint32_t sk[96];
+
+ des3_set2key(ctx->sk, sk, key);
+ mbedtls_platform_zeroize(sk, sizeof(sk));
+
+ return 0;
+}
+
+/*
+ * Triple-DES key schedule (112-bit, decryption)
+ */
+int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
+{
+ uint32_t sk[96];
+
+ des3_set2key(sk, ctx->sk, key);
+ mbedtls_platform_zeroize(sk, sizeof(sk));
+
+ return 0;
+}
+
+static void des3_set3key(uint32_t esk[96],
+ uint32_t dsk[96],
+ const unsigned char key[24])
+{
+ int i;
+
+ mbedtls_des_setkey(esk, key);
+ mbedtls_des_setkey(dsk + 32, key + 8);
+ mbedtls_des_setkey(esk + 64, key + 16);
+
+ for (i = 0; i < 32; i += 2) {
+ dsk[i] = esk[94 - i];
+ dsk[i + 1] = esk[95 - i];
+
+ esk[i + 32] = dsk[62 - i];
+ esk[i + 33] = dsk[63 - i];
+
+ dsk[i + 64] = esk[30 - i];
+ dsk[i + 65] = esk[31 - i];
+ }
+}
+
+/*
+ * Triple-DES key schedule (168-bit, encryption)
+ */
+int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
+{
+ uint32_t sk[96];
+
+ des3_set3key(ctx->sk, sk, key);
+ mbedtls_platform_zeroize(sk, sizeof(sk));
+
+ return 0;
+}
+
+/*
+ * Triple-DES key schedule (168-bit, decryption)
+ */
+int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx,
+ const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
+{
+ uint32_t sk[96];
+
+ des3_set3key(sk, ctx->sk, key);
+ mbedtls_platform_zeroize(sk, sizeof(sk));
+
+ return 0;
+}
+
+/*
+ * DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx,
+ const unsigned char input[8],
+ unsigned char output[8])
+{
+ int i;
+ uint32_t X, Y, T, *SK;
+
+ SK = ctx->sk;
+
+ X = MBEDTLS_GET_UINT32_BE(input, 0);
+ Y = MBEDTLS_GET_UINT32_BE(input, 4);
+
+ DES_IP(X, Y);
+
+ for (i = 0; i < 8; i++) {
+ DES_ROUND(Y, X);
+ DES_ROUND(X, Y);
+ }
+
+ DES_FP(Y, X);
+
+ MBEDTLS_PUT_UINT32_BE(Y, output, 0);
+ MBEDTLS_PUT_UINT32_BE(X, output, 4);
+
+ return 0;
+}
+#endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[8],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char temp[8];
+
+ if (length % 8) {
+ return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
+ }
+
+ if (mode == MBEDTLS_DES_ENCRYPT) {
+ while (length > 0) {
+ mbedtls_xor(output, input, iv, 8);
+
+ ret = mbedtls_des_crypt_ecb(ctx, output, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ memcpy(iv, output, 8);
+
+ input += 8;
+ output += 8;
+ length -= 8;
+ }
+ } else { /* MBEDTLS_DES_DECRYPT */
+ while (length > 0) {
+ memcpy(temp, input, 8);
+ ret = mbedtls_des_crypt_ecb(ctx, input, output);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ mbedtls_xor(output, output, iv, 8);
+
+ memcpy(iv, temp, 8);
+
+ input += 8;
+ output += 8;
+ length -= 8;
+ }
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * 3DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx,
+ const unsigned char input[8],
+ unsigned char output[8])
+{
+ int i;
+ uint32_t X, Y, T, *SK;
+
+ SK = ctx->sk;
+
+ X = MBEDTLS_GET_UINT32_BE(input, 0);
+ Y = MBEDTLS_GET_UINT32_BE(input, 4);
+
+ DES_IP(X, Y);
+
+ for (i = 0; i < 8; i++) {
+ DES_ROUND(Y, X);
+ DES_ROUND(X, Y);
+ }
+
+ for (i = 0; i < 8; i++) {
+ DES_ROUND(X, Y);
+ DES_ROUND(Y, X);
+ }
+
+ for (i = 0; i < 8; i++) {
+ DES_ROUND(Y, X);
+ DES_ROUND(X, Y);
+ }
+
+ DES_FP(Y, X);
+
+ MBEDTLS_PUT_UINT32_BE(Y, output, 0);
+ MBEDTLS_PUT_UINT32_BE(X, output, 4);
+
+ return 0;
+}
+#endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * 3DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[8],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char temp[8];
+
+ if (length % 8) {
+ return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
+ }
+
+ if (mode == MBEDTLS_DES_ENCRYPT) {
+ while (length > 0) {
+ mbedtls_xor(output, input, iv, 8);
+
+ ret = mbedtls_des3_crypt_ecb(ctx, output, output);
+ if (ret != 0) {
+ goto exit;
+ }
+ memcpy(iv, output, 8);
+
+ input += 8;
+ output += 8;
+ length -= 8;
+ }
+ } else { /* MBEDTLS_DES_DECRYPT */
+ while (length > 0) {
+ memcpy(temp, input, 8);
+ ret = mbedtls_des3_crypt_ecb(ctx, input, output);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ mbedtls_xor(output, output, iv, 8);
+
+ memcpy(iv, temp, 8);
+
+ input += 8;
+ output += 8;
+ length -= 8;
+ }
+ }
+ ret = 0;
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#endif /* !MBEDTLS_DES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * DES and 3DES test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
+ */
+static const unsigned char des3_test_keys[24] =
+{
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
+ 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
+ 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
+};
+
+static const unsigned char des3_test_buf[8] =
+{
+ 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
+};
+
+static const unsigned char des3_test_ecb_dec[3][8] =
+{
+ { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
+ { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
+ { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
+};
+
+static const unsigned char des3_test_ecb_enc[3][8] =
+{
+ { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
+ { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
+ { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char des3_test_iv[8] =
+{
+ 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
+};
+
+static const unsigned char des3_test_cbc_dec[3][8] =
+{
+ { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
+ { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
+ { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
+};
+
+static const unsigned char des3_test_cbc_enc[3][8] =
+{
+ { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
+ { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
+ { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_des_self_test(int verbose)
+{
+ int i, j, u, v, ret = 0;
+ mbedtls_des_context ctx;
+ mbedtls_des3_context ctx3;
+ unsigned char buf[8];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ unsigned char prv[8];
+ unsigned char iv[8];
+#endif
+
+ mbedtls_des_init(&ctx);
+ mbedtls_des3_init(&ctx3);
+ /*
+ * ECB mode
+ */
+ for (i = 0; i < 6; i++) {
+ u = i >> 1;
+ v = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" DES%c-ECB-%3d (%s): ",
+ (u == 0) ? ' ' : '3', 56 + u * 56,
+ (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(buf, des3_test_buf, 8);
+
+ switch (i) {
+ case 0:
+ ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
+ break;
+
+ case 1:
+ ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
+ break;
+
+ case 2:
+ ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
+ break;
+
+ case 3:
+ ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
+ break;
+
+ case 4:
+ ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
+ break;
+
+ case 5:
+ ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
+ break;
+
+ default:
+ return 1;
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+ for (j = 0; j < 100; j++) {
+ if (u == 0) {
+ ret = mbedtls_des_crypt_ecb(&ctx, buf, buf);
+ } else {
+ ret = mbedtls_des3_crypt_ecb(&ctx3, buf, buf);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ if ((v == MBEDTLS_DES_DECRYPT &&
+ memcmp(buf, des3_test_ecb_dec[u], 8) != 0) ||
+ (v != MBEDTLS_DES_DECRYPT &&
+ memcmp(buf, des3_test_ecb_enc[u], 8) != 0)) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ /*
+ * CBC mode
+ */
+ for (i = 0; i < 6; i++) {
+ u = i >> 1;
+ v = i & 1;
+
+ if (verbose != 0) {
+ mbedtls_printf(" DES%c-CBC-%3d (%s): ",
+ (u == 0) ? ' ' : '3', 56 + u * 56,
+ (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
+ }
+
+ memcpy(iv, des3_test_iv, 8);
+ memcpy(prv, des3_test_iv, 8);
+ memcpy(buf, des3_test_buf, 8);
+
+ switch (i) {
+ case 0:
+ ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
+ break;
+
+ case 1:
+ ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
+ break;
+
+ case 2:
+ ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
+ break;
+
+ case 3:
+ ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
+ break;
+
+ case 4:
+ ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
+ break;
+
+ case 5:
+ ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
+ break;
+
+ default:
+ return 1;
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (v == MBEDTLS_DES_DECRYPT) {
+ for (j = 0; j < 100; j++) {
+ if (u == 0) {
+ ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
+ } else {
+ ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+ } else {
+ for (j = 0; j < 100; j++) {
+ unsigned char tmp[8];
+
+ if (u == 0) {
+ ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
+ } else {
+ ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+ memcpy(tmp, prv, 8);
+ memcpy(prv, buf, 8);
+ memcpy(buf, tmp, 8);
+ }
+
+ memcpy(buf, prv, 8);
+ }
+
+ if ((v == MBEDTLS_DES_DECRYPT &&
+ memcmp(buf, des3_test_cbc_dec[u], 8) != 0) ||
+ (v != MBEDTLS_DES_DECRYPT &&
+ memcmp(buf, des3_test_cbc_enc[u], 8) != 0)) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+exit:
+ mbedtls_des_free(&ctx);
+ mbedtls_des3_free(&ctx3);
+
+ if (ret != 0) {
+ ret = 1;
+ }
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DES_C */
diff --git a/library/dhm.c b/library/dhm.c
new file mode 100644
index 0000000..bcc07f5
--- /dev/null
+++ b/library/dhm.c
@@ -0,0 +1,712 @@
+/*
+ * Diffie-Hellman-Merkle key exchange
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the Diffie-Hellman-Merkle algorithm:
+ *
+ * [1] Handbook of Applied Cryptography - 1997, Chapter 12
+ * Menezes, van Oorschot and Vanstone
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_DHM_C)
+
+#include "mbedtls/dhm.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_DHM_ALT)
+
+/*
+ * helper to validate the mbedtls_mpi size and import it
+ */
+static int dhm_read_bignum(mbedtls_mpi *X,
+ unsigned char **p,
+ const unsigned char *end)
+{
+ int ret, n;
+
+ if (end - *p < 2) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ n = MBEDTLS_GET_UINT16_BE(*p, 0);
+ (*p) += 2;
+
+ if ((size_t) (end - *p) < (size_t) n) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_mpi_read_binary(X, *p, n)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED, ret);
+ }
+
+ (*p) += n;
+
+ return 0;
+}
+
+/*
+ * Verify sanity of parameter with regards to P
+ *
+ * Parameter should be: 2 <= public_param <= P - 2
+ *
+ * This means that we need to return an error if
+ * public_param < 2 or public_param > P-2
+ *
+ * For more information on the attack, see:
+ * http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
+ * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
+ */
+static int dhm_check_range(const mbedtls_mpi *param, const mbedtls_mpi *P)
+{
+ mbedtls_mpi U;
+ int ret = 0;
+
+ mbedtls_mpi_init(&U);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&U, P, 2));
+
+ if (mbedtls_mpi_cmp_int(param, 2) < 0 ||
+ mbedtls_mpi_cmp_mpi(param, &U) > 0) {
+ ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+cleanup:
+ mbedtls_mpi_free(&U);
+ return ret;
+}
+
+void mbedtls_dhm_init(mbedtls_dhm_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_dhm_context));
+}
+
+size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx)
+{
+ return mbedtls_mpi_bitlen(&ctx->P);
+}
+
+size_t mbedtls_dhm_get_len(const mbedtls_dhm_context *ctx)
+{
+ return mbedtls_mpi_size(&ctx->P);
+}
+
+int mbedtls_dhm_get_value(const mbedtls_dhm_context *ctx,
+ mbedtls_dhm_parameter param,
+ mbedtls_mpi *dest)
+{
+ const mbedtls_mpi *src = NULL;
+ switch (param) {
+ case MBEDTLS_DHM_PARAM_P:
+ src = &ctx->P;
+ break;
+ case MBEDTLS_DHM_PARAM_G:
+ src = &ctx->G;
+ break;
+ case MBEDTLS_DHM_PARAM_X:
+ src = &ctx->X;
+ break;
+ case MBEDTLS_DHM_PARAM_GX:
+ src = &ctx->GX;
+ break;
+ case MBEDTLS_DHM_PARAM_GY:
+ src = &ctx->GY;
+ break;
+ case MBEDTLS_DHM_PARAM_K:
+ src = &ctx->K;
+ break;
+ default:
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+ return mbedtls_mpi_copy(dest, src);
+}
+
+/*
+ * Parse the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
+ unsigned char **p,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = dhm_read_bignum(&ctx->P, p, end)) != 0 ||
+ (ret = dhm_read_bignum(&ctx->G, p, end)) != 0 ||
+ (ret = dhm_read_bignum(&ctx->GY, p, end)) != 0) {
+ return ret;
+ }
+
+ if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Pick a random R in the range [2, M-2] for blinding or key generation.
+ */
+static int dhm_random_below(mbedtls_mpi *R, const mbedtls_mpi *M,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_random(R, 3, M, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(R, R, 1));
+
+cleanup:
+ return ret;
+}
+
+static int dhm_make_common(mbedtls_dhm_context *ctx, int x_size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = 0;
+
+ if (mbedtls_mpi_cmp_int(&ctx->P, 0) == 0) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+ if (x_size < 0) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if ((unsigned) x_size < mbedtls_mpi_size(&ctx->P)) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->X, x_size, f_rng, p_rng));
+ } else {
+ /* Generate X as large as possible ( <= P - 2 ) */
+ ret = dhm_random_below(&ctx->X, &ctx->P, f_rng, p_rng);
+ if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ return MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED;
+ }
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ /*
+ * Calculate GX = G^X mod P
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->GX, &ctx->G, &ctx->X,
+ &ctx->P, &ctx->RP));
+
+ if ((ret = dhm_check_range(&ctx->GX, &ctx->P)) != 0) {
+ return ret;
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
+ unsigned char *output, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret;
+ size_t n1, n2, n3;
+ unsigned char *p;
+
+ ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
+ * not required". We omit leading zeros for compactness.
+ */
+#define DHM_MPI_EXPORT(X, n) \
+ do { \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary((X), \
+ p + 2, \
+ (n))); \
+ *p++ = MBEDTLS_BYTE_1(n); \
+ *p++ = MBEDTLS_BYTE_0(n); \
+ p += (n); \
+ } while (0)
+
+ n1 = mbedtls_mpi_size(&ctx->P);
+ n2 = mbedtls_mpi_size(&ctx->G);
+ n3 = mbedtls_mpi_size(&ctx->GX);
+
+ p = output;
+ DHM_MPI_EXPORT(&ctx->P, n1);
+ DHM_MPI_EXPORT(&ctx->G, n2);
+ DHM_MPI_EXPORT(&ctx->GX, n3);
+
+ *olen = (size_t) (p - output);
+
+cleanup:
+ if (ret != 0 && ret > -128) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED, ret);
+ }
+ return ret;
+}
+
+/*
+ * Set prime modulus and generator
+ */
+int mbedtls_dhm_set_group(mbedtls_dhm_context *ctx,
+ const mbedtls_mpi *P,
+ const mbedtls_mpi *G)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_mpi_copy(&ctx->P, P)) != 0 ||
+ (ret = mbedtls_mpi_copy(&ctx->G, G)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_SET_GROUP_FAILED, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Import the peer's public value G^Y
+ */
+int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
+ const unsigned char *input, size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ilen < 1 || ilen > mbedtls_dhm_get_len(ctx)) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_mpi_read_binary(&ctx->GY, input, ilen)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Create own private value X and export G^X
+ */
+int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
+ unsigned char *output, size_t olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret;
+
+ if (olen < 1 || olen > mbedtls_dhm_get_len(ctx)) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ ret = dhm_make_common(ctx, x_size, f_rng, p_rng);
+ if (ret == MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) {
+ return MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED;
+ }
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->GX, output, olen));
+
+cleanup:
+ if (ret != 0 && ret > -128) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED, ret);
+ }
+ return ret;
+}
+
+
+/*
+ * Use the blinding method and optimisation suggested in section 10 of:
+ * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ * Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int dhm_update_blinding(mbedtls_dhm_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init(&R);
+
+ /*
+ * Don't use any blinding the first time a particular X is used,
+ * but remember it to use blinding next time.
+ */
+ if (mbedtls_mpi_cmp_mpi(&ctx->X, &ctx->pX) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&ctx->pX, &ctx->X));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vi, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->Vf, 1));
+
+ return 0;
+ }
+
+ /*
+ * Ok, we need blinding. Can we re-use existing values?
+ * If yes, just update them by squaring them.
+ */
+ if (mbedtls_mpi_cmp_int(&ctx->Vi, 1) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->P));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
+
+ return 0;
+ }
+
+ /*
+ * We need to generate blinding values from scratch
+ */
+
+ /* Vi = random( 2, P-2 ) */
+ MBEDTLS_MPI_CHK(dhm_random_below(&ctx->Vi, &ctx->P, f_rng, p_rng));
+
+ /* Vf = Vi^-X mod P
+ * First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
+ * then elevate to the Xth power. */
+ MBEDTLS_MPI_CHK(dhm_random_below(&R, &ctx->P, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vi, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->Vf, &ctx->Vf, &ctx->P));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->P));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP));
+
+cleanup:
+ mbedtls_mpi_free(&R);
+
+ return ret;
+}
+
+/*
+ * Derive and export the shared secret (G^Y)^X mod P
+ */
+int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
+ unsigned char *output, size_t output_size, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi GYb;
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if (output_size < mbedtls_dhm_get_len(ctx)) {
+ return MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ }
+
+ if ((ret = dhm_check_range(&ctx->GY, &ctx->P)) != 0) {
+ return ret;
+ }
+
+ mbedtls_mpi_init(&GYb);
+
+ /* Blind peer's value */
+ MBEDTLS_MPI_CHK(dhm_update_blinding(ctx, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&GYb, &ctx->GY, &ctx->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&GYb, &GYb, &ctx->P));
+
+ /* Do modular exponentiation */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->K, &GYb, &ctx->X,
+ &ctx->P, &ctx->RP));
+
+ /* Unblind secret value */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->K, &ctx->K, &ctx->Vf));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->K, &ctx->K, &ctx->P));
+
+ /* Output the secret without any leading zero byte. This is mandatory
+ * for TLS per RFC 5246 §8.1.2. */
+ *olen = mbedtls_mpi_size(&ctx->K);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->K, output, *olen));
+
+cleanup:
+ mbedtls_mpi_free(&GYb);
+
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Free the components of a DHM key
+ */
+void mbedtls_dhm_free(mbedtls_dhm_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&ctx->pX);
+ mbedtls_mpi_free(&ctx->Vf);
+ mbedtls_mpi_free(&ctx->Vi);
+ mbedtls_mpi_free(&ctx->RP);
+ mbedtls_mpi_free(&ctx->K);
+ mbedtls_mpi_free(&ctx->GY);
+ mbedtls_mpi_free(&ctx->GX);
+ mbedtls_mpi_free(&ctx->X);
+ mbedtls_mpi_free(&ctx->G);
+ mbedtls_mpi_free(&ctx->P);
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_dhm_context));
+}
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/*
+ * Parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhm(mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+ size_t dhminlen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ unsigned char *p, *end;
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_context pem;
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_init(&pem);
+
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (dhminlen == 0 || dhmin[dhminlen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ "-----BEGIN DH PARAMETERS-----",
+ "-----END DH PARAMETERS-----",
+ dhmin, NULL, 0, &dhminlen);
+ }
+
+ if (ret == 0) {
+ /*
+ * Was PEM encoded
+ */
+ dhminlen = pem.buflen;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ goto exit;
+ }
+
+ p = (ret == 0) ? pem.buf : (unsigned char *) dhmin;
+#else
+ p = (unsigned char *) dhmin;
+#endif /* MBEDTLS_PEM_PARSE_C */
+ end = p + dhminlen;
+
+ /*
+ * DHParams ::= SEQUENCE {
+ * prime INTEGER, -- P
+ * generator INTEGER, -- g
+ * privateValueLength INTEGER OPTIONAL
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
+ goto exit;
+ }
+
+ end = p + len;
+
+ if ((ret = mbedtls_asn1_get_mpi(&p, end, &dhm->P)) != 0 ||
+ (ret = mbedtls_asn1_get_mpi(&p, end, &dhm->G)) != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
+ goto exit;
+ }
+
+ if (p != end) {
+ /* This might be the optional privateValueLength.
+ * If so, we can cleanly discard it */
+ mbedtls_mpi rec;
+ mbedtls_mpi_init(&rec);
+ ret = mbedtls_asn1_get_mpi(&p, end, &rec);
+ mbedtls_mpi_free(&rec);
+ if (ret != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT, ret);
+ goto exit;
+ }
+ if (p != end) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_DHM_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ goto exit;
+ }
+ }
+
+ ret = 0;
+
+exit:
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_free(&pem);
+#endif
+ if (ret != 0) {
+ mbedtls_dhm_free(dhm);
+ }
+
+ return ret;
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+static int load_file(const char *path, unsigned char **buf, size_t *n)
+{
+ FILE *f;
+ long size;
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
+ }
+ /* The data loaded here is public, so don't bother disabling buffering. */
+
+ fseek(f, 0, SEEK_END);
+ if ((size = ftell(f)) == -1) {
+ fclose(f);
+ return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
+ }
+ fseek(f, 0, SEEK_SET);
+
+ *n = (size_t) size;
+
+ if (*n + 1 == 0 ||
+ (*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
+ fclose(f);
+ return MBEDTLS_ERR_DHM_ALLOC_FAILED;
+ }
+
+ if (fread(*buf, 1, *n, f) != *n) {
+ fclose(f);
+
+ mbedtls_zeroize_and_free(*buf, *n + 1);
+
+ return MBEDTLS_ERR_DHM_FILE_IO_ERROR;
+ }
+
+ fclose(f);
+
+ (*buf)[*n] = '\0';
+
+ if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
+ ++*n;
+ }
+
+ return 0;
+}
+
+/*
+ * Load and parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhmfile(mbedtls_dhm_context *dhm, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ unsigned char *buf;
+
+ if ((ret = load_file(path, &buf, &n)) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_dhm_parse_dhm(dhm, buf, n);
+
+ mbedtls_zeroize_and_free(buf, n);
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#endif /* MBEDTLS_DHM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+static const char mbedtls_test_dhm_params[] =
+ "-----BEGIN DH PARAMETERS-----\r\n"
+ "MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
+ "1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
+ "9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
+ "-----END DH PARAMETERS-----\r\n";
+#else /* MBEDTLS_PEM_PARSE_C */
+static const char mbedtls_test_dhm_params[] = {
+ 0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
+ 0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
+ 0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
+ 0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
+ 0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
+ 0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
+ 0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
+ 0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
+ 0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
+ 0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
+ 0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
+ 0x49, 0x75, 0xb3, 0x02, 0x01, 0x02
+};
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+static const size_t mbedtls_test_dhm_params_len = sizeof(mbedtls_test_dhm_params);
+
+/*
+ * Checkup routine
+ */
+int mbedtls_dhm_self_test(int verbose)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_dhm_context dhm;
+
+ mbedtls_dhm_init(&dhm);
+
+ if (verbose != 0) {
+ mbedtls_printf(" DHM parameter load: ");
+ }
+
+ if ((ret = mbedtls_dhm_parse_dhm(&dhm,
+ (const unsigned char *) mbedtls_test_dhm_params,
+ mbedtls_test_dhm_params_len)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n\n");
+ }
+
+exit:
+ mbedtls_dhm_free(&dhm);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DHM_C */
diff --git a/library/ecdh.c b/library/ecdh.c
new file mode 100644
index 0000000..b276c6a
--- /dev/null
+++ b/library/ecdh.c
@@ -0,0 +1,694 @@
+/*
+ * Elliptic curve Diffie-Hellman
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References:
+ *
+ * SEC1 https://www.secg.org/sec1-v2.pdf
+ * RFC 4492
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECDH_C)
+
+#include "mbedtls/ecdh.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed;
+#endif
+
+static mbedtls_ecp_group_id mbedtls_ecdh_grp_id(
+ const mbedtls_ecdh_context *ctx)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ctx->grp.id;
+#else
+ return ctx->grp_id;
+#endif
+}
+
+int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid)
+{
+ /* At this time, all groups support ECDH. */
+ (void) gid;
+ return 1;
+}
+
+#if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+/*
+ * Generate public key (restartable version)
+ *
+ * Note: this internal function relies on its caller preserving the value of
+ * the output parameter 'd' across continuation calls. This would not be
+ * acceptable for a public function but is OK here as we control call sites.
+ */
+static int ecdh_gen_public_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ int restarting = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
+#endif
+ /* If multiplication is in progress, we already generated a privkey */
+ if (!restarting) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, Q, d, &grp->G,
+ f_rng, p_rng, rs_ctx));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Generate public key
+ */
+int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return ecdh_gen_public_restartable(grp, d, Q, f_rng, p_rng, NULL);
+}
+#endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+
+#if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+static int ecdh_compute_shared_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *z,
+ const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point P;
+
+ mbedtls_ecp_point_init(&P);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &P, d, Q,
+ f_rng, p_rng, rs_ctx));
+
+ if (mbedtls_ecp_is_zero(&P)) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(z, &P.X));
+
+cleanup:
+ mbedtls_ecp_point_free(&P);
+
+ return ret;
+}
+
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
+ const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return ecdh_compute_shared_restartable(grp, z, Q, d,
+ f_rng, p_rng, NULL);
+}
+#endif /* !MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+
+static void ecdh_init_internal(mbedtls_ecdh_context_mbed *ctx)
+{
+ mbedtls_ecp_group_init(&ctx->grp);
+ mbedtls_mpi_init(&ctx->d);
+ mbedtls_ecp_point_init(&ctx->Q);
+ mbedtls_ecp_point_init(&ctx->Qp);
+ mbedtls_mpi_init(&ctx->z);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_init(&ctx->rs);
+#endif
+}
+
+mbedtls_ecp_group_id mbedtls_ecdh_get_grp_id(mbedtls_ecdh_context *ctx)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ctx->MBEDTLS_PRIVATE(grp).id;
+#else
+ return ctx->MBEDTLS_PRIVATE(grp_id);
+#endif
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ ecdh_init_internal(ctx);
+ mbedtls_ecp_point_init(&ctx->Vi);
+ mbedtls_ecp_point_init(&ctx->Vf);
+ mbedtls_mpi_init(&ctx->_d);
+#else
+ memset(ctx, 0, sizeof(mbedtls_ecdh_context));
+
+ ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+#endif
+ ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ ctx->restart_enabled = 0;
+#endif
+}
+
+static int ecdh_setup_internal(mbedtls_ecdh_context_mbed *ctx,
+ mbedtls_ecp_group_id grp_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_ecp_group_load(&ctx->grp, grp_id);
+ if (ret != 0) {
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ return 0;
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecdh_setup(mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_setup_internal(ctx, grp_id);
+#else
+ switch (grp_id) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ ctx->point_format = MBEDTLS_ECP_PF_COMPRESSED;
+ ctx->var = MBEDTLS_ECDH_VARIANT_EVEREST;
+ ctx->grp_id = grp_id;
+ return mbedtls_everest_setup(&ctx->ctx.everest_ecdh, grp_id);
+#endif
+ default:
+ ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+ ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
+ ctx->grp_id = grp_id;
+ ecdh_init_internal(&ctx->ctx.mbed_ecdh);
+ return ecdh_setup_internal(&ctx->ctx.mbed_ecdh, grp_id);
+ }
+#endif
+}
+
+static void ecdh_free_internal(mbedtls_ecdh_context_mbed *ctx)
+{
+ mbedtls_ecp_group_free(&ctx->grp);
+ mbedtls_mpi_free(&ctx->d);
+ mbedtls_ecp_point_free(&ctx->Q);
+ mbedtls_ecp_point_free(&ctx->Qp);
+ mbedtls_mpi_free(&ctx->z);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_free(&ctx->rs);
+#endif
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Enable restartable operations for context
+ */
+void mbedtls_ecdh_enable_restart(mbedtls_ecdh_context *ctx)
+{
+ ctx->restart_enabled = 1;
+}
+#endif
+
+/*
+ * Free context
+ */
+void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ mbedtls_ecp_point_free(&ctx->Vi);
+ mbedtls_ecp_point_free(&ctx->Vf);
+ mbedtls_mpi_free(&ctx->_d);
+ ecdh_free_internal(ctx);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ mbedtls_everest_free(&ctx->ctx.everest_ecdh);
+ break;
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ ecdh_free_internal(&ctx->ctx.mbed_ecdh);
+ break;
+ default:
+ break;
+ }
+
+ ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+ ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+ ctx->grp_id = MBEDTLS_ECP_DP_NONE;
+#endif
+}
+
+static int ecdh_make_params_internal(mbedtls_ecdh_context_mbed *ctx,
+ size_t *olen, int point_format,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *,
+ unsigned char *,
+ size_t),
+ void *p_rng,
+ int restart_enabled)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t grp_len, pt_len;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+ if (ctx->grp.pbits == 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (restart_enabled) {
+ rs_ctx = &ctx->rs;
+ }
+#else
+ (void) restart_enabled;
+#endif
+
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
+ f_rng, p_rng, rs_ctx)) != 0) {
+ return ret;
+ }
+#else
+ if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
+ f_rng, p_rng)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ if ((ret = mbedtls_ecp_tls_write_group(&ctx->grp, &grp_len, buf,
+ blen)) != 0) {
+ return ret;
+ }
+
+ buf += grp_len;
+ blen -= grp_len;
+
+ if ((ret = mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format,
+ &pt_len, buf, blen)) != 0) {
+ return ret;
+ }
+
+ *olen = grp_len + pt_len;
+ return 0;
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters (RFC 4492)
+ * struct {
+ * ECParameters curve_params;
+ * ECPoint public;
+ * } ServerECDHParams;
+ */
+int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int restart_enabled = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restart_enabled = ctx->restart_enabled;
+#else
+ (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_make_params_internal(ctx, olen, ctx->point_format, buf, blen,
+ f_rng, p_rng, restart_enabled);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_make_params(&ctx->ctx.everest_ecdh, olen,
+ buf, blen, f_rng, p_rng);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_make_params_internal(&ctx->ctx.mbed_ecdh, olen,
+ ctx->point_format, buf, blen,
+ f_rng, p_rng,
+ restart_enabled);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_read_params_internal(mbedtls_ecdh_context_mbed *ctx,
+ const unsigned char **buf,
+ const unsigned char *end)
+{
+ return mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, buf,
+ (size_t) (end - *buf));
+}
+
+/*
+ * Read the ServerKeyExchange parameters (RFC 4492)
+ * struct {
+ * ECParameters curve_params;
+ * ECPoint public;
+ * } ServerECDHParams;
+ */
+int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
+ const unsigned char **buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group_id grp_id;
+ if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, (size_t) (end - *buf)))
+ != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_ecdh_setup(ctx, grp_id)) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_read_params_internal(ctx, buf, end);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_read_params(&ctx->ctx.everest_ecdh,
+ buf, end);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_read_params_internal(&ctx->ctx.mbed_ecdh,
+ buf, end);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_get_params_internal(mbedtls_ecdh_context_mbed *ctx,
+ const mbedtls_ecp_keypair *key,
+ mbedtls_ecdh_side side)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* If it's not our key, just import the public part as Qp */
+ if (side == MBEDTLS_ECDH_THEIRS) {
+ return mbedtls_ecp_copy(&ctx->Qp, &key->Q);
+ }
+
+ /* Our key: import public (as Q) and private parts */
+ if (side != MBEDTLS_ECDH_OURS) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0 ||
+ (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Get parameters from a keypair
+ */
+int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
+ const mbedtls_ecp_keypair *key,
+ mbedtls_ecdh_side side)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if (side != MBEDTLS_ECDH_OURS && side != MBEDTLS_ECDH_THEIRS) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_ecdh_grp_id(ctx) == MBEDTLS_ECP_DP_NONE) {
+ /* This is the first call to get_params(). Set up the context
+ * for use with the group. */
+ if ((ret = mbedtls_ecdh_setup(ctx, key->grp.id)) != 0) {
+ return ret;
+ }
+ } else {
+ /* This is not the first call to get_params(). Check that the
+ * current key's group is the same as the context's, which was set
+ * from the first key's group. */
+ if (mbedtls_ecdh_grp_id(ctx) != key->grp.id) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_get_params_internal(ctx, key, side);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ {
+ mbedtls_everest_ecdh_side s = side == MBEDTLS_ECDH_OURS ?
+ MBEDTLS_EVEREST_ECDH_OURS :
+ MBEDTLS_EVEREST_ECDH_THEIRS;
+ return mbedtls_everest_get_params(&ctx->ctx.everest_ecdh,
+ key, s);
+ }
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_get_params_internal(&ctx->ctx.mbed_ecdh,
+ key, side);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_make_public_internal(mbedtls_ecdh_context_mbed *ctx,
+ size_t *olen, int point_format,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *,
+ unsigned char *,
+ size_t),
+ void *p_rng,
+ int restart_enabled)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+ if (ctx->grp.pbits == 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (restart_enabled) {
+ rs_ctx = &ctx->rs;
+ }
+#else
+ (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if ((ret = ecdh_gen_public_restartable(&ctx->grp, &ctx->d, &ctx->Q,
+ f_rng, p_rng, rs_ctx)) != 0) {
+ return ret;
+ }
+#else
+ if ((ret = mbedtls_ecdh_gen_public(&ctx->grp, &ctx->d, &ctx->Q,
+ f_rng, p_rng)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ return mbedtls_ecp_tls_write_point(&ctx->grp, &ctx->Q, point_format, olen,
+ buf, blen);
+}
+
+/*
+ * Setup and export the client public value
+ */
+int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int restart_enabled = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_make_public_internal(ctx, olen, ctx->point_format, buf, blen,
+ f_rng, p_rng, restart_enabled);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_make_public(&ctx->ctx.everest_ecdh, olen,
+ buf, blen, f_rng, p_rng);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_make_public_internal(&ctx->ctx.mbed_ecdh, olen,
+ ctx->point_format, buf, blen,
+ f_rng, p_rng,
+ restart_enabled);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_read_public_internal(mbedtls_ecdh_context_mbed *ctx,
+ const unsigned char *buf, size_t blen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+
+ if ((ret = mbedtls_ecp_tls_read_point(&ctx->grp, &ctx->Qp, &p,
+ blen)) != 0) {
+ return ret;
+ }
+
+ if ((size_t) (p - buf) != blen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+/*
+ * Parse and import the client's public value
+ */
+int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
+ const unsigned char *buf, size_t blen)
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_read_public_internal(ctx, buf, blen);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_read_public(&ctx->ctx.everest_ecdh,
+ buf, blen);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_read_public_internal(&ctx->ctx.mbed_ecdh,
+ buf, blen);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+
+static int ecdh_calc_secret_internal(mbedtls_ecdh_context_mbed *ctx,
+ size_t *olen, unsigned char *buf,
+ size_t blen,
+ int (*f_rng)(void *,
+ unsigned char *,
+ size_t),
+ void *p_rng,
+ int restart_enabled)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+ if (ctx == NULL || ctx->grp.pbits == 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (restart_enabled) {
+ rs_ctx = &ctx->rs;
+ }
+#else
+ (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if ((ret = ecdh_compute_shared_restartable(&ctx->grp, &ctx->z, &ctx->Qp,
+ &ctx->d, f_rng, p_rng,
+ rs_ctx)) != 0) {
+ return ret;
+ }
+#else
+ if ((ret = mbedtls_ecdh_compute_shared(&ctx->grp, &ctx->z, &ctx->Qp,
+ &ctx->d, f_rng, p_rng)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ if (mbedtls_mpi_size(&ctx->z) > blen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ *olen = ctx->grp.pbits / 8 + ((ctx->grp.pbits % 8) != 0);
+
+ if (mbedtls_ecp_get_type(&ctx->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ return mbedtls_mpi_write_binary_le(&ctx->z, buf, *olen);
+ }
+
+ return mbedtls_mpi_write_binary(&ctx->z, buf, *olen);
+}
+
+/*
+ * Derive and export the shared secret
+ */
+int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
+ unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int restart_enabled = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ return ecdh_calc_secret_internal(ctx, olen, buf, blen, f_rng, p_rng,
+ restart_enabled);
+#else
+ switch (ctx->var) {
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ case MBEDTLS_ECDH_VARIANT_EVEREST:
+ return mbedtls_everest_calc_secret(&ctx->ctx.everest_ecdh, olen,
+ buf, blen, f_rng, p_rng);
+#endif
+ case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+ return ecdh_calc_secret_internal(&ctx->ctx.mbed_ecdh, olen, buf,
+ blen, f_rng, p_rng,
+ restart_enabled);
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+#endif
+}
+#endif /* MBEDTLS_ECDH_C */
diff --git a/library/ecdsa.c b/library/ecdsa.c
new file mode 100644
index 0000000..2f7a996
--- /dev/null
+++ b/library/ecdsa.c
@@ -0,0 +1,867 @@
+/*
+ * Elliptic curve DSA
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References:
+ *
+ * SEC1 https://www.secg.org/sec1-v2.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECDSA_C)
+
+#include "mbedtls/ecdsa.h"
+#include "mbedtls/asn1write.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#include "mbedtls/hmac_drbg.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/*
+ * Sub-context for ecdsa_verify()
+ */
+struct mbedtls_ecdsa_restart_ver {
+ mbedtls_mpi u1, u2; /* intermediate values */
+ enum { /* what to do next? */
+ ecdsa_ver_init = 0, /* getting started */
+ ecdsa_ver_muladd, /* muladd step */
+ } state;
+};
+
+/*
+ * Init verify restart sub-context
+ */
+static void ecdsa_restart_ver_init(mbedtls_ecdsa_restart_ver_ctx *ctx)
+{
+ mbedtls_mpi_init(&ctx->u1);
+ mbedtls_mpi_init(&ctx->u2);
+ ctx->state = ecdsa_ver_init;
+}
+
+/*
+ * Free the components of a verify restart sub-context
+ */
+static void ecdsa_restart_ver_free(mbedtls_ecdsa_restart_ver_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&ctx->u1);
+ mbedtls_mpi_free(&ctx->u2);
+
+ ecdsa_restart_ver_init(ctx);
+}
+
+/*
+ * Sub-context for ecdsa_sign()
+ */
+struct mbedtls_ecdsa_restart_sig {
+ int sign_tries;
+ int key_tries;
+ mbedtls_mpi k; /* per-signature random */
+ mbedtls_mpi r; /* r value */
+ enum { /* what to do next? */
+ ecdsa_sig_init = 0, /* getting started */
+ ecdsa_sig_mul, /* doing ecp_mul() */
+ ecdsa_sig_modn, /* mod N computations */
+ } state;
+};
+
+/*
+ * Init verify sign sub-context
+ */
+static void ecdsa_restart_sig_init(mbedtls_ecdsa_restart_sig_ctx *ctx)
+{
+ ctx->sign_tries = 0;
+ ctx->key_tries = 0;
+ mbedtls_mpi_init(&ctx->k);
+ mbedtls_mpi_init(&ctx->r);
+ ctx->state = ecdsa_sig_init;
+}
+
+/*
+ * Free the components of a sign restart sub-context
+ */
+static void ecdsa_restart_sig_free(mbedtls_ecdsa_restart_sig_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&ctx->k);
+ mbedtls_mpi_free(&ctx->r);
+}
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Sub-context for ecdsa_sign_det()
+ */
+struct mbedtls_ecdsa_restart_det {
+ mbedtls_hmac_drbg_context rng_ctx; /* DRBG state */
+ enum { /* what to do next? */
+ ecdsa_det_init = 0, /* getting started */
+ ecdsa_det_sign, /* make signature */
+ } state;
+};
+
+/*
+ * Init verify sign_det sub-context
+ */
+static void ecdsa_restart_det_init(mbedtls_ecdsa_restart_det_ctx *ctx)
+{
+ mbedtls_hmac_drbg_init(&ctx->rng_ctx);
+ ctx->state = ecdsa_det_init;
+}
+
+/*
+ * Free the components of a sign_det restart sub-context
+ */
+static void ecdsa_restart_det_free(mbedtls_ecdsa_restart_det_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_hmac_drbg_free(&ctx->rng_ctx);
+
+ ecdsa_restart_det_init(ctx);
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#define ECDSA_RS_ECP (rs_ctx == NULL ? NULL : &rs_ctx->ecp)
+
+/* Utility macro for checking and updating ops budget */
+#define ECDSA_BUDGET(ops) \
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_budget(grp, ECDSA_RS_ECP, ops));
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECDSA_RS_ENTER(SUB) do { \
+ /* reset ops count for this call if top-level */ \
+ if (rs_ctx != NULL && rs_ctx->ecp.depth++ == 0) \
+ rs_ctx->ecp.ops_done = 0; \
+ \
+ /* set up our own sub-context if needed */ \
+ if (mbedtls_ecp_restart_is_enabled() && \
+ rs_ctx != NULL && rs_ctx->SUB == NULL) \
+ { \
+ rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB)); \
+ if (rs_ctx->SUB == NULL) \
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED; \
+ \
+ ecdsa_restart_## SUB ##_init(rs_ctx->SUB); \
+ } \
+} while (0)
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECDSA_RS_LEAVE(SUB) do { \
+ /* clear our sub-context when not in progress (done or error) */ \
+ if (rs_ctx != NULL && rs_ctx->SUB != NULL && \
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS) \
+ { \
+ ecdsa_restart_## SUB ##_free(rs_ctx->SUB); \
+ mbedtls_free(rs_ctx->SUB); \
+ rs_ctx->SUB = NULL; \
+ } \
+ \
+ if (rs_ctx != NULL) \
+ rs_ctx->ecp.depth--; \
+} while (0)
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECDSA_RS_ECP NULL
+
+#define ECDSA_BUDGET(ops) /* no-op; for compatibility */
+
+#define ECDSA_RS_ENTER(SUB) (void) rs_ctx
+#define ECDSA_RS_LEAVE(SUB) (void) rs_ctx
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC) || \
+ !defined(MBEDTLS_ECDSA_SIGN_ALT) || \
+ !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/*
+ * Derive a suitable integer for group grp from a buffer of length len
+ * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
+ */
+static int derive_mpi(const mbedtls_ecp_group *grp, mbedtls_mpi *x,
+ const unsigned char *buf, size_t blen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n_size = (grp->nbits + 7) / 8;
+ size_t use_size = blen > n_size ? n_size : blen;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(x, buf, use_size));
+ if (use_size * 8 > grp->nbits) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(x, use_size * 8 - grp->nbits));
+ }
+
+ /* While at it, reduce modulo N */
+ if (mbedtls_mpi_cmp_mpi(x, &grp->N) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(x, x, &grp->N));
+ }
+
+cleanup:
+ return ret;
+}
+#endif /* ECDSA_DETERMINISTIC || !ECDSA_SIGN_ALT || !ECDSA_VERIFY_ALT */
+
+int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid)
+{
+ switch (gid) {
+#ifdef MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ case MBEDTLS_ECP_DP_CURVE25519: return 0;
+#endif
+#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
+ case MBEDTLS_ECP_DP_CURVE448: return 0;
+#endif
+ default: return 1;
+ }
+}
+
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/*
+ * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
+ * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
+ */
+int mbedtls_ecdsa_sign_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret, key_tries, sign_tries;
+ int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
+ mbedtls_ecp_point R;
+ mbedtls_mpi k, e, t;
+ mbedtls_mpi *pk = &k, *pr = r;
+
+ /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+ if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Make sure d is in range 1..n-1 */
+ if (mbedtls_mpi_cmp_int(d, 1) < 0 || mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ mbedtls_ecp_point_init(&R);
+ mbedtls_mpi_init(&k); mbedtls_mpi_init(&e); mbedtls_mpi_init(&t);
+
+ ECDSA_RS_ENTER(sig);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->sig != NULL) {
+ /* redirect to our context */
+ p_sign_tries = &rs_ctx->sig->sign_tries;
+ p_key_tries = &rs_ctx->sig->key_tries;
+ pk = &rs_ctx->sig->k;
+ pr = &rs_ctx->sig->r;
+
+ /* jump to current step */
+ if (rs_ctx->sig->state == ecdsa_sig_mul) {
+ goto mul;
+ }
+ if (rs_ctx->sig->state == ecdsa_sig_modn) {
+ goto modn;
+ }
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ *p_sign_tries = 0;
+ do {
+ if ((*p_sign_tries)++ > 10) {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ goto cleanup;
+ }
+
+ /*
+ * Steps 1-3: generate a suitable ephemeral keypair
+ * and set r = xR mod n
+ */
+ *p_key_tries = 0;
+ do {
+ if ((*p_key_tries)++ > 10) {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, pk, f_rng, p_rng));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->sig != NULL) {
+ rs_ctx->sig->state = ecdsa_sig_mul;
+ }
+
+mul:
+#endif
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_restartable(grp, &R, pk, &grp->G,
+ f_rng_blind,
+ p_rng_blind,
+ ECDSA_RS_ECP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pr, &R.X, &grp->N));
+ } while (mbedtls_mpi_cmp_int(pr, 0) == 0);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->sig != NULL) {
+ rs_ctx->sig->state = ecdsa_sig_modn;
+ }
+
+modn:
+#endif
+ /*
+ * Accounting for everything up to the end of the loop
+ * (step 6, but checking now avoids saving e and t)
+ */
+ ECDSA_BUDGET(MBEDTLS_ECP_OPS_INV + 4);
+
+ /*
+ * Step 5: derive MPI from hashed message
+ */
+ MBEDTLS_MPI_CHK(derive_mpi(grp, &e, buf, blen));
+
+ /*
+ * Generate a random value to blind inv_mod in next step,
+ * avoiding a potential timing leak.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, &t, f_rng_blind,
+ p_rng_blind));
+
+ /*
+ * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, pr, d));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&e, &e, s));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&e, &e, &t));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pk, pk, &t));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pk, pk, &grp->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(s, pk, &grp->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(s, s, &e));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(s, s, &grp->N));
+ } while (mbedtls_mpi_cmp_int(s, 0) == 0);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->sig != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(r, pr));
+ }
+#endif
+
+cleanup:
+ mbedtls_ecp_point_free(&R);
+ mbedtls_mpi_free(&k); mbedtls_mpi_free(&e); mbedtls_mpi_free(&t);
+
+ ECDSA_RS_LEAVE(sig);
+
+ return ret;
+}
+
+/*
+ * Compute ECDSA signature of a hashed message
+ */
+int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ /* Use the same RNG for both blinding and ephemeral key generation */
+ return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+ f_rng, p_rng, f_rng, p_rng, NULL);
+}
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Deterministic signature wrapper
+ *
+ * note: The f_rng_blind parameter must not be NULL.
+ *
+ */
+int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_hmac_drbg_context rng_ctx;
+ mbedtls_hmac_drbg_context *p_rng = &rng_ctx;
+ unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
+ size_t grp_len = (grp->nbits + 7) / 8;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_mpi h;
+
+ if ((md_info = mbedtls_md_info_from_type(md_alg)) == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&h);
+ mbedtls_hmac_drbg_init(&rng_ctx);
+
+ ECDSA_RS_ENTER(det);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->det != NULL) {
+ /* redirect to our context */
+ p_rng = &rs_ctx->det->rng_ctx;
+
+ /* jump to current step */
+ if (rs_ctx->det->state == ecdsa_det_sign) {
+ goto sign;
+ }
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(d, data, grp_len));
+ MBEDTLS_MPI_CHK(derive_mpi(grp, &h, buf, blen));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, data + grp_len, grp_len));
+ MBEDTLS_MPI_CHK(mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->det != NULL) {
+ rs_ctx->det->state = ecdsa_det_sign;
+ }
+
+sign:
+#endif
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+ (void) f_rng_blind;
+ (void) p_rng_blind;
+ ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen,
+ mbedtls_hmac_drbg_random, p_rng);
+#else
+ ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+ mbedtls_hmac_drbg_random, p_rng,
+ f_rng_blind, p_rng_blind, rs_ctx);
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+
+cleanup:
+ mbedtls_hmac_drbg_free(&rng_ctx);
+ mbedtls_mpi_free(&h);
+
+ ECDSA_RS_LEAVE(det);
+
+ return ret;
+}
+
+/*
+ * Deterministic signature wrapper
+ */
+int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
+ mbedtls_mpi *s, const mbedtls_mpi *d,
+ const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *,
+ size_t),
+ void *p_rng_blind)
+{
+ return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
+ f_rng_blind, p_rng_blind, NULL);
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/*
+ * Verify ECDSA signature of hashed message (SEC1 4.1.4)
+ * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
+ */
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *r,
+ const mbedtls_mpi *s,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi e, s_inv, u1, u2;
+ mbedtls_ecp_point R;
+ mbedtls_mpi *pu1 = &u1, *pu2 = &u2;
+
+ mbedtls_ecp_point_init(&R);
+ mbedtls_mpi_init(&e); mbedtls_mpi_init(&s_inv);
+ mbedtls_mpi_init(&u1); mbedtls_mpi_init(&u2);
+
+ /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+ if (!mbedtls_ecdsa_can_do(grp->id) || grp->N.p == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ ECDSA_RS_ENTER(ver);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ver != NULL) {
+ /* redirect to our context */
+ pu1 = &rs_ctx->ver->u1;
+ pu2 = &rs_ctx->ver->u2;
+
+ /* jump to current step */
+ if (rs_ctx->ver->state == ecdsa_ver_muladd) {
+ goto muladd;
+ }
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ /*
+ * Step 1: make sure r and s are in range 1..n-1
+ */
+ if (mbedtls_mpi_cmp_int(r, 1) < 0 || mbedtls_mpi_cmp_mpi(r, &grp->N) >= 0 ||
+ mbedtls_mpi_cmp_int(s, 1) < 0 || mbedtls_mpi_cmp_mpi(s, &grp->N) >= 0) {
+ ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+ /*
+ * Step 3: derive MPI from hashed message
+ */
+ MBEDTLS_MPI_CHK(derive_mpi(grp, &e, buf, blen));
+
+ /*
+ * Step 4: u1 = e / s mod n, u2 = r / s mod n
+ */
+ ECDSA_BUDGET(MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&s_inv, s, &grp->N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu1, &e, &s_inv));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu1, pu1, &grp->N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(pu2, r, &s_inv));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(pu2, pu2, &grp->N));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ver != NULL) {
+ rs_ctx->ver->state = ecdsa_ver_muladd;
+ }
+
+muladd:
+#endif
+ /*
+ * Step 5: R = u1 G + u2 Q
+ */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd_restartable(grp,
+ &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP));
+
+ if (mbedtls_ecp_is_zero(&R)) {
+ ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+ /*
+ * Step 6: convert xR to an integer (no-op)
+ * Step 7: reduce xR mod n (gives v)
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&R.X, &R.X, &grp->N));
+
+ /*
+ * Step 8: check if v (that is, R.X) is equal to r
+ */
+ if (mbedtls_mpi_cmp_mpi(&R.X, r) != 0) {
+ ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_point_free(&R);
+ mbedtls_mpi_free(&e); mbedtls_mpi_free(&s_inv);
+ mbedtls_mpi_free(&u1); mbedtls_mpi_free(&u2);
+
+ ECDSA_RS_LEAVE(ver);
+
+ return ret;
+}
+
+/*
+ * Verify ECDSA signature of hashed message
+ */
+int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *r,
+ const mbedtls_mpi *s)
+{
+ return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
+}
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
+
+/*
+ * Convert a signature (given by context) to ASN.1
+ */
+static int ecdsa_signature_to_asn1(const mbedtls_mpi *r, const mbedtls_mpi *s,
+ unsigned char *sig, size_t sig_size,
+ size_t *slen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char buf[MBEDTLS_ECDSA_MAX_LEN] = { 0 };
+ unsigned char *p = buf + sizeof(buf);
+ size_t len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, s));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_mpi(&p, buf, r));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, buf,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ if (len > sig_size) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(sig, p, len);
+ *slen = len;
+
+ return 0;
+}
+
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hlen,
+ unsigned char *sig, size_t sig_size, size_t *slen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi r, s;
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, md_alg, f_rng,
+ p_rng, rs_ctx));
+#else
+ (void) md_alg;
+
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+ (void) rs_ctx;
+
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, f_rng, p_rng));
+#else
+ /* Use the same RNG for both blinding and ephemeral key generation */
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, f_rng, p_rng, f_rng,
+ p_rng, rs_ctx));
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+ MBEDTLS_MPI_CHK(ecdsa_signature_to_asn1(&r, &s, sig, sig_size, slen));
+
+cleanup:
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+
+ return ret;
+}
+
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hlen,
+ unsigned char *sig, size_t sig_size, size_t *slen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return mbedtls_ecdsa_write_signature_restartable(
+ ctx, md_alg, hash, hlen, sig, sig_size, slen,
+ f_rng, p_rng, NULL);
+}
+
+/*
+ * Read and check signature
+ */
+int mbedtls_ecdsa_read_signature(mbedtls_ecdsa_context *ctx,
+ const unsigned char *hash, size_t hlen,
+ const unsigned char *sig, size_t slen)
+{
+ return mbedtls_ecdsa_read_signature_restartable(
+ ctx, hash, hlen, sig, slen, NULL);
+}
+
+/*
+ * Restartable read and check signature
+ */
+int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
+ const unsigned char *hash, size_t hlen,
+ const unsigned char *sig, size_t slen,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = (unsigned char *) sig;
+ const unsigned char *end = sig + slen;
+ size_t len;
+ mbedtls_mpi r, s;
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ if (p + len != end) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_asn1_get_mpi(&p, end, &r)) != 0 ||
+ (ret = mbedtls_asn1_get_mpi(&p, end, &s)) != 0) {
+ ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+ (void) rs_ctx;
+
+ if ((ret = mbedtls_ecdsa_verify(&ctx->grp, hash, hlen,
+ &ctx->Q, &r, &s)) != 0) {
+ goto cleanup;
+ }
+#else
+ if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen,
+ &ctx->Q, &r, &s, rs_ctx)) != 0) {
+ goto cleanup;
+ }
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+
+ /* At this point we know that the buffer starts with a valid signature.
+ * Return 0 if the buffer just contains the signature, and a specific
+ * error code if the valid signature is followed by more data. */
+ if (p != end) {
+ ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;
+ }
+
+cleanup:
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+
+ return ret;
+}
+
+#if !defined(MBEDTLS_ECDSA_GENKEY_ALT)
+/*
+ * Generate key pair
+ */
+int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = 0;
+ ret = mbedtls_ecp_group_load(&ctx->grp, gid);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return mbedtls_ecp_gen_keypair(&ctx->grp, &ctx->d,
+ &ctx->Q, f_rng, p_rng);
+}
+#endif /* !MBEDTLS_ECDSA_GENKEY_ALT */
+
+/*
+ * Set context from an mbedtls_ecp_keypair
+ */
+int mbedtls_ecdsa_from_keypair(mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if ((ret = mbedtls_ecp_group_copy(&ctx->grp, &key->grp)) != 0 ||
+ (ret = mbedtls_mpi_copy(&ctx->d, &key->d)) != 0 ||
+ (ret = mbedtls_ecp_copy(&ctx->Q, &key->Q)) != 0) {
+ mbedtls_ecdsa_free(ctx);
+ }
+
+ return ret;
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdsa_init(mbedtls_ecdsa_context *ctx)
+{
+ mbedtls_ecp_keypair_init(ctx);
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecdsa_free(mbedtls_ecdsa_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_keypair_free(ctx);
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecdsa_restart_init(mbedtls_ecdsa_restart_ctx *ctx)
+{
+ mbedtls_ecp_restart_init(&ctx->ecp);
+
+ ctx->ver = NULL;
+ ctx->sig = NULL;
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ ctx->det = NULL;
+#endif
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecdsa_restart_free(mbedtls_ecdsa_restart_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_restart_free(&ctx->ecp);
+
+ ecdsa_restart_ver_free(ctx->ver);
+ mbedtls_free(ctx->ver);
+ ctx->ver = NULL;
+
+ ecdsa_restart_sig_free(ctx->sig);
+ mbedtls_free(ctx->sig);
+ ctx->sig = NULL;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ ecdsa_restart_det_free(ctx->det);
+ mbedtls_free(ctx->det);
+ ctx->det = NULL;
+#endif
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#endif /* MBEDTLS_ECDSA_C */
diff --git a/library/ecjpake.c b/library/ecjpake.c
new file mode 100644
index 0000000..cdf5d7e
--- /dev/null
+++ b/library/ecjpake.c
@@ -0,0 +1,1216 @@
+/*
+ * Elliptic curve J-PAKE
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References in the code are to the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECJPAKE_C)
+
+#include "mbedtls/ecjpake.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
+/*
+ * Convert a mbedtls_ecjpake_role to identifier string
+ */
+static const char * const ecjpake_id[] = {
+ "client",
+ "server"
+};
+
+#define ID_MINE (ecjpake_id[ctx->role])
+#define ID_PEER (ecjpake_id[1 - ctx->role])
+
+/**
+ * Helper to Compute a hash from md_type
+ */
+static int mbedtls_ecjpake_compute_hash(mbedtls_md_type_t md_type,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ return mbedtls_md(mbedtls_md_info_from_type(md_type),
+ input, ilen, output);
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx)
+{
+ ctx->md_type = MBEDTLS_MD_NONE;
+ mbedtls_ecp_group_init(&ctx->grp);
+ ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+ mbedtls_ecp_point_init(&ctx->Xm1);
+ mbedtls_ecp_point_init(&ctx->Xm2);
+ mbedtls_ecp_point_init(&ctx->Xp1);
+ mbedtls_ecp_point_init(&ctx->Xp2);
+ mbedtls_ecp_point_init(&ctx->Xp);
+
+ mbedtls_mpi_init(&ctx->xm1);
+ mbedtls_mpi_init(&ctx->xm2);
+ mbedtls_mpi_init(&ctx->s);
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ ctx->md_type = MBEDTLS_MD_NONE;
+ mbedtls_ecp_group_free(&ctx->grp);
+
+ mbedtls_ecp_point_free(&ctx->Xm1);
+ mbedtls_ecp_point_free(&ctx->Xm2);
+ mbedtls_ecp_point_free(&ctx->Xp1);
+ mbedtls_ecp_point_free(&ctx->Xp2);
+ mbedtls_ecp_point_free(&ctx->Xp);
+
+ mbedtls_mpi_free(&ctx->xm1);
+ mbedtls_mpi_free(&ctx->xm2);
+ mbedtls_mpi_free(&ctx->s);
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
+ mbedtls_ecjpake_role role,
+ mbedtls_md_type_t hash,
+ mbedtls_ecp_group_id curve,
+ const unsigned char *secret,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (role != MBEDTLS_ECJPAKE_CLIENT && role != MBEDTLS_ECJPAKE_SERVER) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ ctx->role = role;
+
+ if ((mbedtls_md_info_from_type(hash)) == NULL) {
+ return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
+ }
+
+ ctx->md_type = hash;
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ctx->grp, curve));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->s, secret, len));
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_ecjpake_free(ctx);
+ }
+
+ return ret;
+}
+
+int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx,
+ int point_format)
+{
+ switch (point_format) {
+ case MBEDTLS_ECP_PF_UNCOMPRESSED:
+ case MBEDTLS_ECP_PF_COMPRESSED:
+ ctx->point_format = point_format;
+ return 0;
+ default:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+}
+
+/*
+ * Check if context is ready for use
+ */
+int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx)
+{
+ if (ctx->md_type == MBEDTLS_MD_NONE ||
+ ctx->grp.id == MBEDTLS_ECP_DP_NONE ||
+ ctx->s.p == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+/*
+ * Write a point plus its length to a buffer
+ */
+static int ecjpake_write_len_point(unsigned char **p,
+ const unsigned char *end,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *P)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ /* Need at least 4 for length plus 1 for point */
+ if (end < *p || end - *p < 5) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ ret = mbedtls_ecp_point_write_binary(grp, P, pf,
+ &len, *p + 4, (size_t) (end - (*p + 4)));
+ if (ret != 0) {
+ return ret;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(len, *p, 0);
+
+ *p += 4 + len;
+
+ return 0;
+}
+
+/*
+ * Size of the temporary buffer for ecjpake_hash:
+ * 3 EC points plus their length, plus ID and its length (4 + 6 bytes)
+ */
+#define ECJPAKE_HASH_BUF_LEN (3 * (4 + MBEDTLS_ECP_MAX_PT_LEN) + 4 + 6)
+
+/*
+ * Compute hash for ZKP (7.4.2.2.2.1)
+ */
+static int ecjpake_hash(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ const mbedtls_ecp_point *V,
+ const mbedtls_ecp_point *X,
+ const char *id,
+ mbedtls_mpi *h)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char buf[ECJPAKE_HASH_BUF_LEN];
+ unsigned char *p = buf;
+ const unsigned char *end = buf + sizeof(buf);
+ const size_t id_len = strlen(id);
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+ /* Write things to temporary buffer */
+ MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, G));
+ MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, V));
+ MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, X));
+
+ if (end - p < 4) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(id_len, p, 0);
+ p += 4;
+
+ if (end < p || (size_t) (end - p) < id_len) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(p, id, id_len);
+ p += id_len;
+
+ /* Compute hash */
+ MBEDTLS_MPI_CHK(mbedtls_ecjpake_compute_hash(md_type,
+ buf, (size_t) (p - buf), hash));
+
+ /* Turn it into an integer mod n */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(h, hash,
+ mbedtls_md_get_size_from_type(md_type)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(h, h, &grp->N));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3)
+ */
+static int ecjpake_zkp_read(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ const mbedtls_ecp_point *X,
+ const char *id,
+ const unsigned char **p,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point V, VV;
+ mbedtls_mpi r, h;
+ size_t r_len;
+
+ mbedtls_ecp_point_init(&V);
+ mbedtls_ecp_point_init(&VV);
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&h);
+
+ /*
+ * struct {
+ * ECPoint V;
+ * opaque r<1..2^8-1>;
+ * } ECSchnorrZKP;
+ */
+ if (end < *p) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, &V, p, (size_t) (end - *p)));
+
+ if (end < *p || (size_t) (end - *p) < 1) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ r_len = *(*p)++;
+
+ if (end < *p || (size_t) (end - *p) < r_len || r_len == 0) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r, *p, r_len));
+ *p += r_len;
+
+ /*
+ * Verification
+ */
+ MBEDTLS_MPI_CHK(ecjpake_hash(md_type, grp, pf, G, &V, X, id, &h));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd((mbedtls_ecp_group *) grp,
+ &VV, &h, X, &r, G));
+
+ if (mbedtls_ecp_point_cmp(&VV, &V) != 0) {
+ ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_point_free(&V);
+ mbedtls_ecp_point_free(&VV);
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&h);
+
+ return ret;
+}
+
+/*
+ * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2)
+ */
+static int ecjpake_zkp_write(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ const mbedtls_mpi *x,
+ const mbedtls_ecp_point *X,
+ const char *id,
+ unsigned char **p,
+ const unsigned char *end,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point V;
+ mbedtls_mpi v;
+ mbedtls_mpi h; /* later recycled to hold r */
+ size_t len;
+
+ if (end < *p) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ mbedtls_ecp_point_init(&V);
+ mbedtls_mpi_init(&v);
+ mbedtls_mpi_init(&h);
+
+ /* Compute signature */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp,
+ G, &v, &V, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(ecjpake_hash(md_type, grp, pf, G, &V, X, id, &h));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&h, &h, x)); /* x*h */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&h, &v, &h)); /* v - x*h */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&h, &h, &grp->N)); /* r */
+
+ /* Write it out */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, &V,
+ pf, &len, *p, (size_t) (end - *p)));
+ *p += len;
+
+ len = mbedtls_mpi_size(&h); /* actually r */
+ if (end < *p || (size_t) (end - *p) < 1 + len || len > 255) {
+ ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+
+ *(*p)++ = MBEDTLS_BYTE_0(len);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, *p, len)); /* r */
+ *p += len;
+
+cleanup:
+ mbedtls_ecp_point_free(&V);
+ mbedtls_mpi_free(&v);
+ mbedtls_mpi_free(&h);
+
+ return ret;
+}
+
+/*
+ * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof
+ * Output: verified public key X
+ */
+static int ecjpake_kkp_read(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ mbedtls_ecp_point *X,
+ const char *id,
+ const unsigned char **p,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (end < *p) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * struct {
+ * ECPoint X;
+ * ECSchnorrZKP zkp;
+ * } ECJPAKEKeyKP;
+ */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_point(grp, X, p, (size_t) (end - *p)));
+ if (mbedtls_ecp_is_zero(X)) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(ecjpake_zkp_read(md_type, grp, pf, G, X, id, p, end));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Generate an ECJPAKEKeyKP
+ * Output: the serialized structure, plus private/public key pair
+ */
+static int ecjpake_kkp_write(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ mbedtls_mpi *x,
+ mbedtls_ecp_point *X,
+ const char *id,
+ unsigned char **p,
+ const unsigned char *end,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if (end < *p) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ /* Generate key (7.4.2.3.1) and write it out */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_keypair_base((mbedtls_ecp_group *) grp, G, x, X,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(grp, X,
+ pf, &len, *p, (size_t) (end - *p)));
+ *p += len;
+
+ /* Generate and write proof */
+ MBEDTLS_MPI_CHK(ecjpake_zkp_write(md_type, grp, pf, G, x, X, id,
+ p, end, f_rng, p_rng));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs
+ * Outputs: verified peer public keys Xa, Xb
+ */
+static int ecjpake_kkpp_read(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ mbedtls_ecp_point *Xa,
+ mbedtls_ecp_point *Xb,
+ const char *id,
+ const unsigned char *buf,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+
+ /*
+ * struct {
+ * ECJPAKEKeyKP ecjpake_key_kp_pair_list[2];
+ * } ECJPAKEKeyKPPairList;
+ */
+ MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_type, grp, pf, G, Xa, id, &p, end));
+ MBEDTLS_MPI_CHK(ecjpake_kkp_read(md_type, grp, pf, G, Xb, id, &p, end));
+
+ if (p != end) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Generate a ECJPAKEKeyKPPairList
+ * Outputs: the serialized structure, plus two private/public key pairs
+ */
+static int ecjpake_kkpp_write(const mbedtls_md_type_t md_type,
+ const mbedtls_ecp_group *grp,
+ const int pf,
+ const mbedtls_ecp_point *G,
+ mbedtls_mpi *xm1,
+ mbedtls_ecp_point *Xa,
+ mbedtls_mpi *xm2,
+ mbedtls_ecp_point *Xb,
+ const char *id,
+ unsigned char *buf,
+ size_t len,
+ size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+
+ MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_type, grp, pf, G, xm1, Xa, id,
+ &p, end, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(ecjpake_kkp_write(md_type, grp, pf, G, xm2, Xb, id,
+ &p, end, f_rng, p_rng));
+
+ *olen = (size_t) (p - buf);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Read and process the first round message
+ */
+int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
+ const unsigned char *buf,
+ size_t len)
+{
+ return ecjpake_kkpp_read(ctx->md_type, &ctx->grp, ctx->point_format,
+ &ctx->grp.G,
+ &ctx->Xp1, &ctx->Xp2, ID_PEER,
+ buf, len);
+}
+
+/*
+ * Generate and write the first round message
+ */
+int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return ecjpake_kkpp_write(ctx->md_type, &ctx->grp, ctx->point_format,
+ &ctx->grp.G,
+ &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,
+ ID_MINE, buf, len, olen, f_rng, p_rng);
+}
+
+/*
+ * Compute the sum of three points R = A + B + C
+ */
+static int ecjpake_ecp_add3(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point *A,
+ const mbedtls_ecp_point *B,
+ const mbedtls_ecp_point *C)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi one;
+
+ mbedtls_mpi_init(&one);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, A, &one, B));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(grp, R, &one, R, &one, C));
+
+cleanup:
+ mbedtls_mpi_free(&one);
+
+ return ret;
+}
+
+/*
+ * Read and process second round message (C: 7.4.2.5, S: 7.4.2.6)
+ */
+int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
+ const unsigned char *buf,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_point G; /* C: GB, S: GA */
+
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_ecp_point_init(&G);
+
+ /*
+ * Server: GA = X3 + X4 + X1 (7.4.2.6.1)
+ * Client: GB = X1 + X2 + X3 (7.4.2.5.1)
+ * Unified: G = Xm1 + Xm2 + Xp1
+ * We need that before parsing in order to check Xp as we read it
+ */
+ MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
+ &ctx->Xm1, &ctx->Xm2, &ctx->Xp1));
+
+ /*
+ * struct {
+ * ECParameters curve_params; // only client reading server msg
+ * ECJPAKEKeyKP ecjpake_key_kp;
+ * } Client/ServerECJPAKEParams;
+ */
+ if (ctx->role == MBEDTLS_ECJPAKE_CLIENT) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_read_group(&grp, &p, len));
+ if (grp.id != ctx->grp.id) {
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ goto cleanup;
+ }
+ }
+
+ MBEDTLS_MPI_CHK(ecjpake_kkp_read(ctx->md_type, &ctx->grp,
+ ctx->point_format,
+ &G, &ctx->Xp, ID_PEER, &p, end));
+
+ if (p != end) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&G);
+
+ return ret;
+}
+
+/*
+ * Compute R = +/- X * S mod N, taking care not to leak S
+ */
+static int ecjpake_mul_secret(mbedtls_mpi *R, int sign,
+ const mbedtls_mpi *X,
+ const mbedtls_mpi *S,
+ const mbedtls_mpi *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi b; /* Blinding value, then s + N * blinding */
+
+ mbedtls_mpi_init(&b);
+
+ /* b = s + rnd-128-bit * N */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&b, 16, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&b, &b, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&b, &b, S));
+
+ /* R = sign * X * b mod N */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(R, X, &b));
+ R->s *= sign;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(R, R, N));
+
+cleanup:
+ mbedtls_mpi_free(&b);
+
+ return ret;
+}
+
+/*
+ * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6)
+ */
+int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point G; /* C: GA, S: GB */
+ mbedtls_ecp_point Xm; /* C: Xc, S: Xs */
+ mbedtls_mpi xm; /* C: xc, S: xs */
+ unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+ size_t ec_len;
+
+ mbedtls_ecp_point_init(&G);
+ mbedtls_ecp_point_init(&Xm);
+ mbedtls_mpi_init(&xm);
+
+ /*
+ * First generate private/public key pair (S: 7.4.2.5.1, C: 7.4.2.6.1)
+ *
+ * Client: GA = X1 + X3 + X4 | xs = x2 * s | Xc = xc * GA
+ * Server: GB = X3 + X1 + X2 | xs = x4 * s | Xs = xs * GB
+ * Unified: G = Xm1 + Xp1 + Xp2 | xm = xm2 * s | Xm = xm * G
+ */
+ MBEDTLS_MPI_CHK(ecjpake_ecp_add3(&ctx->grp, &G,
+ &ctx->Xp1, &ctx->Xp2, &ctx->Xm1));
+ MBEDTLS_MPI_CHK(ecjpake_mul_secret(&xm, 1, &ctx->xm2, &ctx->s,
+ &ctx->grp.N, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &Xm, &xm, &G, f_rng, p_rng));
+
+ /*
+ * Now write things out
+ *
+ * struct {
+ * ECParameters curve_params; // only server writing its message
+ * ECJPAKEKeyKP ecjpake_key_kp;
+ * } Client/ServerECJPAKEParams;
+ */
+ if (ctx->role == MBEDTLS_ECJPAKE_SERVER) {
+ if (end < p) {
+ ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_group(&ctx->grp, &ec_len,
+ p, (size_t) (end - p)));
+ p += ec_len;
+ }
+
+ if (end < p) {
+ ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+ MBEDTLS_MPI_CHK(mbedtls_ecp_tls_write_point(&ctx->grp, &Xm,
+ ctx->point_format, &ec_len, p, (size_t) (end - p)));
+ p += ec_len;
+
+ MBEDTLS_MPI_CHK(ecjpake_zkp_write(ctx->md_type, &ctx->grp,
+ ctx->point_format,
+ &G, &xm, &Xm, ID_MINE,
+ &p, end, f_rng, p_rng));
+
+ *olen = (size_t) (p - buf);
+
+cleanup:
+ mbedtls_ecp_point_free(&G);
+ mbedtls_ecp_point_free(&Xm);
+ mbedtls_mpi_free(&xm);
+
+ return ret;
+}
+
+/*
+ * Derive PMS (7.4.2.7 / 7.4.2.8)
+ */
+static int mbedtls_ecjpake_derive_k(mbedtls_ecjpake_context *ctx,
+ mbedtls_ecp_point *K,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi m_xm2_s, one;
+
+ mbedtls_mpi_init(&m_xm2_s);
+ mbedtls_mpi_init(&one);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&one, 1));
+
+ /*
+ * Client: K = ( Xs - X4 * x2 * s ) * x2
+ * Server: K = ( Xc - X2 * x4 * s ) * x4
+ * Unified: K = ( Xp - Xp2 * xm2 * s ) * xm2
+ */
+ MBEDTLS_MPI_CHK(ecjpake_mul_secret(&m_xm2_s, -1, &ctx->xm2, &ctx->s,
+ &ctx->grp.N, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_muladd(&ctx->grp, K,
+ &one, &ctx->Xp,
+ &m_xm2_s, &ctx->Xp2));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, K, &ctx->xm2, K,
+ f_rng, p_rng));
+
+cleanup:
+ mbedtls_mpi_free(&m_xm2_s);
+ mbedtls_mpi_free(&one);
+
+ return ret;
+}
+
+int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point K;
+ unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
+ size_t x_bytes;
+
+ *olen = mbedtls_md_get_size_from_type(ctx->md_type);
+ if (len < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ mbedtls_ecp_point_init(&K);
+
+ ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
+ if (ret) {
+ goto cleanup;
+ }
+
+ /* PMS = SHA-256( K.X ) */
+ x_bytes = (ctx->grp.pbits + 7) / 8;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K.X, kx, x_bytes));
+ MBEDTLS_MPI_CHK(mbedtls_ecjpake_compute_hash(ctx->md_type,
+ kx, x_bytes, buf));
+
+cleanup:
+ mbedtls_ecp_point_free(&K);
+
+ return ret;
+}
+
+int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx,
+ unsigned char *buf, size_t len, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point K;
+
+ mbedtls_ecp_point_init(&K);
+
+ ret = mbedtls_ecjpake_derive_k(ctx, &K, f_rng, p_rng);
+ if (ret) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_ecp_point_write_binary(&ctx->grp, &K, ctx->point_format,
+ olen, buf, len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_point_free(&K);
+
+ return ret;
+}
+
+#undef ID_MINE
+#undef ID_PEER
+
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ !defined(MBEDTLS_MD_CAN_SHA256)
+int mbedtls_ecjpake_self_test(int verbose)
+{
+ (void) verbose;
+ return 0;
+}
+#else
+
+static const unsigned char ecjpake_test_password[] = {
+ 0x74, 0x68, 0x72, 0x65, 0x61, 0x64, 0x6a, 0x70, 0x61, 0x6b, 0x65, 0x74,
+ 0x65, 0x73, 0x74
+};
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
+static const unsigned char ecjpake_test_x1[] = {
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
+ 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+ 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21
+};
+
+static const unsigned char ecjpake_test_x2[] = {
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+ 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x3[] = {
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+ 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+ 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x4[] = {
+ 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc,
+ 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8,
+ 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1
+};
+
+static const unsigned char ecjpake_test_cli_one[] = {
+ 0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19,
+ 0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44,
+ 0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad,
+ 0xa7, 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62,
+ 0x1f, 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9,
+ 0x06, 0x07, 0x31, 0xf6, 0x94, 0xa4, 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d,
+ 0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e,
+ 0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e,
+ 0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73,
+ 0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22,
+ 0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce,
+ 0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00,
+ 0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b,
+ 0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58, 0x41, 0x04, 0x7e,
+ 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62,
+ 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5,
+ 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, 0x0a, 0xeb,
+ 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, 0xc3, 0x35,
+ 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, 0x2b, 0xb0,
+ 0x13, 0xbb, 0x2b, 0x41, 0x04, 0xa4, 0x95, 0x58, 0xd3, 0x2e, 0xd1, 0xeb,
+ 0xfc, 0x18, 0x16, 0xaf, 0x4f, 0xf0, 0x9b, 0x55, 0xfc, 0xb4, 0xca, 0x47,
+ 0xb2, 0xa0, 0x2d, 0x1e, 0x7c, 0xaf, 0x11, 0x79, 0xea, 0x3f, 0xe1, 0x39,
+ 0x5b, 0x22, 0xb8, 0x61, 0x96, 0x40, 0x16, 0xfa, 0xba, 0xf7, 0x2c, 0x97,
+ 0x56, 0x95, 0xd9, 0x3d, 0x4d, 0xf0, 0xe5, 0x19, 0x7f, 0xe9, 0xf0, 0x40,
+ 0x63, 0x4e, 0xd5, 0x97, 0x64, 0x93, 0x77, 0x87, 0xbe, 0x20, 0xbc, 0x4d,
+ 0xee, 0xbb, 0xf9, 0xb8, 0xd6, 0x0a, 0x33, 0x5f, 0x04, 0x6c, 0xa3, 0xaa,
+ 0x94, 0x1e, 0x45, 0x86, 0x4c, 0x7c, 0xad, 0xef, 0x9c, 0xf7, 0x5b, 0x3d,
+ 0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0
+};
+
+static const unsigned char ecjpake_test_srv_one[] = {
+ 0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb,
+ 0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18,
+ 0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47,
+ 0x79, 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f,
+ 0xd1, 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7,
+ 0xe3, 0x2b, 0xb0, 0x13, 0xbb, 0x2b, 0x41, 0x04, 0x09, 0xf8, 0x5b, 0x3d,
+ 0x20, 0xeb, 0xd7, 0x88, 0x5c, 0xe4, 0x64, 0xc0, 0x8d, 0x05, 0x6d, 0x64,
+ 0x28, 0xfe, 0x4d, 0xd9, 0x28, 0x7a, 0xa3, 0x65, 0xf1, 0x31, 0xf4, 0x36,
+ 0x0f, 0xf3, 0x86, 0xd8, 0x46, 0x89, 0x8b, 0xc4, 0xb4, 0x15, 0x83, 0xc2,
+ 0xa5, 0x19, 0x7f, 0x65, 0xd7, 0x87, 0x42, 0x74, 0x6c, 0x12, 0xa5, 0xec,
+ 0x0a, 0x4f, 0xfe, 0x2f, 0x27, 0x0a, 0x75, 0x0a, 0x1d, 0x8f, 0xb5, 0x16,
+ 0x20, 0x93, 0x4d, 0x74, 0xeb, 0x43, 0xe5, 0x4d, 0xf4, 0x24, 0xfd, 0x96,
+ 0x30, 0x6c, 0x01, 0x17, 0xbf, 0x13, 0x1a, 0xfa, 0xbf, 0x90, 0xa9, 0xd3,
+ 0x3d, 0x11, 0x98, 0xd9, 0x05, 0x19, 0x37, 0x35, 0x14, 0x41, 0x04, 0x19,
+ 0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, 0xee, 0x0f,
+ 0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, 0x70, 0xf8,
+ 0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, 0xfe, 0xc7,
+ 0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, 0xc4, 0xea,
+ 0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, 0x1a, 0xc5,
+ 0x6a, 0x56, 0x12, 0x41, 0x04, 0x36, 0x0a, 0x1c, 0xea, 0x33, 0xfc, 0xe6,
+ 0x41, 0x15, 0x64, 0x58, 0xe0, 0xa4, 0xea, 0xc2, 0x19, 0xe9, 0x68, 0x31,
+ 0xe6, 0xae, 0xbc, 0x88, 0xb3, 0xf3, 0x75, 0x2f, 0x93, 0xa0, 0x28, 0x1d,
+ 0x1b, 0xf1, 0xfb, 0x10, 0x60, 0x51, 0xdb, 0x96, 0x94, 0xa8, 0xd6, 0xe8,
+ 0x62, 0xa5, 0xef, 0x13, 0x24, 0xa3, 0xd9, 0xe2, 0x78, 0x94, 0xf1, 0xee,
+ 0x4f, 0x7c, 0x59, 0x19, 0x99, 0x65, 0xa8, 0xdd, 0x4a, 0x20, 0x91, 0x84,
+ 0x7d, 0x2d, 0x22, 0xdf, 0x3e, 0xe5, 0x5f, 0xaa, 0x2a, 0x3f, 0xb3, 0x3f,
+ 0xd2, 0xd1, 0xe0, 0x55, 0xa0, 0x7a, 0x7c, 0x61, 0xec, 0xfb, 0x8d, 0x80,
+ 0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12
+};
+
+static const unsigned char ecjpake_test_srv_two[] = {
+ 0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23,
+ 0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c,
+ 0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f,
+ 0xda, 0x43, 0x28, 0xa2, 0x0b, 0x07, 0xd8, 0xfd, 0x66, 0x76, 0x54, 0xca,
+ 0x18, 0xc5, 0x4e, 0x32, 0xa3, 0x33, 0xa0, 0x84, 0x54, 0x51, 0xe9, 0x26,
+ 0xee, 0x88, 0x04, 0xfd, 0x7a, 0xf0, 0xaa, 0xa7, 0xa6, 0x41, 0x04, 0x55,
+ 0x16, 0xea, 0x3e, 0x54, 0xa0, 0xd5, 0xd8, 0xb2, 0xce, 0x78, 0x6b, 0x38,
+ 0xd3, 0x83, 0x37, 0x00, 0x29, 0xa5, 0xdb, 0xe4, 0x45, 0x9c, 0x9d, 0xd6,
+ 0x01, 0xb4, 0x08, 0xa2, 0x4a, 0xe6, 0x46, 0x5c, 0x8a, 0xc9, 0x05, 0xb9,
+ 0xeb, 0x03, 0xb5, 0xd3, 0x69, 0x1c, 0x13, 0x9e, 0xf8, 0x3f, 0x1c, 0xd4,
+ 0x20, 0x0f, 0x6c, 0x9c, 0xd4, 0xec, 0x39, 0x22, 0x18, 0xa5, 0x9e, 0xd2,
+ 0x43, 0xd3, 0xc8, 0x20, 0xff, 0x72, 0x4a, 0x9a, 0x70, 0xb8, 0x8c, 0xb8,
+ 0x6f, 0x20, 0xb4, 0x34, 0xc6, 0x86, 0x5a, 0xa1, 0xcd, 0x79, 0x06, 0xdd,
+ 0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c
+};
+
+static const unsigned char ecjpake_test_cli_two[] = {
+ 0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46,
+ 0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb,
+ 0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72,
+ 0x0b, 0x45, 0x54, 0x1c, 0x83, 0xee, 0x88, 0x41, 0x19, 0x1d, 0xa7, 0xce,
+ 0xd8, 0x6e, 0x33, 0x12, 0xd4, 0x36, 0x23, 0xc1, 0xd6, 0x3e, 0x74, 0x98,
+ 0x9a, 0xba, 0x4a, 0xff, 0xd1, 0xee, 0x41, 0x04, 0x07, 0x7e, 0x8c, 0x31,
+ 0xe2, 0x0e, 0x6b, 0xed, 0xb7, 0x60, 0xc1, 0x35, 0x93, 0xe6, 0x9f, 0x15,
+ 0xbe, 0x85, 0xc2, 0x7d, 0x68, 0xcd, 0x09, 0xcc, 0xb8, 0xc4, 0x18, 0x36,
+ 0x08, 0x91, 0x7c, 0x5c, 0x3d, 0x40, 0x9f, 0xac, 0x39, 0xfe, 0xfe, 0xe8,
+ 0x2f, 0x72, 0x92, 0xd3, 0x6f, 0x0d, 0x23, 0xe0, 0x55, 0x91, 0x3f, 0x45,
+ 0xa5, 0x2b, 0x85, 0xdd, 0x8a, 0x20, 0x52, 0xe9, 0xe1, 0x29, 0xbb, 0x4d,
+ 0x20, 0x0f, 0x01, 0x1f, 0x19, 0x48, 0x35, 0x35, 0xa6, 0xe8, 0x9a, 0x58,
+ 0x0c, 0x9b, 0x00, 0x03, 0xba, 0xf2, 0x14, 0x62, 0xec, 0xe9, 0x1a, 0x82,
+ 0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c
+};
+
+static const unsigned char ecjpake_test_shared_key[] = {
+ 0x04, 0x01, 0xab, 0xe9, 0xf2, 0xc7, 0x3a, 0x99, 0x14, 0xcb, 0x1f, 0x80,
+ 0xfb, 0x9d, 0xdb, 0x7e, 0x00, 0x12, 0xa8, 0x9c, 0x2f, 0x39, 0x27, 0x79,
+ 0xf9, 0x64, 0x40, 0x14, 0x75, 0xea, 0xc1, 0x31, 0x28, 0x43, 0x8f, 0xe1,
+ 0x12, 0x41, 0xd6, 0xc1, 0xe5, 0x5f, 0x7b, 0x80, 0x88, 0x94, 0xc9, 0xc0,
+ 0x27, 0xa3, 0x34, 0x41, 0xf5, 0xcb, 0xa1, 0xfe, 0x6c, 0xc7, 0xe6, 0x12,
+ 0x17, 0xc3, 0xde, 0x27, 0xb4,
+};
+
+static const unsigned char ecjpake_test_pms[] = {
+ 0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7,
+ 0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9,
+ 0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51
+};
+
+/*
+ * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
+ *
+ * This is the linear congruential generator from numerical recipes,
+ * except we only use the low byte as the output. See
+ * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
+ */
+static int self_test_rng(void *ctx, unsigned char *out, size_t len)
+{
+ static uint32_t state = 42;
+
+ (void) ctx;
+
+ for (size_t i = 0; i < len; i++) {
+ state = state * 1664525u + 1013904223u;
+ out[i] = (unsigned char) state;
+ }
+
+ return 0;
+}
+
+/* Load my private keys and generate the corresponding public keys */
+static int ecjpake_test_load(mbedtls_ecjpake_context *ctx,
+ const unsigned char *xm1, size_t len1,
+ const unsigned char *xm2, size_t len2)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm1, xm1, len1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->xm2, xm2, len2));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm1, &ctx->xm1,
+ &ctx->grp.G, self_test_rng, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&ctx->grp, &ctx->Xm2, &ctx->xm2,
+ &ctx->grp.G, self_test_rng, NULL));
+
+cleanup:
+ return ret;
+}
+
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
+/* For tests we don't need a secure RNG;
+ * use the LGC from Numerical Recipes for simplicity */
+static int ecjpake_lgc(void *p, unsigned char *out, size_t len)
+{
+ static uint32_t x = 42;
+ (void) p;
+
+ while (len > 0) {
+ size_t use_len = len > 4 ? 4 : len;
+ x = 1664525 * x + 1013904223;
+ memcpy(out, &x, use_len);
+ out += use_len;
+ len -= use_len;
+ }
+
+ return 0;
+}
+
+#define TEST_ASSERT(x) \
+ do { \
+ if (x) \
+ ret = 0; \
+ else \
+ { \
+ ret = 1; \
+ goto cleanup; \
+ } \
+ } while (0)
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecjpake_self_test(int verbose)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecjpake_context cli;
+ mbedtls_ecjpake_context srv;
+ unsigned char buf[512], pms[32];
+ size_t len, pmslen;
+
+ mbedtls_ecjpake_init(&cli);
+ mbedtls_ecjpake_init(&srv);
+
+ if (verbose != 0) {
+ mbedtls_printf(" ECJPAKE test #0 (setup): ");
+ }
+
+ TEST_ASSERT(mbedtls_ecjpake_setup(&cli, MBEDTLS_ECJPAKE_CLIENT,
+ MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+ ecjpake_test_password,
+ sizeof(ecjpake_test_password)) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_setup(&srv, MBEDTLS_ECJPAKE_SERVER,
+ MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+ ecjpake_test_password,
+ sizeof(ecjpake_test_password)) == 0);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" ECJPAKE test #1 (random handshake): ");
+ }
+
+ TEST_ASSERT(mbedtls_ecjpake_write_round_one(&cli,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv, buf, len) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_write_round_one(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli, buf, len) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_write_round_two(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli, buf, len) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
+ pms, sizeof(pms), &pmslen, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_write_round_two(&cli,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv, buf, len) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == pmslen);
+ TEST_ASSERT(memcmp(buf, pms, len) == 0);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+ /* 'reference handshake' tests can only be run against implementations
+ * for which we have 100% control over how the random ephemeral keys
+ * are generated. This is only the case for the internal Mbed TLS
+ * implementation, so these tests are skipped in case the internal
+ * implementation is swapped out for an alternative one. */
+ if (verbose != 0) {
+ mbedtls_printf(" ECJPAKE test #2 (reference handshake): ");
+ }
+
+ /* Simulate generation of round one */
+ MBEDTLS_MPI_CHK(ecjpake_test_load(&cli,
+ ecjpake_test_x1, sizeof(ecjpake_test_x1),
+ ecjpake_test_x2, sizeof(ecjpake_test_x2)));
+
+ MBEDTLS_MPI_CHK(ecjpake_test_load(&srv,
+ ecjpake_test_x3, sizeof(ecjpake_test_x3),
+ ecjpake_test_x4, sizeof(ecjpake_test_x4)));
+
+ /* Read round one */
+ TEST_ASSERT(mbedtls_ecjpake_read_round_one(&srv,
+ ecjpake_test_cli_one,
+ sizeof(ecjpake_test_cli_one)) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_one(&cli,
+ ecjpake_test_srv_one,
+ sizeof(ecjpake_test_srv_one)) == 0);
+
+ /* Skip generation of round two, read round two */
+ TEST_ASSERT(mbedtls_ecjpake_read_round_two(&cli,
+ ecjpake_test_srv_two,
+ sizeof(ecjpake_test_srv_two)) == 0);
+
+ TEST_ASSERT(mbedtls_ecjpake_read_round_two(&srv,
+ ecjpake_test_cli_two,
+ sizeof(ecjpake_test_cli_two)) == 0);
+
+ /* Server derives PMS */
+ TEST_ASSERT(mbedtls_ecjpake_derive_secret(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == sizeof(ecjpake_test_pms));
+ TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
+
+ /* Server derives K as unsigned binary data */
+ TEST_ASSERT(mbedtls_ecjpake_write_shared_key(&srv,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == sizeof(ecjpake_test_shared_key));
+ TEST_ASSERT(memcmp(buf, ecjpake_test_shared_key, len) == 0);
+
+ memset(buf, 0, len); /* Avoid interferences with next step */
+
+ /* Client derives PMS */
+ TEST_ASSERT(mbedtls_ecjpake_derive_secret(&cli,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == sizeof(ecjpake_test_pms));
+ TEST_ASSERT(memcmp(buf, ecjpake_test_pms, len) == 0);
+
+ /* Client derives K as unsigned binary data */
+ TEST_ASSERT(mbedtls_ecjpake_write_shared_key(&cli,
+ buf, sizeof(buf), &len, ecjpake_lgc, NULL) == 0);
+
+ TEST_ASSERT(len == sizeof(ecjpake_test_shared_key));
+ TEST_ASSERT(memcmp(buf, ecjpake_test_shared_key, len) == 0);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
+cleanup:
+ mbedtls_ecjpake_free(&cli);
+ mbedtls_ecjpake_free(&srv);
+
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return ret;
+}
+
+#undef TEST_ASSERT
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_MD_CAN_SHA256 */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ECJPAKE_C */
diff --git a/library/ecp.c b/library/ecp.c
new file mode 100644
index 0000000..427059b
--- /dev/null
+++ b/library/ecp.c
@@ -0,0 +1,3703 @@
+/*
+ * Elliptic curves over GF(p): generic functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References:
+ *
+ * SEC1 https://www.secg.org/sec1-v2.pdf
+ * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
+ * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
+ * RFC 4492 for the related TLS structures and constants
+ * - https://www.rfc-editor.org/rfc/rfc4492
+ * RFC 7748 for the Curve448 and Curve25519 curve definitions
+ * - https://www.rfc-editor.org/rfc/rfc7748
+ *
+ * [Curve25519] https://cr.yp.to/ecdh/curve25519-20060209.pdf
+ *
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
+ * for elliptic curve cryptosystems. In : Cryptographic Hardware and
+ * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
+ * <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
+ *
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
+ * render ECC resistant against Side Channel Attacks. IACR Cryptology
+ * ePrint Archive, 2004, vol. 2004, p. 342.
+ * <http://eprint.iacr.org/2004/342.pdf>
+ */
+
+#include "common.h"
+
+/**
+ * \brief Function level alternative implementation.
+ *
+ * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
+ * replace certain functions in this module. The alternative implementations are
+ * typically hardware accelerators and need to activate the hardware before the
+ * computation starts and deactivate it after it finishes. The
+ * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
+ * this purpose.
+ *
+ * To preserve the correct functionality the following conditions must hold:
+ *
+ * - The alternative implementation must be activated by
+ * mbedtls_internal_ecp_init() before any of the replaceable functions is
+ * called.
+ * - mbedtls_internal_ecp_free() must \b only be called when the alternative
+ * implementation is activated.
+ * - mbedtls_internal_ecp_init() must \b not be called when the alternative
+ * implementation is activated.
+ * - Public functions must not return while the alternative implementation is
+ * activated.
+ * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
+ * before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
+ * \endcode ensures that the alternative implementation supports the current
+ * group.
+ */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+#endif
+
+#if defined(MBEDTLS_ECP_LIGHT)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/threading.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "bn_mul.h"
+#include "ecp_invasive.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECP_ALT)
+
+#include "mbedtls/platform.h"
+
+#include "ecp_internal_alt.h"
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Counts of point addition and doubling, and field multiplications.
+ * Used to test resistance of point multiplication to simple timing attacks.
+ */
+#if defined(MBEDTLS_ECP_C)
+static unsigned long add_count, dbl_count;
+#endif /* MBEDTLS_ECP_C */
+static unsigned long mul_count;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Maximum number of "basic operations" to be done in a row.
+ *
+ * Default value 0 means that ECC operations will not yield.
+ * Note that regardless of the value of ecp_max_ops, always at
+ * least one step is performed before yielding.
+ *
+ * Setting ecp_max_ops=1 can be suitable for testing purposes
+ * as it will interrupt computation at all possible points.
+ */
+static unsigned ecp_max_ops = 0;
+
+/*
+ * Set ecp_max_ops
+ */
+void mbedtls_ecp_set_max_ops(unsigned max_ops)
+{
+ ecp_max_ops = max_ops;
+}
+
+/*
+ * Check if restart is enabled
+ */
+int mbedtls_ecp_restart_is_enabled(void)
+{
+ return ecp_max_ops != 0;
+}
+
+/*
+ * Restart sub-context for ecp_mul_comb()
+ */
+struct mbedtls_ecp_restart_mul {
+ mbedtls_ecp_point R; /* current intermediate result */
+ size_t i; /* current index in various loops, 0 outside */
+ mbedtls_ecp_point *T; /* table for precomputed points */
+ unsigned char T_size; /* number of points in table T */
+ enum { /* what were we doing last time we returned? */
+ ecp_rsm_init = 0, /* nothing so far, dummy initial state */
+ ecp_rsm_pre_dbl, /* precompute 2^n multiples */
+ ecp_rsm_pre_norm_dbl, /* normalize precomputed 2^n multiples */
+ ecp_rsm_pre_add, /* precompute remaining points by adding */
+ ecp_rsm_pre_norm_add, /* normalize all precomputed points */
+ ecp_rsm_comb_core, /* ecp_mul_comb_core() */
+ ecp_rsm_final_norm, /* do the final normalization */
+ } state;
+};
+
+/*
+ * Init restart_mul sub-context
+ */
+static void ecp_restart_rsm_init(mbedtls_ecp_restart_mul_ctx *ctx)
+{
+ mbedtls_ecp_point_init(&ctx->R);
+ ctx->i = 0;
+ ctx->T = NULL;
+ ctx->T_size = 0;
+ ctx->state = ecp_rsm_init;
+}
+
+/*
+ * Free the components of a restart_mul sub-context
+ */
+static void ecp_restart_rsm_free(mbedtls_ecp_restart_mul_ctx *ctx)
+{
+ unsigned char i;
+
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_point_free(&ctx->R);
+
+ if (ctx->T != NULL) {
+ for (i = 0; i < ctx->T_size; i++) {
+ mbedtls_ecp_point_free(ctx->T + i);
+ }
+ mbedtls_free(ctx->T);
+ }
+
+ ecp_restart_rsm_init(ctx);
+}
+
+/*
+ * Restart context for ecp_muladd()
+ */
+struct mbedtls_ecp_restart_muladd {
+ mbedtls_ecp_point mP; /* mP value */
+ mbedtls_ecp_point R; /* R intermediate result */
+ enum { /* what should we do next? */
+ ecp_rsma_mul1 = 0, /* first multiplication */
+ ecp_rsma_mul2, /* second multiplication */
+ ecp_rsma_add, /* addition */
+ ecp_rsma_norm, /* normalization */
+ } state;
+};
+
+/*
+ * Init restart_muladd sub-context
+ */
+static void ecp_restart_ma_init(mbedtls_ecp_restart_muladd_ctx *ctx)
+{
+ mbedtls_ecp_point_init(&ctx->mP);
+ mbedtls_ecp_point_init(&ctx->R);
+ ctx->state = ecp_rsma_mul1;
+}
+
+/*
+ * Free the components of a restart_muladd sub-context
+ */
+static void ecp_restart_ma_free(mbedtls_ecp_restart_muladd_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_point_free(&ctx->mP);
+ mbedtls_ecp_point_free(&ctx->R);
+
+ ecp_restart_ma_init(ctx);
+}
+
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecp_restart_init(mbedtls_ecp_restart_ctx *ctx)
+{
+ ctx->ops_done = 0;
+ ctx->depth = 0;
+ ctx->rsm = NULL;
+ ctx->ma = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecp_restart_free(mbedtls_ecp_restart_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ ecp_restart_rsm_free(ctx->rsm);
+ mbedtls_free(ctx->rsm);
+
+ ecp_restart_ma_free(ctx->ma);
+ mbedtls_free(ctx->ma);
+
+ mbedtls_ecp_restart_init(ctx);
+}
+
+/*
+ * Check if we can do the next step
+ */
+int mbedtls_ecp_check_budget(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_restart_ctx *rs_ctx,
+ unsigned ops)
+{
+ if (rs_ctx != NULL && ecp_max_ops != 0) {
+ /* scale depending on curve size: the chosen reference is 256-bit,
+ * and multiplication is quadratic. Round to the closest integer. */
+ if (grp->pbits >= 512) {
+ ops *= 4;
+ } else if (grp->pbits >= 384) {
+ ops *= 2;
+ }
+
+ /* Avoid infinite loops: always allow first step.
+ * Because of that, however, it's not generally true
+ * that ops_done <= ecp_max_ops, so the check
+ * ops_done > ecp_max_ops below is mandatory. */
+ if ((rs_ctx->ops_done != 0) &&
+ (rs_ctx->ops_done > ecp_max_ops ||
+ ops > ecp_max_ops - rs_ctx->ops_done)) {
+ return MBEDTLS_ERR_ECP_IN_PROGRESS;
+ }
+
+ /* update running count */
+ rs_ctx->ops_done += ops;
+ }
+
+ return 0;
+}
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECP_RS_ENTER(SUB) do { \
+ /* reset ops count for this call if top-level */ \
+ if (rs_ctx != NULL && rs_ctx->depth++ == 0) \
+ rs_ctx->ops_done = 0; \
+ \
+ /* set up our own sub-context if needed */ \
+ if (mbedtls_ecp_restart_is_enabled() && \
+ rs_ctx != NULL && rs_ctx->SUB == NULL) \
+ { \
+ rs_ctx->SUB = mbedtls_calloc(1, sizeof(*rs_ctx->SUB)); \
+ if (rs_ctx->SUB == NULL) \
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED; \
+ \
+ ecp_restart_## SUB ##_init(rs_ctx->SUB); \
+ } \
+} while (0)
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECP_RS_LEAVE(SUB) do { \
+ /* clear our sub-context when not in progress (done or error) */ \
+ if (rs_ctx != NULL && rs_ctx->SUB != NULL && \
+ ret != MBEDTLS_ERR_ECP_IN_PROGRESS) \
+ { \
+ ecp_restart_## SUB ##_free(rs_ctx->SUB); \
+ mbedtls_free(rs_ctx->SUB); \
+ rs_ctx->SUB = NULL; \
+ } \
+ \
+ if (rs_ctx != NULL) \
+ rs_ctx->depth--; \
+} while (0)
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECP_RS_ENTER(sub) (void) rs_ctx;
+#define ECP_RS_LEAVE(sub) (void) rs_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_ECP_C)
+static void mpi_init_many(mbedtls_mpi *arr, size_t size)
+{
+ while (size--) {
+ mbedtls_mpi_init(arr++);
+ }
+}
+
+static void mpi_free_many(mbedtls_mpi *arr, size_t size)
+{
+ while (size--) {
+ mbedtls_mpi_free(arr++);
+ }
+}
+#endif /* MBEDTLS_ECP_C */
+
+/*
+ * List of supported curves:
+ * - internal ID
+ * - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2, RFC 8446 sec. 4.2.7)
+ * - size in bits
+ * - readable name
+ *
+ * Curves are listed in order: largest curves first, and for a given size,
+ * fastest curves first.
+ *
+ * Reminder: update profiles in x509_crt.c and ssl_tls.c when adding a new curve!
+ */
+static const mbedtls_ecp_curve_info ecp_supported_curves[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP521R1, 25, 521, "secp521r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ { MBEDTLS_ECP_DP_BP512R1, 28, 512, "brainpoolP512r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP384R1, 24, 384, "secp384r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ { MBEDTLS_ECP_DP_BP384R1, 27, 384, "brainpoolP384r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP256R1, 23, 256, "secp256r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP256K1, 22, 256, "secp256k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ { MBEDTLS_ECP_DP_BP256R1, 26, 256, "brainpoolP256r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP224R1, 21, 224, "secp224r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP224K1, 20, 224, "secp224k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP192R1, 19, 192, "secp192r1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ { MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ { MBEDTLS_ECP_DP_CURVE25519, 29, 256, "x25519" },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ { MBEDTLS_ECP_DP_CURVE448, 30, 448, "x448" },
+#endif
+ { MBEDTLS_ECP_DP_NONE, 0, 0, NULL },
+};
+
+#define ECP_NB_CURVES sizeof(ecp_supported_curves) / \
+ sizeof(ecp_supported_curves[0])
+
+static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
+
+/*
+ * List of supported curves and associated info
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list(void)
+{
+ return ecp_supported_curves;
+}
+
+/*
+ * List of supported curves, group ID only
+ */
+const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list(void)
+{
+ static int init_done = 0;
+
+ if (!init_done) {
+ size_t i = 0;
+ const mbedtls_ecp_curve_info *curve_info;
+
+ for (curve_info = mbedtls_ecp_curve_list();
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_info++) {
+ ecp_supported_grp_id[i++] = curve_info->grp_id;
+ }
+ ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
+
+ init_done = 1;
+ }
+
+ return ecp_supported_grp_id;
+}
+
+/*
+ * Get the curve info for the internal identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id)
+{
+ const mbedtls_ecp_curve_info *curve_info;
+
+ for (curve_info = mbedtls_ecp_curve_list();
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_info++) {
+ if (curve_info->grp_id == grp_id) {
+ return curve_info;
+ }
+ }
+
+ return NULL;
+}
+
+/*
+ * Get the curve info from the TLS identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id(uint16_t tls_id)
+{
+ const mbedtls_ecp_curve_info *curve_info;
+
+ for (curve_info = mbedtls_ecp_curve_list();
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_info++) {
+ if (curve_info->tls_id == tls_id) {
+ return curve_info;
+ }
+ }
+
+ return NULL;
+}
+
+/*
+ * Get the curve info from the name
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name(const char *name)
+{
+ const mbedtls_ecp_curve_info *curve_info;
+
+ if (name == NULL) {
+ return NULL;
+ }
+
+ for (curve_info = mbedtls_ecp_curve_list();
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+ curve_info++) {
+ if (strcmp(curve_info->name, name) == 0) {
+ return curve_info;
+ }
+ }
+
+ return NULL;
+}
+
+/*
+ * Get the type of a curve
+ */
+mbedtls_ecp_curve_type mbedtls_ecp_get_type(const mbedtls_ecp_group *grp)
+{
+ if (grp->G.X.p == NULL) {
+ return MBEDTLS_ECP_TYPE_NONE;
+ }
+
+ if (grp->G.Y.p == NULL) {
+ return MBEDTLS_ECP_TYPE_MONTGOMERY;
+ } else {
+ return MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS;
+ }
+}
+
+/*
+ * Initialize (the components of) a point
+ */
+void mbedtls_ecp_point_init(mbedtls_ecp_point *pt)
+{
+ mbedtls_mpi_init(&pt->X);
+ mbedtls_mpi_init(&pt->Y);
+ mbedtls_mpi_init(&pt->Z);
+}
+
+/*
+ * Initialize (the components of) a group
+ */
+void mbedtls_ecp_group_init(mbedtls_ecp_group *grp)
+{
+ grp->id = MBEDTLS_ECP_DP_NONE;
+ mbedtls_mpi_init(&grp->P);
+ mbedtls_mpi_init(&grp->A);
+ mbedtls_mpi_init(&grp->B);
+ mbedtls_ecp_point_init(&grp->G);
+ mbedtls_mpi_init(&grp->N);
+ grp->pbits = 0;
+ grp->nbits = 0;
+ grp->h = 0;
+ grp->modp = NULL;
+ grp->t_pre = NULL;
+ grp->t_post = NULL;
+ grp->t_data = NULL;
+ grp->T = NULL;
+ grp->T_size = 0;
+}
+
+/*
+ * Initialize (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_init(mbedtls_ecp_keypair *key)
+{
+ mbedtls_ecp_group_init(&key->grp);
+ mbedtls_mpi_init(&key->d);
+ mbedtls_ecp_point_init(&key->Q);
+}
+
+/*
+ * Unallocate (the components of) a point
+ */
+void mbedtls_ecp_point_free(mbedtls_ecp_point *pt)
+{
+ if (pt == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&(pt->X));
+ mbedtls_mpi_free(&(pt->Y));
+ mbedtls_mpi_free(&(pt->Z));
+}
+
+/*
+ * Check that the comb table (grp->T) is static initialized.
+ */
+static int ecp_group_is_static_comb_table(const mbedtls_ecp_group *grp)
+{
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+ return grp->T != NULL && grp->T_size == 0;
+#else
+ (void) grp;
+ return 0;
+#endif
+}
+
+/*
+ * Unallocate (the components of) a group
+ */
+void mbedtls_ecp_group_free(mbedtls_ecp_group *grp)
+{
+ size_t i;
+
+ if (grp == NULL) {
+ return;
+ }
+
+ if (grp->h != 1) {
+ mbedtls_mpi_free(&grp->A);
+ mbedtls_mpi_free(&grp->B);
+ mbedtls_ecp_point_free(&grp->G);
+
+#if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
+ mbedtls_mpi_free(&grp->N);
+ mbedtls_mpi_free(&grp->P);
+#endif
+ }
+
+ if (!ecp_group_is_static_comb_table(grp) && grp->T != NULL) {
+ for (i = 0; i < grp->T_size; i++) {
+ mbedtls_ecp_point_free(&grp->T[i]);
+ }
+ mbedtls_free(grp->T);
+ }
+
+ mbedtls_platform_zeroize(grp, sizeof(mbedtls_ecp_group));
+}
+
+/*
+ * Unallocate (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_free(mbedtls_ecp_keypair *key)
+{
+ if (key == NULL) {
+ return;
+ }
+
+ mbedtls_ecp_group_free(&key->grp);
+ mbedtls_mpi_free(&key->d);
+ mbedtls_ecp_point_free(&key->Q);
+}
+
+/*
+ * Copy the contents of a point
+ */
+int mbedtls_ecp_copy(mbedtls_ecp_point *P, const mbedtls_ecp_point *Q)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->X, &Q->X));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Y, &Q->Y));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&P->Z, &Q->Z));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Copy the contents of a group object
+ */
+int mbedtls_ecp_group_copy(mbedtls_ecp_group *dst, const mbedtls_ecp_group *src)
+{
+ return mbedtls_ecp_group_load(dst, src->id);
+}
+
+/*
+ * Set point to zero
+ */
+int mbedtls_ecp_set_zero(mbedtls_ecp_point *pt)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->X, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Y, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 0));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Tell if a point is zero
+ */
+int mbedtls_ecp_is_zero(mbedtls_ecp_point *pt)
+{
+ return mbedtls_mpi_cmp_int(&pt->Z, 0) == 0;
+}
+
+/*
+ * Compare two points lazily
+ */
+int mbedtls_ecp_point_cmp(const mbedtls_ecp_point *P,
+ const mbedtls_ecp_point *Q)
+{
+ if (mbedtls_mpi_cmp_mpi(&P->X, &Q->X) == 0 &&
+ mbedtls_mpi_cmp_mpi(&P->Y, &Q->Y) == 0 &&
+ mbedtls_mpi_cmp_mpi(&P->Z, &Q->Z) == 0) {
+ return 0;
+ }
+
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+}
+
+/*
+ * Import a non-zero point from ASCII strings
+ */
+int mbedtls_ecp_point_read_string(mbedtls_ecp_point *P, int radix,
+ const char *x, const char *y)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->X, radix, x));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&P->Y, radix, y));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&P->Z, 1));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Export a point into unsigned binary data (SEC1 2.3.3 and RFC7748)
+ */
+int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *P,
+ int format, size_t *olen,
+ unsigned char *buf, size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ size_t plen;
+ if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
+ format != MBEDTLS_ECP_PF_COMPRESSED) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ plen = mbedtls_mpi_size(&grp->P);
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ (void) format; /* Montgomery curves always use the same point format */
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ *olen = plen;
+ if (buflen < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&P->X, buf, plen));
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ /*
+ * Common case: P == 0
+ */
+ if (mbedtls_mpi_cmp_int(&P->Z, 0) == 0) {
+ if (buflen < 1) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ buf[0] = 0x00;
+ *olen = 1;
+
+ return 0;
+ }
+
+ if (format == MBEDTLS_ECP_PF_UNCOMPRESSED) {
+ *olen = 2 * plen + 1;
+
+ if (buflen < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ buf[0] = 0x04;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->Y, buf + 1 + plen, plen));
+ } else if (format == MBEDTLS_ECP_PF_COMPRESSED) {
+ *olen = plen + 1;
+
+ if (buflen < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ buf[0] = 0x02 + mbedtls_mpi_get_bit(&P->Y, 0);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&P->X, buf + 1, plen));
+ }
+ }
+#endif
+
+cleanup:
+ return ret;
+}
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *X,
+ mbedtls_mpi *Y,
+ int parity_bit);
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+/*
+ * Import a point from unsigned binary data (SEC1 2.3.4 and RFC7748)
+ */
+int mbedtls_ecp_point_read_binary(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *pt,
+ const unsigned char *buf, size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ size_t plen;
+ if (ilen < 1) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ plen = mbedtls_mpi_size(&grp->P);
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ if (plen != ilen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&pt->X, buf, plen));
+ mbedtls_mpi_free(&pt->Y);
+
+ if (grp->id == MBEDTLS_ECP_DP_CURVE25519) {
+ /* Set most significant bit to 0 as prescribed in RFC7748 §5 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&pt->X, plen * 8 - 1, 0));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ if (buf[0] == 0x00) {
+ if (ilen == 1) {
+ return mbedtls_ecp_set_zero(pt);
+ } else {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ }
+
+ if (ilen < 1 + plen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&pt->X, buf + 1, plen));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&pt->Z, 1));
+
+ if (buf[0] == 0x04) {
+ /* format == MBEDTLS_ECP_PF_UNCOMPRESSED */
+ if (ilen != 1 + plen * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ return mbedtls_mpi_read_binary(&pt->Y, buf + 1 + plen, plen);
+ } else if (buf[0] == 0x02 || buf[0] == 0x03) {
+ /* format == MBEDTLS_ECP_PF_COMPRESSED */
+ if (ilen != 1 + plen) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ return mbedtls_ecp_sw_derive_y(grp, &pt->X, &pt->Y,
+ (buf[0] & 1));
+ } else {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ }
+#endif
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Import a point from a TLS ECPoint record (RFC 4492)
+ * struct {
+ * opaque point <1..2^8-1>;
+ * } ECPoint;
+ */
+int mbedtls_ecp_tls_read_point(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *pt,
+ const unsigned char **buf, size_t buf_len)
+{
+ unsigned char data_len;
+ const unsigned char *buf_start;
+ /*
+ * We must have at least two bytes (1 for length, at least one for data)
+ */
+ if (buf_len < 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ data_len = *(*buf)++;
+ if (data_len < 1 || data_len > buf_len - 1) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Save buffer start for read_binary and update buf
+ */
+ buf_start = *buf;
+ *buf += data_len;
+
+ return mbedtls_ecp_point_read_binary(grp, pt, buf_start, data_len);
+}
+
+/*
+ * Export a point as a TLS ECPoint record (RFC 4492)
+ * struct {
+ * opaque point <1..2^8-1>;
+ * } ECPoint;
+ */
+int mbedtls_ecp_tls_write_point(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
+ int format, size_t *olen,
+ unsigned char *buf, size_t blen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if (format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
+ format != MBEDTLS_ECP_PF_COMPRESSED) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * buffer length must be at least one, for our length byte
+ */
+ if (blen < 1) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_ecp_point_write_binary(grp, pt, format,
+ olen, buf + 1, blen - 1)) != 0) {
+ return ret;
+ }
+
+ /*
+ * write length to the first byte and update total length
+ */
+ buf[0] = (unsigned char) *olen;
+ ++*olen;
+
+ return 0;
+}
+
+/*
+ * Set a group from an ECParameters record (RFC 4492)
+ */
+int mbedtls_ecp_tls_read_group(mbedtls_ecp_group *grp,
+ const unsigned char **buf, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group_id grp_id;
+ if ((ret = mbedtls_ecp_tls_read_group_id(&grp_id, buf, len)) != 0) {
+ return ret;
+ }
+
+ return mbedtls_ecp_group_load(grp, grp_id);
+}
+
+/*
+ * Read a group id from an ECParameters record (RFC 4492) and convert it to
+ * mbedtls_ecp_group_id.
+ */
+int mbedtls_ecp_tls_read_group_id(mbedtls_ecp_group_id *grp,
+ const unsigned char **buf, size_t len)
+{
+ uint16_t tls_id;
+ const mbedtls_ecp_curve_info *curve_info;
+ /*
+ * We expect at least three bytes (see below)
+ */
+ if (len < 3) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * First byte is curve_type; only named_curve is handled
+ */
+ if (*(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Next two bytes are the namedcurve value
+ */
+ tls_id = MBEDTLS_GET_UINT16_BE(*buf, 0);
+ *buf += 2;
+
+ if ((curve_info = mbedtls_ecp_curve_info_from_tls_id(tls_id)) == NULL) {
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ *grp = curve_info->grp_id;
+
+ return 0;
+}
+
+/*
+ * Write the ECParameters record corresponding to a group (RFC 4492)
+ */
+int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp, size_t *olen,
+ unsigned char *buf, size_t blen)
+{
+ const mbedtls_ecp_curve_info *curve_info;
+ if ((curve_info = mbedtls_ecp_curve_info_from_grp_id(grp->id)) == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * We are going to write 3 bytes (see below)
+ */
+ *olen = 3;
+ if (blen < *olen) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ /*
+ * First byte is curve_type, always named_curve
+ */
+ *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
+
+ /*
+ * Next two bytes are the namedcurve value
+ */
+ MBEDTLS_PUT_UINT16_BE(curve_info->tls_id, buf, 0);
+
+ return 0;
+}
+
+/*
+ * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
+ * See the documentation of struct mbedtls_ecp_group.
+ *
+ * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
+ */
+static int ecp_modp(mbedtls_mpi *N, const mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (grp->modp == NULL) {
+ return mbedtls_mpi_mod_mpi(N, N, &grp->P);
+ }
+
+ /* N->s < 0 is a much faster test, which fails only if N is 0 */
+ if ((N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) ||
+ mbedtls_mpi_bitlen(N) > 2 * grp->pbits) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_MPI_CHK(grp->modp(N));
+
+ /* N->s < 0 is a much faster test, which fails only if N is 0 */
+ while (N->s < 0 && mbedtls_mpi_cmp_int(N, 0) != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &grp->P));
+ }
+
+ while (mbedtls_mpi_cmp_mpi(N, &grp->P) >= 0) {
+ /* we known P, N and the result are positive */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs(N, N, &grp->P));
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Fast mod-p functions expect their argument to be in the 0..p^2 range.
+ *
+ * In order to guarantee that, we need to ensure that operands of
+ * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
+ * bring the result back to this range.
+ *
+ * The following macros are shortcuts for doing that.
+ */
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
+ */
+#if defined(MBEDTLS_SELF_TEST)
+#define INC_MUL_COUNT mul_count++;
+#else
+#define INC_MUL_COUNT
+#endif
+
+#define MOD_MUL(N) \
+ do \
+ { \
+ MBEDTLS_MPI_CHK(ecp_modp(&(N), grp)); \
+ INC_MUL_COUNT \
+ } while (0)
+
+static inline int mbedtls_mpi_mul_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(X, A, B));
+ MOD_MUL(*X);
+cleanup:
+ return ret;
+}
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
+ * N->s < 0 is a very fast test, which fails only if N is 0
+ */
+#define MOD_SUB(N) \
+ do { \
+ while ((N)->s < 0 && mbedtls_mpi_cmp_int((N), 0) != 0) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi((N), (N), &grp->P)); \
+ } while (0)
+
+MBEDTLS_MAYBE_UNUSED
+static inline int mbedtls_mpi_sub_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(X, A, B));
+ MOD_SUB(X);
+cleanup:
+ return ret;
+}
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
+ * We known P, N and the result are positive, so sub_abs is correct, and
+ * a bit faster.
+ */
+#define MOD_ADD(N) \
+ while (mbedtls_mpi_cmp_mpi((N), &grp->P) >= 0) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_abs((N), (N), &grp->P))
+
+static inline int mbedtls_mpi_add_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ const mbedtls_mpi *B)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(X, A, B));
+ MOD_ADD(X);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_MAYBE_UNUSED
+static inline int mbedtls_mpi_mul_int_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ mbedtls_mpi_uint c)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int(X, A, c));
+ MOD_ADD(X);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_MAYBE_UNUSED
+static inline int mbedtls_mpi_sub_int_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ const mbedtls_mpi *A,
+ mbedtls_mpi_uint c)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(X, A, c));
+ MOD_SUB(X);
+cleanup:
+ return ret;
+}
+
+#define MPI_ECP_SUB_INT(X, A, c) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int_mod(grp, X, A, c))
+
+MBEDTLS_MAYBE_UNUSED
+static inline int mbedtls_mpi_shift_l_mod(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *X,
+ size_t count)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(X, count));
+ MOD_ADD(X);
+cleanup:
+ return ret;
+}
+
+/*
+ * Macro wrappers around ECP modular arithmetic
+ *
+ * Currently, these wrappers are defined via the bignum module.
+ */
+
+#define MPI_ECP_ADD(X, A, B) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mod(grp, X, A, B))
+
+#define MPI_ECP_SUB(X, A, B) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mod(grp, X, A, B))
+
+#define MPI_ECP_MUL(X, A, B) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, B))
+
+#define MPI_ECP_SQR(X, A) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mod(grp, X, A, A))
+
+#define MPI_ECP_MUL_INT(X, A, c) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_int_mod(grp, X, A, c))
+
+#define MPI_ECP_INV(dst, src) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod((dst), (src), &grp->P))
+
+#define MPI_ECP_MOV(X, A) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, A))
+
+#define MPI_ECP_SHIFT_L(X, count) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l_mod(grp, X, count))
+
+#define MPI_ECP_LSET(X, c) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(X, c))
+
+#define MPI_ECP_CMP_INT(X, c) \
+ mbedtls_mpi_cmp_int(X, c)
+
+#define MPI_ECP_CMP(X, Y) \
+ mbedtls_mpi_cmp_mpi(X, Y)
+
+/* Needs f_rng, p_rng to be defined. */
+#define MPI_ECP_RAND(X) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_random((X), 2, &grp->P, f_rng, p_rng))
+
+/* Conditional negation
+ * Needs grp and a temporary MPI tmp to be defined. */
+#define MPI_ECP_COND_NEG(X, cond) \
+ do \
+ { \
+ unsigned char nonzero = mbedtls_mpi_cmp_int((X), 0) != 0; \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&tmp, &grp->P, (X))); \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), &tmp, \
+ nonzero & cond)); \
+ } while (0)
+
+#define MPI_ECP_NEG(X) MPI_ECP_COND_NEG((X), 1)
+
+#define MPI_ECP_VALID(X) \
+ ((X)->p != NULL)
+
+#define MPI_ECP_COND_ASSIGN(X, Y, cond) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign((X), (Y), (cond)))
+
+#define MPI_ECP_COND_SWAP(X, Y, cond) \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_swap((X), (Y), (cond)))
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+
+/*
+ * Computes the right-hand side of the Short Weierstrass equation
+ * RHS = X^3 + A X + B
+ */
+static int ecp_sw_rhs(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *rhs,
+ const mbedtls_mpi *X)
+{
+ int ret;
+
+ /* Compute X^3 + A X + B as X (X^2 + A) + B */
+ MPI_ECP_SQR(rhs, X);
+
+ /* Special case for A = -3 */
+ if (mbedtls_ecp_group_a_is_minus_3(grp)) {
+ MPI_ECP_SUB_INT(rhs, rhs, 3);
+ } else {
+ MPI_ECP_ADD(rhs, rhs, &grp->A);
+ }
+
+ MPI_ECP_MUL(rhs, rhs, X);
+ MPI_ECP_ADD(rhs, rhs, &grp->B);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Derive Y from X and a parity bit
+ */
+static int mbedtls_ecp_sw_derive_y(const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *X,
+ mbedtls_mpi *Y,
+ int parity_bit)
+{
+ /* w = y^2 = x^3 + ax + b
+ * y = sqrt(w) = w^((p+1)/4) mod p (for prime p where p = 3 mod 4)
+ *
+ * Note: this method for extracting square root does not validate that w
+ * was indeed a square so this function will return garbage in Y if X
+ * does not correspond to a point on the curve.
+ */
+
+ /* Check prerequisite p = 3 mod 4 */
+ if (mbedtls_mpi_get_bit(&grp->P, 0) != 1 ||
+ mbedtls_mpi_get_bit(&grp->P, 1) != 1) {
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ int ret;
+ mbedtls_mpi exp;
+ mbedtls_mpi_init(&exp);
+
+ /* use Y to store intermediate result, actually w above */
+ MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, Y, X));
+
+ /* w = y^2 */ /* Y contains y^2 intermediate result */
+ /* exp = ((p+1)/4) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&exp, &grp->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&exp, 2));
+ /* sqrt(w) = w^((p+1)/4) mod p (for prime p where p = 3 mod 4) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(Y, Y /*y^2*/, &exp, &grp->P, NULL));
+
+ /* check parity bit match or else invert Y */
+ /* This quick inversion implementation is valid because Y != 0 for all
+ * Short Weierstrass curves supported by mbedtls, as each supported curve
+ * has an order that is a large prime, so each supported curve does not
+ * have any point of order 2, and a point with Y == 0 would be of order 2 */
+ if (mbedtls_mpi_get_bit(Y, 0) != parity_bit) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(Y, &grp->P, Y));
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&exp);
+ return ret;
+}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+/*
+ * For curves in short Weierstrass form, we do all the internal operations in
+ * Jacobian coordinates.
+ *
+ * For multiplication, we'll use a comb method with countermeasures against
+ * SPA, hence timing attacks.
+ */
+
+/*
+ * Normalize jacobian coordinates so that Z == 0 || Z == 1 (GECC 3.2.1)
+ * Cost: 1N := 1I + 3M + 1S
+ */
+static int ecp_normalize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt)
+{
+ if (MPI_ECP_CMP_INT(&pt->Z, 0) == 0) {
+ return 0;
+ }
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
+ return mbedtls_internal_ecp_normalize_jac(grp, pt);
+ }
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi T;
+ mbedtls_mpi_init(&T);
+
+ MPI_ECP_INV(&T, &pt->Z); /* T <- 1 / Z */
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &T); /* Y' <- Y*T = Y / Z */
+ MPI_ECP_SQR(&T, &T); /* T <- T^2 = 1 / Z^2 */
+ MPI_ECP_MUL(&pt->X, &pt->X, &T); /* X <- X * T = X / Z^2 */
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &T); /* Y'' <- Y' * T = Y / Z^3 */
+
+ MPI_ECP_LSET(&pt->Z, 1);
+
+cleanup:
+
+ mbedtls_mpi_free(&T);
+
+ return ret;
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) */
+}
+
+/*
+ * Normalize jacobian coordinates of an array of (pointers to) points,
+ * using Montgomery's trick to perform only one inversion mod P.
+ * (See for example Cohen's "A Course in Computational Algebraic Number
+ * Theory", Algorithm 10.3.4.)
+ *
+ * Warning: fails (returning an error) if one of the points is zero!
+ * This should never happen, see choice of w in ecp_mul_comb().
+ *
+ * Cost: 1N(t) := 1I + (6t - 3)M + 1S
+ */
+static int ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *T[], size_t T_size)
+{
+ if (T_size < 2) {
+ return ecp_normalize_jac(grp, *T);
+ }
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
+ return mbedtls_internal_ecp_normalize_jac_many(grp, T, T_size);
+ }
+#endif
+
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_mpi *c, t;
+
+ if ((c = mbedtls_calloc(T_size, sizeof(mbedtls_mpi))) == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ }
+
+ mbedtls_mpi_init(&t);
+
+ mpi_init_many(c, T_size);
+ /*
+ * c[i] = Z_0 * ... * Z_i, i = 0,..,n := T_size-1
+ */
+ MPI_ECP_MOV(&c[0], &T[0]->Z);
+ for (i = 1; i < T_size; i++) {
+ MPI_ECP_MUL(&c[i], &c[i-1], &T[i]->Z);
+ }
+
+ /*
+ * c[n] = 1 / (Z_0 * ... * Z_n) mod P
+ */
+ MPI_ECP_INV(&c[T_size-1], &c[T_size-1]);
+
+ for (i = T_size - 1;; i--) {
+ /* At the start of iteration i (note that i decrements), we have
+ * - c[j] = Z_0 * .... * Z_j for j < i,
+ * - c[j] = 1 / (Z_0 * .... * Z_j) for j == i,
+ *
+ * This is maintained via
+ * - c[i-1] <- c[i] * Z_i
+ *
+ * We also derive 1/Z_i = c[i] * c[i-1] for i>0 and use that
+ * to do the actual normalization. For i==0, we already have
+ * c[0] = 1 / Z_0.
+ */
+
+ if (i > 0) {
+ /* Compute 1/Z_i and establish invariant for the next iteration. */
+ MPI_ECP_MUL(&t, &c[i], &c[i-1]);
+ MPI_ECP_MUL(&c[i-1], &c[i], &T[i]->Z);
+ } else {
+ MPI_ECP_MOV(&t, &c[0]);
+ }
+
+ /* Now t holds 1 / Z_i; normalize as in ecp_normalize_jac() */
+ MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
+ MPI_ECP_SQR(&t, &t);
+ MPI_ECP_MUL(&T[i]->X, &T[i]->X, &t);
+ MPI_ECP_MUL(&T[i]->Y, &T[i]->Y, &t);
+
+ /*
+ * Post-precessing: reclaim some memory by shrinking coordinates
+ * - not storing Z (always 1)
+ * - shrinking other coordinates, but still keeping the same number of
+ * limbs as P, as otherwise it will too likely be regrown too fast.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->X, grp->P.n));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shrink(&T[i]->Y, grp->P.n));
+
+ MPI_ECP_LSET(&T[i]->Z, 1);
+
+ if (i == 0) {
+ break;
+ }
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&t);
+ mpi_free_many(c, T_size);
+ mbedtls_free(c);
+
+ return ret;
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) */
+}
+
+/*
+ * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
+ * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
+ */
+static int ecp_safe_invert_jac(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *Q,
+ unsigned char inv)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi tmp;
+ mbedtls_mpi_init(&tmp);
+
+ MPI_ECP_COND_NEG(&Q->Y, inv);
+
+cleanup:
+ mbedtls_mpi_free(&tmp);
+ return ret;
+}
+
+/*
+ * Point doubling R = 2 P, Jacobian coordinates
+ *
+ * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
+ *
+ * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
+ * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
+ *
+ * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
+ *
+ * Cost: 1D := 3M + 4S (A == 0)
+ * 4M + 4S (A == -3)
+ * 3M + 6S + 1a otherwise
+ */
+static int ecp_double_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point *P,
+ mbedtls_mpi tmp[4])
+{
+#if defined(MBEDTLS_SELF_TEST)
+ dbl_count++;
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
+ return mbedtls_internal_ecp_double_jac(grp, R, P);
+ }
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Special case for A = -3 */
+ if (mbedtls_ecp_group_a_is_minus_3(grp)) {
+ /* tmp[0] <- M = 3(X + Z^2)(X - Z^2) */
+ MPI_ECP_SQR(&tmp[1], &P->Z);
+ MPI_ECP_ADD(&tmp[2], &P->X, &tmp[1]);
+ MPI_ECP_SUB(&tmp[3], &P->X, &tmp[1]);
+ MPI_ECP_MUL(&tmp[1], &tmp[2], &tmp[3]);
+ MPI_ECP_MUL_INT(&tmp[0], &tmp[1], 3);
+ } else {
+ /* tmp[0] <- M = 3.X^2 + A.Z^4 */
+ MPI_ECP_SQR(&tmp[1], &P->X);
+ MPI_ECP_MUL_INT(&tmp[0], &tmp[1], 3);
+
+ /* Optimize away for "koblitz" curves with A = 0 */
+ if (MPI_ECP_CMP_INT(&grp->A, 0) != 0) {
+ /* M += A.Z^4 */
+ MPI_ECP_SQR(&tmp[1], &P->Z);
+ MPI_ECP_SQR(&tmp[2], &tmp[1]);
+ MPI_ECP_MUL(&tmp[1], &tmp[2], &grp->A);
+ MPI_ECP_ADD(&tmp[0], &tmp[0], &tmp[1]);
+ }
+ }
+
+ /* tmp[1] <- S = 4.X.Y^2 */
+ MPI_ECP_SQR(&tmp[2], &P->Y);
+ MPI_ECP_SHIFT_L(&tmp[2], 1);
+ MPI_ECP_MUL(&tmp[1], &P->X, &tmp[2]);
+ MPI_ECP_SHIFT_L(&tmp[1], 1);
+
+ /* tmp[3] <- U = 8.Y^4 */
+ MPI_ECP_SQR(&tmp[3], &tmp[2]);
+ MPI_ECP_SHIFT_L(&tmp[3], 1);
+
+ /* tmp[2] <- T = M^2 - 2.S */
+ MPI_ECP_SQR(&tmp[2], &tmp[0]);
+ MPI_ECP_SUB(&tmp[2], &tmp[2], &tmp[1]);
+ MPI_ECP_SUB(&tmp[2], &tmp[2], &tmp[1]);
+
+ /* tmp[1] <- S = M(S - T) - U */
+ MPI_ECP_SUB(&tmp[1], &tmp[1], &tmp[2]);
+ MPI_ECP_MUL(&tmp[1], &tmp[1], &tmp[0]);
+ MPI_ECP_SUB(&tmp[1], &tmp[1], &tmp[3]);
+
+ /* tmp[3] <- U = 2.Y.Z */
+ MPI_ECP_MUL(&tmp[3], &P->Y, &P->Z);
+ MPI_ECP_SHIFT_L(&tmp[3], 1);
+
+ /* Store results */
+ MPI_ECP_MOV(&R->X, &tmp[2]);
+ MPI_ECP_MOV(&R->Y, &tmp[1]);
+ MPI_ECP_MOV(&R->Z, &tmp[3]);
+
+cleanup:
+
+ return ret;
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) */
+}
+
+/*
+ * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
+ *
+ * The coordinates of Q must be normalized (= affine),
+ * but those of P don't need to. R is not normalized.
+ *
+ * P,Q,R may alias, but only at the level of EC points: they must be either
+ * equal as pointers, or disjoint (including the coordinate data buffers).
+ * Fine-grained aliasing at the level of coordinates is not supported.
+ *
+ * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
+ * None of these cases can happen as intermediate step in ecp_mul_comb():
+ * - at each step, P, Q and R are multiples of the base point, the factor
+ * being less than its order, so none of them is zero;
+ * - Q is an odd multiple of the base point, P an even multiple,
+ * due to the choice of precomputed points in the modified comb method.
+ * So branches for these cases do not leak secret information.
+ *
+ * Cost: 1A := 8M + 3S
+ */
+static int ecp_add_mixed(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
+ mbedtls_mpi tmp[4])
+{
+#if defined(MBEDTLS_SELF_TEST)
+ add_count++;
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
+ return mbedtls_internal_ecp_add_mixed(grp, R, P, Q);
+ }
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* NOTE: Aliasing between input and output is allowed, so one has to make
+ * sure that at the point X,Y,Z are written, {P,Q}->{X,Y,Z} are no
+ * longer read from. */
+ mbedtls_mpi * const X = &R->X;
+ mbedtls_mpi * const Y = &R->Y;
+ mbedtls_mpi * const Z = &R->Z;
+
+ if (!MPI_ECP_VALID(&Q->Z)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Trivial cases: P == 0 or Q == 0 (case 1)
+ */
+ if (MPI_ECP_CMP_INT(&P->Z, 0) == 0) {
+ return mbedtls_ecp_copy(R, Q);
+ }
+
+ if (MPI_ECP_CMP_INT(&Q->Z, 0) == 0) {
+ return mbedtls_ecp_copy(R, P);
+ }
+
+ /*
+ * Make sure Q coordinates are normalized
+ */
+ if (MPI_ECP_CMP_INT(&Q->Z, 1) != 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ MPI_ECP_SQR(&tmp[0], &P->Z);
+ MPI_ECP_MUL(&tmp[1], &tmp[0], &P->Z);
+ MPI_ECP_MUL(&tmp[0], &tmp[0], &Q->X);
+ MPI_ECP_MUL(&tmp[1], &tmp[1], &Q->Y);
+ MPI_ECP_SUB(&tmp[0], &tmp[0], &P->X);
+ MPI_ECP_SUB(&tmp[1], &tmp[1], &P->Y);
+
+ /* Special cases (2) and (3) */
+ if (MPI_ECP_CMP_INT(&tmp[0], 0) == 0) {
+ if (MPI_ECP_CMP_INT(&tmp[1], 0) == 0) {
+ ret = ecp_double_jac(grp, R, P, tmp);
+ goto cleanup;
+ } else {
+ ret = mbedtls_ecp_set_zero(R);
+ goto cleanup;
+ }
+ }
+
+ /* {P,Q}->Z no longer used, so OK to write to Z even if there's aliasing. */
+ MPI_ECP_MUL(Z, &P->Z, &tmp[0]);
+ MPI_ECP_SQR(&tmp[2], &tmp[0]);
+ MPI_ECP_MUL(&tmp[3], &tmp[2], &tmp[0]);
+ MPI_ECP_MUL(&tmp[2], &tmp[2], &P->X);
+
+ MPI_ECP_MOV(&tmp[0], &tmp[2]);
+ MPI_ECP_SHIFT_L(&tmp[0], 1);
+
+ /* {P,Q}->X no longer used, so OK to write to X even if there's aliasing. */
+ MPI_ECP_SQR(X, &tmp[1]);
+ MPI_ECP_SUB(X, X, &tmp[0]);
+ MPI_ECP_SUB(X, X, &tmp[3]);
+ MPI_ECP_SUB(&tmp[2], &tmp[2], X);
+ MPI_ECP_MUL(&tmp[2], &tmp[2], &tmp[1]);
+ MPI_ECP_MUL(&tmp[3], &tmp[3], &P->Y);
+ /* {P,Q}->Y no longer used, so OK to write to Y even if there's aliasing. */
+ MPI_ECP_SUB(Y, &tmp[2], &tmp[3]);
+
+cleanup:
+
+ return ret;
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_ADD_MIXED_ALT) */
+}
+
+/*
+ * Randomize jacobian coordinates:
+ * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_jac().
+ *
+ * This countermeasure was first suggested in [2].
+ */
+static int ecp_randomize_jac(const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
+ return mbedtls_internal_ecp_randomize_jac(grp, pt, f_rng, p_rng);
+ }
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi l;
+
+ mbedtls_mpi_init(&l);
+
+ /* Generate l such that 1 < l < p */
+ MPI_ECP_RAND(&l);
+
+ /* Z' = l * Z */
+ MPI_ECP_MUL(&pt->Z, &pt->Z, &l);
+
+ /* Y' = l * Y */
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &l);
+
+ /* X' = l^2 * X */
+ MPI_ECP_SQR(&l, &l);
+ MPI_ECP_MUL(&pt->X, &pt->X, &l);
+
+ /* Y'' = l^2 * Y' = l^3 * Y */
+ MPI_ECP_MUL(&pt->Y, &pt->Y, &l);
+
+cleanup:
+ mbedtls_mpi_free(&l);
+
+ if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ }
+ return ret;
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) */
+}
+
+/*
+ * Check and define parameters used by the comb method (see below for details)
+ */
+#if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
+#error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
+#endif
+
+/* d = ceil( n / w ) */
+#define COMB_MAX_D (MBEDTLS_ECP_MAX_BITS + 1) / 2
+
+/* number of precomputed points */
+#define COMB_MAX_PRE (1 << (MBEDTLS_ECP_WINDOW_SIZE - 1))
+
+/*
+ * Compute the representation of m that will be used with our comb method.
+ *
+ * The basic comb method is described in GECC 3.44 for example. We use a
+ * modified version that provides resistance to SPA by avoiding zero
+ * digits in the representation as in [3]. We modify the method further by
+ * requiring that all K_i be odd, which has the small cost that our
+ * representation uses one more K_i, due to carries, but saves on the size of
+ * the precomputed table.
+ *
+ * Summary of the comb method and its modifications:
+ *
+ * - The goal is to compute m*P for some w*d-bit integer m.
+ *
+ * - The basic comb method splits m into the w-bit integers
+ * x[0] .. x[d-1] where x[i] consists of the bits in m whose
+ * index has residue i modulo d, and computes m * P as
+ * S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
+ * S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
+ *
+ * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
+ * .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
+ * thereby successively converting it into a form where all summands
+ * are nonzero, at the cost of negative summands. This is the basic idea of [3].
+ *
+ * - More generally, even if x[i+1] != 0, we can first transform the sum as
+ * .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
+ * and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
+ * Performing and iterating this procedure for those x[i] that are even
+ * (keeping track of carry), we can transform the original sum into one of the form
+ * S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
+ * with all x'[i] odd. It is therefore only necessary to know S at odd indices,
+ * which is why we are only computing half of it in the first place in
+ * ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
+ *
+ * - For the sake of compactness, only the seven low-order bits of x[i]
+ * are used to represent its absolute value (K_i in the paper), and the msb
+ * of x[i] encodes the sign (s_i in the paper): it is set if and only if
+ * if s_i == -1;
+ *
+ * Calling conventions:
+ * - x is an array of size d + 1
+ * - w is the size, ie number of teeth, of the comb, and must be between
+ * 2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
+ * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
+ * (the result will be incorrect if these assumptions are not satisfied)
+ */
+static void ecp_comb_recode_core(unsigned char x[], size_t d,
+ unsigned char w, const mbedtls_mpi *m)
+{
+ size_t i, j;
+ unsigned char c, cc, adjust;
+
+ memset(x, 0, d+1);
+
+ /* First get the classical comb values (except for x_d = 0) */
+ for (i = 0; i < d; i++) {
+ for (j = 0; j < w; j++) {
+ x[i] |= mbedtls_mpi_get_bit(m, i + d * j) << j;
+ }
+ }
+
+ /* Now make sure x_1 .. x_d are odd */
+ c = 0;
+ for (i = 1; i <= d; i++) {
+ /* Add carry and update it */
+ cc = x[i] & c;
+ x[i] = x[i] ^ c;
+ c = cc;
+
+ /* Adjust if needed, avoiding branches */
+ adjust = 1 - (x[i] & 0x01);
+ c |= x[i] & (x[i-1] * adjust);
+ x[i] = x[i] ^ (x[i-1] * adjust);
+ x[i-1] |= adjust << 7;
+ }
+}
+
+/*
+ * Precompute points for the adapted comb method
+ *
+ * Assumption: T must be able to hold 2^{w - 1} elements.
+ *
+ * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
+ * sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
+ *
+ * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
+ *
+ * Note: Even comb values (those where P would be omitted from the
+ * sum defining T[i] above) are not needed in our adaption
+ * the comb method. See ecp_comb_recode_core().
+ *
+ * This function currently works in four steps:
+ * (1) [dbl] Computation of intermediate T[i] for 2-power values of i
+ * (2) [norm_dbl] Normalization of coordinates of these T[i]
+ * (3) [add] Computation of all T[i]
+ * (4) [norm_add] Normalization of all T[i]
+ *
+ * Step 1 can be interrupted but not the others; together with the final
+ * coordinate normalization they are the largest steps done at once, depending
+ * on the window size. Here are operation counts for P-256:
+ *
+ * step (2) (3) (4)
+ * w = 5 142 165 208
+ * w = 4 136 77 160
+ * w = 3 130 33 136
+ * w = 2 124 11 124
+ *
+ * So if ECC operations are blocking for too long even with a low max_ops
+ * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
+ * to minimize maximum blocking time.
+ */
+static int ecp_precompute_comb(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
+ unsigned char w, size_t d,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char i;
+ size_t j = 0;
+ const unsigned char T_size = 1U << (w - 1);
+ mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1] = { NULL };
+
+ mbedtls_mpi tmp[4];
+
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
+ goto dbl;
+ }
+ if (rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl) {
+ goto norm_dbl;
+ }
+ if (rs_ctx->rsm->state == ecp_rsm_pre_add) {
+ goto add;
+ }
+ if (rs_ctx->rsm->state == ecp_rsm_pre_norm_add) {
+ goto norm_add;
+ }
+ }
+#else
+ (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_pre_dbl;
+
+ /* initial state for the loop */
+ rs_ctx->rsm->i = 0;
+ }
+
+dbl:
+#endif
+ /*
+ * Set T[0] = P and
+ * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
+ */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&T[0], P));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
+ j = rs_ctx->rsm->i;
+ } else
+#endif
+ j = 0;
+
+ for (; j < d * (w - 1); j++) {
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL);
+
+ i = 1U << (j / d);
+ cur = T + i;
+
+ if (j % d == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(cur, T + (i >> 1)));
+ }
+
+ MBEDTLS_MPI_CHK(ecp_double_jac(grp, cur, cur, tmp));
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
+ }
+
+norm_dbl:
+#endif
+ /*
+ * Normalize current elements in T to allow them to be used in
+ * ecp_add_mixed() below, which requires one normalized input.
+ *
+ * As T has holes, use an auxiliary array of pointers to elements in T.
+ *
+ */
+ j = 0;
+ for (i = 1; i < T_size; i <<= 1) {
+ TT[j++] = T + i;
+ }
+
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
+
+ MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_pre_add;
+ }
+
+add:
+#endif
+ /*
+ * Compute the remaining ones using the minimal number of additions
+ * Be careful to update T[2^l] only after using it!
+ */
+ MBEDTLS_ECP_BUDGET((T_size - 1) * MBEDTLS_ECP_OPS_ADD);
+
+ for (i = 1; i < T_size; i <<= 1) {
+ j = i;
+ while (j--) {
+ MBEDTLS_MPI_CHK(ecp_add_mixed(grp, &T[i + j], &T[j], &T[i], tmp));
+ }
+ }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
+ }
+
+norm_add:
+#endif
+ /*
+ * Normalize final elements in T. Even though there are no holes now, we
+ * still need the auxiliary array for homogeneity with the previous
+ * call. Also, skip T[0] which is already normalised, being a copy of P.
+ */
+ for (j = 0; j + 1 < T_size; j++) {
+ TT[j] = T + j + 1;
+ }
+
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV + 6 * j - 2);
+
+ MBEDTLS_MPI_CHK(ecp_normalize_jac_many(grp, TT, j));
+
+ /* Free Z coordinate (=1 after normalization) to save RAM.
+ * This makes T[i] invalid as mbedtls_ecp_points, but this is OK
+ * since from this point onwards, they are only accessed indirectly
+ * via the getter function ecp_select_comb() which does set the
+ * target's Z coordinate to 1. */
+ for (i = 0; i < T_size; i++) {
+ mbedtls_mpi_free(&T[i].Z);
+ }
+
+cleanup:
+
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
+ ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ if (rs_ctx->rsm->state == ecp_rsm_pre_dbl) {
+ rs_ctx->rsm->i = j;
+ }
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
+ *
+ * See ecp_comb_recode_core() for background
+ */
+static int ecp_select_comb(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point T[], unsigned char T_size,
+ unsigned char i)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char ii, j;
+
+ /* Ignore the "sign" bit and scale down */
+ ii = (i & 0x7Fu) >> 1;
+
+ /* Read the whole table to thwart cache-based timing attacks */
+ for (j = 0; j < T_size; j++) {
+ MPI_ECP_COND_ASSIGN(&R->X, &T[j].X, j == ii);
+ MPI_ECP_COND_ASSIGN(&R->Y, &T[j].Y, j == ii);
+ }
+
+ /* Safely invert result if i is "negative" */
+ MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, R, i >> 7));
+
+ MPI_ECP_LSET(&R->Z, 1);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Core multiplication algorithm for the (modified) comb method.
+ * This part is actually common with the basic comb method (GECC 3.44)
+ *
+ * Cost: d A + d D + 1 R
+ */
+static int ecp_mul_comb_core(const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_ecp_point T[], unsigned char T_size,
+ const unsigned char x[], size_t d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point Txi;
+ mbedtls_mpi tmp[4];
+ size_t i;
+
+ mbedtls_ecp_point_init(&Txi);
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+ (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
+ rs_ctx->rsm->state != ecp_rsm_comb_core) {
+ rs_ctx->rsm->i = 0;
+ rs_ctx->rsm->state = ecp_rsm_comb_core;
+ }
+
+ /* new 'if' instead of nested for the sake of the 'else' branch */
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0) {
+ /* restore current index (R already pointing to rs_ctx->rsm->R) */
+ i = rs_ctx->rsm->i;
+ } else
+#endif
+ {
+ /* Start with a non-zero point and randomize its coordinates */
+ i = d;
+ MBEDTLS_MPI_CHK(ecp_select_comb(grp, R, T, T_size, x[i]));
+ if (f_rng != 0) {
+ MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, R, f_rng, p_rng));
+ }
+ }
+
+ while (i != 0) {
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD);
+ --i;
+
+ MBEDTLS_MPI_CHK(ecp_double_jac(grp, R, R, tmp));
+ MBEDTLS_MPI_CHK(ecp_select_comb(grp, &Txi, T, T_size, x[i]));
+ MBEDTLS_MPI_CHK(ecp_add_mixed(grp, R, R, &Txi, tmp));
+ }
+
+cleanup:
+
+ mbedtls_ecp_point_free(&Txi);
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL &&
+ ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ rs_ctx->rsm->i = i;
+ /* no need to save R, already pointing to rs_ctx->rsm->R */
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Recode the scalar to get constant-time comb multiplication
+ *
+ * As the actual scalar recoding needs an odd scalar as a starting point,
+ * this wrapper ensures that by replacing m by N - m if necessary, and
+ * informs the caller that the result of multiplication will be negated.
+ *
+ * This works because we only support large prime order for Short Weierstrass
+ * curves, so N is always odd hence either m or N - m is.
+ *
+ * See ecp_comb_recode_core() for background.
+ */
+static int ecp_comb_recode_scalar(const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *m,
+ unsigned char k[COMB_MAX_D + 1],
+ size_t d,
+ unsigned char w,
+ unsigned char *parity_trick)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi M, mm;
+
+ mbedtls_mpi_init(&M);
+ mbedtls_mpi_init(&mm);
+
+ /* N is always odd (see above), just make extra sure */
+ if (mbedtls_mpi_get_bit(&grp->N, 0) != 1) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* do we need the parity trick? */
+ *parity_trick = (mbedtls_mpi_get_bit(m, 0) == 0);
+
+ /* execute parity fix in constant time */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&M, m));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&mm, &grp->N, m));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_safe_cond_assign(&M, &mm, *parity_trick));
+
+ /* actual scalar recoding */
+ ecp_comb_recode_core(k, d, w, &M);
+
+cleanup:
+ mbedtls_mpi_free(&mm);
+ mbedtls_mpi_free(&M);
+
+ return ret;
+}
+
+/*
+ * Perform comb multiplication (for short Weierstrass curves)
+ * once the auxiliary table has been pre-computed.
+ *
+ * Scalar recoding may use a parity trick that makes us compute -m * P,
+ * if that is the case we'll need to recover m * P at the end.
+ */
+static int ecp_mul_comb_after_precomp(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R,
+ const mbedtls_mpi *m,
+ const mbedtls_ecp_point *T,
+ unsigned char T_size,
+ unsigned char w,
+ size_t d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char parity_trick;
+ unsigned char k[COMB_MAX_D + 1];
+ mbedtls_ecp_point *RR = R;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ RR = &rs_ctx->rsm->R;
+
+ if (rs_ctx->rsm->state == ecp_rsm_final_norm) {
+ goto final_norm;
+ }
+ }
+#endif
+
+ MBEDTLS_MPI_CHK(ecp_comb_recode_scalar(grp, m, k, d, w,
+ &parity_trick));
+ MBEDTLS_MPI_CHK(ecp_mul_comb_core(grp, RR, T, T_size, k, d,
+ f_rng, p_rng, rs_ctx));
+ MBEDTLS_MPI_CHK(ecp_safe_invert_jac(grp, RR, parity_trick));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ rs_ctx->rsm->state = ecp_rsm_final_norm;
+ }
+
+final_norm:
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
+#endif
+ /*
+ * Knowledge of the jacobian coordinates may leak the last few bits of the
+ * scalar [1], and since our MPI implementation isn't constant-flow,
+ * inversion (used for coordinate normalization) may leak the full value
+ * of its input via side-channels [2].
+ *
+ * [1] https://eprint.iacr.org/2003/191
+ * [2] https://eprint.iacr.org/2020/055
+ *
+ * Avoid the leak by randomizing coordinates before we normalize them.
+ */
+ if (f_rng != 0) {
+ MBEDTLS_MPI_CHK(ecp_randomize_jac(grp, RR, f_rng, p_rng));
+ }
+
+ MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, RR));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, RR));
+ }
+#endif
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Pick window size based on curve size and whether we optimize for base point
+ */
+static unsigned char ecp_pick_window_size(const mbedtls_ecp_group *grp,
+ unsigned char p_eq_g)
+{
+ unsigned char w;
+
+ /*
+ * Minimize the number of multiplications, that is minimize
+ * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
+ * (see costs of the various parts, with 1S = 1M)
+ */
+ w = grp->nbits >= 384 ? 5 : 4;
+
+ /*
+ * If P == G, pre-compute a bit more, since this may be re-used later.
+ * Just adding one avoids upping the cost of the first mul too much,
+ * and the memory cost too.
+ */
+ if (p_eq_g) {
+ w++;
+ }
+
+ /*
+ * If static comb table may not be used (!p_eq_g) or static comb table does
+ * not exists, make sure w is within bounds.
+ * (The last test is useful only for very small curves in the test suite.)
+ *
+ * The user reduces MBEDTLS_ECP_WINDOW_SIZE does not changes the size of
+ * static comb table, because the size of static comb table is fixed when
+ * it is generated.
+ */
+#if (MBEDTLS_ECP_WINDOW_SIZE < 6)
+ if ((!p_eq_g || !ecp_group_is_static_comb_table(grp)) && w > MBEDTLS_ECP_WINDOW_SIZE) {
+ w = MBEDTLS_ECP_WINDOW_SIZE;
+ }
+#endif
+ if (w >= grp->nbits) {
+ w = 2;
+ }
+
+ return w;
+}
+
+/*
+ * Multiplication using the comb method - for curves in short Weierstrass form
+ *
+ * This function is mainly responsible for administrative work:
+ * - managing the restart context if enabled
+ * - managing the table of precomputed points (passed between the below two
+ * functions): allocation, computation, ownership transfer, freeing.
+ *
+ * It delegates the actual arithmetic work to:
+ * ecp_precompute_comb() and ecp_mul_comb_with_precomp()
+ *
+ * See comments on ecp_comb_recode_core() regarding the computation strategy.
+ */
+static int ecp_mul_comb(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char w, p_eq_g, i;
+ size_t d;
+ unsigned char T_size = 0, T_ok = 0;
+ mbedtls_ecp_point *T = NULL;
+
+ ECP_RS_ENTER(rsm);
+
+ /* Is P the base point ? */
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+ p_eq_g = (MPI_ECP_CMP(&P->Y, &grp->G.Y) == 0 &&
+ MPI_ECP_CMP(&P->X, &grp->G.X) == 0);
+#else
+ p_eq_g = 0;
+#endif
+
+ /* Pick window size and deduce related sizes */
+ w = ecp_pick_window_size(grp, p_eq_g);
+ T_size = 1U << (w - 1);
+ d = (grp->nbits + w - 1) / w;
+
+ /* Pre-computed table: do we have it already for the base point? */
+ if (p_eq_g && grp->T != NULL) {
+ /* second pointer to the same table, will be deleted on exit */
+ T = grp->T;
+ T_ok = 1;
+ } else
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ /* Pre-computed table: do we have one in progress? complete? */
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL) {
+ /* transfer ownership of T from rsm to local function */
+ T = rs_ctx->rsm->T;
+ rs_ctx->rsm->T = NULL;
+ rs_ctx->rsm->T_size = 0;
+
+ /* This effectively jumps to the call to mul_comb_after_precomp() */
+ T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
+ } else
+#endif
+ /* Allocate table if we didn't have any */
+ {
+ T = mbedtls_calloc(T_size, sizeof(mbedtls_ecp_point));
+ if (T == NULL) {
+ ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ for (i = 0; i < T_size; i++) {
+ mbedtls_ecp_point_init(&T[i]);
+ }
+
+ T_ok = 0;
+ }
+
+ /* Compute table (or finish computing it) if not done already */
+ if (!T_ok) {
+ MBEDTLS_MPI_CHK(ecp_precompute_comb(grp, T, P, w, d, rs_ctx));
+
+ if (p_eq_g) {
+ /* almost transfer ownership of T to the group, but keep a copy of
+ * the pointer to use for calling the next function more easily */
+ grp->T = T;
+ grp->T_size = T_size;
+ }
+ }
+
+ /* Actual comb multiplication using precomputed points */
+ MBEDTLS_MPI_CHK(ecp_mul_comb_after_precomp(grp, R, m,
+ T, T_size, w, d,
+ f_rng, p_rng, rs_ctx));
+
+cleanup:
+
+ /* does T belong to the group? */
+ if (T == grp->T) {
+ T = NULL;
+ }
+
+ /* does T belong to the restart context? */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL) {
+ /* transfer ownership of T from local function to rsm */
+ rs_ctx->rsm->T_size = T_size;
+ rs_ctx->rsm->T = T;
+ T = NULL;
+ }
+#endif
+
+ /* did T belong to us? then let's destroy it! */
+ if (T != NULL) {
+ for (i = 0; i < T_size; i++) {
+ mbedtls_ecp_point_free(&T[i]);
+ }
+ mbedtls_free(T);
+ }
+
+ /* prevent caller from using invalid value */
+ int should_free_R = (ret != 0);
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ /* don't free R while in progress in case R == P */
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ should_free_R = 0;
+ }
+#endif
+ if (should_free_R) {
+ mbedtls_ecp_point_free(R);
+ }
+
+ ECP_RS_LEAVE(rsm);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+/*
+ * For Montgomery curves, we do all the internal arithmetic in projective
+ * coordinates. Import/export of points uses only the x coordinates, which is
+ * internally represented as X / Z.
+ *
+ * For scalar multiplication, we'll use a Montgomery ladder.
+ */
+
+/*
+ * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
+ * Cost: 1M + 1I
+ */
+static int ecp_normalize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P)
+{
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
+ return mbedtls_internal_ecp_normalize_mxz(grp, P);
+ }
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MPI_ECP_INV(&P->Z, &P->Z);
+ MPI_ECP_MUL(&P->X, &P->X, &P->Z);
+ MPI_ECP_LSET(&P->Z, 1);
+
+cleanup:
+ return ret;
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) */
+}
+
+/*
+ * Randomize projective x/z coordinates:
+ * (X, Z) -> (l X, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_mxz().
+ *
+ * This countermeasure was first suggested in [2].
+ * Cost: 2M
+ */
+static int ecp_randomize_mxz(const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
+ return mbedtls_internal_ecp_randomize_mxz(grp, P, f_rng, p_rng);
+ }
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi l;
+ mbedtls_mpi_init(&l);
+
+ /* Generate l such that 1 < l < p */
+ MPI_ECP_RAND(&l);
+
+ MPI_ECP_MUL(&P->X, &P->X, &l);
+ MPI_ECP_MUL(&P->Z, &P->Z, &l);
+
+cleanup:
+ mbedtls_mpi_free(&l);
+
+ if (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ }
+ return ret;
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) */
+}
+
+/*
+ * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
+ * for Montgomery curves in x/z coordinates.
+ *
+ * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
+ * with
+ * d = X1
+ * P = (X2, Z2)
+ * Q = (X3, Z3)
+ * R = (X4, Z4)
+ * S = (X5, Z5)
+ * and eliminating temporary variables tO, ..., t4.
+ *
+ * Cost: 5M + 4S
+ */
+static int ecp_double_add_mxz(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R, mbedtls_ecp_point *S,
+ const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *d,
+ mbedtls_mpi T[4])
+{
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+ if (mbedtls_internal_ecp_grp_capable(grp)) {
+ return mbedtls_internal_ecp_double_add_mxz(grp, R, S, P, Q, d);
+ }
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MPI_ECP_ADD(&T[0], &P->X, &P->Z); /* Pp := PX + PZ */
+ MPI_ECP_SUB(&T[1], &P->X, &P->Z); /* Pm := PX - PZ */
+ MPI_ECP_ADD(&T[2], &Q->X, &Q->Z); /* Qp := QX + XZ */
+ MPI_ECP_SUB(&T[3], &Q->X, &Q->Z); /* Qm := QX - QZ */
+ MPI_ECP_MUL(&T[3], &T[3], &T[0]); /* Qm * Pp */
+ MPI_ECP_MUL(&T[2], &T[2], &T[1]); /* Qp * Pm */
+ MPI_ECP_SQR(&T[0], &T[0]); /* Pp^2 */
+ MPI_ECP_SQR(&T[1], &T[1]); /* Pm^2 */
+ MPI_ECP_MUL(&R->X, &T[0], &T[1]); /* Pp^2 * Pm^2 */
+ MPI_ECP_SUB(&T[0], &T[0], &T[1]); /* Pp^2 - Pm^2 */
+ MPI_ECP_MUL(&R->Z, &grp->A, &T[0]); /* A * (Pp^2 - Pm^2) */
+ MPI_ECP_ADD(&R->Z, &T[1], &R->Z); /* [ A * (Pp^2-Pm^2) ] + Pm^2 */
+ MPI_ECP_ADD(&S->X, &T[3], &T[2]); /* Qm*Pp + Qp*Pm */
+ MPI_ECP_SQR(&S->X, &S->X); /* (Qm*Pp + Qp*Pm)^2 */
+ MPI_ECP_SUB(&S->Z, &T[3], &T[2]); /* Qm*Pp - Qp*Pm */
+ MPI_ECP_SQR(&S->Z, &S->Z); /* (Qm*Pp - Qp*Pm)^2 */
+ MPI_ECP_MUL(&S->Z, d, &S->Z); /* d * ( Qm*Pp - Qp*Pm )^2 */
+ MPI_ECP_MUL(&R->Z, &T[0], &R->Z); /* [A*(Pp^2-Pm^2)+Pm^2]*(Pp^2-Pm^2) */
+
+cleanup:
+
+ return ret;
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) */
+}
+
+/*
+ * Multiplication with Montgomery ladder in x/z coordinates,
+ * for curves in Montgomery form
+ */
+static int ecp_mul_mxz(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ unsigned char b;
+ mbedtls_ecp_point RP;
+ mbedtls_mpi PX;
+ mbedtls_mpi tmp[4];
+ mbedtls_ecp_point_init(&RP); mbedtls_mpi_init(&PX);
+
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Save PX and read from P before writing to R, in case P == R */
+ MPI_ECP_MOV(&PX, &P->X);
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(&RP, P));
+
+ /* Set R to zero in modified x/z coordinates */
+ MPI_ECP_LSET(&R->X, 1);
+ MPI_ECP_LSET(&R->Z, 0);
+ mbedtls_mpi_free(&R->Y);
+
+ /* RP.X might be slightly larger than P, so reduce it */
+ MOD_ADD(&RP.X);
+
+ /* Randomize coordinates of the starting point */
+ MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, &RP, f_rng, p_rng));
+
+ /* Loop invariant: R = result so far, RP = R + P */
+ i = grp->nbits + 1; /* one past the (zero-based) required msb for private keys */
+ while (i-- > 0) {
+ b = mbedtls_mpi_get_bit(m, i);
+ /*
+ * if (b) R = 2R + P else R = 2R,
+ * which is:
+ * if (b) double_add( RP, R, RP, R )
+ * else double_add( R, RP, R, RP )
+ * but using safe conditional swaps to avoid leaks
+ */
+ MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
+ MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
+ MBEDTLS_MPI_CHK(ecp_double_add_mxz(grp, R, &RP, R, &RP, &PX, tmp));
+ MPI_ECP_COND_SWAP(&R->X, &RP.X, b);
+ MPI_ECP_COND_SWAP(&R->Z, &RP.Z, b);
+ }
+
+ /*
+ * Knowledge of the projective coordinates may leak the last few bits of the
+ * scalar [1], and since our MPI implementation isn't constant-flow,
+ * inversion (used for coordinate normalization) may leak the full value
+ * of its input via side-channels [2].
+ *
+ * [1] https://eprint.iacr.org/2003/191
+ * [2] https://eprint.iacr.org/2020/055
+ *
+ * Avoid the leak by randomizing coordinates before we normalize them.
+ */
+ MBEDTLS_MPI_CHK(ecp_randomize_mxz(grp, R, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(ecp_normalize_mxz(grp, R));
+
+cleanup:
+ mbedtls_ecp_point_free(&RP); mbedtls_mpi_free(&PX);
+
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+ return ret;
+}
+
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+/*
+ * Restartable multiplication R = m * P
+ *
+ * This internal function can be called without an RNG in case where we know
+ * the inputs are not sensitive.
+ */
+static int ecp_mul_restartable_internal(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+ char is_grp_capable = 0;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ /* reset ops count for this call if top-level */
+ if (rs_ctx != NULL && rs_ctx->depth++ == 0) {
+ rs_ctx->ops_done = 0;
+ }
+#else
+ (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+ if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
+ MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
+ }
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+ int restarting = 0;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ restarting = (rs_ctx != NULL && rs_ctx->rsm != NULL);
+#endif
+ /* skip argument check when restarting */
+ if (!restarting) {
+ /* check_privkey is free */
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_CHK);
+
+ /* Common sanity checks */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(grp, m));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
+ }
+
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ MBEDTLS_MPI_CHK(ecp_mul_mxz(grp, R, m, P, f_rng, p_rng));
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ MBEDTLS_MPI_CHK(ecp_mul_comb(grp, R, m, P, f_rng, p_rng, rs_ctx));
+ }
+#endif
+
+cleanup:
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+ if (is_grp_capable) {
+ mbedtls_internal_ecp_free(grp);
+ }
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL) {
+ rs_ctx->depth--;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Restartable multiplication R = m * P
+ */
+int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mul_restartable_internal(grp, R, m, P, f_rng, p_rng, rs_ctx);
+}
+
+/*
+ * Multiplication R = m * P
+ */
+int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ return mbedtls_ecp_mul_restartable(grp, R, m, P, f_rng, p_rng, NULL);
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+/*
+ * Check that an affine point is valid as a public key,
+ * short weierstrass curves (SEC1 3.2.3.1)
+ */
+static int ecp_check_pubkey_sw(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi YY, RHS;
+
+ /* pt coordinates must be normalized for our checks */
+ if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0 ||
+ mbedtls_mpi_cmp_int(&pt->Y, 0) < 0 ||
+ mbedtls_mpi_cmp_mpi(&pt->X, &grp->P) >= 0 ||
+ mbedtls_mpi_cmp_mpi(&pt->Y, &grp->P) >= 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ mbedtls_mpi_init(&YY); mbedtls_mpi_init(&RHS);
+
+ /*
+ * YY = Y^2
+ * RHS = X^3 + A X + B
+ */
+ MPI_ECP_SQR(&YY, &pt->Y);
+ MBEDTLS_MPI_CHK(ecp_sw_rhs(grp, &RHS, &pt->X));
+
+ if (MPI_ECP_CMP(&YY, &RHS) != 0) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&YY); mbedtls_mpi_free(&RHS);
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+/*
+ * R = m * P with shortcuts for m == 0, m == 1 and m == -1
+ * NOT constant-time - ONLY for short Weierstrass!
+ */
+static int mbedtls_ecp_mul_shortcuts(mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R,
+ const mbedtls_mpi *m,
+ const mbedtls_ecp_point *P,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi tmp;
+ mbedtls_mpi_init(&tmp);
+
+ if (mbedtls_mpi_cmp_int(m, 0) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_set_zero(R));
+ } else if (mbedtls_mpi_cmp_int(m, 1) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
+ } else if (mbedtls_mpi_cmp_int(m, -1) == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_pubkey(grp, P));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, P));
+ MPI_ECP_NEG(&R->Y);
+ } else {
+ MBEDTLS_MPI_CHK(ecp_mul_restartable_internal(grp, R, m, P,
+ NULL, NULL, rs_ctx));
+ }
+
+cleanup:
+ mbedtls_mpi_free(&tmp);
+
+ return ret;
+}
+
+/*
+ * Restartable linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd_restartable(
+ mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+ mbedtls_ecp_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point mP;
+ mbedtls_ecp_point *pmP = &mP;
+ mbedtls_ecp_point *pR = R;
+ mbedtls_mpi tmp[4];
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+ char is_grp_capable = 0;
+#endif
+ if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ mbedtls_ecp_point_init(&mP);
+ mpi_init_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+ ECP_RS_ENTER(ma);
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ /* redirect intermediate results to restart context */
+ pmP = &rs_ctx->ma->mP;
+ pR = &rs_ctx->ma->R;
+
+ /* jump to next operation */
+ if (rs_ctx->ma->state == ecp_rsma_mul2) {
+ goto mul2;
+ }
+ if (rs_ctx->ma->state == ecp_rsma_add) {
+ goto add;
+ }
+ if (rs_ctx->ma->state == ecp_rsma_norm) {
+ goto norm;
+ }
+ }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pmP, m, P, rs_ctx));
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ rs_ctx->ma->state = ecp_rsma_mul2;
+ }
+
+mul2:
+#endif
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul_shortcuts(grp, pR, n, Q, rs_ctx));
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+ if ((is_grp_capable = mbedtls_internal_ecp_grp_capable(grp))) {
+ MBEDTLS_MPI_CHK(mbedtls_internal_ecp_init(grp));
+ }
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ rs_ctx->ma->state = ecp_rsma_add;
+ }
+
+add:
+#endif
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_ADD);
+ MBEDTLS_MPI_CHK(ecp_add_mixed(grp, pR, pmP, pR, tmp));
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ rs_ctx->ma->state = ecp_rsma_norm;
+ }
+
+norm:
+#endif
+ MBEDTLS_ECP_BUDGET(MBEDTLS_ECP_OPS_INV);
+ MBEDTLS_MPI_CHK(ecp_normalize_jac(grp, pR));
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && rs_ctx->ma != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_copy(R, pR));
+ }
+#endif
+
+cleanup:
+
+ mpi_free_many(tmp, sizeof(tmp) / sizeof(mbedtls_mpi));
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+ if (is_grp_capable) {
+ mbedtls_internal_ecp_free(grp);
+ }
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+ mbedtls_ecp_point_free(&mP);
+
+ ECP_RS_LEAVE(ma);
+
+ return ret;
+}
+
+/*
+ * Linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ const mbedtls_mpi *n, const mbedtls_ecp_point *Q)
+{
+ return mbedtls_ecp_muladd_restartable(grp, R, m, P, n, Q, NULL);
+}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
+#define ECP_MPI_INIT_ARRAY(x) \
+ ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
+/*
+ * Constants for the two points other than 0, 1, -1 (mod p) in
+ * https://cr.yp.to/ecdh.html#validate
+ * See ecp_check_pubkey_x25519().
+ */
+static const mbedtls_mpi_uint x25519_bad_point_1[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00),
+};
+static const mbedtls_mpi_uint x25519_bad_point_2[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57),
+};
+static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
+ x25519_bad_point_1);
+static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
+ x25519_bad_point_2);
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+/*
+ * Check that the input point is not one of the low-order points.
+ * This is recommended by the "May the Fourth" paper:
+ * https://eprint.iacr.org/2017/806.pdf
+ * Those points are never sent by an honest peer.
+ */
+static int ecp_check_bad_points_mx(const mbedtls_mpi *X, const mbedtls_mpi *P,
+ const mbedtls_ecp_group_id grp_id)
+{
+ int ret;
+ mbedtls_mpi XmP;
+
+ mbedtls_mpi_init(&XmP);
+
+ /* Reduce X mod P so that we only need to check values less than P.
+ * We know X < 2^256 so we can proceed by subtraction. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&XmP, X));
+ while (mbedtls_mpi_cmp_mpi(&XmP, P) >= 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&XmP, &XmP, P));
+ }
+
+ /* Check against the known bad values that are less than P. For Curve448
+ * these are 0, 1 and -1. For Curve25519 we check the values less than P
+ * from the following list: https://cr.yp.to/ecdh.html#validate */
+ if (mbedtls_mpi_cmp_int(&XmP, 1) <= 0) { /* takes care of 0 and 1 */
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
+ if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_1) == 0) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&XmP, &ecp_x25519_bad_point_2) == 0) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+ }
+#else
+ (void) grp_id;
+#endif
+
+ /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&XmP, &XmP, 1));
+ if (mbedtls_mpi_cmp_mpi(&XmP, P) == 0) {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ mbedtls_mpi_free(&XmP);
+
+ return ret;
+}
+
+/*
+ * Check validity of a public key for Montgomery curves with x-only schemes
+ */
+static int ecp_check_pubkey_mx(const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt)
+{
+ /* [Curve25519 p. 5] Just check X is the correct number of bytes */
+ /* Allow any public value, if it's too big then we'll just reduce it mod p
+ * (RFC 7748 sec. 5 para. 3). */
+ if (mbedtls_mpi_size(&pt->X) > (grp->nbits + 7) / 8) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ /* Implicit in all standards (as they don't consider negative numbers):
+ * X must be non-negative. This is normally ensured by the way it's
+ * encoded for transmission, but let's be extra sure. */
+ if (mbedtls_mpi_cmp_int(&pt->X, 0) < 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ return ecp_check_bad_points_mx(&pt->X, &grp->P, grp->id);
+}
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+/*
+ * Check that a point is valid as a public key
+ */
+int mbedtls_ecp_check_pubkey(const mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *pt)
+{
+ /* Must use affine coordinates */
+ if (mbedtls_mpi_cmp_int(&pt->Z, 1) != 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ return ecp_check_pubkey_mx(grp, pt);
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ return ecp_check_pubkey_sw(grp, pt);
+ }
+#endif
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+}
+
+/*
+ * Check that an mbedtls_mpi is valid as a private key
+ */
+int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *d)
+{
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ /* see RFC 7748 sec. 5 para. 5 */
+ if (mbedtls_mpi_get_bit(d, 0) != 0 ||
+ mbedtls_mpi_get_bit(d, 1) != 0 ||
+ mbedtls_mpi_bitlen(d) - 1 != grp->nbits) { /* mbedtls_mpi_bitlen is one-based! */
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ /* see [Curve25519] page 5 */
+ if (grp->nbits == 254 && mbedtls_mpi_get_bit(d, 2) != 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ return 0;
+ }
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ /* see SEC1 3.2 */
+ if (mbedtls_mpi_cmp_int(d, 1) < 0 ||
+ mbedtls_mpi_cmp_mpi(d, &grp->N) >= 0) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ } else {
+ return 0;
+ }
+ }
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+}
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_gen_privkey_mx(size_t high_bit,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ size_t n_random_bytes = high_bit / 8 + 1;
+
+ /* [Curve25519] page 5 */
+ /* Generate a (high_bit+1)-bit random number by generating just enough
+ * random bytes, then shifting out extra bits from the top (necessary
+ * when (high_bit+1) is not a multiple of 8). */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(d, n_random_bytes,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(d, 8 * n_random_bytes - high_bit - 1));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, high_bit, 1));
+
+ /* Make sure the last two bits are unset for Curve448, three bits for
+ Curve25519 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 0, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 1, 0));
+ if (high_bit == 254) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(d, 2, 0));
+ }
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+static int mbedtls_ecp_gen_privkey_sw(
+ const mbedtls_mpi *N, mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = mbedtls_mpi_random(d, 1, N, f_rng, p_rng);
+ switch (ret) {
+ case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
+ return MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ default:
+ return ret;
+ }
+}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+/*
+ * Generate a private key
+ */
+int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ return mbedtls_ecp_gen_privkey_mx(grp->nbits, d, f_rng, p_rng);
+ }
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ return mbedtls_ecp_gen_privkey_sw(&grp->N, d, f_rng, p_rng);
+ }
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+}
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Generate a keypair with configurable base point
+ */
+int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *G,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_MPI_CHK(mbedtls_ecp_gen_privkey(grp, d, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, Q, d, G, f_rng, p_rng));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Generate key pair, wrapper for conventional base point
+ */
+int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return mbedtls_ecp_gen_keypair_base(grp, &grp->G, d, Q, f_rng, p_rng);
+}
+
+/*
+ * Generate a keypair, prettier wrapper
+ */
+int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
+ return ret;
+ }
+
+ return mbedtls_ecp_gen_keypair(&key->grp, &key->d, &key->Q, f_rng, p_rng);
+}
+#endif /* MBEDTLS_ECP_C */
+
+int mbedtls_ecp_set_public_key(mbedtls_ecp_group_id grp_id,
+ mbedtls_ecp_keypair *key,
+ const mbedtls_ecp_point *Q)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (key->grp.id == MBEDTLS_ECP_DP_NONE) {
+ /* Group not set yet */
+ if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
+ return ret;
+ }
+ } else if (key->grp.id != grp_id) {
+ /* Group mismatch */
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ return mbedtls_ecp_copy(&key->Q, Q);
+}
+
+
+#define ECP_CURVE25519_KEY_SIZE 32
+#define ECP_CURVE448_KEY_SIZE 56
+/*
+ * Read a private key.
+ */
+int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+ const unsigned char *buf, size_t buflen)
+{
+ int ret = 0;
+
+ if ((ret = mbedtls_ecp_group_load(&key->grp, grp_id)) != 0) {
+ return ret;
+ }
+
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ /*
+ * Mask the key as mandated by RFC7748 for Curve25519 and Curve448.
+ */
+ if (grp_id == MBEDTLS_ECP_DP_CURVE25519) {
+ if (buflen != ECP_CURVE25519_KEY_SIZE) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
+
+ /* Set the three least significant bits to 0 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 2, 0));
+
+ /* Set the most significant bit to 0 */
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_set_bit(&key->d,
+ ECP_CURVE25519_KEY_SIZE * 8 - 1, 0)
+ );
+
+ /* Set the second most significant bit to 1 */
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_set_bit(&key->d,
+ ECP_CURVE25519_KEY_SIZE * 8 - 2, 1)
+ );
+ } else if (grp_id == MBEDTLS_ECP_DP_CURVE448) {
+ if (buflen != ECP_CURVE448_KEY_SIZE) {
+ return MBEDTLS_ERR_ECP_INVALID_KEY;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary_le(&key->d, buf, buflen));
+
+ /* Set the two least significant bits to 0 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 0, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&key->d, 1, 0));
+
+ /* Set the most significant bit to 1 */
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_set_bit(&key->d,
+ ECP_CURVE448_KEY_SIZE * 8 - 1, 1)
+ );
+ }
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&key->d, buf, buflen));
+ }
+#endif
+
+ if (ret == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(&key->grp, &key->d));
+ }
+
+cleanup:
+
+ if (ret != 0) {
+ mbedtls_mpi_free(&key->d);
+ }
+
+ return ret;
+}
+
+/*
+ * Write a private key.
+ */
+#if !defined MBEDTLS_DEPRECATED_REMOVED
+int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
+ unsigned char *buf, size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ if (key->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
+ if (buflen < ECP_CURVE25519_KEY_SIZE) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+
+ } else if (key->grp.id == MBEDTLS_ECP_DP_CURVE448) {
+ if (buflen < ECP_CURVE448_KEY_SIZE) {
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+ }
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary_le(&key->d, buf, buflen));
+ }
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&key->d, buf, buflen));
+ }
+
+#endif
+cleanup:
+
+ return ret;
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+int mbedtls_ecp_write_key_ext(const mbedtls_ecp_keypair *key,
+ size_t *olen, unsigned char *buf, size_t buflen)
+{
+ size_t len = (key->grp.nbits + 7) / 8;
+ if (len > buflen) {
+ /* For robustness, ensure *olen <= buflen even on error. */
+ *olen = 0;
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ }
+ *olen = len;
+
+ /* Private key not set */
+ if (key->d.n == 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ return mbedtls_mpi_write_binary_le(&key->d, buf, len);
+ }
+#endif
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ return mbedtls_mpi_write_binary(&key->d, buf, len);
+ }
+#endif
+
+ /* Private key set but no recognized curve type? This shouldn't happen. */
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+}
+
+/*
+ * Write a public key.
+ */
+int mbedtls_ecp_write_public_key(const mbedtls_ecp_keypair *key,
+ int format, size_t *olen,
+ unsigned char *buf, size_t buflen)
+{
+ return mbedtls_ecp_point_write_binary(&key->grp, &key->Q,
+ format, olen, buf, buflen);
+}
+
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Check a public-private key pair
+ */
+int mbedtls_ecp_check_pub_priv(
+ const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_point Q;
+ mbedtls_ecp_group grp;
+ if (pub->grp.id == MBEDTLS_ECP_DP_NONE ||
+ pub->grp.id != prv->grp.id ||
+ mbedtls_mpi_cmp_mpi(&pub->Q.X, &prv->Q.X) ||
+ mbedtls_mpi_cmp_mpi(&pub->Q.Y, &prv->Q.Y) ||
+ mbedtls_mpi_cmp_mpi(&pub->Q.Z, &prv->Q.Z)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ mbedtls_ecp_point_init(&Q);
+ mbedtls_ecp_group_init(&grp);
+
+ /* mbedtls_ecp_mul() needs a non-const group... */
+ mbedtls_ecp_group_copy(&grp, &prv->grp);
+
+ /* Also checks d is valid */
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &Q, &prv->d, &prv->grp.G, f_rng, p_rng));
+
+ if (mbedtls_mpi_cmp_mpi(&Q.X, &prv->Q.X) ||
+ mbedtls_mpi_cmp_mpi(&Q.Y, &prv->Q.Y) ||
+ mbedtls_mpi_cmp_mpi(&Q.Z, &prv->Q.Z)) {
+ ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_ecp_point_free(&Q);
+ mbedtls_ecp_group_free(&grp);
+
+ return ret;
+}
+
+int mbedtls_ecp_keypair_calc_public(mbedtls_ecp_keypair *key,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return mbedtls_ecp_mul(&key->grp, &key->Q, &key->d, &key->grp.G,
+ f_rng, p_rng);
+}
+#endif /* MBEDTLS_ECP_C */
+
+mbedtls_ecp_group_id mbedtls_ecp_keypair_get_group_id(
+ const mbedtls_ecp_keypair *key)
+{
+ return key->grp.id;
+}
+
+/*
+ * Export generic key-pair parameters.
+ */
+int mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (grp != NULL && (ret = mbedtls_ecp_group_copy(grp, &key->grp)) != 0) {
+ return ret;
+ }
+
+ if (d != NULL && (ret = mbedtls_mpi_copy(d, &key->d)) != 0) {
+ return ret;
+ }
+
+ if (Q != NULL && (ret = mbedtls_ecp_copy(Q, &key->Q)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * PRNG for test - !!!INSECURE NEVER USE IN PRODUCTION!!!
+ *
+ * This is the linear congruential generator from numerical recipes,
+ * except we only use the low byte as the output. See
+ * https://en.wikipedia.org/wiki/Linear_congruential_generator#Parameters_in_common_use
+ */
+static int self_test_rng(void *ctx, unsigned char *out, size_t len)
+{
+ static uint32_t state = 42;
+
+ (void) ctx;
+
+ for (size_t i = 0; i < len; i++) {
+ state = state * 1664525u + 1013904223u;
+ out[i] = (unsigned char) state;
+ }
+
+ return 0;
+}
+
+/* Adjust the exponent to be a valid private point for the specified curve.
+ * This is sometimes necessary because we use a single set of exponents
+ * for all curves but the validity of values depends on the curve. */
+static int self_test_adjust_exponent(const mbedtls_ecp_group *grp,
+ mbedtls_mpi *m)
+{
+ int ret = 0;
+ switch (grp->id) {
+ /* If Curve25519 is available, then that's what we use for the
+ * Montgomery test, so we don't need the adjustment code. */
+#if !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ /* Move highest bit from 254 to N-1. Setting bit N-1 is
+ * necessary to enforce the highest-bit-set constraint. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, 254, 0));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(m, grp->nbits, 1));
+ /* Copy second-highest bit from 253 to N-2. This is not
+ * necessary but improves the test variety a bit. */
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_set_bit(m, grp->nbits - 1,
+ mbedtls_mpi_get_bit(m, 253)));
+ break;
+#endif
+#endif /* ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) */
+ default:
+ /* Non-Montgomery curves and Curve25519 need no adjustment. */
+ (void) grp;
+ (void) m;
+ goto cleanup;
+ }
+cleanup:
+ return ret;
+}
+
+/* Calculate R = m.P for each m in exponents. Check that the number of
+ * basic operations doesn't depend on the value of m. */
+static int self_test_point(int verbose,
+ mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R,
+ mbedtls_mpi *m,
+ const mbedtls_ecp_point *P,
+ const char *const *exponents,
+ size_t n_exponents)
+{
+ int ret = 0;
+ size_t i = 0;
+ unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
+ add_count = 0;
+ dbl_count = 0;
+ mul_count = 0;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[0]));
+ MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
+
+ for (i = 1; i < n_exponents; i++) {
+ add_c_prev = add_count;
+ dbl_c_prev = dbl_count;
+ mul_c_prev = mul_count;
+ add_count = 0;
+ dbl_count = 0;
+ mul_count = 0;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(m, 16, exponents[i]));
+ MBEDTLS_MPI_CHK(self_test_adjust_exponent(grp, m));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(grp, R, m, P, self_test_rng, NULL));
+
+ if (add_count != add_c_prev ||
+ dbl_count != dbl_c_prev ||
+ mul_count != mul_c_prev) {
+ ret = 1;
+ break;
+ }
+ }
+
+cleanup:
+ if (verbose != 0) {
+ if (ret != 0) {
+ mbedtls_printf("failed (%u)\n", (unsigned int) i);
+ } else {
+ mbedtls_printf("passed\n");
+ }
+ }
+ return ret;
+}
+#endif /* MBEDTLS_ECP_C */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecp_self_test(int verbose)
+{
+#if defined(MBEDTLS_ECP_C)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group grp;
+ mbedtls_ecp_point R, P;
+ mbedtls_mpi m;
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ /* Exponents especially adapted for secp192k1, which has the lowest
+ * order n of all supported curves (secp192r1 is in a slightly larger
+ * field but the order of its base point is slightly smaller). */
+ const char *sw_exponents[] =
+ {
+ "000000000000000000000000000000000000000000000001", /* one */
+ "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8C", /* n - 1 */
+ "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
+ "400000000000000000000000000000000000000000000000", /* one and zeros */
+ "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
+ "555555555555555555555555555555555555555555555555", /* 101010... */
+ };
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ const char *m_exponents[] =
+ {
+ /* Valid private values for Curve25519. In a build with Curve448
+ * but not Curve25519, they will be adjusted in
+ * self_test_adjust_exponent(). */
+ "4000000000000000000000000000000000000000000000000000000000000000",
+ "5C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C30",
+ "5715ECCE24583F7A7023C24164390586842E816D7280A49EF6DF4EAE6B280BF8",
+ "41A2B017516F6D254E1F002BCCBADD54BE30F8CEC737A0E912B4963B6BA74460",
+ "5555555555555555555555555555555555555555555555555555555555555550",
+ "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8",
+ };
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+ mbedtls_ecp_group_init(&grp);
+ mbedtls_ecp_point_init(&R);
+ mbedtls_ecp_point_init(&P);
+ mbedtls_mpi_init(&m);
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ /* Use secp192r1 if available, or any available curve */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP192R1));
+#else
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, mbedtls_ecp_curve_list()->grp_id));
+#endif
+
+ if (verbose != 0) {
+ mbedtls_printf(" ECP SW test #1 (constant op_count, base point G): ");
+ }
+ /* Do a dummy multiplication first to trigger precomputation */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&m, 2));
+ MBEDTLS_MPI_CHK(mbedtls_ecp_mul(&grp, &P, &m, &grp.G, self_test_rng, NULL));
+ ret = self_test_point(verbose,
+ &grp, &R, &m, &grp.G,
+ sw_exponents,
+ sizeof(sw_exponents) / sizeof(sw_exponents[0]));
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" ECP SW test #2 (constant op_count, other point): ");
+ }
+ /* We computed P = 2G last time, use it */
+ ret = self_test_point(verbose,
+ &grp, &R, &m, &P,
+ sw_exponents,
+ sizeof(sw_exponents) / sizeof(sw_exponents[0]));
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&R);
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if (verbose != 0) {
+ mbedtls_printf(" ECP Montgomery test (constant op_count): ");
+ }
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE25519));
+#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_CURVE448));
+#else
+#error "MBEDTLS_ECP_MONTGOMERY_ENABLED is defined, but no curve is supported for self-test"
+#endif
+ ret = self_test_point(verbose,
+ &grp, &R, &m, &grp.G,
+ m_exponents,
+ sizeof(m_exponents) / sizeof(m_exponents[0]));
+ if (ret != 0) {
+ goto cleanup;
+ }
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+cleanup:
+
+ if (ret < 0 && verbose != 0) {
+ mbedtls_printf("Unexpected error, return code = %08X\n", (unsigned int) ret);
+ }
+
+ mbedtls_ecp_group_free(&grp);
+ mbedtls_ecp_point_free(&R);
+ mbedtls_ecp_point_free(&P);
+ mbedtls_mpi_free(&m);
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return ret;
+#else /* MBEDTLS_ECP_C */
+ (void) verbose;
+ return 0;
+#endif /* MBEDTLS_ECP_C */
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_ECP_ALT */
+
+#endif /* MBEDTLS_ECP_LIGHT */
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
new file mode 100644
index 0000000..c3cd33f
--- /dev/null
+++ b/library/ecp_curves.c
@@ -0,0 +1,5460 @@
+/*
+ * Elliptic curves over GF(p): curve-specific data and functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
+
+#if defined(MBEDTLS_ECP_LIGHT)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "bn_mul.h"
+#include "bignum_core.h"
+#include "ecp_invasive.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECP_ALT)
+
+#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
+
+#define ECP_MPI_INIT_ARRAY(x) \
+ ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
+
+#define ECP_POINT_INIT_XY_Z0(x, y) { \
+ ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(NULL, 0) }
+#define ECP_POINT_INIT_XY_Z1(x, y) { \
+ ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(mpi_one, 1) }
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/* For these curves, we build the group parameters dynamically. */
+#define ECP_LOAD_GROUP
+static const mbedtls_mpi_uint mpi_one[] = { 1 };
+#endif
+
+/*
+ * Note: the constants are in little-endian order
+ * to be directly usable in MPIs
+ */
+
+/*
+ * Domain parameters for secp192r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static const mbedtls_mpi_uint secp192r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp192r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64),
+};
+static const mbedtls_mpi_uint secp192r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
+};
+static const mbedtls_mpi_uint secp192r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
+};
+static const mbedtls_mpi_uint secp192r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp192r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
+};
+static const mbedtls_mpi_uint secp192r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
+};
+static const mbedtls_mpi_uint secp192r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x9E, 0xE3, 0x60, 0x59, 0xD1, 0xC4, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBD, 0x22, 0xD7, 0x2D, 0x07, 0xBD, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x2A, 0xCF, 0x33, 0xF0, 0xBE, 0xD1, 0xED),
+};
+static const mbedtls_mpi_uint secp192r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x71, 0x4B, 0xA8, 0xED, 0x7E, 0xC9, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x2A, 0xF6, 0xDF, 0x0E, 0xE8, 0x4C, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x35, 0xF7, 0x8A, 0xC3, 0xEC, 0xDE, 0x1E),
+};
+static const mbedtls_mpi_uint secp192r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0xC2, 0x1D, 0x32, 0x8F, 0x10, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x2D, 0x17, 0xF3, 0xE4, 0xFE, 0xD8, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x45, 0x10, 0x70, 0x2C, 0x3E, 0x52, 0x3E),
+};
+static const mbedtls_mpi_uint secp192r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF1, 0x04, 0x5D, 0xEE, 0xD4, 0x56, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xB7, 0x38, 0x27, 0x61, 0xAA, 0x81, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0xD7, 0x0E, 0x29, 0x0E, 0x11, 0x14),
+};
+static const mbedtls_mpi_uint secp192r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x35, 0x52, 0xC6, 0x31, 0xB7, 0x27, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xD4, 0x15, 0x98, 0x0F, 0xE7, 0xF3, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x31, 0x70, 0x35, 0x09, 0xA0, 0x2B, 0xC2),
+};
+static const mbedtls_mpi_uint secp192r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x75, 0xA7, 0x4C, 0x88, 0xCF, 0x5B, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x17, 0x48, 0x8D, 0xF2, 0xF0, 0x86, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCF, 0xFE, 0x6B, 0xB0, 0xA5, 0x06, 0xAB),
+};
+static const mbedtls_mpi_uint secp192r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x6A, 0xDC, 0x9A, 0x6D, 0x7B, 0x47, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xFC, 0x51, 0x12, 0x62, 0x66, 0x0B, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x40, 0x93, 0xA0, 0xB5, 0x5A, 0x58, 0xD7),
+};
+static const mbedtls_mpi_uint secp192r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCB, 0xAF, 0xDC, 0x0B, 0xA1, 0x26, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x36, 0x9D, 0xA3, 0xD7, 0x3B, 0xAD, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x3B, 0x05, 0x9A, 0xA8, 0xAA, 0x69, 0xB2),
+};
+static const mbedtls_mpi_uint secp192r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD9, 0xD1, 0x4D, 0x4A, 0x6E, 0x96, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x66, 0x32, 0x39, 0xC6, 0x57, 0x7D, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xA0, 0x36, 0xC2, 0x45, 0xF9, 0x00, 0x62),
+};
+static const mbedtls_mpi_uint secp192r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xEF, 0x59, 0x46, 0xDC, 0x60, 0xD9, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xB0, 0xE9, 0x41, 0xA4, 0x87, 0x76, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xD4, 0x0E, 0xB2, 0xFA, 0x16, 0x56, 0xDC),
+};
+static const mbedtls_mpi_uint secp192r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x62, 0xD2, 0xB1, 0x34, 0xB2, 0xF1, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xED, 0x55, 0xC5, 0x47, 0xB5, 0x07, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF6, 0x2F, 0x94, 0xC3, 0xDD, 0x54, 0x2F),
+};
+static const mbedtls_mpi_uint secp192r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xA6, 0xD4, 0x8C, 0xA9, 0xCE, 0x4D, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x4B, 0x46, 0xCC, 0xB2, 0x55, 0xC8, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x31, 0xED, 0x89, 0x65, 0x59, 0x55),
+};
+static const mbedtls_mpi_uint secp192r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x0A, 0xD1, 0x1A, 0xC5, 0xF6, 0xEA, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xFC, 0x0C, 0x1A, 0xFB, 0xA0, 0xC8, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xFD, 0x53, 0x6F, 0x6D, 0xBF, 0xBA, 0xAF),
+};
+static const mbedtls_mpi_uint secp192r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xB0, 0x7D, 0x83, 0x96, 0xE3, 0xCB, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x6E, 0x55, 0x2C, 0x20, 0x53, 0x2F, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x66, 0x00, 0x17, 0x08, 0xFE, 0xAC, 0x31),
+};
+static const mbedtls_mpi_uint secp192r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x12, 0x97, 0x3A, 0xC7, 0x57, 0x45, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x25, 0x99, 0x00, 0xF6, 0x97, 0xB4, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x74, 0xE6, 0xE6, 0xA3, 0xDF, 0x9C, 0xCC),
+};
+static const mbedtls_mpi_uint secp192r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xF4, 0x76, 0xD5, 0x5F, 0x2A, 0xFD, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x80, 0x7E, 0x3E, 0xE5, 0xE8, 0xD6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xAD, 0x1E, 0x70, 0x79, 0x3E, 0x3D, 0x83),
+};
+static const mbedtls_mpi_uint secp192r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x15, 0xBB, 0xB3, 0x42, 0x6A, 0xA1, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x58, 0xCB, 0x43, 0x25, 0x00, 0x14, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x4E, 0x93, 0x11, 0xE0, 0x32, 0x54, 0x98),
+};
+static const mbedtls_mpi_uint secp192r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x52, 0xA2, 0xB4, 0x57, 0x32, 0xB9, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x43, 0xA1, 0xB1, 0xFB, 0x01, 0xE1, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xFB, 0x5A, 0x11, 0xB8, 0xC2, 0x03, 0xE5),
+};
+static const mbedtls_mpi_uint secp192r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x2B, 0x71, 0x26, 0x4E, 0x7C, 0xC5, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF5, 0xD3, 0xA8, 0xE4, 0x95, 0x48, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAE, 0xD9, 0x5D, 0x9F, 0x6A, 0x22, 0xAD),
+};
+static const mbedtls_mpi_uint secp192r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xCC, 0xA3, 0x4D, 0xA0, 0x1C, 0x34, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x3C, 0x62, 0xF8, 0x5E, 0xA6, 0x58, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x6E, 0x66, 0x8A, 0x3D, 0x17, 0xFF, 0x0F),
+};
+static const mbedtls_mpi_uint secp192r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xCD, 0xA8, 0xDD, 0xD1, 0x20, 0x5C, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xFE, 0x17, 0xE2, 0xCF, 0xEA, 0x63, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x51, 0xC9, 0x16, 0xDE, 0xB4, 0xB2, 0xDD),
+};
+static const mbedtls_mpi_uint secp192r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBE, 0x12, 0xD7, 0xA3, 0x0A, 0x50, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x87, 0xC5, 0x8A, 0x76, 0x57, 0x07, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x1F, 0xC6, 0x1B, 0x66, 0xC4, 0x3D, 0x8A),
+};
+static const mbedtls_mpi_uint secp192r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xA4, 0x85, 0x13, 0x8F, 0xA7, 0x35, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x0D, 0xFD, 0xFF, 0x1B, 0xD1, 0xD6, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x7A, 0xD0, 0xC3, 0xB4, 0xEF, 0x39, 0x66),
+};
+static const mbedtls_mpi_uint secp192r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xFE, 0xA5, 0x9C, 0x34, 0x30, 0x49, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xC5, 0x39, 0x26, 0x06, 0xE3, 0x01, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x2B, 0x66, 0xFC, 0x95, 0x5F, 0x35, 0xF7),
+};
+static const mbedtls_mpi_uint secp192r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xCF, 0x54, 0x63, 0x99, 0x57, 0x05, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x6F, 0x00, 0x5F, 0x65, 0x08, 0x47, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x2A, 0x90, 0x6D, 0x67, 0xC6, 0xBC, 0x45),
+};
+static const mbedtls_mpi_uint secp192r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x4D, 0x88, 0x0A, 0x35, 0x9E, 0x33, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x17, 0x0C, 0xF8, 0xE1, 0x7A, 0x49, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x44, 0x06, 0x8F, 0x0B, 0x70, 0x2F, 0x71),
+};
+static const mbedtls_mpi_uint secp192r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4B, 0xCB, 0xF9, 0x8E, 0x6A, 0xDA, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x43, 0xA1, 0x3F, 0xCE, 0x17, 0xD2, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x0D, 0xD2, 0x6C, 0x82, 0x37, 0xE5, 0xFC),
+};
+static const mbedtls_mpi_uint secp192r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x3C, 0xF4, 0x92, 0xB4, 0x8A, 0x95, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x96, 0xF1, 0x0A, 0x34, 0x2F, 0x74, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0xAA, 0xBA, 0x86, 0x77, 0x4F, 0xA2),
+};
+static const mbedtls_mpi_uint secp192r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x7F, 0xEF, 0x60, 0x50, 0x80, 0xD7, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xAC, 0xC9, 0xFE, 0xEC, 0x0A, 0x1A, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x2F, 0xBE, 0x91, 0xD7, 0xB7, 0x38, 0x48),
+};
+static const mbedtls_mpi_uint secp192r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xAE, 0x85, 0x98, 0xFE, 0x05, 0x7F, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBE, 0xFD, 0x11, 0x31, 0x3D, 0x14, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x75, 0xE8, 0x30, 0x01, 0xCB, 0x9B, 0x1C),
+};
+static const mbedtls_ecp_point secp192r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp192r1_T_0_X, secp192r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_1_X, secp192r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_2_X, secp192r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_3_X, secp192r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_4_X, secp192r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_5_X, secp192r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_6_X, secp192r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_7_X, secp192r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_8_X, secp192r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_9_X, secp192r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_10_X, secp192r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_11_X, secp192r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_12_X, secp192r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_13_X, secp192r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_14_X, secp192r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_15_X, secp192r1_T_15_Y),
+};
+#else
+#define secp192r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+/*
+ * Domain parameters for secp224r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static const mbedtls_mpi_uint secp224r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x85, 0x0A, 0x05, 0xB4),
+};
+static const mbedtls_mpi_uint secp224r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xBD, 0x0C, 0x0E, 0xB7),
+};
+static const mbedtls_mpi_uint secp224r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x88, 0x63, 0x37, 0xBD),
+};
+static const mbedtls_mpi_uint secp224r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp224r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x0C, 0x0E, 0xB7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x63, 0x37, 0xBD, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF9, 0xB8, 0xD0, 0x3D, 0xD2, 0xD3, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xFD, 0x99, 0x26, 0x19, 0xFE, 0x13, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x0E, 0x4C, 0x48, 0x7C, 0xA2, 0x17, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA3, 0x13, 0x57, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x16, 0x5C, 0x8F, 0xAA, 0xED, 0x0F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xC5, 0x43, 0x34, 0x93, 0x05, 0x2A, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE3, 0x6C, 0xCA, 0xC6, 0x14, 0xC2, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x43, 0x6C, 0xD7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x5A, 0x98, 0x1E, 0xC8, 0xA5, 0x42, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x49, 0x56, 0x78, 0xF8, 0xEF, 0xED, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xBB, 0x64, 0xB6, 0x4C, 0x54, 0x5F, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x0C, 0x33, 0xCC, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x79, 0xCB, 0x2E, 0x08, 0xFF, 0xD8, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x1F, 0xD4, 0xD7, 0x57, 0xE9, 0x39, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xD6, 0x3B, 0x0A, 0x1C, 0x87, 0xB7, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x30, 0xD8, 0x05, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x79, 0x74, 0x9A, 0xE6, 0xBB, 0xC2, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x5B, 0xA6, 0x67, 0xC1, 0x91, 0xE7, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xDF, 0x38, 0x82, 0x19, 0x2C, 0x4C, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x2E, 0x39, 0xC5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x36, 0x78, 0x4E, 0xAE, 0x5B, 0x02, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF6, 0x8B, 0xF8, 0xF4, 0x92, 0x6B, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x4D, 0x71, 0x35, 0xE7, 0x0C, 0x2C, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xA5, 0x1F, 0xAE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x1C, 0x4B, 0xDF, 0x5B, 0xF2, 0x51, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0xB1, 0x5A, 0xC6, 0x0F, 0x0E, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x24, 0x09, 0x62, 0xAF, 0xFC, 0xDB, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xE1, 0x80, 0x55, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x82, 0xFE, 0xAD, 0xC3, 0xE5, 0xCF, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xA2, 0x62, 0x17, 0x76, 0xF0, 0x5A, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB8, 0xE5, 0xAC, 0xB7, 0x66, 0x38, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xFD, 0x86, 0x05, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0x0C, 0x3C, 0xD1, 0x66, 0xB0, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x59, 0xB4, 0x8D, 0x90, 0x10, 0xB7, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x47, 0x9B, 0xE6, 0x55, 0x8A, 0xE4, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x49, 0xDB, 0x78, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x97, 0xED, 0xDE, 0xFF, 0xB3, 0xDF, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xB9, 0x83, 0xB7, 0xEB, 0xBE, 0x40, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xD3, 0xD3, 0xCD, 0x0E, 0x82, 0x79, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x83, 0x1B, 0xF0, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x22, 0xBB, 0x54, 0xD3, 0x31, 0x56, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0xE5, 0xE0, 0x89, 0x96, 0x8E, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xEF, 0x0A, 0xED, 0xD0, 0x11, 0x4A, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x00, 0x57, 0x27, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCA, 0x3D, 0xF7, 0x64, 0x9B, 0x6E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xE3, 0x70, 0x6B, 0x41, 0xD7, 0xED, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x44, 0x44, 0x80, 0xCE, 0x13, 0x37, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x73, 0x80, 0x79, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x4D, 0x70, 0x7D, 0x31, 0x0F, 0x1C, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x35, 0x88, 0x47, 0xC4, 0x24, 0x78, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF0, 0xCD, 0x91, 0x81, 0xB3, 0xDE, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xCE, 0xC6, 0xF7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x9C, 0x2D, 0xE8, 0xD2, 0x00, 0x8F, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x5E, 0x7C, 0x0E, 0x0C, 0x6E, 0x58, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x81, 0x21, 0xCE, 0x43, 0xF4, 0x24, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xBC, 0xF0, 0xF4, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x10, 0xC2, 0x74, 0x4A, 0x8F, 0x8A, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x67, 0xF4, 0x2B, 0x38, 0x2B, 0x35, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0C, 0xA9, 0xFA, 0x77, 0x5C, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x19, 0x2B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x3E, 0x96, 0x22, 0x53, 0xE1, 0xE9, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x13, 0xBC, 0xA1, 0x16, 0xEC, 0x01, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x00, 0xC9, 0x7A, 0xC3, 0x73, 0xA5, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xF4, 0x5E, 0xC1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x95, 0xD6, 0xD9, 0x32, 0x30, 0x2B, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x42, 0x09, 0x05, 0x61, 0x2A, 0x7E, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x84, 0xA2, 0x05, 0x88, 0x64, 0x65, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2D, 0x90, 0xB3, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE7, 0x2E, 0x85, 0x55, 0x80, 0x7C, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC1, 0xAC, 0x78, 0xB4, 0xAF, 0xFB, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xC3, 0x28, 0x8E, 0x79, 0x18, 0x1F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x46, 0xCF, 0x49, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x5F, 0xA8, 0x6C, 0x46, 0x83, 0x43, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xA9, 0x93, 0x11, 0xB6, 0x07, 0x57, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x2A, 0x9D, 0x03, 0x89, 0x7E, 0xD7, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x8C, 0x62, 0xCF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x2C, 0x13, 0x59, 0xCC, 0xFA, 0x84, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB9, 0x48, 0xBC, 0x57, 0xC7, 0xB3, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x0A, 0x38, 0x24, 0x2E, 0x3A, 0x28, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x0A, 0x43, 0xB8, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x25, 0xAB, 0xC1, 0xEE, 0x70, 0x3C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xDB, 0x45, 0x1D, 0x4A, 0x80, 0x75, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1F, 0x4D, 0x2D, 0x9A, 0x05, 0xF4, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x10, 0xF0, 0x5A, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x95, 0xE1, 0xDC, 0x15, 0x86, 0xC3, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xDC, 0x27, 0xD1, 0x56, 0xA1, 0x14, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x0B, 0xD6, 0x77, 0x4E, 0x44, 0xA2, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x42, 0x71, 0x1F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x86, 0xB2, 0xB0, 0xC8, 0x2F, 0x7B, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xEF, 0xCB, 0xDB, 0xBC, 0x9E, 0x3B, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x03, 0x86, 0xDD, 0x5B, 0xF5, 0x8D, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x95, 0x79, 0xD6, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x32, 0x14, 0xDA, 0x9B, 0x4F, 0x07, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x3E, 0xFB, 0x06, 0xEE, 0xA7, 0x40, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x1F, 0xDF, 0x71, 0x61, 0xFD, 0x8B, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x8B, 0xAB, 0x8B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x34, 0xB3, 0xB4, 0xBC, 0x9F, 0xB0, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x58, 0x48, 0xA8, 0x77, 0xBB, 0x13, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC6, 0xF7, 0x34, 0xCC, 0x89, 0x21, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x33, 0xDD, 0x1F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x81, 0xEF, 0xA4, 0xF2, 0x10, 0x0B, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF7, 0x6E, 0x72, 0x4A, 0xDF, 0xDD, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x23, 0x0A, 0x53, 0x03, 0x16, 0x62, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x76, 0xFD, 0x3C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x14, 0xA1, 0xFA, 0xA0, 0x18, 0xBE, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2A, 0xE1, 0xD7, 0xB0, 0x6C, 0xA0, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xC0, 0xB0, 0xC6, 0x63, 0x24, 0xCD, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x38, 0x2C, 0xB1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCD, 0x7D, 0x20, 0x0C, 0xFE, 0xAC, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x9F, 0xA2, 0xB6, 0x45, 0xF7, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x99, 0xF3, 0xD2, 0x20, 0x02, 0xEB, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x5B, 0x7B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xDD, 0x77, 0x91, 0x60, 0xEA, 0xFD, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xD3, 0xB5, 0xD6, 0x90, 0x17, 0x0E, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xF4, 0x28, 0xC1, 0xF2, 0x53, 0xF6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x58, 0xDC, 0x61, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x20, 0x01, 0xFB, 0xF1, 0xBD, 0x5F, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x7F, 0x06, 0xDA, 0x11, 0xCB, 0xBA, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x41, 0x00, 0xA4, 0x1B, 0x30, 0x33, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xFF, 0x27, 0xCA, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp224r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp224r1_T_0_X, secp224r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_1_X, secp224r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_2_X, secp224r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_3_X, secp224r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_4_X, secp224r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_5_X, secp224r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_6_X, secp224r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_7_X, secp224r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_8_X, secp224r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_9_X, secp224r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_10_X, secp224r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_11_X, secp224r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_12_X, secp224r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_13_X, secp224r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_14_X, secp224r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_15_X, secp224r1_T_15_Y),
+};
+#else
+#define secp224r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+/*
+ * Domain parameters for secp256r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static const mbedtls_mpi_uint secp256r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp256r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A),
+};
+static const mbedtls_mpi_uint secp256r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
+};
+static const mbedtls_mpi_uint secp256r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
+};
+static const mbedtls_mpi_uint secp256r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp256r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
+};
+static const mbedtls_mpi_uint secp256r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
+};
+static const mbedtls_mpi_uint secp256r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xC8, 0xBA, 0x04, 0xB7, 0x4B, 0xD2, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC6, 0x23, 0x3A, 0xA0, 0x09, 0x3A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x9D, 0x4C, 0xF9, 0x58, 0x23, 0xCC, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xED, 0x7B, 0x29, 0x87, 0x0F, 0xFA, 0x3C),
+};
+static const mbedtls_mpi_uint secp256r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x69, 0xF2, 0x40, 0x0B, 0xA3, 0x98, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xA8, 0x48, 0x02, 0x0D, 0x1C, 0x12, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xAF, 0x09, 0x83, 0x80, 0xAA, 0x58, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x12, 0xBE, 0x70, 0x94, 0x76, 0xE3, 0xE4),
+};
+static const mbedtls_mpi_uint secp256r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x7D, 0xEF, 0x86, 0xFF, 0xE3, 0x37, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x86, 0x8B, 0x08, 0x27, 0x7C, 0xD7, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x54, 0x4C, 0x25, 0x4F, 0x9A, 0xFE, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xFD, 0xF0, 0x6D, 0x37, 0x03, 0x69, 0xD6),
+};
+static const mbedtls_mpi_uint secp256r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xD5, 0xDA, 0xAD, 0x92, 0x49, 0xF0, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x73, 0x43, 0x9E, 0xAF, 0xA7, 0xD1, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x41, 0x07, 0xDF, 0x78, 0x95, 0x3E, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x3D, 0xD1, 0xE6, 0x3C, 0xA5, 0xE2, 0x20),
+};
+static const mbedtls_mpi_uint secp256r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x6A, 0x5D, 0x52, 0x35, 0xD7, 0xBF, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xA2, 0xBE, 0x96, 0xF4, 0xF8, 0x02, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x20, 0x49, 0x54, 0xEA, 0xB3, 0x82, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0xDB, 0xEA, 0x02, 0xD1, 0x75, 0x1C, 0x62),
+};
+static const mbedtls_mpi_uint secp256r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x85, 0xF4, 0x9E, 0x4C, 0xDC, 0x39, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x6D, 0xC4, 0x57, 0xD8, 0x03, 0x5D, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x7F, 0x2D, 0x52, 0x6F, 0xC9, 0xDA, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x64, 0xFA, 0xB4, 0xFE, 0xA4, 0xC4, 0xD7),
+};
+static const mbedtls_mpi_uint secp256r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x37, 0xB9, 0xC0, 0xAA, 0x59, 0xC6, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x58, 0xD9, 0xED, 0x58, 0x99, 0x65, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x7D, 0x26, 0x8C, 0x4A, 0xF9, 0x05, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x73, 0x9A, 0xC9, 0xE7, 0x46, 0xDC, 0x00),
+};
+static const mbedtls_mpi_uint secp256r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xD0, 0x55, 0xDF, 0x00, 0x0A, 0xF5, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xBF, 0x56, 0x81, 0x2D, 0x20, 0xEB, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC1, 0x28, 0x52, 0xAB, 0xE3, 0xD1, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x34, 0x79, 0x45, 0x57, 0xA5, 0x12, 0x03),
+};
+static const mbedtls_mpi_uint secp256r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCF, 0xB8, 0x7E, 0xF7, 0x92, 0x96, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x01, 0x8C, 0x0D, 0x23, 0xF2, 0xE3, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x2E, 0xE3, 0x84, 0x52, 0x7A, 0x34, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xA1, 0xB0, 0x15, 0x90, 0xE2, 0x53, 0x3C),
+};
+static const mbedtls_mpi_uint secp256r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x98, 0xE7, 0xFA, 0xA5, 0x7D, 0x8B, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x35, 0xD2, 0x00, 0xD1, 0x1B, 0x9F, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x69, 0x08, 0x9A, 0x72, 0xF0, 0xA9, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xFE, 0x0E, 0x14, 0xDA, 0x7C, 0x0E, 0xD3),
+};
+static const mbedtls_mpi_uint secp256r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF6, 0xE8, 0xF8, 0x87, 0xF7, 0xFC, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xBE, 0x7F, 0x3F, 0x7A, 0x2B, 0xD7, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x32, 0xF2, 0x2D, 0x94, 0x6D, 0x42, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x9A, 0xE3, 0x5F, 0x42, 0xBB, 0x84, 0xED),
+};
+static const mbedtls_mpi_uint secp256r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x95, 0x29, 0x73, 0xA1, 0x67, 0x3E, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x30, 0x54, 0x35, 0x8E, 0x0A, 0xDD, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xD7, 0xA1, 0x97, 0x61, 0x3B, 0xF8, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x33, 0x3C, 0x58, 0x55, 0x34, 0x23, 0xA3),
+};
+static const mbedtls_mpi_uint secp256r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x5D, 0x16, 0x5F, 0x7B, 0xBC, 0xBB, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xEE, 0x4E, 0x8A, 0xC1, 0x51, 0xCC, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0D, 0x4D, 0x1B, 0x53, 0x23, 0x1D, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x2A, 0x38, 0x66, 0x52, 0x84, 0xE1, 0x95),
+};
+static const mbedtls_mpi_uint secp256r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x9B, 0x83, 0x0A, 0x81, 0x4F, 0xAD, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xFF, 0x42, 0x41, 0x6E, 0xA9, 0xA2, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA1, 0x4F, 0x1F, 0x89, 0x82, 0xAA, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xB8, 0x0F, 0x6B, 0x8F, 0x8C, 0xD6, 0x68),
+};
+static const mbedtls_mpi_uint secp256r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0xB3, 0xBB, 0x51, 0x69, 0xA2, 0x11, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x4F, 0x0F, 0x8D, 0xBD, 0x26, 0x0F, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xCB, 0xEC, 0x6B, 0x34, 0xC3, 0x3D, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x5D, 0x1E, 0x10, 0xD5, 0x44, 0xE2, 0x54),
+};
+static const mbedtls_mpi_uint secp256r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x9E, 0xB1, 0xF1, 0x6E, 0x4C, 0xAD, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE3, 0xC2, 0x58, 0xC0, 0xFB, 0x34, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x9C, 0xDF, 0x35, 0x07, 0x41, 0xBD, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x10, 0xEC, 0x0E, 0xEC, 0xBB, 0xD6),
+};
+static const mbedtls_mpi_uint secp256r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xCF, 0xEF, 0x3F, 0x83, 0x1A, 0x88, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x29, 0xB5, 0xB9, 0xE0, 0xC9, 0xA3, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x46, 0x1E, 0x77, 0xCD, 0x7E, 0xB3, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x21, 0xD0, 0xD4, 0xA3, 0x16, 0x08, 0xEE),
+};
+static const mbedtls_mpi_uint secp256r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xCA, 0xA8, 0xB3, 0xBF, 0x29, 0x99, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF2, 0x05, 0xC1, 0xCF, 0x5D, 0x91, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x01, 0x49, 0xDB, 0x82, 0xDF, 0x5F, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x06, 0x90, 0xAD, 0xE3, 0x38, 0xA4, 0xC4),
+};
+static const mbedtls_mpi_uint secp256r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xD2, 0x3A, 0xE8, 0x03, 0xC5, 0x6D, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x35, 0xD0, 0xAE, 0x1D, 0x7A, 0x9F, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x1E, 0xD2, 0xCB, 0xAC, 0x88, 0x27, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x9C, 0xE0, 0x31, 0xDD, 0x99, 0x86),
+};
+static const mbedtls_mpi_uint secp256r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF9, 0x9B, 0x32, 0x96, 0x41, 0x58, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x5A, 0x2A, 0xB8, 0x96, 0x0E, 0xB2, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x78, 0x2C, 0xC7, 0x08, 0x99, 0x19, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x59, 0x28, 0xE9, 0x84, 0x54, 0xE6, 0x16),
+};
+static const mbedtls_mpi_uint secp256r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x38, 0x30, 0xDB, 0x70, 0x2C, 0x0A, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x5C, 0x9D, 0xE9, 0xD5, 0x46, 0x0B, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x0B, 0x60, 0x4B, 0x37, 0x7D, 0xB9, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x24, 0xF3, 0x3D, 0x79, 0x7F, 0x6C, 0x18),
+};
+static const mbedtls_mpi_uint secp256r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7F, 0xE5, 0x1C, 0x4F, 0x60, 0x24, 0xF7, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xD8, 0xE2, 0x91, 0x7F, 0x89, 0x49, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xA7, 0x2E, 0x8D, 0x6A, 0xB3, 0x39, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x89, 0xB5, 0x9A, 0xB8, 0x8D, 0x42, 0x9C),
+};
+static const mbedtls_mpi_uint secp256r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x45, 0xE6, 0x4B, 0x3F, 0x4F, 0x1E, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x65, 0x5E, 0x59, 0x22, 0xCC, 0x72, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x93, 0x1A, 0x27, 0x1E, 0x34, 0xC5, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xF2, 0xA5, 0x58, 0x5C, 0x15, 0x2E, 0xC6),
+};
+static const mbedtls_mpi_uint secp256r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x7F, 0xBA, 0x58, 0x5A, 0x84, 0x6F, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA6, 0x36, 0x7E, 0xDC, 0xF7, 0xE1, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x4D, 0xAA, 0xEE, 0x57, 0x76, 0x3A, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x7E, 0x26, 0x18, 0x22, 0x23, 0x9F, 0xFF),
+};
+static const mbedtls_mpi_uint secp256r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x4C, 0x64, 0xC7, 0x55, 0x02, 0x3F, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x02, 0x90, 0xBB, 0xC3, 0xEC, 0x30, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x6F, 0x64, 0xF4, 0x16, 0x69, 0x48, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x44, 0x9C, 0x95, 0x0C, 0x7D, 0x67, 0x5E),
+};
+static const mbedtls_mpi_uint secp256r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x91, 0x8B, 0xD8, 0xD0, 0xD7, 0xE7, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF9, 0x48, 0x62, 0x6F, 0xA8, 0x93, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x3A, 0x99, 0x02, 0xD5, 0x0B, 0x3D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xD3, 0x00, 0x31, 0xE6, 0x0C, 0x9F, 0x44),
+};
+static const mbedtls_mpi_uint secp256r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xB2, 0xAA, 0xFD, 0x88, 0x15, 0xDF, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0x35, 0x27, 0x31, 0x44, 0xCD, 0xC0, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xF8, 0x91, 0xA5, 0x71, 0x94, 0x84, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xCB, 0xD0, 0x93, 0xE9, 0x88, 0xDA, 0xE4),
+};
+static const mbedtls_mpi_uint secp256r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC6, 0x39, 0x16, 0x5D, 0xA3, 0x1E, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x07, 0x37, 0x26, 0x36, 0x2A, 0xFE, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xBC, 0xF3, 0xD0, 0xDE, 0x50, 0xFC, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x2E, 0x06, 0x10, 0x15, 0x4D, 0xFA, 0xF7),
+};
+static const mbedtls_mpi_uint secp256r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x65, 0x69, 0x5B, 0x66, 0xA2, 0x75, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x16, 0x00, 0x5A, 0xB0, 0x30, 0x25, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xFB, 0x86, 0x42, 0x80, 0xC1, 0xC4, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x1D, 0x83, 0x8E, 0x94, 0x01, 0x5F, 0x82),
+};
+static const mbedtls_mpi_uint secp256r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x37, 0x70, 0xEF, 0x1F, 0xA1, 0xF0, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x5B, 0xCE, 0xC4, 0x9B, 0x6F, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x11, 0x11, 0x24, 0x4F, 0x4C, 0x79, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x3A, 0x72, 0xBC, 0xFE, 0x72, 0x58, 0x43),
+};
+static const mbedtls_ecp_point secp256r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp256r1_T_0_X, secp256r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_1_X, secp256r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_2_X, secp256r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_3_X, secp256r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_4_X, secp256r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_5_X, secp256r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_6_X, secp256r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_7_X, secp256r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_8_X, secp256r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_9_X, secp256r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_10_X, secp256r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_11_X, secp256r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_12_X, secp256r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_13_X, secp256r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_14_X, secp256r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_15_X, secp256r1_T_15_Y),
+};
+#else
+#define secp256r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+/*
+ * Domain parameters for secp384r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static const mbedtls_mpi_uint secp384r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp384r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3),
+};
+static const mbedtls_mpi_uint secp384r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
+};
+static const mbedtls_mpi_uint secp384r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp384r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
+};
+static const mbedtls_mpi_uint secp384r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x92, 0x00, 0x2C, 0x78, 0xDB, 0x1F, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF3, 0xEB, 0xB7, 0x06, 0xF7, 0xB6, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBC, 0x2C, 0xCF, 0xD8, 0xED, 0x53, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x75, 0x7B, 0xA3, 0xAB, 0xC3, 0x2C, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x9D, 0x78, 0x41, 0xF6, 0x76, 0x84, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x56, 0xE8, 0x52, 0xB3, 0xCB, 0xA8, 0xBD),
+};
+static const mbedtls_mpi_uint secp384r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xF2, 0xAE, 0xA4, 0xB6, 0x89, 0x1B, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0xCE, 0x1C, 0x7C, 0xF6, 0x50, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xEB, 0x90, 0xE6, 0x4D, 0xC7, 0xD4, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x49, 0x2D, 0x8A, 0x01, 0x99, 0x60, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x80, 0x9B, 0x9B, 0x6A, 0xB0, 0x07, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xA2, 0xEE, 0x59, 0xBE, 0x95, 0xBC, 0x23),
+};
+static const mbedtls_mpi_uint secp384r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x9D, 0x56, 0xAE, 0x59, 0xFB, 0x1F, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xAC, 0x91, 0x80, 0x87, 0xA8, 0x6E, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x08, 0xA7, 0x08, 0x94, 0x32, 0xFC, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x29, 0x9E, 0x84, 0xF4, 0xE5, 0x6E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x21, 0xB9, 0x50, 0x24, 0xF8, 0x9C, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x04, 0x01, 0xC2, 0xFB, 0x77, 0x3E, 0xDE),
+};
+static const mbedtls_mpi_uint secp384r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x38, 0xEE, 0xE3, 0xC7, 0x9D, 0xEC, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x88, 0xCF, 0x43, 0xFA, 0x92, 0x5E, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xCA, 0x43, 0xF8, 0x3B, 0x49, 0x7E, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xE7, 0xEB, 0x17, 0x45, 0x86, 0xC2, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x69, 0x57, 0x32, 0xE0, 0x9C, 0xD1, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x10, 0xB8, 0x4D, 0xB8, 0xF4, 0x0D, 0xE3),
+};
+static const mbedtls_mpi_uint secp384r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0xDC, 0x9A, 0xB2, 0x79, 0x39, 0x27, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x71, 0xE4, 0x3B, 0x4D, 0x60, 0x0C, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xBD, 0x19, 0x40, 0xFA, 0x19, 0x2A, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xF8, 0x1E, 0x43, 0xA1, 0x50, 0x8D, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x18, 0x7C, 0x41, 0xFA, 0x7C, 0x1B, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x24, 0xC4, 0xE9, 0xB7, 0xD3, 0xAD),
+};
+static const mbedtls_mpi_uint secp384r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x01, 0x3D, 0x63, 0x54, 0x45, 0x6F, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xB2, 0x19, 0xA3, 0x86, 0x1D, 0x42, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x02, 0x87, 0x18, 0x92, 0x52, 0x1A, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x18, 0xB1, 0x5D, 0x18, 0x1B, 0x37, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x74, 0x61, 0xBA, 0x18, 0xAF, 0x40, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7D, 0x3C, 0x52, 0x0F, 0x07, 0xB0, 0x6F),
+};
+static const mbedtls_mpi_uint secp384r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x39, 0x13, 0xAA, 0x60, 0x15, 0x99, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x00, 0xCB, 0xC6, 0xB1, 0xDB, 0x97, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xFA, 0x60, 0xB8, 0x24, 0xE4, 0x7D, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x75, 0xB3, 0x70, 0xB2, 0x83, 0xB1, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xE3, 0x6C, 0xCD, 0x33, 0x62, 0x7A, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x30, 0xDC, 0x0F, 0x9F, 0xBB, 0xB8, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD5, 0x0A, 0x60, 0x81, 0xB9, 0xC5, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xAA, 0x2F, 0xD6, 0xF2, 0x73, 0xDF, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x7B, 0x74, 0xC9, 0xB3, 0x5B, 0x95, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x04, 0xEB, 0x15, 0xC8, 0x5F, 0x00, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x50, 0x20, 0x28, 0xD1, 0x01, 0xAF, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x4F, 0x31, 0x81, 0x2F, 0x94, 0x48),
+};
+static const mbedtls_mpi_uint secp384r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2F, 0xD8, 0xB6, 0x63, 0x7C, 0xE9, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x8C, 0xB9, 0x14, 0xD9, 0x37, 0x63, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x02, 0xB8, 0x46, 0xAD, 0xCE, 0x7B, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x47, 0x2D, 0x66, 0xA7, 0xE9, 0x33, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF9, 0x93, 0x94, 0xA8, 0x48, 0xB3, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x4A, 0xAC, 0x51, 0x08, 0x72, 0x2F, 0x1A),
+};
+static const mbedtls_mpi_uint secp384r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xAD, 0xA0, 0xF9, 0x81, 0xE1, 0x78, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9A, 0x63, 0xD8, 0xBA, 0x79, 0x1A, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x31, 0x7B, 0x7A, 0x5A, 0x5D, 0x7D, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x96, 0x12, 0x4B, 0x19, 0x09, 0xE0, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8A, 0x57, 0xEE, 0x4E, 0x6E, 0x7E, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x9D, 0x69, 0xDC, 0xB3, 0xDA, 0xD8, 0x08),
+};
+static const mbedtls_mpi_uint secp384r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x49, 0x03, 0x03, 0x33, 0x6F, 0x28, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xDB, 0xA7, 0x05, 0x8C, 0xF3, 0x4D, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x92, 0xB1, 0xA8, 0xEC, 0x0D, 0x64, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0xFC, 0xFD, 0xD0, 0x4B, 0x88, 0x1B, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x9C, 0x51, 0x69, 0xCE, 0x71, 0x73, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5A, 0x14, 0x23, 0x1A, 0x46, 0x63, 0x5F),
+};
+static const mbedtls_mpi_uint secp384r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x4C, 0x70, 0x44, 0x18, 0xCD, 0xEF, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x49, 0xDD, 0x64, 0x7E, 0x7E, 0x4D, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x32, 0x7C, 0x09, 0xD0, 0x3F, 0xD6, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE0, 0x4F, 0x65, 0x0C, 0x7A, 0x54, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFA, 0xFB, 0x4A, 0xB4, 0x79, 0x5A, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x1B, 0x2B, 0xDA, 0xBC, 0x9A, 0x74),
+};
+static const mbedtls_mpi_uint secp384r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xAC, 0x56, 0xF7, 0x5F, 0x51, 0x68, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xE0, 0x1D, 0xBC, 0x13, 0x4E, 0xAC, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF5, 0xC5, 0xE6, 0xD2, 0x88, 0xBA, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x0E, 0x28, 0x23, 0x58, 0x67, 0xFA, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x80, 0x4B, 0xD8, 0xC4, 0xDF, 0x15, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x0E, 0x58, 0xE6, 0x2C, 0x59, 0xC2, 0x03),
+};
+static const mbedtls_mpi_uint secp384r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x26, 0x27, 0x99, 0x16, 0x2B, 0x22, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF3, 0x8F, 0xC3, 0x2A, 0x9B, 0xFC, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2E, 0x83, 0x3D, 0xFE, 0x9E, 0x3C, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0xCD, 0x2D, 0xC1, 0x49, 0x38, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x42, 0x8B, 0x33, 0x89, 0x1F, 0xEA, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x1D, 0x13, 0xD7, 0x50, 0xBB, 0x3E, 0xEB),
+};
+static const mbedtls_mpi_uint secp384r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x9A, 0x52, 0xD2, 0x54, 0x7C, 0x97, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x6E, 0xED, 0xD9, 0x87, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x35, 0x7E, 0x16, 0x40, 0x15, 0x83, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x2B, 0xA4, 0xAB, 0x03, 0x91, 0xEA, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x47, 0x39, 0xEF, 0x05, 0x59, 0xD0, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x24, 0x0D, 0x76, 0x11, 0x53, 0x08, 0xAF),
+};
+static const mbedtls_mpi_uint secp384r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x2F, 0xDD, 0xBD, 0x50, 0x48, 0xB1, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x1C, 0x84, 0x55, 0x78, 0x14, 0xEB, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x5E, 0x3E, 0xA6, 0xAF, 0xF6, 0xC7, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x11, 0xE2, 0x65, 0xCA, 0x41, 0x95, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x83, 0xD8, 0xE6, 0x4D, 0x22, 0x06, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x7F, 0x25, 0x2A, 0xAA, 0x28, 0x46, 0x97),
+};
+static const mbedtls_mpi_uint secp384r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xDB, 0x15, 0x56, 0x84, 0xCB, 0xC0, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xDB, 0x0E, 0x08, 0xC9, 0xF5, 0xD4, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x62, 0xD0, 0x1A, 0x7C, 0x13, 0xD5, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xAD, 0x53, 0xE0, 0x32, 0x21, 0xA0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x38, 0x81, 0x21, 0x23, 0x0E, 0xD2, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x51, 0x05, 0xD0, 0x1E, 0x82, 0xA9, 0x71),
+};
+static const mbedtls_mpi_uint secp384r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xC3, 0x27, 0xBF, 0xC6, 0xAA, 0xB7, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x65, 0x45, 0xDF, 0xB9, 0x46, 0x17, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x38, 0x3F, 0xB2, 0xB1, 0x5D, 0xCA, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x29, 0x6C, 0x63, 0xE9, 0xD7, 0x48, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xF1, 0xD7, 0x99, 0x8C, 0xC2, 0x05, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE6, 0x5E, 0x82, 0x6D, 0xE5, 0x7E, 0xD5),
+};
+static const mbedtls_mpi_uint secp384r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x61, 0xFA, 0x7D, 0x01, 0xDB, 0xB6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC6, 0x58, 0x39, 0xF4, 0xC6, 0x82, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0x7A, 0x80, 0x08, 0xCD, 0xAA, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x8C, 0xC6, 0x3F, 0x3C, 0xA5, 0x68, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xF5, 0xD5, 0x17, 0xAE, 0x36, 0xD8, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xAD, 0x92, 0xC5, 0x57, 0x6C, 0xDA, 0x91),
+};
+static const mbedtls_mpi_uint secp384r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x67, 0x17, 0xC0, 0x40, 0x78, 0x8C, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x9F, 0xF4, 0xAA, 0xDA, 0x5C, 0x7E, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xDB, 0x42, 0x3E, 0x72, 0x64, 0xA0, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xF9, 0x41, 0x17, 0x43, 0xE3, 0xE8, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xDD, 0xCC, 0x43, 0x7E, 0x16, 0x05, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x4B, 0xCF, 0x48, 0x8F, 0x41, 0x90, 0xE5),
+};
+static const mbedtls_mpi_uint secp384r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x0C, 0x6B, 0x9D, 0x22, 0x04, 0xBC, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x63, 0x79, 0x2F, 0x6A, 0x0E, 0x8A, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x67, 0x3F, 0x02, 0xB8, 0x91, 0x7F, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x14, 0x64, 0xA0, 0x33, 0xF4, 0x6B, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x44, 0x71, 0x87, 0xB8, 0x88, 0x3F, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x2B, 0x85, 0x05, 0xC5, 0x44, 0x53, 0x15),
+};
+static const mbedtls_mpi_uint secp384r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x2B, 0xFE, 0xD1, 0x1C, 0x73, 0xE3, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x33, 0xA1, 0xD3, 0x69, 0x1C, 0x9D, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x5A, 0xBA, 0xB6, 0xAE, 0x1B, 0x94, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x74, 0x90, 0x5C, 0x57, 0xB0, 0x3A, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x2F, 0x93, 0x20, 0x24, 0x54, 0x1D, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x78, 0x9D, 0x71, 0x67, 0x5D, 0x49, 0x98),
+};
+static const mbedtls_mpi_uint secp384r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xC8, 0x0E, 0x11, 0x8D, 0xE0, 0x8F, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x7F, 0x79, 0x6C, 0x5F, 0xB7, 0xBC, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xE1, 0x83, 0x3C, 0x12, 0xBB, 0xEE, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC2, 0xC4, 0x1B, 0x41, 0x71, 0xB9, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0xEE, 0xBB, 0x1D, 0x89, 0x50, 0x88, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x1C, 0x55, 0x74, 0xEB, 0xDE, 0x92, 0x3F),
+};
+static const mbedtls_mpi_uint secp384r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x38, 0x92, 0x06, 0x19, 0xD0, 0xB3, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x99, 0x26, 0xA3, 0x5F, 0xE2, 0xC1, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xFC, 0xFD, 0xC3, 0xB6, 0x26, 0x24, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xAD, 0xE7, 0x49, 0xB7, 0x64, 0x4B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x4E, 0x95, 0xAD, 0x07, 0xFE, 0xB6, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x15, 0xE7, 0x2D, 0x19, 0xA9, 0x08, 0x10),
+};
+static const mbedtls_mpi_uint secp384r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xBD, 0xAC, 0x0A, 0x3F, 0x6B, 0xFF, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xE4, 0x74, 0x14, 0xD9, 0x70, 0x1D, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xB0, 0x71, 0xBB, 0xD8, 0x18, 0x96, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xB8, 0x19, 0x90, 0x80, 0xB5, 0xEE, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x21, 0x20, 0xA6, 0x17, 0x48, 0x03, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0xBB, 0x6D, 0x94, 0x20, 0x34, 0xF1),
+};
+static const mbedtls_mpi_uint secp384r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x82, 0x67, 0x4B, 0x8E, 0x4E, 0xBE, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xDA, 0x77, 0xF8, 0x23, 0x55, 0x2B, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x02, 0xDE, 0x25, 0x35, 0x2D, 0x74, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0C, 0xB8, 0x0B, 0x39, 0xBA, 0xAD, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x0E, 0x28, 0x4D, 0xE1, 0x3D, 0xE4, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xEC, 0x0A, 0xD4, 0xB8, 0xC4, 0x8D, 0xB0),
+};
+static const mbedtls_mpi_uint secp384r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x68, 0xCE, 0xC2, 0x55, 0x4D, 0x0C, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x20, 0x93, 0x32, 0x90, 0xD6, 0xAE, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x78, 0xAB, 0x43, 0x9E, 0xEB, 0x73, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x97, 0xC3, 0x83, 0xA6, 0x3C, 0xF1, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x25, 0x25, 0x66, 0x08, 0x26, 0xFA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xFB, 0x44, 0x5D, 0x82, 0xEC, 0x3B, 0xAC),
+};
+static const mbedtls_mpi_uint secp384r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x90, 0xEA, 0xB5, 0x04, 0x99, 0xD0, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0xF2, 0x22, 0xA0, 0xEB, 0xFD, 0x45, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA4, 0x81, 0x32, 0xFC, 0xFA, 0xEE, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xBB, 0xA4, 0x6A, 0x77, 0x41, 0x5C, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x1E, 0xAA, 0x4F, 0xF0, 0x10, 0xB3, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x74, 0x13, 0x14, 0x9E, 0x90, 0xD7, 0xE6),
+};
+static const mbedtls_mpi_uint secp384r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xBD, 0x70, 0x4F, 0xA8, 0xD1, 0x06, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4E, 0x2E, 0x68, 0xFC, 0x35, 0xFA, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x53, 0x75, 0xED, 0xF2, 0x5F, 0xC2, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x87, 0x6B, 0x9F, 0x05, 0xE2, 0x22, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x1A, 0xA8, 0xB7, 0x03, 0x9E, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD0, 0x69, 0x88, 0xA8, 0x39, 0x9E, 0x3A),
+};
+static const mbedtls_mpi_uint secp384r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xEF, 0x68, 0xFE, 0xEC, 0x24, 0x08, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x4B, 0x92, 0x0D, 0xB7, 0x34, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF4, 0xDD, 0x1A, 0xA0, 0x4A, 0xE4, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x63, 0x4F, 0x4F, 0xCE, 0xBB, 0xD6, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xEE, 0x8D, 0xDF, 0x3F, 0x73, 0xB7, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x06, 0xB6, 0x80, 0x4D, 0x81, 0xD9, 0x53),
+};
+static const mbedtls_mpi_uint secp384r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF5, 0x13, 0xDF, 0x13, 0x19, 0x97, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xF9, 0xB3, 0x33, 0x66, 0x82, 0x21, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xFC, 0x39, 0x16, 0x23, 0x43, 0x76, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x48, 0x25, 0xA1, 0x64, 0x95, 0x1C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xAC, 0x15, 0x57, 0xD9, 0xDE, 0xA0, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x5F, 0xB8, 0x3D, 0x48, 0x91, 0x24, 0xCC),
+};
+static const mbedtls_mpi_uint secp384r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xF2, 0xC8, 0x54, 0xD1, 0x32, 0xBD, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x3B, 0xF0, 0xAA, 0x9D, 0xD8, 0xF4, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xC3, 0xBB, 0x6C, 0x66, 0xAC, 0x25, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x25, 0x10, 0xB2, 0xE1, 0x41, 0xDE, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xE8, 0x30, 0xB8, 0x37, 0xBC, 0x2A, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x57, 0x01, 0x4A, 0x1E, 0x78, 0x9F, 0x85),
+};
+static const mbedtls_mpi_uint secp384r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x19, 0xCD, 0x12, 0x0B, 0x51, 0x4F, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x4B, 0x3D, 0x24, 0xA4, 0x16, 0x59, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xEB, 0xD3, 0x59, 0x2E, 0x75, 0x7C, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB9, 0xB4, 0xA5, 0xD9, 0x2E, 0x29, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x16, 0x05, 0x75, 0x02, 0xB3, 0x06, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x7C, 0x9F, 0x79, 0x91, 0xF1, 0x4F, 0x23),
+};
+static const mbedtls_mpi_uint secp384r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x98, 0x7C, 0x84, 0xE1, 0xFF, 0x30, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE2, 0xC2, 0x5F, 0x55, 0x40, 0xBD, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x65, 0x87, 0x3F, 0xC4, 0xC2, 0x24, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x30, 0x0A, 0x60, 0x15, 0xD1, 0x24, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x99, 0xD9, 0xB6, 0xAE, 0xB1, 0xAF, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x80, 0xEE, 0xA2, 0x0F, 0x74, 0xB9, 0xF3),
+};
+static const mbedtls_mpi_uint secp384r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xE6, 0x0F, 0x37, 0xC1, 0x10, 0x99, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xAD, 0x9D, 0x5D, 0x80, 0x01, 0xA6, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x0F, 0x10, 0x2A, 0x9D, 0x20, 0x38, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x60, 0xCB, 0xCE, 0x5A, 0xA0, 0xA7, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xCF, 0x14, 0xDF, 0xBF, 0xE5, 0x74, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x12, 0x1A, 0xDD, 0x59, 0x02, 0x5D, 0xC6),
+};
+static const mbedtls_mpi_uint secp384r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0xF8, 0xF5, 0xB6, 0x13, 0x4D, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x45, 0xB1, 0x93, 0xB3, 0xA2, 0x79, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xF6, 0xCF, 0xF7, 0xE6, 0x29, 0x9C, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x50, 0x65, 0x80, 0xBC, 0x59, 0x0A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xF0, 0x24, 0x35, 0xA2, 0x46, 0xF0, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x26, 0xC0, 0x9D, 0x61, 0x56, 0x62, 0x67),
+};
+static const mbedtls_mpi_uint secp384r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xBB, 0xC2, 0x24, 0x43, 0x2E, 0x37, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xF7, 0xCE, 0x35, 0xFC, 0x77, 0xF3, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x34, 0x96, 0xD5, 0x4A, 0x76, 0x9D, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x3B, 0x0F, 0xEA, 0xA8, 0x12, 0x0B, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x3F, 0x5D, 0x2D, 0x1C, 0xD4, 0x9E, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x2E, 0xDD, 0xC7, 0x6E, 0xAB, 0xAF, 0xDC),
+};
+static const mbedtls_mpi_uint secp384r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB2, 0x7B, 0x0C, 0x9A, 0x83, 0x8E, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x51, 0x90, 0x92, 0x79, 0x32, 0x19, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x89, 0xF9, 0xD0, 0xCF, 0x2C, 0xA5, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x50, 0x21, 0xDE, 0x50, 0x41, 0x9D, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x7D, 0x2B, 0x9E, 0x9D, 0x95, 0xA8, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA5, 0x20, 0x87, 0x88, 0x97, 0x5F, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x59, 0xB4, 0x66, 0x7E, 0xE8, 0x5A, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x5C, 0x7E, 0xB2, 0xAD, 0xD9, 0xC9, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x97, 0x49, 0xA3, 0x13, 0x83, 0x07, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x26, 0xC7, 0x13, 0x35, 0x0D, 0xB0, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x60, 0xAB, 0xFA, 0x4B, 0x93, 0x18, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2D, 0x1C, 0x31, 0x4C, 0xE4, 0x61, 0xAE),
+};
+static const mbedtls_mpi_uint secp384r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x4D, 0x1E, 0x51, 0x59, 0x6E, 0x91, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x54, 0x4D, 0x51, 0xED, 0x36, 0xCC, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xA8, 0x56, 0xC7, 0x78, 0x27, 0x33, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB7, 0x95, 0xC9, 0x8B, 0xC8, 0x6A, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xE9, 0x13, 0x96, 0xB3, 0xE1, 0xF9, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x46, 0xB0, 0x5E, 0xC3, 0x94, 0x03, 0x05),
+};
+static const mbedtls_mpi_uint secp384r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x5B, 0x29, 0x30, 0x41, 0x1A, 0x9E, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xCA, 0x83, 0x31, 0x5B, 0xA7, 0xCB, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x41, 0x50, 0x44, 0x4D, 0x64, 0x31, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x84, 0xC2, 0x5D, 0x97, 0xA5, 0x3C, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x0F, 0xA5, 0xFD, 0x8E, 0x5A, 0x47, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x58, 0x02, 0x2D, 0x40, 0xB1, 0x0B, 0xBA),
+};
+static const mbedtls_mpi_uint secp384r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x33, 0x8C, 0x67, 0xCE, 0x23, 0x43, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x53, 0x47, 0x72, 0x44, 0x1F, 0x5B, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xC1, 0xD9, 0xA4, 0x50, 0x88, 0x63, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xF2, 0x75, 0x69, 0x73, 0x00, 0xC4, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x90, 0x1D, 0xDF, 0x1A, 0x00, 0xD8, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xB1, 0x89, 0x48, 0xA8, 0x70, 0x62, 0xEF),
+};
+static const mbedtls_mpi_uint secp384r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x8A, 0x55, 0x50, 0x7B, 0xEF, 0x8A, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1B, 0x23, 0x48, 0x23, 0x63, 0x91, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x04, 0x54, 0x3C, 0x24, 0x9B, 0xC7, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x38, 0xC3, 0x84, 0xFB, 0xFF, 0x9F, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x2A, 0xE0, 0x6D, 0x68, 0x8A, 0x5C, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x93, 0x53, 0x85, 0xA1, 0x0D, 0xAF, 0x63),
+};
+static const mbedtls_mpi_uint secp384r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x88, 0x95, 0x4C, 0x0B, 0xD0, 0x06, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xAF, 0x8D, 0x49, 0xA2, 0xC8, 0xB4, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x76, 0x53, 0x09, 0x88, 0x43, 0x87, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA4, 0x77, 0x3F, 0x5E, 0x21, 0xB4, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x9E, 0x86, 0x64, 0xCC, 0x91, 0xC1, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x17, 0x56, 0xCB, 0xC3, 0x7D, 0x5B, 0xB1),
+};
+static const mbedtls_mpi_uint secp384r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x74, 0x9F, 0xB5, 0x91, 0x21, 0xB1, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xED, 0xE1, 0x11, 0xEF, 0x45, 0xAF, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x31, 0xBE, 0xB2, 0xBC, 0x72, 0x65, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x4B, 0x8C, 0x77, 0xCE, 0x1E, 0x42, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC9, 0xAA, 0xB9, 0xD9, 0x86, 0x99, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x23, 0x80, 0xC6, 0x4E, 0x35, 0x0B, 0x6D),
+};
+static const mbedtls_mpi_uint secp384r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xD8, 0xA2, 0x0A, 0x39, 0x32, 0x1D, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xC8, 0x86, 0xF1, 0x12, 0x9A, 0x4A, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xF1, 0x7C, 0xAA, 0x70, 0x8E, 0xBC, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x01, 0x47, 0x8F, 0xDD, 0x8B, 0xA5, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x08, 0x21, 0xF4, 0xAB, 0xC7, 0xF5, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x76, 0xA5, 0x95, 0xC4, 0x0F, 0x88, 0x1D),
+};
+static const mbedtls_mpi_uint secp384r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x42, 0x2A, 0x52, 0xCD, 0x75, 0x51, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x36, 0xE5, 0x04, 0x2B, 0x44, 0xC6, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xEE, 0x16, 0x13, 0x07, 0x83, 0xB5, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x59, 0xC6, 0xA2, 0x19, 0x05, 0xD3, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8B, 0xA8, 0x16, 0x09, 0xB7, 0xEA, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xEE, 0x14, 0xAF, 0xB5, 0xFD, 0xD0, 0xEF),
+};
+static const mbedtls_mpi_uint secp384r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x7C, 0xCA, 0x71, 0x3E, 0x6E, 0x66, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x31, 0x0E, 0x3F, 0xE5, 0x91, 0xC4, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x3D, 0xC2, 0x3E, 0x95, 0x37, 0x58, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x1F, 0x02, 0x03, 0xF3, 0xEF, 0xEE, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x5B, 0x1A, 0xFC, 0x38, 0xCD, 0xE8, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x57, 0x42, 0x85, 0xC6, 0x21, 0x68, 0x71),
+};
+static const mbedtls_mpi_uint secp384r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA2, 0x4A, 0x66, 0xB1, 0x0A, 0xE6, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x0C, 0x94, 0x9D, 0x5E, 0x99, 0xB2, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x03, 0x40, 0xCA, 0xB2, 0xB3, 0x30, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0x48, 0x27, 0x34, 0x1E, 0xE2, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x72, 0x5B, 0xAC, 0xC1, 0x6D, 0xE3, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAB, 0x46, 0xCB, 0xEA, 0x5E, 0x4B, 0x0B),
+};
+static const mbedtls_mpi_uint secp384r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x08, 0xAD, 0x4E, 0x51, 0x9F, 0x2A, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5C, 0x7D, 0x4C, 0xD6, 0xCF, 0xDD, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x76, 0x26, 0xE0, 0x8B, 0x10, 0xD9, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA7, 0x23, 0x4E, 0x5F, 0xD2, 0x42, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xE5, 0xA4, 0xEC, 0x77, 0x21, 0x34, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x14, 0x65, 0xEA, 0x4A, 0x85, 0xC3, 0x2F),
+};
+static const mbedtls_mpi_uint secp384r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xD8, 0x40, 0x27, 0x73, 0x15, 0x7E, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xBB, 0x53, 0x7E, 0x0F, 0x40, 0xC8, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x37, 0x19, 0x73, 0xEF, 0x5A, 0x5E, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x73, 0x2B, 0x49, 0x7E, 0xAC, 0x97, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xB2, 0xC3, 0x1E, 0x0E, 0xE7, 0xD2, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x08, 0xD6, 0xDD, 0xAC, 0x21, 0xD6, 0x3E),
+};
+static const mbedtls_mpi_uint secp384r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x26, 0xBE, 0x6D, 0x6D, 0xF2, 0x38, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6C, 0x31, 0xA7, 0x49, 0x50, 0x3A, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x99, 0xC6, 0xF5, 0xD2, 0xC2, 0x30, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE4, 0xF6, 0x8B, 0x8B, 0x97, 0xE9, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x21, 0xB7, 0x0D, 0xFC, 0x15, 0x54, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x83, 0x1C, 0xA4, 0xCD, 0x6B, 0x9D, 0xF2),
+};
+static const mbedtls_mpi_uint secp384r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE8, 0x4C, 0x48, 0xE4, 0xAA, 0x69, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x7A, 0x27, 0xFC, 0x37, 0x96, 0x1A, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xE7, 0x30, 0xA5, 0xCF, 0x13, 0x46, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xD8, 0xAF, 0x74, 0x23, 0x4D, 0x56, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3D, 0x44, 0x14, 0x1B, 0x97, 0x83, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x47, 0xD7, 0x5F, 0xFD, 0x98, 0x38, 0xF7),
+};
+static const mbedtls_mpi_uint secp384r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x73, 0x64, 0x36, 0xFD, 0x7B, 0xC1, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x5D, 0x32, 0xD2, 0x47, 0x94, 0x89, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xE9, 0x30, 0xAC, 0x06, 0xC8, 0x65, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x6C, 0xB9, 0x1B, 0xF7, 0x61, 0x49, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xFF, 0x32, 0x43, 0x80, 0xDA, 0xA6, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF8, 0x04, 0x01, 0x95, 0x35, 0xCE, 0x21),
+};
+static const mbedtls_mpi_uint secp384r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x06, 0x46, 0x0D, 0x51, 0xE2, 0xD8, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x57, 0x1D, 0x6F, 0x79, 0xA0, 0xCD, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xFB, 0x36, 0xCA, 0xAD, 0xF5, 0x9E, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x7A, 0x1D, 0x9E, 0x1D, 0x95, 0x48, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x26, 0xA5, 0xB7, 0x15, 0x2C, 0xC2, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x42, 0x72, 0xAA, 0x11, 0xDC, 0xC9, 0xB6),
+};
+static const mbedtls_mpi_uint secp384r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x6C, 0x64, 0xA7, 0x62, 0x3C, 0xAB, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x6A, 0x44, 0xD8, 0x60, 0xC0, 0xA8, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x76, 0x58, 0x12, 0x57, 0x3C, 0x89, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x4F, 0x83, 0xCE, 0xCB, 0xB8, 0xD0, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0x04, 0xB0, 0xAD, 0xEB, 0xFA, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA4, 0xC3, 0x41, 0x44, 0x4E, 0x65, 0x3E),
+};
+static const mbedtls_mpi_uint secp384r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x16, 0xA9, 0x1C, 0xE7, 0x65, 0x20, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x53, 0x32, 0xF8, 0xC0, 0xA6, 0xBD, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF0, 0xE6, 0x57, 0x31, 0xCC, 0x26, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xE3, 0x54, 0x1C, 0x34, 0xD3, 0x17, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xAE, 0xED, 0xFB, 0xCD, 0xE7, 0x1E, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x16, 0x1C, 0x34, 0x40, 0x00, 0x1F, 0xB6),
+};
+static const mbedtls_mpi_uint secp384r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x32, 0x00, 0xC2, 0xD4, 0x3B, 0x1A, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xE0, 0x99, 0x8F, 0x0C, 0x4A, 0x16, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x73, 0x18, 0x1B, 0xD4, 0x94, 0x29, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA4, 0x2D, 0xB1, 0x9D, 0x74, 0x32, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xF4, 0xB1, 0x0C, 0x37, 0x62, 0x8B, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xFF, 0xDA, 0xE2, 0x35, 0xA3, 0xB6, 0x42),
+};
+static const mbedtls_mpi_uint secp384r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x49, 0x99, 0x65, 0xC5, 0xED, 0x16, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x42, 0x9A, 0xF3, 0xA7, 0x4E, 0x6F, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x0A, 0x7E, 0xC0, 0xD7, 0x4E, 0x07, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x7A, 0x31, 0x69, 0xA6, 0xB9, 0x15, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xE0, 0x72, 0xA4, 0x3F, 0xB9, 0xF8, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x75, 0x32, 0x85, 0xA2, 0xDE, 0x37, 0x12),
+};
+static const mbedtls_mpi_uint secp384r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC0, 0x0D, 0xCF, 0x25, 0x41, 0xA4, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xFC, 0xB2, 0x48, 0xC3, 0x85, 0x83, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBE, 0x0B, 0x58, 0x2D, 0x7A, 0x9A, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xF3, 0x81, 0x18, 0x1B, 0x74, 0x4F, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x43, 0xA3, 0x0A, 0x16, 0x8B, 0xA3, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x18, 0x81, 0x7B, 0x8D, 0xA2, 0x35, 0x77),
+};
+static const mbedtls_mpi_uint secp384r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xC4, 0x3F, 0x2C, 0xE7, 0x5F, 0x99, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2B, 0xB7, 0xB6, 0xAD, 0x5A, 0x56, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x00, 0xA4, 0x48, 0xC8, 0xE8, 0xBA, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xA1, 0xB5, 0x13, 0x5A, 0xCD, 0x99, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x95, 0xAD, 0xFC, 0xE2, 0x7E, 0xE7, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x6B, 0xD1, 0x34, 0x99, 0x53, 0x63, 0x0B),
+};
+static const mbedtls_mpi_uint secp384r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x8A, 0x77, 0x5D, 0x2B, 0xAB, 0x01, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x85, 0xD0, 0xD5, 0x49, 0x83, 0x4D, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xC6, 0x91, 0x30, 0x3B, 0x00, 0xAF, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x61, 0x07, 0xE1, 0xB6, 0xE2, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x43, 0x41, 0xFE, 0x9B, 0xB6, 0xF0, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x97, 0xAE, 0xAD, 0x89, 0x88, 0x9E, 0x41),
+};
+static const mbedtls_ecp_point secp384r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(secp384r1_T_0_X, secp384r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_1_X, secp384r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_2_X, secp384r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_3_X, secp384r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_4_X, secp384r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_5_X, secp384r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_6_X, secp384r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_7_X, secp384r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_8_X, secp384r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_9_X, secp384r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_10_X, secp384r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_11_X, secp384r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_12_X, secp384r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_13_X, secp384r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_14_X, secp384r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_15_X, secp384r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_16_X, secp384r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_17_X, secp384r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_18_X, secp384r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_19_X, secp384r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_20_X, secp384r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_21_X, secp384r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_22_X, secp384r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_23_X, secp384r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_24_X, secp384r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_25_X, secp384r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_26_X, secp384r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_27_X, secp384r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_28_X, secp384r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_29_X, secp384r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_30_X, secp384r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_31_X, secp384r1_T_31_Y),
+};
+#else
+#define secp384r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+/*
+ * Domain parameters for secp521r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static const mbedtls_mpi_uint secp521r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
+};
+static const mbedtls_mpi_uint secp521r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_2(0x51, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xC6, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_2(0x18, 0x01),
+};
+static const mbedtls_mpi_uint secp521r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp521r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xB1, 0x2D, 0xEB, 0x27, 0x2F, 0xE8, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x4B, 0x44, 0x25, 0xDB, 0x5C, 0x5F, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x85, 0x28, 0x78, 0x2E, 0x75, 0x34, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x57, 0x0F, 0x73, 0x78, 0x7A, 0xE3, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD8, 0xEC, 0xDC, 0xDA, 0x04, 0xAD, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x8A, 0x09, 0xF3, 0x58, 0x79, 0xD8, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x03, 0xCB, 0x50, 0x1A, 0x7F, 0x56, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA6, 0x78, 0x38, 0x85, 0x67, 0x0B, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xD5, 0xD2, 0x22, 0xC4, 0x00, 0x3B, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x93, 0x0E, 0x7B, 0x85, 0x51, 0xC3, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA6, 0x5F, 0x54, 0x49, 0x02, 0x81, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xE9, 0x6B, 0x3A, 0x92, 0xE7, 0x72, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x5F, 0x28, 0x9E, 0x91, 0x27, 0x88, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x28, 0x31, 0xB3, 0x84, 0xCA, 0x12, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xF9, 0xAC, 0x22, 0x10, 0x0A, 0x64, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xC6, 0x33, 0x1F, 0x69, 0x19, 0x18, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x48, 0xB8, 0xC7, 0x37, 0x5A, 0x00, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xCC, 0x32, 0xE0, 0xEE, 0x03, 0xC2, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x29, 0xC2, 0xE4, 0x6E, 0x24, 0x20, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x6B, 0x7F, 0x7B, 0xF9, 0xB0, 0xB8, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x7B, 0x3C, 0xE1, 0x19, 0xA1, 0x23, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE3, 0xC2, 0x53, 0xC0, 0x07, 0x13, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFE, 0x36, 0x35, 0x9F, 0x5E, 0x59, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x55, 0x89, 0x84, 0xBC, 0xEF, 0xA2, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x1A, 0x08, 0x67, 0xB4, 0xE7, 0x22, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x26, 0xDF, 0x81, 0x3C, 0x5F, 0x1C, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x4D, 0xD0, 0x0A, 0x48, 0x06, 0xF4, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x18, 0x39, 0xF7, 0xD1, 0x20, 0x77, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x8F, 0x44, 0x13, 0xCB, 0x78, 0x11, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE2, 0x49, 0xEA, 0x43, 0x79, 0x08, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xD1, 0xD8, 0x73, 0x2C, 0x71, 0x2F, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE5, 0xE7, 0xF4, 0x46, 0xAB, 0x20, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x0B, 0xB9, 0x71, 0x1A, 0x27, 0xB7, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xA2, 0x2C, 0xD1, 0xDA, 0xBC, 0xC1, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xA3, 0x10, 0x1F, 0x90, 0xF2, 0xA5, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xFB, 0x20, 0xF4, 0xC0, 0x70, 0xC0, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xA7, 0x99, 0xF0, 0xA5, 0xD3, 0x09, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xE8, 0x14, 0x39, 0xBE, 0xCB, 0x60, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD6, 0x14, 0xA9, 0xC9, 0x20, 0xC3, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x5B, 0xFD, 0x2D, 0x96, 0xBC, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x04, 0x45, 0xBE, 0xCE, 0x75, 0x95, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xDA, 0x58, 0x49, 0x35, 0x09, 0x8D, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xF0, 0xC0, 0x36, 0xF2, 0xA6, 0x2D, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFC, 0x3D, 0xA8, 0xFB, 0x3C, 0xD2, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x4D, 0x71, 0x09, 0x18, 0x42, 0xF0, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xC1, 0xCE, 0x9E, 0x6A, 0x49, 0x60, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xB1, 0x00, 0xF7, 0xA1, 0x7A, 0x31, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC3, 0x86, 0xCD, 0x20, 0x4A, 0x17, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xAB, 0x8B, 0x47, 0x8D, 0xAA, 0xA6, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x97, 0xF0, 0xBC, 0x2D, 0xDC, 0x9D, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x86, 0xB0, 0x74, 0xB2, 0xF4, 0xF6, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBD, 0xAC, 0xE3, 0x8F, 0x43, 0x5C, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xC3, 0xE2, 0x6E, 0x25, 0x49, 0xCD, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5E, 0x08, 0xB3, 0xB9, 0xAC, 0x5F, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xB7, 0xD1, 0xF4, 0xDC, 0x19, 0xE9, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xE4, 0xFA, 0xE1, 0x36, 0x3E, 0xED, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0x92, 0x84, 0x6E, 0x48, 0x03, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x95, 0xEF, 0x8F, 0xB2, 0x82, 0x6B, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFA, 0xB9, 0x55, 0x23, 0xFE, 0x09, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x79, 0x85, 0x4B, 0x0E, 0xD4, 0x35, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x27, 0x45, 0x81, 0xE0, 0x88, 0x52, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x63, 0xA2, 0x4B, 0xBC, 0x5D, 0xB1, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x8C, 0x83, 0xD9, 0x3E, 0xD3, 0x42, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x03, 0x3A, 0x31, 0xBA, 0xE9, 0x3A, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x10, 0xCD, 0x2D, 0x00, 0xFE, 0x32, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x6E, 0x1F, 0xDA, 0xF8, 0x6F, 0x4D, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x79, 0x7D, 0x09, 0xE5, 0xD3, 0x03, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC3, 0xBE, 0xDF, 0x07, 0x65, 0x49, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0x33, 0xEF, 0xAE, 0x4F, 0x04, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xE9, 0x9B, 0xFE, 0xBF, 0xE6, 0x85, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xBA, 0xAA, 0x06, 0xC4, 0xC6, 0xB8, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x83, 0x01, 0xA9, 0xF6, 0x51, 0xE7, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xA6, 0x15, 0x8E, 0xAB, 0x1F, 0x10, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x08, 0x27, 0x1A, 0xA1, 0x21, 0xAD, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x09, 0x90, 0x6E, 0x50, 0x90, 0x9A, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x9A, 0xFE, 0xD7, 0xA1, 0xF5, 0xA2, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x7D, 0xE3, 0xDC, 0x21, 0xFB, 0xA4, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBF, 0x07, 0xFF, 0x45, 0xDF, 0x51, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x5C, 0x34, 0x02, 0x62, 0x9B, 0x08, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xCE, 0x9A, 0x6A, 0xEC, 0x75, 0xF6, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x59, 0xF4, 0x78, 0x3C, 0x60, 0xB1, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x37, 0x84, 0x6A, 0xDC, 0xF2, 0x9A, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9A, 0x9A, 0x15, 0x36, 0xE0, 0x2B, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x38, 0x9C, 0x50, 0x3D, 0x1E, 0x37, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x79, 0xF0, 0x92, 0xF2, 0x8B, 0x18, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE0, 0x82, 0x1E, 0x80, 0x82, 0x4B, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xBB, 0x59, 0x6B, 0x8A, 0x77, 0x41, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xF9, 0xD4, 0xB8, 0x4A, 0x82, 0xCF, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x8C, 0xC8, 0x9B, 0x72, 0x9E, 0xF7, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xCE, 0xE9, 0x77, 0x0A, 0x19, 0x59, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xA1, 0x41, 0x6A, 0x72, 0x4B, 0xB4, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x35, 0x43, 0xE2, 0x8C, 0xBE, 0x0D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xEB, 0xAD, 0xF3, 0xA9, 0xA6, 0x68, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2F, 0xE2, 0x48, 0x0C, 0xDB, 0x1F, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x1E, 0x60, 0x9B, 0x2A, 0xD2, 0xC1, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x64, 0xB5, 0xD2, 0xF6, 0xF6, 0x6E, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x3D, 0x30, 0x78, 0x10, 0x18, 0x41, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x1D, 0x1C, 0xE0, 0x6D, 0x83, 0xD1, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x03, 0x0B, 0xF5, 0x2F, 0x6C, 0x04, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x3E, 0xD5, 0xFC, 0x31, 0x5B, 0x3A, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x82, 0x2F, 0xFB, 0xFE, 0xF8, 0x76, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x26, 0xDA, 0x9C, 0x36, 0xF5, 0x93, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xE7, 0x6E, 0xD2, 0x7D, 0x81, 0x09, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x03, 0xF9, 0x58, 0x48, 0x24, 0xA2, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x79, 0x0C, 0x8E, 0x6B, 0x95, 0xF3, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x10, 0x5C, 0x87, 0x03, 0x39, 0xCF, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xF0, 0xF7, 0xC1, 0x07, 0xA4, 0xF4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE8, 0x02, 0x89, 0x65, 0xC4, 0x72, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x88, 0xEA, 0x96, 0x67, 0x0B, 0x5D, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x75, 0x60, 0xA8, 0xBD, 0x74, 0xDF, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xE5, 0x71, 0x50, 0x67, 0xD0, 0xD2, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFC, 0xE5, 0xC7, 0x77, 0xB0, 0x7F, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x86, 0x69, 0xCD, 0x0D, 0x9A, 0xBD, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x17, 0xBC, 0xBB, 0x59, 0x85, 0x7D, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA8, 0x76, 0xAC, 0x80, 0xA9, 0x72, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0xC1, 0xE2, 0x4D, 0xAF, 0xF9, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x97, 0x8E, 0x74, 0xC4, 0x4B, 0xB2, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD8, 0xF6, 0xF3, 0xAF, 0x2F, 0x52, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x57, 0xF4, 0xCE, 0xEE, 0x43, 0xED, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x46, 0x38, 0xDE, 0x20, 0xFD, 0x59, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x18, 0xE8, 0x58, 0xB9, 0x76, 0x2C, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x54, 0xE4, 0xFE, 0xC7, 0xBC, 0x31, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF8, 0x89, 0xEE, 0x70, 0xB5, 0xB0, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x22, 0x26, 0x9A, 0x53, 0xB9, 0x38, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xA7, 0x19, 0x8C, 0x74, 0x7E, 0x88, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xDA, 0x0A, 0xE8, 0xDA, 0xA5, 0xBE, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x5C, 0xF7, 0xB1, 0x0C, 0x72, 0xFB, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xE2, 0x23, 0xE7, 0x46, 0xB7, 0xE0, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x36, 0xBC, 0xBD, 0x48, 0x11, 0x8E, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xBB, 0xA1, 0xF7, 0x0B, 0x9E, 0xBF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x28, 0xE1, 0xA2, 0x8F, 0xFC, 0xFC, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xFE, 0x19, 0x0A, 0xE5, 0xE7, 0x69, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xCD, 0x12, 0xF5, 0xBE, 0xD3, 0x04, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA8, 0x0D, 0x81, 0x59, 0xC4, 0x79, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xF3, 0x4B, 0x92, 0x65, 0xC3, 0x31, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xB5, 0x4F, 0x4D, 0x91, 0xD4, 0xE2, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x09, 0x41, 0x79, 0x1D, 0x4D, 0x0D, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x31, 0x18, 0xBA, 0xA0, 0xF2, 0x6E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x5B, 0x4D, 0x4F, 0xAF, 0xC9, 0x8C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x9C, 0x06, 0x68, 0xDE, 0xD8, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x04, 0xE1, 0xB5, 0x9D, 0x00, 0xBC, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x95, 0x92, 0x8D, 0x72, 0xD3, 0x37, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x4B, 0x27, 0xA2, 0xE8, 0xA4, 0x26, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x45, 0x9C, 0xA9, 0xCB, 0x9F, 0xBA, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x7E, 0x1B, 0x64, 0xF4, 0xE8, 0xA5, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x20, 0xA9, 0xCA, 0xF3, 0x89, 0xE5, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xED, 0xFC, 0xAB, 0xD9, 0x0A, 0xB9, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6F, 0x46, 0x7C, 0xCD, 0x78, 0xFF, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAB, 0x71, 0x5A, 0x94, 0xAB, 0x20, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x2E, 0xEE, 0x87, 0x57, 0x1F, 0xAD, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x4C, 0x3D, 0xFB, 0x7E, 0xA1, 0x8B, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xCF, 0x07, 0x86, 0xBA, 0x53, 0x37, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x26, 0xB2, 0xB9, 0xE2, 0x91, 0xE3, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xC9, 0x54, 0x84, 0x08, 0x3D, 0x0B, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x77, 0x2F, 0x64, 0x45, 0x99, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x96, 0x16, 0x1F, 0xDB, 0x96, 0x28, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x2B, 0x8D, 0xFF, 0xA2, 0x4F, 0x55, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE6, 0x48, 0xBD, 0x99, 0x3D, 0x12, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x84, 0x59, 0xDA, 0xB9, 0xB6, 0x66, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x78, 0x41, 0x92, 0xDF, 0xF4, 0x3F, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x86, 0x6F, 0x4F, 0xBF, 0x67, 0xDF, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x2B, 0x1E, 0x5F, 0x00, 0xEA, 0xF6, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xB9, 0x6A, 0x89, 0xD8, 0xC0, 0xD7, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x9A, 0x32, 0x23, 0xA0, 0x02, 0x91, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x7F, 0x6A, 0x15, 0x64, 0x6A, 0x8B, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x57, 0x82, 0x58, 0xA9, 0x56, 0xB5, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x50, 0x92, 0x60, 0xCC, 0x81, 0x24, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x3D, 0xAD, 0xDA, 0xD9, 0x51, 0x3E, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xFE, 0x8F, 0xB0, 0x0B, 0xDE, 0x2E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xD2, 0xBE, 0xEF, 0xAC, 0x76, 0x71, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xE8, 0x72, 0x0B, 0xAC, 0xFE, 0xCA, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0xC7, 0xFC, 0xE3, 0x3C, 0x7C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x04, 0xA7, 0xB9, 0x9B, 0x93, 0xC0, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x48, 0x4B, 0x8E, 0x32, 0xC5, 0xF0, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x42, 0x07, 0xC1, 0xF2, 0xF1, 0x72, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x37, 0x54, 0x9C, 0x88, 0xD2, 0x62, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x19, 0x8A, 0x89, 0x58, 0xA2, 0x0F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xCC, 0x4C, 0x97, 0x30, 0x66, 0x34, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x6A, 0x1E, 0x1F, 0xDB, 0xC9, 0x5E, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x4D, 0x49, 0xFF, 0x9B, 0x9C, 0xAC, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xE4, 0x4B, 0xF2, 0xD4, 0x1A, 0xD2, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xDA, 0xE8, 0x61, 0x9F, 0xC8, 0x49, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xCB, 0xF2, 0x2D, 0x85, 0xF6, 0x8D, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xC5, 0xCD, 0x2C, 0x79, 0xC6, 0x0E, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x1D, 0x55, 0x0F, 0xF8, 0x22, 0x9F, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x56, 0xBA, 0xE7, 0x57, 0x32, 0xEC, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x9A, 0xC6, 0x4C, 0x09, 0xC4, 0x52, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x1E, 0x6F, 0xF4, 0x7D, 0x27, 0xDD, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x11, 0x16, 0xEC, 0x79, 0x83, 0xAD, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x4E, 0x92, 0x1F, 0x19, 0x7D, 0x65, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xFF, 0x78, 0x15, 0x45, 0x63, 0x32, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x91, 0xD0, 0x78, 0x58, 0xDA, 0x50, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xDE, 0x40, 0xF6, 0x41, 0xB4, 0x3B, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x8D, 0xE0, 0xE1, 0xA9, 0xF0, 0x35, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xD4, 0xBA, 0x7B, 0xCC, 0x1B, 0x3A, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x5A, 0x2E, 0x74, 0x47, 0x14, 0xC3, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xF0, 0x8B, 0x06, 0x15, 0x8E, 0x0E, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xD2, 0xEB, 0x97, 0x50, 0x7D, 0x31, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x93, 0x4C, 0xDB, 0x97, 0x79, 0x44, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xA2, 0xA0, 0x0B, 0xC8, 0x3A, 0x8A, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x50, 0x92, 0x9E, 0x24, 0x1F, 0xCB, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x16, 0xC9, 0xC5, 0x3D, 0x5A, 0xAF, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xE3, 0x97, 0xE4, 0xA8, 0x50, 0xF6, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x57, 0x97, 0x42, 0x78, 0x92, 0x49, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEB, 0x62, 0x24, 0xFB, 0x8F, 0x32, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x0C, 0x36, 0x6E, 0x8F, 0xE8, 0xE8, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xD3, 0x7C, 0xC7, 0x8D, 0x3F, 0x5C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x64, 0x6A, 0x73, 0x10, 0x79, 0xB8, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xF9, 0xEF, 0xA5, 0x20, 0x4A, 0x5C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xF3, 0xF4, 0x49, 0x5B, 0x73, 0xAA, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xF2, 0xEA, 0x0F, 0x00, 0xAD, 0x53, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xB8, 0x66, 0xED, 0xC4, 0x2B, 0x4C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x2F, 0xC1, 0x9A, 0x37, 0xD2, 0x7F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA7, 0x81, 0x38, 0x64, 0xC9, 0x37, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x3B, 0x6C, 0x9F, 0x5B, 0xD9, 0x8B, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x14, 0xD9, 0x08, 0xD8, 0xD2, 0x7E, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x71, 0xE6, 0x3D, 0xD1, 0xB0, 0xE7, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x81, 0x23, 0xEC, 0x2D, 0x42, 0x45, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x5B, 0x44, 0x6B, 0x89, 0x03, 0x67, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x27, 0xAE, 0x80, 0x5A, 0x33, 0xBE, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB6, 0x64, 0x1A, 0xDF, 0xD3, 0x85, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x8C, 0x22, 0xBA, 0xD0, 0xBD, 0xCC, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x3C, 0x01, 0x3A, 0xFF, 0x9D, 0xC7, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC7, 0x64, 0xB4, 0x59, 0x4E, 0x9F, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x34, 0x0A, 0x41, 0x94, 0xA8, 0xF2, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD4, 0xE4, 0xF0, 0x97, 0x45, 0x6D, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x1F, 0x4D, 0x6D, 0xFE, 0xA0, 0xC4, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x28, 0x5C, 0x40, 0xBB, 0x65, 0xD4, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xA8, 0x87, 0x35, 0x20, 0x3A, 0x89, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFD, 0x4F, 0xAB, 0x2D, 0xD1, 0xD0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE8, 0x00, 0xFC, 0x69, 0x52, 0xF8, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x9A, 0x99, 0xE1, 0xDC, 0x9C, 0x3F, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x08, 0x98, 0xD9, 0xCA, 0x73, 0xD5, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x2C, 0xE0, 0xA7, 0x3E, 0x91, 0xD7, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x04, 0xB0, 0x54, 0x09, 0xF4, 0x72, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xEE, 0x28, 0xCC, 0xE8, 0x50, 0x78, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x91, 0x03, 0x76, 0xDB, 0x68, 0x24, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xE0, 0x56, 0xB2, 0x5D, 0x12, 0xD3, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x42, 0x59, 0x8B, 0xDF, 0x67, 0xB5, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xCC, 0xE5, 0x31, 0x53, 0x7A, 0x46, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8D, 0x59, 0xB5, 0x1B, 0x0F, 0xF4, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x2F, 0xD1, 0x2C, 0xE0, 0xD8, 0x04, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0xD7, 0xBA, 0xB0, 0xA3, 0x7E, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x08, 0x51, 0x56, 0xA6, 0x76, 0x67, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x17, 0x63, 0xFE, 0x56, 0xD0, 0xD9, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xF6, 0xC3, 0x14, 0x47, 0xC5, 0xA7, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x4C, 0x80, 0xF6, 0xA2, 0x57, 0xA7, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xB3, 0x7B, 0xF8, 0x2F, 0xE1, 0x3E, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xF4, 0xF9, 0x6B, 0x7B, 0x90, 0xDF, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x82, 0xEF, 0x62, 0xA1, 0x4C, 0x53, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x99, 0x76, 0x01, 0xBA, 0x8D, 0x0F, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xF4, 0x58, 0x73, 0x56, 0xFE, 0xDD, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xCE, 0xF9, 0xE8, 0xA1, 0x34, 0xC3, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x5F, 0xDC, 0x6A, 0x3D, 0xD8, 0x7F, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xF4, 0x51, 0xB8, 0xB8, 0xC1, 0xD7, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x7D, 0x58, 0xD1, 0xD4, 0x1B, 0x4D, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x95, 0xDF, 0x00, 0xD8, 0x21, 0xDE, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x47, 0x3C, 0xC3, 0xB2, 0x01, 0x53, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x17, 0x43, 0x23, 0xBD, 0xCA, 0x71, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xBA, 0x0F, 0x4F, 0xDC, 0x41, 0x54, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x39, 0x26, 0x70, 0x53, 0x32, 0x18, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x46, 0x07, 0x97, 0x3A, 0x57, 0xE0, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x92, 0x4F, 0xCE, 0xDF, 0x25, 0x80, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x6F, 0x9A, 0x03, 0x05, 0x4B, 0xD1, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x01, 0x72, 0x30, 0x90, 0x17, 0x51, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xFB, 0x41, 0x65, 0x5C, 0xB4, 0x2D, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xCD, 0xCD, 0xAA, 0x41, 0xCC, 0xBB, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xCE, 0x08, 0x0A, 0x63, 0xE9, 0xA2, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA8, 0x21, 0x7F, 0x7A, 0x5B, 0x9B, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x6B, 0x89, 0x44, 0x0A, 0x7F, 0x85, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xDE, 0x7C, 0x19, 0x5C, 0x65, 0x26, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xAC, 0x62, 0x29, 0x4A, 0xF1, 0xD0, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x00, 0x40, 0x87, 0xEB, 0xA9, 0x58, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x51, 0x0B, 0xFF, 0x56, 0x35, 0x51, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xAC, 0x08, 0x94, 0x71, 0xDA, 0xEC, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x4D, 0xC5, 0x7B, 0x31, 0x8B, 0x8D, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x05, 0xF1, 0x3E, 0x9E, 0x8F, 0x17, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x9C, 0x4B, 0x62, 0x94, 0xAD, 0x49, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC9, 0xC6, 0x8F, 0xFD, 0x33, 0x44, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x96, 0x17, 0x7F, 0x42, 0xBE, 0xF7, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x29, 0x39, 0x13, 0x08, 0x8D, 0x91, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x79, 0xF9, 0x2F, 0xA9, 0x0A, 0xCF, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x87, 0x7A, 0xA3, 0x19, 0xAB, 0x55, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x0B, 0x01, 0xC5, 0x56, 0x19, 0x9D, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xDE, 0x82, 0x3B, 0xEA, 0xD3, 0x0B, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x6B, 0xC7, 0xF3, 0x0F, 0x82, 0x87, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x2E, 0x23, 0xF2, 0x39, 0x9D, 0x49, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xDE, 0xAF, 0x7A, 0xEE, 0xB0, 0xDA, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x4E, 0x2A, 0x50, 0xFD, 0x8E, 0xC0, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x0F, 0x7C, 0x76, 0x63, 0xD8, 0x89, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x2D, 0xB9, 0x4E, 0xF4, 0xEE, 0x85, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x95, 0x5C, 0x96, 0x5D, 0xAA, 0x59, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xDB, 0xD2, 0x68, 0x8E, 0x5A, 0x94, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x02, 0xBF, 0x77, 0x9F, 0xB9, 0x4C, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xDC, 0xC0, 0xCF, 0x81, 0x1E, 0xC4, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xCC, 0x37, 0x86, 0xDC, 0xE2, 0x64, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x30, 0xB1, 0x59, 0x20, 0x9D, 0x98, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x0C, 0x9D, 0xF8, 0x20, 0xDC, 0x90, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xA0, 0xF4, 0xE7, 0x3E, 0x9C, 0x9E, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x25, 0xA2, 0xB0, 0x54, 0xCD, 0x2E, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD9, 0x42, 0xB0, 0x80, 0xB0, 0xA3, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xFE, 0x9D, 0x8D, 0x40, 0xFF, 0x27, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9D, 0xA6, 0x88, 0x3A, 0x8B, 0x6F, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x39, 0xEE, 0x1F, 0x3F, 0xB1, 0x4F, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD7, 0x9E, 0xFF, 0xD2, 0x35, 0x67, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x4F, 0x15, 0x5D, 0xE3, 0xE8, 0x53, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF7, 0x24, 0x98, 0xA2, 0xCB, 0x11, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x2E, 0x25, 0xE1, 0x94, 0xC5, 0xA3, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x82, 0x6E, 0xBA, 0xE7, 0x43, 0x25, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x65, 0xB4, 0x49, 0x73, 0x18, 0x35, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x5B, 0xBC, 0x62, 0x86, 0x4C, 0xC1, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xF2, 0x95, 0xA2, 0xBB, 0xA2, 0x35, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x59, 0x62, 0xB0, 0x4B, 0x1E, 0xB4, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x55, 0xCE, 0xB0, 0x69, 0xBA, 0x63, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x69, 0x86, 0xDB, 0x34, 0x7D, 0x68, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x06, 0xCA, 0x55, 0x44, 0x36, 0x2B, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xD4, 0xC4, 0x3D, 0xCD, 0x9E, 0x69, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x44, 0xE4, 0xBF, 0x31, 0xE6, 0x40, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x4F, 0xFA, 0x75, 0xE3, 0xFB, 0x97, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xC0, 0xBD, 0x1C, 0x48, 0xB0, 0x26, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x7B, 0x32, 0xFA, 0xF2, 0x6D, 0x84, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x21, 0x03, 0x1D, 0x0D, 0x22, 0x55, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xF9, 0x42, 0x03, 0x9C, 0xC2, 0xCB, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xA1, 0x96, 0xD9, 0x9D, 0x11, 0x6F, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x40, 0x57, 0xEB, 0x40, 0x2D, 0xC0, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x96, 0xBB, 0x4F, 0x2F, 0x23, 0xA8, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x29, 0x85, 0x21, 0xA5, 0x50, 0x62, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x7D, 0x92, 0xCF, 0x87, 0x0C, 0x22, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x0E, 0xA5, 0x32, 0x5B, 0xDF, 0x9C, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x96, 0x37, 0x2C, 0x88, 0x35, 0x30, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xB4, 0x69, 0xFF, 0xEB, 0xC6, 0x94, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x55, 0x60, 0xAD, 0xAA, 0x58, 0x14, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xFF, 0xF2, 0xB2, 0xD5, 0xA7, 0xD9, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xAE, 0x54, 0xD2, 0x60, 0x31, 0xF3, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x92, 0x83, 0xE3, 0xF1, 0x42, 0x83, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD2, 0xC8, 0xB7, 0x76, 0x45, 0x7F, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x11, 0xA4, 0xFB, 0x7A, 0x01, 0xBC, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x27, 0x73, 0x8D, 0x02, 0x91, 0x27, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x62, 0xF6, 0xDD, 0x6B, 0xFA, 0x5B, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCA, 0xA2, 0x44, 0x2C, 0xF0, 0x28, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xF1, 0x7A, 0xA2, 0x42, 0x4C, 0x50, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x83, 0x3E, 0x50, 0xAB, 0x9C, 0xF7, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xED, 0x78, 0xCB, 0x76, 0x69, 0xDA, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x1E, 0x43, 0x27, 0x47, 0x6E, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x4F, 0x54, 0xB9, 0x3E, 0xBD, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x40, 0x69, 0x7F, 0x74, 0x9D, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x06, 0x6F, 0x67, 0x68, 0x2B, 0x4D, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x65, 0x41, 0xFC, 0x7C, 0x1E, 0xE8, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x79, 0x37, 0xAF, 0xFD, 0xD2, 0xDA, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xA8, 0x69, 0x56, 0x62, 0xA4, 0xE4, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x71, 0x73, 0x21, 0x8A, 0x17, 0x81, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x55, 0x8F, 0x7B, 0xB8, 0xAF, 0xF7, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xD1, 0xBD, 0xBE, 0x8C, 0xBC, 0x60, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA6, 0x57, 0x8C, 0xAE, 0x5C, 0x19, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x43, 0xE4, 0xD9, 0xD8, 0x7B, 0xE7, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xB9, 0xE4, 0x85, 0x7C, 0x2E, 0xFC, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2E, 0x01, 0x2A, 0x6D, 0x56, 0xBE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x0C, 0x25, 0x9B, 0xAE, 0x86, 0x37, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x22, 0xB3, 0xCB, 0x99, 0x66, 0xB7, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xF7, 0x90, 0xF0, 0x1B, 0x09, 0x27, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x16, 0x08, 0xEF, 0x39, 0x64, 0x49, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA0, 0xE3, 0x97, 0xA9, 0x07, 0x54, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xFF, 0xE2, 0x00, 0x07, 0x21, 0x88, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFD, 0x59, 0x53, 0x05, 0x6C, 0x42, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xF7, 0x39, 0x5C, 0x82, 0x36, 0xE8, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x83, 0xA8, 0xE2, 0xA8, 0x43, 0x07, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xAF, 0x2B, 0x79, 0xED, 0xD8, 0x39, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x20, 0x91, 0x7A, 0xC4, 0x07, 0xEF, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x2F, 0xAA, 0x0C, 0x94, 0x0E, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x81, 0x87, 0x41, 0x23, 0xEB, 0x55, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x53, 0xCC, 0x79, 0xB6, 0xEB, 0x6C, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x77, 0x73, 0x9D, 0xFC, 0x64, 0x6F, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x40, 0xE3, 0x6D, 0x1C, 0x16, 0x71, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xF4, 0x1B, 0xFF, 0x1C, 0x2F, 0xA5, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x0E, 0x0B, 0x11, 0xF4, 0x8D, 0x93, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC5, 0x64, 0x6F, 0x24, 0x19, 0xF2, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xB3, 0xAF, 0xA5, 0x0E, 0x4F, 0x5E, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x77, 0xCA, 0xF2, 0x6D, 0xC5, 0xF6, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x18, 0x8E, 0x33, 0x68, 0x6C, 0xE8, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x8B, 0x80, 0x90, 0x19, 0x7F, 0x90, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x80, 0x6B, 0x68, 0xE2, 0x7D, 0xD4, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC1, 0x67, 0xB3, 0x72, 0xCB, 0xBF, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xD5, 0xD3, 0x1D, 0x14, 0x58, 0x0A, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x7A, 0x65, 0x98, 0xB3, 0x07, 0x4B, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x87, 0x0F, 0x5F, 0xCF, 0xA2, 0x01, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC9, 0xC8, 0x6E, 0x35, 0x87, 0xA5, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x3E, 0x91, 0xA0, 0xAB, 0x24, 0x1E, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBC, 0x02, 0x35, 0x70, 0xC1, 0x5F, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x59, 0xA0, 0x50, 0x04, 0x80, 0x52, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x56, 0x6E, 0x42, 0x8F, 0x8C, 0x91, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xA2, 0xCB, 0xA5, 0xDE, 0x14, 0x24, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xCB, 0x74, 0x28, 0xE6, 0xA7, 0xE7, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x73, 0xA8, 0x8F, 0x9E, 0x0E, 0x63, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x1B, 0x77, 0xC7, 0xC1, 0x38, 0xF9, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x3C, 0xCF, 0xA8, 0x7A, 0xD7, 0xF3, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x5F, 0x9A, 0xC9, 0xAD, 0xE9, 0x1A, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0x2B, 0x5E, 0xD5, 0x81, 0x95, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x88, 0x75, 0x29, 0x1F, 0xC7, 0xC7, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA9, 0x5A, 0x4D, 0x63, 0x95, 0xF9, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xCD, 0x04, 0x8F, 0xCD, 0x91, 0xDE, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xD4, 0xFD, 0x25, 0x11, 0x99, 0x6E, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x83, 0x01, 0x3D, 0xFB, 0x56, 0xA5, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x3A, 0xDC, 0x74, 0xC2, 0xD7, 0xCF, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xBD, 0xF1, 0xDD, 0xA3, 0x07, 0x03, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xBE, 0xE9, 0x2E, 0x58, 0x84, 0x66, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x20, 0x78, 0x37, 0x79, 0x0B, 0xA6, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xF2, 0xAC, 0x65, 0xC8, 0xC9, 0x2F, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x93, 0xE5, 0x0D, 0x0C, 0xC6, 0xB8, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAD, 0x5C, 0x19, 0x12, 0x61, 0x0E, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x4F, 0x0B, 0x1F, 0x49, 0x7E, 0xCD, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2E, 0x30, 0x61, 0xDB, 0x08, 0x68, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x78, 0xAF, 0xB3, 0x08, 0xC1, 0x69, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x5F, 0x5D, 0xC1, 0x57, 0x6F, 0xD8, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xD3, 0x6A, 0xF7, 0xFD, 0x86, 0xE5, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x63, 0xBD, 0x70, 0x7B, 0x47, 0xE8, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x62, 0xC8, 0x7E, 0x9D, 0x11, 0x2B, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x84, 0xFD, 0xD5, 0x9A, 0x56, 0x7F, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBB, 0xA4, 0x6F, 0x12, 0x6E, 0x4D, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x08, 0xA1, 0x82, 0x9C, 0x62, 0x74, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x22, 0x05, 0x1D, 0x15, 0x35, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x88, 0xCF, 0x5C, 0x05, 0x78, 0xFB, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x6B, 0x2F, 0x79, 0x09, 0x73, 0x67, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA0, 0x80, 0xD8, 0xE8, 0xEC, 0xFB, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0B, 0xB7, 0x81, 0x48, 0x7B, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x53, 0xA9, 0xED, 0x61, 0x92, 0xD7, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x49, 0xD9, 0x5D, 0x9B, 0x4E, 0x89, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x12, 0xEB, 0x9A, 0xC9, 0xCB, 0xC1, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xDC, 0x95, 0x16, 0xFE, 0x29, 0x70, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x33, 0xB1, 0xD6, 0x78, 0xB9, 0xE2, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xCE, 0x88, 0xC3, 0xFD, 0x7A, 0x6B, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x1E, 0x50, 0x1E, 0xAF, 0xB1, 0x25, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xE7, 0xD7, 0xD5, 0xBD, 0x7A, 0x12, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xAA, 0xA2, 0x80, 0x5D, 0x8F, 0xCD, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x39, 0x79, 0x64, 0xA1, 0x67, 0x3C, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xC7, 0x49, 0xFF, 0x7F, 0xAC, 0xAB, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x54, 0x3E, 0x83, 0xF0, 0x3D, 0xBC, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x92, 0x4A, 0x38, 0x42, 0x8A, 0xAB, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x0B, 0x4F, 0xEE, 0x9E, 0x92, 0xA5, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xDD, 0x19, 0x96, 0xF2, 0xF0, 0x6B, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xFC, 0xDD, 0xB2, 0x8A, 0xE5, 0x4C, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x06, 0x49, 0xAC, 0x99, 0x7E, 0xF8, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xC8, 0x01, 0x51, 0xEA, 0xF6, 0x52, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x89, 0x66, 0x2B, 0x1F, 0x9B, 0x2A, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x0F, 0x95, 0x07, 0x2B, 0x6C, 0x6E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC3, 0xB4, 0xBB, 0x91, 0x1F, 0xA3, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x6E, 0x54, 0x28, 0x7B, 0x9C, 0x79, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x45, 0xFF, 0xA6, 0xDA, 0xA2, 0x83, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xDE, 0x8F, 0x17, 0x37, 0x82, 0xCB, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x94, 0x3F, 0x26, 0xC9, 0x1D, 0xD9, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x28, 0x20, 0xCD, 0xC1, 0xF3, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC9, 0xB5, 0x60, 0x9B, 0x1E, 0xDC, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xB9, 0x5B, 0x7D, 0xA0, 0xB2, 0x8C, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xD1, 0x42, 0xE6, 0x39, 0x33, 0x6D, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xC0, 0xFC, 0xD2, 0x14, 0x5D, 0x3E, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x4A, 0x3E, 0x40, 0x16, 0x93, 0x15, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x24, 0xC1, 0x27, 0x27, 0xE5, 0x4B, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x50, 0xD8, 0xBC, 0xC1, 0x46, 0x22, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x0E, 0x60, 0xA1, 0xB3, 0x50, 0xD4, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xB1, 0x26, 0xB6, 0x6D, 0x47, 0x5A, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0xAC, 0x11, 0x35, 0x3E, 0xB9, 0xF4, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x97, 0xFA, 0xBB, 0x6B, 0x39, 0x13, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x34, 0x12, 0x75, 0x8E, 0x9B, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x9E, 0xCD, 0x29, 0xB6, 0xEF, 0x8D, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xAC, 0xE9, 0x25, 0x27, 0xBB, 0x78, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x7A, 0xA8, 0xD3, 0xE3, 0x66, 0xE5, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x4C, 0xC4, 0x2C, 0x76, 0x81, 0x50, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x71, 0x08, 0xB8, 0x52, 0x7C, 0xAF, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x59, 0x24, 0xDD, 0xFB, 0x2F, 0xD0, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCD, 0x56, 0xE9, 0xAC, 0x91, 0xE6, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x64, 0x20, 0xC6, 0x9F, 0xE4, 0xEF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x2C, 0x8F, 0x8C, 0x97, 0xF6, 0x22, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0x88, 0xAA, 0xA8, 0xD7, 0xA5, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x6C, 0xAE, 0x83, 0xB1, 0x55, 0x55, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x67, 0x84, 0x47, 0x7C, 0x83, 0x5C, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x10, 0x4D, 0xDD, 0x30, 0x60, 0xB0, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xA7, 0x36, 0x76, 0x24, 0x32, 0x9F, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x42, 0x81, 0xFB, 0xA4, 0x2E, 0x13, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x94, 0x91, 0xFF, 0x99, 0xA0, 0x09, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x83, 0xA1, 0x76, 0xAF, 0x37, 0x5C, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA8, 0x04, 0x86, 0xC4, 0xA9, 0x79, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8C, 0xC2, 0x34, 0xFB, 0x83, 0x28, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x03, 0x7D, 0x5E, 0x9E, 0x0E, 0xB0, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x02, 0x46, 0x7F, 0xB9, 0xAC, 0xBB, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xED, 0x48, 0xC2, 0x96, 0x4D, 0x56, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xC5, 0xD1, 0xE6, 0x1C, 0x7E, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x2E, 0x18, 0x71, 0x2D, 0x7B, 0xD7, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x46, 0x9D, 0xDE, 0xAA, 0x78, 0x8E, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD7, 0x69, 0x2E, 0xE1, 0xD9, 0x48, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFF, 0x9E, 0x09, 0x22, 0x22, 0xE6, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x14, 0x28, 0x13, 0x1B, 0x62, 0x12, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x7F, 0x67, 0x03, 0xB0, 0xC0, 0xF3, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xC3, 0x0F, 0xFB, 0x25, 0x48, 0x3E, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x6E, 0x53, 0x98, 0x36, 0xB3, 0xD3, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x81, 0x54, 0x22, 0xA4, 0xCC, 0xC1, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xBA, 0xFC, 0xA9, 0xDF, 0x68, 0x86, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x92, 0x0E, 0xC3, 0xF2, 0x58, 0xE8, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp521r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(secp521r1_T_0_X, secp521r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_1_X, secp521r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_2_X, secp521r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_3_X, secp521r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_4_X, secp521r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_5_X, secp521r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_6_X, secp521r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_7_X, secp521r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_8_X, secp521r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_9_X, secp521r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_10_X, secp521r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_11_X, secp521r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_12_X, secp521r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_13_X, secp521r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_14_X, secp521r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_15_X, secp521r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_16_X, secp521r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_17_X, secp521r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_18_X, secp521r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_19_X, secp521r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_20_X, secp521r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_21_X, secp521r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_22_X, secp521r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_23_X, secp521r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_24_X, secp521r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_25_X, secp521r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_26_X, secp521r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_27_X, secp521r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_28_X, secp521r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_29_X, secp521r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_30_X, secp521r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_31_X, secp521r1_T_31_Y),
+};
+#else
+#define secp521r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static const mbedtls_mpi_uint secp192k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp192k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp192k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x03, 0x00),
+};
+static const mbedtls_mpi_uint secp192k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
+};
+static const mbedtls_mpi_uint secp192k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
+};
+static const mbedtls_mpi_uint secp192k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp192k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
+};
+static const mbedtls_mpi_uint secp192k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
+};
+static const mbedtls_mpi_uint secp192k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x77, 0x3D, 0x0D, 0x85, 0x48, 0xA8, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x07, 0xDF, 0x1D, 0xB3, 0xB3, 0x01, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x86, 0xF6, 0xAF, 0x19, 0x2A, 0x88, 0x2E),
+};
+static const mbedtls_mpi_uint secp192k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x90, 0xB6, 0x2F, 0x48, 0x36, 0x4C, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x11, 0x14, 0xA6, 0xCB, 0xBA, 0x15, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB0, 0xF2, 0xD4, 0xC9, 0xDA, 0xBA, 0xD7),
+};
+static const mbedtls_mpi_uint secp192k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xC1, 0x9C, 0xE6, 0xBB, 0xFB, 0xCF, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x19, 0xAC, 0x5A, 0xC9, 0x8A, 0x1C, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xF6, 0x76, 0x86, 0x89, 0x27, 0x8D, 0x28),
+};
+static const mbedtls_mpi_uint secp192k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xE0, 0x6F, 0x34, 0xBA, 0x5E, 0xD3, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xDC, 0xA6, 0x87, 0xC9, 0x9D, 0xC0, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x11, 0x7E, 0xD6, 0xF7, 0x33, 0xFC, 0xE4),
+};
+static const mbedtls_mpi_uint secp192k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x37, 0x3E, 0xC0, 0x7F, 0x62, 0xE7, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3B, 0x69, 0x9D, 0x44, 0xBC, 0x82, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x84, 0xB3, 0x5F, 0x2B, 0xA5, 0x9E, 0x2C),
+};
+static const mbedtls_mpi_uint secp192k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x95, 0xEB, 0x4C, 0x04, 0xB4, 0xF4, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAD, 0x4B, 0xD5, 0x9A, 0xEB, 0xC4, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xB1, 0xC5, 0x59, 0xE3, 0xD5, 0x16, 0x2A),
+};
+static const mbedtls_mpi_uint secp192k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x2A, 0xCC, 0xAC, 0xD0, 0xEE, 0x50, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x83, 0xE0, 0x5B, 0x14, 0x44, 0x52, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x15, 0x2D, 0x78, 0xF6, 0x51, 0x32, 0xCF),
+};
+static const mbedtls_mpi_uint secp192k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x36, 0x9B, 0xDD, 0xF8, 0xDD, 0xEF, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xB1, 0x6A, 0x2B, 0xAF, 0xEB, 0x2B, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x87, 0x7A, 0x66, 0x5D, 0x5B, 0xDF, 0x8F),
+};
+static const mbedtls_mpi_uint secp192k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x45, 0xE5, 0x81, 0x9B, 0xEB, 0x37, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x29, 0xE2, 0x20, 0x64, 0x23, 0x6B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1D, 0x41, 0xE1, 0x9B, 0x61, 0x7B, 0xD9),
+};
+static const mbedtls_mpi_uint secp192k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x57, 0xA3, 0x0A, 0x13, 0xE4, 0x59, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x6E, 0x4A, 0x48, 0x84, 0x90, 0xAC, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB8, 0xF5, 0xF3, 0xDE, 0xA0, 0xA1, 0x1D),
+};
+static const mbedtls_mpi_uint secp192k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x32, 0x81, 0xA9, 0x91, 0x5A, 0x4E, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xA8, 0x90, 0xBE, 0x0F, 0xEC, 0xC0, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x30, 0xD7, 0x08, 0xAE, 0xC4, 0x3A, 0xA5),
+};
+static const mbedtls_mpi_uint secp192k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x55, 0xE3, 0x76, 0xB3, 0x64, 0x74, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x75, 0xD4, 0xDB, 0x98, 0xD7, 0x39, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xEB, 0x8A, 0xAB, 0x16, 0xD9, 0xD4, 0x0B),
+};
+static const mbedtls_mpi_uint secp192k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xBE, 0xF9, 0xC7, 0xC7, 0xBA, 0xF3, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x85, 0x59, 0xF3, 0x60, 0x41, 0x02, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x1C, 0x4A, 0xA4, 0xC7, 0xED, 0x66, 0xBC),
+};
+static const mbedtls_mpi_uint secp192k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x2E, 0x46, 0x52, 0x18, 0x87, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x35, 0x5A, 0x75, 0xAC, 0x4D, 0x75, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x2F, 0xAC, 0xFC, 0xBC, 0xE6, 0x93, 0x5E),
+};
+static const mbedtls_mpi_uint secp192k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x4D, 0xC9, 0x18, 0xE9, 0x00, 0xEB, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x69, 0x72, 0x07, 0x5A, 0x59, 0xA8, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x65, 0x83, 0x20, 0x10, 0xF9, 0x69, 0x82),
+};
+static const mbedtls_mpi_uint secp192k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x56, 0x7F, 0x9F, 0xBF, 0x46, 0x0C, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0xF0, 0xDC, 0xDF, 0x2D, 0xE6, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xF0, 0x72, 0x3A, 0x7A, 0x03, 0xE5, 0x22),
+};
+static const mbedtls_mpi_uint secp192k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xAA, 0x57, 0x13, 0x37, 0xA7, 0x2C, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xAC, 0xA2, 0x23, 0xF9, 0x84, 0x60, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xEB, 0x51, 0x70, 0x64, 0x78, 0xCA, 0x05),
+};
+static const mbedtls_mpi_uint secp192k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xCC, 0x30, 0x62, 0x93, 0x46, 0x13, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x26, 0xCC, 0x6C, 0x3D, 0x5C, 0xDA, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xAA, 0xB8, 0x03, 0xA4, 0x1A, 0x00, 0x96),
+};
+static const mbedtls_mpi_uint secp192k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x9D, 0xE6, 0xCC, 0x4E, 0x2E, 0xC2, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xC3, 0x8A, 0xAE, 0x6F, 0x40, 0x05, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x8F, 0x4A, 0x4D, 0x35, 0xD3, 0x50, 0x9D),
+};
+static const mbedtls_mpi_uint secp192k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xFD, 0x98, 0xAB, 0xC7, 0x03, 0xB4, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x40, 0xD2, 0x9F, 0xCA, 0xD0, 0x53, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x84, 0x00, 0x6F, 0xC8, 0xAD, 0xED, 0x8D),
+};
+static const mbedtls_mpi_uint secp192k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xD3, 0x57, 0xD7, 0xC3, 0x07, 0xBD, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xBA, 0x47, 0x1D, 0x3D, 0xEF, 0x98, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC0, 0x6C, 0x7F, 0x12, 0xEE, 0x9F, 0x67),
+};
+static const mbedtls_mpi_uint secp192k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x02, 0xDA, 0x79, 0xAA, 0xC9, 0x27, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x79, 0xC7, 0x71, 0x84, 0xCB, 0xE5, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x37, 0x06, 0xBA, 0xB5, 0xD5, 0x18, 0x4C),
+};
+static const mbedtls_mpi_uint secp192k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x65, 0x72, 0x6C, 0xF2, 0x63, 0x27, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xBC, 0x71, 0xDF, 0x75, 0xF8, 0x98, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x70, 0x9B, 0xDC, 0xE7, 0x18, 0x71, 0xFF),
+};
+static const mbedtls_mpi_uint secp192k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x5B, 0x9F, 0x00, 0x5A, 0xB6, 0x80, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE0, 0xBB, 0xFC, 0x5E, 0x78, 0x9C, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x03, 0x68, 0x83, 0x3D, 0x2E, 0x4C, 0xDD),
+};
+static const mbedtls_mpi_uint secp192k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x49, 0x23, 0xA8, 0xCB, 0x3B, 0x1A, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x3D, 0xA7, 0x46, 0xCF, 0x75, 0xB6, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xFD, 0x30, 0x01, 0xB6, 0xEF, 0xF9, 0xE8),
+};
+static const mbedtls_mpi_uint secp192k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xFA, 0xDA, 0xB8, 0x29, 0x42, 0xC9, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xD7, 0xA0, 0xE6, 0x6B, 0x86, 0x61, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xE9, 0xD3, 0x37, 0xD8, 0xE7, 0x35, 0xA9),
+};
+static const mbedtls_mpi_uint secp192k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC8, 0x8E, 0xB1, 0xCB, 0xB1, 0xB5, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xD7, 0x46, 0x7D, 0xAF, 0xE2, 0xDC, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x46, 0xE7, 0xD8, 0x76, 0x31, 0x90, 0x76),
+};
+static const mbedtls_mpi_uint secp192k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD3, 0xF4, 0x74, 0xE1, 0x67, 0xD8, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x70, 0x3C, 0xC8, 0xAF, 0x5F, 0xF4, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x4E, 0xED, 0x5C, 0x43, 0xB3, 0x16, 0x35),
+};
+static const mbedtls_mpi_uint secp192k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAE, 0xD1, 0xDD, 0x31, 0x14, 0xD3, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x14, 0x06, 0x13, 0x12, 0x1C, 0x81, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xF9, 0x0C, 0x91, 0xF7, 0x67, 0x59, 0x63),
+};
+static const mbedtls_mpi_uint secp192k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x91, 0xE2, 0xF4, 0x9D, 0xEB, 0x88, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x82, 0x30, 0x9C, 0xAE, 0x18, 0x4D, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x79, 0xCF, 0x17, 0xA5, 0x1E, 0xE8, 0xC8),
+};
+static const mbedtls_ecp_point secp192k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp192k1_T_0_X, secp192k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_1_X, secp192k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_2_X, secp192k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_3_X, secp192k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_4_X, secp192k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_5_X, secp192k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_6_X, secp192k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_7_X, secp192k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_8_X, secp192k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_9_X, secp192k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_10_X, secp192k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_11_X, secp192k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_12_X, secp192k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_13_X, secp192k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_14_X, secp192k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_15_X, secp192k1_T_15_Y),
+};
+#else
+#define secp192k1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static const mbedtls_mpi_uint secp224k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp224k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x05, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x33, 0x5B, 0x45, 0xA1),
+};
+static const mbedtls_mpi_uint secp224k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xED, 0x9F, 0x08, 0x7E),
+};
+static const mbedtls_mpi_uint secp224k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp224k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x5B, 0x45, 0xA1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x9F, 0x08, 0x7E, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x6C, 0x22, 0x22, 0x40, 0x89, 0xAE, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x92, 0xE1, 0x87, 0x56, 0x35, 0xAF, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xAF, 0x08, 0x35, 0x27, 0xEA, 0x04, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x53, 0xFD, 0xCF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xD0, 0x9F, 0x8D, 0xF3, 0x63, 0x54, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xDB, 0x0F, 0x61, 0x54, 0x26, 0xD1, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x21, 0xF7, 0x1B, 0xB5, 0x1D, 0xF6, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x05, 0xDA, 0x8F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x26, 0x73, 0xBC, 0xE4, 0x29, 0x62, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x95, 0x17, 0x8B, 0xC3, 0x9B, 0xAC, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xDB, 0x77, 0xDF, 0xDD, 0x13, 0x04, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xFC, 0x22, 0x93, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0xF1, 0x5A, 0x37, 0xEF, 0x79, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x37, 0xAC, 0x9A, 0x5B, 0x51, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x75, 0x13, 0xA9, 0x4A, 0xAD, 0xFE, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x82, 0x6F, 0x66, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x5E, 0xF0, 0x40, 0xC3, 0xA6, 0xE2, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x9A, 0x6F, 0xCF, 0x11, 0x26, 0x66, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x73, 0xA8, 0xCF, 0x2B, 0x12, 0x36, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xB3, 0x0A, 0x58, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x79, 0x00, 0x55, 0x04, 0x34, 0x90, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x54, 0x1C, 0xC2, 0x45, 0x0C, 0x1B, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x19, 0xAB, 0xA8, 0xFC, 0x73, 0xDC, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xFB, 0x93, 0xCE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x75, 0xD0, 0x66, 0x95, 0x86, 0xCA, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xEA, 0x29, 0x16, 0x6A, 0x38, 0xDF, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA2, 0x36, 0x2F, 0xDC, 0xBB, 0x5E, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x89, 0x59, 0x49, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xA3, 0x99, 0x9D, 0xB8, 0x77, 0x9D, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x93, 0x43, 0x47, 0xC6, 0x5C, 0xF9, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x00, 0x79, 0x42, 0x64, 0xB8, 0x25, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x54, 0xB4, 0x33, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x0C, 0x42, 0x90, 0x83, 0x0B, 0x31, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2E, 0xAE, 0xC8, 0xC7, 0x5F, 0xD2, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xBC, 0xAD, 0x41, 0xE7, 0x32, 0x3A, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x97, 0x52, 0x83, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x13, 0x7A, 0xBD, 0xAE, 0x94, 0x60, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x9B, 0x95, 0xB4, 0x6E, 0x68, 0xB2, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x49, 0xBE, 0x51, 0xFE, 0x66, 0x15, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x37, 0xE4, 0xFE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x9B, 0xEE, 0x64, 0xC9, 0x1B, 0xBD, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x5F, 0x34, 0xA9, 0x0B, 0xB7, 0x25, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x13, 0xB1, 0x38, 0xFB, 0x9D, 0x78, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xE7, 0x1B, 0xFA, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xB3, 0xB7, 0x44, 0x92, 0x6B, 0x00, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x82, 0x44, 0x3E, 0x18, 0x1A, 0x58, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF8, 0xC0, 0xE4, 0xEE, 0xC1, 0xBF, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x32, 0x27, 0xB2, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x9A, 0x42, 0x62, 0x8B, 0x26, 0x54, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x85, 0x74, 0xA0, 0x79, 0xA8, 0xEE, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0x60, 0xB3, 0x28, 0x4D, 0x55, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x27, 0x82, 0x29, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xFC, 0x73, 0x77, 0xAF, 0x5C, 0xAC, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xED, 0xE5, 0xF6, 0x1D, 0xA8, 0x67, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xDE, 0x33, 0x1C, 0xF1, 0x80, 0x73, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE2, 0xDE, 0x3C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x3E, 0x6B, 0xFE, 0xF0, 0x04, 0x28, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xB2, 0x14, 0x9D, 0x18, 0x11, 0x7D, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC4, 0xD6, 0x2E, 0x6E, 0x57, 0x4D, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x55, 0x1B, 0xDE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xF7, 0x17, 0xBC, 0x45, 0xAB, 0x16, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xB0, 0xEF, 0x61, 0xE3, 0x20, 0x7C, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x85, 0x41, 0x4D, 0xF1, 0x7E, 0x4D, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC2, 0x9B, 0x5E, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x2E, 0x49, 0x3D, 0x3E, 0x4B, 0xD3, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x2B, 0x9D, 0xD5, 0x27, 0xFA, 0xCA, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xB3, 0x6A, 0xE0, 0x79, 0x14, 0x28, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x1E, 0xDC, 0xF5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x44, 0x56, 0xCD, 0xFC, 0x9F, 0x09, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x8C, 0x59, 0xA4, 0x64, 0x2A, 0x3A, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xA0, 0xB5, 0x86, 0x4E, 0x69, 0xDA, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x8B, 0x11, 0x38, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x17, 0x16, 0x12, 0x17, 0xDC, 0x00, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x76, 0x24, 0x6C, 0x97, 0x2C, 0xB5, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x71, 0xE3, 0xB0, 0xBB, 0x4E, 0x50, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x48, 0x26, 0xD5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x5F, 0x28, 0xF6, 0x01, 0x5A, 0x60, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x95, 0xFE, 0xD0, 0xAD, 0x15, 0xD4, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0x7A, 0xFD, 0x80, 0xF7, 0x9F, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xBC, 0x1B, 0xDF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xE6, 0xDF, 0x14, 0x29, 0xF4, 0xD4, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x12, 0xDD, 0xEC, 0x5B, 0x8A, 0x59, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x92, 0x3E, 0x35, 0x08, 0xE9, 0xCF, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x35, 0x29, 0x97, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xDB, 0xD6, 0x6A, 0xC5, 0x43, 0xA4, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x33, 0x50, 0x61, 0x70, 0xA1, 0xE9, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x15, 0x6E, 0x5F, 0x01, 0x0C, 0x8C, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xA1, 0x9A, 0x9D, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xC6, 0xF7, 0xE2, 0x4A, 0xCD, 0x9B, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x4D, 0x5A, 0xB8, 0xE2, 0x6D, 0xA6, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3F, 0xB6, 0x17, 0xE3, 0x2C, 0x6F, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA4, 0x59, 0x51, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x4F, 0x7C, 0x49, 0xCD, 0x6E, 0xEB, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xC9, 0x1F, 0xB7, 0x4D, 0x98, 0xC7, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xFD, 0x98, 0x20, 0x95, 0xBB, 0x20, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF2, 0x73, 0x92, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xEF, 0xFB, 0x30, 0xFA, 0x12, 0x1A, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x4C, 0x24, 0xB4, 0x5B, 0xC9, 0x4C, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xDD, 0x5E, 0x84, 0x95, 0x4D, 0x26, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xFA, 0xF9, 0x3A, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xA3, 0x2E, 0x7A, 0xDC, 0xA7, 0x53, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x9F, 0x81, 0x84, 0xB2, 0x0D, 0xFE, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x89, 0x1B, 0x77, 0x0C, 0x89, 0x71, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0x7F, 0xB2, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xE9, 0x2C, 0x79, 0xA6, 0x3C, 0xAD, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE0, 0x23, 0x02, 0x86, 0x0F, 0x77, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x93, 0x6D, 0xE9, 0xF9, 0x3C, 0xBE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xE7, 0x24, 0x92, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x3C, 0x5B, 0x4B, 0x1B, 0x25, 0x37, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xE8, 0x38, 0x1B, 0xA1, 0x5A, 0x2E, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x19, 0xFD, 0xF4, 0x78, 0x01, 0x6B, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x69, 0x37, 0x4F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xE2, 0xBF, 0xD3, 0xEC, 0x95, 0x9C, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x7B, 0xFC, 0xD5, 0xD3, 0x25, 0x5E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x55, 0x09, 0xA2, 0x58, 0x6A, 0xC9, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xCC, 0x3B, 0xD9, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x08, 0x65, 0x5E, 0xCB, 0xAB, 0x48, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x79, 0x8B, 0xC0, 0x11, 0xC0, 0x69, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xE8, 0x8C, 0x4C, 0xC5, 0x28, 0xE4, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x1F, 0x34, 0x5C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp224k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp224k1_T_0_X, secp224k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_1_X, secp224k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_2_X, secp224k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_3_X, secp224k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_4_X, secp224k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_5_X, secp224k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_6_X, secp224k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_7_X, secp224k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_8_X, secp224k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_9_X, secp224k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_10_X, secp224k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_11_X, secp224k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_12_X, secp224k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_13_X, secp224k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_14_X, secp224k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_15_X, secp224k1_T_15_Y),
+};
+#else
+#define secp224k1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static const mbedtls_mpi_uint secp256k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp256k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp256k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x07, 0x00),
+};
+static const mbedtls_mpi_uint secp256k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
+};
+static const mbedtls_mpi_uint secp256k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
+};
+static const mbedtls_mpi_uint secp256k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp256k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
+};
+static const mbedtls_mpi_uint secp256k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
+};
+static const mbedtls_mpi_uint secp256k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xEE, 0xD7, 0x1E, 0x67, 0x86, 0x32, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0xB1, 0xA9, 0xD5, 0xCC, 0x27, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0E, 0x11, 0x01, 0x71, 0xFE, 0x92, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x28, 0x63, 0x6D, 0x72, 0x09, 0xA6, 0xC0),
+};
+static const mbedtls_mpi_uint secp256k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0x69, 0xDC, 0x3E, 0x2C, 0x75, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xB7, 0x3F, 0x30, 0x26, 0x3C, 0xDF, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBE, 0xB9, 0x5D, 0x0E, 0xE8, 0x5E, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xC3, 0x05, 0xD6, 0xB7, 0xD5, 0x24, 0xFC),
+};
+static const mbedtls_mpi_uint secp256k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCF, 0x7B, 0xDC, 0xCD, 0xC3, 0x39, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xDA, 0xB9, 0xE5, 0x64, 0xA7, 0x47, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x46, 0xA8, 0x61, 0xF6, 0x23, 0xEB, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xC1, 0xFF, 0xE4, 0x55, 0xD5, 0xC2, 0xBF),
+};
+static const mbedtls_mpi_uint secp256k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xBE, 0xB9, 0x59, 0x24, 0x13, 0x4A, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x45, 0x12, 0xDE, 0xBA, 0x4F, 0xEF, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x08, 0xBF, 0xC1, 0x66, 0xAA, 0x0A, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xFE, 0x30, 0x55, 0x31, 0x86, 0xA7, 0xB4),
+};
+static const mbedtls_mpi_uint secp256k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBF, 0x18, 0x81, 0x67, 0x27, 0x42, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x05, 0x83, 0xA4, 0xDD, 0x57, 0xD3, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x63, 0xAB, 0xE4, 0x90, 0x70, 0xD0, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x5D, 0xFD, 0xA0, 0xEF, 0xCF, 0x1C, 0x54),
+};
+static const mbedtls_mpi_uint secp256k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x80, 0xE4, 0xF6, 0x09, 0xBC, 0x57, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x9F, 0x6E, 0x88, 0x54, 0x6E, 0x51, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x5F, 0x85, 0xFB, 0x84, 0x3E, 0x4A, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x19, 0xF5, 0x55, 0xC9, 0x07, 0xD8, 0xCE),
+};
+static const mbedtls_mpi_uint secp256k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xB4, 0xC3, 0xD9, 0x5C, 0xA0, 0xD4, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x30, 0xAF, 0x59, 0x9B, 0xF8, 0x04, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xA6, 0xFD, 0x66, 0x7B, 0xC3, 0x39, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xBF, 0xF0, 0xC2, 0xE9, 0x71, 0xA4, 0x9E),
+};
+static const mbedtls_mpi_uint secp256k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x2D, 0xB9, 0x88, 0x28, 0xF1, 0xBE, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF3, 0x1A, 0x0E, 0xB9, 0x01, 0x66, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0xA4, 0xF4, 0x05, 0xD0, 0xAA, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x39, 0x1E, 0x47, 0xE5, 0x68, 0xC8, 0xC0),
+};
+static const mbedtls_mpi_uint secp256k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xB9, 0xFC, 0xE0, 0x33, 0x8A, 0x7D, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x93, 0xA5, 0x53, 0x55, 0x16, 0xB4, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x5F, 0xEA, 0x9B, 0x29, 0x52, 0x71, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xF0, 0x24, 0xB8, 0x7D, 0xB7, 0xA0, 0x9B),
+};
+static const mbedtls_mpi_uint secp256k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x00, 0x27, 0xB2, 0xDF, 0x73, 0xA2, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x2E, 0x4D, 0x7C, 0xDE, 0x7A, 0x23, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0x60, 0xC7, 0x97, 0x1E, 0xA4, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x13, 0x5B, 0x77, 0x59, 0xCB, 0x36, 0xE1),
+};
+static const mbedtls_mpi_uint secp256k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xBC, 0x9F, 0x9E, 0x2D, 0x53, 0x2A, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x5F, 0x64, 0x9F, 0x1A, 0x19, 0xE6, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x7B, 0x39, 0xD2, 0xDB, 0x85, 0x84, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xC7, 0x0D, 0x58, 0x6E, 0x3F, 0x52, 0x15),
+};
+static const mbedtls_mpi_uint secp256k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x68, 0x19, 0x0B, 0x68, 0xC9, 0x1E, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x4E, 0x21, 0x49, 0x3D, 0x55, 0xCC, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF9, 0x25, 0x45, 0x54, 0x45, 0xB1, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xF7, 0xCD, 0x80, 0xA4, 0x04, 0x05),
+};
+static const mbedtls_mpi_uint secp256k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x1E, 0x88, 0xC4, 0xAA, 0x18, 0x7E, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xAC, 0xD9, 0xB2, 0xA1, 0xC0, 0x71, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xA2, 0xF1, 0x15, 0xA6, 0x5F, 0x6C, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x5B, 0x05, 0xBC, 0xB7, 0xC6, 0x4E, 0x72),
+};
+static const mbedtls_mpi_uint secp256k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x80, 0xF8, 0x5C, 0x20, 0x2A, 0xE1, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x48, 0x2E, 0x68, 0x82, 0x7F, 0xEB, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x3B, 0x25, 0xDB, 0x32, 0x4D, 0x88, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x6E, 0xA6, 0xB6, 0x6D, 0x62, 0x78, 0x22),
+};
+static const mbedtls_mpi_uint secp256k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4D, 0x3E, 0x86, 0x58, 0xC3, 0xEB, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x89, 0x33, 0x18, 0x21, 0x1D, 0x9B, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x9D, 0xFF, 0xC3, 0x79, 0xC1, 0x88, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xD4, 0x48, 0x53, 0xE8, 0xAD, 0x21, 0x16),
+};
+static const mbedtls_mpi_uint secp256k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x7B, 0xDE, 0xCB, 0xD8, 0x39, 0x17, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xF3, 0x03, 0xF2, 0x5C, 0xBC, 0xC8, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xAE, 0x4C, 0xB0, 0x16, 0xA4, 0x93, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8B, 0x6B, 0xDC, 0xD7, 0x9A, 0x3E, 0x7E),
+};
+static const mbedtls_mpi_uint secp256k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x2D, 0x7A, 0xD2, 0x59, 0x05, 0xA2, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x56, 0x09, 0x32, 0xF1, 0xE8, 0xE3, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xCA, 0xE5, 0x2E, 0xF0, 0xFB, 0x18, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x85, 0xA9, 0x23, 0x15, 0x31, 0x1F, 0x0E),
+};
+static const mbedtls_mpi_uint secp256k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xE5, 0xB1, 0x86, 0xB9, 0x6E, 0x8D, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x77, 0xFC, 0xC9, 0xA3, 0x3F, 0x89, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x6A, 0xDC, 0x25, 0xB0, 0xC7, 0x41, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x11, 0x6B, 0xA6, 0x11, 0x62, 0xD4, 0x2D),
+};
+static const mbedtls_mpi_uint secp256k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7D, 0x34, 0xB3, 0x20, 0x7F, 0x37, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xD4, 0x45, 0xE8, 0xC2, 0xE9, 0xC5, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x32, 0x3B, 0x25, 0x7E, 0x79, 0xAF, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xE4, 0x54, 0x71, 0xBE, 0x35, 0x4E, 0xD0),
+};
+static const mbedtls_mpi_uint secp256k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x94, 0xDD, 0x8F, 0xB5, 0xC2, 0xDD, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x49, 0xE9, 0x1C, 0x2F, 0x08, 0x49, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xB6, 0x03, 0x88, 0x6F, 0xB8, 0x15, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xD3, 0x1C, 0xF3, 0xA5, 0xEB, 0x79, 0x01),
+};
+static const mbedtls_mpi_uint secp256k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF9, 0x43, 0x88, 0x89, 0x0D, 0x06, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2D, 0xF5, 0x98, 0x32, 0xF6, 0xB1, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0x8F, 0x2B, 0x50, 0x27, 0x0A, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE3, 0xBD, 0x16, 0x05, 0xC8, 0x93, 0x12),
+};
+static const mbedtls_mpi_uint secp256k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x6A, 0xF7, 0xE3, 0x3D, 0xDE, 0x5F, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA3, 0x9C, 0x22, 0x3C, 0x33, 0x36, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x24, 0x4C, 0x69, 0x45, 0x78, 0x14, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xF8, 0xD4, 0xBF, 0xB8, 0xC0, 0xA1, 0x25),
+};
+static const mbedtls_mpi_uint secp256k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x88, 0xE1, 0x91, 0x03, 0xEB, 0xB3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x11, 0xA1, 0xEF, 0x14, 0x0D, 0xC4, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xD4, 0x0D, 0x1D, 0x96, 0x33, 0x5C, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x45, 0x2A, 0x1A, 0xE6, 0x57, 0x04, 0x9B),
+};
+static const mbedtls_mpi_uint secp256k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xB5, 0xA7, 0x80, 0xE9, 0x93, 0x97, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xB9, 0x7C, 0xA0, 0xC9, 0x57, 0x26, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xEF, 0x56, 0xDA, 0x66, 0xF6, 0x1B, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x89, 0x6B, 0x91, 0xE0, 0xA9, 0x65, 0x2B),
+};
+static const mbedtls_mpi_uint secp256k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x98, 0x96, 0x9B, 0x06, 0x7D, 0x5E, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xFA, 0xC1, 0x5F, 0x19, 0x37, 0x94, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xBE, 0x6B, 0x1A, 0x05, 0xE4, 0xBF, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xCD, 0x5D, 0x35, 0xB4, 0x51, 0xF7, 0x64),
+};
+static const mbedtls_mpi_uint secp256k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xEF, 0x96, 0xDB, 0xF2, 0x61, 0x63, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x04, 0x88, 0xC9, 0x9F, 0x1B, 0x94, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x30, 0x79, 0x7E, 0x24, 0xE7, 0x5F, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xB8, 0x90, 0xB7, 0x94, 0x25, 0xBB, 0x0F),
+};
+static const mbedtls_mpi_uint secp256k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x79, 0xEA, 0xAD, 0xC0, 0x6D, 0x18, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xA4, 0x58, 0x2A, 0x8D, 0x95, 0xB3, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC4, 0xC2, 0x12, 0x0D, 0x79, 0xE2, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6F, 0xBE, 0x97, 0x4D, 0xA4, 0x20, 0x07),
+};
+static const mbedtls_mpi_uint secp256k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x31, 0x71, 0xC6, 0xA6, 0x91, 0xEB, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x9B, 0xA8, 0x4A, 0xE7, 0x77, 0xE1, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x06, 0xD3, 0x3D, 0x94, 0x30, 0xEF, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xDF, 0xCA, 0xFA, 0xF5, 0x28, 0xF8, 0xC9),
+};
+static const mbedtls_mpi_uint secp256k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xE1, 0x32, 0xFD, 0x3E, 0x81, 0xF8, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xF2, 0x4B, 0x1D, 0x19, 0xC9, 0x0F, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB1, 0x8A, 0x22, 0x8B, 0x05, 0x6B, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x21, 0xEF, 0x30, 0xEC, 0x09, 0x2A, 0x89),
+};
+static const mbedtls_mpi_uint secp256k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x84, 0x4A, 0x46, 0x07, 0x6C, 0x3C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x18, 0x3A, 0xF4, 0xCC, 0xF5, 0xB2, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x8F, 0xCD, 0x0A, 0x9C, 0xF4, 0xBD, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x89, 0x7F, 0x8A, 0xB1, 0x52, 0x3A, 0xAB),
+};
+static const mbedtls_ecp_point secp256k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp256k1_T_0_X, secp256k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_1_X, secp256k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_2_X, secp256k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_3_X, secp256k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_4_X, secp256k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_5_X, secp256k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_6_X, secp256k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_7_X, secp256k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_8_X, secp256k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_9_X, secp256k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_10_X, secp256k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_11_X, secp256k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_12_X, secp256k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_13_X, secp256k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_14_X, secp256k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_15_X, secp256k1_T_15_Y),
+};
+#else
+#define secp256k1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
+ */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP256r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xA2, 0xED, 0x52, 0xC9, 0x8C, 0xE3, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xC9, 0xC4, 0x87, 0x3F, 0x93, 0x7A, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x12, 0x53, 0x61, 0x3E, 0x76, 0x08, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x8C, 0x74, 0xF4, 0x08, 0xC3, 0x76, 0x80),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xDD, 0x09, 0xA6, 0xED, 0xEE, 0xC4, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xD9, 0xBE, 0x4B, 0xA5, 0xB7, 0x2B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x20, 0x12, 0xCA, 0x0A, 0x38, 0x24, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x72, 0x71, 0x90, 0x7A, 0x2E, 0xB7, 0x23),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0xA1, 0x93, 0x10, 0x2A, 0x51, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x10, 0x11, 0x12, 0xBC, 0xB0, 0xB6, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x58, 0xD7, 0x0A, 0x84, 0x05, 0xA3, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x8E, 0x95, 0x61, 0xD3, 0x0B, 0xDF, 0x36),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x92, 0x12, 0x0F, 0x5E, 0x87, 0x70, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xE9, 0x9B, 0xEB, 0x3A, 0xFB, 0xCF, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0x92, 0xB9, 0xF7, 0x45, 0xD3, 0x06, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x28, 0x65, 0xE1, 0xC5, 0x6C, 0x57, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x0E, 0x77, 0x01, 0x81, 0x9E, 0x38, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xF0, 0xD5, 0xA5, 0x91, 0x2B, 0xDF, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xEE, 0xB6, 0x25, 0xD6, 0x98, 0xDE, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0x55, 0x63, 0x39, 0xEB, 0xB5, 0x47),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD6, 0xB8, 0xE3, 0x13, 0xED, 0x7F, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xE8, 0xAE, 0x36, 0xB8, 0xCD, 0x19, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x82, 0x83, 0x7A, 0x7B, 0x46, 0x56, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x60, 0x46, 0x15, 0x5A, 0xAC, 0x99, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x61, 0x50, 0xC6, 0xFF, 0x10, 0x7D, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x51, 0xDF, 0xA9, 0x7D, 0x78, 0x26, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x15, 0x9A, 0xF7, 0x01, 0xC1, 0xBB, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x0F, 0xE6, 0x2A, 0xBD, 0x4A, 0x9E, 0x87),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF8, 0xD1, 0x77, 0xD2, 0x49, 0xB3, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x86, 0xFB, 0x9E, 0x1F, 0x5A, 0x60, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xC4, 0x8D, 0xCD, 0x86, 0x61, 0x2F, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xF6, 0xB9, 0xAC, 0x37, 0x9D, 0xE9, 0x28),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x77, 0xAA, 0x97, 0x9C, 0x0B, 0x04, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xA6, 0x60, 0x81, 0xCE, 0x25, 0x13, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x00, 0xF3, 0xBB, 0x82, 0x99, 0x95, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0xCE, 0x90, 0x71, 0x38, 0x2F, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x1A, 0xC0, 0x84, 0x27, 0xD6, 0x9D, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x37, 0x52, 0x16, 0x13, 0x0E, 0xCE, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBF, 0x5A, 0xDB, 0xDB, 0x6E, 0x1E, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB7, 0x5E, 0xF9, 0x86, 0xDD, 0x8A, 0x5C),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xAB, 0x5C, 0x8D, 0x1D, 0xF2, 0x2D, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC5, 0xF8, 0xF7, 0x1D, 0x96, 0x0B, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x4C, 0xA7, 0x45, 0x20, 0x6A, 0x1E, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x5D, 0xEF, 0xDE, 0xEE, 0x39, 0x44, 0x19),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x2F, 0x6D, 0x52, 0xC9, 0x58, 0x60, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xC9, 0x62, 0xCB, 0x38, 0x3C, 0x55, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xA5, 0x09, 0x10, 0x88, 0xDB, 0xE3, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xE0, 0x3C, 0xCE, 0x06, 0x0B, 0x4B, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x1D, 0xB4, 0x10, 0x76, 0x8F, 0xBA, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x70, 0x5A, 0x07, 0xF5, 0x1A, 0x74, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xE9, 0x94, 0xA8, 0xC0, 0xD5, 0x4A, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x6D, 0xD4, 0xE8, 0x9B, 0xE9, 0x6D, 0x0E),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x00, 0x32, 0x41, 0x57, 0x84, 0x89, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC7, 0x14, 0xEC, 0xE9, 0x27, 0xFF, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x67, 0x9E, 0xFB, 0xB6, 0xB8, 0x96, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x4A, 0xE3, 0x97, 0x4B, 0x58, 0xDE, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x1E, 0x5C, 0xF5, 0x7F, 0xD5, 0xD4, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x08, 0x7A, 0xF1, 0xBD, 0x89, 0xC7, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xF9, 0x11, 0x1B, 0xF5, 0x3C, 0x6D, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x50, 0xE5, 0x69, 0x1D, 0x59, 0xFC, 0x0C),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x2F, 0xF8, 0x3F, 0xEC, 0x55, 0x99, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xA7, 0x29, 0x90, 0x43, 0x81, 0x31, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x18, 0x44, 0x50, 0x5D, 0x76, 0xCB, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xC5, 0x5B, 0x9A, 0x03, 0xE6, 0x17, 0x39),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x89, 0xFC, 0x55, 0x94, 0x91, 0x6A, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x46, 0x35, 0xF2, 0x3A, 0x42, 0x08, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xD2, 0x76, 0x49, 0x42, 0x87, 0xD3, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xEA, 0xA0, 0x52, 0xF1, 0x6A, 0x30, 0x57),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xB2, 0x57, 0xA3, 0x8A, 0x4D, 0x1B, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xA3, 0x99, 0x94, 0xB5, 0x3D, 0x64, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC3, 0xD7, 0x53, 0xF6, 0x49, 0x1C, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x23, 0x41, 0x4D, 0xFB, 0x7A, 0x5C, 0x53),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xB8, 0x15, 0x65, 0x5C, 0x85, 0x94, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x37, 0xC7, 0xF8, 0x7E, 0xAE, 0x6C, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xD8, 0x11, 0x54, 0x98, 0x44, 0xE3, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x4D, 0xA6, 0x4B, 0x28, 0xF2, 0x57, 0x9E),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD0, 0xEB, 0x1E, 0xAA, 0x30, 0xD3, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x9B, 0x4D, 0xA7, 0x73, 0x6E, 0xB6, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x47, 0xF6, 0xED, 0x37, 0xEF, 0x71, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xB5, 0x49, 0x61, 0x5E, 0x45, 0xF6, 0x4A),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x0E, 0xB3, 0x84, 0x3A, 0x63, 0x72, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x53, 0x5C, 0xA7, 0xC6, 0x2E, 0xAB, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x0F, 0x8F, 0x87, 0x50, 0x28, 0xB4, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x98, 0x4A, 0x98, 0x31, 0x86, 0xCA, 0x51),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC9, 0xE2, 0xFD, 0x5D, 0x1F, 0xE8, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x90, 0x91, 0xC4, 0x84, 0xF0, 0xBA, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5A, 0xB3, 0x4E, 0xFB, 0xE0, 0x57, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x0B, 0x90, 0xA6, 0xFD, 0x9D, 0x8E, 0x02),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x41, 0x8F, 0x31, 0xFA, 0x5A, 0xF6, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xE9, 0xE3, 0xF6, 0xE0, 0x4A, 0xE7, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x4E, 0xCD, 0xA2, 0x22, 0x14, 0xD4, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xED, 0x21, 0xB7, 0x0F, 0x53, 0x10, 0x17),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x06, 0x24, 0x2C, 0x4E, 0xD1, 0x1E, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x3F, 0xC1, 0x9F, 0xAB, 0xF0, 0x37, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x5E, 0x12, 0xCE, 0x83, 0x1B, 0x2A, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x65, 0xCF, 0xE8, 0x5C, 0xA5, 0xA2, 0x70),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x86, 0x76, 0x3A, 0x94, 0xF6, 0x1D, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xDA, 0xC9, 0xA6, 0x29, 0x93, 0x15, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x61, 0x6A, 0x7D, 0xC7, 0xA9, 0xF3, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x03, 0x71, 0xA2, 0x15, 0xCE, 0x50, 0x72),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD0, 0xA8, 0x1E, 0x91, 0xC4, 0x4F, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x4B, 0x7E, 0xD7, 0x71, 0x58, 0x7E, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x45, 0xAF, 0x2A, 0x18, 0x93, 0x95, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x8F, 0xC7, 0xFA, 0x4C, 0x7A, 0x86, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xAF, 0x68, 0x3A, 0x23, 0xC1, 0x2E, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x50, 0x11, 0x67, 0x39, 0xB9, 0xAF, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x86, 0xAA, 0x1E, 0x88, 0x21, 0x29, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x28, 0xA4, 0x9D, 0x89, 0xA9, 0x9A, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBA, 0x04, 0x67, 0xB7, 0x01, 0x40, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xE9, 0x09, 0xA3, 0xCA, 0xA6, 0x37, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x97, 0xA8, 0xB6, 0x3C, 0xEE, 0x90, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xED, 0xC4, 0xF7, 0xC3, 0x95, 0xEC, 0x85),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x84, 0xBD, 0xEB, 0xD5, 0x64, 0xBB, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x9B, 0xE2, 0x28, 0x50, 0xC2, 0x72, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xF2, 0x74, 0xD1, 0x26, 0xBF, 0x32, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xCB, 0xAF, 0x72, 0xDB, 0x6D, 0x30, 0x98),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x50, 0x85, 0xF4, 0x2B, 0x48, 0xC1, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x28, 0xBB, 0x11, 0xBA, 0x5B, 0x22, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA1, 0xE5, 0x5C, 0xC9, 0x1D, 0x44, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xE8, 0xE6, 0x6F, 0xBB, 0xC1, 0x81, 0x7F),
+};
+static const mbedtls_ecp_point brainpoolP256r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP256r1_T_0_X, brainpoolP256r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_1_X, brainpoolP256r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_2_X, brainpoolP256r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_3_X, brainpoolP256r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_4_X, brainpoolP256r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_5_X, brainpoolP256r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_6_X, brainpoolP256r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_7_X, brainpoolP256r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_8_X, brainpoolP256r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_9_X, brainpoolP256r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_10_X, brainpoolP256r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_11_X, brainpoolP256r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_12_X, brainpoolP256r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_13_X, brainpoolP256r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_14_X, brainpoolP256r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_15_X, brainpoolP256r1_T_15_Y),
+};
+#else
+#define brainpoolP256r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
+ */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP384r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xD8, 0x8A, 0x54, 0x41, 0xD6, 0x6B, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x3B, 0xF1, 0x22, 0xFD, 0x2D, 0x4B, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x55, 0xE3, 0x33, 0xF0, 0x73, 0x52, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x3F, 0x30, 0x26, 0xCA, 0x7F, 0x52, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x6E, 0x17, 0x9B, 0xD5, 0x2A, 0x4A, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xDA, 0x6B, 0xE5, 0x03, 0x07, 0x1D, 0x2E),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x7A, 0xAF, 0x98, 0xE3, 0xA4, 0xF6, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x7D, 0xFE, 0x51, 0x40, 0x3B, 0x47, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x88, 0xEC, 0xC4, 0xE2, 0x8F, 0xCB, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xE2, 0x88, 0x2D, 0x4E, 0x50, 0xEB, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x54, 0x94, 0x5E, 0xF4, 0x7F, 0x3A, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x07, 0x1C, 0xE1, 0xBD, 0x0F, 0xF8, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x92, 0x28, 0x2E, 0x32, 0x04, 0xB1, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x82, 0x44, 0x43, 0x76, 0x0D, 0x55, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xE3, 0xFF, 0x89, 0x46, 0xDE, 0x4E, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x22, 0xBB, 0x67, 0x1A, 0x81, 0xEE, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x54, 0xE2, 0x7A, 0xAE, 0xDA, 0x2C, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x9A, 0x90, 0xAA, 0x6E, 0x8B, 0xCC, 0x5F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x40, 0xAC, 0xED, 0x7D, 0x37, 0x87, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xF8, 0xB1, 0x80, 0x4C, 0x8C, 0x04, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x98, 0x2C, 0xAD, 0x30, 0x69, 0x35, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x2E, 0x00, 0x2F, 0x44, 0x8C, 0xF0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x58, 0x07, 0xD7, 0xCD, 0x60, 0xA1, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFB, 0x7B, 0x03, 0x05, 0x5E, 0x79, 0x73),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x17, 0xCE, 0x38, 0x4B, 0x5E, 0x5B, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x0E, 0x0A, 0x61, 0x9D, 0x7C, 0x62, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF0, 0x98, 0x71, 0x7F, 0x17, 0x26, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xD3, 0xFA, 0x3C, 0xF0, 0x70, 0x07, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x47, 0x5C, 0x09, 0x43, 0xB7, 0x65, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xA7, 0x3E, 0xFA, 0xF3, 0xEC, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x78, 0x22, 0x2B, 0x58, 0x71, 0xFA, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x30, 0xCE, 0x6A, 0xB3, 0xB0, 0x4F, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x95, 0x20, 0xA9, 0x23, 0xC2, 0x65, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xCF, 0x03, 0x5B, 0x8A, 0x80, 0x44, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xF8, 0x91, 0xF7, 0xD5, 0xED, 0xEA, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x5B, 0x16, 0x10, 0x25, 0xAC, 0x2A, 0x17),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEC, 0xDC, 0xC4, 0x7B, 0x8C, 0x6B, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBB, 0x1C, 0xD3, 0x5A, 0xEE, 0xD9, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5D, 0x30, 0x5E, 0xF7, 0xB2, 0x41, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xCE, 0x0F, 0x1A, 0xC6, 0x41, 0x64, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x18, 0xE1, 0xE3, 0x82, 0x15, 0x66, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xE2, 0x24, 0x04, 0x72, 0x39, 0xA0, 0x7C),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x51, 0xA2, 0x58, 0x88, 0x62, 0xE1, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xD2, 0x65, 0x14, 0xE9, 0x4C, 0x82, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE1, 0xAC, 0x87, 0xAE, 0x31, 0x1A, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4F, 0x96, 0x1E, 0x85, 0x7A, 0xC3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x86, 0xBB, 0xF0, 0xC0, 0x9D, 0x08, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x53, 0x03, 0x09, 0x80, 0x91, 0xEF, 0x68),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xD7, 0xAF, 0x6F, 0x69, 0x7B, 0x88, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x13, 0xE4, 0x30, 0xA2, 0x47, 0xB5, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD2, 0xC0, 0xDD, 0x8A, 0x1C, 0x3C, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x8C, 0xB3, 0x4C, 0xBA, 0x8B, 0x6D, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xC7, 0xA1, 0xA8, 0x6E, 0x3C, 0x4F, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x4A, 0x97, 0xC8, 0x03, 0x6F, 0x01, 0x82),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x18, 0x12, 0xA9, 0x39, 0xD5, 0x22, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA7, 0xC0, 0xBD, 0x9D, 0x8D, 0x78, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xD0, 0x7F, 0xDF, 0xD0, 0x30, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x73, 0x96, 0xEC, 0xA8, 0x1D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xD1, 0x65, 0x66, 0xDC, 0xD9, 0xCF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xED, 0x7B, 0x37, 0xAD, 0xE2, 0xBE, 0x2D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x79, 0x42, 0x6A, 0x07, 0x66, 0xB1, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x53, 0x62, 0x65, 0x92, 0x09, 0x4C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xAF, 0xC3, 0x03, 0xF6, 0xF4, 0x2D, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xCA, 0x41, 0xD9, 0xA2, 0x69, 0x9B, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xB2, 0xA6, 0x8D, 0xE1, 0xAA, 0x61, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xBA, 0x4D, 0x12, 0xB6, 0xBE, 0xF3, 0x7E),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x92, 0x22, 0x07, 0xCE, 0xC9, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA1, 0x7C, 0x91, 0xDB, 0x32, 0xF7, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x49, 0x4B, 0x6D, 0xFB, 0xD9, 0x70, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xFB, 0x4E, 0x4C, 0x5E, 0x66, 0x81, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xB3, 0xE1, 0x00, 0xB7, 0xD9, 0xCC, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x36, 0x8B, 0xC4, 0x39, 0x20, 0xFD, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x1F, 0x60, 0x03, 0xBB, 0xD7, 0x60, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x3C, 0x62, 0xDD, 0x71, 0x95, 0xE9, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x5B, 0x7A, 0x5F, 0x68, 0x81, 0xC5, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xB5, 0xB9, 0x98, 0x42, 0x28, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x29, 0x8E, 0x11, 0x49, 0xB4, 0xD7, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x3E, 0xD2, 0x30, 0xA1, 0xBA, 0xCA, 0x03),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x37, 0x64, 0x44, 0x2F, 0x03, 0xE5, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x42, 0xBC, 0xFF, 0xA2, 0x1A, 0x5F, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x04, 0xAB, 0x04, 0xE0, 0x24, 0xAD, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x45, 0x17, 0x67, 0x1F, 0x3E, 0x53, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x0F, 0xB3, 0x1B, 0x57, 0x54, 0xC2, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0xF8, 0xC4, 0x1B, 0x9B, 0xFA, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x90, 0xFD, 0xFB, 0xCA, 0x49, 0x38, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xCF, 0xC6, 0xDD, 0xF0, 0xFF, 0x8C, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x69, 0x9D, 0xBD, 0x5F, 0x33, 0xE9, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x19, 0x82, 0x3D, 0xAC, 0x1C, 0x40, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC7, 0x02, 0x46, 0x14, 0x77, 0x00, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x05, 0xF2, 0x77, 0x3A, 0x66, 0x5C, 0x39),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xE6, 0x17, 0xDE, 0xB2, 0xA1, 0xE5, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x71, 0xEC, 0x9D, 0xD8, 0xF5, 0xD4, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xC6, 0x42, 0x5E, 0xE7, 0x18, 0xBA, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x21, 0x68, 0x5A, 0x26, 0xFB, 0xD7, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x00, 0x5C, 0xBA, 0x8A, 0x34, 0xEC, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x3C, 0xAF, 0x53, 0xE8, 0x65, 0x35),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xEF, 0x28, 0xDC, 0x67, 0x05, 0xC8, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x78, 0xC3, 0x85, 0x49, 0xA0, 0xBC, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x3E, 0x2D, 0xA0, 0xCF, 0xD4, 0x7A, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x93, 0xFE, 0x60, 0xB3, 0x6E, 0x99, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xAD, 0x04, 0xE7, 0x49, 0xAF, 0x5E, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x7A, 0xED, 0xA6, 0x9E, 0x18, 0x09, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x05, 0x94, 0x44, 0xDC, 0xB8, 0x85, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xB7, 0x37, 0xC2, 0x50, 0x75, 0x15, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xC6, 0x0F, 0xB2, 0xA9, 0x91, 0x3E, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x81, 0xAD, 0x25, 0xA1, 0x26, 0x73, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xF1, 0xD1, 0x61, 0x7C, 0x76, 0x8F, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xDB, 0x4A, 0xFF, 0x14, 0xA7, 0x48, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x73, 0xC6, 0xC2, 0xCC, 0xF1, 0x57, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xED, 0x73, 0x27, 0x70, 0x82, 0xB6, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xBA, 0xAC, 0x3A, 0xCF, 0xF4, 0xEA, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xD6, 0xB1, 0x8F, 0x0E, 0x08, 0x2C, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE3, 0x8F, 0x2F, 0x0E, 0xA1, 0xF3, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xF5, 0x7C, 0x9B, 0x29, 0x0A, 0xF6, 0x28),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xEE, 0x17, 0x47, 0x34, 0x15, 0xA3, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBE, 0x88, 0x48, 0xE7, 0xA2, 0xBB, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xAD, 0xDC, 0x65, 0x61, 0x37, 0x0F, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x67, 0xAD, 0xA2, 0x3A, 0x1C, 0x91, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x07, 0x0C, 0x3A, 0x41, 0x6E, 0x13, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBD, 0x7E, 0xED, 0xAA, 0x14, 0xDD, 0x61),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xDC, 0x20, 0x01, 0x72, 0x11, 0x48, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xC4, 0x7B, 0xF8, 0x62, 0x3D, 0xF0, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xC2, 0x3D, 0x2E, 0x52, 0xA3, 0x4A, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE2, 0x53, 0x46, 0x5E, 0x21, 0xF8, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xC7, 0x8F, 0xA9, 0x26, 0x42, 0x32, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xA6, 0xA0, 0x8D, 0x4B, 0x9A, 0x19, 0x03),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xAB, 0x6D, 0x1E, 0xFB, 0xEE, 0x60, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x56, 0x3C, 0xC5, 0x5D, 0x10, 0x79, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xBC, 0x41, 0x9F, 0x71, 0xEF, 0x02, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x36, 0xC4, 0xD0, 0x88, 0x9B, 0x32, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xD4, 0x5D, 0x17, 0x39, 0xE6, 0x22, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x26, 0x01, 0xCE, 0xBE, 0x4A, 0x9C, 0x27),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x6D, 0x11, 0xCA, 0x6C, 0x5A, 0x93, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x96, 0x26, 0xAF, 0x2F, 0xE4, 0x30, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC1, 0x4C, 0xC6, 0x30, 0x1F, 0x5C, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB3, 0xE8, 0xFC, 0x35, 0xEB, 0x63, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x1D, 0xCA, 0xFC, 0x50, 0x36, 0x4B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0E, 0x23, 0x5B, 0xAF, 0xEB, 0x2D, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x88, 0xB6, 0xD7, 0x74, 0x4A, 0x23, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x66, 0xE2, 0xBB, 0x29, 0xA6, 0x4F, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x6F, 0x7E, 0x68, 0x6E, 0xA0, 0x14, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x73, 0xD4, 0xE8, 0xAB, 0x5B, 0xF6, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xE0, 0x3C, 0x24, 0x00, 0x95, 0xE9, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x0D, 0x4F, 0x81, 0xD0, 0xF2, 0x3F, 0x00),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x1D, 0xCD, 0x78, 0x39, 0xC4, 0x6B, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x45, 0xC7, 0xB8, 0x2F, 0xAA, 0x5D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x8C, 0x6E, 0xA3, 0x24, 0xB2, 0xDB, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x2D, 0xD9, 0xF1, 0xC7, 0x9B, 0x8A, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xE1, 0x2C, 0xB9, 0x40, 0x37, 0x91, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2C, 0xB5, 0x23, 0x03, 0x2B, 0xAF, 0x2F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x9D, 0x5A, 0x20, 0x10, 0xA9, 0x84, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x30, 0x89, 0x20, 0x13, 0xE9, 0xB2, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x52, 0xEB, 0x03, 0x18, 0x1F, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x9E, 0x1C, 0x35, 0x87, 0x92, 0x69, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xC9, 0x88, 0xAF, 0xC6, 0x6C, 0x83, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD5, 0x7A, 0x54, 0x34, 0x99, 0xB6, 0x6F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xAD, 0x45, 0x9B, 0x4B, 0x41, 0x4D, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x5D, 0xAB, 0x7F, 0x35, 0x34, 0xE9, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBE, 0x78, 0x34, 0x44, 0xF3, 0x4A, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xDE, 0xE3, 0xC4, 0xEE, 0x0B, 0xF9, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x86, 0x16, 0x48, 0x32, 0xB8, 0x74, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEE, 0x7C, 0xBA, 0xBD, 0x81, 0xE3, 0x55),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x6A, 0xFA, 0x84, 0xDA, 0xB8, 0xD5, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x9F, 0x8A, 0xD5, 0x1B, 0x2E, 0x1A, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0C, 0x61, 0xE2, 0xFF, 0x5B, 0xE6, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x62, 0xC1, 0x87, 0x53, 0x1B, 0x92, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x90, 0x00, 0xD1, 0x6A, 0x0C, 0x0E, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x2E, 0xB5, 0x3B, 0x44, 0xB5, 0xA0, 0x78),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5D, 0x02, 0x58, 0xB5, 0xBE, 0x45, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xEF, 0x8E, 0x90, 0x4D, 0x2A, 0x32, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x75, 0x5C, 0x0A, 0x33, 0x8F, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x6C, 0x95, 0xD4, 0x1F, 0xF3, 0xEB, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xE4, 0x4C, 0x91, 0x20, 0xF3, 0x25, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x95, 0xEB, 0x29, 0x6F, 0x20, 0x34, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x15, 0xE5, 0x13, 0x7E, 0x64, 0x8B, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xBC, 0x0D, 0x18, 0x7E, 0x37, 0x9E, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x82, 0x20, 0xF7, 0x2D, 0x7A, 0x77, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x29, 0xA2, 0xDB, 0x7A, 0xE6, 0x6F, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xC6, 0x50, 0x5C, 0xBC, 0xE6, 0x4F, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x9F, 0xD5, 0xE8, 0xC5, 0x3D, 0xB7, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x03, 0x55, 0x10, 0xDB, 0xA6, 0x8B, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x17, 0xAE, 0x78, 0xC9, 0x1D, 0x43, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x35, 0x49, 0xD4, 0x47, 0x84, 0x8D, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x95, 0x2F, 0xEA, 0xBC, 0xB4, 0x18, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x48, 0xAE, 0x89, 0xF5, 0x65, 0x3D, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xF2, 0x2B, 0x20, 0xD1, 0x75, 0x50, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xE6, 0x5C, 0x2C, 0xE0, 0x7D, 0xDF, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x07, 0x3E, 0xCE, 0x9F, 0x18, 0xB6, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xF8, 0xF0, 0xD5, 0xFA, 0x42, 0x1D, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x6C, 0x1D, 0x03, 0xC9, 0x0E, 0x2B, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x52, 0xA5, 0xB4, 0x63, 0xE1, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0xD9, 0xC4, 0xFD, 0x16, 0x60, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x7D, 0xDE, 0xDF, 0x4B, 0x4A, 0xB0, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x4E, 0x8C, 0x94, 0xC1, 0xE2, 0x85, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xF0, 0xEA, 0xB5, 0x9B, 0x70, 0xEF, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xC2, 0x39, 0x5D, 0xF3, 0x2C, 0xD9, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x1C, 0x2E, 0xCC, 0x2F, 0x54, 0x87, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x72, 0xC7, 0xB5, 0x50, 0xA3, 0x84, 0x77),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xD1, 0xAF, 0xA9, 0xB4, 0x8B, 0x5D, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xF6, 0x52, 0x8A, 0xC3, 0x56, 0xA5, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x52, 0xFF, 0xEA, 0x05, 0x42, 0x77, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x08, 0x90, 0x72, 0x86, 0xC4, 0xC3, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x15, 0xF8, 0xF1, 0x16, 0x67, 0xC6, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x87, 0xAC, 0x8F, 0x71, 0xEC, 0x83, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xE1, 0xE6, 0x2D, 0x0E, 0x11, 0xA1, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xE2, 0xA8, 0x32, 0xE6, 0xE3, 0x83, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x56, 0xE5, 0xCD, 0xB7, 0x2B, 0x67, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xED, 0xC9, 0x65, 0x6D, 0x87, 0xE1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xFD, 0x9A, 0x53, 0x0E, 0xFA, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x4C, 0x4A, 0xE2, 0x23, 0x84, 0xFA, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFE, 0x49, 0x81, 0xD1, 0x3E, 0xF4, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x72, 0xE0, 0xEF, 0x0D, 0xB8, 0x3E, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x00, 0x0F, 0x5F, 0xCE, 0x60, 0x72, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCC, 0xD8, 0x03, 0x07, 0x6E, 0x5A, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x3A, 0x35, 0x50, 0x4E, 0x1F, 0xCA, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xEA, 0x88, 0x55, 0xBD, 0x6E, 0x05, 0x7F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x6D, 0xF1, 0x97, 0xA6, 0x69, 0x39, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x41, 0x99, 0xFF, 0x3B, 0xA1, 0x26, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x2F, 0x95, 0x80, 0x12, 0x4A, 0x1B, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xBF, 0x51, 0xAA, 0xAE, 0x2D, 0xDA, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1C, 0xB3, 0x52, 0x36, 0x49, 0xD4, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC1, 0x1F, 0x3A, 0xD3, 0x3E, 0x5C, 0x1A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x51, 0xF7, 0x2B, 0xC8, 0xA9, 0xA7, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x4E, 0x7F, 0x98, 0x41, 0x66, 0xB0, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x1D, 0xC0, 0x42, 0xCD, 0xF8, 0xC3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x41, 0x91, 0x7D, 0xCC, 0x8B, 0xCC, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xAE, 0x76, 0xED, 0x56, 0x18, 0xC5, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x6A, 0x06, 0xA3, 0x7F, 0x65, 0x10, 0x1F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xEC, 0x3C, 0x05, 0x05, 0xCA, 0xF6, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0xCD, 0x02, 0x51, 0x12, 0x16, 0x3C, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xEB, 0xB3, 0x43, 0x7B, 0xDD, 0xB2, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x90, 0x41, 0xDB, 0xE4, 0xF5, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0E, 0x18, 0x2A, 0x5A, 0x83, 0x7C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x37, 0xA1, 0x0D, 0xF1, 0x2F, 0x63, 0x79),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC0, 0xFA, 0x6F, 0x1F, 0x67, 0xCF, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x34, 0x45, 0xBB, 0xF4, 0xF9, 0x9B, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x69, 0xFE, 0x67, 0x1D, 0x64, 0x8F, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x39, 0xBF, 0xD8, 0xB3, 0xC7, 0xAD, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x93, 0xFF, 0xF3, 0x28, 0xFA, 0x39, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF9, 0xC3, 0x85, 0x26, 0x7A, 0x88, 0x89),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD5, 0x79, 0xD8, 0x11, 0xDE, 0xEB, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x46, 0xA4, 0x6A, 0xDA, 0x74, 0x34, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBD, 0xD3, 0xF5, 0x14, 0xEE, 0xFE, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4C, 0xA3, 0x71, 0x43, 0x65, 0xF8, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x6C, 0x35, 0xFA, 0x90, 0x25, 0xD8, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x34, 0x84, 0x96, 0xA1, 0x43, 0x03, 0x4D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x3B, 0x3B, 0x2F, 0xCA, 0x59, 0xF2, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x48, 0x24, 0x74, 0xD8, 0x72, 0x90, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x42, 0x74, 0x8C, 0x6F, 0x52, 0x19, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9E, 0x41, 0x63, 0x68, 0x78, 0x4C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x94, 0xB6, 0x6B, 0x38, 0x52, 0xA8, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x30, 0x25, 0x93, 0xA1, 0x6F, 0x6E, 0x68),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2F, 0x4B, 0x64, 0x79, 0x50, 0xFF, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x36, 0xED, 0x57, 0x39, 0x3B, 0xE7, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x85, 0xEA, 0x35, 0xD6, 0xC0, 0xA0, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x89, 0x3A, 0xCC, 0x22, 0x1C, 0x46, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x7A, 0xB0, 0xA1, 0x1B, 0x69, 0x62, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xB8, 0x8A, 0x6C, 0x18, 0x85, 0x0D, 0x88),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB6, 0x50, 0xE9, 0x4E, 0x7F, 0xE8, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5B, 0x5C, 0xD1, 0x4B, 0x11, 0x9A, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x25, 0x56, 0x74, 0x51, 0x9C, 0xEC, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x7F, 0xB6, 0x8A, 0xCB, 0x3A, 0x10, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x33, 0x07, 0x01, 0xE9, 0x49, 0x59, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xA5, 0x2E, 0xF2, 0xBA, 0x32, 0x63, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x06, 0x0B, 0xA5, 0x44, 0x27, 0x7F, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x74, 0xAC, 0x0F, 0xCC, 0x4F, 0x13, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB1, 0xBF, 0x97, 0x49, 0xA5, 0x1C, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x64, 0x68, 0x7B, 0x0F, 0xCC, 0x77, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x39, 0xF9, 0x4E, 0x84, 0x9C, 0xF6, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xCF, 0x6D, 0xE2, 0xA1, 0x2D, 0xF9, 0x2B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC4, 0x90, 0x57, 0x31, 0x01, 0x05, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x1E, 0xBB, 0xBF, 0x98, 0xA4, 0x7C, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xE3, 0xA0, 0xB2, 0xCD, 0x39, 0x9A, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x34, 0x60, 0x7A, 0x89, 0x98, 0xB5, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x20, 0x3D, 0x3A, 0x04, 0x8F, 0x5A, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x26, 0xB6, 0x49, 0x09, 0x9C, 0x0F, 0x59),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x66, 0xD2, 0x38, 0x2A, 0x62, 0x81, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xC8, 0x20, 0x5E, 0x28, 0xA3, 0x81, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x31, 0xA4, 0xF1, 0xEA, 0x7D, 0x87, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x2C, 0x99, 0x09, 0x6F, 0x63, 0xEB, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x76, 0xDA, 0x1A, 0x06, 0xBE, 0xDE, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x09, 0x2E, 0x75, 0x39, 0x30, 0x2D, 0x42),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x9B, 0xC1, 0x5A, 0x17, 0xC3, 0x8C, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x8D, 0x94, 0x4D, 0x3D, 0xAB, 0x60, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFD, 0x1E, 0x0F, 0x43, 0xAE, 0x9D, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF2, 0xF3, 0x20, 0x1B, 0xAA, 0xB7, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x5B, 0xA4, 0xF4, 0x90, 0x3B, 0xE3, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x78, 0x72, 0xBD, 0x65, 0x09, 0x0B, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x37, 0x2A, 0x6C, 0x16, 0x4F, 0x64, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xCE, 0xA3, 0x90, 0xB4, 0x9A, 0xBC, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x55, 0x63, 0x1D, 0x3A, 0x6E, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xB4, 0xAA, 0x99, 0x22, 0x45, 0x89, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x7C, 0x8C, 0xA6, 0x3D, 0xA7, 0x3E, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x06, 0x42, 0xDC, 0xA6, 0xE3, 0xC6, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8C, 0x3D, 0x5D, 0x47, 0x31, 0x7C, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x85, 0xEE, 0x46, 0x7E, 0x13, 0x04, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x3C, 0x8B, 0x43, 0x2E, 0x74, 0xF5, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x88, 0x8E, 0x07, 0x29, 0x08, 0x03, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x9B, 0x89, 0xEB, 0x08, 0xE8, 0x43, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x07, 0x67, 0xFD, 0xD9, 0x73, 0x6F, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xEB, 0x21, 0x8D, 0x98, 0x43, 0x74, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xCC, 0x14, 0xD8, 0x08, 0xBB, 0xA6, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x98, 0xF2, 0x6A, 0x18, 0xC3, 0xDD, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x38, 0x91, 0xA0, 0x03, 0xF2, 0x04, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xAF, 0xE8, 0xFD, 0xFB, 0x13, 0x70, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x93, 0x87, 0x98, 0x4A, 0xE0, 0x00, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x2E, 0x69, 0x9C, 0xA2, 0x2D, 0x03, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFE, 0xF3, 0xB9, 0xC1, 0x85, 0x2A, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xFD, 0x86, 0xB1, 0xCD, 0xBF, 0x41, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xD8, 0x9A, 0x21, 0xF3, 0xFE, 0xCB, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x78, 0x04, 0x60, 0xB7, 0xA9, 0xA2, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1E, 0x66, 0x2A, 0x54, 0x51, 0xBD, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x16, 0x36, 0xEF, 0x61, 0x2D, 0xEE, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x5F, 0x88, 0xA0, 0x13, 0x12, 0xF7, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xC6, 0xAD, 0x4A, 0x4A, 0x07, 0x01, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x74, 0xB1, 0x4F, 0xEB, 0xBD, 0xD5, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF9, 0x71, 0xA2, 0x06, 0x4F, 0xD7, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x8B, 0x4D, 0x48, 0xE0, 0x98, 0xFB, 0x6A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xBA, 0x10, 0xA3, 0x0D, 0x52, 0xAC, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xD0, 0xE0, 0x36, 0xE6, 0x07, 0x3A, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x80, 0xF0, 0xAA, 0x49, 0x22, 0x4B, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC7, 0xAB, 0x1C, 0x89, 0xCD, 0x24, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x2A, 0xFC, 0xB3, 0x6D, 0x45, 0x96, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xE4, 0xDB, 0x52, 0x3F, 0xC4, 0xB4, 0x19),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xCC, 0xC8, 0x7F, 0xBB, 0x6B, 0x87, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x21, 0x3C, 0x69, 0x7D, 0x38, 0x57, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x4C, 0x18, 0x3C, 0x53, 0xA5, 0x48, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC3, 0x64, 0x45, 0xDB, 0xC4, 0x6D, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCC, 0xD1, 0xBB, 0x17, 0xB8, 0x34, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x69, 0x71, 0xFA, 0xA0, 0x28, 0x4A, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xE8, 0x9E, 0x39, 0xEA, 0x8D, 0x38, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x9C, 0xBB, 0xCD, 0x80, 0x1A, 0xEE, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA0, 0x45, 0xBF, 0xD9, 0x22, 0x11, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7C, 0x5C, 0xD9, 0xC0, 0x9F, 0x69, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x8A, 0xA6, 0x79, 0x4E, 0x35, 0xB9, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8B, 0x9A, 0x3E, 0xA1, 0xB8, 0x28, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x2F, 0xEF, 0xBB, 0xA9, 0x72, 0x7F, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x34, 0xB7, 0x12, 0xB9, 0xE7, 0xC3, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x1D, 0xD9, 0x42, 0x77, 0x0C, 0x71, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x01, 0x59, 0xA7, 0x56, 0x03, 0x91, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x91, 0x99, 0x33, 0x30, 0x3E, 0xEF, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xC9, 0x5A, 0x9A, 0x54, 0x66, 0xF1, 0x70),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x2C, 0xB7, 0x6E, 0x71, 0x7D, 0x35, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x0D, 0xEF, 0xD1, 0x2D, 0x99, 0x63, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x31, 0xAF, 0x2D, 0xC9, 0xC6, 0xC2, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xC0, 0xDF, 0x80, 0x54, 0xC4, 0xAC, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x6B, 0xA0, 0x84, 0x96, 0xF7, 0x31, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xE2, 0x7C, 0x7A, 0x41, 0x45, 0x75, 0x6A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xEE, 0x58, 0x31, 0xE8, 0x68, 0xD6, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x2E, 0x48, 0xB7, 0x09, 0x9F, 0xD4, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA9, 0x5C, 0xE7, 0x64, 0x43, 0x5D, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x9F, 0x50, 0xAB, 0x68, 0xFF, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x88, 0x2D, 0xBA, 0x12, 0xBF, 0x8D, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xDF, 0x6F, 0xB3, 0x75, 0xA4, 0x55, 0x73),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x17, 0x92, 0x39, 0xB7, 0x13, 0x37, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x43, 0x71, 0xA7, 0xCA, 0x17, 0x1B, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xB9, 0xB0, 0x78, 0xEF, 0xA0, 0xDA, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0xF2, 0x0F, 0x85, 0xA2, 0xB6, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x65, 0x2E, 0x6E, 0x45, 0xB9, 0x4C, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x6A, 0x8C, 0x2B, 0x77, 0x96, 0x36, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x7A, 0x13, 0x4A, 0x97, 0x63, 0x02, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x1E, 0x06, 0x03, 0x8F, 0xB9, 0xEE, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0xEE, 0x8B, 0x89, 0xA9, 0x70, 0xDB, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x81, 0xC9, 0x70, 0x8D, 0x62, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xDA, 0x46, 0xF8, 0xF9, 0x3A, 0xBE, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x9C, 0x7A, 0x97, 0x62, 0xEB, 0xFA, 0x0F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x03, 0x3D, 0x3C, 0x46, 0x27, 0x9E, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x08, 0x1C, 0xD5, 0x25, 0xAF, 0xE9, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x69, 0xDC, 0x59, 0xF4, 0x8A, 0x7C, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x9A, 0x7A, 0x99, 0x21, 0x0C, 0x4E, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xCE, 0x85, 0x5F, 0xAC, 0xAA, 0x82, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x57, 0x69, 0x90, 0x76, 0xF3, 0x53, 0x3F),
+};
+static const mbedtls_ecp_point brainpoolP384r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP384r1_T_0_X, brainpoolP384r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_1_X, brainpoolP384r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_2_X, brainpoolP384r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_3_X, brainpoolP384r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_4_X, brainpoolP384r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_5_X, brainpoolP384r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_6_X, brainpoolP384r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_7_X, brainpoolP384r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_8_X, brainpoolP384r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_9_X, brainpoolP384r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_10_X, brainpoolP384r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_11_X, brainpoolP384r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_12_X, brainpoolP384r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_13_X, brainpoolP384r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_14_X, brainpoolP384r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_15_X, brainpoolP384r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_16_X, brainpoolP384r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_17_X, brainpoolP384r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_18_X, brainpoolP384r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_19_X, brainpoolP384r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_20_X, brainpoolP384r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_21_X, brainpoolP384r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_22_X, brainpoolP384r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_23_X, brainpoolP384r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_24_X, brainpoolP384r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_25_X, brainpoolP384r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_26_X, brainpoolP384r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_27_X, brainpoolP384r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_28_X, brainpoolP384r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_29_X, brainpoolP384r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_30_X, brainpoolP384r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_31_X, brainpoolP384r1_T_31_Y),
+};
+#else
+#define brainpoolP384r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
+ */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP512r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xE9, 0x6B, 0x8C, 0x6F, 0x9D, 0x88, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x4F, 0x86, 0x96, 0xA7, 0x56, 0xD1, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xAB, 0xFA, 0xEE, 0xA7, 0xF5, 0x0E, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x40, 0xEF, 0x9E, 0x6D, 0xD6, 0x32, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xED, 0x56, 0x14, 0x57, 0x1A, 0x8D, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xED, 0x4D, 0x3A, 0xFA, 0x71, 0x75, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xC5, 0x76, 0x1C, 0x14, 0xBE, 0xB5, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x5A, 0xCB, 0xE7, 0x36, 0x1D, 0x52, 0x1C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8D, 0x7A, 0xEB, 0xA3, 0x8B, 0xD5, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xA3, 0x41, 0xF8, 0xAC, 0x9E, 0xAB, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xE3, 0x65, 0x0D, 0x1C, 0xFE, 0x09, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xCA, 0x13, 0x3F, 0xC5, 0xF9, 0x7E, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x5D, 0x63, 0x28, 0xA6, 0x89, 0xD3, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x95, 0x3F, 0x7A, 0x82, 0xD4, 0x77, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xBB, 0x92, 0x32, 0x00, 0xF4, 0x66, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x58, 0x31, 0xD1, 0x17, 0x9F, 0x2A, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x36, 0xA9, 0xCD, 0x80, 0xA5, 0x2D, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x44, 0xAB, 0xCE, 0x71, 0xFF, 0x0C, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x24, 0x58, 0x35, 0x5A, 0x21, 0x32, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xA6, 0x28, 0xF8, 0x7A, 0x97, 0xAE, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xE7, 0x08, 0xFA, 0x47, 0xC9, 0x55, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xAC, 0x2E, 0x84, 0xA4, 0xF5, 0x52, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x58, 0x05, 0x9D, 0xA7, 0xC8, 0x71, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x92, 0xB4, 0x92, 0xC1, 0x92, 0xEC, 0x6B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x48, 0x2D, 0x79, 0x5E, 0x58, 0xE5, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x85, 0x26, 0xEC, 0xE9, 0x6E, 0xD4, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x68, 0x26, 0x87, 0x38, 0xA2, 0xD2, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x17, 0x60, 0xCE, 0x75, 0xF8, 0xA5, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x51, 0xDB, 0xA9, 0xAE, 0x87, 0xF1, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x49, 0x92, 0x3B, 0x19, 0x96, 0xF5, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xD5, 0x52, 0x52, 0x8C, 0xCE, 0xFD, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x18, 0x0A, 0xE6, 0xF6, 0xAE, 0x08, 0x41),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x2B, 0xD8, 0x54, 0xCE, 0xB0, 0x57, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xB0, 0xF8, 0x9E, 0x03, 0x03, 0x3C, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x0E, 0x29, 0x29, 0x00, 0xF3, 0x70, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x33, 0x99, 0x0E, 0x00, 0x5D, 0xFE, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2D, 0xF2, 0x59, 0x32, 0xCF, 0x03, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xC9, 0x72, 0xAE, 0x0C, 0xEF, 0xD1, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x5A, 0x27, 0xBF, 0x2F, 0x45, 0xF9, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xBE, 0xE5, 0x2C, 0xFF, 0x5B, 0x1E, 0x88),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xAC, 0xBB, 0xD8, 0x83, 0xC2, 0x46, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xDC, 0xCE, 0x15, 0xB4, 0xEF, 0xCF, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xDB, 0x5E, 0x94, 0x31, 0x0B, 0xB2, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xB9, 0xE3, 0xE3, 0x11, 0x71, 0x41, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xE3, 0x01, 0xB7, 0x7D, 0xBC, 0x65, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x07, 0x65, 0x87, 0xA7, 0xE8, 0x48, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x48, 0x8F, 0xD4, 0x30, 0x8E, 0xB4, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE0, 0x73, 0xBE, 0x1E, 0xBF, 0x56, 0x36),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x0E, 0x5E, 0x87, 0xC5, 0xAB, 0x0E, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xF9, 0x5F, 0x80, 0x24, 0x4C, 0x2A, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x15, 0x21, 0x54, 0x92, 0x84, 0x8D, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x8A, 0x47, 0x74, 0xDC, 0x42, 0xB1, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xF7, 0x30, 0xFD, 0xC1, 0x9B, 0x0C, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x6C, 0xCC, 0xDF, 0xC5, 0xE3, 0xA9, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x67, 0x59, 0x10, 0x5C, 0x51, 0x54, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x37, 0xFB, 0x6E, 0xB0, 0x78, 0x63, 0x8E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEF, 0xC4, 0x39, 0x20, 0xF1, 0x46, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x62, 0xAE, 0xFF, 0x10, 0xE4, 0xE2, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x5C, 0xF5, 0x2E, 0x22, 0x89, 0xE5, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x0C, 0x29, 0xA8, 0x62, 0xAE, 0xDB, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x9E, 0x0F, 0xCA, 0x87, 0x2A, 0x6F, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xDC, 0x9B, 0x9F, 0x65, 0xD4, 0xAD, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xC3, 0x08, 0x0F, 0xCF, 0x67, 0xE9, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5C, 0xD7, 0xFF, 0x41, 0x9C, 0xCB, 0x26),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x05, 0x12, 0xAD, 0x73, 0x63, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x99, 0x07, 0x86, 0x57, 0xE7, 0x94, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x4B, 0xA5, 0xBF, 0x18, 0xA9, 0xEF, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x4C, 0xC4, 0x09, 0xF2, 0x2F, 0x0C, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x3A, 0x04, 0xEA, 0x89, 0x6C, 0x91, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0x3A, 0xE7, 0xA3, 0xEC, 0x24, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xA1, 0x26, 0x21, 0x04, 0xE3, 0xB9, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x71, 0x4B, 0x7B, 0xC2, 0x89, 0xCD, 0xA2),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xB9, 0xA8, 0x9D, 0xFD, 0x00, 0x3A, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x41, 0x6C, 0xBB, 0x5A, 0xCA, 0x1F, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xD7, 0xE2, 0x6C, 0x6B, 0xA7, 0x48, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x19, 0xAD, 0xA7, 0xC1, 0x7E, 0x4F, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF7, 0x19, 0x3C, 0x06, 0x74, 0x2C, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x23, 0x4F, 0x0C, 0x09, 0xB0, 0x80, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x74, 0x34, 0x08, 0x44, 0x7E, 0xA3, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xCC, 0x8D, 0x12, 0x6E, 0xE1, 0x3D, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x18, 0xB1, 0x71, 0x02, 0x93, 0xC2, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x89, 0x40, 0xE2, 0x1F, 0xE7, 0x5E, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xAE, 0x89, 0x01, 0xD4, 0x0C, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xDA, 0x58, 0x70, 0x24, 0xF2, 0xE4, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xC7, 0x1D, 0xD6, 0x4A, 0x6F, 0x66, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x1D, 0x7E, 0x4A, 0x2C, 0xCA, 0xEC, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x7F, 0xA8, 0x99, 0xE4, 0xD3, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x1D, 0x5A, 0xDF, 0x5E, 0x58, 0x36, 0x49),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB9, 0x32, 0x69, 0x1F, 0x72, 0x2A, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x73, 0xE2, 0x03, 0x39, 0x35, 0xAA, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x5E, 0x5D, 0x48, 0xEF, 0xAE, 0x30, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x7F, 0x60, 0x19, 0xAF, 0xEC, 0x9D, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x19, 0xE4, 0x1B, 0x56, 0x15, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xD7, 0x33, 0x59, 0x1F, 0x43, 0x59, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xCE, 0xEE, 0xCA, 0xA4, 0x7F, 0x63, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x40, 0xC0, 0xF6, 0x19, 0x89, 0x43, 0x20),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x92, 0xEA, 0x07, 0x65, 0x79, 0x86, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xB7, 0x13, 0x75, 0xD3, 0xC5, 0x0A, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x9E, 0xFA, 0xE1, 0x1F, 0x0C, 0xF9, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x8C, 0xED, 0x5C, 0x21, 0xE9, 0x09, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x4D, 0xD8, 0x18, 0xC4, 0xF6, 0x36, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xC9, 0xAC, 0x5C, 0xFA, 0x69, 0xA4, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8C, 0x94, 0x1C, 0x7B, 0x71, 0x36, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBD, 0x46, 0xCE, 0xB7, 0x1D, 0x9C, 0x5E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD6, 0x96, 0x4B, 0xA6, 0x47, 0xEB, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xF1, 0x5F, 0x15, 0xDE, 0x99, 0x6F, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xBD, 0xE5, 0x04, 0xB8, 0xE6, 0xC0, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD3, 0xF0, 0x04, 0x00, 0xE4, 0x05, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xF3, 0x06, 0xA3, 0x1A, 0xFF, 0xEA, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x32, 0xAA, 0x99, 0x33, 0x09, 0xB6, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xEF, 0xFC, 0x61, 0x10, 0x42, 0x31, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF1, 0xF4, 0x33, 0xCF, 0x28, 0x90, 0x9C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xDE, 0xF9, 0x88, 0x87, 0x7B, 0xEB, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xB8, 0xDA, 0xFA, 0xDA, 0x3D, 0xA6, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF0, 0x62, 0x82, 0x53, 0x32, 0x55, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA5, 0x32, 0x4A, 0x19, 0x11, 0x9C, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xB3, 0x27, 0xE9, 0x75, 0x90, 0x05, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x1C, 0x90, 0x48, 0x77, 0x01, 0x85, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD6, 0x9B, 0x84, 0xA8, 0xD7, 0xC5, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x7A, 0xCB, 0xB3, 0x11, 0x46, 0xD7, 0x99),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x23, 0xBF, 0x75, 0x75, 0xA1, 0x95, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x66, 0x5D, 0x34, 0x13, 0xA9, 0x03, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x80, 0x9D, 0x5F, 0xD2, 0x44, 0xE1, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x5D, 0xBD, 0xA8, 0xBF, 0xB4, 0x25, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x99, 0x1F, 0x53, 0xF1, 0x57, 0xDB, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x7C, 0xE5, 0xC5, 0x51, 0x0B, 0x4C, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xB0, 0x1A, 0x9C, 0x16, 0xB0, 0x32, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xE3, 0xCF, 0xDD, 0x48, 0xB4, 0x7B, 0x33),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xDD, 0x9E, 0x3C, 0x98, 0x0E, 0x77, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xAB, 0x01, 0xD3, 0x87, 0x74, 0x25, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xA3, 0xE3, 0x76, 0x43, 0x87, 0x12, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0xB1, 0x3B, 0x60, 0x66, 0xEB, 0x98, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x78, 0xC8, 0xD7, 0x4E, 0x75, 0xCA, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xDF, 0x71, 0x19, 0xE7, 0x07, 0x36, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC9, 0xA8, 0x5F, 0x91, 0xBF, 0x47, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x96, 0x58, 0x96, 0x18, 0xB6, 0xFA, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x2D, 0xA9, 0x9B, 0x86, 0xDB, 0x0C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0B, 0x2D, 0x56, 0x4A, 0xD3, 0x93, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x15, 0xE2, 0x65, 0x12, 0x86, 0x0E, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x41, 0x4D, 0xC1, 0xCB, 0xE4, 0xC3, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x53, 0x10, 0xCA, 0xA3, 0xAC, 0x83, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x01, 0x22, 0x96, 0x10, 0xAD, 0x69, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x46, 0x4E, 0xD8, 0xEA, 0xD6, 0x9D, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x2F, 0x7F, 0x62, 0x62, 0x80, 0xD0, 0x14),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xDA, 0x00, 0x63, 0x09, 0xBD, 0x6A, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD4, 0x6E, 0x48, 0x05, 0xB7, 0xF7, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x4D, 0xD7, 0x00, 0x4A, 0x15, 0x27, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x15, 0xAA, 0x37, 0x27, 0x34, 0x18, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x20, 0x2C, 0x84, 0x1B, 0x88, 0xBA, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x09, 0xD6, 0x04, 0xA2, 0x60, 0x84, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x04, 0x94, 0x08, 0xD4, 0xED, 0x47, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xF3, 0xE4, 0x3E, 0xB9, 0x5B, 0x35, 0x42),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xD8, 0xB6, 0x80, 0xD6, 0xF1, 0x30, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x14, 0xA6, 0x85, 0xEE, 0xA7, 0xD8, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x49, 0x2A, 0x1E, 0x7C, 0xE9, 0x2D, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x87, 0x56, 0x91, 0x03, 0x77, 0x4D, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x52, 0xD4, 0xAA, 0xF7, 0xFA, 0xB0, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x11, 0x39, 0xB1, 0xE7, 0x76, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x13, 0xBC, 0x37, 0x5D, 0x74, 0xCD, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x48, 0x14, 0x23, 0x30, 0xF8, 0x46, 0x37),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x27, 0xB0, 0xD9, 0xB2, 0x74, 0xB4, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xA6, 0xB9, 0x6F, 0x9F, 0x64, 0x36, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x2B, 0x78, 0x40, 0x05, 0x2B, 0x7B, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x68, 0x3A, 0xB6, 0x4A, 0xE2, 0xDB, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x33, 0xD7, 0x34, 0x8B, 0x25, 0x45, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xCE, 0xA8, 0xC9, 0x01, 0xFB, 0x0E, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF9, 0x51, 0x4C, 0x12, 0x9F, 0x60, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x85, 0xBD, 0x30, 0x37, 0x84, 0x39, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x33, 0xAF, 0x2E, 0xB8, 0x2E, 0xCC, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xB1, 0x73, 0x59, 0x4E, 0x0C, 0x09, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x24, 0x89, 0x81, 0x12, 0xFF, 0xBB, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0x1A, 0x66, 0xEE, 0xED, 0xB6, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xBD, 0x04, 0x20, 0x5D, 0xFB, 0xBF, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF8, 0x34, 0xA3, 0xFF, 0x45, 0xDE, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x18, 0x73, 0xF1, 0x32, 0x25, 0x58, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xC1, 0x14, 0xE3, 0x9E, 0x40, 0x0F, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0x9D, 0x9C, 0x00, 0xF7, 0x56, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBA, 0x87, 0xF9, 0x15, 0x0C, 0x66, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x1F, 0xC1, 0x28, 0xB0, 0x47, 0x0D, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xCA, 0x27, 0xEE, 0x4B, 0x23, 0x2B, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB5, 0x68, 0xC8, 0x17, 0x5D, 0xC3, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x02, 0x08, 0xEE, 0x20, 0x9D, 0xEA, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x14, 0x50, 0xD4, 0x7D, 0x5F, 0xCF, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFA, 0xF8, 0xA7, 0xC6, 0xDC, 0x14, 0x8C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xBD, 0x0A, 0x1A, 0x18, 0x98, 0xDC, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x63, 0x02, 0xB7, 0xD5, 0x5B, 0x5A, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB1, 0xD7, 0x4B, 0x15, 0x39, 0x61, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x32, 0xE1, 0x9E, 0x70, 0x1B, 0xCE, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD8, 0x18, 0x83, 0x52, 0x9B, 0x6D, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x55, 0x56, 0x19, 0x34, 0xA4, 0xEA, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA9, 0x55, 0x80, 0xE3, 0x15, 0x36, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x06, 0xC8, 0x1D, 0x17, 0x0D, 0xAD, 0x16),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xD6, 0xF0, 0xCC, 0xF3, 0x63, 0x53, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x5A, 0xDC, 0x46, 0xBD, 0x0D, 0xAD, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x2F, 0x11, 0x60, 0x15, 0x51, 0x4A, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE3, 0x93, 0x38, 0xD5, 0x83, 0xAA, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA6, 0xCC, 0xB1, 0xFD, 0xBB, 0x1A, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x54, 0xC8, 0x54, 0x6F, 0x79, 0x1A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4A, 0xDA, 0x28, 0x92, 0x97, 0x9D, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x4B, 0xDB, 0xC7, 0x52, 0xC5, 0x66, 0x34),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7E, 0x92, 0x53, 0x30, 0x93, 0xFD, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0x6A, 0xB1, 0x91, 0x0A, 0xB4, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x9D, 0x40, 0x3F, 0xE3, 0xF1, 0x01, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x0E, 0xD8, 0xED, 0x11, 0x8E, 0x4C, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x4A, 0x1B, 0x88, 0xDF, 0x8D, 0x29, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x23, 0x21, 0x11, 0xAB, 0x77, 0x81, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xAF, 0x11, 0xFA, 0xBA, 0x40, 0x63, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x6F, 0x8D, 0x80, 0xDF, 0x67, 0xF5, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x8B, 0xB7, 0x08, 0xF4, 0xD7, 0x2D, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x2B, 0x30, 0x02, 0x45, 0x71, 0x08, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x3A, 0xCA, 0x50, 0xF6, 0xC2, 0x19, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xB9, 0x9B, 0x3E, 0x73, 0x95, 0x1D, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x60, 0x59, 0x48, 0xCB, 0xD8, 0xD6, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x6C, 0x89, 0xAB, 0x99, 0xA8, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xA1, 0x8B, 0x4E, 0x06, 0x19, 0xEC, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x95, 0x04, 0xCF, 0xD5, 0x94, 0xB3, 0x02),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x35, 0x93, 0x7C, 0xB3, 0xB8, 0x9E, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x45, 0x5C, 0x7E, 0xBF, 0x75, 0x81, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE8, 0x24, 0xDF, 0xEC, 0x2F, 0x7D, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x8B, 0xD5, 0x6A, 0x9B, 0xA0, 0xE0, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE3, 0x27, 0x82, 0xDE, 0xDD, 0xCA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x57, 0x56, 0x46, 0x05, 0x06, 0x01, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x35, 0xA7, 0x47, 0xE2, 0x6B, 0x2C, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x9D, 0x4C, 0xEC, 0x1F, 0x11, 0x75, 0x2B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xAA, 0x41, 0xC1, 0xE9, 0x0E, 0xE9, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xCF, 0x9C, 0x4B, 0xE8, 0xED, 0x0A, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x73, 0xCA, 0x0C, 0x46, 0x0A, 0x9C, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE1, 0x9E, 0xBC, 0xFE, 0x44, 0x63, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x43, 0x71, 0xEE, 0xF8, 0xC1, 0x8C, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x4B, 0xF0, 0x69, 0x25, 0xBD, 0x71, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x9A, 0xFE, 0x82, 0xE7, 0xC1, 0xC1, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x5A, 0x6E, 0x5E, 0x97, 0x6A, 0x35, 0x8D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x18, 0x6C, 0x7E, 0xB8, 0x9E, 0x57, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xB9, 0xC1, 0xD0, 0xFE, 0x78, 0xFB, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x08, 0xAE, 0x46, 0x34, 0xEA, 0x7A, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1C, 0x56, 0xA9, 0x18, 0x37, 0xD4, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x63, 0xE9, 0x0A, 0xB6, 0x38, 0x3C, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x4F, 0xA4, 0x6E, 0x85, 0x31, 0x23, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xAD, 0xC4, 0xC3, 0xB1, 0x4B, 0x1C, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x56, 0x4A, 0x38, 0xB3, 0x6B, 0x6F, 0x2C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xC7, 0x19, 0xDE, 0x21, 0xED, 0x89, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xBE, 0xA6, 0xAE, 0xEB, 0x9D, 0xA7, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x0E, 0x13, 0x1E, 0x86, 0x57, 0xC3, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4B, 0x30, 0x46, 0x52, 0xC1, 0xEC, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xD5, 0x44, 0x31, 0x96, 0x3B, 0x26, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x68, 0xA8, 0x67, 0x78, 0x39, 0xE8, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x78, 0xB7, 0xDD, 0xF2, 0x58, 0xB6, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x3C, 0xB3, 0x26, 0xC4, 0x2C, 0x8C, 0xA5),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x24, 0xE5, 0x73, 0xEE, 0x9A, 0x02, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x6A, 0x65, 0x60, 0xF3, 0x62, 0xE3, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x07, 0x84, 0xE6, 0x3B, 0x46, 0x65, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x8F, 0x0C, 0xB0, 0xE1, 0x04, 0x82, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x13, 0xBF, 0x3D, 0xA0, 0x48, 0xA2, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x26, 0x76, 0x74, 0xAB, 0x0B, 0x29, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x6E, 0x5F, 0x03, 0x34, 0x7C, 0x38, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x72, 0xF9, 0x3B, 0x3C, 0xA4, 0xBC, 0x7C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xCE, 0x18, 0x80, 0xB8, 0x24, 0x45, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x09, 0x03, 0xB8, 0x06, 0x64, 0xF7, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x26, 0xB1, 0x10, 0x6D, 0x71, 0x12, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x12, 0xC6, 0x6E, 0x1E, 0x6A, 0xC3, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xD3, 0x0A, 0xDE, 0xD8, 0x6B, 0x04, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x87, 0x5B, 0xAE, 0xDB, 0x3C, 0xC0, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF5, 0xF9, 0xC1, 0x9A, 0x89, 0xBB, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x69, 0x72, 0x8B, 0xAE, 0x32, 0x13, 0x11),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x16, 0x07, 0x50, 0xFA, 0x4C, 0xCF, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x50, 0x21, 0xE9, 0xDE, 0xEC, 0x7E, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x2F, 0xE8, 0x83, 0x30, 0x0B, 0x65, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x0B, 0x99, 0xAC, 0xC9, 0xBA, 0x6C, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x59, 0x5A, 0x0D, 0x7B, 0x9E, 0x08, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x91, 0xB2, 0xDC, 0x90, 0xCE, 0x67, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x93, 0x60, 0x0C, 0xD7, 0x1F, 0x2F, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7F, 0x9D, 0x40, 0xF8, 0x78, 0x7A, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x22, 0x95, 0xE8, 0xEF, 0x31, 0x57, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x88, 0x53, 0xFE, 0xAF, 0x7C, 0x47, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xCE, 0xCC, 0x79, 0xE8, 0x9F, 0x8C, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x16, 0xDD, 0x77, 0x6E, 0x8A, 0x73, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x07, 0x97, 0x21, 0x3B, 0xF8, 0x5F, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xB5, 0xD2, 0x81, 0x84, 0xF0, 0xE7, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x8F, 0x75, 0x09, 0x6A, 0x0E, 0x53, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x4F, 0x70, 0x97, 0xC7, 0xAC, 0x7D, 0x3F),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x3C, 0x6A, 0xB4, 0x10, 0xA9, 0xC8, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC5, 0xD6, 0x69, 0x16, 0xB8, 0xAC, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x44, 0xDC, 0xEB, 0x48, 0x54, 0x5D, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x48, 0x9B, 0xD7, 0x72, 0x69, 0xA4, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x0D, 0x36, 0x9A, 0x66, 0x0B, 0xEC, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC6, 0xD4, 0xB6, 0x60, 0xE5, 0xC3, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x29, 0x42, 0xE0, 0x9D, 0xFD, 0x7C, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x10, 0xBA, 0x55, 0xBC, 0x3B, 0x38, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x66, 0xFA, 0x05, 0x73, 0x03, 0x1B, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xA4, 0x66, 0x12, 0x96, 0x7B, 0x02, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xDE, 0x6D, 0x98, 0xD1, 0xD5, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF5, 0x44, 0xB8, 0x8E, 0xF6, 0x8C, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x15, 0x2B, 0x72, 0xBC, 0x49, 0xE5, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x44, 0xD7, 0xDF, 0x8F, 0xEB, 0x8D, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x64, 0x88, 0xAA, 0xB7, 0xE4, 0x70, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x14, 0xBB, 0xE9, 0x9B, 0xB9, 0x65, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x8E, 0x88, 0xF5, 0xF1, 0xC1, 0x89, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x30, 0x53, 0xE6, 0xFB, 0x2D, 0x82, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE4, 0xFF, 0xBA, 0x31, 0x79, 0xAB, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x09, 0xF7, 0xB7, 0x09, 0x78, 0x4C, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xAE, 0xC2, 0x44, 0xDC, 0x17, 0x78, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD4, 0x17, 0x43, 0x19, 0x74, 0x9E, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x64, 0x3B, 0x73, 0xA2, 0x99, 0x27, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0x36, 0x5F, 0xD3, 0x14, 0xB1, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x07, 0xAB, 0xFD, 0x9B, 0x03, 0xC5, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xBE, 0xB0, 0x1D, 0xF2, 0x0C, 0x73, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE7, 0x7B, 0x87, 0xD3, 0x34, 0xFD, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x25, 0x3D, 0xC7, 0x36, 0x83, 0x53, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x7C, 0xCF, 0x63, 0x55, 0x12, 0x11, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x34, 0x4D, 0x27, 0x92, 0xAC, 0x18, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x42, 0x61, 0x9D, 0x2E, 0xFF, 0x13, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xDE, 0x92, 0x65, 0x57, 0x0D, 0xBC, 0x0A),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x7B, 0x6E, 0xC6, 0x2A, 0x21, 0x74, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xA7, 0x53, 0x4D, 0x29, 0x36, 0xEF, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xD6, 0x41, 0xC7, 0x99, 0xAD, 0x50, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xAC, 0x41, 0x9F, 0xFB, 0x4C, 0x86, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xBB, 0xE6, 0x25, 0x28, 0xAA, 0xEB, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x04, 0xA2, 0xC3, 0xAA, 0x08, 0x8A, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x2B, 0x5B, 0xE2, 0x8D, 0x76, 0xEA, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x33, 0xD2, 0x21, 0x4D, 0x62, 0xE3, 0x8E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x06, 0x8B, 0x2B, 0xC2, 0xC4, 0xB1, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF5, 0xA1, 0xC0, 0x03, 0x6A, 0x29, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA9, 0xEF, 0x55, 0xB6, 0x1A, 0x9F, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x54, 0x32, 0xBE, 0x06, 0x43, 0xB5, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xD6, 0xD9, 0x20, 0x89, 0xBE, 0xD4, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x26, 0x95, 0x10, 0xCE, 0xB4, 0x88, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xA6, 0x27, 0xAC, 0x32, 0xBA, 0xBD, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xA6, 0xAE, 0x9C, 0x7B, 0xBE, 0xA1, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xCD, 0x4D, 0x3D, 0xDF, 0x96, 0xBB, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0x11, 0x06, 0xCC, 0x0E, 0x31, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xE4, 0xF4, 0xAD, 0x7B, 0x5F, 0xF1, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x54, 0xBE, 0xF4, 0x8A, 0x03, 0x47, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x53, 0x00, 0x7F, 0xB0, 0x8A, 0x68, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0xB1, 0x73, 0x6F, 0x5B, 0x0E, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x32, 0xE3, 0x43, 0x64, 0x75, 0xFB, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x18, 0x55, 0x8A, 0x4E, 0x6E, 0x35, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x97, 0x15, 0x1E, 0xCB, 0xF2, 0x9C, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xD1, 0xBB, 0xF3, 0x70, 0xAD, 0x13, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x96, 0xA4, 0xC5, 0x5E, 0xDA, 0xD5, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x81, 0xE9, 0x65, 0x66, 0x76, 0x47, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x87, 0x06, 0x73, 0xCF, 0x34, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x81, 0x15, 0x42, 0xA2, 0x79, 0x5B, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA2, 0x7D, 0x09, 0x14, 0x64, 0xC6, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x6D, 0xC4, 0xED, 0xF1, 0xD6, 0xE9, 0x24),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xD5, 0xBB, 0x25, 0xA3, 0xDD, 0xA3, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xF2, 0x68, 0x67, 0x39, 0x8F, 0x73, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x76, 0x28, 0x89, 0xAD, 0x32, 0xE0, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x90, 0xCC, 0x57, 0x58, 0xAA, 0xC9, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD7, 0x43, 0xD2, 0xCE, 0x5E, 0xA0, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xB0, 0xB8, 0xA4, 0x9E, 0x96, 0x26, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x61, 0x1D, 0xF3, 0x65, 0x5E, 0x60, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x1E, 0x65, 0xED, 0xCF, 0x07, 0x60, 0x20),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x30, 0x17, 0x8A, 0x91, 0x88, 0x0A, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7D, 0x18, 0xA4, 0xAC, 0x59, 0xFC, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x31, 0x8B, 0x25, 0x65, 0x39, 0x9A, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x16, 0x4B, 0x68, 0xBA, 0x59, 0x13, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xD3, 0xC5, 0x56, 0xC9, 0x8C, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC6, 0x9F, 0xF4, 0xE6, 0xF7, 0xB4, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x7C, 0x03, 0x00, 0x26, 0x9F, 0xD8, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x1D, 0x6E, 0x00, 0xB9, 0x00, 0x6E, 0x93),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x63, 0xDA, 0x03, 0x2B, 0xD5, 0x0B, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xFC, 0xE2, 0xC8, 0x47, 0xF0, 0xAE, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x4C, 0xF7, 0x50, 0x0C, 0x48, 0x06, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2B, 0x32, 0x98, 0x0E, 0x7E, 0x61, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x02, 0x27, 0xFE, 0x75, 0x86, 0xDF, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x30, 0xB1, 0x22, 0x32, 0x1B, 0xFE, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x27, 0xF7, 0x78, 0x6F, 0xD7, 0xFD, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x78, 0xCC, 0xEA, 0xC0, 0x50, 0x24, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x2B, 0x4F, 0x7F, 0x58, 0xE6, 0xC2, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x43, 0xD5, 0xA7, 0x35, 0x3C, 0x80, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x6D, 0x4B, 0x12, 0x00, 0x7B, 0xE6, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x15, 0xBD, 0xD0, 0x9B, 0xCA, 0xAA, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xCE, 0x9C, 0xE3, 0x8B, 0x60, 0x7A, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xDA, 0x4B, 0x03, 0xA7, 0x8D, 0x43, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAF, 0x00, 0x2B, 0x32, 0xF0, 0x22, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xD9, 0x99, 0x99, 0xBE, 0x43, 0x99, 0x3E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x71, 0x41, 0xF4, 0xB5, 0xFD, 0xDD, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xE2, 0x20, 0x4C, 0xD1, 0x2E, 0x1F, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x43, 0x48, 0x76, 0x8A, 0x49, 0xAC, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1A, 0x55, 0xA8, 0xA3, 0xD4, 0x57, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xA6, 0x84, 0x39, 0xC9, 0x13, 0xBB, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xFA, 0xA9, 0x70, 0xDE, 0x83, 0xDD, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xC9, 0xD9, 0x3E, 0x44, 0x91, 0x68, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x9F, 0x85, 0x6D, 0xF7, 0x54, 0x36, 0x82),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x6B, 0xA6, 0xA3, 0xE5, 0xD4, 0x46, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x3E, 0xDC, 0x84, 0x7C, 0x7B, 0x24, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xED, 0x7F, 0x86, 0x07, 0x6C, 0x57, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x06, 0xFE, 0x52, 0x12, 0x79, 0x69, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xD1, 0x44, 0x5F, 0x21, 0x3A, 0xC3, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD9, 0x4A, 0xC0, 0x75, 0xAB, 0x17, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x81, 0x94, 0xB6, 0x80, 0x6B, 0x6F, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBE, 0x8E, 0xA5, 0xAA, 0xBC, 0x1E, 0x3E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xC7, 0x85, 0xA6, 0x59, 0x9B, 0xB1, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xCE, 0x40, 0xD1, 0xFB, 0xDF, 0x94, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xB8, 0x5E, 0xBF, 0x45, 0xA8, 0x2D, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9C, 0x06, 0x1B, 0xA9, 0x57, 0xB9, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xE9, 0xCE, 0xA2, 0xD3, 0x74, 0xA1, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x5F, 0x34, 0x78, 0xDB, 0xAE, 0x3A, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x32, 0x84, 0x3E, 0x68, 0x6A, 0x43, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xBC, 0x39, 0x36, 0xA4, 0xC5, 0xBB, 0x11),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x07, 0xA2, 0xB5, 0xC9, 0x0F, 0x4D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0x67, 0xE6, 0xF1, 0x46, 0xEB, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x41, 0x23, 0x95, 0xE7, 0xE0, 0x10, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x69, 0xFE, 0x68, 0x8C, 0xC6, 0x5F, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB9, 0x2B, 0x3D, 0xD2, 0x4F, 0xD8, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x09, 0xF5, 0x5F, 0xCF, 0xF6, 0x91, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x15, 0x42, 0x6B, 0x6D, 0xB5, 0xF3, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x56, 0x9D, 0xC5, 0xFF, 0xCA, 0x13, 0x9B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x38, 0xE6, 0x23, 0x63, 0x48, 0x3C, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x68, 0x3C, 0xD1, 0x3B, 0xE9, 0x3B, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x08, 0x54, 0x49, 0xD1, 0x46, 0x45, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x70, 0x52, 0x6E, 0x79, 0xC4, 0x5E, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xDF, 0xE8, 0x5A, 0x32, 0x81, 0xDA, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x2D, 0x94, 0x5B, 0xB5, 0x35, 0x9F, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x12, 0x8D, 0xC3, 0x36, 0x36, 0xB2, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x2F, 0x22, 0x38, 0x5B, 0x18, 0x4C, 0x35),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC1, 0x22, 0x0E, 0xF0, 0x73, 0x11, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xAE, 0xA4, 0x56, 0x18, 0x61, 0x66, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFB, 0x72, 0x08, 0x84, 0x38, 0x51, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x86, 0xA8, 0xB9, 0x31, 0x99, 0x29, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xFB, 0xC3, 0x42, 0xB3, 0xC7, 0x6F, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xF8, 0xE1, 0x09, 0xBE, 0x75, 0xB0, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x7D, 0xFF, 0xF4, 0x99, 0xFC, 0x13, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x1B, 0x84, 0x81, 0x42, 0x22, 0xC6, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE0, 0x37, 0xA4, 0xA0, 0x2F, 0x38, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x3D, 0xB7, 0x40, 0x2F, 0x39, 0x3C, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x3B, 0x8A, 0x51, 0xAE, 0x40, 0x49, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x20, 0x9F, 0xDD, 0xA9, 0xD0, 0x77, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x1D, 0x64, 0xDA, 0xA0, 0x53, 0xC7, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x7B, 0x66, 0x55, 0x94, 0xD1, 0x51, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xB5, 0x5B, 0x38, 0x35, 0x40, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0x0F, 0xF0, 0x73, 0x79, 0x43, 0x61),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x47, 0x45, 0x69, 0x80, 0x72, 0x72, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x11, 0x99, 0x59, 0xDB, 0x48, 0x80, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x6E, 0x3D, 0xFC, 0x37, 0x15, 0xF4, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xBB, 0x5B, 0xA6, 0x35, 0x8D, 0x28, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x1A, 0x3B, 0x2C, 0x8F, 0xD3, 0xAA, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x1C, 0x1A, 0xF8, 0x02, 0xD9, 0x7B, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x69, 0xAC, 0xF8, 0x54, 0x31, 0x14, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x8A, 0xE6, 0xDE, 0x58, 0xB9, 0xC4, 0x7A),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x83, 0x52, 0xFE, 0xF9, 0x7B, 0xE9, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xA2, 0x55, 0x46, 0x15, 0x49, 0xC1, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBC, 0x5C, 0x91, 0xBD, 0xB9, 0x9C, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xFD, 0xB1, 0x4E, 0x5F, 0x74, 0xEE, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x8B, 0xD8, 0x8B, 0x17, 0x73, 0x1B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x92, 0xD7, 0x67, 0x06, 0xAD, 0x25, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0x80, 0x24, 0xE2, 0x27, 0x5F, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x1C, 0xCE, 0xD0, 0x67, 0xCA, 0xD4, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xF1, 0xDD, 0x33, 0x66, 0xF9, 0x05, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xE5, 0x6B, 0x79, 0xBD, 0x48, 0x42, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x14, 0x52, 0xE3, 0x53, 0xB4, 0x50, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x84, 0x6C, 0xCF, 0xDA, 0xB2, 0x20, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xD6, 0x1A, 0xE5, 0xE2, 0x29, 0x70, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x61, 0xFE, 0xBB, 0x21, 0x82, 0xD1, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0xF0, 0x9C, 0x8B, 0x1A, 0x42, 0x30, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xD6, 0x49, 0x81, 0x92, 0xF1, 0xD0, 0x90),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x91, 0x93, 0x6A, 0xA6, 0x22, 0xE9, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xDC, 0xC3, 0x69, 0x11, 0x95, 0x7D, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xA3, 0x9D, 0x87, 0x5E, 0x64, 0x41, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x87, 0x5A, 0x15, 0xBD, 0x6E, 0x3C, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x8D, 0x50, 0xCC, 0xCF, 0xB7, 0x8F, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x65, 0xCD, 0x31, 0x30, 0xF1, 0x68, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x5C, 0x66, 0x67, 0x92, 0x30, 0x57, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x9B, 0x01, 0x3D, 0x20, 0x8B, 0xD1, 0x0D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC0, 0xE6, 0x4F, 0xDE, 0x62, 0xAB, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x48, 0xB3, 0x1C, 0x0F, 0x16, 0x93, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x63, 0xBD, 0x1F, 0x16, 0x50, 0x56, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x06, 0xBC, 0xE9, 0x27, 0x1C, 0x9A, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xFE, 0x21, 0xC5, 0x39, 0x55, 0xE1, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA8, 0xD0, 0x96, 0x0E, 0xB5, 0xB2, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xE7, 0x4B, 0xF3, 0x11, 0x0C, 0xC9, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x3A, 0xC4, 0x87, 0x71, 0xEE, 0xFA, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x77, 0xEE, 0x81, 0x5E, 0x96, 0xEA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xDF, 0xA9, 0xF4, 0x4F, 0x7C, 0xB2, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD4, 0xDF, 0x35, 0x63, 0x47, 0x25, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3D, 0xFF, 0xA4, 0x02, 0xC3, 0x95, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x10, 0x78, 0xD1, 0x2B, 0xB7, 0xBE, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE9, 0x57, 0xF9, 0xE0, 0xD8, 0xFC, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xC4, 0x01, 0xD6, 0xB4, 0xE7, 0x78, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6C, 0xB9, 0x13, 0xA4, 0xE8, 0x6D, 0x6F),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xB0, 0xC9, 0xCD, 0xBF, 0xA2, 0x1E, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x4F, 0x86, 0x22, 0x9B, 0xEA, 0xE8, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x46, 0xDF, 0x43, 0xB9, 0x82, 0x2D, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x32, 0xF1, 0x4E, 0x95, 0x41, 0xAE, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x93, 0x26, 0xFC, 0xD3, 0x90, 0xDC, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x05, 0x45, 0xCA, 0xF9, 0x5A, 0x89, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x82, 0x63, 0x4E, 0x55, 0x1D, 0x3A, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x69, 0x52, 0x49, 0xE9, 0xED, 0x57, 0x34),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x64, 0xE9, 0xAC, 0x4C, 0x4A, 0xEA, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xE9, 0x0B, 0x99, 0xE7, 0xF9, 0xA9, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x0C, 0xC1, 0xF4, 0x8D, 0x07, 0xB6, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x68, 0xFA, 0x35, 0xE4, 0x9E, 0xAE, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2D, 0x1A, 0x13, 0x8E, 0x02, 0xE2, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x28, 0x86, 0x46, 0x7B, 0x3A, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4C, 0x64, 0x59, 0x0A, 0xF9, 0x02, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x4F, 0x23, 0xA2, 0xC3, 0xD5, 0xEF, 0x42),
+};
+static const mbedtls_ecp_point brainpoolP512r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP512r1_T_0_X, brainpoolP512r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_1_X, brainpoolP512r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_2_X, brainpoolP512r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_3_X, brainpoolP512r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_4_X, brainpoolP512r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_5_X, brainpoolP512r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_6_X, brainpoolP512r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_7_X, brainpoolP512r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_8_X, brainpoolP512r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_9_X, brainpoolP512r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_10_X, brainpoolP512r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_11_X, brainpoolP512r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_12_X, brainpoolP512r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_13_X, brainpoolP512r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_14_X, brainpoolP512r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_15_X, brainpoolP512r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_16_X, brainpoolP512r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_17_X, brainpoolP512r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_18_X, brainpoolP512r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_19_X, brainpoolP512r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_20_X, brainpoolP512r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_21_X, brainpoolP512r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_22_X, brainpoolP512r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_23_X, brainpoolP512r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_24_X, brainpoolP512r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_25_X, brainpoolP512r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_26_X, brainpoolP512r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_27_X, brainpoolP512r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_28_X, brainpoolP512r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_29_X, brainpoolP512r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_30_X, brainpoolP512r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_31_X, brainpoolP512r1_T_31_Y),
+};
+#else
+#define brainpoolP512r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(ECP_LOAD_GROUP)
+/*
+ * Create an MPI from embedded constants
+ * (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint))
+ */
+static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len)
+{
+ X->s = 1;
+ X->n = (unsigned short) (len / sizeof(mbedtls_mpi_uint));
+ X->p = (mbedtls_mpi_uint *) p;
+}
+
+/*
+ * Set an MPI to static value 1
+ */
+static inline void ecp_mpi_set1(mbedtls_mpi *X)
+{
+ X->s = 1;
+ X->n = 1;
+ X->p = (mbedtls_mpi_uint *) mpi_one; /* X->p will not be modified so the cast is safe */
+}
+
+/*
+ * Make group available from embedded constants
+ */
+static int ecp_group_load(mbedtls_ecp_group *grp,
+ const mbedtls_mpi_uint *p, size_t plen,
+ const mbedtls_mpi_uint *a, size_t alen,
+ const mbedtls_mpi_uint *b, size_t blen,
+ const mbedtls_mpi_uint *gx, size_t gxlen,
+ const mbedtls_mpi_uint *gy, size_t gylen,
+ const mbedtls_mpi_uint *n, size_t nlen,
+ const mbedtls_ecp_point *T)
+{
+ ecp_mpi_load(&grp->P, p, plen);
+ if (a != NULL) {
+ ecp_mpi_load(&grp->A, a, alen);
+ }
+ ecp_mpi_load(&grp->B, b, blen);
+ ecp_mpi_load(&grp->N, n, nlen);
+
+ ecp_mpi_load(&grp->G.X, gx, gxlen);
+ ecp_mpi_load(&grp->G.Y, gy, gylen);
+ ecp_mpi_set1(&grp->G.Z);
+
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+ grp->nbits = mbedtls_mpi_bitlen(&grp->N);
+
+ grp->h = 1;
+
+ grp->T = (mbedtls_ecp_point *) T;
+ /*
+ * Set T_size to 0 to prevent T free by mbedtls_ecp_group_free.
+ */
+ grp->T_size = 0;
+
+ return 0;
+}
+#endif /* ECP_LOAD_GROUP */
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/* Forward declarations */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static int ecp_mod_p192(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static int ecp_mod_p224(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static int ecp_mod_p256(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static int ecp_mod_p384(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static int ecp_mod_p521(mbedtls_mpi *);
+#endif
+
+#define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
+#else
+#define NIST_MODP(P)
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+/* Additional forward declarations */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+static int ecp_mod_p255(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+static int ecp_mod_p448(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static int ecp_mod_p192k1(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static int ecp_mod_p224k1(mbedtls_mpi *);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static int ecp_mod_p256k1(mbedtls_mpi *);
+#endif
+
+#if defined(ECP_LOAD_GROUP)
+#define LOAD_GROUP_A(G) ecp_group_load(grp, \
+ G ## _p, sizeof(G ## _p), \
+ G ## _a, sizeof(G ## _a), \
+ G ## _b, sizeof(G ## _b), \
+ G ## _gx, sizeof(G ## _gx), \
+ G ## _gy, sizeof(G ## _gy), \
+ G ## _n, sizeof(G ## _n), \
+ G ## _T \
+ )
+
+#define LOAD_GROUP(G) ecp_group_load(grp, \
+ G ## _p, sizeof(G ## _p), \
+ NULL, 0, \
+ G ## _b, sizeof(G ## _b), \
+ G ## _gx, sizeof(G ## _gx), \
+ G ## _gy, sizeof(G ## _gy), \
+ G ## _n, sizeof(G ## _n), \
+ G ## _T \
+ )
+#endif /* ECP_LOAD_GROUP */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/* Constants used by ecp_use_curve25519() */
+static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
+static const unsigned char curve25519_part_of_n[] = {
+ 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
+ 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
+};
+
+/*
+ * Specialized function for creating the Curve25519 group
+ */
+static int ecp_use_curve25519(mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Actually ( A + 2 ) / 4 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve25519_a24));
+
+ /* P = 2^255 - 19 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 255));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 19));
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ /* N = 2^252 + 27742317777372353535851937790883648493 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&grp->N,
+ curve25519_part_of_n, sizeof(curve25519_part_of_n)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 252, 1));
+
+ /* Y intentionally not set, since we use x/z coordinates.
+ * This is used as a marker to identify Montgomery curves! */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 9));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
+ mbedtls_mpi_free(&grp->G.Y);
+
+ /* Actually, the required msb for private keys */
+ grp->nbits = 254;
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_ecp_group_free(grp);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/* Constants used by ecp_use_curve448() */
+static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
+static const unsigned char curve448_part_of_n[] = {
+ 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
+ 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
+ 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
+ 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
+};
+
+/*
+ * Specialized function for creating the Curve448 group
+ */
+static int ecp_use_curve448(mbedtls_ecp_group *grp)
+{
+ mbedtls_mpi Ns;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_mpi_init(&Ns);
+
+ /* Actually ( A + 2 ) / 4 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve448_a24));
+
+ /* P = 2^448 - 2^224 - 1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&grp->P, 224));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&grp->P, &grp->P, 1));
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ /* Y intentionally not set, since we use x/z coordinates.
+ * This is used as a marker to identify Montgomery curves! */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 5));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
+ mbedtls_mpi_free(&grp->G.Y);
+
+ /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_set_bit(&grp->N, 446, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&Ns,
+ curve448_part_of_n, sizeof(curve448_part_of_n)));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&grp->N, &grp->N, &Ns));
+
+ /* Actually, the required msb for private keys */
+ grp->nbits = 447;
+
+cleanup:
+ mbedtls_mpi_free(&Ns);
+ if (ret != 0) {
+ mbedtls_ecp_group_free(grp);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+/*
+ * Set a group using well-known domain parameters
+ */
+int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id)
+{
+ mbedtls_ecp_group_free(grp);
+
+ mbedtls_ecp_group_init(grp);
+
+ grp->id = id;
+
+ switch (id) {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192R1:
+ NIST_MODP(p192);
+ return LOAD_GROUP(secp192r1);
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224R1:
+ NIST_MODP(p224);
+ return LOAD_GROUP(secp224r1);
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256R1:
+ NIST_MODP(p256);
+ return LOAD_GROUP(secp256r1);
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP384R1:
+ NIST_MODP(p384);
+ return LOAD_GROUP(secp384r1);
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP521R1:
+ NIST_MODP(p521);
+ return LOAD_GROUP(secp521r1);
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ grp->modp = ecp_mod_p192k1;
+ return LOAD_GROUP_A(secp192k1);
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224K1:
+ grp->modp = ecp_mod_p224k1;
+ return LOAD_GROUP_A(secp224k1);
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ grp->modp = ecp_mod_p256k1;
+ return LOAD_GROUP_A(secp256k1);
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP256R1:
+ return LOAD_GROUP_A(brainpoolP256r1);
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP384R1:
+ return LOAD_GROUP_A(brainpoolP384r1);
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP512R1:
+ return LOAD_GROUP_A(brainpoolP512r1);
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ grp->modp = ecp_mod_p255;
+ return ecp_use_curve25519(grp);
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ grp->modp = ecp_mod_p448;
+ return ecp_use_curve448(grp);
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+ default:
+ grp->id = MBEDTLS_ECP_DP_NONE;
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/*
+ * Fast reduction modulo the primes used by the NIST curves.
+ *
+ * These functions are critical for speed, but not needed for correct
+ * operations. So, we make the choice to heavily rely on the internals of our
+ * bignum library, which creates a tight coupling between these functions and
+ * our MPI implementation. However, the coupling between the ECP module and
+ * MPI remains loose, since these functions can be deactivated at will.
+ */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+/*
+ * Compared to the way things are presented in FIPS 186-3 D.2,
+ * we proceed in columns, from right (least significant chunk) to left,
+ * adding chunks to N in place, and keeping a carry for the next chunk.
+ * This avoids moving things around in memory, and uselessly adding zeros,
+ * compared to the more straightforward, line-oriented approach.
+ *
+ * For this prime we need to handle data in chunks of 64 bits.
+ * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
+ * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
+ */
+
+/* Add 64-bit chunks (dst += src) and update carry */
+static inline void add64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry)
+{
+ unsigned char i;
+ mbedtls_mpi_uint c = 0;
+ for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++, src++) {
+ *dst += c; c = (*dst < c);
+ *dst += *src; c += (*dst < *src);
+ }
+ *carry += c;
+}
+
+/* Add carry to a 64-bit chunk and update carry */
+static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry)
+{
+ unsigned char i;
+ for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++) {
+ *dst += *carry;
+ *carry = (*dst < *carry);
+ }
+}
+
+#define WIDTH 8 / sizeof(mbedtls_mpi_uint)
+#define A(i) N->p + (i) * WIDTH
+#define ADD(i) add64(p, A(i), &c)
+#define NEXT p += WIDTH; carry64(p, &c)
+#define LAST p += WIDTH; *p = c; while (++p < end) *p = 0
+
+/*
+ * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ */
+static int ecp_mod_p192(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi_uint c = 0;
+ mbedtls_mpi_uint *p, *end;
+
+ /* Make sure we have enough blocks so that A(5) is legal */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, 6 * WIDTH));
+
+ p = N->p;
+ end = p + N->n;
+
+ ADD(3); ADD(5); NEXT; // A0 += A3 + A5
+ ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
+ ADD(4); ADD(5); LAST; // A2 += A4 + A5
+
+cleanup:
+ return ret;
+}
+
+#undef WIDTH
+#undef A
+#undef ADD
+#undef NEXT
+#undef LAST
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * The reader is advised to first understand ecp_mod_p192() since the same
+ * general structure is used here, but with additional complications:
+ * (1) chunks of 32 bits, and (2) subtractions.
+ */
+
+/*
+ * For these primes, we need to handle data in chunks of 32 bits.
+ * This makes it more complicated if we use 64 bits limbs in MPI,
+ * which prevents us from using a uniform access method as for p192.
+ *
+ * So, we define a mini abstraction layer to access 32 bit chunks,
+ * load them in 'cur' for work, and store them back from 'cur' when done.
+ *
+ * While at it, also define the size of N in terms of 32-bit chunks.
+ */
+#define LOAD32 cur = A(i);
+
+#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
+
+#define MAX32 N->n
+#define A(j) N->p[j]
+#define STORE32 N->p[i] = cur;
+
+#else /* 64-bit */
+
+#define MAX32 N->n * 2
+#define A(j) (j) % 2 ? (uint32_t) (N->p[(j)/2] >> 32) : \
+ (uint32_t) (N->p[(j)/2])
+#define STORE32 \
+ if (i % 2) { \
+ N->p[i/2] &= 0x00000000FFFFFFFF; \
+ N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32; \
+ } else { \
+ N->p[i/2] &= 0xFFFFFFFF00000000; \
+ N->p[i/2] |= (mbedtls_mpi_uint) cur; \
+ }
+
+#endif /* sizeof( mbedtls_mpi_uint ) */
+
+/*
+ * Helpers for addition and subtraction of chunks, with signed carry.
+ */
+static inline void add32(uint32_t *dst, uint32_t src, signed char *carry)
+{
+ *dst += src;
+ *carry += (*dst < src);
+}
+
+static inline void sub32(uint32_t *dst, uint32_t src, signed char *carry)
+{
+ *carry -= (*dst < src);
+ *dst -= src;
+}
+
+#define ADD(j) add32(&cur, A(j), &c);
+#define SUB(j) sub32(&cur, A(j), &c);
+
+/*
+ * Helpers for the main 'loop'
+ */
+#define INIT(b) \
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; \
+ signed char c = 0, cc; \
+ uint32_t cur; \
+ size_t i = 0, bits = (b); \
+ /* N is the size of the product of two b-bit numbers, plus one */ \
+ /* limb for fix_negative */ \
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, (b) * 2 / biL + 1)); \
+ LOAD32;
+
+#define NEXT \
+ STORE32; i++; LOAD32; \
+ cc = c; c = 0; \
+ if (cc < 0) \
+ sub32(&cur, -cc, &c); \
+ else \
+ add32(&cur, cc, &c); \
+
+#define LAST \
+ STORE32; i++; \
+ cur = c > 0 ? c : 0; STORE32; \
+ cur = 0; while (++i < MAX32) { STORE32; } \
+ if (c < 0) mbedtls_ecp_fix_negative(N, c, bits);
+
+/*
+ * If the result is negative, we get it in the form
+ * c * 2^bits + N, with c negative and N positive shorter than 'bits'
+ */
+static void mbedtls_ecp_fix_negative(mbedtls_mpi *N, signed char c, size_t bits)
+{
+ size_t i;
+
+ /* Set N := 2^bits - 1 - N. We know that 0 <= N < 2^bits, so
+ * set the absolute value to 0xfff...fff - N. There is no carry
+ * since we're subtracting from all-bits-one. */
+ for (i = 0; i <= bits / 8 / sizeof(mbedtls_mpi_uint); i++) {
+ N->p[i] = ~(mbedtls_mpi_uint) 0 - N->p[i];
+ }
+ /* Add 1, taking care of the carry. */
+ i = 0;
+ do {
+ ++N->p[i];
+ } while (N->p[i++] == 0 && i <= bits / 8 / sizeof(mbedtls_mpi_uint));
+ /* Invert the sign.
+ * Now N = N0 - 2^bits where N0 is the initial value of N. */
+ N->s = -1;
+
+ /* Add |c| * 2^bits to the absolute value. Since c and N are
+ * negative, this adds c * 2^bits. */
+ mbedtls_mpi_uint msw = (mbedtls_mpi_uint) -c;
+#if defined(MBEDTLS_HAVE_INT64)
+ if (bits == 224) {
+ msw <<= 32;
+ }
+#endif
+ N->p[bits / 8 / sizeof(mbedtls_mpi_uint)] += msw;
+}
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
+ */
+static int ecp_mod_p224(mbedtls_mpi *N)
+{
+ INIT(224);
+
+ SUB(7); SUB(11); NEXT; // A0 += -A7 - A11
+ SUB(8); SUB(12); NEXT; // A1 += -A8 - A12
+ SUB(9); SUB(13); NEXT; // A2 += -A9 - A13
+ SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11
+ SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12
+ SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13
+ SUB(13); ADD(10); LAST; // A6 += -A13 + A10
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
+ */
+static int ecp_mod_p256(mbedtls_mpi *N)
+{
+ INIT(256);
+
+ ADD(8); ADD(9);
+ SUB(11); SUB(12); SUB(13); SUB(14); NEXT; // A0
+
+ ADD(9); ADD(10);
+ SUB(12); SUB(13); SUB(14); SUB(15); NEXT; // A1
+
+ ADD(10); ADD(11);
+ SUB(13); SUB(14); SUB(15); NEXT; // A2
+
+ ADD(11); ADD(11); ADD(12); ADD(12); ADD(13);
+ SUB(15); SUB(8); SUB(9); NEXT; // A3
+
+ ADD(12); ADD(12); ADD(13); ADD(13); ADD(14);
+ SUB(9); SUB(10); NEXT; // A4
+
+ ADD(13); ADD(13); ADD(14); ADD(14); ADD(15);
+ SUB(10); SUB(11); NEXT; // A5
+
+ ADD(14); ADD(14); ADD(15); ADD(15); ADD(14); ADD(13);
+ SUB(8); SUB(9); NEXT; // A6
+
+ ADD(15); ADD(15); ADD(15); ADD(8);
+ SUB(10); SUB(11); SUB(12); SUB(13); LAST; // A7
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
+ */
+static int ecp_mod_p384(mbedtls_mpi *N)
+{
+ INIT(384);
+
+ ADD(12); ADD(21); ADD(20);
+ SUB(23); NEXT; // A0
+
+ ADD(13); ADD(22); ADD(23);
+ SUB(12); SUB(20); NEXT; // A2
+
+ ADD(14); ADD(23);
+ SUB(13); SUB(21); NEXT; // A2
+
+ ADD(15); ADD(12); ADD(20); ADD(21);
+ SUB(14); SUB(22); SUB(23); NEXT; // A3
+
+ ADD(21); ADD(21); ADD(16); ADD(13); ADD(12); ADD(20); ADD(22);
+ SUB(15); SUB(23); SUB(23); NEXT; // A4
+
+ ADD(22); ADD(22); ADD(17); ADD(14); ADD(13); ADD(21); ADD(23);
+ SUB(16); NEXT; // A5
+
+ ADD(23); ADD(23); ADD(18); ADD(15); ADD(14); ADD(22);
+ SUB(17); NEXT; // A6
+
+ ADD(19); ADD(16); ADD(15); ADD(23);
+ SUB(18); NEXT; // A7
+
+ ADD(20); ADD(17); ADD(16);
+ SUB(19); NEXT; // A8
+
+ ADD(21); ADD(18); ADD(17);
+ SUB(20); NEXT; // A9
+
+ ADD(22); ADD(19); ADD(18);
+ SUB(21); NEXT; // A10
+
+ ADD(23); ADD(20); ADD(19);
+ SUB(22); LAST; // A11
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#undef A
+#undef LOAD32
+#undef STORE32
+#undef MAX32
+#undef INIT
+#undef NEXT
+#undef LAST
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
+ MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
+ MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+/*
+ * Here we have an actual Mersenne prime, so things are more straightforward.
+ * However, chunks are aligned on a 'weird' boundary (521 bits).
+ */
+
+/* Size of p521 in terms of mbedtls_mpi_uint */
+#define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
+
+/* Bits to keep in the most significant mbedtls_mpi_uint */
+#define P521_MASK 0x01FF
+
+/*
+ * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
+ * Write N as A1 + 2^521 A0, return A0 + A1
+ */
+static int ecp_mod_p521(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_mpi M;
+ mbedtls_mpi_uint Mp[P521_WIDTH + 1];
+ /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
+ * we need to hold bits 513 to 1056, which is 34 limbs, that is
+ * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
+
+ if (N->n < P521_WIDTH) {
+ return 0;
+ }
+
+ /* M = A1 */
+ M.s = 1;
+ M.n = N->n - (P521_WIDTH - 1);
+ if (M.n > P521_WIDTH + 1) {
+ M.n = P521_WIDTH + 1;
+ }
+ M.p = Mp;
+ memcpy(Mp, N->p + P521_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 521 % (8 * sizeof(mbedtls_mpi_uint))));
+
+ /* N = A0 */
+ N->p[P521_WIDTH - 1] &= P521_MASK;
+ for (i = P521_WIDTH; i < N->n; i++) {
+ N->p[i] = 0;
+ }
+
+ /* N = A0 + A1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
+
+cleanup:
+ return ret;
+}
+
+#undef P521_WIDTH
+#undef P521_MASK
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/* Size of p255 in terms of mbedtls_mpi_uint */
+#define P255_WIDTH (255 / 8 / sizeof(mbedtls_mpi_uint) + 1)
+
+/*
+ * Fast quasi-reduction modulo p255 = 2^255 - 19
+ * Write N as A0 + 2^256 A1, return A0 + 38 * A1
+ */
+static int ecp_mod_p255(mbedtls_mpi *N)
+{
+ mbedtls_mpi_uint Mp[P255_WIDTH];
+
+ /* Helper references for top part of N */
+ mbedtls_mpi_uint * const NT_p = N->p + P255_WIDTH;
+ const size_t NT_n = N->n - P255_WIDTH;
+ if (N->n <= P255_WIDTH) {
+ return 0;
+ }
+ if (NT_n > P255_WIDTH) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Split N as N + 2^256 M */
+ memcpy(Mp, NT_p, sizeof(mbedtls_mpi_uint) * NT_n);
+ memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n);
+
+ /* N = A0 + 38 * A1 */
+ mbedtls_mpi_core_mla(N->p, P255_WIDTH + 1,
+ Mp, NT_n,
+ 38);
+
+ return 0;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+
+/* Size of p448 in terms of mbedtls_mpi_uint */
+#define P448_WIDTH (448 / 8 / sizeof(mbedtls_mpi_uint))
+
+/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
+#define DIV_ROUND_UP(X, Y) (((X) + (Y) -1) / (Y))
+#define P224_SIZE (224 / 8)
+#define P224_WIDTH_MIN (P224_SIZE / sizeof(mbedtls_mpi_uint))
+#define P224_WIDTH_MAX DIV_ROUND_UP(P224_SIZE, sizeof(mbedtls_mpi_uint))
+#define P224_UNUSED_BITS ((P224_WIDTH_MAX * sizeof(mbedtls_mpi_uint) * 8) - 224)
+
+/*
+ * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
+ * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
+ * A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
+ * implementation of Curve448, which uses its own special 56-bit limbs rather
+ * than a generic bignum library. We could squeeze some extra speed out on
+ * 32-bit machines by splitting N up into 32-bit limbs and doing the
+ * arithmetic using the limbs directly as we do for the NIST primes above,
+ * but for 64-bit targets it should use half the number of operations if we do
+ * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
+ */
+static int ecp_mod_p448(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_mpi M, Q;
+ mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
+
+ if (N->n <= P448_WIDTH) {
+ return 0;
+ }
+
+ /* M = A1 */
+ M.s = 1;
+ M.n = N->n - (P448_WIDTH);
+ if (M.n > P448_WIDTH) {
+ /* Shouldn't be called with N larger than 2^896! */
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ M.p = Mp;
+ memset(Mp, 0, sizeof(Mp));
+ memcpy(Mp, N->p + P448_WIDTH, M.n * sizeof(mbedtls_mpi_uint));
+
+ /* N = A0 */
+ for (i = P448_WIDTH; i < N->n; i++) {
+ N->p[i] = 0;
+ }
+
+ /* N += A1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
+
+ /* Q = B1, N += B1 */
+ Q = M;
+ Q.p = Qp;
+ memcpy(Qp, Mp, sizeof(Qp));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Q, 224));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &Q));
+
+ /* M = (B0 + B1) * 2^224, N += M */
+ if (sizeof(mbedtls_mpi_uint) > 4) {
+ Mp[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
+ }
+ for (i = P224_WIDTH_MAX; i < M.n; ++i) {
+ Mp[i] = 0;
+ }
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&M, &M, &Q));
+ M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&M, 224));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo P = 2^s - R,
+ * with R about 33 bits, used by the Koblitz curves.
+ *
+ * Write N as A0 + 2^224 A1, return A0 + R * A1.
+ * Actually do two passes, since R is big.
+ */
+#define P_KOBLITZ_MAX (256 / 8 / sizeof(mbedtls_mpi_uint)) // Max limbs in P
+#define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
+static inline int ecp_mod_koblitz(mbedtls_mpi *N, const mbedtls_mpi_uint *Rp, size_t p_limbs,
+ size_t adjust, size_t shift, mbedtls_mpi_uint mask)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_mpi M, R;
+ mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
+
+ if (N->n < p_limbs) {
+ return 0;
+ }
+
+ /* Init R */
+ R.s = 1;
+ R.p = (mbedtls_mpi_uint *) Rp; /* R.p will not be modified so the cast is safe */
+ R.n = P_KOBLITZ_R;
+
+ /* Common setup for M */
+ M.s = 1;
+ M.p = Mp;
+
+ /* M = A1 */
+ M.n = (unsigned short) (N->n - (p_limbs - adjust));
+ if (M.n > p_limbs + adjust) {
+ M.n = (unsigned short) (p_limbs + adjust);
+ }
+ memset(Mp, 0, sizeof(Mp));
+ memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
+ if (shift != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
+ }
+ M.n += R.n; /* Make room for multiplication by R */
+
+ /* N = A0 */
+ if (mask != 0) {
+ N->p[p_limbs - 1] &= mask;
+ }
+ for (i = p_limbs; i < N->n; i++) {
+ N->p[i] = 0;
+ }
+
+ /* N = A0 + R * A1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
+
+ /* Second pass */
+
+ /* M = A1 */
+ M.n = (unsigned short) (N->n - (p_limbs - adjust));
+ if (M.n > p_limbs + adjust) {
+ M.n = (unsigned short) (p_limbs + adjust);
+ }
+ memset(Mp, 0, sizeof(Mp));
+ memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
+ if (shift != 0) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
+ }
+ M.n += R.n; /* Make room for multiplication by R */
+
+ /* N = A0 */
+ if (mask != 0) {
+ N->p[p_limbs - 1] &= mask;
+ }
+ for (i = p_limbs; i < N->n; i++) {
+ N->p[i] = 0;
+ }
+
+ /* N = A0 + R * A1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
+ MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
+ MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
+ */
+static int ecp_mod_p192k1(mbedtls_mpi *N)
+{
+ static const mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00)
+ };
+
+ return ecp_mod_koblitz(N, Rp, 192 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
+ 0);
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ */
+static int ecp_mod_p224k1(mbedtls_mpi *N)
+{
+ static const mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00)
+ };
+
+#if defined(MBEDTLS_HAVE_INT64)
+ return ecp_mod_koblitz(N, Rp, 4, 1, 32, 0xFFFFFFFF);
+#else
+ return ecp_mod_koblitz(N, Rp, 224 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
+ 0);
+#endif
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ */
+static int ecp_mod_p256k1(mbedtls_mpi *N)
+{
+ static const mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00)
+ };
+ return ecp_mod_koblitz(N, Rp, 256 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
+ 0);
+}
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+MBEDTLS_STATIC_TESTABLE
+mbedtls_ecp_variant mbedtls_ecp_get_variant(void)
+{
+ return MBEDTLS_ECP_VARIANT_WITH_MPI_STRUCT;
+}
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* !MBEDTLS_ECP_ALT */
+
+#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/library/ecp_curves_new.c b/library/ecp_curves_new.c
new file mode 100644
index 0000000..035b23a
--- /dev/null
+++ b/library/ecp_curves_new.c
@@ -0,0 +1,6036 @@
+/*
+ * Elliptic curves over GF(p): curve-specific data and functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ECP_WITH_MPI_UINT)
+
+#if defined(MBEDTLS_ECP_LIGHT)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "mbedtls/platform.h"
+
+#include "constant_time_internal.h"
+
+#include "bn_mul.h"
+#include "bignum_core.h"
+#include "ecp_invasive.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECP_ALT)
+
+#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
+
+#define ECP_MPI_INIT_ARRAY(x) \
+ ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
+
+#define ECP_POINT_INIT_XY_Z0(x, y) { \
+ ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(NULL, 0) }
+#define ECP_POINT_INIT_XY_Z1(x, y) { \
+ ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(mpi_one, 1) }
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/* For these curves, we build the group parameters dynamically. */
+#define ECP_LOAD_GROUP
+static mbedtls_mpi_uint mpi_one[] = { 1 };
+#endif
+
+/*
+ * Note: the constants are in little-endian order
+ * to be directly usable in MPIs
+ */
+
+/*
+ * Domain parameters for secp192r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static const mbedtls_mpi_uint secp192r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp192r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64),
+};
+static const mbedtls_mpi_uint secp192r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
+};
+static const mbedtls_mpi_uint secp192r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
+};
+static const mbedtls_mpi_uint secp192r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp192r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18),
+};
+static const mbedtls_mpi_uint secp192r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07),
+};
+static const mbedtls_mpi_uint secp192r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x9E, 0xE3, 0x60, 0x59, 0xD1, 0xC4, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBD, 0x22, 0xD7, 0x2D, 0x07, 0xBD, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x2A, 0xCF, 0x33, 0xF0, 0xBE, 0xD1, 0xED),
+};
+static const mbedtls_mpi_uint secp192r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x71, 0x4B, 0xA8, 0xED, 0x7E, 0xC9, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x2A, 0xF6, 0xDF, 0x0E, 0xE8, 0x4C, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x35, 0xF7, 0x8A, 0xC3, 0xEC, 0xDE, 0x1E),
+};
+static const mbedtls_mpi_uint secp192r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0xC2, 0x1D, 0x32, 0x8F, 0x10, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x2D, 0x17, 0xF3, 0xE4, 0xFE, 0xD8, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x45, 0x10, 0x70, 0x2C, 0x3E, 0x52, 0x3E),
+};
+static const mbedtls_mpi_uint secp192r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF1, 0x04, 0x5D, 0xEE, 0xD4, 0x56, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xB7, 0x38, 0x27, 0x61, 0xAA, 0x81, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0xD7, 0x0E, 0x29, 0x0E, 0x11, 0x14),
+};
+static const mbedtls_mpi_uint secp192r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x35, 0x52, 0xC6, 0x31, 0xB7, 0x27, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xD4, 0x15, 0x98, 0x0F, 0xE7, 0xF3, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x31, 0x70, 0x35, 0x09, 0xA0, 0x2B, 0xC2),
+};
+static const mbedtls_mpi_uint secp192r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x75, 0xA7, 0x4C, 0x88, 0xCF, 0x5B, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x17, 0x48, 0x8D, 0xF2, 0xF0, 0x86, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCF, 0xFE, 0x6B, 0xB0, 0xA5, 0x06, 0xAB),
+};
+static const mbedtls_mpi_uint secp192r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x6A, 0xDC, 0x9A, 0x6D, 0x7B, 0x47, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xFC, 0x51, 0x12, 0x62, 0x66, 0x0B, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x40, 0x93, 0xA0, 0xB5, 0x5A, 0x58, 0xD7),
+};
+static const mbedtls_mpi_uint secp192r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCB, 0xAF, 0xDC, 0x0B, 0xA1, 0x26, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x36, 0x9D, 0xA3, 0xD7, 0x3B, 0xAD, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x3B, 0x05, 0x9A, 0xA8, 0xAA, 0x69, 0xB2),
+};
+static const mbedtls_mpi_uint secp192r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD9, 0xD1, 0x4D, 0x4A, 0x6E, 0x96, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x66, 0x32, 0x39, 0xC6, 0x57, 0x7D, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xA0, 0x36, 0xC2, 0x45, 0xF9, 0x00, 0x62),
+};
+static const mbedtls_mpi_uint secp192r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xEF, 0x59, 0x46, 0xDC, 0x60, 0xD9, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xB0, 0xE9, 0x41, 0xA4, 0x87, 0x76, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xD4, 0x0E, 0xB2, 0xFA, 0x16, 0x56, 0xDC),
+};
+static const mbedtls_mpi_uint secp192r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x62, 0xD2, 0xB1, 0x34, 0xB2, 0xF1, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xED, 0x55, 0xC5, 0x47, 0xB5, 0x07, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF6, 0x2F, 0x94, 0xC3, 0xDD, 0x54, 0x2F),
+};
+static const mbedtls_mpi_uint secp192r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xA6, 0xD4, 0x8C, 0xA9, 0xCE, 0x4D, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x4B, 0x46, 0xCC, 0xB2, 0x55, 0xC8, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x31, 0xED, 0x89, 0x65, 0x59, 0x55),
+};
+static const mbedtls_mpi_uint secp192r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x0A, 0xD1, 0x1A, 0xC5, 0xF6, 0xEA, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xFC, 0x0C, 0x1A, 0xFB, 0xA0, 0xC8, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xFD, 0x53, 0x6F, 0x6D, 0xBF, 0xBA, 0xAF),
+};
+static const mbedtls_mpi_uint secp192r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xB0, 0x7D, 0x83, 0x96, 0xE3, 0xCB, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x6E, 0x55, 0x2C, 0x20, 0x53, 0x2F, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x66, 0x00, 0x17, 0x08, 0xFE, 0xAC, 0x31),
+};
+static const mbedtls_mpi_uint secp192r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x12, 0x97, 0x3A, 0xC7, 0x57, 0x45, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x25, 0x99, 0x00, 0xF6, 0x97, 0xB4, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x74, 0xE6, 0xE6, 0xA3, 0xDF, 0x9C, 0xCC),
+};
+static const mbedtls_mpi_uint secp192r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xF4, 0x76, 0xD5, 0x5F, 0x2A, 0xFD, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x80, 0x7E, 0x3E, 0xE5, 0xE8, 0xD6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xAD, 0x1E, 0x70, 0x79, 0x3E, 0x3D, 0x83),
+};
+static const mbedtls_mpi_uint secp192r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x15, 0xBB, 0xB3, 0x42, 0x6A, 0xA1, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x58, 0xCB, 0x43, 0x25, 0x00, 0x14, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x4E, 0x93, 0x11, 0xE0, 0x32, 0x54, 0x98),
+};
+static const mbedtls_mpi_uint secp192r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x52, 0xA2, 0xB4, 0x57, 0x32, 0xB9, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x43, 0xA1, 0xB1, 0xFB, 0x01, 0xE1, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xFB, 0x5A, 0x11, 0xB8, 0xC2, 0x03, 0xE5),
+};
+static const mbedtls_mpi_uint secp192r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x2B, 0x71, 0x26, 0x4E, 0x7C, 0xC5, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF5, 0xD3, 0xA8, 0xE4, 0x95, 0x48, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAE, 0xD9, 0x5D, 0x9F, 0x6A, 0x22, 0xAD),
+};
+static const mbedtls_mpi_uint secp192r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xCC, 0xA3, 0x4D, 0xA0, 0x1C, 0x34, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x3C, 0x62, 0xF8, 0x5E, 0xA6, 0x58, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x6E, 0x66, 0x8A, 0x3D, 0x17, 0xFF, 0x0F),
+};
+static const mbedtls_mpi_uint secp192r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xCD, 0xA8, 0xDD, 0xD1, 0x20, 0x5C, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xFE, 0x17, 0xE2, 0xCF, 0xEA, 0x63, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x51, 0xC9, 0x16, 0xDE, 0xB4, 0xB2, 0xDD),
+};
+static const mbedtls_mpi_uint secp192r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBE, 0x12, 0xD7, 0xA3, 0x0A, 0x50, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x87, 0xC5, 0x8A, 0x76, 0x57, 0x07, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x1F, 0xC6, 0x1B, 0x66, 0xC4, 0x3D, 0x8A),
+};
+static const mbedtls_mpi_uint secp192r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xA4, 0x85, 0x13, 0x8F, 0xA7, 0x35, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x0D, 0xFD, 0xFF, 0x1B, 0xD1, 0xD6, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x7A, 0xD0, 0xC3, 0xB4, 0xEF, 0x39, 0x66),
+};
+static const mbedtls_mpi_uint secp192r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xFE, 0xA5, 0x9C, 0x34, 0x30, 0x49, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xC5, 0x39, 0x26, 0x06, 0xE3, 0x01, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x2B, 0x66, 0xFC, 0x95, 0x5F, 0x35, 0xF7),
+};
+static const mbedtls_mpi_uint secp192r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xCF, 0x54, 0x63, 0x99, 0x57, 0x05, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x6F, 0x00, 0x5F, 0x65, 0x08, 0x47, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x2A, 0x90, 0x6D, 0x67, 0xC6, 0xBC, 0x45),
+};
+static const mbedtls_mpi_uint secp192r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x4D, 0x88, 0x0A, 0x35, 0x9E, 0x33, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x17, 0x0C, 0xF8, 0xE1, 0x7A, 0x49, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x44, 0x06, 0x8F, 0x0B, 0x70, 0x2F, 0x71),
+};
+static const mbedtls_mpi_uint secp192r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4B, 0xCB, 0xF9, 0x8E, 0x6A, 0xDA, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x43, 0xA1, 0x3F, 0xCE, 0x17, 0xD2, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x0D, 0xD2, 0x6C, 0x82, 0x37, 0xE5, 0xFC),
+};
+static const mbedtls_mpi_uint secp192r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x3C, 0xF4, 0x92, 0xB4, 0x8A, 0x95, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x96, 0xF1, 0x0A, 0x34, 0x2F, 0x74, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0xAA, 0xBA, 0x86, 0x77, 0x4F, 0xA2),
+};
+static const mbedtls_mpi_uint secp192r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x7F, 0xEF, 0x60, 0x50, 0x80, 0xD7, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xAC, 0xC9, 0xFE, 0xEC, 0x0A, 0x1A, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x2F, 0xBE, 0x91, 0xD7, 0xB7, 0x38, 0x48),
+};
+static const mbedtls_mpi_uint secp192r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xAE, 0x85, 0x98, 0xFE, 0x05, 0x7F, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBE, 0xFD, 0x11, 0x31, 0x3D, 0x14, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x75, 0xE8, 0x30, 0x01, 0xCB, 0x9B, 0x1C),
+};
+static const mbedtls_ecp_point secp192r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp192r1_T_0_X, secp192r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_1_X, secp192r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_2_X, secp192r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_3_X, secp192r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_4_X, secp192r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_5_X, secp192r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_6_X, secp192r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_7_X, secp192r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_8_X, secp192r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_9_X, secp192r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_10_X, secp192r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_11_X, secp192r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_12_X, secp192r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_13_X, secp192r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_14_X, secp192r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp192r1_T_15_X, secp192r1_T_15_Y),
+};
+#else
+#define secp192r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+/*
+ * Domain parameters for secp224r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static const mbedtls_mpi_uint secp224r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x85, 0x0A, 0x05, 0xB4),
+};
+static const mbedtls_mpi_uint secp224r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xBD, 0x0C, 0x0E, 0xB7),
+};
+static const mbedtls_mpi_uint secp224r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x88, 0x63, 0x37, 0xBD),
+};
+static const mbedtls_mpi_uint secp224r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp224r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x0C, 0x0E, 0xB7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x63, 0x37, 0xBD, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF9, 0xB8, 0xD0, 0x3D, 0xD2, 0xD3, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xFD, 0x99, 0x26, 0x19, 0xFE, 0x13, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x0E, 0x4C, 0x48, 0x7C, 0xA2, 0x17, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA3, 0x13, 0x57, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x16, 0x5C, 0x8F, 0xAA, 0xED, 0x0F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xC5, 0x43, 0x34, 0x93, 0x05, 0x2A, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE3, 0x6C, 0xCA, 0xC6, 0x14, 0xC2, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x43, 0x6C, 0xD7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x5A, 0x98, 0x1E, 0xC8, 0xA5, 0x42, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x49, 0x56, 0x78, 0xF8, 0xEF, 0xED, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xBB, 0x64, 0xB6, 0x4C, 0x54, 0x5F, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x0C, 0x33, 0xCC, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x79, 0xCB, 0x2E, 0x08, 0xFF, 0xD8, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x1F, 0xD4, 0xD7, 0x57, 0xE9, 0x39, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xD6, 0x3B, 0x0A, 0x1C, 0x87, 0xB7, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x30, 0xD8, 0x05, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x79, 0x74, 0x9A, 0xE6, 0xBB, 0xC2, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x5B, 0xA6, 0x67, 0xC1, 0x91, 0xE7, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xDF, 0x38, 0x82, 0x19, 0x2C, 0x4C, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x2E, 0x39, 0xC5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x36, 0x78, 0x4E, 0xAE, 0x5B, 0x02, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF6, 0x8B, 0xF8, 0xF4, 0x92, 0x6B, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x4D, 0x71, 0x35, 0xE7, 0x0C, 0x2C, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xA5, 0x1F, 0xAE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x1C, 0x4B, 0xDF, 0x5B, 0xF2, 0x51, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0xB1, 0x5A, 0xC6, 0x0F, 0x0E, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x24, 0x09, 0x62, 0xAF, 0xFC, 0xDB, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xE1, 0x80, 0x55, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x82, 0xFE, 0xAD, 0xC3, 0xE5, 0xCF, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xA2, 0x62, 0x17, 0x76, 0xF0, 0x5A, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB8, 0xE5, 0xAC, 0xB7, 0x66, 0x38, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xFD, 0x86, 0x05, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0x0C, 0x3C, 0xD1, 0x66, 0xB0, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x59, 0xB4, 0x8D, 0x90, 0x10, 0xB7, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x47, 0x9B, 0xE6, 0x55, 0x8A, 0xE4, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x49, 0xDB, 0x78, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x97, 0xED, 0xDE, 0xFF, 0xB3, 0xDF, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xB9, 0x83, 0xB7, 0xEB, 0xBE, 0x40, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xD3, 0xD3, 0xCD, 0x0E, 0x82, 0x79, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x83, 0x1B, 0xF0, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x22, 0xBB, 0x54, 0xD3, 0x31, 0x56, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0xE5, 0xE0, 0x89, 0x96, 0x8E, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xEF, 0x0A, 0xED, 0xD0, 0x11, 0x4A, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x00, 0x57, 0x27, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCA, 0x3D, 0xF7, 0x64, 0x9B, 0x6E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xE3, 0x70, 0x6B, 0x41, 0xD7, 0xED, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x44, 0x44, 0x80, 0xCE, 0x13, 0x37, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x73, 0x80, 0x79, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x4D, 0x70, 0x7D, 0x31, 0x0F, 0x1C, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x35, 0x88, 0x47, 0xC4, 0x24, 0x78, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF0, 0xCD, 0x91, 0x81, 0xB3, 0xDE, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xCE, 0xC6, 0xF7, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x9C, 0x2D, 0xE8, 0xD2, 0x00, 0x8F, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x5E, 0x7C, 0x0E, 0x0C, 0x6E, 0x58, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x81, 0x21, 0xCE, 0x43, 0xF4, 0x24, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xBC, 0xF0, 0xF4, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x10, 0xC2, 0x74, 0x4A, 0x8F, 0x8A, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x67, 0xF4, 0x2B, 0x38, 0x2B, 0x35, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0C, 0xA9, 0xFA, 0x77, 0x5C, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x19, 0x2B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x3E, 0x96, 0x22, 0x53, 0xE1, 0xE9, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x13, 0xBC, 0xA1, 0x16, 0xEC, 0x01, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x00, 0xC9, 0x7A, 0xC3, 0x73, 0xA5, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xF4, 0x5E, 0xC1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x95, 0xD6, 0xD9, 0x32, 0x30, 0x2B, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x42, 0x09, 0x05, 0x61, 0x2A, 0x7E, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x84, 0xA2, 0x05, 0x88, 0x64, 0x65, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2D, 0x90, 0xB3, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE7, 0x2E, 0x85, 0x55, 0x80, 0x7C, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC1, 0xAC, 0x78, 0xB4, 0xAF, 0xFB, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xC3, 0x28, 0x8E, 0x79, 0x18, 0x1F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x46, 0xCF, 0x49, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x5F, 0xA8, 0x6C, 0x46, 0x83, 0x43, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xA9, 0x93, 0x11, 0xB6, 0x07, 0x57, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x2A, 0x9D, 0x03, 0x89, 0x7E, 0xD7, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x8C, 0x62, 0xCF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x2C, 0x13, 0x59, 0xCC, 0xFA, 0x84, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB9, 0x48, 0xBC, 0x57, 0xC7, 0xB3, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x0A, 0x38, 0x24, 0x2E, 0x3A, 0x28, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x0A, 0x43, 0xB8, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x25, 0xAB, 0xC1, 0xEE, 0x70, 0x3C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xDB, 0x45, 0x1D, 0x4A, 0x80, 0x75, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1F, 0x4D, 0x2D, 0x9A, 0x05, 0xF4, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x10, 0xF0, 0x5A, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x95, 0xE1, 0xDC, 0x15, 0x86, 0xC3, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xDC, 0x27, 0xD1, 0x56, 0xA1, 0x14, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x0B, 0xD6, 0x77, 0x4E, 0x44, 0xA2, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x42, 0x71, 0x1F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x86, 0xB2, 0xB0, 0xC8, 0x2F, 0x7B, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xEF, 0xCB, 0xDB, 0xBC, 0x9E, 0x3B, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x03, 0x86, 0xDD, 0x5B, 0xF5, 0x8D, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x95, 0x79, 0xD6, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x32, 0x14, 0xDA, 0x9B, 0x4F, 0x07, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x3E, 0xFB, 0x06, 0xEE, 0xA7, 0x40, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x1F, 0xDF, 0x71, 0x61, 0xFD, 0x8B, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x8B, 0xAB, 0x8B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x34, 0xB3, 0xB4, 0xBC, 0x9F, 0xB0, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x58, 0x48, 0xA8, 0x77, 0xBB, 0x13, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC6, 0xF7, 0x34, 0xCC, 0x89, 0x21, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x33, 0xDD, 0x1F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x81, 0xEF, 0xA4, 0xF2, 0x10, 0x0B, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF7, 0x6E, 0x72, 0x4A, 0xDF, 0xDD, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x23, 0x0A, 0x53, 0x03, 0x16, 0x62, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x76, 0xFD, 0x3C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x14, 0xA1, 0xFA, 0xA0, 0x18, 0xBE, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x2A, 0xE1, 0xD7, 0xB0, 0x6C, 0xA0, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xC0, 0xB0, 0xC6, 0x63, 0x24, 0xCD, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x38, 0x2C, 0xB1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCD, 0x7D, 0x20, 0x0C, 0xFE, 0xAC, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x9F, 0xA2, 0xB6, 0x45, 0xF7, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x99, 0xF3, 0xD2, 0x20, 0x02, 0xEB, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x5B, 0x7B, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xDD, 0x77, 0x91, 0x60, 0xEA, 0xFD, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xD3, 0xB5, 0xD6, 0x90, 0x17, 0x0E, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xF4, 0x28, 0xC1, 0xF2, 0x53, 0xF6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x58, 0xDC, 0x61, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x20, 0x01, 0xFB, 0xF1, 0xBD, 0x5F, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x7F, 0x06, 0xDA, 0x11, 0xCB, 0xBA, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x41, 0x00, 0xA4, 0x1B, 0x30, 0x33, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xFF, 0x27, 0xCA, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp224r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp224r1_T_0_X, secp224r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_1_X, secp224r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_2_X, secp224r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_3_X, secp224r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_4_X, secp224r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_5_X, secp224r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_6_X, secp224r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_7_X, secp224r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_8_X, secp224r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_9_X, secp224r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_10_X, secp224r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_11_X, secp224r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_12_X, secp224r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_13_X, secp224r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_14_X, secp224r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp224r1_T_15_X, secp224r1_T_15_Y),
+};
+#else
+#define secp224r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+/*
+ * Domain parameters for secp256r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static const mbedtls_mpi_uint secp256r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp256r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A),
+};
+static const mbedtls_mpi_uint secp256r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
+};
+static const mbedtls_mpi_uint secp256r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
+};
+static const mbedtls_mpi_uint secp256r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp256r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B),
+};
+static const mbedtls_mpi_uint secp256r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F),
+};
+static const mbedtls_mpi_uint secp256r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xC8, 0xBA, 0x04, 0xB7, 0x4B, 0xD2, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC6, 0x23, 0x3A, 0xA0, 0x09, 0x3A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x9D, 0x4C, 0xF9, 0x58, 0x23, 0xCC, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xED, 0x7B, 0x29, 0x87, 0x0F, 0xFA, 0x3C),
+};
+static const mbedtls_mpi_uint secp256r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x69, 0xF2, 0x40, 0x0B, 0xA3, 0x98, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xA8, 0x48, 0x02, 0x0D, 0x1C, 0x12, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xAF, 0x09, 0x83, 0x80, 0xAA, 0x58, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x12, 0xBE, 0x70, 0x94, 0x76, 0xE3, 0xE4),
+};
+static const mbedtls_mpi_uint secp256r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x7D, 0xEF, 0x86, 0xFF, 0xE3, 0x37, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x86, 0x8B, 0x08, 0x27, 0x7C, 0xD7, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x54, 0x4C, 0x25, 0x4F, 0x9A, 0xFE, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xFD, 0xF0, 0x6D, 0x37, 0x03, 0x69, 0xD6),
+};
+static const mbedtls_mpi_uint secp256r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xD5, 0xDA, 0xAD, 0x92, 0x49, 0xF0, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x73, 0x43, 0x9E, 0xAF, 0xA7, 0xD1, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x41, 0x07, 0xDF, 0x78, 0x95, 0x3E, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x3D, 0xD1, 0xE6, 0x3C, 0xA5, 0xE2, 0x20),
+};
+static const mbedtls_mpi_uint secp256r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x6A, 0x5D, 0x52, 0x35, 0xD7, 0xBF, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xA2, 0xBE, 0x96, 0xF4, 0xF8, 0x02, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x20, 0x49, 0x54, 0xEA, 0xB3, 0x82, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0xDB, 0xEA, 0x02, 0xD1, 0x75, 0x1C, 0x62),
+};
+static const mbedtls_mpi_uint secp256r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x85, 0xF4, 0x9E, 0x4C, 0xDC, 0x39, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x6D, 0xC4, 0x57, 0xD8, 0x03, 0x5D, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x7F, 0x2D, 0x52, 0x6F, 0xC9, 0xDA, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x64, 0xFA, 0xB4, 0xFE, 0xA4, 0xC4, 0xD7),
+};
+static const mbedtls_mpi_uint secp256r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x37, 0xB9, 0xC0, 0xAA, 0x59, 0xC6, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x58, 0xD9, 0xED, 0x58, 0x99, 0x65, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x7D, 0x26, 0x8C, 0x4A, 0xF9, 0x05, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x73, 0x9A, 0xC9, 0xE7, 0x46, 0xDC, 0x00),
+};
+static const mbedtls_mpi_uint secp256r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xD0, 0x55, 0xDF, 0x00, 0x0A, 0xF5, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xBF, 0x56, 0x81, 0x2D, 0x20, 0xEB, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC1, 0x28, 0x52, 0xAB, 0xE3, 0xD1, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x34, 0x79, 0x45, 0x57, 0xA5, 0x12, 0x03),
+};
+static const mbedtls_mpi_uint secp256r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xCF, 0xB8, 0x7E, 0xF7, 0x92, 0x96, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x01, 0x8C, 0x0D, 0x23, 0xF2, 0xE3, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x2E, 0xE3, 0x84, 0x52, 0x7A, 0x34, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xA1, 0xB0, 0x15, 0x90, 0xE2, 0x53, 0x3C),
+};
+static const mbedtls_mpi_uint secp256r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x98, 0xE7, 0xFA, 0xA5, 0x7D, 0x8B, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x35, 0xD2, 0x00, 0xD1, 0x1B, 0x9F, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x69, 0x08, 0x9A, 0x72, 0xF0, 0xA9, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xFE, 0x0E, 0x14, 0xDA, 0x7C, 0x0E, 0xD3),
+};
+static const mbedtls_mpi_uint secp256r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xF6, 0xE8, 0xF8, 0x87, 0xF7, 0xFC, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xBE, 0x7F, 0x3F, 0x7A, 0x2B, 0xD7, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x32, 0xF2, 0x2D, 0x94, 0x6D, 0x42, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x9A, 0xE3, 0x5F, 0x42, 0xBB, 0x84, 0xED),
+};
+static const mbedtls_mpi_uint secp256r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x95, 0x29, 0x73, 0xA1, 0x67, 0x3E, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x30, 0x54, 0x35, 0x8E, 0x0A, 0xDD, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xD7, 0xA1, 0x97, 0x61, 0x3B, 0xF8, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x33, 0x3C, 0x58, 0x55, 0x34, 0x23, 0xA3),
+};
+static const mbedtls_mpi_uint secp256r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x5D, 0x16, 0x5F, 0x7B, 0xBC, 0xBB, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xEE, 0x4E, 0x8A, 0xC1, 0x51, 0xCC, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0D, 0x4D, 0x1B, 0x53, 0x23, 0x1D, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x2A, 0x38, 0x66, 0x52, 0x84, 0xE1, 0x95),
+};
+static const mbedtls_mpi_uint secp256r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x9B, 0x83, 0x0A, 0x81, 0x4F, 0xAD, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xFF, 0x42, 0x41, 0x6E, 0xA9, 0xA2, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA1, 0x4F, 0x1F, 0x89, 0x82, 0xAA, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xB8, 0x0F, 0x6B, 0x8F, 0x8C, 0xD6, 0x68),
+};
+static const mbedtls_mpi_uint secp256r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0xB3, 0xBB, 0x51, 0x69, 0xA2, 0x11, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x4F, 0x0F, 0x8D, 0xBD, 0x26, 0x0F, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xCB, 0xEC, 0x6B, 0x34, 0xC3, 0x3D, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x5D, 0x1E, 0x10, 0xD5, 0x44, 0xE2, 0x54),
+};
+static const mbedtls_mpi_uint secp256r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x9E, 0xB1, 0xF1, 0x6E, 0x4C, 0xAD, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE3, 0xC2, 0x58, 0xC0, 0xFB, 0x34, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x9C, 0xDF, 0x35, 0x07, 0x41, 0xBD, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x10, 0xEC, 0x0E, 0xEC, 0xBB, 0xD6),
+};
+static const mbedtls_mpi_uint secp256r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xCF, 0xEF, 0x3F, 0x83, 0x1A, 0x88, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x29, 0xB5, 0xB9, 0xE0, 0xC9, 0xA3, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x46, 0x1E, 0x77, 0xCD, 0x7E, 0xB3, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x21, 0xD0, 0xD4, 0xA3, 0x16, 0x08, 0xEE),
+};
+static const mbedtls_mpi_uint secp256r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xCA, 0xA8, 0xB3, 0xBF, 0x29, 0x99, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF2, 0x05, 0xC1, 0xCF, 0x5D, 0x91, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x01, 0x49, 0xDB, 0x82, 0xDF, 0x5F, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x06, 0x90, 0xAD, 0xE3, 0x38, 0xA4, 0xC4),
+};
+static const mbedtls_mpi_uint secp256r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xD2, 0x3A, 0xE8, 0x03, 0xC5, 0x6D, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x35, 0xD0, 0xAE, 0x1D, 0x7A, 0x9F, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x1E, 0xD2, 0xCB, 0xAC, 0x88, 0x27, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x9C, 0xE0, 0x31, 0xDD, 0x99, 0x86),
+};
+static const mbedtls_mpi_uint secp256r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xF9, 0x9B, 0x32, 0x96, 0x41, 0x58, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x5A, 0x2A, 0xB8, 0x96, 0x0E, 0xB2, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x78, 0x2C, 0xC7, 0x08, 0x99, 0x19, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x59, 0x28, 0xE9, 0x84, 0x54, 0xE6, 0x16),
+};
+static const mbedtls_mpi_uint secp256r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x38, 0x30, 0xDB, 0x70, 0x2C, 0x0A, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x5C, 0x9D, 0xE9, 0xD5, 0x46, 0x0B, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x0B, 0x60, 0x4B, 0x37, 0x7D, 0xB9, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x24, 0xF3, 0x3D, 0x79, 0x7F, 0x6C, 0x18),
+};
+static const mbedtls_mpi_uint secp256r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7F, 0xE5, 0x1C, 0x4F, 0x60, 0x24, 0xF7, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xD8, 0xE2, 0x91, 0x7F, 0x89, 0x49, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xA7, 0x2E, 0x8D, 0x6A, 0xB3, 0x39, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x89, 0xB5, 0x9A, 0xB8, 0x8D, 0x42, 0x9C),
+};
+static const mbedtls_mpi_uint secp256r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x45, 0xE6, 0x4B, 0x3F, 0x4F, 0x1E, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x65, 0x5E, 0x59, 0x22, 0xCC, 0x72, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x93, 0x1A, 0x27, 0x1E, 0x34, 0xC5, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xF2, 0xA5, 0x58, 0x5C, 0x15, 0x2E, 0xC6),
+};
+static const mbedtls_mpi_uint secp256r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x7F, 0xBA, 0x58, 0x5A, 0x84, 0x6F, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA6, 0x36, 0x7E, 0xDC, 0xF7, 0xE1, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x4D, 0xAA, 0xEE, 0x57, 0x76, 0x3A, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x7E, 0x26, 0x18, 0x22, 0x23, 0x9F, 0xFF),
+};
+static const mbedtls_mpi_uint secp256r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x4C, 0x64, 0xC7, 0x55, 0x02, 0x3F, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x02, 0x90, 0xBB, 0xC3, 0xEC, 0x30, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x6F, 0x64, 0xF4, 0x16, 0x69, 0x48, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x44, 0x9C, 0x95, 0x0C, 0x7D, 0x67, 0x5E),
+};
+static const mbedtls_mpi_uint secp256r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x91, 0x8B, 0xD8, 0xD0, 0xD7, 0xE7, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xF9, 0x48, 0x62, 0x6F, 0xA8, 0x93, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x3A, 0x99, 0x02, 0xD5, 0x0B, 0x3D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xD3, 0x00, 0x31, 0xE6, 0x0C, 0x9F, 0x44),
+};
+static const mbedtls_mpi_uint secp256r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xB2, 0xAA, 0xFD, 0x88, 0x15, 0xDF, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0x35, 0x27, 0x31, 0x44, 0xCD, 0xC0, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xF8, 0x91, 0xA5, 0x71, 0x94, 0x84, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xCB, 0xD0, 0x93, 0xE9, 0x88, 0xDA, 0xE4),
+};
+static const mbedtls_mpi_uint secp256r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC6, 0x39, 0x16, 0x5D, 0xA3, 0x1E, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x07, 0x37, 0x26, 0x36, 0x2A, 0xFE, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xBC, 0xF3, 0xD0, 0xDE, 0x50, 0xFC, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x2E, 0x06, 0x10, 0x15, 0x4D, 0xFA, 0xF7),
+};
+static const mbedtls_mpi_uint secp256r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x65, 0x69, 0x5B, 0x66, 0xA2, 0x75, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x16, 0x00, 0x5A, 0xB0, 0x30, 0x25, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xFB, 0x86, 0x42, 0x80, 0xC1, 0xC4, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x1D, 0x83, 0x8E, 0x94, 0x01, 0x5F, 0x82),
+};
+static const mbedtls_mpi_uint secp256r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x37, 0x70, 0xEF, 0x1F, 0xA1, 0xF0, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x5B, 0xCE, 0xC4, 0x9B, 0x6F, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x11, 0x11, 0x24, 0x4F, 0x4C, 0x79, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x3A, 0x72, 0xBC, 0xFE, 0x72, 0x58, 0x43),
+};
+static const mbedtls_ecp_point secp256r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp256r1_T_0_X, secp256r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_1_X, secp256r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_2_X, secp256r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_3_X, secp256r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_4_X, secp256r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_5_X, secp256r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_6_X, secp256r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_7_X, secp256r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_8_X, secp256r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_9_X, secp256r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_10_X, secp256r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_11_X, secp256r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_12_X, secp256r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_13_X, secp256r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_14_X, secp256r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp256r1_T_15_X, secp256r1_T_15_Y),
+};
+#else
+#define secp256r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+/*
+ * Domain parameters for secp384r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static const mbedtls_mpi_uint secp384r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp384r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3),
+};
+static const mbedtls_mpi_uint secp384r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
+};
+static const mbedtls_mpi_uint secp384r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp384r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36),
+};
+static const mbedtls_mpi_uint secp384r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x92, 0x00, 0x2C, 0x78, 0xDB, 0x1F, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xF3, 0xEB, 0xB7, 0x06, 0xF7, 0xB6, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBC, 0x2C, 0xCF, 0xD8, 0xED, 0x53, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x75, 0x7B, 0xA3, 0xAB, 0xC3, 0x2C, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x9D, 0x78, 0x41, 0xF6, 0x76, 0x84, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x56, 0xE8, 0x52, 0xB3, 0xCB, 0xA8, 0xBD),
+};
+static const mbedtls_mpi_uint secp384r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xF2, 0xAE, 0xA4, 0xB6, 0x89, 0x1B, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0xCE, 0x1C, 0x7C, 0xF6, 0x50, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xEB, 0x90, 0xE6, 0x4D, 0xC7, 0xD4, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x49, 0x2D, 0x8A, 0x01, 0x99, 0x60, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x80, 0x9B, 0x9B, 0x6A, 0xB0, 0x07, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xA2, 0xEE, 0x59, 0xBE, 0x95, 0xBC, 0x23),
+};
+static const mbedtls_mpi_uint secp384r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x9D, 0x56, 0xAE, 0x59, 0xFB, 0x1F, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xAC, 0x91, 0x80, 0x87, 0xA8, 0x6E, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x08, 0xA7, 0x08, 0x94, 0x32, 0xFC, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x29, 0x9E, 0x84, 0xF4, 0xE5, 0x6E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x21, 0xB9, 0x50, 0x24, 0xF8, 0x9C, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x04, 0x01, 0xC2, 0xFB, 0x77, 0x3E, 0xDE),
+};
+static const mbedtls_mpi_uint secp384r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x38, 0xEE, 0xE3, 0xC7, 0x9D, 0xEC, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x88, 0xCF, 0x43, 0xFA, 0x92, 0x5E, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xCA, 0x43, 0xF8, 0x3B, 0x49, 0x7E, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xE7, 0xEB, 0x17, 0x45, 0x86, 0xC2, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x69, 0x57, 0x32, 0xE0, 0x9C, 0xD1, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x10, 0xB8, 0x4D, 0xB8, 0xF4, 0x0D, 0xE3),
+};
+static const mbedtls_mpi_uint secp384r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0xDC, 0x9A, 0xB2, 0x79, 0x39, 0x27, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x71, 0xE4, 0x3B, 0x4D, 0x60, 0x0C, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xBD, 0x19, 0x40, 0xFA, 0x19, 0x2A, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xF8, 0x1E, 0x43, 0xA1, 0x50, 0x8D, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x18, 0x7C, 0x41, 0xFA, 0x7C, 0x1B, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x24, 0xC4, 0xE9, 0xB7, 0xD3, 0xAD),
+};
+static const mbedtls_mpi_uint secp384r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x01, 0x3D, 0x63, 0x54, 0x45, 0x6F, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xB2, 0x19, 0xA3, 0x86, 0x1D, 0x42, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x02, 0x87, 0x18, 0x92, 0x52, 0x1A, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x18, 0xB1, 0x5D, 0x18, 0x1B, 0x37, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x74, 0x61, 0xBA, 0x18, 0xAF, 0x40, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7D, 0x3C, 0x52, 0x0F, 0x07, 0xB0, 0x6F),
+};
+static const mbedtls_mpi_uint secp384r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x39, 0x13, 0xAA, 0x60, 0x15, 0x99, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x00, 0xCB, 0xC6, 0xB1, 0xDB, 0x97, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xFA, 0x60, 0xB8, 0x24, 0xE4, 0x7D, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x75, 0xB3, 0x70, 0xB2, 0x83, 0xB1, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xE3, 0x6C, 0xCD, 0x33, 0x62, 0x7A, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x30, 0xDC, 0x0F, 0x9F, 0xBB, 0xB8, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD5, 0x0A, 0x60, 0x81, 0xB9, 0xC5, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xAA, 0x2F, 0xD6, 0xF2, 0x73, 0xDF, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x7B, 0x74, 0xC9, 0xB3, 0x5B, 0x95, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x04, 0xEB, 0x15, 0xC8, 0x5F, 0x00, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x50, 0x20, 0x28, 0xD1, 0x01, 0xAF, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x4F, 0x31, 0x81, 0x2F, 0x94, 0x48),
+};
+static const mbedtls_mpi_uint secp384r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2F, 0xD8, 0xB6, 0x63, 0x7C, 0xE9, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x8C, 0xB9, 0x14, 0xD9, 0x37, 0x63, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x02, 0xB8, 0x46, 0xAD, 0xCE, 0x7B, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x47, 0x2D, 0x66, 0xA7, 0xE9, 0x33, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF9, 0x93, 0x94, 0xA8, 0x48, 0xB3, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x4A, 0xAC, 0x51, 0x08, 0x72, 0x2F, 0x1A),
+};
+static const mbedtls_mpi_uint secp384r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xAD, 0xA0, 0xF9, 0x81, 0xE1, 0x78, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9A, 0x63, 0xD8, 0xBA, 0x79, 0x1A, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x31, 0x7B, 0x7A, 0x5A, 0x5D, 0x7D, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x96, 0x12, 0x4B, 0x19, 0x09, 0xE0, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8A, 0x57, 0xEE, 0x4E, 0x6E, 0x7E, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x9D, 0x69, 0xDC, 0xB3, 0xDA, 0xD8, 0x08),
+};
+static const mbedtls_mpi_uint secp384r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x49, 0x03, 0x03, 0x33, 0x6F, 0x28, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xDB, 0xA7, 0x05, 0x8C, 0xF3, 0x4D, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x92, 0xB1, 0xA8, 0xEC, 0x0D, 0x64, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0xFC, 0xFD, 0xD0, 0x4B, 0x88, 0x1B, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x9C, 0x51, 0x69, 0xCE, 0x71, 0x73, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5A, 0x14, 0x23, 0x1A, 0x46, 0x63, 0x5F),
+};
+static const mbedtls_mpi_uint secp384r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x4C, 0x70, 0x44, 0x18, 0xCD, 0xEF, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x49, 0xDD, 0x64, 0x7E, 0x7E, 0x4D, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x32, 0x7C, 0x09, 0xD0, 0x3F, 0xD6, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE0, 0x4F, 0x65, 0x0C, 0x7A, 0x54, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFA, 0xFB, 0x4A, 0xB4, 0x79, 0x5A, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x1B, 0x2B, 0xDA, 0xBC, 0x9A, 0x74),
+};
+static const mbedtls_mpi_uint secp384r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xAC, 0x56, 0xF7, 0x5F, 0x51, 0x68, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xE0, 0x1D, 0xBC, 0x13, 0x4E, 0xAC, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF5, 0xC5, 0xE6, 0xD2, 0x88, 0xBA, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x0E, 0x28, 0x23, 0x58, 0x67, 0xFA, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x80, 0x4B, 0xD8, 0xC4, 0xDF, 0x15, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x0E, 0x58, 0xE6, 0x2C, 0x59, 0xC2, 0x03),
+};
+static const mbedtls_mpi_uint secp384r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x26, 0x27, 0x99, 0x16, 0x2B, 0x22, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xF3, 0x8F, 0xC3, 0x2A, 0x9B, 0xFC, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2E, 0x83, 0x3D, 0xFE, 0x9E, 0x3C, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0xCD, 0x2D, 0xC1, 0x49, 0x38, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x42, 0x8B, 0x33, 0x89, 0x1F, 0xEA, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x1D, 0x13, 0xD7, 0x50, 0xBB, 0x3E, 0xEB),
+};
+static const mbedtls_mpi_uint secp384r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x9A, 0x52, 0xD2, 0x54, 0x7C, 0x97, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x33, 0x6E, 0xED, 0xD9, 0x87, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x35, 0x7E, 0x16, 0x40, 0x15, 0x83, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x2B, 0xA4, 0xAB, 0x03, 0x91, 0xEA, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x47, 0x39, 0xEF, 0x05, 0x59, 0xD0, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x24, 0x0D, 0x76, 0x11, 0x53, 0x08, 0xAF),
+};
+static const mbedtls_mpi_uint secp384r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x2F, 0xDD, 0xBD, 0x50, 0x48, 0xB1, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x1C, 0x84, 0x55, 0x78, 0x14, 0xEB, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x5E, 0x3E, 0xA6, 0xAF, 0xF6, 0xC7, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x11, 0xE2, 0x65, 0xCA, 0x41, 0x95, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x83, 0xD8, 0xE6, 0x4D, 0x22, 0x06, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x7F, 0x25, 0x2A, 0xAA, 0x28, 0x46, 0x97),
+};
+static const mbedtls_mpi_uint secp384r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xDB, 0x15, 0x56, 0x84, 0xCB, 0xC0, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xDB, 0x0E, 0x08, 0xC9, 0xF5, 0xD4, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x62, 0xD0, 0x1A, 0x7C, 0x13, 0xD5, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xAD, 0x53, 0xE0, 0x32, 0x21, 0xA0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x38, 0x81, 0x21, 0x23, 0x0E, 0xD2, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x51, 0x05, 0xD0, 0x1E, 0x82, 0xA9, 0x71),
+};
+static const mbedtls_mpi_uint secp384r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xC3, 0x27, 0xBF, 0xC6, 0xAA, 0xB7, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x65, 0x45, 0xDF, 0xB9, 0x46, 0x17, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x38, 0x3F, 0xB2, 0xB1, 0x5D, 0xCA, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x29, 0x6C, 0x63, 0xE9, 0xD7, 0x48, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xF1, 0xD7, 0x99, 0x8C, 0xC2, 0x05, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE6, 0x5E, 0x82, 0x6D, 0xE5, 0x7E, 0xD5),
+};
+static const mbedtls_mpi_uint secp384r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x61, 0xFA, 0x7D, 0x01, 0xDB, 0xB6, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xC6, 0x58, 0x39, 0xF4, 0xC6, 0x82, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0x7A, 0x80, 0x08, 0xCD, 0xAA, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x8C, 0xC6, 0x3F, 0x3C, 0xA5, 0x68, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xF5, 0xD5, 0x17, 0xAE, 0x36, 0xD8, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xAD, 0x92, 0xC5, 0x57, 0x6C, 0xDA, 0x91),
+};
+static const mbedtls_mpi_uint secp384r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x67, 0x17, 0xC0, 0x40, 0x78, 0x8C, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x9F, 0xF4, 0xAA, 0xDA, 0x5C, 0x7E, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xDB, 0x42, 0x3E, 0x72, 0x64, 0xA0, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xF9, 0x41, 0x17, 0x43, 0xE3, 0xE8, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xDD, 0xCC, 0x43, 0x7E, 0x16, 0x05, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x4B, 0xCF, 0x48, 0x8F, 0x41, 0x90, 0xE5),
+};
+static const mbedtls_mpi_uint secp384r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x0C, 0x6B, 0x9D, 0x22, 0x04, 0xBC, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x63, 0x79, 0x2F, 0x6A, 0x0E, 0x8A, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x67, 0x3F, 0x02, 0xB8, 0x91, 0x7F, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x14, 0x64, 0xA0, 0x33, 0xF4, 0x6B, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x44, 0x71, 0x87, 0xB8, 0x88, 0x3F, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x2B, 0x85, 0x05, 0xC5, 0x44, 0x53, 0x15),
+};
+static const mbedtls_mpi_uint secp384r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x2B, 0xFE, 0xD1, 0x1C, 0x73, 0xE3, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x33, 0xA1, 0xD3, 0x69, 0x1C, 0x9D, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x5A, 0xBA, 0xB6, 0xAE, 0x1B, 0x94, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x74, 0x90, 0x5C, 0x57, 0xB0, 0x3A, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x2F, 0x93, 0x20, 0x24, 0x54, 0x1D, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x78, 0x9D, 0x71, 0x67, 0x5D, 0x49, 0x98),
+};
+static const mbedtls_mpi_uint secp384r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xC8, 0x0E, 0x11, 0x8D, 0xE0, 0x8F, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x7F, 0x79, 0x6C, 0x5F, 0xB7, 0xBC, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xE1, 0x83, 0x3C, 0x12, 0xBB, 0xEE, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC2, 0xC4, 0x1B, 0x41, 0x71, 0xB9, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0xEE, 0xBB, 0x1D, 0x89, 0x50, 0x88, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x1C, 0x55, 0x74, 0xEB, 0xDE, 0x92, 0x3F),
+};
+static const mbedtls_mpi_uint secp384r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x38, 0x92, 0x06, 0x19, 0xD0, 0xB3, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x99, 0x26, 0xA3, 0x5F, 0xE2, 0xC1, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xFC, 0xFD, 0xC3, 0xB6, 0x26, 0x24, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xAD, 0xE7, 0x49, 0xB7, 0x64, 0x4B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x4E, 0x95, 0xAD, 0x07, 0xFE, 0xB6, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x15, 0xE7, 0x2D, 0x19, 0xA9, 0x08, 0x10),
+};
+static const mbedtls_mpi_uint secp384r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xBD, 0xAC, 0x0A, 0x3F, 0x6B, 0xFF, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xE4, 0x74, 0x14, 0xD9, 0x70, 0x1D, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xB0, 0x71, 0xBB, 0xD8, 0x18, 0x96, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0xB8, 0x19, 0x90, 0x80, 0xB5, 0xEE, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x21, 0x20, 0xA6, 0x17, 0x48, 0x03, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0xBB, 0x6D, 0x94, 0x20, 0x34, 0xF1),
+};
+static const mbedtls_mpi_uint secp384r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x82, 0x67, 0x4B, 0x8E, 0x4E, 0xBE, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xDA, 0x77, 0xF8, 0x23, 0x55, 0x2B, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x02, 0xDE, 0x25, 0x35, 0x2D, 0x74, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0C, 0xB8, 0x0B, 0x39, 0xBA, 0xAD, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x0E, 0x28, 0x4D, 0xE1, 0x3D, 0xE4, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xEC, 0x0A, 0xD4, 0xB8, 0xC4, 0x8D, 0xB0),
+};
+static const mbedtls_mpi_uint secp384r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x68, 0xCE, 0xC2, 0x55, 0x4D, 0x0C, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x20, 0x93, 0x32, 0x90, 0xD6, 0xAE, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x78, 0xAB, 0x43, 0x9E, 0xEB, 0x73, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x97, 0xC3, 0x83, 0xA6, 0x3C, 0xF1, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x25, 0x25, 0x66, 0x08, 0x26, 0xFA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xFB, 0x44, 0x5D, 0x82, 0xEC, 0x3B, 0xAC),
+};
+static const mbedtls_mpi_uint secp384r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x90, 0xEA, 0xB5, 0x04, 0x99, 0xD0, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0xF2, 0x22, 0xA0, 0xEB, 0xFD, 0x45, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA4, 0x81, 0x32, 0xFC, 0xFA, 0xEE, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xBB, 0xA4, 0x6A, 0x77, 0x41, 0x5C, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x1E, 0xAA, 0x4F, 0xF0, 0x10, 0xB3, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x74, 0x13, 0x14, 0x9E, 0x90, 0xD7, 0xE6),
+};
+static const mbedtls_mpi_uint secp384r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xBD, 0x70, 0x4F, 0xA8, 0xD1, 0x06, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4E, 0x2E, 0x68, 0xFC, 0x35, 0xFA, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x53, 0x75, 0xED, 0xF2, 0x5F, 0xC2, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x87, 0x6B, 0x9F, 0x05, 0xE2, 0x22, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x1A, 0xA8, 0xB7, 0x03, 0x9E, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD0, 0x69, 0x88, 0xA8, 0x39, 0x9E, 0x3A),
+};
+static const mbedtls_mpi_uint secp384r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xEF, 0x68, 0xFE, 0xEC, 0x24, 0x08, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x4B, 0x92, 0x0D, 0xB7, 0x34, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xF4, 0xDD, 0x1A, 0xA0, 0x4A, 0xE4, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x63, 0x4F, 0x4F, 0xCE, 0xBB, 0xD6, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xEE, 0x8D, 0xDF, 0x3F, 0x73, 0xB7, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x06, 0xB6, 0x80, 0x4D, 0x81, 0xD9, 0x53),
+};
+static const mbedtls_mpi_uint secp384r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF5, 0x13, 0xDF, 0x13, 0x19, 0x97, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xF9, 0xB3, 0x33, 0x66, 0x82, 0x21, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xFC, 0x39, 0x16, 0x23, 0x43, 0x76, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x48, 0x25, 0xA1, 0x64, 0x95, 0x1C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xAC, 0x15, 0x57, 0xD9, 0xDE, 0xA0, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x5F, 0xB8, 0x3D, 0x48, 0x91, 0x24, 0xCC),
+};
+static const mbedtls_mpi_uint secp384r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xF2, 0xC8, 0x54, 0xD1, 0x32, 0xBD, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x3B, 0xF0, 0xAA, 0x9D, 0xD8, 0xF4, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xC3, 0xBB, 0x6C, 0x66, 0xAC, 0x25, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x25, 0x10, 0xB2, 0xE1, 0x41, 0xDE, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xE8, 0x30, 0xB8, 0x37, 0xBC, 0x2A, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x57, 0x01, 0x4A, 0x1E, 0x78, 0x9F, 0x85),
+};
+static const mbedtls_mpi_uint secp384r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x19, 0xCD, 0x12, 0x0B, 0x51, 0x4F, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x4B, 0x3D, 0x24, 0xA4, 0x16, 0x59, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xEB, 0xD3, 0x59, 0x2E, 0x75, 0x7C, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB9, 0xB4, 0xA5, 0xD9, 0x2E, 0x29, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x16, 0x05, 0x75, 0x02, 0xB3, 0x06, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x7C, 0x9F, 0x79, 0x91, 0xF1, 0x4F, 0x23),
+};
+static const mbedtls_mpi_uint secp384r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x98, 0x7C, 0x84, 0xE1, 0xFF, 0x30, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE2, 0xC2, 0x5F, 0x55, 0x40, 0xBD, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x65, 0x87, 0x3F, 0xC4, 0xC2, 0x24, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x30, 0x0A, 0x60, 0x15, 0xD1, 0x24, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x99, 0xD9, 0xB6, 0xAE, 0xB1, 0xAF, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x80, 0xEE, 0xA2, 0x0F, 0x74, 0xB9, 0xF3),
+};
+static const mbedtls_mpi_uint secp384r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xE6, 0x0F, 0x37, 0xC1, 0x10, 0x99, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xAD, 0x9D, 0x5D, 0x80, 0x01, 0xA6, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x0F, 0x10, 0x2A, 0x9D, 0x20, 0x38, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x60, 0xCB, 0xCE, 0x5A, 0xA0, 0xA7, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xCF, 0x14, 0xDF, 0xBF, 0xE5, 0x74, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x12, 0x1A, 0xDD, 0x59, 0x02, 0x5D, 0xC6),
+};
+static const mbedtls_mpi_uint secp384r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0xF8, 0xF5, 0xB6, 0x13, 0x4D, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x45, 0xB1, 0x93, 0xB3, 0xA2, 0x79, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xF6, 0xCF, 0xF7, 0xE6, 0x29, 0x9C, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x50, 0x65, 0x80, 0xBC, 0x59, 0x0A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xF0, 0x24, 0x35, 0xA2, 0x46, 0xF0, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x26, 0xC0, 0x9D, 0x61, 0x56, 0x62, 0x67),
+};
+static const mbedtls_mpi_uint secp384r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xBB, 0xC2, 0x24, 0x43, 0x2E, 0x37, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xF7, 0xCE, 0x35, 0xFC, 0x77, 0xF3, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x34, 0x96, 0xD5, 0x4A, 0x76, 0x9D, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x3B, 0x0F, 0xEA, 0xA8, 0x12, 0x0B, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x3F, 0x5D, 0x2D, 0x1C, 0xD4, 0x9E, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x2E, 0xDD, 0xC7, 0x6E, 0xAB, 0xAF, 0xDC),
+};
+static const mbedtls_mpi_uint secp384r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xB2, 0x7B, 0x0C, 0x9A, 0x83, 0x8E, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x51, 0x90, 0x92, 0x79, 0x32, 0x19, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x89, 0xF9, 0xD0, 0xCF, 0x2C, 0xA5, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x50, 0x21, 0xDE, 0x50, 0x41, 0x9D, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x7D, 0x2B, 0x9E, 0x9D, 0x95, 0xA8, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA5, 0x20, 0x87, 0x88, 0x97, 0x5F, 0xAA),
+};
+static const mbedtls_mpi_uint secp384r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x59, 0xB4, 0x66, 0x7E, 0xE8, 0x5A, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x5C, 0x7E, 0xB2, 0xAD, 0xD9, 0xC9, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x97, 0x49, 0xA3, 0x13, 0x83, 0x07, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x26, 0xC7, 0x13, 0x35, 0x0D, 0xB0, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x60, 0xAB, 0xFA, 0x4B, 0x93, 0x18, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2D, 0x1C, 0x31, 0x4C, 0xE4, 0x61, 0xAE),
+};
+static const mbedtls_mpi_uint secp384r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x4D, 0x1E, 0x51, 0x59, 0x6E, 0x91, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x54, 0x4D, 0x51, 0xED, 0x36, 0xCC, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xA8, 0x56, 0xC7, 0x78, 0x27, 0x33, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB7, 0x95, 0xC9, 0x8B, 0xC8, 0x6A, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xE9, 0x13, 0x96, 0xB3, 0xE1, 0xF9, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x46, 0xB0, 0x5E, 0xC3, 0x94, 0x03, 0x05),
+};
+static const mbedtls_mpi_uint secp384r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x5B, 0x29, 0x30, 0x41, 0x1A, 0x9E, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xCA, 0x83, 0x31, 0x5B, 0xA7, 0xCB, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x41, 0x50, 0x44, 0x4D, 0x64, 0x31, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x84, 0xC2, 0x5D, 0x97, 0xA5, 0x3C, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x0F, 0xA5, 0xFD, 0x8E, 0x5A, 0x47, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x58, 0x02, 0x2D, 0x40, 0xB1, 0x0B, 0xBA),
+};
+static const mbedtls_mpi_uint secp384r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x33, 0x8C, 0x67, 0xCE, 0x23, 0x43, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x53, 0x47, 0x72, 0x44, 0x1F, 0x5B, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xC1, 0xD9, 0xA4, 0x50, 0x88, 0x63, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xF2, 0x75, 0x69, 0x73, 0x00, 0xC4, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x90, 0x1D, 0xDF, 0x1A, 0x00, 0xD8, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xB1, 0x89, 0x48, 0xA8, 0x70, 0x62, 0xEF),
+};
+static const mbedtls_mpi_uint secp384r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x8A, 0x55, 0x50, 0x7B, 0xEF, 0x8A, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1B, 0x23, 0x48, 0x23, 0x63, 0x91, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x04, 0x54, 0x3C, 0x24, 0x9B, 0xC7, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x38, 0xC3, 0x84, 0xFB, 0xFF, 0x9F, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x2A, 0xE0, 0x6D, 0x68, 0x8A, 0x5C, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x93, 0x53, 0x85, 0xA1, 0x0D, 0xAF, 0x63),
+};
+static const mbedtls_mpi_uint secp384r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x88, 0x95, 0x4C, 0x0B, 0xD0, 0x06, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xAF, 0x8D, 0x49, 0xA2, 0xC8, 0xB4, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x76, 0x53, 0x09, 0x88, 0x43, 0x87, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA4, 0x77, 0x3F, 0x5E, 0x21, 0xB4, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x9E, 0x86, 0x64, 0xCC, 0x91, 0xC1, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x17, 0x56, 0xCB, 0xC3, 0x7D, 0x5B, 0xB1),
+};
+static const mbedtls_mpi_uint secp384r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x74, 0x9F, 0xB5, 0x91, 0x21, 0xB1, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xED, 0xE1, 0x11, 0xEF, 0x45, 0xAF, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x31, 0xBE, 0xB2, 0xBC, 0x72, 0x65, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x4B, 0x8C, 0x77, 0xCE, 0x1E, 0x42, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC9, 0xAA, 0xB9, 0xD9, 0x86, 0x99, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x23, 0x80, 0xC6, 0x4E, 0x35, 0x0B, 0x6D),
+};
+static const mbedtls_mpi_uint secp384r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xD8, 0xA2, 0x0A, 0x39, 0x32, 0x1D, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0xC8, 0x86, 0xF1, 0x12, 0x9A, 0x4A, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xF1, 0x7C, 0xAA, 0x70, 0x8E, 0xBC, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x01, 0x47, 0x8F, 0xDD, 0x8B, 0xA5, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x08, 0x21, 0xF4, 0xAB, 0xC7, 0xF5, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x76, 0xA5, 0x95, 0xC4, 0x0F, 0x88, 0x1D),
+};
+static const mbedtls_mpi_uint secp384r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x42, 0x2A, 0x52, 0xCD, 0x75, 0x51, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x36, 0xE5, 0x04, 0x2B, 0x44, 0xC6, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xEE, 0x16, 0x13, 0x07, 0x83, 0xB5, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x59, 0xC6, 0xA2, 0x19, 0x05, 0xD3, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8B, 0xA8, 0x16, 0x09, 0xB7, 0xEA, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xEE, 0x14, 0xAF, 0xB5, 0xFD, 0xD0, 0xEF),
+};
+static const mbedtls_mpi_uint secp384r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x7C, 0xCA, 0x71, 0x3E, 0x6E, 0x66, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x31, 0x0E, 0x3F, 0xE5, 0x91, 0xC4, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x3D, 0xC2, 0x3E, 0x95, 0x37, 0x58, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x1F, 0x02, 0x03, 0xF3, 0xEF, 0xEE, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x5B, 0x1A, 0xFC, 0x38, 0xCD, 0xE8, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x57, 0x42, 0x85, 0xC6, 0x21, 0x68, 0x71),
+};
+static const mbedtls_mpi_uint secp384r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA2, 0x4A, 0x66, 0xB1, 0x0A, 0xE6, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x0C, 0x94, 0x9D, 0x5E, 0x99, 0xB2, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x03, 0x40, 0xCA, 0xB2, 0xB3, 0x30, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0x48, 0x27, 0x34, 0x1E, 0xE2, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x72, 0x5B, 0xAC, 0xC1, 0x6D, 0xE3, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAB, 0x46, 0xCB, 0xEA, 0x5E, 0x4B, 0x0B),
+};
+static const mbedtls_mpi_uint secp384r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x08, 0xAD, 0x4E, 0x51, 0x9F, 0x2A, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5C, 0x7D, 0x4C, 0xD6, 0xCF, 0xDD, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x76, 0x26, 0xE0, 0x8B, 0x10, 0xD9, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA7, 0x23, 0x4E, 0x5F, 0xD2, 0x42, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xE5, 0xA4, 0xEC, 0x77, 0x21, 0x34, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x14, 0x65, 0xEA, 0x4A, 0x85, 0xC3, 0x2F),
+};
+static const mbedtls_mpi_uint secp384r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xD8, 0x40, 0x27, 0x73, 0x15, 0x7E, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xBB, 0x53, 0x7E, 0x0F, 0x40, 0xC8, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x37, 0x19, 0x73, 0xEF, 0x5A, 0x5E, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x73, 0x2B, 0x49, 0x7E, 0xAC, 0x97, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xB2, 0xC3, 0x1E, 0x0E, 0xE7, 0xD2, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x08, 0xD6, 0xDD, 0xAC, 0x21, 0xD6, 0x3E),
+};
+static const mbedtls_mpi_uint secp384r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x26, 0xBE, 0x6D, 0x6D, 0xF2, 0x38, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6C, 0x31, 0xA7, 0x49, 0x50, 0x3A, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x99, 0xC6, 0xF5, 0xD2, 0xC2, 0x30, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE4, 0xF6, 0x8B, 0x8B, 0x97, 0xE9, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x21, 0xB7, 0x0D, 0xFC, 0x15, 0x54, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x83, 0x1C, 0xA4, 0xCD, 0x6B, 0x9D, 0xF2),
+};
+static const mbedtls_mpi_uint secp384r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE8, 0x4C, 0x48, 0xE4, 0xAA, 0x69, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x7A, 0x27, 0xFC, 0x37, 0x96, 0x1A, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xE7, 0x30, 0xA5, 0xCF, 0x13, 0x46, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xD8, 0xAF, 0x74, 0x23, 0x4D, 0x56, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3D, 0x44, 0x14, 0x1B, 0x97, 0x83, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x47, 0xD7, 0x5F, 0xFD, 0x98, 0x38, 0xF7),
+};
+static const mbedtls_mpi_uint secp384r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x73, 0x64, 0x36, 0xFD, 0x7B, 0xC1, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x5D, 0x32, 0xD2, 0x47, 0x94, 0x89, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xE9, 0x30, 0xAC, 0x06, 0xC8, 0x65, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x6C, 0xB9, 0x1B, 0xF7, 0x61, 0x49, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xFF, 0x32, 0x43, 0x80, 0xDA, 0xA6, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF8, 0x04, 0x01, 0x95, 0x35, 0xCE, 0x21),
+};
+static const mbedtls_mpi_uint secp384r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x06, 0x46, 0x0D, 0x51, 0xE2, 0xD8, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x57, 0x1D, 0x6F, 0x79, 0xA0, 0xCD, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xFB, 0x36, 0xCA, 0xAD, 0xF5, 0x9E, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x7A, 0x1D, 0x9E, 0x1D, 0x95, 0x48, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x26, 0xA5, 0xB7, 0x15, 0x2C, 0xC2, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x42, 0x72, 0xAA, 0x11, 0xDC, 0xC9, 0xB6),
+};
+static const mbedtls_mpi_uint secp384r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x6C, 0x64, 0xA7, 0x62, 0x3C, 0xAB, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x6A, 0x44, 0xD8, 0x60, 0xC0, 0xA8, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x76, 0x58, 0x12, 0x57, 0x3C, 0x89, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x4F, 0x83, 0xCE, 0xCB, 0xB8, 0xD0, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0x04, 0xB0, 0xAD, 0xEB, 0xFA, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA4, 0xC3, 0x41, 0x44, 0x4E, 0x65, 0x3E),
+};
+static const mbedtls_mpi_uint secp384r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x16, 0xA9, 0x1C, 0xE7, 0x65, 0x20, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x53, 0x32, 0xF8, 0xC0, 0xA6, 0xBD, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xF0, 0xE6, 0x57, 0x31, 0xCC, 0x26, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xE3, 0x54, 0x1C, 0x34, 0xD3, 0x17, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xAE, 0xED, 0xFB, 0xCD, 0xE7, 0x1E, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x16, 0x1C, 0x34, 0x40, 0x00, 0x1F, 0xB6),
+};
+static const mbedtls_mpi_uint secp384r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x32, 0x00, 0xC2, 0xD4, 0x3B, 0x1A, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xE0, 0x99, 0x8F, 0x0C, 0x4A, 0x16, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x73, 0x18, 0x1B, 0xD4, 0x94, 0x29, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA4, 0x2D, 0xB1, 0x9D, 0x74, 0x32, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0xF4, 0xB1, 0x0C, 0x37, 0x62, 0x8B, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xFF, 0xDA, 0xE2, 0x35, 0xA3, 0xB6, 0x42),
+};
+static const mbedtls_mpi_uint secp384r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x49, 0x99, 0x65, 0xC5, 0xED, 0x16, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x42, 0x9A, 0xF3, 0xA7, 0x4E, 0x6F, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x0A, 0x7E, 0xC0, 0xD7, 0x4E, 0x07, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x7A, 0x31, 0x69, 0xA6, 0xB9, 0x15, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xE0, 0x72, 0xA4, 0x3F, 0xB9, 0xF8, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x75, 0x32, 0x85, 0xA2, 0xDE, 0x37, 0x12),
+};
+static const mbedtls_mpi_uint secp384r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC0, 0x0D, 0xCF, 0x25, 0x41, 0xA4, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xFC, 0xB2, 0x48, 0xC3, 0x85, 0x83, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBE, 0x0B, 0x58, 0x2D, 0x7A, 0x9A, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xF3, 0x81, 0x18, 0x1B, 0x74, 0x4F, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x43, 0xA3, 0x0A, 0x16, 0x8B, 0xA3, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x18, 0x81, 0x7B, 0x8D, 0xA2, 0x35, 0x77),
+};
+static const mbedtls_mpi_uint secp384r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xC4, 0x3F, 0x2C, 0xE7, 0x5F, 0x99, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2B, 0xB7, 0xB6, 0xAD, 0x5A, 0x56, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x00, 0xA4, 0x48, 0xC8, 0xE8, 0xBA, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xA1, 0xB5, 0x13, 0x5A, 0xCD, 0x99, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x95, 0xAD, 0xFC, 0xE2, 0x7E, 0xE7, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x6B, 0xD1, 0x34, 0x99, 0x53, 0x63, 0x0B),
+};
+static const mbedtls_mpi_uint secp384r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x8A, 0x77, 0x5D, 0x2B, 0xAB, 0x01, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x85, 0xD0, 0xD5, 0x49, 0x83, 0x4D, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xC6, 0x91, 0x30, 0x3B, 0x00, 0xAF, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xAE, 0x61, 0x07, 0xE1, 0xB6, 0xE2, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x43, 0x41, 0xFE, 0x9B, 0xB6, 0xF0, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x97, 0xAE, 0xAD, 0x89, 0x88, 0x9E, 0x41),
+};
+static const mbedtls_ecp_point secp384r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(secp384r1_T_0_X, secp384r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_1_X, secp384r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_2_X, secp384r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_3_X, secp384r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_4_X, secp384r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_5_X, secp384r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_6_X, secp384r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_7_X, secp384r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_8_X, secp384r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_9_X, secp384r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_10_X, secp384r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_11_X, secp384r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_12_X, secp384r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_13_X, secp384r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_14_X, secp384r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_15_X, secp384r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_16_X, secp384r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_17_X, secp384r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_18_X, secp384r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_19_X, secp384r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_20_X, secp384r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_21_X, secp384r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_22_X, secp384r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_23_X, secp384r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_24_X, secp384r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_25_X, secp384r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_26_X, secp384r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_27_X, secp384r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_28_X, secp384r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_29_X, secp384r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_30_X, secp384r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(secp384r1_T_31_X, secp384r1_T_31_Y),
+};
+#else
+#define secp384r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+/*
+ * Domain parameters for secp521r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static const mbedtls_mpi_uint secp521r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
+};
+static const mbedtls_mpi_uint secp521r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_2(0x51, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xC6, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_2(0x18, 0x01),
+};
+static const mbedtls_mpi_uint secp521r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_2(0xFF, 0x01),
+};
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp521r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xB1, 0x2D, 0xEB, 0x27, 0x2F, 0xE8, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x4B, 0x44, 0x25, 0xDB, 0x5C, 0x5F, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x85, 0x28, 0x78, 0x2E, 0x75, 0x34, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x57, 0x0F, 0x73, 0x78, 0x7A, 0xE3, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD8, 0xEC, 0xDC, 0xDA, 0x04, 0xAD, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x8A, 0x09, 0xF3, 0x58, 0x79, 0xD8, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x03, 0xCB, 0x50, 0x1A, 0x7F, 0x56, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA6, 0x78, 0x38, 0x85, 0x67, 0x0B, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xD5, 0xD2, 0x22, 0xC4, 0x00, 0x3B, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x93, 0x0E, 0x7B, 0x85, 0x51, 0xC3, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA6, 0x5F, 0x54, 0x49, 0x02, 0x81, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xE9, 0x6B, 0x3A, 0x92, 0xE7, 0x72, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x5F, 0x28, 0x9E, 0x91, 0x27, 0x88, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x28, 0x31, 0xB3, 0x84, 0xCA, 0x12, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xF9, 0xAC, 0x22, 0x10, 0x0A, 0x64, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xC6, 0x33, 0x1F, 0x69, 0x19, 0x18, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x48, 0xB8, 0xC7, 0x37, 0x5A, 0x00, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xCC, 0x32, 0xE0, 0xEE, 0x03, 0xC2, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x29, 0xC2, 0xE4, 0x6E, 0x24, 0x20, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x6B, 0x7F, 0x7B, 0xF9, 0xB0, 0xB8, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x7B, 0x3C, 0xE1, 0x19, 0xA1, 0x23, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE3, 0xC2, 0x53, 0xC0, 0x07, 0x13, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFE, 0x36, 0x35, 0x9F, 0x5E, 0x59, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x55, 0x89, 0x84, 0xBC, 0xEF, 0xA2, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x1A, 0x08, 0x67, 0xB4, 0xE7, 0x22, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x26, 0xDF, 0x81, 0x3C, 0x5F, 0x1C, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x4D, 0xD0, 0x0A, 0x48, 0x06, 0xF4, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x18, 0x39, 0xF7, 0xD1, 0x20, 0x77, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x8F, 0x44, 0x13, 0xCB, 0x78, 0x11, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE2, 0x49, 0xEA, 0x43, 0x79, 0x08, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xD1, 0xD8, 0x73, 0x2C, 0x71, 0x2F, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE5, 0xE7, 0xF4, 0x46, 0xAB, 0x20, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x0B, 0xB9, 0x71, 0x1A, 0x27, 0xB7, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xA2, 0x2C, 0xD1, 0xDA, 0xBC, 0xC1, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xA3, 0x10, 0x1F, 0x90, 0xF2, 0xA5, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xFB, 0x20, 0xF4, 0xC0, 0x70, 0xC0, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xA7, 0x99, 0xF0, 0xA5, 0xD3, 0x09, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xE8, 0x14, 0x39, 0xBE, 0xCB, 0x60, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD6, 0x14, 0xA9, 0xC9, 0x20, 0xC3, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x5B, 0xFD, 0x2D, 0x96, 0xBC, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x04, 0x45, 0xBE, 0xCE, 0x75, 0x95, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xDA, 0x58, 0x49, 0x35, 0x09, 0x8D, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xF0, 0xC0, 0x36, 0xF2, 0xA6, 0x2D, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFC, 0x3D, 0xA8, 0xFB, 0x3C, 0xD2, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x4D, 0x71, 0x09, 0x18, 0x42, 0xF0, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xC1, 0xCE, 0x9E, 0x6A, 0x49, 0x60, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xB1, 0x00, 0xF7, 0xA1, 0x7A, 0x31, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xC3, 0x86, 0xCD, 0x20, 0x4A, 0x17, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xAB, 0x8B, 0x47, 0x8D, 0xAA, 0xA6, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x97, 0xF0, 0xBC, 0x2D, 0xDC, 0x9D, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x86, 0xB0, 0x74, 0xB2, 0xF4, 0xF6, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBD, 0xAC, 0xE3, 0x8F, 0x43, 0x5C, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xC3, 0xE2, 0x6E, 0x25, 0x49, 0xCD, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5E, 0x08, 0xB3, 0xB9, 0xAC, 0x5F, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xB7, 0xD1, 0xF4, 0xDC, 0x19, 0xE9, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xE4, 0xFA, 0xE1, 0x36, 0x3E, 0xED, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x67, 0x92, 0x84, 0x6E, 0x48, 0x03, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x95, 0xEF, 0x8F, 0xB2, 0x82, 0x6B, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFA, 0xB9, 0x55, 0x23, 0xFE, 0x09, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x79, 0x85, 0x4B, 0x0E, 0xD4, 0x35, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x27, 0x45, 0x81, 0xE0, 0x88, 0x52, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x63, 0xA2, 0x4B, 0xBC, 0x5D, 0xB1, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x8C, 0x83, 0xD9, 0x3E, 0xD3, 0x42, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x03, 0x3A, 0x31, 0xBA, 0xE9, 0x3A, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x10, 0xCD, 0x2D, 0x00, 0xFE, 0x32, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x6E, 0x1F, 0xDA, 0xF8, 0x6F, 0x4D, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x79, 0x7D, 0x09, 0xE5, 0xD3, 0x03, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC3, 0xBE, 0xDF, 0x07, 0x65, 0x49, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x57, 0x33, 0xEF, 0xAE, 0x4F, 0x04, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xE9, 0x9B, 0xFE, 0xBF, 0xE6, 0x85, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xBA, 0xAA, 0x06, 0xC4, 0xC6, 0xB8, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x83, 0x01, 0xA9, 0xF6, 0x51, 0xE7, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xA6, 0x15, 0x8E, 0xAB, 0x1F, 0x10, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x08, 0x27, 0x1A, 0xA1, 0x21, 0xAD, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x09, 0x90, 0x6E, 0x50, 0x90, 0x9A, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x9A, 0xFE, 0xD7, 0xA1, 0xF5, 0xA2, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x7D, 0xE3, 0xDC, 0x21, 0xFB, 0xA4, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBF, 0x07, 0xFF, 0x45, 0xDF, 0x51, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x5C, 0x34, 0x02, 0x62, 0x9B, 0x08, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xCE, 0x9A, 0x6A, 0xEC, 0x75, 0xF6, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x59, 0xF4, 0x78, 0x3C, 0x60, 0xB1, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x37, 0x84, 0x6A, 0xDC, 0xF2, 0x9A, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9A, 0x9A, 0x15, 0x36, 0xE0, 0x2B, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x38, 0x9C, 0x50, 0x3D, 0x1E, 0x37, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x79, 0xF0, 0x92, 0xF2, 0x8B, 0x18, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE0, 0x82, 0x1E, 0x80, 0x82, 0x4B, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xBB, 0x59, 0x6B, 0x8A, 0x77, 0x41, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xF9, 0xD4, 0xB8, 0x4A, 0x82, 0xCF, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x8C, 0xC8, 0x9B, 0x72, 0x9E, 0xF7, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xCE, 0xE9, 0x77, 0x0A, 0x19, 0x59, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xA1, 0x41, 0x6A, 0x72, 0x4B, 0xB4, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x35, 0x43, 0xE2, 0x8C, 0xBE, 0x0D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xEB, 0xAD, 0xF3, 0xA9, 0xA6, 0x68, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2F, 0xE2, 0x48, 0x0C, 0xDB, 0x1F, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x1E, 0x60, 0x9B, 0x2A, 0xD2, 0xC1, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x64, 0xB5, 0xD2, 0xF6, 0xF6, 0x6E, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x3D, 0x30, 0x78, 0x10, 0x18, 0x41, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x1D, 0x1C, 0xE0, 0x6D, 0x83, 0xD1, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x03, 0x0B, 0xF5, 0x2F, 0x6C, 0x04, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x3E, 0xD5, 0xFC, 0x31, 0x5B, 0x3A, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x82, 0x2F, 0xFB, 0xFE, 0xF8, 0x76, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x26, 0xDA, 0x9C, 0x36, 0xF5, 0x93, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xE7, 0x6E, 0xD2, 0x7D, 0x81, 0x09, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x03, 0xF9, 0x58, 0x48, 0x24, 0xA2, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x79, 0x0C, 0x8E, 0x6B, 0x95, 0xF3, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x10, 0x5C, 0x87, 0x03, 0x39, 0xCF, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xF0, 0xF7, 0xC1, 0x07, 0xA4, 0xF4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE8, 0x02, 0x89, 0x65, 0xC4, 0x72, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x88, 0xEA, 0x96, 0x67, 0x0B, 0x5D, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x75, 0x60, 0xA8, 0xBD, 0x74, 0xDF, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xE5, 0x71, 0x50, 0x67, 0xD0, 0xD2, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFC, 0xE5, 0xC7, 0x77, 0xB0, 0x7F, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x86, 0x69, 0xCD, 0x0D, 0x9A, 0xBD, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x17, 0xBC, 0xBB, 0x59, 0x85, 0x7D, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xA8, 0x76, 0xAC, 0x80, 0xA9, 0x72, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x78, 0xC1, 0xE2, 0x4D, 0xAF, 0xF9, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x97, 0x8E, 0x74, 0xC4, 0x4B, 0xB2, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD8, 0xF6, 0xF3, 0xAF, 0x2F, 0x52, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x57, 0xF4, 0xCE, 0xEE, 0x43, 0xED, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x46, 0x38, 0xDE, 0x20, 0xFD, 0x59, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x18, 0xE8, 0x58, 0xB9, 0x76, 0x2C, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x54, 0xE4, 0xFE, 0xC7, 0xBC, 0x31, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF8, 0x89, 0xEE, 0x70, 0xB5, 0xB0, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x22, 0x26, 0x9A, 0x53, 0xB9, 0x38, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xA7, 0x19, 0x8C, 0x74, 0x7E, 0x88, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xDA, 0x0A, 0xE8, 0xDA, 0xA5, 0xBE, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x5C, 0xF7, 0xB1, 0x0C, 0x72, 0xFB, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0xE2, 0x23, 0xE7, 0x46, 0xB7, 0xE0, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x36, 0xBC, 0xBD, 0x48, 0x11, 0x8E, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xBB, 0xA1, 0xF7, 0x0B, 0x9E, 0xBF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x28, 0xE1, 0xA2, 0x8F, 0xFC, 0xFC, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xFE, 0x19, 0x0A, 0xE5, 0xE7, 0x69, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xCD, 0x12, 0xF5, 0xBE, 0xD3, 0x04, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA8, 0x0D, 0x81, 0x59, 0xC4, 0x79, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xF3, 0x4B, 0x92, 0x65, 0xC3, 0x31, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xB5, 0x4F, 0x4D, 0x91, 0xD4, 0xE2, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x09, 0x41, 0x79, 0x1D, 0x4D, 0x0D, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x31, 0x18, 0xBA, 0xA0, 0xF2, 0x6E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x5B, 0x4D, 0x4F, 0xAF, 0xC9, 0x8C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x9C, 0x06, 0x68, 0xDE, 0xD8, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x04, 0xE1, 0xB5, 0x9D, 0x00, 0xBC, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x95, 0x92, 0x8D, 0x72, 0xD3, 0x37, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x4B, 0x27, 0xA2, 0xE8, 0xA4, 0x26, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x45, 0x9C, 0xA9, 0xCB, 0x9F, 0xBA, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x7E, 0x1B, 0x64, 0xF4, 0xE8, 0xA5, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x20, 0xA9, 0xCA, 0xF3, 0x89, 0xE5, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xED, 0xFC, 0xAB, 0xD9, 0x0A, 0xB9, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x6F, 0x46, 0x7C, 0xCD, 0x78, 0xFF, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAB, 0x71, 0x5A, 0x94, 0xAB, 0x20, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x2E, 0xEE, 0x87, 0x57, 0x1F, 0xAD, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x4C, 0x3D, 0xFB, 0x7E, 0xA1, 0x8B, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xCF, 0x07, 0x86, 0xBA, 0x53, 0x37, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x26, 0xB2, 0xB9, 0xE2, 0x91, 0xE3, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xC9, 0x54, 0x84, 0x08, 0x3D, 0x0B, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xA8, 0x77, 0x2F, 0x64, 0x45, 0x99, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x96, 0x16, 0x1F, 0xDB, 0x96, 0x28, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x2B, 0x8D, 0xFF, 0xA2, 0x4F, 0x55, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xE6, 0x48, 0xBD, 0x99, 0x3D, 0x12, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x84, 0x59, 0xDA, 0xB9, 0xB6, 0x66, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x78, 0x41, 0x92, 0xDF, 0xF4, 0x3F, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x86, 0x6F, 0x4F, 0xBF, 0x67, 0xDF, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x2B, 0x1E, 0x5F, 0x00, 0xEA, 0xF6, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xB9, 0x6A, 0x89, 0xD8, 0xC0, 0xD7, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x9A, 0x32, 0x23, 0xA0, 0x02, 0x91, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x7F, 0x6A, 0x15, 0x64, 0x6A, 0x8B, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x57, 0x82, 0x58, 0xA9, 0x56, 0xB5, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x50, 0x92, 0x60, 0xCC, 0x81, 0x24, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x3D, 0xAD, 0xDA, 0xD9, 0x51, 0x3E, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xFE, 0x8F, 0xB0, 0x0B, 0xDE, 0x2E, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xD2, 0xBE, 0xEF, 0xAC, 0x76, 0x71, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xE8, 0x72, 0x0B, 0xAC, 0xFE, 0xCA, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0xC7, 0xFC, 0xE3, 0x3C, 0x7C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x04, 0xA7, 0xB9, 0x9B, 0x93, 0xC0, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x48, 0x4B, 0x8E, 0x32, 0xC5, 0xF0, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x42, 0x07, 0xC1, 0xF2, 0xF1, 0x72, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x37, 0x54, 0x9C, 0x88, 0xD2, 0x62, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x19, 0x8A, 0x89, 0x58, 0xA2, 0x0F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xCC, 0x4C, 0x97, 0x30, 0x66, 0x34, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x6A, 0x1E, 0x1F, 0xDB, 0xC9, 0x5E, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x4D, 0x49, 0xFF, 0x9B, 0x9C, 0xAC, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xE4, 0x4B, 0xF2, 0xD4, 0x1A, 0xD2, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xDA, 0xE8, 0x61, 0x9F, 0xC8, 0x49, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xCB, 0xF2, 0x2D, 0x85, 0xF6, 0x8D, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xC5, 0xCD, 0x2C, 0x79, 0xC6, 0x0E, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x1D, 0x55, 0x0F, 0xF8, 0x22, 0x9F, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x56, 0xBA, 0xE7, 0x57, 0x32, 0xEC, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x9A, 0xC6, 0x4C, 0x09, 0xC4, 0x52, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x1E, 0x6F, 0xF4, 0x7D, 0x27, 0xDD, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x11, 0x16, 0xEC, 0x79, 0x83, 0xAD, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x4E, 0x92, 0x1F, 0x19, 0x7D, 0x65, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xFF, 0x78, 0x15, 0x45, 0x63, 0x32, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x91, 0xD0, 0x78, 0x58, 0xDA, 0x50, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xDE, 0x40, 0xF6, 0x41, 0xB4, 0x3B, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x8D, 0xE0, 0xE1, 0xA9, 0xF0, 0x35, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xD4, 0xBA, 0x7B, 0xCC, 0x1B, 0x3A, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x5A, 0x2E, 0x74, 0x47, 0x14, 0xC3, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xF0, 0x8B, 0x06, 0x15, 0x8E, 0x0E, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xD2, 0xEB, 0x97, 0x50, 0x7D, 0x31, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x93, 0x4C, 0xDB, 0x97, 0x79, 0x44, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xA2, 0xA0, 0x0B, 0xC8, 0x3A, 0x8A, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x50, 0x92, 0x9E, 0x24, 0x1F, 0xCB, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x16, 0xC9, 0xC5, 0x3D, 0x5A, 0xAF, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xE3, 0x97, 0xE4, 0xA8, 0x50, 0xF6, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x57, 0x97, 0x42, 0x78, 0x92, 0x49, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEB, 0x62, 0x24, 0xFB, 0x8F, 0x32, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x0C, 0x36, 0x6E, 0x8F, 0xE8, 0xE8, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xD3, 0x7C, 0xC7, 0x8D, 0x3F, 0x5C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x64, 0x6A, 0x73, 0x10, 0x79, 0xB8, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xF9, 0xEF, 0xA5, 0x20, 0x4A, 0x5C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xF3, 0xF4, 0x49, 0x5B, 0x73, 0xAA, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xF2, 0xEA, 0x0F, 0x00, 0xAD, 0x53, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xB8, 0x66, 0xED, 0xC4, 0x2B, 0x4C, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x2F, 0xC1, 0x9A, 0x37, 0xD2, 0x7F, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xA7, 0x81, 0x38, 0x64, 0xC9, 0x37, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x3B, 0x6C, 0x9F, 0x5B, 0xD9, 0x8B, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x14, 0xD9, 0x08, 0xD8, 0xD2, 0x7E, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x71, 0xE6, 0x3D, 0xD1, 0xB0, 0xE7, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x81, 0x23, 0xEC, 0x2D, 0x42, 0x45, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x5B, 0x44, 0x6B, 0x89, 0x03, 0x67, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x27, 0xAE, 0x80, 0x5A, 0x33, 0xBE, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB6, 0x64, 0x1A, 0xDF, 0xD3, 0x85, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x8C, 0x22, 0xBA, 0xD0, 0xBD, 0xCC, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x3C, 0x01, 0x3A, 0xFF, 0x9D, 0xC7, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC7, 0x64, 0xB4, 0x59, 0x4E, 0x9F, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x34, 0x0A, 0x41, 0x94, 0xA8, 0xF2, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD4, 0xE4, 0xF0, 0x97, 0x45, 0x6D, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x1F, 0x4D, 0x6D, 0xFE, 0xA0, 0xC4, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x28, 0x5C, 0x40, 0xBB, 0x65, 0xD4, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xA8, 0x87, 0x35, 0x20, 0x3A, 0x89, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFD, 0x4F, 0xAB, 0x2D, 0xD1, 0xD0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE8, 0x00, 0xFC, 0x69, 0x52, 0xF8, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x9A, 0x99, 0xE1, 0xDC, 0x9C, 0x3F, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x08, 0x98, 0xD9, 0xCA, 0x73, 0xD5, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x2C, 0xE0, 0xA7, 0x3E, 0x91, 0xD7, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x04, 0xB0, 0x54, 0x09, 0xF4, 0x72, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xEE, 0x28, 0xCC, 0xE8, 0x50, 0x78, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x91, 0x03, 0x76, 0xDB, 0x68, 0x24, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xE0, 0x56, 0xB2, 0x5D, 0x12, 0xD3, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x42, 0x59, 0x8B, 0xDF, 0x67, 0xB5, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xCC, 0xE5, 0x31, 0x53, 0x7A, 0x46, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8D, 0x59, 0xB5, 0x1B, 0x0F, 0xF4, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x2F, 0xD1, 0x2C, 0xE0, 0xD8, 0x04, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0xD7, 0xBA, 0xB0, 0xA3, 0x7E, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x08, 0x51, 0x56, 0xA6, 0x76, 0x67, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x17, 0x63, 0xFE, 0x56, 0xD0, 0xD9, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xF6, 0xC3, 0x14, 0x47, 0xC5, 0xA7, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x4C, 0x80, 0xF6, 0xA2, 0x57, 0xA7, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xB3, 0x7B, 0xF8, 0x2F, 0xE1, 0x3E, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0xF4, 0xF9, 0x6B, 0x7B, 0x90, 0xDF, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x82, 0xEF, 0x62, 0xA1, 0x4C, 0x53, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x99, 0x76, 0x01, 0xBA, 0x8D, 0x0F, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xF4, 0x58, 0x73, 0x56, 0xFE, 0xDD, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xCE, 0xF9, 0xE8, 0xA1, 0x34, 0xC3, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x5F, 0xDC, 0x6A, 0x3D, 0xD8, 0x7F, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xF4, 0x51, 0xB8, 0xB8, 0xC1, 0xD7, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x7D, 0x58, 0xD1, 0xD4, 0x1B, 0x4D, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x95, 0xDF, 0x00, 0xD8, 0x21, 0xDE, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x47, 0x3C, 0xC3, 0xB2, 0x01, 0x53, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x17, 0x43, 0x23, 0xBD, 0xCA, 0x71, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xBA, 0x0F, 0x4F, 0xDC, 0x41, 0x54, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x39, 0x26, 0x70, 0x53, 0x32, 0x18, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x46, 0x07, 0x97, 0x3A, 0x57, 0xE0, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x92, 0x4F, 0xCE, 0xDF, 0x25, 0x80, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x6F, 0x9A, 0x03, 0x05, 0x4B, 0xD1, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x01, 0x72, 0x30, 0x90, 0x17, 0x51, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xFB, 0x41, 0x65, 0x5C, 0xB4, 0x2D, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xCD, 0xCD, 0xAA, 0x41, 0xCC, 0xBB, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xCE, 0x08, 0x0A, 0x63, 0xE9, 0xA2, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xA8, 0x21, 0x7F, 0x7A, 0x5B, 0x9B, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x6B, 0x89, 0x44, 0x0A, 0x7F, 0x85, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0xDE, 0x7C, 0x19, 0x5C, 0x65, 0x26, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0xAC, 0x62, 0x29, 0x4A, 0xF1, 0xD0, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x00, 0x40, 0x87, 0xEB, 0xA9, 0x58, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x51, 0x0B, 0xFF, 0x56, 0x35, 0x51, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xAC, 0x08, 0x94, 0x71, 0xDA, 0xEC, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x4D, 0xC5, 0x7B, 0x31, 0x8B, 0x8D, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x05, 0xF1, 0x3E, 0x9E, 0x8F, 0x17, 0x8F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x9C, 0x4B, 0x62, 0x94, 0xAD, 0x49, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xC9, 0xC6, 0x8F, 0xFD, 0x33, 0x44, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x96, 0x17, 0x7F, 0x42, 0xBE, 0xF7, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x29, 0x39, 0x13, 0x08, 0x8D, 0x91, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x79, 0xF9, 0x2F, 0xA9, 0x0A, 0xCF, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x87, 0x7A, 0xA3, 0x19, 0xAB, 0x55, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x0B, 0x01, 0xC5, 0x56, 0x19, 0x9D, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xDE, 0x82, 0x3B, 0xEA, 0xD3, 0x0B, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x6B, 0xC7, 0xF3, 0x0F, 0x82, 0x87, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x2E, 0x23, 0xF2, 0x39, 0x9D, 0x49, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0xDE, 0xAF, 0x7A, 0xEE, 0xB0, 0xDA, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x4E, 0x2A, 0x50, 0xFD, 0x8E, 0xC0, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x0F, 0x7C, 0x76, 0x63, 0xD8, 0x89, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x2D, 0xB9, 0x4E, 0xF4, 0xEE, 0x85, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x95, 0x5C, 0x96, 0x5D, 0xAA, 0x59, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xDB, 0xD2, 0x68, 0x8E, 0x5A, 0x94, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x02, 0xBF, 0x77, 0x9F, 0xB9, 0x4C, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xDC, 0xC0, 0xCF, 0x81, 0x1E, 0xC4, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xCC, 0x37, 0x86, 0xDC, 0xE2, 0x64, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x30, 0xB1, 0x59, 0x20, 0x9D, 0x98, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x0C, 0x9D, 0xF8, 0x20, 0xDC, 0x90, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xA0, 0xF4, 0xE7, 0x3E, 0x9C, 0x9E, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x25, 0xA2, 0xB0, 0x54, 0xCD, 0x2E, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD9, 0x42, 0xB0, 0x80, 0xB0, 0xA3, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xFE, 0x9D, 0x8D, 0x40, 0xFF, 0x27, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x9D, 0xA6, 0x88, 0x3A, 0x8B, 0x6F, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x39, 0xEE, 0x1F, 0x3F, 0xB1, 0x4F, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xD7, 0x9E, 0xFF, 0xD2, 0x35, 0x67, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x4F, 0x15, 0x5D, 0xE3, 0xE8, 0x53, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xF7, 0x24, 0x98, 0xA2, 0xCB, 0x11, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x2E, 0x25, 0xE1, 0x94, 0xC5, 0xA3, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x82, 0x6E, 0xBA, 0xE7, 0x43, 0x25, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x65, 0xB4, 0x49, 0x73, 0x18, 0x35, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0x5B, 0xBC, 0x62, 0x86, 0x4C, 0xC1, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xF2, 0x95, 0xA2, 0xBB, 0xA2, 0x35, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x59, 0x62, 0xB0, 0x4B, 0x1E, 0xB4, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x55, 0xCE, 0xB0, 0x69, 0xBA, 0x63, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x69, 0x86, 0xDB, 0x34, 0x7D, 0x68, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x06, 0xCA, 0x55, 0x44, 0x36, 0x2B, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xD4, 0xC4, 0x3D, 0xCD, 0x9E, 0x69, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x44, 0xE4, 0xBF, 0x31, 0xE6, 0x40, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x4F, 0xFA, 0x75, 0xE3, 0xFB, 0x97, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xC0, 0xBD, 0x1C, 0x48, 0xB0, 0x26, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x7B, 0x32, 0xFA, 0xF2, 0x6D, 0x84, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x21, 0x03, 0x1D, 0x0D, 0x22, 0x55, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xF9, 0x42, 0x03, 0x9C, 0xC2, 0xCB, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xA1, 0x96, 0xD9, 0x9D, 0x11, 0x6F, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x40, 0x57, 0xEB, 0x40, 0x2D, 0xC0, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x96, 0xBB, 0x4F, 0x2F, 0x23, 0xA8, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x29, 0x85, 0x21, 0xA5, 0x50, 0x62, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x7D, 0x92, 0xCF, 0x87, 0x0C, 0x22, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x0E, 0xA5, 0x32, 0x5B, 0xDF, 0x9C, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x96, 0x37, 0x2C, 0x88, 0x35, 0x30, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xB4, 0x69, 0xFF, 0xEB, 0xC6, 0x94, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x55, 0x60, 0xAD, 0xAA, 0x58, 0x14, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xFF, 0xF2, 0xB2, 0xD5, 0xA7, 0xD9, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xAE, 0x54, 0xD2, 0x60, 0x31, 0xF3, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x92, 0x83, 0xE3, 0xF1, 0x42, 0x83, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD2, 0xC8, 0xB7, 0x76, 0x45, 0x7F, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x11, 0xA4, 0xFB, 0x7A, 0x01, 0xBC, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x27, 0x73, 0x8D, 0x02, 0x91, 0x27, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x62, 0xF6, 0xDD, 0x6B, 0xFA, 0x5B, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xCA, 0xA2, 0x44, 0x2C, 0xF0, 0x28, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xF1, 0x7A, 0xA2, 0x42, 0x4C, 0x50, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x83, 0x3E, 0x50, 0xAB, 0x9C, 0xF7, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xED, 0x78, 0xCB, 0x76, 0x69, 0xDA, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x01, 0x1E, 0x43, 0x27, 0x47, 0x6E, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x4F, 0x54, 0xB9, 0x3E, 0xBD, 0xD5, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x40, 0x69, 0x7F, 0x74, 0x9D, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x06, 0x6F, 0x67, 0x68, 0x2B, 0x4D, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x65, 0x41, 0xFC, 0x7C, 0x1E, 0xE8, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x79, 0x37, 0xAF, 0xFD, 0xD2, 0xDA, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xA8, 0x69, 0x56, 0x62, 0xA4, 0xE4, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x71, 0x73, 0x21, 0x8A, 0x17, 0x81, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x55, 0x8F, 0x7B, 0xB8, 0xAF, 0xF7, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xD1, 0xBD, 0xBE, 0x8C, 0xBC, 0x60, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA6, 0x57, 0x8C, 0xAE, 0x5C, 0x19, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x43, 0xE4, 0xD9, 0xD8, 0x7B, 0xE7, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xB9, 0xE4, 0x85, 0x7C, 0x2E, 0xFC, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2E, 0x01, 0x2A, 0x6D, 0x56, 0xBE, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x0C, 0x25, 0x9B, 0xAE, 0x86, 0x37, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x22, 0xB3, 0xCB, 0x99, 0x66, 0xB7, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xF7, 0x90, 0xF0, 0x1B, 0x09, 0x27, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x16, 0x08, 0xEF, 0x39, 0x64, 0x49, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA0, 0xE3, 0x97, 0xA9, 0x07, 0x54, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xFF, 0xE2, 0x00, 0x07, 0x21, 0x88, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xFD, 0x59, 0x53, 0x05, 0x6C, 0x42, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xF7, 0x39, 0x5C, 0x82, 0x36, 0xE8, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x83, 0xA8, 0xE2, 0xA8, 0x43, 0x07, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xAF, 0x2B, 0x79, 0xED, 0xD8, 0x39, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x20, 0x91, 0x7A, 0xC4, 0x07, 0xEF, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x10, 0x2F, 0xAA, 0x0C, 0x94, 0x0E, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x81, 0x87, 0x41, 0x23, 0xEB, 0x55, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x53, 0xCC, 0x79, 0xB6, 0xEB, 0x6C, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x77, 0x73, 0x9D, 0xFC, 0x64, 0x6F, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x40, 0xE3, 0x6D, 0x1C, 0x16, 0x71, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xF4, 0x1B, 0xFF, 0x1C, 0x2F, 0xA5, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x0E, 0x0B, 0x11, 0xF4, 0x8D, 0x93, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xC5, 0x64, 0x6F, 0x24, 0x19, 0xF2, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xB3, 0xAF, 0xA5, 0x0E, 0x4F, 0x5E, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x77, 0xCA, 0xF2, 0x6D, 0xC5, 0xF6, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x18, 0x8E, 0x33, 0x68, 0x6C, 0xE8, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x8B, 0x80, 0x90, 0x19, 0x7F, 0x90, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x80, 0x6B, 0x68, 0xE2, 0x7D, 0xD4, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xC1, 0x67, 0xB3, 0x72, 0xCB, 0xBF, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xD5, 0xD3, 0x1D, 0x14, 0x58, 0x0A, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x7A, 0x65, 0x98, 0xB3, 0x07, 0x4B, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x87, 0x0F, 0x5F, 0xCF, 0xA2, 0x01, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xC9, 0xC8, 0x6E, 0x35, 0x87, 0xA5, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x3E, 0x91, 0xA0, 0xAB, 0x24, 0x1E, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xBC, 0x02, 0x35, 0x70, 0xC1, 0x5F, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x59, 0xA0, 0x50, 0x04, 0x80, 0x52, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x56, 0x6E, 0x42, 0x8F, 0x8C, 0x91, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xA2, 0xCB, 0xA5, 0xDE, 0x14, 0x24, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xCB, 0x74, 0x28, 0xE6, 0xA7, 0xE7, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x73, 0xA8, 0x8F, 0x9E, 0x0E, 0x63, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x1B, 0x77, 0xC7, 0xC1, 0x38, 0xF9, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x3C, 0xCF, 0xA8, 0x7A, 0xD7, 0xF3, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x5F, 0x9A, 0xC9, 0xAD, 0xE9, 0x1A, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0x2B, 0x5E, 0xD5, 0x81, 0x95, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x88, 0x75, 0x29, 0x1F, 0xC7, 0xC7, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA9, 0x5A, 0x4D, 0x63, 0x95, 0xF9, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xCD, 0x04, 0x8F, 0xCD, 0x91, 0xDE, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xD4, 0xFD, 0x25, 0x11, 0x99, 0x6E, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x83, 0x01, 0x3D, 0xFB, 0x56, 0xA5, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x3A, 0xDC, 0x74, 0xC2, 0xD7, 0xCF, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0xBD, 0xF1, 0xDD, 0xA3, 0x07, 0x03, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xBE, 0xE9, 0x2E, 0x58, 0x84, 0x66, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x20, 0x78, 0x37, 0x79, 0x0B, 0xA6, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xF2, 0xAC, 0x65, 0xC8, 0xC9, 0x2F, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x93, 0xE5, 0x0D, 0x0C, 0xC6, 0xB8, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xAD, 0x5C, 0x19, 0x12, 0x61, 0x0E, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x4F, 0x0B, 0x1F, 0x49, 0x7E, 0xCD, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2E, 0x30, 0x61, 0xDB, 0x08, 0x68, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x78, 0xAF, 0xB3, 0x08, 0xC1, 0x69, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x5F, 0x5D, 0xC1, 0x57, 0x6F, 0xD8, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xD3, 0x6A, 0xF7, 0xFD, 0x86, 0xE5, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x63, 0xBD, 0x70, 0x7B, 0x47, 0xE8, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x62, 0xC8, 0x7E, 0x9D, 0x11, 0x2B, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x84, 0xFD, 0xD5, 0x9A, 0x56, 0x7F, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBB, 0xA4, 0x6F, 0x12, 0x6E, 0x4D, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x08, 0xA1, 0x82, 0x9C, 0x62, 0x74, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x22, 0x05, 0x1D, 0x15, 0x35, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x88, 0xCF, 0x5C, 0x05, 0x78, 0xFB, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x6B, 0x2F, 0x79, 0x09, 0x73, 0x67, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA0, 0x80, 0xD8, 0xE8, 0xEC, 0xFB, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xE7, 0x0B, 0xB7, 0x81, 0x48, 0x7B, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x53, 0xA9, 0xED, 0x61, 0x92, 0xD7, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x49, 0xD9, 0x5D, 0x9B, 0x4E, 0x89, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x12, 0xEB, 0x9A, 0xC9, 0xCB, 0xC1, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xDC, 0x95, 0x16, 0xFE, 0x29, 0x70, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x33, 0xB1, 0xD6, 0x78, 0xB9, 0xE2, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xCE, 0x88, 0xC3, 0xFD, 0x7A, 0x6B, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x1E, 0x50, 0x1E, 0xAF, 0xB1, 0x25, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xE7, 0xD7, 0xD5, 0xBD, 0x7A, 0x12, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xAA, 0xA2, 0x80, 0x5D, 0x8F, 0xCD, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x39, 0x79, 0x64, 0xA1, 0x67, 0x3C, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xC7, 0x49, 0xFF, 0x7F, 0xAC, 0xAB, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x54, 0x3E, 0x83, 0xF0, 0x3D, 0xBC, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x92, 0x4A, 0x38, 0x42, 0x8A, 0xAB, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x0B, 0x4F, 0xEE, 0x9E, 0x92, 0xA5, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0xDD, 0x19, 0x96, 0xF2, 0xF0, 0x6B, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xFC, 0xDD, 0xB2, 0x8A, 0xE5, 0x4C, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x06, 0x49, 0xAC, 0x99, 0x7E, 0xF8, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xC8, 0x01, 0x51, 0xEA, 0xF6, 0x52, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x89, 0x66, 0x2B, 0x1F, 0x9B, 0x2A, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x0F, 0x95, 0x07, 0x2B, 0x6C, 0x6E, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0xC3, 0xB4, 0xBB, 0x91, 0x1F, 0xA3, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x6E, 0x54, 0x28, 0x7B, 0x9C, 0x79, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x45, 0xFF, 0xA6, 0xDA, 0xA2, 0x83, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xDE, 0x8F, 0x17, 0x37, 0x82, 0xCB, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x94, 0x3F, 0x26, 0xC9, 0x1D, 0xD9, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x97, 0x28, 0x20, 0xCD, 0xC1, 0xF3, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC9, 0xB5, 0x60, 0x9B, 0x1E, 0xDC, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xB9, 0x5B, 0x7D, 0xA0, 0xB2, 0x8C, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xD1, 0x42, 0xE6, 0x39, 0x33, 0x6D, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xC0, 0xFC, 0xD2, 0x14, 0x5D, 0x3E, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x4A, 0x3E, 0x40, 0x16, 0x93, 0x15, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x24, 0xC1, 0x27, 0x27, 0xE5, 0x4B, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x50, 0xD8, 0xBC, 0xC1, 0x46, 0x22, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x0E, 0x60, 0xA1, 0xB3, 0x50, 0xD4, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xB1, 0x26, 0xB6, 0x6D, 0x47, 0x5A, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0xAC, 0x11, 0x35, 0x3E, 0xB9, 0xF4, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x97, 0xFA, 0xBB, 0x6B, 0x39, 0x13, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x34, 0x12, 0x75, 0x8E, 0x9B, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x9E, 0xCD, 0x29, 0xB6, 0xEF, 0x8D, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xAC, 0xE9, 0x25, 0x27, 0xBB, 0x78, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x7A, 0xA8, 0xD3, 0xE3, 0x66, 0xE5, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x4C, 0xC4, 0x2C, 0x76, 0x81, 0x50, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x71, 0x08, 0xB8, 0x52, 0x7C, 0xAF, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x59, 0x24, 0xDD, 0xFB, 0x2F, 0xD0, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCD, 0x56, 0xE9, 0xAC, 0x91, 0xE6, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x64, 0x20, 0xC6, 0x9F, 0xE4, 0xEF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x2C, 0x8F, 0x8C, 0x97, 0xF6, 0x22, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xF4, 0x88, 0xAA, 0xA8, 0xD7, 0xA5, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x6C, 0xAE, 0x83, 0xB1, 0x55, 0x55, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x67, 0x84, 0x47, 0x7C, 0x83, 0x5C, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x10, 0x4D, 0xDD, 0x30, 0x60, 0xB0, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xA7, 0x36, 0x76, 0x24, 0x32, 0x9F, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x42, 0x81, 0xFB, 0xA4, 0x2E, 0x13, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x94, 0x91, 0xFF, 0x99, 0xA0, 0x09, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x83, 0xA1, 0x76, 0xAF, 0x37, 0x5C, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA8, 0x04, 0x86, 0xC4, 0xA9, 0x79, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x8C, 0xC2, 0x34, 0xFB, 0x83, 0x28, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x03, 0x7D, 0x5E, 0x9E, 0x0E, 0xB0, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x02, 0x46, 0x7F, 0xB9, 0xAC, 0xBB, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xED, 0x48, 0xC2, 0x96, 0x4D, 0x56, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xC5, 0xD1, 0xE6, 0x1C, 0x7E, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x2E, 0x18, 0x71, 0x2D, 0x7B, 0xD7, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x46, 0x9D, 0xDE, 0xAA, 0x78, 0x8E, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD7, 0x69, 0x2E, 0xE1, 0xD9, 0x48, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp521r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFF, 0x9E, 0x09, 0x22, 0x22, 0xE6, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x14, 0x28, 0x13, 0x1B, 0x62, 0x12, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x7F, 0x67, 0x03, 0xB0, 0xC0, 0xF3, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xC3, 0x0F, 0xFB, 0x25, 0x48, 0x3E, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x6E, 0x53, 0x98, 0x36, 0xB3, 0xD3, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x81, 0x54, 0x22, 0xA4, 0xCC, 0xC1, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xBA, 0xFC, 0xA9, 0xDF, 0x68, 0x86, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x92, 0x0E, 0xC3, 0xF2, 0x58, 0xE8, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp521r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(secp521r1_T_0_X, secp521r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_1_X, secp521r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_2_X, secp521r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_3_X, secp521r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_4_X, secp521r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_5_X, secp521r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_6_X, secp521r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_7_X, secp521r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_8_X, secp521r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_9_X, secp521r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_10_X, secp521r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_11_X, secp521r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_12_X, secp521r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_13_X, secp521r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_14_X, secp521r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_15_X, secp521r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_16_X, secp521r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_17_X, secp521r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_18_X, secp521r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_19_X, secp521r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_20_X, secp521r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_21_X, secp521r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_22_X, secp521r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_23_X, secp521r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_24_X, secp521r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_25_X, secp521r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_26_X, secp521r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_27_X, secp521r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_28_X, secp521r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_29_X, secp521r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_30_X, secp521r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(secp521r1_T_31_X, secp521r1_T_31_Y),
+};
+#else
+#define secp521r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static const mbedtls_mpi_uint secp192k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp192k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp192k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x03, 0x00),
+};
+static const mbedtls_mpi_uint secp192k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
+};
+static const mbedtls_mpi_uint secp192k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
+};
+static const mbedtls_mpi_uint secp192k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp192k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB),
+};
+static const mbedtls_mpi_uint secp192k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B),
+};
+static const mbedtls_mpi_uint secp192k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x77, 0x3D, 0x0D, 0x85, 0x48, 0xA8, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x07, 0xDF, 0x1D, 0xB3, 0xB3, 0x01, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x86, 0xF6, 0xAF, 0x19, 0x2A, 0x88, 0x2E),
+};
+static const mbedtls_mpi_uint secp192k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x90, 0xB6, 0x2F, 0x48, 0x36, 0x4C, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x11, 0x14, 0xA6, 0xCB, 0xBA, 0x15, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB0, 0xF2, 0xD4, 0xC9, 0xDA, 0xBA, 0xD7),
+};
+static const mbedtls_mpi_uint secp192k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0xC1, 0x9C, 0xE6, 0xBB, 0xFB, 0xCF, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x19, 0xAC, 0x5A, 0xC9, 0x8A, 0x1C, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xF6, 0x76, 0x86, 0x89, 0x27, 0x8D, 0x28),
+};
+static const mbedtls_mpi_uint secp192k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xE0, 0x6F, 0x34, 0xBA, 0x5E, 0xD3, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xDC, 0xA6, 0x87, 0xC9, 0x9D, 0xC0, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x11, 0x7E, 0xD6, 0xF7, 0x33, 0xFC, 0xE4),
+};
+static const mbedtls_mpi_uint secp192k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x37, 0x3E, 0xC0, 0x7F, 0x62, 0xE7, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3B, 0x69, 0x9D, 0x44, 0xBC, 0x82, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x84, 0xB3, 0x5F, 0x2B, 0xA5, 0x9E, 0x2C),
+};
+static const mbedtls_mpi_uint secp192k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x95, 0xEB, 0x4C, 0x04, 0xB4, 0xF4, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xAD, 0x4B, 0xD5, 0x9A, 0xEB, 0xC4, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xB1, 0xC5, 0x59, 0xE3, 0xD5, 0x16, 0x2A),
+};
+static const mbedtls_mpi_uint secp192k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x2A, 0xCC, 0xAC, 0xD0, 0xEE, 0x50, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x83, 0xE0, 0x5B, 0x14, 0x44, 0x52, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x15, 0x2D, 0x78, 0xF6, 0x51, 0x32, 0xCF),
+};
+static const mbedtls_mpi_uint secp192k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x36, 0x9B, 0xDD, 0xF8, 0xDD, 0xEF, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xB1, 0x6A, 0x2B, 0xAF, 0xEB, 0x2B, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x87, 0x7A, 0x66, 0x5D, 0x5B, 0xDF, 0x8F),
+};
+static const mbedtls_mpi_uint secp192k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x45, 0xE5, 0x81, 0x9B, 0xEB, 0x37, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x29, 0xE2, 0x20, 0x64, 0x23, 0x6B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x1D, 0x41, 0xE1, 0x9B, 0x61, 0x7B, 0xD9),
+};
+static const mbedtls_mpi_uint secp192k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x57, 0xA3, 0x0A, 0x13, 0xE4, 0x59, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x6E, 0x4A, 0x48, 0x84, 0x90, 0xAC, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB8, 0xF5, 0xF3, 0xDE, 0xA0, 0xA1, 0x1D),
+};
+static const mbedtls_mpi_uint secp192k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x32, 0x81, 0xA9, 0x91, 0x5A, 0x4E, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xA8, 0x90, 0xBE, 0x0F, 0xEC, 0xC0, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x30, 0xD7, 0x08, 0xAE, 0xC4, 0x3A, 0xA5),
+};
+static const mbedtls_mpi_uint secp192k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x55, 0xE3, 0x76, 0xB3, 0x64, 0x74, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x75, 0xD4, 0xDB, 0x98, 0xD7, 0x39, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xEB, 0x8A, 0xAB, 0x16, 0xD9, 0xD4, 0x0B),
+};
+static const mbedtls_mpi_uint secp192k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xBE, 0xF9, 0xC7, 0xC7, 0xBA, 0xF3, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x85, 0x59, 0xF3, 0x60, 0x41, 0x02, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x1C, 0x4A, 0xA4, 0xC7, 0xED, 0x66, 0xBC),
+};
+static const mbedtls_mpi_uint secp192k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x2E, 0x46, 0x52, 0x18, 0x87, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x35, 0x5A, 0x75, 0xAC, 0x4D, 0x75, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0x2F, 0xAC, 0xFC, 0xBC, 0xE6, 0x93, 0x5E),
+};
+static const mbedtls_mpi_uint secp192k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x4D, 0xC9, 0x18, 0xE9, 0x00, 0xEB, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x69, 0x72, 0x07, 0x5A, 0x59, 0xA8, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x65, 0x83, 0x20, 0x10, 0xF9, 0x69, 0x82),
+};
+static const mbedtls_mpi_uint secp192k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x56, 0x7F, 0x9F, 0xBF, 0x46, 0x0C, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xCF, 0xF0, 0xDC, 0xDF, 0x2D, 0xE6, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xF0, 0x72, 0x3A, 0x7A, 0x03, 0xE5, 0x22),
+};
+static const mbedtls_mpi_uint secp192k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xAA, 0x57, 0x13, 0x37, 0xA7, 0x2C, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xAC, 0xA2, 0x23, 0xF9, 0x84, 0x60, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xEB, 0x51, 0x70, 0x64, 0x78, 0xCA, 0x05),
+};
+static const mbedtls_mpi_uint secp192k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xCC, 0x30, 0x62, 0x93, 0x46, 0x13, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x26, 0xCC, 0x6C, 0x3D, 0x5C, 0xDA, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xAA, 0xB8, 0x03, 0xA4, 0x1A, 0x00, 0x96),
+};
+static const mbedtls_mpi_uint secp192k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x9D, 0xE6, 0xCC, 0x4E, 0x2E, 0xC2, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xC3, 0x8A, 0xAE, 0x6F, 0x40, 0x05, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x8F, 0x4A, 0x4D, 0x35, 0xD3, 0x50, 0x9D),
+};
+static const mbedtls_mpi_uint secp192k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xFD, 0x98, 0xAB, 0xC7, 0x03, 0xB4, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x40, 0xD2, 0x9F, 0xCA, 0xD0, 0x53, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x84, 0x00, 0x6F, 0xC8, 0xAD, 0xED, 0x8D),
+};
+static const mbedtls_mpi_uint secp192k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xD3, 0x57, 0xD7, 0xC3, 0x07, 0xBD, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xBA, 0x47, 0x1D, 0x3D, 0xEF, 0x98, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC0, 0x6C, 0x7F, 0x12, 0xEE, 0x9F, 0x67),
+};
+static const mbedtls_mpi_uint secp192k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x02, 0xDA, 0x79, 0xAA, 0xC9, 0x27, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x79, 0xC7, 0x71, 0x84, 0xCB, 0xE5, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x37, 0x06, 0xBA, 0xB5, 0xD5, 0x18, 0x4C),
+};
+static const mbedtls_mpi_uint secp192k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x65, 0x72, 0x6C, 0xF2, 0x63, 0x27, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0xBC, 0x71, 0xDF, 0x75, 0xF8, 0x98, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x70, 0x9B, 0xDC, 0xE7, 0x18, 0x71, 0xFF),
+};
+static const mbedtls_mpi_uint secp192k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x5B, 0x9F, 0x00, 0x5A, 0xB6, 0x80, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xE0, 0xBB, 0xFC, 0x5E, 0x78, 0x9C, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x03, 0x68, 0x83, 0x3D, 0x2E, 0x4C, 0xDD),
+};
+static const mbedtls_mpi_uint secp192k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x49, 0x23, 0xA8, 0xCB, 0x3B, 0x1A, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x3D, 0xA7, 0x46, 0xCF, 0x75, 0xB6, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0xFD, 0x30, 0x01, 0xB6, 0xEF, 0xF9, 0xE8),
+};
+static const mbedtls_mpi_uint secp192k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xFA, 0xDA, 0xB8, 0x29, 0x42, 0xC9, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xD7, 0xA0, 0xE6, 0x6B, 0x86, 0x61, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0xE9, 0xD3, 0x37, 0xD8, 0xE7, 0x35, 0xA9),
+};
+static const mbedtls_mpi_uint secp192k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC8, 0x8E, 0xB1, 0xCB, 0xB1, 0xB5, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xD7, 0x46, 0x7D, 0xAF, 0xE2, 0xDC, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x46, 0xE7, 0xD8, 0x76, 0x31, 0x90, 0x76),
+};
+static const mbedtls_mpi_uint secp192k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD3, 0xF4, 0x74, 0xE1, 0x67, 0xD8, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x70, 0x3C, 0xC8, 0xAF, 0x5F, 0xF4, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x4E, 0xED, 0x5C, 0x43, 0xB3, 0x16, 0x35),
+};
+static const mbedtls_mpi_uint secp192k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAE, 0xD1, 0xDD, 0x31, 0x14, 0xD3, 0xF0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x14, 0x06, 0x13, 0x12, 0x1C, 0x81, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xF9, 0x0C, 0x91, 0xF7, 0x67, 0x59, 0x63),
+};
+static const mbedtls_mpi_uint secp192k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x91, 0xE2, 0xF4, 0x9D, 0xEB, 0x88, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x82, 0x30, 0x9C, 0xAE, 0x18, 0x4D, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x79, 0xCF, 0x17, 0xA5, 0x1E, 0xE8, 0xC8),
+};
+static const mbedtls_ecp_point secp192k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp192k1_T_0_X, secp192k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_1_X, secp192k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_2_X, secp192k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_3_X, secp192k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_4_X, secp192k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_5_X, secp192k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_6_X, secp192k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_7_X, secp192k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_8_X, secp192k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_9_X, secp192k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_10_X, secp192k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_11_X, secp192k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_12_X, secp192k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_13_X, secp192k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_14_X, secp192k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp192k1_T_15_X, secp192k1_T_15_Y),
+};
+#else
+#define secp192k1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static const mbedtls_mpi_uint secp224k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp224k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x05, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_4(0x33, 0x5B, 0x45, 0xA1),
+};
+static const mbedtls_mpi_uint secp224k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_4(0xED, 0x9F, 0x08, 0x7E),
+};
+static const mbedtls_mpi_uint secp224k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp224k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x5B, 0x45, 0xA1, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x9F, 0x08, 0x7E, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x6C, 0x22, 0x22, 0x40, 0x89, 0xAE, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x92, 0xE1, 0x87, 0x56, 0x35, 0xAF, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xAF, 0x08, 0x35, 0x27, 0xEA, 0x04, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x53, 0xFD, 0xCF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0xD0, 0x9F, 0x8D, 0xF3, 0x63, 0x54, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xDB, 0x0F, 0x61, 0x54, 0x26, 0xD1, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x21, 0xF7, 0x1B, 0xB5, 0x1D, 0xF6, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x05, 0xDA, 0x8F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x26, 0x73, 0xBC, 0xE4, 0x29, 0x62, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x95, 0x17, 0x8B, 0xC3, 0x9B, 0xAC, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0xDB, 0x77, 0xDF, 0xDD, 0x13, 0x04, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0xFC, 0x22, 0x93, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0xF1, 0x5A, 0x37, 0xEF, 0x79, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x01, 0x37, 0xAC, 0x9A, 0x5B, 0x51, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x75, 0x13, 0xA9, 0x4A, 0xAD, 0xFE, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x82, 0x6F, 0x66, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x5E, 0xF0, 0x40, 0xC3, 0xA6, 0xE2, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x9A, 0x6F, 0xCF, 0x11, 0x26, 0x66, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0x73, 0xA8, 0xCF, 0x2B, 0x12, 0x36, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xB3, 0x0A, 0x58, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x79, 0x00, 0x55, 0x04, 0x34, 0x90, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x54, 0x1C, 0xC2, 0x45, 0x0C, 0x1B, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x19, 0xAB, 0xA8, 0xFC, 0x73, 0xDC, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xFB, 0x93, 0xCE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x75, 0xD0, 0x66, 0x95, 0x86, 0xCA, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xEA, 0x29, 0x16, 0x6A, 0x38, 0xDF, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xA2, 0x36, 0x2F, 0xDC, 0xBB, 0x5E, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x89, 0x59, 0x49, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xA3, 0x99, 0x9D, 0xB8, 0x77, 0x9D, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x93, 0x43, 0x47, 0xC6, 0x5C, 0xF9, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x00, 0x79, 0x42, 0x64, 0xB8, 0x25, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x54, 0xB4, 0x33, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x0C, 0x42, 0x90, 0x83, 0x0B, 0x31, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x2E, 0xAE, 0xC8, 0xC7, 0x5F, 0xD2, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xBC, 0xAD, 0x41, 0xE7, 0x32, 0x3A, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x97, 0x52, 0x83, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x13, 0x7A, 0xBD, 0xAE, 0x94, 0x60, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x9B, 0x95, 0xB4, 0x6E, 0x68, 0xB2, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x49, 0xBE, 0x51, 0xFE, 0x66, 0x15, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x37, 0xE4, 0xFE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x9B, 0xEE, 0x64, 0xC9, 0x1B, 0xBD, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x5F, 0x34, 0xA9, 0x0B, 0xB7, 0x25, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0x13, 0xB1, 0x38, 0xFB, 0x9D, 0x78, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xE7, 0x1B, 0xFA, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xB3, 0xB7, 0x44, 0x92, 0x6B, 0x00, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x82, 0x44, 0x3E, 0x18, 0x1A, 0x58, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0xF8, 0xC0, 0xE4, 0xEE, 0xC1, 0xBF, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x32, 0x27, 0xB2, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x9A, 0x42, 0x62, 0x8B, 0x26, 0x54, 0x21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x85, 0x74, 0xA0, 0x79, 0xA8, 0xEE, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x36, 0x60, 0xB3, 0x28, 0x4D, 0x55, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x27, 0x82, 0x29, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xFC, 0x73, 0x77, 0xAF, 0x5C, 0xAC, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xED, 0xE5, 0xF6, 0x1D, 0xA8, 0x67, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xDE, 0x33, 0x1C, 0xF1, 0x80, 0x73, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xE2, 0xDE, 0x3C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x3E, 0x6B, 0xFE, 0xF0, 0x04, 0x28, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xB2, 0x14, 0x9D, 0x18, 0x11, 0x7D, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xC4, 0xD6, 0x2E, 0x6E, 0x57, 0x4D, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x55, 0x1B, 0xDE, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xF7, 0x17, 0xBC, 0x45, 0xAB, 0x16, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xB0, 0xEF, 0x61, 0xE3, 0x20, 0x7C, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x85, 0x41, 0x4D, 0xF1, 0x7E, 0x4D, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC2, 0x9B, 0x5E, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x2E, 0x49, 0x3D, 0x3E, 0x4B, 0xD3, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x2B, 0x9D, 0xD5, 0x27, 0xFA, 0xCA, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0xB3, 0x6A, 0xE0, 0x79, 0x14, 0x28, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x1E, 0xDC, 0xF5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x44, 0x56, 0xCD, 0xFC, 0x9F, 0x09, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x8C, 0x59, 0xA4, 0x64, 0x2A, 0x3A, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xA0, 0xB5, 0x86, 0x4E, 0x69, 0xDA, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x8B, 0x11, 0x38, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x17, 0x16, 0x12, 0x17, 0xDC, 0x00, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0x76, 0x24, 0x6C, 0x97, 0x2C, 0xB5, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x71, 0xE3, 0xB0, 0xBB, 0x4E, 0x50, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0x48, 0x26, 0xD5, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x5F, 0x28, 0xF6, 0x01, 0x5A, 0x60, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x95, 0xFE, 0xD0, 0xAD, 0x15, 0xD4, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x5B, 0x7A, 0xFD, 0x80, 0xF7, 0x9F, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xBC, 0x1B, 0xDF, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xE6, 0xDF, 0x14, 0x29, 0xF4, 0xD4, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x12, 0xDD, 0xEC, 0x5B, 0x8A, 0x59, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x92, 0x3E, 0x35, 0x08, 0xE9, 0xCF, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0x35, 0x29, 0x97, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xDB, 0xD6, 0x6A, 0xC5, 0x43, 0xA4, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x33, 0x50, 0x61, 0x70, 0xA1, 0xE9, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x15, 0x6E, 0x5F, 0x01, 0x0C, 0x8C, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xA1, 0x9A, 0x9D, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xC6, 0xF7, 0xE2, 0x4A, 0xCD, 0x9B, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x4D, 0x5A, 0xB8, 0xE2, 0x6D, 0xA6, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x3F, 0xB6, 0x17, 0xE3, 0x2C, 0x6F, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xA4, 0x59, 0x51, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x4F, 0x7C, 0x49, 0xCD, 0x6E, 0xEB, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xC9, 0x1F, 0xB7, 0x4D, 0x98, 0xC7, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4C, 0xFD, 0x98, 0x20, 0x95, 0xBB, 0x20, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xF2, 0x73, 0x92, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xEF, 0xFB, 0x30, 0xFA, 0x12, 0x1A, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x4C, 0x24, 0xB4, 0x5B, 0xC9, 0x4C, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xDD, 0x5E, 0x84, 0x95, 0x4D, 0x26, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xFA, 0xF9, 0x3A, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0xA3, 0x2E, 0x7A, 0xDC, 0xA7, 0x53, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x9F, 0x81, 0x84, 0xB2, 0x0D, 0xFE, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x89, 0x1B, 0x77, 0x0C, 0x89, 0x71, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xFF, 0x7F, 0xB2, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xE9, 0x2C, 0x79, 0xA6, 0x3C, 0xAD, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xE0, 0x23, 0x02, 0x86, 0x0F, 0x77, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x93, 0x6D, 0xE9, 0xF9, 0x3C, 0xBE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0xE7, 0x24, 0x92, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x3C, 0x5B, 0x4B, 0x1B, 0x25, 0x37, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xE8, 0x38, 0x1B, 0xA1, 0x5A, 0x2E, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x19, 0xFD, 0xF4, 0x78, 0x01, 0x6B, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0x69, 0x37, 0x4F, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xE2, 0xBF, 0xD3, 0xEC, 0x95, 0x9C, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x7B, 0xFC, 0xD5, 0xD3, 0x25, 0x5E, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x55, 0x09, 0xA2, 0x58, 0x6A, 0xC9, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xCC, 0x3B, 0xD9, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp224k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x08, 0x65, 0x5E, 0xCB, 0xAB, 0x48, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x79, 0x8B, 0xC0, 0x11, 0xC0, 0x69, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xE8, 0x8C, 0x4C, 0xC5, 0x28, 0xE4, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x1F, 0x34, 0x5C, 0x00, 0x00, 0x00, 0x00),
+};
+static const mbedtls_ecp_point secp224k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp224k1_T_0_X, secp224k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_1_X, secp224k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_2_X, secp224k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_3_X, secp224k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_4_X, secp224k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_5_X, secp224k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_6_X, secp224k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_7_X, secp224k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_8_X, secp224k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_9_X, secp224k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_10_X, secp224k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_11_X, secp224k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_12_X, secp224k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_13_X, secp224k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_14_X, secp224k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp224k1_T_15_X, secp224k1_T_15_Y),
+};
+#else
+#define secp224k1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static const mbedtls_mpi_uint secp256k1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+static const mbedtls_mpi_uint secp256k1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x00, 0x00),
+};
+static const mbedtls_mpi_uint secp256k1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_2(0x07, 0x00),
+};
+static const mbedtls_mpi_uint secp256k1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
+};
+static const mbedtls_mpi_uint secp256k1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
+};
+static const mbedtls_mpi_uint secp256k1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint secp256k1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79),
+};
+static const mbedtls_mpi_uint secp256k1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48),
+};
+static const mbedtls_mpi_uint secp256k1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xEE, 0xD7, 0x1E, 0x67, 0x86, 0x32, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0xB1, 0xA9, 0xD5, 0xCC, 0x27, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x0E, 0x11, 0x01, 0x71, 0xFE, 0x92, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x28, 0x63, 0x6D, 0x72, 0x09, 0xA6, 0xC0),
+};
+static const mbedtls_mpi_uint secp256k1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0x69, 0xDC, 0x3E, 0x2C, 0x75, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xB7, 0x3F, 0x30, 0x26, 0x3C, 0xDF, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xBE, 0xB9, 0x5D, 0x0E, 0xE8, 0x5E, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0xC3, 0x05, 0xD6, 0xB7, 0xD5, 0x24, 0xFC),
+};
+static const mbedtls_mpi_uint secp256k1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0xCF, 0x7B, 0xDC, 0xCD, 0xC3, 0x39, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0xDA, 0xB9, 0xE5, 0x64, 0xA7, 0x47, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0x46, 0xA8, 0x61, 0xF6, 0x23, 0xEB, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xC1, 0xFF, 0xE4, 0x55, 0xD5, 0xC2, 0xBF),
+};
+static const mbedtls_mpi_uint secp256k1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xBE, 0xB9, 0x59, 0x24, 0x13, 0x4A, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x45, 0x12, 0xDE, 0xBA, 0x4F, 0xEF, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x08, 0xBF, 0xC1, 0x66, 0xAA, 0x0A, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xFE, 0x30, 0x55, 0x31, 0x86, 0xA7, 0xB4),
+};
+static const mbedtls_mpi_uint secp256k1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBF, 0x18, 0x81, 0x67, 0x27, 0x42, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x05, 0x83, 0xA4, 0xDD, 0x57, 0xD3, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x63, 0xAB, 0xE4, 0x90, 0x70, 0xD0, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x5D, 0xFD, 0xA0, 0xEF, 0xCF, 0x1C, 0x54),
+};
+static const mbedtls_mpi_uint secp256k1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x80, 0xE4, 0xF6, 0x09, 0xBC, 0x57, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x9F, 0x6E, 0x88, 0x54, 0x6E, 0x51, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x5F, 0x85, 0xFB, 0x84, 0x3E, 0x4A, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x19, 0xF5, 0x55, 0xC9, 0x07, 0xD8, 0xCE),
+};
+static const mbedtls_mpi_uint secp256k1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xB4, 0xC3, 0xD9, 0x5C, 0xA0, 0xD4, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x30, 0xAF, 0x59, 0x9B, 0xF8, 0x04, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xA6, 0xFD, 0x66, 0x7B, 0xC3, 0x39, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE0, 0xBF, 0xF0, 0xC2, 0xE9, 0x71, 0xA4, 0x9E),
+};
+static const mbedtls_mpi_uint secp256k1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x2D, 0xB9, 0x88, 0x28, 0xF1, 0xBE, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xF3, 0x1A, 0x0E, 0xB9, 0x01, 0x66, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0xA4, 0xF4, 0x05, 0xD0, 0xAA, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x39, 0x1E, 0x47, 0xE5, 0x68, 0xC8, 0xC0),
+};
+static const mbedtls_mpi_uint secp256k1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xB9, 0xFC, 0xE0, 0x33, 0x8A, 0x7D, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x93, 0xA5, 0x53, 0x55, 0x16, 0xB4, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x5F, 0xEA, 0x9B, 0x29, 0x52, 0x71, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xF0, 0x24, 0xB8, 0x7D, 0xB7, 0xA0, 0x9B),
+};
+static const mbedtls_mpi_uint secp256k1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x00, 0x27, 0xB2, 0xDF, 0x73, 0xA2, 0xE0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x2E, 0x4D, 0x7C, 0xDE, 0x7A, 0x23, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x65, 0x60, 0xC7, 0x97, 0x1E, 0xA4, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x13, 0x5B, 0x77, 0x59, 0xCB, 0x36, 0xE1),
+};
+static const mbedtls_mpi_uint secp256k1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xBC, 0x9F, 0x9E, 0x2D, 0x53, 0x2A, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x5F, 0x64, 0x9F, 0x1A, 0x19, 0xE6, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x7B, 0x39, 0xD2, 0xDB, 0x85, 0x84, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xC7, 0x0D, 0x58, 0x6E, 0x3F, 0x52, 0x15),
+};
+static const mbedtls_mpi_uint secp256k1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x68, 0x19, 0x0B, 0x68, 0xC9, 0x1E, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x4E, 0x21, 0x49, 0x3D, 0x55, 0xCC, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xF9, 0x25, 0x45, 0x54, 0x45, 0xB1, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xF7, 0xCD, 0x80, 0xA4, 0x04, 0x05),
+};
+static const mbedtls_mpi_uint secp256k1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x1E, 0x88, 0xC4, 0xAA, 0x18, 0x7E, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xAC, 0xD9, 0xB2, 0xA1, 0xC0, 0x71, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xA2, 0xF1, 0x15, 0xA6, 0x5F, 0x6C, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x5B, 0x05, 0xBC, 0xB7, 0xC6, 0x4E, 0x72),
+};
+static const mbedtls_mpi_uint secp256k1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x80, 0xF8, 0x5C, 0x20, 0x2A, 0xE1, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x48, 0x2E, 0x68, 0x82, 0x7F, 0xEB, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x3B, 0x25, 0xDB, 0x32, 0x4D, 0x88, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0x6E, 0xA6, 0xB6, 0x6D, 0x62, 0x78, 0x22),
+};
+static const mbedtls_mpi_uint secp256k1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4D, 0x3E, 0x86, 0x58, 0xC3, 0xEB, 0xBA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x89, 0x33, 0x18, 0x21, 0x1D, 0x9B, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x9D, 0xFF, 0xC3, 0x79, 0xC1, 0x88, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0xD4, 0x48, 0x53, 0xE8, 0xAD, 0x21, 0x16),
+};
+static const mbedtls_mpi_uint secp256k1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x7B, 0xDE, 0xCB, 0xD8, 0x39, 0x17, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xF3, 0x03, 0xF2, 0x5C, 0xBC, 0xC8, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0xAE, 0x4C, 0xB0, 0x16, 0xA4, 0x93, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8B, 0x6B, 0xDC, 0xD7, 0x9A, 0x3E, 0x7E),
+};
+static const mbedtls_mpi_uint secp256k1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x2D, 0x7A, 0xD2, 0x59, 0x05, 0xA2, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x56, 0x09, 0x32, 0xF1, 0xE8, 0xE3, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0xCA, 0xE5, 0x2E, 0xF0, 0xFB, 0x18, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x85, 0xA9, 0x23, 0x15, 0x31, 0x1F, 0x0E),
+};
+static const mbedtls_mpi_uint secp256k1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xE5, 0xB1, 0x86, 0xB9, 0x6E, 0x8D, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x77, 0xFC, 0xC9, 0xA3, 0x3F, 0x89, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x6A, 0xDC, 0x25, 0xB0, 0xC7, 0x41, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x11, 0x6B, 0xA6, 0x11, 0x62, 0xD4, 0x2D),
+};
+static const mbedtls_mpi_uint secp256k1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7D, 0x34, 0xB3, 0x20, 0x7F, 0x37, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xD4, 0x45, 0xE8, 0xC2, 0xE9, 0xC5, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x32, 0x3B, 0x25, 0x7E, 0x79, 0xAF, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xE4, 0x54, 0x71, 0xBE, 0x35, 0x4E, 0xD0),
+};
+static const mbedtls_mpi_uint secp256k1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x94, 0xDD, 0x8F, 0xB5, 0xC2, 0xDD, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x49, 0xE9, 0x1C, 0x2F, 0x08, 0x49, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xB6, 0x03, 0x88, 0x6F, 0xB8, 0x15, 0x67),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xD3, 0x1C, 0xF3, 0xA5, 0xEB, 0x79, 0x01),
+};
+static const mbedtls_mpi_uint secp256k1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF9, 0x43, 0x88, 0x89, 0x0D, 0x06, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x2D, 0xF5, 0x98, 0x32, 0xF6, 0xB1, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x73, 0x8F, 0x2B, 0x50, 0x27, 0x0A, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE3, 0xBD, 0x16, 0x05, 0xC8, 0x93, 0x12),
+};
+static const mbedtls_mpi_uint secp256k1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0x6A, 0xF7, 0xE3, 0x3D, 0xDE, 0x5F, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA3, 0x9C, 0x22, 0x3C, 0x33, 0x36, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x24, 0x4C, 0x69, 0x45, 0x78, 0x14, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xF8, 0xD4, 0xBF, 0xB8, 0xC0, 0xA1, 0x25),
+};
+static const mbedtls_mpi_uint secp256k1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x88, 0xE1, 0x91, 0x03, 0xEB, 0xB3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x11, 0xA1, 0xEF, 0x14, 0x0D, 0xC4, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0xD4, 0x0D, 0x1D, 0x96, 0x33, 0x5C, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x45, 0x2A, 0x1A, 0xE6, 0x57, 0x04, 0x9B),
+};
+static const mbedtls_mpi_uint secp256k1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xB5, 0xA7, 0x80, 0xE9, 0x93, 0x97, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0xB9, 0x7C, 0xA0, 0xC9, 0x57, 0x26, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0xEF, 0x56, 0xDA, 0x66, 0xF6, 0x1B, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x89, 0x6B, 0x91, 0xE0, 0xA9, 0x65, 0x2B),
+};
+static const mbedtls_mpi_uint secp256k1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x98, 0x96, 0x9B, 0x06, 0x7D, 0x5E, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xFA, 0xC1, 0x5F, 0x19, 0x37, 0x94, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xBE, 0x6B, 0x1A, 0x05, 0xE4, 0xBF, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xCD, 0x5D, 0x35, 0xB4, 0x51, 0xF7, 0x64),
+};
+static const mbedtls_mpi_uint secp256k1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xEF, 0x96, 0xDB, 0xF2, 0x61, 0x63, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x04, 0x88, 0xC9, 0x9F, 0x1B, 0x94, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x30, 0x79, 0x7E, 0x24, 0xE7, 0x5F, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xB8, 0x90, 0xB7, 0x94, 0x25, 0xBB, 0x0F),
+};
+static const mbedtls_mpi_uint secp256k1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x79, 0xEA, 0xAD, 0xC0, 0x6D, 0x18, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xA4, 0x58, 0x2A, 0x8D, 0x95, 0xB3, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC4, 0xC2, 0x12, 0x0D, 0x79, 0xE2, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6F, 0xBE, 0x97, 0x4D, 0xA4, 0x20, 0x07),
+};
+static const mbedtls_mpi_uint secp256k1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x31, 0x71, 0xC6, 0xA6, 0x91, 0xEB, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x9B, 0xA8, 0x4A, 0xE7, 0x77, 0xE1, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0x06, 0xD3, 0x3D, 0x94, 0x30, 0xEF, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xDF, 0xCA, 0xFA, 0xF5, 0x28, 0xF8, 0xC9),
+};
+static const mbedtls_mpi_uint secp256k1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0xE1, 0x32, 0xFD, 0x3E, 0x81, 0xF8, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0xF2, 0x4B, 0x1D, 0x19, 0xC9, 0x0F, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB1, 0x8A, 0x22, 0x8B, 0x05, 0x6B, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0x21, 0xEF, 0x30, 0xEC, 0x09, 0x2A, 0x89),
+};
+static const mbedtls_mpi_uint secp256k1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x84, 0x4A, 0x46, 0x07, 0x6C, 0x3C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x18, 0x3A, 0xF4, 0xCC, 0xF5, 0xB2, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0x8F, 0xCD, 0x0A, 0x9C, 0xF4, 0xBD, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x89, 0x7F, 0x8A, 0xB1, 0x52, 0x3A, 0xAB),
+};
+static const mbedtls_ecp_point secp256k1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(secp256k1_T_0_X, secp256k1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_1_X, secp256k1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_2_X, secp256k1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_3_X, secp256k1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_4_X, secp256k1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_5_X, secp256k1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_6_X, secp256k1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_7_X, secp256k1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_8_X, secp256k1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_9_X, secp256k1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_10_X, secp256k1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_11_X, secp256k1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_12_X, secp256k1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_13_X, secp256k1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_14_X, secp256k1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(secp256k1_T_15_X, secp256k1_T_15_Y),
+};
+#else
+#define secp256k1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
+ */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP256r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xA2, 0xED, 0x52, 0xC9, 0x8C, 0xE3, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0xC9, 0xC4, 0x87, 0x3F, 0x93, 0x7A, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x12, 0x53, 0x61, 0x3E, 0x76, 0x08, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0x8C, 0x74, 0xF4, 0x08, 0xC3, 0x76, 0x80),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0xDD, 0x09, 0xA6, 0xED, 0xEE, 0xC4, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xD9, 0xBE, 0x4B, 0xA5, 0xB7, 0x2B, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x20, 0x12, 0xCA, 0x0A, 0x38, 0x24, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x72, 0x71, 0x90, 0x7A, 0x2E, 0xB7, 0x23),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x66, 0xA1, 0x93, 0x10, 0x2A, 0x51, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0x10, 0x11, 0x12, 0xBC, 0xB0, 0xB6, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x58, 0xD7, 0x0A, 0x84, 0x05, 0xA3, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x8E, 0x95, 0x61, 0xD3, 0x0B, 0xDF, 0x36),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x92, 0x12, 0x0F, 0x5E, 0x87, 0x70, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0xE9, 0x9B, 0xEB, 0x3A, 0xFB, 0xCF, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0x92, 0xB9, 0xF7, 0x45, 0xD3, 0x06, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x28, 0x65, 0xE1, 0xC5, 0x6C, 0x57, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x0E, 0x77, 0x01, 0x81, 0x9E, 0x38, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0xF0, 0xD5, 0xA5, 0x91, 0x2B, 0xDF, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xEE, 0xB6, 0x25, 0xD6, 0x98, 0xDE, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0xA1, 0x55, 0x63, 0x39, 0xEB, 0xB5, 0x47),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD6, 0xB8, 0xE3, 0x13, 0xED, 0x7F, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xE8, 0xAE, 0x36, 0xB8, 0xCD, 0x19, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x82, 0x83, 0x7A, 0x7B, 0x46, 0x56, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x60, 0x46, 0x15, 0x5A, 0xAC, 0x99, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x61, 0x50, 0xC6, 0xFF, 0x10, 0x7D, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x51, 0xDF, 0xA9, 0x7D, 0x78, 0x26, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0x15, 0x9A, 0xF7, 0x01, 0xC1, 0xBB, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x0F, 0xE6, 0x2A, 0xBD, 0x4A, 0x9E, 0x87),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF8, 0xD1, 0x77, 0xD2, 0x49, 0xB3, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x86, 0xFB, 0x9E, 0x1F, 0x5A, 0x60, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xC4, 0x8D, 0xCD, 0x86, 0x61, 0x2F, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xF6, 0xB9, 0xAC, 0x37, 0x9D, 0xE9, 0x28),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x77, 0xAA, 0x97, 0x9C, 0x0B, 0x04, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0xA6, 0x60, 0x81, 0xCE, 0x25, 0x13, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x00, 0xF3, 0xBB, 0x82, 0x99, 0x95, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x5A, 0xCE, 0x90, 0x71, 0x38, 0x2F, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x1A, 0xC0, 0x84, 0x27, 0xD6, 0x9D, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x37, 0x52, 0x16, 0x13, 0x0E, 0xCE, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBF, 0x5A, 0xDB, 0xDB, 0x6E, 0x1E, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0xB7, 0x5E, 0xF9, 0x86, 0xDD, 0x8A, 0x5C),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xAB, 0x5C, 0x8D, 0x1D, 0xF2, 0x2D, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0xC5, 0xF8, 0xF7, 0x1D, 0x96, 0x0B, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x4C, 0xA7, 0x45, 0x20, 0x6A, 0x1E, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x5D, 0xEF, 0xDE, 0xEE, 0x39, 0x44, 0x19),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x2F, 0x6D, 0x52, 0xC9, 0x58, 0x60, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xC9, 0x62, 0xCB, 0x38, 0x3C, 0x55, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xA5, 0x09, 0x10, 0x88, 0xDB, 0xE3, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xE0, 0x3C, 0xCE, 0x06, 0x0B, 0x4B, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x1D, 0xB4, 0x10, 0x76, 0x8F, 0xBA, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x70, 0x5A, 0x07, 0xF5, 0x1A, 0x74, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xE9, 0x94, 0xA8, 0xC0, 0xD5, 0x4A, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x6D, 0xD4, 0xE8, 0x9B, 0xE9, 0x6D, 0x0E),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x00, 0x32, 0x41, 0x57, 0x84, 0x89, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC7, 0x14, 0xEC, 0xE9, 0x27, 0xFF, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x67, 0x9E, 0xFB, 0xB6, 0xB8, 0x96, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0x4A, 0xE3, 0x97, 0x4B, 0x58, 0xDE, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0x1E, 0x5C, 0xF5, 0x7F, 0xD5, 0xD4, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x08, 0x7A, 0xF1, 0xBD, 0x89, 0xC7, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0xF9, 0x11, 0x1B, 0xF5, 0x3C, 0x6D, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x50, 0xE5, 0x69, 0x1D, 0x59, 0xFC, 0x0C),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x2F, 0xF8, 0x3F, 0xEC, 0x55, 0x99, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0xA7, 0x29, 0x90, 0x43, 0x81, 0x31, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x18, 0x44, 0x50, 0x5D, 0x76, 0xCB, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xC5, 0x5B, 0x9A, 0x03, 0xE6, 0x17, 0x39),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x89, 0xFC, 0x55, 0x94, 0x91, 0x6A, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x46, 0x35, 0xF2, 0x3A, 0x42, 0x08, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0xD2, 0x76, 0x49, 0x42, 0x87, 0xD3, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xEA, 0xA0, 0x52, 0xF1, 0x6A, 0x30, 0x57),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0xB2, 0x57, 0xA3, 0x8A, 0x4D, 0x1B, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0xA3, 0x99, 0x94, 0xB5, 0x3D, 0x64, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC3, 0xD7, 0x53, 0xF6, 0x49, 0x1C, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x23, 0x41, 0x4D, 0xFB, 0x7A, 0x5C, 0x53),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xB8, 0x15, 0x65, 0x5C, 0x85, 0x94, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x37, 0xC7, 0xF8, 0x7E, 0xAE, 0x6C, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xD8, 0x11, 0x54, 0x98, 0x44, 0xE3, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x4D, 0xA6, 0x4B, 0x28, 0xF2, 0x57, 0x9E),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xD0, 0xEB, 0x1E, 0xAA, 0x30, 0xD3, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x9B, 0x4D, 0xA7, 0x73, 0x6E, 0xB6, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x47, 0xF6, 0xED, 0x37, 0xEF, 0x71, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xB5, 0x49, 0x61, 0x5E, 0x45, 0xF6, 0x4A),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x0E, 0xB3, 0x84, 0x3A, 0x63, 0x72, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x53, 0x5C, 0xA7, 0xC6, 0x2E, 0xAB, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x0F, 0x8F, 0x87, 0x50, 0x28, 0xB4, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x98, 0x4A, 0x98, 0x31, 0x86, 0xCA, 0x51),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC9, 0xE2, 0xFD, 0x5D, 0x1F, 0xE8, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x90, 0x91, 0xC4, 0x84, 0xF0, 0xBA, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x5A, 0xB3, 0x4E, 0xFB, 0xE0, 0x57, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x0B, 0x90, 0xA6, 0xFD, 0x9D, 0x8E, 0x02),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x41, 0x8F, 0x31, 0xFA, 0x5A, 0xF6, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xE9, 0xE3, 0xF6, 0xE0, 0x4A, 0xE7, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0x4E, 0xCD, 0xA2, 0x22, 0x14, 0xD4, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xED, 0x21, 0xB7, 0x0F, 0x53, 0x10, 0x17),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x06, 0x24, 0x2C, 0x4E, 0xD1, 0x1E, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x3F, 0xC1, 0x9F, 0xAB, 0xF0, 0x37, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x03, 0x5E, 0x12, 0xCE, 0x83, 0x1B, 0x2A, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x65, 0xCF, 0xE8, 0x5C, 0xA5, 0xA2, 0x70),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x86, 0x76, 0x3A, 0x94, 0xF6, 0x1D, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xDA, 0xC9, 0xA6, 0x29, 0x93, 0x15, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x61, 0x6A, 0x7D, 0xC7, 0xA9, 0xF3, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x03, 0x71, 0xA2, 0x15, 0xCE, 0x50, 0x72),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xD0, 0xA8, 0x1E, 0x91, 0xC4, 0x4F, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x4B, 0x7E, 0xD7, 0x71, 0x58, 0x7E, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x45, 0xAF, 0x2A, 0x18, 0x93, 0x95, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x8F, 0xC7, 0xFA, 0x4C, 0x7A, 0x86, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0xAF, 0x68, 0x3A, 0x23, 0xC1, 0x2E, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x50, 0x11, 0x67, 0x39, 0xB9, 0xAF, 0x48),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x86, 0xAA, 0x1E, 0x88, 0x21, 0x29, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x28, 0xA4, 0x9D, 0x89, 0xA9, 0x9A, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xBA, 0x04, 0x67, 0xB7, 0x01, 0x40, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xE9, 0x09, 0xA3, 0xCA, 0xA6, 0x37, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x97, 0xA8, 0xB6, 0x3C, 0xEE, 0x90, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xED, 0xC4, 0xF7, 0xC3, 0x95, 0xEC, 0x85),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x84, 0xBD, 0xEB, 0xD5, 0x64, 0xBB, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x9B, 0xE2, 0x28, 0x50, 0xC2, 0x72, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0xF2, 0x74, 0xD1, 0x26, 0xBF, 0x32, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xCB, 0xAF, 0x72, 0xDB, 0x6D, 0x30, 0x98),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x50, 0x85, 0xF4, 0x2B, 0x48, 0xC1, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x28, 0xBB, 0x11, 0xBA, 0x5B, 0x22, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xA1, 0xE5, 0x5C, 0xC9, 0x1D, 0x44, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xE8, 0xE6, 0x6F, 0xBB, 0xC1, 0x81, 0x7F),
+};
+static const mbedtls_ecp_point brainpoolP256r1_T[16] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP256r1_T_0_X, brainpoolP256r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_1_X, brainpoolP256r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_2_X, brainpoolP256r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_3_X, brainpoolP256r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_4_X, brainpoolP256r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_5_X, brainpoolP256r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_6_X, brainpoolP256r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_7_X, brainpoolP256r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_8_X, brainpoolP256r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_9_X, brainpoolP256r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_10_X, brainpoolP256r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_11_X, brainpoolP256r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_12_X, brainpoolP256r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_13_X, brainpoolP256r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_14_X, brainpoolP256r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP256r1_T_15_X, brainpoolP256r1_T_15_Y),
+};
+#else
+#define brainpoolP256r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
+ */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP384r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xD8, 0x8A, 0x54, 0x41, 0xD6, 0x6B, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x3B, 0xF1, 0x22, 0xFD, 0x2D, 0x4B, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x55, 0xE3, 0x33, 0xF0, 0x73, 0x52, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x3F, 0x30, 0x26, 0xCA, 0x7F, 0x52, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD3, 0x6E, 0x17, 0x9B, 0xD5, 0x2A, 0x4A, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xDA, 0x6B, 0xE5, 0x03, 0x07, 0x1D, 0x2E),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x7A, 0xAF, 0x98, 0xE3, 0xA4, 0xF6, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x7D, 0xFE, 0x51, 0x40, 0x3B, 0x47, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x88, 0xEC, 0xC4, 0xE2, 0x8F, 0xCB, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xE2, 0x88, 0x2D, 0x4E, 0x50, 0xEB, 0x9A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x54, 0x94, 0x5E, 0xF4, 0x7F, 0x3A, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x07, 0x1C, 0xE1, 0xBD, 0x0F, 0xF8, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x92, 0x28, 0x2E, 0x32, 0x04, 0xB1, 0x4D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x82, 0x44, 0x43, 0x76, 0x0D, 0x55, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xE3, 0xFF, 0x89, 0x46, 0xDE, 0x4E, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0x22, 0xBB, 0x67, 0x1A, 0x81, 0xEE, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x54, 0xE2, 0x7A, 0xAE, 0xDA, 0x2C, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x9A, 0x90, 0xAA, 0x6E, 0x8B, 0xCC, 0x5F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x40, 0xAC, 0xED, 0x7D, 0x37, 0x87, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0xF8, 0xB1, 0x80, 0x4C, 0x8C, 0x04, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x98, 0x2C, 0xAD, 0x30, 0x69, 0x35, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x2E, 0x00, 0x2F, 0x44, 0x8C, 0xF0, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x58, 0x07, 0xD7, 0xCD, 0x60, 0xA1, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0xFB, 0x7B, 0x03, 0x05, 0x5E, 0x79, 0x73),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x17, 0xCE, 0x38, 0x4B, 0x5E, 0x5B, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x0E, 0x0A, 0x61, 0x9D, 0x7C, 0x62, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xF0, 0x98, 0x71, 0x7F, 0x17, 0x26, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0xD3, 0xFA, 0x3C, 0xF0, 0x70, 0x07, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x47, 0x5C, 0x09, 0x43, 0xB7, 0x65, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xA7, 0x3E, 0xFA, 0xF3, 0xEC, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x78, 0x22, 0x2B, 0x58, 0x71, 0xFA, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x30, 0xCE, 0x6A, 0xB3, 0xB0, 0x4F, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0x95, 0x20, 0xA9, 0x23, 0xC2, 0x65, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0xCF, 0x03, 0x5B, 0x8A, 0x80, 0x44, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xF8, 0x91, 0xF7, 0xD5, 0xED, 0xEA, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x5B, 0x16, 0x10, 0x25, 0xAC, 0x2A, 0x17),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEC, 0xDC, 0xC4, 0x7B, 0x8C, 0x6B, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xBB, 0x1C, 0xD3, 0x5A, 0xEE, 0xD9, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x5D, 0x30, 0x5E, 0xF7, 0xB2, 0x41, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xCE, 0x0F, 0x1A, 0xC6, 0x41, 0x64, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x18, 0xE1, 0xE3, 0x82, 0x15, 0x66, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0xE2, 0x24, 0x04, 0x72, 0x39, 0xA0, 0x7C),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x51, 0xA2, 0x58, 0x88, 0x62, 0xE1, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xD2, 0x65, 0x14, 0xE9, 0x4C, 0x82, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE1, 0xAC, 0x87, 0xAE, 0x31, 0x1A, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0x4F, 0x96, 0x1E, 0x85, 0x7A, 0xC3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x86, 0xBB, 0xF0, 0xC0, 0x9D, 0x08, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x53, 0x03, 0x09, 0x80, 0x91, 0xEF, 0x68),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0xD7, 0xAF, 0x6F, 0x69, 0x7B, 0x88, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x13, 0xE4, 0x30, 0xA2, 0x47, 0xB5, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD2, 0xC0, 0xDD, 0x8A, 0x1C, 0x3C, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x8C, 0xB3, 0x4C, 0xBA, 0x8B, 0x6D, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xC7, 0xA1, 0xA8, 0x6E, 0x3C, 0x4F, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x4A, 0x97, 0xC8, 0x03, 0x6F, 0x01, 0x82),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x18, 0x12, 0xA9, 0x39, 0xD5, 0x22, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0xA7, 0xC0, 0xBD, 0x9D, 0x8D, 0x78, 0x38),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xB3, 0xD0, 0x7F, 0xDF, 0xD0, 0x30, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x73, 0x96, 0xEC, 0xA8, 0x1D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xD1, 0x65, 0x66, 0xDC, 0xD9, 0xCF, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xED, 0x7B, 0x37, 0xAD, 0xE2, 0xBE, 0x2D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x79, 0x42, 0x6A, 0x07, 0x66, 0xB1, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x53, 0x62, 0x65, 0x92, 0x09, 0x4C, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xAF, 0xC3, 0x03, 0xF6, 0xF4, 0x2D, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xCA, 0x41, 0xD9, 0xA2, 0x69, 0x9B, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0xB2, 0xA6, 0x8D, 0xE1, 0xAA, 0x61, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xBA, 0x4D, 0x12, 0xB6, 0xBE, 0xF3, 0x7E),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x92, 0x22, 0x07, 0xCE, 0xC9, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xA1, 0x7C, 0x91, 0xDB, 0x32, 0xF7, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x49, 0x4B, 0x6D, 0xFB, 0xD9, 0x70, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xFB, 0x4E, 0x4C, 0x5E, 0x66, 0x81, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xB3, 0xE1, 0x00, 0xB7, 0xD9, 0xCC, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x36, 0x8B, 0xC4, 0x39, 0x20, 0xFD, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x1F, 0x60, 0x03, 0xBB, 0xD7, 0x60, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x3C, 0x62, 0xDD, 0x71, 0x95, 0xE9, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x5B, 0x7A, 0x5F, 0x68, 0x81, 0xC5, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xAF, 0xB5, 0xB9, 0x98, 0x42, 0x28, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x29, 0x8E, 0x11, 0x49, 0xB4, 0xD7, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x3E, 0xD2, 0x30, 0xA1, 0xBA, 0xCA, 0x03),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x37, 0x64, 0x44, 0x2F, 0x03, 0xE5, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x42, 0xBC, 0xFF, 0xA2, 0x1A, 0x5F, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0x04, 0xAB, 0x04, 0xE0, 0x24, 0xAD, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x45, 0x17, 0x67, 0x1F, 0x3E, 0x53, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x0F, 0xB3, 0x1B, 0x57, 0x54, 0xC2, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xD3, 0xF8, 0xC4, 0x1B, 0x9B, 0xFA, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x90, 0xFD, 0xFB, 0xCA, 0x49, 0x38, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xCF, 0xC6, 0xDD, 0xF0, 0xFF, 0x8C, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x69, 0x9D, 0xBD, 0x5F, 0x33, 0xE9, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x19, 0x82, 0x3D, 0xAC, 0x1C, 0x40, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0xC7, 0x02, 0x46, 0x14, 0x77, 0x00, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x05, 0xF2, 0x77, 0x3A, 0x66, 0x5C, 0x39),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xE6, 0x17, 0xDE, 0xB2, 0xA1, 0xE5, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x71, 0xEC, 0x9D, 0xD8, 0xF5, 0xD4, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xC6, 0x42, 0x5E, 0xE7, 0x18, 0xBA, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x21, 0x68, 0x5A, 0x26, 0xFB, 0xD7, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x00, 0x5C, 0xBA, 0x8A, 0x34, 0xEC, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0x9C, 0x3C, 0xAF, 0x53, 0xE8, 0x65, 0x35),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xEF, 0x28, 0xDC, 0x67, 0x05, 0xC8, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x78, 0xC3, 0x85, 0x49, 0xA0, 0xBC, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x3E, 0x2D, 0xA0, 0xCF, 0xD4, 0x7A, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x93, 0xFE, 0x60, 0xB3, 0x6E, 0x99, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x62, 0xAD, 0x04, 0xE7, 0x49, 0xAF, 0x5E, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x7A, 0xED, 0xA6, 0x9E, 0x18, 0x09, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x05, 0x94, 0x44, 0xDC, 0xB8, 0x85, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xB7, 0x37, 0xC2, 0x50, 0x75, 0x15, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0xC6, 0x0F, 0xB2, 0xA9, 0x91, 0x3E, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x81, 0xAD, 0x25, 0xA1, 0x26, 0x73, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xF1, 0xD1, 0x61, 0x7C, 0x76, 0x8F, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0xDB, 0x4A, 0xFF, 0x14, 0xA7, 0x48, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x73, 0xC6, 0xC2, 0xCC, 0xF1, 0x57, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0xED, 0x73, 0x27, 0x70, 0x82, 0xB6, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xBA, 0xAC, 0x3A, 0xCF, 0xF4, 0xEA, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xD6, 0xB1, 0x8F, 0x0E, 0x08, 0x2C, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xE3, 0x8F, 0x2F, 0x0E, 0xA1, 0xF3, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0xF5, 0x7C, 0x9B, 0x29, 0x0A, 0xF6, 0x28),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0xEE, 0x17, 0x47, 0x34, 0x15, 0xA3, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBE, 0x88, 0x48, 0xE7, 0xA2, 0xBB, 0xDE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xAD, 0xDC, 0x65, 0x61, 0x37, 0x0F, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x67, 0xAD, 0xA2, 0x3A, 0x1C, 0x91, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x07, 0x0C, 0x3A, 0x41, 0x6E, 0x13, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBD, 0x7E, 0xED, 0xAA, 0x14, 0xDD, 0x61),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC3, 0xDC, 0x20, 0x01, 0x72, 0x11, 0x48, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xC4, 0x7B, 0xF8, 0x62, 0x3D, 0xF0, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xC2, 0x3D, 0x2E, 0x52, 0xA3, 0x4A, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xE2, 0x53, 0x46, 0x5E, 0x21, 0xF8, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xC7, 0x8F, 0xA9, 0x26, 0x42, 0x32, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xA6, 0xA0, 0x8D, 0x4B, 0x9A, 0x19, 0x03),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xAB, 0x6D, 0x1E, 0xFB, 0xEE, 0x60, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x56, 0x3C, 0xC5, 0x5D, 0x10, 0x79, 0x1C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0xBC, 0x41, 0x9F, 0x71, 0xEF, 0x02, 0xF9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x36, 0xC4, 0xD0, 0x88, 0x9B, 0x32, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xD4, 0x5D, 0x17, 0x39, 0xE6, 0x22, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7B, 0x26, 0x01, 0xCE, 0xBE, 0x4A, 0x9C, 0x27),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x6D, 0x11, 0xCA, 0x6C, 0x5A, 0x93, 0x0C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x96, 0x26, 0xAF, 0x2F, 0xE4, 0x30, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xC1, 0x4C, 0xC6, 0x30, 0x1F, 0x5C, 0x04),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x59, 0xB3, 0xE8, 0xFC, 0x35, 0xEB, 0x63, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x1D, 0xCA, 0xFC, 0x50, 0x36, 0x4B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0E, 0x23, 0x5B, 0xAF, 0xEB, 0x2D, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0x88, 0xB6, 0xD7, 0x74, 0x4A, 0x23, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x66, 0xE2, 0xBB, 0x29, 0xA6, 0x4F, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0x6F, 0x7E, 0x68, 0x6E, 0xA0, 0x14, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x73, 0xD4, 0xE8, 0xAB, 0x5B, 0xF6, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xE0, 0x3C, 0x24, 0x00, 0x95, 0xE9, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x0D, 0x4F, 0x81, 0xD0, 0xF2, 0x3F, 0x00),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0x1D, 0xCD, 0x78, 0x39, 0xC4, 0x6B, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x45, 0xC7, 0xB8, 0x2F, 0xAA, 0x5D, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0x8C, 0x6E, 0xA3, 0x24, 0xB2, 0xDB, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x2D, 0xD9, 0xF1, 0xC7, 0x9B, 0x8A, 0xAF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xE1, 0x2C, 0xB9, 0x40, 0x37, 0x91, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x2C, 0xB5, 0x23, 0x03, 0x2B, 0xAF, 0x2F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0x9D, 0x5A, 0x20, 0x10, 0xA9, 0x84, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x30, 0x89, 0x20, 0x13, 0xE9, 0xB2, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x6E, 0x52, 0xEB, 0x03, 0x18, 0x1F, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x9E, 0x1C, 0x35, 0x87, 0x92, 0x69, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0xC9, 0x88, 0xAF, 0xC6, 0x6C, 0x83, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0xD5, 0x7A, 0x54, 0x34, 0x99, 0xB6, 0x6F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0xAD, 0x45, 0x9B, 0x4B, 0x41, 0x4D, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0x5D, 0xAB, 0x7F, 0x35, 0x34, 0xE9, 0x29),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0xBE, 0x78, 0x34, 0x44, 0xF3, 0x4A, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xDE, 0xE3, 0xC4, 0xEE, 0x0B, 0xF9, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x86, 0x16, 0x48, 0x32, 0xB8, 0x74, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0xEE, 0x7C, 0xBA, 0xBD, 0x81, 0xE3, 0x55),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x6A, 0xFA, 0x84, 0xDA, 0xB8, 0xD5, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x9F, 0x8A, 0xD5, 0x1B, 0x2E, 0x1A, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x0C, 0x61, 0xE2, 0xFF, 0x5B, 0xE6, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x62, 0xC1, 0x87, 0x53, 0x1B, 0x92, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x90, 0x00, 0xD1, 0x6A, 0x0C, 0x0E, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x2E, 0xB5, 0x3B, 0x44, 0xB5, 0xA0, 0x78),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x5D, 0x02, 0x58, 0xB5, 0xBE, 0x45, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xEF, 0x8E, 0x90, 0x4D, 0x2A, 0x32, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0x99, 0x75, 0x5C, 0x0A, 0x33, 0x8F, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x6C, 0x95, 0xD4, 0x1F, 0xF3, 0xEB, 0xDA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0xE4, 0x4C, 0x91, 0x20, 0xF3, 0x25, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x95, 0xEB, 0x29, 0x6F, 0x20, 0x34, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x15, 0xE5, 0x13, 0x7E, 0x64, 0x8B, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xBC, 0x0D, 0x18, 0x7E, 0x37, 0x9E, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x82, 0x20, 0xF7, 0x2D, 0x7A, 0x77, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x29, 0xA2, 0xDB, 0x7A, 0xE6, 0x6F, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xC6, 0x50, 0x5C, 0xBC, 0xE6, 0x4F, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x9F, 0xD5, 0xE8, 0xC5, 0x3D, 0xB7, 0x30),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x03, 0x55, 0x10, 0xDB, 0xA6, 0x8B, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x17, 0xAE, 0x78, 0xC9, 0x1D, 0x43, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x35, 0x49, 0xD4, 0x47, 0x84, 0x8D, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x95, 0x2F, 0xEA, 0xBC, 0xB4, 0x18, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x48, 0xAE, 0x89, 0xF5, 0x65, 0x3D, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xF2, 0x2B, 0x20, 0xD1, 0x75, 0x50, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0xE6, 0x5C, 0x2C, 0xE0, 0x7D, 0xDF, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x07, 0x3E, 0xCE, 0x9F, 0x18, 0xB6, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0xF8, 0xF0, 0xD5, 0xFA, 0x42, 0x1D, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x6C, 0x1D, 0x03, 0xC9, 0x0E, 0x2B, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x18, 0x52, 0xA5, 0xB4, 0x63, 0xE1, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x0A, 0xD9, 0xC4, 0xFD, 0x16, 0x60, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x7D, 0xDE, 0xDF, 0x4B, 0x4A, 0xB0, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x4E, 0x8C, 0x94, 0xC1, 0xE2, 0x85, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4F, 0xF0, 0xEA, 0xB5, 0x9B, 0x70, 0xEF, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x56, 0xC2, 0x39, 0x5D, 0xF3, 0x2C, 0xD9, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0x1C, 0x2E, 0xCC, 0x2F, 0x54, 0x87, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB0, 0x72, 0xC7, 0xB5, 0x50, 0xA3, 0x84, 0x77),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xD1, 0xAF, 0xA9, 0xB4, 0x8B, 0x5D, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xF6, 0x52, 0x8A, 0xC3, 0x56, 0xA5, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x52, 0xFF, 0xEA, 0x05, 0x42, 0x77, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x08, 0x90, 0x72, 0x86, 0xC4, 0xC3, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x15, 0xF8, 0xF1, 0x16, 0x67, 0xC6, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x87, 0xAC, 0x8F, 0x71, 0xEC, 0x83, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0xE1, 0xE6, 0x2D, 0x0E, 0x11, 0xA1, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0xE2, 0xA8, 0x32, 0xE6, 0xE3, 0x83, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x56, 0xE5, 0xCD, 0xB7, 0x2B, 0x67, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xED, 0xC9, 0x65, 0x6D, 0x87, 0xE1, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xFD, 0x9A, 0x53, 0x0E, 0xFA, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0x4C, 0x4A, 0xE2, 0x23, 0x84, 0xFA, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xFE, 0x49, 0x81, 0xD1, 0x3E, 0xF4, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x72, 0xE0, 0xEF, 0x0D, 0xB8, 0x3E, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x00, 0x0F, 0x5F, 0xCE, 0x60, 0x72, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xCC, 0xD8, 0x03, 0x07, 0x6E, 0x5A, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x3A, 0x35, 0x50, 0x4E, 0x1F, 0xCA, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0xEA, 0x88, 0x55, 0xBD, 0x6E, 0x05, 0x7F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x6D, 0xF1, 0x97, 0xA6, 0x69, 0x39, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0x41, 0x99, 0xFF, 0x3B, 0xA1, 0x26, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x2F, 0x95, 0x80, 0x12, 0x4A, 0x1B, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xBF, 0x51, 0xAA, 0xAE, 0x2D, 0xDA, 0xCF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1C, 0xB3, 0x52, 0x36, 0x49, 0xD4, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xC1, 0x1F, 0x3A, 0xD3, 0x3E, 0x5C, 0x1A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x51, 0xF7, 0x2B, 0xC8, 0xA9, 0xA7, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0x4E, 0x7F, 0x98, 0x41, 0x66, 0xB0, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x1D, 0xC0, 0x42, 0xCD, 0xF8, 0xC3, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x41, 0x91, 0x7D, 0xCC, 0x8B, 0xCC, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xAE, 0x76, 0xED, 0x56, 0x18, 0xC5, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x6A, 0x06, 0xA3, 0x7F, 0x65, 0x10, 0x1F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xEC, 0x3C, 0x05, 0x05, 0xCA, 0xF6, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x48, 0xCD, 0x02, 0x51, 0x12, 0x16, 0x3C, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0xEB, 0xB3, 0x43, 0x7B, 0xDD, 0xB2, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x59, 0x90, 0x41, 0xDB, 0xE4, 0xF5, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x0E, 0x18, 0x2A, 0x5A, 0x83, 0x7C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x37, 0xA1, 0x0D, 0xF1, 0x2F, 0x63, 0x79),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC0, 0xFA, 0x6F, 0x1F, 0x67, 0xCF, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x34, 0x45, 0xBB, 0xF4, 0xF9, 0x9B, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0x69, 0xFE, 0x67, 0x1D, 0x64, 0x8F, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x39, 0xBF, 0xD8, 0xB3, 0xC7, 0xAD, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x93, 0xFF, 0xF3, 0x28, 0xFA, 0x39, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF9, 0xC3, 0x85, 0x26, 0x7A, 0x88, 0x89),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xD5, 0x79, 0xD8, 0x11, 0xDE, 0xEB, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x46, 0xA4, 0x6A, 0xDA, 0x74, 0x34, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0xBD, 0xD3, 0xF5, 0x14, 0xEE, 0xFE, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x4C, 0xA3, 0x71, 0x43, 0x65, 0xF8, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x6C, 0x35, 0xFA, 0x90, 0x25, 0xD8, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x34, 0x84, 0x96, 0xA1, 0x43, 0x03, 0x4D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x3B, 0x3B, 0x2F, 0xCA, 0x59, 0xF2, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCD, 0x48, 0x24, 0x74, 0xD8, 0x72, 0x90, 0xA3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x42, 0x74, 0x8C, 0x6F, 0x52, 0x19, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x40, 0x9E, 0x41, 0x63, 0x68, 0x78, 0x4C, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x94, 0xB6, 0x6B, 0x38, 0x52, 0xA8, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x30, 0x25, 0x93, 0xA1, 0x6F, 0x6E, 0x68),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x2F, 0x4B, 0x64, 0x79, 0x50, 0xFF, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0x36, 0xED, 0x57, 0x39, 0x3B, 0xE7, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x85, 0xEA, 0x35, 0xD6, 0xC0, 0xA0, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x89, 0x3A, 0xCC, 0x22, 0x1C, 0x46, 0x02),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x7A, 0xB0, 0xA1, 0x1B, 0x69, 0x62, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xB8, 0x8A, 0x6C, 0x18, 0x85, 0x0D, 0x88),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB6, 0x50, 0xE9, 0x4E, 0x7F, 0xE8, 0x07),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5B, 0x5C, 0xD1, 0x4B, 0x11, 0x9A, 0xD8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x25, 0x56, 0x74, 0x51, 0x9C, 0xEC, 0x9C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x7F, 0xB6, 0x8A, 0xCB, 0x3A, 0x10, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x60, 0x33, 0x07, 0x01, 0xE9, 0x49, 0x59, 0xE6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xA5, 0x2E, 0xF2, 0xBA, 0x32, 0x63, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x06, 0x0B, 0xA5, 0x44, 0x27, 0x7F, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x74, 0xAC, 0x0F, 0xCC, 0x4F, 0x13, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0xB1, 0xBF, 0x97, 0x49, 0xA5, 0x1C, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x64, 0x68, 0x7B, 0x0F, 0xCC, 0x77, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x39, 0xF9, 0x4E, 0x84, 0x9C, 0xF6, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xCF, 0x6D, 0xE2, 0xA1, 0x2D, 0xF9, 0x2B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0xC4, 0x90, 0x57, 0x31, 0x01, 0x05, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x1E, 0xBB, 0xBF, 0x98, 0xA4, 0x7C, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xE3, 0xA0, 0xB2, 0xCD, 0x39, 0x9A, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x34, 0x60, 0x7A, 0x89, 0x98, 0xB5, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0x20, 0x3D, 0x3A, 0x04, 0x8F, 0x5A, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x26, 0xB6, 0x49, 0x09, 0x9C, 0x0F, 0x59),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x66, 0xD2, 0x38, 0x2A, 0x62, 0x81, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0xC8, 0x20, 0x5E, 0x28, 0xA3, 0x81, 0xA7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x31, 0xA4, 0xF1, 0xEA, 0x7D, 0x87, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8F, 0x2C, 0x99, 0x09, 0x6F, 0x63, 0xEB, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x73, 0x76, 0xDA, 0x1A, 0x06, 0xBE, 0xDE, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x09, 0x2E, 0x75, 0x39, 0x30, 0x2D, 0x42),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x9B, 0xC1, 0x5A, 0x17, 0xC3, 0x8C, 0x31),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x58, 0x8D, 0x94, 0x4D, 0x3D, 0xAB, 0x60, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xFD, 0x1E, 0x0F, 0x43, 0xAE, 0x9D, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF2, 0xF3, 0x20, 0x1B, 0xAA, 0xB7, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0x5B, 0xA4, 0xF4, 0x90, 0x3B, 0xE3, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x78, 0x72, 0xBD, 0x65, 0x09, 0x0B, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x37, 0x2A, 0x6C, 0x16, 0x4F, 0x64, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0xCE, 0xA3, 0x90, 0xB4, 0x9A, 0xBC, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x55, 0x63, 0x1D, 0x3A, 0x6E, 0x18),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xB4, 0xAA, 0x99, 0x22, 0x45, 0x89, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0x7C, 0x8C, 0xA6, 0x3D, 0xA7, 0x3E, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x06, 0x42, 0xDC, 0xA6, 0xE3, 0xC6, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x8C, 0x3D, 0x5D, 0x47, 0x31, 0x7C, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x85, 0xEE, 0x46, 0x7E, 0x13, 0x04, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x3C, 0x8B, 0x43, 0x2E, 0x74, 0xF5, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x88, 0x8E, 0x07, 0x29, 0x08, 0x03, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0x9B, 0x89, 0xEB, 0x08, 0xE8, 0x43, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x07, 0x67, 0xFD, 0xD9, 0x73, 0x6F, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0xEB, 0x21, 0x8D, 0x98, 0x43, 0x74, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x88, 0xCC, 0x14, 0xD8, 0x08, 0xBB, 0xA6, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x98, 0xF2, 0x6A, 0x18, 0xC3, 0xDD, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x38, 0x91, 0xA0, 0x03, 0xF2, 0x04, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0xAF, 0xE8, 0xFD, 0xFB, 0x13, 0x70, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x93, 0x87, 0x98, 0x4A, 0xE0, 0x00, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x2E, 0x69, 0x9C, 0xA2, 0x2D, 0x03, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFE, 0xF3, 0xB9, 0xC1, 0x85, 0x2A, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xFD, 0x86, 0xB1, 0xCD, 0xBF, 0x41, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xD8, 0x9A, 0x21, 0xF3, 0xFE, 0xCB, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x78, 0x04, 0x60, 0xB7, 0xA9, 0xA2, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1E, 0x66, 0x2A, 0x54, 0x51, 0xBD, 0x8B),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x16, 0x36, 0xEF, 0x61, 0x2D, 0xEE, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x5F, 0x88, 0xA0, 0x13, 0x12, 0xF7, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA9, 0xC6, 0xAD, 0x4A, 0x4A, 0x07, 0x01, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB8, 0x74, 0xB1, 0x4F, 0xEB, 0xBD, 0xD5, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xF9, 0x71, 0xA2, 0x06, 0x4F, 0xD7, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x8B, 0x4D, 0x48, 0xE0, 0x98, 0xFB, 0x6A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xBA, 0x10, 0xA3, 0x0D, 0x52, 0xAC, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xD0, 0xE0, 0x36, 0xE6, 0x07, 0x3A, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x80, 0xF0, 0xAA, 0x49, 0x22, 0x4B, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xC7, 0xAB, 0x1C, 0x89, 0xCD, 0x24, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x82, 0x2A, 0xFC, 0xB3, 0x6D, 0x45, 0x96, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xE4, 0xDB, 0x52, 0x3F, 0xC4, 0xB4, 0x19),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5B, 0xCC, 0xC8, 0x7F, 0xBB, 0x6B, 0x87, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x21, 0x3C, 0x69, 0x7D, 0x38, 0x57, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x4C, 0x18, 0x3C, 0x53, 0xA5, 0x48, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xC3, 0x64, 0x45, 0xDB, 0xC4, 0x6D, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xCC, 0xD1, 0xBB, 0x17, 0xB8, 0x34, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x69, 0x71, 0xFA, 0xA0, 0x28, 0x4A, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xE8, 0x9E, 0x39, 0xEA, 0x8D, 0x38, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x9C, 0xBB, 0xCD, 0x80, 0x1A, 0xEE, 0xB7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xA0, 0x45, 0xBF, 0xD9, 0x22, 0x11, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x7C, 0x5C, 0xD9, 0xC0, 0x9F, 0x69, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x8A, 0xA6, 0x79, 0x4E, 0x35, 0xB9, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCC, 0x8B, 0x9A, 0x3E, 0xA1, 0xB8, 0x28, 0x10),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x2F, 0xEF, 0xBB, 0xA9, 0x72, 0x7F, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x34, 0xB7, 0x12, 0xB9, 0xE7, 0xC3, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x1D, 0xD9, 0x42, 0x77, 0x0C, 0x71, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x01, 0x59, 0xA7, 0x56, 0x03, 0x91, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x91, 0x99, 0x33, 0x30, 0x3E, 0xEF, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xC9, 0x5A, 0x9A, 0x54, 0x66, 0xF1, 0x70),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0x2C, 0xB7, 0x6E, 0x71, 0x7D, 0x35, 0x30),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x0D, 0xEF, 0xD1, 0x2D, 0x99, 0x63, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x31, 0xAF, 0x2D, 0xC9, 0xC6, 0xC2, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0xC0, 0xDF, 0x80, 0x54, 0xC4, 0xAC, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x6B, 0xA0, 0x84, 0x96, 0xF7, 0x31, 0xC8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0xE2, 0x7C, 0x7A, 0x41, 0x45, 0x75, 0x6A),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xEE, 0x58, 0x31, 0xE8, 0x68, 0xD6, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x2E, 0x48, 0xB7, 0x09, 0x9F, 0xD4, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xA9, 0x5C, 0xE7, 0x64, 0x43, 0x5D, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9E, 0x58, 0x9F, 0x50, 0xAB, 0x68, 0xFF, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0x88, 0x2D, 0xBA, 0x12, 0xBF, 0x8D, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xDF, 0x6F, 0xB3, 0x75, 0xA4, 0x55, 0x73),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x17, 0x92, 0x39, 0xB7, 0x13, 0x37, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x43, 0x71, 0xA7, 0xCA, 0x17, 0x1B, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE7, 0xB9, 0xB0, 0x78, 0xEF, 0xA0, 0xDA, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x84, 0xF2, 0x0F, 0x85, 0xA2, 0xB6, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x72, 0x65, 0x2E, 0x6E, 0x45, 0xB9, 0x4C, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x6A, 0x8C, 0x2B, 0x77, 0x96, 0x36, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x7A, 0x13, 0x4A, 0x97, 0x63, 0x02, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x1E, 0x06, 0x03, 0x8F, 0xB9, 0xEE, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0xEE, 0x8B, 0x89, 0xA9, 0x70, 0xDB, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x7B, 0x81, 0xC9, 0x70, 0x8D, 0x62, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0xDA, 0x46, 0xF8, 0xF9, 0x3A, 0xBE, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0x9C, 0x7A, 0x97, 0x62, 0xEB, 0xFA, 0x0F),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x03, 0x3D, 0x3C, 0x46, 0x27, 0x9E, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x08, 0x1C, 0xD5, 0x25, 0xAF, 0xE9, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x69, 0xDC, 0x59, 0xF4, 0x8A, 0x7C, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x9A, 0x7A, 0x99, 0x21, 0x0C, 0x4E, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xCE, 0x85, 0x5F, 0xAC, 0xAA, 0x82, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x83, 0x57, 0x69, 0x90, 0x76, 0xF3, 0x53, 0x3F),
+};
+static const mbedtls_ecp_point brainpoolP384r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP384r1_T_0_X, brainpoolP384r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_1_X, brainpoolP384r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_2_X, brainpoolP384r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_3_X, brainpoolP384r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_4_X, brainpoolP384r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_5_X, brainpoolP384r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_6_X, brainpoolP384r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_7_X, brainpoolP384r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_8_X, brainpoolP384r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_9_X, brainpoolP384r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_10_X, brainpoolP384r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_11_X, brainpoolP384r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_12_X, brainpoolP384r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_13_X, brainpoolP384r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_14_X, brainpoolP384r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_15_X, brainpoolP384r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_16_X, brainpoolP384r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_17_X, brainpoolP384r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_18_X, brainpoolP384r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_19_X, brainpoolP384r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_20_X, brainpoolP384r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_21_X, brainpoolP384r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_22_X, brainpoolP384r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_23_X, brainpoolP384r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_24_X, brainpoolP384r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_25_X, brainpoolP384r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_26_X, brainpoolP384r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_27_X, brainpoolP384r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_28_X, brainpoolP384r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_29_X, brainpoolP384r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_30_X, brainpoolP384r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP384r1_T_31_X, brainpoolP384r1_T_31_Y),
+};
+#else
+#define brainpoolP384r1_T NULL
+#endif
+
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
+ */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA),
+};
+
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+static const mbedtls_mpi_uint brainpoolP512r1_T_0_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_0_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_1_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xE9, 0x6B, 0x8C, 0x6F, 0x9D, 0x88, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x4F, 0x86, 0x96, 0xA7, 0x56, 0xD1, 0x37),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xAB, 0xFA, 0xEE, 0xA7, 0xF5, 0x0E, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x40, 0xEF, 0x9E, 0x6D, 0xD6, 0x32, 0x33),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xED, 0x56, 0x14, 0x57, 0x1A, 0x8D, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xED, 0x4D, 0x3A, 0xFA, 0x71, 0x75, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xC5, 0x76, 0x1C, 0x14, 0xBE, 0xB5, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x5A, 0xCB, 0xE7, 0x36, 0x1D, 0x52, 0x1C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_1_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8D, 0x7A, 0xEB, 0xA3, 0x8B, 0xD5, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0xA3, 0x41, 0xF8, 0xAC, 0x9E, 0xAB, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x12, 0xE3, 0x65, 0x0D, 0x1C, 0xFE, 0x09, 0x2B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0xCA, 0x13, 0x3F, 0xC5, 0xF9, 0x7E, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0x5D, 0x63, 0x28, 0xA6, 0x89, 0xD3, 0x91),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x95, 0x3F, 0x7A, 0x82, 0xD4, 0x77, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xBB, 0x92, 0x32, 0x00, 0xF4, 0x66, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x58, 0x31, 0xD1, 0x17, 0x9F, 0x2A, 0x22),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_2_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x36, 0xA9, 0xCD, 0x80, 0xA5, 0x2D, 0x78),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x91, 0x44, 0xAB, 0xCE, 0x71, 0xFF, 0x0C, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0x24, 0x58, 0x35, 0x5A, 0x21, 0x32, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1B, 0xA6, 0x28, 0xF8, 0x7A, 0x97, 0xAE, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xE7, 0x08, 0xFA, 0x47, 0xC9, 0x55, 0x09),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xAC, 0x2E, 0x84, 0xA4, 0xF5, 0x52, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x58, 0x05, 0x9D, 0xA7, 0xC8, 0x71, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x92, 0xB4, 0x92, 0xC1, 0x92, 0xEC, 0x6B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_2_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4A, 0x48, 0x2D, 0x79, 0x5E, 0x58, 0xE5, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x85, 0x26, 0xEC, 0xE9, 0x6E, 0xD4, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x68, 0x26, 0x87, 0x38, 0xA2, 0xD2, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0x17, 0x60, 0xCE, 0x75, 0xF8, 0xA5, 0x6F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0x51, 0xDB, 0xA9, 0xAE, 0x87, 0xF1, 0x15),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x49, 0x92, 0x3B, 0x19, 0x96, 0xF5, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0xD5, 0x52, 0x52, 0x8C, 0xCE, 0xFD, 0xFA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x18, 0x0A, 0xE6, 0xF6, 0xAE, 0x08, 0x41),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_3_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x2B, 0xD8, 0x54, 0xCE, 0xB0, 0x57, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xB0, 0xF8, 0x9E, 0x03, 0x03, 0x3C, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x0E, 0x29, 0x29, 0x00, 0xF3, 0x70, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0x33, 0x99, 0x0E, 0x00, 0x5D, 0xFE, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0x2D, 0xF2, 0x59, 0x32, 0xCF, 0x03, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0xC9, 0x72, 0xAE, 0x0C, 0xEF, 0xD1, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x5A, 0x27, 0xBF, 0x2F, 0x45, 0xF9, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD4, 0xBE, 0xE5, 0x2C, 0xFF, 0x5B, 0x1E, 0x88),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_3_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0xAC, 0xBB, 0xD8, 0x83, 0xC2, 0x46, 0xF6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xDC, 0xCE, 0x15, 0xB4, 0xEF, 0xCF, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xDB, 0x5E, 0x94, 0x31, 0x0B, 0xB2, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0xB9, 0xE3, 0xE3, 0x11, 0x71, 0x41, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xE3, 0x01, 0xB7, 0x7D, 0xBC, 0x65, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x07, 0x65, 0x87, 0xA7, 0xE8, 0x48, 0xE3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x48, 0x8F, 0xD4, 0x30, 0x8E, 0xB4, 0x6C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0xE0, 0x73, 0xBE, 0x1E, 0xBF, 0x56, 0x36),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_4_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFE, 0x0E, 0x5E, 0x87, 0xC5, 0xAB, 0x0E, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0xF9, 0x5F, 0x80, 0x24, 0x4C, 0x2A, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDE, 0x15, 0x21, 0x54, 0x92, 0x84, 0x8D, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA8, 0x8A, 0x47, 0x74, 0xDC, 0x42, 0xB1, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0xF7, 0x30, 0xFD, 0xC1, 0x9B, 0x0C, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x6C, 0xCC, 0xDF, 0xC5, 0xE3, 0xA9, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x67, 0x59, 0x10, 0x5C, 0x51, 0x54, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x37, 0xFB, 0x6E, 0xB0, 0x78, 0x63, 0x8E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_4_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0xEF, 0xC4, 0x39, 0x20, 0xF1, 0x46, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0x62, 0xAE, 0xFF, 0x10, 0xE4, 0xE2, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x5C, 0xF5, 0x2E, 0x22, 0x89, 0xE5, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0x0C, 0x29, 0xA8, 0x62, 0xAE, 0xDB, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x9E, 0x0F, 0xCA, 0x87, 0x2A, 0x6F, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCE, 0xDC, 0x9B, 0x9F, 0x65, 0xD4, 0xAD, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0xC3, 0x08, 0x0F, 0xCF, 0x67, 0xE9, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x5C, 0xD7, 0xFF, 0x41, 0x9C, 0xCB, 0x26),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_5_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x25, 0x05, 0x12, 0xAD, 0x73, 0x63, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x99, 0x07, 0x86, 0x57, 0xE7, 0x94, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x4B, 0xA5, 0xBF, 0x18, 0xA9, 0xEF, 0x6A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0x4C, 0xC4, 0x09, 0xF2, 0x2F, 0x0C, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x3A, 0x04, 0xEA, 0x89, 0x6C, 0x91, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x6C, 0x3A, 0xE7, 0xA3, 0xEC, 0x24, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xA1, 0x26, 0x21, 0x04, 0xE3, 0xB9, 0x40),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0x71, 0x4B, 0x7B, 0xC2, 0x89, 0xCD, 0xA2),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_5_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB7, 0xB9, 0xA8, 0x9D, 0xFD, 0x00, 0x3A, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x41, 0x6C, 0xBB, 0x5A, 0xCA, 0x1F, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0xD7, 0xE2, 0x6C, 0x6B, 0xA7, 0x48, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x19, 0xAD, 0xA7, 0xC1, 0x7E, 0x4F, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0xF7, 0x19, 0x3C, 0x06, 0x74, 0x2C, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x23, 0x4F, 0x0C, 0x09, 0xB0, 0x80, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4E, 0x74, 0x34, 0x08, 0x44, 0x7E, 0xA3, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xCC, 0x8D, 0x12, 0x6E, 0xE1, 0x3D, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_6_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x18, 0xB1, 0x71, 0x02, 0x93, 0xC2, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x89, 0x40, 0xE2, 0x1F, 0xE7, 0x5E, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x8E, 0xAE, 0x89, 0x01, 0xD4, 0x0C, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAE, 0xDA, 0x58, 0x70, 0x24, 0xF2, 0xE4, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0xC7, 0x1D, 0xD6, 0x4A, 0x6F, 0x66, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x1D, 0x7E, 0x4A, 0x2C, 0xCA, 0xEC, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA1, 0x06, 0x7F, 0xA8, 0x99, 0xE4, 0xD3, 0x4E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x1D, 0x5A, 0xDF, 0x5E, 0x58, 0x36, 0x49),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_6_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0xB9, 0x32, 0x69, 0x1F, 0x72, 0x2A, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0x73, 0xE2, 0x03, 0x39, 0x35, 0xAA, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x5E, 0x5D, 0x48, 0xEF, 0xAE, 0x30, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x7F, 0x60, 0x19, 0xAF, 0xEC, 0x9D, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCA, 0xD9, 0x19, 0xE4, 0x1B, 0x56, 0x15, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xD7, 0x33, 0x59, 0x1F, 0x43, 0x59, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xCE, 0xEE, 0xCA, 0xA4, 0x7F, 0x63, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBD, 0x40, 0xC0, 0xF6, 0x19, 0x89, 0x43, 0x20),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_7_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x92, 0xEA, 0x07, 0x65, 0x79, 0x86, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0xB7, 0x13, 0x75, 0xD3, 0xC5, 0x0A, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x9E, 0xFA, 0xE1, 0x1F, 0x0C, 0xF9, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x8C, 0xED, 0x5C, 0x21, 0xE9, 0x09, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0x4D, 0xD8, 0x18, 0xC4, 0xF6, 0x36, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xC9, 0xAC, 0x5C, 0xFA, 0x69, 0xA4, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0x8C, 0x94, 0x1C, 0x7B, 0x71, 0x36, 0x58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xBD, 0x46, 0xCE, 0xB7, 0x1D, 0x9C, 0x5E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_7_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xD6, 0x96, 0x4B, 0xA6, 0x47, 0xEB, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xF1, 0x5F, 0x15, 0xDE, 0x99, 0x6F, 0x66),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xBD, 0xE5, 0x04, 0xB8, 0xE6, 0xC0, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x49, 0xD3, 0xF0, 0x04, 0x00, 0xE4, 0x05, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xF3, 0x06, 0xA3, 0x1A, 0xFF, 0xEA, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x32, 0xAA, 0x99, 0x33, 0x09, 0xB6, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xEF, 0xFC, 0x61, 0x10, 0x42, 0x31, 0x94),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0xF1, 0xF4, 0x33, 0xCF, 0x28, 0x90, 0x9C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_8_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xDE, 0xF9, 0x88, 0x87, 0x7B, 0xEB, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0xB8, 0xDA, 0xFA, 0xDA, 0x3D, 0xA6, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF0, 0x62, 0x82, 0x53, 0x32, 0x55, 0x03),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xA5, 0x32, 0x4A, 0x19, 0x11, 0x9C, 0x10),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xB3, 0x27, 0xE9, 0x75, 0x90, 0x05, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x1C, 0x90, 0x48, 0x77, 0x01, 0x85, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD6, 0x9B, 0x84, 0xA8, 0xD7, 0xC5, 0x28),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x7A, 0xCB, 0xB3, 0x11, 0x46, 0xD7, 0x99),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_8_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0x23, 0xBF, 0x75, 0x75, 0xA1, 0x95, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4B, 0x66, 0x5D, 0x34, 0x13, 0xA9, 0x03, 0xBE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x80, 0x9D, 0x5F, 0xD2, 0x44, 0xE1, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x5D, 0xBD, 0xA8, 0xBF, 0xB4, 0x25, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x99, 0x1F, 0x53, 0xF1, 0x57, 0xDB, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x7C, 0xE5, 0xC5, 0x51, 0x0B, 0x4C, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6B, 0xB0, 0x1A, 0x9C, 0x16, 0xB0, 0x32, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xE3, 0xCF, 0xDD, 0x48, 0xB4, 0x7B, 0x33),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_9_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0xDD, 0x9E, 0x3C, 0x98, 0x0E, 0x77, 0x65),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0xAB, 0x01, 0xD3, 0x87, 0x74, 0x25, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xA3, 0xE3, 0x76, 0x43, 0x87, 0x12, 0xBD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x54, 0xB1, 0x3B, 0x60, 0x66, 0xEB, 0x98, 0x54),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x78, 0xC8, 0xD7, 0x4E, 0x75, 0xCA, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xDF, 0x71, 0x19, 0xE7, 0x07, 0x36, 0xB5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0xC9, 0xA8, 0x5F, 0x91, 0xBF, 0x47, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x96, 0x58, 0x96, 0x18, 0xB6, 0xFA, 0x01),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_9_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x2D, 0xA9, 0x9B, 0x86, 0xDB, 0x0C, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x0B, 0x2D, 0x56, 0x4A, 0xD3, 0x93, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x15, 0xE2, 0x65, 0x12, 0x86, 0x0E, 0xB2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x41, 0x4D, 0xC1, 0xCB, 0xE4, 0xC3, 0xD7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x53, 0x10, 0xCA, 0xA3, 0xAC, 0x83, 0x26),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x01, 0x22, 0x96, 0x10, 0xAD, 0x69, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x42, 0x46, 0x4E, 0xD8, 0xEA, 0xD6, 0x9D, 0xF3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x2F, 0x7F, 0x62, 0x62, 0x80, 0xD0, 0x14),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_10_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xDA, 0x00, 0x63, 0x09, 0xBD, 0x6A, 0x83),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0F, 0xD4, 0x6E, 0x48, 0x05, 0xB7, 0xF7, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0x4D, 0xD7, 0x00, 0x4A, 0x15, 0x27, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x15, 0xAA, 0x37, 0x27, 0x34, 0x18, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x20, 0x2C, 0x84, 0x1B, 0x88, 0xBA, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x09, 0xD6, 0x04, 0xA2, 0x60, 0x84, 0x72),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0x04, 0x94, 0x08, 0xD4, 0xED, 0x47, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xF3, 0xE4, 0x3E, 0xB9, 0x5B, 0x35, 0x42),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_10_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5F, 0xD8, 0xB6, 0x80, 0xD6, 0xF1, 0x30, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x14, 0xA6, 0x85, 0xEE, 0xA7, 0xD8, 0x61),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x49, 0x2A, 0x1E, 0x7C, 0xE9, 0x2D, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3A, 0x87, 0x56, 0x91, 0x03, 0x77, 0x4D, 0x55),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0x52, 0xD4, 0xAA, 0xF7, 0xFA, 0xB0, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x5D, 0x11, 0x39, 0xB1, 0xE7, 0x76, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x13, 0xBC, 0x37, 0x5D, 0x74, 0xCD, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x48, 0x14, 0x23, 0x30, 0xF8, 0x46, 0x37),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_11_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x27, 0xB0, 0xD9, 0xB2, 0x74, 0xB4, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEA, 0xA6, 0xB9, 0x6F, 0x9F, 0x64, 0x36, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2E, 0x2B, 0x78, 0x40, 0x05, 0x2B, 0x7B, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x68, 0x3A, 0xB6, 0x4A, 0xE2, 0xDB, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1E, 0x33, 0xD7, 0x34, 0x8B, 0x25, 0x45, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xCE, 0xA8, 0xC9, 0x01, 0xFB, 0x0E, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF9, 0x51, 0x4C, 0x12, 0x9F, 0x60, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0x85, 0xBD, 0x30, 0x37, 0x84, 0x39, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_11_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x26, 0x33, 0xAF, 0x2E, 0xB8, 0x2E, 0xCC, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0xB1, 0x73, 0x59, 0x4E, 0x0C, 0x09, 0x4A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0x24, 0x89, 0x81, 0x12, 0xFF, 0xBB, 0x6E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x71, 0x37, 0x1A, 0x66, 0xEE, 0xED, 0xB6, 0x9B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0xBD, 0x04, 0x20, 0x5D, 0xFB, 0xBF, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0xF8, 0x34, 0xA3, 0xFF, 0x45, 0xDE, 0x92),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x18, 0x73, 0xF1, 0x32, 0x25, 0x58, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0xC1, 0x14, 0xE3, 0x9E, 0x40, 0x0F, 0x12),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_12_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x07, 0x9D, 0x9C, 0x00, 0xF7, 0x56, 0x19),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0xBA, 0x87, 0xF9, 0x15, 0x0C, 0x66, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0x1F, 0xC1, 0x28, 0xB0, 0x47, 0x0D, 0xF5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0xCA, 0x27, 0xEE, 0x4B, 0x23, 0x2B, 0x89),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7E, 0xB5, 0x68, 0xC8, 0x17, 0x5D, 0xC3, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0x02, 0x08, 0xEE, 0x20, 0x9D, 0xEA, 0x64),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x14, 0x50, 0xD4, 0x7D, 0x5F, 0xCF, 0xA0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0xFA, 0xF8, 0xA7, 0xC6, 0xDC, 0x14, 0x8C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_12_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x76, 0xBD, 0x0A, 0x1A, 0x18, 0x98, 0xDC, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x63, 0x63, 0x02, 0xB7, 0xD5, 0x5B, 0x5A, 0xC6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0xB1, 0xD7, 0x4B, 0x15, 0x39, 0x61, 0x5D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0x32, 0xE1, 0x9E, 0x70, 0x1B, 0xCE, 0x51),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x64, 0xD8, 0x18, 0x83, 0x52, 0x9B, 0x6D, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x55, 0x56, 0x19, 0x34, 0xA4, 0xEA, 0xFC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0xA9, 0x55, 0x80, 0xE3, 0x15, 0x36, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0x06, 0xC8, 0x1D, 0x17, 0x0D, 0xAD, 0x16),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_13_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xD6, 0xF0, 0xCC, 0xF3, 0x63, 0x53, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x5A, 0xDC, 0x46, 0xBD, 0x0D, 0xAD, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0x2F, 0x11, 0x60, 0x15, 0x51, 0x4A, 0xEA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xE3, 0x93, 0x38, 0xD5, 0x83, 0xAA, 0x0D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x90, 0xA6, 0xCC, 0xB1, 0xFD, 0xBB, 0x1A, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3B, 0x54, 0xC8, 0x54, 0x6F, 0x79, 0x1A, 0x59),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4A, 0xDA, 0x28, 0x92, 0x97, 0x9D, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD6, 0x4B, 0xDB, 0xC7, 0x52, 0xC5, 0x66, 0x34),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_13_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7E, 0x92, 0x53, 0x30, 0x93, 0xFD, 0xFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0x6A, 0xB1, 0x91, 0x0A, 0xB4, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6D, 0x9D, 0x40, 0x3F, 0xE3, 0xF1, 0x01, 0x46),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x0E, 0xD8, 0xED, 0x11, 0x8E, 0x4C, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x86, 0x4A, 0x1B, 0x88, 0xDF, 0x8D, 0x29, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x23, 0x21, 0x11, 0xAB, 0x77, 0x81, 0x62),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0B, 0xAF, 0x11, 0xFA, 0xBA, 0x40, 0x63, 0xE7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x6F, 0x8D, 0x80, 0xDF, 0x67, 0xF5, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_14_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0x8B, 0xB7, 0x08, 0xF4, 0xD7, 0x2D, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x2B, 0x30, 0x02, 0x45, 0x71, 0x08, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x97, 0x3A, 0xCA, 0x50, 0xF6, 0xC2, 0x19, 0x8C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xB9, 0x9B, 0x3E, 0x73, 0x95, 0x1D, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x60, 0x59, 0x48, 0xCB, 0xD8, 0xD6, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0xB9, 0x6C, 0x89, 0xAB, 0x99, 0xA8, 0xF8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0xA1, 0x8B, 0x4E, 0x06, 0x19, 0xEC, 0x99),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x95, 0x04, 0xCF, 0xD5, 0x94, 0xB3, 0x02),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_14_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x29, 0x35, 0x93, 0x7C, 0xB3, 0xB8, 0x9E, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC4, 0x45, 0x5C, 0x7E, 0xBF, 0x75, 0x81, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xE8, 0x24, 0xDF, 0xEC, 0x2F, 0x7D, 0xB9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF2, 0x8B, 0xD5, 0x6A, 0x9B, 0xA0, 0xE0, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0xE3, 0x27, 0x82, 0xDE, 0xDD, 0xCA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x57, 0x56, 0x46, 0x05, 0x06, 0x01, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x74, 0x35, 0xA7, 0x47, 0xE2, 0x6B, 0x2C, 0x4F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x9D, 0x4C, 0xEC, 0x1F, 0x11, 0x75, 0x2B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_15_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0xAA, 0x41, 0xC1, 0xE9, 0x0E, 0xE9, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xCF, 0x9C, 0x4B, 0xE8, 0xED, 0x0A, 0x49),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0x73, 0xCA, 0x0C, 0x46, 0x0A, 0x9C, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE1, 0x9E, 0xBC, 0xFE, 0x44, 0x63, 0x6D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x31, 0x43, 0x71, 0xEE, 0xF8, 0xC1, 0x8C, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6A, 0x4B, 0xF0, 0x69, 0x25, 0xBD, 0x71, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFD, 0x9A, 0xFE, 0x82, 0xE7, 0xC1, 0xC1, 0xEE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFC, 0x5A, 0x6E, 0x5E, 0x97, 0x6A, 0x35, 0x8D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_15_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA2, 0x18, 0x6C, 0x7E, 0xB8, 0x9E, 0x57, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x35, 0xB9, 0xC1, 0xD0, 0xFE, 0x78, 0xFB, 0x32),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x08, 0xAE, 0x46, 0x34, 0xEA, 0x7A, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x1C, 0x56, 0xA9, 0x18, 0x37, 0xD4, 0x9E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x28, 0x63, 0xE9, 0x0A, 0xB6, 0x38, 0x3C, 0xC1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3E, 0x4F, 0xA4, 0x6E, 0x85, 0x31, 0x23, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0D, 0xAD, 0xC4, 0xC3, 0xB1, 0x4B, 0x1C, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x56, 0x4A, 0x38, 0xB3, 0x6B, 0x6F, 0x2C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_16_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x67, 0xC7, 0x19, 0xDE, 0x21, 0xED, 0x89, 0xD0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2F, 0xBE, 0xA6, 0xAE, 0xEB, 0x9D, 0xA7, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x0E, 0x13, 0x1E, 0x86, 0x57, 0xC3, 0x3B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x4B, 0x30, 0x46, 0x52, 0xC1, 0xEC, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6E, 0xD5, 0x44, 0x31, 0x96, 0x3B, 0x26, 0x27),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x68, 0xA8, 0x67, 0x78, 0x39, 0xE8, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0x78, 0xB7, 0xDD, 0xF2, 0x58, 0xB6, 0x3D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x81, 0x3C, 0xB3, 0x26, 0xC4, 0x2C, 0x8C, 0xA5),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_16_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB9, 0x24, 0xE5, 0x73, 0xEE, 0x9A, 0x02, 0xA9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0x6A, 0x65, 0x60, 0xF3, 0x62, 0xE3, 0xE9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFB, 0x07, 0x84, 0xE6, 0x3B, 0x46, 0x65, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0x8F, 0x0C, 0xB0, 0xE1, 0x04, 0x82, 0x9D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEB, 0x13, 0xBF, 0x3D, 0xA0, 0x48, 0xA2, 0x74),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0x26, 0x76, 0x74, 0xAB, 0x0B, 0x29, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x30, 0x6E, 0x5F, 0x03, 0x34, 0x7C, 0x38, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x72, 0xF9, 0x3B, 0x3C, 0xA4, 0xBC, 0x7C),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_17_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5C, 0xCE, 0x18, 0x80, 0xB8, 0x24, 0x45, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x09, 0x03, 0xB8, 0x06, 0x64, 0xF7, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF1, 0x26, 0xB1, 0x10, 0x6D, 0x71, 0x12, 0x2E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x12, 0xC6, 0x6E, 0x1E, 0x6A, 0xC3, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE5, 0xD3, 0x0A, 0xDE, 0xD8, 0x6B, 0x04, 0x5C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x87, 0x5B, 0xAE, 0xDB, 0x3C, 0xC0, 0xC5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8E, 0xF5, 0xF9, 0xC1, 0x9A, 0x89, 0xBB, 0x7E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0x69, 0x72, 0x8B, 0xAE, 0x32, 0x13, 0x11),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_17_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x16, 0x07, 0x50, 0xFA, 0x4C, 0xCF, 0xE8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x50, 0x21, 0xE9, 0xDE, 0xEC, 0x7E, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x2F, 0xE8, 0x83, 0x30, 0x0B, 0x65, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x0B, 0x99, 0xAC, 0xC9, 0xBA, 0x6C, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x59, 0x5A, 0x0D, 0x7B, 0x9E, 0x08, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x34, 0x91, 0xB2, 0xDC, 0x90, 0xCE, 0x67, 0xED),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x93, 0x60, 0x0C, 0xD7, 0x1F, 0x2F, 0x17),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x19, 0x7F, 0x9D, 0x40, 0xF8, 0x78, 0x7A, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_18_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x13, 0x22, 0x95, 0xE8, 0xEF, 0x31, 0x57, 0x35),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x88, 0x53, 0xFE, 0xAF, 0x7C, 0x47, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xCE, 0xCC, 0x79, 0xE8, 0x9F, 0x8C, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDB, 0x16, 0xDD, 0x77, 0x6E, 0x8A, 0x73, 0x97),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x07, 0x97, 0x21, 0x3B, 0xF8, 0x5F, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC6, 0xB5, 0xD2, 0x81, 0x84, 0xF0, 0xE7, 0x9F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCB, 0x8F, 0x75, 0x09, 0x6A, 0x0E, 0x53, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x4F, 0x70, 0x97, 0xC7, 0xAC, 0x7D, 0x3F),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_18_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF9, 0x3C, 0x6A, 0xB4, 0x10, 0xA9, 0xC8, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xC5, 0xD6, 0x69, 0x16, 0xB8, 0xAC, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x44, 0xDC, 0xEB, 0x48, 0x54, 0x5D, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6F, 0x48, 0x9B, 0xD7, 0x72, 0x69, 0xA4, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x0D, 0x36, 0x9A, 0x66, 0x0B, 0xEC, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0xC6, 0xD4, 0xB6, 0x60, 0xE5, 0xC3, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBA, 0x29, 0x42, 0xE0, 0x9D, 0xFD, 0x7C, 0x3E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x10, 0xBA, 0x55, 0xBC, 0x3B, 0x38, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_19_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x25, 0x66, 0xFA, 0x05, 0x73, 0x03, 0x1B, 0x69),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x11, 0xA4, 0x66, 0x12, 0x96, 0x7B, 0x02, 0x4C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x44, 0xB5, 0xDE, 0x6D, 0x98, 0xD1, 0xD5, 0xA8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE2, 0xF5, 0x44, 0xB8, 0x8E, 0xF6, 0x8C, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x15, 0x2B, 0x72, 0xBC, 0x49, 0xE5, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x6C, 0x44, 0xD7, 0xDF, 0x8F, 0xEB, 0x8D, 0x80),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x64, 0x88, 0xAA, 0xB7, 0xE4, 0x70, 0x1D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9C, 0x14, 0xBB, 0xE9, 0x9B, 0xB9, 0x65, 0x5D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_19_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x66, 0x8E, 0x88, 0xF5, 0xF1, 0xC1, 0x89, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x16, 0x30, 0x53, 0xE6, 0xFB, 0x2D, 0x82, 0xB4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0xE4, 0xFF, 0xBA, 0x31, 0x79, 0xAB, 0xC2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x45, 0x09, 0xF7, 0xB7, 0x09, 0x78, 0x4C, 0x90),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xAE, 0xC2, 0x44, 0xDC, 0x17, 0x78, 0x47),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xD4, 0x17, 0x43, 0x19, 0x74, 0x9E, 0x23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x64, 0x3B, 0x73, 0xA2, 0x99, 0x27, 0x76),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x74, 0x36, 0x5F, 0xD3, 0x14, 0xB1, 0x31),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_20_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAC, 0x07, 0xAB, 0xFD, 0x9B, 0x03, 0xC5, 0xD5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0xBE, 0xB0, 0x1D, 0xF2, 0x0C, 0x73, 0x73),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xE7, 0x7B, 0x87, 0xD3, 0x34, 0xFD, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9A, 0x25, 0x3D, 0xC7, 0x36, 0x83, 0x53, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x7C, 0xCF, 0x63, 0x55, 0x12, 0x11, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC0, 0x34, 0x4D, 0x27, 0x92, 0xAC, 0x18, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x42, 0x61, 0x9D, 0x2E, 0xFF, 0x13, 0x16),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF4, 0xDE, 0x92, 0x65, 0x57, 0x0D, 0xBC, 0x0A),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_20_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEF, 0x7B, 0x6E, 0xC6, 0x2A, 0x21, 0x74, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0xA7, 0x53, 0x4D, 0x29, 0x36, 0xEF, 0xE5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE1, 0xD6, 0x41, 0xC7, 0x99, 0xAD, 0x50, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x99, 0xAC, 0x41, 0x9F, 0xFB, 0x4C, 0x86, 0xF1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xBB, 0xE6, 0x25, 0x28, 0xAA, 0xEB, 0x1E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x92, 0x04, 0xA2, 0xC3, 0xAA, 0x08, 0x8A, 0xCC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x2B, 0x5B, 0xE2, 0x8D, 0x76, 0xEA, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB3, 0x33, 0xD2, 0x21, 0x4D, 0x62, 0xE3, 0x8E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_21_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0x06, 0x8B, 0x2B, 0xC2, 0xC4, 0xB1, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFA, 0xF5, 0xA1, 0xC0, 0x03, 0x6A, 0x29, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF5, 0xA9, 0xEF, 0x55, 0xB6, 0x1A, 0x9F, 0x6B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9B, 0x54, 0x32, 0xBE, 0x06, 0x43, 0xB5, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF7, 0xD6, 0xD9, 0x20, 0x89, 0xBE, 0xD4, 0x1B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0x26, 0x95, 0x10, 0xCE, 0xB4, 0x88, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0xA6, 0x27, 0xAC, 0x32, 0xBA, 0xBD, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0xA6, 0xAE, 0x9C, 0x7B, 0xBE, 0xA1, 0x63),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_21_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8B, 0xCD, 0x4D, 0x3D, 0xDF, 0x96, 0xBB, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0xA7, 0x11, 0x06, 0xCC, 0x0E, 0x31, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x20, 0xE4, 0xF4, 0xAD, 0x7B, 0x5F, 0xF1, 0xEF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE4, 0x54, 0xBE, 0xF4, 0x8A, 0x03, 0x47, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0x53, 0x00, 0x7F, 0xB0, 0x8A, 0x68, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x16, 0xB1, 0x73, 0x6F, 0x5B, 0x0E, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x32, 0xE3, 0x43, 0x64, 0x75, 0xFB, 0xFB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x18, 0x55, 0x8A, 0x4E, 0x6E, 0x35, 0x54),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_22_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x80, 0x97, 0x15, 0x1E, 0xCB, 0xF2, 0x9C, 0xA5),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0xD1, 0xBB, 0xF3, 0x70, 0xAD, 0x13, 0xAD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0x96, 0xA4, 0xC5, 0x5E, 0xDA, 0xD5, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x81, 0xE9, 0x65, 0x66, 0x76, 0x47, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x35, 0x87, 0x06, 0x73, 0xCF, 0x34, 0xD2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x81, 0x15, 0x42, 0xA2, 0x79, 0x5B, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x08, 0xA2, 0x7D, 0x09, 0x14, 0x64, 0xC6, 0xAE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0x6D, 0xC4, 0xED, 0xF1, 0xD6, 0xE9, 0x24),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_22_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB4, 0xD5, 0xBB, 0x25, 0xA3, 0xDD, 0xA3, 0x88),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xF2, 0x68, 0x67, 0x39, 0x8F, 0x73, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x76, 0x28, 0x89, 0xAD, 0x32, 0xE0, 0xDF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0x90, 0xCC, 0x57, 0x58, 0xAA, 0xC9, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD7, 0x43, 0xD2, 0xCE, 0x5E, 0xA0, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x33, 0xB0, 0xB8, 0xA4, 0x9E, 0x96, 0x26, 0x86),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x94, 0x61, 0x1D, 0xF3, 0x65, 0x5E, 0x60, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC7, 0x1E, 0x65, 0xED, 0xCF, 0x07, 0x60, 0x20),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_23_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x30, 0x17, 0x8A, 0x91, 0x88, 0x0A, 0xA4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x05, 0x7D, 0x18, 0xA4, 0xAC, 0x59, 0xFC, 0x5F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x31, 0x8B, 0x25, 0x65, 0x39, 0x9A, 0xDC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x15, 0x16, 0x4B, 0x68, 0xBA, 0x59, 0x13, 0x2F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8D, 0xFD, 0xD3, 0xC5, 0x56, 0xC9, 0x8C, 0x5E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBC, 0xC6, 0x9F, 0xF4, 0xE6, 0xF7, 0xB4, 0x01),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2D, 0x7C, 0x03, 0x00, 0x26, 0x9F, 0xD8, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x1D, 0x6E, 0x00, 0xB9, 0x00, 0x6E, 0x93),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_23_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x63, 0xDA, 0x03, 0x2B, 0xD5, 0x0B, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x46, 0xFC, 0xE2, 0xC8, 0x47, 0xF0, 0xAE, 0xF2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x51, 0x4C, 0xF7, 0x50, 0x0C, 0x48, 0x06, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDF, 0x2B, 0x32, 0x98, 0x0E, 0x7E, 0x61, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x02, 0x27, 0xFE, 0x75, 0x86, 0xDF, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2B, 0x30, 0xB1, 0x22, 0x32, 0x1B, 0xFE, 0x24),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC2, 0x27, 0xF7, 0x78, 0x6F, 0xD7, 0xFD, 0xE4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA0, 0x78, 0xCC, 0xEA, 0xC0, 0x50, 0x24, 0x44),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_24_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x2B, 0x4F, 0x7F, 0x58, 0xE6, 0xC2, 0x70),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x43, 0xD5, 0xA7, 0x35, 0x3C, 0x80, 0xB8),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1A, 0x6D, 0x4B, 0x12, 0x00, 0x7B, 0xE6, 0xA6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x15, 0xBD, 0xD0, 0x9B, 0xCA, 0xAA, 0x81),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xCF, 0xCE, 0x9C, 0xE3, 0x8B, 0x60, 0x7A, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0xDA, 0x4B, 0x03, 0xA7, 0x8D, 0x43, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0xAF, 0x00, 0x2B, 0x32, 0xF0, 0x22, 0x68),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDC, 0xD9, 0x99, 0x99, 0xBE, 0x43, 0x99, 0x3E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_24_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1F, 0x71, 0x41, 0xF4, 0xB5, 0xFD, 0xDD, 0x36),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9D, 0xE2, 0x20, 0x4C, 0xD1, 0x2E, 0x1F, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x96, 0x43, 0x48, 0x76, 0x8A, 0x49, 0xAC, 0x87),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0C, 0x1A, 0x55, 0xA8, 0xA3, 0xD4, 0x57, 0x75),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0xA6, 0x84, 0x39, 0xC9, 0x13, 0xBB, 0x60),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD9, 0xFA, 0xA9, 0x70, 0xDE, 0x83, 0xDD, 0xC9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEC, 0xC9, 0xD9, 0x3E, 0x44, 0x91, 0x68, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB6, 0x9F, 0x85, 0x6D, 0xF7, 0x54, 0x36, 0x82),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_25_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x68, 0x6B, 0xA6, 0xA3, 0xE5, 0xD4, 0x46, 0xDB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x3E, 0xDC, 0x84, 0x7C, 0x7B, 0x24, 0x34),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x14, 0xED, 0x7F, 0x86, 0x07, 0x6C, 0x57, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x95, 0x06, 0xFE, 0x52, 0x12, 0x79, 0x69, 0x56),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x84, 0xD1, 0x44, 0x5F, 0x21, 0x3A, 0xC3, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5E, 0xD9, 0x4A, 0xC0, 0x75, 0xAB, 0x17, 0xAC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xFF, 0x81, 0x94, 0xB6, 0x80, 0x6B, 0x6F, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xBE, 0x8E, 0xA5, 0xAA, 0xBC, 0x1E, 0x3E),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_25_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x89, 0xC7, 0x85, 0xA6, 0x59, 0x9B, 0xB1, 0x52),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xCE, 0x40, 0xD1, 0xFB, 0xDF, 0x94, 0xF7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x18, 0xB8, 0x5E, 0xBF, 0x45, 0xA8, 0x2D, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x98, 0x9C, 0x06, 0x1B, 0xA9, 0x57, 0xB9, 0x79),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x53, 0xE9, 0xCE, 0xA2, 0xD3, 0x74, 0xA1, 0x3C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAA, 0x5F, 0x34, 0x78, 0xDB, 0xAE, 0x3A, 0x14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7D, 0x32, 0x84, 0x3E, 0x68, 0x6A, 0x43, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0xBC, 0x39, 0x36, 0xA4, 0xC5, 0xBB, 0x11),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_26_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8C, 0x07, 0xA2, 0xB5, 0xC9, 0x0F, 0x4D, 0x0F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0x1D, 0x67, 0xE6, 0xF1, 0x46, 0xEB, 0x71),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD7, 0x41, 0x23, 0x95, 0xE7, 0xE0, 0x10, 0xDD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x69, 0xFE, 0x68, 0x8C, 0xC6, 0x5F, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE3, 0xB9, 0x2B, 0x3D, 0xD2, 0x4F, 0xD8, 0x1A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA3, 0x09, 0xF5, 0x5F, 0xCF, 0xF6, 0x91, 0x57),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x65, 0x15, 0x42, 0x6B, 0x6D, 0xB5, 0xF3, 0xB6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBF, 0x56, 0x9D, 0xC5, 0xFF, 0xCA, 0x13, 0x9B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_26_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x4D, 0x38, 0xE6, 0x23, 0x63, 0x48, 0x3C, 0xCA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD2, 0x68, 0x3C, 0xD1, 0x3B, 0xE9, 0x3B, 0x82),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB5, 0x08, 0x54, 0x49, 0xD1, 0x46, 0x45, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x70, 0x52, 0x6E, 0x79, 0xC4, 0x5E, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0xDF, 0xE8, 0x5A, 0x32, 0x81, 0xDA, 0xD3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3C, 0x2D, 0x94, 0x5B, 0xB5, 0x35, 0x9F, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2A, 0x12, 0x8D, 0xC3, 0x36, 0x36, 0xB2, 0x2A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x39, 0x2F, 0x22, 0x38, 0x5B, 0x18, 0x4C, 0x35),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_27_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0xC1, 0x22, 0x0E, 0xF0, 0x73, 0x11, 0x05),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB2, 0xAE, 0xA4, 0x56, 0x18, 0x61, 0x66, 0x12),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x79, 0xFB, 0x72, 0x08, 0x84, 0x38, 0x51, 0xB0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDA, 0x86, 0xA8, 0xB9, 0x31, 0x99, 0x29, 0xC3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x8A, 0xFB, 0xC3, 0x42, 0xB3, 0xC7, 0x6F, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD8, 0xF8, 0xE1, 0x09, 0xBE, 0x75, 0xB0, 0x22),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5A, 0x7D, 0xFF, 0xF4, 0x99, 0xFC, 0x13, 0xAB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE6, 0x1B, 0x84, 0x81, 0x42, 0x22, 0xC6, 0x3D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_27_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x21, 0xE0, 0x37, 0xA4, 0xA0, 0x2F, 0x38, 0x7F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x3D, 0xB7, 0x40, 0x2F, 0x39, 0x3C, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7A, 0x3B, 0x8A, 0x51, 0xAE, 0x40, 0x49, 0x7A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x36, 0x20, 0x9F, 0xDD, 0xA9, 0xD0, 0x77, 0xC7),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x78, 0x1D, 0x64, 0xDA, 0xA0, 0x53, 0xC7, 0x7D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x37, 0x7B, 0x66, 0x55, 0x94, 0xD1, 0x51, 0x44),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0E, 0xA9, 0xB5, 0x5B, 0x38, 0x35, 0x40, 0xC0),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC8, 0xC9, 0x0F, 0xF0, 0x73, 0x79, 0x43, 0x61),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_28_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x47, 0x45, 0x69, 0x80, 0x72, 0x72, 0x42),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x11, 0x99, 0x59, 0xDB, 0x48, 0x80, 0x39),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x75, 0x6E, 0x3D, 0xFC, 0x37, 0x15, 0xF4, 0xBF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x17, 0xBB, 0x5B, 0xA6, 0x35, 0x8D, 0x28, 0x20),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0x1A, 0x3B, 0x2C, 0x8F, 0xD3, 0xAA, 0x2D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x55, 0x1C, 0x1A, 0xF8, 0x02, 0xD9, 0x7B, 0x41),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAF, 0x69, 0xAC, 0xF8, 0x54, 0x31, 0x14, 0xA1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x8A, 0xE6, 0xDE, 0x58, 0xB9, 0xC4, 0x7A),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_28_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x57, 0x83, 0x52, 0xFE, 0xF9, 0x7B, 0xE9, 0x1F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0xA2, 0x55, 0x46, 0x15, 0x49, 0xC1, 0x3A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xBC, 0x5C, 0x91, 0xBD, 0xB9, 0x9C, 0xF4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBB, 0xFD, 0xB1, 0x4E, 0x5F, 0x74, 0xEE, 0x53),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xB1, 0x8B, 0xD8, 0x8B, 0x17, 0x73, 0x1B, 0x96),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x22, 0x92, 0xD7, 0x67, 0x06, 0xAD, 0x25, 0xCD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x01, 0x0F, 0x80, 0x24, 0xE2, 0x27, 0x5F, 0x8B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x61, 0x1C, 0xCE, 0xD0, 0x67, 0xCA, 0xD4, 0x0B),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_29_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x87, 0xF1, 0xDD, 0x33, 0x66, 0xF9, 0x05, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1D, 0xE5, 0x6B, 0x79, 0xBD, 0x48, 0x42, 0xAA),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x14, 0x52, 0xE3, 0x53, 0xB4, 0x50, 0xD4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x32, 0x84, 0x6C, 0xCF, 0xDA, 0xB2, 0x20, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0xD6, 0x1A, 0xE5, 0xE2, 0x29, 0x70, 0xCE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x61, 0xFE, 0xBB, 0x21, 0x82, 0xD1, 0xFE),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x2C, 0xF0, 0x9C, 0x8B, 0x1A, 0x42, 0x30, 0x06),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0xD6, 0x49, 0x81, 0x92, 0xF1, 0xD0, 0x90),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_29_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x91, 0x93, 0x6A, 0xA6, 0x22, 0xE9, 0xD6),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x09, 0xDC, 0xC3, 0x69, 0x11, 0x95, 0x7D, 0xEC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x1C, 0xA3, 0x9D, 0x87, 0x5E, 0x64, 0x41, 0xA2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xBE, 0x87, 0x5A, 0x15, 0xBD, 0x6E, 0x3C, 0x8D),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD0, 0x8D, 0x50, 0xCC, 0xCF, 0xB7, 0x8F, 0x0B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x38, 0x65, 0xCD, 0x31, 0x30, 0xF1, 0x68, 0x13),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x10, 0x5C, 0x66, 0x67, 0x92, 0x30, 0x57, 0x95),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x23, 0x9B, 0x01, 0x3D, 0x20, 0x8B, 0xD1, 0x0D),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_30_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAB, 0xC0, 0xE6, 0x4F, 0xDE, 0x62, 0xAB, 0xB3),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA4, 0x48, 0xB3, 0x1C, 0x0F, 0x16, 0x93, 0x45),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x77, 0x63, 0xBD, 0x1F, 0x16, 0x50, 0x56, 0x98),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x5D, 0x06, 0xBC, 0xE9, 0x27, 0x1C, 0x9A, 0x7B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF8, 0xFE, 0x21, 0xC5, 0x39, 0x55, 0xE1, 0xFD),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF6, 0xA8, 0xD0, 0x96, 0x0E, 0xB5, 0xB2, 0x84),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3D, 0xE7, 0x4B, 0xF3, 0x11, 0x0C, 0xC9, 0x5B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x43, 0x3A, 0xC4, 0x87, 0x71, 0xEE, 0xFA, 0x18),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_30_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA7, 0x77, 0xEE, 0x81, 0x5E, 0x96, 0xEA, 0x4B),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xEE, 0xDF, 0xA9, 0xF4, 0x4F, 0x7C, 0xB2, 0x43),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x9F, 0xD4, 0xDF, 0x35, 0x63, 0x47, 0x25, 0x8A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xA5, 0x3D, 0xFF, 0xA4, 0x02, 0xC3, 0x95, 0x11),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD5, 0x10, 0x78, 0xD1, 0x2B, 0xB7, 0xBE, 0x0E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x0A, 0xE9, 0x57, 0xF9, 0xE0, 0xD8, 0xFC, 0xBC),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF3, 0xC4, 0x01, 0xD6, 0xB4, 0xE7, 0x78, 0xE2),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x02, 0x6C, 0xB9, 0x13, 0xA4, 0xE8, 0x6D, 0x6F),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_31_X[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE8, 0xB0, 0xC9, 0xCD, 0xBF, 0xA2, 0x1E, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xDD, 0x4F, 0x86, 0x22, 0x9B, 0xEA, 0xE8, 0xBB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x50, 0x46, 0xDF, 0x43, 0xB9, 0x82, 0x2D, 0x0A),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x07, 0x32, 0xF1, 0x4E, 0x95, 0x41, 0xAE, 0x8E),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x52, 0x93, 0x26, 0xFC, 0xD3, 0x90, 0xDC, 0xEB),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x04, 0x05, 0x45, 0xCA, 0xF9, 0x5A, 0x89, 0x93),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC5, 0x82, 0x63, 0x4E, 0x55, 0x1D, 0x3A, 0x08),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x7C, 0x69, 0x52, 0x49, 0xE9, 0xED, 0x57, 0x34),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_T_31_Y[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x70, 0x64, 0xE9, 0xAC, 0x4C, 0x4A, 0xEA, 0x25),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xE9, 0xE9, 0x0B, 0x99, 0xE7, 0xF9, 0xA9, 0x2C),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x24, 0x0C, 0xC1, 0xF4, 0x8D, 0x07, 0xB6, 0xB1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xAD, 0x68, 0xFA, 0x35, 0xE4, 0x9E, 0xAE, 0xD9),
+ MBEDTLS_BYTES_TO_T_UINT_8(0xF0, 0x2D, 0x1A, 0x13, 0x8E, 0x02, 0xE2, 0x63),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x27, 0x38, 0x28, 0x86, 0x46, 0x7B, 0x3A, 0xE1),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x3F, 0x4C, 0x64, 0x59, 0x0A, 0xF9, 0x02, 0xC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x41, 0x4F, 0x23, 0xA2, 0xC3, 0xD5, 0xEF, 0x42),
+};
+static const mbedtls_ecp_point brainpoolP512r1_T[32] = {
+ ECP_POINT_INIT_XY_Z1(brainpoolP512r1_T_0_X, brainpoolP512r1_T_0_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_1_X, brainpoolP512r1_T_1_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_2_X, brainpoolP512r1_T_2_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_3_X, brainpoolP512r1_T_3_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_4_X, brainpoolP512r1_T_4_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_5_X, brainpoolP512r1_T_5_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_6_X, brainpoolP512r1_T_6_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_7_X, brainpoolP512r1_T_7_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_8_X, brainpoolP512r1_T_8_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_9_X, brainpoolP512r1_T_9_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_10_X, brainpoolP512r1_T_10_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_11_X, brainpoolP512r1_T_11_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_12_X, brainpoolP512r1_T_12_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_13_X, brainpoolP512r1_T_13_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_14_X, brainpoolP512r1_T_14_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_15_X, brainpoolP512r1_T_15_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_16_X, brainpoolP512r1_T_16_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_17_X, brainpoolP512r1_T_17_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_18_X, brainpoolP512r1_T_18_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_19_X, brainpoolP512r1_T_19_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_20_X, brainpoolP512r1_T_20_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_21_X, brainpoolP512r1_T_21_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_22_X, brainpoolP512r1_T_22_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_23_X, brainpoolP512r1_T_23_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_24_X, brainpoolP512r1_T_24_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_25_X, brainpoolP512r1_T_25_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_26_X, brainpoolP512r1_T_26_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_27_X, brainpoolP512r1_T_27_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_28_X, brainpoolP512r1_T_28_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_29_X, brainpoolP512r1_T_29_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_30_X, brainpoolP512r1_T_30_Y),
+ ECP_POINT_INIT_XY_Z0(brainpoolP512r1_T_31_X, brainpoolP512r1_T_31_Y),
+};
+#else
+#define brainpoolP512r1_T NULL
+#endif
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+
+#if defined(ECP_LOAD_GROUP) || defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/*
+ * Create an MPI from embedded constants
+ * (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint) and
+ * len < 1048576)
+ */
+static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len)
+{
+ X->s = 1;
+ X->n = (unsigned short) (len / sizeof(mbedtls_mpi_uint));
+ X->p = (mbedtls_mpi_uint *) p;
+}
+#endif
+
+#if defined(ECP_LOAD_GROUP)
+/*
+ * Set an MPI to static value 1
+ */
+static inline void ecp_mpi_set1(mbedtls_mpi *X)
+{
+ X->s = 1;
+ X->n = 1;
+ X->p = mpi_one;
+}
+
+/*
+ * Make group available from embedded constants
+ */
+static int ecp_group_load(mbedtls_ecp_group *grp,
+ const mbedtls_mpi_uint *p, size_t plen,
+ const mbedtls_mpi_uint *a, size_t alen,
+ const mbedtls_mpi_uint *b, size_t blen,
+ const mbedtls_mpi_uint *gx, size_t gxlen,
+ const mbedtls_mpi_uint *gy, size_t gylen,
+ const mbedtls_mpi_uint *n, size_t nlen,
+ const mbedtls_ecp_point *T)
+{
+ ecp_mpi_load(&grp->P, p, plen);
+ if (a != NULL) {
+ ecp_mpi_load(&grp->A, a, alen);
+ }
+ ecp_mpi_load(&grp->B, b, blen);
+ ecp_mpi_load(&grp->N, n, nlen);
+
+ ecp_mpi_load(&grp->G.X, gx, gxlen);
+ ecp_mpi_load(&grp->G.Y, gy, gylen);
+ ecp_mpi_set1(&grp->G.Z);
+
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+ grp->nbits = mbedtls_mpi_bitlen(&grp->N);
+
+ grp->h = 1;
+
+ grp->T = (mbedtls_ecp_point *) T;
+ /*
+ * Set T_size to 0 to prevent T free by mbedtls_ecp_group_free.
+ */
+ grp->T_size = 0;
+
+ return 0;
+}
+#endif /* ECP_LOAD_GROUP */
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/* Forward declarations */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static int ecp_mod_p192(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static int ecp_mod_p224(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static int ecp_mod_p256(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static int ecp_mod_p384(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static int ecp_mod_p521(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n);
+#endif
+
+#define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
+#else
+#define NIST_MODP(P)
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+/* Additional forward declarations */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+static int ecp_mod_p255(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+static int ecp_mod_p448(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *, size_t);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static int ecp_mod_p192k1(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static int ecp_mod_p224k1(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static int ecp_mod_p256k1(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+#endif
+
+#if defined(ECP_LOAD_GROUP)
+#define LOAD_GROUP_A(G) ecp_group_load(grp, \
+ G ## _p, sizeof(G ## _p), \
+ G ## _a, sizeof(G ## _a), \
+ G ## _b, sizeof(G ## _b), \
+ G ## _gx, sizeof(G ## _gx), \
+ G ## _gy, sizeof(G ## _gy), \
+ G ## _n, sizeof(G ## _n), \
+ G ## _T \
+ )
+
+#define LOAD_GROUP(G) ecp_group_load(grp, \
+ G ## _p, sizeof(G ## _p), \
+ NULL, 0, \
+ G ## _b, sizeof(G ## _b), \
+ G ## _gx, sizeof(G ## _gx), \
+ G ## _gy, sizeof(G ## _gy), \
+ G ## _n, sizeof(G ## _n), \
+ G ## _T \
+ )
+#endif /* ECP_LOAD_GROUP */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/* Constants used by ecp_use_curve25519() */
+static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
+
+/* P = 2^255 - 19 */
+static const mbedtls_mpi_uint curve25519_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xED, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0X7F)
+};
+
+/* N = 2^252 + 27742317777372353535851937790883648493 */
+static const mbedtls_mpi_uint curve25519_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0XED, 0XD3, 0XF5, 0X5C, 0X1A, 0X63, 0X12, 0X58),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XD6, 0X9C, 0XF7, 0XA2, 0XDE, 0XF9, 0XDE, 0X14),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0x00, 0x00, 0x00, 0x00),
+ MBEDTLS_BYTES_TO_T_UINT_8(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10)
+};
+
+/*
+ * Specialized function for creating the Curve25519 group
+ */
+static int ecp_use_curve25519(mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Actually ( A + 2 ) / 4 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve25519_a24));
+
+ ecp_mpi_load(&grp->P, curve25519_p, sizeof(curve25519_p));
+
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ ecp_mpi_load(&grp->N, curve25519_n, sizeof(curve25519_n));
+
+ /* Y intentionally not set, since we use x/z coordinates.
+ * This is used as a marker to identify Montgomery curves! */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 9));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
+ mbedtls_mpi_free(&grp->G.Y);
+
+ /* Actually, the required msb for private keys */
+ grp->nbits = 254;
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_ecp_group_free(grp);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/* Constants used by ecp_use_curve448() */
+static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
+
+/* P = 2^448 - 2^224 - 1 */
+static const mbedtls_mpi_uint curve448_p[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFE, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00)
+};
+
+/* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
+static const mbedtls_mpi_uint curve448_n[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0XF3, 0X44, 0X58, 0XAB, 0X92, 0XC2, 0X78, 0X23),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X55, 0X8F, 0XC5, 0X8D, 0X72, 0XC2, 0X6C, 0X21),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X90, 0X36, 0XD6, 0XAE, 0X49, 0XDB, 0X4E, 0XC4),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XE9, 0X23, 0XCA, 0X7C, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF),
+ MBEDTLS_BYTES_TO_T_UINT_8(0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0X3F),
+ MBEDTLS_BYTES_TO_T_UINT_8(0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00, 0X00)
+};
+
+/*
+ * Specialized function for creating the Curve448 group
+ */
+static int ecp_use_curve448(mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Actually ( A + 2 ) / 4 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->A, curve448_a24));
+
+ ecp_mpi_load(&grp->P, curve448_p, sizeof(curve448_p));
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ /* Y intentionally not set, since we use x/z coordinates.
+ * This is used as a marker to identify Montgomery curves! */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.X, 5));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&grp->G.Z, 1));
+ mbedtls_mpi_free(&grp->G.Y);
+
+ ecp_mpi_load(&grp->N, curve448_n, sizeof(curve448_n));
+
+ /* Actually, the required msb for private keys */
+ grp->nbits = 447;
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_ecp_group_free(grp);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+/*
+ * Set a group using well-known domain parameters
+ */
+int mbedtls_ecp_group_load(mbedtls_ecp_group *grp, mbedtls_ecp_group_id id)
+{
+ mbedtls_ecp_group_free(grp);
+
+ mbedtls_ecp_group_init(grp);
+
+ grp->id = id;
+
+ switch (id) {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192R1:
+ NIST_MODP(p192);
+ return LOAD_GROUP(secp192r1);
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224R1:
+ NIST_MODP(p224);
+ return LOAD_GROUP(secp224r1);
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256R1:
+ NIST_MODP(p256);
+ return LOAD_GROUP(secp256r1);
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP384R1:
+ NIST_MODP(p384);
+ return LOAD_GROUP(secp384r1);
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP521R1:
+ NIST_MODP(p521);
+ return LOAD_GROUP(secp521r1);
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ grp->modp = ecp_mod_p192k1;
+ return LOAD_GROUP_A(secp192k1);
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224K1:
+ grp->modp = ecp_mod_p224k1;
+ return LOAD_GROUP_A(secp224k1);
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ grp->modp = ecp_mod_p256k1;
+ return LOAD_GROUP_A(secp256k1);
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP256R1:
+ return LOAD_GROUP_A(brainpoolP256r1);
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP384R1:
+ return LOAD_GROUP_A(brainpoolP384r1);
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP512R1:
+ return LOAD_GROUP_A(brainpoolP512r1);
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ grp->modp = ecp_mod_p255;
+ return ecp_use_curve25519(grp);
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ grp->modp = ecp_mod_p448;
+ return ecp_use_curve448(grp);
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+ default:
+ grp->id = MBEDTLS_ECP_DP_NONE;
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/*
+ * Fast reduction modulo the primes used by the NIST curves.
+ *
+ * These functions are critical for speed, but not needed for correct
+ * operations. So, we make the choice to heavily rely on the internals of our
+ * bignum library, which creates a tight coupling between these functions and
+ * our MPI implementation. However, the coupling between the ECP module and
+ * MPI remains loose, since these functions can be deactivated at will.
+ */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+/*
+ * Compared to the way things are presented in FIPS 186-3 D.2,
+ * we proceed in columns, from right (least significant chunk) to left,
+ * adding chunks to N in place, and keeping a carry for the next chunk.
+ * This avoids moving things around in memory, and uselessly adding zeros,
+ * compared to the more straightforward, line-oriented approach.
+ *
+ * For this prime we need to handle data in chunks of 64 bits.
+ * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
+ * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
+ */
+
+/* Add 64-bit chunks (dst += src) and update carry */
+static inline void add64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry)
+{
+ unsigned char i;
+ mbedtls_mpi_uint c = 0;
+ for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++, src++) {
+ *dst += c; c = (*dst < c);
+ *dst += *src; c += (*dst < *src);
+ }
+ *carry += c;
+}
+
+/* Add carry to a 64-bit chunk and update carry */
+static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry)
+{
+ unsigned char i;
+ for (i = 0; i < 8 / sizeof(mbedtls_mpi_uint); i++, dst++) {
+ *dst += *carry;
+ *carry = (*dst < *carry);
+ }
+}
+
+#define WIDTH 8 / sizeof(mbedtls_mpi_uint)
+#define A(i) Np + (i) * WIDTH
+#define ADD(i) add64(p, A(i), &c)
+#define NEXT p += WIDTH; carry64(p, &c)
+#define LAST p += WIDTH; do *p = 0; while (++p < end)
+#define RESET last_carry[0] = c; c = 0; p = Np
+#define ADD_LAST add64(p, last_carry, &c)
+
+/*
+ * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ */
+static int ecp_mod_p192(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(192) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p192_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn)
+{
+ mbedtls_mpi_uint c = 0, last_carry[WIDTH] = { 0 };
+ mbedtls_mpi_uint *p, *end;
+
+ if (Nn != BITS_TO_LIMBS(192) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ p = Np;
+ end = p + Nn;
+
+ ADD(3); ADD(5); NEXT; // A0 += A3 + A5
+ ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
+ ADD(4); ADD(5); // A2 += A4 + A5
+
+ RESET;
+
+ /* Use the reduction for the carry as well:
+ * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
+ * It can generate a carry. */
+ ADD_LAST; NEXT; // A0 += last_carry
+ ADD_LAST; NEXT; // A1 += last_carry
+ // A2 += carry
+
+ RESET;
+
+ /* Use the reduction for the carry as well:
+ * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
+ */
+ ADD_LAST; NEXT; // A0 += last_carry
+ ADD_LAST; NEXT; // A1 += last_carry
+ // A2 += carry
+
+ LAST;
+
+ return 0;
+}
+
+#undef WIDTH
+#undef A
+#undef ADD
+#undef NEXT
+#undef LAST
+#undef RESET
+#undef ADD_LAST
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+
+/*
+ * The reader is advised to first understand ecp_mod_p192() since the same
+ * general structure is used here, but with additional complications:
+ * (1) chunks of 32 bits, and (2) subtractions.
+ */
+
+/*
+ * For these primes, we need to handle data in chunks of 32 bits.
+ * This makes it more complicated if we use 64 bits limbs in MPI,
+ * which prevents us from using a uniform access method as for p192.
+ *
+ * So, we define a mini abstraction layer to access 32 bit chunks,
+ * load them in 'cur' for work, and store them back from 'cur' when done.
+ *
+ * While at it, also define the size of N in terms of 32-bit chunks.
+ */
+#define LOAD32 cur = A(i);
+
+#if defined(MBEDTLS_HAVE_INT32) /* 32 bit */
+
+#define MAX32 X_limbs
+#define A(j) X[j]
+#define STORE32 X[i] = (mbedtls_mpi_uint) cur;
+#define STORE0 X[i] = 0;
+
+#else /* 64 bit */
+
+#define MAX32 X_limbs * 2
+#define A(j) \
+ (j) % 2 ? \
+ (uint32_t) (X[(j) / 2] >> 32) : \
+ (uint32_t) (X[(j) / 2])
+#define STORE32 \
+ if (i % 2) { \
+ X[i/2] &= 0x00000000FFFFFFFF; \
+ X[i/2] |= (uint64_t) (cur) << 32; \
+ } else { \
+ X[i/2] &= 0xFFFFFFFF00000000; \
+ X[i/2] |= (uint32_t) cur; \
+ }
+
+#define STORE0 \
+ if (i % 2) { \
+ X[i/2] &= 0x00000000FFFFFFFF; \
+ } else { \
+ X[i/2] &= 0xFFFFFFFF00000000; \
+ }
+
+#endif
+
+static inline int8_t extract_carry(int64_t cur)
+{
+ return (int8_t) (cur >> 32);
+}
+
+#define ADD(j) cur += A(j)
+#define SUB(j) cur -= A(j)
+
+#define ADD_CARRY(cc) cur += (cc)
+#define SUB_CARRY(cc) cur -= (cc)
+
+#define ADD_LAST ADD_CARRY(last_c)
+#define SUB_LAST SUB_CARRY(last_c)
+
+/*
+ * Helpers for the main 'loop'
+ */
+#define INIT(b) \
+ int8_t c = 0, last_c; \
+ int64_t cur; \
+ size_t i = 0; \
+ LOAD32;
+
+#define NEXT \
+ c = extract_carry(cur); \
+ STORE32; i++; LOAD32; \
+ ADD_CARRY(c);
+
+#define RESET \
+ c = extract_carry(cur); \
+ last_c = c; \
+ STORE32; i = 0; LOAD32; \
+ c = 0; \
+
+#define LAST \
+ c = extract_carry(cur); \
+ STORE32; i++; \
+ if (c != 0) \
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; \
+ while (i < MAX32) { STORE0; i++; }
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
+ */
+static int ecp_mod_p224(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(224) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p224_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ if (X_limbs != BITS_TO_LIMBS(224) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ INIT(224);
+
+ SUB(7); SUB(11); NEXT; // A0 += -A7 - A11
+ SUB(8); SUB(12); NEXT; // A1 += -A8 - A12
+ SUB(9); SUB(13); NEXT; // A2 += -A9 - A13
+ SUB(10); ADD(7); ADD(11); NEXT; // A3 += -A10 + A7 + A11
+ SUB(11); ADD(8); ADD(12); NEXT; // A4 += -A11 + A8 + A12
+ SUB(12); ADD(9); ADD(13); NEXT; // A5 += -A12 + A9 + A13
+ SUB(13); ADD(10); // A6 += -A13 + A10
+
+ RESET;
+
+ /* Use 2^224 = P + 2^96 - 1 to modulo reduce the final carry */
+ SUB_LAST; NEXT; // A0 -= last_c
+ ; NEXT; // A1
+ ; NEXT; // A2
+ ADD_LAST; NEXT; // A3 += last_c
+ ; NEXT; // A4
+ ; NEXT; // A5
+ // A6
+
+ /* The carry reduction cannot generate a carry
+ * (see commit 73e8553 for details)*/
+
+ LAST;
+
+ return 0;
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
+ */
+static int ecp_mod_p256(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(256) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p256_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ if (X_limbs != BITS_TO_LIMBS(256) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ INIT(256);
+
+ ADD(8); ADD(9);
+ SUB(11); SUB(12); SUB(13); SUB(14); NEXT; // A0
+
+ ADD(9); ADD(10);
+ SUB(12); SUB(13); SUB(14); SUB(15); NEXT; // A1
+
+ ADD(10); ADD(11);
+ SUB(13); SUB(14); SUB(15); NEXT; // A2
+
+ ADD(11); ADD(11); ADD(12); ADD(12); ADD(13);
+ SUB(15); SUB(8); SUB(9); NEXT; // A3
+
+ ADD(12); ADD(12); ADD(13); ADD(13); ADD(14);
+ SUB(9); SUB(10); NEXT; // A4
+
+ ADD(13); ADD(13); ADD(14); ADD(14); ADD(15);
+ SUB(10); SUB(11); NEXT; // A5
+
+ ADD(14); ADD(14); ADD(15); ADD(15); ADD(14); ADD(13);
+ SUB(8); SUB(9); NEXT; // A6
+
+ ADD(15); ADD(15); ADD(15); ADD(8);
+ SUB(10); SUB(11); SUB(12); SUB(13); // A7
+
+ RESET;
+
+ /* Use 2^224 * (2^32 - 1) + 2^192 + 2^96 - 1
+ * to modulo reduce the final carry. */
+ ADD_LAST; NEXT; // A0
+ ; NEXT; // A1
+ ; NEXT; // A2
+ SUB_LAST; NEXT; // A3
+ ; NEXT; // A4
+ ; NEXT; // A5
+ SUB_LAST; NEXT; // A6
+ ADD_LAST; // A7
+
+ RESET;
+
+ /* Use 2^224 * (2^32 - 1) + 2^192 + 2^96 - 1
+ * to modulo reduce the carry generated by the previous reduction. */
+ ADD_LAST; NEXT; // A0
+ ; NEXT; // A1
+ ; NEXT; // A2
+ SUB_LAST; NEXT; // A3
+ ; NEXT; // A4
+ ; NEXT; // A5
+ SUB_LAST; NEXT; // A6
+ ADD_LAST; // A7
+
+ LAST;
+
+ return 0;
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
+ */
+static int ecp_mod_p384(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(384) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p384_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ if (X_limbs != BITS_TO_LIMBS(384) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ INIT(384);
+
+ ADD(12); ADD(21); ADD(20);
+ SUB(23); NEXT; // A0
+
+ ADD(13); ADD(22); ADD(23);
+ SUB(12); SUB(20); NEXT; // A1
+
+ ADD(14); ADD(23);
+ SUB(13); SUB(21); NEXT; // A2
+
+ ADD(15); ADD(12); ADD(20); ADD(21);
+ SUB(14); SUB(22); SUB(23); NEXT; // A3
+
+ ADD(21); ADD(21); ADD(16); ADD(13); ADD(12); ADD(20); ADD(22);
+ SUB(15); SUB(23); SUB(23); NEXT; // A4
+
+ ADD(22); ADD(22); ADD(17); ADD(14); ADD(13); ADD(21); ADD(23);
+ SUB(16); NEXT; // A5
+
+ ADD(23); ADD(23); ADD(18); ADD(15); ADD(14); ADD(22);
+ SUB(17); NEXT; // A6
+
+ ADD(19); ADD(16); ADD(15); ADD(23);
+ SUB(18); NEXT; // A7
+
+ ADD(20); ADD(17); ADD(16);
+ SUB(19); NEXT; // A8
+
+ ADD(21); ADD(18); ADD(17);
+ SUB(20); NEXT; // A9
+
+ ADD(22); ADD(19); ADD(18);
+ SUB(21); NEXT; // A10
+
+ ADD(23); ADD(20); ADD(19);
+ SUB(22); // A11
+
+ RESET;
+
+ /* Use 2^384 = P + 2^128 + 2^96 - 2^32 + 1 to modulo reduce the final carry */
+ ADD_LAST; NEXT; // A0
+ SUB_LAST; NEXT; // A1
+ ; NEXT; // A2
+ ADD_LAST; NEXT; // A3
+ ADD_LAST; NEXT; // A4
+ ; NEXT; // A5
+ ; NEXT; // A6
+ ; NEXT; // A7
+ ; NEXT; // A8
+ ; NEXT; // A9
+ ; NEXT; // A10
+ // A11
+
+ RESET;
+
+ ADD_LAST; NEXT; // A0
+ SUB_LAST; NEXT; // A1
+ ; NEXT; // A2
+ ADD_LAST; NEXT; // A3
+ ADD_LAST; NEXT; // A4
+ ; NEXT; // A5
+ ; NEXT; // A6
+ ; NEXT; // A7
+ ; NEXT; // A8
+ ; NEXT; // A9
+ ; NEXT; // A10
+ // A11
+
+ LAST;
+
+ return 0;
+}
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#undef LOAD32
+#undef MAX32
+#undef A
+#undef STORE32
+#undef STORE0
+#undef ADD
+#undef SUB
+#undef ADD_CARRY
+#undef SUB_CARRY
+#undef ADD_LAST
+#undef SUB_LAST
+#undef INIT
+#undef NEXT
+#undef RESET
+#undef LAST
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
+ MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
+ MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+/* Size of p521 in terms of mbedtls_mpi_uint */
+#define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
+
+/* Bits to keep in the most significant mbedtls_mpi_uint */
+#define P521_MASK 0x01FF
+
+/*
+ * Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
+ */
+static int ecp_mod_p521(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(521) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p521_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ mbedtls_mpi_uint carry = 0;
+
+ if (X_limbs != BITS_TO_LIMBS(521) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Step 1: Reduction to P521_WIDTH limbs */
+ /* Helper references for bottom part of X */
+ mbedtls_mpi_uint *X0 = X;
+ size_t X0_limbs = P521_WIDTH;
+ /* Helper references for top part of X */
+ mbedtls_mpi_uint *X1 = X + X0_limbs;
+ size_t X1_limbs = X_limbs - X0_limbs;
+ /* Split X as X0 + 2^P521_WIDTH X1 and compute X0 + 2^(biL - 9) X1.
+ * (We are using that 2^P521_WIDTH = 2^(512 + biL) and that
+ * 2^(512 + biL) X1 = 2^(biL - 9) X1 mod P521.)
+ * The high order limb of the result will be held in carry and the rest
+ * in X0 (that is the result will be represented as
+ * 2^P521_WIDTH carry + X0).
+ *
+ * Also, note that the resulting carry is either 0 or 1:
+ * X0 < 2^P521_WIDTH = 2^(512 + biL) and X1 < 2^(P521_WIDTH-biL) = 2^512
+ * therefore
+ * X0 + 2^(biL - 9) X1 < 2^(512 + biL) + 2^(512 + biL - 9)
+ * which in turn is less than 2 * 2^(512 + biL).
+ */
+ mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9);
+ carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift);
+ /* Set X to X0 (by clearing the top part). */
+ memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint));
+
+ /* Step 2: Reduction modulo P521
+ *
+ * At this point X is reduced to P521_WIDTH limbs. What remains is to add
+ * the carry (that is 2^P521_WIDTH carry) and to reduce mod P521. */
+
+ /* 2^P521_WIDTH carry = 2^(512 + biL) carry = 2^(biL - 9) carry mod P521.
+ * Also, recall that carry is either 0 or 1. */
+ mbedtls_mpi_uint addend = carry << (biL - 9);
+ /* Keep the top 9 bits and reduce the rest, using 2^521 = 1 mod P521. */
+ addend += (X[P521_WIDTH - 1] >> 9);
+ X[P521_WIDTH - 1] &= P521_MASK;
+
+ /* Reuse the top part of X (already zeroed) as a helper array for
+ * carrying out the addition. */
+ mbedtls_mpi_uint *addend_arr = X + P521_WIDTH;
+ addend_arr[0] = addend;
+ (void) mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH);
+ /* Both addends were less than P521 therefore X < 2 * P521. (This also means
+ * that the result fit in P521_WIDTH limbs and there won't be any carry.) */
+
+ /* Clear the reused part of X. */
+ addend_arr[0] = 0;
+
+ return 0;
+}
+
+#undef P521_WIDTH
+#undef P521_MASK
+
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/* Size of p255 in terms of mbedtls_mpi_uint */
+#define P255_WIDTH (255 / 8 / sizeof(mbedtls_mpi_uint) + 1)
+
+/*
+ * Fast quasi-reduction modulo p255 = 2^255 - 19
+ * Write N as A0 + 2^256 A1, return A0 + 38 * A1
+ */
+static int ecp_mod_p255(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(255) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p255_raw(N->p, expected_width);
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_Limbs)
+{
+
+ if (X_Limbs != BITS_TO_LIMBS(255) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_uint *carry = mbedtls_calloc(P255_WIDTH, ciL);
+ if (carry == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ }
+
+ /* Step 1: Reduction to P255_WIDTH limbs */
+ if (X_Limbs > P255_WIDTH) {
+ /* Helper references for top part of X */
+ mbedtls_mpi_uint * const A1 = X + P255_WIDTH;
+ const size_t A1_limbs = X_Limbs - P255_WIDTH;
+
+ /* X = A0 + 38 * A1, capture carry out */
+ *carry = mbedtls_mpi_core_mla(X, P255_WIDTH, A1, A1_limbs, 38);
+ /* Clear top part */
+ memset(A1, 0, sizeof(mbedtls_mpi_uint) * A1_limbs);
+ }
+
+ /* Step 2: Reduce to <2p
+ * Split as A0 + 2^255*c, with c a scalar, and compute A0 + 19*c */
+ *carry <<= 1;
+ *carry += (X[P255_WIDTH - 1] >> (biL - 1));
+ *carry *= 19;
+
+ /* Clear top bit */
+ X[P255_WIDTH - 1] <<= 1; X[P255_WIDTH - 1] >>= 1;
+ /* Since the top bit for X has been cleared 0 + 0 + Carry
+ * will not overflow.
+ *
+ * Furthermore for 2p = 2^256-38. When a carry propagation on the highest
+ * limb occurs, X > 2^255 and all the remaining bits on the limb are zero.
+ * - If X < 2^255 ==> X < 2p
+ * - If X > 2^255 ==> X < 2^256 - 2^255 < 2p */
+ (void) mbedtls_mpi_core_add(X, X, carry, P255_WIDTH);
+
+ mbedtls_free(carry);
+ return 0;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+
+/* Size of p448 in terms of mbedtls_mpi_uint */
+#define P448_WIDTH (448 / 8 / sizeof(mbedtls_mpi_uint))
+
+/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
+#define DIV_ROUND_UP(X, Y) (((X) + (Y) -1) / (Y))
+#define P224_SIZE (224 / 8)
+#define P224_WIDTH_MIN (P224_SIZE / sizeof(mbedtls_mpi_uint))
+#define P224_WIDTH_MAX DIV_ROUND_UP(P224_SIZE, sizeof(mbedtls_mpi_uint))
+#define P224_UNUSED_BITS ((P224_WIDTH_MAX * sizeof(mbedtls_mpi_uint) * 8) - 224)
+
+static int ecp_mod_p448(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(448) * 2;
+
+ /* This is required as some tests and use cases do not pass in a Bignum of
+ * the correct size, and expect the growth to be done automatically, which
+ * will no longer happen. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+
+ ret = mbedtls_ecp_mod_p448_raw(N->p, N->n);
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
+ * Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +
+ * (B0 + B1) * 2^224. This is different to the reference implementation of
+ * Curve448, which uses its own special 56-bit limbs rather than a generic
+ * bignum library. We could squeeze some extra speed out on 32-bit machines by
+ * splitting N up into 32-bit limbs and doing the arithmetic using the limbs
+ * directly as we do for the NIST primes above, but for 64-bit targets it should
+ * use half the number of operations if we do the reduction with 224-bit limbs,
+ * since mpi_core_add will then use 64-bit adds.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ size_t round;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (X_limbs != BITS_TO_LIMBS(448) * 2) {
+ return 0;
+ }
+
+ size_t M_limbs = X_limbs - (P448_WIDTH);
+
+ if (M_limbs > P448_WIDTH) {
+ /* Shouldn't be called with X larger than 2^896! */
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Both M and Q require an extra limb to catch carries. */
+ M_limbs++;
+
+ const size_t Q_limbs = M_limbs;
+ mbedtls_mpi_uint *M = NULL;
+ mbedtls_mpi_uint *Q = NULL;
+
+ M = mbedtls_calloc(M_limbs, ciL);
+
+ if (M == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ }
+
+ Q = mbedtls_calloc(Q_limbs, ciL);
+
+ if (Q == NULL) {
+ ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ /* M = A1 */
+ memset(M, 0, (M_limbs * ciL));
+ /* Do not copy into the overflow limb, as this would read past the end of
+ * X. */
+ memcpy(M, X + P448_WIDTH, ((M_limbs - 1) * ciL));
+
+ /* X = A0 */
+ memset(X + P448_WIDTH, 0, ((M_limbs - 1) * ciL));
+
+ /* X = X + M = A0 + A1 */
+ /* Carry here fits in oversize X. Oversize M means it will get
+ * added in, not returned as carry. */
+ (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
+
+ /* Q = B1 = M >> 224 */
+ memcpy(Q, (char *) M + P224_SIZE, P224_SIZE);
+ memset((char *) Q + P224_SIZE, 0, P224_SIZE);
+
+ /* X = X + Q = (A0 + A1) + B1
+ * Oversize Q catches potential carry here when X is already max 448 bits.
+ */
+ (void) mbedtls_mpi_core_add(X, X, Q, Q_limbs);
+
+ /* M = B0 */
+#ifdef MBEDTLS_HAVE_INT64
+ M[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
+ #endif
+ memset(M + P224_WIDTH_MAX, 0, ((M_limbs - P224_WIDTH_MAX) * ciL));
+
+ /* M = M + Q = B0 + B1 */
+ (void) mbedtls_mpi_core_add(M, M, Q, Q_limbs);
+
+ /* M = (B0 + B1) * 2^224 */
+ /* Shifted carry bit from the addition fits in oversize M. */
+ memmove((char *) M + P224_SIZE, M, P224_SIZE + ciL);
+ memset(M, 0, P224_SIZE);
+
+ /* X = X + M = (A0 + A1 + B1) + (B0 + B1) * 2^224 */
+ (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
+
+ /* In the second and third rounds A1 and B0 have at most 1 non-zero limb and
+ * B1=0.
+ * Using this we need to calculate:
+ * A0 + A1 + B1 + (B0 + B1) * 2^224 = A0 + A1 + B0 * 2^224. */
+ for (round = 0; round < 2; ++round) {
+
+ /* M = A1 */
+ memset(M, 0, (M_limbs * ciL));
+ memcpy(M, X + P448_WIDTH, ((M_limbs - 1) * ciL));
+
+ /* X = A0 */
+ memset(X + P448_WIDTH, 0, ((M_limbs - 1) * ciL));
+
+ /* M = A1 + B0 * 2^224
+ * We know that only one limb of A1 will be non-zero and that it will be
+ * limb 0. We also know that B0 is the bottom 224 bits of A1 (which is
+ * then shifted up 224 bits), so, given M is currently A1 this turns
+ * into:
+ * M = M + (M << 224)
+ * As the single non-zero limb in B0 will be A1 limb 0 shifted up by 224
+ * bits, we can just move that into the right place, shifted up
+ * accordingly.*/
+ M[P224_WIDTH_MIN] = M[0] << (224 & (biL - 1));
+
+ /* X = A0 + (A1 + B0 * 2^224) */
+ (void) mbedtls_mpi_core_add(X, X, M, M_limbs);
+ }
+
+ ret = 0;
+
+cleanup:
+ mbedtls_free(M);
+ mbedtls_free(Q);
+
+ return ret;
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo P = 2^s - R,
+ * with R about 33 bits, used by the Koblitz curves.
+ *
+ * Write X as A0 + 2^224 A1, return A0 + R * A1.
+ */
+#define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
+
+static inline int ecp_mod_koblitz(mbedtls_mpi_uint *X,
+ size_t X_limbs,
+ mbedtls_mpi_uint *R,
+ size_t bits)
+{
+ int ret = 0;
+
+ /* Determine if A1 is aligned to limb bitsize. If not then the used limbs
+ * of P, A0 and A1 must be set accordingly and there is a middle limb
+ * which is shared by A0 and A1 and need to handle accordingly.
+ */
+ size_t shift = bits % biL;
+ size_t adjust = (shift + biL - 1) / biL;
+ size_t P_limbs = bits / biL + adjust;
+
+ mbedtls_mpi_uint *A1 = mbedtls_calloc(P_limbs, ciL);
+ if (A1 == NULL) {
+ return MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ }
+
+ /* Create a buffer to store the value of `R * A1` */
+ size_t R_limbs = P_KOBLITZ_R;
+ size_t M_limbs = P_limbs + R_limbs;
+ mbedtls_mpi_uint *M = mbedtls_calloc(M_limbs, ciL);
+ if (M == NULL) {
+ ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ mbedtls_mpi_uint mask = 0;
+ if (adjust != 0) {
+ mask = ((mbedtls_mpi_uint) 1 << shift) - 1;
+ }
+
+ /* Two passes are needed to reduce the value of `A0 + R * A1` and then
+ * we need an additional one to reduce the possible overflow during
+ * the addition.
+ */
+ for (size_t pass = 0; pass < 3; pass++) {
+ /* Copy A1 */
+ memcpy(A1, X + P_limbs - adjust, P_limbs * ciL);
+
+ /* Shift A1 to be aligned */
+ if (shift != 0) {
+ mbedtls_mpi_core_shift_r(A1, P_limbs, shift);
+ }
+
+ /* Zeroize the A1 part of the shared limb */
+ if (mask != 0) {
+ X[P_limbs - 1] &= mask;
+ }
+
+ /* X = A0
+ * Zeroize the A1 part of X to keep only the A0 part.
+ */
+ for (size_t i = P_limbs; i < X_limbs; i++) {
+ X[i] = 0;
+ }
+
+ /* X = A0 + R * A1 */
+ mbedtls_mpi_core_mul(M, A1, P_limbs, R, R_limbs);
+ (void) mbedtls_mpi_core_add(X, X, M, P_limbs + R_limbs);
+
+ /* Carry can not be generated since R is a 33-bit value and stored in
+ * 64 bits. The result value of the multiplication is at most
+ * P length + 33 bits in length and the result value of the addition
+ * is at most P length + 34 bits in length. So the result of the
+ * addition always fits in P length + 64 bits.
+ */
+ }
+
+cleanup:
+ mbedtls_free(M);
+ mbedtls_free(A1);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
+ MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
+ MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
+ */
+static int ecp_mod_p192k1(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(192) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p192k1_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ static mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00)
+ };
+
+ if (X_limbs != BITS_TO_LIMBS(192) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mod_koblitz(X, X_limbs, Rp, 192);
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ */
+static int ecp_mod_p224k1(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(224) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p224k1_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ static mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00)
+ };
+
+ if (X_limbs != BITS_TO_LIMBS(224) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mod_koblitz(X, X_limbs, Rp, 224);
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+
+/*
+ * Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ */
+static int ecp_mod_p256k1(mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t expected_width = BITS_TO_LIMBS(256) * 2;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p256k1_raw(N->p, expected_width);
+
+cleanup:
+ return ret;
+}
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ static mbedtls_mpi_uint Rp[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00)
+ };
+
+ if (X_limbs != BITS_TO_LIMBS(256) * 2) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ return ecp_mod_koblitz(X, X_limbs, Rp, 256);
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_ecp_group_id id,
+ const mbedtls_ecp_modulus_type ctype)
+{
+ mbedtls_mpi_modp_fn modp = NULL;
+ mbedtls_mpi_uint *p = NULL;
+ size_t p_limbs;
+
+ if (!(ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE || \
+ ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_SCALAR)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ switch (id) {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p192_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp192r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp192r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p224_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp224r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp224r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p256_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp256r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp256r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP384R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p384_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp384r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp384r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP521R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ modp = &mbedtls_ecp_mod_p521_raw;
+#endif
+ p = (mbedtls_mpi_uint *) secp521r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp521r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP256R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) brainpoolP256r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) brainpoolP256r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP384R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) brainpoolP384r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) brainpoolP384r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP512R1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) brainpoolP512r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) brainpoolP512r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p255_raw;
+ p = (mbedtls_mpi_uint *) curve25519_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_p));
+ } else {
+ p = (mbedtls_mpi_uint *) curve25519_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p192k1_raw;
+ p = (mbedtls_mpi_uint *) secp192k1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp192k1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224K1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p224k1_raw;
+ p = (mbedtls_mpi_uint *) secp224k1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp224k1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p256k1_raw;
+ p = (mbedtls_mpi_uint *) secp256k1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp256k1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ modp = &mbedtls_ecp_mod_p448_raw;
+ p = (mbedtls_mpi_uint *) curve448_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve448_p));
+ } else {
+ p = (mbedtls_mpi_uint *) curve448_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve448_n));
+ }
+ break;
+#endif
+
+ default:
+ case MBEDTLS_ECP_DP_NONE:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ if (modp != NULL) {
+ if (mbedtls_mpi_mod_optred_modulus_setup(N, p, p_limbs, modp)) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ } else {
+ if (mbedtls_mpi_mod_modulus_setup(N, p, p_limbs)) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ }
+ return 0;
+}
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+MBEDTLS_STATIC_TESTABLE
+mbedtls_ecp_variant mbedtls_ecp_get_variant(void)
+{
+ return MBEDTLS_ECP_VARIANT_WITH_MPI_UINT;
+}
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* !MBEDTLS_ECP_ALT */
+#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_ECP_WITH_MPI_UINT */
diff --git a/library/ecp_internal_alt.h b/library/ecp_internal_alt.h
new file mode 100644
index 0000000..668edc7
--- /dev/null
+++ b/library/ecp_internal_alt.h
@@ -0,0 +1,287 @@
+/**
+ * \file ecp_internal_alt.h
+ *
+ * \brief Function declarations for alternative implementation of elliptic curve
+ * point arithmetic.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * References:
+ *
+ * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
+ * <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
+ *
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
+ * for elliptic curve cryptosystems. In : Cryptographic Hardware and
+ * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
+ * <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
+ *
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
+ * render ECC resistant against Side Channel Attacks. IACR Cryptology
+ * ePrint Archive, 2004, vol. 2004, p. 342.
+ * <http://eprint.iacr.org/2004/342.pdf>
+ *
+ * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
+ * <http://www.secg.org/sec2-v2.pdf>
+ *
+ * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
+ * Curve Cryptography.
+ *
+ * [6] Digital Signature Standard (DSS), FIPS 186-4.
+ * <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
+ *
+ * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
+ * Security (TLS), RFC 4492.
+ * <https://tools.ietf.org/search/rfc4492>
+ *
+ * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
+ *
+ * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
+ * Springer Science & Business Media, 1 Aug 2000
+ */
+
+#ifndef MBEDTLS_ECP_INTERNAL_H
+#define MBEDTLS_ECP_INTERNAL_H
+
+#include "mbedtls/build_info.h"
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+
+/**
+ * \brief Indicate if the Elliptic Curve Point module extension can
+ * handle the group.
+ *
+ * \param grp The pointer to the elliptic curve group that will be the
+ * basis of the cryptographic computations.
+ *
+ * \return Non-zero if successful.
+ */
+unsigned char mbedtls_internal_ecp_grp_capable(const mbedtls_ecp_group *grp);
+
+/**
+ * \brief Initialise the Elliptic Curve Point module extension.
+ *
+ * If mbedtls_internal_ecp_grp_capable returns true for a
+ * group, this function has to be able to initialise the
+ * module for it.
+ *
+ * This module can be a driver to a crypto hardware
+ * accelerator, for which this could be an initialise function.
+ *
+ * \param grp The pointer to the group the module needs to be
+ * initialised for.
+ *
+ * \return 0 if successful.
+ */
+int mbedtls_internal_ecp_init(const mbedtls_ecp_group *grp);
+
+/**
+ * \brief Frees and deallocates the Elliptic Curve Point module
+ * extension.
+ *
+ * \param grp The pointer to the group the module was initialised for.
+ */
+void mbedtls_internal_ecp_free(const mbedtls_ecp_group *grp);
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+/**
+ * \brief Randomize jacobian coordinates:
+ * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
+ *
+ * \param grp Pointer to the group representing the curve.
+ *
+ * \param pt The point on the curve to be randomised, given with Jacobian
+ * coordinates.
+ *
+ * \param f_rng A function pointer to the random number generator.
+ *
+ * \param p_rng A pointer to the random number generator state.
+ *
+ * \return 0 if successful.
+ */
+int mbedtls_internal_ecp_randomize_jac(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *pt, int (*f_rng)(void *,
+ unsigned char *,
+ size_t),
+ void *p_rng);
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+/**
+ * \brief Addition: R = P + Q, mixed affine-Jacobian coordinates.
+ *
+ * The coordinates of Q must be normalized (= affine),
+ * but those of P don't need to. R is not normalized.
+ *
+ * This function is used only as a subrutine of
+ * ecp_mul_comb().
+ *
+ * Special cases: (1) P or Q is zero, (2) R is zero,
+ * (3) P == Q.
+ * None of these cases can happen as intermediate step in
+ * ecp_mul_comb():
+ * - at each step, P, Q and R are multiples of the base
+ * point, the factor being less than its order, so none of
+ * them is zero;
+ * - Q is an odd multiple of the base point, P an even
+ * multiple, due to the choice of precomputed points in the
+ * modified comb method.
+ * So branches for these cases do not leak secret information.
+ *
+ * We accept Q->Z being unset (saving memory in tables) as
+ * meaning 1.
+ *
+ * Cost in field operations if done by [5] 3.22:
+ * 1A := 8M + 3S
+ *
+ * \param grp Pointer to the group representing the curve.
+ *
+ * \param R Pointer to a point structure to hold the result.
+ *
+ * \param P Pointer to the first summand, given with Jacobian
+ * coordinates
+ *
+ * \param Q Pointer to the second summand, given with affine
+ * coordinates.
+ *
+ * \return 0 if successful.
+ */
+int mbedtls_internal_ecp_add_mixed(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R, const mbedtls_ecp_point *P,
+ const mbedtls_ecp_point *Q);
+#endif
+
+/**
+ * \brief Point doubling R = 2 P, Jacobian coordinates.
+ *
+ * Cost: 1D := 3M + 4S (A == 0)
+ * 4M + 4S (A == -3)
+ * 3M + 6S + 1a otherwise
+ * when the implementation is based on the "dbl-1998-cmo-2"
+ * doubling formulas in [8] and standard optimizations are
+ * applied when curve parameter A is one of { 0, -3 }.
+ *
+ * \param grp Pointer to the group representing the curve.
+ *
+ * \param R Pointer to a point structure to hold the result.
+ *
+ * \param P Pointer to the point that has to be doubled, given with
+ * Jacobian coordinates.
+ *
+ * \return 0 if successful.
+ */
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+int mbedtls_internal_ecp_double_jac(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R, const mbedtls_ecp_point *P);
+#endif
+
+/**
+ * \brief Normalize jacobian coordinates of an array of (pointers to)
+ * points.
+ *
+ * Using Montgomery's trick to perform only one inversion mod P
+ * the cost is:
+ * 1N(t) := 1I + (6t - 3)M + 1S
+ * (See for example Algorithm 10.3.4. in [9])
+ *
+ * This function is used only as a subrutine of
+ * ecp_mul_comb().
+ *
+ * Warning: fails (returning an error) if one of the points is
+ * zero!
+ * This should never happen, see choice of w in ecp_mul_comb().
+ *
+ * \param grp Pointer to the group representing the curve.
+ *
+ * \param T Array of pointers to the points to normalise.
+ *
+ * \param t_len Number of elements in the array.
+ *
+ * \return 0 if successful,
+ * an error if one of the points is zero.
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+int mbedtls_internal_ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *T[], size_t t_len);
+#endif
+
+/**
+ * \brief Normalize jacobian coordinates so that Z == 0 || Z == 1.
+ *
+ * Cost in field operations if done by [5] 3.2.1:
+ * 1N := 1I + 3M + 1S
+ *
+ * \param grp Pointer to the group representing the curve.
+ *
+ * \param pt pointer to the point to be normalised. This is an
+ * input/output parameter.
+ *
+ * \return 0 if successful.
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+int mbedtls_internal_ecp_normalize_jac(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *pt);
+#endif
+
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+int mbedtls_internal_ecp_double_add_mxz(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R,
+ mbedtls_ecp_point *S,
+ const mbedtls_ecp_point *P,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *d);
+#endif
+
+/**
+ * \brief Randomize projective x/z coordinates:
+ * (X, Z) -> (l X, l Z) for random l
+ *
+ * \param grp pointer to the group representing the curve
+ *
+ * \param P the point on the curve to be randomised given with
+ * projective coordinates. This is an input/output parameter.
+ *
+ * \param f_rng a function pointer to the random number generator
+ *
+ * \param p_rng a pointer to the random number generator state
+ *
+ * \return 0 if successful
+ */
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+int mbedtls_internal_ecp_randomize_mxz(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *P, int (*f_rng)(void *,
+ unsigned char *,
+ size_t),
+ void *p_rng);
+#endif
+
+/**
+ * \brief Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
+ *
+ * \param grp pointer to the group representing the curve
+ *
+ * \param P pointer to the point to be normalised. This is an
+ * input/output parameter.
+ *
+ * \return 0 if successful
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+int mbedtls_internal_ecp_normalize_mxz(const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *P);
+#endif
+
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#endif /* ecp_internal_alt.h */
diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h
new file mode 100644
index 0000000..ff9f9ec
--- /dev/null
+++ b/library/ecp_invasive.h
@@ -0,0 +1,325 @@
+/**
+ * \file ecp_invasive.h
+ *
+ * \brief ECP module: interfaces for invasive testing only.
+ *
+ * The interfaces in this file are intended for testing purposes only.
+ * They SHOULD NOT be made available in library integrations except when
+ * building the library for testing.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ECP_INVASIVE_H
+#define MBEDTLS_ECP_INVASIVE_H
+
+#include "common.h"
+#include "mbedtls/bignum.h"
+#include "bignum_mod.h"
+#include "mbedtls/ecp.h"
+
+/*
+ * Curve modulus types
+ */
+typedef enum {
+ MBEDTLS_ECP_MOD_NONE = 0,
+ MBEDTLS_ECP_MOD_COORDINATE,
+ MBEDTLS_ECP_MOD_SCALAR
+} mbedtls_ecp_modulus_type;
+
+typedef enum {
+ MBEDTLS_ECP_VARIANT_NONE = 0,
+ MBEDTLS_ECP_VARIANT_WITH_MPI_STRUCT,
+ MBEDTLS_ECP_VARIANT_WITH_MPI_UINT
+} mbedtls_ecp_variant;
+
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_LIGHT)
+
+/** Queries the ecp variant.
+ *
+ * \return The id of the ecp variant.
+ */
+MBEDTLS_STATIC_TESTABLE
+mbedtls_ecp_variant mbedtls_ecp_get_variant(void);
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+/** Generate a private key on a Montgomery curve (Curve25519 or Curve448).
+ *
+ * This function implements key generation for the set of secret keys
+ * specified in [Curve25519] p. 5 and in [Curve448]. The resulting value
+ * has the lower bits masked but is not necessarily canonical.
+ *
+ * \note - [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
+ * - [RFC7748] https://tools.ietf.org/html/rfc7748
+ *
+ * \p high_bit The position of the high-order bit of the key to generate.
+ * This is the bit-size of the key minus 1:
+ * 254 for Curve25519 or 447 for Curve448.
+ * \param d The randomly generated key. This is a number of size
+ * exactly \p high_bit + 1 bits, with the least significant bits
+ * masked as specified in [Curve25519] and in [RFC7748] §5.
+ * \param f_rng The RNG function.
+ * \param p_rng The RNG context to be passed to \p f_rng.
+ *
+ * \return \c 0 on success.
+ * \return \c MBEDTLS_ERR_ECP_xxx or MBEDTLS_ERR_MPI_xxx on failure.
+ */
+int mbedtls_ecp_gen_privkey_mx(size_t high_bit,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+
+/** Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ *
+ * This operation expects a 384 bit MPI and the result of the reduction
+ * is a 192 bit MPI.
+ *
+ * \param[in,out] Np The address of the MPI to be converted.
+ * Must have twice as many limbs as the modulus.
+ * Upon return this holds the reduced value. The bitlength
+ * of the reduced value is the same as that of the modulus
+ * (192 bits).
+ * \param[in] Nn The length of \p Np in limbs.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
+
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+
+/** Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 448-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (224 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the
+ * limb size that sores a 448-bit MPI.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+
+/** Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 512-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (256 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs is not the
+ * limb size that sores a 512-bit MPI.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+
+/** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have twice as many limbs as the modulus
+ * (the modulus is 521 bits long). Upon return this
+ * holds the reduced value. The reduced value is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * and its the bitlength is one plus the bitlength
+ * of the modulus.
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs does not have
+ * twice as many limbs as the modulus.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+
+/** Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 768-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (384 bits).
+ * \param[in] X_limbs The length of \p N in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p N_n does not have
+ * twice as many limbs as the modulus.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+
+/** Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 384-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (192 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+
+/** Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 448-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (224 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+
+/** Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 512-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * The bitlength of the reduced value is the same as
+ * that of the modulus (256 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/** Fast quasi-reduction modulo p255 = 2^255 - 19
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 510-bit MPI
+ * (double the bitlength of the modulus).
+ * Upon return holds the reduced value which is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+
+/** Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
+ * Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +
+ * (B0 + B1) * 2^224.
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have exact limb size that stores a 896-bit MPI
+ * (double the bitlength of the modulus). Upon return
+ * holds the reduced value which is in range `0 <= X <
+ * N` (where N is the modulus). The bitlength of the
+ * reduced value is the same as that of the modulus
+ * (448 bits).
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on Success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
+ * twice as many limbs as the modulus.
+ * \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation
+ * failed.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+/** Initialise a modulus with hard-coded const curve data.
+ *
+ * \note The caller is responsible for the \p N modulus' memory.
+ * mbedtls_mpi_mod_modulus_free(&N) should be invoked at the
+ * end of its lifecycle.
+ *
+ * \param[in,out] N The address of the modulus structure to populate.
+ * Must be initialized.
+ * \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus.
+ * \param[in] ctype The mbedtls_ecp_modulus_type identifier for a coordinate modulus (P)
+ * or a scalar modulus (N).
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the given MPIs do not
+ * have the correct number of limbs.
+ *
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_ecp_group_id id,
+ const mbedtls_ecp_modulus_type ctype);
+
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */
+
+#endif /* MBEDTLS_ECP_INVASIVE_H */
diff --git a/library/entropy.c b/library/entropy.c
new file mode 100644
index 0000000..e3bc851
--- /dev/null
+++ b/library/entropy.c
@@ -0,0 +1,676 @@
+/*
+ * Entropy accumulator implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#include "mbedtls/entropy.h"
+#include "entropy_poll.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#include "mbedtls/platform.h"
+
+#define ENTROPY_MAX_LOOP 256 /**< Maximum amount to loop before error */
+
+void mbedtls_entropy_init(mbedtls_entropy_context *ctx)
+{
+ ctx->source_count = 0;
+ memset(ctx->source, 0, sizeof(ctx->source));
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+ ctx->accumulator_started = 0;
+ mbedtls_md_init(&ctx->accumulator);
+
+ /* Reminder: Update ENTROPY_HAVE_STRONG in the test files
+ * when adding more strong entropy sources here. */
+
+#if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+ mbedtls_entropy_add_source(ctx, mbedtls_platform_entropy_poll, NULL,
+ MBEDTLS_ENTROPY_MIN_PLATFORM,
+ MBEDTLS_ENTROPY_SOURCE_STRONG);
+#endif
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+ mbedtls_entropy_add_source(ctx, mbedtls_hardware_poll, NULL,
+ MBEDTLS_ENTROPY_MIN_HARDWARE,
+ MBEDTLS_ENTROPY_SOURCE_STRONG);
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+ mbedtls_entropy_add_source(ctx, mbedtls_nv_seed_poll, NULL,
+ MBEDTLS_ENTROPY_BLOCK_SIZE,
+ MBEDTLS_ENTROPY_SOURCE_STRONG);
+ ctx->initial_entropy_run = 0;
+#endif
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+}
+
+void mbedtls_entropy_free(mbedtls_entropy_context *ctx)
+{
+ /* If the context was already free, don't call free() again.
+ * This is important for mutexes which don't allow double-free. */
+ if (ctx->accumulator_started == -1) {
+ return;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_free(&ctx->mutex);
+#endif
+ mbedtls_md_free(&ctx->accumulator);
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+ ctx->initial_entropy_run = 0;
+#endif
+ ctx->source_count = 0;
+ mbedtls_platform_zeroize(ctx->source, sizeof(ctx->source));
+ ctx->accumulator_started = -1;
+}
+
+int mbedtls_entropy_add_source(mbedtls_entropy_context *ctx,
+ mbedtls_entropy_f_source_ptr f_source, void *p_source,
+ size_t threshold, int strong)
+{
+ int idx, ret = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ idx = ctx->source_count;
+ if (idx >= MBEDTLS_ENTROPY_MAX_SOURCES) {
+ ret = MBEDTLS_ERR_ENTROPY_MAX_SOURCES;
+ goto exit;
+ }
+
+ ctx->source[idx].f_source = f_source;
+ ctx->source[idx].p_source = p_source;
+ ctx->source[idx].threshold = threshold;
+ ctx->source[idx].strong = strong;
+
+ ctx->source_count++;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Entropy accumulator update
+ */
+static int entropy_update(mbedtls_entropy_context *ctx, unsigned char source_id,
+ const unsigned char *data, size_t len)
+{
+ unsigned char header[2];
+ unsigned char tmp[MBEDTLS_ENTROPY_BLOCK_SIZE];
+ size_t use_len = len;
+ const unsigned char *p = data;
+ int ret = 0;
+
+ if (use_len > MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ if ((ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD),
+ data, len, tmp)) != 0) {
+ goto cleanup;
+ }
+ p = tmp;
+ use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+ }
+
+ header[0] = source_id;
+ header[1] = use_len & 0xFF;
+
+ /*
+ * Start the accumulator if this has not already happened. Note that
+ * it is sufficient to start the accumulator here only because all calls to
+ * gather entropy eventually execute this code.
+ */
+ if (ctx->accumulator_started == 0) {
+ ret = mbedtls_md_setup(&ctx->accumulator,
+ mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD), 0);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ ret = mbedtls_md_starts(&ctx->accumulator);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ ctx->accumulator_started = 1;
+ }
+ if ((ret = mbedtls_md_update(&ctx->accumulator, header, 2)) != 0) {
+ goto cleanup;
+ }
+ ret = mbedtls_md_update(&ctx->accumulator, p, use_len);
+
+cleanup:
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+
+ return ret;
+}
+
+int mbedtls_entropy_update_manual(mbedtls_entropy_context *ctx,
+ const unsigned char *data, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = entropy_update(ctx, MBEDTLS_ENTROPY_SOURCE_MANUAL, data, len);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Run through the different sources to add entropy to our accumulator
+ */
+static int entropy_gather_internal(mbedtls_entropy_context *ctx)
+{
+ int ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ int i;
+ int have_one_strong = 0;
+ unsigned char buf[MBEDTLS_ENTROPY_MAX_GATHER];
+ size_t olen;
+
+ if (ctx->source_count == 0) {
+ return MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED;
+ }
+
+ /*
+ * Run through our entropy sources
+ */
+ for (i = 0; i < ctx->source_count; i++) {
+ if (ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG) {
+ have_one_strong = 1;
+ }
+
+ olen = 0;
+ if ((ret = ctx->source[i].f_source(ctx->source[i].p_source,
+ buf, MBEDTLS_ENTROPY_MAX_GATHER, &olen)) != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Add if we actually gathered something
+ */
+ if (olen > 0) {
+ if ((ret = entropy_update(ctx, (unsigned char) i,
+ buf, olen)) != 0) {
+ return ret;
+ }
+ ctx->source[i].size += olen;
+ }
+ }
+
+ if (have_one_strong == 0) {
+ ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ return ret;
+}
+
+/*
+ * Thread-safe wrapper for entropy_gather_internal()
+ */
+int mbedtls_entropy_gather(mbedtls_entropy_context *ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = entropy_gather_internal(ctx);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+int mbedtls_entropy_func(void *data, unsigned char *output, size_t len)
+{
+ int ret, count = 0, i, thresholds_reached;
+ size_t strong_size;
+ mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data;
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+ if (len > MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+ /* Update the NV entropy seed before generating any entropy for outside
+ * use.
+ */
+ if (ctx->initial_entropy_run == 0) {
+ ctx->initial_entropy_run = 1;
+ if ((ret = mbedtls_entropy_update_nv_seed(ctx)) != 0) {
+ return ret;
+ }
+ }
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ /*
+ * Always gather extra entropy before a call
+ */
+ do {
+ if (count++ > ENTROPY_MAX_LOOP) {
+ ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ goto exit;
+ }
+
+ if ((ret = entropy_gather_internal(ctx)) != 0) {
+ goto exit;
+ }
+
+ thresholds_reached = 1;
+ strong_size = 0;
+ for (i = 0; i < ctx->source_count; i++) {
+ if (ctx->source[i].size < ctx->source[i].threshold) {
+ thresholds_reached = 0;
+ }
+ if (ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG) {
+ strong_size += ctx->source[i].size;
+ }
+ }
+ } while (!thresholds_reached || strong_size < MBEDTLS_ENTROPY_BLOCK_SIZE);
+
+ memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
+
+ /*
+ * Note that at this stage it is assumed that the accumulator was started
+ * in a previous call to entropy_update(). If this is not guaranteed, the
+ * code below will fail.
+ */
+ if ((ret = mbedtls_md_finish(&ctx->accumulator, buf)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Reset accumulator and counters and recycle existing entropy
+ */
+ mbedtls_md_free(&ctx->accumulator);
+ mbedtls_md_init(&ctx->accumulator);
+ ret = mbedtls_md_setup(&ctx->accumulator,
+ mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD), 0);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_starts(&ctx->accumulator);
+ if (ret != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&ctx->accumulator, buf,
+ MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Perform second hashing on entropy
+ */
+ if ((ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_ENTROPY_MD),
+ buf, MBEDTLS_ENTROPY_BLOCK_SIZE, buf)) != 0) {
+ goto exit;
+ }
+
+ for (i = 0; i < ctx->source_count; i++) {
+ ctx->source[i].size = 0;
+ }
+
+ memcpy(output, buf, len);
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_entropy_update_nv_seed(mbedtls_entropy_context *ctx)
+{
+ int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+ /* Read new seed and write it to NV */
+ if ((ret = mbedtls_entropy_func(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) {
+ return ret;
+ }
+
+ if (mbedtls_nv_seed_write(buf, MBEDTLS_ENTROPY_BLOCK_SIZE) < 0) {
+ return MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ }
+
+ /* Manually update the remaining stream with a separator value to diverge */
+ memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
+ ret = mbedtls_entropy_update_manual(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE);
+
+ return ret;
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_entropy_write_seed_file(mbedtls_entropy_context *ctx, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ FILE *f = NULL;
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+ if ((ret = mbedtls_entropy_func(ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE)) != 0) {
+ ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ goto exit;
+ }
+
+ if ((f = fopen(path, "wb")) == NULL) {
+ ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ goto exit;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ if (fwrite(buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f) != MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ goto exit;
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ if (f != NULL) {
+ fclose(f);
+ }
+
+ return ret;
+}
+
+int mbedtls_entropy_update_seed_file(mbedtls_entropy_context *ctx, const char *path)
+{
+ int ret = 0;
+ FILE *f;
+ size_t n;
+ unsigned char buf[MBEDTLS_ENTROPY_MAX_SEED_SIZE];
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ fseek(f, 0, SEEK_END);
+ n = (size_t) ftell(f);
+ fseek(f, 0, SEEK_SET);
+
+ if (n > MBEDTLS_ENTROPY_MAX_SEED_SIZE) {
+ n = MBEDTLS_ENTROPY_MAX_SEED_SIZE;
+ }
+
+ if (fread(buf, 1, n, f) != n) {
+ ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ } else {
+ ret = mbedtls_entropy_update_manual(ctx, buf, n);
+ }
+
+ fclose(f);
+
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ if (ret != 0) {
+ return ret;
+ }
+
+ return mbedtls_entropy_write_seed_file(ctx, path);
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Dummy source function
+ */
+static int entropy_dummy_source(void *data, unsigned char *output,
+ size_t len, size_t *olen)
+{
+ ((void) data);
+
+ memset(output, 0x2a, len);
+ *olen = len;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+
+static int mbedtls_entropy_source_self_test_gather(unsigned char *buf, size_t buf_len)
+{
+ int ret = 0;
+ size_t entropy_len = 0;
+ size_t olen = 0;
+ size_t attempts = buf_len;
+
+ while (attempts > 0 && entropy_len < buf_len) {
+ if ((ret = mbedtls_hardware_poll(NULL, buf + entropy_len,
+ buf_len - entropy_len, &olen)) != 0) {
+ return ret;
+ }
+
+ entropy_len += olen;
+ attempts--;
+ }
+
+ if (entropy_len < buf_len) {
+ ret = 1;
+ }
+
+ return ret;
+}
+
+
+static int mbedtls_entropy_source_self_test_check_bits(const unsigned char *buf,
+ size_t buf_len)
+{
+ unsigned char set = 0xFF;
+ unsigned char unset = 0x00;
+ size_t i;
+
+ for (i = 0; i < buf_len; i++) {
+ set &= buf[i];
+ unset |= buf[i];
+ }
+
+ return set == 0xFF || unset == 0x00;
+}
+
+/*
+ * A test to ensure that the entropy sources are functioning correctly
+ * and there is no obvious failure. The test performs the following checks:
+ * - The entropy source is not providing only 0s (all bits unset) or 1s (all
+ * bits set).
+ * - The entropy source is not providing values in a pattern. Because the
+ * hardware could be providing data in an arbitrary length, this check polls
+ * the hardware entropy source twice and compares the result to ensure they
+ * are not equal.
+ * - The error code returned by the entropy source is not an error.
+ */
+int mbedtls_entropy_source_self_test(int verbose)
+{
+ int ret = 0;
+ unsigned char buf0[2 * sizeof(unsigned long long int)];
+ unsigned char buf1[2 * sizeof(unsigned long long int)];
+
+ if (verbose != 0) {
+ mbedtls_printf(" ENTROPY_BIAS test: ");
+ }
+
+ memset(buf0, 0x00, sizeof(buf0));
+ memset(buf1, 0x00, sizeof(buf1));
+
+ if ((ret = mbedtls_entropy_source_self_test_gather(buf0, sizeof(buf0))) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_entropy_source_self_test_gather(buf1, sizeof(buf1))) != 0) {
+ goto cleanup;
+ }
+
+ /* Make sure that the returned values are not all 0 or 1 */
+ if ((ret = mbedtls_entropy_source_self_test_check_bits(buf0, sizeof(buf0))) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_entropy_source_self_test_check_bits(buf1, sizeof(buf1))) != 0) {
+ goto cleanup;
+ }
+
+ /* Make sure that the entropy source is not returning values in a
+ * pattern */
+ ret = memcmp(buf0, buf1, sizeof(buf0)) == 0;
+
+cleanup:
+ if (verbose != 0) {
+ if (ret != 0) {
+ mbedtls_printf("failed\n");
+ } else {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_printf("\n");
+ }
+
+ return ret != 0;
+}
+
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+
+/*
+ * The actual entropy quality is hard to test, but we can at least
+ * test that the functions don't cause errors and write the correct
+ * amount of data to buffers.
+ */
+int mbedtls_entropy_self_test(int verbose)
+{
+ int ret = 1;
+ mbedtls_entropy_context ctx;
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+ unsigned char acc[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+ size_t i, j;
+
+ if (verbose != 0) {
+ mbedtls_printf(" ENTROPY test: ");
+ }
+
+ mbedtls_entropy_init(&ctx);
+
+ /* First do a gather to make sure we have default sources */
+ if ((ret = mbedtls_entropy_gather(&ctx)) != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_entropy_add_source(&ctx, entropy_dummy_source, NULL, 16,
+ MBEDTLS_ENTROPY_SOURCE_WEAK);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_entropy_update_manual(&ctx, buf, sizeof(buf))) != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * To test that mbedtls_entropy_func writes correct number of bytes:
+ * - use the whole buffer and rely on ASan to detect overruns
+ * - collect entropy 8 times and OR the result in an accumulator:
+ * any byte should then be 0 with probably 2^(-64), so requiring
+ * each of the 32 or 64 bytes to be non-zero has a false failure rate
+ * of at most 2^(-58) which is acceptable.
+ */
+ for (i = 0; i < 8; i++) {
+ if ((ret = mbedtls_entropy_func(&ctx, buf, sizeof(buf))) != 0) {
+ goto cleanup;
+ }
+
+ for (j = 0; j < sizeof(buf); j++) {
+ acc[j] |= buf[j];
+ }
+ }
+
+ for (j = 0; j < sizeof(buf); j++) {
+ if (acc[j] == 0) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+ if ((ret = mbedtls_entropy_source_self_test(0)) != 0) {
+ goto cleanup;
+ }
+#endif
+
+cleanup:
+ mbedtls_entropy_free(&ctx);
+
+ if (verbose != 0) {
+ if (ret != 0) {
+ mbedtls_printf("failed\n");
+ } else {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_printf("\n");
+ }
+
+ return ret != 0;
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ENTROPY_C */
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
new file mode 100644
index 0000000..794ee03
--- /dev/null
+++ b/library/entropy_poll.c
@@ -0,0 +1,229 @@
+/*
+ * Platform-specific and custom entropy polling functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#if defined(__linux__) || defined(__midipix__) && !defined(_GNU_SOURCE)
+/* Ensure that syscall() is available even when compiling with -std=c99 */
+#define _GNU_SOURCE
+#endif
+
+#include "common.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#include "mbedtls/entropy.h"
+#include "entropy_poll.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_TIMING_C)
+#include "mbedtls/timing.h"
+#endif
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+ !defined(__HAIKU__) && !defined(__midipix__) && !defined(__MVS__)
+#error \
+ "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in mbedtls_config.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#include <windows.h>
+#include <bcrypt.h>
+#include <intsafe.h>
+
+int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
+ size_t *olen)
+{
+ ((void) data);
+ *olen = 0;
+
+ /*
+ * BCryptGenRandom takes ULONG for size, which is smaller than size_t on
+ * 64-bit Windows platforms. Extract entropy in chunks of len (dependent
+ * on ULONG_MAX) size.
+ */
+ while (len != 0) {
+ unsigned long ulong_bytes =
+ (len > ULONG_MAX) ? ULONG_MAX : (unsigned long) len;
+
+ if (!BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, ulong_bytes,
+ BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+ *olen += ulong_bytes;
+ len -= ulong_bytes;
+ }
+
+ return 0;
+}
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Test for Linux getrandom() support.
+ * Since there is no wrapper in the libc yet, use the generic syscall wrapper
+ * available in GNU libc and compatible libc's (eg uClibc).
+ */
+#if ((defined(__linux__) && defined(__GLIBC__)) || defined(__midipix__))
+#include <unistd.h>
+#include <sys/syscall.h>
+#if defined(SYS_getrandom)
+#define HAVE_GETRANDOM
+#include <errno.h>
+
+static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags)
+{
+ /* MemSan cannot understand that the syscall writes to the buffer */
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+ memset(buf, 0, buflen);
+#endif
+#endif
+ return (int) syscall(SYS_getrandom, buf, buflen, flags);
+}
+#endif /* SYS_getrandom */
+#endif /* __linux__ || __midipix__ */
+
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+#include <sys/param.h>
+#if (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || \
+ (defined(__DragonFly__) && __DragonFly_version >= 500700)
+#include <errno.h>
+#include <sys/random.h>
+#define HAVE_GETRANDOM
+static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags)
+{
+ return (int) getrandom(buf, buflen, flags);
+}
+#endif /* (__FreeBSD__ && __FreeBSD_version >= 1200000) ||
+ (__DragonFly__ && __DragonFly_version >= 500700) */
+#endif /* __FreeBSD__ || __DragonFly__ */
+
+/*
+ * Some BSD systems provide KERN_ARND.
+ * This is equivalent to reading from /dev/urandom, only it doesn't require an
+ * open file descriptor, and provides up to 256 bytes per call (basically the
+ * same as getentropy(), but with a longer history).
+ *
+ * Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
+ */
+#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#if defined(KERN_ARND)
+#define HAVE_SYSCTL_ARND
+
+static int sysctl_arnd_wrapper(unsigned char *buf, size_t buflen)
+{
+ int name[2];
+ size_t len;
+
+ name[0] = CTL_KERN;
+ name[1] = KERN_ARND;
+
+ while (buflen > 0) {
+ len = buflen > 256 ? 256 : buflen;
+ if (sysctl(name, 2, buf, &len, NULL, 0) == -1) {
+ return -1;
+ }
+ buflen -= len;
+ buf += len;
+ }
+ return 0;
+}
+#endif /* KERN_ARND */
+#endif /* __FreeBSD__ || __NetBSD__ */
+
+#include <stdio.h>
+
+int mbedtls_platform_entropy_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen)
+{
+ FILE *file;
+ size_t read_len;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ((void) data);
+
+#if defined(HAVE_GETRANDOM)
+ ret = getrandom_wrapper(output, len, 0);
+ if (ret >= 0) {
+ *olen = (size_t) ret;
+ return 0;
+ } else if (errno != ENOSYS) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+ /* Fall through if the system call isn't known. */
+#else
+ ((void) ret);
+#endif /* HAVE_GETRANDOM */
+
+#if defined(HAVE_SYSCTL_ARND)
+ ((void) file);
+ ((void) read_len);
+ if (sysctl_arnd_wrapper(output, len) == -1) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+ *olen = len;
+ return 0;
+#else
+
+ *olen = 0;
+
+ file = fopen("/dev/urandom", "rb");
+ if (file == NULL) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(file, NULL);
+
+ read_len = fread(output, 1, len, file);
+ if (read_len != len) {
+ fclose(file);
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+ fclose(file);
+ *olen = len;
+
+ return 0;
+#endif /* HAVE_SYSCTL_ARND */
+}
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_nv_seed_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen)
+{
+ unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+ size_t use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+ ((void) data);
+
+ memset(buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE);
+
+ if (mbedtls_nv_seed_read(buf, MBEDTLS_ENTROPY_BLOCK_SIZE) < 0) {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+
+ if (len < use_len) {
+ use_len = len;
+ }
+
+ memcpy(output, buf, use_len);
+ *olen = use_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#endif /* MBEDTLS_ENTROPY_C */
diff --git a/library/entropy_poll.h b/library/entropy_poll.h
new file mode 100644
index 0000000..6b4aec0
--- /dev/null
+++ b/library/entropy_poll.h
@@ -0,0 +1,64 @@
+/**
+ * \file entropy_poll.h
+ *
+ * \brief Platform-specific and custom entropy polling functions
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_ENTROPY_POLL_H
+#define MBEDTLS_ENTROPY_POLL_H
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Default thresholds for built-in sources, in bytes
+ */
+#define MBEDTLS_ENTROPY_MIN_PLATFORM 32 /**< Minimum for platform source */
+#if !defined(MBEDTLS_ENTROPY_MIN_HARDWARE)
+#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Minimum for the hardware source */
+#endif
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+/**
+ * \brief Platform-specific entropy poll callback
+ */
+int mbedtls_platform_entropy_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen);
+#endif
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+/**
+ * \brief Entropy poll callback for a hardware source
+ *
+ * \warning This is not provided by Mbed TLS!
+ * See \c MBEDTLS_ENTROPY_HARDWARE_ALT in mbedtls_config.h.
+ *
+ * \note This must accept NULL as its first argument.
+ */
+int mbedtls_hardware_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen);
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/**
+ * \brief Entropy poll callback for a non-volatile seed file
+ *
+ * \note This must accept NULL as its first argument.
+ */
+int mbedtls_nv_seed_poll(void *data,
+ unsigned char *output, size_t len, size_t *olen);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* entropy_poll.h */
diff --git a/library/error.c b/library/error.c
new file mode 100644
index 0000000..84b637a
--- /dev/null
+++ b/library/error.c
@@ -0,0 +1,880 @@
+/*
+ * Error message information
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_ERROR_C) || defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+
+#if defined(MBEDTLS_ERROR_C)
+
+#include "mbedtls/platform.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+#if defined(MBEDTLS_BASE64_C)
+#include "mbedtls/base64.h"
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+#include "mbedtls/cipher.h"
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+#include "mbedtls/dhm.h"
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C)
+#include "mbedtls/entropy.h"
+#endif
+
+#if defined(MBEDTLS_ERROR_C)
+#include "mbedtls/error.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_HKDF_C)
+#include "mbedtls/hkdf.h"
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#endif
+
+#if defined(MBEDTLS_LMS_C)
+#include "mbedtls/lms.h"
+#endif
+
+#if defined(MBEDTLS_MD_C)
+#include "mbedtls/md.h"
+#endif
+
+#if defined(MBEDTLS_NET_C)
+#include "mbedtls/net_sockets.h"
+#endif
+
+#if defined(MBEDTLS_OID_C)
+#include "mbedtls/oid.h"
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk.h"
+#endif
+
+#if defined(MBEDTLS_PKCS12_C)
+#include "mbedtls/pkcs12.h"
+#endif
+
+#if defined(MBEDTLS_PKCS5_C)
+#include "mbedtls/pkcs5.h"
+#endif
+
+#if defined(MBEDTLS_PKCS7_C)
+#include "mbedtls/pkcs7.h"
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+#include "mbedtls/poly1305.h"
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "mbedtls/sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "mbedtls/sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA3_C)
+#include "mbedtls/sha3.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "mbedtls/sha512.h"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+#include "mbedtls/ssl.h"
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "mbedtls/x509.h"
+#endif
+
+
+const char *mbedtls_high_level_strerr(int error_code)
+{
+ int high_level_error_code;
+
+ if (error_code < 0) {
+ error_code = -error_code;
+ }
+
+ /* Extract the high-level part from the error code. */
+ high_level_error_code = error_code & 0xFF80;
+
+ switch (high_level_error_code) {
+ /* Begin Auto-Generated Code. */
+ #if defined(MBEDTLS_CIPHER_C)
+ case -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE):
+ return( "CIPHER - The selected feature is not available" );
+ case -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA):
+ return( "CIPHER - Bad input parameters" );
+ case -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED):
+ return( "CIPHER - Failed to allocate memory" );
+ case -(MBEDTLS_ERR_CIPHER_INVALID_PADDING):
+ return( "CIPHER - Input data contains invalid padding and is rejected" );
+ case -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED):
+ return( "CIPHER - Decryption of block requires a full block" );
+ case -(MBEDTLS_ERR_CIPHER_AUTH_FAILED):
+ return( "CIPHER - Authentication failed (for AEAD modes)" );
+ case -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT):
+ return( "CIPHER - The context is invalid. For example, because it was freed" );
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_DHM_C)
+ case -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA):
+ return( "DHM - Bad input parameters" );
+ case -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED):
+ return( "DHM - Reading of the DHM parameters failed" );
+ case -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED):
+ return( "DHM - Making of the DHM parameters failed" );
+ case -(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED):
+ return( "DHM - Reading of the public values failed" );
+ case -(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED):
+ return( "DHM - Making of the public value failed" );
+ case -(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED):
+ return( "DHM - Calculation of the DHM secret failed" );
+ case -(MBEDTLS_ERR_DHM_INVALID_FORMAT):
+ return( "DHM - The ASN.1 data is not formatted correctly" );
+ case -(MBEDTLS_ERR_DHM_ALLOC_FAILED):
+ return( "DHM - Allocation of memory failed" );
+ case -(MBEDTLS_ERR_DHM_FILE_IO_ERROR):
+ return( "DHM - Read or write of file failed" );
+ case -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED):
+ return( "DHM - Setting the modulus and generator failed" );
+#endif /* MBEDTLS_DHM_C */
+
+#if defined(MBEDTLS_ECP_C)
+ case -(MBEDTLS_ERR_ECP_BAD_INPUT_DATA):
+ return( "ECP - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL):
+ return( "ECP - The buffer is too small to write to" );
+ case -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE):
+ return( "ECP - The requested feature is not available, for example, the requested curve is not supported" );
+ case -(MBEDTLS_ERR_ECP_VERIFY_FAILED):
+ return( "ECP - The signature is not valid" );
+ case -(MBEDTLS_ERR_ECP_ALLOC_FAILED):
+ return( "ECP - Memory allocation failed" );
+ case -(MBEDTLS_ERR_ECP_RANDOM_FAILED):
+ return( "ECP - Generation of random value, such as ephemeral key, failed" );
+ case -(MBEDTLS_ERR_ECP_INVALID_KEY):
+ return( "ECP - Invalid private or public key" );
+ case -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH):
+ return( "ECP - The buffer contains a valid signature followed by more data" );
+ case -(MBEDTLS_ERR_ECP_IN_PROGRESS):
+ return( "ECP - Operation in progress, call again with the same parameters to continue" );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_MD_C)
+ case -(MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE):
+ return( "MD - The selected feature is not available" );
+ case -(MBEDTLS_ERR_MD_BAD_INPUT_DATA):
+ return( "MD - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_MD_ALLOC_FAILED):
+ return( "MD - Failed to allocate memory" );
+ case -(MBEDTLS_ERR_MD_FILE_IO_ERROR):
+ return( "MD - Opening or reading of file failed" );
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+ case -(MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT):
+ return( "PEM - No PEM header or footer found" );
+ case -(MBEDTLS_ERR_PEM_INVALID_DATA):
+ return( "PEM - PEM string is not as expected" );
+ case -(MBEDTLS_ERR_PEM_ALLOC_FAILED):
+ return( "PEM - Failed to allocate memory" );
+ case -(MBEDTLS_ERR_PEM_INVALID_ENC_IV):
+ return( "PEM - RSA IV is not in hex-format" );
+ case -(MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG):
+ return( "PEM - Unsupported key encryption algorithm" );
+ case -(MBEDTLS_ERR_PEM_PASSWORD_REQUIRED):
+ return( "PEM - Private key password can't be empty" );
+ case -(MBEDTLS_ERR_PEM_PASSWORD_MISMATCH):
+ return( "PEM - Given private key password does not allow for correct decryption" );
+ case -(MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE):
+ return( "PEM - Unavailable feature, e.g. hashing/encryption combination" );
+ case -(MBEDTLS_ERR_PEM_BAD_INPUT_DATA):
+ return( "PEM - Bad input parameters to function" );
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
+
+#if defined(MBEDTLS_PK_C)
+ case -(MBEDTLS_ERR_PK_ALLOC_FAILED):
+ return( "PK - Memory allocation failed" );
+ case -(MBEDTLS_ERR_PK_TYPE_MISMATCH):
+ return( "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" );
+ case -(MBEDTLS_ERR_PK_BAD_INPUT_DATA):
+ return( "PK - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_PK_FILE_IO_ERROR):
+ return( "PK - Read/write of file failed" );
+ case -(MBEDTLS_ERR_PK_KEY_INVALID_VERSION):
+ return( "PK - Unsupported key version" );
+ case -(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT):
+ return( "PK - Invalid key tag or value" );
+ case -(MBEDTLS_ERR_PK_UNKNOWN_PK_ALG):
+ return( "PK - Key algorithm is unsupported (only RSA and EC are supported)" );
+ case -(MBEDTLS_ERR_PK_PASSWORD_REQUIRED):
+ return( "PK - Private key password can't be empty" );
+ case -(MBEDTLS_ERR_PK_PASSWORD_MISMATCH):
+ return( "PK - Given private key password does not allow for correct decryption" );
+ case -(MBEDTLS_ERR_PK_INVALID_PUBKEY):
+ return( "PK - The pubkey tag or value is invalid (only RSA and EC are supported)" );
+ case -(MBEDTLS_ERR_PK_INVALID_ALG):
+ return( "PK - The algorithm tag or value is invalid" );
+ case -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE):
+ return( "PK - Elliptic curve is unsupported (only NIST curves are supported)" );
+ case -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE):
+ return( "PK - Unavailable feature, e.g. RSA disabled for RSA key" );
+ case -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH):
+ return( "PK - The buffer contains a valid signature followed by more data" );
+ case -(MBEDTLS_ERR_PK_BUFFER_TOO_SMALL):
+ return( "PK - The output buffer is too small" );
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+ case -(MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA):
+ return( "PKCS12 - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE):
+ return( "PKCS12 - Feature not available, e.g. unsupported encryption scheme" );
+ case -(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT):
+ return( "PKCS12 - PBE ASN.1 data not as expected" );
+ case -(MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH):
+ return( "PKCS12 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS12_C */
+
+#if defined(MBEDTLS_PKCS5_C)
+ case -(MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA):
+ return( "PKCS5 - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_PKCS5_INVALID_FORMAT):
+ return( "PKCS5 - Unexpected ASN.1 data" );
+ case -(MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE):
+ return( "PKCS5 - Requested encryption or digest alg not available" );
+ case -(MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH):
+ return( "PKCS5 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS5_C */
+
+#if defined(MBEDTLS_PKCS7_C)
+ case -(MBEDTLS_ERR_PKCS7_INVALID_FORMAT):
+ return( "PKCS7 - The format is invalid, e.g. different type expected" );
+ case -(MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE):
+ return( "PKCS7 - Unavailable feature, e.g. anything other than signed data" );
+ case -(MBEDTLS_ERR_PKCS7_INVALID_VERSION):
+ return( "PKCS7 - The PKCS #7 version element is invalid or cannot be parsed" );
+ case -(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO):
+ return( "PKCS7 - The PKCS #7 content info is invalid or cannot be parsed" );
+ case -(MBEDTLS_ERR_PKCS7_INVALID_ALG):
+ return( "PKCS7 - The algorithm tag or value is invalid or cannot be parsed" );
+ case -(MBEDTLS_ERR_PKCS7_INVALID_CERT):
+ return( "PKCS7 - The certificate tag or value is invalid or cannot be parsed" );
+ case -(MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE):
+ return( "PKCS7 - Error parsing the signature" );
+ case -(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO):
+ return( "PKCS7 - Error parsing the signer's info" );
+ case -(MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA):
+ return( "PKCS7 - Input invalid" );
+ case -(MBEDTLS_ERR_PKCS7_ALLOC_FAILED):
+ return( "PKCS7 - Allocation of memory failed" );
+ case -(MBEDTLS_ERR_PKCS7_VERIFY_FAIL):
+ return( "PKCS7 - Verification Failed" );
+ case -(MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID):
+ return( "PKCS7 - The PKCS #7 date issued/expired dates are invalid" );
+#endif /* MBEDTLS_PKCS7_C */
+
+#if defined(MBEDTLS_RSA_C)
+ case -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA):
+ return( "RSA - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_RSA_INVALID_PADDING):
+ return( "RSA - Input data contains invalid padding and is rejected" );
+ case -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED):
+ return( "RSA - Something failed during generation of a key" );
+ case -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED):
+ return( "RSA - Key failed to pass the validity check of the library" );
+ case -(MBEDTLS_ERR_RSA_PUBLIC_FAILED):
+ return( "RSA - The public key operation failed" );
+ case -(MBEDTLS_ERR_RSA_PRIVATE_FAILED):
+ return( "RSA - The private key operation failed" );
+ case -(MBEDTLS_ERR_RSA_VERIFY_FAILED):
+ return( "RSA - The PKCS#1 verification failed" );
+ case -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE):
+ return( "RSA - The output buffer for decryption is not large enough" );
+ case -(MBEDTLS_ERR_RSA_RNG_FAILED):
+ return( "RSA - The random generator failed to generate non-zeros" );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_SSL_TLS_C)
+ case -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS):
+ return( "SSL - A cryptographic operation is in progress. Try again later" );
+ case -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE):
+ return( "SSL - The requested feature is not available" );
+ case -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA):
+ return( "SSL - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_SSL_INVALID_MAC):
+ return( "SSL - Verification of the message MAC failed" );
+ case -(MBEDTLS_ERR_SSL_INVALID_RECORD):
+ return( "SSL - An invalid SSL record was received" );
+ case -(MBEDTLS_ERR_SSL_CONN_EOF):
+ return( "SSL - The connection indicated an EOF" );
+ case -(MBEDTLS_ERR_SSL_DECODE_ERROR):
+ return( "SSL - A message could not be parsed due to a syntactic error" );
+ case -(MBEDTLS_ERR_SSL_NO_RNG):
+ return( "SSL - No RNG was provided to the SSL module" );
+ case -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE):
+ return( "SSL - No client certification received from the client, but required by the authentication mode" );
+ case -(MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION):
+ return( "SSL - Client received an extended server hello containing an unsupported extension" );
+ case -(MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL):
+ return( "SSL - No ALPN protocols supported that the client advertises" );
+ case -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED):
+ return( "SSL - The own private key or pre-shared key is not set, but needed" );
+ case -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED):
+ return( "SSL - No CA Chain is set, but required to operate" );
+ case -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE):
+ return( "SSL - An unexpected message was received from our peer" );
+ case -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE):
+ return( "SSL - A fatal alert message was received from our peer" );
+ case -(MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME):
+ return( "SSL - No server could be identified matching the client's SNI" );
+ case -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY):
+ return( "SSL - The peer notified us that the connection is going to be closed" );
+ case -(MBEDTLS_ERR_SSL_BAD_CERTIFICATE):
+ return( "SSL - Processing of the Certificate handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET):
+ return( "SSL - * Received NewSessionTicket Post Handshake Message. This error code is experimental and may be changed or removed without notice" );
+ case -(MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA):
+ return( "SSL - Not possible to read early data" );
+ case -(MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA):
+ return( "SSL - * Early data has been received as part of an on-going handshake. This error code can be returned only on server side if and only if early data has been enabled by means of the mbedtls_ssl_conf_early_data() API. This error code can then be returned by mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(), mbedtls_ssl_read() or mbedtls_ssl_write() if early data has been received as part of the handshake sequence they triggered. To read the early data, call mbedtls_ssl_read_early_data()" );
+ case -(MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA):
+ return( "SSL - Not possible to write early data" );
+ case -(MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND):
+ return( "SSL - Cache entry not found" );
+ case -(MBEDTLS_ERR_SSL_ALLOC_FAILED):
+ return( "SSL - Memory allocation failed" );
+ case -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED):
+ return( "SSL - Hardware acceleration function returned with error" );
+ case -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH):
+ return( "SSL - Hardware acceleration function skipped / left alone data" );
+ case -(MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION):
+ return( "SSL - Handshake protocol not within min/max boundaries" );
+ case -(MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE):
+ return( "SSL - The handshake negotiation failed" );
+ case -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED):
+ return( "SSL - Session ticket has expired" );
+ case -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH):
+ return( "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
+ case -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY):
+ return( "SSL - Unknown identity received (eg, PSK identity)" );
+ case -(MBEDTLS_ERR_SSL_INTERNAL_ERROR):
+ return( "SSL - Internal error (eg, unexpected failure in lower-level module)" );
+ case -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING):
+ return( "SSL - A counter would wrap (eg, too many messages exchanged)" );
+ case -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO):
+ return( "SSL - Unexpected message at ServerHello in renegotiation" );
+ case -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED):
+ return( "SSL - DTLS client must retry for hello verification" );
+ case -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL):
+ return( "SSL - A buffer is too small to receive or write a message" );
+ case -(MBEDTLS_ERR_SSL_WANT_READ):
+ return( "SSL - No data of requested type currently available on underlying transport" );
+ case -(MBEDTLS_ERR_SSL_WANT_WRITE):
+ return( "SSL - Connection requires a write call" );
+ case -(MBEDTLS_ERR_SSL_TIMEOUT):
+ return( "SSL - The operation timed out" );
+ case -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT):
+ return( "SSL - The client initiated a reconnect from the same port" );
+ case -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD):
+ return( "SSL - Record header looks valid but is not expected" );
+ case -(MBEDTLS_ERR_SSL_NON_FATAL):
+ return( "SSL - The alert message received indicates a non-fatal error" );
+ case -(MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER):
+ return( "SSL - A field in a message was incorrect or inconsistent with other fields" );
+ case -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING):
+ return( "SSL - Internal-only message signaling that further message-processing should be done" );
+ case -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS):
+ return( "SSL - The asynchronous operation is not completed yet" );
+ case -(MBEDTLS_ERR_SSL_EARLY_MESSAGE):
+ return( "SSL - Internal-only message signaling that a message arrived early" );
+ case -(MBEDTLS_ERR_SSL_UNEXPECTED_CID):
+ return( "SSL - An encrypted DTLS-frame with an unexpected CID was received" );
+ case -(MBEDTLS_ERR_SSL_VERSION_MISMATCH):
+ return( "SSL - An operation failed due to an unexpected version or configuration" );
+ case -(MBEDTLS_ERR_SSL_BAD_CONFIG):
+ return( "SSL - Invalid value in SSL config" );
+#endif /* MBEDTLS_SSL_TLS_C */
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+ case -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE):
+ return( "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
+ case -(MBEDTLS_ERR_X509_UNKNOWN_OID):
+ return( "X509 - Requested OID is unknown" );
+ case -(MBEDTLS_ERR_X509_INVALID_FORMAT):
+ return( "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected" );
+ case -(MBEDTLS_ERR_X509_INVALID_VERSION):
+ return( "X509 - The CRT/CRL/CSR version element is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_SERIAL):
+ return( "X509 - The serial tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_ALG):
+ return( "X509 - The algorithm tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_NAME):
+ return( "X509 - The name tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_DATE):
+ return( "X509 - The date tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_SIGNATURE):
+ return( "X509 - The signature tag or value invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS):
+ return( "X509 - The extension tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_UNKNOWN_VERSION):
+ return( "X509 - CRT/CRL/CSR has an unsupported version number" );
+ case -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG):
+ return( "X509 - Signature algorithm (oid) is unsupported" );
+ case -(MBEDTLS_ERR_X509_SIG_MISMATCH):
+ return( "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)" );
+ case -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED):
+ return( "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
+ case -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT):
+ return( "X509 - Format not recognized as DER or PEM" );
+ case -(MBEDTLS_ERR_X509_BAD_INPUT_DATA):
+ return( "X509 - Input invalid" );
+ case -(MBEDTLS_ERR_X509_ALLOC_FAILED):
+ return( "X509 - Allocation of memory failed" );
+ case -(MBEDTLS_ERR_X509_FILE_IO_ERROR):
+ return( "X509 - Read/write of file failed" );
+ case -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL):
+ return( "X509 - Destination buffer is too small" );
+ case -(MBEDTLS_ERR_X509_FATAL_ERROR):
+ return( "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed" );
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+ /* End Auto-Generated Code. */
+
+ default:
+ break;
+ }
+
+ return NULL;
+}
+
+const char *mbedtls_low_level_strerr(int error_code)
+{
+ int low_level_error_code;
+
+ if (error_code < 0) {
+ error_code = -error_code;
+ }
+
+ /* Extract the low-level part from the error code. */
+ low_level_error_code = error_code & ~0xFF80;
+
+ switch (low_level_error_code) {
+ /* Begin Auto-Generated Code. */
+ #if defined(MBEDTLS_AES_C)
+ case -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH):
+ return( "AES - Invalid key length" );
+ case -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH):
+ return( "AES - Invalid data input length" );
+ case -(MBEDTLS_ERR_AES_BAD_INPUT_DATA):
+ return( "AES - Invalid input data" );
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARIA_C)
+ case -(MBEDTLS_ERR_ARIA_BAD_INPUT_DATA):
+ return( "ARIA - Bad input data" );
+ case -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH):
+ return( "ARIA - Invalid data input length" );
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ case -(MBEDTLS_ERR_ASN1_OUT_OF_DATA):
+ return( "ASN1 - Out of data when parsing an ASN1 data structure" );
+ case -(MBEDTLS_ERR_ASN1_UNEXPECTED_TAG):
+ return( "ASN1 - ASN1 tag was of an unexpected value" );
+ case -(MBEDTLS_ERR_ASN1_INVALID_LENGTH):
+ return( "ASN1 - Error when trying to determine the length or invalid length" );
+ case -(MBEDTLS_ERR_ASN1_LENGTH_MISMATCH):
+ return( "ASN1 - Actual length differs from expected length" );
+ case -(MBEDTLS_ERR_ASN1_INVALID_DATA):
+ return( "ASN1 - Data is invalid" );
+ case -(MBEDTLS_ERR_ASN1_ALLOC_FAILED):
+ return( "ASN1 - Memory allocation failed" );
+ case -(MBEDTLS_ERR_ASN1_BUF_TOO_SMALL):
+ return( "ASN1 - Buffer too small when writing ASN.1 data structure" );
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_BASE64_C)
+ case -(MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL):
+ return( "BASE64 - Output buffer too small" );
+ case -(MBEDTLS_ERR_BASE64_INVALID_CHARACTER):
+ return( "BASE64 - Invalid character in input" );
+#endif /* MBEDTLS_BASE64_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+ case -(MBEDTLS_ERR_MPI_FILE_IO_ERROR):
+ return( "BIGNUM - An error occurred while reading from or writing to a file" );
+ case -(MBEDTLS_ERR_MPI_BAD_INPUT_DATA):
+ return( "BIGNUM - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_MPI_INVALID_CHARACTER):
+ return( "BIGNUM - There is an invalid character in the digit string" );
+ case -(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL):
+ return( "BIGNUM - The buffer is too small to write to" );
+ case -(MBEDTLS_ERR_MPI_NEGATIVE_VALUE):
+ return( "BIGNUM - The input arguments are negative or result in illegal output" );
+ case -(MBEDTLS_ERR_MPI_DIVISION_BY_ZERO):
+ return( "BIGNUM - The input argument for division is zero, which is not allowed" );
+ case -(MBEDTLS_ERR_MPI_NOT_ACCEPTABLE):
+ return( "BIGNUM - The input arguments are not acceptable" );
+ case -(MBEDTLS_ERR_MPI_ALLOC_FAILED):
+ return( "BIGNUM - Memory allocation failed" );
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+ case -(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA):
+ return( "CAMELLIA - Bad input data" );
+ case -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH):
+ return( "CAMELLIA - Invalid data input length" );
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_CCM_C)
+ case -(MBEDTLS_ERR_CCM_BAD_INPUT):
+ return( "CCM - Bad input parameters to the function" );
+ case -(MBEDTLS_ERR_CCM_AUTH_FAILED):
+ return( "CCM - Authenticated decryption failed" );
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+ case -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA):
+ return( "CHACHA20 - Invalid input parameter(s)" );
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ case -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE):
+ return( "CHACHAPOLY - The requested operation is not permitted in the current state" );
+ case -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED):
+ return( "CHACHAPOLY - Authenticated decryption failed: data was not authentic" );
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+ case -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED):
+ return( "CTR_DRBG - The entropy source failed" );
+ case -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG):
+ return( "CTR_DRBG - The requested random buffer length is too big" );
+ case -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG):
+ return( "CTR_DRBG - The input (entropy + additional data) is too large" );
+ case -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR):
+ return( "CTR_DRBG - Read or write error in file" );
+#endif /* MBEDTLS_CTR_DRBG_C */
+
+#if defined(MBEDTLS_DES_C)
+ case -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH):
+ return( "DES - The data input has an invalid length" );
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ENTROPY_C)
+ case -(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED):
+ return( "ENTROPY - Critical entropy source failure" );
+ case -(MBEDTLS_ERR_ENTROPY_MAX_SOURCES):
+ return( "ENTROPY - No more sources can be added" );
+ case -(MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED):
+ return( "ENTROPY - No sources have been added to poll" );
+ case -(MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE):
+ return( "ENTROPY - No strong sources have been added to poll" );
+ case -(MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR):
+ return( "ENTROPY - Read/write error in file" );
+#endif /* MBEDTLS_ENTROPY_C */
+
+#if defined(MBEDTLS_ERROR_C)
+ case -(MBEDTLS_ERR_ERROR_GENERIC_ERROR):
+ return( "ERROR - Generic error" );
+ case -(MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED):
+ return( "ERROR - This is a bug in the library" );
+#endif /* MBEDTLS_ERROR_C */
+
+#if defined(MBEDTLS_PLATFORM_C)
+ case -(MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED):
+ return( "PLATFORM - Hardware accelerator failed" );
+ case -(MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED):
+ return( "PLATFORM - The requested feature is not supported by the platform" );
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if defined(MBEDTLS_GCM_C)
+ case -(MBEDTLS_ERR_GCM_AUTH_FAILED):
+ return( "GCM - Authenticated decryption failed" );
+ case -(MBEDTLS_ERR_GCM_BAD_INPUT):
+ return( "GCM - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL):
+ return( "GCM - An output buffer is too small" );
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_HKDF_C)
+ case -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA):
+ return( "HKDF - Bad input parameters to function" );
+#endif /* MBEDTLS_HKDF_C */
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+ case -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG):
+ return( "HMAC_DRBG - Too many random requested in single call" );
+ case -(MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG):
+ return( "HMAC_DRBG - Input too large (Entropy + additional)" );
+ case -(MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR):
+ return( "HMAC_DRBG - Read/write error in file" );
+ case -(MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED):
+ return( "HMAC_DRBG - The entropy source failed" );
+#endif /* MBEDTLS_HMAC_DRBG_C */
+
+#if defined(MBEDTLS_LMS_C)
+ case -(MBEDTLS_ERR_LMS_BAD_INPUT_DATA):
+ return( "LMS - Bad data has been input to an LMS function" );
+ case -(MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS):
+ return( "LMS - Specified LMS key has utilised all of its private keys" );
+ case -(MBEDTLS_ERR_LMS_VERIFY_FAILED):
+ return( "LMS - LMS signature verification failed" );
+ case -(MBEDTLS_ERR_LMS_ALLOC_FAILED):
+ return( "LMS - LMS failed to allocate space for a private key" );
+ case -(MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL):
+ return( "LMS - Input/output buffer is too small to contain requited data" );
+#endif /* MBEDTLS_LMS_C */
+
+#if defined(MBEDTLS_NET_C)
+ case -(MBEDTLS_ERR_NET_SOCKET_FAILED):
+ return( "NET - Failed to open a socket" );
+ case -(MBEDTLS_ERR_NET_CONNECT_FAILED):
+ return( "NET - The connection to the given server / port failed" );
+ case -(MBEDTLS_ERR_NET_BIND_FAILED):
+ return( "NET - Binding of the socket failed" );
+ case -(MBEDTLS_ERR_NET_LISTEN_FAILED):
+ return( "NET - Could not listen on the socket" );
+ case -(MBEDTLS_ERR_NET_ACCEPT_FAILED):
+ return( "NET - Could not accept the incoming connection" );
+ case -(MBEDTLS_ERR_NET_RECV_FAILED):
+ return( "NET - Reading information from the socket failed" );
+ case -(MBEDTLS_ERR_NET_SEND_FAILED):
+ return( "NET - Sending information through the socket failed" );
+ case -(MBEDTLS_ERR_NET_CONN_RESET):
+ return( "NET - Connection was reset by peer" );
+ case -(MBEDTLS_ERR_NET_UNKNOWN_HOST):
+ return( "NET - Failed to get an IP address for the given hostname" );
+ case -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL):
+ return( "NET - Buffer is too small to hold the data" );
+ case -(MBEDTLS_ERR_NET_INVALID_CONTEXT):
+ return( "NET - The context is invalid, eg because it was free()ed" );
+ case -(MBEDTLS_ERR_NET_POLL_FAILED):
+ return( "NET - Polling the net context failed" );
+ case -(MBEDTLS_ERR_NET_BAD_INPUT_DATA):
+ return( "NET - Input invalid" );
+#endif /* MBEDTLS_NET_C */
+
+#if defined(MBEDTLS_OID_C)
+ case -(MBEDTLS_ERR_OID_NOT_FOUND):
+ return( "OID - OID is not found" );
+ case -(MBEDTLS_ERR_OID_BUF_TOO_SMALL):
+ return( "OID - output buffer is too small" );
+#endif /* MBEDTLS_OID_C */
+
+#if defined(MBEDTLS_POLY1305_C)
+ case -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA):
+ return( "POLY1305 - Invalid input parameter(s)" );
+#endif /* MBEDTLS_POLY1305_C */
+
+#if defined(MBEDTLS_SHA1_C)
+ case -(MBEDTLS_ERR_SHA1_BAD_INPUT_DATA):
+ return( "SHA1 - SHA-1 input data was malformed" );
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+ case -(MBEDTLS_ERR_SHA256_BAD_INPUT_DATA):
+ return( "SHA256 - SHA-256 input data was malformed" );
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA3_C)
+ case -(MBEDTLS_ERR_SHA3_BAD_INPUT_DATA):
+ return( "SHA3 - SHA-3 input data was malformed" );
+#endif /* MBEDTLS_SHA3_C */
+
+#if defined(MBEDTLS_SHA512_C)
+ case -(MBEDTLS_ERR_SHA512_BAD_INPUT_DATA):
+ return( "SHA512 - SHA-512 input data was malformed" );
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_THREADING_C)
+ case -(MBEDTLS_ERR_THREADING_BAD_INPUT_DATA):
+ return( "THREADING - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_THREADING_MUTEX_ERROR):
+ return( "THREADING - Locking / unlocking / free failed with error code" );
+#endif /* MBEDTLS_THREADING_C */
+ /* End Auto-Generated Code. */
+
+ default:
+ break;
+ }
+
+ return NULL;
+}
+
+void mbedtls_strerror(int ret, char *buf, size_t buflen)
+{
+ size_t len;
+ int use_ret;
+ const char *high_level_error_description = NULL;
+ const char *low_level_error_description = NULL;
+
+ if (buflen == 0) {
+ return;
+ }
+
+ memset(buf, 0x00, buflen);
+
+ if (ret < 0) {
+ ret = -ret;
+ }
+
+ if (ret & 0xFF80) {
+ use_ret = ret & 0xFF80;
+
+ // Translate high level error code.
+ high_level_error_description = mbedtls_high_level_strerr(ret);
+
+ if (high_level_error_description == NULL) {
+ mbedtls_snprintf(buf, buflen, "UNKNOWN ERROR CODE (%04X)", (unsigned int) use_ret);
+ } else {
+ mbedtls_snprintf(buf, buflen, "%s", high_level_error_description);
+ }
+
+#if defined(MBEDTLS_SSL_TLS_C)
+ // Early return in case of a fatal error - do not try to translate low
+ // level code.
+ if (use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE)) {
+ return;
+ }
+#endif /* MBEDTLS_SSL_TLS_C */
+ }
+
+ use_ret = ret & ~0xFF80;
+
+ if (use_ret == 0) {
+ return;
+ }
+
+ // If high level code is present, make a concatenation between both
+ // error strings.
+ //
+ len = strlen(buf);
+
+ if (len > 0) {
+ if (buflen - len < 5) {
+ return;
+ }
+
+ mbedtls_snprintf(buf + len, buflen - len, " : ");
+
+ buf += len + 3;
+ buflen -= len + 3;
+ }
+
+ // Translate low level error code.
+ low_level_error_description = mbedtls_low_level_strerr(ret);
+
+ if (low_level_error_description == NULL) {
+ mbedtls_snprintf(buf, buflen, "UNKNOWN ERROR CODE (%04X)", (unsigned int) use_ret);
+ } else {
+ mbedtls_snprintf(buf, buflen, "%s", low_level_error_description);
+ }
+}
+
+#else /* MBEDTLS_ERROR_C */
+
+/*
+ * Provide a dummy implementation when MBEDTLS_ERROR_C is not defined
+ */
+void mbedtls_strerror(int ret, char *buf, size_t buflen)
+{
+ ((void) ret);
+
+ if (buflen > 0) {
+ buf[0] = '\0';
+ }
+}
+
+#endif /* MBEDTLS_ERROR_C */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+void (*mbedtls_test_hook_error_add)(int, int, const char *, int);
+#endif
+
+#endif /* MBEDTLS_ERROR_C || MBEDTLS_ERROR_STRERROR_DUMMY */
diff --git a/library/gcm.c b/library/gcm.c
new file mode 100644
index 0000000..5dfac23
--- /dev/null
+++ b/library/gcm.c
@@ -0,0 +1,1330 @@
+/*
+ * NIST SP800-38D compliant GCM implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
+ *
+ * See also:
+ * [MGV] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+ *
+ * We use the algorithm described as Shoup's method with 4-bit tables in
+ * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_GCM_C)
+
+#include "mbedtls/gcm.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+#include "block_cipher_internal.h"
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_AESNI_C)
+#include "aesni.h"
+#endif
+
+#if defined(MBEDTLS_AESCE_C)
+#include "aesce.h"
+#endif
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+/* Used to select the acceleration mechanism */
+#define MBEDTLS_GCM_ACC_SMALLTABLE 0
+#define MBEDTLS_GCM_ACC_LARGETABLE 1
+#define MBEDTLS_GCM_ACC_AESNI 2
+#define MBEDTLS_GCM_ACC_AESCE 3
+
+/*
+ * Initialize a context
+ */
+void mbedtls_gcm_init(mbedtls_gcm_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_gcm_context));
+}
+
+static inline void gcm_set_acceleration(mbedtls_gcm_context *ctx)
+{
+#if defined(MBEDTLS_GCM_LARGE_TABLE)
+ ctx->acceleration = MBEDTLS_GCM_ACC_LARGETABLE;
+#else
+ ctx->acceleration = MBEDTLS_GCM_ACC_SMALLTABLE;
+#endif
+
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ /* With CLMUL support, we need only h, not the rest of the table */
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
+ ctx->acceleration = MBEDTLS_GCM_ACC_AESNI;
+ }
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ ctx->acceleration = MBEDTLS_GCM_ACC_AESCE;
+ }
+#endif
+}
+
+static inline void gcm_gen_table_rightshift(uint64_t dst[2], const uint64_t src[2])
+{
+ uint8_t *u8Dst = (uint8_t *) dst;
+ uint8_t *u8Src = (uint8_t *) src;
+
+ MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[1], 0) >> 1, &dst[1], 0);
+ u8Dst[8] |= (u8Src[7] & 0x01) << 7;
+ MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[0], 0) >> 1, &dst[0], 0);
+ u8Dst[0] ^= (u8Src[15] & 0x01) ? 0xE1 : 0;
+}
+
+/*
+ * Precompute small multiples of H, that is set
+ * HH[i] || HL[i] = H times i,
+ * where i is seen as a field element as in [MGV], ie high-order bits
+ * correspond to low powers of P. The result is stored in the same way, that
+ * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL
+ * corresponds to P^127.
+ */
+static int gcm_gen_table(mbedtls_gcm_context *ctx)
+{
+ int ret, i, j;
+ uint64_t u64h[2] = { 0 };
+ uint8_t *h = (uint8_t *) u64h;
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, h, h);
+#else
+ size_t olen = 0;
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, h, 16, h, &olen);
+#endif
+ if (ret != 0) {
+ return ret;
+ }
+
+ gcm_set_acceleration(ctx);
+
+ /* MBEDTLS_GCM_HTABLE_SIZE/2 = 1000 corresponds to 1 in GF(2^128) */
+ ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][0] = u64h[0];
+ ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][1] = u64h[1];
+
+ switch (ctx->acceleration) {
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ case MBEDTLS_GCM_ACC_AESNI:
+ return 0;
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ case MBEDTLS_GCM_ACC_AESCE:
+ return 0;
+#endif
+
+ default:
+ /* 0 corresponds to 0 in GF(2^128) */
+ ctx->H[0][0] = 0;
+ ctx->H[0][1] = 0;
+
+ for (i = MBEDTLS_GCM_HTABLE_SIZE/4; i > 0; i >>= 1) {
+ gcm_gen_table_rightshift(ctx->H[i], ctx->H[i*2]);
+ }
+
+#if !defined(MBEDTLS_GCM_LARGE_TABLE)
+ /* pack elements of H as 64-bits ints, big-endian */
+ for (i = MBEDTLS_GCM_HTABLE_SIZE/2; i > 0; i >>= 1) {
+ MBEDTLS_PUT_UINT64_BE(ctx->H[i][0], &ctx->H[i][0], 0);
+ MBEDTLS_PUT_UINT64_BE(ctx->H[i][1], &ctx->H[i][1], 0);
+ }
+#endif
+
+ for (i = 2; i < MBEDTLS_GCM_HTABLE_SIZE; i <<= 1) {
+ for (j = 1; j < i; j++) {
+ mbedtls_xor_no_simd((unsigned char *) ctx->H[i+j],
+ (unsigned char *) ctx->H[i],
+ (unsigned char *) ctx->H[j],
+ 16);
+ }
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (keybits != 128 && keybits != 192 && keybits != 256) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_free(&ctx->block_cipher_ctx);
+
+ if ((ret = mbedtls_block_cipher_setup(&ctx->block_cipher_ctx, cipher)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_block_cipher_setkey(&ctx->block_cipher_ctx, key, keybits)) != 0) {
+ return ret;
+ }
+#else
+ const mbedtls_cipher_info_t *cipher_info;
+
+ cipher_info = mbedtls_cipher_info_from_values(cipher, keybits,
+ MBEDTLS_MODE_ECB);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
+ MBEDTLS_ENCRYPT)) != 0) {
+ return ret;
+ }
+#endif
+
+ if ((ret = gcm_gen_table(ctx)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_GCM_LARGE_TABLE)
+static const uint16_t last8[256] = {
+ 0x0000, 0xc201, 0x8403, 0x4602, 0x0807, 0xca06, 0x8c04, 0x4e05,
+ 0x100e, 0xd20f, 0x940d, 0x560c, 0x1809, 0xda08, 0x9c0a, 0x5e0b,
+ 0x201c, 0xe21d, 0xa41f, 0x661e, 0x281b, 0xea1a, 0xac18, 0x6e19,
+ 0x3012, 0xf213, 0xb411, 0x7610, 0x3815, 0xfa14, 0xbc16, 0x7e17,
+ 0x4038, 0x8239, 0xc43b, 0x063a, 0x483f, 0x8a3e, 0xcc3c, 0x0e3d,
+ 0x5036, 0x9237, 0xd435, 0x1634, 0x5831, 0x9a30, 0xdc32, 0x1e33,
+ 0x6024, 0xa225, 0xe427, 0x2626, 0x6823, 0xaa22, 0xec20, 0x2e21,
+ 0x702a, 0xb22b, 0xf429, 0x3628, 0x782d, 0xba2c, 0xfc2e, 0x3e2f,
+ 0x8070, 0x4271, 0x0473, 0xc672, 0x8877, 0x4a76, 0x0c74, 0xce75,
+ 0x907e, 0x527f, 0x147d, 0xd67c, 0x9879, 0x5a78, 0x1c7a, 0xde7b,
+ 0xa06c, 0x626d, 0x246f, 0xe66e, 0xa86b, 0x6a6a, 0x2c68, 0xee69,
+ 0xb062, 0x7263, 0x3461, 0xf660, 0xb865, 0x7a64, 0x3c66, 0xfe67,
+ 0xc048, 0x0249, 0x444b, 0x864a, 0xc84f, 0x0a4e, 0x4c4c, 0x8e4d,
+ 0xd046, 0x1247, 0x5445, 0x9644, 0xd841, 0x1a40, 0x5c42, 0x9e43,
+ 0xe054, 0x2255, 0x6457, 0xa656, 0xe853, 0x2a52, 0x6c50, 0xae51,
+ 0xf05a, 0x325b, 0x7459, 0xb658, 0xf85d, 0x3a5c, 0x7c5e, 0xbe5f,
+ 0x00e1, 0xc2e0, 0x84e2, 0x46e3, 0x08e6, 0xcae7, 0x8ce5, 0x4ee4,
+ 0x10ef, 0xd2ee, 0x94ec, 0x56ed, 0x18e8, 0xdae9, 0x9ceb, 0x5eea,
+ 0x20fd, 0xe2fc, 0xa4fe, 0x66ff, 0x28fa, 0xeafb, 0xacf9, 0x6ef8,
+ 0x30f3, 0xf2f2, 0xb4f0, 0x76f1, 0x38f4, 0xfaf5, 0xbcf7, 0x7ef6,
+ 0x40d9, 0x82d8, 0xc4da, 0x06db, 0x48de, 0x8adf, 0xccdd, 0x0edc,
+ 0x50d7, 0x92d6, 0xd4d4, 0x16d5, 0x58d0, 0x9ad1, 0xdcd3, 0x1ed2,
+ 0x60c5, 0xa2c4, 0xe4c6, 0x26c7, 0x68c2, 0xaac3, 0xecc1, 0x2ec0,
+ 0x70cb, 0xb2ca, 0xf4c8, 0x36c9, 0x78cc, 0xbacd, 0xfccf, 0x3ece,
+ 0x8091, 0x4290, 0x0492, 0xc693, 0x8896, 0x4a97, 0x0c95, 0xce94,
+ 0x909f, 0x529e, 0x149c, 0xd69d, 0x9898, 0x5a99, 0x1c9b, 0xde9a,
+ 0xa08d, 0x628c, 0x248e, 0xe68f, 0xa88a, 0x6a8b, 0x2c89, 0xee88,
+ 0xb083, 0x7282, 0x3480, 0xf681, 0xb884, 0x7a85, 0x3c87, 0xfe86,
+ 0xc0a9, 0x02a8, 0x44aa, 0x86ab, 0xc8ae, 0x0aaf, 0x4cad, 0x8eac,
+ 0xd0a7, 0x12a6, 0x54a4, 0x96a5, 0xd8a0, 0x1aa1, 0x5ca3, 0x9ea2,
+ 0xe0b5, 0x22b4, 0x64b6, 0xa6b7, 0xe8b2, 0x2ab3, 0x6cb1, 0xaeb0,
+ 0xf0bb, 0x32ba, 0x74b8, 0xb6b9, 0xf8bc, 0x3abd, 0x7cbf, 0xbebe
+};
+
+static void gcm_mult_largetable(uint8_t *output, const uint8_t *x, uint64_t H[256][2])
+{
+ int i;
+ uint64_t u64z[2];
+ uint16_t *u16z = (uint16_t *) u64z;
+ uint8_t *u8z = (uint8_t *) u64z;
+ uint8_t rem;
+
+ u64z[0] = 0;
+ u64z[1] = 0;
+
+ if (MBEDTLS_IS_BIG_ENDIAN) {
+ for (i = 15; i > 0; i--) {
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[x[i]], 16);
+ rem = u8z[15];
+
+ u64z[1] >>= 8;
+ u8z[8] = u8z[7];
+ u64z[0] >>= 8;
+
+ u16z[0] ^= MBEDTLS_GET_UINT16_LE(&last8[rem], 0);
+ }
+ } else {
+ for (i = 15; i > 0; i--) {
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[x[i]], 16);
+ rem = u8z[15];
+
+ u64z[1] <<= 8;
+ u8z[8] = u8z[7];
+ u64z[0] <<= 8;
+
+ u16z[0] ^= last8[rem];
+ }
+ }
+
+ mbedtls_xor_no_simd(output, u8z, (uint8_t *) H[x[0]], 16);
+}
+#else
+/*
+ * Shoup's method for multiplication use this table with
+ * last4[x] = x times P^128
+ * where x and last4[x] are seen as elements of GF(2^128) as in [MGV]
+ */
+static const uint16_t last4[16] =
+{
+ 0x0000, 0x1c20, 0x3840, 0x2460,
+ 0x7080, 0x6ca0, 0x48c0, 0x54e0,
+ 0xe100, 0xfd20, 0xd940, 0xc560,
+ 0x9180, 0x8da0, 0xa9c0, 0xb5e0
+};
+
+static void gcm_mult_smalltable(uint8_t *output, const uint8_t *x, uint64_t H[16][2])
+{
+ int i = 0;
+ unsigned char lo, hi, rem;
+ uint64_t u64z[2];
+ const uint64_t *pu64z = NULL;
+ uint8_t *u8z = (uint8_t *) u64z;
+
+ lo = x[15] & 0xf;
+ hi = (x[15] >> 4) & 0xf;
+
+ pu64z = H[lo];
+
+ rem = (unsigned char) pu64z[1] & 0xf;
+ u64z[1] = (pu64z[0] << 60) | (pu64z[1] >> 4);
+ u64z[0] = (pu64z[0] >> 4);
+ u64z[0] ^= (uint64_t) last4[rem] << 48;
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[hi], 16);
+
+ for (i = 14; i >= 0; i--) {
+ lo = x[i] & 0xf;
+ hi = (x[i] >> 4) & 0xf;
+
+ rem = (unsigned char) u64z[1] & 0xf;
+ u64z[1] = (u64z[0] << 60) | (u64z[1] >> 4);
+ u64z[0] = (u64z[0] >> 4);
+ u64z[0] ^= (uint64_t) last4[rem] << 48;
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[lo], 16);
+
+ rem = (unsigned char) u64z[1] & 0xf;
+ u64z[1] = (u64z[0] << 60) | (u64z[1] >> 4);
+ u64z[0] = (u64z[0] >> 4);
+ u64z[0] ^= (uint64_t) last4[rem] << 48;
+ mbedtls_xor_no_simd(u8z, u8z, (uint8_t *) H[hi], 16);
+ }
+
+ MBEDTLS_PUT_UINT64_BE(u64z[0], output, 0);
+ MBEDTLS_PUT_UINT64_BE(u64z[1], output, 8);
+}
+#endif
+
+/*
+ * Sets output to x times H using the precomputed tables.
+ * x and output are seen as elements of GF(2^128) as in [MGV].
+ */
+static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16],
+ unsigned char output[16])
+{
+ switch (ctx->acceleration) {
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ case MBEDTLS_GCM_ACC_AESNI:
+ mbedtls_aesni_gcm_mult(output, x, (uint8_t *) ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2]);
+ break;
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ case MBEDTLS_GCM_ACC_AESCE:
+ mbedtls_aesce_gcm_mult(output, x, (uint8_t *) ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2]);
+ break;
+#endif
+
+#if defined(MBEDTLS_GCM_LARGE_TABLE)
+ case MBEDTLS_GCM_ACC_LARGETABLE:
+ gcm_mult_largetable(output, x, ctx->H);
+ break;
+#else
+ case MBEDTLS_GCM_ACC_SMALLTABLE:
+ gcm_mult_smalltable(output, x, ctx->H);
+ break;
+#endif
+ }
+
+ return;
+}
+
+int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
+ int mode,
+ const unsigned char *iv, size_t iv_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char work_buf[16];
+ const unsigned char *p;
+ size_t use_len;
+ uint64_t iv_bits;
+#if !defined(MBEDTLS_BLOCK_CIPHER_C)
+ size_t olen = 0;
+#endif
+
+ /* IV is limited to 2^64 bits, so 2^61 bytes */
+ /* IV is not allowed to be zero length */
+ if (iv_len == 0 || (uint64_t) iv_len >> 61 != 0) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ memset(ctx->y, 0x00, sizeof(ctx->y));
+ memset(ctx->buf, 0x00, sizeof(ctx->buf));
+
+ ctx->mode = mode;
+ ctx->len = 0;
+ ctx->add_len = 0;
+
+ if (iv_len == 12) {
+ memcpy(ctx->y, iv, iv_len);
+ ctx->y[15] = 1;
+ } else {
+ memset(work_buf, 0x00, 16);
+ iv_bits = (uint64_t) iv_len * 8;
+ MBEDTLS_PUT_UINT64_BE(iv_bits, work_buf, 8);
+
+ p = iv;
+ while (iv_len > 0) {
+ use_len = (iv_len < 16) ? iv_len : 16;
+
+#if defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 70110)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic warning "-Wstringop-overflow=0"
+#endif
+
+ mbedtls_xor(ctx->y, ctx->y, p, use_len);
+
+#if defined(MBEDTLS_COMPILER_IS_GCC) && (MBEDTLS_GCC_VERSION >= 70110)
+#pragma GCC diagnostic pop
+#endif
+
+ gcm_mult(ctx, ctx->y, ctx->y);
+
+ iv_len -= use_len;
+ p += use_len;
+ }
+
+ mbedtls_xor(ctx->y, ctx->y, work_buf, 16);
+
+ gcm_mult(ctx, ctx->y, ctx->y);
+ }
+
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->base_ectr);
+#else
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->base_ectr, &olen);
+#endif
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
+ * mbedtls_gcm_context::buf contains the partial state of the computation of
+ * the authentication tag.
+ * mbedtls_gcm_context::add_len and mbedtls_gcm_context::len indicate
+ * different stages of the computation:
+ * * len == 0 && add_len == 0: initial state
+ * * len == 0 && add_len % 16 != 0: the first `add_len % 16` bytes have
+ * a partial block of AD that has been
+ * xored in but not yet multiplied in.
+ * * len == 0 && add_len % 16 == 0: the authentication tag is correct if
+ * the data ends now.
+ * * len % 16 != 0: the first `len % 16` bytes have
+ * a partial block of ciphertext that has
+ * been xored in but not yet multiplied in.
+ * * len > 0 && len % 16 == 0: the authentication tag is correct if
+ * the data ends now.
+ */
+int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx,
+ const unsigned char *add, size_t add_len)
+{
+ const unsigned char *p;
+ size_t use_len, offset;
+ uint64_t new_add_len;
+
+ /* AD is limited to 2^64 bits, ie 2^61 bytes
+ * Also check for possible overflow */
+#if SIZE_MAX > 0xFFFFFFFFFFFFFFFFULL
+ if (add_len > 0xFFFFFFFFFFFFFFFFULL) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+#endif
+ new_add_len = ctx->add_len + (uint64_t) add_len;
+ if (new_add_len < ctx->add_len || new_add_len >> 61 != 0) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ offset = ctx->add_len % 16;
+ p = add;
+
+ if (offset != 0) {
+ use_len = 16 - offset;
+ if (use_len > add_len) {
+ use_len = add_len;
+ }
+
+ mbedtls_xor(ctx->buf + offset, ctx->buf + offset, p, use_len);
+
+ if (offset + use_len == 16) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ ctx->add_len += use_len;
+ add_len -= use_len;
+ p += use_len;
+ }
+
+ ctx->add_len += add_len;
+
+ while (add_len >= 16) {
+ mbedtls_xor(ctx->buf, ctx->buf, p, 16);
+
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+
+ add_len -= 16;
+ p += 16;
+ }
+
+ if (add_len > 0) {
+ mbedtls_xor(ctx->buf, ctx->buf, p, add_len);
+ }
+
+ return 0;
+}
+
+/* Increment the counter. */
+static void gcm_incr(unsigned char y[16])
+{
+ uint32_t x = MBEDTLS_GET_UINT32_BE(y, 12);
+ x++;
+ MBEDTLS_PUT_UINT32_BE(x, y, 12);
+}
+
+/* Calculate and apply the encryption mask. Process use_len bytes of data,
+ * starting at position offset in the mask block. */
+static int gcm_mask(mbedtls_gcm_context *ctx,
+ unsigned char ectr[16],
+ size_t offset, size_t use_len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ectr);
+#else
+ size_t olen = 0;
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ectr, &olen);
+#endif
+ if (ret != 0) {
+ mbedtls_platform_zeroize(ectr, 16);
+ return ret;
+ }
+
+ if (ctx->mode == MBEDTLS_GCM_DECRYPT) {
+ mbedtls_xor(ctx->buf + offset, ctx->buf + offset, input, use_len);
+ }
+ mbedtls_xor(output, ectr + offset, input, use_len);
+ if (ctx->mode == MBEDTLS_GCM_ENCRYPT) {
+ mbedtls_xor(ctx->buf + offset, ctx->buf + offset, output, use_len);
+ }
+
+ return 0;
+}
+
+int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
+ const unsigned char *input, size_t input_length,
+ unsigned char *output, size_t output_size,
+ size_t *output_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = input;
+ unsigned char *out_p = output;
+ size_t offset;
+ unsigned char ectr[16] = { 0 };
+
+ if (output_size < input_length) {
+ return MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL;
+ }
+ *output_length = input_length;
+
+ /* Exit early if input_length==0 so that we don't do any pointer arithmetic
+ * on a potentially null pointer.
+ * Returning early also means that the last partial block of AD remains
+ * untouched for mbedtls_gcm_finish */
+ if (input_length == 0) {
+ return 0;
+ }
+
+ if (output > input && (size_t) (output - input) < input_length) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+ * Also check for possible overflow */
+ if (ctx->len + input_length < ctx->len ||
+ (uint64_t) ctx->len + input_length > 0xFFFFFFFE0ull) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ if (ctx->len == 0 && ctx->add_len % 16 != 0) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ offset = ctx->len % 16;
+ if (offset != 0) {
+ size_t use_len = 16 - offset;
+ if (use_len > input_length) {
+ use_len = input_length;
+ }
+
+ if ((ret = gcm_mask(ctx, ectr, offset, use_len, p, out_p)) != 0) {
+ return ret;
+ }
+
+ if (offset + use_len == 16) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ ctx->len += use_len;
+ input_length -= use_len;
+ p += use_len;
+ out_p += use_len;
+ }
+
+ ctx->len += input_length;
+
+ while (input_length >= 16) {
+ gcm_incr(ctx->y);
+ if ((ret = gcm_mask(ctx, ectr, 0, 16, p, out_p)) != 0) {
+ return ret;
+ }
+
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+
+ input_length -= 16;
+ p += 16;
+ out_p += 16;
+ }
+
+ if (input_length > 0) {
+ gcm_incr(ctx->y);
+ if ((ret = gcm_mask(ctx, ectr, 0, input_length, p, out_p)) != 0) {
+ return ret;
+ }
+ }
+
+ mbedtls_platform_zeroize(ectr, sizeof(ectr));
+ return 0;
+}
+
+int mbedtls_gcm_finish(mbedtls_gcm_context *ctx,
+ unsigned char *output, size_t output_size,
+ size_t *output_length,
+ unsigned char *tag, size_t tag_len)
+{
+ unsigned char work_buf[16];
+ uint64_t orig_len;
+ uint64_t orig_add_len;
+
+ /* We never pass any output in finish(). The output parameter exists only
+ * for the sake of alternative implementations. */
+ (void) output;
+ (void) output_size;
+ *output_length = 0;
+
+ /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+ * and AD length is restricted to 2^64 bits, ie 2^61 bytes so neither of
+ * the two multiplications would overflow. */
+ orig_len = ctx->len * 8;
+ orig_add_len = ctx->add_len * 8;
+
+ if (ctx->len == 0 && ctx->add_len % 16 != 0) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ if (tag_len > 16 || tag_len < 4) {
+ return MBEDTLS_ERR_GCM_BAD_INPUT;
+ }
+
+ if (ctx->len % 16 != 0) {
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+ }
+
+ memcpy(tag, ctx->base_ectr, tag_len);
+
+ if (orig_len || orig_add_len) {
+ memset(work_buf, 0x00, 16);
+
+ MBEDTLS_PUT_UINT32_BE((orig_add_len >> 32), work_buf, 0);
+ MBEDTLS_PUT_UINT32_BE((orig_add_len), work_buf, 4);
+ MBEDTLS_PUT_UINT32_BE((orig_len >> 32), work_buf, 8);
+ MBEDTLS_PUT_UINT32_BE((orig_len), work_buf, 12);
+
+ mbedtls_xor(ctx->buf, ctx->buf, work_buf, 16);
+
+ gcm_mult(ctx, ctx->buf, ctx->buf);
+
+ mbedtls_xor(tag, tag, ctx->buf, tag_len);
+ }
+
+ return 0;
+}
+
+int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
+ int mode,
+ size_t length,
+ const unsigned char *iv,
+ size_t iv_len,
+ const unsigned char *add,
+ size_t add_len,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t tag_len,
+ unsigned char *tag)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen;
+
+ if ((ret = mbedtls_gcm_starts(ctx, mode, iv, iv_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_gcm_update_ad(ctx, add, add_len)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_gcm_update(ctx, input, length,
+ output, length, &olen)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_gcm_finish(ctx, NULL, 0, &olen, tag, tag_len)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
+ size_t length,
+ const unsigned char *iv,
+ size_t iv_len,
+ const unsigned char *add,
+ size_t add_len,
+ const unsigned char *tag,
+ size_t tag_len,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char check_tag[16];
+ int diff;
+
+ if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length,
+ iv, iv_len, add, add_len,
+ input, output, tag_len, check_tag)) != 0) {
+ return ret;
+ }
+
+ /* Check tag in "constant-time" */
+ diff = mbedtls_ct_memcmp(tag, check_tag, tag_len);
+
+ if (diff != 0) {
+ mbedtls_platform_zeroize(output, length);
+ return MBEDTLS_ERR_GCM_AUTH_FAILED;
+ }
+
+ return 0;
+}
+
+void mbedtls_gcm_free(mbedtls_gcm_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+ mbedtls_block_cipher_free(&ctx->block_cipher_ctx);
+#else
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+#endif
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_gcm_context));
+}
+
+#endif /* !MBEDTLS_GCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES)
+/*
+ * AES-GCM test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
+ */
+#define MAX_TESTS 6
+
+static const int key_index_test_data[MAX_TESTS] =
+{ 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char key_test_data[][32] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 },
+};
+
+static const size_t iv_len_test_data[MAX_TESTS] =
+{ 12, 12, 12, 12, 8, 60 };
+
+static const int iv_index_test_data[MAX_TESTS] =
+{ 0, 0, 1, 1, 1, 2 };
+
+static const unsigned char iv_test_data[][64] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00 },
+ { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+ 0xde, 0xca, 0xf8, 0x88 },
+ { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
+ 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
+ 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
+ 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
+ 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
+ 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
+ 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
+ 0xa6, 0x37, 0xb3, 0x9b },
+};
+
+static const size_t add_len_test_data[MAX_TESTS] =
+{ 0, 0, 0, 20, 20, 20 };
+
+static const int add_index_test_data[MAX_TESTS] =
+{ 0, 0, 0, 1, 1, 1 };
+
+static const unsigned char additional_test_data[][64] =
+{
+ { 0x00 },
+ { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ 0xab, 0xad, 0xda, 0xd2 },
+};
+
+static const size_t pt_len_test_data[MAX_TESTS] =
+{ 0, 16, 64, 60, 60, 60 };
+
+static const int pt_index_test_data[MAX_TESTS] =
+{ 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char pt_test_data[][64] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+ 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+ 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+ 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+ 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+ 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
+};
+
+static const unsigned char ct_test_data[][64] =
+{
+ { 0x00 },
+ { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
+ 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },
+ { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+ 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+ 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+ 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+ 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+ 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+ 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+ 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 },
+ { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+ 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+ 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+ 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+ 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+ 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+ 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+ 0x3d, 0x58, 0xe0, 0x91 },
+ { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
+ 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
+ 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
+ 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
+ 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
+ 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
+ 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
+ 0xc2, 0x3f, 0x45, 0x98 },
+ { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
+ 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
+ 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
+ 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
+ 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
+ 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
+ 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
+ 0x4c, 0x34, 0xae, 0xe5 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x00 },
+ { 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
+ 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 },
+ { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+ 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+ 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+ 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+ 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+ 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+ 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+ 0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 },
+ { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+ 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+ 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+ 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+ 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+ 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+ 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+ 0xcc, 0xda, 0x27, 0x10 },
+ { 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
+ 0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
+ 0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
+ 0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
+ 0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
+ 0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
+ 0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
+ 0xa0, 0xf0, 0x62, 0xf7 },
+ { 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
+ 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
+ 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
+ 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
+ 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
+ 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
+ 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
+ 0xe9, 0xb7, 0x37, 0x3b },
+ { 0x00 },
+ { 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
+ 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 },
+ { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+ 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+ 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+ 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+ 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+ 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+ 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+ 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad },
+ { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+ 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+ 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+ 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+ 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+ 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+ 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+ 0xbc, 0xc9, 0xf6, 0x62 },
+ { 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
+ 0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
+ 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
+ 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
+ 0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
+ 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
+ 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
+ 0xf4, 0x7c, 0x9b, 0x1f },
+ { 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
+ 0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
+ 0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
+ 0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
+ 0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
+ 0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
+ 0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
+ 0x44, 0xae, 0x7e, 0x3f },
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+};
+
+static const unsigned char tag_test_data[][16] =
+{
+ { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
+ 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
+ { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
+ 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf },
+ { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
+ 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 },
+ { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
+ 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 },
+ { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
+ 0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
+ { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
+ 0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
+ 0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
+ { 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
+ 0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb },
+ { 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
+ 0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 },
+ { 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
+ 0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c },
+ { 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
+ 0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 },
+ { 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
+ 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 },
+ { 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
+ 0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b },
+ { 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
+ 0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 },
+ { 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
+ 0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c },
+ { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
+ 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b },
+ { 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
+ 0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 },
+ { 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
+ 0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a },
+#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+};
+
+int mbedtls_gcm_self_test(int verbose)
+{
+ mbedtls_gcm_context ctx;
+ unsigned char buf[64];
+ unsigned char tag_buf[16];
+ int i, j, ret;
+ mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
+ size_t olen;
+
+ if (verbose != 0) {
+#if defined(MBEDTLS_GCM_ALT)
+ mbedtls_printf(" GCM note: alternative implementation.\n");
+#else /* MBEDTLS_GCM_ALT */
+#if defined(MBEDTLS_AESNI_HAVE_CODE)
+ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
+ mbedtls_printf(" GCM note: using AESNI.\n");
+ } else
+#endif
+
+#if defined(MBEDTLS_AESCE_HAVE_CODE)
+ if (MBEDTLS_AESCE_HAS_SUPPORT()) {
+ mbedtls_printf(" GCM note: using AESCE.\n");
+ } else
+#endif
+
+ mbedtls_printf(" GCM note: built-in implementation.\n");
+#endif /* MBEDTLS_GCM_ALT */
+ }
+
+ static const int loop_limit =
+ (sizeof(ct_test_data) / sizeof(*ct_test_data)) / MAX_TESTS;
+
+ for (j = 0; j < loop_limit; j++) {
+ int key_len = 128 + 64 * j;
+
+ for (i = 0; i < MAX_TESTS; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" AES-GCM-%3d #%d (%s): ",
+ key_len, i, "enc");
+ }
+
+ mbedtls_gcm_init(&ctx);
+
+ ret = mbedtls_gcm_setkey(&ctx, cipher,
+ key_test_data[key_index_test_data[i]],
+ key_len);
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && key_len == 192) {
+ mbedtls_printf("skipped\n");
+ break;
+ } else if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT,
+ pt_len_test_data[i],
+ iv_test_data[iv_index_test_data[i]],
+ iv_len_test_data[i],
+ additional_test_data[add_index_test_data[i]],
+ add_len_test_data[i],
+ pt_test_data[pt_index_test_data[i]],
+ buf, 16, tag_buf);
+#if defined(MBEDTLS_GCM_ALT)
+ /* Allow alternative implementations to only support 12-byte nonces. */
+ if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED &&
+ iv_len_test_data[i] != 12) {
+ mbedtls_printf("skipped\n");
+ break;
+ }
+#endif /* defined(MBEDTLS_GCM_ALT) */
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, ct_test_data[j * 6 + i],
+ pt_len_test_data[i]) != 0 ||
+ memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ mbedtls_gcm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_gcm_init(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-GCM-%3d #%d (%s): ",
+ key_len, i, "dec");
+ }
+
+ ret = mbedtls_gcm_setkey(&ctx, cipher,
+ key_test_data[key_index_test_data[i]],
+ key_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_DECRYPT,
+ pt_len_test_data[i],
+ iv_test_data[iv_index_test_data[i]],
+ iv_len_test_data[i],
+ additional_test_data[add_index_test_data[i]],
+ add_len_test_data[i],
+ ct_test_data[j * 6 + i], buf, 16, tag_buf);
+
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, pt_test_data[pt_index_test_data[i]],
+ pt_len_test_data[i]) != 0 ||
+ memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ mbedtls_gcm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_gcm_init(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-GCM-%3d #%d split (%s): ",
+ key_len, i, "enc");
+ }
+
+ ret = mbedtls_gcm_setkey(&ctx, cipher,
+ key_test_data[key_index_test_data[i]],
+ key_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_ENCRYPT,
+ iv_test_data[iv_index_test_data[i]],
+ iv_len_test_data[i]);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_update_ad(&ctx,
+ additional_test_data[add_index_test_data[i]],
+ add_len_test_data[i]);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (pt_len_test_data[i] > 32) {
+ size_t rest_len = pt_len_test_data[i] - 32;
+ ret = mbedtls_gcm_update(&ctx,
+ pt_test_data[pt_index_test_data[i]],
+ 32,
+ buf, sizeof(buf), &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != 32) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_update(&ctx,
+ pt_test_data[pt_index_test_data[i]] + 32,
+ rest_len,
+ buf + 32, sizeof(buf) - 32, &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != rest_len) {
+ goto exit;
+ }
+ } else {
+ ret = mbedtls_gcm_update(&ctx,
+ pt_test_data[pt_index_test_data[i]],
+ pt_len_test_data[i],
+ buf, sizeof(buf), &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != pt_len_test_data[i]) {
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_gcm_finish(&ctx, NULL, 0, &olen, tag_buf, 16);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, ct_test_data[j * 6 + i],
+ pt_len_test_data[i]) != 0 ||
+ memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ mbedtls_gcm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ mbedtls_gcm_init(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf(" AES-GCM-%3d #%d split (%s): ",
+ key_len, i, "dec");
+ }
+
+ ret = mbedtls_gcm_setkey(&ctx, cipher,
+ key_test_data[key_index_test_data[i]],
+ key_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT,
+ iv_test_data[iv_index_test_data[i]],
+ iv_len_test_data[i]);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_gcm_update_ad(&ctx,
+ additional_test_data[add_index_test_data[i]],
+ add_len_test_data[i]);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (pt_len_test_data[i] > 32) {
+ size_t rest_len = pt_len_test_data[i] - 32;
+ ret = mbedtls_gcm_update(&ctx,
+ ct_test_data[j * 6 + i], 32,
+ buf, sizeof(buf), &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != 32) {
+ goto exit;
+ }
+
+ ret = mbedtls_gcm_update(&ctx,
+ ct_test_data[j * 6 + i] + 32,
+ rest_len,
+ buf + 32, sizeof(buf) - 32, &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != rest_len) {
+ goto exit;
+ }
+ } else {
+ ret = mbedtls_gcm_update(&ctx,
+ ct_test_data[j * 6 + i],
+ pt_len_test_data[i],
+ buf, sizeof(buf), &olen);
+ if (ret != 0) {
+ goto exit;
+ }
+ if (olen != pt_len_test_data[i]) {
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_gcm_finish(&ctx, NULL, 0, &olen, tag_buf, 16);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (memcmp(buf, pt_test_data[pt_index_test_data[i]],
+ pt_len_test_data[i]) != 0 ||
+ memcmp(tag_buf, tag_test_data[j * 6 + i], 16) != 0) {
+ ret = 1;
+ goto exit;
+ }
+
+ mbedtls_gcm_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ ret = 0;
+
+exit:
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ mbedtls_gcm_free(&ctx);
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_GCM_C */
diff --git a/library/hkdf.c b/library/hkdf.c
new file mode 100644
index 0000000..631ac24
--- /dev/null
+++ b/library/hkdf.c
@@ -0,0 +1,161 @@
+/*
+ * HKDF implementation -- RFC 5869
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#include "common.h"
+
+#if defined(MBEDTLS_HKDF_C)
+
+#include <string.h>
+#include "mbedtls/hkdf.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt,
+ size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char prk[MBEDTLS_MD_MAX_SIZE];
+
+ ret = mbedtls_hkdf_extract(md, salt, salt_len, ikm, ikm_len, prk);
+
+ if (ret == 0) {
+ ret = mbedtls_hkdf_expand(md, prk, mbedtls_md_get_size(md),
+ info, info_len, okm, okm_len);
+ }
+
+ mbedtls_platform_zeroize(prk, sizeof(prk));
+
+ return ret;
+}
+
+int mbedtls_hkdf_extract(const mbedtls_md_info_t *md,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk)
+{
+ unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
+
+ if (salt == NULL) {
+ size_t hash_len;
+
+ if (salt_len != 0) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ hash_len = mbedtls_md_get_size(md);
+
+ if (hash_len == 0) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ salt = null_salt;
+ salt_len = hash_len;
+ }
+
+ return mbedtls_md_hmac(md, salt, salt_len, ikm, ikm_len, prk);
+}
+
+int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk,
+ size_t prk_len, const unsigned char *info,
+ size_t info_len, unsigned char *okm, size_t okm_len)
+{
+ size_t hash_len;
+ size_t where = 0;
+ size_t n;
+ size_t t_len = 0;
+ size_t i;
+ int ret = 0;
+ mbedtls_md_context_t ctx;
+ unsigned char t[MBEDTLS_MD_MAX_SIZE];
+
+ if (okm == NULL) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ hash_len = mbedtls_md_get_size(md);
+
+ if (prk_len < hash_len || hash_len == 0) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ if (info == NULL) {
+ info = (const unsigned char *) "";
+ info_len = 0;
+ }
+
+ n = okm_len / hash_len;
+
+ if (okm_len % hash_len != 0) {
+ n++;
+ }
+
+ /*
+ * Per RFC 5869 Section 2.3, okm_len must not exceed
+ * 255 times the hash length
+ */
+ if (n > 255) {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ mbedtls_md_init(&ctx);
+
+ if ((ret = mbedtls_md_setup(&ctx, md, 1)) != 0) {
+ goto exit;
+ }
+
+ memset(t, 0, hash_len);
+
+ /*
+ * Compute T = T(1) | T(2) | T(3) | ... | T(N)
+ * Where T(N) is defined in RFC 5869 Section 2.3
+ */
+ for (i = 1; i <= n; i++) {
+ size_t num_to_copy;
+ unsigned char c = i & 0xff;
+
+ ret = mbedtls_md_hmac_starts(&ctx, prk, prk_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_update(&ctx, t, t_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_update(&ctx, info, info_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ /* The constant concatenated to the end of each T(n) is a single octet.
+ * */
+ ret = mbedtls_md_hmac_update(&ctx, &c, 1);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_finish(&ctx, t);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ num_to_copy = i != n ? hash_len : okm_len - where;
+ memcpy(okm + where, t, num_to_copy);
+ where += hash_len;
+ t_len = hash_len;
+ }
+
+exit:
+ mbedtls_md_free(&ctx);
+ mbedtls_platform_zeroize(t, sizeof(t));
+
+ return ret;
+}
+
+#endif /* MBEDTLS_HKDF_C */
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
new file mode 100644
index 0000000..90174d5
--- /dev/null
+++ b/library/hmac_drbg.c
@@ -0,0 +1,633 @@
+/*
+ * HMAC_DRBG implementation (NIST SP 800-90)
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The NIST SP 800-90A DRBGs are described in the following publication.
+ * http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
+ * References below are based on rev. 1 (January 2012).
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#include "mbedtls/platform.h"
+
+/*
+ * HMAC_DRBG context initialization
+ */
+void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_hmac_drbg_context));
+
+ ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+}
+
+/*
+ * HMAC_DRBG update, using optional additional data (10.1.2.2)
+ */
+int mbedtls_hmac_drbg_update(mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t add_len)
+{
+ size_t md_len = mbedtls_md_get_size(ctx->md_ctx.md_info);
+ unsigned char rounds = (additional != NULL && add_len != 0) ? 2 : 1;
+ unsigned char sep[1];
+ unsigned char K[MBEDTLS_MD_MAX_SIZE];
+ int ret = MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+
+ for (sep[0] = 0; sep[0] < rounds; sep[0]++) {
+ /* Step 1 or 4 */
+ if ((ret = mbedtls_md_hmac_reset(&ctx->md_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ ctx->V, md_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ sep, 1)) != 0) {
+ goto exit;
+ }
+ if (rounds == 2) {
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ additional, add_len)) != 0) {
+ goto exit;
+ }
+ }
+ if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, K)) != 0) {
+ goto exit;
+ }
+
+ /* Step 2 or 5 */
+ if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, K, md_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ ctx->V, md_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, ctx->V)) != 0) {
+ goto exit;
+ }
+ }
+
+exit:
+ mbedtls_platform_zeroize(K, sizeof(K));
+ return ret;
+}
+
+/*
+ * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
+ */
+int mbedtls_hmac_drbg_seed_buf(mbedtls_hmac_drbg_context *ctx,
+ const mbedtls_md_info_t *md_info,
+ const unsigned char *data, size_t data_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_md_setup(&ctx->md_ctx, md_info, 1)) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+ /*
+ * Set initial working state.
+ * Use the V memory location, which is currently all 0, to initialize the
+ * MD context with an all-zero key. Then set V to its initial value.
+ */
+ if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, ctx->V,
+ mbedtls_md_get_size(md_info))) != 0) {
+ return ret;
+ }
+ memset(ctx->V, 0x01, mbedtls_md_get_size(md_info));
+
+ if ((ret = mbedtls_hmac_drbg_update(ctx, data, data_len)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Internal function used both for seeding and reseeding the DRBG.
+ * Comments starting with arabic numbers refer to section 10.1.2.4
+ * of SP800-90A, while roman numbers refer to section 9.2.
+ */
+static int hmac_drbg_reseed_core(mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional, size_t len,
+ int use_nonce)
+{
+ unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
+ size_t seedlen = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ {
+ size_t total_entropy_len;
+
+ if (use_nonce == 0) {
+ total_entropy_len = ctx->entropy_len;
+ } else {
+ total_entropy_len = ctx->entropy_len * 3 / 2;
+ }
+
+ /* III. Check input length */
+ if (len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
+ total_entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT) {
+ return MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+ }
+ }
+
+ memset(seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT);
+
+ /* IV. Gather entropy_len bytes of entropy for the seed */
+ if ((ret = ctx->f_entropy(ctx->p_entropy,
+ seed, ctx->entropy_len)) != 0) {
+ return MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+ seedlen += ctx->entropy_len;
+
+ /* For initial seeding, allow adding of nonce generated
+ * from the entropy source. See Sect 8.6.7 in SP800-90A. */
+ if (use_nonce) {
+ /* Note: We don't merge the two calls to f_entropy() in order
+ * to avoid requesting too much entropy from f_entropy()
+ * at once. Specifically, if the underlying digest is not
+ * SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
+ * is larger than the maximum of 32 Bytes that our own
+ * entropy source implementation can emit in a single
+ * call in configurations disabling SHA-512. */
+ if ((ret = ctx->f_entropy(ctx->p_entropy,
+ seed + seedlen,
+ ctx->entropy_len / 2)) != 0) {
+ return MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED;
+ }
+
+ seedlen += ctx->entropy_len / 2;
+ }
+
+
+ /* 1. Concatenate entropy and additional data if any */
+ if (additional != NULL && len != 0) {
+ memcpy(seed + seedlen, additional, len);
+ seedlen += len;
+ }
+
+ /* 2. Update state */
+ if ((ret = mbedtls_hmac_drbg_update(ctx, seed, seedlen)) != 0) {
+ goto exit;
+ }
+
+ /* 3. Reset reseed_counter */
+ ctx->reseed_counter = 1;
+
+exit:
+ /* 4. Done */
+ mbedtls_platform_zeroize(seed, seedlen);
+ return ret;
+}
+
+/*
+ * HMAC_DRBG reseeding: 10.1.2.4 + 9.2
+ */
+int mbedtls_hmac_drbg_reseed(mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional, size_t len)
+{
+ return hmac_drbg_reseed_core(ctx, additional, len, 0);
+}
+
+/*
+ * HMAC_DRBG initialisation (10.1.2.3 + 9.1)
+ *
+ * The nonce is not passed as a separate parameter but extracted
+ * from the entropy source as suggested in 8.6.7.
+ */
+int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx,
+ const mbedtls_md_info_t *md_info,
+ int (*f_entropy)(void *, unsigned char *, size_t),
+ void *p_entropy,
+ const unsigned char *custom,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t md_size;
+
+ if ((ret = mbedtls_md_setup(&ctx->md_ctx, md_info, 1)) != 0) {
+ return ret;
+ }
+
+ /* The mutex is initialized iff the md context is set up. */
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+
+ md_size = mbedtls_md_get_size(md_info);
+
+ /*
+ * Set initial working state.
+ * Use the V memory location, which is currently all 0, to initialize the
+ * MD context with an all-zero key. Then set V to its initial value.
+ */
+ if ((ret = mbedtls_md_hmac_starts(&ctx->md_ctx, ctx->V, md_size)) != 0) {
+ return ret;
+ }
+ memset(ctx->V, 0x01, md_size);
+
+ ctx->f_entropy = f_entropy;
+ ctx->p_entropy = p_entropy;
+
+ if (ctx->entropy_len == 0) {
+ /*
+ * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
+ * each hash function, then according to SP800-90A rev1 10.1 table 2,
+ * min_entropy_len (in bits) is security_strength.
+ *
+ * (This also matches the sizes used in the NIST test vectors.)
+ */
+ ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
+ md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
+ 32; /* better (256+) -> 256 bits */
+ }
+
+ if ((ret = hmac_drbg_reseed_core(ctx, custom, len,
+ 1 /* add nonce */)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Set prediction resistance
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance(mbedtls_hmac_drbg_context *ctx,
+ int resistance)
+{
+ ctx->prediction_resistance = resistance;
+}
+
+/*
+ * Set entropy length grabbed for seeding
+ */
+void mbedtls_hmac_drbg_set_entropy_len(mbedtls_hmac_drbg_context *ctx, size_t len)
+{
+ ctx->entropy_len = len;
+}
+
+/*
+ * Set reseed interval
+ */
+void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx, int interval)
+{
+ ctx->reseed_interval = interval;
+}
+
+/*
+ * HMAC_DRBG random function with optional additional data:
+ * 10.1.2.5 (arabic) + 9.3 (Roman)
+ */
+int mbedtls_hmac_drbg_random_with_add(void *p_rng,
+ unsigned char *output, size_t out_len,
+ const unsigned char *additional, size_t add_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+ size_t md_len = mbedtls_md_get_size(ctx->md_ctx.md_info);
+ size_t left = out_len;
+ unsigned char *out = output;
+
+ /* II. Check request length */
+ if (out_len > MBEDTLS_HMAC_DRBG_MAX_REQUEST) {
+ return MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG;
+ }
+
+ /* III. Check input length */
+ if (add_len > MBEDTLS_HMAC_DRBG_MAX_INPUT) {
+ return MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+ }
+
+ /* 1. (aka VII and IX) Check reseed counter and PR */
+ if (ctx->f_entropy != NULL && /* For no-reseeding instances */
+ (ctx->prediction_resistance == MBEDTLS_HMAC_DRBG_PR_ON ||
+ ctx->reseed_counter > ctx->reseed_interval)) {
+ if ((ret = mbedtls_hmac_drbg_reseed(ctx, additional, add_len)) != 0) {
+ return ret;
+ }
+
+ add_len = 0; /* VII.4 */
+ }
+
+ /* 2. Use additional data if any */
+ if (additional != NULL && add_len != 0) {
+ if ((ret = mbedtls_hmac_drbg_update(ctx,
+ additional, add_len)) != 0) {
+ goto exit;
+ }
+ }
+
+ /* 3, 4, 5. Generate bytes */
+ while (left != 0) {
+ size_t use_len = left > md_len ? md_len : left;
+
+ if ((ret = mbedtls_md_hmac_reset(&ctx->md_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx->md_ctx,
+ ctx->V, md_len)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_hmac_finish(&ctx->md_ctx, ctx->V)) != 0) {
+ goto exit;
+ }
+
+ memcpy(out, ctx->V, use_len);
+ out += use_len;
+ left -= use_len;
+ }
+
+ /* 6. Update */
+ if ((ret = mbedtls_hmac_drbg_update(ctx,
+ additional, add_len)) != 0) {
+ goto exit;
+ }
+
+ /* 7. Update reseed counter */
+ ctx->reseed_counter++;
+
+exit:
+ /* 8. Done */
+ return ret;
+}
+
+/*
+ * HMAC_DRBG random function
+ */
+int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = mbedtls_hmac_drbg_random_with_add(ctx, output, out_len, NULL, 0);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * This function resets HMAC_DRBG context to the state immediately
+ * after initial call of mbedtls_hmac_drbg_init().
+ */
+void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* The mutex is initialized iff the md context is set up. */
+ if (ctx->md_ctx.md_info != NULL) {
+ mbedtls_mutex_free(&ctx->mutex);
+ }
+#endif
+ mbedtls_md_free(&ctx->md_ctx);
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_hmac_drbg_context));
+ ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_hmac_drbg_write_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ FILE *f;
+ unsigned char buf[MBEDTLS_HMAC_DRBG_MAX_INPUT];
+
+ if ((f = fopen(path, "wb")) == NULL) {
+ return MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ if ((ret = mbedtls_hmac_drbg_random(ctx, buf, sizeof(buf))) != 0) {
+ goto exit;
+ }
+
+ if (fwrite(buf, 1, sizeof(buf), f) != sizeof(buf)) {
+ ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+ goto exit;
+ }
+
+ ret = 0;
+
+exit:
+ fclose(f);
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ return ret;
+}
+
+int mbedtls_hmac_drbg_update_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path)
+{
+ int ret = 0;
+ FILE *f = NULL;
+ size_t n;
+ unsigned char buf[MBEDTLS_HMAC_DRBG_MAX_INPUT];
+ unsigned char c;
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ n = fread(buf, 1, sizeof(buf), f);
+ if (fread(&c, 1, 1, f) != 0) {
+ ret = MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+ goto exit;
+ }
+ if (n == 0 || ferror(f)) {
+ ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+ goto exit;
+ }
+ fclose(f);
+ f = NULL;
+
+ ret = mbedtls_hmac_drbg_update(ctx, buf, n);
+
+exit:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ if (f != NULL) {
+ fclose(f);
+ }
+ if (ret != 0) {
+ return ret;
+ }
+ return mbedtls_hmac_drbg_write_seed_file(ctx, path);
+}
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_MD_CAN_SHA1)
+/* Dummy checkup routine */
+int mbedtls_hmac_drbg_self_test(int verbose)
+{
+ (void) verbose;
+ return 0;
+}
+#else
+
+#define OUTPUT_LEN 80
+
+/* From a NIST PR=true test vector */
+static const unsigned char entropy_pr[] = {
+ 0xa0, 0xc9, 0xab, 0x58, 0xf1, 0xe2, 0xe5, 0xa4, 0xde, 0x3e, 0xbd, 0x4f,
+ 0xf7, 0x3e, 0x9c, 0x5b, 0x64, 0xef, 0xd8, 0xca, 0x02, 0x8c, 0xf8, 0x11,
+ 0x48, 0xa5, 0x84, 0xfe, 0x69, 0xab, 0x5a, 0xee, 0x42, 0xaa, 0x4d, 0x42,
+ 0x17, 0x60, 0x99, 0xd4, 0x5e, 0x13, 0x97, 0xdc, 0x40, 0x4d, 0x86, 0xa3,
+ 0x7b, 0xf5, 0x59, 0x54, 0x75, 0x69, 0x51, 0xe4
+};
+static const unsigned char result_pr[OUTPUT_LEN] = {
+ 0x9a, 0x00, 0xa2, 0xd0, 0x0e, 0xd5, 0x9b, 0xfe, 0x31, 0xec, 0xb1, 0x39,
+ 0x9b, 0x60, 0x81, 0x48, 0xd1, 0x96, 0x9d, 0x25, 0x0d, 0x3c, 0x1e, 0x94,
+ 0x10, 0x10, 0x98, 0x12, 0x93, 0x25, 0xca, 0xb8, 0xfc, 0xcc, 0x2d, 0x54,
+ 0x73, 0x19, 0x70, 0xc0, 0x10, 0x7a, 0xa4, 0x89, 0x25, 0x19, 0x95, 0x5e,
+ 0x4b, 0xc6, 0x00, 0x1d, 0x7f, 0x4e, 0x6a, 0x2b, 0xf8, 0xa3, 0x01, 0xab,
+ 0x46, 0x05, 0x5c, 0x09, 0xa6, 0x71, 0x88, 0xf1, 0xa7, 0x40, 0xee, 0xf3,
+ 0xe1, 0x5c, 0x02, 0x9b, 0x44, 0xaf, 0x03, 0x44
+};
+
+/* From a NIST PR=false test vector */
+static const unsigned char entropy_nopr[] = {
+ 0x79, 0x34, 0x9b, 0xbf, 0x7c, 0xdd, 0xa5, 0x79, 0x95, 0x57, 0x86, 0x66,
+ 0x21, 0xc9, 0x13, 0x83, 0x11, 0x46, 0x73, 0x3a, 0xbf, 0x8c, 0x35, 0xc8,
+ 0xc7, 0x21, 0x5b, 0x5b, 0x96, 0xc4, 0x8e, 0x9b, 0x33, 0x8c, 0x74, 0xe3,
+ 0xe9, 0x9d, 0xfe, 0xdf
+};
+static const unsigned char result_nopr[OUTPUT_LEN] = {
+ 0xc6, 0xa1, 0x6a, 0xb8, 0xd4, 0x20, 0x70, 0x6f, 0x0f, 0x34, 0xab, 0x7f,
+ 0xec, 0x5a, 0xdc, 0xa9, 0xd8, 0xca, 0x3a, 0x13, 0x3e, 0x15, 0x9c, 0xa6,
+ 0xac, 0x43, 0xc6, 0xf8, 0xa2, 0xbe, 0x22, 0x83, 0x4a, 0x4c, 0x0a, 0x0a,
+ 0xff, 0xb1, 0x0d, 0x71, 0x94, 0xf1, 0xc1, 0xa5, 0xcf, 0x73, 0x22, 0xec,
+ 0x1a, 0xe0, 0x96, 0x4e, 0xd4, 0xbf, 0x12, 0x27, 0x46, 0xe0, 0x87, 0xfd,
+ 0xb5, 0xb3, 0xe9, 0x1b, 0x34, 0x93, 0xd5, 0xbb, 0x98, 0xfa, 0xed, 0x49,
+ 0xe8, 0x5f, 0x13, 0x0f, 0xc8, 0xa4, 0x59, 0xb7
+};
+
+/* "Entropy" from buffer */
+static size_t test_offset;
+static int hmac_drbg_self_test_entropy(void *data,
+ unsigned char *buf, size_t len)
+{
+ const unsigned char *p = data;
+ memcpy(buf, p + test_offset, len);
+ test_offset += len;
+ return 0;
+}
+
+#define CHK(c) if ((c) != 0) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf("failed\n"); \
+ return 1; \
+ }
+
+/*
+ * Checkup routine for HMAC_DRBG with SHA-1
+ */
+int mbedtls_hmac_drbg_self_test(int verbose)
+{
+ mbedtls_hmac_drbg_context ctx;
+ unsigned char buf[OUTPUT_LEN];
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
+
+ mbedtls_hmac_drbg_init(&ctx);
+
+ /*
+ * PR = True
+ */
+ if (verbose != 0) {
+ mbedtls_printf(" HMAC_DRBG (PR = True) : ");
+ }
+
+ test_offset = 0;
+ CHK(mbedtls_hmac_drbg_seed(&ctx, md_info,
+ hmac_drbg_self_test_entropy, (void *) entropy_pr,
+ NULL, 0));
+ mbedtls_hmac_drbg_set_prediction_resistance(&ctx, MBEDTLS_HMAC_DRBG_PR_ON);
+ CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+ CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+ CHK(memcmp(buf, result_pr, OUTPUT_LEN));
+ mbedtls_hmac_drbg_free(&ctx);
+
+ mbedtls_hmac_drbg_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ /*
+ * PR = False
+ */
+ if (verbose != 0) {
+ mbedtls_printf(" HMAC_DRBG (PR = False) : ");
+ }
+
+ mbedtls_hmac_drbg_init(&ctx);
+
+ test_offset = 0;
+ CHK(mbedtls_hmac_drbg_seed(&ctx, md_info,
+ hmac_drbg_self_test_entropy, (void *) entropy_nopr,
+ NULL, 0));
+ CHK(mbedtls_hmac_drbg_reseed(&ctx, NULL, 0));
+ CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+ CHK(mbedtls_hmac_drbg_random(&ctx, buf, OUTPUT_LEN));
+ CHK(memcmp(buf, result_nopr, OUTPUT_LEN));
+ mbedtls_hmac_drbg_free(&ctx);
+
+ mbedtls_hmac_drbg_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_HMAC_DRBG_C */
diff --git a/library/lmots.c b/library/lmots.c
new file mode 100644
index 0000000..c7091b4
--- /dev/null
+++ b/library/lmots.c
@@ -0,0 +1,778 @@
+/*
+ * The LM-OTS one-time public-key signature scheme
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the LM-OTS algorithm:
+ *
+ * [1] IETF RFC8554
+ * D. McGrew, M. Curcio, S.Fluhrer
+ * https://datatracker.ietf.org/doc/html/rfc8554
+ *
+ * [2] NIST Special Publication 800-208
+ * David A. Cooper et. al.
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_LMS_C)
+
+#include <string.h>
+
+#include "lmots.h"
+
+#include "mbedtls/lms.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "psa_util_internal.h"
+
+#include "psa/crypto.h"
+
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_lms_errors,
+ ARRAY_LENGTH(psa_to_lms_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+
+#define PUBLIC_KEY_TYPE_OFFSET (0)
+#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
+ MBEDTLS_LMOTS_TYPE_LEN)
+#define PUBLIC_KEY_Q_LEAF_ID_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN)
+#define PUBLIC_KEY_KEY_HASH_OFFSET (PUBLIC_KEY_Q_LEAF_ID_OFFSET + \
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
+
+/* We only support parameter sets that use 8-bit digits, as it does not require
+ * translation logic between digits and bytes */
+#define W_WINTERNITZ_PARAMETER (8u)
+#define CHECKSUM_LEN (2)
+#define I_DIGIT_IDX_LEN (2)
+#define J_HASH_IDX_LEN (1)
+#define D_CONST_LEN (2)
+
+#define DIGIT_MAX_VALUE ((1u << W_WINTERNITZ_PARAMETER) - 1u)
+
+#define D_CONST_LEN (2)
+static const unsigned char D_PUBLIC_CONSTANT_BYTES[D_CONST_LEN] = { 0x80, 0x80 };
+static const unsigned char D_MESSAGE_CONSTANT_BYTES[D_CONST_LEN] = { 0x81, 0x81 };
+
+#if defined(MBEDTLS_TEST_HOOKS)
+int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *) = NULL;
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+/* Calculate the checksum digits that are appended to the end of the LMOTS digit
+ * string. See NIST SP800-208 section 3.1 or RFC8554 Algorithm 2 for details of
+ * the checksum algorithm.
+ *
+ * params The LMOTS parameter set, I and q values which
+ * describe the key being used.
+ *
+ * digest The digit string to create the digest from. As
+ * this does not contain a checksum, it is the same
+ * size as a hash output.
+ */
+static unsigned short lmots_checksum_calculate(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *digest)
+{
+ size_t idx;
+ unsigned sum = 0;
+
+ for (idx = 0; idx < MBEDTLS_LMOTS_N_HASH_LEN(params->type); idx++) {
+ sum += DIGIT_MAX_VALUE - digest[idx];
+ }
+
+ return sum;
+}
+
+/* Create the string of digest digits (in the base determined by the Winternitz
+ * parameter with the checksum appended to the end (Q || cksm(Q)). See NIST
+ * SP800-208 section 3.1 or RFC8554 Algorithm 3 step 5 (also used in Algorithm
+ * 4b step 3) for details.
+ *
+ * params The LMOTS parameter set, I and q values which
+ * describe the key being used.
+ *
+ * msg The message that will be hashed to create the
+ * digest.
+ *
+ * msg_size The size of the message.
+ *
+ * C_random_value The random value that will be combined with the
+ * message digest. This is always the same size as a
+ * hash output for whichever hash algorithm is
+ * determined by the parameter set.
+ *
+ * output An output containing the digit string (+
+ * checksum) of length P digits (in the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8, this means it is of
+ * size P bytes).
+ */
+static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *msg,
+ size_t msg_len,
+ const unsigned char *C_random_value,
+ unsigned char *out)
+{
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned short checksum;
+
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, D_MESSAGE_CONSTANT_BYTES, D_CONST_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, C_random_value,
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, msg, msg_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, out,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ checksum = lmots_checksum_calculate(params, out);
+ MBEDTLS_PUT_UINT16_BE(checksum, out, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+
+exit:
+ psa_hash_abort(&op);
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+/* Hash each element of the string of digits (+ checksum), producing a hash
+ * output for each element. This is used in several places (by varying the
+ * hash_idx_min/max_values) in order to calculate a public key from a private
+ * key (RFC8554 Algorithm 1 step 4), in order to sign a message (RFC8554
+ * Algorithm 3 step 5), and to calculate a public key candidate from a
+ * signature and message (RFC8554 Algorithm 4b step 3).
+ *
+ * params The LMOTS parameter set, I and q values which
+ * describe the key being used.
+ *
+ * x_digit_array The array of digits (of size P, 34 in the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8).
+ *
+ * hash_idx_min_values An array of the starting values of the j iterator
+ * for each of the members of the digit array. If
+ * this value in NULL, then all iterators will start
+ * at 0.
+ *
+ * hash_idx_max_values An array of the upper bound values of the j
+ * iterator for each of the members of the digit
+ * array. If this value in NULL, then iterator is
+ * bounded to be less than 2^w - 1 (255 in the case
+ * of MBEDTLS_LMOTS_SHA256_N32_W8)
+ *
+ * output An array containing a hash output for each member
+ * of the digit string P. In the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8, this is of size 32 *
+ * 34.
+ */
+static int hash_digit_array(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *x_digit_array,
+ const unsigned char *hash_idx_min_values,
+ const unsigned char *hash_idx_max_values,
+ unsigned char *output)
+{
+ unsigned int i_digit_idx;
+ unsigned char i_digit_idx_bytes[I_DIGIT_IDX_LEN];
+ unsigned int j_hash_idx;
+ unsigned char j_hash_idx_bytes[J_HASH_IDX_LEN];
+ unsigned int j_hash_idx_min;
+ unsigned int j_hash_idx_max;
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned char tmp_hash[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+
+ for (i_digit_idx = 0;
+ i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type);
+ i_digit_idx++) {
+
+ memcpy(tmp_hash,
+ &x_digit_array[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+
+ j_hash_idx_min = hash_idx_min_values != NULL ?
+ hash_idx_min_values[i_digit_idx] : 0;
+ j_hash_idx_max = hash_idx_max_values != NULL ?
+ hash_idx_max_values[i_digit_idx] : DIGIT_MAX_VALUE;
+
+ for (j_hash_idx = j_hash_idx_min;
+ j_hash_idx < j_hash_idx_max;
+ j_hash_idx++) {
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ params->q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
+ status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ j_hash_idx_bytes[0] = (uint8_t) j_hash_idx;
+ status = psa_hash_update(&op, j_hash_idx_bytes, J_HASH_IDX_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, tmp_hash,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, tmp_hash, sizeof(tmp_hash),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ psa_hash_abort(&op);
+ }
+
+ memcpy(&output[i_digit_idx * MBEDTLS_LMOTS_N_HASH_LEN(params->type)],
+ tmp_hash, MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+ }
+
+exit:
+ psa_hash_abort(&op);
+ mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+/* Combine the hashes of the digit array into a public key. This is used in
+ * in order to calculate a public key from a private key (RFC8554 Algorithm 1
+ * step 4), and to calculate a public key candidate from a signature and message
+ * (RFC8554 Algorithm 4b step 3).
+ *
+ * params The LMOTS parameter set, I and q values which describe
+ * the key being used.
+ * y_hashed_digits The array of hashes, one hash for each digit of the
+ * symbol array (which is of size P, 34 in the case of
+ * MBEDTLS_LMOTS_SHA256_N32_W8)
+ *
+ * pub_key The output public key (or candidate public key in
+ * case this is being run as part of signature
+ * verification), in the form of a hash output.
+ */
+static int public_key_from_hashed_digit_array(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *y_hashed_digits,
+ unsigned char *pub_key)
+{
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, D_PUBLIC_CONSTANT_BYTES, D_CONST_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, y_hashed_digits,
+ MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(params->type) *
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, pub_key,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+
+exit:
+ psa_hash_abort(&op);
+ }
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_lms_error_from_psa(psa_status_t status)
+{
+ switch (status) {
+ case PSA_SUCCESS:
+ return 0;
+ case PSA_ERROR_HARDWARE_FAILURE:
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+ case PSA_ERROR_BUFFER_TOO_SMALL:
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ case PSA_ERROR_INVALID_ARGUMENT:
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ default:
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+ }
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
+{
+ mbedtls_platform_zeroize(ctx, sizeof(*ctx));
+}
+
+int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
+ const unsigned char *key, size_t key_len)
+{
+ if (key_len < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ctx->params.type = (mbedtls_lmots_algorithm_type_t)
+ MBEDTLS_GET_UINT32_BE(key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
+
+ if (key_len != MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ memcpy(ctx->params.I_key_identifier,
+ key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+
+ memcpy(ctx->params.q_leaf_identifier,
+ key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+
+ memcpy(ctx->public_key,
+ key + PUBLIC_KEY_KEY_HASH_OFFSET,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
+
+ ctx->have_public_key = 1;
+
+ return 0;
+}
+
+int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
+ unsigned char *key, size_t key_size,
+ size_t *key_len)
+{
+ if (key_size < MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ }
+
+ if (!ctx->have_public_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
+
+ memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+
+ memcpy(key + PUBLIC_KEY_Q_LEAF_ID_OFFSET,
+ ctx->params.q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+
+ memcpy(key + PUBLIC_KEY_KEY_HASH_OFFSET, ctx->public_key,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
+
+ if (key_len != NULL) {
+ *key_len = MBEDTLS_LMOTS_PUBLIC_KEY_LEN(ctx->params.type);
+ }
+
+ return 0;
+}
+
+int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *msg,
+ size_t msg_size,
+ const unsigned char *sig,
+ size_t sig_size,
+ unsigned char *out,
+ size_t out_size,
+ size_t *out_len)
+{
+ unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
+ unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (msg == NULL && msg_size != 0) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size != MBEDTLS_LMOTS_SIG_LEN(params->type) ||
+ out_size < MBEDTLS_LMOTS_N_HASH_LEN(params->type)) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ret = create_digit_array_with_checksum(params, msg, msg_size,
+ sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET,
+ tmp_digit_array);
+ if (ret) {
+ return ret;
+ }
+
+ ret = hash_digit_array(params,
+ sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(params->type),
+ tmp_digit_array, NULL, (unsigned char *) y_hashed_digits);
+ if (ret) {
+ return ret;
+ }
+
+ ret = public_key_from_hashed_digit_array(params,
+ (unsigned char *) y_hashed_digits,
+ out);
+ if (ret) {
+ return ret;
+ }
+
+ if (out_len != NULL) {
+ *out_len = MBEDTLS_LMOTS_N_HASH_LEN(params->type);
+ }
+
+ return 0;
+}
+
+int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
+ const unsigned char *msg, size_t msg_size,
+ const unsigned char *sig, size_t sig_size)
+{
+ unsigned char Kc_public_key_candidate[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (msg == NULL && msg_size != 0) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (!ctx->have_public_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->params.type != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size < MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (MBEDTLS_GET_UINT32_BE(sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET) != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ ret = mbedtls_lmots_calculate_public_key_candidate(&ctx->params,
+ msg, msg_size, sig, sig_size,
+ Kc_public_key_candidate,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
+ NULL);
+ if (ret) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (memcmp(&Kc_public_key_candidate, ctx->public_key,
+ sizeof(ctx->public_key))) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+
+void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
+{
+ mbedtls_platform_zeroize(ctx,
+ sizeof(*ctx));
+}
+
+int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
+ mbedtls_lmots_algorithm_type_t type,
+ const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
+ uint32_t q_leaf_identifier,
+ const unsigned char *seed,
+ size_t seed_size)
+{
+ psa_hash_operation_t op = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned int i_digit_idx;
+ unsigned char i_digit_idx_bytes[2];
+ unsigned char const_bytes[1] = { 0xFF };
+
+ if (ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (type != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ctx->params.type = type;
+
+ memcpy(ctx->params.I_key_identifier,
+ I_key_identifier,
+ sizeof(ctx->params.I_key_identifier));
+
+ MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ctx->params.q_leaf_identifier, 0);
+
+ for (i_digit_idx = 0;
+ i_digit_idx < MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type);
+ i_digit_idx++) {
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ ctx->params.I_key_identifier,
+ sizeof(ctx->params.I_key_identifier));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op,
+ ctx->params.q_leaf_identifier,
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(i_digit_idx, i_digit_idx_bytes, 0);
+ status = psa_hash_update(&op, i_digit_idx_bytes, I_DIGIT_IDX_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, const_bytes, sizeof(const_bytes));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, seed, seed_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op,
+ ctx->private_key[i_digit_idx],
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ psa_hash_abort(&op);
+ }
+
+ ctx->have_private_key = 1;
+
+exit:
+ psa_hash_abort(&op);
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
+ const mbedtls_lmots_private_t *priv_ctx)
+{
+ unsigned char y_hashed_digits[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Check that a private key is loaded */
+ if (!priv_ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ret = hash_digit_array(&priv_ctx->params,
+ (unsigned char *) priv_ctx->private_key, NULL,
+ NULL, (unsigned char *) y_hashed_digits);
+ if (ret) {
+ goto exit;
+ }
+
+ ret = public_key_from_hashed_digit_array(&priv_ctx->params,
+ (unsigned char *) y_hashed_digits,
+ ctx->public_key);
+ if (ret) {
+ goto exit;
+ }
+
+ memcpy(&ctx->params, &priv_ctx->params,
+ sizeof(ctx->params));
+
+ ctx->have_public_key = 1;
+
+exit:
+ mbedtls_platform_zeroize(y_hashed_digits, sizeof(y_hashed_digits));
+
+ return ret;
+}
+
+int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *msg, size_t msg_size,
+ unsigned char *sig, size_t sig_size, size_t *sig_len)
+{
+ unsigned char tmp_digit_array[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX];
+ /* Create a temporary buffer to prepare the signature in. This allows us to
+ * finish creating a signature (ensuring the process doesn't fail), and then
+ * erase the private key **before** writing any data into the sig parameter
+ * buffer. If data were directly written into the sig buffer, it might leak
+ * a partial signature on failure, which effectively compromises the private
+ * key.
+ */
+ unsigned char tmp_sig[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char tmp_c_random[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (msg == NULL && msg_size != 0) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size < MBEDTLS_LMOTS_SIG_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ }
+
+ /* Check that a private key is loaded */
+ if (!ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ret = f_rng(p_rng, tmp_c_random,
+ MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
+ if (ret) {
+ return ret;
+ }
+
+ ret = create_digit_array_with_checksum(&ctx->params,
+ msg, msg_size,
+ tmp_c_random,
+ tmp_digit_array);
+ if (ret) {
+ goto exit;
+ }
+
+ ret = hash_digit_array(&ctx->params, (unsigned char *) ctx->private_key,
+ NULL, tmp_digit_array, (unsigned char *) tmp_sig);
+ if (ret) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, MBEDTLS_LMOTS_SIG_TYPE_OFFSET);
+
+ /* Test hook to check if sig is being written to before we invalidate the
+ * private key.
+ */
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (mbedtls_lmots_sign_private_key_invalidated_hook != NULL) {
+ ret = (*mbedtls_lmots_sign_private_key_invalidated_hook)(sig);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+ /* We've got a valid signature now, so it's time to make sure the private
+ * key can't be reused.
+ */
+ ctx->have_private_key = 0;
+ mbedtls_platform_zeroize(ctx->private_key,
+ sizeof(ctx->private_key));
+
+ memcpy(sig + MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET, tmp_c_random,
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(ctx->params.type));
+
+ memcpy(sig + MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(ctx->params.type), tmp_sig,
+ MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(ctx->params.type)
+ * MBEDTLS_LMOTS_N_HASH_LEN(ctx->params.type));
+
+ if (sig_len != NULL) {
+ *sig_len = MBEDTLS_LMOTS_SIG_LEN(ctx->params.type);
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize(tmp_digit_array, sizeof(tmp_digit_array));
+ mbedtls_platform_zeroize(tmp_sig, sizeof(tmp_sig));
+
+ return ret;
+}
+
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+#endif /* defined(MBEDTLS_LMS_C) */
diff --git a/library/lmots.h b/library/lmots.h
new file mode 100644
index 0000000..cf92d32
--- /dev/null
+++ b/library/lmots.h
@@ -0,0 +1,288 @@
+/**
+ * \file lmots.h
+ *
+ * \brief This file provides an API for the LM-OTS post-quantum-safe one-time
+ * public-key signature scheme as defined in RFC8554 and NIST.SP.200-208.
+ * This implementation currently only supports a single parameter set
+ * MBEDTLS_LMOTS_SHA256_N32_W8 in order to reduce complexity.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_LMOTS_H
+#define MBEDTLS_LMOTS_H
+
+#include "mbedtls/build_info.h"
+
+#include "psa/crypto.h"
+
+#include "mbedtls/lms.h"
+
+#include <stdint.h>
+#include <stddef.h>
+
+
+#define MBEDTLS_LMOTS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN + \
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \
+ MBEDTLS_LMOTS_N_HASH_LEN(type))
+
+#define MBEDTLS_LMOTS_SIG_TYPE_OFFSET (0)
+#define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \
+ MBEDTLS_LMOTS_TYPE_LEN)
+#define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \
+ MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type))
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#if defined(MBEDTLS_TEST_HOOKS)
+extern int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *);
+#endif /* defined(MBEDTLS_TEST_HOOKS) */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/**
+ * \brief This function converts a \ref psa_status_t to a
+ * low-level LMS error code.
+ *
+ * \param status The psa_status_t to convert
+ *
+ * \return The corresponding LMS error code.
+ */
+int MBEDTLS_DEPRECATED mbedtls_lms_error_from_psa(psa_status_t status);
+#endif
+
+/**
+ * \brief This function initializes a public LMOTS context
+ *
+ * \param ctx The uninitialized LMOTS context that will then be
+ * initialized.
+ */
+void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx);
+
+/**
+ * \brief This function uninitializes a public LMOTS context
+ *
+ * \param ctx The initialized LMOTS context that will then be
+ * uninitialized.
+ */
+void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx);
+
+/**
+ * \brief This function imports an LMOTS public key into a
+ * LMOTS context.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMOTS context store the key in.
+ * \param key The buffer from which the key will be read.
+ * #MBEDTLS_LMOTS_PUBLIC_KEY_LEN bytes will be read
+ * from this.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx,
+ const unsigned char *key, size_t key_size);
+
+/**
+ * \brief This function exports an LMOTS public key from a
+ * LMOTS context that already contains a public key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a public key.
+ *
+ * \note See IETF RFC8554 for details of the encoding of
+ * this public key.
+ *
+ * \param ctx The initialized LMOTS context that contains the
+ * public key.
+ * \param key The buffer into which the key will be output. Must
+ * be at least #MBEDTLS_LMOTS_PUBLIC_KEY_LEN in size.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx,
+ unsigned char *key, size_t key_size,
+ size_t *key_len);
+
+/**
+ * \brief This function creates a candidate public key from
+ * an LMOTS signature. This can then be compared to
+ * the real public key to determine the validity of
+ * the signature.
+ *
+ * \note This function is exposed publicly to be used in LMS
+ * signature verification, it is expected that
+ * mbedtls_lmots_verify will be used for LMOTS
+ * signature verification.
+ *
+ * \param params The LMOTS parameter set, q and I values as an
+ * mbedtls_lmots_parameters_t struct.
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buffer from which the signature will be read.
+ * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
+ * this.
+ * \param out The buffer where the candidate public key will be
+ * stored. Must be at least #MBEDTLS_LMOTS_N_HASH_LEN
+ * bytes in size.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params,
+ const unsigned char *msg,
+ size_t msg_size,
+ const unsigned char *sig,
+ size_t sig_size,
+ unsigned char *out,
+ size_t out_size,
+ size_t *out_len);
+
+/**
+ * \brief This function verifies a LMOTS signature, using a
+ * LMOTS context that contains a public key.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a public key
+ * (either by import or calculation from a private
+ * key).
+ *
+ * \param ctx The initialized LMOTS context from which the public
+ * key will be read.
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf from which the signature will be read.
+ * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from
+ * this.
+ *
+ * \return \c 0 on successful verification.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx,
+ const unsigned char *msg,
+ size_t msg_size, const unsigned char *sig,
+ size_t sig_size);
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+
+/**
+ * \brief This function initializes a private LMOTS context
+ *
+ * \param ctx The uninitialized LMOTS context that will then be
+ * initialized.
+ */
+void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx);
+
+/**
+ * \brief This function uninitializes a private LMOTS context
+ *
+ * \param ctx The initialized LMOTS context that will then be
+ * uninitialized.
+ */
+void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx);
+
+/**
+ * \brief This function calculates an LMOTS private key, and
+ * stores in into an LMOTS context.
+ *
+ * \warning This function is **not intended for use in
+ * production**, due to as-yet unsolved problems with
+ * handling stateful keys. The API for this function
+ * may change considerably in future versions.
+ *
+ * \note The seed must have at least 256 bits of entropy.
+ *
+ * \param ctx The initialized LMOTS context to generate the key
+ * into.
+ * \param I_key_identifier The key identifier of the key, as a 16-byte string.
+ * \param q_leaf_identifier The leaf identifier of key. If this LMOTS key is
+ * not being used as part of an LMS key, this should
+ * be set to 0.
+ * \param seed The seed used to deterministically generate the
+ * key.
+ * \param seed_size The length of the seed.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
+ mbedtls_lmots_algorithm_type_t type,
+ const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN],
+ uint32_t q_leaf_identifier,
+ const unsigned char *seed,
+ size_t seed_size);
+
+/**
+ * \brief This function generates an LMOTS public key from a
+ * LMOTS context that already contains a private key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and the context must contain
+ * a private key.
+ *
+ * \param ctx The initialized LMOTS context to generate the key
+ * from and store it into.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,
+ const mbedtls_lmots_private_t *priv_ctx);
+
+/**
+ * \brief This function creates a LMOTS signature, using a
+ * LMOTS context that contains a private key.
+ *
+ * \note Before this function is called, the context must
+ * have been initialized and must contain a private
+ * key.
+ *
+ * \note LMOTS private keys can only be used once, otherwise
+ * attackers may be able to create forged signatures.
+ * If the signing operation is successful, the private
+ * key in the context will be erased, and no further
+ * signing will be possible until another private key
+ * is loaded
+ *
+ * \param ctx The initialized LMOTS context from which the
+ * private key will be read.
+ * \param f_rng The RNG function to be used for signature
+ * generation.
+ * \param p_rng The RNG context to be passed to f_rng
+ * \param msg The buffer from which the message will be read.
+ * \param msg_size The size of the message that will be read.
+ * \param sig The buf into which the signature will be stored.
+ * Must be at least #MBEDTLS_LMOTS_SIG_LEN in size.
+ *
+ * \return \c 0 on success.
+ * \return A non-zero error code on failure.
+ */
+int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *msg, size_t msg_size,
+ unsigned char *sig, size_t sig_size, size_t *sig_len);
+
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_LMOTS_H */
diff --git a/library/lms.c b/library/lms.c
new file mode 100644
index 0000000..8d3cae0
--- /dev/null
+++ b/library/lms.c
@@ -0,0 +1,761 @@
+/*
+ * The LMS stateful-hash public-key signature scheme
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the LMS algorithm:
+ *
+ * [1] IETF RFC8554
+ * D. McGrew, M. Curcio, S.Fluhrer
+ * https://datatracker.ietf.org/doc/html/rfc8554
+ *
+ * [2] NIST Special Publication 800-208
+ * David A. Cooper et. al.
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_LMS_C)
+
+#include <string.h>
+
+#include "lmots.h"
+
+#include "psa/crypto.h"
+#include "psa_util_internal.h"
+#include "mbedtls/lms.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include "mbedtls/platform.h"
+
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_lms_errors,
+ ARRAY_LENGTH(psa_to_lms_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+
+#define SIG_Q_LEAF_ID_OFFSET (0)
+#define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \
+ MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
+#define SIG_TYPE_OFFSET(otstype) (SIG_OTS_SIG_OFFSET + \
+ MBEDTLS_LMOTS_SIG_LEN(otstype))
+#define SIG_PATH_OFFSET(otstype) (SIG_TYPE_OFFSET(otstype) + \
+ MBEDTLS_LMS_TYPE_LEN)
+
+#define PUBLIC_KEY_TYPE_OFFSET (0)
+#define PUBLIC_KEY_OTSTYPE_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
+ MBEDTLS_LMS_TYPE_LEN)
+#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_OTSTYPE_OFFSET + \
+ MBEDTLS_LMOTS_TYPE_LEN)
+#define PUBLIC_KEY_ROOT_NODE_OFFSET (PUBLIC_KEY_I_KEY_ID_OFFSET + \
+ MBEDTLS_LMOTS_I_KEY_ID_LEN)
+
+
+/* Currently only support H=10 */
+#define H_TREE_HEIGHT_MAX 10
+#define MERKLE_TREE_NODE_AM(type) ((size_t) 1 << (MBEDTLS_LMS_H_TREE_HEIGHT(type) + 1u))
+#define MERKLE_TREE_LEAF_NODE_AM(type) ((size_t) 1 << MBEDTLS_LMS_H_TREE_HEIGHT(type))
+#define MERKLE_TREE_INTERNAL_NODE_AM(type) ((unsigned int) \
+ (1u << MBEDTLS_LMS_H_TREE_HEIGHT(type)))
+
+#define D_CONST_LEN (2)
+static const unsigned char D_LEAF_CONSTANT_BYTES[D_CONST_LEN] = { 0x82, 0x82 };
+static const unsigned char D_INTR_CONSTANT_BYTES[D_CONST_LEN] = { 0x83, 0x83 };
+
+
+/* Calculate the value of a leaf node of the Merkle tree (which is a hash of a
+ * public key and some other parameters like the leaf index). This function
+ * implements RFC8554 section 5.3, in the case where r >= 2^h.
+ *
+ * params The LMS parameter set, the underlying LMOTS
+ * parameter set, and I value which describe the key
+ * being used.
+ *
+ * pub_key The public key of the private whose index
+ * corresponds to the index of this leaf node. This
+ * is a hash output.
+ *
+ * r_node_idx The index of this node in the Merkle tree. Note
+ * that the root node of the Merkle tree is
+ * 1-indexed.
+ *
+ * out The output node value, which is a hash output.
+ */
+static int create_merkle_leaf_value(const mbedtls_lms_parameters_t *params,
+ unsigned char *pub_key,
+ unsigned int r_node_idx,
+ unsigned char *out)
+{
+ psa_hash_operation_t op;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned char r_node_idx_bytes[4];
+
+ op = psa_hash_operation_init();
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(r_node_idx, r_node_idx_bytes, 0);
+ status = psa_hash_update(&op, r_node_idx_bytes, 4);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, D_LEAF_CONSTANT_BYTES, D_CONST_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, pub_key,
+ MBEDTLS_LMOTS_N_HASH_LEN(params->otstype));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ psa_hash_abort(&op);
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+/* Calculate the value of an internal node of the Merkle tree (which is a hash
+ * of a public key and some other parameters like the node index). This function
+ * implements RFC8554 section 5.3, in the case where r < 2^h.
+ *
+ * params The LMS parameter set, the underlying LMOTS
+ * parameter set, and I value which describe the key
+ * being used.
+ *
+ * left_node The value of the child of this node which is on
+ * the left-hand side. As with all nodes on the
+ * Merkle tree, this is a hash output.
+ *
+ * right_node The value of the child of this node which is on
+ * the right-hand side. As with all nodes on the
+ * Merkle tree, this is a hash output.
+ *
+ * r_node_idx The index of this node in the Merkle tree. Note
+ * that the root node of the Merkle tree is
+ * 1-indexed.
+ *
+ * out The output node value, which is a hash output.
+ */
+static int create_merkle_internal_value(const mbedtls_lms_parameters_t *params,
+ const unsigned char *left_node,
+ const unsigned char *right_node,
+ unsigned int r_node_idx,
+ unsigned char *out)
+{
+ psa_hash_operation_t op;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_hash_len;
+ unsigned char r_node_idx_bytes[4];
+
+ op = psa_hash_operation_init();
+ status = psa_hash_setup(&op, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, params->I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(r_node_idx, r_node_idx_bytes, 0);
+ status = psa_hash_update(&op, r_node_idx_bytes, 4);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, D_INTR_CONSTANT_BYTES, D_CONST_LEN);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, left_node,
+ MBEDTLS_LMS_M_NODE_BYTES(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&op, right_node,
+ MBEDTLS_LMS_M_NODE_BYTES(params->type));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&op, out, MBEDTLS_LMS_M_NODE_BYTES(params->type),
+ &output_hash_len);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ psa_hash_abort(&op);
+
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+void mbedtls_lms_public_free(mbedtls_lms_public_t *ctx)
+{
+ mbedtls_platform_zeroize(ctx, sizeof(*ctx));
+}
+
+int mbedtls_lms_import_public_key(mbedtls_lms_public_t *ctx,
+ const unsigned char *key, size_t key_size)
+{
+ mbedtls_lms_algorithm_type_t type;
+ mbedtls_lmots_algorithm_type_t otstype;
+
+ type = (mbedtls_lms_algorithm_type_t) MBEDTLS_GET_UINT32_BE(key, PUBLIC_KEY_TYPE_OFFSET);
+ if (type != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+ ctx->params.type = type;
+
+ if (key_size != MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ otstype = (mbedtls_lmots_algorithm_type_t)
+ MBEDTLS_GET_UINT32_BE(key, PUBLIC_KEY_OTSTYPE_OFFSET);
+ if (otstype != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+ ctx->params.otstype = otstype;
+
+ memcpy(ctx->params.I_key_identifier,
+ key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ memcpy(ctx->T_1_pub_key, key + PUBLIC_KEY_ROOT_NODE_OFFSET,
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type));
+
+ ctx->have_public_key = 1;
+
+ return 0;
+}
+
+int mbedtls_lms_export_public_key(const mbedtls_lms_public_t *ctx,
+ unsigned char *key,
+ size_t key_size, size_t *key_len)
+{
+ if (key_size < MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ }
+
+ if (!ctx->have_public_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(ctx->params.type, key, PUBLIC_KEY_TYPE_OFFSET);
+ MBEDTLS_PUT_UINT32_BE(ctx->params.otstype, key, PUBLIC_KEY_OTSTYPE_OFFSET);
+ memcpy(key + PUBLIC_KEY_I_KEY_ID_OFFSET,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ memcpy(key +PUBLIC_KEY_ROOT_NODE_OFFSET,
+ ctx->T_1_pub_key,
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type));
+
+ if (key_len != NULL) {
+ *key_len = MBEDTLS_LMS_PUBLIC_KEY_LEN(ctx->params.type);
+ }
+
+ return 0;
+}
+
+int mbedtls_lms_verify(const mbedtls_lms_public_t *ctx,
+ const unsigned char *msg, size_t msg_size,
+ const unsigned char *sig, size_t sig_size)
+{
+ unsigned int q_leaf_identifier;
+ unsigned char Kc_candidate_ots_pub_key[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+ unsigned char Tc_candidate_root_node[MBEDTLS_LMS_M_NODE_BYTES_MAX];
+ unsigned int height;
+ unsigned int curr_node_id;
+ unsigned int parent_node_id;
+ const unsigned char *left_node;
+ const unsigned char *right_node;
+ mbedtls_lmots_parameters_t ots_params;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (!ctx->have_public_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->params.type
+ != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->params.otstype
+ != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size != MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (sig_size < SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (MBEDTLS_GET_UINT32_BE(sig, SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_SIG_TYPE_OFFSET)
+ != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (sig_size < SIG_TYPE_OFFSET(ctx->params.otstype) + MBEDTLS_LMS_TYPE_LEN) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ if (MBEDTLS_GET_UINT32_BE(sig, SIG_TYPE_OFFSET(ctx->params.otstype))
+ != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+
+ q_leaf_identifier = MBEDTLS_GET_UINT32_BE(sig, SIG_Q_LEAF_ID_OFFSET);
+
+ if (q_leaf_identifier >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ memcpy(ots_params.I_key_identifier,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, ots_params.q_leaf_identifier, 0);
+ ots_params.type = ctx->params.otstype;
+
+ ret = mbedtls_lmots_calculate_public_key_candidate(&ots_params,
+ msg,
+ msg_size,
+ sig + SIG_OTS_SIG_OFFSET,
+ MBEDTLS_LMOTS_SIG_LEN(ctx->params.otstype),
+ Kc_candidate_ots_pub_key,
+ sizeof(Kc_candidate_ots_pub_key),
+ NULL);
+ if (ret != 0) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ create_merkle_leaf_value(
+ &ctx->params,
+ Kc_candidate_ots_pub_key,
+ MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier,
+ Tc_candidate_root_node);
+
+ curr_node_id = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) +
+ q_leaf_identifier;
+
+ for (height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type);
+ height++) {
+ parent_node_id = curr_node_id / 2;
+
+ /* Left/right node ordering matters for the hash */
+ if (curr_node_id & 1) {
+ left_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) +
+ height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
+ right_node = Tc_candidate_root_node;
+ } else {
+ left_node = Tc_candidate_root_node;
+ right_node = sig + SIG_PATH_OFFSET(ctx->params.otstype) +
+ height * MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
+ }
+
+ create_merkle_internal_value(&ctx->params, left_node, right_node,
+ parent_node_id, Tc_candidate_root_node);
+
+ curr_node_id /= 2;
+ }
+
+ if (memcmp(Tc_candidate_root_node, ctx->T_1_pub_key,
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type))) {
+ return MBEDTLS_ERR_LMS_VERIFY_FAILED;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+
+/* Calculate a full Merkle tree based on a private key. This function
+ * implements RFC8554 section 5.3, and is used to generate a public key (as the
+ * public key is the root node of the Merkle tree).
+ *
+ * ctx The LMS private context, containing a parameter
+ * set and private key material consisting of both
+ * public and private OTS.
+ *
+ * tree The output tree, which is 2^(H + 1) hash outputs.
+ * In the case of H=10 we have 2048 tree nodes (of
+ * which 1024 of them are leaf nodes). Note that
+ * because the Merkle tree root is 1-indexed, the 0
+ * index tree node is never used.
+ */
+static int calculate_merkle_tree(const mbedtls_lms_private_t *ctx,
+ unsigned char *tree)
+{
+ unsigned int priv_key_idx;
+ unsigned int r_node_idx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* First create the leaf nodes, in ascending order */
+ for (priv_key_idx = 0;
+ priv_key_idx < MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type);
+ priv_key_idx++) {
+ r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + priv_key_idx;
+
+ ret = create_merkle_leaf_value(&ctx->params,
+ ctx->ots_public_keys[priv_key_idx].public_key,
+ r_node_idx,
+ &tree[r_node_idx * MBEDTLS_LMS_M_NODE_BYTES(
+ ctx->params.type)]);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ /* Then the internal nodes, in reverse order so that we can guarantee the
+ * parent has been created */
+ for (r_node_idx = MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) - 1;
+ r_node_idx > 0;
+ r_node_idx--) {
+ ret = create_merkle_internal_value(&ctx->params,
+ &tree[(r_node_idx * 2) *
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)],
+ &tree[(r_node_idx * 2 + 1) *
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)],
+ r_node_idx,
+ &tree[r_node_idx *
+ MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type)]);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
+/* Calculate a path from a leaf node of the Merkle tree to the root of the tree,
+ * and return the full path. This function implements RFC8554 section 5.4.1, as
+ * the Merkle path is the main component of an LMS signature.
+ *
+ * ctx The LMS private context, containing a parameter
+ * set and private key material consisting of both
+ * public and private OTS.
+ *
+ * leaf_node_id Which leaf node to calculate the path from.
+ *
+ * path The output path, which is H hash outputs.
+ */
+static int get_merkle_path(mbedtls_lms_private_t *ctx,
+ unsigned int leaf_node_id,
+ unsigned char *path)
+{
+ const size_t node_bytes = MBEDTLS_LMS_M_NODE_BYTES(ctx->params.type);
+ unsigned int curr_node_id = leaf_node_id;
+ unsigned int adjacent_node_id;
+ unsigned char *tree = NULL;
+ unsigned int height;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ tree = mbedtls_calloc((size_t) MERKLE_TREE_NODE_AM(ctx->params.type),
+ node_bytes);
+ if (tree == NULL) {
+ return MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ }
+
+ ret = calculate_merkle_tree(ctx, tree);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ for (height = 0; height < MBEDTLS_LMS_H_TREE_HEIGHT(ctx->params.type);
+ height++) {
+ adjacent_node_id = curr_node_id ^ 1;
+
+ memcpy(&path[height * node_bytes],
+ &tree[adjacent_node_id * node_bytes], node_bytes);
+
+ curr_node_id >>= 1;
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_zeroize_and_free(tree, node_bytes *
+ (size_t) MERKLE_TREE_NODE_AM(ctx->params.type));
+
+ return ret;
+}
+
+void mbedtls_lms_private_init(mbedtls_lms_private_t *ctx)
+{
+ memset(ctx, 0, sizeof(*ctx));
+}
+
+void mbedtls_lms_private_free(mbedtls_lms_private_t *ctx)
+{
+ unsigned int idx;
+
+ if (ctx->have_private_key) {
+ if (ctx->ots_private_keys != NULL) {
+ for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
+ mbedtls_lmots_private_free(&ctx->ots_private_keys[idx]);
+ }
+ }
+
+ if (ctx->ots_public_keys != NULL) {
+ for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
+ mbedtls_lmots_public_free(&ctx->ots_public_keys[idx]);
+ }
+ }
+
+ mbedtls_free(ctx->ots_private_keys);
+ mbedtls_free(ctx->ots_public_keys);
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(*ctx));
+}
+
+
+int mbedtls_lms_generate_private_key(mbedtls_lms_private_t *ctx,
+ mbedtls_lms_algorithm_type_t type,
+ mbedtls_lmots_algorithm_type_t otstype,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *seed,
+ size_t seed_size)
+{
+ unsigned int idx = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (type != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (otstype != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ctx->params.type = type;
+ ctx->params.otstype = otstype;
+ ctx->have_private_key = 1;
+
+ ret = f_rng(p_rng,
+ ctx->params.I_key_identifier,
+ MBEDTLS_LMOTS_I_KEY_ID_LEN);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ /* Requires a cast to size_t to avoid an implicit cast warning on certain
+ * platforms (particularly Windows) */
+ ctx->ots_private_keys = mbedtls_calloc((size_t) MERKLE_TREE_LEAF_NODE_AM(ctx->params.type),
+ sizeof(*ctx->ots_private_keys));
+ if (ctx->ots_private_keys == NULL) {
+ ret = MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ goto exit;
+ }
+
+ /* Requires a cast to size_t to avoid an implicit cast warning on certain
+ * platforms (particularly Windows) */
+ ctx->ots_public_keys = mbedtls_calloc((size_t) MERKLE_TREE_LEAF_NODE_AM(ctx->params.type),
+ sizeof(*ctx->ots_public_keys));
+ if (ctx->ots_public_keys == NULL) {
+ ret = MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ goto exit;
+ }
+
+ for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
+ mbedtls_lmots_private_init(&ctx->ots_private_keys[idx]);
+ mbedtls_lmots_public_init(&ctx->ots_public_keys[idx]);
+ }
+
+
+ for (idx = 0; idx < MERKLE_TREE_LEAF_NODE_AM(ctx->params.type); idx++) {
+ ret = mbedtls_lmots_generate_private_key(&ctx->ots_private_keys[idx],
+ otstype,
+ ctx->params.I_key_identifier,
+ idx, seed, seed_size);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_lmots_calculate_public_key(&ctx->ots_public_keys[idx],
+ &ctx->ots_private_keys[idx]);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+
+ ctx->q_next_usable_key = 0;
+
+exit:
+ if (ret != 0) {
+ mbedtls_lms_private_free(ctx);
+ }
+
+ return ret;
+}
+
+int mbedtls_lms_calculate_public_key(mbedtls_lms_public_t *ctx,
+ const mbedtls_lms_private_t *priv_ctx)
+{
+ const size_t node_bytes = MBEDTLS_LMS_M_NODE_BYTES(priv_ctx->params.type);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *tree = NULL;
+
+ if (!priv_ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (priv_ctx->params.type
+ != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (priv_ctx->params.otstype
+ != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ tree = mbedtls_calloc((size_t) MERKLE_TREE_NODE_AM(priv_ctx->params.type),
+ node_bytes);
+ if (tree == NULL) {
+ return MBEDTLS_ERR_LMS_ALLOC_FAILED;
+ }
+
+ memcpy(&ctx->params, &priv_ctx->params,
+ sizeof(mbedtls_lmots_parameters_t));
+
+ ret = calculate_merkle_tree(priv_ctx, tree);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ /* Root node is always at position 1, due to 1-based indexing */
+ memcpy(ctx->T_1_pub_key, &tree[node_bytes], node_bytes);
+
+ ctx->have_public_key = 1;
+
+ ret = 0;
+
+exit:
+ mbedtls_zeroize_and_free(tree, node_bytes *
+ (size_t) MERKLE_TREE_NODE_AM(priv_ctx->params.type));
+
+ return ret;
+}
+
+
+int mbedtls_lms_sign(mbedtls_lms_private_t *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, const unsigned char *msg,
+ unsigned int msg_size, unsigned char *sig, size_t sig_size,
+ size_t *sig_len)
+{
+ uint32_t q_leaf_identifier;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (!ctx->have_private_key) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (sig_size < MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)) {
+ return MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL;
+ }
+
+ if (ctx->params.type != MBEDTLS_LMS_SHA256_M32_H10) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->params.otstype
+ != MBEDTLS_LMOTS_SHA256_N32_W8) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ if (ctx->q_next_usable_key >= MERKLE_TREE_LEAF_NODE_AM(ctx->params.type)) {
+ return MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS;
+ }
+
+
+ q_leaf_identifier = ctx->q_next_usable_key;
+ /* This new value must _always_ be written back to the disk before the
+ * signature is returned.
+ */
+ ctx->q_next_usable_key += 1;
+
+ if (MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype)
+ < SIG_OTS_SIG_OFFSET) {
+ return MBEDTLS_ERR_LMS_BAD_INPUT_DATA;
+ }
+
+ ret = mbedtls_lmots_sign(&ctx->ots_private_keys[q_leaf_identifier],
+ f_rng,
+ p_rng,
+ msg,
+ msg_size,
+ sig + SIG_OTS_SIG_OFFSET,
+ MBEDTLS_LMS_SIG_LEN(ctx->params.type,
+ ctx->params.otstype) - SIG_OTS_SIG_OFFSET,
+ NULL);
+ if (ret != 0) {
+ return ret;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(ctx->params.type, sig, SIG_TYPE_OFFSET(ctx->params.otstype));
+ MBEDTLS_PUT_UINT32_BE(q_leaf_identifier, sig, SIG_Q_LEAF_ID_OFFSET);
+
+ ret = get_merkle_path(ctx,
+ MERKLE_TREE_INTERNAL_NODE_AM(ctx->params.type) + q_leaf_identifier,
+ sig + SIG_PATH_OFFSET(ctx->params.otstype));
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (sig_len != NULL) {
+ *sig_len = MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype);
+ }
+
+
+ return 0;
+}
+
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+#endif /* defined(MBEDTLS_LMS_C) */
diff --git a/library/md.c b/library/md.c
new file mode 100644
index 0000000..12a3ea2
--- /dev/null
+++ b/library/md.c
@@ -0,0 +1,1108 @@
+/**
+ * \file md.c
+ *
+ * \brief Generic message digest wrapper for Mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+/*
+ * Availability of functions in this module is controlled by two
+ * feature macros:
+ * - MBEDTLS_MD_C enables the whole module;
+ * - MBEDTLS_MD_LIGHT enables only functions for hashing and accessing
+ * most hash metadata (everything except string names); is it
+ * automatically set whenever MBEDTLS_MD_C is defined.
+ *
+ * In this file, functions from MD_LIGHT are at the top, MD_C at the end.
+ *
+ * In the future we may want to change the contract of some functions
+ * (behaviour with NULL arguments) depending on whether MD_C is defined or
+ * only MD_LIGHT. Also, the exact scope of MD_LIGHT might vary.
+ *
+ * For these reasons, we're keeping MD_LIGHT internal for now.
+ */
+#if defined(MBEDTLS_MD_LIGHT)
+
+#include "mbedtls/md.h"
+#include "md_wrap.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include "mbedtls/md5.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/sha3.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#include <psa/crypto.h>
+#include "md_psa.h"
+#include "psa_util_internal.h"
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+#include "psa_crypto_core.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+/* See comment above MBEDTLS_MD_MAX_SIZE in md.h */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE
+#error "Internal error: MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE"
+#endif
+
+#if defined(MBEDTLS_MD_C)
+#define MD_INFO(type, out_size, block_size) type, out_size, block_size,
+#else
+#define MD_INFO(type, out_size, block_size) type, out_size,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_MD5)
+static const mbedtls_md_info_t mbedtls_md5_info = {
+ MD_INFO(MBEDTLS_MD_MD5, 16, 64)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+static const mbedtls_md_info_t mbedtls_ripemd160_info = {
+ MD_INFO(MBEDTLS_MD_RIPEMD160, 20, 64)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+static const mbedtls_md_info_t mbedtls_sha1_info = {
+ MD_INFO(MBEDTLS_MD_SHA1, 20, 64)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA224)
+static const mbedtls_md_info_t mbedtls_sha224_info = {
+ MD_INFO(MBEDTLS_MD_SHA224, 28, 64)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+static const mbedtls_md_info_t mbedtls_sha256_info = {
+ MD_INFO(MBEDTLS_MD_SHA256, 32, 64)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+static const mbedtls_md_info_t mbedtls_sha384_info = {
+ MD_INFO(MBEDTLS_MD_SHA384, 48, 128)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA512)
+static const mbedtls_md_info_t mbedtls_sha512_info = {
+ MD_INFO(MBEDTLS_MD_SHA512, 64, 128)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+static const mbedtls_md_info_t mbedtls_sha3_224_info = {
+ MD_INFO(MBEDTLS_MD_SHA3_224, 28, 144)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_256)
+static const mbedtls_md_info_t mbedtls_sha3_256_info = {
+ MD_INFO(MBEDTLS_MD_SHA3_256, 32, 136)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+static const mbedtls_md_info_t mbedtls_sha3_384_info = {
+ MD_INFO(MBEDTLS_MD_SHA3_384, 48, 104)
+};
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_512)
+static const mbedtls_md_info_t mbedtls_sha3_512_info = {
+ MD_INFO(MBEDTLS_MD_SHA3_512, 64, 72)
+};
+#endif
+
+const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type)
+{
+ switch (md_type) {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ case MBEDTLS_MD_MD5:
+ return &mbedtls_md5_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+ case MBEDTLS_MD_RIPEMD160:
+ return &mbedtls_ripemd160_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ case MBEDTLS_MD_SHA1:
+ return &mbedtls_sha1_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ case MBEDTLS_MD_SHA224:
+ return &mbedtls_sha224_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_MD_SHA256:
+ return &mbedtls_sha256_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_MD_SHA384:
+ return &mbedtls_sha384_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case MBEDTLS_MD_SHA512:
+ return &mbedtls_sha512_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ case MBEDTLS_MD_SHA3_224:
+ return &mbedtls_sha3_224_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_256)
+ case MBEDTLS_MD_SHA3_256:
+ return &mbedtls_sha3_256_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ case MBEDTLS_MD_SHA3_384:
+ return &mbedtls_sha3_384_info;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_512)
+ case MBEDTLS_MD_SHA3_512:
+ return &mbedtls_sha3_512_info;
+#endif
+ default:
+ return NULL;
+ }
+}
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+static psa_algorithm_t psa_alg_of_md(const mbedtls_md_info_t *info)
+{
+ switch (info->type) {
+#if defined(MBEDTLS_MD_MD5_VIA_PSA)
+ case MBEDTLS_MD_MD5:
+ return PSA_ALG_MD5;
+#endif
+#if defined(MBEDTLS_MD_RIPEMD160_VIA_PSA)
+ case MBEDTLS_MD_RIPEMD160:
+ return PSA_ALG_RIPEMD160;
+#endif
+#if defined(MBEDTLS_MD_SHA1_VIA_PSA)
+ case MBEDTLS_MD_SHA1:
+ return PSA_ALG_SHA_1;
+#endif
+#if defined(MBEDTLS_MD_SHA224_VIA_PSA)
+ case MBEDTLS_MD_SHA224:
+ return PSA_ALG_SHA_224;
+#endif
+#if defined(MBEDTLS_MD_SHA256_VIA_PSA)
+ case MBEDTLS_MD_SHA256:
+ return PSA_ALG_SHA_256;
+#endif
+#if defined(MBEDTLS_MD_SHA384_VIA_PSA)
+ case MBEDTLS_MD_SHA384:
+ return PSA_ALG_SHA_384;
+#endif
+#if defined(MBEDTLS_MD_SHA512_VIA_PSA)
+ case MBEDTLS_MD_SHA512:
+ return PSA_ALG_SHA_512;
+#endif
+#if defined(MBEDTLS_MD_SHA3_224_VIA_PSA)
+ case MBEDTLS_MD_SHA3_224:
+ return PSA_ALG_SHA3_224;
+#endif
+#if defined(MBEDTLS_MD_SHA3_256_VIA_PSA)
+ case MBEDTLS_MD_SHA3_256:
+ return PSA_ALG_SHA3_256;
+#endif
+#if defined(MBEDTLS_MD_SHA3_384_VIA_PSA)
+ case MBEDTLS_MD_SHA3_384:
+ return PSA_ALG_SHA3_384;
+#endif
+#if defined(MBEDTLS_MD_SHA3_512_VIA_PSA)
+ case MBEDTLS_MD_SHA3_512:
+ return PSA_ALG_SHA3_512;
+#endif
+ default:
+ return PSA_ALG_NONE;
+ }
+}
+
+static int md_can_use_psa(const mbedtls_md_info_t *info)
+{
+ psa_algorithm_t alg = psa_alg_of_md(info);
+ if (alg == PSA_ALG_NONE) {
+ return 0;
+ }
+
+ return psa_can_do_hash(alg);
+}
+#endif /* MBEDTLS_MD_SOME_PSA */
+
+void mbedtls_md_init(mbedtls_md_context_t *ctx)
+{
+ /* Note: this sets engine (if present) to MBEDTLS_MD_ENGINE_LEGACY */
+ memset(ctx, 0, sizeof(mbedtls_md_context_t));
+}
+
+void mbedtls_md_free(mbedtls_md_context_t *ctx)
+{
+ if (ctx == NULL || ctx->md_info == NULL) {
+ return;
+ }
+
+ if (ctx->md_ctx != NULL) {
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
+ psa_hash_abort(ctx->md_ctx);
+ } else
+#endif
+ switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ mbedtls_md5_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ mbedtls_ripemd160_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ mbedtls_sha1_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ mbedtls_sha256_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ mbedtls_sha256_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ mbedtls_sha512_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ mbedtls_sha512_free(ctx->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ mbedtls_sha3_free(ctx->md_ctx);
+ break;
+#endif
+ default:
+ /* Shouldn't happen */
+ break;
+ }
+ mbedtls_free(ctx->md_ctx);
+ }
+
+#if defined(MBEDTLS_MD_C)
+ if (ctx->hmac_ctx != NULL) {
+ mbedtls_zeroize_and_free(ctx->hmac_ctx,
+ 2 * ctx->md_info->block_size);
+ }
+#endif
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_md_context_t));
+}
+
+int mbedtls_md_clone(mbedtls_md_context_t *dst,
+ const mbedtls_md_context_t *src)
+{
+ if (dst == NULL || dst->md_info == NULL ||
+ src == NULL || src->md_info == NULL ||
+ dst->md_info != src->md_info) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (src->engine != dst->engine) {
+ /* This can happen with src set to legacy because PSA wasn't ready
+ * yet, and dst to PSA because it became ready in the meantime.
+ * We currently don't support that case (we'd need to re-allocate
+ * md_ctx to the size of the appropriate MD context). */
+ return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
+ }
+
+ if (src->engine == MBEDTLS_MD_ENGINE_PSA) {
+ psa_status_t status = psa_hash_clone(src->md_ctx, dst->md_ctx);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (src->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ mbedtls_md5_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ mbedtls_ripemd160_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ mbedtls_sha1_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ mbedtls_sha256_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ mbedtls_sha256_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ mbedtls_sha512_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ mbedtls_sha512_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ mbedtls_sha3_clone(dst->md_ctx, src->md_ctx);
+ break;
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+#define ALLOC(type) \
+ do { \
+ ctx->md_ctx = mbedtls_calloc(1, sizeof(mbedtls_##type##_context)); \
+ if (ctx->md_ctx == NULL) \
+ return MBEDTLS_ERR_MD_ALLOC_FAILED; \
+ mbedtls_##type##_init(ctx->md_ctx); \
+ } \
+ while (0)
+
+int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac)
+{
+#if defined(MBEDTLS_MD_C)
+ if (ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ ctx->md_info = md_info;
+ ctx->md_ctx = NULL;
+#if defined(MBEDTLS_MD_C)
+ ctx->hmac_ctx = NULL;
+#else
+ if (hmac != 0) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (md_can_use_psa(ctx->md_info)) {
+ ctx->md_ctx = mbedtls_calloc(1, sizeof(psa_hash_operation_t));
+ if (ctx->md_ctx == NULL) {
+ return MBEDTLS_ERR_MD_ALLOC_FAILED;
+ }
+ ctx->engine = MBEDTLS_MD_ENGINE_PSA;
+ } else
+#endif
+ switch (md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ ALLOC(md5);
+ break;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ ALLOC(ripemd160);
+ break;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ ALLOC(sha1);
+ break;
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ ALLOC(sha256);
+ break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ ALLOC(sha256);
+ break;
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ ALLOC(sha512);
+ break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ ALLOC(sha512);
+ break;
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ ALLOC(sha3);
+ break;
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_MD_C)
+ if (hmac != 0) {
+ ctx->hmac_ctx = mbedtls_calloc(2, md_info->block_size);
+ if (ctx->hmac_ctx == NULL) {
+ mbedtls_md_free(ctx);
+ return MBEDTLS_ERR_MD_ALLOC_FAILED;
+ }
+ }
+#endif
+
+ return 0;
+}
+#undef ALLOC
+
+int mbedtls_md_starts(mbedtls_md_context_t *ctx)
+{
+#if defined(MBEDTLS_MD_C)
+ if (ctx == NULL || ctx->md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
+ psa_algorithm_t alg = psa_alg_of_md(ctx->md_info);
+ psa_hash_abort(ctx->md_ctx);
+ psa_status_t status = psa_hash_setup(ctx->md_ctx, alg);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ return mbedtls_md5_starts(ctx->md_ctx);
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ return mbedtls_ripemd160_starts(ctx->md_ctx);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ return mbedtls_sha1_starts(ctx->md_ctx);
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ return mbedtls_sha256_starts(ctx->md_ctx, 1);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ return mbedtls_sha256_starts(ctx->md_ctx, 0);
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ return mbedtls_sha512_starts(ctx->md_ctx, 1);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ return mbedtls_sha512_starts(ctx->md_ctx, 0);
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_224);
+ case MBEDTLS_MD_SHA3_256:
+ return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_256);
+ case MBEDTLS_MD_SHA3_384:
+ return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_384);
+ case MBEDTLS_MD_SHA3_512:
+ return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_512);
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
+{
+#if defined(MBEDTLS_MD_C)
+ if (ctx == NULL || ctx->md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
+ psa_status_t status = psa_hash_update(ctx->md_ctx, input, ilen);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ return mbedtls_md5_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ return mbedtls_ripemd160_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ return mbedtls_sha1_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ return mbedtls_sha256_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ return mbedtls_sha256_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ return mbedtls_sha512_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ return mbedtls_sha512_update(ctx->md_ctx, input, ilen);
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ return mbedtls_sha3_update(ctx->md_ctx, input, ilen);
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output)
+{
+#if defined(MBEDTLS_MD_C)
+ if (ctx == NULL || ctx->md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+#endif
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
+ size_t size = ctx->md_info->size;
+ psa_status_t status = psa_hash_finish(ctx->md_ctx,
+ output, size, &size);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (ctx->md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ return mbedtls_md5_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ return mbedtls_ripemd160_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ return mbedtls_sha1_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ return mbedtls_sha256_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ return mbedtls_sha256_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ return mbedtls_sha512_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ return mbedtls_sha512_finish(ctx->md_ctx, output);
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ case MBEDTLS_MD_SHA3_256:
+ case MBEDTLS_MD_SHA3_384:
+ case MBEDTLS_MD_SHA3_512:
+ return mbedtls_sha3_finish(ctx->md_ctx, output, ctx->md_info->size);
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+}
+
+int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+ if (md_can_use_psa(md_info)) {
+ size_t size = md_info->size;
+ psa_status_t status = psa_hash_compute(psa_alg_of_md(md_info),
+ input, ilen,
+ output, size, &size);
+ return mbedtls_md_error_from_psa(status);
+ }
+#endif
+
+ switch (md_info->type) {
+#if defined(MBEDTLS_MD5_C)
+ case MBEDTLS_MD_MD5:
+ return mbedtls_md5(input, ilen, output);
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+ case MBEDTLS_MD_RIPEMD160:
+ return mbedtls_ripemd160(input, ilen, output);
+#endif
+#if defined(MBEDTLS_SHA1_C)
+ case MBEDTLS_MD_SHA1:
+ return mbedtls_sha1(input, ilen, output);
+#endif
+#if defined(MBEDTLS_SHA224_C)
+ case MBEDTLS_MD_SHA224:
+ return mbedtls_sha256(input, ilen, output, 1);
+#endif
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_MD_SHA256:
+ return mbedtls_sha256(input, ilen, output, 0);
+#endif
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_MD_SHA384:
+ return mbedtls_sha512(input, ilen, output, 1);
+#endif
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_MD_SHA512:
+ return mbedtls_sha512(input, ilen, output, 0);
+#endif
+#if defined(MBEDTLS_SHA3_C)
+ case MBEDTLS_MD_SHA3_224:
+ return mbedtls_sha3(MBEDTLS_SHA3_224, input, ilen, output, md_info->size);
+ case MBEDTLS_MD_SHA3_256:
+ return mbedtls_sha3(MBEDTLS_SHA3_256, input, ilen, output, md_info->size);
+ case MBEDTLS_MD_SHA3_384:
+ return mbedtls_sha3(MBEDTLS_SHA3_384, input, ilen, output, md_info->size);
+ case MBEDTLS_MD_SHA3_512:
+ return mbedtls_sha3(MBEDTLS_SHA3_512, input, ilen, output, md_info->size);
+#endif
+ default:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+}
+
+unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info)
+{
+ if (md_info == NULL) {
+ return 0;
+ }
+
+ return md_info->size;
+}
+
+mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info)
+{
+ if (md_info == NULL) {
+ return MBEDTLS_MD_NONE;
+ }
+
+ return md_info->type;
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+int mbedtls_md_error_from_psa(psa_status_t status)
+{
+ return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors,
+ psa_generic_status_to_mbedtls);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+
+/************************************************************************
+ * Functions above this separator are part of MBEDTLS_MD_LIGHT, *
+ * functions below are only available when MBEDTLS_MD_C is set. *
+ ************************************************************************/
+#if defined(MBEDTLS_MD_C)
+
+/*
+ * Reminder: update profiles in x509_crt.c when adding a new hash!
+ */
+static const int supported_digests[] = {
+
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ MBEDTLS_MD_SHA512,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ MBEDTLS_MD_SHA384,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ MBEDTLS_MD_SHA256,
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ MBEDTLS_MD_SHA224,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ MBEDTLS_MD_SHA1,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+ MBEDTLS_MD_RIPEMD160,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_MD5)
+ MBEDTLS_MD_MD5,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ MBEDTLS_MD_SHA3_224,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_256)
+ MBEDTLS_MD_SHA3_256,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ MBEDTLS_MD_SHA3_384,
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA3_512)
+ MBEDTLS_MD_SHA3_512,
+#endif
+
+ MBEDTLS_MD_NONE
+};
+
+const int *mbedtls_md_list(void)
+{
+ return supported_digests;
+}
+
+typedef struct {
+ const char *md_name;
+ mbedtls_md_type_t md_type;
+} md_name_entry;
+
+static const md_name_entry md_names[] = {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ { "MD5", MBEDTLS_MD_MD5 },
+#endif
+#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+ { "RIPEMD160", MBEDTLS_MD_RIPEMD160 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { "SHA1", MBEDTLS_MD_SHA1 },
+ { "SHA", MBEDTLS_MD_SHA1 }, // compatibility fallback
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ { "SHA224", MBEDTLS_MD_SHA224 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { "SHA256", MBEDTLS_MD_SHA256 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { "SHA384", MBEDTLS_MD_SHA384 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ { "SHA512", MBEDTLS_MD_SHA512 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ { "SHA3-224", MBEDTLS_MD_SHA3_224 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_256)
+ { "SHA3-256", MBEDTLS_MD_SHA3_256 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ { "SHA3-384", MBEDTLS_MD_SHA3_384 },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_512)
+ { "SHA3-512", MBEDTLS_MD_SHA3_512 },
+#endif
+ { NULL, MBEDTLS_MD_NONE },
+};
+
+const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name)
+{
+ if (NULL == md_name) {
+ return NULL;
+ }
+
+ const md_name_entry *entry = md_names;
+ while (entry->md_name != NULL &&
+ strcmp(entry->md_name, md_name) != 0) {
+ ++entry;
+ }
+
+ return mbedtls_md_info_from_type(entry->md_type);
+}
+
+const char *mbedtls_md_get_name(const mbedtls_md_info_t *md_info)
+{
+ if (md_info == NULL) {
+ return NULL;
+ }
+
+ const md_name_entry *entry = md_names;
+ while (entry->md_type != MBEDTLS_MD_NONE &&
+ entry->md_type != md_info->type) {
+ ++entry;
+ }
+
+ return entry->md_name;
+}
+
+const mbedtls_md_info_t *mbedtls_md_info_from_ctx(
+ const mbedtls_md_context_t *ctx)
+{
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ return ctx->MBEDTLS_PRIVATE(md_info);
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_md_file(const mbedtls_md_info_t *md_info, const char *path, unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ FILE *f;
+ size_t n;
+ mbedtls_md_context_t ctx;
+ unsigned char buf[1024];
+
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_MD_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ mbedtls_md_init(&ctx);
+
+ if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_starts(&ctx)) != 0) {
+ goto cleanup;
+ }
+
+ while ((n = fread(buf, 1, sizeof(buf), f)) > 0) {
+ if ((ret = mbedtls_md_update(&ctx, buf, n)) != 0) {
+ goto cleanup;
+ }
+ }
+
+ if (ferror(f) != 0) {
+ ret = MBEDTLS_ERR_MD_FILE_IO_ERROR;
+ } else {
+ ret = mbedtls_md_finish(&ctx, output);
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ fclose(f);
+ mbedtls_md_free(&ctx);
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+
+int mbedtls_md_hmac_starts(mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char sum[MBEDTLS_MD_MAX_SIZE];
+ unsigned char *ipad, *opad;
+
+ if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ if (keylen > (size_t) ctx->md_info->block_size) {
+ if ((ret = mbedtls_md_starts(ctx)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_update(ctx, key, keylen)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_finish(ctx, sum)) != 0) {
+ goto cleanup;
+ }
+
+ keylen = ctx->md_info->size;
+ key = sum;
+ }
+
+ ipad = (unsigned char *) ctx->hmac_ctx;
+ opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+ memset(ipad, 0x36, ctx->md_info->block_size);
+ memset(opad, 0x5C, ctx->md_info->block_size);
+
+ mbedtls_xor(ipad, ipad, key, keylen);
+ mbedtls_xor(opad, opad, key, keylen);
+
+ if ((ret = mbedtls_md_starts(ctx)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_update(ctx, ipad,
+ ctx->md_info->block_size)) != 0) {
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(sum, sizeof(sum));
+
+ return ret;
+}
+
+int mbedtls_md_hmac_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
+{
+ if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_md_update(ctx, input, ilen);
+}
+
+int mbedtls_md_hmac_finish(mbedtls_md_context_t *ctx, unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
+ unsigned char *opad;
+
+ if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+ if ((ret = mbedtls_md_finish(ctx, tmp)) != 0) {
+ return ret;
+ }
+ if ((ret = mbedtls_md_starts(ctx)) != 0) {
+ return ret;
+ }
+ if ((ret = mbedtls_md_update(ctx, opad,
+ ctx->md_info->block_size)) != 0) {
+ return ret;
+ }
+ if ((ret = mbedtls_md_update(ctx, tmp,
+ ctx->md_info->size)) != 0) {
+ return ret;
+ }
+ return mbedtls_md_finish(ctx, output);
+}
+
+int mbedtls_md_hmac_reset(mbedtls_md_context_t *ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *ipad;
+
+ if (ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ ipad = (unsigned char *) ctx->hmac_ctx;
+
+ if ((ret = mbedtls_md_starts(ctx)) != 0) {
+ return ret;
+ }
+ return mbedtls_md_update(ctx, ipad, ctx->md_info->block_size);
+}
+
+int mbedtls_md_hmac(const mbedtls_md_info_t *md_info,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ mbedtls_md_context_t ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ }
+
+ mbedtls_md_init(&ctx);
+
+ if ((ret = mbedtls_md_setup(&ctx, md_info, 1)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_starts(&ctx, key, keylen)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_hmac_update(&ctx, input, ilen)) != 0) {
+ goto cleanup;
+ }
+ if ((ret = mbedtls_md_hmac_finish(&ctx, output)) != 0) {
+ goto cleanup;
+ }
+
+cleanup:
+ mbedtls_md_free(&ctx);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_MD_C */
+
+#endif /* MBEDTLS_MD_LIGHT */
diff --git a/library/md5.c b/library/md5.c
new file mode 100644
index 0000000..e4a87a2
--- /dev/null
+++ b/library/md5.c
@@ -0,0 +1,426 @@
+/*
+ * RFC 1321 compliant MD5 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The MD5 algorithm was designed by Ron Rivest in 1991.
+ *
+ * http://www.ietf.org/rfc/rfc1321.txt
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_MD5_C)
+
+#include "mbedtls/md5.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_MD5_ALT)
+
+void mbedtls_md5_init(mbedtls_md5_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_md5_context));
+}
+
+void mbedtls_md5_free(mbedtls_md5_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_md5_context));
+}
+
+void mbedtls_md5_clone(mbedtls_md5_context *dst,
+ const mbedtls_md5_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * MD5 context setup
+ */
+int mbedtls_md5_starts(mbedtls_md5_context *ctx)
+{
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ ctx->state[0] = 0x67452301;
+ ctx->state[1] = 0xEFCDAB89;
+ ctx->state[2] = 0x98BADCFE;
+ ctx->state[3] = 0x10325476;
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_MD5_PROCESS_ALT)
+int mbedtls_internal_md5_process(mbedtls_md5_context *ctx,
+ const unsigned char data[64])
+{
+ struct {
+ uint32_t X[16], A, B, C, D;
+ } local;
+
+ local.X[0] = MBEDTLS_GET_UINT32_LE(data, 0);
+ local.X[1] = MBEDTLS_GET_UINT32_LE(data, 4);
+ local.X[2] = MBEDTLS_GET_UINT32_LE(data, 8);
+ local.X[3] = MBEDTLS_GET_UINT32_LE(data, 12);
+ local.X[4] = MBEDTLS_GET_UINT32_LE(data, 16);
+ local.X[5] = MBEDTLS_GET_UINT32_LE(data, 20);
+ local.X[6] = MBEDTLS_GET_UINT32_LE(data, 24);
+ local.X[7] = MBEDTLS_GET_UINT32_LE(data, 28);
+ local.X[8] = MBEDTLS_GET_UINT32_LE(data, 32);
+ local.X[9] = MBEDTLS_GET_UINT32_LE(data, 36);
+ local.X[10] = MBEDTLS_GET_UINT32_LE(data, 40);
+ local.X[11] = MBEDTLS_GET_UINT32_LE(data, 44);
+ local.X[12] = MBEDTLS_GET_UINT32_LE(data, 48);
+ local.X[13] = MBEDTLS_GET_UINT32_LE(data, 52);
+ local.X[14] = MBEDTLS_GET_UINT32_LE(data, 56);
+ local.X[15] = MBEDTLS_GET_UINT32_LE(data, 60);
+
+#define S(x, n) \
+ (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+#define P(a, b, c, d, k, s, t) \
+ do \
+ { \
+ (a) += F((b), (c), (d)) + local.X[(k)] + (t); \
+ (a) = S((a), (s)) + (b); \
+ } while (0)
+
+ local.A = ctx->state[0];
+ local.B = ctx->state[1];
+ local.C = ctx->state[2];
+ local.D = ctx->state[3];
+
+#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+
+ P(local.A, local.B, local.C, local.D, 0, 7, 0xD76AA478);
+ P(local.D, local.A, local.B, local.C, 1, 12, 0xE8C7B756);
+ P(local.C, local.D, local.A, local.B, 2, 17, 0x242070DB);
+ P(local.B, local.C, local.D, local.A, 3, 22, 0xC1BDCEEE);
+ P(local.A, local.B, local.C, local.D, 4, 7, 0xF57C0FAF);
+ P(local.D, local.A, local.B, local.C, 5, 12, 0x4787C62A);
+ P(local.C, local.D, local.A, local.B, 6, 17, 0xA8304613);
+ P(local.B, local.C, local.D, local.A, 7, 22, 0xFD469501);
+ P(local.A, local.B, local.C, local.D, 8, 7, 0x698098D8);
+ P(local.D, local.A, local.B, local.C, 9, 12, 0x8B44F7AF);
+ P(local.C, local.D, local.A, local.B, 10, 17, 0xFFFF5BB1);
+ P(local.B, local.C, local.D, local.A, 11, 22, 0x895CD7BE);
+ P(local.A, local.B, local.C, local.D, 12, 7, 0x6B901122);
+ P(local.D, local.A, local.B, local.C, 13, 12, 0xFD987193);
+ P(local.C, local.D, local.A, local.B, 14, 17, 0xA679438E);
+ P(local.B, local.C, local.D, local.A, 15, 22, 0x49B40821);
+
+#undef F
+
+#define F(x, y, z) ((y) ^ ((z) & ((x) ^ (y))))
+
+ P(local.A, local.B, local.C, local.D, 1, 5, 0xF61E2562);
+ P(local.D, local.A, local.B, local.C, 6, 9, 0xC040B340);
+ P(local.C, local.D, local.A, local.B, 11, 14, 0x265E5A51);
+ P(local.B, local.C, local.D, local.A, 0, 20, 0xE9B6C7AA);
+ P(local.A, local.B, local.C, local.D, 5, 5, 0xD62F105D);
+ P(local.D, local.A, local.B, local.C, 10, 9, 0x02441453);
+ P(local.C, local.D, local.A, local.B, 15, 14, 0xD8A1E681);
+ P(local.B, local.C, local.D, local.A, 4, 20, 0xE7D3FBC8);
+ P(local.A, local.B, local.C, local.D, 9, 5, 0x21E1CDE6);
+ P(local.D, local.A, local.B, local.C, 14, 9, 0xC33707D6);
+ P(local.C, local.D, local.A, local.B, 3, 14, 0xF4D50D87);
+ P(local.B, local.C, local.D, local.A, 8, 20, 0x455A14ED);
+ P(local.A, local.B, local.C, local.D, 13, 5, 0xA9E3E905);
+ P(local.D, local.A, local.B, local.C, 2, 9, 0xFCEFA3F8);
+ P(local.C, local.D, local.A, local.B, 7, 14, 0x676F02D9);
+ P(local.B, local.C, local.D, local.A, 12, 20, 0x8D2A4C8A);
+
+#undef F
+
+#define F(x, y, z) ((x) ^ (y) ^ (z))
+
+ P(local.A, local.B, local.C, local.D, 5, 4, 0xFFFA3942);
+ P(local.D, local.A, local.B, local.C, 8, 11, 0x8771F681);
+ P(local.C, local.D, local.A, local.B, 11, 16, 0x6D9D6122);
+ P(local.B, local.C, local.D, local.A, 14, 23, 0xFDE5380C);
+ P(local.A, local.B, local.C, local.D, 1, 4, 0xA4BEEA44);
+ P(local.D, local.A, local.B, local.C, 4, 11, 0x4BDECFA9);
+ P(local.C, local.D, local.A, local.B, 7, 16, 0xF6BB4B60);
+ P(local.B, local.C, local.D, local.A, 10, 23, 0xBEBFBC70);
+ P(local.A, local.B, local.C, local.D, 13, 4, 0x289B7EC6);
+ P(local.D, local.A, local.B, local.C, 0, 11, 0xEAA127FA);
+ P(local.C, local.D, local.A, local.B, 3, 16, 0xD4EF3085);
+ P(local.B, local.C, local.D, local.A, 6, 23, 0x04881D05);
+ P(local.A, local.B, local.C, local.D, 9, 4, 0xD9D4D039);
+ P(local.D, local.A, local.B, local.C, 12, 11, 0xE6DB99E5);
+ P(local.C, local.D, local.A, local.B, 15, 16, 0x1FA27CF8);
+ P(local.B, local.C, local.D, local.A, 2, 23, 0xC4AC5665);
+
+#undef F
+
+#define F(x, y, z) ((y) ^ ((x) | ~(z)))
+
+ P(local.A, local.B, local.C, local.D, 0, 6, 0xF4292244);
+ P(local.D, local.A, local.B, local.C, 7, 10, 0x432AFF97);
+ P(local.C, local.D, local.A, local.B, 14, 15, 0xAB9423A7);
+ P(local.B, local.C, local.D, local.A, 5, 21, 0xFC93A039);
+ P(local.A, local.B, local.C, local.D, 12, 6, 0x655B59C3);
+ P(local.D, local.A, local.B, local.C, 3, 10, 0x8F0CCC92);
+ P(local.C, local.D, local.A, local.B, 10, 15, 0xFFEFF47D);
+ P(local.B, local.C, local.D, local.A, 1, 21, 0x85845DD1);
+ P(local.A, local.B, local.C, local.D, 8, 6, 0x6FA87E4F);
+ P(local.D, local.A, local.B, local.C, 15, 10, 0xFE2CE6E0);
+ P(local.C, local.D, local.A, local.B, 6, 15, 0xA3014314);
+ P(local.B, local.C, local.D, local.A, 13, 21, 0x4E0811A1);
+ P(local.A, local.B, local.C, local.D, 4, 6, 0xF7537E82);
+ P(local.D, local.A, local.B, local.C, 11, 10, 0xBD3AF235);
+ P(local.C, local.D, local.A, local.B, 2, 15, 0x2AD7D2BB);
+ P(local.B, local.C, local.D, local.A, 9, 21, 0xEB86D391);
+
+#undef F
+
+ ctx->state[0] += local.A;
+ ctx->state[1] += local.B;
+ ctx->state[2] += local.C;
+ ctx->state[3] += local.D;
+
+ /* Zeroise variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_MD5_PROCESS_ALT */
+
+/*
+ * MD5 process buffer
+ */
+int mbedtls_md5_update(mbedtls_md5_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ uint32_t left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = ctx->total[0] & 0x3F;
+ fill = 64 - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if (ctx->total[0] < (uint32_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+ if ((ret = mbedtls_internal_md5_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= 64) {
+ if ((ret = mbedtls_internal_md5_process(ctx, input)) != 0) {
+ return ret;
+ }
+
+ input += 64;
+ ilen -= 64;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+/*
+ * MD5 final digest
+ */
+int mbedtls_md5_finish(mbedtls_md5_context *ctx,
+ unsigned char output[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t used;
+ uint32_t high, low;
+
+ /*
+ * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+ */
+ used = ctx->total[0] & 0x3F;
+
+ ctx->buffer[used++] = 0x80;
+
+ if (used <= 56) {
+ /* Enough room for padding + length in current block */
+ memset(ctx->buffer + used, 0, 56 - used);
+ } else {
+ /* We'll need an extra block */
+ memset(ctx->buffer + used, 0, 64 - used);
+
+ if ((ret = mbedtls_internal_md5_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ memset(ctx->buffer, 0, 56);
+ }
+
+ /*
+ * Add message length
+ */
+ high = (ctx->total[0] >> 29)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ MBEDTLS_PUT_UINT32_LE(low, ctx->buffer, 56);
+ MBEDTLS_PUT_UINT32_LE(high, ctx->buffer, 60);
+
+ if ((ret = mbedtls_internal_md5_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Output final state
+ */
+ MBEDTLS_PUT_UINT32_LE(ctx->state[0], output, 0);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[1], output, 4);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[2], output, 8);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[3], output, 12);
+
+ ret = 0;
+
+exit:
+ mbedtls_md5_free(ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_MD5_ALT */
+
+/*
+ * output = MD5( input buffer )
+ */
+int mbedtls_md5(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[16])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md5_context ctx;
+
+ mbedtls_md5_init(&ctx);
+
+ if ((ret = mbedtls_md5_starts(&ctx)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_md5_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_md5_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_md5_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * RFC 1321 test vectors
+ */
+static const unsigned char md5_test_buf[7][81] =
+{
+ { "" },
+ { "a" },
+ { "abc" },
+ { "message digest" },
+ { "abcdefghijklmnopqrstuvwxyz" },
+ { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+ { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }
+};
+
+static const size_t md5_test_buflen[7] =
+{
+ 0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md5_test_sum[7][16] =
+{
+ { 0xD4, 0x1D, 0x8C, 0xD9, 0x8F, 0x00, 0xB2, 0x04,
+ 0xE9, 0x80, 0x09, 0x98, 0xEC, 0xF8, 0x42, 0x7E },
+ { 0x0C, 0xC1, 0x75, 0xB9, 0xC0, 0xF1, 0xB6, 0xA8,
+ 0x31, 0xC3, 0x99, 0xE2, 0x69, 0x77, 0x26, 0x61 },
+ { 0x90, 0x01, 0x50, 0x98, 0x3C, 0xD2, 0x4F, 0xB0,
+ 0xD6, 0x96, 0x3F, 0x7D, 0x28, 0xE1, 0x7F, 0x72 },
+ { 0xF9, 0x6B, 0x69, 0x7D, 0x7C, 0xB7, 0x93, 0x8D,
+ 0x52, 0x5A, 0x2F, 0x31, 0xAA, 0xF1, 0x61, 0xD0 },
+ { 0xC3, 0xFC, 0xD3, 0xD7, 0x61, 0x92, 0xE4, 0x00,
+ 0x7D, 0xFB, 0x49, 0x6C, 0xCA, 0x67, 0xE1, 0x3B },
+ { 0xD1, 0x74, 0xAB, 0x98, 0xD2, 0x77, 0xD9, 0xF5,
+ 0xA5, 0x61, 0x1C, 0x2C, 0x9F, 0x41, 0x9D, 0x9F },
+ { 0x57, 0xED, 0xF4, 0xA2, 0x2B, 0xE3, 0xC9, 0x55,
+ 0xAC, 0x49, 0xDA, 0x2E, 0x21, 0x07, 0xB6, 0x7A }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md5_self_test(int verbose)
+{
+ int i, ret = 0;
+ unsigned char md5sum[16];
+
+ for (i = 0; i < 7; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" MD5 test #%d: ", i + 1);
+ }
+
+ ret = mbedtls_md5(md5_test_buf[i], md5_test_buflen[i], md5sum);
+ if (ret != 0) {
+ goto fail;
+ }
+
+ if (memcmp(md5sum, md5_test_sum[i], 16) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD5_C */
diff --git a/library/md_psa.h b/library/md_psa.h
new file mode 100644
index 0000000..028ba24
--- /dev/null
+++ b/library/md_psa.h
@@ -0,0 +1,26 @@
+/**
+ * Translation between MD and PSA identifiers (algorithms, errors).
+ *
+ * Note: this internal module will go away when everything becomes based on
+ * PSA Crypto; it is a helper for the transition period.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_MD_PSA_H
+#define MBEDTLS_MD_PSA_H
+
+#include "common.h"
+
+#include "mbedtls/md.h"
+#include "psa/crypto.h"
+
+/** Convert PSA status to MD error code.
+ *
+ * \param status PSA status.
+ *
+ * \return The corresponding MD error code,
+ */
+int mbedtls_md_error_from_psa(psa_status_t status);
+
+#endif /* MBEDTLS_MD_PSA_H */
diff --git a/library/md_wrap.h b/library/md_wrap.h
new file mode 100644
index 0000000..dad1235
--- /dev/null
+++ b/library/md_wrap.h
@@ -0,0 +1,46 @@
+/**
+ * \file md_wrap.h
+ *
+ * \brief Message digest wrappers.
+ *
+ * \warning This in an internal header. Do not include directly.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_MD_WRAP_H
+#define MBEDTLS_MD_WRAP_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Message digest information.
+ * Allows message digest functions to be called in a generic way.
+ */
+struct mbedtls_md_info_t {
+ /** Digest identifier */
+ mbedtls_md_type_t type;
+
+ /** Output length of the digest function in bytes */
+ unsigned char size;
+
+#if defined(MBEDTLS_MD_C)
+ /** Block length of the digest function in bytes */
+ unsigned char block_size;
+#endif
+};
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_MD_WRAP_H */
diff --git a/library/memory_buffer_alloc.c b/library/memory_buffer_alloc.c
new file mode 100644
index 0000000..79b0a8b
--- /dev/null
+++ b/library/memory_buffer_alloc.c
@@ -0,0 +1,745 @@
+/*
+ * Buffer-based memory allocator
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+
+/* No need for the header guard as MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ is dependent upon MBEDTLS_PLATFORM_C */
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+#include <execinfo.h>
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#define MAGIC1 0xFF00AA55
+#define MAGIC2 0xEE119966
+#define MAX_BT 20
+
+typedef struct _memory_header memory_header;
+struct _memory_header {
+ size_t magic1;
+ size_t size;
+ size_t alloc;
+ memory_header *prev;
+ memory_header *next;
+ memory_header *prev_free;
+ memory_header *next_free;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ char **trace;
+ size_t trace_count;
+#endif
+ size_t magic2;
+};
+
+typedef struct {
+ unsigned char *buf;
+ size_t len;
+ memory_header *first;
+ memory_header *first_free;
+ int verify;
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ size_t alloc_count;
+ size_t free_count;
+ size_t total_used;
+ size_t maximum_used;
+ size_t header_count;
+ size_t maximum_header_count;
+#endif
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t mutex;
+#endif
+}
+buffer_alloc_ctx;
+
+static buffer_alloc_ctx heap;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+static void debug_header(memory_header *hdr)
+{
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ size_t i;
+#endif
+
+ mbedtls_fprintf(stderr, "HDR: PTR(%10zu), PREV(%10zu), NEXT(%10zu), "
+ "ALLOC(%zu), SIZE(%10zu)\n",
+ (size_t) hdr, (size_t) hdr->prev, (size_t) hdr->next,
+ hdr->alloc, hdr->size);
+ mbedtls_fprintf(stderr, " FPREV(%10zu), FNEXT(%10zu)\n",
+ (size_t) hdr->prev_free, (size_t) hdr->next_free);
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ mbedtls_fprintf(stderr, "TRACE: \n");
+ for (i = 0; i < hdr->trace_count; i++) {
+ mbedtls_fprintf(stderr, "%s\n", hdr->trace[i]);
+ }
+ mbedtls_fprintf(stderr, "\n");
+#endif
+}
+
+static void debug_chain(void)
+{
+ memory_header *cur = heap.first;
+
+ mbedtls_fprintf(stderr, "\nBlock list\n");
+ while (cur != NULL) {
+ debug_header(cur);
+ cur = cur->next;
+ }
+
+ mbedtls_fprintf(stderr, "Free list\n");
+ cur = heap.first_free;
+
+ while (cur != NULL) {
+ debug_header(cur);
+ cur = cur->next_free;
+ }
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+static int verify_header(memory_header *hdr)
+{
+ if (hdr->magic1 != MAGIC1) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: MAGIC1 mismatch\n");
+#endif
+ return 1;
+ }
+
+ if (hdr->magic2 != MAGIC2) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: MAGIC2 mismatch\n");
+#endif
+ return 1;
+ }
+
+ if (hdr->alloc > 1) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: alloc has illegal value\n");
+#endif
+ return 1;
+ }
+
+ if (hdr->prev != NULL && hdr->prev == hdr->next) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: prev == next\n");
+#endif
+ return 1;
+ }
+
+ if (hdr->prev_free != NULL && hdr->prev_free == hdr->next_free) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: prev_free == next_free\n");
+#endif
+ return 1;
+ }
+
+ return 0;
+}
+
+static int verify_chain(void)
+{
+ memory_header *prv = heap.first, *cur;
+
+ if (prv == NULL || verify_header(prv) != 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: verification of first header "
+ "failed\n");
+#endif
+ return 1;
+ }
+
+ if (heap.first->prev != NULL) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: verification failed: "
+ "first->prev != NULL\n");
+#endif
+ return 1;
+ }
+
+ cur = heap.first->next;
+
+ while (cur != NULL) {
+ if (verify_header(cur) != 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: verification of header "
+ "failed\n");
+#endif
+ return 1;
+ }
+
+ if (cur->prev != prv) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: verification failed: "
+ "cur->prev != prv\n");
+#endif
+ return 1;
+ }
+
+ prv = cur;
+ cur = cur->next;
+ }
+
+ return 0;
+}
+
+static void *buffer_alloc_calloc(size_t n, size_t size)
+{
+ memory_header *new, *cur = heap.first_free;
+ unsigned char *p;
+ void *ret;
+ size_t original_len, len;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ void *trace_buffer[MAX_BT];
+ size_t trace_cnt;
+#endif
+
+ if (heap.buf == NULL || heap.first == NULL) {
+ return NULL;
+ }
+
+ original_len = len = n * size;
+
+ if (n == 0 || size == 0 || len / n != size) {
+ return NULL;
+ } else if (len > (size_t) -MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ return NULL;
+ }
+
+ if (len % MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ len -= len % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ len += MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ }
+
+ // Find block that fits
+ //
+ while (cur != NULL) {
+ if (cur->size >= len) {
+ break;
+ }
+
+ cur = cur->next_free;
+ }
+
+ if (cur == NULL) {
+ return NULL;
+ }
+
+ if (cur->alloc != 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: block in free_list but allocated "
+ "data\n");
+#endif
+ mbedtls_exit(1);
+ }
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.alloc_count++;
+#endif
+
+ // Found location, split block if > memory_header + 4 room left
+ //
+ if (cur->size - len < sizeof(memory_header) +
+ MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ cur->alloc = 1;
+
+ // Remove from free_list
+ //
+ if (cur->prev_free != NULL) {
+ cur->prev_free->next_free = cur->next_free;
+ } else {
+ heap.first_free = cur->next_free;
+ }
+
+ if (cur->next_free != NULL) {
+ cur->next_free->prev_free = cur->prev_free;
+ }
+
+ cur->prev_free = NULL;
+ cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.total_used += cur->size;
+ if (heap.total_used > heap.maximum_used) {
+ heap.maximum_used = heap.total_used;
+ }
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ trace_cnt = backtrace(trace_buffer, MAX_BT);
+ cur->trace = backtrace_symbols(trace_buffer, trace_cnt);
+ cur->trace_count = trace_cnt;
+#endif
+
+ if ((heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC) && verify_chain() != 0) {
+ mbedtls_exit(1);
+ }
+
+ ret = (unsigned char *) cur + sizeof(memory_header);
+ memset(ret, 0, original_len);
+
+ return ret;
+ }
+
+ p = ((unsigned char *) cur) + sizeof(memory_header) + len;
+ new = (memory_header *) p;
+
+ new->size = cur->size - len - sizeof(memory_header);
+ new->alloc = 0;
+ new->prev = cur;
+ new->next = cur->next;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ new->trace = NULL;
+ new->trace_count = 0;
+#endif
+ new->magic1 = MAGIC1;
+ new->magic2 = MAGIC2;
+
+ if (new->next != NULL) {
+ new->next->prev = new;
+ }
+
+ // Replace cur with new in free_list
+ //
+ new->prev_free = cur->prev_free;
+ new->next_free = cur->next_free;
+ if (new->prev_free != NULL) {
+ new->prev_free->next_free = new;
+ } else {
+ heap.first_free = new;
+ }
+
+ if (new->next_free != NULL) {
+ new->next_free->prev_free = new;
+ }
+
+ cur->alloc = 1;
+ cur->size = len;
+ cur->next = new;
+ cur->prev_free = NULL;
+ cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.header_count++;
+ if (heap.header_count > heap.maximum_header_count) {
+ heap.maximum_header_count = heap.header_count;
+ }
+ heap.total_used += cur->size;
+ if (heap.total_used > heap.maximum_used) {
+ heap.maximum_used = heap.total_used;
+ }
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ trace_cnt = backtrace(trace_buffer, MAX_BT);
+ cur->trace = backtrace_symbols(trace_buffer, trace_cnt);
+ cur->trace_count = trace_cnt;
+#endif
+
+ if ((heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC) && verify_chain() != 0) {
+ mbedtls_exit(1);
+ }
+
+ ret = (unsigned char *) cur + sizeof(memory_header);
+ memset(ret, 0, original_len);
+
+ return ret;
+}
+
+static void buffer_alloc_free(void *ptr)
+{
+ memory_header *hdr, *old = NULL;
+ unsigned char *p = (unsigned char *) ptr;
+
+ if (ptr == NULL || heap.buf == NULL || heap.first == NULL) {
+ return;
+ }
+
+ if (p < heap.buf || p >= heap.buf + heap.len) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: mbedtls_free() outside of managed "
+ "space\n");
+#endif
+ mbedtls_exit(1);
+ }
+
+ p -= sizeof(memory_header);
+ hdr = (memory_header *) p;
+
+ if (verify_header(hdr) != 0) {
+ mbedtls_exit(1);
+ }
+
+ if (hdr->alloc != 1) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ mbedtls_fprintf(stderr, "FATAL: mbedtls_free() on unallocated "
+ "data\n");
+#endif
+ mbedtls_exit(1);
+ }
+
+ hdr->alloc = 0;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.free_count++;
+ heap.total_used -= hdr->size;
+#endif
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ free(hdr->trace);
+ hdr->trace = NULL;
+ hdr->trace_count = 0;
+#endif
+
+ // Regroup with block before
+ //
+ if (hdr->prev != NULL && hdr->prev->alloc == 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.header_count--;
+#endif
+ hdr->prev->size += sizeof(memory_header) + hdr->size;
+ hdr->prev->next = hdr->next;
+ old = hdr;
+ hdr = hdr->prev;
+
+ if (hdr->next != NULL) {
+ hdr->next->prev = hdr;
+ }
+
+ memset(old, 0, sizeof(memory_header));
+ }
+
+ // Regroup with block after
+ //
+ if (hdr->next != NULL && hdr->next->alloc == 0) {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.header_count--;
+#endif
+ hdr->size += sizeof(memory_header) + hdr->next->size;
+ old = hdr->next;
+ hdr->next = hdr->next->next;
+
+ if (hdr->prev_free != NULL || hdr->next_free != NULL) {
+ if (hdr->prev_free != NULL) {
+ hdr->prev_free->next_free = hdr->next_free;
+ } else {
+ heap.first_free = hdr->next_free;
+ }
+
+ if (hdr->next_free != NULL) {
+ hdr->next_free->prev_free = hdr->prev_free;
+ }
+ }
+
+ hdr->prev_free = old->prev_free;
+ hdr->next_free = old->next_free;
+
+ if (hdr->prev_free != NULL) {
+ hdr->prev_free->next_free = hdr;
+ } else {
+ heap.first_free = hdr;
+ }
+
+ if (hdr->next_free != NULL) {
+ hdr->next_free->prev_free = hdr;
+ }
+
+ if (hdr->next != NULL) {
+ hdr->next->prev = hdr;
+ }
+
+ memset(old, 0, sizeof(memory_header));
+ }
+
+ // Prepend to free_list if we have not merged
+ // (Does not have to stay in same order as prev / next list)
+ //
+ if (old == NULL) {
+ hdr->next_free = heap.first_free;
+ if (heap.first_free != NULL) {
+ heap.first_free->prev_free = hdr;
+ }
+ heap.first_free = hdr;
+ }
+
+ if ((heap.verify & MBEDTLS_MEMORY_VERIFY_FREE) && verify_chain() != 0) {
+ mbedtls_exit(1);
+ }
+}
+
+void mbedtls_memory_buffer_set_verify(int verify)
+{
+ heap.verify = verify;
+}
+
+int mbedtls_memory_buffer_alloc_verify(void)
+{
+ return verify_chain();
+}
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+void mbedtls_memory_buffer_alloc_status(void)
+{
+ mbedtls_fprintf(stderr,
+ "Current use: %zu blocks / %zu bytes, max: %zu blocks / "
+ "%zu bytes (total %zu bytes), alloc / free: %zu / %zu\n",
+ heap.header_count, heap.total_used,
+ heap.maximum_header_count, heap.maximum_used,
+ heap.maximum_header_count * sizeof(memory_header)
+ + heap.maximum_used,
+ heap.alloc_count, heap.free_count);
+
+ if (heap.first->next == NULL) {
+ mbedtls_fprintf(stderr, "All memory de-allocated in stack buffer\n");
+ } else {
+ mbedtls_fprintf(stderr, "Memory currently allocated:\n");
+ debug_chain();
+ }
+}
+
+void mbedtls_memory_buffer_alloc_count_get(size_t *alloc_count, size_t *free_count)
+{
+ *alloc_count = heap.alloc_count;
+ *free_count = heap.free_count;
+}
+
+void mbedtls_memory_buffer_alloc_max_get(size_t *max_used, size_t *max_blocks)
+{
+ *max_used = heap.maximum_used;
+ *max_blocks = heap.maximum_header_count;
+}
+
+void mbedtls_memory_buffer_alloc_max_reset(void)
+{
+ heap.maximum_used = 0;
+ heap.maximum_header_count = 0;
+}
+
+void mbedtls_memory_buffer_alloc_cur_get(size_t *cur_used, size_t *cur_blocks)
+{
+ *cur_used = heap.total_used;
+ *cur_blocks = heap.header_count;
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+#if defined(MBEDTLS_THREADING_C)
+static void *buffer_alloc_calloc_mutexed(size_t n, size_t size)
+{
+ void *buf;
+ if (mbedtls_mutex_lock(&heap.mutex) != 0) {
+ return NULL;
+ }
+ buf = buffer_alloc_calloc(n, size);
+ if (mbedtls_mutex_unlock(&heap.mutex)) {
+ return NULL;
+ }
+ return buf;
+}
+
+static void buffer_alloc_free_mutexed(void *ptr)
+{
+ /* We have no good option here, but corrupting the heap seems
+ * worse than losing memory. */
+ if (mbedtls_mutex_lock(&heap.mutex)) {
+ return;
+ }
+ buffer_alloc_free(ptr);
+ (void) mbedtls_mutex_unlock(&heap.mutex);
+}
+#endif /* MBEDTLS_THREADING_C */
+
+void mbedtls_memory_buffer_alloc_init(unsigned char *buf, size_t len)
+{
+ memset(&heap, 0, sizeof(buffer_alloc_ctx));
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&heap.mutex);
+ mbedtls_platform_set_calloc_free(buffer_alloc_calloc_mutexed,
+ buffer_alloc_free_mutexed);
+#else
+ mbedtls_platform_set_calloc_free(buffer_alloc_calloc, buffer_alloc_free);
+#endif
+
+ if (len < sizeof(memory_header) + MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ return;
+ } else if ((size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE) {
+ /* Adjust len first since buf is used in the computation */
+ len -= MBEDTLS_MEMORY_ALIGN_MULTIPLE
+ - (size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ buf += MBEDTLS_MEMORY_ALIGN_MULTIPLE
+ - (size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ }
+
+ memset(buf, 0, len);
+
+ heap.buf = buf;
+ heap.len = len;
+
+ heap.first = (memory_header *) buf;
+ heap.first->size = len - sizeof(memory_header);
+ heap.first->magic1 = MAGIC1;
+ heap.first->magic2 = MAGIC2;
+ heap.first_free = heap.first;
+}
+
+void mbedtls_memory_buffer_alloc_free(void)
+{
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_free(&heap.mutex);
+#endif
+ mbedtls_platform_zeroize(&heap, sizeof(buffer_alloc_ctx));
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+static int check_pointer(void *p)
+{
+ if (p == NULL) {
+ return -1;
+ }
+
+ if ((size_t) p % MBEDTLS_MEMORY_ALIGN_MULTIPLE != 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static int check_all_free(void)
+{
+ if (
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ heap.total_used != 0 ||
+#endif
+ heap.first != heap.first_free ||
+ (void *) heap.first != (void *) heap.buf) {
+ return -1;
+ }
+
+ return 0;
+}
+
+#define TEST_ASSERT(condition) \
+ if (!(condition)) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf("failed\n"); \
+ \
+ ret = 1; \
+ goto cleanup; \
+ }
+
+int mbedtls_memory_buffer_alloc_self_test(int verbose)
+{
+ unsigned char buf[1024];
+ unsigned char *p, *q, *r, *end;
+ int ret = 0;
+
+ if (verbose != 0) {
+ mbedtls_printf(" MBA test #1 (basic alloc-free cycle): ");
+ }
+
+ mbedtls_memory_buffer_alloc_init(buf, sizeof(buf));
+
+ p = mbedtls_calloc(1, 1);
+ q = mbedtls_calloc(1, 128);
+ r = mbedtls_calloc(1, 16);
+
+ TEST_ASSERT(check_pointer(p) == 0 &&
+ check_pointer(q) == 0 &&
+ check_pointer(r) == 0);
+
+ mbedtls_free(r);
+ mbedtls_free(q);
+ mbedtls_free(p);
+
+ TEST_ASSERT(check_all_free() == 0);
+
+ /* Memorize end to compare with the next test */
+ end = heap.buf + heap.len;
+
+ mbedtls_memory_buffer_alloc_free();
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" MBA test #2 (buf not aligned): ");
+ }
+
+ mbedtls_memory_buffer_alloc_init(buf + 1, sizeof(buf) - 1);
+
+ TEST_ASSERT(heap.buf + heap.len == end);
+
+ p = mbedtls_calloc(1, 1);
+ q = mbedtls_calloc(1, 128);
+ r = mbedtls_calloc(1, 16);
+
+ TEST_ASSERT(check_pointer(p) == 0 &&
+ check_pointer(q) == 0 &&
+ check_pointer(r) == 0);
+
+ mbedtls_free(r);
+ mbedtls_free(q);
+ mbedtls_free(p);
+
+ TEST_ASSERT(check_all_free() == 0);
+
+ mbedtls_memory_buffer_alloc_free();
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" MBA test #3 (full): ");
+ }
+
+ mbedtls_memory_buffer_alloc_init(buf, sizeof(buf));
+
+ p = mbedtls_calloc(1, sizeof(buf) - sizeof(memory_header));
+
+ TEST_ASSERT(check_pointer(p) == 0);
+ TEST_ASSERT(mbedtls_calloc(1, 1) == NULL);
+
+ mbedtls_free(p);
+
+ p = mbedtls_calloc(1, sizeof(buf) - 2 * sizeof(memory_header) - 16);
+ q = mbedtls_calloc(1, 16);
+
+ TEST_ASSERT(check_pointer(p) == 0 && check_pointer(q) == 0);
+ TEST_ASSERT(mbedtls_calloc(1, 1) == NULL);
+
+ mbedtls_free(q);
+
+ TEST_ASSERT(mbedtls_calloc(1, 17) == NULL);
+
+ mbedtls_free(p);
+
+ TEST_ASSERT(check_all_free() == 0);
+
+ mbedtls_memory_buffer_alloc_free();
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+cleanup:
+ mbedtls_memory_buffer_alloc_free();
+
+ return ret;
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
diff --git a/library/mps_common.h b/library/mps_common.h
new file mode 100644
index 0000000..f9fe099
--- /dev/null
+++ b/library/mps_common.h
@@ -0,0 +1,181 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * \file mps_common.h
+ *
+ * \brief Common functions and macros used by MPS
+ */
+
+#ifndef MBEDTLS_MPS_COMMON_H
+#define MBEDTLS_MPS_COMMON_H
+
+#include "mps_error.h"
+
+#include <stdio.h>
+
+/**
+ * \name SECTION: MPS Configuration
+ *
+ * \{
+ */
+
+/*! This flag controls whether the MPS-internal components
+ * (reader, writer, Layer 1-3) perform validation of the
+ * expected abstract state at the entry of API calls.
+ *
+ * Context: All MPS API functions impose assumptions/preconditions on the
+ * context on which they operate. For example, every structure has a notion of
+ * state integrity which is established by `xxx_init()` and preserved by any
+ * calls to the MPS API which satisfy their preconditions and either succeed,
+ * or fail with an error code which is explicitly documented to not corrupt
+ * structure integrity (such as WANT_READ and WANT_WRITE);
+ * apart from `xxx_init()` any function assumes state integrity as a
+ * precondition (but usually more). If any of the preconditions is violated,
+ * the function's behavior is entirely undefined.
+ * In addition to state integrity, all MPS structures have a more refined
+ * notion of abstract state that the API operates on. For example, all layers
+ * have a notion of 'abstract read state' which indicates if incoming data has
+ * been passed to the user, e.g. through mps_l2_read_start() for Layer 2
+ * or mps_l3_read() in Layer 3. After such a call, it doesn't make sense to
+ * call these reading functions again until the incoming data has been
+ * explicitly 'consumed', e.g. through mps_l2_read_consume() for Layer 2 or
+ * mps_l3_read_consume() on Layer 3. However, even if it doesn't make sense,
+ * it's a design choice whether the API should fail gracefully on such
+ * non-sensical calls or not, and that's what this option is about:
+ *
+ * This option determines whether the expected abstract state
+ * is part of the API preconditions or not: If the option is set,
+ * then the abstract state is not part of the precondition and is
+ * thus required to be validated by the implementation. If an unexpected
+ * abstract state is encountered, the implementation must fail gracefully
+ * with error #MBEDTLS_ERR_MPS_OPERATION_UNEXPECTED.
+ * Conversely, if this option is not set, then the expected abstract state
+ * is included in the preconditions of the respective API calls, and
+ * an implementation's behaviour is undefined if the abstract state is
+ * not as expected.
+ *
+ * For example: Enabling this makes mps_l2_read_done() fail if
+ * no incoming record is currently open; disabling this would
+ * lead to undefined behavior in this case.
+ *
+ * Comment this to remove state validation.
+ */
+#define MBEDTLS_MPS_STATE_VALIDATION
+
+/*! This flag enables/disables assertions on the internal state of MPS.
+ *
+ * Assertions are sanity checks that should never trigger when MPS
+ * is used within the bounds of its API and preconditions.
+ *
+ * Enabling this increases security by limiting the scope of
+ * potential bugs, but comes at the cost of increased code size.
+ *
+ * Note: So far, there is no guiding principle as to what
+ * expected conditions merit an assertion, and which don't.
+ *
+ * Comment this to disable assertions.
+ */
+#define MBEDTLS_MPS_ENABLE_ASSERTIONS
+
+/*! This flag controls whether tracing for MPS should be enabled. */
+//#define MBEDTLS_MPS_ENABLE_TRACE
+
+#if defined(MBEDTLS_MPS_STATE_VALIDATION)
+
+#define MBEDTLS_MPS_STATE_VALIDATE_RAW(cond, string) \
+ do \
+ { \
+ if (!(cond)) \
+ { \
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_ERROR, string); \
+ MBEDTLS_MPS_TRACE_RETURN(MBEDTLS_ERR_MPS_OPERATION_UNEXPECTED); \
+ } \
+ } while (0)
+
+#else /* MBEDTLS_MPS_STATE_VALIDATION */
+
+#define MBEDTLS_MPS_STATE_VALIDATE_RAW(cond, string) \
+ do \
+ { \
+ (cond); \
+ } while (0)
+
+#endif /* MBEDTLS_MPS_STATE_VALIDATION */
+
+#if defined(MBEDTLS_MPS_ENABLE_ASSERTIONS)
+
+#define MBEDTLS_MPS_ASSERT_RAW(cond, string) \
+ do \
+ { \
+ if (!(cond)) \
+ { \
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_ERROR, string); \
+ MBEDTLS_MPS_TRACE_RETURN(MBEDTLS_ERR_MPS_INTERNAL_ERROR); \
+ } \
+ } while (0)
+
+#else /* MBEDTLS_MPS_ENABLE_ASSERTIONS */
+
+#define MBEDTLS_MPS_ASSERT_RAW(cond, string) do {} while (0)
+
+#endif /* MBEDTLS_MPS_ENABLE_ASSERTIONS */
+
+
+/* \} name SECTION: MPS Configuration */
+
+/**
+ * \name SECTION: Common types
+ *
+ * Various common types used throughout MPS.
+ * \{
+ */
+
+/** \brief The type of buffer sizes and offsets used in MPS structures.
+ *
+ * This is an unsigned integer type that should be large enough to
+ * hold the length of any buffer or message processed by MPS.
+ *
+ * The reason to pick a value as small as possible here is
+ * to reduce the size of MPS structures.
+ *
+ * \warning Care has to be taken when using a narrower type
+ * than ::mbedtls_mps_size_t here because of
+ * potential truncation during conversion.
+ *
+ * \warning Handshake messages in TLS may be up to 2^24 ~ 16Mb in size.
+ * If mbedtls_mps_[opt_]stored_size_t is smaller than that, the
+ * maximum handshake message is restricted accordingly.
+ *
+ * For now, we use the default type of size_t throughout, and the use of
+ * smaller types or different types for ::mbedtls_mps_size_t and
+ * ::mbedtls_mps_stored_size_t is not yet supported.
+ *
+ */
+typedef size_t mbedtls_mps_stored_size_t;
+#define MBEDTLS_MPS_STORED_SIZE_MAX (SIZE_MAX)
+
+/** \brief The type of buffer sizes and offsets used in the MPS API
+ * and implementation.
+ *
+ * This must be at least as wide as ::mbedtls_stored_size_t but
+ * may be chosen to be strictly larger if more suitable for the
+ * target architecture.
+ *
+ * For example, in a test build for ARM Thumb, using uint_fast16_t
+ * instead of uint16_t reduced the code size from 1060 Byte to 962 Byte,
+ * so almost 10%.
+ */
+typedef size_t mbedtls_mps_size_t;
+#define MBEDTLS_MPS_SIZE_MAX (SIZE_MAX)
+
+#if MBEDTLS_MPS_STORED_SIZE_MAX > MBEDTLS_MPS_SIZE_MAX
+#error "Misconfiguration of mbedtls_mps_size_t and mbedtls_mps_stored_size_t."
+#endif
+
+/* \} SECTION: Common types */
+
+
+#endif /* MBEDTLS_MPS_COMMON_H */
diff --git a/library/mps_error.h b/library/mps_error.h
new file mode 100644
index 0000000..016a84c
--- /dev/null
+++ b/library/mps_error.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * \file mps_error.h
+ *
+ * \brief Error codes used by MPS
+ */
+
+#ifndef MBEDTLS_MPS_ERROR_H
+#define MBEDTLS_MPS_ERROR_H
+
+
+/* TODO: The error code allocation needs to be revisited:
+ *
+ * - Should we make (some of) the MPS Reader error codes public?
+ * If so, we need to adjust MBEDTLS_MPS_READER_MAKE_ERROR() to hit
+ * a gap in the Mbed TLS public error space.
+ * If not, we have to make sure we don't forward those errors
+ * at the level of the public API -- no risk at the moment as
+ * long as MPS is an experimental component not accessible from
+ * public API.
+ */
+
+/**
+ * \name SECTION: MPS general error codes
+ *
+ * \{
+ */
+
+#ifndef MBEDTLS_MPS_ERR_BASE
+#define MBEDTLS_MPS_ERR_BASE (0)
+#endif
+
+#define MBEDTLS_MPS_MAKE_ERROR(code) \
+ (-(MBEDTLS_MPS_ERR_BASE | (code)))
+
+#define MBEDTLS_ERR_MPS_OPERATION_UNEXPECTED MBEDTLS_MPS_MAKE_ERROR(0x1)
+#define MBEDTLS_ERR_MPS_INTERNAL_ERROR MBEDTLS_MPS_MAKE_ERROR(0x2)
+
+/* \} name SECTION: MPS general error codes */
+
+/**
+ * \name SECTION: MPS Reader error codes
+ *
+ * \{
+ */
+
+#ifndef MBEDTLS_MPS_READER_ERR_BASE
+#define MBEDTLS_MPS_READER_ERR_BASE (1 << 8)
+#endif
+
+#define MBEDTLS_MPS_READER_MAKE_ERROR(code) \
+ (-(MBEDTLS_MPS_READER_ERR_BASE | (code)))
+
+/*! An attempt to reclaim the data buffer from a reader failed because
+ * the user hasn't yet read and committed all of it. */
+#define MBEDTLS_ERR_MPS_READER_DATA_LEFT MBEDTLS_MPS_READER_MAKE_ERROR(0x1)
+
+/*! An invalid argument was passed to the reader. */
+#define MBEDTLS_ERR_MPS_READER_INVALID_ARG MBEDTLS_MPS_READER_MAKE_ERROR(0x2)
+
+/*! An attempt to move a reader to consuming mode through mbedtls_mps_reader_feed()
+ * after pausing failed because the provided data is not sufficient to serve the
+ * read requests that led to the pausing. */
+#define MBEDTLS_ERR_MPS_READER_NEED_MORE MBEDTLS_MPS_READER_MAKE_ERROR(0x3)
+
+/*! A get request failed because not enough data is available in the reader. */
+#define MBEDTLS_ERR_MPS_READER_OUT_OF_DATA MBEDTLS_MPS_READER_MAKE_ERROR(0x4)
+
+/*!< A get request after pausing and reactivating the reader failed because
+ * the request is not in line with the request made prior to pausing. The user
+ * must not change it's 'strategy' after pausing and reactivating a reader. */
+#define MBEDTLS_ERR_MPS_READER_INCONSISTENT_REQUESTS MBEDTLS_MPS_READER_MAKE_ERROR(0x5)
+
+/*! An attempt to reclaim the data buffer from a reader failed because the reader
+ * has no accumulator it can use to backup the data that hasn't been processed. */
+#define MBEDTLS_ERR_MPS_READER_NEED_ACCUMULATOR MBEDTLS_MPS_READER_MAKE_ERROR(0x6)
+
+/*! An attempt to reclaim the data buffer from a reader failed because the
+ * accumulator passed to the reader is not large enough to hold both the
+ * data that hasn't been processed and the excess of the last read-request. */
+#define MBEDTLS_ERR_MPS_READER_ACCUMULATOR_TOO_SMALL MBEDTLS_MPS_READER_MAKE_ERROR(0x7)
+
+/* \} name SECTION: MPS Reader error codes */
+
+#endif /* MBEDTLS_MPS_ERROR_H */
diff --git a/library/mps_reader.c b/library/mps_reader.c
new file mode 100644
index 0000000..27d0c04
--- /dev/null
+++ b/library/mps_reader.c
@@ -0,0 +1,538 @@
+/*
+ * Message Processing Stack, Reader implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#include "mps_reader.h"
+#include "mps_common.h"
+#include "mps_trace.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_MPS_ENABLE_TRACE)
+static int mbedtls_mps_trace_id = MBEDTLS_MPS_TRACE_BIT_READER;
+#endif /* MBEDTLS_MPS_ENABLE_TRACE */
+
+/*
+ * GENERAL NOTE ON CODING STYLE
+ *
+ * The following code intentionally separates memory loads
+ * and stores from other operations (arithmetic or branches).
+ * This leads to the introduction of many local variables
+ * and significantly increases the C-code line count, but
+ * should not increase the size of generated assembly.
+ *
+ * The reason for this is twofold:
+ * (1) It will ease verification efforts using the VST
+ * (Verified Software Toolchain)
+ * whose program logic cannot directly reason
+ * about instructions containing a load or store in
+ * addition to other operations (e.g. *p = *q or
+ * tmp = *p + 42).
+ * (2) Operating on local variables and writing the results
+ * back to the target contexts on success only
+ * allows to maintain structure invariants even
+ * on failure - this in turn has two benefits:
+ * (2.a) If for some reason an error code is not caught
+ * and operation continues, functions are nonetheless
+ * called with sane contexts, reducing the risk
+ * of dangerous behavior.
+ * (2.b) Randomized testing is easier if structures
+ * remain intact even in the face of failing
+ * and/or non-sensical calls.
+ * Moreover, it might even reduce code-size because
+ * the compiler need not write back temporary results
+ * to memory in case of failure.
+ *
+ */
+
+static inline int mps_reader_is_accumulating(
+ mbedtls_mps_reader const *rd)
+{
+ mbedtls_mps_size_t acc_remaining;
+ if (rd->acc == NULL) {
+ return 0;
+ }
+
+ acc_remaining = rd->acc_share.acc_remaining;
+ return acc_remaining > 0;
+}
+
+static inline int mps_reader_is_producing(
+ mbedtls_mps_reader const *rd)
+{
+ unsigned char *frag = rd->frag;
+ return frag == NULL;
+}
+
+static inline int mps_reader_is_consuming(
+ mbedtls_mps_reader const *rd)
+{
+ return !mps_reader_is_producing(rd);
+}
+
+static inline mbedtls_mps_size_t mps_reader_get_fragment_offset(
+ mbedtls_mps_reader const *rd)
+{
+ unsigned char *acc = rd->acc;
+ mbedtls_mps_size_t frag_offset;
+
+ if (acc == NULL) {
+ return 0;
+ }
+
+ frag_offset = rd->acc_share.frag_offset;
+ return frag_offset;
+}
+
+static inline mbedtls_mps_size_t mps_reader_serving_from_accumulator(
+ mbedtls_mps_reader const *rd)
+{
+ mbedtls_mps_size_t frag_offset, end;
+
+ frag_offset = mps_reader_get_fragment_offset(rd);
+ end = rd->end;
+
+ return end < frag_offset;
+}
+
+static inline void mps_reader_zero(mbedtls_mps_reader *rd)
+{
+ /* A plain memset() would likely be more efficient,
+ * but the current way of zeroing makes it harder
+ * to overlook fields which should not be zero-initialized.
+ * It's also more suitable for FV efforts since it
+ * doesn't require reasoning about structs being
+ * interpreted as unstructured binary blobs. */
+ static mbedtls_mps_reader const zero =
+ { .frag = NULL,
+ .frag_len = 0,
+ .commit = 0,
+ .end = 0,
+ .pending = 0,
+ .acc = NULL,
+ .acc_len = 0,
+ .acc_available = 0,
+ .acc_share = { .acc_remaining = 0 } };
+ *rd = zero;
+}
+
+int mbedtls_mps_reader_init(mbedtls_mps_reader *rd,
+ unsigned char *acc,
+ mbedtls_mps_size_t acc_len)
+{
+ MBEDTLS_MPS_TRACE_INIT("mbedtls_mps_reader_init");
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "* Accumulator size: %u bytes", (unsigned) acc_len);
+ mps_reader_zero(rd);
+ rd->acc = acc;
+ rd->acc_len = acc_len;
+ MBEDTLS_MPS_TRACE_RETURN(0);
+}
+
+int mbedtls_mps_reader_free(mbedtls_mps_reader *rd)
+{
+ MBEDTLS_MPS_TRACE_INIT("mbedtls_mps_reader_free");
+ mps_reader_zero(rd);
+ MBEDTLS_MPS_TRACE_RETURN(0);
+}
+
+int mbedtls_mps_reader_feed(mbedtls_mps_reader *rd,
+ unsigned char *new_frag,
+ mbedtls_mps_size_t new_frag_len)
+{
+ mbedtls_mps_size_t copy_to_acc;
+ MBEDTLS_MPS_TRACE_INIT("mbedtls_mps_reader_feed");
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "* Fragment length: %u bytes", (unsigned) new_frag_len);
+
+ if (new_frag == NULL) {
+ MBEDTLS_MPS_TRACE_RETURN(MBEDTLS_ERR_MPS_READER_INVALID_ARG);
+ }
+
+ MBEDTLS_MPS_STATE_VALIDATE_RAW(mps_reader_is_producing(
+ rd),
+ "mbedtls_mps_reader_feed() requires reader to be in producing mode");
+
+ if (mps_reader_is_accumulating(rd)) {
+ unsigned char *acc = rd->acc;
+ mbedtls_mps_size_t acc_remaining = rd->acc_share.acc_remaining;
+ mbedtls_mps_size_t acc_available = rd->acc_available;
+
+ /* Skip over parts of the accumulator that have already been filled. */
+ acc += acc_available;
+
+ copy_to_acc = acc_remaining;
+ if (copy_to_acc > new_frag_len) {
+ copy_to_acc = new_frag_len;
+ }
+
+ /* Copy new contents to accumulator. */
+ memcpy(acc, new_frag, copy_to_acc);
+
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "Copy new data of size %u of %u into accumulator at offset %u",
+ (unsigned) copy_to_acc, (unsigned) new_frag_len,
+ (unsigned) acc_available);
+
+ /* Check if, with the new fragment, we have enough data. */
+ acc_remaining -= copy_to_acc;
+ if (acc_remaining > 0) {
+ /* We need to accumulate more data. Stay in producing mode. */
+ acc_available += copy_to_acc;
+ rd->acc_share.acc_remaining = acc_remaining;
+ rd->acc_available = acc_available;
+ MBEDTLS_MPS_TRACE_RETURN(MBEDTLS_ERR_MPS_READER_NEED_MORE);
+ }
+
+ /* We have filled the accumulator: Move to consuming mode. */
+
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "Enough data available to serve user request");
+
+ /* Remember overlap of accumulator and fragment. */
+ rd->acc_share.frag_offset = acc_available;
+ acc_available += copy_to_acc;
+ rd->acc_available = acc_available;
+ } else { /* Not accumulating */
+ rd->acc_share.frag_offset = 0;
+ }
+
+ rd->frag = new_frag;
+ rd->frag_len = new_frag_len;
+ rd->commit = 0;
+ rd->end = 0;
+ MBEDTLS_MPS_TRACE_RETURN(0);
+}
+
+
+int mbedtls_mps_reader_get(mbedtls_mps_reader *rd,
+ mbedtls_mps_size_t desired,
+ unsigned char **buffer,
+ mbedtls_mps_size_t *buflen)
+{
+ unsigned char *frag;
+ mbedtls_mps_size_t frag_len, frag_offset, end, frag_fetched, frag_remaining;
+ MBEDTLS_MPS_TRACE_INIT("mbedtls_mps_reader_get");
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "* Bytes requested: %u", (unsigned) desired);
+
+ MBEDTLS_MPS_STATE_VALIDATE_RAW(mps_reader_is_consuming(
+ rd),
+ "mbedtls_mps_reader_get() requires reader to be in consuming mode");
+
+ end = rd->end;
+ frag_offset = mps_reader_get_fragment_offset(rd);
+
+ /* Check if we're still serving from the accumulator. */
+ if (mps_reader_serving_from_accumulator(rd)) {
+ /* Illustration of supported and unsupported cases:
+ *
+ * - Allowed #1
+ *
+ * +-----------------------------------+
+ * | frag |
+ * +-----------------------------------+
+ *
+ * end end+desired
+ * | |
+ * +-----v-------v-------------+
+ * | acc |
+ * +---------------------------+
+ * | |
+ * frag_offset acc_available
+ *
+ * - Allowed #2
+ *
+ * +-----------------------------------+
+ * | frag |
+ * +-----------------------------------+
+ *
+ * end end+desired
+ * | |
+ * +----------v----------------v
+ * | acc |
+ * +---------------------------+
+ * | |
+ * frag_offset acc_available
+ *
+ * - Not allowed #1 (could be served, but we don't actually use it):
+ *
+ * +-----------------------------------+
+ * | frag |
+ * +-----------------------------------+
+ *
+ * end end+desired
+ * | |
+ * +------v-------------v------+
+ * | acc |
+ * +---------------------------+
+ * | |
+ * frag_offset acc_available
+ *
+ *
+ * - Not allowed #2 (can't be served with a contiguous buffer):
+ *
+ * +-----------------------------------+
+ * | frag |
+ * +-----------------------------------+
+ *
+ * end end + desired
+ * | |
+ * +------v--------------------+ v
+ * | acc |
+ * +---------------------------+
+ * | |
+ * frag_offset acc_available
+ *
+ * In case of Allowed #2 we're switching to serve from
+ * `frag` starting from the next call to mbedtls_mps_reader_get().
+ */
+
+ unsigned char *acc;
+
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "Serve the request from the accumulator");
+ if (frag_offset - end < desired) {
+ mbedtls_mps_size_t acc_available;
+ acc_available = rd->acc_available;
+ if (acc_available - end != desired) {
+ /* It might be possible to serve some of these situations by
+ * making additional space in the accumulator, removing those
+ * parts that have already been committed.
+ * On the other hand, this brings additional complexity and
+ * enlarges the code size, while there doesn't seem to be a use
+ * case where we don't attempt exactly the same `get` calls when
+ * resuming on a reader than what we tried before pausing it.
+ * If we believe we adhere to this restricted usage throughout
+ * the library, this check is a good opportunity to
+ * validate this. */
+ MBEDTLS_MPS_TRACE_RETURN(
+ MBEDTLS_ERR_MPS_READER_INCONSISTENT_REQUESTS);
+ }
+ }
+
+ acc = rd->acc;
+ acc += end;
+
+ *buffer = acc;
+ if (buflen != NULL) {
+ *buflen = desired;
+ }
+
+ end += desired;
+ rd->end = end;
+ rd->pending = 0;
+
+ MBEDTLS_MPS_TRACE_RETURN(0);
+ }
+
+ /* Attempt to serve the request from the current fragment */
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "Serve the request from the current fragment.");
+
+ frag_len = rd->frag_len;
+ frag_fetched = end - frag_offset; /* The amount of data from the current
+ * fragment that has already been passed
+ * to the user. */
+ frag_remaining = frag_len - frag_fetched; /* Remaining data in fragment */
+
+ /* Check if we can serve the read request from the fragment. */
+ if (frag_remaining < desired) {
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "There's not enough data in the current fragment "
+ "to serve the request.");
+ /* There's not enough data in the current fragment,
+ * so either just RETURN what we have or fail. */
+ if (buflen == NULL) {
+ if (frag_remaining > 0) {
+ rd->pending = desired - frag_remaining;
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "Remember to collect %u bytes before re-opening",
+ (unsigned) rd->pending);
+ }
+ MBEDTLS_MPS_TRACE_RETURN(MBEDTLS_ERR_MPS_READER_OUT_OF_DATA);
+ }
+
+ desired = frag_remaining;
+ }
+
+ /* There's enough data in the current fragment to serve the
+ * (potentially modified) read request. */
+
+ frag = rd->frag;
+ frag += frag_fetched;
+
+ *buffer = frag;
+ if (buflen != NULL) {
+ *buflen = desired;
+ }
+
+ end += desired;
+ rd->end = end;
+ rd->pending = 0;
+ MBEDTLS_MPS_TRACE_RETURN(0);
+}
+
+int mbedtls_mps_reader_commit(mbedtls_mps_reader *rd)
+{
+ mbedtls_mps_size_t end;
+ MBEDTLS_MPS_TRACE_INIT("mbedtls_mps_reader_commit");
+ MBEDTLS_MPS_STATE_VALIDATE_RAW(mps_reader_is_consuming(
+ rd),
+ "mbedtls_mps_reader_commit() requires reader to be in consuming mode");
+
+ end = rd->end;
+ rd->commit = end;
+
+ MBEDTLS_MPS_TRACE_RETURN(0);
+}
+
+int mbedtls_mps_reader_reclaim(mbedtls_mps_reader *rd,
+ int *paused)
+{
+ unsigned char *frag, *acc;
+ mbedtls_mps_size_t pending, commit;
+ mbedtls_mps_size_t acc_len, frag_offset, frag_len;
+ MBEDTLS_MPS_TRACE_INIT("mbedtls_mps_reader_reclaim");
+
+ if (paused != NULL) {
+ *paused = 0;
+ }
+
+ MBEDTLS_MPS_STATE_VALIDATE_RAW(mps_reader_is_consuming(
+ rd),
+ "mbedtls_mps_reader_reclaim() requires reader to be in consuming mode");
+
+ frag = rd->frag;
+ acc = rd->acc;
+ pending = rd->pending;
+ commit = rd->commit;
+ frag_len = rd->frag_len;
+
+ frag_offset = mps_reader_get_fragment_offset(rd);
+
+ if (pending == 0) {
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "No unsatisfied read-request has been logged.");
+
+ /* Check if there's data left to be consumed. */
+ if (commit < frag_offset || commit - frag_offset < frag_len) {
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "There is data left to be consumed.");
+ rd->end = commit;
+ MBEDTLS_MPS_TRACE_RETURN(MBEDTLS_ERR_MPS_READER_DATA_LEFT);
+ }
+
+ rd->acc_available = 0;
+ rd->acc_share.acc_remaining = 0;
+
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "Fragment has been fully processed and committed.");
+ } else {
+ int overflow;
+
+ mbedtls_mps_size_t acc_backup_offset;
+ mbedtls_mps_size_t acc_backup_len;
+ mbedtls_mps_size_t frag_backup_offset;
+ mbedtls_mps_size_t frag_backup_len;
+
+ mbedtls_mps_size_t backup_len;
+ mbedtls_mps_size_t acc_len_needed;
+
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "There has been an unsatisfied read with %u bytes overhead.",
+ (unsigned) pending);
+
+ if (acc == NULL) {
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "No accumulator present");
+ MBEDTLS_MPS_TRACE_RETURN(
+ MBEDTLS_ERR_MPS_READER_NEED_ACCUMULATOR);
+ }
+ acc_len = rd->acc_len;
+
+ /* Check if the upper layer has already fetched
+ * and committed the contents of the accumulator. */
+ if (commit < frag_offset) {
+ /* No, accumulator is still being processed. */
+ frag_backup_offset = 0;
+ frag_backup_len = frag_len;
+ acc_backup_offset = commit;
+ acc_backup_len = frag_offset - commit;
+ } else {
+ /* Yes, the accumulator is already processed. */
+ frag_backup_offset = commit - frag_offset;
+ frag_backup_len = frag_len - frag_backup_offset;
+ acc_backup_offset = 0;
+ acc_backup_len = 0;
+ }
+
+ backup_len = acc_backup_len + frag_backup_len;
+ acc_len_needed = backup_len + pending;
+
+ overflow = 0;
+ overflow |= (backup_len < acc_backup_len);
+ overflow |= (acc_len_needed < backup_len);
+
+ if (overflow || acc_len < acc_len_needed) {
+ /* Except for the different return code, we behave as if
+ * there hadn't been a call to mbedtls_mps_reader_get()
+ * since the last commit. */
+ rd->end = commit;
+ rd->pending = 0;
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_ERROR,
+ "The accumulator is too small to handle the backup.");
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_ERROR,
+ "* Size: %u", (unsigned) acc_len);
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_ERROR,
+ "* Needed: %u (%u + %u)",
+ (unsigned) acc_len_needed,
+ (unsigned) backup_len, (unsigned) pending);
+ MBEDTLS_MPS_TRACE_RETURN(
+ MBEDTLS_ERR_MPS_READER_ACCUMULATOR_TOO_SMALL);
+ }
+
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "Fragment backup: %u", (unsigned) frag_backup_len);
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "Accumulator backup: %u", (unsigned) acc_backup_len);
+
+ /* Move uncommitted parts from the accumulator to the front
+ * of the accumulator. */
+ memmove(acc, acc + acc_backup_offset, acc_backup_len);
+
+ /* Copy uncommitted parts of the current fragment to the
+ * accumulator. */
+ memcpy(acc + acc_backup_len,
+ frag + frag_backup_offset, frag_backup_len);
+
+ rd->acc_available = backup_len;
+ rd->acc_share.acc_remaining = pending;
+
+ if (paused != NULL) {
+ *paused = 1;
+ }
+ }
+
+ rd->frag = NULL;
+ rd->frag_len = 0;
+
+ rd->commit = 0;
+ rd->end = 0;
+ rd->pending = 0;
+
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ "Final state: aa %u, al %u, ar %u",
+ (unsigned) rd->acc_available, (unsigned) rd->acc_len,
+ (unsigned) rd->acc_share.acc_remaining);
+ MBEDTLS_MPS_TRACE_RETURN(0);
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/mps_reader.h b/library/mps_reader.h
new file mode 100644
index 0000000..3193a5e
--- /dev/null
+++ b/library/mps_reader.h
@@ -0,0 +1,366 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * \file mps_reader.h
+ *
+ * \brief This file defines reader objects, which together with their
+ * sibling writer objects form the basis for the communication
+ * between the various layers of the Mbed TLS messaging stack,
+ * as well as the communication between the messaging stack and
+ * the (D)TLS handshake protocol implementation.
+ *
+ * Readers provide a means of transferring incoming data from
+ * a 'producer' providing it in chunks of arbitrary size, to
+ * a 'consumer' which fetches and processes it in chunks of
+ * again arbitrary, and potentially different, size.
+ *
+ * Readers can thus be seen as datagram-to-stream converters,
+ * and they abstract away the following two tasks from the user:
+ * 1. The pointer arithmetic of stepping through a producer-
+ * provided chunk in smaller chunks.
+ * 2. The merging of incoming data chunks in case the
+ * consumer requests data in larger chunks than what the
+ * producer provides.
+ *
+ * The basic abstract flow of operation is the following:
+ * - Initially, the reader is in 'producing mode'.
+ * - The producer hands an incoming data buffer to the reader,
+ * moving it from 'producing' to 'consuming' mode.
+ * - The consumer subsequently fetches and processes the buffer
+ * content. Once that's done -- or partially done and a consumer's
+ * request can't be fulfilled -- the producer revokes the reader's
+ * access to the incoming data buffer, putting the reader back to
+ * producing mode.
+ * - The producer subsequently gathers more incoming data and hands
+ * it to the reader until it switches back to consuming mode
+ * if enough data is available for the last consumer request to
+ * be satisfiable.
+ * - Repeat the above.
+ *
+ * The abstract states of the reader from the producer's and
+ * consumer's perspective are as follows:
+ *
+ * - From the perspective of the consumer, the state of the
+ * reader consists of the following:
+ * - A byte stream representing (concatenation of) the data
+ * received through calls to mbedtls_mps_reader_get(),
+ * - A marker within that byte stream indicating which data
+ * can be considered processed, and hence need not be retained,
+ * when the reader is passed back to the producer via
+ * mbedtls_mps_reader_reclaim().
+ * The marker is set via mbedtls_mps_reader_commit()
+ * which places it at the end of the current byte stream.
+ * The consumer need not be aware of the distinction between consumer
+ * and producer mode, because it only interfaces with the reader
+ * when the latter is in consuming mode.
+ *
+ * - From the perspective of the producer, the reader's state is one of:
+ * - Attached: The reader is in consuming mode.
+ * - Unset: No incoming data buffer is currently managed by the reader,
+ * and all previously handed incoming data buffers have been
+ * fully processed. More data needs to be fed into the reader
+ * via mbedtls_mps_reader_feed().
+ *
+ * - Accumulating: No incoming data buffer is currently managed by the
+ * reader, but some data from the previous incoming data
+ * buffer hasn't been processed yet and is internally
+ * held back.
+ * The Attached state belongs to consuming mode, while the Unset and
+ * Accumulating states belong to producing mode.
+ *
+ * Transitioning from the Unset or Accumulating state to Attached is
+ * done via successful calls to mbedtls_mps_reader_feed(), while
+ * transitioning from Attached to either Unset or Accumulating (depending
+ * on what has been processed) is done via mbedtls_mps_reader_reclaim().
+ *
+ * The following diagram depicts the producer-state progression:
+ *
+ * +------------------+ reclaim
+ * | Unset +<-------------------------------------+ get
+ * +--------|---------+ | +------+
+ * | | | |
+ * | | | |
+ * | feed +---------+---+--+ |
+ * +--------------------------------------> <---+
+ * | Attached |
+ * +--------------------------------------> <---+
+ * | feed, enough data available +---------+---+--+ |
+ * | to serve previous consumer request | | |
+ * | | | |
+ * +--------+---------+ | +------+
+ * +----> Accumulating |<-------------------------------------+ commit
+ * | +---+--------------+ reclaim, previous read request
+ * | | couldn't be fulfilled
+ * | |
+ * +--------+
+ * feed, need more data to serve
+ * previous consumer request
+ * |
+ * |
+ * producing mode | consuming mode
+ * |
+ *
+ */
+
+#ifndef MBEDTLS_READER_H
+#define MBEDTLS_READER_H
+
+#include <stdio.h>
+
+#include "mps_common.h"
+#include "mps_error.h"
+
+struct mbedtls_mps_reader;
+typedef struct mbedtls_mps_reader mbedtls_mps_reader;
+
+/*
+ * Structure definitions
+ */
+
+struct mbedtls_mps_reader {
+ unsigned char *frag; /*!< The fragment of incoming data managed by
+ * the reader; it is provided to the reader
+ * through mbedtls_mps_reader_feed(). The reader
+ * does not own the fragment and does not
+ * perform any allocation operations on it,
+ * but does have read and write access to it.
+ *
+ * The reader is in consuming mode if
+ * and only if \c frag is not \c NULL. */
+ mbedtls_mps_stored_size_t frag_len;
+ /*!< The length of the current fragment.
+ * Must be 0 if \c frag == \c NULL. */
+ mbedtls_mps_stored_size_t commit;
+ /*!< The offset of the last commit, relative
+ * to the first byte in the fragment, if
+ * no accumulator is present. If an accumulator
+ * is present, it is viewed as a prefix to the
+ * current fragment, and this variable contains
+ * an offset from the beginning of the accumulator.
+ *
+ * This is only used when the reader is in
+ * consuming mode, i.e. \c frag != \c NULL;
+ * otherwise, its value is \c 0. */
+ mbedtls_mps_stored_size_t end;
+ /*!< The offset of the end of the last chunk
+ * passed to the user through a call to
+ * mbedtls_mps_reader_get(), relative to the first
+ * byte in the fragment, if no accumulator is
+ * present. If an accumulator is present, it is
+ * viewed as a prefix to the current fragment, and
+ * this variable contains an offset from the
+ * beginning of the accumulator.
+ *
+ * This is only used when the reader is in
+ * consuming mode, i.e. \c frag != \c NULL;
+ * otherwise, its value is \c 0. */
+ mbedtls_mps_stored_size_t pending;
+ /*!< The amount of incoming data missing on the
+ * last call to mbedtls_mps_reader_get().
+ * In particular, it is \c 0 if the last call
+ * was successful.
+ * If a reader is reclaimed after an
+ * unsuccessful call to mbedtls_mps_reader_get(),
+ * this variable is used to have the reader
+ * remember how much data should be accumulated
+ * so that the call to mbedtls_mps_reader_get()
+ * succeeds next time.
+ * This is only used when the reader is in
+ * consuming mode, i.e. \c frag != \c NULL;
+ * otherwise, its value is \c 0. */
+
+ /* The accumulator is only needed if we need to be able to pause
+ * the reader. A few bytes could be saved by moving this to a
+ * separate struct and using a pointer here. */
+
+ unsigned char *acc; /*!< The accumulator is used to gather incoming
+ * data if a read-request via mbedtls_mps_reader_get()
+ * cannot be served from the current fragment. */
+ mbedtls_mps_stored_size_t acc_len;
+ /*!< The total size of the accumulator. */
+ mbedtls_mps_stored_size_t acc_available;
+ /*!< The number of bytes currently gathered in
+ * the accumulator. This is both used in
+ * producing and in consuming mode:
+ * While producing, it is increased until
+ * it reaches the value of \c acc_remaining below.
+ * While consuming, it is used to judge if a
+ * get request can be served from the
+ * accumulator or not.
+ * Must not be larger than \c acc_len. */
+ union {
+ mbedtls_mps_stored_size_t acc_remaining;
+ /*!< This indicates the amount of data still
+ * to be gathered in the accumulator. It is
+ * only used in producing mode.
+ * Must be at most acc_len - acc_available. */
+ mbedtls_mps_stored_size_t frag_offset;
+ /*!< If an accumulator is present and in use, this
+ * field indicates the offset of the current
+ * fragment from the beginning of the
+ * accumulator. If no accumulator is present
+ * or the accumulator is not in use, this is \c 0.
+ * It is only used in consuming mode.
+ * Must not be larger than \c acc_available. */
+ } acc_share;
+};
+
+/*
+ * API organization:
+ * A reader object is usually prepared and maintained
+ * by some lower layer and passed for usage to an upper
+ * layer, and the API naturally splits according to which
+ * layer is supposed to use the respective functions.
+ */
+
+/*
+ * Maintenance API (Lower layer)
+ */
+
+/**
+ * \brief Initialize a reader object
+ *
+ * \param reader The reader to be initialized.
+ * \param acc The buffer to be used as a temporary accumulator
+ * in case get requests through mbedtls_mps_reader_get()
+ * exceed the buffer provided by mbedtls_mps_reader_feed().
+ * This buffer is owned by the caller and exclusive use
+ * for reading and writing is given to the reader for the
+ * duration of the reader's lifetime. It is thus the caller's
+ * responsibility to maintain (and not touch) the buffer for
+ * the lifetime of the reader, and to properly zeroize and
+ * free the memory after the reader has been destroyed.
+ * \param acc_len The size in Bytes of \p acc.
+ *
+ * \return \c 0 on success.
+ * \return A negative \c MBEDTLS_ERR_READER_XXX error code on failure.
+ */
+int mbedtls_mps_reader_init(mbedtls_mps_reader *reader,
+ unsigned char *acc,
+ mbedtls_mps_size_t acc_len);
+
+/**
+ * \brief Free a reader object
+ *
+ * \param reader The reader to be freed.
+ *
+ * \return \c 0 on success.
+ * \return A negative \c MBEDTLS_ERR_READER_XXX error code on failure.
+ */
+int mbedtls_mps_reader_free(mbedtls_mps_reader *reader);
+
+/**
+ * \brief Pass chunk of data for the reader to manage.
+ *
+ * \param reader The reader context to use. The reader must be
+ * in producing mode.
+ * \param buf The buffer to be managed by the reader.
+ * \param buflen The size in Bytes of \p buffer.
+ *
+ * \return \c 0 on success. In this case, the reader will be
+ * moved to consuming mode and obtains read access
+ * of \p buf until mbedtls_mps_reader_reclaim()
+ * is called. It is the responsibility of the caller
+ * to ensure that the \p buf persists and is not changed
+ * between successful calls to mbedtls_mps_reader_feed()
+ * and mbedtls_mps_reader_reclaim().
+ * \return \c MBEDTLS_ERR_MPS_READER_NEED_MORE if more input data is
+ * required to fulfill a previous request to mbedtls_mps_reader_get().
+ * In this case, the reader remains in producing mode and
+ * takes no ownership of the provided buffer (an internal copy
+ * is made instead).
+ * \return Another negative \c MBEDTLS_ERR_READER_XXX error code on
+ * different kinds of failures.
+ */
+int mbedtls_mps_reader_feed(mbedtls_mps_reader *reader,
+ unsigned char *buf,
+ mbedtls_mps_size_t buflen);
+
+/**
+ * \brief Reclaim reader's access to the current input buffer.
+ *
+ * \param reader The reader context to use. The reader must be
+ * in consuming mode.
+ * \param paused If not \c NULL, the integer at address \p paused will be
+ * modified to indicate whether the reader has been paused
+ * (value \c 1) or not (value \c 0). Pausing happens if there
+ * is uncommitted data and a previous request to
+ * mbedtls_mps_reader_get() has exceeded the bounds of the
+ * input buffer.
+ *
+ * \return \c 0 on success.
+ * \return A negative \c MBEDTLS_ERR_READER_XXX error code on failure.
+ */
+int mbedtls_mps_reader_reclaim(mbedtls_mps_reader *reader,
+ int *paused);
+
+/*
+ * Usage API (Upper layer)
+ */
+
+/**
+ * \brief Request data from the reader.
+ *
+ * \param reader The reader context to use. The reader must
+ * be in consuming mode.
+ * \param desired The desired amount of data to be read, in Bytes.
+ * \param buffer The address to store the buffer pointer in.
+ * This must not be \c NULL.
+ * \param buflen The address to store the actual buffer
+ * length in, or \c NULL.
+ *
+ * \return \c 0 on success. In this case, \c *buf holds the
+ * address of a buffer of size \c *buflen
+ * (if \c buflen != \c NULL) or \c desired
+ * (if \c buflen == \c NULL). The user has read access
+ * to the buffer and guarantee of stability of the data
+ * until the next call to mbedtls_mps_reader_reclaim().
+ * \return #MBEDTLS_ERR_MPS_READER_OUT_OF_DATA if there is not enough
+ * data available to serve the get request. In this case, the
+ * reader remains intact and in consuming mode, and the consumer
+ * should retry the call after a successful cycle of
+ * mbedtls_mps_reader_reclaim() and mbedtls_mps_reader_feed().
+ * If, after such a cycle, the consumer requests a different
+ * amount of data, the result is implementation-defined;
+ * progress is guaranteed only if the same amount of data
+ * is requested after a mbedtls_mps_reader_reclaim() and
+ * mbedtls_mps_reader_feed() cycle.
+ * \return Another negative \c MBEDTLS_ERR_READER_XXX error
+ * code for different kinds of failure.
+ *
+ * \note Passing \c NULL as \p buflen is a convenient way to
+ * indicate that fragmentation is not tolerated.
+ * It's functionally equivalent to passing a valid
+ * address as buflen and checking \c *buflen == \c desired
+ * afterwards.
+ */
+int mbedtls_mps_reader_get(mbedtls_mps_reader *reader,
+ mbedtls_mps_size_t desired,
+ unsigned char **buffer,
+ mbedtls_mps_size_t *buflen);
+
+/**
+ * \brief Mark data obtained from mbedtls_mps_reader_get() as processed.
+ *
+ * This call indicates that all data received from prior calls to
+ * mbedtls_mps_reader_get() has been or will have been
+ * processed when mbedtls_mps_reader_reclaim() is called,
+ * and thus need not be backed up.
+ *
+ * This function has no user observable effect until
+ * mbedtls_mps_reader_reclaim() is called. In particular,
+ * buffers received from mbedtls_mps_reader_get() remain
+ * valid until mbedtls_mps_reader_reclaim() is called.
+ *
+ * \param reader The reader context to use.
+ *
+ * \return \c 0 on success.
+ * \return A negative \c MBEDTLS_ERR_READER_XXX error code on failure.
+ *
+ */
+int mbedtls_mps_reader_commit(mbedtls_mps_reader *reader);
+
+#endif /* MBEDTLS_READER_H */
diff --git a/library/mps_trace.c b/library/mps_trace.c
new file mode 100644
index 0000000..69f6e5a
--- /dev/null
+++ b/library/mps_trace.c
@@ -0,0 +1,112 @@
+/*
+ * Message Processing Stack, Trace module
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#include "mps_common.h"
+
+#if defined(MBEDTLS_MPS_ENABLE_TRACE)
+
+#include "mps_trace.h"
+#include <stdarg.h>
+
+static int trace_depth = 0;
+
+#define color_default "\x1B[0m"
+#define color_red "\x1B[1;31m"
+#define color_green "\x1B[1;32m"
+#define color_yellow "\x1B[1;33m"
+#define color_blue "\x1B[1;34m"
+#define color_magenta "\x1B[1;35m"
+#define color_cyan "\x1B[1;36m"
+#define color_white "\x1B[1;37m"
+
+static char const *colors[] =
+{
+ color_default,
+ color_green,
+ color_yellow,
+ color_magenta,
+ color_cyan,
+ color_blue,
+ color_white
+};
+
+#define MPS_TRACE_BUF_SIZE 100
+
+void mbedtls_mps_trace_print_msg(int id, int line, const char *format, ...)
+{
+ int ret;
+ char str[MPS_TRACE_BUF_SIZE];
+ va_list argp;
+ va_start(argp, format);
+ ret = mbedtls_vsnprintf(str, MPS_TRACE_BUF_SIZE, format, argp);
+ va_end(argp);
+
+ if (ret >= 0 && ret < MPS_TRACE_BUF_SIZE) {
+ str[ret] = '\0';
+ mbedtls_printf("[%d|L%d]: %s\n", id, line, str);
+ }
+}
+
+int mbedtls_mps_trace_get_depth()
+{
+ return trace_depth;
+}
+void mbedtls_mps_trace_dec_depth()
+{
+ trace_depth--;
+}
+void mbedtls_mps_trace_inc_depth()
+{
+ trace_depth++;
+}
+
+void mbedtls_mps_trace_color(int id)
+{
+ if (id > (int) (sizeof(colors) / sizeof(*colors))) {
+ return;
+ }
+ printf("%s", colors[id]);
+}
+
+void mbedtls_mps_trace_indent(int level, mbedtls_mps_trace_type ty)
+{
+ if (level > 0) {
+ while (--level) {
+ printf("| ");
+ }
+
+ printf("| ");
+ }
+
+ switch (ty) {
+ case MBEDTLS_MPS_TRACE_TYPE_COMMENT:
+ mbedtls_printf("@ ");
+ break;
+
+ case MBEDTLS_MPS_TRACE_TYPE_CALL:
+ mbedtls_printf("+--> ");
+ break;
+
+ case MBEDTLS_MPS_TRACE_TYPE_ERROR:
+ mbedtls_printf("E ");
+ break;
+
+ case MBEDTLS_MPS_TRACE_TYPE_RETURN:
+ mbedtls_printf("< ");
+ break;
+
+ default:
+ break;
+ }
+}
+
+#endif /* MBEDTLS_MPS_ENABLE_TRACE */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/mps_trace.h b/library/mps_trace.h
new file mode 100644
index 0000000..b456b2f
--- /dev/null
+++ b/library/mps_trace.h
@@ -0,0 +1,154 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * \file mps_trace.h
+ *
+ * \brief Tracing module for MPS
+ */
+
+#ifndef MBEDTLS_MPS_MBEDTLS_MPS_TRACE_H
+#define MBEDTLS_MPS_MBEDTLS_MPS_TRACE_H
+
+#include "common.h"
+#include "mps_common.h"
+#include "mps_trace.h"
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_MPS_ENABLE_TRACE)
+
+/*
+ * Adapt this to enable/disable tracing output
+ * from the various layers of the MPS.
+ */
+
+#define MBEDTLS_MPS_TRACE_ENABLE_LAYER_1
+#define MBEDTLS_MPS_TRACE_ENABLE_LAYER_2
+#define MBEDTLS_MPS_TRACE_ENABLE_LAYER_3
+#define MBEDTLS_MPS_TRACE_ENABLE_LAYER_4
+#define MBEDTLS_MPS_TRACE_ENABLE_READER
+#define MBEDTLS_MPS_TRACE_ENABLE_WRITER
+
+/*
+ * To use the existing trace module, only change
+ * MBEDTLS_MPS_TRACE_ENABLE_XXX above, but don't modify the
+ * rest of this file.
+ */
+
+typedef enum {
+ MBEDTLS_MPS_TRACE_TYPE_COMMENT,
+ MBEDTLS_MPS_TRACE_TYPE_CALL,
+ MBEDTLS_MPS_TRACE_TYPE_ERROR,
+ MBEDTLS_MPS_TRACE_TYPE_RETURN
+} mbedtls_mps_trace_type;
+
+#define MBEDTLS_MPS_TRACE_BIT_LAYER_1 1
+#define MBEDTLS_MPS_TRACE_BIT_LAYER_2 2
+#define MBEDTLS_MPS_TRACE_BIT_LAYER_3 3
+#define MBEDTLS_MPS_TRACE_BIT_LAYER_4 4
+#define MBEDTLS_MPS_TRACE_BIT_WRITER 5
+#define MBEDTLS_MPS_TRACE_BIT_READER 6
+
+#if defined(MBEDTLS_MPS_TRACE_ENABLE_LAYER_1)
+#define MBEDTLS_MPS_TRACE_MASK_LAYER_1 (1u << MBEDTLS_MPS_TRACE_BIT_LAYER_1)
+#else
+#define MBEDTLS_MPS_TRACE_MASK_LAYER_1 0
+#endif
+
+#if defined(MBEDTLS_MPS_TRACE_ENABLE_LAYER_2)
+#define MBEDTLS_MPS_TRACE_MASK_LAYER_2 (1u << MBEDTLS_MPS_TRACE_BIT_LAYER_2)
+#else
+#define MBEDTLS_MPS_TRACE_MASK_LAYER_2 0
+#endif
+
+#if defined(MBEDTLS_MPS_TRACE_ENABLE_LAYER_3)
+#define MBEDTLS_MPS_TRACE_MASK_LAYER_3 (1u << MBEDTLS_MPS_TRACE_BIT_LAYER_3)
+#else
+#define MBEDTLS_MPS_TRACE_MASK_LAYER_3 0
+#endif
+
+#if defined(MBEDTLS_MPS_TRACE_ENABLE_LAYER_4)
+#define MBEDTLS_MPS_TRACE_MASK_LAYER_4 (1u << MBEDTLS_MPS_TRACE_BIT_LAYER_4)
+#else
+#define MBEDTLS_MPS_TRACE_MASK_LAYER_4 0
+#endif
+
+#if defined(MBEDTLS_MPS_TRACE_ENABLE_READER)
+#define MBEDTLS_MPS_TRACE_MASK_READER (1u << MBEDTLS_MPS_TRACE_BIT_READER)
+#else
+#define MBEDTLS_MPS_TRACE_MASK_READER 0
+#endif
+
+#if defined(MBEDTLS_MPS_TRACE_ENABLE_WRITER)
+#define MBEDTLS_MPS_TRACE_MASK_WRITER (1u << MBEDTLS_MPS_TRACE_BIT_WRITER)
+#else
+#define MBEDTLS_MPS_TRACE_MASK_WRITER 0
+#endif
+
+#define MBEDTLS_MPS_TRACE_MASK (MBEDTLS_MPS_TRACE_MASK_LAYER_1 | \
+ MBEDTLS_MPS_TRACE_MASK_LAYER_2 | \
+ MBEDTLS_MPS_TRACE_MASK_LAYER_3 | \
+ MBEDTLS_MPS_TRACE_MASK_LAYER_4 | \
+ MBEDTLS_MPS_TRACE_MASK_READER | \
+ MBEDTLS_MPS_TRACE_MASK_WRITER)
+
+/* We have to avoid globals because E-ACSL chokes on them...
+ * Wrap everything in stub functions. */
+int mbedtls_mps_trace_get_depth(void);
+void mbedtls_mps_trace_inc_depth(void);
+void mbedtls_mps_trace_dec_depth(void);
+
+void mbedtls_mps_trace_color(int id);
+void mbedtls_mps_trace_indent(int level, mbedtls_mps_trace_type ty);
+
+void mbedtls_mps_trace_print_msg(int id, int line, const char *format, ...);
+
+#define MBEDTLS_MPS_TRACE(type, ...) \
+ do { \
+ if (!(MBEDTLS_MPS_TRACE_MASK & (1u << mbedtls_mps_trace_id))) \
+ break; \
+ mbedtls_mps_trace_indent(mbedtls_mps_trace_get_depth(), type); \
+ mbedtls_mps_trace_color(mbedtls_mps_trace_id); \
+ mbedtls_mps_trace_print_msg(mbedtls_mps_trace_id, __LINE__, __VA_ARGS__); \
+ mbedtls_mps_trace_color(0); \
+ } while (0)
+
+#define MBEDTLS_MPS_TRACE_INIT(...) \
+ do { \
+ if (!(MBEDTLS_MPS_TRACE_MASK & (1u << mbedtls_mps_trace_id))) \
+ break; \
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_CALL, __VA_ARGS__); \
+ mbedtls_mps_trace_inc_depth(); \
+ } while (0)
+
+#define MBEDTLS_MPS_TRACE_END(val) \
+ do { \
+ if (!(MBEDTLS_MPS_TRACE_MASK & (1u << mbedtls_mps_trace_id))) \
+ break; \
+ MBEDTLS_MPS_TRACE(MBEDTLS_MPS_TRACE_TYPE_RETURN, "%d (-%#04x)", \
+ (int) (val), -((unsigned) (val))); \
+ mbedtls_mps_trace_dec_depth(); \
+ } while (0)
+
+#define MBEDTLS_MPS_TRACE_RETURN(val) \
+ do { \
+ /* Breaks tail recursion. */ \
+ int ret__ = val; \
+ MBEDTLS_MPS_TRACE_END(ret__); \
+ return ret__; \
+ } while (0)
+
+#else /* MBEDTLS_MPS_TRACE */
+
+#define MBEDTLS_MPS_TRACE(type, ...) do { } while (0)
+#define MBEDTLS_MPS_TRACE_INIT(...) do { } while (0)
+#define MBEDTLS_MPS_TRACE_END do { } while (0)
+
+#define MBEDTLS_MPS_TRACE_RETURN(val) return val;
+
+#endif /* MBEDTLS_MPS_TRACE */
+
+#endif /* MBEDTLS_MPS_MBEDTLS_MPS_TRACE_H */
diff --git a/library/net_sockets.c b/library/net_sockets.c
new file mode 100644
index 0000000..edec587
--- /dev/null
+++ b/library/net_sockets.c
@@ -0,0 +1,696 @@
+/*
+ * TCP/IP or UDP/IP networking functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
+ * be set before mbedtls_config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#ifndef _POSIX_C_SOURCE
+#define _POSIX_C_SOURCE 200112L
+#endif
+#ifndef _XOPEN_SOURCE
+#define _XOPEN_SOURCE 600 /* sockaddr_storage */
+#endif
+
+#include "common.h"
+
+#if defined(MBEDTLS_NET_C)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+ !defined(__HAIKU__) && !defined(__midipix__)
+#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in mbedtls_config.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+
+#define IS_EINTR(ret) ((ret) == WSAEINTR)
+
+#include <ws2tcpip.h>
+
+#include <winsock2.h>
+#include <windows.h>
+#if (_WIN32_WINNT < 0x0501)
+#include <wspiapi.h>
+#endif
+
+#if defined(_MSC_VER)
+#if defined(_WIN32_WCE)
+#pragma comment( lib, "ws2.lib" )
+#else
+#pragma comment( lib, "ws2_32.lib" )
+#endif
+#endif /* _MSC_VER */
+
+#define read(fd, buf, len) recv(fd, (char *) (buf), (int) (len), 0)
+#define write(fd, buf, len) send(fd, (char *) (buf), (int) (len), 0)
+#define close(fd) closesocket(fd)
+
+static int wsa_init_done = 0;
+
+#else /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <netdb.h>
+#include <errno.h>
+
+#define IS_EINTR(ret) ((ret) == EINTR)
+#define SOCKET int
+
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/* Some MS functions want int and MSVC warns if we pass size_t,
+ * but the standard functions use socklen_t, so cast only for MSVC */
+#if defined(_MSC_VER)
+#define MSVC_INT_CAST (int)
+#else
+#define MSVC_INT_CAST
+#endif
+
+#include <stdio.h>
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include <time.h>
+#endif
+
+#include <stdint.h>
+
+/*
+ * Prepare for using the sockets interface
+ */
+static int net_prepare(void)
+{
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+ WSADATA wsaData;
+
+ if (wsa_init_done == 0) {
+ if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) {
+ return MBEDTLS_ERR_NET_SOCKET_FAILED;
+ }
+
+ wsa_init_done = 1;
+ }
+#else
+#if !defined(EFIX64) && !defined(EFI32)
+ signal(SIGPIPE, SIG_IGN);
+#endif
+#endif
+ return 0;
+}
+
+/*
+ * Return 0 if the file descriptor is valid, an error otherwise.
+ * If for_select != 0, check whether the file descriptor is within the range
+ * allowed for fd_set used for the FD_xxx macros and the select() function.
+ */
+static int check_fd(int fd, int for_select)
+{
+ if (fd < 0) {
+ return MBEDTLS_ERR_NET_INVALID_CONTEXT;
+ }
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+ (void) for_select;
+#else
+ /* A limitation of select() is that it only works with file descriptors
+ * that are strictly less than FD_SETSIZE. This is a limitation of the
+ * fd_set type. Error out early, because attempting to call FD_SET on a
+ * large file descriptor is a buffer overflow on typical platforms. */
+ if (for_select && fd >= FD_SETSIZE) {
+ return MBEDTLS_ERR_NET_POLL_FAILED;
+ }
+#endif
+
+ return 0;
+}
+
+/*
+ * Initialize a context
+ */
+void mbedtls_net_init(mbedtls_net_context *ctx)
+{
+ ctx->fd = -1;
+}
+
+/*
+ * Initiate a TCP connection with host:port and the given protocol
+ */
+int mbedtls_net_connect(mbedtls_net_context *ctx, const char *host,
+ const char *port, int proto)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ struct addrinfo hints, *addr_list, *cur;
+
+ if ((ret = net_prepare()) != 0) {
+ return ret;
+ }
+
+ /* Do name resolution with both IPv6 and IPv4 */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+ hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+
+ if (getaddrinfo(host, port, &hints, &addr_list) != 0) {
+ return MBEDTLS_ERR_NET_UNKNOWN_HOST;
+ }
+
+ /* Try the sockaddrs until a connection succeeds */
+ ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+ for (cur = addr_list; cur != NULL; cur = cur->ai_next) {
+ ctx->fd = (int) socket(cur->ai_family, cur->ai_socktype,
+ cur->ai_protocol);
+ if (ctx->fd < 0) {
+ ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+ continue;
+ }
+
+ if (connect(ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen) == 0) {
+ ret = 0;
+ break;
+ }
+
+ close(ctx->fd);
+ ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
+ }
+
+ freeaddrinfo(addr_list);
+
+ return ret;
+}
+
+/*
+ * Create a listening socket on bind_ip:port
+ */
+int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto)
+{
+ int n, ret;
+ struct addrinfo hints, *addr_list, *cur;
+
+ if ((ret = net_prepare()) != 0) {
+ return ret;
+ }
+
+ /* Bind to IPv6 and/or IPv4, but only in the desired protocol */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+ hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+ if (bind_ip == NULL) {
+ hints.ai_flags = AI_PASSIVE;
+ }
+
+ if (getaddrinfo(bind_ip, port, &hints, &addr_list) != 0) {
+ return MBEDTLS_ERR_NET_UNKNOWN_HOST;
+ }
+
+ /* Try the sockaddrs until a binding succeeds */
+ ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+ for (cur = addr_list; cur != NULL; cur = cur->ai_next) {
+ ctx->fd = (int) socket(cur->ai_family, cur->ai_socktype,
+ cur->ai_protocol);
+ if (ctx->fd < 0) {
+ ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+ continue;
+ }
+
+ n = 1;
+ if (setsockopt(ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+ (const char *) &n, sizeof(n)) != 0) {
+ close(ctx->fd);
+ ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+ continue;
+ }
+
+ if (bind(ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen) != 0) {
+ close(ctx->fd);
+ ret = MBEDTLS_ERR_NET_BIND_FAILED;
+ continue;
+ }
+
+ /* Listen only makes sense for TCP */
+ if (proto == MBEDTLS_NET_PROTO_TCP) {
+ if (listen(ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG) != 0) {
+ close(ctx->fd);
+ ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
+ continue;
+ }
+ }
+
+ /* Bind was successful */
+ ret = 0;
+ break;
+ }
+
+ freeaddrinfo(addr_list);
+
+ return ret;
+
+}
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ */
+static int net_would_block(const mbedtls_net_context *ctx)
+{
+ ((void) ctx);
+ return WSAGetLastError() == WSAEWOULDBLOCK;
+}
+#else
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ *
+ * Note: on a blocking socket this function always returns 0!
+ */
+static int net_would_block(const mbedtls_net_context *ctx)
+{
+ int err = errno;
+
+ /*
+ * Never return 'WOULD BLOCK' on a blocking socket
+ */
+ if ((fcntl(ctx->fd, F_GETFL) & O_NONBLOCK) != O_NONBLOCK) {
+ errno = err;
+ return 0;
+ }
+
+ switch (errno = err) {
+#if defined EAGAIN
+ case EAGAIN:
+#endif
+#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
+ case EWOULDBLOCK:
+#endif
+ return 1;
+ }
+ return 0;
+}
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/*
+ * Accept a connection from a remote client
+ */
+int mbedtls_net_accept(mbedtls_net_context *bind_ctx,
+ mbedtls_net_context *client_ctx,
+ void *client_ip, size_t buf_size, size_t *cip_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int type;
+
+ struct sockaddr_storage client_addr;
+
+#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) || \
+ defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t) || \
+ defined(socklen_t) || (defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L)
+ socklen_t n = (socklen_t) sizeof(client_addr);
+ socklen_t type_len = (socklen_t) sizeof(type);
+#else
+ int n = (int) sizeof(client_addr);
+ int type_len = (int) sizeof(type);
+#endif
+
+ /* Is this a TCP or UDP socket? */
+ if (getsockopt(bind_ctx->fd, SOL_SOCKET, SO_TYPE,
+ (void *) &type, &type_len) != 0 ||
+ (type != SOCK_STREAM && type != SOCK_DGRAM)) {
+ return MBEDTLS_ERR_NET_ACCEPT_FAILED;
+ }
+
+ if (type == SOCK_STREAM) {
+ /* TCP: actual accept() */
+ ret = client_ctx->fd = (int) accept(bind_ctx->fd,
+ (struct sockaddr *) &client_addr, &n);
+ } else {
+ /* UDP: wait for a message, but keep it in the queue */
+ char buf[1] = { 0 };
+
+ ret = (int) recvfrom(bind_ctx->fd, buf, sizeof(buf), MSG_PEEK,
+ (struct sockaddr *) &client_addr, &n);
+
+#if defined(_WIN32)
+ if (ret == SOCKET_ERROR &&
+ WSAGetLastError() == WSAEMSGSIZE) {
+ /* We know buf is too small, thanks, just peeking here */
+ ret = 0;
+ }
+#endif
+ }
+
+ if (ret < 0) {
+ if (net_would_block(bind_ctx) != 0) {
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ }
+
+ return MBEDTLS_ERR_NET_ACCEPT_FAILED;
+ }
+
+ /* UDP: hijack the listening socket to communicate with the client,
+ * then bind a new socket to accept new connections */
+ if (type != SOCK_STREAM) {
+ struct sockaddr_storage local_addr;
+ int one = 1;
+
+ if (connect(bind_ctx->fd, (struct sockaddr *) &client_addr, n) != 0) {
+ return MBEDTLS_ERR_NET_ACCEPT_FAILED;
+ }
+
+ client_ctx->fd = bind_ctx->fd;
+ bind_ctx->fd = -1; /* In case we exit early */
+
+ n = sizeof(struct sockaddr_storage);
+ if (getsockname(client_ctx->fd,
+ (struct sockaddr *) &local_addr, &n) != 0 ||
+ (bind_ctx->fd = (int) socket(local_addr.ss_family,
+ SOCK_DGRAM, IPPROTO_UDP)) < 0 ||
+ setsockopt(bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+ (const char *) &one, sizeof(one)) != 0) {
+ return MBEDTLS_ERR_NET_SOCKET_FAILED;
+ }
+
+ if (bind(bind_ctx->fd, (struct sockaddr *) &local_addr, n) != 0) {
+ return MBEDTLS_ERR_NET_BIND_FAILED;
+ }
+ }
+
+ if (client_ip != NULL) {
+ if (client_addr.ss_family == AF_INET) {
+ struct sockaddr_in *addr4 = (struct sockaddr_in *) &client_addr;
+ *cip_len = sizeof(addr4->sin_addr.s_addr);
+
+ if (buf_size < *cip_len) {
+ return MBEDTLS_ERR_NET_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(client_ip, &addr4->sin_addr.s_addr, *cip_len);
+ } else {
+ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &client_addr;
+ *cip_len = sizeof(addr6->sin6_addr.s6_addr);
+
+ if (buf_size < *cip_len) {
+ return MBEDTLS_ERR_NET_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(client_ip, &addr6->sin6_addr.s6_addr, *cip_len);
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Set the socket blocking or non-blocking
+ */
+int mbedtls_net_set_block(mbedtls_net_context *ctx)
+{
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+ u_long n = 0;
+ return ioctlsocket(ctx->fd, FIONBIO, &n);
+#else
+ return fcntl(ctx->fd, F_SETFL, fcntl(ctx->fd, F_GETFL) & ~O_NONBLOCK);
+#endif
+}
+
+int mbedtls_net_set_nonblock(mbedtls_net_context *ctx)
+{
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+ u_long n = 1;
+ return ioctlsocket(ctx->fd, FIONBIO, &n);
+#else
+ return fcntl(ctx->fd, F_SETFL, fcntl(ctx->fd, F_GETFL) | O_NONBLOCK);
+#endif
+}
+
+/*
+ * Check if data is available on the socket
+ */
+
+int mbedtls_net_poll(mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ struct timeval tv;
+
+ fd_set read_fds;
+ fd_set write_fds;
+
+ int fd = ctx->fd;
+
+ ret = check_fd(fd, 1);
+ if (ret != 0) {
+ return ret;
+ }
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+ /* Ensure that memory sanitizers consider read_fds and write_fds as
+ * initialized even on platforms such as Glibc/x86_64 where FD_ZERO
+ * is implemented in assembly. */
+ memset(&read_fds, 0, sizeof(read_fds));
+ memset(&write_fds, 0, sizeof(write_fds));
+#endif
+#endif
+
+ FD_ZERO(&read_fds);
+ if (rw & MBEDTLS_NET_POLL_READ) {
+ rw &= ~MBEDTLS_NET_POLL_READ;
+ FD_SET((SOCKET) fd, &read_fds);
+ }
+
+ FD_ZERO(&write_fds);
+ if (rw & MBEDTLS_NET_POLL_WRITE) {
+ rw &= ~MBEDTLS_NET_POLL_WRITE;
+ FD_SET((SOCKET) fd, &write_fds);
+ }
+
+ if (rw != 0) {
+ return MBEDTLS_ERR_NET_BAD_INPUT_DATA;
+ }
+
+ tv.tv_sec = timeout / 1000;
+ tv.tv_usec = (timeout % 1000) * 1000;
+
+ do {
+ ret = select(fd + 1, &read_fds, &write_fds, NULL,
+ timeout == (uint32_t) -1 ? NULL : &tv);
+ } while (IS_EINTR(ret));
+
+ if (ret < 0) {
+ return MBEDTLS_ERR_NET_POLL_FAILED;
+ }
+
+ ret = 0;
+ if (FD_ISSET(fd, &read_fds)) {
+ ret |= MBEDTLS_NET_POLL_READ;
+ }
+ if (FD_ISSET(fd, &write_fds)) {
+ ret |= MBEDTLS_NET_POLL_WRITE;
+ }
+
+ return ret;
+}
+
+/*
+ * Portable usleep helper
+ */
+void mbedtls_net_usleep(unsigned long usec)
+{
+#if defined(_WIN32)
+ Sleep((usec + 999) / 1000);
+#else
+ struct timeval tv;
+ tv.tv_sec = usec / 1000000;
+#if defined(__unix__) || defined(__unix) || \
+ (defined(__APPLE__) && defined(__MACH__))
+ tv.tv_usec = (suseconds_t) usec % 1000000;
+#else
+ tv.tv_usec = usec % 1000000;
+#endif
+ select(0, NULL, NULL, NULL, &tv);
+#endif
+}
+
+/*
+ * Read at most 'len' characters
+ */
+int mbedtls_net_recv(void *ctx, unsigned char *buf, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int fd = ((mbedtls_net_context *) ctx)->fd;
+
+ ret = check_fd(fd, 0);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = (int) read(fd, buf, len);
+
+ if (ret < 0) {
+ if (net_would_block(ctx) != 0) {
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ }
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+ if (WSAGetLastError() == WSAECONNRESET) {
+ return MBEDTLS_ERR_NET_CONN_RESET;
+ }
+#else
+ if (errno == EPIPE || errno == ECONNRESET) {
+ return MBEDTLS_ERR_NET_CONN_RESET;
+ }
+
+ if (errno == EINTR) {
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ }
+#endif
+
+ return MBEDTLS_ERR_NET_RECV_FAILED;
+ }
+
+ return ret;
+}
+
+/*
+ * Read at most 'len' characters, blocking for at most 'timeout' ms
+ */
+int mbedtls_net_recv_timeout(void *ctx, unsigned char *buf,
+ size_t len, uint32_t timeout)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ struct timeval tv;
+ fd_set read_fds;
+ int fd = ((mbedtls_net_context *) ctx)->fd;
+
+ ret = check_fd(fd, 1);
+ if (ret != 0) {
+ return ret;
+ }
+
+ FD_ZERO(&read_fds);
+ FD_SET((SOCKET) fd, &read_fds);
+
+ tv.tv_sec = timeout / 1000;
+ tv.tv_usec = (timeout % 1000) * 1000;
+
+ ret = select(fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv);
+
+ /* Zero fds ready means we timed out */
+ if (ret == 0) {
+ return MBEDTLS_ERR_SSL_TIMEOUT;
+ }
+
+ if (ret < 0) {
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+ if (WSAGetLastError() == WSAEINTR) {
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ }
+#else
+ if (errno == EINTR) {
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ }
+#endif
+
+ return MBEDTLS_ERR_NET_RECV_FAILED;
+ }
+
+ /* This call will not block */
+ return mbedtls_net_recv(ctx, buf, len);
+}
+
+/*
+ * Write at most 'len' characters
+ */
+int mbedtls_net_send(void *ctx, const unsigned char *buf, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int fd = ((mbedtls_net_context *) ctx)->fd;
+
+ ret = check_fd(fd, 0);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = (int) write(fd, buf, len);
+
+ if (ret < 0) {
+ if (net_would_block(ctx) != 0) {
+ return MBEDTLS_ERR_SSL_WANT_WRITE;
+ }
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+ if (WSAGetLastError() == WSAECONNRESET) {
+ return MBEDTLS_ERR_NET_CONN_RESET;
+ }
+#else
+ if (errno == EPIPE || errno == ECONNRESET) {
+ return MBEDTLS_ERR_NET_CONN_RESET;
+ }
+
+ if (errno == EINTR) {
+ return MBEDTLS_ERR_SSL_WANT_WRITE;
+ }
+#endif
+
+ return MBEDTLS_ERR_NET_SEND_FAILED;
+ }
+
+ return ret;
+}
+
+/*
+ * Close the connection
+ */
+void mbedtls_net_close(mbedtls_net_context *ctx)
+{
+ if (ctx->fd == -1) {
+ return;
+ }
+
+ close(ctx->fd);
+
+ ctx->fd = -1;
+}
+
+/*
+ * Gracefully close the connection
+ */
+void mbedtls_net_free(mbedtls_net_context *ctx)
+{
+ if (ctx->fd == -1) {
+ return;
+ }
+
+ shutdown(ctx->fd, 2);
+ close(ctx->fd);
+
+ ctx->fd = -1;
+}
+
+#endif /* MBEDTLS_NET_C */
diff --git a/library/nist_kw.c b/library/nist_kw.c
new file mode 100644
index 0000000..f15425b
--- /dev/null
+++ b/library/nist_kw.c
@@ -0,0 +1,725 @@
+/*
+ * Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
+ * only
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * Definition of Key Wrapping:
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ * RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm"
+ * RFC 5649 "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm"
+ *
+ * Note: RFC 3394 defines different methodology for intermediate operations for
+ * the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+#include "constant_time_internal.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+
+#define KW_SEMIBLOCK_LENGTH 8
+#define MIN_SEMIBLOCKS_COUNT 3
+
+/*! The 64-bit default integrity check value (ICV) for KW mode. */
+static const unsigned char NIST_KW_ICV1[] = { 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6 };
+/*! The 32-bit default integrity check value (ICV) for KWP mode. */
+static const unsigned char NIST_KW_ICV2[] = { 0xA6, 0x59, 0x59, 0xA6 };
+
+/*
+ * Initialize context
+ */
+void mbedtls_nist_kw_init(mbedtls_nist_kw_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_nist_kw_context));
+}
+
+int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits,
+ const int is_wrap)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_cipher_info_t *cipher_info;
+
+ cipher_info = mbedtls_cipher_info_from_values(cipher,
+ keybits,
+ MBEDTLS_MODE_ECB);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /*
+ * SP 800-38F currently defines AES cipher as the only block cipher allowed:
+ * "For KW and KWP, the underlying block cipher shall be approved, and the
+ * block size shall be 128 bits. Currently, the AES block cipher, with key
+ * lengths of 128, 192, or 256 bits, is the only block cipher that fits
+ * this profile."
+ * Currently we don't support other 128 bit block ciphers for key wrapping,
+ * such as Camellia and Aria.
+ */
+ if (cipher != MBEDTLS_CIPHER_ID_AES) {
+ return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ }
+
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+
+ if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
+ is_wrap ? MBEDTLS_ENCRYPT :
+ MBEDTLS_DECRYPT)
+ ) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Free context
+ */
+void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx)
+{
+ mbedtls_cipher_free(&ctx->cipher_ctx);
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_nist_kw_context));
+}
+
+/*
+ * Helper function for Xoring the uint64_t "t" with the encrypted A.
+ * Defined in NIST SP 800-38F section 6.1
+ */
+static void calc_a_xor_t(unsigned char A[KW_SEMIBLOCK_LENGTH], uint64_t t)
+{
+ size_t i = 0;
+ for (i = 0; i < sizeof(t); i++) {
+ A[i] ^= (t >> ((sizeof(t) - 1 - i) * 8)) & 0xff;
+ }
+}
+
+/*
+ * KW-AE as defined in SP 800-38F section 6.2
+ * KWP-AE as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx,
+ mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t *out_len, size_t out_size)
+{
+ int ret = 0;
+ size_t semiblocks = 0;
+ size_t s;
+ size_t olen, padlen = 0;
+ uint64_t t = 0;
+ unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+
+ *out_len = 0;
+ /*
+ * Generate the String to work on
+ */
+ if (mode == MBEDTLS_KW_MODE_KW) {
+ if (out_size < in_len + KW_SEMIBLOCK_LENGTH) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /*
+ * According to SP 800-38F Table 1, the plaintext length for KW
+ * must be between 2 to 2^54-1 semiblocks inclusive.
+ */
+ if (in_len < 16 ||
+#if SIZE_MAX > 0x1FFFFFFFFFFFFF8
+ in_len > 0x1FFFFFFFFFFFFF8 ||
+#endif
+ in_len % KW_SEMIBLOCK_LENGTH != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ memcpy(output, NIST_KW_ICV1, KW_SEMIBLOCK_LENGTH);
+ memmove(output + KW_SEMIBLOCK_LENGTH, input, in_len);
+ } else {
+ if (in_len % 8 != 0) {
+ padlen = (8 - (in_len % 8));
+ }
+
+ if (out_size < in_len + KW_SEMIBLOCK_LENGTH + padlen) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ /*
+ * According to SP 800-38F Table 1, the plaintext length for KWP
+ * must be between 1 and 2^32-1 octets inclusive.
+ */
+ if (in_len < 1
+#if SIZE_MAX > 0xFFFFFFFF
+ || in_len > 0xFFFFFFFF
+#endif
+ ) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ memcpy(output, NIST_KW_ICV2, KW_SEMIBLOCK_LENGTH / 2);
+ MBEDTLS_PUT_UINT32_BE((in_len & 0xffffffff), output,
+ KW_SEMIBLOCK_LENGTH / 2);
+
+ memcpy(output + KW_SEMIBLOCK_LENGTH, input, in_len);
+ memset(output + KW_SEMIBLOCK_LENGTH + in_len, 0, padlen);
+ }
+ semiblocks = ((in_len + padlen) / KW_SEMIBLOCK_LENGTH) + 1;
+
+ s = 6 * (semiblocks - 1);
+
+ if (mode == MBEDTLS_KW_MODE_KWP
+ && in_len <= KW_SEMIBLOCK_LENGTH) {
+ memcpy(inbuff, output, 16);
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+ inbuff, 16, output, &olen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ } else {
+ unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
+ unsigned char *A = output;
+
+ /*
+ * Do the wrapping function W, as defined in RFC 3394 section 2.2.1
+ */
+ if (semiblocks < MIN_SEMIBLOCKS_COUNT) {
+ ret = MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /* Calculate intermediate values */
+ for (t = 1; t <= s; t++) {
+ memcpy(inbuff, A, KW_SEMIBLOCK_LENGTH);
+ memcpy(inbuff + KW_SEMIBLOCK_LENGTH, R2, KW_SEMIBLOCK_LENGTH);
+
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+ inbuff, 16, outbuff, &olen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
+ calc_a_xor_t(A, t);
+
+ memcpy(R2, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
+ R2 += KW_SEMIBLOCK_LENGTH;
+ if (R2 >= output + (semiblocks * KW_SEMIBLOCK_LENGTH)) {
+ R2 = output + KW_SEMIBLOCK_LENGTH;
+ }
+ }
+ }
+
+ *out_len = semiblocks * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+
+ if (ret != 0) {
+ memset(output, 0, semiblocks * KW_SEMIBLOCK_LENGTH);
+ }
+ mbedtls_platform_zeroize(inbuff, KW_SEMIBLOCK_LENGTH * 2);
+ mbedtls_platform_zeroize(outbuff, KW_SEMIBLOCK_LENGTH * 2);
+
+ return ret;
+}
+
+/*
+ * W-1 function as defined in RFC 3394 section 2.2.2
+ * This function assumes the following:
+ * 1. Output buffer is at least of size ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH.
+ * 2. The input buffer is of size semiblocks * KW_SEMIBLOCK_LENGTH.
+ * 3. Minimal number of semiblocks is 3.
+ * 4. A is a buffer to hold the first semiblock of the input buffer.
+ */
+static int unwrap(mbedtls_nist_kw_context *ctx,
+ const unsigned char *input, size_t semiblocks,
+ unsigned char A[KW_SEMIBLOCK_LENGTH],
+ unsigned char *output, size_t *out_len)
+{
+ int ret = 0;
+ const size_t s = 6 * (semiblocks - 1);
+ size_t olen;
+ uint64_t t = 0;
+ unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char *R = NULL;
+ *out_len = 0;
+
+ if (semiblocks < MIN_SEMIBLOCKS_COUNT) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ memcpy(A, input, KW_SEMIBLOCK_LENGTH);
+ memmove(output, input + KW_SEMIBLOCK_LENGTH, (semiblocks - 1) * KW_SEMIBLOCK_LENGTH);
+ R = output + (semiblocks - 2) * KW_SEMIBLOCK_LENGTH;
+
+ /* Calculate intermediate values */
+ for (t = s; t >= 1; t--) {
+ calc_a_xor_t(A, t);
+
+ memcpy(inbuff, A, KW_SEMIBLOCK_LENGTH);
+ memcpy(inbuff + KW_SEMIBLOCK_LENGTH, R, KW_SEMIBLOCK_LENGTH);
+
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+ inbuff, 16, outbuff, &olen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
+
+ /* Set R as LSB64 of outbuff */
+ memcpy(R, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
+
+ if (R == output) {
+ R = output + (semiblocks - 2) * KW_SEMIBLOCK_LENGTH;
+ } else {
+ R -= KW_SEMIBLOCK_LENGTH;
+ }
+ }
+
+ *out_len = (semiblocks - 1) * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+ if (ret != 0) {
+ memset(output, 0, (semiblocks - 1) * KW_SEMIBLOCK_LENGTH);
+ }
+ mbedtls_platform_zeroize(inbuff, sizeof(inbuff));
+ mbedtls_platform_zeroize(outbuff, sizeof(outbuff));
+
+ return ret;
+}
+
+/*
+ * KW-AD as defined in SP 800-38F section 6.2
+ * KWP-AD as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
+ mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t *out_len, size_t out_size)
+{
+ int ret = 0;
+ size_t olen;
+ unsigned char A[KW_SEMIBLOCK_LENGTH];
+ int diff;
+
+ *out_len = 0;
+ if (out_size < in_len - KW_SEMIBLOCK_LENGTH) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (mode == MBEDTLS_KW_MODE_KW) {
+ /*
+ * According to SP 800-38F Table 1, the ciphertext length for KW
+ * must be between 3 to 2^54 semiblocks inclusive.
+ */
+ if (in_len < 24 ||
+#if SIZE_MAX > 0x200000000000000
+ in_len > 0x200000000000000 ||
+#endif
+ in_len % KW_SEMIBLOCK_LENGTH != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ ret = unwrap(ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+ A, output, out_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /* Check ICV in "constant-time" */
+ diff = mbedtls_ct_memcmp(NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH);
+
+ if (diff != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ goto cleanup;
+ }
+
+ } else if (mode == MBEDTLS_KW_MODE_KWP) {
+ size_t padlen = 0;
+ uint32_t Plen;
+ /*
+ * According to SP 800-38F Table 1, the ciphertext length for KWP
+ * must be between 2 to 2^29 semiblocks inclusive.
+ */
+ if (in_len < KW_SEMIBLOCK_LENGTH * 2 ||
+#if SIZE_MAX > 0x100000000
+ in_len > 0x100000000 ||
+#endif
+ in_len % KW_SEMIBLOCK_LENGTH != 0) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ if (in_len == KW_SEMIBLOCK_LENGTH * 2) {
+ unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+ ret = mbedtls_cipher_update(&ctx->cipher_ctx,
+ input, 16, outbuff, &olen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ memcpy(A, outbuff, KW_SEMIBLOCK_LENGTH);
+ memcpy(output, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH);
+ mbedtls_platform_zeroize(outbuff, sizeof(outbuff));
+ *out_len = KW_SEMIBLOCK_LENGTH;
+ } else {
+ /* in_len >= KW_SEMIBLOCK_LENGTH * 3 */
+ ret = unwrap(ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+ A, output, out_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ }
+
+ /* Check ICV in "constant-time" */
+ diff = mbedtls_ct_memcmp(NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2);
+
+ if (diff != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ Plen = MBEDTLS_GET_UINT32_BE(A, KW_SEMIBLOCK_LENGTH / 2);
+
+ /*
+ * Plen is the length of the plaintext, when the input is valid.
+ * If Plen is larger than the plaintext and padding, padlen will be
+ * larger than 8, because of the type wrap around.
+ */
+ padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
+ ret = mbedtls_ct_error_if(mbedtls_ct_uint_gt(padlen, 7),
+ MBEDTLS_ERR_CIPHER_AUTH_FAILED, ret);
+ padlen &= 7;
+
+ /* Check padding in "constant-time" */
+ const uint8_t zero[KW_SEMIBLOCK_LENGTH] = { 0 };
+ diff = mbedtls_ct_memcmp_partial(
+ &output[*out_len - KW_SEMIBLOCK_LENGTH], zero,
+ KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH - padlen, 0);
+
+ if (diff != 0) {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ if (ret != 0) {
+ goto cleanup;
+ }
+ memset(output + Plen, 0, padlen);
+ *out_len = Plen;
+ } else {
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ goto cleanup;
+ }
+
+cleanup:
+ if (ret != 0) {
+ memset(output, 0, *out_len);
+ *out_len = 0;
+ }
+
+ mbedtls_platform_zeroize(&diff, sizeof(diff));
+ mbedtls_platform_zeroize(A, sizeof(A));
+
+ return ret;
+}
+
+#endif /* !MBEDTLS_NIST_KW_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+
+/*
+ * Test vectors taken from NIST
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#KW
+ */
+static const unsigned int key_len[] = {
+ 16,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 24,
+ 32
+#endif
+};
+
+static const unsigned char kw_key[][32] = {
+ { 0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2,
+ 0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, 0xa6 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x2d, 0x85, 0x26, 0x08, 0x1d, 0x02, 0xfb, 0x5b,
+ 0x85, 0xf6, 0x9a, 0xc2, 0x86, 0xec, 0xd5, 0x7d,
+ 0x40, 0xdf, 0x5d, 0xf3, 0x49, 0x47, 0x44, 0xd3 },
+ { 0x11, 0x2a, 0xd4, 0x1b, 0x48, 0x56, 0xc7, 0x25,
+ 0x4a, 0x98, 0x48, 0xd3, 0x0f, 0xdd, 0x78, 0x33,
+ 0x5b, 0x03, 0x9a, 0x48, 0xa8, 0x96, 0x2c, 0x4d,
+ 0x1c, 0xb7, 0x8e, 0xab, 0xd5, 0xda, 0xd7, 0x88 }
+#endif
+};
+
+static const unsigned char kw_msg[][40] = {
+ { 0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea,
+ 0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, 0x3f },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x95, 0xc1, 0x1b, 0xf5, 0x35, 0x3a, 0xfe, 0xdb,
+ 0x98, 0xfd, 0xd6, 0xc8, 0xca, 0x6f, 0xdb, 0x6d,
+ 0xa5, 0x4b, 0x74, 0xb4, 0x99, 0x0f, 0xdc, 0x45,
+ 0xc0, 0x9d, 0x15, 0x8f, 0x51, 0xce, 0x62, 0x9d,
+ 0xe2, 0xaf, 0x26, 0xe3, 0x25, 0x0e, 0x6b, 0x4c },
+ { 0x1b, 0x20, 0xbf, 0x19, 0x90, 0xb0, 0x65, 0xd7,
+ 0x98, 0xe1, 0xb3, 0x22, 0x64, 0xad, 0x50, 0xa8,
+ 0x74, 0x74, 0x92, 0xba, 0x09, 0xa0, 0x4d, 0xd1 }
+#endif
+};
+
+static const size_t kw_msg_len[] = {
+ 16,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 40,
+ 24
+#endif
+};
+static const size_t kw_out_len[] = {
+ 24,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 48,
+ 32
+#endif
+};
+static const unsigned char kw_res[][48] = {
+ { 0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d,
+ 0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, 0xa3,
+ 0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x44, 0x3c, 0x6f, 0x15, 0x09, 0x83, 0x71, 0x91,
+ 0x3e, 0x5c, 0x81, 0x4c, 0xa1, 0xa0, 0x42, 0xec,
+ 0x68, 0x2f, 0x7b, 0x13, 0x6d, 0x24, 0x3a, 0x4d,
+ 0x6c, 0x42, 0x6f, 0xc6, 0x97, 0x15, 0x63, 0xe8,
+ 0xa1, 0x4a, 0x55, 0x8e, 0x09, 0x64, 0x16, 0x19,
+ 0xbf, 0x03, 0xfc, 0xaf, 0x90, 0xb1, 0xfc, 0x2d },
+ { 0xba, 0x8a, 0x25, 0x9a, 0x47, 0x1b, 0x78, 0x7d,
+ 0xd5, 0xd5, 0x40, 0xec, 0x25, 0xd4, 0x3d, 0x87,
+ 0x20, 0x0f, 0xda, 0xdc, 0x6d, 0x1f, 0x05, 0xd9,
+ 0x16, 0x58, 0x4f, 0xa9, 0xf6, 0xcb, 0xf5, 0x12 }
+#endif
+};
+
+static const unsigned char kwp_key[][32] = {
+ { 0x78, 0x65, 0xe2, 0x0f, 0x3c, 0x21, 0x65, 0x9a,
+ 0xb4, 0x69, 0x0b, 0x62, 0x9c, 0xdf, 0x3c, 0xc4 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0xf5, 0xf8, 0x96, 0xa3, 0xbd, 0x2f, 0x4a, 0x98,
+ 0x23, 0xef, 0x16, 0x2b, 0x00, 0xb8, 0x05, 0xd7,
+ 0xde, 0x1e, 0xa4, 0x66, 0x26, 0x96, 0xa2, 0x58 },
+ { 0x95, 0xda, 0x27, 0x00, 0xca, 0x6f, 0xd9, 0xa5,
+ 0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, 0x6f,
+ 0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae,
+ 0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, 0x22, 0x5a }
+#endif
+};
+
+static const unsigned char kwp_msg[][31] = {
+ { 0xbd, 0x68, 0x43, 0xd4, 0x20, 0x37, 0x8d, 0xc8,
+ 0x96 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x6c, 0xcd, 0xd5, 0x85, 0x18, 0x40, 0x97, 0xeb,
+ 0xd5, 0xc3, 0xaf, 0x3e, 0x47, 0xd0, 0x2c, 0x19,
+ 0x14, 0x7b, 0x4d, 0x99, 0x5f, 0x96, 0x43, 0x66,
+ 0x91, 0x56, 0x75, 0x8c, 0x13, 0x16, 0x8f },
+ { 0xd1 }
+#endif
+};
+static const size_t kwp_msg_len[] = {
+ 9,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 31,
+ 1
+#endif
+};
+
+static const unsigned char kwp_res[][48] = {
+ { 0x41, 0xec, 0xa9, 0x56, 0xd4, 0xaa, 0x04, 0x7e,
+ 0xb5, 0xcf, 0x4e, 0xfe, 0x65, 0x96, 0x61, 0xe7,
+ 0x4d, 0xb6, 0xf8, 0xc5, 0x64, 0xe2, 0x35, 0x00 },
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ { 0x4e, 0x9b, 0xc2, 0xbc, 0xbc, 0x6c, 0x1e, 0x13,
+ 0xd3, 0x35, 0xbc, 0xc0, 0xf7, 0x73, 0x6a, 0x88,
+ 0xfa, 0x87, 0x53, 0x66, 0x15, 0xbb, 0x8e, 0x63,
+ 0x8b, 0xcc, 0x81, 0x66, 0x84, 0x68, 0x17, 0x90,
+ 0x67, 0xcf, 0xa9, 0x8a, 0x9d, 0x0e, 0x33, 0x26 },
+ { 0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd,
+ 0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, 0xc4 }
+#endif
+};
+static const size_t kwp_out_len[] = {
+ 24,
+#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ 40,
+ 16
+#endif
+};
+
+int mbedtls_nist_kw_self_test(int verbose)
+{
+ mbedtls_nist_kw_context ctx;
+ unsigned char out[48];
+ size_t olen;
+ int i;
+ int ret = 0;
+ mbedtls_nist_kw_init(&ctx);
+
+ /*
+ * KW mode
+ */
+ {
+ static const int num_tests = sizeof(kw_key) / sizeof(*kw_key);
+
+ for (i = 0; i < num_tests; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" KW-AES-%u ", (unsigned int) key_len[i] * 8);
+ }
+
+ ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
+ kw_key[i], key_len[i] * 8, 1);
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" KW: setup failed ");
+ }
+
+ goto end;
+ }
+
+ ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
+ kw_msg_len[i], out, &olen, sizeof(out));
+ if (ret != 0 || kw_out_len[i] != olen ||
+ memcmp(out, kw_res[i], kw_out_len[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed. ");
+ }
+
+ ret = 1;
+ goto end;
+ }
+
+ if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
+ kw_key[i], key_len[i] * 8, 0))
+ != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" KW: setup failed ");
+ }
+
+ goto end;
+ }
+
+ ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KW,
+ out, olen, out, &olen, sizeof(out));
+
+ if (ret != 0 || olen != kw_msg_len[i] ||
+ memcmp(out, kw_msg[i], kw_msg_len[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto end;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" passed\n");
+ }
+ }
+ }
+
+ /*
+ * KWP mode
+ */
+ {
+ static const int num_tests = sizeof(kwp_key) / sizeof(*kwp_key);
+
+ for (i = 0; i < num_tests; i++) {
+ olen = sizeof(out);
+ if (verbose != 0) {
+ mbedtls_printf(" KWP-AES-%u ", (unsigned int) key_len[i] * 8);
+ }
+
+ ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
+ key_len[i] * 8, 1);
+ if (ret != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" KWP: setup failed ");
+ }
+
+ goto end;
+ }
+ ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
+ kwp_msg_len[i], out, &olen, sizeof(out));
+
+ if (ret != 0 || kwp_out_len[i] != olen ||
+ memcmp(out, kwp_res[i], kwp_out_len[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed. ");
+ }
+
+ ret = 1;
+ goto end;
+ }
+
+ if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
+ kwp_key[i], key_len[i] * 8, 0))
+ != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" KWP: setup failed ");
+ }
+
+ goto end;
+ }
+
+ ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KWP, out,
+ olen, out, &olen, sizeof(out));
+
+ if (ret != 0 || olen != kwp_msg_len[i] ||
+ memcmp(out, kwp_msg[i], kwp_msg_len[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed. ");
+ }
+
+ ret = 1;
+ goto end;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" passed\n");
+ }
+ }
+ }
+end:
+ mbedtls_nist_kw_free(&ctx);
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_NIST_KW_C */
diff --git a/library/oid.c b/library/oid.c
new file mode 100644
index 0000000..1d6b1eb
--- /dev/null
+++ b/library/oid.c
@@ -0,0 +1,1166 @@
+/**
+ * \file oid.c
+ *
+ * \brief Object Identifier (OID) database
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_OID_C)
+
+#include "mbedtls/oid.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/error.h"
+#include "mbedtls/pk.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+/*
+ * Macro to automatically add the size of #define'd OIDs
+ */
+#define ADD_LEN(s) s, MBEDTLS_OID_SIZE(s)
+
+/*
+ * Macro to generate mbedtls_oid_descriptor_t
+ */
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#define OID_DESCRIPTOR(s, name, description) { ADD_LEN(s), name, description }
+#define NULL_OID_DESCRIPTOR { NULL, 0, NULL, NULL }
+#else
+#define OID_DESCRIPTOR(s, name, description) { ADD_LEN(s) }
+#define NULL_OID_DESCRIPTOR { NULL, 0 }
+#endif
+
+/*
+ * Macro to generate an internal function for oid_XXX_from_asn1() (used by
+ * the other functions)
+ */
+#define FN_OID_TYPED_FROM_ASN1(TYPE_T, NAME, LIST) \
+ static const TYPE_T *oid_ ## NAME ## _from_asn1( \
+ const mbedtls_asn1_buf *oid) \
+ { \
+ const TYPE_T *p = (LIST); \
+ const mbedtls_oid_descriptor_t *cur = \
+ (const mbedtls_oid_descriptor_t *) p; \
+ if (p == NULL || oid == NULL) return NULL; \
+ while (cur->asn1 != NULL) { \
+ if (cur->asn1_len == oid->len && \
+ memcmp(cur->asn1, oid->p, oid->len) == 0) { \
+ return p; \
+ } \
+ p++; \
+ cur = (const mbedtls_oid_descriptor_t *) p; \
+ } \
+ return NULL; \
+ }
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+/*
+ * Macro to generate a function for retrieving a single attribute from the
+ * descriptor of an mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_DESCRIPTOR_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+ int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1) \
+ { \
+ const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
+ if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
+ *ATTR1 = data->descriptor.ATTR1; \
+ return 0; \
+ }
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
+/*
+ * Macro to generate a function for retrieving a single attribute from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+ int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1) \
+ { \
+ const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
+ if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
+ *ATTR1 = data->ATTR1; \
+ return 0; \
+ }
+
+/*
+ * Macro to generate a function for retrieving two attributes from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR2(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1, \
+ ATTR2_TYPE, ATTR2) \
+ int FN_NAME(const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, \
+ ATTR2_TYPE * ATTR2) \
+ { \
+ const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1(oid); \
+ if (data == NULL) return MBEDTLS_ERR_OID_NOT_FOUND; \
+ *(ATTR1) = data->ATTR1; \
+ *(ATTR2) = data->ATTR2; \
+ return 0; \
+ }
+
+/*
+ * Macro to generate a function for retrieving the OID based on a single
+ * attribute from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR1(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1) \
+ int FN_NAME(ATTR1_TYPE ATTR1, const char **oid, size_t *olen) \
+ { \
+ const TYPE_T *cur = (LIST); \
+ while (cur->descriptor.asn1 != NULL) { \
+ if (cur->ATTR1 == (ATTR1)) { \
+ *oid = cur->descriptor.asn1; \
+ *olen = cur->descriptor.asn1_len; \
+ return 0; \
+ } \
+ cur++; \
+ } \
+ return MBEDTLS_ERR_OID_NOT_FOUND; \
+ }
+
+/*
+ * Macro to generate a function for retrieving the OID based on two
+ * attributes from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR2(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1, \
+ ATTR2_TYPE, ATTR2) \
+ int FN_NAME(ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid, \
+ size_t *olen) \
+ { \
+ const TYPE_T *cur = (LIST); \
+ while (cur->descriptor.asn1 != NULL) { \
+ if (cur->ATTR1 == (ATTR1) && cur->ATTR2 == (ATTR2)) { \
+ *oid = cur->descriptor.asn1; \
+ *olen = cur->descriptor.asn1_len; \
+ return 0; \
+ } \
+ cur++; \
+ } \
+ return MBEDTLS_ERR_OID_NOT_FOUND; \
+ }
+
+/*
+ * For X520 attribute types
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ const char *short_name;
+} oid_x520_attr_t;
+
+static const oid_x520_attr_t oid_x520_attr_type[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_CN, "id-at-commonName", "Common Name"),
+ "CN",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_COUNTRY, "id-at-countryName", "Country"),
+ "C",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_LOCALITY, "id-at-locality", "Locality"),
+ "L",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_STATE, "id-at-state", "State"),
+ "ST",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_ORGANIZATION, "id-at-organizationName",
+ "Organization"),
+ "O",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_ORG_UNIT, "id-at-organizationalUnitName", "Org Unit"),
+ "OU",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS9_EMAIL,
+ "emailAddress",
+ "E-mail address"),
+ "emailAddress",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_SERIAL_NUMBER,
+ "id-at-serialNumber",
+ "Serial number"),
+ "serialNumber",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_POSTAL_ADDRESS,
+ "id-at-postalAddress",
+ "Postal address"),
+ "postalAddress",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_POSTAL_CODE, "id-at-postalCode", "Postal code"),
+ "postalCode",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_SUR_NAME, "id-at-surName", "Surname"),
+ "SN",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_GIVEN_NAME, "id-at-givenName", "Given name"),
+ "GN",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_INITIALS, "id-at-initials", "Initials"),
+ "initials",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_GENERATION_QUALIFIER,
+ "id-at-generationQualifier",
+ "Generation qualifier"),
+ "generationQualifier",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_TITLE, "id-at-title", "Title"),
+ "title",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_DN_QUALIFIER,
+ "id-at-dnQualifier",
+ "Distinguished Name qualifier"),
+ "dnQualifier",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_PSEUDONYM, "id-at-pseudonym", "Pseudonym"),
+ "pseudonym",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_UID, "id-uid", "User Id"),
+ "uid",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DOMAIN_COMPONENT,
+ "id-domainComponent",
+ "Domain component"),
+ "DC",
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AT_UNIQUE_IDENTIFIER,
+ "id-at-uniqueIdentifier",
+ "Unique Identifier"),
+ "uniqueIdentifier",
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ NULL,
+ }
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x520_attr_t, x520_attr, oid_x520_attr_type)
+FN_OID_GET_ATTR1(mbedtls_oid_get_attr_short_name,
+ oid_x520_attr_t,
+ x520_attr,
+ const char *,
+ short_name)
+
+/*
+ * For X509 extensions
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ int ext_type;
+} oid_x509_ext_t;
+
+static const oid_x509_ext_t oid_x509_ext[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_BASIC_CONSTRAINTS,
+ "id-ce-basicConstraints",
+ "Basic Constraints"),
+ MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_KEY_USAGE, "id-ce-keyUsage", "Key Usage"),
+ MBEDTLS_OID_X509_EXT_KEY_USAGE,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EXTENDED_KEY_USAGE,
+ "id-ce-extKeyUsage",
+ "Extended Key Usage"),
+ MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_SUBJECT_ALT_NAME,
+ "id-ce-subjectAltName",
+ "Subject Alt Name"),
+ MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_NS_CERT_TYPE,
+ "id-netscape-certtype",
+ "Netscape Certificate Type"),
+ MBEDTLS_OID_X509_EXT_NS_CERT_TYPE,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_CERTIFICATE_POLICIES,
+ "id-ce-certificatePolicies",
+ "Certificate Policies"),
+ MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
+ "id-ce-subjectKeyIdentifier",
+ "Subject Key Identifier"),
+ MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
+ "id-ce-authorityKeyIdentifier",
+ "Authority Key Identifier"),
+ MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER,
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ 0,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
+FN_OID_GET_ATTR1(mbedtls_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+static const mbedtls_oid_descriptor_t oid_ext_key_usage[] =
+{
+ OID_DESCRIPTOR(MBEDTLS_OID_SERVER_AUTH,
+ "id-kp-serverAuth",
+ "TLS Web Server Authentication"),
+ OID_DESCRIPTOR(MBEDTLS_OID_CLIENT_AUTH,
+ "id-kp-clientAuth",
+ "TLS Web Client Authentication"),
+ OID_DESCRIPTOR(MBEDTLS_OID_CODE_SIGNING, "id-kp-codeSigning", "Code Signing"),
+ OID_DESCRIPTOR(MBEDTLS_OID_EMAIL_PROTECTION, "id-kp-emailProtection", "E-mail Protection"),
+ OID_DESCRIPTOR(MBEDTLS_OID_TIME_STAMPING, "id-kp-timeStamping", "Time Stamping"),
+ OID_DESCRIPTOR(MBEDTLS_OID_OCSP_SIGNING, "id-kp-OCSPSigning", "OCSP Signing"),
+ OID_DESCRIPTOR(MBEDTLS_OID_WISUN_FAN,
+ "id-kp-wisun-fan-device",
+ "Wi-SUN Alliance Field Area Network (FAN)"),
+ NULL_OID_DESCRIPTOR,
+};
+
+FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, ext_key_usage, oid_ext_key_usage)
+FN_OID_GET_ATTR1(mbedtls_oid_get_extended_key_usage,
+ mbedtls_oid_descriptor_t,
+ ext_key_usage,
+ const char *,
+ description)
+
+static const mbedtls_oid_descriptor_t oid_certificate_policies[] =
+{
+ OID_DESCRIPTOR(MBEDTLS_OID_ANY_POLICY, "anyPolicy", "Any Policy"),
+ NULL_OID_DESCRIPTOR,
+};
+
+FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, certificate_policies, oid_certificate_policies)
+FN_OID_GET_ATTR1(mbedtls_oid_get_certificate_policies,
+ mbedtls_oid_descriptor_t,
+ certificate_policies,
+ const char *,
+ description)
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
+/*
+ * For SignatureAlgorithmIdentifier
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_md_type_t md_alg;
+ mbedtls_pk_type_t pk_alg;
+} oid_sig_alg_t;
+
+static const oid_sig_alg_t oid_sig_alg[] =
+{
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_MD_CAN_MD5)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_MD5, "md5WithRSAEncryption", "RSA with MD5"),
+ MBEDTLS_MD_MD5, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_MD5 */
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA1, "sha-1WithRSAEncryption", "RSA with SHA1"),
+ MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA224, "sha224WithRSAEncryption",
+ "RSA with SHA-224"),
+ MBEDTLS_MD_SHA224, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA224 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA256, "sha256WithRSAEncryption",
+ "RSA with SHA-256"),
+ MBEDTLS_MD_SHA256, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA384, "sha384WithRSAEncryption",
+ "RSA with SHA-384"),
+ MBEDTLS_MD_SHA384, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA512, "sha512WithRSAEncryption",
+ "RSA with SHA-512"),
+ MBEDTLS_MD_SHA512, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_RSA_SHA_OBS, "sha-1WithRSAEncryption", "RSA with SHA1"),
+ MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA1, "ecdsa-with-SHA1", "ECDSA with SHA1"),
+ MBEDTLS_MD_SHA1, MBEDTLS_PK_ECDSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA224, "ecdsa-with-SHA224", "ECDSA with SHA224"),
+ MBEDTLS_MD_SHA224, MBEDTLS_PK_ECDSA,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA256, "ecdsa-with-SHA256", "ECDSA with SHA256"),
+ MBEDTLS_MD_SHA256, MBEDTLS_PK_ECDSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA384, "ecdsa-with-SHA384", "ECDSA with SHA384"),
+ MBEDTLS_MD_SHA384, MBEDTLS_PK_ECDSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA512, "ecdsa-with-SHA512", "ECDSA with SHA512"),
+ MBEDTLS_MD_SHA512, MBEDTLS_PK_ECDSA,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
+#if defined(MBEDTLS_RSA_C)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_RSASSA_PSS, "RSASSA-PSS", "RSASSA-PSS"),
+ MBEDTLS_MD_NONE, MBEDTLS_PK_RSASSA_PSS,
+ },
+#endif /* MBEDTLS_RSA_C */
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_MD_NONE, MBEDTLS_PK_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_sig_alg_t, sig_alg, oid_sig_alg)
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+FN_OID_GET_DESCRIPTOR_ATTR1(mbedtls_oid_get_sig_alg_desc,
+ oid_sig_alg_t,
+ sig_alg,
+ const char *,
+ description)
+#endif
+
+FN_OID_GET_ATTR2(mbedtls_oid_get_sig_alg,
+ oid_sig_alg_t,
+ sig_alg,
+ mbedtls_md_type_t,
+ md_alg,
+ mbedtls_pk_type_t,
+ pk_alg)
+FN_OID_GET_OID_BY_ATTR2(mbedtls_oid_get_oid_by_sig_alg,
+ oid_sig_alg_t,
+ oid_sig_alg,
+ mbedtls_pk_type_t,
+ pk_alg,
+ mbedtls_md_type_t,
+ md_alg)
+
+/*
+ * For PublicKeyInfo (PKCS1, RFC 5480)
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_pk_type_t pk_alg;
+} oid_pk_alg_t;
+
+static const oid_pk_alg_t oid_pk_alg[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_RSA, "rsaEncryption", "RSA"),
+ MBEDTLS_PK_RSA,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_ALG_UNRESTRICTED, "id-ecPublicKey", "Generic EC key"),
+ MBEDTLS_PK_ECKEY,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_ALG_ECDH, "id-ecDH", "EC key for ECDH"),
+ MBEDTLS_PK_ECKEY_DH,
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_PK_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pk_alg_t, pk_alg, oid_pk_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_pk_alg, oid_pk_alg_t, pk_alg, mbedtls_pk_type_t, pk_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_pk_alg,
+ oid_pk_alg_t,
+ oid_pk_alg,
+ mbedtls_pk_type_t,
+ pk_alg)
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+/*
+ * For elliptic curves that use namedCurve inside ECParams (RFC 5480)
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_ecp_group_id grp_id;
+} oid_ecp_grp_t;
+
+static const oid_ecp_grp_t oid_ecp_grp[] =
+{
+#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP192R1, "secp192r1", "secp192r1"),
+ MBEDTLS_ECP_DP_SECP192R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP192R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP224R1, "secp224r1", "secp224r1"),
+ MBEDTLS_ECP_DP_SECP224R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP224R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP256R1, "secp256r1", "secp256r1"),
+ MBEDTLS_ECP_DP_SECP256R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP256R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP384R1, "secp384r1", "secp384r1"),
+ MBEDTLS_ECP_DP_SECP384R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP384R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP521R1, "secp521r1", "secp521r1"),
+ MBEDTLS_ECP_DP_SECP521R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP521R1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP192K1, "secp192k1", "secp192k1"),
+ MBEDTLS_ECP_DP_SECP192K1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP192K1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP224K1, "secp224k1", "secp224k1"),
+ MBEDTLS_ECP_DP_SECP224K1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP224K1 */
+#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_SECP256K1, "secp256k1", "secp256k1"),
+ MBEDTLS_ECP_DP_SECP256K1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_SECP256K1 */
+#if defined(MBEDTLS_ECP_HAVE_BP256R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_BP256R1, "brainpoolP256r1", "brainpool256r1"),
+ MBEDTLS_ECP_DP_BP256R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_BP256R1 */
+#if defined(MBEDTLS_ECP_HAVE_BP384R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_BP384R1, "brainpoolP384r1", "brainpool384r1"),
+ MBEDTLS_ECP_DP_BP384R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_BP384R1 */
+#if defined(MBEDTLS_ECP_HAVE_BP512R1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_EC_GRP_BP512R1, "brainpoolP512r1", "brainpool512r1"),
+ MBEDTLS_ECP_DP_BP512R1,
+ },
+#endif /* MBEDTLS_ECP_HAVE_BP512R1 */
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_ECP_DP_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_t, grp_id, oid_ecp_grp)
+FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp, oid_ecp_grp_t, grp_id, mbedtls_ecp_group_id, grp_id)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp,
+ oid_ecp_grp_t,
+ oid_ecp_grp,
+ mbedtls_ecp_group_id,
+ grp_id)
+
+/*
+ * For Elliptic Curve algorithms that are directly
+ * encoded in the AlgorithmIdentifier (RFC 8410)
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_ecp_group_id grp_id;
+} oid_ecp_grp_algid_t;
+
+static const oid_ecp_grp_algid_t oid_ecp_grp_algid[] =
+{
+#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_X25519, "X25519", "X25519"),
+ MBEDTLS_ECP_DP_CURVE25519,
+ },
+#endif /* MBEDTLS_ECP_HAVE_CURVE25519 */
+#if defined(MBEDTLS_ECP_HAVE_CURVE448)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_X448, "X448", "X448"),
+ MBEDTLS_ECP_DP_CURVE448,
+ },
+#endif /* MBEDTLS_ECP_HAVE_CURVE448 */
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_ECP_DP_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_algid_t, grp_id_algid, oid_ecp_grp_algid)
+FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp_algid,
+ oid_ecp_grp_algid_t,
+ grp_id_algid,
+ mbedtls_ecp_group_id,
+ grp_id)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp_algid,
+ oid_ecp_grp_algid_t,
+ oid_ecp_grp_algid,
+ mbedtls_ecp_group_id,
+ grp_id)
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_CIPHER_C)
+/*
+ * For PKCS#5 PBES2 encryption algorithm
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_cipher_type_t cipher_alg;
+} oid_cipher_alg_t;
+
+static const oid_cipher_alg_t oid_cipher_alg[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DES_CBC, "desCBC", "DES-CBC"),
+ MBEDTLS_CIPHER_DES_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DES_EDE3_CBC, "des-ede3-cbc", "DES-EDE3-CBC"),
+ MBEDTLS_CIPHER_DES_EDE3_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AES_128_CBC, "aes128-cbc", "AES128-CBC"),
+ MBEDTLS_CIPHER_AES_128_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AES_192_CBC, "aes192-cbc", "AES192-CBC"),
+ MBEDTLS_CIPHER_AES_192_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_AES_256_CBC, "aes256-cbc", "AES256-CBC"),
+ MBEDTLS_CIPHER_AES_256_CBC,
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_CIPHER_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_cipher_alg,
+ oid_cipher_alg_t,
+ cipher_alg,
+ mbedtls_cipher_type_t,
+ cipher_alg)
+#endif /* MBEDTLS_CIPHER_C */
+
+/*
+ * For digestAlgorithm
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_md_type_t md_alg;
+} oid_md_alg_t;
+
+static const oid_md_alg_t oid_md_alg[] =
+{
+#if defined(MBEDTLS_MD_CAN_MD5)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_MD5, "id-md5", "MD5"),
+ MBEDTLS_MD_MD5,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA1, "id-sha1", "SHA-1"),
+ MBEDTLS_MD_SHA1,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA224, "id-sha224", "SHA-224"),
+ MBEDTLS_MD_SHA224,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA256, "id-sha256", "SHA-256"),
+ MBEDTLS_MD_SHA256,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA384, "id-sha384", "SHA-384"),
+ MBEDTLS_MD_SHA384,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA512, "id-sha512", "SHA-512"),
+ MBEDTLS_MD_SHA512,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_RIPEMD160, "id-ripemd160", "RIPEMD-160"),
+ MBEDTLS_MD_RIPEMD160,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_224, "id-sha3-224", "SHA-3-224"),
+ MBEDTLS_MD_SHA3_224,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_256, "id-sha3-256", "SHA-3-256"),
+ MBEDTLS_MD_SHA3_256,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_384, "id-sha3-384", "SHA-3-384"),
+ MBEDTLS_MD_SHA3_384,
+ },
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA3_512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_512, "id-sha3-512", "SHA-3-512"),
+ MBEDTLS_MD_SHA3_512,
+ },
+#endif
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_MD_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_alg_t, md_alg, oid_md_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_alg, oid_md_alg_t, md_alg, mbedtls_md_type_t, md_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_md,
+ oid_md_alg_t,
+ oid_md_alg,
+ mbedtls_md_type_t,
+ md_alg)
+
+/*
+ * For HMAC digestAlgorithm
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_md_type_t md_hmac;
+} oid_md_hmac_t;
+
+static const oid_md_hmac_t oid_md_hmac[] =
+{
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA1, "hmacSHA1", "HMAC-SHA-1"),
+ MBEDTLS_MD_SHA1,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA224, "hmacSHA224", "HMAC-SHA-224"),
+ MBEDTLS_MD_SHA224,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA224 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA256, "hmacSHA256", "HMAC-SHA-256"),
+ MBEDTLS_MD_SHA256,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA384, "hmacSHA384", "HMAC-SHA-384"),
+ MBEDTLS_MD_SHA384,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA512, "hmacSHA512", "HMAC-SHA-512"),
+ MBEDTLS_MD_SHA512,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_224, "hmacSHA3-224", "HMAC-SHA3-224"),
+ MBEDTLS_MD_SHA3_224,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA3_224 */
+#if defined(MBEDTLS_MD_CAN_SHA3_256)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_256, "hmacSHA3-256", "HMAC-SHA3-256"),
+ MBEDTLS_MD_SHA3_256,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA3_256 */
+#if defined(MBEDTLS_MD_CAN_SHA3_384)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_384, "hmacSHA3-384", "HMAC-SHA3-384"),
+ MBEDTLS_MD_SHA3_384,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA3_384 */
+#if defined(MBEDTLS_MD_CAN_SHA3_512)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_512, "hmacSHA3-512", "HMAC-SHA3-512"),
+ MBEDTLS_MD_SHA3_512,
+ },
+#endif /* MBEDTLS_MD_CAN_SHA3_512 */
+#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_HMAC_RIPEMD160, "hmacRIPEMD160", "HMAC-RIPEMD160"),
+ MBEDTLS_MD_RIPEMD160,
+ },
+#endif /* MBEDTLS_MD_CAN_RIPEMD160 */
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_MD_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_hmac_t, md_hmac, oid_md_hmac)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_hmac, oid_md_hmac_t, md_hmac, mbedtls_md_type_t, md_hmac)
+
+#if defined(MBEDTLS_PKCS12_C) && defined(MBEDTLS_CIPHER_C)
+/*
+ * For PKCS#12 PBEs
+ */
+typedef struct {
+ mbedtls_oid_descriptor_t descriptor;
+ mbedtls_md_type_t md_alg;
+ mbedtls_cipher_type_t cipher_alg;
+} oid_pkcs12_pbe_alg_t;
+
+static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
+{
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC,
+ "pbeWithSHAAnd3-KeyTripleDES-CBC",
+ "PBE with SHA1 and 3-Key 3DES"),
+ MBEDTLS_MD_SHA1, MBEDTLS_CIPHER_DES_EDE3_CBC,
+ },
+ {
+ OID_DESCRIPTOR(MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC,
+ "pbeWithSHAAnd2-KeyTripleDES-CBC",
+ "PBE with SHA1 and 2-Key 3DES"),
+ MBEDTLS_MD_SHA1, MBEDTLS_CIPHER_DES_EDE_CBC,
+ },
+ {
+ NULL_OID_DESCRIPTOR,
+ MBEDTLS_MD_NONE, MBEDTLS_CIPHER_NONE,
+ },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg)
+FN_OID_GET_ATTR2(mbedtls_oid_get_pkcs12_pbe_alg,
+ oid_pkcs12_pbe_alg_t,
+ pkcs12_pbe_alg,
+ mbedtls_md_type_t,
+ md_alg,
+ mbedtls_cipher_type_t,
+ cipher_alg)
+#endif /* MBEDTLS_PKCS12_C && MBEDTLS_CIPHER_C */
+
+/* Return the x.y.z.... style numeric string for the given OID */
+int mbedtls_oid_get_numeric_string(char *buf, size_t size,
+ const mbedtls_asn1_buf *oid)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ char *p = buf;
+ size_t n = size;
+ unsigned int value = 0;
+
+ if (size > INT_MAX) {
+ /* Avoid overflow computing return value */
+ return MBEDTLS_ERR_ASN1_INVALID_LENGTH;
+ }
+
+ if (oid->len <= 0) {
+ /* OID must not be empty */
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ for (size_t i = 0; i < oid->len; i++) {
+ /* Prevent overflow in value. */
+ if (value > (UINT_MAX >> 7)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ if ((value == 0) && ((oid->p[i]) == 0x80)) {
+ /* Overlong encoding is not allowed */
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+
+ value <<= 7;
+ value |= oid->p[i] & 0x7F;
+
+ if (!(oid->p[i] & 0x80)) {
+ /* Last byte */
+ if (n == size) {
+ int component1;
+ unsigned int component2;
+ /* First subidentifier contains first two OID components */
+ if (value >= 80) {
+ component1 = '2';
+ component2 = value - 80;
+ } else if (value >= 40) {
+ component1 = '1';
+ component2 = value - 40;
+ } else {
+ component1 = '0';
+ component2 = value;
+ }
+ ret = mbedtls_snprintf(p, n, "%c.%u", component1, component2);
+ } else {
+ ret = mbedtls_snprintf(p, n, ".%u", value);
+ }
+ if (ret < 2 || (size_t) ret >= n) {
+ return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
+ }
+ n -= (size_t) ret;
+ p += ret;
+ value = 0;
+ }
+ }
+
+ if (value != 0) {
+ /* Unterminated subidentifier */
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+
+ return (int) (size - n);
+}
+
+static int oid_parse_number(unsigned int *num, const char **p, const char *bound)
+{
+ int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+
+ *num = 0;
+
+ while (*p < bound && **p >= '0' && **p <= '9') {
+ ret = 0;
+ if (*num > (UINT_MAX / 10)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ *num *= 10;
+ *num += **p - '0';
+ (*p)++;
+ }
+ return ret;
+}
+
+static size_t oid_subidentifier_num_bytes(unsigned int value)
+{
+ size_t num_bytes = 0;
+
+ do {
+ value >>= 7;
+ num_bytes++;
+ } while (value != 0);
+
+ return num_bytes;
+}
+
+static int oid_subidentifier_encode_into(unsigned char **p,
+ unsigned char *bound,
+ unsigned int value)
+{
+ size_t num_bytes = oid_subidentifier_num_bytes(value);
+
+ if ((size_t) (bound - *p) < num_bytes) {
+ return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
+ }
+ (*p)[num_bytes - 1] = (unsigned char) (value & 0x7f);
+ value >>= 7;
+
+ for (size_t i = 2; i <= num_bytes; i++) {
+ (*p)[num_bytes - i] = 0x80 | (unsigned char) (value & 0x7f);
+ value >>= 7;
+ }
+ *p += num_bytes;
+
+ return 0;
+}
+
+/* Return the OID for the given x.y.z.... style numeric string */
+int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid,
+ const char *oid_str, size_t size)
+{
+ int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ const char *str_ptr = oid_str;
+ const char *str_bound = oid_str + size;
+ unsigned int val = 0;
+ unsigned int component1, component2;
+ size_t encoded_len;
+ unsigned char *resized_mem;
+
+ /* Count the number of dots to get a worst-case allocation size. */
+ size_t num_dots = 0;
+ for (size_t i = 0; i < size; i++) {
+ if (oid_str[i] == '.') {
+ num_dots++;
+ }
+ }
+ /* Allocate maximum possible required memory:
+ * There are (num_dots + 1) integer components, but the first 2 share the
+ * same subidentifier, so we only need num_dots subidentifiers maximum. */
+ if (num_dots == 0 || (num_dots > MBEDTLS_OID_MAX_COMPONENTS - 1)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ /* Each byte can store 7 bits, calculate number of bytes for a
+ * subidentifier:
+ *
+ * bytes = ceil(subidentifer_size * 8 / 7)
+ */
+ size_t bytes_per_subidentifier = (((sizeof(unsigned int) * 8) - 1) / 7)
+ + 1;
+ size_t max_possible_bytes = num_dots * bytes_per_subidentifier;
+ oid->p = mbedtls_calloc(max_possible_bytes, 1);
+ if (oid->p == NULL) {
+ return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ }
+ unsigned char *out_ptr = oid->p;
+ unsigned char *out_bound = oid->p + max_possible_bytes;
+
+ ret = oid_parse_number(&component1, &str_ptr, str_bound);
+ if (ret != 0) {
+ goto error;
+ }
+ if (component1 > 2) {
+ /* First component can't be > 2 */
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ if (str_ptr >= str_bound || *str_ptr != '.') {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ str_ptr++;
+
+ ret = oid_parse_number(&component2, &str_ptr, str_bound);
+ if (ret != 0) {
+ goto error;
+ }
+ if ((component1 < 2) && (component2 > 39)) {
+ /* Root nodes 0 and 1 may have up to 40 children, numbered 0-39 */
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ if (str_ptr < str_bound) {
+ if (*str_ptr == '.') {
+ str_ptr++;
+ } else {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ }
+
+ if (component2 > (UINT_MAX - (component1 * 40))) {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ ret = oid_subidentifier_encode_into(&out_ptr, out_bound,
+ (component1 * 40) + component2);
+ if (ret != 0) {
+ goto error;
+ }
+
+ while (str_ptr < str_bound) {
+ ret = oid_parse_number(&val, &str_ptr, str_bound);
+ if (ret != 0) {
+ goto error;
+ }
+ if (str_ptr < str_bound) {
+ if (*str_ptr == '.') {
+ str_ptr++;
+ } else {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto error;
+ }
+ }
+
+ ret = oid_subidentifier_encode_into(&out_ptr, out_bound, val);
+ if (ret != 0) {
+ goto error;
+ }
+ }
+
+ encoded_len = (size_t) (out_ptr - oid->p);
+ resized_mem = mbedtls_calloc(encoded_len, 1);
+ if (resized_mem == NULL) {
+ ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ goto error;
+ }
+ memcpy(resized_mem, oid->p, encoded_len);
+ mbedtls_free(oid->p);
+ oid->p = resized_mem;
+ oid->len = encoded_len;
+
+ oid->tag = MBEDTLS_ASN1_OID;
+
+ return 0;
+
+error:
+ mbedtls_free(oid->p);
+ oid->p = NULL;
+ oid->len = 0;
+ return ret;
+}
+
+#endif /* MBEDTLS_OID_C */
diff --git a/library/padlock.c b/library/padlock.c
new file mode 100644
index 0000000..1f00691
--- /dev/null
+++ b/library/padlock.c
@@ -0,0 +1,157 @@
+/*
+ * VIA PadLock support functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * This implementation is based on the VIA PadLock Programming Guide:
+ *
+ * http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/
+ * programming_guide.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PADLOCK_C)
+
+#include "padlock.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
+
+/*
+ * PadLock detection routine
+ */
+int mbedtls_padlock_has_support(int feature)
+{
+ static int flags = -1;
+ int ebx = 0, edx = 0;
+
+ if (flags == -1) {
+ asm ("movl %%ebx, %0 \n\t"
+ "movl $0xC0000000, %%eax \n\t"
+ "cpuid \n\t"
+ "cmpl $0xC0000001, %%eax \n\t"
+ "movl $0, %%edx \n\t"
+ "jb 1f \n\t"
+ "movl $0xC0000001, %%eax \n\t"
+ "cpuid \n\t"
+ "1: \n\t"
+ "movl %%edx, %1 \n\t"
+ "movl %2, %%ebx \n\t"
+ : "=m" (ebx), "=m" (edx)
+ : "m" (ebx)
+ : "eax", "ecx", "edx");
+
+ flags = edx;
+ }
+
+ return flags & feature;
+}
+
+/*
+ * PadLock AES-ECB block en(de)cryption
+ */
+int mbedtls_padlock_xcryptecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16])
+{
+ int ebx = 0;
+ uint32_t *rk;
+ uint32_t *blk;
+ uint32_t *ctrl;
+ unsigned char buf[256];
+
+ rk = ctx->buf + ctx->rk_offset;
+
+ if (((long) rk & 15) != 0) {
+ return MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED;
+ }
+
+ blk = MBEDTLS_PADLOCK_ALIGN16(buf);
+ memcpy(blk, input, 16);
+
+ ctrl = blk + 4;
+ *ctrl = 0x80 | ctx->nr | ((ctx->nr + (mode^1) - 10) << 9);
+
+ asm ("pushfl \n\t"
+ "popfl \n\t"
+ "movl %%ebx, %0 \n\t"
+ "movl $1, %%ecx \n\t"
+ "movl %2, %%edx \n\t"
+ "movl %3, %%ebx \n\t"
+ "movl %4, %%esi \n\t"
+ "movl %4, %%edi \n\t"
+ ".byte 0xf3,0x0f,0xa7,0xc8 \n\t"
+ "movl %1, %%ebx \n\t"
+ : "=m" (ebx)
+ : "m" (ebx), "m" (ctrl), "m" (rk), "m" (blk)
+ : "memory", "ecx", "edx", "esi", "edi");
+
+ memcpy(output, blk, 16);
+
+ return 0;
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * PadLock AES-CBC buffer en(de)cryption
+ */
+int mbedtls_padlock_xcryptcbc(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ebx = 0;
+ size_t count;
+ uint32_t *rk;
+ uint32_t *iw;
+ uint32_t *ctrl;
+ unsigned char buf[256];
+
+ rk = ctx->buf + ctx->rk_offset;
+
+ if (((long) input & 15) != 0 ||
+ ((long) output & 15) != 0 ||
+ ((long) rk & 15) != 0) {
+ return MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED;
+ }
+
+ iw = MBEDTLS_PADLOCK_ALIGN16(buf);
+ memcpy(iw, iv, 16);
+
+ ctrl = iw + 4;
+ *ctrl = 0x80 | ctx->nr | ((ctx->nr + (mode ^ 1) - 10) << 9);
+
+ count = (length + 15) >> 4;
+
+ asm ("pushfl \n\t"
+ "popfl \n\t"
+ "movl %%ebx, %0 \n\t"
+ "movl %2, %%ecx \n\t"
+ "movl %3, %%edx \n\t"
+ "movl %4, %%ebx \n\t"
+ "movl %5, %%esi \n\t"
+ "movl %6, %%edi \n\t"
+ "movl %7, %%eax \n\t"
+ ".byte 0xf3,0x0f,0xa7,0xd0 \n\t"
+ "movl %1, %%ebx \n\t"
+ : "=m" (ebx)
+ : "m" (ebx), "m" (count), "m" (ctrl),
+ "m" (rk), "m" (input), "m" (output), "m" (iw)
+ : "memory", "eax", "ecx", "edx", "esi", "edi");
+
+ memcpy(iv, iw, 16);
+
+ return 0;
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#endif /* MBEDTLS_VIA_PADLOCK_HAVE_CODE */
+
+#endif /* MBEDTLS_PADLOCK_C */
diff --git a/library/padlock.h b/library/padlock.h
new file mode 100644
index 0000000..92d72af
--- /dev/null
+++ b/library/padlock.h
@@ -0,0 +1,111 @@
+/**
+ * \file padlock.h
+ *
+ * \brief VIA PadLock ACE for HW encryption/decryption supported by some
+ * processors
+ *
+ * \warning These functions are only for internal use by other library
+ * functions; you must not call them directly.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_PADLOCK_H
+#define MBEDTLS_PADLOCK_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/aes.h"
+
+#define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED -0x0030 /**< Input data should be aligned. */
+
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define MBEDTLS_HAVE_ASAN
+#endif
+#endif
+
+/*
+ * - `padlock` is implements with GNUC assembly for x86 target.
+ * - Some versions of ASan result in errors about not enough registers.
+ */
+#if defined(MBEDTLS_PADLOCK_C) && \
+ defined(__GNUC__) && defined(MBEDTLS_ARCH_IS_X86) && \
+ defined(MBEDTLS_HAVE_ASM) && \
+ !defined(MBEDTLS_HAVE_ASAN)
+
+#define MBEDTLS_VIA_PADLOCK_HAVE_CODE
+
+#include <stdint.h>
+
+#define MBEDTLS_PADLOCK_RNG 0x000C
+#define MBEDTLS_PADLOCK_ACE 0x00C0
+#define MBEDTLS_PADLOCK_PHE 0x0C00
+#define MBEDTLS_PADLOCK_PMM 0x3000
+
+#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) (x) & ~15))
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Internal PadLock detection routine
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param feature The feature to detect
+ *
+ * \return non-zero if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_padlock_has_support(int feature);
+
+/**
+ * \brief Internal PadLock AES-ECB block en(de)cryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param ctx AES context
+ * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input 16-byte input block
+ * \param output 16-byte output block
+ *
+ * \return 0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptecb(mbedtls_aes_context *ctx,
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16]);
+
+/**
+ * \brief Internal PadLock AES-CBC buffer en(de)cryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
+ *
+ * \param ctx AES context
+ * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param length length of the input data
+ * \param iv initialization vector (updated after use)
+ * \param input buffer holding the input data
+ * \param output buffer holding the output data
+ *
+ * \return 0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptcbc(mbedtls_aes_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HAVE_X86 */
+
+#endif /* padlock.h */
diff --git a/library/pem.c b/library/pem.c
new file mode 100644
index 0000000..0fee5df
--- /dev/null
+++ b/library/pem.c
@@ -0,0 +1,547 @@
+/*
+ * Privacy Enhanced Mail (PEM) decoding
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+
+#include "mbedtls/pem.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/des.h"
+#include "mbedtls/aes.h"
+#include "mbedtls/md.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif
+
+#if defined(MBEDTLS_MD_CAN_MD5) && \
+ defined(MBEDTLS_CIPHER_MODE_CBC) && \
+ (defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C))
+#define PEM_RFC1421
+#endif /* MBEDTLS_MD_CAN_MD5 &&
+ MBEDTLS_CIPHER_MODE_CBC &&
+ ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+void mbedtls_pem_init(mbedtls_pem_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_pem_context));
+}
+
+#if defined(PEM_RFC1421)
+/*
+ * Read a 16-byte hex string and convert it to binary
+ */
+static int pem_get_iv(const unsigned char *s, unsigned char *iv,
+ size_t iv_len)
+{
+ size_t i, j, k;
+
+ memset(iv, 0, iv_len);
+
+ for (i = 0; i < iv_len * 2; i++, s++) {
+ if (*s >= '0' && *s <= '9') {
+ j = *s - '0';
+ } else
+ if (*s >= 'A' && *s <= 'F') {
+ j = *s - '7';
+ } else
+ if (*s >= 'a' && *s <= 'f') {
+ j = *s - 'W';
+ } else {
+ return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
+ }
+
+ k = ((i & 1) != 0) ? j : j << 4;
+
+ iv[i >> 1] = (unsigned char) (iv[i >> 1] | k);
+ }
+
+ return 0;
+}
+
+static int pem_pbkdf1(unsigned char *key, size_t keylen,
+ unsigned char *iv,
+ const unsigned char *pwd, size_t pwdlen)
+{
+ mbedtls_md_context_t md5_ctx;
+ const mbedtls_md_info_t *md5_info;
+ unsigned char md5sum[16];
+ size_t use_len;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_md_init(&md5_ctx);
+
+ /* Prepare the context. (setup() errors gracefully on NULL info.) */
+ md5_info = mbedtls_md_info_from_type(MBEDTLS_MD_MD5);
+ if ((ret = mbedtls_md_setup(&md5_ctx, md5_info, 0)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * key[ 0..15] = MD5(pwd || IV)
+ */
+ if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, iv, 8)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
+ goto exit;
+ }
+
+ if (keylen <= 16) {
+ memcpy(key, md5sum, keylen);
+ goto exit;
+ }
+
+ memcpy(key, md5sum, 16);
+
+ /*
+ * key[16..23] = MD5(key[ 0..15] || pwd || IV])
+ */
+ if ((ret = mbedtls_md_starts(&md5_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, md5sum, 16)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md5_ctx, iv, 8)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_finish(&md5_ctx, md5sum)) != 0) {
+ goto exit;
+ }
+
+ use_len = 16;
+ if (keylen < 32) {
+ use_len = keylen - 16;
+ }
+
+ memcpy(key + 16, md5sum, use_len);
+
+exit:
+ mbedtls_md_free(&md5_ctx);
+ mbedtls_platform_zeroize(md5sum, 16);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_DES_C)
+/*
+ * Decrypt with DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des_decrypt(unsigned char des_iv[8],
+ unsigned char *buf, size_t buflen,
+ const unsigned char *pwd, size_t pwdlen)
+{
+ mbedtls_des_context des_ctx;
+ unsigned char des_key[8];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_des_init(&des_ctx);
+
+ if ((ret = pem_pbkdf1(des_key, 8, des_iv, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_des_setkey_dec(&des_ctx, des_key)) != 0) {
+ goto exit;
+ }
+ ret = mbedtls_des_crypt_cbc(&des_ctx, MBEDTLS_DES_DECRYPT, buflen,
+ des_iv, buf, buf);
+
+exit:
+ mbedtls_des_free(&des_ctx);
+ mbedtls_platform_zeroize(des_key, 8);
+
+ return ret;
+}
+
+/*
+ * Decrypt with 3DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des3_decrypt(unsigned char des3_iv[8],
+ unsigned char *buf, size_t buflen,
+ const unsigned char *pwd, size_t pwdlen)
+{
+ mbedtls_des3_context des3_ctx;
+ unsigned char des3_key[24];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_des3_init(&des3_ctx);
+
+ if ((ret = pem_pbkdf1(des3_key, 24, des3_iv, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_des3_set3key_dec(&des3_ctx, des3_key)) != 0) {
+ goto exit;
+ }
+ ret = mbedtls_des3_crypt_cbc(&des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
+ des3_iv, buf, buf);
+
+exit:
+ mbedtls_des3_free(&des3_ctx);
+ mbedtls_platform_zeroize(des3_key, 24);
+
+ return ret;
+}
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
+ */
+static int pem_aes_decrypt(unsigned char aes_iv[16], unsigned int keylen,
+ unsigned char *buf, size_t buflen,
+ const unsigned char *pwd, size_t pwdlen)
+{
+ mbedtls_aes_context aes_ctx;
+ unsigned char aes_key[32];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_aes_init(&aes_ctx);
+
+ if ((ret = pem_pbkdf1(aes_key, keylen, aes_iv, pwd, pwdlen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_aes_setkey_dec(&aes_ctx, aes_key, keylen * 8)) != 0) {
+ goto exit;
+ }
+ ret = mbedtls_aes_crypt_cbc(&aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
+ aes_iv, buf, buf);
+
+exit:
+ mbedtls_aes_free(&aes_ctx);
+ mbedtls_platform_zeroize(aes_key, keylen);
+
+ return ret;
+}
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C)
+static int pem_check_pkcs_padding(unsigned char *input, size_t input_len, size_t *data_len)
+{
+ /* input_len > 0 is guaranteed by mbedtls_pem_read_buffer(). */
+ size_t pad_len = input[input_len - 1];
+ size_t i;
+
+ if (pad_len > input_len) {
+ return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH;
+ }
+
+ *data_len = input_len - pad_len;
+
+ for (i = *data_len; i < input_len; i++) {
+ if (input[i] != pad_len) {
+ return MBEDTLS_ERR_PEM_PASSWORD_MISMATCH;
+ }
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_DES_C || MBEDTLS_AES_C */
+
+#endif /* PEM_RFC1421 */
+
+int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const char *footer,
+ const unsigned char *data, const unsigned char *pwd,
+ size_t pwdlen, size_t *use_len)
+{
+ int ret, enc;
+ size_t len;
+ unsigned char *buf;
+ const unsigned char *s1, *s2, *end;
+#if defined(PEM_RFC1421)
+ unsigned char pem_iv[16];
+ mbedtls_cipher_type_t enc_alg = MBEDTLS_CIPHER_NONE;
+#else
+ ((void) pwd);
+ ((void) pwdlen);
+#endif /* PEM_RFC1421 */
+
+ if (ctx == NULL) {
+ return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
+ }
+
+ s1 = (unsigned char *) strstr((const char *) data, header);
+
+ if (s1 == NULL) {
+ return MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ }
+
+ s2 = (unsigned char *) strstr((const char *) data, footer);
+
+ if (s2 == NULL || s2 <= s1) {
+ return MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ }
+
+ s1 += strlen(header);
+ if (*s1 == ' ') {
+ s1++;
+ }
+ if (*s1 == '\r') {
+ s1++;
+ }
+ if (*s1 == '\n') {
+ s1++;
+ } else {
+ return MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ }
+
+ end = s2;
+ end += strlen(footer);
+ if (*end == ' ') {
+ end++;
+ }
+ if (*end == '\r') {
+ end++;
+ }
+ if (*end == '\n') {
+ end++;
+ }
+ *use_len = (size_t) (end - data);
+
+ enc = 0;
+
+ if (s2 - s1 >= 22 && memcmp(s1, "Proc-Type: 4,ENCRYPTED", 22) == 0) {
+#if defined(PEM_RFC1421)
+ enc++;
+
+ s1 += 22;
+ if (*s1 == '\r') {
+ s1++;
+ }
+ if (*s1 == '\n') {
+ s1++;
+ } else {
+ return MBEDTLS_ERR_PEM_INVALID_DATA;
+ }
+
+
+#if defined(MBEDTLS_DES_C)
+ if (s2 - s1 >= 23 && memcmp(s1, "DEK-Info: DES-EDE3-CBC,", 23) == 0) {
+ enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
+
+ s1 += 23;
+ if (s2 - s1 < 16 || pem_get_iv(s1, pem_iv, 8) != 0) {
+ return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
+ }
+
+ s1 += 16;
+ } else if (s2 - s1 >= 18 && memcmp(s1, "DEK-Info: DES-CBC,", 18) == 0) {
+ enc_alg = MBEDTLS_CIPHER_DES_CBC;
+
+ s1 += 18;
+ if (s2 - s1 < 16 || pem_get_iv(s1, pem_iv, 8) != 0) {
+ return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
+ }
+
+ s1 += 16;
+ }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+ if (s2 - s1 >= 14 && memcmp(s1, "DEK-Info: AES-", 14) == 0) {
+ if (s2 - s1 < 22) {
+ return MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG;
+ } else if (memcmp(s1, "DEK-Info: AES-128-CBC,", 22) == 0) {
+ enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
+ } else if (memcmp(s1, "DEK-Info: AES-192-CBC,", 22) == 0) {
+ enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
+ } else if (memcmp(s1, "DEK-Info: AES-256-CBC,", 22) == 0) {
+ enc_alg = MBEDTLS_CIPHER_AES_256_CBC;
+ } else {
+ return MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG;
+ }
+
+ s1 += 22;
+ if (s2 - s1 < 32 || pem_get_iv(s1, pem_iv, 16) != 0) {
+ return MBEDTLS_ERR_PEM_INVALID_ENC_IV;
+ }
+
+ s1 += 32;
+ }
+#endif /* MBEDTLS_AES_C */
+
+ if (enc_alg == MBEDTLS_CIPHER_NONE) {
+ return MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG;
+ }
+
+ if (*s1 == '\r') {
+ s1++;
+ }
+ if (*s1 == '\n') {
+ s1++;
+ } else {
+ return MBEDTLS_ERR_PEM_INVALID_DATA;
+ }
+#else
+ return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;
+#endif /* PEM_RFC1421 */
+ }
+
+ if (s1 >= s2) {
+ return MBEDTLS_ERR_PEM_INVALID_DATA;
+ }
+
+ ret = mbedtls_base64_decode(NULL, 0, &len, s1, (size_t) (s2 - s1));
+
+ if (ret == MBEDTLS_ERR_BASE64_INVALID_CHARACTER) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
+ }
+
+ if (len == 0) {
+ return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
+ }
+
+ if ((buf = mbedtls_calloc(1, len)) == NULL) {
+ return MBEDTLS_ERR_PEM_ALLOC_FAILED;
+ }
+
+ if ((ret = mbedtls_base64_decode(buf, len, &len, s1, (size_t) (s2 - s1))) != 0) {
+ mbedtls_zeroize_and_free(buf, len);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
+ }
+
+ if (enc != 0) {
+#if defined(PEM_RFC1421)
+ if (pwd == NULL) {
+ mbedtls_zeroize_and_free(buf, len);
+ return MBEDTLS_ERR_PEM_PASSWORD_REQUIRED;
+ }
+
+ ret = 0;
+
+#if defined(MBEDTLS_DES_C)
+ if (enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC) {
+ ret = pem_des3_decrypt(pem_iv, buf, len, pwd, pwdlen);
+ } else if (enc_alg == MBEDTLS_CIPHER_DES_CBC) {
+ ret = pem_des_decrypt(pem_iv, buf, len, pwd, pwdlen);
+ }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+ if (enc_alg == MBEDTLS_CIPHER_AES_128_CBC) {
+ ret = pem_aes_decrypt(pem_iv, 16, buf, len, pwd, pwdlen);
+ } else if (enc_alg == MBEDTLS_CIPHER_AES_192_CBC) {
+ ret = pem_aes_decrypt(pem_iv, 24, buf, len, pwd, pwdlen);
+ } else if (enc_alg == MBEDTLS_CIPHER_AES_256_CBC) {
+ ret = pem_aes_decrypt(pem_iv, 32, buf, len, pwd, pwdlen);
+ }
+#endif /* MBEDTLS_AES_C */
+
+ if (ret != 0) {
+ mbedtls_zeroize_and_free(buf, len);
+ return ret;
+ }
+
+ /* Check PKCS padding and update data length based on padding info.
+ * This can be used to detect invalid padding data and password
+ * mismatches. */
+ size_t unpadded_len;
+ ret = pem_check_pkcs_padding(buf, len, &unpadded_len);
+ if (ret != 0) {
+ mbedtls_zeroize_and_free(buf, len);
+ return ret;
+ }
+ len = unpadded_len;
+#else
+ mbedtls_zeroize_and_free(buf, len);
+ return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;
+#endif /* PEM_RFC1421 */
+ }
+
+ ctx->buf = buf;
+ ctx->buflen = len;
+
+ return 0;
+}
+
+void mbedtls_pem_free(mbedtls_pem_context *ctx)
+{
+ if (ctx->buf != NULL) {
+ mbedtls_zeroize_and_free(ctx->buf, ctx->buflen);
+ }
+ mbedtls_free(ctx->info);
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pem_context));
+}
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_pem_write_buffer(const char *header, const char *footer,
+ const unsigned char *der_data, size_t der_len,
+ unsigned char *buf, size_t buf_len, size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *encode_buf = NULL, *c, *p = buf;
+ size_t len = 0, use_len, add_len = 0;
+
+ mbedtls_base64_encode(NULL, 0, &use_len, der_data, der_len);
+ add_len = strlen(header) + strlen(footer) + (((use_len > 2) ? (use_len - 2) : 0) / 64) + 1;
+
+ if (use_len + add_len > buf_len) {
+ *olen = use_len + add_len;
+ return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
+ }
+
+ if (use_len != 0 &&
+ ((encode_buf = mbedtls_calloc(1, use_len)) == NULL)) {
+ return MBEDTLS_ERR_PEM_ALLOC_FAILED;
+ }
+
+ if ((ret = mbedtls_base64_encode(encode_buf, use_len, &use_len, der_data,
+ der_len)) != 0) {
+ mbedtls_free(encode_buf);
+ return ret;
+ }
+
+ memcpy(p, header, strlen(header));
+ p += strlen(header);
+ c = encode_buf;
+
+ while (use_len) {
+ len = (use_len > 64) ? 64 : use_len;
+ memcpy(p, c, len);
+ use_len -= len;
+ p += len;
+ c += len;
+ *p++ = '\n';
+ }
+
+ memcpy(p, footer, strlen(footer));
+ p += strlen(footer);
+
+ *p++ = '\0';
+ *olen = (size_t) (p - buf);
+
+ /* Clean any remaining data previously written to the buffer */
+ memset(buf + *olen, 0, buf_len - *olen);
+
+ mbedtls_free(encode_buf);
+ return 0;
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
diff --git a/library/pk.c b/library/pk.c
new file mode 100644
index 0000000..097777f
--- /dev/null
+++ b/library/pk.c
@@ -0,0 +1,1531 @@
+/*
+ * Public Key abstraction layer
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk.h"
+#include "pk_wrap.h"
+#include "pkwrite.h"
+#include "pk_internal.h"
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#include "rsa_internal.h"
+#endif
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#include "mbedtls/ecp.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#include "psa_util_internal.h"
+#include "mbedtls/psa_util.h"
+#endif
+
+#include <limits.h>
+#include <stdint.h>
+
+#define PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE \
+ (PSA_EXPORT_KEY_PAIR_MAX_SIZE > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) ? \
+ PSA_EXPORT_KEY_PAIR_MAX_SIZE : PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
+
+/*
+ * Initialise a mbedtls_pk_context
+ */
+void mbedtls_pk_init(mbedtls_pk_context *ctx)
+{
+ ctx->pk_info = NULL;
+ ctx->pk_ctx = NULL;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ctx->priv_id = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ memset(ctx->pub_raw, 0, sizeof(ctx->pub_raw));
+ ctx->pub_raw_len = 0;
+ ctx->ec_family = 0;
+ ctx->ec_bits = 0;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+/*
+ * Free (the components of) a mbedtls_pk_context
+ */
+void mbedtls_pk_free(mbedtls_pk_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ if ((ctx->pk_info != NULL) && (ctx->pk_info->ctx_free_func != NULL)) {
+ ctx->pk_info->ctx_free_func(ctx->pk_ctx);
+ }
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ /* The ownership of the priv_id key for opaque keys is external of the PK
+ * module. It's the user responsibility to clear it after use. */
+ if ((ctx->pk_info != NULL) && (ctx->pk_info->type != MBEDTLS_PK_OPAQUE)) {
+ psa_destroy_key(ctx->priv_id);
+ }
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pk_context));
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_pk_restart_init(mbedtls_pk_restart_ctx *ctx)
+{
+ ctx->pk_info = NULL;
+ ctx->rs_ctx = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_pk_restart_free(mbedtls_pk_restart_ctx *ctx)
+{
+ if (ctx == NULL || ctx->pk_info == NULL ||
+ ctx->pk_info->rs_free_func == NULL) {
+ return;
+ }
+
+ ctx->pk_info->rs_free_func(ctx->rs_ctx);
+
+ ctx->pk_info = NULL;
+ ctx->rs_ctx = NULL;
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Get pk_info structure from type
+ */
+const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type)
+{
+ switch (pk_type) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ return &mbedtls_rsa_info;
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ return &mbedtls_eckey_info;
+ case MBEDTLS_PK_ECKEY_DH:
+ return &mbedtls_eckeydh_info;
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+ case MBEDTLS_PK_ECDSA:
+ return &mbedtls_ecdsa_info;
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
+ /* MBEDTLS_PK_RSA_ALT omitted on purpose */
+ default:
+ return NULL;
+ }
+}
+
+/*
+ * Initialise context
+ */
+int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info)
+{
+ if (info == NULL || ctx->pk_info != NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if ((info->ctx_alloc_func != NULL) &&
+ ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL)) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ ctx->pk_info = info;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/*
+ * Initialise a PSA-wrapping context
+ */
+int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
+ const mbedtls_svc_key_id_t key)
+{
+ const mbedtls_pk_info_t *info = NULL;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t type;
+
+ if (ctx == NULL || ctx->pk_info != NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (PSA_SUCCESS != psa_get_key_attributes(key, &attributes)) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ type = psa_get_key_type(&attributes);
+ psa_reset_key_attributes(&attributes);
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
+ info = &mbedtls_ecdsa_opaque_info;
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ info = &mbedtls_rsa_opaque_info;
+ } else {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ ctx->pk_info = info;
+ ctx->priv_id = key;
+
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Initialize an RSA-alt context
+ */
+int mbedtls_pk_setup_rsa_alt(mbedtls_pk_context *ctx, void *key,
+ mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
+ mbedtls_pk_rsa_alt_sign_func sign_func,
+ mbedtls_pk_rsa_alt_key_len_func key_len_func)
+{
+ mbedtls_rsa_alt_context *rsa_alt;
+ const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
+
+ if (ctx->pk_info != NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if ((ctx->pk_ctx = info->ctx_alloc_func()) == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ ctx->pk_info = info;
+
+ rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
+
+ rsa_alt->key = key;
+ rsa_alt->decrypt_func = decrypt_func;
+ rsa_alt->sign_func = sign_func;
+ rsa_alt->key_len_func = key_len_func;
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/*
+ * Tell if a PK can do the operations of the given type
+ */
+int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type)
+{
+ /* A context with null pk_info is not set up yet and can't do anything.
+ * For backward compatibility, also accept NULL instead of a context
+ * pointer. */
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return 0;
+ }
+
+ return ctx->pk_info->can_do(type);
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/*
+ * Tell if a PK can do the operations of the given PSA algorithm
+ */
+int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
+ psa_key_usage_t usage)
+{
+ psa_key_usage_t key_usage;
+
+ /* A context with null pk_info is not set up yet and can't do anything.
+ * For backward compatibility, also accept NULL instead of a context
+ * pointer. */
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return 0;
+ }
+
+ /* Filter out non allowed algorithms */
+ if (PSA_ALG_IS_ECDSA(alg) == 0 &&
+ PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) == 0 &&
+ PSA_ALG_IS_RSA_PSS(alg) == 0 &&
+ alg != PSA_ALG_RSA_PKCS1V15_CRYPT &&
+ PSA_ALG_IS_ECDH(alg) == 0) {
+ return 0;
+ }
+
+ /* Filter out non allowed usage flags */
+ if (usage == 0 ||
+ (usage & ~(PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_DECRYPT |
+ PSA_KEY_USAGE_DERIVE)) != 0) {
+ return 0;
+ }
+
+ /* Wildcard hash is not allowed */
+ if (PSA_ALG_IS_SIGN_HASH(alg) &&
+ PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH) {
+ return 0;
+ }
+
+ if (mbedtls_pk_get_type(ctx) != MBEDTLS_PK_OPAQUE) {
+ mbedtls_pk_type_t type;
+
+ if (PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_ECDH(alg)) {
+ type = MBEDTLS_PK_ECKEY;
+ } else if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
+ alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+ type = MBEDTLS_PK_RSA;
+ } else if (PSA_ALG_IS_RSA_PSS(alg)) {
+ type = MBEDTLS_PK_RSASSA_PSS;
+ } else {
+ return 0;
+ }
+
+ if (ctx->pk_info->can_do(type) == 0) {
+ return 0;
+ }
+
+ switch (type) {
+ case MBEDTLS_PK_ECKEY:
+ key_usage = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_DERIVE;
+ break;
+ case MBEDTLS_PK_RSA:
+ case MBEDTLS_PK_RSASSA_PSS:
+ key_usage = PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_SIGN_MESSAGE |
+ PSA_KEY_USAGE_DECRYPT;
+ break;
+ default:
+ /* Should never happen */
+ return 0;
+ }
+
+ return (key_usage & usage) == usage;
+ }
+
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+
+ status = psa_get_key_attributes(ctx->priv_id, &attributes);
+ if (status != PSA_SUCCESS) {
+ return 0;
+ }
+
+ psa_algorithm_t key_alg = psa_get_key_algorithm(&attributes);
+ /* Key's enrollment is available only when an Mbed TLS implementation of PSA
+ * Crypto is being used, i.e. when MBEDTLS_PSA_CRYPTO_C is defined.
+ * Even though we don't officially support using other implementations of PSA
+ * Crypto with TLS and X.509 (yet), we try to keep vendor's customizations
+ * separated. */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_algorithm_t key_alg2 = psa_get_key_enrollment_algorithm(&attributes);
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+ key_usage = psa_get_key_usage_flags(&attributes);
+ psa_reset_key_attributes(&attributes);
+
+ if ((key_usage & usage) != usage) {
+ return 0;
+ }
+
+ /*
+ * Common case: the key alg [or alg2] only allows alg.
+ * This will match PSA_ALG_RSA_PKCS1V15_CRYPT & PSA_ALG_IS_ECDH
+ * directly.
+ * This would also match ECDSA/RSA_PKCS1V15_SIGN/RSA_PSS with
+ * a fixed hash on key_alg [or key_alg2].
+ */
+ if (alg == key_alg) {
+ return 1;
+ }
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ if (alg == key_alg2) {
+ return 1;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+ /*
+ * If key_alg [or key_alg2] is a hash-and-sign with a wildcard for the hash,
+ * and alg is the same hash-and-sign family with any hash,
+ * then alg is compliant with this key alg
+ */
+ if (PSA_ALG_IS_SIGN_HASH(alg)) {
+ if (PSA_ALG_IS_SIGN_HASH(key_alg) &&
+ PSA_ALG_SIGN_GET_HASH(key_alg) == PSA_ALG_ANY_HASH &&
+ (alg & ~PSA_ALG_HASH_MASK) == (key_alg & ~PSA_ALG_HASH_MASK)) {
+ return 1;
+ }
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ if (PSA_ALG_IS_SIGN_HASH(key_alg2) &&
+ PSA_ALG_SIGN_GET_HASH(key_alg2) == PSA_ALG_ANY_HASH &&
+ (alg & ~PSA_ALG_HASH_MASK) == (key_alg2 & ~PSA_ALG_HASH_MASK)) {
+ return 1;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#if defined(MBEDTLS_RSA_C)
+static psa_algorithm_t psa_algorithm_for_rsa(const mbedtls_rsa_context *rsa,
+ int want_crypt)
+{
+ if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
+ if (want_crypt) {
+ mbedtls_md_type_t md_type = (mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa);
+ return PSA_ALG_RSA_OAEP(mbedtls_md_psa_alg_from_type(md_type));
+ } else {
+ return PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH);
+ }
+ } else {
+ if (want_crypt) {
+ return PSA_ALG_RSA_PKCS1V15_CRYPT;
+ } else {
+ return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH);
+ }
+ }
+}
+#endif /* MBEDTLS_RSA_C */
+
+int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
+ psa_key_usage_t usage,
+ psa_key_attributes_t *attributes)
+{
+ mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk);
+
+ psa_key_usage_t more_usage = usage;
+ if (usage == PSA_KEY_USAGE_SIGN_MESSAGE) {
+ more_usage |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+ } else if (usage == PSA_KEY_USAGE_SIGN_HASH) {
+ more_usage |= PSA_KEY_USAGE_VERIFY_HASH;
+ } else if (usage == PSA_KEY_USAGE_DECRYPT) {
+ more_usage |= PSA_KEY_USAGE_ENCRYPT;
+ }
+ more_usage |= PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY;
+
+ int want_private = !(usage == PSA_KEY_USAGE_VERIFY_MESSAGE ||
+ usage == PSA_KEY_USAGE_VERIFY_HASH ||
+ usage == PSA_KEY_USAGE_ENCRYPT);
+
+ switch (pk_type) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ int want_crypt = 0; /* 0: sign/verify; 1: encrypt/decrypt */
+ switch (usage) {
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ case PSA_KEY_USAGE_SIGN_HASH:
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ /* Nothing to do. */
+ break;
+ case PSA_KEY_USAGE_DECRYPT:
+ case PSA_KEY_USAGE_ENCRYPT:
+ want_crypt = 1;
+ break;
+ default:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ /* Detect the presence of a private key in a way that works both
+ * in CRT and non-CRT configurations. */
+ mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
+ int has_private = (mbedtls_rsa_check_privkey(rsa) == 0);
+ if (want_private && !has_private) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_set_key_type(attributes, (want_private ?
+ PSA_KEY_TYPE_RSA_KEY_PAIR :
+ PSA_KEY_TYPE_RSA_PUBLIC_KEY));
+ psa_set_key_bits(attributes, mbedtls_pk_get_bitlen(pk));
+ psa_set_key_algorithm(attributes,
+ psa_algorithm_for_rsa(rsa, want_crypt));
+ break;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+ int sign_ok = (pk_type != MBEDTLS_PK_ECKEY_DH);
+ int derive_ok = (pk_type != MBEDTLS_PK_ECDSA);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_ecc_family_t family = pk->ec_family;
+ size_t bits = pk->ec_bits;
+ int has_private = 0;
+ if (pk->priv_id != MBEDTLS_SVC_KEY_ID_INIT) {
+ has_private = 1;
+ }
+#else
+ const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk);
+ int has_private = (ec->d.n != 0);
+ size_t bits = 0;
+ psa_ecc_family_t family =
+ mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
+#endif
+ psa_algorithm_t alg = 0;
+ switch (usage) {
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ case PSA_KEY_USAGE_SIGN_HASH:
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ if (!sign_ok) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ alg = PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH);
+#else
+ alg = PSA_ALG_ECDSA(PSA_ALG_ANY_HASH);
+#endif
+ break;
+ case PSA_KEY_USAGE_DERIVE:
+ alg = PSA_ALG_ECDH;
+ if (!derive_ok) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ default:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ if (want_private && !has_private) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_set_key_type(attributes, (want_private ?
+ PSA_KEY_TYPE_ECC_KEY_PAIR(family) :
+ PSA_KEY_TYPE_ECC_PUBLIC_KEY(family)));
+ psa_set_key_bits(attributes, bits);
+ psa_set_key_algorithm(attributes, alg);
+ break;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+ case MBEDTLS_PK_RSA_ALT:
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ case MBEDTLS_PK_OPAQUE:
+ {
+ psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ status = psa_get_key_attributes(pk->priv_id, &old_attributes);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_key_type_t old_type = psa_get_key_type(&old_attributes);
+ switch (usage) {
+ case PSA_KEY_USAGE_SIGN_MESSAGE:
+ case PSA_KEY_USAGE_SIGN_HASH:
+ case PSA_KEY_USAGE_VERIFY_MESSAGE:
+ case PSA_KEY_USAGE_VERIFY_HASH:
+ if (!(PSA_KEY_TYPE_IS_ECC_KEY_PAIR(old_type) ||
+ old_type == PSA_KEY_TYPE_RSA_KEY_PAIR)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ case PSA_KEY_USAGE_DECRYPT:
+ case PSA_KEY_USAGE_ENCRYPT:
+ if (old_type != PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ case PSA_KEY_USAGE_DERIVE:
+ if (!(PSA_KEY_TYPE_IS_ECC_KEY_PAIR(old_type))) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ break;
+ default:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_key_type_t new_type = old_type;
+ /* Opaque keys are always key pairs, so we don't need a check
+ * on the input if the required usage is private. We just need
+ * to adjust the type correctly if the required usage is public. */
+ if (!want_private) {
+ new_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(new_type);
+ }
+ more_usage = psa_get_key_usage_flags(&old_attributes);
+ if ((usage & more_usage) == 0) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ psa_set_key_type(attributes, new_type);
+ psa_set_key_bits(attributes, psa_get_key_bits(&old_attributes));
+ psa_set_key_algorithm(attributes, psa_get_key_algorithm(&old_attributes));
+ break;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ default:
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_usage_flags(attributes, more_usage);
+ /* Key's enrollment is available only when an Mbed TLS implementation of PSA
+ * Crypto is being used, i.e. when MBEDTLS_PSA_CRYPTO_C is defined.
+ * Even though we don't officially support using other implementations of PSA
+ * Crypto with TLS and X.509 (yet), we try to keep vendor's customizations
+ * separated. */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_set_key_enrollment_algorithm(attributes, PSA_ALG_NONE);
+#endif
+
+ return 0;
+}
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) || defined(MBEDTLS_USE_PSA_CRYPTO)
+static psa_status_t export_import_into_psa(mbedtls_svc_key_id_t old_key_id,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *new_key_id)
+{
+ unsigned char key_buffer[PSA_EXPORT_KEY_PAIR_MAX_SIZE];
+ size_t key_length = 0;
+ psa_status_t status = psa_export_key(old_key_id,
+ key_buffer, sizeof(key_buffer),
+ &key_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_import_key(attributes, key_buffer, key_length, new_key_id);
+ mbedtls_platform_zeroize(key_buffer, key_length);
+ return status;
+}
+
+static int copy_into_psa(mbedtls_svc_key_id_t old_key_id,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *new_key_id)
+{
+ /* Normally, we prefer copying: it's more efficient and works even
+ * for non-exportable keys. */
+ psa_status_t status = psa_copy_key(old_key_id, attributes, new_key_id);
+ if (status == PSA_ERROR_NOT_PERMITTED /*missing COPY usage*/ ||
+ status == PSA_ERROR_INVALID_ARGUMENT /*incompatible policy*/) {
+ /* There are edge cases where copying won't work, but export+import
+ * might:
+ * - If the old key does not allow PSA_KEY_USAGE_COPY.
+ * - If the old key's usage does not allow what attributes wants.
+ * Because the key was intended for use in the pk module, and may
+ * have had a policy chosen solely for what pk needs rather than
+ * based on a detailed understanding of PSA policies, we are a bit
+ * more liberal than psa_copy_key() here.
+ */
+ /* Here we need to check that the types match, otherwise we risk
+ * importing nonsensical data. */
+ psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ status = psa_get_key_attributes(old_key_id, &old_attributes);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_key_type_t old_type = psa_get_key_type(&old_attributes);
+ psa_reset_key_attributes(&old_attributes);
+ if (old_type != psa_get_key_type(attributes)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ status = export_import_into_psa(old_key_id, attributes, new_key_id);
+ }
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_USE_PSA_CRYPTO */
+
+static int import_pair_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id)
+{
+ switch (mbedtls_pk_get_type(pk)) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ if (psa_get_key_type(attributes) != PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ unsigned char key_buffer[
+ PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)];
+ unsigned char *const key_end = key_buffer + sizeof(key_buffer);
+ unsigned char *key_data = key_end;
+ int ret = mbedtls_rsa_write_key(mbedtls_pk_rsa(*pk),
+ key_buffer, &key_data);
+ if (ret < 0) {
+ return ret;
+ }
+ size_t key_length = key_end - key_data;
+ ret = PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes,
+ key_data, key_length,
+ key_id));
+ mbedtls_platform_zeroize(key_data, key_length);
+ return ret;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+ /* We need to check the curve family, otherwise the import could
+ * succeed with nonsensical data.
+ * We don't check the bit-size: it's optional in attributes,
+ * and if it's specified, psa_import_key() will know from the key
+ * data length and will check that the bit-size matches. */
+ psa_key_type_t to_type = psa_get_key_type(attributes);
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_ecc_family_t from_family = pk->ec_family;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk);
+ size_t from_bits = 0;
+ psa_ecc_family_t from_family = mbedtls_ecc_group_to_psa(ec->grp.id,
+ &from_bits);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ if (to_type != PSA_KEY_TYPE_ECC_KEY_PAIR(from_family)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ if (mbedtls_svc_key_id_is_null(pk->priv_id)) {
+ /* We have a public key and want a key pair. */
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ return copy_into_psa(pk->priv_id, attributes, key_id);
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ if (ec->d.n == 0) {
+ /* Private key not set. Assume the input is a public key only.
+ * (The other possibility is that it's an incomplete object
+ * where the group is set but neither the public key nor
+ * the private key. This is not possible through ecp.h
+ * functions, so we don't bother reporting a more suitable
+ * error in that case.) */
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ unsigned char key_buffer[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t key_length = 0;
+ int ret = mbedtls_ecp_write_key_ext(ec, &key_length,
+ key_buffer, sizeof(key_buffer));
+ if (ret < 0) {
+ return ret;
+ }
+ ret = PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes,
+ key_buffer, key_length,
+ key_id));
+ mbedtls_platform_zeroize(key_buffer, key_length);
+ return ret;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ case MBEDTLS_PK_OPAQUE:
+ return copy_into_psa(pk->priv_id, attributes, key_id);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ default:
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+}
+
+static int import_public_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id)
+{
+ psa_key_type_t psa_type = psa_get_key_type(attributes);
+
+#if defined(MBEDTLS_RSA_C) || \
+ (defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_PK_USE_PSA_EC_DATA)) || \
+ defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char key_buffer[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+#endif
+ unsigned char *key_data = NULL;
+ size_t key_length = 0;
+
+ switch (mbedtls_pk_get_type(pk)) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_PK_RSA:
+ {
+ if (psa_type != PSA_KEY_TYPE_RSA_PUBLIC_KEY) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ unsigned char *const key_end = key_buffer + sizeof(key_buffer);
+ key_data = key_end;
+ int ret = mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(*pk),
+ key_buffer, &key_data);
+ if (ret < 0) {
+ return ret;
+ }
+ key_length = (size_t) ret;
+ break;
+ }
+#endif /*MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ {
+ /* We need to check the curve family, otherwise the import could
+ * succeed with nonsensical data.
+ * We don't check the bit-size: it's optional in attributes,
+ * and if it's specified, psa_import_key() will know from the key
+ * data length and will check that the bit-size matches. */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ if (psa_type != PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ key_data = (unsigned char *) pk->pub_raw;
+ key_length = pk->pub_raw_len;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk);
+ size_t from_bits = 0;
+ psa_ecc_family_t from_family = mbedtls_ecc_group_to_psa(ec->grp.id,
+ &from_bits);
+ if (psa_type != PSA_KEY_TYPE_ECC_PUBLIC_KEY(from_family)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ int ret = mbedtls_ecp_write_public_key(
+ ec, MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &key_length, key_buffer, sizeof(key_buffer));
+ if (ret < 0) {
+ return ret;
+ }
+ key_data = key_buffer;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ break;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ case MBEDTLS_PK_OPAQUE:
+ {
+ psa_key_attributes_t old_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status =
+ psa_get_key_attributes(pk->priv_id, &old_attributes);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_key_type_t old_type = psa_get_key_type(&old_attributes);
+ psa_reset_key_attributes(&old_attributes);
+ if (psa_type != PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(old_type)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ status = psa_export_public_key(pk->priv_id,
+ key_buffer, sizeof(key_buffer),
+ &key_length);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+ key_data = key_buffer;
+ break;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ default:
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ return PSA_PK_TO_MBEDTLS_ERR(psa_import_key(attributes,
+ key_data, key_length,
+ key_id));
+}
+
+int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
+ const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key_id)
+{
+ /* Set the output immediately so that it won't contain garbage even
+ * if we error out before calling psa_import_key(). */
+ *key_id = MBEDTLS_SVC_KEY_ID_INIT;
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA_ALT) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+ int want_public = PSA_KEY_TYPE_IS_PUBLIC_KEY(psa_get_key_type(attributes));
+ if (want_public) {
+ return import_public_into_psa(pk, attributes, key_id);
+ } else {
+ return import_pair_into_psa(pk, attributes, key_id);
+ }
+}
+
+static int copy_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk,
+ int public_only)
+{
+ psa_status_t status;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t key_type;
+ psa_algorithm_t alg_type;
+ size_t key_bits;
+ /* Use a buffer size large enough to contain either a key pair or public key. */
+ unsigned char exp_key[PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE];
+ size_t exp_key_len;
+ int ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+
+ if (pk == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ status = psa_get_key_attributes(key_id, &key_attr);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (public_only) {
+ status = psa_export_public_key(key_id, exp_key, sizeof(exp_key), &exp_key_len);
+ } else {
+ status = psa_export_key(key_id, exp_key, sizeof(exp_key), &exp_key_len);
+ }
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ key_type = psa_get_key_type(&key_attr);
+ if (public_only) {
+ key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(key_type);
+ }
+ key_bits = psa_get_key_bits(&key_attr);
+ alg_type = psa_get_key_algorithm(&key_attr);
+
+#if defined(MBEDTLS_RSA_C)
+ if ((key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) ||
+ (key_type == PSA_KEY_TYPE_RSA_PUBLIC_KEY)) {
+
+ ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), exp_key, exp_key_len);
+ } else {
+ ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), exp_key, exp_key_len);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+ mbedtls_md_type_t md_type = MBEDTLS_MD_NONE;
+ if (PSA_ALG_GET_HASH(alg_type) != PSA_ALG_ANY_HASH) {
+ md_type = mbedtls_md_type_from_psa_alg(alg_type);
+ }
+
+ if (PSA_ALG_IS_RSA_OAEP(alg_type) || PSA_ALG_IS_RSA_PSS(alg_type)) {
+ ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(*pk), MBEDTLS_RSA_PKCS_V21, md_type);
+ } else if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg_type) ||
+ alg_type == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+ ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(*pk), MBEDTLS_RSA_PKCS_V15, md_type);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ||
+ PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type)) {
+ mbedtls_ecp_group_id grp_id;
+
+ ret = mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
+ if (ret != 0) {
+ goto exit;
+ }
+
+ grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(key_type), key_bits);
+ ret = mbedtls_pk_ecc_set_group(pk, grp_id);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) {
+ ret = mbedtls_pk_ecc_set_key(pk, exp_key, exp_key_len);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_pk_ecc_set_pubkey_from_prv(pk, exp_key, exp_key_len,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ } else {
+ ret = mbedtls_pk_ecc_set_pubkey(pk, exp_key, exp_key_len);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+exit:
+ psa_reset_key_attributes(&key_attr);
+ mbedtls_platform_zeroize(exp_key, sizeof(exp_key));
+
+ return ret;
+}
+
+int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk)
+{
+ return copy_from_psa(key_id, pk, 0);
+}
+
+int mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_t key_id,
+ mbedtls_pk_context *pk)
+{
+ return copy_from_psa(key_id, pk, 1);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+/*
+ * Helper for mbedtls_pk_sign and mbedtls_pk_verify
+ */
+static inline int pk_hashlen_helper(mbedtls_md_type_t md_alg, size_t *hash_len)
+{
+ if (*hash_len != 0) {
+ return 0;
+ }
+
+ *hash_len = mbedtls_md_get_size_from_type(md_alg);
+
+ if (*hash_len == 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Helper to set up a restart context if needed
+ */
+static int pk_restart_setup(mbedtls_pk_restart_ctx *ctx,
+ const mbedtls_pk_info_t *info)
+{
+ /* Don't do anything if already set up or invalid */
+ if (ctx == NULL || ctx->pk_info != NULL) {
+ return 0;
+ }
+
+ /* Should never happen when we're called */
+ if (info->rs_alloc_func == NULL || info->rs_free_func == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if ((ctx->rs_ctx = info->rs_alloc_func()) == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ ctx->pk_info = info;
+
+ return 0;
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Verify a signature (restartable)
+ */
+int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ mbedtls_pk_restart_ctx *rs_ctx)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info == NULL ||
+ pk_hashlen_helper(md_alg, &hash_len) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /* optimization: use non-restartable version if restart disabled */
+ if (rs_ctx != NULL &&
+ mbedtls_ecp_restart_is_enabled() &&
+ ctx->pk_info->verify_rs_func != NULL) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
+ return ret;
+ }
+
+ ret = ctx->pk_info->verify_rs_func(ctx,
+ md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx);
+
+ if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ mbedtls_pk_restart_free(rs_ctx);
+ }
+
+ return ret;
+ }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+ if (ctx->pk_info->verify_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ return ctx->pk_info->verify_func(ctx, md_alg, hash, hash_len,
+ sig, sig_len);
+}
+
+/*
+ * Verify a signature
+ */
+int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ return mbedtls_pk_verify_restartable(ctx, md_alg, hash, hash_len,
+ sig, sig_len, NULL);
+}
+
+/*
+ * Verify a signature with options
+ */
+int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
+ mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (!mbedtls_pk_can_do(ctx, type)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ if (type != MBEDTLS_PK_RSASSA_PSS) {
+ /* General case: no options */
+ if (options != NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_pk_verify(ctx, md_alg, hash, hash_len, sig, sig_len);
+ }
+
+ /* Ensure the PK context is of the right type otherwise mbedtls_pk_rsa()
+ * below would return a NULL pointer. */
+ if (mbedtls_pk_get_type(ctx) != MBEDTLS_PK_RSA) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_pk_rsassa_pss_options *pss_opts;
+
+#if SIZE_MAX > UINT_MAX
+ if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ if (options == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (pss_opts->mgf1_hash_id == md_alg) {
+ unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
+ unsigned char *p;
+ int key_len;
+ size_t signature_length;
+ psa_status_t status = PSA_ERROR_DATA_CORRUPT;
+ psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT;
+
+ psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t psa_sig_alg = PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg);
+ p = buf + sizeof(buf);
+ key_len = mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(*ctx), buf, &p);
+
+ if (key_len < 0) {
+ return key_len;
+ }
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, psa_sig_alg);
+
+ status = psa_import_key(&attributes,
+ buf + sizeof(buf) - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ psa_destroy_key(key_id);
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
+ * on a valid signature with trailing data in a buffer, but
+ * mbedtls_psa_rsa_verify_hash requires the sig_len to be exact,
+ * so for this reason the passed sig_len is overwritten. Smaller
+ * signature lengths should not be accepted for verification. */
+ signature_length = sig_len > mbedtls_pk_get_len(ctx) ?
+ mbedtls_pk_get_len(ctx) : sig_len;
+ status = psa_verify_hash(key_id, psa_sig_alg, hash,
+ hash_len, sig, signature_length);
+ destruction_status = psa_destroy_key(key_id);
+
+ if (status == PSA_SUCCESS && sig_len > mbedtls_pk_get_len(ctx)) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ if (status == PSA_SUCCESS) {
+ status = destruction_status;
+ }
+
+ return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ if (sig_len < mbedtls_pk_get_len(ctx)) {
+ return MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ }
+
+ ret = mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_pk_rsa(*ctx),
+ md_alg, (unsigned int) hash_len, hash,
+ pss_opts->mgf1_hash_id,
+ pss_opts->expected_salt_len,
+ sig);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (sig_len > mbedtls_pk_get_len(ctx)) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ return 0;
+ }
+#else
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
+}
+
+/*
+ * Make a signature (restartable)
+ */
+int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_pk_restart_ctx *rs_ctx)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hash_len != 0) && hash == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info == NULL || pk_hashlen_helper(md_alg, &hash_len) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /* optimization: use non-restartable version if restart disabled */
+ if (rs_ctx != NULL &&
+ mbedtls_ecp_restart_is_enabled() &&
+ ctx->pk_info->sign_rs_func != NULL) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = pk_restart_setup(rs_ctx, ctx->pk_info)) != 0) {
+ return ret;
+ }
+
+ ret = ctx->pk_info->sign_rs_func(ctx, md_alg,
+ hash, hash_len,
+ sig, sig_size, sig_len,
+ f_rng, p_rng, rs_ctx->rs_ctx);
+
+ if (ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ mbedtls_pk_restart_free(rs_ctx);
+ }
+
+ return ret;
+ }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+ if (ctx->pk_info->sign_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ return ctx->pk_info->sign_func(ctx, md_alg,
+ hash, hash_len,
+ sig, sig_size, sig_len,
+ f_rng, p_rng);
+}
+
+/*
+ * Make a signature
+ */
+int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ return mbedtls_pk_sign_restartable(ctx, md_alg, hash, hash_len,
+ sig, sig_size, sig_len,
+ f_rng, p_rng, NULL);
+}
+
+/*
+ * Make a signature given a signature type.
+ */
+int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
+ mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (!mbedtls_pk_can_do(ctx, pk_type)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ if (pk_type != MBEDTLS_PK_RSASSA_PSS) {
+ return mbedtls_pk_sign(ctx, md_alg, hash, hash_len,
+ sig, sig_size, sig_len, f_rng, p_rng);
+ }
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ const psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
+ if (psa_md_alg == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) {
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t psa_alg, sign_alg;
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_algorithm_t psa_enrollment_alg;
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+ psa_status_t status;
+
+ status = psa_get_key_attributes(ctx->priv_id, &key_attr);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ }
+ psa_alg = psa_get_key_algorithm(&key_attr);
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ psa_enrollment_alg = psa_get_key_enrollment_algorithm(&key_attr);
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+ psa_reset_key_attributes(&key_attr);
+
+ /* Since we're PK type is MBEDTLS_PK_RSASSA_PSS at least one between
+ * alg and enrollment alg should be of type RSA_PSS. */
+ if (PSA_ALG_IS_RSA_PSS(psa_alg)) {
+ sign_alg = psa_alg;
+ }
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ else if (PSA_ALG_IS_RSA_PSS(psa_enrollment_alg)) {
+ sign_alg = psa_enrollment_alg;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+ else {
+ /* The opaque key has no RSA PSS algorithm associated. */
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ /* Adjust the hashing algorithm. */
+ sign_alg = (sign_alg & ~PSA_ALG_HASH_MASK) | PSA_ALG_GET_HASH(psa_md_alg);
+
+ status = psa_sign_hash(ctx->priv_id, sign_alg,
+ hash, hash_len,
+ sig, sig_size, sig_len);
+ return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ }
+
+ return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PSS(psa_md_alg),
+ ctx->pk_ctx, hash, hash_len,
+ sig, sig_size, sig_len);
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (sig_size < mbedtls_pk_get_len(ctx)) {
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+
+ if (pk_hashlen_helper(md_alg, &hash_len) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ mbedtls_rsa_context *const rsa_ctx = mbedtls_pk_rsa(*ctx);
+
+ const int ret = mbedtls_rsa_rsassa_pss_sign_no_mode_check(rsa_ctx, f_rng, p_rng, md_alg,
+ (unsigned int) hash_len, hash, sig);
+ if (ret == 0) {
+ *sig_len = rsa_ctx->len;
+ }
+ return ret;
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#else
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
+}
+
+/*
+ * Decrypt message
+ */
+int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info->decrypt_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ return ctx->pk_info->decrypt_func(ctx, input, ilen,
+ output, olen, osize, f_rng, p_rng);
+}
+
+/*
+ * Encrypt message
+ */
+int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info->encrypt_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ return ctx->pk_info->encrypt_func(ctx, input, ilen,
+ output, olen, osize, f_rng, p_rng);
+}
+
+/*
+ * Check public-private key pair
+ */
+int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
+ const mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ if (pub->pk_info == NULL ||
+ prv->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (prv->pk_info->check_pair_func == NULL) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ if (prv->pk_info->type == MBEDTLS_PK_RSA_ALT) {
+ if (pub->pk_info->type != MBEDTLS_PK_RSA) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ } else {
+ if ((prv->pk_info->type != MBEDTLS_PK_OPAQUE) &&
+ (pub->pk_info != prv->pk_info)) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+ }
+
+ return prv->pk_info->check_pair_func((mbedtls_pk_context *) pub,
+ (mbedtls_pk_context *) prv,
+ f_rng, p_rng);
+}
+
+/*
+ * Get key size in bits
+ */
+size_t mbedtls_pk_get_bitlen(const mbedtls_pk_context *ctx)
+{
+ /* For backward compatibility, accept NULL or a context that
+ * isn't set up yet, and return a fake value that should be safe. */
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return 0;
+ }
+
+ return ctx->pk_info->get_bitlen((mbedtls_pk_context *) ctx);
+}
+
+/*
+ * Export debug information
+ */
+int mbedtls_pk_debug(const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items)
+{
+ if (ctx->pk_info == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (ctx->pk_info->debug_func == NULL) {
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
+
+ ctx->pk_info->debug_func((mbedtls_pk_context *) ctx, items);
+ return 0;
+}
+
+/*
+ * Access the PK type name
+ */
+const char *mbedtls_pk_get_name(const mbedtls_pk_context *ctx)
+{
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return "invalid PK";
+ }
+
+ return ctx->pk_info->name;
+}
+
+/*
+ * Access the PK type
+ */
+mbedtls_pk_type_t mbedtls_pk_get_type(const mbedtls_pk_context *ctx)
+{
+ if (ctx == NULL || ctx->pk_info == NULL) {
+ return MBEDTLS_PK_NONE;
+ }
+
+ return ctx->pk_info->type;
+}
+
+#endif /* MBEDTLS_PK_C */
diff --git a/library/pk_ecc.c b/library/pk_ecc.c
new file mode 100644
index 0000000..86218ff
--- /dev/null
+++ b/library/pk_ecc.c
@@ -0,0 +1,255 @@
+/*
+ * ECC setters for PK.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#include "mbedtls/pk.h"
+#include "mbedtls/error.h"
+#include "mbedtls/ecp.h"
+#include "pk_internal.h"
+
+#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+
+int mbedtls_pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ size_t ec_bits;
+ psa_ecc_family_t ec_family = mbedtls_ecc_group_to_psa(grp_id, &ec_bits);
+
+ /* group may already be initialized; if so, make sure IDs match */
+ if ((pk->ec_family != 0 && pk->ec_family != ec_family) ||
+ (pk->ec_bits != 0 && pk->ec_bits != ec_bits)) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ /* set group */
+ pk->ec_family = ec_family;
+ pk->ec_bits = ec_bits;
+
+ return 0;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk);
+
+ /* grp may already be initialized; if so, make sure IDs match */
+ if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE &&
+ mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ /* set group */
+ return mbedtls_ecp_group_load(&(ecp->grp), grp_id);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+int mbedtls_pk_ecc_set_key(mbedtls_pk_context *pk, unsigned char *key, size_t key_len)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_usage_t flags;
+ psa_status_t status;
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
+ if (pk->ec_family == PSA_ECC_FAMILY_MONTGOMERY) {
+ /* Do not set algorithm here because Montgomery keys cannot do ECDSA and
+ * the PK module cannot do ECDH. When the key will be used in TLS for
+ * ECDH, it will be exported and then re-imported with proper flags
+ * and algorithm. */
+ flags = PSA_KEY_USAGE_EXPORT;
+ } else {
+ psa_set_key_algorithm(&attributes,
+ MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH));
+ flags = PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE |
+ PSA_KEY_USAGE_EXPORT;
+ }
+ psa_set_key_usage_flags(&attributes, flags);
+
+ status = psa_import_key(&attributes, key, key_len, &pk->priv_id);
+ return psa_pk_status_to_mbedtls(status);
+
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+ mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk);
+ int ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, key_len);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+ return 0;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+int mbedtls_pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk,
+ const unsigned char *prv, size_t prv_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+
+ (void) f_rng;
+ (void) p_rng;
+ (void) prv;
+ (void) prv_len;
+ psa_status_t status;
+
+ status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw),
+ &pk->pub_raw_len);
+ return psa_pk_status_to_mbedtls(status);
+
+#elif defined(MBEDTLS_USE_PSA_CRYPTO) /* && !MBEDTLS_PK_USE_PSA_EC_DATA */
+
+ (void) f_rng;
+ (void) p_rng;
+ psa_status_t status;
+
+ mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ size_t curve_bits;
+ psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits);
+
+ /* Import private key into PSA, from serialized input */
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
+ status = psa_import_key(&key_attr, prv, prv_len, &key_id);
+ if (status != PSA_SUCCESS) {
+ return psa_pk_status_to_mbedtls(status);
+ }
+
+ /* Export public key from PSA */
+ unsigned char pub[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t pub_len;
+ status = psa_export_public_key(key_id, pub, sizeof(pub), &pub_len);
+ psa_status_t destruction_status = psa_destroy_key(key_id);
+ if (status != PSA_SUCCESS) {
+ return psa_pk_status_to_mbedtls(status);
+ } else if (destruction_status != PSA_SUCCESS) {
+ return psa_pk_status_to_mbedtls(destruction_status);
+ }
+
+ /* Load serialized public key into ecp_keypair structure */
+ return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, pub, pub_len);
+
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+ (void) prv;
+ (void) prv_len;
+
+ mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ return mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng);
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+}
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/*
+ * Set the public key: fallback using ECP_LIGHT in the USE_PSA_EC_DATA case.
+ *
+ * Normally, when MBEDTLS_PK_USE_PSA_EC_DATA is enabled, we only use PSA
+ * functions to handle keys. However, currently psa_import_key() does not
+ * support compressed points. In case that support was explicitly requested,
+ * this fallback uses ECP functions to get the job done. This is the reason
+ * why MBEDTLS_PK_PARSE_EC_COMPRESSED auto-enables MBEDTLS_ECP_LIGHT.
+ *
+ * [in/out] pk: in: must have the group set, see mbedtls_pk_ecc_set_group().
+ * out: will have the public key set.
+ * [in] pub, pub_len: the public key as an ECPoint,
+ * in any format supported by ECP.
+ *
+ * Return:
+ * - 0 on success;
+ * - MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the format is potentially valid
+ * but not supported;
+ * - another error code otherwise.
+ */
+static int pk_ecc_set_pubkey_psa_ecp_fallback(mbedtls_pk_context *pk,
+ const unsigned char *pub,
+ size_t pub_len)
+{
+#if !defined(MBEDTLS_PK_PARSE_EC_COMPRESSED)
+ (void) pk;
+ (void) pub;
+ (void) pub_len;
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
+ mbedtls_ecp_keypair ecp_key;
+ mbedtls_ecp_group_id ecp_group_id;
+ int ret;
+
+ ecp_group_id = mbedtls_ecc_group_from_psa(pk->ec_family, pk->ec_bits);
+
+ mbedtls_ecp_keypair_init(&ecp_key);
+ ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q,
+ pub, pub_len);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &pk->pub_raw_len, pk->pub_raw,
+ sizeof(pk->pub_raw));
+
+exit:
+ mbedtls_ecp_keypair_free(&ecp_key);
+ return ret;
+#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+int mbedtls_pk_ecc_set_pubkey(mbedtls_pk_context *pk, const unsigned char *pub, size_t pub_len)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+
+ /* Load the key */
+ if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(pk->ec_family) || *pub == 0x04) {
+ /* Format directly supported by PSA:
+ * - non-Weierstrass curves that only have one format;
+ * - uncompressed format for Weierstrass curves. */
+ if (pub_len > sizeof(pk->pub_raw)) {
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+ memcpy(pk->pub_raw, pub, pub_len);
+ pk->pub_raw_len = pub_len;
+ } else {
+ /* Other format, try the fallback */
+ int ret = pk_ecc_set_pubkey_psa_ecp_fallback(pk, pub, pub_len);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ /* Validate the key by trying to import it */
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;
+
+ psa_set_key_usage_flags(&key_attrs, 0);
+ psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family));
+ psa_set_key_bits(&key_attrs, pk->ec_bits);
+
+ if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len,
+ &key_id) != PSA_SUCCESS) ||
+ (psa_destroy_key(key_id) != PSA_SUCCESS)) {
+ return MBEDTLS_ERR_PK_INVALID_PUBKEY;
+ }
+
+ return 0;
+
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+ int ret;
+ mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q, pub, pub_len);
+ if (ret != 0) {
+ return ret;
+ }
+ return mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q);
+
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+#endif /* MBEDTLS_PK_C && MBEDTLS_PK_HAVE_ECC_KEYS */
diff --git a/library/pk_internal.h b/library/pk_internal.h
new file mode 100644
index 0000000..e86a3a0
--- /dev/null
+++ b/library/pk_internal.h
@@ -0,0 +1,207 @@
+/**
+ * \file pk_internal.h
+ *
+ * \brief Public Key abstraction layer: internal (i.e. library only) functions
+ * and definitions.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_PK_INTERNAL_H
+#define MBEDTLS_PK_INTERNAL_H
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+#include "psa/crypto.h"
+
+#include "psa_util_internal.h"
+#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
+#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
+ psa_to_pk_rsa_errors, \
+ psa_pk_status_to_mbedtls)
+#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
+ psa_to_pk_ecdsa_errors, \
+ psa_pk_status_to_mbedtls)
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+/* Headers/footers for PEM files */
+#define PEM_BEGIN_PUBLIC_KEY "-----BEGIN PUBLIC KEY-----"
+#define PEM_END_PUBLIC_KEY "-----END PUBLIC KEY-----"
+#define PEM_BEGIN_PRIVATE_KEY_RSA "-----BEGIN RSA PRIVATE KEY-----"
+#define PEM_END_PRIVATE_KEY_RSA "-----END RSA PRIVATE KEY-----"
+#define PEM_BEGIN_PUBLIC_KEY_RSA "-----BEGIN RSA PUBLIC KEY-----"
+#define PEM_END_PUBLIC_KEY_RSA "-----END RSA PUBLIC KEY-----"
+#define PEM_BEGIN_PRIVATE_KEY_EC "-----BEGIN EC PRIVATE KEY-----"
+#define PEM_END_PRIVATE_KEY_EC "-----END EC PRIVATE KEY-----"
+#define PEM_BEGIN_PRIVATE_KEY_PKCS8 "-----BEGIN PRIVATE KEY-----"
+#define PEM_END_PRIVATE_KEY_PKCS8 "-----END PRIVATE KEY-----"
+#define PEM_BEGIN_ENCRYPTED_PRIVATE_KEY_PKCS8 "-----BEGIN ENCRYPTED PRIVATE KEY-----"
+#define PEM_END_ENCRYPTED_PRIVATE_KEY_PKCS8 "-----END ENCRYPTED PRIVATE KEY-----"
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/**
+ * Public function mbedtls_pk_ec() can be used to get direct access to the
+ * wrapped ecp_keypair structure pointed to the pk_ctx. However this is not
+ * ideal because it bypasses the PK module on the control of its internal
+ * structure (pk_context) fields.
+ * For backward compatibility we keep mbedtls_pk_ec() when ECP_C is defined, but
+ * we provide 2 very similar functions when only ECP_LIGHT is enabled and not
+ * ECP_C.
+ * These variants embed the "ro" or "rw" keywords in their name to make the
+ * usage of the returned pointer explicit. Of course the returned value is
+ * const or non-const accordingly.
+ */
+static inline const mbedtls_ecp_keypair *mbedtls_pk_ec_ro(const mbedtls_pk_context pk)
+{
+ switch (mbedtls_pk_get_type(&pk)) {
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ return (const mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
+ default:
+ return NULL;
+ }
+}
+
+static inline mbedtls_ecp_keypair *mbedtls_pk_ec_rw(const mbedtls_pk_context pk)
+{
+ switch (mbedtls_pk_get_type(&pk)) {
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
+ default:
+ return NULL;
+ }
+}
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_PK_USE_PSA_EC_DATA */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+static inline mbedtls_ecp_group_id mbedtls_pk_get_ec_group_id(const mbedtls_pk_context *pk)
+{
+ mbedtls_ecp_group_id id;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t opaque_key_type;
+ psa_ecc_family_t curve;
+
+ if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
+ return MBEDTLS_ECP_DP_NONE;
+ }
+ opaque_key_type = psa_get_key_type(&opaque_attrs);
+ curve = PSA_KEY_TYPE_ECC_GET_FAMILY(opaque_key_type);
+ id = mbedtls_ecc_group_from_psa(curve, psa_get_key_bits(&opaque_attrs));
+ psa_reset_key_attributes(&opaque_attrs);
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ id = mbedtls_ecc_group_from_psa(pk->ec_family, pk->ec_bits);
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ id = mbedtls_pk_ec_ro(*pk)->grp.id;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ }
+
+ return id;
+}
+
+/* Helper for Montgomery curves */
+#if defined(MBEDTLS_ECP_HAVE_CURVE25519) || defined(MBEDTLS_ECP_HAVE_CURVE448)
+#define MBEDTLS_PK_HAVE_RFC8410_CURVES
+#endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */
+
+#define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \
+ ((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448))
+
+static inline int mbedtls_pk_is_rfc8410(const mbedtls_pk_context *pk)
+{
+ mbedtls_ecp_group_id id = mbedtls_pk_get_ec_group_id(pk);
+
+ return MBEDTLS_PK_IS_RFC8410_GROUP_ID(id);
+}
+
+/*
+ * Set the group used by this key.
+ *
+ * [in/out] pk: in: must have been pk_setup() to an ECC type
+ * out: will have group (curve) information set
+ * [in] grp_in: a supported group ID (not NONE)
+ */
+int mbedtls_pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id);
+
+/*
+ * Set the private key material
+ *
+ * [in/out] pk: in: must have the group set already, see mbedtls_pk_ecc_set_group().
+ * out: will have the private key set.
+ * [in] key, key_len: the raw private key (no ASN.1 wrapping).
+ */
+int mbedtls_pk_ecc_set_key(mbedtls_pk_context *pk, unsigned char *key, size_t key_len);
+
+/*
+ * Set the public key.
+ *
+ * [in/out] pk: in: must have its group set, see mbedtls_pk_ecc_set_group().
+ * out: will have the public key set.
+ * [in] pub, pub_len: the raw public key (an ECPoint).
+ *
+ * Return:
+ * - 0 on success;
+ * - MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the format is potentially valid
+ * but not supported;
+ * - another error code otherwise.
+ */
+int mbedtls_pk_ecc_set_pubkey(mbedtls_pk_context *pk, const unsigned char *pub, size_t pub_len);
+
+/*
+ * Derive a public key from its private counterpart.
+ * Computationally intensive, only use when public key is not available.
+ *
+ * [in/out] pk: in: must have the private key set, see mbedtls_pk_ecc_set_key().
+ * out: will have the public key set.
+ * [in] prv, prv_len: the raw private key (see note below).
+ * [in] f_rng, p_rng: RNG function and context.
+ *
+ * Note: the private key information is always available from pk,
+ * however for convenience the serialized version is also passed,
+ * as it's available at each calling site, and useful in some configs
+ * (as otherwise we would have to re-serialize it from the pk context).
+ *
+ * There are three implementations of this function:
+ * 1. MBEDTLS_PK_USE_PSA_EC_DATA,
+ * 2. MBEDTLS_USE_PSA_CRYPTO but not MBEDTLS_PK_USE_PSA_EC_DATA,
+ * 3. not MBEDTLS_USE_PSA_CRYPTO.
+ */
+int mbedtls_pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk,
+ const unsigned char *prv, size_t prv_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/* Helper for (deterministic) ECDSA */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#define MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET PSA_ALG_DETERMINISTIC_ECDSA
+#else
+#define MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET PSA_ALG_ECDSA
+#endif
+
+#if defined(MBEDTLS_TEST_HOOKS)
+MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
+ mbedtls_pk_context *pk,
+ unsigned char *key, size_t keylen,
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+#endif
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n);
+#endif
+
+#endif /* MBEDTLS_PK_INTERNAL_H */
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
new file mode 100644
index 0000000..19196b5
--- /dev/null
+++ b/library/pk_wrap.c
@@ -0,0 +1,1584 @@
+/*
+ * Public Key abstraction layer: wrapper functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PK_C)
+#include "pk_wrap.h"
+#include "pk_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/psa_util.h"
+
+/* Even if RSA not activated, for the sake of RSA-alt */
+#include "mbedtls/rsa.h"
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa_util_internal.h"
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "pkwrite.h"
+#include "rsa_internal.h"
+#endif
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+#include "mbedtls/asn1write.h"
+#include "mbedtls/asn1.h"
+#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#include "mbedtls/platform.h"
+
+#include <limits.h>
+#include <stdint.h>
+#include <string.h>
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_RSA ||
+ type == MBEDTLS_PK_RSASSA_PSS;
+}
+
+static size_t rsa_get_bitlen(mbedtls_pk_context *pk)
+{
+ const mbedtls_rsa_context *rsa = (const mbedtls_rsa_context *) pk->pk_ctx;
+ return mbedtls_rsa_get_bitlen(rsa);
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_status_t status;
+ int key_len;
+ unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
+ unsigned char *p = buf + sizeof(buf);
+ psa_algorithm_t psa_alg_md;
+ size_t rsa_len = mbedtls_rsa_get_len(rsa);
+
+#if SIZE_MAX > UINT_MAX
+ if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
+ psa_alg_md = PSA_ALG_RSA_PSS(mbedtls_md_psa_alg_from_type(md_alg));
+ } else {
+ psa_alg_md = PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_md_psa_alg_from_type(md_alg));
+ }
+
+ if (sig_len < rsa_len) {
+ return MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ }
+
+ key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
+ if (key_len <= 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, psa_alg_md);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
+
+ status = psa_import_key(&attributes,
+ buf + sizeof(buf) - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len,
+ sig, sig_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+ ret = 0;
+
+cleanup:
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ size_t rsa_len = mbedtls_rsa_get_len(rsa);
+
+#if SIZE_MAX > UINT_MAX
+ if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ if (sig_len < rsa_len) {
+ return MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ }
+
+ if ((ret = mbedtls_rsa_pkcs1_verify(rsa, md_alg,
+ (unsigned int) hash_len,
+ hash, sig)) != 0) {
+ return ret;
+ }
+
+ /* The buffer contains a valid signature followed by extra data.
+ * We have a special error code for that so that so that callers can
+ * use mbedtls_pk_verify() to check "Does the buffer start with a
+ * valid signature?" and not just "Does the buffer contain a valid
+ * signature?". */
+ if (sig_len > rsa_len) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
+ mbedtls_rsa_context *rsa_ctx,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size,
+ size_t *sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_status_t status;
+ int key_len;
+ unsigned char *buf = NULL;
+ unsigned char *p;
+
+ buf = mbedtls_calloc(1, MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES);
+ if (buf == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+ p = buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES;
+
+ *sig_len = mbedtls_rsa_get_len(rsa_ctx);
+ if (sig_size < *sig_len) {
+ mbedtls_free(buf);
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+
+ key_len = mbedtls_rsa_write_key(rsa_ctx, buf, &p);
+ if (key_len <= 0) {
+ mbedtls_free(buf);
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
+
+ status = psa_import_key(&attributes,
+ buf + MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+ status = psa_sign_hash(key_id, alg, hash, hash_len,
+ sig, sig_size, sig_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ mbedtls_free(buf);
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+ return ret;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ ((void) f_rng);
+ ((void) p_rng);
+
+ psa_algorithm_t psa_md_alg;
+ psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
+ if (psa_md_alg == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ psa_algorithm_t psa_alg;
+ if (mbedtls_rsa_get_padding_mode(mbedtls_pk_rsa(*pk)) == MBEDTLS_RSA_PKCS_V21) {
+ psa_alg = PSA_ALG_RSA_PSS(psa_md_alg);
+ } else {
+ psa_alg = PSA_ALG_RSA_PKCS1V15_SIGN(psa_md_alg);
+ }
+
+ return mbedtls_pk_psa_rsa_sign_ext(psa_alg, pk->pk_ctx, hash, hash_len,
+ sig, sig_size, sig_len);
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+
+#if SIZE_MAX > UINT_MAX
+ if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ *sig_len = mbedtls_rsa_get_len(rsa);
+ if (sig_size < *sig_len) {
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+
+ return mbedtls_rsa_pkcs1_sign(rsa, f_rng, p_rng,
+ md_alg, (unsigned int) hash_len,
+ hash, sig);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_algorithm_t psa_md_alg, decrypt_alg;
+ psa_status_t status;
+ int key_len;
+ unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
+ unsigned char *p = buf + sizeof(buf);
+
+ ((void) f_rng);
+ ((void) p_rng);
+
+ if (ilen != mbedtls_rsa_get_len(rsa)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ key_len = mbedtls_rsa_write_key(rsa, buf, &p);
+ if (key_len <= 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
+ if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
+ psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
+ decrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
+ } else {
+ decrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
+ }
+ psa_set_key_algorithm(&attributes, decrypt_alg);
+
+ status = psa_import_key(&attributes,
+ buf + sizeof(buf) - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ status = psa_asymmetric_decrypt(key_id, decrypt_alg,
+ input, ilen,
+ NULL, 0,
+ output, osize, olen);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int rsa_decrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+
+ if (ilen != mbedtls_rsa_get_len(rsa)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_rsa_pkcs1_decrypt(rsa, f_rng, p_rng,
+ olen, input, output, osize);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_algorithm_t psa_md_alg, psa_encrypt_alg;
+ psa_status_t status;
+ int key_len;
+ unsigned char buf[MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES];
+ unsigned char *p = buf + sizeof(buf);
+
+ ((void) f_rng);
+ ((void) p_rng);
+
+ if (mbedtls_rsa_get_len(rsa) > osize) {
+ return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+ }
+
+ key_len = mbedtls_rsa_write_pubkey(rsa, buf, &p);
+ if (key_len <= 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
+ if (mbedtls_rsa_get_padding_mode(rsa) == MBEDTLS_RSA_PKCS_V21) {
+ psa_md_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) mbedtls_rsa_get_md_alg(rsa));
+ psa_encrypt_alg = PSA_ALG_RSA_OAEP(psa_md_alg);
+ } else {
+ psa_encrypt_alg = PSA_ALG_RSA_PKCS1V15_CRYPT;
+ }
+ psa_set_key_algorithm(&attributes, psa_encrypt_alg);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY);
+
+ status = psa_import_key(&attributes,
+ buf + sizeof(buf) - key_len, key_len,
+ &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ status = psa_asymmetric_encrypt(key_id, psa_encrypt_alg,
+ input, ilen,
+ NULL, 0,
+ output, osize, olen);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int rsa_encrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+ *olen = mbedtls_rsa_get_len(rsa);
+
+ if (*olen > osize) {
+ return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+ }
+
+ return mbedtls_rsa_pkcs1_encrypt(rsa, f_rng, p_rng,
+ ilen, input, output);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+static int rsa_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ (void) f_rng;
+ (void) p_rng;
+ return mbedtls_rsa_check_pub_priv((const mbedtls_rsa_context *) pub->pk_ctx,
+ (const mbedtls_rsa_context *) prv->pk_ctx);
+}
+
+static void *rsa_alloc_wrap(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
+
+ if (ctx != NULL) {
+ mbedtls_rsa_init((mbedtls_rsa_context *) ctx);
+ }
+
+ return ctx;
+}
+
+static void rsa_free_wrap(void *ctx)
+{
+ mbedtls_rsa_free((mbedtls_rsa_context *) ctx);
+ mbedtls_free(ctx);
+}
+
+static void rsa_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
+{
+#if defined(MBEDTLS_RSA_ALT)
+ /* Not supported */
+ (void) pk;
+ (void) items;
+#else
+ mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) pk->pk_ctx;
+
+ items->type = MBEDTLS_PK_DEBUG_MPI;
+ items->name = "rsa.N";
+ items->value = &(rsa->N);
+
+ items++;
+
+ items->type = MBEDTLS_PK_DEBUG_MPI;
+ items->name = "rsa.E";
+ items->value = &(rsa->E);
+#endif
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_info = {
+ .type = MBEDTLS_PK_RSA,
+ .name = "RSA",
+ .get_bitlen = rsa_get_bitlen,
+ .can_do = rsa_can_do,
+ .verify_func = rsa_verify_wrap,
+ .sign_func = rsa_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+ .rs_alloc_func = NULL,
+ .rs_free_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = rsa_decrypt_wrap,
+ .encrypt_func = rsa_encrypt_wrap,
+ .check_pair_func = rsa_check_pair_wrap,
+ .ctx_alloc_func = rsa_alloc_wrap,
+ .ctx_free_func = rsa_free_wrap,
+ .debug_func = rsa_debug,
+};
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+/*
+ * Generic EC key
+ */
+static int eckey_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_ECKEY ||
+ type == MBEDTLS_PK_ECKEY_DH ||
+ type == MBEDTLS_PK_ECDSA;
+}
+
+static size_t eckey_get_bitlen(mbedtls_pk_context *pk)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ return pk->ec_bits;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ return ecp->grp.pbits;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* Common helper for ECDSA verify using PSA functions. */
+static int ecdsa_verify_psa(unsigned char *key, size_t key_len,
+ psa_ecc_family_t curve, size_t curve_bits,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
+ size_t signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits);
+ size_t converted_sig_len;
+ unsigned char extracted_sig[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
+ unsigned char *p;
+ psa_status_t status;
+
+ if (curve == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, psa_sig_md);
+
+ status = psa_import_key(&attributes, key, key_len, &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ if (signature_len > sizeof(extracted_sig)) {
+ ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ p = (unsigned char *) sig;
+ ret = mbedtls_ecdsa_der_to_raw(curve_bits, p, sig_len, extracted_sig,
+ sizeof(extracted_sig), &converted_sig_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ if (converted_sig_len != signature_len) {
+ ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ status = psa_verify_hash(key_id, psa_sig_md, hash, hash_len,
+ extracted_sig, signature_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+
+static int ecdsa_opaque_verify_wrap(mbedtls_pk_context *pk,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ (void) md_alg;
+ unsigned char key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+ size_t key_len;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_ecc_family_t curve;
+ size_t curve_bits;
+ psa_status_t status;
+
+ status = psa_get_key_attributes(pk->priv_id, &key_attr);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+ curve = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attr));
+ curve_bits = psa_get_key_bits(&key_attr);
+ psa_reset_key_attributes(&key_attr);
+
+ status = psa_export_public_key(pk->priv_id, key, sizeof(key), &key_len);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+
+ return ecdsa_verify_psa(key, key_len, curve, curve_bits,
+ hash, hash_len, sig, sig_len);
+}
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ (void) md_alg;
+ psa_ecc_family_t curve = pk->ec_family;
+ size_t curve_bits = pk->ec_bits;
+
+ return ecdsa_verify_psa(pk->pub_raw, pk->pub_raw_len, curve, curve_bits,
+ hash, hash_len, sig, sig_len);
+}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int ecdsa_verify_wrap(mbedtls_pk_context *pk,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ (void) md_alg;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ctx = pk->pk_ctx;
+ unsigned char key[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t key_len;
+ size_t curve_bits;
+ psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
+
+ ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &key_len, key, sizeof(key));
+ if (ret != 0) {
+ return ret;
+ }
+
+ return ecdsa_verify_psa(key, key_len, curve, curve_bits,
+ hash, hash_len, sig, sig_len);
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ((void) md_alg);
+
+ ret = mbedtls_ecdsa_read_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
+ hash, hash_len, sig, sig_len);
+
+ if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* Common helper for ECDSA sign using PSA functions.
+ * Instead of extracting key's properties in order to check which kind of ECDSA
+ * signature it supports, we try both deterministic and non-deterministic.
+ */
+static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ size_t key_bits = 0;
+
+ status = psa_get_key_attributes(key_id, &key_attr);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+ key_bits = psa_get_key_bits(&key_attr);
+ psa_reset_key_attributes(&key_attr);
+
+ status = psa_sign_hash(key_id,
+ PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
+ hash, hash_len, sig, sig_size, sig_len);
+ if (status == PSA_SUCCESS) {
+ goto done;
+ } else if (status != PSA_ERROR_NOT_PERMITTED) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+
+ status = psa_sign_hash(key_id,
+ PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)),
+ hash, hash_len, sig, sig_size, sig_len);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ }
+
+done:
+ ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, *sig_len, sig, sig_size, sig_len);
+
+ return ret;
+}
+
+static int ecdsa_opaque_sign_wrap(mbedtls_pk_context *pk,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size,
+ size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ ((void) f_rng);
+ ((void) p_rng);
+
+ return ecdsa_sign_psa(pk->priv_id, md_alg, hash, hash_len, sig, sig_size,
+ sig_len);
+}
+
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
+ * using the same function. */
+#define ecdsa_sign_wrap ecdsa_opaque_sign_wrap
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_status_t status;
+ mbedtls_ecp_keypair *ctx = pk->pk_ctx;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
+ size_t curve_bits;
+ psa_ecc_family_t curve =
+ mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
+ size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
+ psa_algorithm_t psa_hash = mbedtls_md_psa_alg_from_type(md_alg);
+ psa_algorithm_t psa_sig_md = MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(psa_hash);
+ ((void) f_rng);
+ ((void) p_rng);
+
+ if (curve == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ if (key_len > sizeof(buf)) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+ psa_set_key_algorithm(&attributes, psa_sig_md);
+
+ status = psa_import_key(&attributes, buf, key_len, &key_id);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+
+ ret = ecdsa_sign_psa(key_id, md_alg, hash, hash_len, sig, sig_size, sig_len);
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ status = psa_destroy_key(key_id);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ return mbedtls_ecdsa_write_signature((mbedtls_ecdsa_context *) pk->pk_ctx,
+ md_alg, hash, hash_len,
+ sig, sig_size, sig_len,
+ f_rng, p_rng);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/* Forward declarations */
+static int ecdsa_verify_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ void *rs_ctx);
+
+static int ecdsa_sign_rs_wrap(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ void *rs_ctx);
+
+/*
+ * Restart context for ECDSA operations with ECKEY context
+ *
+ * We need to store an actual ECDSA context, as we need to pass the same to
+ * the underlying ecdsa function, so we can't create it on the fly every time.
+ */
+typedef struct {
+ mbedtls_ecdsa_restart_ctx ecdsa_rs;
+ mbedtls_ecdsa_context ecdsa_ctx;
+} eckey_restart_ctx;
+
+static void *eckey_rs_alloc(void)
+{
+ eckey_restart_ctx *rs_ctx;
+
+ void *ctx = mbedtls_calloc(1, sizeof(eckey_restart_ctx));
+
+ if (ctx != NULL) {
+ rs_ctx = ctx;
+ mbedtls_ecdsa_restart_init(&rs_ctx->ecdsa_rs);
+ mbedtls_ecdsa_init(&rs_ctx->ecdsa_ctx);
+ }
+
+ return ctx;
+}
+
+static void eckey_rs_free(void *ctx)
+{
+ eckey_restart_ctx *rs_ctx;
+
+ if (ctx == NULL) {
+ return;
+ }
+
+ rs_ctx = ctx;
+ mbedtls_ecdsa_restart_free(&rs_ctx->ecdsa_rs);
+ mbedtls_ecdsa_free(&rs_ctx->ecdsa_ctx);
+
+ mbedtls_free(ctx);
+}
+
+static int eckey_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ void *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ eckey_restart_ctx *rs = rs_ctx;
+
+ /* Should never happen */
+ if (rs == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ /* set up our own sub-context if needed (that is, on first run) */
+ if (rs->ecdsa_ctx.grp.pbits == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
+ }
+
+ MBEDTLS_MPI_CHK(ecdsa_verify_rs_wrap(pk,
+ md_alg, hash, hash_len,
+ sig, sig_len, &rs->ecdsa_rs));
+
+cleanup:
+ return ret;
+}
+
+static int eckey_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ void *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ eckey_restart_ctx *rs = rs_ctx;
+
+ /* Should never happen */
+ if (rs == NULL) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ /* set up our own sub-context if needed (that is, on first run) */
+ if (rs->ecdsa_ctx.grp.pbits == 0) {
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_from_keypair(&rs->ecdsa_ctx, pk->pk_ctx));
+ }
+
+ MBEDTLS_MPI_CHK(ecdsa_sign_rs_wrap(pk, md_alg,
+ hash, hash_len, sig, sig_size, sig_len,
+ f_rng, p_rng, &rs->ecdsa_rs));
+
+cleanup:
+ return ret;
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
+{
+ psa_status_t status;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t prv_key_len;
+ mbedtls_svc_key_id_t key_id = prv->priv_id;
+
+ status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
+ &prv_key_len);
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (memcmp(prv_key_buf, pub->pub_raw, pub->pub_raw_len) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int eckey_check_pair_psa(mbedtls_pk_context *pub, mbedtls_pk_context *prv)
+{
+ psa_status_t status;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint8_t prv_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t prv_key_len;
+ psa_status_t destruction_status;
+ mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t pub_key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
+ size_t pub_key_len;
+ size_t curve_bits;
+ const psa_ecc_family_t curve =
+ mbedtls_ecc_group_to_psa(mbedtls_pk_ec_ro(*prv)->grp.id, &curve_bits);
+ const size_t curve_bytes = PSA_BITS_TO_BYTES(curve_bits);
+
+ if (curve == 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
+
+ ret = mbedtls_mpi_write_binary(&mbedtls_pk_ec_ro(*prv)->d,
+ prv_key_buf, curve_bytes);
+ if (ret != 0) {
+ mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
+ return ret;
+ }
+
+ status = psa_import_key(&key_attr, prv_key_buf, curve_bytes, &key_id);
+ mbedtls_platform_zeroize(prv_key_buf, sizeof(prv_key_buf));
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ if (ret != 0) {
+ return ret;
+ }
+
+ // From now on prv_key_buf is used to store the public key of prv.
+ status = psa_export_public_key(key_id, prv_key_buf, sizeof(prv_key_buf),
+ &prv_key_len);
+ ret = PSA_PK_TO_MBEDTLS_ERR(status);
+ destruction_status = psa_destroy_key(key_id);
+ if (ret != 0) {
+ return ret;
+ } else if (destruction_status != PSA_SUCCESS) {
+ return PSA_PK_TO_MBEDTLS_ERR(destruction_status);
+ }
+
+ ret = mbedtls_ecp_point_write_binary(&mbedtls_pk_ec_rw(*pub)->grp,
+ &mbedtls_pk_ec_rw(*pub)->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &pub_key_len, pub_key_buf,
+ sizeof(pub_key_buf));
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (memcmp(prv_key_buf, pub_key_buf, curve_bytes) != 0) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ (void) f_rng;
+ (void) p_rng;
+ return eckey_check_pair_psa(pub, prv);
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+static int eckey_check_pair_wrap(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ return mbedtls_ecp_check_pub_priv((const mbedtls_ecp_keypair *) pub->pk_ctx,
+ (const mbedtls_ecp_keypair *) prv->pk_ctx,
+ f_rng, p_rng);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+/* When PK_USE_PSA_EC_DATA is defined opaque and non-opaque keys end up
+ * using the same function. */
+#define ecdsa_opaque_check_pair_wrap eckey_check_pair_wrap
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int ecdsa_opaque_check_pair_wrap(mbedtls_pk_context *pub,
+ mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ psa_status_t status;
+ uint8_t exp_pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+ size_t exp_pub_key_len = 0;
+ uint8_t pub_key[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN];
+ size_t pub_key_len = 0;
+ int ret;
+ (void) f_rng;
+ (void) p_rng;
+
+ status = psa_export_public_key(prv->priv_id, exp_pub_key, sizeof(exp_pub_key),
+ &exp_pub_key_len);
+ if (status != PSA_SUCCESS) {
+ ret = psa_pk_status_to_mbedtls(status);
+ return ret;
+ }
+ ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(*pub)->grp),
+ &(mbedtls_pk_ec_ro(*pub)->Q),
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &pub_key_len, pub_key, sizeof(pub_key));
+ if (ret != 0) {
+ return ret;
+ }
+ if ((exp_pub_key_len != pub_key_len) ||
+ memcmp(exp_pub_key, pub_key, exp_pub_key_len)) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ return 0;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static void *eckey_alloc_wrap(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
+
+ if (ctx != NULL) {
+ mbedtls_ecp_keypair_init(ctx);
+ }
+
+ return ctx;
+}
+
+static void eckey_free_wrap(void *ctx)
+{
+ mbedtls_ecp_keypair_free((mbedtls_ecp_keypair *) ctx);
+ mbedtls_free(ctx);
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+static void eckey_debug(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items)
+{
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ items->type = MBEDTLS_PK_DEBUG_PSA_EC;
+ items->name = "eckey.Q";
+ items->value = pk;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ mbedtls_ecp_keypair *ecp = (mbedtls_ecp_keypair *) pk->pk_ctx;
+ items->type = MBEDTLS_PK_DEBUG_ECP;
+ items->name = "eckey.Q";
+ items->value = &(ecp->Q);
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+}
+
+const mbedtls_pk_info_t mbedtls_eckey_info = {
+ .type = MBEDTLS_PK_ECKEY,
+ .name = "EC",
+ .get_bitlen = eckey_get_bitlen,
+ .can_do = eckey_can_do,
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
+ .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
+#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+ .verify_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+ .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
+#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+ .sign_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = eckey_verify_rs_wrap,
+ .sign_rs_func = eckey_sign_rs_wrap,
+ .rs_alloc_func = eckey_rs_alloc,
+ .rs_free_func = eckey_rs_free,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = NULL,
+ .encrypt_func = NULL,
+ .check_pair_func = eckey_check_pair_wrap,
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .ctx_alloc_func = eckey_alloc_wrap,
+ .ctx_free_func = eckey_free_wrap,
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .debug_func = eckey_debug,
+};
+
+/*
+ * EC key restricted to ECDH
+ */
+static int eckeydh_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_ECKEY ||
+ type == MBEDTLS_PK_ECKEY_DH;
+}
+
+const mbedtls_pk_info_t mbedtls_eckeydh_info = {
+ .type = MBEDTLS_PK_ECKEY_DH,
+ .name = "EC_DH",
+ .get_bitlen = eckey_get_bitlen, /* Same underlying key structure */
+ .can_do = eckeydh_can_do,
+ .verify_func = NULL,
+ .sign_func = NULL,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = NULL,
+ .encrypt_func = NULL,
+ .check_pair_func = eckey_check_pair_wrap,
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .ctx_alloc_func = eckey_alloc_wrap, /* Same underlying key structure */
+ .ctx_free_func = eckey_free_wrap, /* Same underlying key structure */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .debug_func = eckey_debug, /* Same underlying key structure */
+};
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+static int ecdsa_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_ECDSA;
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+static int ecdsa_verify_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ void *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ((void) md_alg);
+
+ ret = mbedtls_ecdsa_read_signature_restartable(
+ (mbedtls_ecdsa_context *) pk->pk_ctx,
+ hash, hash_len, sig, sig_len,
+ (mbedtls_ecdsa_restart_ctx *) rs_ctx);
+
+ if (ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) {
+ return MBEDTLS_ERR_PK_SIG_LEN_MISMATCH;
+ }
+
+ return ret;
+}
+
+static int ecdsa_sign_rs_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ void *rs_ctx)
+{
+ return mbedtls_ecdsa_write_signature_restartable(
+ (mbedtls_ecdsa_context *) pk->pk_ctx,
+ md_alg, hash, hash_len, sig, sig_size, sig_len, f_rng, p_rng,
+ (mbedtls_ecdsa_restart_ctx *) rs_ctx);
+
+}
+
+static void *ecdsa_rs_alloc(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_ecdsa_restart_ctx));
+
+ if (ctx != NULL) {
+ mbedtls_ecdsa_restart_init(ctx);
+ }
+
+ return ctx;
+}
+
+static void ecdsa_rs_free(void *ctx)
+{
+ mbedtls_ecdsa_restart_free(ctx);
+ mbedtls_free(ctx);
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+const mbedtls_pk_info_t mbedtls_ecdsa_info = {
+ .type = MBEDTLS_PK_ECDSA,
+ .name = "ECDSA",
+ .get_bitlen = eckey_get_bitlen, /* Compatible key structures */
+ .can_do = ecdsa_can_do,
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
+ .verify_func = ecdsa_verify_wrap, /* Compatible key structures */
+#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+ .verify_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+ .sign_func = ecdsa_sign_wrap, /* Compatible key structures */
+#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+ .sign_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = ecdsa_verify_rs_wrap,
+ .sign_rs_func = ecdsa_sign_rs_wrap,
+ .rs_alloc_func = ecdsa_rs_alloc,
+ .rs_free_func = ecdsa_rs_free,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = NULL,
+ .encrypt_func = NULL,
+ .check_pair_func = eckey_check_pair_wrap, /* Compatible key structures */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .ctx_alloc_func = eckey_alloc_wrap, /* Compatible key structures */
+ .ctx_free_func = eckey_free_wrap, /* Compatible key structures */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ .debug_func = eckey_debug, /* Compatible key structures */
+};
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Support for alternative RSA-private implementations
+ */
+
+static int rsa_alt_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_RSA;
+}
+
+static size_t rsa_alt_get_bitlen(mbedtls_pk_context *pk)
+{
+ const mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
+
+ return 8 * rsa_alt->key_len_func(rsa_alt->key);
+}
+
+static int rsa_alt_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
+
+#if SIZE_MAX > UINT_MAX
+ if (UINT_MAX < hash_len) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+#endif
+
+ *sig_len = rsa_alt->key_len_func(rsa_alt->key);
+ if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ if (*sig_len > sig_size) {
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ }
+
+ return rsa_alt->sign_func(rsa_alt->key, f_rng, p_rng,
+ md_alg, (unsigned int) hash_len, hash, sig);
+}
+
+static int rsa_alt_decrypt_wrap(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ mbedtls_rsa_alt_context *rsa_alt = pk->pk_ctx;
+
+ ((void) f_rng);
+ ((void) p_rng);
+
+ if (ilen != rsa_alt->key_len_func(rsa_alt->key)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return rsa_alt->decrypt_func(rsa_alt->key,
+ olen, input, output, osize);
+}
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_alt_check_pair(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+ unsigned char hash[32];
+ size_t sig_len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (rsa_alt_get_bitlen(prv) != rsa_get_bitlen(pub)) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ memset(hash, 0x2a, sizeof(hash));
+
+ if ((ret = rsa_alt_sign_wrap(prv, MBEDTLS_MD_NONE,
+ hash, sizeof(hash),
+ sig, sizeof(sig), &sig_len,
+ f_rng, p_rng)) != 0) {
+ return ret;
+ }
+
+ if (rsa_verify_wrap(pub, MBEDTLS_MD_NONE,
+ hash, sizeof(hash), sig, sig_len) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_RSA_C */
+
+static void *rsa_alt_alloc_wrap(void)
+{
+ void *ctx = mbedtls_calloc(1, sizeof(mbedtls_rsa_alt_context));
+
+ if (ctx != NULL) {
+ memset(ctx, 0, sizeof(mbedtls_rsa_alt_context));
+ }
+
+ return ctx;
+}
+
+static void rsa_alt_free_wrap(void *ctx)
+{
+ mbedtls_zeroize_and_free(ctx, sizeof(mbedtls_rsa_alt_context));
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
+ .type = MBEDTLS_PK_RSA_ALT,
+ .name = "RSA-alt",
+ .get_bitlen = rsa_alt_get_bitlen,
+ .can_do = rsa_alt_can_do,
+ .verify_func = NULL,
+ .sign_func = rsa_alt_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+ .rs_alloc_func = NULL,
+ .rs_free_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = rsa_alt_decrypt_wrap,
+ .encrypt_func = NULL,
+#if defined(MBEDTLS_RSA_C)
+ .check_pair_func = rsa_alt_check_pair,
+#else
+ .check_pair_func = NULL,
+#endif
+ .ctx_alloc_func = rsa_alt_alloc_wrap,
+ .ctx_free_func = rsa_alt_free_wrap,
+ .debug_func = NULL,
+};
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static size_t opaque_get_bitlen(mbedtls_pk_context *pk)
+{
+ size_t bits;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ if (PSA_SUCCESS != psa_get_key_attributes(pk->priv_id, &attributes)) {
+ return 0;
+ }
+
+ bits = psa_get_key_bits(&attributes);
+ psa_reset_key_attributes(&attributes);
+ return bits;
+}
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+static int ecdsa_opaque_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_ECKEY ||
+ type == MBEDTLS_PK_ECDSA;
+}
+
+const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info = {
+ .type = MBEDTLS_PK_OPAQUE,
+ .name = "Opaque",
+ .get_bitlen = opaque_get_bitlen,
+ .can_do = ecdsa_opaque_can_do,
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
+ .verify_func = ecdsa_opaque_verify_wrap,
+#else /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+ .verify_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_VERIFY */
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+ .sign_func = ecdsa_opaque_sign_wrap,
+#else /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+ .sign_func = NULL,
+#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+ .rs_alloc_func = NULL,
+ .rs_free_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+ .decrypt_func = NULL,
+ .encrypt_func = NULL,
+ .check_pair_func = ecdsa_opaque_check_pair_wrap,
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+ .debug_func = NULL,
+};
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+static int rsa_opaque_can_do(mbedtls_pk_type_t type)
+{
+ return type == MBEDTLS_PK_RSA ||
+ type == MBEDTLS_PK_RSASSA_PSS;
+}
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+static int rsa_opaque_decrypt(mbedtls_pk_context *pk,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg;
+ psa_key_type_t type;
+ psa_status_t status;
+
+ /* PSA has its own RNG */
+ (void) f_rng;
+ (void) p_rng;
+
+ status = psa_get_key_attributes(pk->priv_id, &attributes);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ type = psa_get_key_type(&attributes);
+ alg = psa_get_key_algorithm(&attributes);
+ psa_reset_key_attributes(&attributes);
+
+ if (!PSA_KEY_TYPE_IS_RSA(type)) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ status = psa_asymmetric_decrypt(pk->priv_id, alg, input, ilen, NULL, 0, output, osize, olen);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ }
+
+ return 0;
+}
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+
+static int rsa_opaque_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+#if defined(MBEDTLS_RSA_C)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg;
+ psa_key_type_t type;
+ psa_status_t status;
+
+ /* PSA has its own RNG */
+ (void) f_rng;
+ (void) p_rng;
+
+ status = psa_get_key_attributes(pk->priv_id, &attributes);
+ if (status != PSA_SUCCESS) {
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+
+ type = psa_get_key_type(&attributes);
+ alg = psa_get_key_algorithm(&attributes);
+ psa_reset_key_attributes(&attributes);
+
+ if (PSA_KEY_TYPE_IS_RSA(type)) {
+ alg = (alg & ~PSA_ALG_HASH_MASK) | mbedtls_md_psa_alg_from_type(md_alg);
+ } else {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ status = psa_sign_hash(pk->priv_id, alg, hash, hash_len, sig, sig_size, sig_len);
+ if (status != PSA_SUCCESS) {
+ if (PSA_KEY_TYPE_IS_RSA(type)) {
+ return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
+ } else {
+ return PSA_PK_TO_MBEDTLS_ERR(status);
+ }
+ }
+
+ return 0;
+#else /* !MBEDTLS_RSA_C */
+ ((void) pk);
+ ((void) md_alg);
+ ((void) hash);
+ ((void) hash_len);
+ ((void) sig);
+ ((void) sig_size);
+ ((void) sig_len);
+ ((void) f_rng);
+ ((void) p_rng);
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+#endif /* !MBEDTLS_RSA_C */
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_opaque_info = {
+ .type = MBEDTLS_PK_OPAQUE,
+ .name = "Opaque",
+ .get_bitlen = opaque_get_bitlen,
+ .can_do = rsa_opaque_can_do,
+ .verify_func = NULL,
+ .sign_func = rsa_opaque_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ .verify_rs_func = NULL,
+ .sign_rs_func = NULL,
+ .rs_alloc_func = NULL,
+ .rs_free_func = NULL,
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+ .decrypt_func = rsa_opaque_decrypt,
+#else /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+ .decrypt_func = NULL,
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+ .encrypt_func = NULL,
+ .check_pair_func = NULL,
+ .ctx_alloc_func = NULL,
+ .ctx_free_func = NULL,
+ .debug_func = NULL,
+};
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_PK_C */
diff --git a/library/pk_wrap.h b/library/pk_wrap.h
new file mode 100644
index 0000000..be096da
--- /dev/null
+++ b/library/pk_wrap.h
@@ -0,0 +1,138 @@
+/**
+ * \file pk_wrap.h
+ *
+ * \brief Public Key abstraction layer: wrapper functions
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PK_WRAP_H
+#define MBEDTLS_PK_WRAP_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif
+
+struct mbedtls_pk_info_t {
+ /** Public key type */
+ mbedtls_pk_type_t type;
+
+ /** Type name */
+ const char *name;
+
+ /** Get key size in bits */
+ size_t (*get_bitlen)(mbedtls_pk_context *pk);
+
+ /** Tell if the context implements this type (e.g. ECKEY can do ECDSA) */
+ int (*can_do)(mbedtls_pk_type_t type);
+
+ /** Verify signature */
+ int (*verify_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len);
+
+ /** Make signature */
+ int (*sign_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /** Verify signature (restartable) */
+ int (*verify_rs_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ void *rs_ctx);
+
+ /** Make signature (restartable) */
+ int (*sign_rs_func)(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, void *rs_ctx);
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+ /** Decrypt message */
+ int (*decrypt_func)(mbedtls_pk_context *pk, const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+ /** Encrypt message */
+ int (*encrypt_func)(mbedtls_pk_context *pk, const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+ /** Check public-private key pair */
+ int (*check_pair_func)(mbedtls_pk_context *pub, mbedtls_pk_context *prv,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+ /** Allocate a new context */
+ void * (*ctx_alloc_func)(void);
+
+ /** Free the given context */
+ void (*ctx_free_func)(void *ctx);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /** Allocate the restart context */
+ void *(*rs_alloc_func)(void);
+
+ /** Free the restart context */
+ void (*rs_free_func)(void *rs_ctx);
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+ /** Interface with the debug module */
+ void (*debug_func)(mbedtls_pk_context *pk, mbedtls_pk_debug_item *items);
+
+};
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/* Container for RSA-alt */
+typedef struct {
+ void *key;
+ mbedtls_pk_rsa_alt_decrypt_func decrypt_func;
+ mbedtls_pk_rsa_alt_sign_func sign_func;
+ mbedtls_pk_rsa_alt_key_len_func key_len_func;
+} mbedtls_rsa_alt_context;
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+extern const mbedtls_pk_info_t mbedtls_rsa_info;
+#endif
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+extern const mbedtls_pk_info_t mbedtls_eckey_info;
+extern const mbedtls_pk_info_t mbedtls_eckeydh_info;
+#endif
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+extern const mbedtls_pk_info_t mbedtls_ecdsa_info;
+#endif
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+extern const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info;
+extern const mbedtls_pk_info_t mbedtls_rsa_opaque_info;
+
+#if defined(MBEDTLS_RSA_C)
+int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md,
+ mbedtls_rsa_context *rsa_ctx,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t sig_size,
+ size_t *sig_len);
+#endif /* MBEDTLS_RSA_C */
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_PK_WRAP_H */
diff --git a/library/pkcs12.c b/library/pkcs12.c
new file mode 100644
index 0000000..a3467b9
--- /dev/null
+++ b/library/pkcs12.c
@@ -0,0 +1,437 @@
+/*
+ * PKCS#12 Personal Information Exchange Syntax
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The PKCS #12 Personal Information Exchange Syntax Standard v1.1
+ *
+ * http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
+ * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PKCS12_C)
+
+#include "mbedtls/pkcs12.h"
+#include "mbedtls/asn1.h"
+#if defined(MBEDTLS_CIPHER_C)
+#include "mbedtls/cipher.h"
+#endif /* MBEDTLS_CIPHER_C */
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#include "psa_util_internal.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
+
+static int pkcs12_parse_pbe_params(mbedtls_asn1_buf *params,
+ mbedtls_asn1_buf *salt, int *iterations)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char **p = ¶ms->p;
+ const unsigned char *end = params->p + params->len;
+
+ /*
+ * pkcs-12PbeParams ::= SEQUENCE {
+ * salt OCTET STRING,
+ * iterations INTEGER
+ * }
+ *
+ */
+ if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
+ }
+
+ salt->p = *p;
+ *p += salt->len;
+
+ if ((ret = mbedtls_asn1_get_int(p, end, iterations)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret);
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+#define PKCS12_MAX_PWDLEN 128
+
+static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ unsigned char *key, size_t keylen,
+ unsigned char *iv, size_t ivlen)
+{
+ int ret, iterations = 0;
+ mbedtls_asn1_buf salt;
+ size_t i;
+ unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
+
+ if (pwdlen > PKCS12_MAX_PWDLEN) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ memset(&salt, 0, sizeof(mbedtls_asn1_buf));
+ memset(&unipwd, 0, sizeof(unipwd));
+
+ if ((ret = pkcs12_parse_pbe_params(pbe_params, &salt,
+ &iterations)) != 0) {
+ return ret;
+ }
+
+ for (i = 0; i < pwdlen; i++) {
+ unipwd[i * 2 + 1] = pwd[i];
+ }
+
+ if ((ret = mbedtls_pkcs12_derivation(key, keylen, unipwd, pwdlen * 2 + 2,
+ salt.p, salt.len, md_type,
+ MBEDTLS_PKCS12_DERIVE_KEY, iterations)) != 0) {
+ return ret;
+ }
+
+ if (iv == NULL || ivlen == 0) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_pkcs12_derivation(iv, ivlen, unipwd, pwdlen * 2 + 2,
+ salt.p, salt.len, md_type,
+ MBEDTLS_PKCS12_DERIVE_IV, iterations)) != 0) {
+ return ret;
+ }
+ return 0;
+}
+
+#undef PKCS12_MAX_PWDLEN
+
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
+ mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len);
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
+ mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t len,
+ unsigned char *output)
+{
+ size_t output_len = 0;
+
+ /* We assume caller of the function is providing a big enough output buffer
+ * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
+ * for the output size actually being correct.
+ */
+ return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type,
+ pwd, pwdlen, data, len, output, SIZE_MAX,
+ &output_len);
+}
+#endif
+
+int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
+ mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len)
+{
+ int ret, keylen = 0;
+ unsigned char key[32];
+ unsigned char iv[16];
+ const mbedtls_cipher_info_t *cipher_info;
+ mbedtls_cipher_context_t cipher_ctx;
+ size_t iv_len = 0;
+ size_t finish_olen = 0;
+ unsigned int padlen = 0;
+
+ if (pwd == NULL && pwdlen != 0) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ cipher_info = mbedtls_cipher_info_from_type(cipher_type);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
+ }
+
+ keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
+
+ if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
+ if (output_size < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ }
+
+ if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) {
+ padlen = cipher_info->block_size - (len % cipher_info->block_size);
+ if (output_size < (len + padlen)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ }
+
+ iv_len = mbedtls_cipher_info_get_iv_size(cipher_info);
+ if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
+ key, keylen,
+ iv, iv_len)) != 0) {
+ return ret;
+ }
+
+ mbedtls_cipher_init(&cipher_ctx);
+
+ if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
+ (mbedtls_operation_t) mode)) != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+ {
+ /* PKCS12 uses CBC with PKCS7 padding */
+ mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+ /* For historical reasons, when decrypting, this function works when
+ * decrypting even when support for PKCS7 padding is disabled. In this
+ * case, it ignores the padding, and so will never report a
+ * password mismatch.
+ */
+ if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
+ padding = MBEDTLS_PADDING_NONE;
+ }
+#endif
+ if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
+ goto exit;
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+ ret = mbedtls_cipher_crypt(&cipher_ctx, iv, iv_len, data, len, output, &finish_olen);
+ if (ret == MBEDTLS_ERR_CIPHER_INVALID_PADDING) {
+ ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
+ }
+
+ *output_len += finish_olen;
+
+exit:
+ mbedtls_platform_zeroize(key, sizeof(key));
+ mbedtls_platform_zeroize(iv, sizeof(iv));
+ mbedtls_cipher_free(&cipher_ctx);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */
+
+static void pkcs12_fill_buffer(unsigned char *data, size_t data_len,
+ const unsigned char *filler, size_t fill_len)
+{
+ unsigned char *p = data;
+ size_t use_len;
+
+ if (filler != NULL && fill_len != 0) {
+ while (data_len > 0) {
+ use_len = (data_len > fill_len) ? fill_len : data_len;
+ memcpy(p, filler, use_len);
+ p += use_len;
+ data_len -= use_len;
+ }
+ } else {
+ /* If either of the above are not true then clearly there is nothing
+ * that this function can do. The function should *not* be called
+ * under either of those circumstances, as you could end up with an
+ * incorrect output but for safety's sake, leaving the check in as
+ * otherwise we could end up with memory corruption.*/
+ }
+}
+
+
+static int calculate_hashes(mbedtls_md_type_t md_type, int iterations,
+ unsigned char *diversifier, unsigned char *salt_block,
+ unsigned char *pwd_block, unsigned char *hash_output, int use_salt,
+ int use_password, size_t hlen, size_t v)
+{
+ int ret = -1;
+ size_t i;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_context_t md_ctx;
+ md_info = mbedtls_md_info_from_type(md_type);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
+ }
+
+ mbedtls_md_init(&md_ctx);
+
+ if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
+ return ret;
+ }
+ // Calculate hash( diversifier || salt_block || pwd_block )
+ if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_md_update(&md_ctx, diversifier, v)) != 0) {
+ goto exit;
+ }
+
+ if (use_salt != 0) {
+ if ((ret = mbedtls_md_update(&md_ctx, salt_block, v)) != 0) {
+ goto exit;
+ }
+ }
+
+ if (use_password != 0) {
+ if ((ret = mbedtls_md_update(&md_ctx, pwd_block, v)) != 0) {
+ goto exit;
+ }
+ }
+
+ if ((ret = mbedtls_md_finish(&md_ctx, hash_output)) != 0) {
+ goto exit;
+ }
+
+ // Perform remaining ( iterations - 1 ) recursive hash calculations
+ for (i = 1; i < (size_t) iterations; i++) {
+ if ((ret = mbedtls_md(md_info, hash_output, hlen, hash_output))
+ != 0) {
+ goto exit;
+ }
+ }
+
+exit:
+ mbedtls_md_free(&md_ctx);
+ return ret;
+}
+
+
+int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *salt, size_t saltlen,
+ mbedtls_md_type_t md_type, int id, int iterations)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned int j;
+
+ unsigned char diversifier[128];
+ unsigned char salt_block[128], pwd_block[128], hash_block[128] = { 0 };
+ unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
+ unsigned char *p;
+ unsigned char c;
+ int use_password = 0;
+ int use_salt = 0;
+
+ size_t hlen, use_len, v, i;
+
+ // This version only allows max of 64 bytes of password or salt
+ if (datalen > 128 || pwdlen > 64 || saltlen > 64) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ if (pwd == NULL && pwdlen != 0) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ if (salt == NULL && saltlen != 0) {
+ return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
+ }
+
+ use_password = (pwd && pwdlen != 0);
+ use_salt = (salt && saltlen != 0);
+
+ hlen = mbedtls_md_get_size_from_type(md_type);
+
+ if (hlen <= 32) {
+ v = 64;
+ } else {
+ v = 128;
+ }
+
+ memset(diversifier, (unsigned char) id, v);
+
+ if (use_salt != 0) {
+ pkcs12_fill_buffer(salt_block, v, salt, saltlen);
+ }
+
+ if (use_password != 0) {
+ pkcs12_fill_buffer(pwd_block, v, pwd, pwdlen);
+ }
+
+ p = data;
+ while (datalen > 0) {
+ if (calculate_hashes(md_type, iterations, diversifier, salt_block,
+ pwd_block, hash_output, use_salt, use_password, hlen,
+ v) != 0) {
+ goto exit;
+ }
+
+ use_len = (datalen > hlen) ? hlen : datalen;
+ memcpy(p, hash_output, use_len);
+ datalen -= use_len;
+ p += use_len;
+
+ if (datalen == 0) {
+ break;
+ }
+
+ // Concatenating copies of hash_output into hash_block (B)
+ pkcs12_fill_buffer(hash_block, v, hash_output, hlen);
+
+ // B += 1
+ for (i = v; i > 0; i--) {
+ if (++hash_block[i - 1] != 0) {
+ break;
+ }
+ }
+
+ if (use_salt != 0) {
+ // salt_block += B
+ c = 0;
+ for (i = v; i > 0; i--) {
+ j = salt_block[i - 1] + hash_block[i - 1] + c;
+ c = MBEDTLS_BYTE_1(j);
+ salt_block[i - 1] = MBEDTLS_BYTE_0(j);
+ }
+ }
+
+ if (use_password != 0) {
+ // pwd_block += B
+ c = 0;
+ for (i = v; i > 0; i--) {
+ j = pwd_block[i - 1] + hash_block[i - 1] + c;
+ c = MBEDTLS_BYTE_1(j);
+ pwd_block[i - 1] = MBEDTLS_BYTE_0(j);
+ }
+ }
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_platform_zeroize(salt_block, sizeof(salt_block));
+ mbedtls_platform_zeroize(pwd_block, sizeof(pwd_block));
+ mbedtls_platform_zeroize(hash_block, sizeof(hash_block));
+ mbedtls_platform_zeroize(hash_output, sizeof(hash_output));
+
+ return ret;
+}
+
+#endif /* MBEDTLS_PKCS12_C */
diff --git a/library/pkcs5.c b/library/pkcs5.c
new file mode 100644
index 0000000..c6c5305
--- /dev/null
+++ b/library/pkcs5.c
@@ -0,0 +1,500 @@
+/**
+ * \file pkcs5.c
+ *
+ * \brief PKCS#5 functions
+ *
+ * \author Mathias Olsson <mathias@kompetensum.com>
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * PKCS#5 includes PBKDF2 and more
+ *
+ * http://tools.ietf.org/html/rfc2898 (Specification)
+ * http://tools.ietf.org/html/rfc6070 (Test vectors)
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PKCS5_C)
+
+#include "mbedtls/pkcs5.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#if defined(MBEDTLS_CIPHER_C)
+#include "mbedtls/cipher.h"
+#endif /* MBEDTLS_CIPHER_C */
+#include "mbedtls/oid.h"
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#include "psa_util_internal.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
+static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
+ mbedtls_asn1_buf *salt, int *iterations,
+ int *keylen, mbedtls_md_type_t *md_type)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_asn1_buf prf_alg_oid;
+ unsigned char *p = params->p;
+ const unsigned char *end = params->p + params->len;
+
+ if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+ /*
+ * PBKDF2-params ::= SEQUENCE {
+ * salt OCTET STRING,
+ * iterationCount INTEGER,
+ * keyLength INTEGER OPTIONAL
+ * prf AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
+ * }
+ *
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &salt->len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ salt->p = p;
+ p += salt->len;
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, iterations)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ if (p == end) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, keylen)) != 0) {
+ if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+ }
+
+ if (p == end) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_asn1_get_alg_null(&p, end, &prf_alg_oid)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ if (mbedtls_oid_get_md_hmac(&prf_alg_oid, md_type) != 0) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ if (p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output, size_t output_size,
+ size_t *output_len);
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output)
+{
+ size_t output_len = 0;
+
+ /* We assume caller of the function is providing a big enough output buffer
+ * so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
+ * for the output size actually being correct.
+ */
+ return mbedtls_pkcs5_pbes2_ext(pbe_params, mode, pwd, pwdlen, data,
+ datalen, output, SIZE_MAX, &output_len);
+}
+#endif
+
+int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output, size_t output_size,
+ size_t *output_len)
+{
+ int ret, iterations = 0, keylen = 0;
+ unsigned char *p, *end;
+ mbedtls_asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
+ mbedtls_asn1_buf salt;
+ mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
+ unsigned char key[32], iv[32];
+ const mbedtls_cipher_info_t *cipher_info;
+ mbedtls_cipher_type_t cipher_alg;
+ mbedtls_cipher_context_t cipher_ctx;
+ unsigned int padlen = 0;
+
+ p = pbe_params->p;
+ end = p + pbe_params->len;
+
+ /*
+ * PBES2-params ::= SEQUENCE {
+ * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
+ * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
+ * }
+ */
+ if (pbe_params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ if ((ret = mbedtls_asn1_get_alg(&p, end, &kdf_alg_oid,
+ &kdf_alg_params)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ // Only PBKDF2 supported at the moment
+ //
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid) != 0) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ if ((ret = pkcs5_parse_pbkdf2_params(&kdf_alg_params,
+ &salt, &iterations, &keylen,
+ &md_type)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_asn1_get_alg(&p, end, &enc_scheme_oid,
+ &enc_scheme_params)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret);
+ }
+
+ if (mbedtls_oid_get_cipher_alg(&enc_scheme_oid, &cipher_alg) != 0) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ cipher_info = mbedtls_cipher_info_from_type(cipher_alg);
+ if (cipher_info == NULL) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ /*
+ * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
+ * since it is optional and we don't know if it was set or not
+ */
+ keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
+
+ if (enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
+ enc_scheme_params.len != mbedtls_cipher_info_get_iv_size(cipher_info)) {
+ return MBEDTLS_ERR_PKCS5_INVALID_FORMAT;
+ }
+
+ if (mode == MBEDTLS_PKCS5_DECRYPT) {
+ if (output_size < datalen) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ }
+
+ if (mode == MBEDTLS_PKCS5_ENCRYPT) {
+ padlen = cipher_info->block_size - (datalen % cipher_info->block_size);
+ if (output_size < (datalen + padlen)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ }
+
+ mbedtls_cipher_init(&cipher_ctx);
+
+ memcpy(iv, enc_scheme_params.p, enc_scheme_params.len);
+
+ if ((ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, pwd, pwdlen, salt.p,
+ salt.len, iterations, keylen,
+ key)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&cipher_ctx, key, 8 * keylen,
+ (mbedtls_operation_t) mode)) != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+ {
+ /* PKCS5 uses CBC with PKCS7 padding (which is the same as
+ * "PKCS5 padding" except that it's typically only called PKCS5
+ * with 64-bit-block ciphers).
+ */
+ mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
+#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+ /* For historical reasons, when decrypting, this function works when
+ * decrypting even when support for PKCS7 padding is disabled. In this
+ * case, it ignores the padding, and so will never report a
+ * password mismatch.
+ */
+ if (mode == MBEDTLS_DECRYPT) {
+ padding = MBEDTLS_PADDING_NONE;
+ }
+#endif
+ if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
+ goto exit;
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+ if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
+ data, datalen, output, output_len)) != 0) {
+ ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
+ }
+
+exit:
+ mbedtls_cipher_free(&cipher_ctx);
+
+ return ret;
+}
+#endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */
+
+static int pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
+ const unsigned char *password,
+ size_t plen, const unsigned char *salt, size_t slen,
+ unsigned int iteration_count,
+ uint32_t key_length, unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned int i;
+ unsigned char md1[MBEDTLS_MD_MAX_SIZE];
+ unsigned char work[MBEDTLS_MD_MAX_SIZE];
+ unsigned char md_size = mbedtls_md_get_size(ctx->md_info);
+ size_t use_len;
+ unsigned char *out_p = output;
+ unsigned char counter[4];
+
+ memset(counter, 0, 4);
+ counter[3] = 1;
+
+#if UINT_MAX > 0xFFFFFFFF
+ if (iteration_count > 0xFFFFFFFF) {
+ return MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA;
+ }
+#endif
+
+ if ((ret = mbedtls_md_hmac_starts(ctx, password, plen)) != 0) {
+ return ret;
+ }
+ while (key_length) {
+ // U1 ends up in work
+ //
+ if ((ret = mbedtls_md_hmac_update(ctx, salt, slen)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_update(ctx, counter, 4)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_finish(ctx, work)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_reset(ctx)) != 0) {
+ goto cleanup;
+ }
+
+ memcpy(md1, work, md_size);
+
+ for (i = 1; i < iteration_count; i++) {
+ // U2 ends up in md1
+ //
+ if ((ret = mbedtls_md_hmac_update(ctx, md1, md_size)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_finish(ctx, md1)) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_md_hmac_reset(ctx)) != 0) {
+ goto cleanup;
+ }
+
+ // U1 xor U2
+ //
+ mbedtls_xor(work, work, md1, md_size);
+ }
+
+ use_len = (key_length < md_size) ? key_length : md_size;
+ memcpy(out_p, work, use_len);
+
+ key_length -= (uint32_t) use_len;
+ out_p += use_len;
+
+ for (i = 4; i > 0; i--) {
+ if (++counter[i - 1] != 0) {
+ break;
+ }
+ }
+ }
+
+cleanup:
+ /* Zeroise buffers to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(work, MBEDTLS_MD_MAX_SIZE);
+ mbedtls_platform_zeroize(md1, MBEDTLS_MD_MAX_SIZE);
+
+ return ret;
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
+ const unsigned char *password,
+ size_t plen, const unsigned char *salt, size_t slen,
+ unsigned int iteration_count,
+ uint32_t key_length, unsigned char *output)
+{
+ return pkcs5_pbkdf2_hmac(ctx, password, plen, salt, slen, iteration_count,
+ key_length, output);
+}
+#endif
+
+int mbedtls_pkcs5_pbkdf2_hmac_ext(mbedtls_md_type_t md_alg,
+ const unsigned char *password,
+ size_t plen, const unsigned char *salt, size_t slen,
+ unsigned int iteration_count,
+ uint32_t key_length, unsigned char *output)
+{
+ mbedtls_md_context_t md_ctx;
+ const mbedtls_md_info_t *md_info = NULL;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE;
+ }
+
+ mbedtls_md_init(&md_ctx);
+
+ if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
+ goto exit;
+ }
+ ret = pkcs5_pbkdf2_hmac(&md_ctx, password, plen, salt, slen,
+ iteration_count, key_length, output);
+exit:
+ mbedtls_md_free(&md_ctx);
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_MD_CAN_SHA1)
+int mbedtls_pkcs5_self_test(int verbose)
+{
+ if (verbose != 0) {
+ mbedtls_printf(" PBKDF2 (SHA1): skipped\n\n");
+ }
+
+ return 0;
+}
+#else
+
+#define MAX_TESTS 6
+
+static const size_t plen_test_data[MAX_TESTS] =
+{ 8, 8, 8, 24, 9 };
+
+static const unsigned char password_test_data[MAX_TESTS][32] =
+{
+ "password",
+ "password",
+ "password",
+ "passwordPASSWORDpassword",
+ "pass\0word",
+};
+
+static const size_t slen_test_data[MAX_TESTS] =
+{ 4, 4, 4, 36, 5 };
+
+static const unsigned char salt_test_data[MAX_TESTS][40] =
+{
+ "salt",
+ "salt",
+ "salt",
+ "saltSALTsaltSALTsaltSALTsaltSALTsalt",
+ "sa\0lt",
+};
+
+static const uint32_t it_cnt_test_data[MAX_TESTS] =
+{ 1, 2, 4096, 4096, 4096 };
+
+static const uint32_t key_len_test_data[MAX_TESTS] =
+{ 20, 20, 20, 25, 16 };
+
+static const unsigned char result_key_test_data[MAX_TESTS][32] =
+{
+ { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
+ 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
+ 0x2f, 0xe0, 0x37, 0xa6 },
+ { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
+ 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
+ 0xd8, 0xde, 0x89, 0x57 },
+ { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
+ 0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
+ 0x65, 0xa4, 0x29, 0xc1 },
+ { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
+ 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
+ 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
+ 0x38 },
+ { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
+ 0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
+};
+
+int mbedtls_pkcs5_self_test(int verbose)
+{
+ int ret, i;
+ unsigned char key[64];
+
+ for (i = 0; i < MAX_TESTS; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" PBKDF2 (SHA1) #%d: ", i);
+ }
+
+ ret = mbedtls_pkcs5_pbkdf2_hmac_ext(MBEDTLS_MD_SHA1, password_test_data[i],
+ plen_test_data[i], salt_test_data[i],
+ slen_test_data[i], it_cnt_test_data[i],
+ key_len_test_data[i], key);
+ if (ret != 0 ||
+ memcmp(result_key_test_data[i], key, key_len_test_data[i]) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto exit;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+exit:
+ return ret;
+}
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_PKCS5_C */
diff --git a/library/pkcs7.c b/library/pkcs7.c
new file mode 100644
index 0000000..3aac662
--- /dev/null
+++ b/library/pkcs7.c
@@ -0,0 +1,773 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#include "common.h"
+
+#include "mbedtls/build_info.h"
+#if defined(MBEDTLS_PKCS7_C)
+#include "mbedtls/pkcs7.h"
+#include "x509_internal.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_FS_IO)
+#include <sys/types.h>
+#include <sys/stat.h>
+#endif
+
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include <time.h>
+#endif
+
+/**
+ * Initializes the mbedtls_pkcs7 structure.
+ */
+void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7)
+{
+ memset(pkcs7, 0, sizeof(*pkcs7));
+}
+
+static int pkcs7_get_next_content_len(unsigned char **p, unsigned char *end,
+ size_t *len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+ if (ret != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
+ } else if ((size_t) (end - *p) != *len) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return ret;
+}
+
+/**
+ * version Version
+ * Version ::= INTEGER
+ **/
+static int pkcs7_get_version(unsigned char **p, unsigned char *end, int *ver)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_asn1_get_int(p, end, ver);
+ if (ret != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_VERSION, ret);
+ }
+
+ /* If version != 1, return invalid version */
+ if (*ver != MBEDTLS_PKCS7_SUPPORTED_VERSION) {
+ ret = MBEDTLS_ERR_PKCS7_INVALID_VERSION;
+ }
+
+ return ret;
+}
+
+/**
+ * ContentInfo ::= SEQUENCE {
+ * contentType ContentType,
+ * content
+ * [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+ **/
+static int pkcs7_get_content_info_type(unsigned char **p, unsigned char *end,
+ unsigned char **seq_end,
+ mbedtls_pkcs7_buf *pkcs7)
+{
+ size_t len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *start = *p;
+
+ ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE);
+ if (ret != 0) {
+ *p = start;
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
+ }
+ *seq_end = *p + len;
+ ret = mbedtls_asn1_get_tag(p, *seq_end, &len, MBEDTLS_ASN1_OID);
+ if (ret != 0) {
+ *p = start;
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
+ }
+
+ pkcs7->tag = MBEDTLS_ASN1_OID;
+ pkcs7->len = len;
+ pkcs7->p = *p;
+ *p += len;
+
+ return ret;
+}
+
+/**
+ * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+ *
+ * This is from x509.h
+ **/
+static int pkcs7_get_digest_algorithm(unsigned char **p, unsigned char *end,
+ mbedtls_x509_buf *alg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_asn1_get_alg_null(p, end, alg)) != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_ALG, ret);
+ }
+
+ return ret;
+}
+
+/**
+ * DigestAlgorithmIdentifiers :: SET of DigestAlgorithmIdentifier
+ **/
+static int pkcs7_get_digest_algorithm_set(unsigned char **p,
+ unsigned char *end,
+ mbedtls_x509_buf *alg)
+{
+ size_t len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SET);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_ALG, ret);
+ }
+
+ end = *p + len;
+
+ ret = mbedtls_asn1_get_alg_null(p, end, alg);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_ALG, ret);
+ }
+
+ /** For now, it assumes there is only one digest algorithm specified **/
+ if (*p != end) {
+ return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
+ }
+
+ return 0;
+}
+
+/**
+ * certificates :: SET OF ExtendedCertificateOrCertificate,
+ * ExtendedCertificateOrCertificate ::= CHOICE {
+ * certificate Certificate -- x509,
+ * extendedCertificate[0] IMPLICIT ExtendedCertificate }
+ * Return number of certificates added to the signed data,
+ * 0 or higher is valid.
+ * Return negative error code for failure.
+ **/
+static int pkcs7_get_certificates(unsigned char **p, unsigned char *end,
+ mbedtls_x509_crt *certs)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len1 = 0;
+ size_t len2 = 0;
+ unsigned char *end_set, *end_cert, *start;
+
+ ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return 0;
+ }
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
+ }
+ start = *p;
+ end_set = *p + len1;
+
+ ret = mbedtls_asn1_get_tag(p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret);
+ }
+
+ end_cert = *p + len2;
+
+ /*
+ * This is to verify that there is only one signer certificate. It seems it is
+ * not easy to differentiate between the chain vs different signer's certificate.
+ * So, we support only the root certificate and the single signer.
+ * The behaviour would be improved with addition of multiple signer support.
+ */
+ if (end_cert != end_set) {
+ return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
+ }
+
+ if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) {
+ return MBEDTLS_ERR_PKCS7_INVALID_CERT;
+ }
+
+ *p = end_cert;
+
+ /*
+ * Since in this version we strictly support single certificate, and reaching
+ * here implies we have parsed successfully, we return 1.
+ */
+ return 1;
+}
+
+/**
+ * EncryptedDigest ::= OCTET STRING
+ **/
+static int pkcs7_get_signature(unsigned char **p, unsigned char *end,
+ mbedtls_pkcs7_buf *signature)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+ if (ret != 0) {
+ return ret;
+ }
+
+ signature->tag = MBEDTLS_ASN1_OCTET_STRING;
+ signature->len = len;
+ signature->p = *p;
+
+ *p = *p + len;
+
+ return 0;
+}
+
+static void pkcs7_free_signer_info(mbedtls_pkcs7_signer_info *signer)
+{
+ mbedtls_x509_name *name_cur;
+ mbedtls_x509_name *name_prv;
+
+ if (signer == NULL) {
+ return;
+ }
+
+ name_cur = signer->issuer.next;
+ while (name_cur != NULL) {
+ name_prv = name_cur;
+ name_cur = name_cur->next;
+ mbedtls_free(name_prv);
+ }
+ signer->issuer.next = NULL;
+}
+
+/**
+ * SignerInfo ::= SEQUENCE {
+ * version Version;
+ * issuerAndSerialNumber IssuerAndSerialNumber,
+ * digestAlgorithm DigestAlgorithmIdentifier,
+ * authenticatedAttributes
+ * [0] IMPLICIT Attributes OPTIONAL,
+ * digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
+ * encryptedDigest EncryptedDigest,
+ * unauthenticatedAttributes
+ * [1] IMPLICIT Attributes OPTIONAL,
+ * Returns 0 if the signerInfo is valid.
+ * Return negative error code for failure.
+ * Structure must not contain vales for authenticatedAttributes
+ * and unauthenticatedAttributes.
+ **/
+static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
+ mbedtls_pkcs7_signer_info *signer,
+ mbedtls_x509_buf *alg)
+{
+ unsigned char *end_signer, *end_issuer_and_sn;
+ int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ asn1_ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE);
+ if (asn1_ret != 0) {
+ goto out;
+ }
+
+ end_signer = *p + len;
+
+ ret = pkcs7_get_version(p, end_signer, &signer->version);
+ if (ret != 0) {
+ goto out;
+ }
+
+ asn1_ret = mbedtls_asn1_get_tag(p, end_signer, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ if (asn1_ret != 0) {
+ goto out;
+ }
+
+ end_issuer_and_sn = *p + len;
+ /* Parsing IssuerAndSerialNumber */
+ signer->issuer_raw.p = *p;
+
+ asn1_ret = mbedtls_asn1_get_tag(p, end_issuer_and_sn, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ if (asn1_ret != 0) {
+ goto out;
+ }
+
+ ret = mbedtls_x509_get_name(p, *p + len, &signer->issuer);
+ if (ret != 0) {
+ goto out;
+ }
+
+ signer->issuer_raw.len = (size_t) (*p - signer->issuer_raw.p);
+
+ ret = mbedtls_x509_get_serial(p, end_issuer_and_sn, &signer->serial);
+ if (ret != 0) {
+ goto out;
+ }
+
+ /* ensure no extra or missing bytes */
+ if (*p != end_issuer_and_sn) {
+ ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
+ goto out;
+ }
+
+ ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->alg_identifier);
+ if (ret != 0) {
+ goto out;
+ }
+
+ /* Check that the digest algorithm used matches the one provided earlier */
+ if (signer->alg_identifier.tag != alg->tag ||
+ signer->alg_identifier.len != alg->len ||
+ memcmp(signer->alg_identifier.p, alg->p, alg->len) != 0) {
+ ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
+ goto out;
+ }
+
+ /* Assume authenticatedAttributes is nonexistent */
+ ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->sig_alg_identifier);
+ if (ret != 0) {
+ goto out;
+ }
+
+ ret = pkcs7_get_signature(p, end_signer, &signer->sig);
+ if (ret != 0) {
+ goto out;
+ }
+
+ /* Do not permit any unauthenticated attributes */
+ if (*p != end_signer) {
+ ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
+ }
+
+out:
+ if (asn1_ret != 0 || ret != 0) {
+ pkcs7_free_signer_info(signer);
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,
+ asn1_ret);
+ }
+
+ return ret;
+}
+
+/**
+ * SignerInfos ::= SET of SignerInfo
+ * Return number of signers added to the signed data,
+ * 0 or higher is valid.
+ * Return negative error code for failure.
+ **/
+static int pkcs7_get_signers_info_set(unsigned char **p, unsigned char *end,
+ mbedtls_pkcs7_signer_info *signers_set,
+ mbedtls_x509_buf *digest_alg)
+{
+ unsigned char *end_set;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int count = 0;
+ size_t len = 0;
+
+ ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SET);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, ret);
+ }
+
+ /* Detect zero signers */
+ if (len == 0) {
+ return 0;
+ }
+
+ end_set = *p + len;
+
+ ret = pkcs7_get_signer_info(p, end_set, signers_set, digest_alg);
+ if (ret != 0) {
+ return ret;
+ }
+ count++;
+
+ mbedtls_pkcs7_signer_info *prev = signers_set;
+ while (*p != end_set) {
+ mbedtls_pkcs7_signer_info *signer =
+ mbedtls_calloc(1, sizeof(mbedtls_pkcs7_signer_info));
+ if (!signer) {
+ ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ ret = pkcs7_get_signer_info(p, end_set, signer, digest_alg);
+ if (ret != 0) {
+ mbedtls_free(signer);
+ goto cleanup;
+ }
+ prev->next = signer;
+ prev = signer;
+ count++;
+ }
+
+ return count;
+
+cleanup:
+ pkcs7_free_signer_info(signers_set);
+ mbedtls_pkcs7_signer_info *signer = signers_set->next;
+ while (signer != NULL) {
+ prev = signer;
+ signer = signer->next;
+ pkcs7_free_signer_info(prev);
+ mbedtls_free(prev);
+ }
+ signers_set->next = NULL;
+ return ret;
+}
+
+/**
+ * SignedData ::= SEQUENCE {
+ * version Version,
+ * digestAlgorithms DigestAlgorithmIdentifiers,
+ * contentInfo ContentInfo,
+ * certificates
+ * [0] IMPLICIT ExtendedCertificatesAndCertificates
+ * OPTIONAL,
+ * crls
+ * [0] IMPLICIT CertificateRevocationLists OPTIONAL,
+ * signerInfos SignerInfos }
+ */
+static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
+ mbedtls_pkcs7_signed_data *signed_data)
+{
+ unsigned char *p = buf;
+ unsigned char *end = buf + buflen;
+ unsigned char *end_content_info = NULL;
+ size_t len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_alg;
+
+ ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
+ }
+
+ if (p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /* Get version of signed data */
+ ret = pkcs7_get_version(&p, end, &signed_data->version);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Get digest algorithm */
+ ret = pkcs7_get_digest_algorithm_set(&p, end,
+ &signed_data->digest_alg_identifiers);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_oid_get_md_alg(&signed_data->digest_alg_identifiers, &md_alg);
+ if (ret != 0) {
+ return MBEDTLS_ERR_PKCS7_INVALID_ALG;
+ }
+
+ mbedtls_pkcs7_buf content_type;
+ memset(&content_type, 0, sizeof(content_type));
+ ret = pkcs7_get_content_info_type(&p, end, &end_content_info, &content_type);
+ if (ret != 0) {
+ return ret;
+ }
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
+ return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
+ }
+
+ if (p != end_content_info) {
+ /* Determine if valid content is present */
+ ret = mbedtls_asn1_get_tag(&p,
+ end_content_info,
+ &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
+ }
+ p += len;
+ if (p != end_content_info) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
+ }
+ /* Valid content is present - this is not supported */
+ return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
+ }
+
+ /* Look for certificates, there may or may not be any */
+ mbedtls_x509_crt_init(&signed_data->certs);
+ ret = pkcs7_get_certificates(&p, end, &signed_data->certs);
+ if (ret < 0) {
+ return ret;
+ }
+
+ signed_data->no_of_certs = ret;
+
+ /*
+ * Currently CRLs are not supported. If CRL exist, the parsing will fail
+ * at next step of getting signers info and return error as invalid
+ * signer info.
+ */
+
+ signed_data->no_of_crls = 0;
+
+ /* Get signers info */
+ ret = pkcs7_get_signers_info_set(&p,
+ end,
+ &signed_data->signers,
+ &signed_data->digest_alg_identifiers);
+ if (ret < 0) {
+ return ret;
+ }
+
+ signed_data->no_of_signers = ret;
+
+ /* Don't permit trailing data */
+ if (p != end) {
+ return MBEDTLS_ERR_PKCS7_INVALID_FORMAT;
+ }
+
+ return 0;
+}
+
+int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
+ const size_t buflen)
+{
+ unsigned char *p;
+ unsigned char *end;
+ size_t len = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (pkcs7 == NULL) {
+ return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
+
+ /* make an internal copy of the buffer for parsing */
+ pkcs7->raw.p = p = mbedtls_calloc(1, buflen);
+ if (pkcs7->raw.p == NULL) {
+ ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
+ goto out;
+ }
+ memcpy(p, buf, buflen);
+ pkcs7->raw.len = buflen;
+ end = p + buflen;
+
+ ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE);
+ if (ret != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
+ goto out;
+ }
+
+ if ((size_t) (end - p) != len) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ goto out;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
+ if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ goto out;
+ }
+ p = pkcs7->raw.p;
+ len = buflen;
+ goto try_data;
+ }
+
+ if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_DATA, p, len)) {
+ /* OID is not MBEDTLS_OID_PKCS7_SIGNED_DATA, which is the only supported feature */
+ if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DIGESTED_DATA, p, len)) {
+ /* OID is valid according to the spec, but unsupported */
+ ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
+ } else {
+ /* OID is invalid according to the spec */
+ ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
+ goto out;
+ }
+
+ p += len;
+
+ ret = pkcs7_get_next_content_len(&p, end, &len);
+ if (ret != 0) {
+ goto out;
+ }
+
+ /* ensure no extra/missing data */
+ if (p + len != end) {
+ ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ goto out;
+ }
+
+try_data:
+ ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data);
+ if (ret != 0) {
+ goto out;
+ }
+
+ ret = MBEDTLS_PKCS7_SIGNED_DATA;
+
+out:
+ if (ret < 0) {
+ mbedtls_pkcs7_free(pkcs7);
+ }
+
+ return ret;
+}
+
+static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *data,
+ size_t datalen,
+ const int is_data_hash)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *hash;
+ mbedtls_pk_context pk_cxt = cert->pk;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_type_t md_alg;
+ mbedtls_pkcs7_signer_info *signer;
+
+ if (pkcs7->signed_data.no_of_signers == 0) {
+ return MBEDTLS_ERR_PKCS7_INVALID_CERT;
+ }
+
+ if (mbedtls_x509_time_is_past(&cert->valid_to) ||
+ mbedtls_x509_time_is_future(&cert->valid_from)) {
+ return MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID;
+ }
+
+ ret = mbedtls_oid_get_md_alg(&pkcs7->signed_data.digest_alg_identifiers, &md_alg);
+ if (ret != 0) {
+ return ret;
+ }
+
+ md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ }
+
+ hash = mbedtls_calloc(mbedtls_md_get_size(md_info), 1);
+ if (hash == NULL) {
+ return MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
+ }
+
+ /* BEGIN must free hash before jumping out */
+ if (is_data_hash) {
+ if (datalen != mbedtls_md_get_size(md_info)) {
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ } else {
+ memcpy(hash, data, datalen);
+ }
+ } else {
+ ret = mbedtls_md(md_info, data, datalen, hash);
+ }
+ if (ret != 0) {
+ mbedtls_free(hash);
+ return MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ }
+
+ /* assume failure */
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+
+ /*
+ * Potential TODOs
+ * Currently we iterate over all signers and return success if any of them
+ * verify.
+ *
+ * However, we could make this better by checking against the certificate's
+ * identification and SignerIdentifier fields first. That would also allow
+ * us to distinguish between 'no signature for key' and 'signature for key
+ * failed to validate'.
+ */
+ for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) {
+ ret = mbedtls_pk_verify(&pk_cxt, md_alg, hash,
+ mbedtls_md_get_size(md_info),
+ signer->sig.p, signer->sig.len);
+
+ if (ret == 0) {
+ break;
+ }
+ }
+
+ mbedtls_free(hash);
+ /* END must free hash before jumping out */
+ return ret;
+}
+
+int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *data,
+ size_t datalen)
+{
+ if (data == NULL) {
+ return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
+ return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, data, datalen, 0);
+}
+
+int mbedtls_pkcs7_signed_hash_verify(mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *hash,
+ size_t hashlen)
+{
+ if (hash == NULL) {
+ return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
+ return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, hash, hashlen, 1);
+}
+
+/*
+ * Unallocate all pkcs7 data
+ */
+void mbedtls_pkcs7_free(mbedtls_pkcs7 *pkcs7)
+{
+ mbedtls_pkcs7_signer_info *signer_cur;
+ mbedtls_pkcs7_signer_info *signer_prev;
+
+ if (pkcs7 == NULL || pkcs7->raw.p == NULL) {
+ return;
+ }
+
+ mbedtls_free(pkcs7->raw.p);
+
+ mbedtls_x509_crt_free(&pkcs7->signed_data.certs);
+ mbedtls_x509_crl_free(&pkcs7->signed_data.crl);
+
+ signer_cur = pkcs7->signed_data.signers.next;
+ pkcs7_free_signer_info(&pkcs7->signed_data.signers);
+ while (signer_cur != NULL) {
+ signer_prev = signer_cur;
+ signer_cur = signer_prev->next;
+ pkcs7_free_signer_info(signer_prev);
+ mbedtls_free(signer_prev);
+ }
+
+ pkcs7->raw.p = NULL;
+}
+
+#endif
diff --git a/library/pkparse.c b/library/pkparse.c
new file mode 100644
index 0000000..4f6ee13
--- /dev/null
+++ b/library/pkparse.c
@@ -0,0 +1,1392 @@
+/*
+ * Public Key layer for parsing key files and structures
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PK_PARSE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/error.h"
+#include "mbedtls/ecp.h"
+#include "pk_internal.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
+#include "psa/crypto.h"
+#endif
+
+/* Key types */
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#include "rsa_internal.h"
+#endif
+
+/* Extended formats */
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+#if defined(MBEDTLS_PKCS5_C)
+#include "mbedtls/pkcs5.h"
+#endif
+#if defined(MBEDTLS_PKCS12_C)
+#include "mbedtls/pkcs12.h"
+#endif
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+
+/***********************************************************************
+ *
+ * Low-level ECC parsing: optional support for SpecifiedECDomain
+ *
+ * There are two functions here that are used by the rest of the code:
+ * - pk_ecc_tag_is_speficied_ec_domain()
+ * - pk_ecc_group_id_from_specified()
+ *
+ * All the other functions are internal to this section.
+ *
+ * The two "public" functions have a dummy variant provided
+ * in configs without MBEDTLS_PK_PARSE_EC_EXTENDED. This acts as an
+ * abstraction layer for this macro, which should not appear outside
+ * this section.
+ *
+ **********************************************************************/
+
+#if !defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+/* See the "real" version for documentation */
+static int pk_ecc_tag_is_specified_ec_domain(int tag)
+{
+ (void) tag;
+ return 0;
+}
+
+/* See the "real" version for documentation */
+static int pk_ecc_group_id_from_specified(const mbedtls_asn1_buf *params,
+ mbedtls_ecp_group_id *grp_id)
+{
+ (void) params;
+ (void) grp_id;
+ return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+}
+#else /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+/*
+ * Tell if the passed tag might be the start of SpecifiedECDomain
+ * (that is, a sequence).
+ */
+static int pk_ecc_tag_is_specified_ec_domain(int tag)
+{
+ return tag == (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+}
+
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
+ * WARNING: the resulting group should only be used with
+ * pk_ecc_group_id_from_specified(), since its base point may not be set correctly
+ * if it was encoded compressed.
+ *
+ * SpecifiedECDomain ::= SEQUENCE {
+ * version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
+ * fieldID FieldID {{FieldTypes}},
+ * curve Curve,
+ * base ECPoint,
+ * order INTEGER,
+ * cofactor INTEGER OPTIONAL,
+ * hash HashAlgorithm OPTIONAL,
+ * ...
+ * }
+ *
+ * We only support prime-field as field type, and ignore hash and cofactor.
+ */
+static int pk_group_from_specified(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = params->p;
+ const unsigned char *const end = params->p + params->len;
+ const unsigned char *end_field, *end_curve;
+ size_t len;
+ int ver;
+
+ /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
+ if ((ret = mbedtls_asn1_get_int(&p, end, &ver)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (ver < 1 || ver > 3) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ /*
+ * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
+ * fieldType FIELD-ID.&id({IOSet}),
+ * parameters FIELD-ID.&Type({IOSet}{@fieldType})
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ end_field = p + len;
+
+ /*
+ * FIELD-ID ::= TYPE-IDENTIFIER
+ * FieldTypes FIELD-ID ::= {
+ * { Prime-p IDENTIFIED BY prime-field } |
+ * { Characteristic-two IDENTIFIED BY characteristic-two-field }
+ * }
+ * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end_field, &len, MBEDTLS_ASN1_OID)) != 0) {
+ return ret;
+ }
+
+ if (len != MBEDTLS_OID_SIZE(MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD) ||
+ memcmp(p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len) != 0) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+
+ p += len;
+
+ /* Prime-p ::= INTEGER -- Field of size p. */
+ if ((ret = mbedtls_asn1_get_mpi(&p, end_field, &grp->P)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ grp->pbits = mbedtls_mpi_bitlen(&grp->P);
+
+ if (p != end_field) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * Curve ::= SEQUENCE {
+ * a FieldElement,
+ * b FieldElement,
+ * seed BIT STRING OPTIONAL
+ * -- Shall be present if used in SpecifiedECDomain
+ * -- with version equal to ecdpVer2 or ecdpVer3
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ end_curve = p + len;
+
+ /*
+ * FieldElement ::= OCTET STRING
+ * containing an integer in the case of a prime field
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 ||
+ (ret = mbedtls_mpi_read_binary(&grp->A, p, len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ p += len;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0 ||
+ (ret = mbedtls_mpi_read_binary(&grp->B, p, len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ p += len;
+
+ /* Ignore seed BIT STRING OPTIONAL */
+ if ((ret = mbedtls_asn1_get_tag(&p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING)) == 0) {
+ p += len;
+ }
+
+ if (p != end_curve) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * ECPoint ::= OCTET STRING
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if ((ret = mbedtls_ecp_point_read_binary(grp, &grp->G,
+ (const unsigned char *) p, len)) != 0) {
+ /*
+ * If we can't read the point because it's compressed, cheat by
+ * reading only the X coordinate and the parity bit of Y.
+ */
+ if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
+ (p[0] != 0x02 && p[0] != 0x03) ||
+ len != mbedtls_mpi_size(&grp->P) + 1 ||
+ mbedtls_mpi_read_binary(&grp->G.X, p + 1, len - 1) != 0 ||
+ mbedtls_mpi_lset(&grp->G.Y, p[0] - 2) != 0 ||
+ mbedtls_mpi_lset(&grp->G.Z, 1) != 0) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+ }
+
+ p += len;
+
+ /*
+ * order INTEGER
+ */
+ if ((ret = mbedtls_asn1_get_mpi(&p, end, &grp->N)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ grp->nbits = mbedtls_mpi_bitlen(&grp->N);
+
+ /*
+ * Allow optional elements by purposefully not enforcing p == end here.
+ */
+
+ return 0;
+}
+
+/*
+ * Find the group id associated with an (almost filled) group as generated by
+ * pk_group_from_specified(), or return an error if unknown.
+ */
+static int pk_group_id_from_group(const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id)
+{
+ int ret = 0;
+ mbedtls_ecp_group ref;
+ const mbedtls_ecp_group_id *id;
+
+ mbedtls_ecp_group_init(&ref);
+
+ for (id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++) {
+ /* Load the group associated to that id */
+ mbedtls_ecp_group_free(&ref);
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ref, *id));
+
+ /* Compare to the group we were given, starting with easy tests */
+ if (grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
+ mbedtls_mpi_cmp_mpi(&grp->P, &ref.P) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->A, &ref.A) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->B, &ref.B) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->N, &ref.N) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->G.X, &ref.G.X) == 0 &&
+ mbedtls_mpi_cmp_mpi(&grp->G.Z, &ref.G.Z) == 0 &&
+ /* For Y we may only know the parity bit, so compare only that */
+ mbedtls_mpi_get_bit(&grp->G.Y, 0) == mbedtls_mpi_get_bit(&ref.G.Y, 0)) {
+ break;
+ }
+ }
+
+cleanup:
+ mbedtls_ecp_group_free(&ref);
+
+ *grp_id = *id;
+
+ if (ret == 0 && *id == MBEDTLS_ECP_DP_NONE) {
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+ return ret;
+}
+
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
+ */
+static int pk_ecc_group_id_from_specified(const mbedtls_asn1_buf *params,
+ mbedtls_ecp_group_id *grp_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group grp;
+
+ mbedtls_ecp_group_init(&grp);
+
+ if ((ret = pk_group_from_specified(params, &grp)) != 0) {
+ goto cleanup;
+ }
+
+ ret = pk_group_id_from_group(&grp, grp_id);
+
+cleanup:
+ /* The API respecting lifecycle for mbedtls_ecp_group struct is
+ * _init(), _load() and _free(). In pk_ecc_group_id_from_specified() the
+ * temporary grp breaks that flow and it's members are populated
+ * by pk_group_id_from_group(). As such mbedtls_ecp_group_free()
+ * which is assuming a group populated by _setup() may not clean-up
+ * properly -> Manually free it's members.
+ */
+ mbedtls_mpi_free(&grp.N);
+ mbedtls_mpi_free(&grp.P);
+ mbedtls_mpi_free(&grp.A);
+ mbedtls_mpi_free(&grp.B);
+ mbedtls_ecp_point_free(&grp.G);
+
+ return ret;
+}
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+
+/***********************************************************************
+ *
+ * Unsorted (yet!) from this point on until the next section header
+ *
+ **********************************************************************/
+
+/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
+ *
+ * ECParameters ::= CHOICE {
+ * namedCurve OBJECT IDENTIFIER
+ * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
+ * -- implicitCurve NULL
+ * }
+ */
+static int pk_get_ecparams(unsigned char **p, const unsigned char *end,
+ mbedtls_asn1_buf *params)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (end - *p < 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ /* Acceptable tags: OID for namedCurve, or specifiedECDomain */
+ params->tag = **p;
+ if (params->tag != MBEDTLS_ASN1_OID &&
+ !pk_ecc_tag_is_specified_ec_domain(params->tag)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, ¶ms->len, params->tag)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ params->p = *p;
+ *p += params->len;
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Use EC parameters to initialise an EC group
+ *
+ * ECParameters ::= CHOICE {
+ * namedCurve OBJECT IDENTIFIER
+ * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
+ * -- implicitCurve NULL
+ */
+static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_pk_context *pk)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_group_id grp_id;
+
+ if (params->tag == MBEDTLS_ASN1_OID) {
+ if (mbedtls_oid_get_ec_grp(params, &grp_id) != 0) {
+ return MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE;
+ }
+ } else {
+ ret = pk_ecc_group_id_from_specified(params, &grp_id);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ return mbedtls_pk_ecc_set_group(pk, grp_id);
+}
+
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+
+/*
+ * Load an RFC8410 EC key, which doesn't have any parameters
+ */
+static int pk_use_ecparams_rfc8410(const mbedtls_asn1_buf *params,
+ mbedtls_ecp_group_id grp_id,
+ mbedtls_pk_context *pk)
+{
+ if (params->tag != 0 || params->len != 0) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ return mbedtls_pk_ecc_set_group(pk, grp_id);
+}
+
+/*
+ * Parse an RFC 8410 encoded private EC key
+ *
+ * CurvePrivateKey ::= OCTET STRING
+ */
+static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk,
+ unsigned char *key, size_t keylen, const unsigned char *end,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(&key, (key + keylen), &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (key + len != end) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+ /*
+ * Load the private key
+ */
+ ret = mbedtls_pk_ecc_set_key(pk, key, len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* pk_parse_key_pkcs8_unencrypted_der() only supports version 1 PKCS8 keys,
+ * which never contain a public key. As such, derive the public key
+ * unconditionally. */
+ if ((ret = mbedtls_pk_ecc_set_pubkey_from_prv(pk, key, len, f_rng, p_rng)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/* Get a PK algorithm identifier
+ *
+ * AlgorithmIdentifier ::= SEQUENCE {
+ * algorithm OBJECT IDENTIFIER,
+ * parameters ANY DEFINED BY algorithm OPTIONAL }
+ */
+static int pk_get_pk_alg(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params,
+ mbedtls_ecp_group_id *ec_grp_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_asn1_buf alg_oid;
+
+ memset(params, 0, sizeof(mbedtls_asn1_buf));
+
+ if ((ret = mbedtls_asn1_get_alg(p, end, &alg_oid, params)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_ALG, ret);
+ }
+
+ ret = mbedtls_oid_get_pk_alg(&alg_oid, pk_alg);
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (ret == MBEDTLS_ERR_OID_NOT_FOUND) {
+ ret = mbedtls_oid_get_ec_grp_algid(&alg_oid, ec_grp_id);
+ if (ret == 0) {
+ *pk_alg = MBEDTLS_PK_ECKEY;
+ }
+ }
+#else
+ (void) ec_grp_id;
+#endif
+ if (ret != 0) {
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ /*
+ * No parameters with RSA (only for EC)
+ */
+ if (*pk_alg == MBEDTLS_PK_RSA &&
+ ((params->tag != MBEDTLS_ASN1_NULL && params->tag != 0) ||
+ params->len != 0)) {
+ return MBEDTLS_ERR_PK_INVALID_ALG;
+ }
+
+ return 0;
+}
+
+/*
+ * SubjectPublicKeyInfo ::= SEQUENCE {
+ * algorithm AlgorithmIdentifier,
+ * subjectPublicKey BIT STRING }
+ */
+int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
+ mbedtls_pk_context *pk)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ mbedtls_asn1_buf alg_params;
+ mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+ mbedtls_ecp_group_id ec_grp_id = MBEDTLS_ECP_DP_NONE;
+ const mbedtls_pk_info_t *pk_info;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ end = *p + len;
+
+ if ((ret = pk_get_pk_alg(p, end, &pk_alg, &alg_params, &ec_grp_id)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_asn1_get_bitstring_null(p, end, &len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
+ }
+
+ if (*p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) {
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_RSA_C)
+ if (pk_alg == MBEDTLS_PK_RSA) {
+ ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*pk), *p, (size_t) (end - *p));
+ if (ret == 0) {
+ /* On success all the input has been consumed by the parsing function. */
+ *p += end - *p;
+ } else if ((ret <= MBEDTLS_ERR_ASN1_OUT_OF_DATA) &&
+ (ret >= MBEDTLS_ERR_ASN1_BUF_TOO_SMALL)) {
+ /* In case of ASN1 error codes add MBEDTLS_ERR_PK_INVALID_PUBKEY. */
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY, ret);
+ } else {
+ ret = MBEDTLS_ERR_PK_INVALID_PUBKEY;
+ }
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY) {
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+ if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
+ ret = pk_use_ecparams_rfc8410(&alg_params, ec_grp_id, pk);
+ } else
+#endif
+ {
+ ret = pk_use_ecparams(&alg_params, pk);
+ }
+ if (ret == 0) {
+ ret = mbedtls_pk_ecc_set_pubkey(pk, *p, (size_t) (end - *p));
+ *p += end - *p;
+ }
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+
+ if (ret == 0 && *p != end) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_INVALID_PUBKEY,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if (ret != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ return ret;
+}
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+/*
+ * Parse a SEC1 encoded private EC key
+ */
+static int pk_parse_key_sec1_der(mbedtls_pk_context *pk,
+ const unsigned char *key, size_t keylen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int version, pubkey_done;
+ size_t len, d_len;
+ mbedtls_asn1_buf params = { 0, 0, NULL };
+ unsigned char *p = (unsigned char *) key;
+ unsigned char *d;
+ unsigned char *end = p + keylen;
+ unsigned char *end2;
+
+ /*
+ * RFC 5915, or SEC1 Appendix C.4
+ *
+ * ECPrivateKey ::= SEQUENCE {
+ * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ * privateKey OCTET STRING,
+ * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ * publicKey [1] BIT STRING OPTIONAL
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ end = p + len;
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (version != 1) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_VERSION;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ /* Keep a reference to the position fo the private key. It will be used
+ * later in this function. */
+ d = p;
+ d_len = len;
+
+ p += len;
+
+ pubkey_done = 0;
+ if (p != end) {
+ /*
+ * Is 'parameters' present?
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 0)) == 0) {
+ if ((ret = pk_get_ecparams(&p, p + len, ¶ms)) != 0 ||
+ (ret = pk_use_ecparams(¶ms, pk)) != 0) {
+ return ret;
+ }
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+ }
+
+ /*
+ * Load the private key
+ */
+ ret = mbedtls_pk_ecc_set_key(pk, d, d_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (p != end) {
+ /*
+ * Is 'publickey' present? If not, or if we can't read it (eg because it
+ * is compressed), create it from the private key.
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 1)) == 0) {
+ end2 = p + len;
+
+ if ((ret = mbedtls_asn1_get_bitstring_null(&p, end2, &len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (p + len != end2) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if ((ret = mbedtls_pk_ecc_set_pubkey(pk, p, (size_t) (end2 - p))) == 0) {
+ pubkey_done = 1;
+ } else {
+ /*
+ * The only acceptable failure mode of mbedtls_pk_ecc_set_pubkey() above
+ * is if the point format is not recognized.
+ */
+ if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+ }
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+ }
+
+ if (!pubkey_done) {
+ if ((ret = mbedtls_pk_ecc_set_pubkey_from_prv(pk, d, d_len, f_rng, p_rng)) != 0) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/***********************************************************************
+ *
+ * PKCS#8 parsing functions
+ *
+ **********************************************************************/
+
+/*
+ * Parse an unencrypted PKCS#8 encoded private key
+ *
+ * Notes:
+ *
+ * - This function does not own the key buffer. It is the
+ * responsibility of the caller to take care of zeroizing
+ * and freeing it after use.
+ *
+ * - The function is responsible for freeing the provided
+ * PK context on failure.
+ *
+ */
+static int pk_parse_key_pkcs8_unencrypted_der(
+ mbedtls_pk_context *pk,
+ const unsigned char *key, size_t keylen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret, version;
+ size_t len;
+ mbedtls_asn1_buf params;
+ unsigned char *p = (unsigned char *) key;
+ unsigned char *end = p + keylen;
+ mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+ mbedtls_ecp_group_id ec_grp_id = MBEDTLS_ECP_DP_NONE;
+ const mbedtls_pk_info_t *pk_info;
+
+#if !defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ (void) f_rng;
+ (void) p_rng;
+#endif
+
+ /*
+ * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
+ *
+ * PrivateKeyInfo ::= SEQUENCE {
+ * version Version,
+ * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+ * privateKey PrivateKey,
+ * attributes [0] IMPLICIT Attributes OPTIONAL }
+ *
+ * Version ::= INTEGER
+ * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+ * PrivateKey ::= OCTET STRING
+ *
+ * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
+ */
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ end = p + len;
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (version != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_VERSION, ret);
+ }
+
+ if ((ret = pk_get_pk_alg(&p, end, &pk_alg, ¶ms, &ec_grp_id)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if (len < 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ if ((pk_info = mbedtls_pk_info_from_type(pk_alg)) == NULL) {
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_RSA_C)
+ if (pk_alg == MBEDTLS_PK_RSA) {
+ if ((ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), p, len)) != 0) {
+ mbedtls_pk_free(pk);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) {
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+ if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
+ if ((ret =
+ pk_use_ecparams_rfc8410(¶ms, ec_grp_id, pk)) != 0 ||
+ (ret =
+ pk_parse_key_rfc8410_der(pk, p, len, end, f_rng,
+ p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ return ret;
+ }
+ } else
+#endif
+ {
+ if ((ret = pk_use_ecparams(¶ms, pk)) != 0 ||
+ (ret = pk_parse_key_sec1_der(pk, p, len, f_rng, p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ return ret;
+ }
+ }
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+
+ end = p + len;
+ if (end != (key + keylen)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse an encrypted PKCS#8 encoded private key
+ *
+ * To save space, the decryption happens in-place on the given key buffer.
+ * Also, while this function may modify the keybuffer, it doesn't own it,
+ * and instead it is the responsibility of the caller to zeroize and properly
+ * free it after use.
+ *
+ */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
+ mbedtls_pk_context *pk,
+ unsigned char *key, size_t keylen,
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret, decrypted = 0;
+ size_t len;
+ unsigned char *buf;
+ unsigned char *p, *end;
+ mbedtls_asn1_buf pbe_alg_oid, pbe_params;
+#if defined(MBEDTLS_PKCS12_C) && defined(MBEDTLS_CIPHER_PADDING_PKCS7) && defined(MBEDTLS_CIPHER_C)
+ mbedtls_cipher_type_t cipher_alg;
+ mbedtls_md_type_t md_alg;
+#endif
+ size_t outlen = 0;
+
+ p = key;
+ end = p + keylen;
+
+ if (pwdlen == 0) {
+ return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
+ }
+
+ /*
+ * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
+ *
+ * EncryptedPrivateKeyInfo ::= SEQUENCE {
+ * encryptionAlgorithm EncryptionAlgorithmIdentifier,
+ * encryptedData EncryptedData
+ * }
+ *
+ * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+ *
+ * EncryptedData ::= OCTET STRING
+ *
+ * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
+ *
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ end = p + len;
+
+ if ((ret = mbedtls_asn1_get_alg(&p, end, &pbe_alg_oid, &pbe_params)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
+ }
+
+ buf = p;
+
+ /*
+ * Decrypt EncryptedData with appropriate PBE
+ */
+#if defined(MBEDTLS_PKCS12_C) && defined(MBEDTLS_CIPHER_PADDING_PKCS7) && defined(MBEDTLS_CIPHER_C)
+ if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) {
+ if ((ret = mbedtls_pkcs12_pbe_ext(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
+ cipher_alg, md_alg,
+ pwd, pwdlen, p, len, buf, len, &outlen)) != 0) {
+ if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) {
+ return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
+ }
+
+ return ret;
+ }
+
+ decrypted = 1;
+ } else
+#endif /* MBEDTLS_PKCS12_C && MBEDTLS_CIPHER_PADDING_PKCS7 && MBEDTLS_CIPHER_C */
+#if defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_PADDING_PKCS7) && defined(MBEDTLS_CIPHER_C)
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) {
+ if ((ret = mbedtls_pkcs5_pbes2_ext(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
+ p, len, buf, len, &outlen)) != 0) {
+ if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) {
+ return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
+ }
+
+ return ret;
+ }
+
+ decrypted = 1;
+ } else
+#endif /* MBEDTLS_PKCS5_C && MBEDTLS_CIPHER_PADDING_PKCS7 && MBEDTLS_CIPHER_C */
+ {
+ ((void) pwd);
+ }
+
+ if (decrypted == 0) {
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ }
+ return pk_parse_key_pkcs8_unencrypted_der(pk, buf, outlen, f_rng, p_rng);
+}
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+/***********************************************************************
+ *
+ * Top-level functions, with format auto-discovery
+ *
+ **********************************************************************/
+
+/*
+ * Parse a private key
+ */
+int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
+ const unsigned char *key, size_t keylen,
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_pk_info_t *pk_info;
+#if defined(MBEDTLS_PEM_PARSE_C)
+ size_t len;
+ mbedtls_pem_context pem;
+#endif
+
+ if (keylen == 0) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_init(&pem);
+
+#if defined(MBEDTLS_RSA_C)
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PRIVATE_KEY_RSA, PEM_END_PRIVATE_KEY_RSA,
+ key, pwd, pwdlen, &len);
+ }
+
+ if (ret == 0) {
+ pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
+ if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
+ (ret = mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk),
+ pem.buf, pem.buflen)) != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) {
+ return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
+ } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) {
+ return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ return ret;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PRIVATE_KEY_EC,
+ PEM_END_PRIVATE_KEY_EC,
+ key, pwd, pwdlen, &len);
+ }
+ if (ret == 0) {
+ pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
+
+ if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
+ (ret = pk_parse_key_sec1_der(pk,
+ pem.buf, pem.buflen,
+ f_rng, p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) {
+ return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
+ } else if (ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) {
+ return MBEDTLS_ERR_PK_PASSWORD_REQUIRED;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ return ret;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PRIVATE_KEY_PKCS8, PEM_END_PRIVATE_KEY_PKCS8,
+ key, NULL, 0, &len);
+ }
+ if (ret == 0) {
+ if ((ret = pk_parse_key_pkcs8_unencrypted_der(pk,
+ pem.buf, pem.buflen, f_rng, p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_ENCRYPTED_PRIVATE_KEY_PKCS8,
+ PEM_END_ENCRYPTED_PRIVATE_KEY_PKCS8,
+ key, NULL, 0, &len);
+ }
+ if (ret == 0) {
+ if ((ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, pem.buf, pem.buflen,
+ pwd, pwdlen, f_rng, p_rng)) != 0) {
+ mbedtls_pk_free(pk);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ return ret;
+ }
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+#else
+ ((void) pwd);
+ ((void) pwdlen);
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+ /*
+ * At this point we only know it's not a PEM formatted key. Could be any
+ * of the known DER encoded private key formats
+ *
+ * We try the different DER format parsers to see if one passes without
+ * error
+ */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+ if (pwdlen != 0) {
+ unsigned char *key_copy;
+
+ if ((key_copy = mbedtls_calloc(1, keylen)) == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ memcpy(key_copy, key, keylen);
+
+ ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen,
+ pwd, pwdlen, f_rng, p_rng);
+
+ mbedtls_zeroize_and_free(key_copy, keylen);
+ }
+
+ if (ret == 0) {
+ return 0;
+ }
+
+ mbedtls_pk_free(pk);
+ mbedtls_pk_init(pk);
+
+ if (ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH) {
+ return ret;
+ }
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+ ret = pk_parse_key_pkcs8_unencrypted_der(pk, key, keylen, f_rng, p_rng);
+ if (ret == 0) {
+ return 0;
+ }
+
+ mbedtls_pk_free(pk);
+ mbedtls_pk_init(pk);
+
+#if defined(MBEDTLS_RSA_C)
+
+ pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
+ if (mbedtls_pk_setup(pk, pk_info) == 0 &&
+ mbedtls_rsa_parse_key(mbedtls_pk_rsa(*pk), key, keylen) == 0) {
+ return 0;
+ }
+
+ mbedtls_pk_free(pk);
+ mbedtls_pk_init(pk);
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
+ if (mbedtls_pk_setup(pk, pk_info) == 0 &&
+ pk_parse_key_sec1_der(pk,
+ key, keylen, f_rng, p_rng) == 0) {
+ return 0;
+ }
+ mbedtls_pk_free(pk);
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ /* If MBEDTLS_RSA_C is defined but MBEDTLS_PK_HAVE_ECC_KEYS isn't,
+ * it is ok to leave the PK context initialized but not
+ * freed: It is the caller's responsibility to call pk_init()
+ * before calling this function, and to call pk_free()
+ * when it fails. If MBEDTLS_PK_HAVE_ECC_KEYS is defined but MBEDTLS_RSA_C
+ * isn't, this leads to mbedtls_pk_free() being called
+ * twice, once here and once by the caller, but this is
+ * also ok and in line with the mbedtls_pk_free() calls
+ * on failed PEM parsing attempts. */
+
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+}
+
+/*
+ * Parse a public key
+ */
+int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
+ const unsigned char *key, size_t keylen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p;
+#if defined(MBEDTLS_RSA_C)
+ const mbedtls_pk_info_t *pk_info;
+#endif
+#if defined(MBEDTLS_PEM_PARSE_C)
+ size_t len;
+ mbedtls_pem_context pem;
+#endif
+
+ if (keylen == 0) {
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ }
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+ mbedtls_pem_init(&pem);
+#if defined(MBEDTLS_RSA_C)
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PUBLIC_KEY_RSA, PEM_END_PUBLIC_KEY_RSA,
+ key, NULL, 0, &len);
+ }
+
+ if (ret == 0) {
+ p = pem.buf;
+ if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) {
+ mbedtls_pem_free(&pem);
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) {
+ mbedtls_pem_free(&pem);
+ return ret;
+ }
+
+ if ((ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), p, pem.buflen)) != 0) {
+ mbedtls_pk_free(ctx);
+ }
+
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ mbedtls_pem_free(&pem);
+ return ret;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (key[keylen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
+ key, NULL, 0, &len);
+ }
+
+ if (ret == 0) {
+ /*
+ * Was PEM encoded
+ */
+ p = pem.buf;
+
+ ret = mbedtls_pk_parse_subpubkey(&p, p + pem.buflen, ctx);
+ mbedtls_pem_free(&pem);
+ return ret;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ mbedtls_pem_free(&pem);
+ return ret;
+ }
+ mbedtls_pem_free(&pem);
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_RSA_C)
+ if ((pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == NULL) {
+ return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+ }
+
+ if ((ret = mbedtls_pk_setup(ctx, pk_info)) != 0) {
+ return ret;
+ }
+
+ p = (unsigned char *) key;
+ ret = mbedtls_rsa_parse_pubkey(mbedtls_pk_rsa(*ctx), p, keylen);
+ if (ret == 0) {
+ return ret;
+ }
+ mbedtls_pk_free(ctx);
+ if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return ret;
+ }
+#endif /* MBEDTLS_RSA_C */
+ p = (unsigned char *) key;
+
+ ret = mbedtls_pk_parse_subpubkey(&p, p + keylen, ctx);
+
+ return ret;
+}
+
+/***********************************************************************
+ *
+ * Top-level functions, with filesystem support
+ *
+ **********************************************************************/
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n)
+{
+ FILE *f;
+ long size;
+
+ if ((f = fopen(path, "rb")) == NULL) {
+ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(f, NULL);
+
+ fseek(f, 0, SEEK_END);
+ if ((size = ftell(f)) == -1) {
+ fclose(f);
+ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ }
+ fseek(f, 0, SEEK_SET);
+
+ *n = (size_t) size;
+
+ if (*n + 1 == 0 ||
+ (*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
+ fclose(f);
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+
+ if (fread(*buf, 1, *n, f) != *n) {
+ fclose(f);
+
+ mbedtls_zeroize_and_free(*buf, *n);
+
+ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ }
+
+ fclose(f);
+
+ (*buf)[*n] = '\0';
+
+ if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
+ ++*n;
+ }
+
+ return 0;
+}
+
+/*
+ * Load and parse a private key
+ */
+int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
+ const char *path, const char *pwd,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ unsigned char *buf;
+
+ if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
+ return ret;
+ }
+
+ if (pwd == NULL) {
+ ret = mbedtls_pk_parse_key(ctx, buf, n, NULL, 0, f_rng, p_rng);
+ } else {
+ ret = mbedtls_pk_parse_key(ctx, buf, n,
+ (const unsigned char *) pwd, strlen(pwd), f_rng, p_rng);
+ }
+
+ mbedtls_zeroize_and_free(buf, n);
+
+ return ret;
+}
+
+/*
+ * Load and parse a public key
+ */
+int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ unsigned char *buf;
+
+ if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_pk_parse_public_key(ctx, buf, n);
+
+ mbedtls_zeroize_and_free(buf, n);
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+
+#endif /* MBEDTLS_PK_PARSE_C */
diff --git a/library/pkwrite.c b/library/pkwrite.c
new file mode 100644
index 0000000..5e009c5
--- /dev/null
+++ b/library/pkwrite.c
@@ -0,0 +1,621 @@
+/*
+ * Public Key layer for writing key files and structures
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PK_WRITE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "pk_internal.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/bignum.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
+#endif
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#include "pk_internal.h"
+#endif
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#include "pkwrite.h"
+#endif
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+#if defined(MBEDTLS_RSA_C)
+#include "rsa_internal.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "psa_util_internal.h"
+#endif
+#include "mbedtls/platform.h"
+
+/* Helpers for properly sizing buffers aimed at holding public keys or
+ * key-pairs based on build symbols. */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+#define PK_MAX_EC_PUBLIC_KEY_SIZE PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
+#define PK_MAX_EC_KEY_PAIR_SIZE MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH
+#elif defined(MBEDTLS_USE_PSA_CRYPTO)
+#define PK_MAX_EC_PUBLIC_KEY_SIZE PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
+#define PK_MAX_EC_KEY_PAIR_SIZE MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH
+#else
+#define PK_MAX_EC_PUBLIC_KEY_SIZE MBEDTLS_ECP_MAX_PT_LEN
+#define PK_MAX_EC_KEY_PAIR_SIZE MBEDTLS_ECP_MAX_BYTES
+#endif
+
+/******************************************************************************
+ * Internal functions for RSA keys.
+ ******************************************************************************/
+#if defined(MBEDTLS_RSA_C)
+static int pk_write_rsa_der(unsigned char **p, unsigned char *buf,
+ const mbedtls_pk_context *pk)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ uint8_t tmp[PSA_EXPORT_KEY_PAIR_MAX_SIZE];
+ size_t len = 0, tmp_len = 0;
+
+ if (psa_export_key(pk->priv_id, tmp, sizeof(tmp), &tmp_len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ *p -= tmp_len;
+ memcpy(*p, tmp, tmp_len);
+ len += tmp_len;
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+
+ return (int) len;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ return mbedtls_rsa_write_key(mbedtls_pk_rsa(*pk), buf, p);
+}
+#endif /* MBEDTLS_RSA_C */
+
+/******************************************************************************
+ * Internal functions for EC keys.
+ ******************************************************************************/
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t len = 0;
+ uint8_t buf[PK_MAX_EC_PUBLIC_KEY_SIZE];
+
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ } else {
+ len = pk->pub_raw_len;
+ memcpy(buf, pk->pub_raw, len);
+ }
+
+ if (*p < start || (size_t) (*p - start) < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *p -= len;
+ memcpy(*p, buf, len);
+
+ return (int) len;
+}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t len = 0;
+ unsigned char buf[PK_MAX_EC_PUBLIC_KEY_SIZE];
+ mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+ *p -= len;
+ memcpy(*p, buf, len);
+ return (int) len;
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ if ((ret = mbedtls_ecp_point_write_binary(&ec->grp, &ec->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ &len, buf, sizeof(buf))) != 0) {
+ return ret;
+ }
+ }
+
+ if (*p < start || (size_t) (*p - start) < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *p -= len;
+ memcpy(*p, buf, len);
+
+ return (int) len;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+/*
+ * privateKey OCTET STRING -- always of length ceil(log2(n)/8)
+ */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+static int pk_write_ec_private(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t byte_length;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char tmp[PK_MAX_EC_KEY_PAIR_SIZE];
+ psa_status_t status;
+
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ return ret;
+ }
+ } else {
+ status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+ }
+
+ ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
+exit:
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ return ret;
+}
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+static int pk_write_ec_private(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t byte_length;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char tmp[PK_MAX_EC_KEY_PAIR_SIZE];
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status;
+ if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
+ status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
+ byte_length = (ec->grp.pbits + 7) / 8;
+
+ ret = mbedtls_ecp_write_key_ext(ec, &byte_length, tmp, sizeof(tmp));
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+ ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
+exit:
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ return ret;
+}
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+
+/*
+ * ECParameters ::= CHOICE {
+ * namedCurve OBJECT IDENTIFIER
+ * }
+ */
+static int pk_write_ec_param(unsigned char **p, unsigned char *start,
+ mbedtls_ecp_group_id grp_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+ const char *oid;
+ size_t oid_len;
+
+ if ((ret = mbedtls_oid_get_oid_by_ec_grp(grp_id, &oid, &oid_len)) != 0) {
+ return ret;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid, oid_len));
+
+ return (int) len;
+}
+
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+/*
+ * RFC8410 section 7
+ *
+ * OneAsymmetricKey ::= SEQUENCE {
+ * version Version,
+ * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+ * privateKey PrivateKey,
+ * attributes [0] IMPLICIT Attributes OPTIONAL,
+ * ...,
+ * [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
+ * ...
+ * }
+ * ...
+ * CurvePrivateKey ::= OCTET STRING
+ */
+static int pk_write_ec_rfc8410_der(unsigned char **p, unsigned char *buf,
+ const mbedtls_pk_context *pk)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+ size_t oid_len = 0;
+ const char *oid;
+ mbedtls_ecp_group_id grp_id;
+
+ /* privateKey */
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_OCTET_STRING));
+
+ grp_id = mbedtls_pk_get_ec_group_id(pk);
+ /* privateKeyAlgorithm */
+ if ((ret = mbedtls_oid_get_oid_by_ec_grp_algid(grp_id, &oid, &oid_len)) != 0) {
+ return ret;
+ }
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_algorithm_identifier_ext(p, buf, oid, oid_len, 0, 0));
+
+ /* version */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 0));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+
+/*
+ * RFC 5915, or SEC1 Appendix C.4
+ *
+ * ECPrivateKey ::= SEQUENCE {
+ * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ * privateKey OCTET STRING,
+ * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ * publicKey [1] BIT STRING OPTIONAL
+ * }
+ */
+static int pk_write_ec_der(unsigned char **p, unsigned char *buf,
+ const mbedtls_pk_context *pk)
+{
+ size_t len = 0;
+ int ret;
+ size_t pub_len = 0, par_len = 0;
+ mbedtls_ecp_group_id grp_id;
+
+ /* publicKey */
+ MBEDTLS_ASN1_CHK_ADD(pub_len, pk_write_ec_pubkey(p, buf, pk));
+
+ if (*p - buf < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ (*p)--;
+ **p = 0;
+ pub_len += 1;
+
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_BIT_STRING));
+
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 1));
+ len += pub_len;
+
+ /* parameters */
+ grp_id = mbedtls_pk_get_ec_group_id(pk);
+ MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(p, buf, grp_id));
+ MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_len(p, buf, par_len));
+ MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_tag(p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 0));
+ len += par_len;
+
+ /* privateKey */
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
+
+ /* version */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 1));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/******************************************************************************
+ * Internal functions for Opaque keys.
+ ******************************************************************************/
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int pk_write_opaque_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *pk)
+{
+ size_t buffer_size;
+ size_t len = 0;
+
+ if (*p < start) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ buffer_size = (size_t) (*p - start);
+ if (psa_export_public_key(pk->priv_id, start, buffer_size,
+ &len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ }
+
+ *p -= len;
+ memmove(*p, start, len);
+
+ return (int) len;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/******************************************************************************
+ * Generic helpers
+ ******************************************************************************/
+
+/* Extend the public mbedtls_pk_get_type() by getting key type also in case of
+ * opaque keys. */
+static mbedtls_pk_type_t pk_get_type_ext(const mbedtls_pk_context *pk)
+{
+ mbedtls_pk_type_t pk_type = mbedtls_pk_get_type(pk);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (pk_type == MBEDTLS_PK_OPAQUE) {
+ psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t opaque_key_type;
+
+ if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
+ return MBEDTLS_PK_NONE;
+ }
+ opaque_key_type = psa_get_key_type(&opaque_attrs);
+ psa_reset_key_attributes(&opaque_attrs);
+
+ if (PSA_KEY_TYPE_IS_ECC(opaque_key_type)) {
+ return MBEDTLS_PK_ECKEY;
+ } else if (PSA_KEY_TYPE_IS_RSA(opaque_key_type)) {
+ return MBEDTLS_PK_RSA;
+ } else {
+ return MBEDTLS_PK_NONE;
+ }
+ } else
+#endif
+ return pk_type;
+}
+
+/******************************************************************************
+ * Public functions for writing private/public DER keys.
+ ******************************************************************************/
+int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
+ const mbedtls_pk_context *key)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+#if defined(MBEDTLS_RSA_C)
+ if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_rsa_write_pubkey(mbedtls_pk_rsa(*key), start, p));
+ } else
+#endif
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, key));
+ } else
+#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
+ MBEDTLS_ASN1_CHK_ADD(len, pk_write_opaque_pubkey(p, start, key));
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+
+ return (int) len;
+}
+
+int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *c;
+ int has_par = 1;
+ size_t len = 0, par_len = 0, oid_len = 0;
+ mbedtls_pk_type_t pk_type;
+ const char *oid = NULL;
+
+ if (size == 0) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ c = buf + size;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_pk_write_pubkey(&c, buf, key));
+
+ if (c - buf < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ /*
+ * SubjectPublicKeyInfo ::= SEQUENCE {
+ * algorithm AlgorithmIdentifier,
+ * subjectPublicKey BIT STRING }
+ */
+ *--c = 0;
+ len += 1;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_BIT_STRING));
+
+ pk_type = pk_get_type_ext(key);
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_ECKEY) {
+ mbedtls_ecp_group_id ec_grp_id = mbedtls_pk_get_ec_group_id(key);
+ if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
+ ret = mbedtls_oid_get_oid_by_ec_grp_algid(ec_grp_id, &oid, &oid_len);
+ if (ret != 0) {
+ return ret;
+ }
+ has_par = 0;
+ } else {
+ MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, ec_grp_id));
+ }
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ /* At this point oid_len is not null only for EC Montgomery keys. */
+ if (oid_len == 0) {
+ ret = mbedtls_oid_get_oid_by_pk_alg(pk_type, &oid, &oid_len);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_algorithm_identifier_ext(&c, buf, oid, oid_len,
+ par_len, has_par));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+
+int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+{
+ unsigned char *c;
+
+ if (size == 0) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ c = buf + size;
+
+#if defined(MBEDTLS_RSA_C)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_RSA) {
+ return pk_write_rsa_der(&c, buf, key);
+ } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_ECKEY) {
+#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
+ if (mbedtls_pk_is_rfc8410(key)) {
+ return pk_write_ec_rfc8410_der(&c, buf, key);
+ }
+#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
+ return pk_write_ec_der(&c, buf, key);
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+}
+
+/******************************************************************************
+ * Public functions for wrinting private/public PEM keys.
+ ******************************************************************************/
+#if defined(MBEDTLS_PEM_WRITE_C)
+
+#define PUB_DER_MAX_BYTES \
+ (MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES > MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES ? \
+ MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES : MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES)
+#define PRV_DER_MAX_BYTES \
+ (MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES > MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES ? \
+ MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES : MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES)
+
+int mbedtls_pk_write_pubkey_pem(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *output_buf = NULL;
+ output_buf = mbedtls_calloc(1, PUB_DER_MAX_BYTES);
+ if (output_buf == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+ size_t olen = 0;
+
+ if ((ret = mbedtls_pk_write_pubkey_der(key, output_buf,
+ PUB_DER_MAX_BYTES)) < 0) {
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_PUBLIC_KEY "\n", PEM_END_PUBLIC_KEY "\n",
+ output_buf + PUB_DER_MAX_BYTES - ret,
+ ret, buf, size, &olen)) != 0) {
+ goto cleanup;
+ }
+
+ ret = 0;
+cleanup:
+ mbedtls_free(output_buf);
+ return ret;
+}
+
+int mbedtls_pk_write_key_pem(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *output_buf = NULL;
+ output_buf = mbedtls_calloc(1, PRV_DER_MAX_BYTES);
+ if (output_buf == NULL) {
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ }
+ const char *begin, *end;
+ size_t olen = 0;
+
+ if ((ret = mbedtls_pk_write_key_der(key, output_buf, PRV_DER_MAX_BYTES)) < 0) {
+ goto cleanup;
+ }
+
+#if defined(MBEDTLS_RSA_C)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_RSA) {
+ begin = PEM_BEGIN_PRIVATE_KEY_RSA "\n";
+ end = PEM_END_PRIVATE_KEY_RSA "\n";
+ } else
+#endif
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_get_type_ext(key) == MBEDTLS_PK_ECKEY) {
+ if (mbedtls_pk_is_rfc8410(key)) {
+ begin = PEM_BEGIN_PRIVATE_KEY_PKCS8 "\n";
+ end = PEM_END_PRIVATE_KEY_PKCS8 "\n";
+ } else {
+ begin = PEM_BEGIN_PRIVATE_KEY_EC "\n";
+ end = PEM_END_PRIVATE_KEY_EC "\n";
+ }
+ } else
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ {
+ ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ goto cleanup;
+ }
+
+ if ((ret = mbedtls_pem_write_buffer(begin, end,
+ output_buf + PRV_DER_MAX_BYTES - ret,
+ ret, buf, size, &olen)) != 0) {
+ goto cleanup;
+ }
+
+ ret = 0;
+cleanup:
+ mbedtls_zeroize_and_free(output_buf, PRV_DER_MAX_BYTES);
+ return ret;
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_PK_WRITE_C */
diff --git a/library/pkwrite.h b/library/pkwrite.h
new file mode 100644
index 0000000..01dc3d2
--- /dev/null
+++ b/library/pkwrite.h
@@ -0,0 +1,121 @@
+/**
+ * \file pkwrite.h
+ *
+ * \brief Internal defines shared by the PK write module
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PK_WRITE_H
+#define MBEDTLS_PK_WRITE_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/*
+ * Max sizes of key per types. Shown as tag + len (+ content).
+ */
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ * RSA public keys:
+ * SubjectPublicKeyInfo ::= SEQUENCE { 1 + 3
+ * algorithm AlgorithmIdentifier, 1 + 1 (sequence)
+ * + 1 + 1 + 9 (rsa oid)
+ * + 1 + 1 (params null)
+ * subjectPublicKey BIT STRING } 1 + 3 + (1 + below)
+ * RSAPublicKey ::= SEQUENCE { 1 + 3
+ * modulus INTEGER, -- n 1 + 3 + MPI_MAX + 1
+ * publicExponent INTEGER -- e 1 + 3 + MPI_MAX + 1
+ * }
+ */
+#define MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
+
+/*
+ * RSA private keys:
+ * RSAPrivateKey ::= SEQUENCE { 1 + 3
+ * version Version, 1 + 1 + 1
+ * modulus INTEGER, 1 + 3 + MPI_MAX + 1
+ * publicExponent INTEGER, 1 + 3 + MPI_MAX + 1
+ * privateExponent INTEGER, 1 + 3 + MPI_MAX + 1
+ * prime1 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * prime2 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * exponent1 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * exponent2 INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * coefficient INTEGER, 1 + 3 + MPI_MAX / 2 + 1
+ * otherPrimeInfos OtherPrimeInfos OPTIONAL 0 (not supported)
+ * }
+ */
+#define MBEDTLS_MPI_MAX_SIZE_2 (MBEDTLS_MPI_MAX_SIZE / 2 + \
+ MBEDTLS_MPI_MAX_SIZE % 2)
+#define MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES (47 + 3 * MBEDTLS_MPI_MAX_SIZE \
+ + 5 * MBEDTLS_MPI_MAX_SIZE_2)
+
+#else /* MBEDTLS_RSA_C */
+
+#define MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES 0
+#define MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES 0
+
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+
+/* Find the maximum number of bytes necessary to store an EC point. When USE_PSA
+ * is defined this means looking for the maximum between PSA and built-in
+ * supported curves. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#define MBEDTLS_PK_MAX_ECC_BYTES (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \
+ MBEDTLS_ECP_MAX_BYTES ? \
+ PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) : \
+ MBEDTLS_ECP_MAX_BYTES)
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+#define MBEDTLS_PK_MAX_ECC_BYTES MBEDTLS_ECP_MAX_BYTES
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/*
+ * EC public keys:
+ * SubjectPublicKeyInfo ::= SEQUENCE { 1 + 2
+ * algorithm AlgorithmIdentifier, 1 + 1 (sequence)
+ * + 1 + 1 + 7 (ec oid)
+ * + 1 + 1 + 9 (namedCurve oid)
+ * subjectPublicKey BIT STRING 1 + 2 + 1 [1]
+ * + 1 (point format) [1]
+ * + 2 * ECP_MAX (coords) [1]
+ * }
+ */
+#define MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES (30 + 2 * MBEDTLS_PK_MAX_ECC_BYTES)
+
+/*
+ * EC private keys:
+ * ECPrivateKey ::= SEQUENCE { 1 + 2
+ * version INTEGER , 1 + 1 + 1
+ * privateKey OCTET STRING, 1 + 1 + ECP_MAX
+ * parameters [0] ECParameters OPTIONAL, 1 + 1 + (1 + 1 + 9)
+ * publicKey [1] BIT STRING OPTIONAL 1 + 2 + [1] above
+ * }
+ */
+#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES (29 + 3 * MBEDTLS_PK_MAX_ECC_BYTES)
+
+#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#define MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES 0
+#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES 0
+
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/* Define the maximum available public key DER length based on the supported
+ * key types (EC and/or RSA). */
+#if (MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES > MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES)
+#define MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE MBEDTLS_PK_RSA_PUB_DER_MAX_BYTES
+#else
+#define MBEDTLS_PK_WRITE_PUBKEY_MAX_SIZE MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES
+#endif
+
+#endif /* MBEDTLS_PK_WRITE_H */
diff --git a/library/platform.c b/library/platform.c
new file mode 100644
index 0000000..890c4cb
--- /dev/null
+++ b/library/platform.c
@@ -0,0 +1,402 @@
+/*
+ * Platform abstraction layer
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+/* The compile time configuration of memory allocation via the macros
+ * MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
+ * configuration via mbedtls_platform_set_calloc_free(). So, omit everything
+ * related to the latter if MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO are defined. */
+#if defined(MBEDTLS_PLATFORM_MEMORY) && \
+ !(defined(MBEDTLS_PLATFORM_CALLOC_MACRO) && \
+ defined(MBEDTLS_PLATFORM_FREE_MACRO))
+
+#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+static void *platform_calloc_uninit(size_t n, size_t size)
+{
+ ((void) n);
+ ((void) size);
+ return NULL;
+}
+
+#define MBEDTLS_PLATFORM_STD_CALLOC platform_calloc_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_CALLOC */
+
+#if !defined(MBEDTLS_PLATFORM_STD_FREE)
+static void platform_free_uninit(void *ptr)
+{
+ ((void) ptr);
+}
+
+#define MBEDTLS_PLATFORM_STD_FREE platform_free_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FREE */
+
+static void * (*mbedtls_calloc_func)(size_t, size_t) = MBEDTLS_PLATFORM_STD_CALLOC;
+static void (*mbedtls_free_func)(void *) = MBEDTLS_PLATFORM_STD_FREE;
+
+void *mbedtls_calloc(size_t nmemb, size_t size)
+{
+ return (*mbedtls_calloc_func)(nmemb, size);
+}
+
+void mbedtls_free(void *ptr)
+{
+ (*mbedtls_free_func)(ptr);
+}
+
+int mbedtls_platform_set_calloc_free(void *(*calloc_func)(size_t, size_t),
+ void (*free_func)(void *))
+{
+ mbedtls_calloc_func = calloc_func;
+ mbedtls_free_func = free_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_MEMORY &&
+ !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&
+ defined(MBEDTLS_PLATFORM_FREE_MACRO) ) */
+
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_SNPRINTF)
+#include <stdarg.h>
+int mbedtls_platform_win32_snprintf(char *s, size_t n, const char *fmt, ...)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ va_list argp;
+
+ va_start(argp, fmt);
+ ret = mbedtls_vsnprintf(s, n, fmt, argp);
+ va_end(argp);
+
+ return ret;
+}
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_snprintf_uninit(char *s, size_t n,
+ const char *format, ...)
+{
+ ((void) s);
+ ((void) n);
+ ((void) format);
+ return 0;
+}
+
+#define MBEDTLS_PLATFORM_STD_SNPRINTF platform_snprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_SNPRINTF */
+
+int (*mbedtls_snprintf)(char *s, size_t n,
+ const char *format,
+ ...) = MBEDTLS_PLATFORM_STD_SNPRINTF;
+
+int mbedtls_platform_set_snprintf(int (*snprintf_func)(char *s, size_t n,
+ const char *format,
+ ...))
+{
+ mbedtls_snprintf = snprintf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_HAS_NON_CONFORMING_VSNPRINTF)
+#include <stdarg.h>
+int mbedtls_platform_win32_vsnprintf(char *s, size_t n, const char *fmt, va_list arg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Avoid calling the invalid parameter handler by checking ourselves */
+ if (s == NULL || n == 0 || fmt == NULL) {
+ return -1;
+ }
+
+#if defined(_TRUNCATE)
+ ret = vsnprintf_s(s, n, _TRUNCATE, fmt, arg);
+#else
+ ret = vsnprintf(s, n, fmt, arg);
+ if (ret < 0 || (size_t) ret == n) {
+ s[n-1] = '\0';
+ ret = -1;
+ }
+#endif
+
+ return ret;
+}
+#endif
+
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_VSNPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_vsnprintf_uninit(char *s, size_t n,
+ const char *format, va_list arg)
+{
+ ((void) s);
+ ((void) n);
+ ((void) format);
+ ((void) arg);
+ return -1;
+}
+
+#define MBEDTLS_PLATFORM_STD_VSNPRINTF platform_vsnprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_VSNPRINTF */
+
+int (*mbedtls_vsnprintf)(char *s, size_t n,
+ const char *format,
+ va_list arg) = MBEDTLS_PLATFORM_STD_VSNPRINTF;
+
+int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
+ const char *format,
+ va_list arg))
+{
+ mbedtls_vsnprintf = vsnprintf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_printf_uninit(const char *format, ...)
+{
+ ((void) format);
+ return 0;
+}
+
+#define MBEDTLS_PLATFORM_STD_PRINTF platform_printf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_PRINTF */
+
+int (*mbedtls_printf)(const char *, ...) = MBEDTLS_PLATFORM_STD_PRINTF;
+
+int mbedtls_platform_set_printf(int (*printf_func)(const char *, ...))
+{
+ mbedtls_printf = printf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_fprintf_uninit(FILE *stream, const char *format, ...)
+{
+ ((void) stream);
+ ((void) format);
+ return 0;
+}
+
+#define MBEDTLS_PLATFORM_STD_FPRINTF platform_fprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FPRINTF */
+
+int (*mbedtls_fprintf)(FILE *, const char *, ...) =
+ MBEDTLS_PLATFORM_STD_FPRINTF;
+
+int mbedtls_platform_set_fprintf(int (*fprintf_func)(FILE *, const char *, ...))
+{
+ mbedtls_fprintf = fprintf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static void platform_setbuf_uninit(FILE *stream, char *buf)
+{
+ ((void) stream);
+ ((void) buf);
+}
+
+#define MBEDTLS_PLATFORM_STD_SETBUF platform_setbuf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_SETBUF */
+void (*mbedtls_setbuf)(FILE *stream, char *buf) = MBEDTLS_PLATFORM_STD_SETBUF;
+
+int mbedtls_platform_set_setbuf(void (*setbuf_func)(FILE *stream, char *buf))
+{
+ mbedtls_setbuf = setbuf_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static void platform_exit_uninit(int status)
+{
+ ((void) status);
+}
+
+#define MBEDTLS_PLATFORM_STD_EXIT platform_exit_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_EXIT */
+
+void (*mbedtls_exit)(int status) = MBEDTLS_PLATFORM_STD_EXIT;
+
+int mbedtls_platform_set_exit(void (*exit_func)(int status))
+{
+ mbedtls_exit = exit_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+#if defined(MBEDTLS_HAVE_TIME)
+
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static mbedtls_time_t platform_time_uninit(mbedtls_time_t *timer)
+{
+ ((void) timer);
+ return 0;
+}
+
+#define MBEDTLS_PLATFORM_STD_TIME platform_time_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_TIME */
+
+mbedtls_time_t (*mbedtls_time)(mbedtls_time_t *timer) = MBEDTLS_PLATFORM_STD_TIME;
+
+int mbedtls_platform_set_time(mbedtls_time_t (*time_func)(mbedtls_time_t *timer))
+{
+ mbedtls_time = time_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Default implementations for the platform independent seed functions use
+ * standard libc file functions to read from and write to a pre-defined filename
+ */
+int mbedtls_platform_std_nv_seed_read(unsigned char *buf, size_t buf_len)
+{
+ FILE *file;
+ size_t n;
+
+ if ((file = fopen(MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "rb")) == NULL) {
+ return -1;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(file, NULL);
+
+ if ((n = fread(buf, 1, buf_len, file)) != buf_len) {
+ fclose(file);
+ mbedtls_platform_zeroize(buf, buf_len);
+ return -1;
+ }
+
+ fclose(file);
+ return (int) n;
+}
+
+int mbedtls_platform_std_nv_seed_write(unsigned char *buf, size_t buf_len)
+{
+ FILE *file;
+ size_t n;
+
+ if ((file = fopen(MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "w")) == NULL) {
+ return -1;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(file, NULL);
+
+ if ((n = fwrite(buf, 1, buf_len, file)) != buf_len) {
+ fclose(file);
+ return -1;
+ }
+
+ fclose(file);
+ return (int) n;
+}
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_read_uninit(unsigned char *buf, size_t buf_len)
+{
+ ((void) buf);
+ ((void) buf_len);
+ return -1;
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_READ platform_nv_seed_read_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_READ */
+
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_write_uninit(unsigned char *buf, size_t buf_len)
+{
+ ((void) buf);
+ ((void) buf_len);
+ return -1;
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE platform_nv_seed_write_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_WRITE */
+
+int (*mbedtls_nv_seed_read)(unsigned char *buf, size_t buf_len) =
+ MBEDTLS_PLATFORM_STD_NV_SEED_READ;
+int (*mbedtls_nv_seed_write)(unsigned char *buf, size_t buf_len) =
+ MBEDTLS_PLATFORM_STD_NV_SEED_WRITE;
+
+int mbedtls_platform_set_nv_seed(
+ int (*nv_seed_read_func)(unsigned char *buf, size_t buf_len),
+ int (*nv_seed_write_func)(unsigned char *buf, size_t buf_len))
+{
+ mbedtls_nv_seed_read = nv_seed_read_func;
+ mbedtls_nv_seed_write = nv_seed_write_func;
+ return 0;
+}
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+/*
+ * Placeholder platform setup that does nothing by default
+ */
+int mbedtls_platform_setup(mbedtls_platform_context *ctx)
+{
+ (void) ctx;
+
+ return 0;
+}
+
+/*
+ * Placeholder platform teardown that does nothing by default
+ */
+void mbedtls_platform_teardown(mbedtls_platform_context *ctx)
+{
+ (void) ctx;
+}
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+#endif /* MBEDTLS_PLATFORM_C */
diff --git a/library/platform_util.c b/library/platform_util.c
new file mode 100644
index 0000000..0741bf5
--- /dev/null
+++ b/library/platform_util.c
@@ -0,0 +1,263 @@
+/*
+ * Common and shared functions used by multiple modules in the Mbed TLS
+ * library.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * mbedtls_config.h, which pulls in glibc's features.h. Harmless on other platforms
+ * except OpenBSD, where it stops us accessing explicit_bzero.
+ */
+#if !defined(_POSIX_C_SOURCE) && !defined(__OpenBSD__)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#if !defined(_GNU_SOURCE)
+/* Clang requires this to get support for explicit_bzero */
+#define _GNU_SOURCE
+#endif
+
+#include "common.h"
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/threading.h"
+
+#include <stddef.h>
+
+#ifndef __STDC_WANT_LIB_EXT1__
+#define __STDC_WANT_LIB_EXT1__ 1 /* Ask for the C11 gmtime_s() and memset_s() if available */
+#endif
+#include <string.h>
+
+#if defined(_WIN32)
+#include <windows.h>
+#endif
+
+// Detect platforms known to support explicit_bzero()
+#if defined(__GLIBC__) && (__GLIBC__ >= 2) && (__GLIBC_MINOR__ >= 25)
+#define MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO 1
+#elif (defined(__FreeBSD__) && (__FreeBSD_version >= 1100037)) || defined(__OpenBSD__)
+#define MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO 1
+#endif
+
+#if !defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
+
+#undef HAVE_MEMORY_SANITIZER
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#include <sanitizer/msan_interface.h>
+#define HAVE_MEMORY_SANITIZER
+#endif
+#endif
+
+/*
+ * Where possible, we try to detect the presence of a platform-provided
+ * secure memset, such as explicit_bzero(), that is safe against being optimized
+ * out, and use that.
+ *
+ * For other platforms, we provide an implementation that aims not to be
+ * optimized out by the compiler.
+ *
+ * This implementation for mbedtls_platform_zeroize() was inspired from Colin
+ * Percival's blog article at:
+ *
+ * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
+ *
+ * It uses a volatile function pointer to the standard memset(). Because the
+ * pointer is volatile the compiler expects it to change at
+ * any time and will not optimize out the call that could potentially perform
+ * other operations on the input buffer instead of just setting it to 0.
+ * Nevertheless, as pointed out by davidtgoldblatt on Hacker News
+ * (refer to http://www.daemonology.net/blog/2014-09-05-erratum.html for
+ * details), optimizations of the following form are still possible:
+ *
+ * if (memset_func != memset)
+ * memset_func(buf, 0, len);
+ *
+ * Note that it is extremely difficult to guarantee that
+ * the memset() call will not be optimized out by aggressive compilers
+ * in a portable way. For this reason, Mbed TLS also provides the configuration
+ * option MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
+ * mbedtls_platform_zeroize() to use a suitable implementation for their
+ * platform and needs.
+ */
+#if !defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO) && !(defined(__STDC_LIB_EXT1__) && \
+ !defined(__IAR_SYSTEMS_ICC__)) \
+ && !defined(_WIN32)
+static void *(*const volatile memset_func)(void *, int, size_t) = memset;
+#endif
+
+void mbedtls_platform_zeroize(void *buf, size_t len)
+{
+ if (len > 0) {
+#if defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO)
+ explicit_bzero(buf, len);
+#if defined(HAVE_MEMORY_SANITIZER)
+ /* You'd think that Msan would recognize explicit_bzero() as
+ * equivalent to bzero(), but it actually doesn't on several
+ * platforms, including Linux (Ubuntu 20.04).
+ * https://github.com/google/sanitizers/issues/1507
+ * https://github.com/openssh/openssh-portable/commit/74433a19bb6f4cef607680fa4d1d7d81ca3826aa
+ */
+ __msan_unpoison(buf, len);
+#endif
+#elif defined(__STDC_LIB_EXT1__) && !defined(__IAR_SYSTEMS_ICC__)
+ memset_s(buf, len, 0, len);
+#elif defined(_WIN32)
+ SecureZeroMemory(buf, len);
+#else
+ memset_func(buf, 0, len);
+#endif
+
+#if defined(__GNUC__)
+ /* For clang and recent gcc, pretend that we have some assembly that reads the
+ * zero'd memory as an additional protection against being optimised away. */
+#if defined(__clang__) || (__GNUC__ >= 10)
+#if defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wvla"
+#elif defined(MBEDTLS_COMPILER_IS_GCC)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wvla"
+#endif
+ asm volatile ("" : : "m" (*(char (*)[len]) buf) :);
+#if defined(__clang__)
+#pragma clang diagnostic pop
+#elif defined(MBEDTLS_COMPILER_IS_GCC)
+#pragma GCC diagnostic pop
+#endif
+#endif
+#endif
+ }
+}
+#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
+
+void mbedtls_zeroize_and_free(void *buf, size_t len)
+{
+ if (buf != NULL) {
+ mbedtls_platform_zeroize(buf, len);
+ }
+
+ mbedtls_free(buf);
+}
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+#include <time.h>
+#if !defined(_WIN32) && (defined(unix) || \
+ defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+ defined(__MACH__)) || defined__midipix__)
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+ * (__APPLE__ && __MACH__) || __midipix__) */
+
+#if !((defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L) || \
+ (defined(_POSIX_THREAD_SAFE_FUNCTIONS) && \
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L))
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+#if !(defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)) || \
+ (defined(__MINGW32__) && !defined(__MINGW64_VERSION_MAJOR))
+#define PLATFORM_UTIL_USE_GMTIME
+#endif
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
+ ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
+
+struct tm *mbedtls_platform_gmtime_r(const mbedtls_time_t *tt,
+ struct tm *tm_buf)
+{
+#if defined(_WIN32) && !defined(PLATFORM_UTIL_USE_GMTIME)
+#if defined(__STDC_LIB_EXT1__)
+ return (gmtime_s(tt, tm_buf) == 0) ? NULL : tm_buf;
+#else
+ /* MSVC and mingw64 argument order and return value are inconsistent with the C11 standard */
+ return (gmtime_s(tm_buf, tt) == 0) ? tm_buf : NULL;
+#endif
+#elif !defined(PLATFORM_UTIL_USE_GMTIME)
+ return gmtime_r(tt, tm_buf);
+#else
+ struct tm *lt;
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_lock(&mbedtls_threading_gmtime_mutex) != 0) {
+ return NULL;
+ }
+#endif /* MBEDTLS_THREADING_C */
+
+ lt = gmtime(tt);
+
+ if (lt != NULL) {
+ memcpy(tm_buf, lt, sizeof(struct tm));
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&mbedtls_threading_gmtime_mutex) != 0) {
+ return NULL;
+ }
+#endif /* MBEDTLS_THREADING_C */
+
+ return (lt == NULL) ? NULL : tm_buf;
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE && MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+void (*mbedtls_test_hook_test_fail)(const char *, int, const char *);
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#if defined(MBEDTLS_HAVE_TIME) && !defined(MBEDTLS_PLATFORM_MS_TIME_ALT)
+
+#include <time.h>
+#if !defined(_WIN32) && \
+ (defined(unix) || defined(__unix) || defined(__unix__) || \
+ (defined(__APPLE__) && defined(__MACH__)) || defined(__HAIKU__) || defined(__midipix__))
+#include <unistd.h>
+#endif \
+ /* !_WIN32 && (unix || __unix || __unix__ || (__APPLE__ && __MACH__) || __HAIKU__ || __midipix__) */
+#if (defined(_POSIX_VERSION) && _POSIX_VERSION >= 199309L) || defined(__HAIKU__)
+mbedtls_ms_time_t mbedtls_ms_time(void)
+{
+ int ret;
+ struct timespec tv;
+ mbedtls_ms_time_t current_ms;
+
+#if defined(__linux__) && defined(CLOCK_BOOTTIME) || defined(__midipix__)
+ ret = clock_gettime(CLOCK_BOOTTIME, &tv);
+#else
+ ret = clock_gettime(CLOCK_MONOTONIC, &tv);
+#endif
+ if (ret) {
+ return time(NULL) * 1000;
+ }
+
+ current_ms = tv.tv_sec;
+
+ return current_ms*1000 + tv.tv_nsec / 1000000;
+}
+#elif defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || \
+ defined(__MINGW32__) || defined(_WIN64)
+#include <windows.h>
+mbedtls_ms_time_t mbedtls_ms_time(void)
+{
+ FILETIME ct;
+ mbedtls_ms_time_t current_ms;
+
+ GetSystemTimeAsFileTime(&ct);
+ current_ms = ((mbedtls_ms_time_t) ct.dwLowDateTime +
+ ((mbedtls_ms_time_t) (ct.dwHighDateTime) << 32LL))/10000;
+ return current_ms;
+}
+#else
+#error "No mbedtls_ms_time available"
+#endif
+#endif /* MBEDTLS_HAVE_TIME && !MBEDTLS_PLATFORM_MS_TIME_ALT */
diff --git a/library/poly1305.c b/library/poly1305.c
new file mode 100644
index 0000000..c9ebe9e
--- /dev/null
+++ b/library/poly1305.c
@@ -0,0 +1,492 @@
+/**
+ * \file poly1305.c
+ *
+ * \brief Poly1305 authentication algorithm.
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#include "common.h"
+
+#if defined(MBEDTLS_POLY1305_C)
+
+#include "mbedtls/poly1305.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+#define POLY1305_BLOCK_SIZE_BYTES (16U)
+
+/*
+ * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
+ * However we provided an alternative for platforms without such a multiplier.
+ */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+static uint64_t mul64(uint32_t a, uint32_t b)
+{
+ /* a = al + 2**16 ah, b = bl + 2**16 bh */
+ const uint16_t al = (uint16_t) a;
+ const uint16_t bl = (uint16_t) b;
+ const uint16_t ah = a >> 16;
+ const uint16_t bh = b >> 16;
+
+ /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */
+ const uint32_t lo = (uint32_t) al * bl;
+ const uint64_t me = (uint64_t) ((uint32_t) ah * bl) + (uint32_t) al * bh;
+ const uint32_t hi = (uint32_t) ah * bh;
+
+ return lo + (me << 16) + ((uint64_t) hi << 32);
+}
+#else
+static inline uint64_t mul64(uint32_t a, uint32_t b)
+{
+ return (uint64_t) a * b;
+}
+#endif
+
+
+/**
+ * \brief Process blocks with Poly1305.
+ *
+ * \param ctx The Poly1305 context.
+ * \param nblocks Number of blocks to process. Note that this
+ * function only processes full blocks.
+ * \param input Buffer containing the input block(s).
+ * \param needs_padding Set to 0 if the padding bit has already been
+ * applied to the input data before calling this
+ * function. Otherwise, set this parameter to 1.
+ */
+static void poly1305_process(mbedtls_poly1305_context *ctx,
+ size_t nblocks,
+ const unsigned char *input,
+ uint32_t needs_padding)
+{
+ uint64_t d0, d1, d2, d3;
+ uint32_t acc0, acc1, acc2, acc3, acc4;
+ uint32_t r0, r1, r2, r3;
+ uint32_t rs1, rs2, rs3;
+ size_t offset = 0U;
+ size_t i;
+
+ r0 = ctx->r[0];
+ r1 = ctx->r[1];
+ r2 = ctx->r[2];
+ r3 = ctx->r[3];
+
+ rs1 = r1 + (r1 >> 2U);
+ rs2 = r2 + (r2 >> 2U);
+ rs3 = r3 + (r3 >> 2U);
+
+ acc0 = ctx->acc[0];
+ acc1 = ctx->acc[1];
+ acc2 = ctx->acc[2];
+ acc3 = ctx->acc[3];
+ acc4 = ctx->acc[4];
+
+ /* Process full blocks */
+ for (i = 0U; i < nblocks; i++) {
+ /* The input block is treated as a 128-bit little-endian integer */
+ d0 = MBEDTLS_GET_UINT32_LE(input, offset + 0);
+ d1 = MBEDTLS_GET_UINT32_LE(input, offset + 4);
+ d2 = MBEDTLS_GET_UINT32_LE(input, offset + 8);
+ d3 = MBEDTLS_GET_UINT32_LE(input, offset + 12);
+
+ /* Compute: acc += (padded) block as a 130-bit integer */
+ d0 += (uint64_t) acc0;
+ d1 += (uint64_t) acc1 + (d0 >> 32U);
+ d2 += (uint64_t) acc2 + (d1 >> 32U);
+ d3 += (uint64_t) acc3 + (d2 >> 32U);
+ acc0 = (uint32_t) d0;
+ acc1 = (uint32_t) d1;
+ acc2 = (uint32_t) d2;
+ acc3 = (uint32_t) d3;
+ acc4 += (uint32_t) (d3 >> 32U) + needs_padding;
+
+ /* Compute: acc *= r */
+ d0 = mul64(acc0, r0) +
+ mul64(acc1, rs3) +
+ mul64(acc2, rs2) +
+ mul64(acc3, rs1);
+ d1 = mul64(acc0, r1) +
+ mul64(acc1, r0) +
+ mul64(acc2, rs3) +
+ mul64(acc3, rs2) +
+ mul64(acc4, rs1);
+ d2 = mul64(acc0, r2) +
+ mul64(acc1, r1) +
+ mul64(acc2, r0) +
+ mul64(acc3, rs3) +
+ mul64(acc4, rs2);
+ d3 = mul64(acc0, r3) +
+ mul64(acc1, r2) +
+ mul64(acc2, r1) +
+ mul64(acc3, r0) +
+ mul64(acc4, rs3);
+ acc4 *= r0;
+
+ /* Compute: acc %= (2^130 - 5) (partial remainder) */
+ d1 += (d0 >> 32);
+ d2 += (d1 >> 32);
+ d3 += (d2 >> 32);
+ acc0 = (uint32_t) d0;
+ acc1 = (uint32_t) d1;
+ acc2 = (uint32_t) d2;
+ acc3 = (uint32_t) d3;
+ acc4 = (uint32_t) (d3 >> 32) + acc4;
+
+ d0 = (uint64_t) acc0 + (acc4 >> 2) + (acc4 & 0xFFFFFFFCU);
+ acc4 &= 3U;
+ acc0 = (uint32_t) d0;
+ d0 = (uint64_t) acc1 + (d0 >> 32U);
+ acc1 = (uint32_t) d0;
+ d0 = (uint64_t) acc2 + (d0 >> 32U);
+ acc2 = (uint32_t) d0;
+ d0 = (uint64_t) acc3 + (d0 >> 32U);
+ acc3 = (uint32_t) d0;
+ d0 = (uint64_t) acc4 + (d0 >> 32U);
+ acc4 = (uint32_t) d0;
+
+ offset += POLY1305_BLOCK_SIZE_BYTES;
+ }
+
+ ctx->acc[0] = acc0;
+ ctx->acc[1] = acc1;
+ ctx->acc[2] = acc2;
+ ctx->acc[3] = acc3;
+ ctx->acc[4] = acc4;
+}
+
+/**
+ * \brief Compute the Poly1305 MAC
+ *
+ * \param ctx The Poly1305 context.
+ * \param mac The buffer to where the MAC is written. Must be
+ * big enough to contain the 16-byte MAC.
+ */
+static void poly1305_compute_mac(const mbedtls_poly1305_context *ctx,
+ unsigned char mac[16])
+{
+ uint64_t d;
+ uint32_t g0, g1, g2, g3, g4;
+ uint32_t acc0, acc1, acc2, acc3, acc4;
+ uint32_t mask;
+ uint32_t mask_inv;
+
+ acc0 = ctx->acc[0];
+ acc1 = ctx->acc[1];
+ acc2 = ctx->acc[2];
+ acc3 = ctx->acc[3];
+ acc4 = ctx->acc[4];
+
+ /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
+ * We do this by calculating acc - (2^130 - 5), then checking if
+ * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
+ */
+
+ /* Calculate acc + -(2^130 - 5) */
+ d = ((uint64_t) acc0 + 5U);
+ g0 = (uint32_t) d;
+ d = ((uint64_t) acc1 + (d >> 32));
+ g1 = (uint32_t) d;
+ d = ((uint64_t) acc2 + (d >> 32));
+ g2 = (uint32_t) d;
+ d = ((uint64_t) acc3 + (d >> 32));
+ g3 = (uint32_t) d;
+ g4 = acc4 + (uint32_t) (d >> 32U);
+
+ /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
+ mask = (uint32_t) 0U - (g4 >> 2U);
+ mask_inv = ~mask;
+
+ /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
+ acc0 = (acc0 & mask_inv) | (g0 & mask);
+ acc1 = (acc1 & mask_inv) | (g1 & mask);
+ acc2 = (acc2 & mask_inv) | (g2 & mask);
+ acc3 = (acc3 & mask_inv) | (g3 & mask);
+
+ /* Add 's' */
+ d = (uint64_t) acc0 + ctx->s[0];
+ acc0 = (uint32_t) d;
+ d = (uint64_t) acc1 + ctx->s[1] + (d >> 32U);
+ acc1 = (uint32_t) d;
+ d = (uint64_t) acc2 + ctx->s[2] + (d >> 32U);
+ acc2 = (uint32_t) d;
+ acc3 += ctx->s[3] + (uint32_t) (d >> 32U);
+
+ /* Compute MAC (128 least significant bits of the accumulator) */
+ MBEDTLS_PUT_UINT32_LE(acc0, mac, 0);
+ MBEDTLS_PUT_UINT32_LE(acc1, mac, 4);
+ MBEDTLS_PUT_UINT32_LE(acc2, mac, 8);
+ MBEDTLS_PUT_UINT32_LE(acc3, mac, 12);
+}
+
+void mbedtls_poly1305_init(mbedtls_poly1305_context *ctx)
+{
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_poly1305_context));
+}
+
+void mbedtls_poly1305_free(mbedtls_poly1305_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_poly1305_context));
+}
+
+int mbedtls_poly1305_starts(mbedtls_poly1305_context *ctx,
+ const unsigned char key[32])
+{
+ /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
+ ctx->r[0] = MBEDTLS_GET_UINT32_LE(key, 0) & 0x0FFFFFFFU;
+ ctx->r[1] = MBEDTLS_GET_UINT32_LE(key, 4) & 0x0FFFFFFCU;
+ ctx->r[2] = MBEDTLS_GET_UINT32_LE(key, 8) & 0x0FFFFFFCU;
+ ctx->r[3] = MBEDTLS_GET_UINT32_LE(key, 12) & 0x0FFFFFFCU;
+
+ ctx->s[0] = MBEDTLS_GET_UINT32_LE(key, 16);
+ ctx->s[1] = MBEDTLS_GET_UINT32_LE(key, 20);
+ ctx->s[2] = MBEDTLS_GET_UINT32_LE(key, 24);
+ ctx->s[3] = MBEDTLS_GET_UINT32_LE(key, 28);
+
+ /* Initial accumulator state */
+ ctx->acc[0] = 0U;
+ ctx->acc[1] = 0U;
+ ctx->acc[2] = 0U;
+ ctx->acc[3] = 0U;
+ ctx->acc[4] = 0U;
+
+ /* Queue initially empty */
+ mbedtls_platform_zeroize(ctx->queue, sizeof(ctx->queue));
+ ctx->queue_len = 0U;
+
+ return 0;
+}
+
+int mbedtls_poly1305_update(mbedtls_poly1305_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ size_t offset = 0U;
+ size_t remaining = ilen;
+ size_t queue_free_len;
+ size_t nblocks;
+
+ if ((remaining > 0U) && (ctx->queue_len > 0U)) {
+ queue_free_len = (POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len);
+
+ if (ilen < queue_free_len) {
+ /* Not enough data to complete the block.
+ * Store this data with the other leftovers.
+ */
+ memcpy(&ctx->queue[ctx->queue_len],
+ input,
+ ilen);
+
+ ctx->queue_len += ilen;
+
+ remaining = 0U;
+ } else {
+ /* Enough data to produce a complete block */
+ memcpy(&ctx->queue[ctx->queue_len],
+ input,
+ queue_free_len);
+
+ ctx->queue_len = 0U;
+
+ poly1305_process(ctx, 1U, ctx->queue, 1U); /* add padding bit */
+
+ offset += queue_free_len;
+ remaining -= queue_free_len;
+ }
+ }
+
+ if (remaining >= POLY1305_BLOCK_SIZE_BYTES) {
+ nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
+
+ poly1305_process(ctx, nblocks, &input[offset], 1U);
+
+ offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
+ remaining %= POLY1305_BLOCK_SIZE_BYTES;
+ }
+
+ if (remaining > 0U) {
+ /* Store partial block */
+ ctx->queue_len = remaining;
+ memcpy(ctx->queue, &input[offset], remaining);
+ }
+
+ return 0;
+}
+
+int mbedtls_poly1305_finish(mbedtls_poly1305_context *ctx,
+ unsigned char mac[16])
+{
+ /* Process any leftover data */
+ if (ctx->queue_len > 0U) {
+ /* Add padding bit */
+ ctx->queue[ctx->queue_len] = 1U;
+ ctx->queue_len++;
+
+ /* Pad with zeroes */
+ memset(&ctx->queue[ctx->queue_len],
+ 0,
+ POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len);
+
+ poly1305_process(ctx, 1U, /* Process 1 block */
+ ctx->queue, 0U); /* Already padded above */
+ }
+
+ poly1305_compute_mac(ctx, mac);
+
+ return 0;
+}
+
+int mbedtls_poly1305_mac(const unsigned char key[32],
+ const unsigned char *input,
+ size_t ilen,
+ unsigned char mac[16])
+{
+ mbedtls_poly1305_context ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_poly1305_init(&ctx);
+
+ ret = mbedtls_poly1305_starts(&ctx, key);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_poly1305_update(&ctx, input, ilen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_poly1305_finish(&ctx, mac);
+
+cleanup:
+ mbedtls_poly1305_free(&ctx);
+ return ret;
+}
+
+#endif /* MBEDTLS_POLY1305_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+ {
+ 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
+ 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
+ 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
+ 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
+ },
+ {
+ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
+ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
+ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
+ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
+ }
+};
+
+static const unsigned char test_data[2][127] =
+{
+ {
+ 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
+ 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
+ 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
+ 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
+ 0x75, 0x70
+ },
+ {
+ 0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
+ 0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+ 0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
+ 0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
+ 0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
+ 0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
+ 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
+ 0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
+ 0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
+ 0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
+ 0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
+ 0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
+ 0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
+ 0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
+ 0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
+ }
+};
+
+static const size_t test_data_len[2] =
+{
+ 34U,
+ 127U
+};
+
+static const unsigned char test_mac[2][16] =
+{
+ {
+ 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
+ 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
+ },
+ {
+ 0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
+ 0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
+ }
+};
+
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
+#define ASSERT(cond, args) \
+ do \
+ { \
+ if (!(cond)) \
+ { \
+ if (verbose != 0) \
+ mbedtls_printf args; \
+ \
+ return -1; \
+ } \
+ } \
+ while (0)
+
+int mbedtls_poly1305_self_test(int verbose)
+{
+ unsigned char mac[16];
+ unsigned i;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ for (i = 0U; i < 2U; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" Poly1305 test %u ", i);
+ }
+
+ ret = mbedtls_poly1305_mac(test_keys[i],
+ test_data[i],
+ test_data_len[i],
+ mac);
+ ASSERT(0 == ret, ("error code: %i\n", ret));
+
+ ASSERT(0 == memcmp(mac, test_mac[i], 16U), ("failed (mac)\n"));
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_POLY1305_C */
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
new file mode 100644
index 0000000..969c695
--- /dev/null
+++ b/library/psa_crypto.c
@@ -0,0 +1,9166 @@
+/*
+ * PSA crypto layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+#include "psa_crypto_core_common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#include "check_crypto_config.h"
+#endif
+
+#include "psa/crypto.h"
+#include "psa/crypto_values.h"
+
+#include "psa_crypto_cipher.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_invasive.h"
+#include "psa_crypto_driver_wrappers.h"
+#include "psa_crypto_driver_wrappers_no_static.h"
+#include "psa_crypto_ecp.h"
+#include "psa_crypto_ffdh.h"
+#include "psa_crypto_hash.h"
+#include "psa_crypto_mac.h"
+#include "psa_crypto_rsa.h"
+#include "psa_crypto_ecp.h"
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#include "psa_crypto_se.h"
+#endif
+#include "psa_crypto_slot_management.h"
+/* Include internal declarations that are useful for implementing persistently
+ * stored keys. */
+#include "psa_crypto_storage.h"
+
+#include "psa_crypto_random_impl.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+
+#include "mbedtls/aes.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/camellia.h"
+#include "mbedtls/chacha20.h"
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/ccm.h"
+#include "mbedtls/cmac.h"
+#include "mbedtls/constant_time.h"
+#include "mbedtls/des.h"
+#include "mbedtls/ecdh.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/error.h"
+#include "mbedtls/gcm.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/pk.h"
+#include "pk_wrap.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/psa_util.h"
+#include "mbedtls/threading.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+#define BUILTIN_ALG_ANY_HKDF 1
+#endif
+
+/****************************************************************/
+/* Global data, support functions and library management */
+/****************************************************************/
+
+static int key_type_is_raw_bytes(psa_key_type_t type)
+{
+ return PSA_KEY_TYPE_IS_UNSTRUCTURED(type);
+}
+
+/* Values for psa_global_data_t::rng_state */
+#define RNG_NOT_INITIALIZED 0
+#define RNG_INITIALIZED 1
+#define RNG_SEEDED 2
+
+/* IDs for PSA crypto subsystems. Starts at 1 to catch potential uninitialized
+ * variables as arguments. */
+typedef enum {
+ PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS = 1,
+ PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS,
+ PSA_CRYPTO_SUBSYSTEM_RNG,
+ PSA_CRYPTO_SUBSYSTEM_TRANSACTION,
+} mbedtls_psa_crypto_subsystem;
+
+/* Initialization flags for global_data::initialized */
+#define PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED 0x01
+#define PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED 0x02
+#define PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED 0x04
+
+#define PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED ( \
+ PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED | \
+ PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED | \
+ PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)
+
+typedef struct {
+ uint8_t initialized;
+ uint8_t rng_state;
+ mbedtls_psa_random_context_t rng;
+} psa_global_data_t;
+
+static psa_global_data_t global_data;
+
+static uint8_t psa_get_initialized(void)
+{
+ uint8_t initialized;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ initialized = global_data.rng_state == RNG_SEEDED;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ initialized =
+ (initialized && (global_data.initialized == PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED));
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return initialized;
+}
+
+static uint8_t psa_get_drivers_initialized(void)
+{
+ uint8_t initialized;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ initialized = (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) != 0;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return initialized;
+}
+
+#define GUARD_MODULE_INITIALIZED \
+ if (psa_get_initialized() == 0) \
+ return PSA_ERROR_BAD_STATE;
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+
+/* Declare a local copy of an input buffer and a variable that will be used
+ * to store a pointer to the start of the buffer.
+ *
+ * Note: This macro must be called before any operations which may jump to
+ * the exit label, so that the local input copy object is safe to be freed.
+ *
+ * Assumptions:
+ * - input is the name of a pointer to the buffer to be copied
+ * - The name LOCAL_INPUT_COPY_OF_input is unused in the current scope
+ * - input_copy_name is a name that is unused in the current scope
+ */
+#define LOCAL_INPUT_DECLARE(input, input_copy_name) \
+ psa_crypto_local_input_t LOCAL_INPUT_COPY_OF_##input = PSA_CRYPTO_LOCAL_INPUT_INIT; \
+ const uint8_t *input_copy_name = NULL;
+
+/* Allocate a copy of the buffer input and set the pointer input_copy to
+ * point to the start of the copy.
+ *
+ * Assumptions:
+ * - psa_status_t status exists
+ * - An exit label is declared
+ * - input is the name of a pointer to the buffer to be copied
+ * - LOCAL_INPUT_DECLARE(input, input_copy) has previously been called
+ */
+#define LOCAL_INPUT_ALLOC(input, length, input_copy) \
+ status = psa_crypto_local_input_alloc(input, length, \
+ &LOCAL_INPUT_COPY_OF_##input); \
+ if (status != PSA_SUCCESS) { \
+ goto exit; \
+ } \
+ input_copy = LOCAL_INPUT_COPY_OF_##input.buffer;
+
+/* Free the local input copy allocated previously by LOCAL_INPUT_ALLOC()
+ *
+ * Assumptions:
+ * - input_copy is the name of the input copy pointer set by LOCAL_INPUT_ALLOC()
+ * - input is the name of the original buffer that was copied
+ */
+#define LOCAL_INPUT_FREE(input, input_copy) \
+ input_copy = NULL; \
+ psa_crypto_local_input_free(&LOCAL_INPUT_COPY_OF_##input);
+
+/* Declare a local copy of an output buffer and a variable that will be used
+ * to store a pointer to the start of the buffer.
+ *
+ * Note: This macro must be called before any operations which may jump to
+ * the exit label, so that the local output copy object is safe to be freed.
+ *
+ * Assumptions:
+ * - output is the name of a pointer to the buffer to be copied
+ * - The name LOCAL_OUTPUT_COPY_OF_output is unused in the current scope
+ * - output_copy_name is a name that is unused in the current scope
+ */
+#define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
+ psa_crypto_local_output_t LOCAL_OUTPUT_COPY_OF_##output = PSA_CRYPTO_LOCAL_OUTPUT_INIT; \
+ uint8_t *output_copy_name = NULL;
+
+/* Allocate a copy of the buffer output and set the pointer output_copy to
+ * point to the start of the copy.
+ *
+ * Assumptions:
+ * - psa_status_t status exists
+ * - An exit label is declared
+ * - output is the name of a pointer to the buffer to be copied
+ * - LOCAL_OUTPUT_DECLARE(output, output_copy) has previously been called
+ */
+#define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
+ status = psa_crypto_local_output_alloc(output, length, \
+ &LOCAL_OUTPUT_COPY_OF_##output); \
+ if (status != PSA_SUCCESS) { \
+ goto exit; \
+ } \
+ output_copy = LOCAL_OUTPUT_COPY_OF_##output.buffer;
+
+/* Free the local output copy allocated previously by LOCAL_OUTPUT_ALLOC()
+ * after first copying back its contents to the original buffer.
+ *
+ * Assumptions:
+ * - psa_status_t status exists
+ * - output_copy is the name of the output copy pointer set by LOCAL_OUTPUT_ALLOC()
+ * - output is the name of the original buffer that was copied
+ */
+#define LOCAL_OUTPUT_FREE(output, output_copy) \
+ output_copy = NULL; \
+ do { \
+ psa_status_t local_output_status; \
+ local_output_status = psa_crypto_local_output_free(&LOCAL_OUTPUT_COPY_OF_##output); \
+ if (local_output_status != PSA_SUCCESS) { \
+ /* Since this error case is an internal error, it's more serious than \
+ * any existing error code and so it's fine to overwrite the existing \
+ * status. */ \
+ status = local_output_status; \
+ } \
+ } while (0)
+#else /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
+#define LOCAL_INPUT_DECLARE(input, input_copy_name) \
+ const uint8_t *input_copy_name = NULL;
+#define LOCAL_INPUT_ALLOC(input, length, input_copy) \
+ input_copy = input;
+#define LOCAL_INPUT_FREE(input, input_copy) \
+ input_copy = NULL;
+#define LOCAL_OUTPUT_DECLARE(output, output_copy_name) \
+ uint8_t *output_copy_name = NULL;
+#define LOCAL_OUTPUT_ALLOC(output, length, output_copy) \
+ output_copy = output;
+#define LOCAL_OUTPUT_FREE(output, output_copy) \
+ output_copy = NULL;
+#endif /* !MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
+
+
+int psa_can_do_hash(psa_algorithm_t hash_alg)
+{
+ (void) hash_alg;
+ return psa_get_drivers_initialized();
+}
+
+int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg)
+{
+ (void) key_type;
+ (void) cipher_alg;
+ return psa_get_drivers_initialized();
+}
+
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
+ defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+static int psa_is_dh_key_size_valid(size_t bits)
+{
+ switch (bits) {
+#if defined(PSA_WANT_DH_RFC7919_2048)
+ case 2048:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_2048 */
+#if defined(PSA_WANT_DH_RFC7919_3072)
+ case 3072:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_3072 */
+#if defined(PSA_WANT_DH_RFC7919_4096)
+ case 4096:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_4096 */
+#if defined(PSA_WANT_DH_RFC7919_6144)
+ case 6144:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_6144 */
+#if defined(PSA_WANT_DH_RFC7919_8192)
+ case 8192:
+ return 1;
+#endif /* PSA_WANT_DH_RFC7919_8192 */
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
+ PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
+
+psa_status_t mbedtls_to_psa_error(int ret)
+{
+ /* Mbed TLS error codes can combine a high-level error code and a
+ * low-level error code. The low-level error usually reflects the
+ * root cause better, so dispatch on that preferably. */
+ int low_level_ret = -(-ret & 0x007f);
+ switch (low_level_ret != 0 ? low_level_ret : ret) {
+ case 0:
+ return PSA_SUCCESS;
+
+#if defined(MBEDTLS_AES_C)
+ case MBEDTLS_ERR_AES_INVALID_KEY_LENGTH:
+ case MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_AES_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_ASN1_WRITE_C)
+ case MBEDTLS_ERR_ASN1_OUT_OF_DATA:
+ case MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:
+ case MBEDTLS_ERR_ASN1_INVALID_LENGTH:
+ case MBEDTLS_ERR_ASN1_LENGTH_MISMATCH:
+ case MBEDTLS_ERR_ASN1_INVALID_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_ASN1_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ case MBEDTLS_ERR_ASN1_BUF_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+ case MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA:
+ case MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH:
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+ case MBEDTLS_ERR_CCM_BAD_INPUT:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_CCM_AUTH_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+ case MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ case MBEDTLS_ERR_CHACHAPOLY_BAD_STATE:
+ return PSA_ERROR_BAD_STATE;
+ case MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+ case MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_CIPHER_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ case MBEDTLS_ERR_CIPHER_INVALID_PADDING:
+ return PSA_ERROR_INVALID_PADDING;
+ case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_CIPHER_INVALID_CONTEXT:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+#endif
+
+#if !(defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || \
+ defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE))
+ /* Only check CTR_DRBG error codes if underlying mbedtls_xxx
+ * functions are passed a CTR_DRBG instance. */
+ case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+ case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
+ case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+#endif
+
+#if defined(MBEDTLS_DES_C)
+ case MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif
+
+ case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
+ case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
+ case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+
+#if defined(MBEDTLS_GCM_C)
+ case MBEDTLS_ERR_GCM_AUTH_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_GCM_BAD_INPUT:
+ return PSA_ERROR_INVALID_ARGUMENT;
+#endif
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
+ defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
+ /* Only check HMAC_DRBG error codes if underlying mbedtls_xxx
+ * functions are passed a HMAC_DRBG instance. */
+ case MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+ case MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG:
+ case MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+#endif
+
+#if defined(MBEDTLS_MD_LIGHT)
+ case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MD_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+#if defined(MBEDTLS_FS_IO)
+ case MBEDTLS_ERR_MD_FILE_IO_ERROR:
+ return PSA_ERROR_STORAGE_FAILURE;
+#endif
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+#if defined(MBEDTLS_FS_IO)
+ case MBEDTLS_ERR_MPI_FILE_IO_ERROR:
+ return PSA_ERROR_STORAGE_FAILURE;
+#endif
+ case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_INVALID_CHARACTER:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_MPI_NEGATIVE_VALUE:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_DIVISION_BY_ZERO:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_MPI_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+#endif
+
+#if defined(MBEDTLS_PK_C)
+ case MBEDTLS_ERR_PK_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ case MBEDTLS_ERR_PK_TYPE_MISMATCH:
+ case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || defined(MBEDTLS_FS_IO) || \
+ defined(MBEDTLS_PSA_ITS_FILE_C)
+ case MBEDTLS_ERR_PK_FILE_IO_ERROR:
+ return PSA_ERROR_STORAGE_FAILURE;
+#endif
+ case MBEDTLS_ERR_PK_KEY_INVALID_VERSION:
+ case MBEDTLS_ERR_PK_KEY_INVALID_FORMAT:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_PK_UNKNOWN_PK_ALG:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
+ case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
+ return PSA_ERROR_NOT_PERMITTED;
+ case MBEDTLS_ERR_PK_INVALID_PUBKEY:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_PK_INVALID_ALG:
+ case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
+ case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_PK_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+#endif
+
+ case MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED:
+ return PSA_ERROR_HARDWARE_FAILURE;
+ case MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_ERR_RSA_BAD_INPUT_DATA:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_RSA_INVALID_PADDING:
+ return PSA_ERROR_INVALID_PADDING;
+ case MBEDTLS_ERR_RSA_KEY_GEN_FAILED:
+ return PSA_ERROR_HARDWARE_FAILURE;
+ case MBEDTLS_ERR_RSA_KEY_CHECK_FAILED:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_RSA_PUBLIC_FAILED:
+ case MBEDTLS_ERR_RSA_PRIVATE_FAILED:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ case MBEDTLS_ERR_RSA_VERIFY_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_RSA_RNG_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+#endif
+
+#if defined(MBEDTLS_ECP_LIGHT)
+ case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
+ case MBEDTLS_ERR_ECP_INVALID_KEY:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH:
+ case MBEDTLS_ERR_ECP_VERIFY_FAILED:
+ return PSA_ERROR_INVALID_SIGNATURE;
+ case MBEDTLS_ERR_ECP_ALLOC_FAILED:
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ case MBEDTLS_ERR_ECP_RANDOM_FAILED:
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ case MBEDTLS_ERR_ECP_IN_PROGRESS:
+ return PSA_OPERATION_INCOMPLETE;
+#endif
+#endif
+
+ case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+
+ default:
+ return PSA_ERROR_GENERIC_ERROR;
+ }
+}
+
+/**
+ * \brief For output buffers which contain "tags"
+ * (outputs that may be checked for validity like
+ * hashes, MACs and signatures), fill the unused
+ * part of the output buffer (the whole buffer on
+ * error, the trailing part on success) with
+ * something that isn't a valid tag (barring an
+ * attack on the tag and deliberately-crafted
+ * input), in case the caller doesn't check the
+ * return status properly.
+ *
+ * \param output_buffer Pointer to buffer to wipe. May not be NULL
+ * unless \p output_buffer_size is zero.
+ * \param status Status of function called to generate
+ * output_buffer originally
+ * \param output_buffer_size Size of output buffer. If zero, \p output_buffer
+ * could be NULL.
+ * \param output_buffer_length Length of data written to output_buffer, must be
+ * less than \p output_buffer_size
+ */
+static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status,
+ size_t output_buffer_size, size_t output_buffer_length)
+{
+ size_t offset = 0;
+
+ if (output_buffer_size == 0) {
+ /* If output_buffer_size is 0 then we have nothing to do. We must not
+ call memset because output_buffer may be NULL in this case */
+ return;
+ }
+
+ if (status == PSA_SUCCESS) {
+ offset = output_buffer_length;
+ }
+
+ memset(output_buffer + offset, '!', output_buffer_size - offset);
+}
+
+
+psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
+ size_t bits)
+{
+ /* Check that the bit size is acceptable for the key type */
+ switch (type) {
+ case PSA_KEY_TYPE_RAW_DATA:
+ case PSA_KEY_TYPE_HMAC:
+ case PSA_KEY_TYPE_DERIVE:
+ case PSA_KEY_TYPE_PASSWORD:
+ case PSA_KEY_TYPE_PASSWORD_HASH:
+ break;
+#if defined(PSA_WANT_KEY_TYPE_AES)
+ case PSA_KEY_TYPE_AES:
+ if (bits != 128 && bits != 192 && bits != 256) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_ARIA)
+ case PSA_KEY_TYPE_ARIA:
+ if (bits != 128 && bits != 192 && bits != 256) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
+ case PSA_KEY_TYPE_CAMELLIA:
+ if (bits != 128 && bits != 192 && bits != 256) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_DES)
+ case PSA_KEY_TYPE_DES:
+ if (bits != 64 && bits != 128 && bits != 192) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+ case PSA_KEY_TYPE_CHACHA20:
+ if (bits != 256) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif
+ default:
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (bits % 8 != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/** Check whether a given key type is valid for use with a given MAC algorithm
+ *
+ * Upon successful return of this function, the behavior of #PSA_MAC_LENGTH
+ * when called with the validated \p algorithm and \p key_type is well-defined.
+ *
+ * \param[in] algorithm The specific MAC algorithm (can be wildcard).
+ * \param[in] key_type The key type of the key to be used with the
+ * \p algorithm.
+ *
+ * \retval #PSA_SUCCESS
+ * The \p key_type is valid for use with the \p algorithm
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The \p key_type is not valid for use with the \p algorithm
+ */
+MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do(
+ psa_algorithm_t algorithm,
+ psa_key_type_t key_type)
+{
+ if (PSA_ALG_IS_HMAC(algorithm)) {
+ if (key_type == PSA_KEY_TYPE_HMAC) {
+ return PSA_SUCCESS;
+ }
+ }
+
+ if (PSA_ALG_IS_BLOCK_CIPHER_MAC(algorithm)) {
+ /* Check that we're calling PSA_BLOCK_CIPHER_BLOCK_LENGTH with a cipher
+ * key. */
+ if ((key_type & PSA_KEY_TYPE_CATEGORY_MASK) ==
+ PSA_KEY_TYPE_CATEGORY_SYMMETRIC) {
+ /* PSA_BLOCK_CIPHER_BLOCK_LENGTH returns 1 for stream ciphers and
+ * the block length (larger than 1) for block ciphers. */
+ if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1) {
+ return PSA_SUCCESS;
+ }
+ }
+ }
+
+ return PSA_ERROR_INVALID_ARGUMENT;
+}
+
+psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
+ size_t buffer_length)
+{
+ if (slot->key.data != NULL) {
+ return PSA_ERROR_ALREADY_EXISTS;
+ }
+
+ slot->key.data = mbedtls_calloc(1, buffer_length);
+ if (slot->key.data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ slot->key.bytes = buffer_length;
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status = psa_allocate_buffer_to_slot(slot,
+ data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ memcpy(slot->key.data, data, data_length);
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_import_key_into_slot(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_type_t type = attributes->type;
+
+ /* zero-length keys are never supported. */
+ if (data_length == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (key_type_is_raw_bytes(type)) {
+ *bits = PSA_BYTES_TO_BITS(data_length);
+
+ status = psa_validate_unstructured_key_bit_size(attributes->type,
+ *bits);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Copy the key material. */
+ memcpy(key_buffer, data, data_length);
+ *key_buffer_length = data_length;
+ (void) key_buffer_size;
+
+ return PSA_SUCCESS;
+ } else if (PSA_KEY_TYPE_IS_ASYMMETRIC(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+ if (PSA_KEY_TYPE_IS_DH(type)) {
+ if (psa_is_dh_key_size_valid(PSA_BYTES_TO_BITS(data_length)) == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ return mbedtls_psa_ffdh_import_key(attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length,
+ bits);
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+ if (PSA_KEY_TYPE_IS_ECC(type)) {
+ return mbedtls_psa_ecp_import_key(attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length,
+ bits);
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+ if (PSA_KEY_TYPE_IS_RSA(type)) {
+ return mbedtls_psa_rsa_import_key(attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length,
+ bits);
+ }
+#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+/** Calculate the intersection of two algorithm usage policies.
+ *
+ * Return 0 (which allows no operation) on incompatibility.
+ */
+static psa_algorithm_t psa_key_policy_algorithm_intersection(
+ psa_key_type_t key_type,
+ psa_algorithm_t alg1,
+ psa_algorithm_t alg2)
+{
+ /* Common case: both sides actually specify the same policy. */
+ if (alg1 == alg2) {
+ return alg1;
+ }
+ /* If the policies are from the same hash-and-sign family, check
+ * if one is a wildcard. If so the other has the specific algorithm. */
+ if (PSA_ALG_IS_SIGN_HASH(alg1) &&
+ PSA_ALG_IS_SIGN_HASH(alg2) &&
+ (alg1 & ~PSA_ALG_HASH_MASK) == (alg2 & ~PSA_ALG_HASH_MASK)) {
+ if (PSA_ALG_SIGN_GET_HASH(alg1) == PSA_ALG_ANY_HASH) {
+ return alg2;
+ }
+ if (PSA_ALG_SIGN_GET_HASH(alg2) == PSA_ALG_ANY_HASH) {
+ return alg1;
+ }
+ }
+ /* If the policies are from the same AEAD family, check whether
+ * one of them is a minimum-tag-length wildcard. Calculate the most
+ * restrictive tag length. */
+ if (PSA_ALG_IS_AEAD(alg1) && PSA_ALG_IS_AEAD(alg2) &&
+ (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg1, 0) ==
+ PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg2, 0))) {
+ size_t alg1_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg1);
+ size_t alg2_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg2);
+ size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
+
+ /* If both are wildcards, return most restrictive wildcard */
+ if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+ ((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
+ return PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(
+ alg1, restricted_len);
+ }
+ /* If only one is a wildcard, return specific algorithm if compatible. */
+ if (((alg1 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+ (alg1_len <= alg2_len)) {
+ return alg2;
+ }
+ if (((alg2 & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+ (alg2_len <= alg1_len)) {
+ return alg1;
+ }
+ }
+ /* If the policies are from the same MAC family, check whether one
+ * of them is a minimum-MAC-length policy. Calculate the most
+ * restrictive tag length. */
+ if (PSA_ALG_IS_MAC(alg1) && PSA_ALG_IS_MAC(alg2) &&
+ (PSA_ALG_FULL_LENGTH_MAC(alg1) ==
+ PSA_ALG_FULL_LENGTH_MAC(alg2))) {
+ /* Validate the combination of key type and algorithm. Since the base
+ * algorithm of alg1 and alg2 are the same, we only need this once. */
+ if (PSA_SUCCESS != psa_mac_key_can_do(alg1, key_type)) {
+ return 0;
+ }
+
+ /* Get the (exact or at-least) output lengths for both sides of the
+ * requested intersection. None of the currently supported algorithms
+ * have an output length dependent on the actual key size, so setting it
+ * to a bogus value of 0 is currently OK.
+ *
+ * Note that for at-least-this-length wildcard algorithms, the output
+ * length is set to the shortest allowed length, which allows us to
+ * calculate the most restrictive tag length for the intersection. */
+ size_t alg1_len = PSA_MAC_LENGTH(key_type, 0, alg1);
+ size_t alg2_len = PSA_MAC_LENGTH(key_type, 0, alg2);
+ size_t restricted_len = alg1_len > alg2_len ? alg1_len : alg2_len;
+
+ /* If both are wildcards, return most restrictive wildcard */
+ if (((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) &&
+ ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
+ return PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(alg1, restricted_len);
+ }
+
+ /* If only one is an at-least-this-length policy, the intersection would
+ * be the other (fixed-length) policy as long as said fixed length is
+ * equal to or larger than the shortest allowed length. */
+ if ((alg1 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
+ return (alg1_len <= alg2_len) ? alg2 : 0;
+ }
+ if ((alg2 & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
+ return (alg2_len <= alg1_len) ? alg1 : 0;
+ }
+
+ /* If none of them are wildcards, check whether they define the same tag
+ * length. This is still possible here when one is default-length and
+ * the other specific-length. Ensure to always return the
+ * specific-length version for the intersection. */
+ if (alg1_len == alg2_len) {
+ return PSA_ALG_TRUNCATED_MAC(alg1, alg1_len);
+ }
+ }
+ /* If the policies are incompatible, allow nothing. */
+ return 0;
+}
+
+static int psa_key_algorithm_permits(psa_key_type_t key_type,
+ psa_algorithm_t policy_alg,
+ psa_algorithm_t requested_alg)
+{
+ /* Common case: the policy only allows requested_alg. */
+ if (requested_alg == policy_alg) {
+ return 1;
+ }
+ /* If policy_alg is a hash-and-sign with a wildcard for the hash,
+ * and requested_alg is the same hash-and-sign family with any hash,
+ * then requested_alg is compliant with policy_alg. */
+ if (PSA_ALG_IS_SIGN_HASH(requested_alg) &&
+ PSA_ALG_SIGN_GET_HASH(policy_alg) == PSA_ALG_ANY_HASH) {
+ return (policy_alg & ~PSA_ALG_HASH_MASK) ==
+ (requested_alg & ~PSA_ALG_HASH_MASK);
+ }
+ /* If policy_alg is a wildcard AEAD algorithm of the same base as
+ * the requested algorithm, check the requested tag length to be
+ * equal-length or longer than the wildcard-specified length. */
+ if (PSA_ALG_IS_AEAD(policy_alg) &&
+ PSA_ALG_IS_AEAD(requested_alg) &&
+ (PSA_ALG_AEAD_WITH_SHORTENED_TAG(policy_alg, 0) ==
+ PSA_ALG_AEAD_WITH_SHORTENED_TAG(requested_alg, 0)) &&
+ ((policy_alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0)) {
+ return PSA_ALG_AEAD_GET_TAG_LENGTH(policy_alg) <=
+ PSA_ALG_AEAD_GET_TAG_LENGTH(requested_alg);
+ }
+ /* If policy_alg is a MAC algorithm of the same base as the requested
+ * algorithm, check whether their MAC lengths are compatible. */
+ if (PSA_ALG_IS_MAC(policy_alg) &&
+ PSA_ALG_IS_MAC(requested_alg) &&
+ (PSA_ALG_FULL_LENGTH_MAC(policy_alg) ==
+ PSA_ALG_FULL_LENGTH_MAC(requested_alg))) {
+ /* Validate the combination of key type and algorithm. Since the policy
+ * and requested algorithms are the same, we only need this once. */
+ if (PSA_SUCCESS != psa_mac_key_can_do(policy_alg, key_type)) {
+ return 0;
+ }
+
+ /* Get both the requested output length for the algorithm which is to be
+ * verified, and the default output length for the base algorithm.
+ * Note that none of the currently supported algorithms have an output
+ * length dependent on actual key size, so setting it to a bogus value
+ * of 0 is currently OK. */
+ size_t requested_output_length = PSA_MAC_LENGTH(
+ key_type, 0, requested_alg);
+ size_t default_output_length = PSA_MAC_LENGTH(
+ key_type, 0,
+ PSA_ALG_FULL_LENGTH_MAC(requested_alg));
+
+ /* If the policy is default-length, only allow an algorithm with
+ * a declared exact-length matching the default. */
+ if (PSA_MAC_TRUNCATED_LENGTH(policy_alg) == 0) {
+ return requested_output_length == default_output_length;
+ }
+
+ /* If the requested algorithm is default-length, allow it if the policy
+ * length exactly matches the default length. */
+ if (PSA_MAC_TRUNCATED_LENGTH(requested_alg) == 0 &&
+ PSA_MAC_TRUNCATED_LENGTH(policy_alg) == default_output_length) {
+ return 1;
+ }
+
+ /* If policy_alg is an at-least-this-length wildcard MAC algorithm,
+ * check for the requested MAC length to be equal to or longer than the
+ * minimum allowed length. */
+ if ((policy_alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0) {
+ return PSA_MAC_TRUNCATED_LENGTH(policy_alg) <=
+ requested_output_length;
+ }
+ }
+ /* If policy_alg is a generic key agreement operation, then using it for
+ * a key derivation with that key agreement should also be allowed. This
+ * behaviour is expected to be defined in a future specification version. */
+ if (PSA_ALG_IS_RAW_KEY_AGREEMENT(policy_alg) &&
+ PSA_ALG_IS_KEY_AGREEMENT(requested_alg)) {
+ return PSA_ALG_KEY_AGREEMENT_GET_BASE(requested_alg) ==
+ policy_alg;
+ }
+ /* If it isn't explicitly permitted, it's forbidden. */
+ return 0;
+}
+
+/** Test whether a policy permits an algorithm.
+ *
+ * The caller must test usage flags separately.
+ *
+ * \note This function requires providing the key type for which the policy is
+ * being validated, since some algorithm policy definitions (e.g. MAC)
+ * have different properties depending on what kind of cipher it is
+ * combined with.
+ *
+ * \retval PSA_SUCCESS When \p alg is a specific algorithm
+ * allowed by the \p policy.
+ * \retval PSA_ERROR_INVALID_ARGUMENT When \p alg is not a specific algorithm
+ * \retval PSA_ERROR_NOT_PERMITTED When \p alg is a specific algorithm, but
+ * the \p policy does not allow it.
+ */
+static psa_status_t psa_key_policy_permits(const psa_key_policy_t *policy,
+ psa_key_type_t key_type,
+ psa_algorithm_t alg)
+{
+ /* '0' is not a valid algorithm */
+ if (alg == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* A requested algorithm cannot be a wildcard. */
+ if (PSA_ALG_IS_WILDCARD(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (psa_key_algorithm_permits(key_type, policy->alg, alg) ||
+ psa_key_algorithm_permits(key_type, policy->alg2, alg)) {
+ return PSA_SUCCESS;
+ } else {
+ return PSA_ERROR_NOT_PERMITTED;
+ }
+}
+
+/** Restrict a key policy based on a constraint.
+ *
+ * \note This function requires providing the key type for which the policy is
+ * being restricted, since some algorithm policy definitions (e.g. MAC)
+ * have different properties depending on what kind of cipher it is
+ * combined with.
+ *
+ * \param[in] key_type The key type for which to restrict the policy
+ * \param[in,out] policy The policy to restrict.
+ * \param[in] constraint The policy constraint to apply.
+ *
+ * \retval #PSA_SUCCESS
+ * \c *policy contains the intersection of the original value of
+ * \c *policy and \c *constraint.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \c key_type, \c *policy and \c *constraint are incompatible.
+ * \c *policy is unchanged.
+ */
+static psa_status_t psa_restrict_key_policy(
+ psa_key_type_t key_type,
+ psa_key_policy_t *policy,
+ const psa_key_policy_t *constraint)
+{
+ psa_algorithm_t intersection_alg =
+ psa_key_policy_algorithm_intersection(key_type, policy->alg,
+ constraint->alg);
+ psa_algorithm_t intersection_alg2 =
+ psa_key_policy_algorithm_intersection(key_type, policy->alg2,
+ constraint->alg2);
+ if (intersection_alg == 0 && policy->alg != 0 && constraint->alg != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (intersection_alg2 == 0 && policy->alg2 != 0 && constraint->alg2 != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ policy->usage &= constraint->usage;
+ policy->alg = intersection_alg;
+ policy->alg2 = intersection_alg2;
+ return PSA_SUCCESS;
+}
+
+/** Get the description of a key given its identifier and policy constraints
+ * and lock it.
+ *
+ * The key must have allow all the usage flags set in \p usage. If \p alg is
+ * nonzero, the key must allow operations with this algorithm. If \p alg is
+ * zero, the algorithm is not checked.
+ *
+ * In case of a persistent key, the function loads the description of the key
+ * into a key slot if not already done.
+ *
+ * On success, the returned key slot has been registered for reading.
+ * It is the responsibility of the caller to then unregister
+ * once they have finished reading the contents of the slot.
+ * The caller unregisters by calling psa_unregister_read() or
+ * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
+ * if and only if the caller already holds the global key slot mutex
+ * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
+ * the unregister with mutex lock and unlock operations.
+ */
+static psa_status_t psa_get_and_lock_key_slot_with_policy(
+ mbedtls_svc_key_id_t key,
+ psa_key_slot_t **p_slot,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+
+ status = psa_get_and_lock_key_slot(key, p_slot);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ slot = *p_slot;
+
+ /* Enforce that usage policy for the key slot contains all the flags
+ * required by the usage parameter. There is one exception: public
+ * keys can always be exported, so we treat public key objects as
+ * if they had the export flag. */
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
+ usage &= ~PSA_KEY_USAGE_EXPORT;
+ }
+
+ if ((slot->attr.policy.usage & usage) != usage) {
+ status = PSA_ERROR_NOT_PERMITTED;
+ goto error;
+ }
+
+ /* Enforce that the usage policy permits the requested algorithm. */
+ if (alg != 0) {
+ status = psa_key_policy_permits(&slot->attr.policy,
+ slot->attr.type,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+ }
+
+ return PSA_SUCCESS;
+
+error:
+ *p_slot = NULL;
+ psa_unregister_read_under_mutex(slot);
+
+ return status;
+}
+
+/** Get a key slot containing a transparent key and lock it.
+ *
+ * A transparent key is a key for which the key material is directly
+ * available, as opposed to a key in a secure element and/or to be used
+ * by a secure element.
+ *
+ * This is a temporary function that may be used instead of
+ * psa_get_and_lock_key_slot_with_policy() when there is no opaque key support
+ * for a cryptographic operation.
+ *
+ * On success, the returned key slot has been registered for reading.
+ * It is the responsibility of the caller to then unregister
+ * once they have finished reading the contents of the slot.
+ * The caller unregisters by calling psa_unregister_read() or
+ * psa_unregister_read_under_mutex(). psa_unregister_read() must be called
+ * if and only if the caller already holds the global key slot mutex
+ * (when mutexes are enabled). psa_unregister_read_under_mutex() encapsulates
+ * psa_unregister_read() with mutex lock and unlock operations.
+ */
+static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
+ mbedtls_svc_key_id_t key,
+ psa_key_slot_t **p_slot,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = psa_get_and_lock_key_slot_with_policy(key, p_slot,
+ usage, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) {
+ psa_unregister_read_under_mutex(*p_slot);
+ *p_slot = NULL;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot)
+{
+ if (slot->key.data != NULL) {
+ mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes);
+ }
+
+ slot->key.data = NULL;
+ slot->key.bytes = 0;
+
+ return PSA_SUCCESS;
+}
+
+/** Completely wipe a slot in memory, including its policy.
+ * Persistent storage is not affected. */
+psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot)
+{
+ psa_status_t status = psa_remove_key_data_from_memory(slot);
+
+ /*
+ * As the return error code may not be handled in case of multiple errors,
+ * do our best to report an unexpected amount of registered readers or
+ * an unexpected state.
+ * Assert with MBEDTLS_TEST_HOOK_TEST_ASSERT that the slot is valid for
+ * wiping.
+ * if the MBEDTLS_TEST_HOOKS configuration option is enabled and the
+ * function is called as part of the execution of a test suite, the
+ * execution of the test suite is stopped in error if the assertion fails.
+ */
+ switch (slot->state) {
+ case PSA_SLOT_FULL:
+ /* In this state psa_wipe_key_slot() must only be called if the
+ * caller is the last reader. */
+ case PSA_SLOT_PENDING_DELETION:
+ /* In this state psa_wipe_key_slot() must only be called if the
+ * caller is the last reader. */
+ if (slot->registered_readers != 1) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 1);
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ break;
+ case PSA_SLOT_FILLING:
+ /* In this state registered_readers must be 0. */
+ if (slot->registered_readers != 0) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 0);
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ break;
+ case PSA_SLOT_EMPTY:
+ /* The slot is already empty, it cannot be wiped. */
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->state != PSA_SLOT_EMPTY);
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ break;
+ default:
+ /* The slot's state is invalid. */
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* Multipart operations may still be using the key. This is safe
+ * because all multipart operation objects are independent from
+ * the key slot: if they need to access the key after the setup
+ * phase, they have a copy of the key. Note that this means that
+ * key material can linger until all operations are completed. */
+ /* At this point, key material and other type-specific content has
+ * been wiped. Clear remaining metadata. We can call memset and not
+ * zeroize because the metadata is not particularly sensitive.
+ * This memset also sets the slot's state to PSA_SLOT_EMPTY. */
+ memset(slot, 0, sizeof(*slot));
+ return status;
+}
+
+psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key)
+{
+ psa_key_slot_t *slot;
+ psa_status_t status; /* status of the last operation */
+ psa_status_t overall_status = PSA_SUCCESS;
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ psa_se_drv_table_entry_t *driver;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ if (mbedtls_svc_key_id_is_null(key)) {
+ return PSA_SUCCESS;
+ }
+
+ /*
+ * Get the description of the key in a key slot, and register to read it.
+ * In the case of a persistent key, this will load the key description
+ * from persistent memory if not done yet.
+ * We cannot avoid this loading as without it we don't know if
+ * the key is operated by an SE or not and this information is needed by
+ * the current implementation. */
+ status = psa_get_and_lock_key_slot(key, &slot);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* We cannot unlock between setting the state to PENDING_DELETION
+ * and destroying the key in storage, as otherwise another thread
+ * could load the key into a new slot and the key will not be
+ * fully destroyed. */
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+
+ if (slot->state == PSA_SLOT_PENDING_DELETION) {
+ /* Another thread has destroyed the key between us locking the slot
+ * and us gaining the mutex. Unregister from the slot,
+ * and report that the key does not exist. */
+ status = psa_unregister_read(slot);
+
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+ return (status == PSA_SUCCESS) ? PSA_ERROR_INVALID_HANDLE : status;
+ }
+#endif
+ /* Set the key slot containing the key description's state to
+ * PENDING_DELETION. This stops new operations from registering
+ * to read the slot. Current readers can safely continue to access
+ * the key within the slot; the last registered reader will
+ * automatically wipe the slot when they call psa_unregister_read().
+ * If the key is persistent, we can now delete the copy of the key
+ * from memory. If the key is opaque, we require the driver to
+ * deal with the deletion. */
+ overall_status = psa_key_slot_state_transition(slot, PSA_SLOT_FULL,
+ PSA_SLOT_PENDING_DELETION);
+
+ if (overall_status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (PSA_KEY_LIFETIME_IS_READ_ONLY(slot->attr.lifetime)) {
+ /* Refuse the destruction of a read-only key (which may or may not work
+ * if we attempt it, depending on whether the key is merely read-only
+ * by policy or actually physically read-only).
+ * Just do the best we can, which is to wipe the copy in memory
+ * (done in this function's cleanup code). */
+ overall_status = PSA_ERROR_NOT_PERMITTED;
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ driver = psa_get_se_driver_entry(slot->attr.lifetime);
+ if (driver != NULL) {
+ /* For a key in a secure element, we need to do three things:
+ * remove the key file in internal storage, destroy the
+ * key inside the secure element, and update the driver's
+ * persistent data. Start a transaction that will encompass these
+ * three actions. */
+ psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_DESTROY_KEY);
+ psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
+ psa_crypto_transaction.key.slot = psa_key_slot_get_slot_number(slot);
+ psa_crypto_transaction.key.id = slot->attr.id;
+ status = psa_crypto_save_transaction();
+ if (status != PSA_SUCCESS) {
+ (void) psa_crypto_stop_transaction();
+ /* We should still try to destroy the key in the secure
+ * element and the key metadata in storage. This is especially
+ * important if the error is that the storage is full.
+ * But how to do it exactly without risking an inconsistent
+ * state after a reset?
+ * https://github.com/ARMmbed/mbed-crypto/issues/215
+ */
+ overall_status = status;
+ goto exit;
+ }
+
+ status = psa_destroy_se_key(driver,
+ psa_key_slot_get_slot_number(slot));
+ if (overall_status == PSA_SUCCESS) {
+ overall_status = status;
+ }
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+ /* Destroy the copy of the persistent key from storage.
+ * The slot will still hold a copy of the key until the last reader
+ * unregisters. */
+ status = psa_destroy_persistent_key(slot->attr.id);
+ if (overall_status == PSA_SUCCESS) {
+ overall_status = status;
+ }
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ if (driver != NULL) {
+ status = psa_save_se_persistent_data(driver);
+ if (overall_status == PSA_SUCCESS) {
+ overall_status = status;
+ }
+ status = psa_crypto_stop_transaction();
+ if (overall_status == PSA_SUCCESS) {
+ overall_status = status;
+ }
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+exit:
+ /* Unregister from reading the slot. If we are the last active reader
+ * then this will wipe the slot. */
+ status = psa_unregister_read(slot);
+ /* Prioritize CORRUPTION_DETECTED from unregistering over
+ * a storage error. */
+ if (status != PSA_SUCCESS) {
+ overall_status = status;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* Don't overwrite existing errors if the unlock fails. */
+ status = overall_status;
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+
+ return overall_status;
+}
+
+/** Retrieve all the publicly-accessible attributes of a key.
+ */
+psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
+ psa_key_attributes_t *attributes)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ psa_reset_key_attributes(attributes);
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ *attributes = slot->attr;
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ if (psa_get_se_driver_entry(slot->attr.lifetime) != NULL) {
+ psa_set_key_slot_number(attributes,
+ psa_key_slot_get_slot_number(slot));
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ return psa_unregister_read_under_mutex(slot);
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t psa_get_key_slot_number(
+ const psa_key_attributes_t *attributes,
+ psa_key_slot_number_t *slot_number)
+{
+ if (attributes->has_slot_number) {
+ *slot_number = attributes->slot_number;
+ return PSA_SUCCESS;
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+}
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+static psa_status_t psa_export_key_buffer_internal(const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ if (key_buffer_size > data_size) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ memcpy(data, key_buffer, key_buffer_size);
+ memset(data + key_buffer_size, 0,
+ data_size - key_buffer_size);
+ *data_length = key_buffer_size;
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_export_key_internal(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length)
+{
+ psa_key_type_t type = attributes->type;
+
+ if (key_type_is_raw_bytes(type) ||
+ PSA_KEY_TYPE_IS_RSA(type) ||
+ PSA_KEY_TYPE_IS_ECC(type) ||
+ PSA_KEY_TYPE_IS_DH(type)) {
+ return psa_export_key_buffer_internal(
+ key_buffer, key_buffer_size,
+ data, data_size, data_length);
+ } else {
+ /* This shouldn't happen in the reference implementation, but
+ it is valid for a special-purpose implementation to omit
+ support for exporting certain key types. */
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+}
+
+psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
+ uint8_t *data_external,
+ size_t data_size,
+ size_t *data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+ LOCAL_OUTPUT_DECLARE(data_external, data);
+
+ /* Reject a zero-length output buffer now, since this can never be a
+ * valid key representation. This way we know that data must be a valid
+ * pointer and we can do things like memset(data, ..., data_size). */
+ if (data_size == 0) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /* Set the key to empty now, so that even when there are errors, we always
+ * set data_length to a value between 0 and data_size. On error, setting
+ * the key to empty is a good choice because an empty key representation is
+ * unlikely to be accepted anywhere. */
+ *data_length = 0;
+
+ /* Export requires the EXPORT flag. There is an exception for public keys,
+ * which don't require any flag, but
+ * psa_get_and_lock_key_slot_with_policy() takes care of this.
+ */
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_EXPORT, 0);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
+
+ status = psa_driver_wrapper_export_key(&slot->attr,
+ slot->key.data, slot->key.bytes,
+ data, data_size, data_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_OUTPUT_FREE(data_external, data);
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_export_public_key_internal(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ psa_key_type_t type = attributes->type;
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
+ (PSA_KEY_TYPE_IS_RSA(type) || PSA_KEY_TYPE_IS_ECC(type) ||
+ PSA_KEY_TYPE_IS_DH(type))) {
+ /* Exporting public -> public */
+ return psa_export_key_buffer_internal(
+ key_buffer, key_buffer_size,
+ data, data_size, data_length);
+ } else if (PSA_KEY_TYPE_IS_RSA(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+ return mbedtls_psa_rsa_export_public_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length);
+#else
+ /* We don't know how to convert a private RSA key to public. */
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+ } else if (PSA_KEY_TYPE_IS_ECC(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+ return mbedtls_psa_ecp_export_public_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length);
+#else
+ /* We don't know how to convert a private ECC key to public */
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+ } else if (PSA_KEY_TYPE_IS_DH(type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+ return mbedtls_psa_ffdh_export_public_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ data, data_size,
+ data_length);
+#else
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) */
+ } else {
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) data;
+ (void) data_size;
+ (void) data_length;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+}
+
+psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
+ uint8_t *data_external,
+ size_t data_size,
+ size_t *data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_OUTPUT_DECLARE(data_external, data);
+
+ /* Reject a zero-length output buffer now, since this can never be a
+ * valid key representation. This way we know that data must be a valid
+ * pointer and we can do things like memset(data, ..., data_size). */
+ if (data_size == 0) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /* Set the key to empty now, so that even when there are errors, we always
+ * set data_length to a value between 0 and data_size. On error, setting
+ * the key to empty is a good choice because an empty key representation is
+ * unlikely to be accepted anywhere. */
+ *data_length = 0;
+
+ /* Exporting a public key doesn't require a usage flag. */
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot, 0, 0);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_OUTPUT_ALLOC(data_external, data_size, data);
+
+ if (!PSA_KEY_TYPE_IS_ASYMMETRIC(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_export_public_key(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ data, data_size, data_length);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_OUTPUT_FREE(data_external, data);
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+/** Validate that a key policy is internally well-formed.
+ *
+ * This function only rejects invalid policies. It does not validate the
+ * consistency of the policy with respect to other attributes of the key
+ * such as the key type.
+ */
+static psa_status_t psa_validate_key_policy(const psa_key_policy_t *policy)
+{
+ if ((policy->usage & ~(PSA_KEY_USAGE_EXPORT |
+ PSA_KEY_USAGE_COPY |
+ PSA_KEY_USAGE_ENCRYPT |
+ PSA_KEY_USAGE_DECRYPT |
+ PSA_KEY_USAGE_SIGN_MESSAGE |
+ PSA_KEY_USAGE_VERIFY_MESSAGE |
+ PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH |
+ PSA_KEY_USAGE_VERIFY_DERIVATION |
+ PSA_KEY_USAGE_DERIVE)) != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/** Validate the internal consistency of key attributes.
+ *
+ * This function only rejects invalid attribute values. If does not
+ * validate the consistency of the attributes with any key data that may
+ * be involved in the creation of the key.
+ *
+ * Call this function early in the key creation process.
+ *
+ * \param[in] attributes Key attributes for the new key.
+ * \param[out] p_drv On any return, the driver for the key, if any.
+ * NULL for a transparent key.
+ *
+ */
+static psa_status_t psa_validate_key_attributes(
+ const psa_key_attributes_t *attributes,
+ psa_se_drv_table_entry_t **p_drv)
+{
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes);
+ mbedtls_svc_key_id_t key = psa_get_key_id(attributes);
+
+ status = psa_validate_key_location(lifetime, p_drv);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_validate_key_persistence(lifetime);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
+ if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key) != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else {
+ if (!psa_is_valid_key_id(psa_get_key_id(attributes), 0)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ status = psa_validate_key_policy(&attributes->policy);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Refuse to create overly large keys.
+ * Note that this doesn't trigger on import if the attributes don't
+ * explicitly specify a size (so psa_get_key_bits returns 0), so
+ * psa_import_key() needs its own checks. */
+ if (psa_get_key_bits(attributes) > PSA_MAX_KEY_BITS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/** Prepare a key slot to receive key material.
+ *
+ * This function allocates a key slot and sets its metadata.
+ *
+ * If this function fails, call psa_fail_key_creation().
+ *
+ * This function is intended to be used as follows:
+ * -# Call psa_start_key_creation() to allocate a key slot, prepare
+ * it with the specified attributes, and in case of a volatile key assign it
+ * a volatile key identifier.
+ * -# Populate the slot with the key material.
+ * -# Call psa_finish_key_creation() to finalize the creation of the slot.
+ * In case of failure at any step, stop the sequence and call
+ * psa_fail_key_creation().
+ *
+ * On success, the key slot's state is PSA_SLOT_FILLING.
+ * It is the responsibility of the caller to change the slot's state to
+ * PSA_SLOT_EMPTY/FULL once key creation has finished.
+ *
+ * \param method An identification of the calling function.
+ * \param[in] attributes Key attributes for the new key.
+ * \param[out] p_slot On success, a pointer to the prepared slot.
+ * \param[out] p_drv On any return, the driver for the key, if any.
+ * NULL for a transparent key.
+ *
+ * \retval #PSA_SUCCESS
+ * The key slot is ready to receive key material.
+ * \return If this function fails, the key slot is an invalid state.
+ * You must call psa_fail_key_creation() to wipe and free the slot.
+ */
+static psa_status_t psa_start_key_creation(
+ psa_key_creation_method_t method,
+ const psa_key_attributes_t *attributes,
+ psa_key_slot_t **p_slot,
+ psa_se_drv_table_entry_t **p_drv)
+{
+ psa_status_t status;
+ psa_key_id_t volatile_key_id;
+ psa_key_slot_t *slot;
+
+ (void) method;
+ *p_drv = NULL;
+
+ status = psa_validate_key_attributes(attributes, p_drv);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ slot = *p_slot;
+
+ /* We're storing the declared bit-size of the key. It's up to each
+ * creation mechanism to verify that this information is correct.
+ * It's automatically correct for mechanisms that use the bit-size as
+ * an input (generate, device) but not for those where the bit-size
+ * is optional (import, copy). In case of a volatile key, assign it the
+ * volatile key identifier associated to the slot returned to contain its
+ * definition. */
+
+ slot->attr = *attributes;
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+ slot->attr.id = volatile_key_id;
+#else
+ slot->attr.id.key_id = volatile_key_id;
+#endif
+ }
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* For a key in a secure element, we need to do three things
+ * when creating or registering a persistent key:
+ * create the key file in internal storage, create the
+ * key inside the secure element, and update the driver's
+ * persistent data. This is done by starting a transaction that will
+ * encompass these three actions.
+ * For registering a volatile key, we just need to find an appropriate
+ * slot number inside the SE. Since the key is designated volatile, creating
+ * a transaction is not required. */
+ /* The first thing to do is to find a slot number for the new key.
+ * We save the slot number in persistent storage as part of the
+ * transaction data. It will be needed to recover if the power
+ * fails during the key creation process, to clean up on the secure
+ * element side after restarting. Obtaining a slot number from the
+ * secure element driver updates its persistent state, but we do not yet
+ * save the driver's persistent state, so that if the power fails,
+ * we can roll back to a state where the key doesn't exist. */
+ if (*p_drv != NULL) {
+ psa_key_slot_number_t slot_number;
+ status = psa_find_se_slot_for_key(attributes, method, *p_drv,
+ &slot_number);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (!PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime)) {
+ psa_crypto_prepare_transaction(PSA_CRYPTO_TRANSACTION_CREATE_KEY);
+ psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
+ psa_crypto_transaction.key.slot = slot_number;
+ psa_crypto_transaction.key.id = slot->attr.id;
+ status = psa_crypto_save_transaction();
+ if (status != PSA_SUCCESS) {
+ (void) psa_crypto_stop_transaction();
+ return status;
+ }
+ }
+
+ status = psa_copy_key_material_into_slot(
+ slot, (uint8_t *) (&slot_number), sizeof(slot_number));
+ }
+
+ if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) {
+ /* Key registration only makes sense with a secure element. */
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ return PSA_SUCCESS;
+}
+
+/** Finalize the creation of a key once its key material has been set.
+ *
+ * This entails writing the key to persistent storage.
+ *
+ * If this function fails, call psa_fail_key_creation().
+ * See the documentation of psa_start_key_creation() for the intended use
+ * of this function.
+ *
+ * If the finalization succeeds, the function sets the key slot's state to
+ * PSA_SLOT_FULL, and the key slot can no longer be accessed as part of the
+ * key creation process.
+ *
+ * \param[in,out] slot Pointer to the slot with key material.
+ * \param[in] driver The secure element driver for the key,
+ * or NULL for a transparent key.
+ * \param[out] key On success, identifier of the key. Note that the
+ * key identifier is also stored in the key slot.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was successfully created.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ *
+ * \return If this function fails, the key slot is an invalid state.
+ * You must call psa_fail_key_creation() to wipe and free the slot.
+ */
+static psa_status_t psa_finish_key_creation(
+ psa_key_slot_t *slot,
+ psa_se_drv_table_entry_t *driver,
+ mbedtls_svc_key_id_t *key)
+{
+ psa_status_t status = PSA_SUCCESS;
+ (void) slot;
+ (void) driver;
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ if (driver != NULL) {
+ psa_se_key_data_storage_t data;
+ psa_key_slot_number_t slot_number =
+ psa_key_slot_get_slot_number(slot);
+
+ MBEDTLS_STATIC_ASSERT(sizeof(slot_number) ==
+ sizeof(data.slot_number),
+ "Slot number size does not match psa_se_key_data_storage_t");
+
+ memcpy(&data.slot_number, &slot_number, sizeof(slot_number));
+ status = psa_save_persistent_key(&slot->attr,
+ (uint8_t *) &data,
+ sizeof(data));
+ } else
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+ {
+ /* Key material is saved in export representation in the slot, so
+ * just pass the slot buffer for storage. */
+ status = psa_save_persistent_key(&slot->attr,
+ slot->key.data,
+ slot->key.bytes);
+ }
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* Finish the transaction for a key creation. This does not
+ * happen when registering an existing key. Detect this case
+ * by checking whether a transaction is in progress (actual
+ * creation of a persistent key in a secure element requires a transaction,
+ * but registration or volatile key creation doesn't use one). */
+ if (driver != NULL &&
+ psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY) {
+ status = psa_save_se_persistent_data(driver);
+ if (status != PSA_SUCCESS) {
+ psa_destroy_persistent_key(slot->attr.id);
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+ status = psa_crypto_stop_transaction();
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ if (status == PSA_SUCCESS) {
+ *key = slot->attr.id;
+ status = psa_key_slot_state_transition(slot, PSA_SLOT_FILLING,
+ PSA_SLOT_FULL);
+ if (status != PSA_SUCCESS) {
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+ }
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+}
+
+/** Abort the creation of a key.
+ *
+ * You may call this function after calling psa_start_key_creation(),
+ * or after psa_finish_key_creation() fails. In other circumstances, this
+ * function may not clean up persistent storage.
+ * See the documentation of psa_start_key_creation() for the intended use
+ * of this function. Sets the slot's state to PSA_SLOT_EMPTY.
+ *
+ * \param[in,out] slot Pointer to the slot with key material.
+ * \param[in] driver The secure element driver for the key,
+ * or NULL for a transparent key.
+ */
+static void psa_fail_key_creation(psa_key_slot_t *slot,
+ psa_se_drv_table_entry_t *driver)
+{
+ (void) driver;
+
+ if (slot == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* If the lock operation fails we still wipe the slot.
+ * Operations will no longer work after a failed lock,
+ * but we still need to wipe the slot of confidential data. */
+ mbedtls_mutex_lock(&mbedtls_threading_key_slot_mutex);
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* TODO: If the key has already been created in the secure
+ * element, and the failure happened later (when saving metadata
+ * to internal storage), we need to destroy the key in the secure
+ * element.
+ * https://github.com/ARMmbed/mbed-crypto/issues/217
+ */
+
+ /* Abort the ongoing transaction if any (there may not be one if
+ * the creation process failed before starting one, or if the
+ * key creation is a registration of a key in a secure element).
+ * Earlier functions must already have done what it takes to undo any
+ * partial creation. All that's left is to update the transaction data
+ * itself. */
+ (void) psa_crypto_stop_transaction();
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ psa_wipe_key_slot(slot);
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_key_slot_mutex);
+#endif
+}
+
+/** Validate optional attributes during key creation.
+ *
+ * Some key attributes are optional during key creation. If they are
+ * specified in the attributes structure, check that they are consistent
+ * with the data in the slot.
+ *
+ * This function should be called near the end of key creation, after
+ * the slot in memory is fully populated but before saving persistent data.
+ */
+static psa_status_t psa_validate_optional_attributes(
+ const psa_key_slot_t *slot,
+ const psa_key_attributes_t *attributes)
+{
+ if (attributes->type != 0) {
+ if (attributes->type != slot->attr.type) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ if (attributes->bits != 0) {
+ if (attributes->bits != slot->attr.bits) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
+ const uint8_t *data_external,
+ size_t data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ psa_status_t status;
+ LOCAL_INPUT_DECLARE(data_external, data);
+ psa_key_slot_t *slot = NULL;
+ psa_se_drv_table_entry_t *driver = NULL;
+ size_t bits;
+ size_t storage_size = data_length;
+
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Reject zero-length symmetric keys (including raw data key objects).
+ * This also rejects any key which might be encoded as an empty string,
+ * which is never valid. */
+ if (data_length == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Ensure that the bytes-to-bits conversion cannot overflow. */
+ if (data_length > SIZE_MAX / 8) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ LOCAL_INPUT_ALLOC(data_external, data_length, data);
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes,
+ &slot, &driver);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* In the case of a transparent key or an opaque key stored in local
+ * storage ( thus not in the case of importing a key in a secure element
+ * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
+ * buffer to hold the imported key material. */
+ if (slot->key.data == NULL) {
+ if (psa_key_lifetime_is_external(attributes->lifetime)) {
+ status = psa_driver_wrapper_get_key_buffer_size_from_key_data(
+ attributes, data, data_length, &storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+ status = psa_allocate_buffer_to_slot(slot, storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ bits = slot->attr.bits;
+ status = psa_driver_wrapper_import_key(attributes,
+ data, data_length,
+ slot->key.data,
+ slot->key.bytes,
+ &slot->key.bytes, &bits);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (slot->attr.bits == 0) {
+ slot->attr.bits = (psa_key_bits_t) bits;
+ } else if (bits != slot->attr.bits) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ /* Enforce a size limit, and in particular ensure that the bit
+ * size fits in its representation type.*/
+ if (bits > PSA_MAX_KEY_BITS) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ status = psa_validate_optional_attributes(slot, attributes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_finish_key_creation(slot, driver, key);
+exit:
+ LOCAL_INPUT_FREE(data_external, data);
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(slot, driver);
+ }
+
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t mbedtls_psa_register_se_key(
+ const psa_key_attributes_t *attributes)
+{
+ psa_status_t status;
+ psa_key_slot_t *slot = NULL;
+ psa_se_drv_table_entry_t *driver = NULL;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Leaving attributes unspecified is not currently supported.
+ * It could make sense to query the key type and size from the
+ * secure element, but not all secure elements support this
+ * and the driver HAL doesn't currently support it. */
+ if (psa_get_key_type(attributes) == PSA_KEY_TYPE_NONE) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (psa_get_key_bits(attributes) == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
+ &slot, &driver);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_finish_key_creation(slot, driver, &key);
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(slot, driver);
+ }
+
+ /* Registration doesn't keep the key in RAM. */
+ psa_close_key(key);
+ return status;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
+ const psa_key_attributes_t *specified_attributes,
+ mbedtls_svc_key_id_t *target_key)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *source_slot = NULL;
+ psa_key_slot_t *target_slot = NULL;
+ psa_key_attributes_t actual_attributes = *specified_attributes;
+ psa_se_drv_table_entry_t *driver = NULL;
+ size_t storage_size = 0;
+
+ *target_key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ source_key, &source_slot, PSA_KEY_USAGE_COPY, 0);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_validate_optional_attributes(source_slot,
+ specified_attributes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* The target key type and number of bits have been validated by
+ * psa_validate_optional_attributes() to be either equal to zero or
+ * equal to the ones of the source key. So it is safe to inherit
+ * them from the source key now."
+ * */
+ actual_attributes.bits = source_slot->attr.bits;
+ actual_attributes.type = source_slot->attr.type;
+
+
+ status = psa_restrict_key_policy(source_slot->attr.type,
+ &actual_attributes.policy,
+ &source_slot->attr.policy);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_COPY, &actual_attributes,
+ &target_slot, &driver);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ if (PSA_KEY_LIFETIME_GET_LOCATION(target_slot->attr.lifetime) !=
+ PSA_KEY_LIFETIME_GET_LOCATION(source_slot->attr.lifetime)) {
+ /*
+ * If the source and target keys are stored in different locations,
+ * the source key would need to be exported as plaintext and re-imported
+ * in the other location. This has security implications which have not
+ * been fully mapped. For now, this can be achieved through
+ * appropriate API invocations from the application, if needed.
+ * */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ /*
+ * When the source and target keys are within the same location,
+ * - For transparent keys it is a blind copy without any driver invocation,
+ * - For opaque keys this translates to an invocation of the drivers'
+ * copy_key entry point through the dispatch layer.
+ * */
+ if (psa_key_lifetime_is_external(actual_attributes.lifetime)) {
+ status = psa_driver_wrapper_get_key_buffer_size(&actual_attributes,
+ &storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_allocate_buffer_to_slot(target_slot, storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_copy_key(&actual_attributes,
+ source_slot->key.data,
+ source_slot->key.bytes,
+ target_slot->key.data,
+ target_slot->key.bytes,
+ &target_slot->key.bytes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ } else {
+ status = psa_copy_key_material_into_slot(target_slot,
+ source_slot->key.data,
+ source_slot->key.bytes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+ status = psa_finish_key_creation(target_slot, driver, target_key);
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(target_slot, driver);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(source_slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+
+/****************************************************************/
+/* Message digests */
+/****************************************************************/
+
+psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
+{
+ /* Aborting a non-active operation is allowed */
+ if (operation->id == 0) {
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = psa_driver_wrapper_hash_abort(operation);
+ operation->id = 0;
+
+ return status;
+}
+
+psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->id != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!PSA_ALG_IS_HASH(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ /* Ensure all of the context is zeroized, since PSA_HASH_OPERATION_INIT only
+ * directly zeroes the int-sized dummy member of the context union. */
+ memset(&operation->ctx, 0, sizeof(operation->ctx));
+
+ status = psa_driver_wrapper_hash_setup(operation, alg);
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_hash_abort(operation);
+ }
+
+ return status;
+}
+
+psa_status_t psa_hash_update(psa_hash_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* Don't require hash implementations to behave correctly on a
+ * zero-length input, which may have an invalid pointer. */
+ if (input_length == 0) {
+ return PSA_SUCCESS;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_driver_wrapper_hash_update(operation, input, input_length);
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_hash_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ return status;
+}
+
+static psa_status_t psa_hash_finish_internal(psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ *hash_length = 0;
+ if (operation->id == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_driver_wrapper_hash_finish(
+ operation, hash, hash_size, hash_length);
+ psa_hash_abort(operation);
+
+ return status;
+}
+
+psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
+ uint8_t *hash_external,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_OUTPUT_DECLARE(hash_external, hash);
+
+ LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
+ status = psa_hash_finish_internal(operation, hash, hash_size, hash_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_OUTPUT_FREE(hash_external, hash);
+ return status;
+}
+
+psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
+ const uint8_t *hash_external,
+ size_t hash_length)
+{
+ uint8_t actual_hash[PSA_HASH_MAX_SIZE];
+ size_t actual_hash_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+
+ status = psa_hash_finish_internal(
+ operation,
+ actual_hash, sizeof(actual_hash),
+ &actual_hash_length);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (actual_hash_length != hash_length) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+exit:
+ mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
+ if (status != PSA_SUCCESS) {
+ psa_hash_abort(operation);
+ }
+ LOCAL_INPUT_FREE(hash_external, hash);
+ return status;
+}
+
+psa_status_t psa_hash_compute(psa_algorithm_t alg,
+ const uint8_t *input_external, size_t input_length,
+ uint8_t *hash_external, size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(hash_external, hash);
+
+ *hash_length = 0;
+ if (!PSA_ALG_IS_HASH(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
+ status = psa_driver_wrapper_hash_compute(alg, input, input_length,
+ hash, hash_size, hash_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(hash_external, hash);
+ return status;
+}
+
+psa_status_t psa_hash_compare(psa_algorithm_t alg,
+ const uint8_t *input_external, size_t input_length,
+ const uint8_t *hash_external, size_t hash_length)
+{
+ uint8_t actual_hash[PSA_HASH_MAX_SIZE];
+ size_t actual_hash_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+
+ if (!PSA_ALG_IS_HASH(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_driver_wrapper_hash_compute(
+ alg, input, input_length,
+ actual_hash, sizeof(actual_hash),
+ &actual_hash_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ if (actual_hash_length != hash_length) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ if (mbedtls_ct_memcmp(hash, actual_hash, actual_hash_length) != 0) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+exit:
+ mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(hash_external, hash);
+
+ return status;
+}
+
+psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
+ psa_hash_operation_t *target_operation)
+{
+ if (source_operation->id == 0 ||
+ target_operation->id != 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ psa_status_t status = psa_driver_wrapper_hash_clone(source_operation,
+ target_operation);
+ if (status != PSA_SUCCESS) {
+ psa_hash_abort(target_operation);
+ }
+
+ return status;
+}
+
+
+/****************************************************************/
+/* MAC */
+/****************************************************************/
+
+psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
+{
+ /* Aborting a non-active operation is allowed */
+ if (operation->id == 0) {
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = psa_driver_wrapper_mac_abort(operation);
+ operation->mac_size = 0;
+ operation->is_sign = 0;
+ operation->id = 0;
+
+ return status;
+}
+
+static psa_status_t psa_mac_finalize_alg_and_key_validation(
+ psa_algorithm_t alg,
+ const psa_key_attributes_t *attributes,
+ uint8_t *mac_size)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_type_t key_type = psa_get_key_type(attributes);
+ size_t key_bits = psa_get_key_bits(attributes);
+
+ if (!PSA_ALG_IS_MAC(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Validate the combination of key type and algorithm */
+ status = psa_mac_key_can_do(alg, key_type);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Get the output length for the algorithm and key combination */
+ *mac_size = PSA_MAC_LENGTH(key_type, key_bits, alg);
+
+ if (*mac_size < 4) {
+ /* A very short MAC is too short for security since it can be
+ * brute-forced. Ancient protocols with 32-bit MACs do exist,
+ * so we make this our minimum, even though 32 bits is still
+ * too small for security. */
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (*mac_size > PSA_MAC_LENGTH(key_type, key_bits,
+ PSA_ALG_FULL_LENGTH_MAC(alg))) {
+ /* It's impossible to "truncate" to a larger length than the full length
+ * of the algorithm. */
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (*mac_size > PSA_MAC_MAX_SIZE) {
+ /* PSA_MAC_LENGTH returns the correct length even for a MAC algorithm
+ * that is disabled in the compile-time configuration. The result can
+ * therefore be larger than PSA_MAC_MAX_SIZE, which does take the
+ * configuration into account. In this case, force a return of
+ * PSA_ERROR_NOT_SUPPORTED here. Otherwise psa_mac_verify(), or
+ * psa_mac_compute(mac_size=PSA_MAC_MAX_SIZE), would return
+ * PSA_ERROR_BUFFER_TOO_SMALL for an unsupported algorithm whose MAC size
+ * is larger than PSA_MAC_MAX_SIZE, which is misleading and which breaks
+ * systematically generated tests. */
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_mac_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ int is_sign)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->id != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key,
+ &slot,
+ is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
+ &operation->mac_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ operation->is_sign = is_sign;
+ /* Dispatch the MAC setup call with validated input */
+ if (is_sign) {
+ status = psa_driver_wrapper_mac_sign_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ } else {
+ status = psa_driver_wrapper_mac_verify_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_mac_abort(operation);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_mac_setup(operation, key, alg, 1);
+}
+
+psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_mac_setup(operation, key, alg, 0);
+}
+
+psa_status_t psa_mac_update(psa_mac_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ return status;
+ }
+
+ /* Don't require hash implementations to behave correctly on a
+ * zero-length input, which may have an invalid pointer. */
+ if (input_length == 0) {
+ status = PSA_SUCCESS;
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_driver_wrapper_mac_update(operation, input, input_length);
+
+ if (status != PSA_SUCCESS) {
+ psa_mac_abort(operation);
+ }
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+
+ return status;
+}
+
+psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
+ uint8_t *mac_external,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_OUTPUT_DECLARE(mac_external, mac);
+ LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!operation->is_sign) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* Sanity check. This will guarantee that mac_size != 0 (and so mac != NULL)
+ * once all the error checks are done. */
+ if (operation->mac_size == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (mac_size < operation->mac_size) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+
+ status = psa_driver_wrapper_mac_sign_finish(operation,
+ mac, operation->mac_size,
+ mac_length);
+
+exit:
+ /* In case of success, set the potential excess room in the output buffer
+ * to an invalid value, to avoid potentially leaking a longer MAC.
+ * In case of error, set the output length and content to a safe default,
+ * such that in case the caller misses an error check, the output would be
+ * an unachievable MAC.
+ */
+ if (status != PSA_SUCCESS) {
+ *mac_length = mac_size;
+ operation->mac_size = 0;
+ }
+
+ if (mac != NULL) {
+ psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
+ }
+
+ abort_status = psa_mac_abort(operation);
+ LOCAL_OUTPUT_FREE(mac_external, mac);
+
+ return status == PSA_SUCCESS ? abort_status : status;
+}
+
+psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
+ const uint8_t *mac_external,
+ size_t mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(mac_external, mac);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->is_sign) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->mac_size != mac_length) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
+ status = psa_driver_wrapper_mac_verify_finish(operation,
+ mac, mac_length);
+
+exit:
+ abort_status = psa_mac_abort(operation);
+ LOCAL_INPUT_FREE(mac_external, mac);
+
+ return status == PSA_SUCCESS ? abort_status : status;
+}
+
+static psa_status_t psa_mac_compute_internal(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length,
+ int is_sign)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+ uint8_t operation_mac_size = 0;
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key,
+ &slot,
+ is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_mac_finalize_alg_and_key_validation(alg, &slot->attr,
+ &operation_mac_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (mac_size < operation_mac_size) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_mac_compute(
+ &slot->attr,
+ slot->key.data, slot->key.bytes,
+ alg,
+ input, input_length,
+ mac, operation_mac_size, mac_length);
+
+exit:
+ /* In case of success, set the potential excess room in the output buffer
+ * to an invalid value, to avoid potentially leaking a longer MAC.
+ * In case of error, set the output length and content to a safe default,
+ * such that in case the caller misses an error check, the output would be
+ * an unachievable MAC.
+ */
+ if (status != PSA_SUCCESS) {
+ *mac_length = mac_size;
+ operation_mac_size = 0;
+ }
+
+ psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *mac_external,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(mac_external, mac);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
+ status = psa_mac_compute_internal(key, alg,
+ input, input_length,
+ mac, mac_size, mac_length, 1);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(mac_external, mac);
+
+ return status;
+}
+
+psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ const uint8_t *mac_external,
+ size_t mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t actual_mac[PSA_MAC_MAX_SIZE];
+ size_t actual_mac_length;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(mac_external, mac);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_mac_compute_internal(key, alg,
+ input, input_length,
+ actual_mac, sizeof(actual_mac),
+ &actual_mac_length, 0);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (mac_length != actual_mac_length) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
+ if (mbedtls_ct_memcmp(mac, actual_mac, actual_mac_length) != 0) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+exit:
+ mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(mac_external, mac);
+
+ return status;
+}
+
+/****************************************************************/
+/* Asymmetric cryptography */
+/****************************************************************/
+
+static psa_status_t psa_sign_verify_check_alg(int input_is_message,
+ psa_algorithm_t alg)
+{
+ if (input_is_message) {
+ if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (PSA_ALG_IS_SIGN_HASH(alg)) {
+ if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+ } else {
+ if (!PSA_ALG_IS_SIGN_HASH(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
+ int input_is_message,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ *signature_length = 0;
+
+ status = psa_sign_verify_check_alg(input_is_message, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Immediately reject a zero-length signature buffer. This guarantees
+ * that signature must be a valid pointer. (On the other hand, the input
+ * buffer can in principle be empty since it doesn't actually have
+ * to be a hash.) */
+ if (signature_size == 0) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot,
+ input_is_message ? PSA_KEY_USAGE_SIGN_MESSAGE :
+ PSA_KEY_USAGE_SIGN_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ if (input_is_message) {
+ status = psa_driver_wrapper_sign_message(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ signature, signature_size, signature_length);
+ } else {
+
+ status = psa_driver_wrapper_sign_hash(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ signature, signature_size, signature_length);
+ }
+
+
+exit:
+ psa_wipe_tag_output_buffer(signature, status, signature_size,
+ *signature_length);
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+static psa_status_t psa_verify_internal(mbedtls_svc_key_id_t key,
+ int input_is_message,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *signature,
+ size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ status = psa_sign_verify_check_alg(input_is_message, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot,
+ input_is_message ? PSA_KEY_USAGE_VERIFY_MESSAGE :
+ PSA_KEY_USAGE_VERIFY_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (input_is_message) {
+ status = psa_driver_wrapper_verify_message(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ signature, signature_length);
+ } else {
+ status = psa_driver_wrapper_verify_hash(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ signature, signature_length);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+
+}
+
+psa_status_t psa_sign_message_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (PSA_ALG_IS_SIGN_HASH(alg)) {
+ size_t hash_length;
+ uint8_t hash[PSA_HASH_MAX_SIZE];
+
+ status = psa_driver_wrapper_hash_compute(
+ PSA_ALG_SIGN_GET_HASH(alg),
+ input, input_length,
+ hash, sizeof(hash), &hash_length);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_driver_wrapper_sign_hash(
+ attributes, key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_size, signature_length);
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *signature_external,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(signature_external, signature);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
+ status = psa_sign_internal(key, 1, alg, input, input_length, signature,
+ signature_size, signature_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(signature_external, signature);
+ return status;
+}
+
+psa_status_t psa_verify_message_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *signature,
+ size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (PSA_ALG_IS_SIGN_HASH(alg)) {
+ size_t hash_length;
+ uint8_t hash[PSA_HASH_MAX_SIZE];
+
+ status = psa_driver_wrapper_hash_compute(
+ PSA_ALG_SIGN_GET_HASH(alg),
+ input, input_length,
+ hash, sizeof(hash), &hash_length);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_driver_wrapper_verify_hash(
+ attributes, key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length);
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ const uint8_t *signature_external,
+ size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(signature_external, signature);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
+ status = psa_verify_internal(key, 1, alg, input, input_length, signature,
+ signature_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(signature_external, signature);
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+ if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
+ PSA_ALG_IS_RSA_PSS(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+ return mbedtls_psa_rsa_sign_hash(
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_size, signature_length);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+ if (PSA_ALG_IS_ECDSA(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ return mbedtls_psa_ecdsa_sign_hash(
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_size, signature_length);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_size;
+ (void) signature_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash_external,
+ size_t hash_length,
+ uint8_t *signature_external,
+ size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+ LOCAL_OUTPUT_DECLARE(signature_external, signature);
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
+ status = psa_sign_internal(key, 0, alg, hash, hash_length, signature,
+ signature_size, signature_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(hash_external, hash);
+ LOCAL_OUTPUT_FREE(signature_external, signature);
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ if (PSA_KEY_TYPE_IS_RSA(attributes->type)) {
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||
+ PSA_ALG_IS_RSA_PSS(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+ return mbedtls_psa_rsa_verify_hash(
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else if (PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+ if (PSA_ALG_IS_ECDSA(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ return mbedtls_psa_ecdsa_verify_hash(
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *hash_external,
+ size_t hash_length,
+ const uint8_t *signature_external,
+ size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+ LOCAL_INPUT_DECLARE(signature_external, signature);
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
+ status = psa_verify_internal(key, 0, alg, hash, hash_length, signature,
+ signature_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(hash_external, hash);
+ LOCAL_INPUT_FREE(signature_external, signature);
+
+ return status;
+}
+
+psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ const uint8_t *salt_external,
+ size_t salt_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(salt_external, salt);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ (void) input;
+ (void) input_length;
+ (void) salt;
+ (void) output;
+ (void) output_size;
+
+ *output_length = 0;
+
+ if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ if (!(PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type) ||
+ PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type))) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_asymmetric_encrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(salt_external, salt);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ const uint8_t *salt_external,
+ size_t salt_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_DECLARE(salt_external, salt);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ (void) input;
+ (void) input_length;
+ (void) salt;
+ (void) output;
+ (void) output_size;
+
+ *output_length = 0;
+
+ if (!PSA_ALG_IS_RSA_OAEP(alg) && salt_length != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_INPUT_ALLOC(salt_external, salt_length, salt);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_asymmetric_decrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length, salt, salt_length,
+ output, output_size, output_length);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_INPUT_FREE(salt_external, salt);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+/****************************************************************/
+/* Asymmetric interruptible cryptography */
+/****************************************************************/
+
+static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+
+void psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+ psa_interruptible_max_ops = max_ops;
+}
+
+uint32_t psa_interruptible_get_max_ops(void)
+{
+ return psa_interruptible_max_ops;
+}
+
+uint32_t psa_sign_hash_get_num_ops(
+ const psa_sign_hash_interruptible_operation_t *operation)
+{
+ return operation->num_ops;
+}
+
+uint32_t psa_verify_hash_get_num_ops(
+ const psa_verify_hash_interruptible_operation_t *operation)
+{
+ return operation->num_ops;
+}
+
+static psa_status_t psa_sign_hash_abort_internal(
+ psa_sign_hash_interruptible_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_driver_wrapper_sign_hash_abort(operation);
+
+ operation->id = 0;
+
+ /* Do not clear either the error_occurred or num_ops elements here as they
+ * only want to be cleared by the application calling abort, not by abort
+ * being called at completion of an operation. */
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash_external, size_t hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+
+ /* Check that start has not been previously called, or operation has not
+ * previously errored. */
+ if (operation->id != 0 || operation->error_occurred) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_sign_verify_check_alg(0, alg);
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_SIGN_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+
+ /* Ensure ops count gets reset, in case of operation re-use. */
+ operation->num_ops = 0;
+
+ status = psa_driver_wrapper_sign_hash_start(operation, &slot->attr,
+ slot->key.data,
+ slot->key.bytes, alg,
+ hash, hash_length);
+exit:
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ psa_sign_hash_abort_internal(operation);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ if (unlock_status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ LOCAL_INPUT_FREE(hash_external, hash);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+psa_status_t psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature_external, size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_OUTPUT_DECLARE(signature_external, signature);
+
+ *signature_length = 0;
+
+ /* Check that start has been called first, and that operation has not
+ * previously errored. */
+ if (operation->id == 0 || operation->error_occurred) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* Immediately reject a zero-length signature buffer. This guarantees that
+ * signature must be a valid pointer. */
+ if (signature_size == 0) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ LOCAL_OUTPUT_ALLOC(signature_external, signature_size, signature);
+
+ status = psa_driver_wrapper_sign_hash_complete(operation, signature,
+ signature_size,
+ signature_length);
+
+ /* Update ops count with work done. */
+ operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
+
+exit:
+
+ if (signature != NULL) {
+ psa_wipe_tag_output_buffer(signature, status, signature_size,
+ *signature_length);
+ }
+
+ if (status != PSA_OPERATION_INCOMPLETE) {
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ psa_sign_hash_abort_internal(operation);
+ }
+
+ LOCAL_OUTPUT_FREE(signature_external, signature);
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_sign_hash_abort_internal(operation);
+
+ /* We clear the number of ops done here, so that it is not cleared when
+ * the operation fails or succeeds, only on manual abort. */
+ operation->num_ops = 0;
+
+ /* Likewise, failure state. */
+ operation->error_occurred = 0;
+
+ return status;
+}
+
+static psa_status_t psa_verify_hash_abort_internal(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_driver_wrapper_verify_hash_abort(operation);
+
+ operation->id = 0;
+
+ /* Do not clear either the error_occurred or num_ops elements here as they
+ * only want to be cleared by the application calling abort, not by abort
+ * being called at completion of an operation. */
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash_external, size_t hash_length,
+ const uint8_t *signature_external, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(hash_external, hash);
+ LOCAL_INPUT_DECLARE(signature_external, signature);
+
+ /* Check that start has not been previously called, or operation has not
+ * previously errored. */
+ if (operation->id != 0 || operation->error_occurred) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_sign_verify_check_alg(0, alg);
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_VERIFY_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
+ LOCAL_INPUT_ALLOC(signature_external, signature_length, signature);
+
+ /* Ensure ops count gets reset, in case of operation re-use. */
+ operation->num_ops = 0;
+
+ status = psa_driver_wrapper_verify_hash_start(operation, &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg, hash, hash_length,
+ signature, signature_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ psa_verify_hash_abort_internal(operation);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ if (unlock_status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ LOCAL_INPUT_FREE(hash_external, hash);
+ LOCAL_INPUT_FREE(signature_external, signature);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* Check that start has been called first, and that operation has not
+ * previously errored. */
+ if (operation->id == 0 || operation->error_occurred) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_verify_hash_complete(operation);
+
+ /* Update ops count with work done. */
+ operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
+ operation);
+
+exit:
+
+ if (status != PSA_OPERATION_INCOMPLETE) {
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ psa_verify_hash_abort_internal(operation);
+ }
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_verify_hash_abort_internal(operation);
+
+ /* We clear the number of ops done here, so that it is not cleared when
+ * the operation fails or succeeds, only on manual abort. */
+ operation->num_ops = 0;
+
+ /* Likewise, failure state. */
+ operation->error_occurred = 0;
+
+ return status;
+}
+
+/****************************************************************/
+/* Asymmetric interruptible cryptography internal */
+/* implementations */
+/****************************************************************/
+
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ /* Internal implementation uses zero to indicate infinite number max ops,
+ * therefore avoid this value, and set to minimum possible. */
+ if (max_ops == 0) {
+ max_ops = 1;
+ }
+
+ mbedtls_ecp_set_max_ops(max_ops);
+#else
+ (void) max_ops;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+ const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ return operation->num_ops;
+#else
+ (void) operation;
+ return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+ const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+ #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ return operation->num_ops;
+#else
+ (void) operation;
+ return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_start(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t required_hash_length;
+
+ if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (!PSA_ALG_IS_ECDSA(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+
+ /* Ensure num_ops is zero'ed in case of context re-use. */
+ operation->num_ops = 0;
+
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ operation->coordinate_bytes = PSA_BITS_TO_BYTES(
+ operation->ctx->grp.nbits);
+
+ psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ operation->md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
+ operation->alg = alg;
+
+ /* We only need to store the same length of hash as the private key size
+ * here, it would be truncated by the internal implementation anyway. */
+ required_hash_length = (hash_length < operation->coordinate_bytes ?
+ hash_length : operation->coordinate_bytes);
+
+ if (required_hash_length > sizeof(operation->hash)) {
+ /* Shouldn't happen, but better safe than sorry. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ memcpy(operation->hash, hash, required_hash_length);
+ operation->hash_length = required_hash_length;
+
+ return PSA_SUCCESS;
+
+#else
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) status;
+ (void) required_hash_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_complete(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi r;
+ mbedtls_mpi s;
+
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ /* Ensure max_ops is set to the current value (or default). */
+ mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
+
+ if (signature_size < 2 * operation->coordinate_bytes) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
+ &r,
+ &s,
+ &operation->ctx->d,
+ operation->hash,
+ operation->hash_length,
+ operation->md_alg,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ &operation->restart_ctx));
+#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
+ &r,
+ &s,
+ &operation->ctx->d,
+ operation->hash,
+ operation->hash_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ &operation->restart_ctx));
+ }
+
+ /* Hide the fact that the restart context only holds a delta of number of
+ * ops done during the last operation, not an absolute value. */
+ operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_write_binary(&r,
+ signature,
+ operation->coordinate_bytes)
+ );
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_write_binary(&s,
+ signature +
+ operation->coordinate_bytes,
+ operation->coordinate_bytes)
+ );
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *signature_length = operation->coordinate_bytes * 2;
+
+ status = PSA_SUCCESS;
+ }
+
+exit:
+
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+ return status;
+
+ #else
+
+ (void) operation;
+ (void) signature;
+ (void) signature_size;
+ (void) signature_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_abort(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ if (operation->ctx) {
+ mbedtls_ecdsa_free(operation->ctx);
+ mbedtls_free(operation->ctx);
+ operation->ctx = NULL;
+ }
+
+ mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+ operation->num_ops = 0;
+
+ return PSA_SUCCESS;
+
+#else
+
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_start(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t coordinate_bytes = 0;
+ size_t required_hash_length = 0;
+
+ if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (!PSA_ALG_IS_ECDSA(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+ mbedtls_mpi_init(&operation->r);
+ mbedtls_mpi_init(&operation->s);
+
+ /* Ensure num_ops is zero'ed in case of context re-use. */
+ operation->num_ops = 0;
+
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
+
+ if (signature_length != 2 * coordinate_bytes) {
+ return PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_read_binary(&operation->r,
+ signature,
+ coordinate_bytes));
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_read_binary(&operation->s,
+ signature +
+ coordinate_bytes,
+ coordinate_bytes));
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_psa_ecp_load_public_part(operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* We only need to store the same length of hash as the private key size
+ * here, it would be truncated by the internal implementation anyway. */
+ required_hash_length = (hash_length < coordinate_bytes ? hash_length :
+ coordinate_bytes);
+
+ if (required_hash_length > sizeof(operation->hash)) {
+ /* Shouldn't happen, but better safe than sorry. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ memcpy(operation->hash, hash, required_hash_length);
+ operation->hash_length = required_hash_length;
+
+ return PSA_SUCCESS;
+#else
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_length;
+ (void) status;
+ (void) coordinate_bytes;
+ (void) required_hash_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_complete(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* Ensure max_ops is set to the current value (or default). */
+ mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
+ operation->hash,
+ operation->hash_length,
+ &operation->ctx->Q,
+ &operation->r,
+ &operation->s,
+ &operation->restart_ctx));
+
+ /* Hide the fact that the restart context only holds a delta of number of
+ * ops done during the last operation, not an absolute value. */
+ operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
+ return status;
+#else
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_abort(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ if (operation->ctx) {
+ mbedtls_ecdsa_free(operation->ctx);
+ mbedtls_free(operation->ctx);
+ operation->ctx = NULL;
+ }
+
+ mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+ operation->num_ops = 0;
+
+ mbedtls_mpi_free(&operation->r);
+ mbedtls_mpi_free(&operation->s);
+
+ return PSA_SUCCESS;
+
+#else
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+static psa_status_t psa_generate_random_internal(uint8_t *output,
+ size_t output_size)
+{
+ GUARD_MODULE_INITIALIZED;
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+
+ psa_status_t status;
+ size_t output_length = 0;
+ status = mbedtls_psa_external_get_random(&global_data.rng,
+ output, output_size,
+ &output_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ /* Breaking up a request into smaller chunks is currently not supported
+ * for the external RNG interface. */
+ if (output_length != output_size) {
+ return PSA_ERROR_INSUFFICIENT_ENTROPY;
+ }
+ return PSA_SUCCESS;
+
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+ while (output_size > 0) {
+ int ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+ size_t request_size =
+ (output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ?
+ MBEDTLS_PSA_RANDOM_MAX_REQUEST :
+ output_size);
+#if defined(MBEDTLS_CTR_DRBG_C)
+ ret = mbedtls_ctr_drbg_random(&global_data.rng.drbg, output, request_size);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+ ret = mbedtls_hmac_drbg_random(&global_data.rng.drbg, output, request_size);
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+ if (ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+ output_size -= request_size;
+ output += request_size;
+ }
+ return PSA_SUCCESS;
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+
+/****************************************************************/
+/* Symmetric cryptography */
+/****************************************************************/
+
+static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ mbedtls_operation_t cipher_operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ?
+ PSA_KEY_USAGE_ENCRYPT :
+ PSA_KEY_USAGE_DECRYPT);
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->id != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!PSA_ALG_IS_CIPHER(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot, usage, alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Initialize the operation struct members, except for id. The id member
+ * is used to indicate to psa_cipher_abort that there are resources to free,
+ * so we only set it (in the driver wrapper) after resources have been
+ * allocated/initialized. */
+ operation->iv_set = 0;
+ if (alg == PSA_ALG_ECB_NO_PADDING) {
+ operation->iv_required = 0;
+ } else {
+ operation->iv_required = 1;
+ }
+ operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
+
+ /* Try doing the operation through a driver before using software fallback. */
+ if (cipher_operation == MBEDTLS_ENCRYPT) {
+ status = psa_driver_wrapper_cipher_encrypt_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ } else {
+ status = psa_driver_wrapper_cipher_decrypt_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_cipher_abort(operation);
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_cipher_setup(operation, key, alg, MBEDTLS_ENCRYPT);
+}
+
+psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_cipher_setup(operation, key, alg, MBEDTLS_DECRYPT);
+}
+
+psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
+ uint8_t *iv_external,
+ size_t iv_size,
+ size_t *iv_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t default_iv_length = 0;
+
+ LOCAL_OUTPUT_DECLARE(iv_external, iv);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->iv_set || !operation->iv_required) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ default_iv_length = operation->default_iv_length;
+ if (iv_size < default_iv_length) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
+ status = PSA_ERROR_GENERIC_ERROR;
+ goto exit;
+ }
+
+ LOCAL_OUTPUT_ALLOC(iv_external, default_iv_length, iv);
+
+ status = psa_generate_random_internal(iv, default_iv_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_cipher_set_iv(operation,
+ iv, default_iv_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ *iv_length = default_iv_length;
+ operation->iv_set = 1;
+ } else {
+ *iv_length = 0;
+ psa_cipher_abort(operation);
+ if (iv != NULL) {
+ mbedtls_platform_zeroize(iv, default_iv_length);
+ }
+ }
+
+ LOCAL_OUTPUT_FREE(iv_external, iv);
+ return status;
+}
+
+psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
+ const uint8_t *iv_external,
+ size_t iv_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_INPUT_DECLARE(iv_external, iv);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->iv_set || !operation->iv_required) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (iv_length > PSA_CIPHER_IV_MAX_SIZE) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(iv_external, iv_length, iv);
+
+ status = psa_driver_wrapper_cipher_set_iv(operation,
+ iv,
+ iv_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->iv_set = 1;
+ } else {
+ psa_cipher_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(iv_external, iv);
+
+ return status;
+}
+
+psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->iv_required && !operation->iv_set) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_cipher_update(operation,
+ input,
+ input_length,
+ output,
+ output_size,
+ output_length);
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_cipher_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->iv_required && !operation->iv_set) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_cipher_finish(operation,
+ output,
+ output_size,
+ output_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ status = psa_cipher_abort(operation);
+ } else {
+ *output_length = 0;
+ (void) psa_cipher_abort(operation);
+ }
+
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_driver_wrapper_cipher_abort(operation);
+
+ operation->id = 0;
+ operation->iv_set = 0;
+ operation->iv_required = 0;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
+ size_t default_iv_length = 0;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ if (!PSA_ALG_IS_CIPHER(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_ENCRYPT,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg);
+ if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) {
+ status = PSA_ERROR_GENERIC_ERROR;
+ goto exit;
+ }
+
+ if (default_iv_length > 0) {
+ if (output_size < default_iv_length) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ status = psa_generate_random_internal(local_iv, default_iv_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_cipher_encrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, local_iv, default_iv_length, input, input_length,
+ psa_crypto_buffer_offset(output, default_iv_length),
+ output_size - default_iv_length, output_length);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+ if (status == PSA_SUCCESS) {
+ status = unlock_status;
+ }
+
+ if (status == PSA_SUCCESS) {
+ if (default_iv_length > 0) {
+ memcpy(output, local_iv, default_iv_length);
+ }
+ *output_length += default_iv_length;
+ } else {
+ *output_length = 0;
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ if (!PSA_ALG_IS_CIPHER(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_DECRYPT,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (alg == PSA_ALG_CCM_STAR_NO_TAG &&
+ input_length < PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ } else if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_cipher_decrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg, input, input_length,
+ output, output_size, output_length);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+ if (status == PSA_SUCCESS) {
+ status = unlock_status;
+ }
+
+ if (status != PSA_SUCCESS) {
+ *output_length = 0;
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+
+/****************************************************************/
+/* AEAD */
+/****************************************************************/
+
+/* Helper function to get the base algorithm from its variants. */
+static psa_algorithm_t psa_aead_get_base_algorithm(psa_algorithm_t alg)
+{
+ return PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg);
+}
+
+/* Helper function to perform common nonce length checks. */
+static psa_status_t psa_aead_check_nonce_length(psa_algorithm_t alg,
+ size_t nonce_length)
+{
+ psa_algorithm_t base_alg = psa_aead_get_base_algorithm(alg);
+
+ switch (base_alg) {
+#if defined(PSA_WANT_ALG_GCM)
+ case PSA_ALG_GCM:
+ /* Not checking max nonce size here as GCM spec allows almost
+ * arbitrarily large nonces. Please note that we do not generally
+ * recommend the usage of nonces of greater length than
+ * PSA_AEAD_NONCE_MAX_SIZE, as large nonces are hashed to a shorter
+ * size, which can then lead to collisions if you encrypt a very
+ * large number of messages.*/
+ if (nonce_length != 0) {
+ return PSA_SUCCESS;
+ }
+ break;
+#endif /* PSA_WANT_ALG_GCM */
+#if defined(PSA_WANT_ALG_CCM)
+ case PSA_ALG_CCM:
+ if (nonce_length >= 7 && nonce_length <= 13) {
+ return PSA_SUCCESS;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CCM */
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_CHACHA20_POLY1305:
+ if (nonce_length == 12) {
+ return PSA_SUCCESS;
+ } else if (nonce_length == 8) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
+ default:
+ (void) nonce_length;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_ERROR_INVALID_ARGUMENT;
+}
+
+static psa_status_t psa_aead_check_algorithm(psa_algorithm_t alg)
+{
+ if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce_external,
+ size_t nonce_length,
+ const uint8_t *additional_data_external,
+ size_t additional_data_length,
+ const uint8_t *plaintext_external,
+ size_t plaintext_length,
+ uint8_t *ciphertext_external,
+ size_t ciphertext_size,
+ size_t *ciphertext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(nonce_external, nonce);
+ LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
+ LOCAL_INPUT_DECLARE(plaintext_external, plaintext);
+ LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
+
+ *ciphertext_length = 0;
+
+ status = psa_aead_check_algorithm(alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_ENCRYPT, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
+ LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, additional_data);
+ LOCAL_INPUT_ALLOC(plaintext_external, plaintext_length, plaintext);
+ LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
+
+ status = psa_aead_check_nonce_length(alg, nonce_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_encrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, plaintext_length,
+ ciphertext, ciphertext_size, ciphertext_length);
+
+ if (status != PSA_SUCCESS && ciphertext_size != 0) {
+ memset(ciphertext, 0, ciphertext_size);
+ }
+
+exit:
+ LOCAL_INPUT_FREE(nonce_external, nonce);
+ LOCAL_INPUT_FREE(additional_data_external, additional_data);
+ LOCAL_INPUT_FREE(plaintext_external, plaintext);
+ LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
+
+ psa_unregister_read_under_mutex(slot);
+
+ return status;
+}
+
+psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const uint8_t *nonce_external,
+ size_t nonce_length,
+ const uint8_t *additional_data_external,
+ size_t additional_data_length,
+ const uint8_t *ciphertext_external,
+ size_t ciphertext_length,
+ uint8_t *plaintext_external,
+ size_t plaintext_size,
+ size_t *plaintext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ LOCAL_INPUT_DECLARE(nonce_external, nonce);
+ LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
+ LOCAL_INPUT_DECLARE(ciphertext_external, ciphertext);
+ LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
+
+ *plaintext_length = 0;
+
+ status = psa_aead_check_algorithm(alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_DECRYPT, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
+ LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length,
+ additional_data);
+ LOCAL_INPUT_ALLOC(ciphertext_external, ciphertext_length, ciphertext);
+ LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
+
+ status = psa_aead_check_nonce_length(alg, nonce_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_decrypt(
+ &slot->attr, slot->key.data, slot->key.bytes,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ ciphertext, ciphertext_length,
+ plaintext, plaintext_size, plaintext_length);
+
+ if (status != PSA_SUCCESS && plaintext_size != 0) {
+ memset(plaintext, 0, plaintext_size);
+ }
+
+exit:
+ LOCAL_INPUT_FREE(nonce_external, nonce);
+ LOCAL_INPUT_FREE(additional_data_external, additional_data);
+ LOCAL_INPUT_FREE(ciphertext_external, ciphertext);
+ LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
+
+ psa_unregister_read_under_mutex(slot);
+
+ return status;
+}
+
+static psa_status_t psa_validate_tag_length(psa_algorithm_t alg)
+{
+ const uint8_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
+
+ switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
+#if defined(PSA_WANT_ALG_CCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
+ /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.*/
+ if (tag_len < 4 || tag_len > 16 || tag_len % 2) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CCM */
+
+#if defined(PSA_WANT_ALG_GCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
+ /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16. */
+ if (tag_len != 4 && tag_len != 8 && (tag_len < 12 || tag_len > 16)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif /* PSA_WANT_ALG_GCM */
+
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
+ /* We only support the default tag length. */
+ if (tag_len != 16) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
+
+ default:
+ (void) tag_len;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ return PSA_SUCCESS;
+}
+
+/* Set the key for a multipart authenticated operation. */
+static psa_status_t psa_aead_setup(psa_aead_operation_t *operation,
+ int is_encrypt,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ psa_key_usage_t key_usage = 0;
+
+ status = psa_aead_check_algorithm(alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (operation->id != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->nonce_set || operation->lengths_set ||
+ operation->ad_started || operation->body_started) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (is_encrypt) {
+ key_usage = PSA_KEY_USAGE_ENCRYPT;
+ } else {
+ key_usage = PSA_KEY_USAGE_DECRYPT;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot, key_usage,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (is_encrypt) {
+ status = psa_driver_wrapper_aead_encrypt_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ } else {
+ status = psa_driver_wrapper_aead_decrypt_setup(operation,
+ &slot->attr,
+ slot->key.data,
+ slot->key.bytes,
+ alg);
+ }
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ operation->key_type = psa_get_key_type(&slot->attr);
+
+exit:
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ if (status == PSA_SUCCESS) {
+ status = unlock_status;
+ operation->alg = psa_aead_get_base_algorithm(alg);
+ operation->is_encrypt = is_encrypt;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ return status;
+}
+
+/* Set the key for a multipart authenticated encryption operation. */
+psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_aead_setup(operation, 1, key, alg);
+}
+
+/* Set the key for a multipart authenticated decryption operation. */
+psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg)
+{
+ return psa_aead_setup(operation, 0, key, alg);
+}
+
+static psa_status_t psa_aead_set_nonce_internal(psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->nonce_set) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_aead_check_nonce_length(operation->alg, nonce_length);
+ if (status != PSA_SUCCESS) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_set_nonce(operation, nonce,
+ nonce_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->nonce_set = 1;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ return status;
+}
+
+/* Generate a random nonce / IV for multipart AEAD operation */
+psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
+ uint8_t *nonce_external,
+ size_t nonce_size,
+ size_t *nonce_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
+ size_t required_nonce_size = 0;
+
+ LOCAL_OUTPUT_DECLARE(nonce_external, nonce);
+ LOCAL_OUTPUT_ALLOC(nonce_external, nonce_size, nonce);
+
+ *nonce_length = 0;
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->nonce_set || !operation->is_encrypt) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* For CCM, this size may not be correct according to the PSA
+ * specification. The PSA Crypto 1.0.1 specification states:
+ *
+ * CCM encodes the plaintext length pLen in L octets, with L the smallest
+ * integer >= 2 where pLen < 2^(8L). The nonce length is then 15 - L bytes.
+ *
+ * However this restriction that L has to be the smallest integer is not
+ * applied in practice, and it is not implementable here since the
+ * plaintext length may or may not be known at this time. */
+ required_nonce_size = PSA_AEAD_NONCE_LENGTH(operation->key_type,
+ operation->alg);
+ if (nonce_size < required_nonce_size) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ status = psa_generate_random_internal(local_nonce, required_nonce_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_aead_set_nonce_internal(operation, local_nonce,
+ required_nonce_size);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ memcpy(nonce, local_nonce, required_nonce_size);
+ *nonce_length = required_nonce_size;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ LOCAL_OUTPUT_FREE(nonce_external, nonce);
+
+ return status;
+}
+
+/* Set the nonce for a multipart authenticated encryption or decryption
+ operation.*/
+psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
+ const uint8_t *nonce_external,
+ size_t nonce_length)
+{
+ psa_status_t status;
+
+ LOCAL_INPUT_DECLARE(nonce_external, nonce);
+ LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
+
+ status = psa_aead_set_nonce_internal(operation, nonce, nonce_length);
+
+/* Exit label is only needed for buffer copying, prevent unused warnings. */
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+
+ LOCAL_INPUT_FREE(nonce_external, nonce);
+
+ return status;
+}
+
+/* Declare the lengths of the message and additional data for multipart AEAD. */
+psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->lengths_set || operation->ad_started ||
+ operation->body_started) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_GCM)
+ case PSA_ALG_GCM:
+ /* Lengths can only be too large for GCM if size_t is bigger than 32
+ * bits. Without the guard this code will generate warnings on 32bit
+ * builds. */
+#if SIZE_MAX > UINT32_MAX
+ if (((uint64_t) ad_length) >> 61 != 0 ||
+ ((uint64_t) plaintext_length) > 0xFFFFFFFE0ull) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+#endif
+ break;
+#endif /* PSA_WANT_ALG_GCM */
+#if defined(PSA_WANT_ALG_CCM)
+ case PSA_ALG_CCM:
+ if (ad_length > 0xFF00) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+ break;
+#endif /* PSA_WANT_ALG_CCM */
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_CHACHA20_POLY1305:
+ /* No length restrictions for ChaChaPoly. */
+ break;
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
+ default:
+ break;
+ }
+
+ status = psa_driver_wrapper_aead_set_lengths(operation, ad_length,
+ plaintext_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->ad_remaining = ad_length;
+ operation->body_remaining = plaintext_length;
+ operation->lengths_set = 1;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ return status;
+}
+
+/* Pass additional data to an active multipart AEAD operation. */
+psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!operation->nonce_set || operation->body_started) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->lengths_set) {
+ if (operation->ad_remaining < input_length) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ operation->ad_remaining -= input_length;
+ }
+#if defined(PSA_WANT_ALG_CCM)
+ else if (operation->alg == PSA_ALG_CCM) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+#endif /* PSA_WANT_ALG_CCM */
+
+ status = psa_driver_wrapper_aead_update_ad(operation, input,
+ input_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->ad_started = 1;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+
+ return status;
+}
+
+/* Encrypt or decrypt a message fragment in an active multipart AEAD
+ operation.*/
+psa_status_t psa_aead_update(psa_aead_operation_t *operation,
+ const uint8_t *input_external,
+ size_t input_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+
+ LOCAL_INPUT_DECLARE(input_external, input);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ *output_length = 0;
+
+ if (operation->id == 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (!operation->nonce_set) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (operation->lengths_set) {
+ /* Additional data length was supplied, but not all the additional
+ data was supplied.*/
+ if (operation->ad_remaining != 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ /* Too much data provided. */
+ if (operation->body_remaining < input_length) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ operation->body_remaining -= input_length;
+ }
+#if defined(PSA_WANT_ALG_CCM)
+ else if (operation->alg == PSA_ALG_CCM) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+#endif /* PSA_WANT_ALG_CCM */
+
+ status = psa_driver_wrapper_aead_update(operation, input, input_length,
+ output, output_size,
+ output_length);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ operation->body_started = 1;
+ } else {
+ psa_aead_abort(operation);
+ }
+
+ LOCAL_INPUT_FREE(input_external, input);
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+}
+
+static psa_status_t psa_aead_final_checks(const psa_aead_operation_t *operation)
+{
+ if (operation->id == 0 || !operation->nonce_set) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (operation->lengths_set && (operation->ad_remaining != 0 ||
+ operation->body_remaining != 0)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/* Finish encrypting a message in a multipart AEAD operation. */
+psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
+ uint8_t *ciphertext_external,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag_external,
+ size_t tag_size,
+ size_t *tag_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
+ LOCAL_OUTPUT_DECLARE(tag_external, tag);
+
+ LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
+ LOCAL_OUTPUT_ALLOC(tag_external, tag_size, tag);
+
+ *ciphertext_length = 0;
+ *tag_length = tag_size;
+
+ status = psa_aead_final_checks(operation);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (!operation->is_encrypt) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_finish(operation, ciphertext,
+ ciphertext_size,
+ ciphertext_length,
+ tag, tag_size, tag_length);
+
+exit:
+
+
+ /* In case the operation fails and the user fails to check for failure or
+ * the zero tag size, make sure the tag is set to something implausible.
+ * Even if the operation succeeds, make sure we clear the rest of the
+ * buffer to prevent potential leakage of anything previously placed in
+ * the same buffer.*/
+ psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length);
+
+ psa_aead_abort(operation);
+
+ LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
+ LOCAL_OUTPUT_FREE(tag_external, tag);
+
+ return status;
+}
+
+/* Finish authenticating and decrypting a message in a multipart AEAD
+ operation.*/
+psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
+ uint8_t *plaintext_external,
+ size_t plaintext_size,
+ size_t *plaintext_length,
+ const uint8_t *tag_external,
+ size_t tag_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
+ LOCAL_INPUT_DECLARE(tag_external, tag);
+
+ LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
+ LOCAL_INPUT_ALLOC(tag_external, tag_length, tag);
+
+ *plaintext_length = 0;
+
+ status = psa_aead_final_checks(operation);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (operation->is_encrypt) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_aead_verify(operation, plaintext,
+ plaintext_size,
+ plaintext_length,
+ tag, tag_length);
+
+exit:
+ psa_aead_abort(operation);
+
+ LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
+ LOCAL_INPUT_FREE(tag_external, tag);
+
+ return status;
+}
+
+/* Abort an AEAD operation. */
+psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ status = psa_driver_wrapper_aead_abort(operation);
+
+ memset(operation, 0, sizeof(*operation));
+
+ return status;
+}
+
+/****************************************************************/
+/* Generators */
+/****************************************************************/
+
+#if defined(BUILTIN_ALG_ANY_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) || \
+ defined(PSA_HAVE_SOFT_PBKDF2)
+#define AT_LEAST_ONE_BUILTIN_KDF
+#endif /* At least one builtin KDF */
+
+#if defined(BUILTIN_ALG_ANY_HKDF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_key_derivation_start_hmac(
+ psa_mac_operation_t *operation,
+ psa_algorithm_t hash_alg,
+ const uint8_t *hmac_key,
+ size_t hmac_key_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+ psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(hmac_key_length));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+
+ operation->is_sign = 1;
+ operation->mac_size = PSA_HASH_LENGTH(hash_alg);
+
+ status = psa_driver_wrapper_mac_sign_setup(operation,
+ &attributes,
+ hmac_key, hmac_key_length,
+ PSA_ALG_HMAC(hash_alg));
+
+ psa_reset_key_attributes(&attributes);
+ return status;
+}
+#endif /* KDF algorithms reliant on HMAC */
+
+#define HKDF_STATE_INIT 0 /* no input yet */
+#define HKDF_STATE_STARTED 1 /* got salt */
+#define HKDF_STATE_KEYED 2 /* got key */
+#define HKDF_STATE_OUTPUT 3 /* output started */
+
+static psa_algorithm_t psa_key_derivation_get_kdf_alg(
+ const psa_key_derivation_operation_t *operation)
+{
+ if (PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
+ return PSA_ALG_KEY_AGREEMENT_GET_KDF(operation->alg);
+ } else {
+ return operation->alg;
+ }
+}
+
+psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
+{
+ psa_status_t status = PSA_SUCCESS;
+ psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+ if (kdf_alg == 0) {
+ /* The object has (apparently) been initialized but it is not
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ } else
+#if defined(BUILTIN_ALG_ANY_HKDF)
+ if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
+ mbedtls_free(operation->ctx.hkdf.info);
+ status = psa_mac_abort(&operation->ctx.hkdf.hmac);
+ } else
+#endif /* BUILTIN_ALG_ANY_HKDF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
+ /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
+ PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+ if (operation->ctx.tls12_prf.secret != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.tls12_prf.secret,
+ operation->ctx.tls12_prf.secret_length);
+ }
+
+ if (operation->ctx.tls12_prf.seed != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.tls12_prf.seed,
+ operation->ctx.tls12_prf.seed_length);
+ }
+
+ if (operation->ctx.tls12_prf.label != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.tls12_prf.label,
+ operation->ctx.tls12_prf.label_length);
+ }
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (operation->ctx.tls12_prf.other_secret != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.tls12_prf.other_secret,
+ operation->ctx.tls12_prf.other_secret_length);
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+ status = PSA_SUCCESS;
+
+ /* We leave the fields Ai and output_block to be erased safely by the
+ * mbedtls_platform_zeroize() in the end of this function. */
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ mbedtls_platform_zeroize(operation->ctx.tls12_ecjpake_to_pms.data,
+ sizeof(operation->ctx.tls12_ecjpake_to_pms.data));
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) */
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+ if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
+ if (operation->ctx.pbkdf2.salt != NULL) {
+ mbedtls_zeroize_and_free(operation->ctx.pbkdf2.salt,
+ operation->ctx.pbkdf2.salt_length);
+ }
+
+ status = PSA_SUCCESS;
+ } else
+#endif /* defined(PSA_HAVE_SOFT_PBKDF2) */
+ {
+ status = PSA_ERROR_BAD_STATE;
+ }
+ mbedtls_platform_zeroize(operation, sizeof(*operation));
+ return status;
+}
+
+psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
+ size_t *capacity)
+{
+ if (operation->alg == 0) {
+ /* This is a blank key derivation operation. */
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *capacity = operation->capacity;
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation,
+ size_t capacity)
+{
+ if (operation->alg == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ if (capacity > operation->capacity) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ operation->capacity = capacity;
+ return PSA_SUCCESS;
+}
+
+#if defined(BUILTIN_ALG_ANY_HKDF)
+/* Read some bytes from an HKDF-based operation. */
+static psa_status_t psa_key_derivation_hkdf_read(psa_hkdf_key_derivation_t *hkdf,
+ psa_algorithm_t kdf_alg,
+ uint8_t *output,
+ size_t output_length)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
+ uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
+ size_t hmac_output_length;
+ psa_status_t status;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ const uint8_t last_block = PSA_ALG_IS_HKDF_EXTRACT(kdf_alg) ? 0 : 0xff;
+#else
+ const uint8_t last_block = 0xff;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+
+ if (hkdf->state < HKDF_STATE_KEYED ||
+ (!hkdf->info_set
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ && !PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ )) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ hkdf->state = HKDF_STATE_OUTPUT;
+
+ while (output_length != 0) {
+ /* Copy what remains of the current block */
+ uint8_t n = hash_length - hkdf->offset_in_block;
+ if (n > output_length) {
+ n = (uint8_t) output_length;
+ }
+ memcpy(output, hkdf->output_block + hkdf->offset_in_block, n);
+ output += n;
+ output_length -= n;
+ hkdf->offset_in_block += n;
+ if (output_length == 0) {
+ break;
+ }
+ /* We can't be wanting more output after the last block, otherwise
+ * the capacity check in psa_key_derivation_output_bytes() would have
+ * prevented this call. It could happen only if the operation
+ * object was corrupted or if this function is called directly
+ * inside the library. */
+ if (hkdf->block_number == last_block) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ /* We need a new block */
+ ++hkdf->block_number;
+ hkdf->offset_in_block = 0;
+
+ status = psa_key_derivation_start_hmac(&hkdf->hmac,
+ hash_alg,
+ hkdf->prk,
+ hash_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (hkdf->block_number != 1) {
+ status = psa_mac_update(&hkdf->hmac,
+ hkdf->output_block,
+ hash_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+ status = psa_mac_update(&hkdf->hmac,
+ hkdf->info,
+ hkdf->info_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_mac_update(&hkdf->hmac,
+ &hkdf->block_number, 1);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_mac_sign_finish(&hkdf->hmac,
+ hkdf->output_block,
+ sizeof(hkdf->output_block),
+ &hmac_output_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* BUILTIN_ALG_ANY_HKDF */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
+ psa_tls12_prf_key_derivation_t *tls12_prf,
+ psa_algorithm_t alg)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(alg);
+ uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
+ psa_mac_operation_t hmac = PSA_MAC_OPERATION_INIT;
+ size_t hmac_output_length;
+ psa_status_t status, cleanup_status;
+
+ /* We can't be wanting more output after block 0xff, otherwise
+ * the capacity check in psa_key_derivation_output_bytes() would have
+ * prevented this call. It could happen only if the operation
+ * object was corrupted or if this function is called directly
+ * inside the library. */
+ if (tls12_prf->block_number == 0xff) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* We need a new block */
+ ++tls12_prf->block_number;
+ tls12_prf->left_in_block = hash_length;
+
+ /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
+ *
+ * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
+ *
+ * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
+ * HMAC_hash(secret, A(2) + seed) +
+ * HMAC_hash(secret, A(3) + seed) + ...
+ *
+ * A(0) = seed
+ * A(i) = HMAC_hash(secret, A(i-1))
+ *
+ * The `psa_tls12_prf_key_derivation` structure saves the block
+ * `HMAC_hash(secret, A(i) + seed)` from which the output
+ * is currently extracted as `output_block` and where i is
+ * `block_number`.
+ */
+
+ status = psa_key_derivation_start_hmac(&hmac,
+ hash_alg,
+ tls12_prf->secret,
+ tls12_prf->secret_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ /* Calculate A(i) where i = tls12_prf->block_number. */
+ if (tls12_prf->block_number == 1) {
+ /* A(1) = HMAC_hash(secret, A(0)), where A(0) = seed. (The RFC overloads
+ * the variable seed and in this instance means it in the context of the
+ * P_hash function, where seed = label + seed.) */
+ status = psa_mac_update(&hmac,
+ tls12_prf->label,
+ tls12_prf->label_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&hmac,
+ tls12_prf->seed,
+ tls12_prf->seed_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ } else {
+ /* A(i) = HMAC_hash(secret, A(i-1)) */
+ status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ }
+
+ status = psa_mac_sign_finish(&hmac,
+ tls12_prf->Ai, hash_length,
+ &hmac_output_length);
+ if (hmac_output_length != hash_length) {
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ /* Calculate HMAC_hash(secret, A(i) + label + seed). */
+ status = psa_key_derivation_start_hmac(&hmac,
+ hash_alg,
+ tls12_prf->secret,
+ tls12_prf->secret_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&hmac, tls12_prf->Ai, hash_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&hmac, tls12_prf->label, tls12_prf->label_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&hmac, tls12_prf->seed, tls12_prf->seed_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_sign_finish(&hmac,
+ tls12_prf->output_block, hash_length,
+ &hmac_output_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+
+cleanup:
+ cleanup_status = psa_mac_abort(&hmac);
+ if (status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS) {
+ status = cleanup_status;
+ }
+
+ return status;
+}
+
+static psa_status_t psa_key_derivation_tls12_prf_read(
+ psa_tls12_prf_key_derivation_t *tls12_prf,
+ psa_algorithm_t alg,
+ uint8_t *output,
+ size_t output_length)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH(alg);
+ uint8_t hash_length = PSA_HASH_LENGTH(hash_alg);
+ psa_status_t status;
+ uint8_t offset, length;
+
+ switch (tls12_prf->state) {
+ case PSA_TLS12_PRF_STATE_LABEL_SET:
+ tls12_prf->state = PSA_TLS12_PRF_STATE_OUTPUT;
+ break;
+ case PSA_TLS12_PRF_STATE_OUTPUT:
+ break;
+ default:
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ while (output_length != 0) {
+ /* Check if we have fully processed the current block. */
+ if (tls12_prf->left_in_block == 0) {
+ status = psa_key_derivation_tls12_prf_generate_next_block(tls12_prf,
+ alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ continue;
+ }
+
+ if (tls12_prf->left_in_block > output_length) {
+ length = (uint8_t) output_length;
+ } else {
+ length = tls12_prf->left_in_block;
+ }
+
+ offset = hash_length - tls12_prf->left_in_block;
+ memcpy(output, tls12_prf->output_block + offset, length);
+ output += length;
+ output_length -= length;
+ tls12_prf->left_in_block -= length;
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
+ * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+static psa_status_t psa_key_derivation_tls12_ecjpake_to_pms_read(
+ psa_tls12_ecjpake_to_pms_t *ecjpake,
+ uint8_t *output,
+ size_t output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t output_size = 0;
+
+ if (output_length != 32) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_hash_compute(PSA_ALG_SHA_256, ecjpake->data,
+ PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE, output, output_length,
+ &output_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (output_size != output_length) {
+ return PSA_ERROR_GENERIC_ERROR;
+ }
+
+ return PSA_SUCCESS;
+}
+#endif
+
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+static psa_status_t psa_key_derivation_pbkdf2_generate_block(
+ psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t prf_alg,
+ uint8_t prf_output_length,
+ psa_key_attributes_t *attributes)
+{
+ psa_status_t status;
+ psa_mac_operation_t mac_operation = PSA_MAC_OPERATION_INIT;
+ size_t mac_output_length;
+ uint8_t U_i[PSA_MAC_MAX_SIZE];
+ uint8_t *U_accumulator = pbkdf2->output_block;
+ uint64_t i;
+ uint8_t block_counter[4];
+
+ mac_operation.is_sign = 1;
+ mac_operation.mac_size = prf_output_length;
+ MBEDTLS_PUT_UINT32_BE(pbkdf2->block_number, block_counter, 0);
+
+ status = psa_driver_wrapper_mac_sign_setup(&mac_operation,
+ attributes,
+ pbkdf2->password,
+ pbkdf2->password_length,
+ prf_alg);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&mac_operation, pbkdf2->salt, pbkdf2->salt_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_update(&mac_operation, block_counter, sizeof(block_counter));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = psa_mac_sign_finish(&mac_operation, U_i, sizeof(U_i),
+ &mac_output_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ if (mac_output_length != prf_output_length) {
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ goto cleanup;
+ }
+
+ memcpy(U_accumulator, U_i, prf_output_length);
+
+ for (i = 1; i < pbkdf2->input_cost; i++) {
+ /* We are passing prf_output_length as mac_size because the driver
+ * function directly sets mac_output_length as mac_size upon success.
+ * See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
+ status = psa_driver_wrapper_mac_compute(attributes,
+ pbkdf2->password,
+ pbkdf2->password_length,
+ prf_alg, U_i, prf_output_length,
+ U_i, prf_output_length,
+ &mac_output_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ mbedtls_xor(U_accumulator, U_accumulator, U_i, prf_output_length);
+ }
+
+cleanup:
+ /* Zeroise buffers to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(U_i, PSA_MAC_MAX_SIZE);
+ return status;
+}
+
+static psa_status_t psa_key_derivation_pbkdf2_read(
+ psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t kdf_alg,
+ uint8_t *output,
+ size_t output_length)
+{
+ psa_status_t status;
+ psa_algorithm_t prf_alg;
+ uint8_t prf_output_length;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(pbkdf2->password_length));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
+
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ prf_alg = PSA_ALG_HMAC(PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg));
+ prf_output_length = PSA_HASH_LENGTH(prf_alg);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+ } else if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
+ prf_alg = PSA_ALG_CMAC;
+ prf_output_length = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ switch (pbkdf2->state) {
+ case PSA_PBKDF2_STATE_PASSWORD_SET:
+ /* Initially we need a new block so bytes_used is equal to block size*/
+ pbkdf2->bytes_used = prf_output_length;
+ pbkdf2->state = PSA_PBKDF2_STATE_OUTPUT;
+ break;
+ case PSA_PBKDF2_STATE_OUTPUT:
+ break;
+ default:
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ while (output_length != 0) {
+ uint8_t n = prf_output_length - pbkdf2->bytes_used;
+ if (n > output_length) {
+ n = (uint8_t) output_length;
+ }
+ memcpy(output, pbkdf2->output_block + pbkdf2->bytes_used, n);
+ output += n;
+ output_length -= n;
+ pbkdf2->bytes_used += n;
+
+ if (output_length == 0) {
+ break;
+ }
+
+ /* We need a new block */
+ pbkdf2->bytes_used = 0;
+ pbkdf2->block_number++;
+
+ status = psa_key_derivation_pbkdf2_generate_block(pbkdf2, prf_alg,
+ prf_output_length,
+ &attributes);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+
+psa_status_t psa_key_derivation_output_bytes(
+ psa_key_derivation_operation_t *operation,
+ uint8_t *output_external,
+ size_t output_length)
+{
+ psa_status_t status;
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+
+ psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+
+ if (operation->alg == 0) {
+ /* This is a blank operation. */
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (output_length == 0 && operation->capacity == 0) {
+ /* Edge case: this is a finished operation, and 0 bytes
+ * were requested. The right error in this case could
+ * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
+ * INSUFFICIENT_CAPACITY, which is right for a finished
+ * operation, for consistency with the case when
+ * output_length > 0. */
+ return PSA_ERROR_INSUFFICIENT_DATA;
+ }
+
+ LOCAL_OUTPUT_ALLOC(output_external, output_length, output);
+ if (output_length > operation->capacity) {
+ operation->capacity = 0;
+ /* Go through the error path to wipe all confidential data now
+ * that the operation object is useless. */
+ status = PSA_ERROR_INSUFFICIENT_DATA;
+ goto exit;
+ }
+
+ operation->capacity -= output_length;
+
+#if defined(BUILTIN_ALG_ANY_HKDF)
+ if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
+ status = psa_key_derivation_hkdf_read(&operation->ctx.hkdf, kdf_alg,
+ output, output_length);
+ } else
+#endif /* BUILTIN_ALG_ANY_HKDF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg) ||
+ PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+ status = psa_key_derivation_tls12_prf_read(&operation->ctx.tls12_prf,
+ kdf_alg, output,
+ output_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF ||
+ * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ status = psa_key_derivation_tls12_ecjpake_to_pms_read(
+ &operation->ctx.tls12_ecjpake_to_pms, output, output_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+ if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
+ status = psa_key_derivation_pbkdf2_read(&operation->ctx.pbkdf2, kdf_alg,
+ output, output_length);
+ } else
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+
+ {
+ (void) kdf_alg;
+ status = PSA_ERROR_BAD_STATE;
+ LOCAL_OUTPUT_FREE(output_external, output);
+
+ return status;
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ /* Preserve the algorithm upon errors, but clear all sensitive state.
+ * This allows us to differentiate between exhausted operations and
+ * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
+ * operations. */
+ psa_algorithm_t alg = operation->alg;
+ psa_key_derivation_abort(operation);
+ operation->alg = alg;
+ if (output != NULL) {
+ memset(output, '!', output_length);
+ }
+ }
+
+ LOCAL_OUTPUT_FREE(output_external, output);
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+static void psa_des_set_key_parity(uint8_t *data, size_t data_size)
+{
+ if (data_size >= 8) {
+ mbedtls_des_key_set_parity(data);
+ }
+ if (data_size >= 16) {
+ mbedtls_des_key_set_parity(data + 8);
+ }
+ if (data_size >= 24) {
+ mbedtls_des_key_set_parity(data + 16);
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
+
+/*
+ * ECC keys on a Weierstrass elliptic curve require the generation
+ * of a private key which is an integer
+ * in the range [1, N - 1], where N is the boundary of the private key domain:
+ * N is the prime p for Diffie-Hellman, or the order of the
+ * curve’s base point for ECC.
+ *
+ * Let m be the bit size of N, such that 2^m > N >= 2^(m-1).
+ * This function generates the private key using the following process:
+ *
+ * 1. Draw a byte string of length ceiling(m/8) bytes.
+ * 2. If m is not a multiple of 8, set the most significant
+ * (8 * ceiling(m/8) - m) bits of the first byte in the string to zero.
+ * 3. Convert the string to integer k by decoding it as a big-endian byte string.
+ * 4. If k > N - 2, discard the result and return to step 1.
+ * 5. Output k + 1 as the private key.
+ *
+ * This method allows compliance to NIST standards, specifically the methods titled
+ * Key-Pair Generation by Testing Candidates in the following publications:
+ * - NIST Special Publication 800-56A: Recommendation for Pair-Wise Key-Establishment
+ * Schemes Using Discrete Logarithm Cryptography [SP800-56A] §5.6.1.1.4 for
+ * Diffie-Hellman keys.
+ *
+ * - [SP800-56A] §5.6.1.2.2 or FIPS Publication 186-4: Digital Signature
+ * Standard (DSS) [FIPS186-4] §B.4.2 for elliptic curve keys.
+ *
+ * Note: Function allocates memory for *data buffer, so given *data should be
+ * always NULL.
+ */
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
+ psa_key_slot_t *slot,
+ size_t bits,
+ psa_key_derivation_operation_t *operation,
+ uint8_t **data
+ )
+{
+ unsigned key_out_of_range = 1;
+ mbedtls_mpi k;
+ mbedtls_mpi diff_N_2;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t m;
+ size_t m_bytes;
+
+ mbedtls_mpi_init(&k);
+ mbedtls_mpi_init(&diff_N_2);
+
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
+ slot->attr.type);
+ mbedtls_ecp_group_id grp_id =
+ mbedtls_ecc_group_from_psa(curve, bits);
+
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
+ ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
+ goto cleanup;
+ }
+
+ mbedtls_ecp_group ecp_group;
+ mbedtls_ecp_group_init(&ecp_group);
+
+ MBEDTLS_MPI_CHK(mbedtls_ecp_group_load(&ecp_group, grp_id));
+
+ /* N is the boundary of the private key domain (ecp_group.N). */
+ /* Let m be the bit size of N. */
+ m = ecp_group.nbits;
+
+ m_bytes = PSA_BITS_TO_BYTES(m);
+
+ /* Calculate N - 2 - it will be needed later. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&diff_N_2, &ecp_group.N, 2));
+
+ /* Note: This function is always called with *data == NULL and it
+ * allocates memory for the data buffer. */
+ *data = mbedtls_calloc(1, m_bytes);
+ if (*data == NULL) {
+ ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ while (key_out_of_range) {
+ /* 1. Draw a byte string of length ceiling(m/8) bytes. */
+ if ((status = psa_key_derivation_output_bytes(operation, *data, m_bytes)) != 0) {
+ goto cleanup;
+ }
+
+ /* 2. If m is not a multiple of 8 */
+ if (m % 8 != 0) {
+ /* Set the most significant
+ * (8 * ceiling(m/8) - m) bits of the first byte in
+ * the string to zero.
+ */
+ uint8_t clear_bit_mask = (1 << (m % 8)) - 1;
+ (*data)[0] &= clear_bit_mask;
+ }
+
+ /* 3. Convert the string to integer k by decoding it as a
+ * big-endian byte string.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&k, *data, m_bytes));
+
+ /* 4. If k > N - 2, discard the result and return to step 1.
+ * Result of comparison is returned. When it indicates error
+ * then this function is called again.
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lt_mpi_ct(&diff_N_2, &k, &key_out_of_range));
+ }
+
+ /* 5. Output k + 1 as the private key. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&k, &k, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&k, *data, m_bytes));
+cleanup:
+ if (ret != 0) {
+ status = mbedtls_to_psa_error(ret);
+ }
+ if (status != PSA_SUCCESS) {
+ mbedtls_free(*data);
+ *data = NULL;
+ }
+ mbedtls_mpi_free(&k);
+ mbedtls_mpi_free(&diff_N_2);
+ return status;
+}
+
+/* ECC keys on a Montgomery elliptic curve draws a byte string whose length
+ * is determined by the curve, and sets the mandatory bits accordingly. That is:
+ *
+ * - Curve25519 (PSA_ECC_FAMILY_MONTGOMERY, 255 bits):
+ * draw a 32-byte string and process it as specified in
+ * Elliptic Curves for Security [RFC7748] §5.
+ *
+ * - Curve448 (PSA_ECC_FAMILY_MONTGOMERY, 448 bits):
+ * draw a 56-byte string and process it as specified in [RFC7748] §5.
+ *
+ * Note: Function allocates memory for *data buffer, so given *data should be
+ * always NULL.
+ */
+
+static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
+ size_t bits,
+ psa_key_derivation_operation_t *operation,
+ uint8_t **data
+ )
+{
+ size_t output_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ switch (bits) {
+ case 255:
+ output_length = 32;
+ break;
+ case 448:
+ output_length = 56;
+ break;
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ break;
+ }
+
+ *data = mbedtls_calloc(1, output_length);
+
+ if (*data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ status = psa_key_derivation_output_bytes(operation, *data, output_length);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ switch (bits) {
+ case 255:
+ (*data)[0] &= 248;
+ (*data)[31] &= 127;
+ (*data)[31] |= 64;
+ break;
+ case 448:
+ (*data)[0] &= 252;
+ (*data)[55] |= 128;
+ break;
+ default:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ break;
+ }
+
+ return status;
+}
+#else /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
+static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
+ psa_key_slot_t *slot, size_t bits,
+ psa_key_derivation_operation_t *operation, uint8_t **data)
+{
+ (void) slot;
+ (void) bits;
+ (void) operation;
+ (void) data;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+static psa_status_t psa_generate_derived_ecc_key_montgomery_helper(
+ size_t bits, psa_key_derivation_operation_t *operation, uint8_t **data)
+{
+ (void) bits;
+ (void) operation;
+ (void) data;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
+
+static psa_status_t psa_generate_derived_key_internal(
+ psa_key_slot_t *slot,
+ size_t bits,
+ psa_key_derivation_operation_t *operation)
+{
+ uint8_t *data = NULL;
+ size_t bytes = PSA_BITS_TO_BYTES(bits);
+ size_t storage_size = bytes;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+ if (PSA_KEY_TYPE_IS_ECC(slot->attr.type)) {
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(slot->attr.type);
+ if (PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
+ /* Weierstrass elliptic curve */
+ status = psa_generate_derived_ecc_key_weierstrass_helper(slot, bits, operation, &data);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ } else {
+ /* Montgomery elliptic curve */
+ status = psa_generate_derived_ecc_key_montgomery_helper(bits, operation, &data);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) ||
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE) */
+ if (key_type_is_raw_bytes(slot->attr.type)) {
+ if (bits % 8 != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ data = mbedtls_calloc(1, bytes);
+ if (data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ status = psa_key_derivation_output_bytes(operation, data, bytes);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ if (slot->attr.type == PSA_KEY_TYPE_DES) {
+ psa_des_set_key_parity(data, bytes);
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) */
+ } else {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ slot->attr.bits = (psa_key_bits_t) bits;
+
+ if (psa_key_lifetime_is_external(slot->attr.lifetime)) {
+ status = psa_driver_wrapper_get_key_buffer_size(&slot->attr,
+ &storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+ status = psa_allocate_buffer_to_slot(slot, storage_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_import_key(&slot->attr,
+ data, bytes,
+ slot->key.data,
+ slot->key.bytes,
+ &slot->key.bytes, &bits);
+ if (bits != slot->attr.bits) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+exit:
+ mbedtls_free(data);
+ return status;
+}
+
+static const psa_key_production_parameters_t default_production_parameters =
+ PSA_KEY_PRODUCTION_PARAMETERS_INIT;
+
+int psa_key_production_parameters_are_default(
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length)
+{
+ if (params->flags != 0) {
+ return 0;
+ }
+ if (params_data_length != 0) {
+ return 0;
+ }
+ return 1;
+}
+
+psa_status_t psa_key_derivation_output_key_ext(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ psa_status_t status;
+ psa_key_slot_t *slot = NULL;
+ psa_se_drv_table_entry_t *driver = NULL;
+
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Reject any attempt to create a zero-length key so that we don't
+ * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
+ if (psa_get_key_bits(attributes) == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (!psa_key_production_parameters_are_default(params, params_data_length)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (operation->alg == PSA_ALG_NONE) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (!operation->can_output_key) {
+ return PSA_ERROR_NOT_PERMITTED;
+ }
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_DERIVE, attributes,
+ &slot, &driver);
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ if (driver != NULL) {
+ /* Deriving a key in a secure element is not implemented yet. */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+ if (status == PSA_SUCCESS) {
+ status = psa_generate_derived_key_internal(slot,
+ attributes->bits,
+ operation);
+ }
+ if (status == PSA_SUCCESS) {
+ status = psa_finish_key_creation(slot, driver, key);
+ }
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(slot, driver);
+ }
+
+ return status;
+}
+
+psa_status_t psa_key_derivation_output_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ mbedtls_svc_key_id_t *key)
+{
+ return psa_key_derivation_output_key_ext(attributes, operation,
+ &default_production_parameters, 0,
+ key);
+}
+
+
+/****************************************************************/
+/* Key derivation */
+/****************************************************************/
+
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
+static int is_kdf_alg_supported(psa_algorithm_t kdf_alg)
+{
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
+ if (PSA_ALG_IS_HKDF(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ return 1;
+ }
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
+ if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
+ return 1;
+ }
+#endif
+ return 0;
+}
+
+static psa_status_t psa_hash_try_support(psa_algorithm_t alg)
+{
+ psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
+ psa_status_t status = psa_hash_setup(&operation, alg);
+ psa_hash_abort(&operation);
+ return status;
+}
+
+static psa_status_t psa_key_derivation_set_maximum_capacity(
+ psa_key_derivation_operation_t *operation,
+ psa_algorithm_t kdf_alg)
+{
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ operation->capacity = PSA_HASH_LENGTH(PSA_ALG_SHA_256);
+ return PSA_SUCCESS;
+ }
+#endif
+#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
+ if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
+#if (SIZE_MAX > UINT32_MAX)
+ operation->capacity = UINT32_MAX * (size_t) PSA_MAC_LENGTH(
+ PSA_KEY_TYPE_AES,
+ 128U,
+ PSA_ALG_CMAC);
+#else
+ operation->capacity = SIZE_MAX;
+#endif
+ return PSA_SUCCESS;
+ }
+#endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */
+
+ /* After this point, if kdf_alg is not valid then value of hash_alg may be
+ * invalid or meaningless but it does not affect this function */
+ psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(kdf_alg);
+ size_t hash_size = PSA_HASH_LENGTH(hash_alg);
+ if (hash_size == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* Make sure that hash_alg is a supported hash algorithm. Otherwise
+ * we might fail later, which is somewhat unfriendly and potentially
+ * risk-prone. */
+ psa_status_t status = psa_hash_try_support(hash_alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(PSA_WANT_ALG_HKDF)
+ if (PSA_ALG_IS_HKDF(kdf_alg)) {
+ operation->capacity = 255 * hash_size;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ operation->capacity = hash_size;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
+ operation->capacity = 255 * hash_size;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_TLS12_PRF)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg) &&
+ (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
+ operation->capacity = SIZE_MAX;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg) &&
+ (hash_alg == PSA_ALG_SHA_256 || hash_alg == PSA_ALG_SHA_384)) {
+ /* Master Secret is always 48 bytes
+ * https://datatracker.ietf.org/doc/html/rfc5246.html#section-8.1 */
+ operation->capacity = 48U;
+ } else
+#endif
+#if defined(PSA_WANT_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+#if (SIZE_MAX > UINT32_MAX)
+ operation->capacity = UINT32_MAX * hash_size;
+#else
+ operation->capacity = SIZE_MAX;
+#endif
+ } else
+#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
+ {
+ (void) hash_size;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+ return status;
+}
+
+static psa_status_t psa_key_derivation_setup_kdf(
+ psa_key_derivation_operation_t *operation,
+ psa_algorithm_t kdf_alg)
+{
+ /* Make sure that operation->ctx is properly zero-initialised. (Macro
+ * initialisers for this union leave some bytes unspecified.) */
+ memset(&operation->ctx, 0, sizeof(operation->ctx));
+
+ /* Make sure that kdf_alg is a supported key derivation algorithm. */
+ if (!is_kdf_alg_supported(kdf_alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ psa_status_t status = psa_key_derivation_set_maximum_capacity(operation,
+ kdf_alg);
+ return status;
+}
+
+static psa_status_t psa_key_agreement_try_support(psa_algorithm_t alg)
+{
+#if defined(PSA_WANT_ALG_ECDH)
+ if (alg == PSA_ALG_ECDH) {
+ return PSA_SUCCESS;
+ }
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+ if (alg == PSA_ALG_FFDH) {
+ return PSA_SUCCESS;
+ }
+#endif
+ (void) alg;
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+static int psa_key_derivation_allows_free_form_secret_input(
+ psa_algorithm_t kdf_alg)
+{
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ return 0;
+ }
+#endif
+ (void) kdf_alg;
+ return 1;
+}
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+
+psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
+ psa_algorithm_t alg)
+{
+ psa_status_t status;
+
+ if (operation->alg != 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ } else if (PSA_ALG_IS_KEY_AGREEMENT(alg)) {
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
+ psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF(alg);
+ psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(alg);
+ status = psa_key_agreement_try_support(ka_alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ if (!psa_key_derivation_allows_free_form_secret_input(kdf_alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ status = psa_key_derivation_setup_kdf(operation, kdf_alg);
+#else
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+ } else if (PSA_ALG_IS_KEY_DERIVATION(alg)) {
+#if defined(AT_LEAST_ONE_BUILTIN_KDF)
+ status = psa_key_derivation_setup_kdf(operation, alg);
+#else
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* AT_LEAST_ONE_BUILTIN_KDF */
+ } else {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (status == PSA_SUCCESS) {
+ operation->alg = alg;
+ }
+ return status;
+}
+
+#if defined(BUILTIN_ALG_ANY_HKDF)
+static psa_status_t psa_hkdf_input(psa_hkdf_key_derivation_t *hkdf,
+ psa_algorithm_t kdf_alg,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH(kdf_alg);
+ psa_status_t status;
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SALT:
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
+ if (hkdf->state != HKDF_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ } else {
+ status = psa_key_derivation_start_hmac(&hkdf->hmac,
+ hash_alg,
+ data, data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ hkdf->state = HKDF_STATE_STARTED;
+ return PSA_SUCCESS;
+ }
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg)) {
+ /* We shouldn't be in different state as HKDF_EXPAND only allows
+ * two inputs: SECRET (this case) and INFO which does not modify
+ * the state. It could happen only if the hkdf
+ * object was corrupted. */
+ if (hkdf->state != HKDF_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ /* Allow only input that fits expected prk size */
+ if (data_length != PSA_HASH_LENGTH(hash_alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ memcpy(hkdf->prk, data, data_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */
+ {
+ /* HKDF: If no salt was provided, use an empty salt.
+ * HKDF-EXTRACT: salt is mandatory. */
+ if (hkdf->state == HKDF_STATE_INIT) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ return PSA_ERROR_BAD_STATE;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ status = psa_key_derivation_start_hmac(&hkdf->hmac,
+ hash_alg,
+ NULL, 0);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ hkdf->state = HKDF_STATE_STARTED;
+ }
+ if (hkdf->state != HKDF_STATE_STARTED) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ status = psa_mac_update(&hkdf->hmac,
+ data, data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_mac_sign_finish(&hkdf->hmac,
+ hkdf->prk,
+ sizeof(hkdf->prk),
+ &data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ hkdf->state = HKDF_STATE_KEYED;
+ hkdf->block_number = 0;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ /* The only block of output is the PRK. */
+ memcpy(hkdf->output_block, hkdf->prk, PSA_HASH_LENGTH(hash_alg));
+ hkdf->offset_in_block = 0;
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ {
+ /* Block 0 is empty, and the next block will be
+ * generated by psa_key_derivation_hkdf_read(). */
+ hkdf->offset_in_block = PSA_HASH_LENGTH(hash_alg);
+ }
+
+ return PSA_SUCCESS;
+ case PSA_KEY_DERIVATION_INPUT_INFO:
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT)
+ if (PSA_ALG_IS_HKDF_EXTRACT(kdf_alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
+ if (PSA_ALG_IS_HKDF_EXPAND(kdf_alg) &&
+ hkdf->state == HKDF_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT */
+ if (hkdf->state == HKDF_STATE_OUTPUT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ if (hkdf->info_set) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ hkdf->info_length = data_length;
+ if (data_length != 0) {
+ hkdf->info = mbedtls_calloc(1, data_length);
+ if (hkdf->info == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ memcpy(hkdf->info, data, data_length);
+ }
+ hkdf->info_set = 1;
+ return PSA_SUCCESS;
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+}
+#endif /* BUILTIN_ALG_ANY_HKDF */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_tls12_prf_set_seed(psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (prf->state != PSA_TLS12_PRF_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length != 0) {
+ prf->seed = mbedtls_calloc(1, data_length);
+ if (prf->seed == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(prf->seed, data, data_length);
+ prf->seed_length = data_length;
+ }
+
+ prf->state = PSA_TLS12_PRF_STATE_SEED_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_tls12_prf_set_key(psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET &&
+ prf->state != PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length != 0) {
+ prf->secret = mbedtls_calloc(1, data_length);
+ if (prf->secret == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(prf->secret, data, data_length);
+ prf->secret_length = data_length;
+ }
+
+ prf->state = PSA_TLS12_PRF_STATE_KEY_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_tls12_prf_set_label(psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (prf->state != PSA_TLS12_PRF_STATE_KEY_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length != 0) {
+ prf->label = mbedtls_calloc(1, data_length);
+ if (prf->label == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(prf->label, data, data_length);
+ prf->label_length = data_length;
+ }
+
+ prf->state = PSA_TLS12_PRF_STATE_LABEL_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_tls12_prf_input(psa_tls12_prf_key_derivation_t *prf,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SEED:
+ return psa_tls12_prf_set_seed(prf, data, data_length);
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+ return psa_tls12_prf_set_key(prf, data, data_length);
+ case PSA_KEY_DERIVATION_INPUT_LABEL:
+ return psa_tls12_prf_set_label(prf, data, data_length);
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
+ * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
+ psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status;
+ const size_t pms_len = (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET ?
+ 4 + data_length + prf->other_secret_length :
+ 4 + 2 * data_length);
+
+ if (data_length > PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ uint8_t *pms = mbedtls_calloc(1, pms_len);
+ if (pms == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ uint8_t *cur = pms;
+
+ /* pure-PSK:
+ * Quoting RFC 4279, Section 2:
+ *
+ * The premaster secret is formed as follows: if the PSK is N octets
+ * long, concatenate a uint16 with the value N, N zero octets, a second
+ * uint16 with the value N, and the PSK itself.
+ *
+ * mixed-PSK:
+ * In a DHE-PSK, RSA-PSK, ECDHE-PSK the premaster secret is formed as
+ * follows: concatenate a uint16 with the length of the other secret,
+ * the other secret itself, uint16 with the length of PSK, and the
+ * PSK itself.
+ * For details please check:
+ * - RFC 4279, Section 4 for the definition of RSA-PSK,
+ * - RFC 4279, Section 3 for the definition of DHE-PSK,
+ * - RFC 5489 for the definition of ECDHE-PSK.
+ */
+
+ if (prf->state == PSA_TLS12_PRF_STATE_OTHER_KEY_SET) {
+ *cur++ = MBEDTLS_BYTE_1(prf->other_secret_length);
+ *cur++ = MBEDTLS_BYTE_0(prf->other_secret_length);
+ if (prf->other_secret_length != 0) {
+ memcpy(cur, prf->other_secret, prf->other_secret_length);
+ mbedtls_platform_zeroize(prf->other_secret, prf->other_secret_length);
+ cur += prf->other_secret_length;
+ }
+ } else {
+ *cur++ = MBEDTLS_BYTE_1(data_length);
+ *cur++ = MBEDTLS_BYTE_0(data_length);
+ memset(cur, 0, data_length);
+ cur += data_length;
+ }
+
+ *cur++ = MBEDTLS_BYTE_1(data_length);
+ *cur++ = MBEDTLS_BYTE_0(data_length);
+ memcpy(cur, data, data_length);
+ cur += data_length;
+
+ status = psa_tls12_prf_set_key(prf, pms, (size_t) (cur - pms));
+
+ mbedtls_zeroize_and_free(pms, pms_len);
+ return status;
+}
+
+static psa_status_t psa_tls12_prf_psk_to_ms_set_other_key(
+ psa_tls12_prf_key_derivation_t *prf,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (prf->state != PSA_TLS12_PRF_STATE_SEED_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length != 0) {
+ prf->other_secret = mbedtls_calloc(1, data_length);
+ if (prf->other_secret == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ memcpy(prf->other_secret, data, data_length);
+ prf->other_secret_length = data_length;
+ } else {
+ prf->other_secret_length = 0;
+ }
+
+ prf->state = PSA_TLS12_PRF_STATE_OTHER_KEY_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_tls12_prf_psk_to_ms_input(
+ psa_tls12_prf_key_derivation_t *prf,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+ return psa_tls12_prf_psk_to_ms_set_key(prf,
+ data, data_length);
+ break;
+ case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
+ return psa_tls12_prf_psk_to_ms_set_other_key(prf,
+ data,
+ data_length);
+ break;
+ default:
+ return psa_tls12_prf_input(prf, step, data, data_length);
+ break;
+
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+static psa_status_t psa_tls12_ecjpake_to_pms_input(
+ psa_tls12_ecjpake_to_pms_t *ecjpake,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (data_length != PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE ||
+ step != PSA_KEY_DERIVATION_INPUT_SECRET) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Check if the passed point is in an uncompressed form */
+ if (data[0] != 0x04) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Only K.X has to be extracted - bytes 1 to 32 inclusive. */
+ memcpy(ecjpake->data, data + 1, PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+static psa_status_t psa_pbkdf2_set_input_cost(
+ psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_key_derivation_step_t step,
+ uint64_t data)
+{
+ if (step != PSA_KEY_DERIVATION_INPUT_COST) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (pbkdf2->state != PSA_PBKDF2_STATE_INIT) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data > PSA_VENDOR_PBKDF2_MAX_ITERATIONS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (data == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ pbkdf2->input_cost = data;
+ pbkdf2->state = PSA_PBKDF2_STATE_INPUT_COST_SET;
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_pbkdf2_set_salt(psa_pbkdf2_key_derivation_t *pbkdf2,
+ const uint8_t *data,
+ size_t data_length)
+{
+ if (pbkdf2->state == PSA_PBKDF2_STATE_INPUT_COST_SET) {
+ pbkdf2->state = PSA_PBKDF2_STATE_SALT_SET;
+ } else if (pbkdf2->state == PSA_PBKDF2_STATE_SALT_SET) {
+ /* Appending to existing salt. No state change. */
+ } else {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (data_length == 0) {
+ /* Appending an empty string, nothing to do. */
+ } else {
+ uint8_t *next_salt;
+
+ next_salt = mbedtls_calloc(1, data_length + pbkdf2->salt_length);
+ if (next_salt == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ if (pbkdf2->salt_length != 0) {
+ memcpy(next_salt, pbkdf2->salt, pbkdf2->salt_length);
+ }
+ memcpy(next_salt + pbkdf2->salt_length, data, data_length);
+ pbkdf2->salt_length += data_length;
+ mbedtls_free(pbkdf2->salt);
+ pbkdf2->salt = next_salt;
+ }
+ return PSA_SUCCESS;
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+static psa_status_t psa_pbkdf2_hmac_set_password(psa_algorithm_t hash_alg,
+ const uint8_t *input,
+ size_t input_len,
+ uint8_t *output,
+ size_t *output_len)
+{
+ psa_status_t status = PSA_SUCCESS;
+ if (input_len > PSA_HASH_BLOCK_LENGTH(hash_alg)) {
+ return psa_hash_compute(hash_alg, input, input_len, output,
+ PSA_HMAC_MAX_HASH_BLOCK_SIZE, output_len);
+ } else if (input_len > 0) {
+ memcpy(output, input, input_len);
+ }
+ *output_len = PSA_HASH_BLOCK_LENGTH(hash_alg);
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
+static psa_status_t psa_pbkdf2_cmac_set_password(const uint8_t *input,
+ size_t input_len,
+ uint8_t *output,
+ size_t *output_len)
+{
+ psa_status_t status = PSA_SUCCESS;
+ if (input_len != PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC)) {
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t zeros[16] = { 0 };
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+ psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(sizeof(zeros)));
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
+ /* Passing PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC) as
+ * mac_size as the driver function sets mac_output_length = mac_size
+ * on success. See https://github.com/Mbed-TLS/mbedtls/issues/7801 */
+ status = psa_driver_wrapper_mac_compute(&attributes,
+ zeros, sizeof(zeros),
+ PSA_ALG_CMAC, input, input_len,
+ output,
+ PSA_MAC_LENGTH(PSA_KEY_TYPE_AES,
+ 128U,
+ PSA_ALG_CMAC),
+ output_len);
+ } else {
+ memcpy(output, input, input_len);
+ *output_len = PSA_MAC_LENGTH(PSA_KEY_TYPE_AES, 128U, PSA_ALG_CMAC);
+ }
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
+
+static psa_status_t psa_pbkdf2_set_password(psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t kdf_alg,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status = PSA_SUCCESS;
+ if (pbkdf2->state != PSA_PBKDF2_STATE_SALT_SET) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ if (PSA_ALG_IS_PBKDF2_HMAC(kdf_alg)) {
+ psa_algorithm_t hash_alg = PSA_ALG_PBKDF2_HMAC_GET_HASH(kdf_alg);
+ status = psa_pbkdf2_hmac_set_password(hash_alg, data, data_length,
+ pbkdf2->password,
+ &pbkdf2->password_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128)
+ if (kdf_alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
+ status = psa_pbkdf2_cmac_set_password(data, data_length,
+ pbkdf2->password,
+ &pbkdf2->password_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 */
+ {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ pbkdf2->state = PSA_PBKDF2_STATE_PASSWORD_SET;
+
+ return status;
+}
+
+static psa_status_t psa_pbkdf2_input(psa_pbkdf2_key_derivation_t *pbkdf2,
+ psa_algorithm_t kdf_alg,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SALT:
+ return psa_pbkdf2_set_salt(pbkdf2, data, data_length);
+ case PSA_KEY_DERIVATION_INPUT_PASSWORD:
+ return psa_pbkdf2_set_password(pbkdf2, kdf_alg, data, data_length);
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+}
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+
+/** Check whether the given key type is acceptable for the given
+ * input step of a key derivation.
+ *
+ * Secret inputs must have the type #PSA_KEY_TYPE_DERIVE.
+ * Non-secret inputs must have the type #PSA_KEY_TYPE_RAW_DATA.
+ * Both secret and non-secret inputs can alternatively have the type
+ * #PSA_KEY_TYPE_NONE, which is never the type of a key object, meaning
+ * that the input was passed as a buffer rather than via a key object.
+ */
+static int psa_key_derivation_check_input_type(
+ psa_key_derivation_step_t step,
+ psa_key_type_t key_type)
+{
+ switch (step) {
+ case PSA_KEY_DERIVATION_INPUT_SECRET:
+ if (key_type == PSA_KEY_TYPE_DERIVE) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return PSA_SUCCESS;
+ }
+ break;
+ case PSA_KEY_DERIVATION_INPUT_OTHER_SECRET:
+ if (key_type == PSA_KEY_TYPE_DERIVE) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return PSA_SUCCESS;
+ }
+ break;
+ case PSA_KEY_DERIVATION_INPUT_LABEL:
+ case PSA_KEY_DERIVATION_INPUT_SALT:
+ case PSA_KEY_DERIVATION_INPUT_INFO:
+ case PSA_KEY_DERIVATION_INPUT_SEED:
+ if (key_type == PSA_KEY_TYPE_RAW_DATA) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return PSA_SUCCESS;
+ }
+ break;
+ case PSA_KEY_DERIVATION_INPUT_PASSWORD:
+ if (key_type == PSA_KEY_TYPE_PASSWORD) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_DERIVE) {
+ return PSA_SUCCESS;
+ }
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return PSA_SUCCESS;
+ }
+ break;
+ }
+ return PSA_ERROR_INVALID_ARGUMENT;
+}
+
+static psa_status_t psa_key_derivation_input_internal(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ psa_key_type_t key_type,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status;
+ psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+
+ status = psa_key_derivation_check_input_type(step, key_type);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+#if defined(BUILTIN_ALG_ANY_HKDF)
+ if (PSA_ALG_IS_ANY_HKDF(kdf_alg)) {
+ status = psa_hkdf_input(&operation->ctx.hkdf, kdf_alg,
+ step, data, data_length);
+ } else
+#endif /* BUILTIN_ALG_ANY_HKDF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF)
+ if (PSA_ALG_IS_TLS12_PRF(kdf_alg)) {
+ status = psa_tls12_prf_input(&operation->ctx.tls12_prf,
+ step, data, data_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS)
+ if (PSA_ALG_IS_TLS12_PSK_TO_MS(kdf_alg)) {
+ status = psa_tls12_prf_psk_to_ms_input(&operation->ctx.tls12_prf,
+ step, data, data_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
+ if (kdf_alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
+ status = psa_tls12_ecjpake_to_pms_input(
+ &operation->ctx.tls12_ecjpake_to_pms, step, data, data_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+ if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
+ status = psa_pbkdf2_input(&operation->ctx.pbkdf2, kdf_alg,
+ step, data, data_length);
+ } else
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+ {
+ /* This can't happen unless the operation object was not initialized */
+ (void) data;
+ (void) data_length;
+ (void) kdf_alg;
+ return PSA_ERROR_BAD_STATE;
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(operation);
+ }
+ return status;
+}
+
+static psa_status_t psa_key_derivation_input_integer_internal(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ uint64_t value)
+{
+ psa_status_t status;
+ psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+
+#if defined(PSA_HAVE_SOFT_PBKDF2)
+ if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
+ status = psa_pbkdf2_set_input_cost(
+ &operation->ctx.pbkdf2, step, value);
+ } else
+#endif /* PSA_HAVE_SOFT_PBKDF2 */
+ {
+ (void) step;
+ (void) value;
+ (void) kdf_alg;
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_key_derivation_input_bytes(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ const uint8_t *data_external,
+ size_t data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(data_external, data);
+
+ LOCAL_INPUT_ALLOC(data_external, data_length, data);
+
+ status = psa_key_derivation_input_internal(operation, step,
+ PSA_KEY_TYPE_NONE,
+ data, data_length);
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_INPUT_FREE(data_external, data);
+ return status;
+}
+
+psa_status_t psa_key_derivation_input_integer(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ uint64_t value)
+{
+ return psa_key_derivation_input_integer_internal(operation, step, value);
+}
+
+psa_status_t psa_key_derivation_input_key(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t key)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ status = psa_get_and_lock_transparent_key_slot_with_policy(
+ key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(operation);
+ return status;
+ }
+
+ /* Passing a key object as a SECRET or PASSWORD input unlocks the
+ * permission to output to a key object. */
+ if (step == PSA_KEY_DERIVATION_INPUT_SECRET ||
+ step == PSA_KEY_DERIVATION_INPUT_PASSWORD) {
+ operation->can_output_key = 1;
+ }
+
+ status = psa_key_derivation_input_internal(operation,
+ step, slot->attr.type,
+ slot->key.data,
+ slot->key.bytes);
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+
+/****************************************************************/
+/* Key agreement */
+/****************************************************************/
+
+psa_status_t psa_key_agreement_raw_builtin(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ switch (alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+ case PSA_ALG_ECDH:
+ return mbedtls_psa_key_agreement_ecdh(attributes, key_buffer,
+ key_buffer_size, alg,
+ peer_key, peer_key_length,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+ case PSA_ALG_FFDH:
+ return mbedtls_psa_ffdh_key_agreement(attributes,
+ peer_key,
+ peer_key_length,
+ key_buffer,
+ key_buffer_size,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length);
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
+
+ default:
+ (void) attributes;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) peer_key;
+ (void) peer_key_length;
+ (void) shared_secret;
+ (void) shared_secret_size;
+ (void) shared_secret_length;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+}
+
+/** Internal function for raw key agreement
+ * Calls the driver wrapper which will hand off key agreement task
+ * to the driver's implementation if a driver is present.
+ * Fallback specified in the driver wrapper is built-in raw key agreement
+ * (psa_key_agreement_raw_builtin).
+ */
+static psa_status_t psa_key_agreement_raw_internal(psa_algorithm_t alg,
+ psa_key_slot_t *private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ if (!PSA_ALG_IS_RAW_KEY_AGREEMENT(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return psa_driver_wrapper_key_agreement(&private_key->attr,
+ private_key->key.data,
+ private_key->key.bytes, alg,
+ peer_key, peer_key_length,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length);
+}
+
+/* Note that if this function fails, you must call psa_key_derivation_abort()
+ * to potentially free embedded data structures and wipe confidential data.
+ */
+static psa_status_t psa_key_agreement_internal(psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ psa_key_slot_t *private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length)
+{
+ psa_status_t status;
+ uint8_t shared_secret[PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE] = { 0 };
+ size_t shared_secret_length = 0;
+ psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE(operation->alg);
+
+ /* Step 1: run the secret agreement algorithm to generate the shared
+ * secret. */
+ status = psa_key_agreement_raw_internal(ka_alg,
+ private_key,
+ peer_key, peer_key_length,
+ shared_secret,
+ sizeof(shared_secret),
+ &shared_secret_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Step 2: set up the key derivation to generate key material from
+ * the shared secret. A shared secret is permitted wherever a key
+ * of type DERIVE is permitted. */
+ status = psa_key_derivation_input_internal(operation, step,
+ PSA_KEY_TYPE_DERIVE,
+ shared_secret,
+ shared_secret_length);
+exit:
+ mbedtls_platform_zeroize(shared_secret, shared_secret_length);
+ return status;
+}
+
+psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key_external,
+ size_t peer_key_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+ LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
+
+ if (!PSA_ALG_IS_KEY_AGREEMENT(operation->alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ status = psa_get_and_lock_transparent_key_slot_with_policy(
+ private_key, &slot, PSA_KEY_USAGE_DERIVE, operation->alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
+ status = psa_key_agreement_internal(operation, step,
+ slot,
+ peer_key, peer_key_length);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(operation);
+ } else {
+ /* If a private key has been added as SECRET, we allow the derived
+ * key material to be used as a key in PSA Crypto. */
+ if (step == PSA_KEY_DERIVATION_INPUT_SECRET) {
+ operation->can_output_key = 1;
+ }
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+ LOCAL_INPUT_FREE(peer_key_external, peer_key);
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
+ mbedtls_svc_key_id_t private_key,
+ const uint8_t *peer_key_external,
+ size_t peer_key_length,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ size_t expected_length;
+ LOCAL_INPUT_DECLARE(peer_key_external, peer_key);
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ if (!PSA_ALG_IS_KEY_AGREEMENT(alg)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+ status = psa_get_and_lock_transparent_key_slot_with_policy(
+ private_key, &slot, PSA_KEY_USAGE_DERIVE, alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is in general an upper bound
+ * for the output size. The PSA specification only guarantees that this
+ * function works if output_size >= PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(...),
+ * but it might be nice to allow smaller buffers if the output fits.
+ * At the time of writing this comment, with only ECDH implemented,
+ * PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is exact so the point is moot.
+ * If FFDH is implemented, PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() can easily
+ * be exact for it as well. */
+ expected_length =
+ PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(slot->attr.type, slot->attr.bits);
+ if (output_size < expected_length) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(peer_key_external, peer_key_length, peer_key);
+ status = psa_key_agreement_raw_internal(alg, slot,
+ peer_key, peer_key_length,
+ output, output_size,
+ output_length);
+
+exit:
+ /* Check for successful allocation of output,
+ * with an unsuccessful status. */
+ if (output != NULL && status != PSA_SUCCESS) {
+ /* If an error happens and is not handled properly, the output
+ * may be used as a key to protect sensitive data. Arrange for such
+ * a key to be random, which is likely to result in decryption or
+ * verification errors. This is better than filling the buffer with
+ * some constant data such as zeros, which would result in the data
+ * being protected with a reproducible, easily knowable key.
+ */
+ psa_generate_random_internal(output, output_size);
+ *output_length = output_size;
+ }
+
+ if (output == NULL) {
+ /* output allocation failed. */
+ *output_length = 0;
+ }
+
+ unlock_status = psa_unregister_read_under_mutex(slot);
+
+ LOCAL_INPUT_FREE(peer_key_external, peer_key);
+ LOCAL_OUTPUT_FREE(output_external, output);
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+/****************************************************************/
+/* Random generation */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+#include "entropy_poll.h"
+#endif
+
+/** Initialize the PSA random generator.
+ *
+ * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
+ * this function if mutexes are enabled.
+ */
+static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+ memset(rng, 0, sizeof(*rng));
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+ /* Set default configuration if
+ * mbedtls_psa_crypto_configure_entropy_sources() hasn't been called. */
+ if (rng->entropy_init == NULL) {
+ rng->entropy_init = mbedtls_entropy_init;
+ }
+ if (rng->entropy_free == NULL) {
+ rng->entropy_free = mbedtls_entropy_free;
+ }
+
+ rng->entropy_init(&rng->entropy);
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
+ defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+ /* The PSA entropy injection feature depends on using NV seed as an entropy
+ * source. Add NV seed as an entropy source for PSA entropy injection. */
+ mbedtls_entropy_add_source(&rng->entropy,
+ mbedtls_nv_seed_poll, NULL,
+ MBEDTLS_ENTROPY_BLOCK_SIZE,
+ MBEDTLS_ENTROPY_SOURCE_STRONG);
+#endif
+
+ mbedtls_psa_drbg_init(&rng->drbg);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+/** Deinitialize the PSA random generator.
+ *
+ * Note: the mbedtls_threading_psa_rngdata_mutex should be held when calling
+ * this function if mutexes are enabled.
+ */
+static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+ memset(rng, 0, sizeof(*rng));
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+ mbedtls_psa_drbg_free(&rng->drbg);
+ rng->entropy_free(&rng->entropy);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+/** Seed the PSA random generator.
+ */
+static psa_status_t mbedtls_psa_random_seed(mbedtls_psa_random_context_t *rng)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+ /* Do nothing: the external RNG seeds itself. */
+ (void) rng;
+ return PSA_SUCCESS;
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+ const unsigned char drbg_seed[] = "PSA";
+ int ret = mbedtls_psa_drbg_seed(&rng->drbg, &rng->entropy,
+ drbg_seed, sizeof(drbg_seed) - 1);
+ return mbedtls_to_psa_error(ret);
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+}
+
+psa_status_t psa_generate_random(uint8_t *output_external,
+ size_t output_size)
+{
+ psa_status_t status;
+
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_generate_random_internal(output, output_size);
+
+#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+exit:
+#endif
+ LOCAL_OUTPUT_FREE(output_external, output);
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
+ size_t seed_size)
+{
+ if (psa_get_initialized()) {
+ return PSA_ERROR_NOT_PERMITTED;
+ }
+
+ if (((seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM) ||
+ (seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE)) ||
+ (seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return mbedtls_psa_storage_inject_entropy(seed, seed_size);
+}
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
+/** Validate the key type and size for key generation
+ *
+ * \param type The key type
+ * \param bits The number of bits of the key
+ *
+ * \retval #PSA_SUCCESS
+ * The key type and size are valid.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size in bits of the key is not valid.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The type and/or the size in bits of the key or the combination of
+ * the two is not supported.
+ */
+static psa_status_t psa_validate_key_type_and_size_for_key_generation(
+ psa_key_type_t type, size_t bits)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (key_type_is_raw_bytes(type)) {
+ status = psa_validate_unstructured_key_bit_size(type, bits);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ } else
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_RSA(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (bits < PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* Accept only byte-aligned keys, for the same reasons as
+ * in psa_import_rsa_key(). */
+ if (bits % 8 != 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ /* To avoid empty block, return successfully here. */
+ return PSA_SUCCESS;
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ if (psa_is_dh_key_size_valid(bits) == 0) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ } else
+#endif /* defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
+ {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_generate_key_internal(
+ const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_type_t type = attributes->type;
+
+ /* Only used for RSA */
+ (void) params;
+ (void) params_data_length;
+
+ if (key_type_is_raw_bytes(type)) {
+ status = psa_generate_random_internal(key_buffer, key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ if (type == PSA_KEY_TYPE_DES) {
+ psa_des_set_key_parity(key_buffer, key_buffer_size);
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
+ } else
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ return mbedtls_psa_rsa_generate_key(attributes,
+ params, params_data_length,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_ECC(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ return mbedtls_psa_ecp_generate_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+ if (PSA_KEY_TYPE_IS_DH(type) && PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ return mbedtls_psa_ffdh_generate_key(attributes,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+ } else
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) */
+ {
+ (void) key_buffer_length;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ psa_status_t status;
+ psa_key_slot_t *slot = NULL;
+ psa_se_drv_table_entry_t *driver = NULL;
+ size_t key_buffer_size;
+
+ *key = MBEDTLS_SVC_KEY_ID_INIT;
+
+ /* Reject any attempt to create a zero-length key so that we don't
+ * risk tripping up later, e.g. on a malloc(0) that returns NULL. */
+ if (psa_get_key_bits(attributes) == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Reject any attempt to create a public key. */
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(attributes->type)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+ if (params->flags != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else
+#endif
+ if (!psa_key_production_parameters_are_default(params, params_data_length)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_start_key_creation(PSA_KEY_CREATION_GENERATE, attributes,
+ &slot, &driver);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* In the case of a transparent key or an opaque key stored in local
+ * storage ( thus not in the case of generating a key in a secure element
+ * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
+ * buffer to hold the generated key material. */
+ if (slot->key.data == NULL) {
+ if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) ==
+ PSA_KEY_LOCATION_LOCAL_STORAGE) {
+ status = psa_validate_key_type_and_size_for_key_generation(
+ attributes->type, attributes->bits);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(
+ attributes->type,
+ attributes->bits);
+ } else {
+ status = psa_driver_wrapper_get_key_buffer_size(
+ attributes, &key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = psa_driver_wrapper_generate_key(attributes,
+ params, params_data_length,
+ slot->key.data, slot->key.bytes,
+ &slot->key.bytes);
+ if (status != PSA_SUCCESS) {
+ psa_remove_key_data_from_memory(slot);
+ }
+
+exit:
+ if (status == PSA_SUCCESS) {
+ status = psa_finish_key_creation(slot, driver, key);
+ }
+ if (status != PSA_SUCCESS) {
+ psa_fail_key_creation(slot, driver);
+ }
+
+ return status;
+}
+
+psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
+ mbedtls_svc_key_id_t *key)
+{
+ return psa_generate_key_ext(attributes,
+ &default_production_parameters, 0,
+ key);
+}
+
+/****************************************************************/
+/* Module setup */
+/****************************************************************/
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
+ void (* entropy_init)(mbedtls_entropy_context *ctx),
+ void (* entropy_free)(mbedtls_entropy_context *ctx))
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (global_data.rng_state != RNG_NOT_INITIALIZED) {
+ status = PSA_ERROR_BAD_STATE;
+ } else {
+ global_data.rng.entropy_init = entropy_init;
+ global_data.rng.entropy_free = entropy_free;
+ status = PSA_SUCCESS;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return status;
+}
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+void mbedtls_psa_crypto_free(void)
+{
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ /* Nothing to do to free transaction. */
+ if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED) {
+ global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
+ }
+
+ if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED) {
+ psa_wipe_all_key_slots();
+ global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (global_data.rng_state != RNG_NOT_INITIALIZED) {
+ mbedtls_psa_random_free(&global_data.rng);
+ }
+ global_data.rng_state = RNG_NOT_INITIALIZED;
+ mbedtls_platform_zeroize(&global_data.rng, sizeof(global_data.rng));
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_rngdata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ /* Terminate drivers */
+ if (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED) {
+ psa_driver_wrapper_free();
+ global_data.initialized &= ~PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+}
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+/** Recover a transaction that was interrupted by a power failure.
+ *
+ * This function is called during initialization, before psa_crypto_init()
+ * returns. If this function returns a failure status, the initialization
+ * fails.
+ */
+static psa_status_t psa_crypto_recover_transaction(
+ const psa_crypto_transaction_t *transaction)
+{
+ switch (transaction->unknown.type) {
+ case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
+ case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
+ /* TODO - fall through to the failure case until this
+ * is implemented.
+ * https://github.com/ARMmbed/mbed-crypto/issues/218
+ */
+ default:
+ /* We found an unsupported transaction in the storage.
+ * We don't know what state the storage is in. Give up. */
+ return PSA_ERROR_DATA_INVALID;
+ }
+}
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+static psa_status_t mbedtls_psa_crypto_init_subsystem(mbedtls_psa_crypto_subsystem subsystem)
+{
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t driver_wrappers_initialized = 0;
+
+ switch (subsystem) {
+ case PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS:
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED)) {
+ /* Init drivers */
+ status = psa_driver_wrapper_init();
+
+ /* Drivers need shutdown regardless of startup errors. */
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED;
+
+
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ break;
+
+ case PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS:
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED)) {
+ status = psa_initialize_key_slots();
+
+ /* Need to wipe keys even if initialization fails. */
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED;
+
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ break;
+
+ case PSA_CRYPTO_SUBSYSTEM_RNG:
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ driver_wrappers_initialized =
+ (global_data.initialized & PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED);
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ /* Need to use separate mutex here, as initialisation can require
+ * testing of init flags, which requires locking the global data
+ * mutex. */
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_rngdata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ /* Initialize and seed the random generator. */
+ if (global_data.rng_state == RNG_NOT_INITIALIZED && driver_wrappers_initialized) {
+ mbedtls_psa_random_init(&global_data.rng);
+ global_data.rng_state = RNG_INITIALIZED;
+
+ status = mbedtls_psa_random_seed(&global_data.rng);
+ if (status == PSA_SUCCESS) {
+ global_data.rng_state = RNG_SEEDED;
+ }
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_rngdata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ break;
+
+ case PSA_CRYPTO_SUBSYSTEM_TRANSACTION:
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ if (!(global_data.initialized & PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED)) {
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+ status = psa_crypto_load_transaction();
+ if (status == PSA_SUCCESS) {
+ status = psa_crypto_recover_transaction(&psa_crypto_transaction);
+ if (status == PSA_SUCCESS) {
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
+ }
+ status = psa_crypto_stop_transaction();
+ } else if (status == PSA_ERROR_DOES_NOT_EXIST) {
+ /* There's no transaction to complete. It's all good. */
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
+ status = PSA_SUCCESS;
+ }
+#else /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
+ global_data.initialized |= PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED;
+ status = PSA_SUCCESS;
+#endif /* defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) */
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_GOTO_EXIT(mbedtls_mutex_unlock(
+ &mbedtls_threading_psa_globaldata_mutex));
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ break;
+
+ default:
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* Exit label only required when using threading macros. */
+#if defined(MBEDTLS_THREADING_C)
+exit:
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return status;
+}
+
+psa_status_t psa_crypto_init(void)
+{
+ psa_status_t status;
+
+ /* Double initialization is explicitly allowed. Early out if everything is
+ * done. */
+ if (psa_get_initialized()) {
+ return PSA_SUCCESS;
+ }
+
+ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_RNG);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_TRANSACTION);
+
+exit:
+
+ if (status != PSA_SUCCESS) {
+ mbedtls_psa_crypto_free();
+ }
+
+ return status;
+}
+
+#if defined(PSA_WANT_ALG_SOME_PAKE)
+psa_status_t psa_crypto_driver_pake_get_password_len(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ size_t *password_len)
+{
+ if (inputs->password_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *password_len = inputs->password_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_password(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ uint8_t *buffer, size_t buffer_size, size_t *buffer_length)
+{
+ if (inputs->password_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (buffer_size < inputs->password_len) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(buffer, inputs->password, inputs->password_len);
+ *buffer_length = inputs->password_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_user_len(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ size_t *user_len)
+{
+ if (inputs->user_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *user_len = inputs->user_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_user(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ uint8_t *user_id, size_t user_id_size, size_t *user_id_len)
+{
+ if (inputs->user_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (user_id_size < inputs->user_len) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(user_id, inputs->user, inputs->user_len);
+ *user_id_len = inputs->user_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_peer_len(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ size_t *peer_len)
+{
+ if (inputs->peer_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *peer_len = inputs->peer_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_peer(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ uint8_t *peer_id, size_t peer_id_size, size_t *peer_id_length)
+{
+ if (inputs->peer_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (peer_id_size < inputs->peer_len) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(peer_id, inputs->peer, inputs->peer_len);
+ *peer_id_length = inputs->peer_len;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_driver_pake_get_cipher_suite(
+ const psa_crypto_driver_pake_inputs_t *inputs,
+ psa_pake_cipher_suite_t *cipher_suite)
+{
+ if (inputs->cipher_suite.algorithm == PSA_ALG_NONE) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ *cipher_suite = inputs->cipher_suite;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_pake_setup(
+ psa_pake_operation_t *operation,
+ const psa_pake_cipher_suite_t *cipher_suite)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_SETUP) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (PSA_ALG_IS_PAKE(cipher_suite->algorithm) == 0 ||
+ PSA_ALG_IS_HASH(cipher_suite->hash) == 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ memset(&operation->data.inputs, 0, sizeof(operation->data.inputs));
+
+ operation->alg = cipher_suite->algorithm;
+ operation->primitive = PSA_PAKE_PRIMITIVE(cipher_suite->type,
+ cipher_suite->family, cipher_suite->bits);
+ operation->data.inputs.cipher_suite = *cipher_suite;
+
+#if defined(PSA_WANT_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ psa_jpake_computation_stage_t *computation_stage =
+ &operation->computation_stage.jpake;
+
+ memset(computation_stage, 0, sizeof(*computation_stage));
+ computation_stage->step = PSA_PAKE_STEP_KEY_SHARE;
+ } else
+#endif /* PSA_WANT_ALG_JPAKE */
+ {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ operation->stage = PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS;
+
+ return PSA_SUCCESS;
+exit:
+ psa_pake_abort(operation);
+ return status;
+}
+
+psa_status_t psa_pake_set_password_key(
+ psa_pake_operation_t *operation,
+ mbedtls_svc_key_id_t password)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot = NULL;
+ psa_key_type_t type;
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(password, &slot,
+ PSA_KEY_USAGE_DERIVE,
+ operation->alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ type = psa_get_key_type(&slot->attr);
+
+ if (type != PSA_KEY_TYPE_PASSWORD &&
+ type != PSA_KEY_TYPE_PASSWORD_HASH) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ operation->data.inputs.password = mbedtls_calloc(1, slot->key.bytes);
+ if (operation->data.inputs.password == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto exit;
+ }
+
+ memcpy(operation->data.inputs.password, slot->key.data, slot->key.bytes);
+ operation->data.inputs.password_len = slot->key.bytes;
+ operation->data.inputs.attributes = slot->attr;
+
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ unlock_status = psa_unregister_read_under_mutex(slot);
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_pake_set_user(
+ psa_pake_operation_t *operation,
+ const uint8_t *user_id_external,
+ size_t user_id_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(user_id_external, user_id);
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (user_id_len == 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ if (operation->data.inputs.user_len != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ operation->data.inputs.user = mbedtls_calloc(1, user_id_len);
+ if (operation->data.inputs.user == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(user_id_external, user_id_len, user_id);
+
+ memcpy(operation->data.inputs.user, user_id, user_id_len);
+ operation->data.inputs.user_len = user_id_len;
+
+ status = PSA_SUCCESS;
+
+exit:
+ LOCAL_INPUT_FREE(user_id_external, user_id);
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_pake_set_peer(
+ psa_pake_operation_t *operation,
+ const uint8_t *peer_id_external,
+ size_t peer_id_len)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ LOCAL_INPUT_DECLARE(peer_id_external, peer_id);
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (peer_id_len == 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ if (operation->data.inputs.peer_len != 0) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ operation->data.inputs.peer = mbedtls_calloc(1, peer_id_len);
+ if (operation->data.inputs.peer == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(peer_id_external, peer_id_len, peer_id);
+
+ memcpy(operation->data.inputs.peer, peer_id, peer_id_len);
+ operation->data.inputs.peer_len = peer_id_len;
+
+ status = PSA_SUCCESS;
+
+exit:
+ LOCAL_INPUT_FREE(peer_id_external, peer_id);
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_pake_set_role(
+ psa_pake_operation_t *operation,
+ psa_pake_role_t role)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ if (role == PSA_PAKE_ROLE_NONE) {
+ return PSA_SUCCESS;
+ }
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ break;
+#endif
+ default:
+ (void) role;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+exit:
+ psa_pake_abort(operation);
+ return status;
+}
+
+/* Auxiliary function to convert core computation stage to single driver step. */
+#if defined(PSA_WANT_ALG_JPAKE)
+static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_step(
+ psa_jpake_computation_stage_t *stage)
+{
+ psa_crypto_driver_pake_step_t key_share_step;
+ if (stage->round == PSA_JPAKE_FIRST) {
+ int is_x1;
+
+ if (stage->io_mode == PSA_JPAKE_OUTPUT) {
+ is_x1 = (stage->outputs < 1);
+ } else {
+ is_x1 = (stage->inputs < 1);
+ }
+
+ key_share_step = is_x1 ?
+ PSA_JPAKE_X1_STEP_KEY_SHARE :
+ PSA_JPAKE_X2_STEP_KEY_SHARE;
+ } else if (stage->round == PSA_JPAKE_SECOND) {
+ key_share_step = (stage->io_mode == PSA_JPAKE_OUTPUT) ?
+ PSA_JPAKE_X2S_STEP_KEY_SHARE :
+ PSA_JPAKE_X4S_STEP_KEY_SHARE;
+ } else {
+ return PSA_JPAKE_STEP_INVALID;
+ }
+ return (psa_crypto_driver_pake_step_t) (key_share_step + stage->step - PSA_PAKE_STEP_KEY_SHARE);
+}
+#endif /* PSA_WANT_ALG_JPAKE */
+
+static psa_status_t psa_pake_complete_inputs(
+ psa_pake_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ /* Create copy of the inputs on stack as inputs share memory
+ with the driver context which will be setup by the driver. */
+ psa_crypto_driver_pake_inputs_t inputs = operation->data.inputs;
+
+ if (inputs.password_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (operation->alg == PSA_ALG_JPAKE) {
+ if (inputs.user_len == 0 || inputs.peer_len == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+ }
+
+ /* Clear driver context */
+ mbedtls_platform_zeroize(&operation->data, sizeof(operation->data));
+
+ status = psa_driver_wrapper_pake_setup(operation, &inputs);
+
+ /* Driver is responsible for creating its own copy of the password. */
+ mbedtls_zeroize_and_free(inputs.password, inputs.password_len);
+
+ /* User and peer are translated to role. */
+ mbedtls_free(inputs.user);
+ mbedtls_free(inputs.peer);
+
+ if (status == PSA_SUCCESS) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ operation->stage = PSA_PAKE_OPERATION_STAGE_COMPUTATION;
+ } else
+#endif /* PSA_WANT_ALG_JPAKE */
+ {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+ }
+ return status;
+}
+
+#if defined(PSA_WANT_ALG_JPAKE)
+static psa_status_t psa_jpake_prologue(
+ psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ psa_jpake_io_mode_t io_mode)
+{
+ if (step != PSA_PAKE_STEP_KEY_SHARE &&
+ step != PSA_PAKE_STEP_ZK_PUBLIC &&
+ step != PSA_PAKE_STEP_ZK_PROOF) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ psa_jpake_computation_stage_t *computation_stage =
+ &operation->computation_stage.jpake;
+
+ if (computation_stage->round != PSA_JPAKE_FIRST &&
+ computation_stage->round != PSA_JPAKE_SECOND) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ /* Check that the step we are given is the one we were expecting */
+ if (step != computation_stage->step) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ if (step == PSA_PAKE_STEP_KEY_SHARE &&
+ computation_stage->inputs == 0 &&
+ computation_stage->outputs == 0) {
+ /* Start of the round, so function decides whether we are inputting
+ * or outputting */
+ computation_stage->io_mode = io_mode;
+ } else if (computation_stage->io_mode != io_mode) {
+ /* Middle of the round so the mode we are in must match the function
+ * called by the user */
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t psa_jpake_epilogue(
+ psa_pake_operation_t *operation,
+ psa_jpake_io_mode_t io_mode)
+{
+ psa_jpake_computation_stage_t *stage =
+ &operation->computation_stage.jpake;
+
+ if (stage->step == PSA_PAKE_STEP_ZK_PROOF) {
+ /* End of an input/output */
+ if (io_mode == PSA_JPAKE_INPUT) {
+ stage->inputs++;
+ if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round)) {
+ stage->io_mode = PSA_JPAKE_OUTPUT;
+ }
+ }
+ if (io_mode == PSA_JPAKE_OUTPUT) {
+ stage->outputs++;
+ if (stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
+ stage->io_mode = PSA_JPAKE_INPUT;
+ }
+ }
+ if (stage->inputs == PSA_JPAKE_EXPECTED_INPUTS(stage->round) &&
+ stage->outputs == PSA_JPAKE_EXPECTED_OUTPUTS(stage->round)) {
+ /* End of a round, move to the next round */
+ stage->inputs = 0;
+ stage->outputs = 0;
+ stage->round++;
+ }
+ stage->step = PSA_PAKE_STEP_KEY_SHARE;
+ } else {
+ stage->step++;
+ }
+ return PSA_SUCCESS;
+}
+
+#endif /* PSA_WANT_ALG_JPAKE */
+
+psa_status_t psa_pake_output(
+ psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ uint8_t *output_external,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
+ LOCAL_OUTPUT_DECLARE(output_external, output);
+ *output_length = 0;
+
+ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = psa_pake_complete_inputs(operation);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (output_size == 0) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ status = psa_jpake_prologue(operation, step, PSA_JPAKE_OUTPUT);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ driver_step = convert_jpake_computation_stage_to_driver_step(
+ &operation->computation_stage.jpake);
+ break;
+#endif /* PSA_WANT_ALG_JPAKE */
+ default:
+ (void) step;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ LOCAL_OUTPUT_ALLOC(output_external, output_size, output);
+
+ status = psa_driver_wrapper_pake_output(operation, driver_step,
+ output, output_size, output_length);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ status = psa_jpake_epilogue(operation, PSA_JPAKE_OUTPUT);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ break;
+#endif /* PSA_WANT_ALG_JPAKE */
+ default:
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+exit:
+ LOCAL_OUTPUT_FREE(output_external, output);
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_pake_input(
+ psa_pake_operation_t *operation,
+ psa_pake_step_t step,
+ const uint8_t *input_external,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID;
+ const size_t max_input_length = (size_t) PSA_PAKE_INPUT_SIZE(operation->alg,
+ operation->primitive,
+ step);
+ LOCAL_INPUT_DECLARE(input_external, input);
+
+ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ status = psa_pake_complete_inputs(operation);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ if (input_length == 0 || input_length > max_input_length) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ status = psa_jpake_prologue(operation, step, PSA_JPAKE_INPUT);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ driver_step = convert_jpake_computation_stage_to_driver_step(
+ &operation->computation_stage.jpake);
+ break;
+#endif /* PSA_WANT_ALG_JPAKE */
+ default:
+ (void) step;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ LOCAL_INPUT_ALLOC(input_external, input_length, input);
+ status = psa_driver_wrapper_pake_input(operation, driver_step,
+ input, input_length);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(PSA_WANT_ALG_JPAKE)
+ case PSA_ALG_JPAKE:
+ status = psa_jpake_epilogue(operation, PSA_JPAKE_INPUT);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ break;
+#endif /* PSA_WANT_ALG_JPAKE */
+ default:
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+exit:
+ LOCAL_INPUT_FREE(input_external, input);
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(operation);
+ }
+ return status;
+}
+
+psa_status_t psa_pake_get_implicit_key(
+ psa_pake_operation_t *operation,
+ psa_key_derivation_operation_t *output)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t shared_key[MBEDTLS_PSA_JPAKE_BUFFER_SIZE];
+ size_t shared_key_len = 0;
+
+ if (operation->stage != PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+#if defined(PSA_WANT_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ psa_jpake_computation_stage_t *computation_stage =
+ &operation->computation_stage.jpake;
+ if (computation_stage->round != PSA_JPAKE_FINISHED) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+ } else
+#endif /* PSA_WANT_ALG_JPAKE */
+ {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_pake_get_implicit_key(operation,
+ shared_key,
+ sizeof(shared_key),
+ &shared_key_len);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_key_derivation_input_bytes(output,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ shared_key,
+ shared_key_len);
+
+ mbedtls_platform_zeroize(shared_key, sizeof(shared_key));
+exit:
+ abort_status = psa_pake_abort(operation);
+ return status == PSA_SUCCESS ? abort_status : status;
+}
+
+psa_status_t psa_pake_abort(
+ psa_pake_operation_t *operation)
+{
+ psa_status_t status = PSA_SUCCESS;
+
+ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COMPUTATION) {
+ status = psa_driver_wrapper_pake_abort(operation);
+ }
+
+ if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) {
+ if (operation->data.inputs.password != NULL) {
+ mbedtls_zeroize_and_free(operation->data.inputs.password,
+ operation->data.inputs.password_len);
+ }
+ if (operation->data.inputs.user != NULL) {
+ mbedtls_free(operation->data.inputs.user);
+ }
+ if (operation->data.inputs.peer != NULL) {
+ mbedtls_free(operation->data.inputs.peer);
+ }
+ }
+ memset(operation, 0, sizeof(psa_pake_operation_t));
+
+ return status;
+}
+#endif /* PSA_WANT_ALG_SOME_PAKE */
+
+/* Memory copying test hooks. These are called before input copy, after input
+ * copy, before output copy and after output copy, respectively.
+ * They are used by memory-poisoning tests to temporarily unpoison buffers
+ * while they are copied. */
+#if defined(MBEDTLS_TEST_HOOKS)
+void (*psa_input_pre_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
+void (*psa_input_post_copy_hook)(const uint8_t *input, size_t input_len) = NULL;
+void (*psa_output_pre_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
+void (*psa_output_post_copy_hook)(const uint8_t *output, size_t output_len) = NULL;
+#endif
+
+/** Copy from an input buffer to a local copy.
+ *
+ * \param[in] input Pointer to input buffer.
+ * \param[in] input_len Length of the input buffer.
+ * \param[out] input_copy Pointer to a local copy in which to store the input data.
+ * \param[out] input_copy_len Length of the local copy buffer.
+ * \return #PSA_SUCCESS, if the buffer was successfully
+ * copied.
+ * \return #PSA_ERROR_CORRUPTION_DETECTED, if the local
+ * copy is too small to hold contents of the
+ * input buffer.
+ */
+MBEDTLS_STATIC_TESTABLE
+psa_status_t psa_crypto_copy_input(const uint8_t *input, size_t input_len,
+ uint8_t *input_copy, size_t input_copy_len)
+{
+ if (input_len > input_copy_len) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (psa_input_pre_copy_hook != NULL) {
+ psa_input_pre_copy_hook(input, input_len);
+ }
+#endif
+
+ if (input_len > 0) {
+ memcpy(input_copy, input, input_len);
+ }
+
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (psa_input_post_copy_hook != NULL) {
+ psa_input_post_copy_hook(input, input_len);
+ }
+#endif
+
+ return PSA_SUCCESS;
+}
+
+/** Copy from a local output buffer into a user-supplied one.
+ *
+ * \param[in] output_copy Pointer to a local buffer containing the output.
+ * \param[in] output_copy_len Length of the local buffer.
+ * \param[out] output Pointer to user-supplied output buffer.
+ * \param[out] output_len Length of the user-supplied output buffer.
+ * \return #PSA_SUCCESS, if the buffer was successfully
+ * copied.
+ * \return #PSA_ERROR_BUFFER_TOO_SMALL, if the
+ * user-supplied output buffer is too small to
+ * hold the contents of the local buffer.
+ */
+MBEDTLS_STATIC_TESTABLE
+psa_status_t psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_len,
+ uint8_t *output, size_t output_len)
+{
+ if (output_len < output_copy_len) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (psa_output_pre_copy_hook != NULL) {
+ psa_output_pre_copy_hook(output, output_len);
+ }
+#endif
+
+ if (output_copy_len > 0) {
+ memcpy(output, output_copy, output_copy_len);
+ }
+
+#if defined(MBEDTLS_TEST_HOOKS)
+ if (psa_output_post_copy_hook != NULL) {
+ psa_output_post_copy_hook(output, output_len);
+ }
+#endif
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len,
+ psa_crypto_local_input_t *local_input)
+{
+ psa_status_t status;
+
+ *local_input = PSA_CRYPTO_LOCAL_INPUT_INIT;
+
+ if (input_len == 0) {
+ return PSA_SUCCESS;
+ }
+
+ local_input->buffer = mbedtls_calloc(input_len, 1);
+ if (local_input->buffer == NULL) {
+ /* Since we dealt with the zero-length case above, we know that
+ * a NULL return value means a failure of allocation. */
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ /* From now on, we must free local_input->buffer on error. */
+
+ local_input->length = input_len;
+
+ status = psa_crypto_copy_input(input, input_len,
+ local_input->buffer, local_input->length);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ return PSA_SUCCESS;
+
+error:
+ mbedtls_free(local_input->buffer);
+ local_input->buffer = NULL;
+ local_input->length = 0;
+ return status;
+}
+
+void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input)
+{
+ mbedtls_free(local_input->buffer);
+ local_input->buffer = NULL;
+ local_input->length = 0;
+}
+
+psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len,
+ psa_crypto_local_output_t *local_output)
+{
+ *local_output = PSA_CRYPTO_LOCAL_OUTPUT_INIT;
+
+ if (output_len == 0) {
+ return PSA_SUCCESS;
+ }
+ local_output->buffer = mbedtls_calloc(output_len, 1);
+ if (local_output->buffer == NULL) {
+ /* Since we dealt with the zero-length case above, we know that
+ * a NULL return value means a failure of allocation. */
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ local_output->length = output_len;
+ local_output->original = output;
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output)
+{
+ psa_status_t status;
+
+ if (local_output->buffer == NULL) {
+ local_output->length = 0;
+ return PSA_SUCCESS;
+ }
+ if (local_output->original == NULL) {
+ /* We have an internal copy but nothing to copy back to. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ status = psa_crypto_copy_output(local_output->buffer, local_output->length,
+ local_output->original, local_output->length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ mbedtls_free(local_output->buffer);
+ local_output->buffer = NULL;
+ local_output->length = 0;
+
+ return PSA_SUCCESS;
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c
new file mode 100644
index 0000000..a201985
--- /dev/null
+++ b/library/psa_crypto_aead.c
@@ -0,0 +1,649 @@
+/*
+ * PSA AEAD entry points
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include "psa_crypto_aead.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_cipher.h"
+
+#include <string.h>
+#include "mbedtls/platform.h"
+
+#include "mbedtls/ccm.h"
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/gcm.h"
+#include "mbedtls/error.h"
+
+static psa_status_t psa_aead_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_cipher_id_t cipher_id;
+ mbedtls_cipher_mode_t mode;
+ size_t key_bits = attributes->bits;
+ (void) key_buffer_size;
+
+ status = mbedtls_cipher_values_from_psa(alg, attributes->type,
+ &key_bits, &mode, &cipher_id);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
+ operation->alg = PSA_ALG_CCM;
+ /* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
+ * The call to mbedtls_ccm_encrypt_and_tag or
+ * mbedtls_ccm_auth_decrypt will validate the tag length. */
+ if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->type) != 16) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ mbedtls_ccm_init(&operation->ctx.ccm);
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_setkey(&operation->ctx.ccm, cipher_id,
+ key_buffer, (unsigned int) key_bits));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
+ operation->alg = PSA_ALG_GCM;
+ /* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
+ * The call to mbedtls_gcm_crypt_and_tag or
+ * mbedtls_gcm_auth_decrypt will validate the tag length. */
+ if (PSA_BLOCK_CIPHER_BLOCK_LENGTH(attributes->type) != 16) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ mbedtls_gcm_init(&operation->ctx.gcm);
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_setkey(&operation->ctx.gcm, cipher_id,
+ key_buffer, (unsigned int) key_bits));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
+ operation->alg = PSA_ALG_CHACHA20_POLY1305;
+ /* We only support the default tag length. */
+ if (alg != PSA_ALG_CHACHA20_POLY1305) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ mbedtls_chachapoly_init(&operation->ctx.chachapoly);
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_setkey(&operation->ctx.chachapoly,
+ key_buffer));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+
+ default:
+ (void) status;
+ (void) key_buffer;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ operation->key_type = psa_get_key_type(attributes);
+
+ operation->tag_length = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_aead_encrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *plaintext, size_t plaintext_length,
+ uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
+ uint8_t *tag;
+
+ status = psa_aead_setup(&operation, attributes, key_buffer,
+ key_buffer_size, alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* For all currently supported modes, the tag is at the end of the
+ * ciphertext. */
+ if (ciphertext_size < (plaintext_length + operation.tag_length)) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+ tag = ciphertext + plaintext_length;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation.alg == PSA_ALG_CCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_encrypt_and_tag(&operation.ctx.ccm,
+ plaintext_length,
+ nonce, nonce_length,
+ additional_data,
+ additional_data_length,
+ plaintext, ciphertext,
+ tag, operation.tag_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation.alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_crypt_and_tag(&operation.ctx.gcm,
+ MBEDTLS_GCM_ENCRYPT,
+ plaintext_length,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, ciphertext,
+ operation.tag_length, tag));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation.alg == PSA_ALG_CHACHA20_POLY1305) {
+ if (operation.tag_length != 16) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_encrypt_and_tag(&operation.ctx.chachapoly,
+ plaintext_length,
+ nonce,
+ additional_data,
+ additional_data_length,
+ plaintext,
+ ciphertext,
+ tag));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) tag;
+ (void) nonce;
+ (void) nonce_length;
+ (void) additional_data;
+ (void) additional_data_length;
+ (void) plaintext;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status == PSA_SUCCESS) {
+ *ciphertext_length = plaintext_length + operation.tag_length;
+ }
+
+exit:
+ mbedtls_psa_aead_abort(&operation);
+
+ return status;
+}
+
+/* Locate the tag in a ciphertext buffer containing the encrypted data
+ * followed by the tag. Return the length of the part preceding the tag in
+ * *plaintext_length. This is the size of the plaintext in modes where
+ * the encrypted data has the same size as the plaintext, such as
+ * CCM and GCM. */
+static psa_status_t psa_aead_unpadded_locate_tag(size_t tag_length,
+ const uint8_t *ciphertext,
+ size_t ciphertext_length,
+ size_t plaintext_size,
+ const uint8_t **p_tag)
+{
+ size_t payload_length;
+ if (tag_length > ciphertext_length) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ payload_length = ciphertext_length - tag_length;
+ if (payload_length > plaintext_size) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ *p_tag = ciphertext + payload_length;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_aead_decrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *ciphertext, size_t ciphertext_length,
+ uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_aead_operation_t operation = MBEDTLS_PSA_AEAD_OPERATION_INIT;
+ const uint8_t *tag = NULL;
+
+ status = psa_aead_setup(&operation, attributes, key_buffer,
+ key_buffer_size, alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_aead_unpadded_locate_tag(operation.tag_length,
+ ciphertext, ciphertext_length,
+ plaintext_size, &tag);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation.alg == PSA_ALG_CCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_auth_decrypt(&operation.ctx.ccm,
+ ciphertext_length - operation.tag_length,
+ nonce, nonce_length,
+ additional_data,
+ additional_data_length,
+ ciphertext, plaintext,
+ tag, operation.tag_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation.alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_auth_decrypt(&operation.ctx.gcm,
+ ciphertext_length - operation.tag_length,
+ nonce, nonce_length,
+ additional_data,
+ additional_data_length,
+ tag, operation.tag_length,
+ ciphertext, plaintext));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation.alg == PSA_ALG_CHACHA20_POLY1305) {
+ if (operation.tag_length != 16) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_auth_decrypt(&operation.ctx.chachapoly,
+ ciphertext_length - operation.tag_length,
+ nonce,
+ additional_data,
+ additional_data_length,
+ tag,
+ ciphertext,
+ plaintext));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) nonce;
+ (void) nonce_length;
+ (void) additional_data;
+ (void) additional_data_length;
+ (void) plaintext;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status == PSA_SUCCESS) {
+ *plaintext_length = ciphertext_length - operation.tag_length;
+ }
+
+exit:
+ mbedtls_psa_aead_abort(&operation);
+
+ if (status == PSA_SUCCESS) {
+ *plaintext_length = ciphertext_length - operation.tag_length;
+ }
+ return status;
+}
+
+/* Set the key and algorithm for a multipart authenticated encryption
+ * operation. */
+psa_status_t mbedtls_psa_aead_encrypt_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_aead_setup(operation, attributes, key_buffer,
+ key_buffer_size, alg);
+
+ if (status == PSA_SUCCESS) {
+ operation->is_encrypt = 1;
+ }
+
+ return status;
+}
+
+/* Set the key and algorithm for a multipart authenticated decryption
+ * operation. */
+psa_status_t mbedtls_psa_aead_decrypt_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_aead_setup(operation, attributes, key_buffer,
+ key_buffer_size, alg);
+
+ if (status == PSA_SUCCESS) {
+ operation->is_encrypt = 0;
+ }
+
+ return status;
+}
+
+/* Set a nonce for the multipart AEAD operation*/
+psa_status_t mbedtls_psa_aead_set_nonce(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation->alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_starts(&operation->ctx.gcm,
+ operation->is_encrypt ?
+ MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
+ nonce,
+ nonce_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_starts(&operation->ctx.ccm,
+ operation->is_encrypt ?
+ MBEDTLS_CCM_ENCRYPT : MBEDTLS_CCM_DECRYPT,
+ nonce,
+ nonce_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
+ /* Note - ChaChaPoly allows an 8 byte nonce, but we would have to
+ * allocate a buffer in the operation, copy the nonce to it and pad
+ * it, so for now check the nonce is 12 bytes, as
+ * mbedtls_chachapoly_starts() assumes it can read 12 bytes from the
+ * passed in buffer. */
+ if (nonce_length != 12) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_starts(&operation->ctx.chachapoly,
+ nonce,
+ operation->is_encrypt ?
+ MBEDTLS_CHACHAPOLY_ENCRYPT :
+ MBEDTLS_CHACHAPOLY_DECRYPT));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) operation;
+ (void) nonce;
+ (void) nonce_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return status;
+}
+
+/* Declare the lengths of the message and additional data for AEAD. */
+psa_status_t mbedtls_psa_aead_set_lengths(
+ mbedtls_psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length)
+{
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ return mbedtls_to_psa_error(
+ mbedtls_ccm_set_lengths(&operation->ctx.ccm,
+ ad_length,
+ plaintext_length,
+ operation->tag_length));
+
+ }
+#else /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+ (void) operation;
+ (void) ad_length;
+ (void) plaintext_length;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+
+ return PSA_SUCCESS;
+}
+
+/* Pass additional data to an active multipart AEAD operation. */
+psa_status_t mbedtls_psa_aead_update_ad(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation->alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_update_ad(&operation->ctx.gcm, input, input_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_update_ad(&operation->ctx.ccm, input, input_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_update_aad(&operation->ctx.chachapoly,
+ input,
+ input_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) operation;
+ (void) input;
+ (void) input_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return status;
+}
+
+/* Encrypt or decrypt a message fragment in an active multipart AEAD
+ * operation.*/
+psa_status_t mbedtls_psa_aead_update(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ size_t update_output_length;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ update_output_length = input_length;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation->alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_update(&operation->ctx.gcm,
+ input, input_length,
+ output, output_size,
+ &update_output_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ if (output_size < input_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_update(&operation->ctx.ccm,
+ input, input_length,
+ output, output_size,
+ &update_output_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
+ if (output_size < input_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_update(&operation->ctx.chachapoly,
+ input_length,
+ input,
+ output));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) operation;
+ (void) input;
+ (void) output;
+ (void) output_size;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status == PSA_SUCCESS) {
+ *output_length = update_output_length;
+ }
+
+ return status;
+}
+
+/* Finish encrypting a message in a multipart AEAD operation. */
+psa_status_t mbedtls_psa_aead_finish(
+ mbedtls_psa_aead_operation_t *operation,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag,
+ size_t tag_size,
+ size_t *tag_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t finish_output_size = 0;
+
+ if (tag_size < operation->tag_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ if (operation->alg == PSA_ALG_GCM) {
+ status = mbedtls_to_psa_error(
+ mbedtls_gcm_finish(&operation->ctx.gcm,
+ ciphertext, ciphertext_size, ciphertext_length,
+ tag, operation->tag_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ if (operation->alg == PSA_ALG_CCM) {
+ /* tag must be big enough to store a tag of size passed into set
+ * lengths. */
+ if (tag_size < operation->tag_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ccm_finish(&operation->ctx.ccm,
+ tag, operation->tag_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ if (operation->alg == PSA_ALG_CHACHA20_POLY1305) {
+ /* Belt and braces. Although the above tag_size check should have
+ * already done this, if we later start supporting smaller tag sizes
+ * for chachapoly, then passing a tag buffer smaller than 16 into here
+ * could cause a buffer overflow, so better safe than sorry. */
+ if (tag_size < 16) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_chachapoly_finish(&operation->ctx.chachapoly,
+ tag));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ {
+ (void) ciphertext;
+ (void) ciphertext_size;
+ (void) ciphertext_length;
+ (void) tag;
+ (void) tag_size;
+ (void) tag_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status == PSA_SUCCESS) {
+ /* This will be zero for all supported algorithms currently, but left
+ * here for future support. */
+ *ciphertext_length = finish_output_size;
+ *tag_length = operation->tag_length;
+ }
+
+ return status;
+}
+
+/* Abort an AEAD operation */
+psa_status_t mbedtls_psa_aead_abort(
+ mbedtls_psa_aead_operation_t *operation)
+{
+ switch (operation->alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ case PSA_ALG_CCM:
+ mbedtls_ccm_free(&operation->ctx.ccm);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ case PSA_ALG_GCM:
+ mbedtls_gcm_free(&operation->ctx.gcm);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_CHACHA20_POLY1305:
+ mbedtls_chachapoly_free(&operation->ctx.chachapoly);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
+ }
+
+ operation->is_encrypt = 0;
+
+ return PSA_SUCCESS;
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_aead.h b/library/psa_crypto_aead.h
new file mode 100644
index 0000000..a339219
--- /dev/null
+++ b/library/psa_crypto_aead.h
@@ -0,0 +1,499 @@
+/*
+ * PSA AEAD driver entry points
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_AEAD_H
+#define PSA_CRYPTO_AEAD_H
+
+#include <psa/crypto.h>
+
+/**
+ * \brief Process an authenticated encryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_encrypt entry point. This function behaves as an aead_encrypt
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The AEAD algorithm to compute.
+ * \param[in] nonce Nonce or IV to use.
+ * \param nonce_length Size of the nonce buffer in bytes. This must
+ * be appropriate for the selected algorithm.
+ * The default nonce size is
+ * PSA_AEAD_NONCE_LENGTH(key_type, alg) where
+ * key_type is the type of key.
+ * \param[in] additional_data Additional data that will be authenticated
+ * but not encrypted.
+ * \param additional_data_length Size of additional_data in bytes.
+ * \param[in] plaintext Data that will be authenticated and encrypted.
+ * \param plaintext_length Size of plaintext in bytes.
+ * \param[out] ciphertext Output buffer for the authenticated and
+ * encrypted data. The additional data is not
+ * part of this output. For algorithms where the
+ * encrypted data and the authentication tag are
+ * defined as separate outputs, the
+ * authentication tag is appended to the
+ * encrypted data.
+ * \param ciphertext_size Size of the ciphertext buffer in bytes. This
+ * must be appropriate for the selected algorithm
+ * and key:
+ * - A sufficient output size is
+ * PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg,
+ * plaintext_length) where key_type is the type
+ * of key.
+ * - PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(
+ * plaintext_length) evaluates to the maximum
+ * ciphertext size of any supported AEAD
+ * encryption.
+ * \param[out] ciphertext_length On success, the size of the output in the
+ * ciphertext buffer.
+ *
+ * \retval #PSA_SUCCESS Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * ciphertext_size is too small.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_aead_encrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *plaintext, size_t plaintext_length,
+ uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length);
+
+/**
+ * \brief Process an authenticated decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_decrypt entry point. This function behaves as an aead_decrypt
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The AEAD algorithm to compute.
+ * \param[in] nonce Nonce or IV to use.
+ * \param nonce_length Size of the nonce buffer in bytes. This must
+ * be appropriate for the selected algorithm.
+ * The default nonce size is
+ * PSA_AEAD_NONCE_LENGTH(key_type, alg) where
+ * key_type is the type of key.
+ * \param[in] additional_data Additional data that has been authenticated
+ * but not encrypted.
+ * \param additional_data_length Size of additional_data in bytes.
+ * \param[in] ciphertext Data that has been authenticated and
+ * encrypted. For algorithms where the encrypted
+ * data and the authentication tag are defined
+ * as separate inputs, the buffer contains
+ * encrypted data followed by the authentication
+ * tag.
+ * \param ciphertext_length Size of ciphertext in bytes.
+ * \param[out] plaintext Output buffer for the decrypted data.
+ * \param plaintext_size Size of the plaintext buffer in bytes. This
+ * must be appropriate for the selected algorithm
+ * and key:
+ * - A sufficient output size is
+ * PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg,
+ * ciphertext_length) where key_type is the
+ * type of key.
+ * - PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(
+ * ciphertext_length) evaluates to the maximum
+ * plaintext size of any supported AEAD
+ * decryption.
+ * \param[out] plaintext_length On success, the size of the output in the
+ * plaintext buffer.
+ *
+ * \retval #PSA_SUCCESS Success.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The cipher is not authentic.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * plaintext_size is too small.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_aead_decrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *ciphertext, size_t ciphertext_length,
+ uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length);
+
+/** Set the key for a multipart authenticated encryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_encrypt_setup entry point. This function behaves as an
+ * aead_encrypt_setup entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * If an error occurs at any step after a call to
+ * mbedtls_psa_aead_encrypt_setup(), the operation is reset by the PSA core by a
+ * call to mbedtls_psa_aead_abort(). The PSA core may call
+ * mbedtls_psa_aead_abort() at any time after the operation has been
+ * initialized, and is required to when the operation is no longer needed.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #mbedtls_psa_aead_operation_t and not yet in
+ * use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ It must be consistent with the size in bits
+ recorded in \p attributes.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An invalid block length was supplied.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * Failed to allocate memory for key material
+ */
+psa_status_t mbedtls_psa_aead_encrypt_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Set the key for a multipart authenticated decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_decrypt_setup entry point. This function behaves as an
+ * aead_decrypt_setup entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * If an error occurs at any step after a call to
+ * mbedtls_psa_aead_decrypt_setup(), the PSA core resets the operation by a
+ * call to mbedtls_psa_aead_abort(). The PSA core may call
+ * mbedtls_psa_aead_abort() at any time after the operation has been
+ * initialized, and is required to when the operation is no longer needed.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #mbedtls_psa_aead_operation_t and not yet in
+ * use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ It must be consistent with the size in bits
+ recorded in \p attributes.
+ * \param alg The AEAD algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An invalid block length was supplied.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * Failed to allocate memory for key material
+ */
+psa_status_t mbedtls_psa_aead_decrypt_setup(
+ mbedtls_psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Set the nonce for an authenticated encryption or decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver aead_set_nonce
+ * entry point. This function behaves as an aead_set_nonce entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * This function sets the nonce for the authenticated
+ * encryption or decryption operation.
+ *
+ * The PSA core calls mbedtls_psa_aead_encrypt_setup() or
+ * mbedtls_psa_aead_decrypt_setup() before calling this function.
+ *
+ * If this function returns an error status, the PSA core will call
+ * mbedtls_psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] nonce Buffer containing the nonce to use.
+ * \param nonce_length Size of the nonce in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p nonce is not acceptable for the chosen algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Algorithm previously set is not supported in this configuration of
+ * the library.
+ */
+psa_status_t mbedtls_psa_aead_set_nonce(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length);
+
+/** Declare the lengths of the message and additional data for AEAD.
+ *
+ * \note The signature of this function is that of a PSA driver aead_set_lengths
+ * entry point. This function behaves as an aead_set_lengths entry point
+ * as defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The PSA core calls this function before calling mbedtls_psa_aead_update_ad()
+ * or mbedtls_psa_aead_update() if the algorithm for the operation requires it.
+ * If the algorithm does not require it, calling this function is optional, but
+ * if this function is called then the implementation must enforce the lengths.
+ *
+ * The PSA core may call this function before or after setting the nonce with
+ * mbedtls_psa_aead_set_nonce().
+ *
+ * - For #PSA_ALG_CCM, calling this function is required.
+ * - For the other AEAD algorithms defined in this specification, calling
+ * this function is not required.
+ *
+ * If this function returns an error status, the PSA core calls
+ * mbedtls_psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param ad_length Size of the non-encrypted additional
+ * authenticated data in bytes.
+ * \param plaintext_length Size of the plaintext to encrypt in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * At least one of the lengths is not acceptable for the chosen
+ * algorithm.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Algorithm previously set is not supported in this configuration of
+ * the library.
+ */
+psa_status_t mbedtls_psa_aead_set_lengths(
+ mbedtls_psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length);
+
+/** Pass additional data to an active AEAD operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_update_ad entry point. This function behaves as an aead_update_ad
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * Additional data is authenticated, but not encrypted.
+ *
+ * The PSA core can call this function multiple times to pass successive
+ * fragments of the additional data. It will not call this function after
+ * passing data to encrypt or decrypt with mbedtls_psa_aead_update().
+ *
+ * Before calling this function, the PSA core will:
+ * 1. Call either mbedtls_psa_aead_encrypt_setup() or
+ * mbedtls_psa_aead_decrypt_setup().
+ * 2. Set the nonce with mbedtls_psa_aead_set_nonce().
+ *
+ * If this function returns an error status, the PSA core will call
+ * mbedtls_psa_aead_abort().
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] input Buffer containing the fragment of
+ * additional data.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Algorithm previously set is not supported in this configuration of
+ * the library.
+ */
+psa_status_t mbedtls_psa_aead_update_ad(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Encrypt or decrypt a message fragment in an active AEAD operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_update entry point. This function behaves as an aead_update entry
+ * point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * Before calling this function, the PSA core will:
+ * 1. Call either mbedtls_psa_aead_encrypt_setup() or
+ * mbedtls_psa_aead_decrypt_setup(). The choice of setup function
+ * determines whether this function encrypts or decrypts its input.
+ * 2. Set the nonce with mbedtls_psa_aead_set_nonce().
+ * 3. Call mbedtls_psa_aead_update_ad() to pass all the additional data.
+ *
+ * If this function returns an error status, the PSA core will call
+ * mbedtls_psa_aead_abort().
+ *
+ * This function does not require the input to be aligned to any
+ * particular block boundary. If the implementation can only process
+ * a whole block at a time, it must consume all the input provided, but
+ * it may delay the end of the corresponding output until a subsequent
+ * call to mbedtls_psa_aead_update(), mbedtls_psa_aead_finish() provides
+ * sufficient input. The amount of data that can be delayed in this way is
+ * bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[in] input Buffer containing the message fragment to
+ * encrypt or decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type,
+ * \c alg, \p input_length) where
+ * \c key_type is the type of key and \c alg is
+ * the algorithm that were used to set up the
+ * operation.
+ * - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p
+ * input_length) evaluates to the maximum
+ * output size of any supported AEAD
+ * algorithm.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or
+ * #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to
+ * determine the required buffer size.
+ */
+psa_status_t mbedtls_psa_aead_update(
+ mbedtls_psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Finish encrypting a message in an AEAD operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_finish entry point. This function behaves as an aead_finish entry
+ * point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * The operation must have been set up by the PSA core with
+ * mbedtls_psa_aead_encrypt_setup().
+ *
+ * This function finishes the authentication of the additional data
+ * formed by concatenating the inputs passed to preceding calls to
+ * mbedtls_psa_aead_update_ad() with the plaintext formed by concatenating the
+ * inputs passed to preceding calls to mbedtls_psa_aead_update().
+ *
+ * This function has two output buffers:
+ * - \p ciphertext contains trailing ciphertext that was buffered from
+ * preceding calls to mbedtls_psa_aead_update().
+ * - \p tag contains the authentication tag.
+ *
+ * Whether or not this function returns successfully, the PSA core subsequently
+ * calls mbedtls_psa_aead_abort() to deactivate the operation.
+ *
+ * \param[in,out] operation Active AEAD operation.
+ * \param[out] ciphertext Buffer where the last part of the ciphertext
+ * is to be written.
+ * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - A sufficient output size is
+ * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type,
+ * \c alg) where \c key_type is the type of key
+ * and \c alg is the algorithm that were used to
+ * set up the operation.
+ * - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to
+ * the maximum output size of any supported AEAD
+ * algorithm.
+ * \param[out] ciphertext_length On success, the number of bytes of
+ * returned ciphertext.
+ * \param[out] tag Buffer where the authentication tag is
+ * to be written.
+ * \param tag_size Size of the \p tag buffer in bytes.
+ * This must be appropriate for the selected
+ * algorithm and key:
+ * - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c
+ * key_type, \c key_bits, \c alg) where
+ * \c key_type and \c key_bits are the type and
+ * bit-size of the key, and \c alg are the
+ * algorithm that were used in the call to
+ * mbedtls_psa_aead_encrypt_setup().
+ * - #PSA_AEAD_TAG_MAX_SIZE evaluates to the
+ * maximum tag size of any supported AEAD
+ * algorithm.
+ * \param[out] tag_length On success, the number of bytes
+ * that make up the returned tag.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p tag buffer is too small.
+ * #PSA_AEAD_TAG_LENGTH(\c key_type, key_bits, \c alg) or
+ * #PSA_AEAD_TAG_MAX_SIZE can be used to determine the required \p tag
+ * buffer size.
+ */
+psa_status_t mbedtls_psa_aead_finish(
+ mbedtls_psa_aead_operation_t *operation,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag,
+ size_t tag_size,
+ size_t *tag_length);
+
+/** Abort an AEAD operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * aead_abort entry point. This function behaves as an aead_abort entry
+ * point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by the PSA core by it calling
+ * mbedtls_psa_aead_encrypt_setup() or mbedtls_psa_aead_decrypt_setup() again.
+ *
+ * The PSA core may call this function any time after the operation object has
+ * been initialized as described in #mbedtls_psa_aead_operation_t.
+ *
+ * In particular, calling mbedtls_psa_aead_abort() after the operation has been
+ * terminated by a call to mbedtls_psa_aead_abort() or
+ * mbedtls_psa_aead_finish() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized AEAD operation.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ */
+psa_status_t mbedtls_psa_aead_abort(
+ mbedtls_psa_aead_operation_t *operation);
+
+#endif /* PSA_CRYPTO_AEAD_H */
diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c
new file mode 100644
index 0000000..881d673
--- /dev/null
+++ b/library/psa_crypto_cipher.c
@@ -0,0 +1,724 @@
+/*
+ * PSA cipher driver entry points
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include "psa_crypto_cipher.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_random_impl.h"
+
+#include "mbedtls/cipher.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+/* mbedtls_cipher_values_from_psa() below only checks if the proper build symbols
+ * are enabled, but it does not provide any compatibility check between them
+ * (i.e. if the specified key works with the specified algorithm). This helper
+ * function is meant to provide this support.
+ * mbedtls_cipher_info_from_psa() might be used for the same purpose, but it
+ * requires CIPHER_C to be enabled.
+ */
+static psa_status_t mbedtls_cipher_validate_values(
+ psa_algorithm_t alg,
+ psa_key_type_t key_type)
+{
+ /* Reduce code size - hinting to the compiler about what it can assume allows the compiler to
+ eliminate bits of the logic below. */
+#if !defined(PSA_WANT_KEY_TYPE_AES)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_AES);
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_ARIA)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_ARIA);
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_CAMELLIA)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_CAMELLIA);
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_CHACHA20)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_CHACHA20);
+#endif
+#if !defined(PSA_WANT_KEY_TYPE_DES)
+ MBEDTLS_ASSUME(key_type != PSA_KEY_TYPE_DES);
+#endif
+#if !defined(PSA_WANT_ALG_CCM)
+ MBEDTLS_ASSUME(alg != PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0));
+#endif
+#if !defined(PSA_WANT_ALG_GCM)
+ MBEDTLS_ASSUME(alg != PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0));
+#endif
+#if !defined(PSA_WANT_ALG_STREAM_CIPHER)
+ MBEDTLS_ASSUME(alg != PSA_ALG_STREAM_CIPHER);
+#endif
+#if !defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+ MBEDTLS_ASSUME(alg != PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0));
+#endif
+#if !defined(PSA_WANT_ALG_CCM_STAR_NO_TAG)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CCM_STAR_NO_TAG);
+#endif
+#if !defined(PSA_WANT_ALG_CTR)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CTR);
+#endif
+#if !defined(PSA_WANT_ALG_CFB)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CFB);
+#endif
+#if !defined(PSA_WANT_ALG_OFB)
+ MBEDTLS_ASSUME(alg != PSA_ALG_OFB);
+#endif
+#if !defined(PSA_WANT_ALG_XTS)
+ MBEDTLS_ASSUME(alg != PSA_ALG_XTS);
+#endif
+#if !defined(PSA_WANT_ALG_ECB_NO_PADDING)
+ MBEDTLS_ASSUME(alg != PSA_ALG_ECB_NO_PADDING);
+#endif
+#if !defined(PSA_WANT_ALG_CBC_NO_PADDING)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CBC_NO_PADDING);
+#endif
+#if !defined(PSA_WANT_ALG_CBC_PKCS7)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CBC_PKCS7);
+#endif
+#if !defined(PSA_WANT_ALG_CMAC)
+ MBEDTLS_ASSUME(alg != PSA_ALG_CMAC);
+#endif
+
+ if (alg == PSA_ALG_STREAM_CIPHER ||
+ alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0)) {
+ if (key_type == PSA_KEY_TYPE_CHACHA20) {
+ return PSA_SUCCESS;
+ }
+ }
+
+ if (alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0) ||
+ alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0) ||
+ alg == PSA_ALG_CCM_STAR_NO_TAG) {
+ if (key_type == PSA_KEY_TYPE_AES ||
+ key_type == PSA_KEY_TYPE_ARIA ||
+ key_type == PSA_KEY_TYPE_CAMELLIA) {
+ return PSA_SUCCESS;
+ }
+ }
+
+ if (alg == PSA_ALG_CTR ||
+ alg == PSA_ALG_CFB ||
+ alg == PSA_ALG_OFB ||
+ alg == PSA_ALG_XTS ||
+ alg == PSA_ALG_ECB_NO_PADDING ||
+ alg == PSA_ALG_CBC_NO_PADDING ||
+ alg == PSA_ALG_CBC_PKCS7 ||
+ alg == PSA_ALG_CMAC) {
+ if (key_type == PSA_KEY_TYPE_AES ||
+ key_type == PSA_KEY_TYPE_ARIA ||
+ key_type == PSA_KEY_TYPE_DES ||
+ key_type == PSA_KEY_TYPE_CAMELLIA) {
+ return PSA_SUCCESS;
+ }
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t mbedtls_cipher_values_from_psa(
+ psa_algorithm_t alg,
+ psa_key_type_t key_type,
+ size_t *key_bits,
+ mbedtls_cipher_mode_t *mode,
+ mbedtls_cipher_id_t *cipher_id)
+{
+ mbedtls_cipher_id_t cipher_id_tmp;
+ /* Only DES modifies key_bits */
+#if !defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ (void) key_bits;
+#endif
+
+ if (PSA_ALG_IS_AEAD(alg)) {
+ alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0);
+ }
+
+ if (PSA_ALG_IS_CIPHER(alg) || PSA_ALG_IS_AEAD(alg)) {
+ switch (alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER)
+ case PSA_ALG_STREAM_CIPHER:
+ *mode = MBEDTLS_MODE_STREAM;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CTR)
+ case PSA_ALG_CTR:
+ *mode = MBEDTLS_MODE_CTR;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CFB)
+ case PSA_ALG_CFB:
+ *mode = MBEDTLS_MODE_CFB;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_OFB)
+ case PSA_ALG_OFB:
+ *mode = MBEDTLS_MODE_OFB;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
+ case PSA_ALG_ECB_NO_PADDING:
+ *mode = MBEDTLS_MODE_ECB;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING)
+ case PSA_ALG_CBC_NO_PADDING:
+ *mode = MBEDTLS_MODE_CBC;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
+ case PSA_ALG_CBC_PKCS7:
+ *mode = MBEDTLS_MODE_CBC;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG)
+ case PSA_ALG_CCM_STAR_NO_TAG:
+ *mode = MBEDTLS_MODE_CCM_STAR_NO_TAG;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0):
+ *mode = MBEDTLS_MODE_CCM;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0):
+ *mode = MBEDTLS_MODE_GCM;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
+ case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0):
+ *mode = MBEDTLS_MODE_CHACHAPOLY;
+ break;
+#endif
+ default:
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ } else if (alg == PSA_ALG_CMAC) {
+ *mode = MBEDTLS_MODE_ECB;
+ } else {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ switch (key_type) {
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES)
+ case PSA_KEY_TYPE_AES:
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_AES;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA)
+ case PSA_KEY_TYPE_ARIA:
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_ARIA;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ case PSA_KEY_TYPE_DES:
+ /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES,
+ * and 192 for three-key Triple-DES. */
+ if (*key_bits == 64) {
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_DES;
+ } else {
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES;
+ }
+ /* mbedtls doesn't recognize two-key Triple-DES as an algorithm,
+ * but two-key Triple-DES is functionally three-key Triple-DES
+ * with K1=K3, so that's how we present it to mbedtls. */
+ if (*key_bits == 128) {
+ *key_bits = 192;
+ }
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA)
+ case PSA_KEY_TYPE_CAMELLIA:
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_CAMELLIA;
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20)
+ case PSA_KEY_TYPE_CHACHA20:
+ cipher_id_tmp = MBEDTLS_CIPHER_ID_CHACHA20;
+ break;
+#endif
+ default:
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (cipher_id != NULL) {
+ *cipher_id = cipher_id_tmp;
+ }
+
+ return mbedtls_cipher_validate_values(alg, key_type);
+}
+
+#if defined(MBEDTLS_CIPHER_C)
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
+ psa_algorithm_t alg,
+ psa_key_type_t key_type,
+ size_t key_bits,
+ mbedtls_cipher_id_t *cipher_id)
+{
+ mbedtls_cipher_mode_t mode;
+ psa_status_t status;
+ mbedtls_cipher_id_t cipher_id_tmp;
+
+ status = mbedtls_cipher_values_from_psa(alg, key_type, &key_bits, &mode, &cipher_id_tmp);
+ if (status != PSA_SUCCESS) {
+ return NULL;
+ }
+ if (cipher_id != NULL) {
+ *cipher_id = cipher_id_tmp;
+ }
+
+ return mbedtls_cipher_info_from_values(cipher_id_tmp, (int) key_bits, mode);
+}
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+
+static psa_status_t psa_cipher_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ mbedtls_operation_t cipher_operation)
+{
+ int ret = 0;
+ size_t key_bits;
+ const mbedtls_cipher_info_t *cipher_info = NULL;
+ psa_key_type_t key_type = attributes->type;
+
+ (void) key_buffer_size;
+
+ mbedtls_cipher_init(&operation->ctx.cipher);
+
+ operation->alg = alg;
+ key_bits = attributes->bits;
+ cipher_info = mbedtls_cipher_info_from_psa(alg, key_type,
+ key_bits, NULL);
+ if (cipher_info == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ ret = mbedtls_cipher_setup(&operation->ctx.cipher, cipher_info);
+ if (ret != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES)
+ if (key_type == PSA_KEY_TYPE_DES && key_bits == 128) {
+ /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
+ uint8_t keys[24];
+ memcpy(keys, key_buffer, 16);
+ memcpy(keys + 16, key_buffer, 8);
+ ret = mbedtls_cipher_setkey(&operation->ctx.cipher,
+ keys,
+ 192, cipher_operation);
+ } else
+#endif
+ {
+ ret = mbedtls_cipher_setkey(&operation->ctx.cipher, key_buffer,
+ (int) key_bits, cipher_operation);
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7)
+ switch (alg) {
+ case PSA_ALG_CBC_NO_PADDING:
+ ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
+ MBEDTLS_PADDING_NONE);
+ break;
+ case PSA_ALG_CBC_PKCS7:
+ ret = mbedtls_cipher_set_padding_mode(&operation->ctx.cipher,
+ MBEDTLS_PADDING_PKCS7);
+ break;
+ default:
+ /* The algorithm doesn't involve padding. */
+ ret = 0;
+ break;
+ }
+ if (ret != 0) {
+ goto exit;
+ }
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING ||
+ MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */
+
+ operation->block_length = (PSA_ALG_IS_STREAM_CIPHER(alg) ? 1 :
+ PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type));
+ operation->iv_length = PSA_CIPHER_IV_LENGTH(key_type, alg);
+
+exit:
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_cipher_encrypt_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ return psa_cipher_setup(operation, attributes,
+ key_buffer, key_buffer_size,
+ alg, MBEDTLS_ENCRYPT);
+}
+
+psa_status_t mbedtls_psa_cipher_decrypt_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ return psa_cipher_setup(operation, attributes,
+ key_buffer, key_buffer_size,
+ alg, MBEDTLS_DECRYPT);
+}
+
+psa_status_t mbedtls_psa_cipher_set_iv(
+ mbedtls_psa_cipher_operation_t *operation,
+ const uint8_t *iv, size_t iv_length)
+{
+ if (iv_length != operation->iv_length) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ return mbedtls_to_psa_error(
+ mbedtls_cipher_set_iv(&operation->ctx.cipher,
+ iv, iv_length));
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
+/** Process input for which the algorithm is set to ECB mode.
+ *
+ * This requires manual processing, since the PSA API is defined as being
+ * able to process arbitrary-length calls to psa_cipher_update() with ECB mode,
+ * but the underlying mbedtls_cipher_update only takes full blocks.
+ *
+ * \param ctx The mbedtls cipher context to use. It must have been
+ * set up for ECB.
+ * \param[in] input The input plaintext or ciphertext to process.
+ * \param input_length The number of bytes to process from \p input.
+ * This does not need to be aligned to a block boundary.
+ * If there is a partial block at the end of the input,
+ * it is stored in \p ctx for future processing.
+ * \param output The buffer where the output is written. It must be
+ * at least `BS * floor((p + input_length) / BS)` bytes
+ * long, where `p` is the number of bytes in the
+ * unprocessed partial block in \p ctx (with
+ * `0 <= p <= BS - 1`) and `BS` is the block size.
+ * \param output_length On success, the number of bytes written to \p output.
+ * \c 0 on error.
+ *
+ * \return #PSA_SUCCESS or an error from a hardware accelerator
+ */
+static psa_status_t psa_cipher_update_ecb(
+ mbedtls_cipher_context_t *ctx,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
+ size_t internal_output_length = 0;
+ *output_length = 0;
+
+ if (input_length == 0) {
+ status = PSA_SUCCESS;
+ goto exit;
+ }
+
+ if (ctx->unprocessed_len > 0) {
+ /* Fill up to block size, and run the block if there's a full one. */
+ size_t bytes_to_copy = block_size - ctx->unprocessed_len;
+
+ if (input_length < bytes_to_copy) {
+ bytes_to_copy = input_length;
+ }
+
+ memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
+ input, bytes_to_copy);
+ input_length -= bytes_to_copy;
+ input += bytes_to_copy;
+ ctx->unprocessed_len += bytes_to_copy;
+
+ if (ctx->unprocessed_len == block_size) {
+ status = mbedtls_to_psa_error(
+ mbedtls_cipher_update(ctx,
+ ctx->unprocessed_data,
+ block_size,
+ output, &internal_output_length));
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ output += internal_output_length;
+ *output_length += internal_output_length;
+ ctx->unprocessed_len = 0;
+ }
+ }
+
+ while (input_length >= block_size) {
+ /* Run all full blocks we have, one by one */
+ status = mbedtls_to_psa_error(
+ mbedtls_cipher_update(ctx, input,
+ block_size,
+ output, &internal_output_length));
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ input_length -= block_size;
+ input += block_size;
+
+ output += internal_output_length;
+ *output_length += internal_output_length;
+ }
+
+ if (input_length > 0) {
+ /* Save unprocessed bytes for later processing */
+ memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]),
+ input, input_length);
+ ctx->unprocessed_len += input_length;
+ }
+
+ status = PSA_SUCCESS;
+
+exit:
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */
+
+psa_status_t mbedtls_psa_cipher_update(
+ mbedtls_psa_cipher_operation_t *operation,
+ const uint8_t *input, size_t input_length,
+ uint8_t *output, size_t output_size, size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t expected_output_size;
+
+ if (!PSA_ALG_IS_STREAM_CIPHER(operation->alg)) {
+ /* Take the unprocessed partial block left over from previous
+ * update calls, if any, plus the input to this call. Remove
+ * the last partial block, if any. You get the data that will be
+ * output in this call. */
+ expected_output_size =
+ (operation->ctx.cipher.unprocessed_len + input_length)
+ / operation->block_length * operation->block_length;
+ } else {
+ expected_output_size = input_length;
+ }
+
+ if (output_size < expected_output_size) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING)
+ if (operation->alg == PSA_ALG_ECB_NO_PADDING) {
+ /* mbedtls_cipher_update has an API inconsistency: it will only
+ * process a single block at a time in ECB mode. Abstract away that
+ * inconsistency here to match the PSA API behaviour. */
+ status = psa_cipher_update_ecb(&operation->ctx.cipher,
+ input,
+ input_length,
+ output,
+ output_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING */
+ if (input_length == 0) {
+ /* There is no input, nothing to be done */
+ *output_length = 0;
+ status = PSA_SUCCESS;
+ } else {
+ status = mbedtls_to_psa_error(
+ mbedtls_cipher_update(&operation->ctx.cipher, input,
+ input_length, output, output_length));
+
+ if (*output_length > output_size) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_cipher_finish(
+ mbedtls_psa_cipher_operation_t *operation,
+ uint8_t *output, size_t output_size, size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+ uint8_t temp_output_buffer[MBEDTLS_MAX_BLOCK_LENGTH];
+
+ if (operation->ctx.cipher.unprocessed_len != 0) {
+ if (operation->alg == PSA_ALG_ECB_NO_PADDING ||
+ operation->alg == PSA_ALG_CBC_NO_PADDING) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_cipher_finish(&operation->ctx.cipher,
+ temp_output_buffer,
+ output_length));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (*output_length == 0) {
+ ; /* Nothing to copy. Note that output may be NULL in this case. */
+ } else if (output_size >= *output_length) {
+ memcpy(output, temp_output_buffer, *output_length);
+ } else {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+exit:
+ mbedtls_platform_zeroize(temp_output_buffer,
+ sizeof(temp_output_buffer));
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_cipher_abort(
+ mbedtls_psa_cipher_operation_t *operation)
+{
+ /* Sanity check (shouldn't happen: operation->alg should
+ * always have been initialized to a valid value). */
+ if (!PSA_ALG_IS_CIPHER(operation->alg)) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ mbedtls_cipher_free(&operation->ctx.cipher);
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_cipher_encrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
+ size_t update_output_length, finish_output_length;
+
+ status = mbedtls_psa_cipher_encrypt_setup(&operation, attributes,
+ key_buffer, key_buffer_size,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (iv_length > 0) {
+ status = mbedtls_psa_cipher_set_iv(&operation, iv, iv_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = mbedtls_psa_cipher_update(&operation, input, input_length,
+ output, output_size,
+ &update_output_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_psa_cipher_finish(
+ &operation,
+ mbedtls_buffer_offset(output, update_output_length),
+ output_size - update_output_length, &finish_output_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *output_length = update_output_length + finish_output_length;
+
+exit:
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_psa_cipher_abort(&operation);
+ } else {
+ mbedtls_psa_cipher_abort(&operation);
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_cipher_decrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
+ size_t olength, accumulated_length;
+
+ status = mbedtls_psa_cipher_decrypt_setup(&operation, attributes,
+ key_buffer, key_buffer_size,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (operation.iv_length > 0) {
+ status = mbedtls_psa_cipher_set_iv(&operation,
+ input, operation.iv_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = mbedtls_psa_cipher_update(
+ &operation,
+ mbedtls_buffer_offset_const(input, operation.iv_length),
+ input_length - operation.iv_length,
+ output, output_size, &olength);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ accumulated_length = olength;
+
+ status = mbedtls_psa_cipher_finish(
+ &operation,
+ mbedtls_buffer_offset(output, accumulated_length),
+ output_size - accumulated_length, &olength);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *output_length = accumulated_length + olength;
+
+exit:
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_psa_cipher_abort(&operation);
+ } else {
+ mbedtls_psa_cipher_abort(&operation);
+ }
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h
new file mode 100644
index 0000000..cc56585
--- /dev/null
+++ b/library/psa_crypto_cipher.h
@@ -0,0 +1,316 @@
+/*
+ * PSA cipher driver entry points and associated auxiliary functions
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_CIPHER_H
+#define PSA_CRYPTO_CIPHER_H
+
+#include <mbedtls/cipher.h>
+#include <psa/crypto.h>
+
+/** Get Mbed TLS cipher information given the cipher algorithm PSA identifier
+ * as well as the PSA type and size of the key to be used with the cipher
+ * algorithm.
+ *
+ * \param[in] alg PSA cipher algorithm identifier
+ * \param[in] key_type PSA key type
+ * \param[in,out] key_bits Size of the key in bits. The value provided in input
+ * might be updated if necessary.
+ * \param[out] mode Mbed TLS cipher mode
+ * \param[out] cipher_id Mbed TLS cipher algorithm identifier
+ *
+ * \return On success \c PSA_SUCCESS is returned and key_bits, mode and cipher_id
+ * are properly updated.
+ * \c PSA_ERROR_NOT_SUPPORTED is returned if the cipher algorithm is not
+ * supported.
+ */
+
+psa_status_t mbedtls_cipher_values_from_psa(psa_algorithm_t alg, psa_key_type_t key_type,
+ size_t *key_bits, mbedtls_cipher_mode_t *mode,
+ mbedtls_cipher_id_t *cipher_id);
+
+#if defined(MBEDTLS_CIPHER_C)
+/** Get Mbed TLS cipher information given the cipher algorithm PSA identifier
+ * as well as the PSA type and size of the key to be used with the cipher
+ * algorithm.
+ *
+ * \param alg PSA cipher algorithm identifier
+ * \param key_type PSA key type
+ * \param key_bits Size of the key in bits
+ * \param[out] cipher_id Mbed TLS cipher algorithm identifier
+ *
+ * \return The Mbed TLS cipher information of the cipher algorithm.
+ * \c NULL if the PSA cipher algorithm is not supported.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
+ psa_algorithm_t alg, psa_key_type_t key_type, size_t key_bits,
+ mbedtls_cipher_id_t *cipher_id);
+#endif /* MBEDTLS_CIPHER_C */
+
+/**
+ * \brief Set the key for a multipart symmetric encryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_encrypt_setup entry point. This function behaves as a
+ * cipher_encrypt_setup entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It has been
+ * initialized as per the documentation for
+ * #psa_cipher_operation_t and not yet in use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_encrypt_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/**
+ * \brief Set the key for a multipart symmetric decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_decrypt_setup entry point. This function behaves as a
+ * cipher_decrypt_setup entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It has been
+ * initialized as per the documentation for
+ * #psa_cipher_operation_t and not yet in use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_decrypt_setup(
+ mbedtls_psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Set the IV for a symmetric encryption or decryption operation.
+ *
+ * This function sets the IV (initialization vector), nonce
+ * or initial counter value for the encryption or decryption operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_set_iv entry point. This function behaves as a
+ * cipher_set_iv entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[in] iv Buffer containing the IV to use.
+ * \param[in] iv_length Size of the IV in bytes. It is guaranteed by
+ * the core to be less or equal to
+ * PSA_CIPHER_IV_MAX_SIZE.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p iv is not acceptable for the chosen algorithm,
+ * or the chosen algorithm does not use an IV.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_set_iv(
+ mbedtls_psa_cipher_operation_t *operation,
+ const uint8_t *iv, size_t iv_length);
+
+/** Encrypt or decrypt a message fragment in an active cipher operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_update entry point. This function behaves as a
+ * cipher_update entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[in] input Buffer containing the message fragment to
+ * encrypt or decrypt.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param[in] output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_update(
+ mbedtls_psa_cipher_operation_t *operation,
+ const uint8_t *input, size_t input_length,
+ uint8_t *output, size_t output_size, size_t *output_length);
+
+/** Finish encrypting or decrypting a message in a cipher operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_finish entry point. This function behaves as a
+ * cipher_finish entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Active cipher operation.
+ * \param[out] output Buffer where the output is to be written.
+ * \param[in] output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The total input size passed to this operation is not valid for
+ * this particular algorithm. For example, the algorithm is a based
+ * on block cipher and requires a whole number of blocks, but the
+ * total input size is not a multiple of the block size.
+ * \retval #PSA_ERROR_INVALID_PADDING
+ * This is a decryption operation for an algorithm that includes
+ * padding, and the ciphertext does not contain valid padding.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_finish(
+ mbedtls_psa_cipher_operation_t *operation,
+ uint8_t *output, size_t output_size, size_t *output_length);
+
+/** Abort a cipher operation.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_abort entry point. This function behaves as a
+ * cipher_abort entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Initialized cipher operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ */
+psa_status_t mbedtls_psa_cipher_abort(mbedtls_psa_cipher_operation_t *operation);
+
+/** Encrypt a message using a symmetric cipher.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_encrypt entry point. This function behaves as a
+ * cipher_encrypt entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param[in] iv Buffer containing the IV for encryption. The
+ * IV has been generated by the core.
+ * \param[in] iv_length Size of the \p iv in bytes.
+ * \param[in] input Buffer containing the message to encrypt.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[in,out] output Buffer where the output is to be written.
+ * \param[in] output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes that make up
+ * the returned output. Initialized to zero
+ * by the core.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size \p iv_length is not acceptable for the chosen algorithm,
+ * or the chosen algorithm does not use an IV.
+ * The total input size passed to this operation is not valid for
+ * this particular algorithm. For example, the algorithm is a based
+ * on block cipher and requires a whole number of blocks, but the
+ * total input size is not a multiple of the block size.
+ * \retval #PSA_ERROR_INVALID_PADDING
+ * This is a decryption operation for an algorithm that includes
+ * padding, and the ciphertext does not contain valid padding.
+ */
+psa_status_t mbedtls_psa_cipher_encrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Decrypt a message using a symmetric cipher.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * cipher_decrypt entry point. This function behaves as a
+ * cipher_decrypt entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ * \param[in] input Buffer containing the iv and the ciphertext.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] output Buffer where the output is to be written.
+ * \param[in] output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes that make up
+ * the returned output. Initialized to zero
+ * by the core.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size of \p iv is not acceptable for the chosen algorithm,
+ * or the chosen algorithm does not use an IV.
+ * The total input size passed to this operation is not valid for
+ * this particular algorithm. For example, the algorithm is a based
+ * on block cipher and requires a whole number of blocks, but the
+ * total input size is not a multiple of the block size.
+ * \retval #PSA_ERROR_INVALID_PADDING
+ * This is a decryption operation for an algorithm that includes
+ * padding, and the ciphertext does not contain valid padding.
+ */
+psa_status_t mbedtls_psa_cipher_decrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+#endif /* PSA_CRYPTO_CIPHER_H */
diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c
new file mode 100644
index 0000000..72f671d
--- /dev/null
+++ b/library/psa_crypto_client.c
@@ -0,0 +1,22 @@
+/*
+ * PSA crypto client code
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+#include "psa/crypto.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+#include <string.h>
+#include "mbedtls/platform.h"
+
+void psa_reset_key_attributes(psa_key_attributes_t *attributes)
+{
+ memset(attributes, 0, sizeof(*attributes));
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
new file mode 100644
index 0000000..9462d2e
--- /dev/null
+++ b/library/psa_crypto_core.h
@@ -0,0 +1,957 @@
+/*
+ * PSA crypto core internal interfaces
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_CORE_H
+#define PSA_CRYPTO_CORE_H
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+#include "psa/crypto.h"
+#include "psa/crypto_se_driver.h"
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+/**
+ * Tell if PSA is ready for this hash.
+ *
+ * \note For now, only checks the state of the driver subsystem,
+ * not the algorithm. Might do more in the future.
+ *
+ * \param hash_alg The hash algorithm (ignored for now).
+ *
+ * \return 1 if the driver subsytem is ready, 0 otherwise.
+ */
+int psa_can_do_hash(psa_algorithm_t hash_alg);
+
+/**
+ * Tell if PSA is ready for this cipher.
+ *
+ * \note For now, only checks the state of the driver subsystem,
+ * not the algorithm. Might do more in the future.
+ *
+ * \param cipher_alg The cipher algorithm (ignored for now).
+ *
+ * \return 1 if the driver subsytem is ready, 0 otherwise.
+ */
+int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg);
+
+typedef enum {
+ PSA_SLOT_EMPTY = 0,
+ PSA_SLOT_FILLING,
+ PSA_SLOT_FULL,
+ PSA_SLOT_PENDING_DELETION,
+} psa_key_slot_state_t;
+
+/** The data structure representing a key slot, containing key material
+ * and metadata for one key.
+ */
+typedef struct {
+ psa_key_attributes_t attr;
+
+ /*
+ * The current state of the key slot, as described in
+ * docs/architecture/psa-thread-safety/psa-thread-safety.md.
+ *
+ * Library functions can modify the state of a key slot by calling
+ * psa_key_slot_state_transition.
+ *
+ * The state variable is used to help determine whether library functions
+ * which operate on the slot succeed. For example, psa_finish_key_creation,
+ * which transfers the state of a slot from PSA_SLOT_FILLING to
+ * PSA_SLOT_FULL, must fail with error code PSA_ERROR_CORRUPTION_DETECTED
+ * if the state of the slot is not PSA_SLOT_FILLING.
+ *
+ * Library functions which traverse the array of key slots only consider
+ * slots that are in a suitable state for the function.
+ * For example, psa_get_and_lock_key_slot_in_memory, which finds a slot
+ * containing a given key ID, will only check slots whose state variable is
+ * PSA_SLOT_FULL. */
+ psa_key_slot_state_t state;
+
+ /*
+ * Number of functions registered as reading the material in the key slot.
+ *
+ * Library functions must not write directly to registered_readers
+ *
+ * A function must call psa_register_read(slot) before reading the current
+ * contents of the slot for an operation.
+ * They then must call psa_unregister_read(slot) once they have finished
+ * reading the current contents of the slot. If the key slot mutex is not
+ * held (when mutexes are enabled), this call must be done via a call to
+ * psa_unregister_read_under_mutex(slot).
+ * A function must call psa_key_slot_has_readers(slot) to check if
+ * the slot is in use for reading.
+ *
+ * This counter is used to prevent resetting the key slot while the library
+ * may access it. For example, such control is needed in the following
+ * scenarios:
+ * . In case of key slot starvation, all key slots contain the description
+ * of a key, and the library asks for the description of a persistent
+ * key not present in the key slots, the key slots currently accessed by
+ * the library cannot be reclaimed to free a key slot to load the
+ * persistent key.
+ * . In case of a multi-threaded application where one thread asks to close
+ * or purge or destroy a key while it is in use by the library through
+ * another thread. */
+ size_t registered_readers;
+
+ /* Dynamically allocated key data buffer.
+ * Format as specified in psa_export_key(). */
+ struct key_data {
+ uint8_t *data;
+ size_t bytes;
+ } key;
+} psa_key_slot_t;
+
+#if defined(MBEDTLS_THREADING_C)
+
+/** Perform a mutex operation and return immediately upon failure.
+ *
+ * Returns PSA_ERROR_SERVICE_FAILURE if the operation fails
+ * and status was PSA_SUCCESS.
+ *
+ * Assumptions:
+ * psa_status_t status exists.
+ * f is a mutex operation which returns 0 upon success.
+ */
+#define PSA_THREADING_CHK_RET(f) \
+ do \
+ { \
+ if ((f) != 0) { \
+ if (status == PSA_SUCCESS) { \
+ return PSA_ERROR_SERVICE_FAILURE; \
+ } \
+ return status; \
+ } \
+ } while (0);
+
+/** Perform a mutex operation and goto exit on failure.
+ *
+ * Sets status to PSA_ERROR_SERVICE_FAILURE if status was PSA_SUCCESS.
+ *
+ * Assumptions:
+ * psa_status_t status exists.
+ * Label exit: exists.
+ * f is a mutex operation which returns 0 upon success.
+ */
+#define PSA_THREADING_CHK_GOTO_EXIT(f) \
+ do \
+ { \
+ if ((f) != 0) { \
+ if (status == PSA_SUCCESS) { \
+ status = PSA_ERROR_SERVICE_FAILURE; \
+ } \
+ goto exit; \
+ } \
+ } while (0);
+#endif
+
+/** Test whether a key slot has any registered readers.
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[in] slot The key slot to test.
+ *
+ * \return 1 if the slot has any registered readers, 0 otherwise.
+ */
+static inline int psa_key_slot_has_readers(const psa_key_slot_t *slot)
+{
+ return slot->registered_readers > 0;
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/** Get the SE slot number of a key from the key slot storing its description.
+ *
+ * \param[in] slot The key slot to query. This must be a key slot storing
+ * the description of a key of a dynamically registered
+ * secure element, otherwise the behaviour is undefined.
+ */
+static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
+ const psa_key_slot_t *slot)
+{
+ return *((psa_key_slot_number_t *) (slot->key.data));
+}
+#endif
+
+/** Completely wipe a slot in memory, including its policy.
+ *
+ * Persistent storage is not affected.
+ * Sets the slot's state to PSA_SLOT_EMPTY.
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[in,out] slot The key slot to wipe.
+ *
+ * \retval #PSA_SUCCESS
+ * The slot has been successfully wiped.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was PSA_SLOT_FULL or PSA_SLOT_PENDING_DELETION, and
+ * the amount of registered readers was not equal to 1. Or,
+ * the slot's state was PSA_SLOT_EMPTY. Or,
+ * the slot's state was PSA_SLOT_FILLING, and the amount
+ * of registered readers was not equal to 0.
+ */
+psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot);
+
+/** Try to allocate a buffer to an empty key slot.
+ *
+ * \param[in,out] slot Key slot to attach buffer to.
+ * \param[in] buffer_length Requested size of the buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The buffer has been successfully allocated.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * Not enough memory was available for allocation.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * Trying to allocate a buffer to a non-empty key slot.
+ */
+psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
+ size_t buffer_length);
+
+/** Wipe key data from a slot. Preserves metadata such as the policy. */
+psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot);
+
+/** Copy key data (in export format) into an empty key slot.
+ *
+ * This function assumes that the slot does not contain
+ * any key material yet. On failure, the slot content is unchanged.
+ *
+ * \param[in,out] slot Key slot to copy the key into.
+ * \param[in] data Buffer containing the key material.
+ * \param data_length Size of the key buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key has been copied successfully.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * Not enough memory was available for allocation of the
+ * copy buffer.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ * There was other key material already present in the slot.
+ */
+psa_status_t psa_copy_key_material_into_slot(psa_key_slot_t *slot,
+ const uint8_t *data,
+ size_t data_length);
+
+/** Convert an Mbed TLS error code to a PSA error code
+ *
+ * \note This function is provided solely for the convenience of
+ * Mbed TLS and may be removed at any time without notice.
+ *
+ * \param ret An Mbed TLS-thrown error code
+ *
+ * \return The corresponding PSA error code
+ */
+psa_status_t mbedtls_to_psa_error(int ret);
+
+/** Import a key in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * import_key entry point. This function behaves as an import_key
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes for the key to import.
+ * \param[in] data The buffer containing the key data in import
+ * format.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] key_buffer The buffer to contain the key data in output
+ * format upon successful return.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
+ * size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS The key was imported successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key data is not correctly formatted.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t psa_import_key_into_slot(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits);
+
+/** Export a key in binary format
+ *
+ * \note The signature of this function is that of a PSA driver export_key
+ * entry point. This function behaves as an export_key entry point as
+ * defined in the PSA driver interface specification.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data
+ *
+ * \retval #PSA_SUCCESS The key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t psa_export_key_internal(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+/** Export a public key or the public part of a key pair in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * export_public_key entry point. This function behaves as an
+ * export_public_key entry point as defined in the PSA driver interface
+ * specification.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data
+ *
+ * \retval #PSA_SUCCESS The public key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t psa_export_public_key_internal(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+/** Whether a key production parameters structure is the default.
+ *
+ * Calls to a key generation driver with non-default production parameters
+ * require a driver supporting custom production parameters.
+ *
+ * \param[in] params The key production parameters to check.
+ * \param params_data_length Size of `params->data` in bytes.
+ */
+int psa_key_production_parameters_are_default(
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length);
+
+/**
+ * \brief Generate a key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the key to generate.
+ * \param[in] params The production parameters from
+ * psa_generate_key_ext().
+ * \param params_data_length The size of `params->data` in bytes.
+ * \param[out] key_buffer Buffer where the key data is to be written.
+ * \param[in] key_buffer_size Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length On success, the number of bytes written in
+ * \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was generated successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Key size in bits or type not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ */
+psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length);
+
+/** Sign a message with a private key. For hash-and-sign algorithms,
+ * this includes the hashing step.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_message entry point. This function behaves as a sign_message
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \note This function will call the driver for psa_sign_hash
+ * and go through driver dispatch again.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] input The input message to sign.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of the key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t psa_sign_message_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *input, size_t input_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/** Verify the signature of a message with a public key, using
+ * a hash-and-sign verification algorithm.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_message entry point. This function behaves as a verify_message
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \note This function will call the driver for psa_verify_hash
+ * and go through driver dispatch again.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] input The message whose signature is to be verified.
+ * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t psa_verify_message_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *input, size_t input_length,
+ const uint8_t *signature, size_t signature_length);
+
+/** Sign an already-calculated hash with a private key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash entry point. This function behaves as a sign_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash or message to sign.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of the key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t psa_sign_hash_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/**
+ * \brief Verify the signature a hash or short message using a public key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash entry point. This function behaves as a verify_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash or message whose signature is to be
+ * verified.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t psa_verify_hash_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Validate the key bit size for unstructured keys.
+ *
+ * \note Check that the bit size is acceptable for a given key type for
+ * unstructured keys.
+ *
+ * \param[in] type The key type
+ * \param[in] bits The number of bits of the key
+ *
+ * \retval #PSA_SUCCESS
+ * The key type and size are valid.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The size in bits of the key is not valid.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The type and/or the size in bits of the key or the combination of
+ * the two is not supported.
+ */
+psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
+ size_t bits);
+
+/** Perform a key agreement and return the raw shared secret, using
+ built-in raw key agreement functions.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * key_agreement entry point. This function behaves as a key_agreement
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the private key
+ * context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in
+ * bytes.
+ * \param[in] alg A key agreement algorithm that is
+ * compatible with the type of the key.
+ * \param[in] peer_key The buffer containing the key context
+ * of the peer's public key.
+ * \param[in] peer_key_length Size of the \p peer_key buffer in
+ * bytes.
+ * \param[out] shared_secret The buffer to which the shared secret
+ * is to be written.
+ * \param[in] shared_secret_size Size of the \p shared_secret buffer in
+ * bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that make
+ * up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ * Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p alg is not a key agreement algorithm, or
+ * \p private_key is not compatible with \p alg,
+ * or \p peer_key is not valid for \p alg or not compatible with
+ * \p private_key.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p shared_secret_size is too small
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not a supported key agreement algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE \emptydescription
+ */
+psa_status_t psa_key_agreement_raw_builtin(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length);
+
+/**
+ * \brief Set the maximum number of ops allowed to be executed by an
+ * interruptible function in a single call.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * interruptible_set_max_ops entry point. This function behaves as an
+ * interruptible_set_max_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in] max_ops The maximum number of ops to be executed in a
+ * single call, this can be a number from 0 to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ * is obviously the least amount of work done per
+ * call.
+ */
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief Get the maximum number of ops allowed to be executed by an
+ * interruptible function in a single call.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * interruptible_get_max_ops entry point. This function behaves as an
+ * interruptible_get_max_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \return Maximum number of ops allowed to be executed
+ * by an interruptible function in a single call.
+ */
+uint32_t mbedtls_psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief Get the number of ops that a hash signing operation has taken for the
+ * previous call. If no call or work has taken place, this will return
+ * zero.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_get_num_ops entry point. This function behaves as an
+ * sign_hash_get_num_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that were completed
+ * in the last call to \c
+ * mbedtls_psa_sign_hash_complete().
+ */
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+ const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Get the number of ops that a hash verification operation has taken for
+ * the previous call. If no call or work has taken place, this will
+ * return zero.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_get_num_ops entry point. This function behaves as an
+ * verify_hash_get_num_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that were completed
+ * in the last call to \c
+ * mbedtls_psa_verify_hash_complete().
+ */
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+ const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start signing a hash or short message with a private key, in an
+ * interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_start entry point. This function behaves as a
+ * sign_hash_start entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An unsupported, incorrectly formatted or incorrect type of key was
+ * used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations
+ * are currently supported, or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There was insufficient memory to load the key representation.
+ */
+psa_status_t mbedtls_psa_sign_hash_start(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ * short message with a private key, in an interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_complete entry point. This function behaves as a
+ * sign_hash_complete entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(), there is still work to be done,
+ * please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t mbedtls_psa_sign_hash_complete(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Abort a sign hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver sign_hash_abort
+ * entry point. This function behaves as a sign_hash_abort entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_sign_hash_abort(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start reading and verifying a hash or short message, in an
+ * interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_start entry point. This function behaves as a
+ * verify_hash_start entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash whose signature is to be verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An unsupported or incorrect type of key was used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Either no internal interruptible operations are currently supported,
+ * or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There was insufficient memory either to load the key representation,
+ * or to prepare the operation.
+ */
+psa_status_t mbedtls_psa_verify_hash_start(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ * short message with a private key, in an interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_complete entry point. This function behaves as a
+ * sign_hash_complete entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(), there is still work to be done,
+ * please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_verify_hash_complete(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Abort a verify signed hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_abort entry point. This function behaves as a
+ * verify_hash_abort entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_verify_hash_abort(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+typedef struct psa_crypto_local_input_s {
+ uint8_t *buffer;
+ size_t length;
+} psa_crypto_local_input_t;
+
+#define PSA_CRYPTO_LOCAL_INPUT_INIT ((psa_crypto_local_input_t) { NULL, 0 })
+
+/** Allocate a local copy of an input buffer and copy the contents into it.
+ *
+ * \param[in] input Pointer to input buffer.
+ * \param[in] input_len Length of the input buffer.
+ * \param[out] local_input Pointer to a psa_crypto_local_input_t struct
+ * containing a local input copy.
+ * \return #PSA_SUCCESS, if the buffer was successfully
+ * copied.
+ * \return #PSA_ERROR_INSUFFICIENT_MEMORY, if a copy of
+ * the buffer cannot be allocated.
+ */
+psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len,
+ psa_crypto_local_input_t *local_input);
+
+/** Free a local copy of an input buffer.
+ *
+ * \param[in] local_input Pointer to a psa_crypto_local_input_t struct
+ * populated by a previous call to
+ * psa_crypto_local_input_alloc().
+ */
+void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input);
+
+typedef struct psa_crypto_local_output_s {
+ uint8_t *original;
+ uint8_t *buffer;
+ size_t length;
+} psa_crypto_local_output_t;
+
+#define PSA_CRYPTO_LOCAL_OUTPUT_INIT ((psa_crypto_local_output_t) { NULL, NULL, 0 })
+
+/** Allocate a local copy of an output buffer.
+ *
+ * \note This does not copy any data from the original
+ * output buffer but only allocates a buffer
+ * whose contents will be copied back to the
+ * original in a future call to
+ * psa_crypto_local_output_free().
+ *
+ * \param[in] output Pointer to output buffer.
+ * \param[in] output_len Length of the output buffer.
+ * \param[out] local_output Pointer to a psa_crypto_local_output_t struct to
+ * populate with the local output copy.
+ * \return #PSA_SUCCESS, if the buffer was successfully
+ * copied.
+ * \return #PSA_ERROR_INSUFFICIENT_MEMORY, if a copy of
+ * the buffer cannot be allocated.
+ */
+psa_status_t psa_crypto_local_output_alloc(uint8_t *output, size_t output_len,
+ psa_crypto_local_output_t *local_output);
+
+/** Copy from a local copy of an output buffer back to the original, then
+ * free the local copy.
+ *
+ * \param[in] local_output Pointer to a psa_crypto_local_output_t struct
+ * populated by a previous call to
+ * psa_crypto_local_output_alloc().
+ * \return #PSA_SUCCESS, if the local output was
+ * successfully copied back to the original.
+ * \return #PSA_ERROR_CORRUPTION_DETECTED, if the output
+ * could not be copied back to the original.
+ */
+psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_output);
+
+#endif /* PSA_CRYPTO_CORE_H */
diff --git a/library/psa_crypto_core_common.h b/library/psa_crypto_core_common.h
new file mode 100644
index 0000000..98fce2c
--- /dev/null
+++ b/library/psa_crypto_core_common.h
@@ -0,0 +1,52 @@
+/**
+ * \file psa_crypto_core_common.h
+ *
+ * \brief Utility macros for internal use in the PSA cryptography core.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_CORE_COMMON_H
+#define PSA_CRYPTO_CORE_COMMON_H
+
+/** Return an offset into a buffer.
+ *
+ * This is just the addition of an offset to a pointer, except that this
+ * function also accepts an offset of 0 into a buffer whose pointer is null.
+ * (`p + n` has undefined behavior when `p` is null, even when `n == 0`.
+ * A null pointer is a valid buffer pointer when the size is 0, for example
+ * as the result of `malloc(0)` on some platforms.)
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline unsigned char *psa_crypto_buffer_offset(
+ unsigned char *p, size_t n)
+{
+ return p == NULL ? NULL : p + n;
+}
+
+/** Return an offset into a read-only buffer.
+ *
+ * Similar to mbedtls_buffer_offset(), but for const pointers.
+ *
+ * \param p Pointer to a buffer of at least n bytes.
+ * This may be \p NULL if \p n is zero.
+ * \param n An offset in bytes.
+ * \return Pointer to offset \p n in the buffer \p p.
+ * Note that this is only a valid pointer if the size of the
+ * buffer is at least \p n + 1.
+ */
+static inline const unsigned char *psa_crypto_buffer_offset_const(
+ const unsigned char *p, size_t n)
+{
+ return p == NULL ? NULL : p + n;
+}
+
+#endif /* PSA_CRYPTO_CORE_COMMON_H */
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
new file mode 100644
index 0000000..ea6aee3
--- /dev/null
+++ b/library/psa_crypto_driver_wrappers.h
@@ -0,0 +1,2897 @@
+/*
+ * Functions to delegate cryptographic operations to an available
+ * and appropriate accelerator.
+ * Warning: This file is now auto-generated.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+
+/* BEGIN-common headers */
+#include "common.h"
+#include "psa_crypto_aead.h"
+#include "psa_crypto_cipher.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_driver_wrappers_no_static.h"
+#include "psa_crypto_hash.h"
+#include "psa_crypto_mac.h"
+#include "psa_crypto_pake.h"
+#include "psa_crypto_rsa.h"
+
+#include "mbedtls/platform.h"
+#include "mbedtls/constant_time.h"
+/* END-common headers */
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+/* BEGIN-driver headers */
+/* Headers for mbedtls_test opaque driver */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#include "test/drivers/test_driver.h"
+
+#endif
+/* Headers for mbedtls_test transparent driver */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#include "test/drivers/test_driver.h"
+
+#endif
+/* Headers for p256 transparent driver */
+#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+#include "../3rdparty/p256-m/p256-m_driver_entrypoints.h"
+
+#endif
+
+/* END-driver headers */
+
+/* Auto-generated values depending on which drivers are registered.
+ * ID 0 is reserved for unallocated operations.
+ * ID 1 is reserved for the Mbed TLS software driver. */
+/* BEGIN-driver id definition */
+#define PSA_CRYPTO_MBED_TLS_DRIVER_ID (1)
+#define MBEDTLS_TEST_OPAQUE_DRIVER_ID (2)
+#define MBEDTLS_TEST_TRANSPARENT_DRIVER_ID (3)
+#define P256_TRANSPARENT_DRIVER_ID (4)
+
+/* END-driver id */
+
+/* BEGIN-Common Macro definitions */
+
+/* END-Common Macro definitions */
+
+/* Support the 'old' SE interface when asked to */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/* PSA_CRYPTO_DRIVER_PRESENT is defined when either a new-style or old-style
+ * SE driver is present, to avoid unused argument errors at compile time. */
+#ifndef PSA_CRYPTO_DRIVER_PRESENT
+#define PSA_CRYPTO_DRIVER_PRESENT
+#endif
+#include "psa_crypto_se.h"
+#endif
+
+static inline psa_status_t psa_driver_wrapper_init( void )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ status = psa_init_all_se_drivers( );
+ if( status != PSA_SUCCESS )
+ return( status );
+#endif
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_init( );
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ status = mbedtls_test_opaque_init( );
+ if( status != PSA_SUCCESS )
+ return( status );
+#endif
+
+ (void) status;
+ return( PSA_SUCCESS );
+}
+
+static inline void psa_driver_wrapper_free( void )
+{
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* Unregister all secure element drivers, so that we restart from
+ * a pristine state. */
+ psa_unregister_all_se_drivers( );
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ mbedtls_test_transparent_free( );
+ mbedtls_test_opaque_free( );
+#endif
+}
+
+/* Start delegation functions */
+static inline psa_status_t psa_driver_wrapper_sign_message(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_signature_sign_message(
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ input,
+ input_length,
+ signature,
+ signature_size,
+ signature_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ break;
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ status = mbedtls_test_opaque_signature_sign_message(
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ input,
+ input_length,
+ signature,
+ signature_size,
+ signature_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+ break;
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ break;
+ }
+
+ return( psa_sign_message_builtin( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ input,
+ input_length,
+ signature,
+ signature_size,
+ signature_length ) );
+}
+
+static inline psa_status_t psa_driver_wrapper_verify_message(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *signature,
+ size_t signature_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_signature_verify_message(
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ input,
+ input_length,
+ signature,
+ signature_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ break;
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ return( mbedtls_test_opaque_signature_verify_message(
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ input,
+ input_length,
+ signature,
+ signature_length ) );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+ break;
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ break;
+ }
+
+ return( psa_verify_message_builtin( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ input,
+ input_length,
+ signature,
+ signature_length ) );
+}
+
+static inline psa_status_t psa_driver_wrapper_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length )
+{
+ /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
+ {
+ if( drv->asymmetric == NULL ||
+ drv->asymmetric->p_sign == NULL )
+ {
+ /* Key is defined in SE, but we have no way to exercise it */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+ return( drv->asymmetric->p_sign(
+ drv_context, *( (psa_key_slot_number_t *)key_buffer ),
+ alg, hash, hash_length,
+ signature, signature_size, signature_length ) );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_signature_sign_hash( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_size,
+ signature_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
+ PSA_ALG_IS_ECDSA(alg) &&
+ !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
+ PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
+ psa_get_key_bits(attributes) == 256 )
+ {
+ status = p256_transparent_sign_hash( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_size,
+ signature_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+ }
+#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ /* Fell through, meaning no accelerator supports this operation */
+ return( psa_sign_hash_builtin( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_size,
+ signature_length ) );
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ return( mbedtls_test_opaque_signature_sign_hash( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_size,
+ signature_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length )
+{
+ /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
+ {
+ if( drv->asymmetric == NULL ||
+ drv->asymmetric->p_verify == NULL )
+ {
+ /* Key is defined in SE, but we have no way to exercise it */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+ return( drv->asymmetric->p_verify(
+ drv_context, *( (psa_key_slot_number_t *)key_buffer ),
+ alg, hash, hash_length,
+ signature, signature_length ) );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_signature_verify_hash(
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
+ PSA_ALG_IS_ECDSA(alg) &&
+ !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
+ PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
+ psa_get_key_bits(attributes) == 256 )
+ {
+ status = p256_transparent_verify_hash( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+ }
+#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ return( psa_verify_hash_builtin( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_length ) );
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ return( mbedtls_test_opaque_signature_verify_hash( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ hash,
+ hash_length,
+ signature,
+ signature_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
+ psa_sign_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ /* If uninitialised, return 0, as no work can have been done. */
+ case 0:
+ return 0;
+
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return(mbedtls_psa_sign_hash_get_num_ops(&operation->ctx.mbedtls_ctx));
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ /* Can't happen (see discussion in #8271) */
+ return 0;
+}
+
+static inline uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
+ psa_verify_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ /* If uninitialised, return 0, as no work can have been done. */
+ case 0:
+ return 0;
+
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return (mbedtls_psa_verify_hash_get_num_ops(&operation->ctx.mbedtls_ctx));
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ }
+
+ /* Can't happen (see discussion in #8271) */
+ return 0;
+}
+
+static inline psa_status_t psa_driver_wrapper_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+ psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+ /* Add test driver tests here */
+
+ /* Declared with fallback == true */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+ status = mbedtls_psa_sign_hash_start( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length );
+ break;
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ break;
+ }
+
+ return( status );
+}
+
+static inline psa_status_t psa_driver_wrapper_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_sign_hash_complete( &operation->ctx.mbedtls_ctx,
+ signature, signature_size,
+ signature_length ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ ( void ) signature;
+ ( void ) signature_size;
+ ( void ) signature_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_sign_hash_abort( &operation->ctx.mbedtls_ctx ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+ psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+ /* Add test driver tests here */
+
+ /* Declared with fallback == true */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+ status = mbedtls_psa_verify_hash_start( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length );
+ break;
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ break;
+ }
+
+ return( status );
+}
+
+static inline psa_status_t psa_driver_wrapper_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_verify_hash_complete(
+ &operation->ctx.mbedtls_ctx
+ ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_verify_hash_abort( &operation->ctx.mbedtls_ctx
+ ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+/** Calculate the key buffer size required to store the key material of a key
+ * associated with an opaque driver from input key data.
+ *
+ * \param[in] attributes The key attributes
+ * \param[in] data The input key data.
+ * \param[in] data_length The input data length.
+ * \param[out] key_buffer_size Minimum buffer size to contain the key material.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ */
+static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data,
+ size_t data_length,
+ size_t *key_buffer_size )
+{
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+ psa_key_type_t key_type = psa_get_key_type(attributes);
+
+ *key_buffer_size = 0;
+ switch( location )
+ {
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ *key_buffer_size = mbedtls_test_opaque_size_function( key_type,
+ PSA_BYTES_TO_BITS( data_length ) );
+ return( ( *key_buffer_size != 0 ) ?
+ PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+ default:
+ (void)key_type;
+ (void)data;
+ (void)data_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_generate_key(
+ const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes));
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+ int is_default_production =
+ psa_key_production_parameters_are_default(params, params_data_length);
+ if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_production )
+ {
+ /* We don't support passing custom production parameters
+ * to drivers yet. */
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+#else
+ int is_default_production = 1;
+ (void) is_default_production;
+#endif
+
+ /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
+ {
+ size_t pubkey_length = 0; /* We don't support this feature yet */
+ if( drv->key_management == NULL ||
+ drv->key_management->p_generate == NULL )
+ {
+ /* Key is defined as being in SE, but we have no way to generate it */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+ return( drv->key_management->p_generate(
+ drv_context,
+ *( (psa_key_slot_number_t *)key_buffer ),
+ attributes, NULL, 0, &pubkey_length ) );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+ /* Transparent drivers are limited to generating asymmetric keys. */
+ /* We don't support passing custom production parameters
+ * to drivers yet. */
+ if( PSA_KEY_TYPE_IS_ASYMMETRIC( psa_get_key_type(attributes) ) &&
+ is_default_production )
+ {
+ /* Cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_generate_key(
+ attributes, key_buffer, key_buffer_size,
+ key_buffer_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ break;
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
+ psa_get_key_type(attributes) == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) &&
+ psa_get_key_bits(attributes) == 256 )
+ {
+ status = p256_transparent_generate_key( attributes,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ break;
+ }
+
+#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
+ }
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Software fallback */
+ status = psa_generate_key_internal(
+ attributes, params, params_data_length,
+ key_buffer, key_buffer_size, key_buffer_length );
+ break;
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ status = mbedtls_test_opaque_generate_key(
+ attributes, key_buffer, key_buffer_size, key_buffer_length );
+ break;
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ break;
+ }
+
+ return( status );
+}
+
+static inline psa_status_t psa_driver_wrapper_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data,
+ size_t data_length,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length,
+ size_t *bits )
+{
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+ psa_get_key_lifetime( attributes ) );
+
+ /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
+ {
+ if( drv->key_management == NULL ||
+ drv->key_management->p_import == NULL )
+ return( PSA_ERROR_NOT_SUPPORTED );
+
+ /* The driver should set the number of key bits, however in
+ * case it doesn't, we initialize bits to an invalid value. */
+ *bits = PSA_MAX_KEY_BITS + 1;
+ status = drv->key_management->p_import(
+ drv_context,
+ *( (psa_key_slot_number_t *)key_buffer ),
+ attributes, data, data_length, bits );
+
+ if( status != PSA_SUCCESS )
+ return( status );
+
+ if( (*bits) > PSA_MAX_KEY_BITS )
+ return( PSA_ERROR_NOT_SUPPORTED );
+
+ return( PSA_SUCCESS );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+
+#if (defined(PSA_CRYPTO_DRIVER_TEST) )
+ status = mbedtls_test_transparent_import_key
+ (attributes,
+ data,
+ data_length,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length,
+ bits
+ );
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif
+
+#if (defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED) )
+ status = p256_transparent_import_key
+ (attributes,
+ data,
+ data_length,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length,
+ bits
+ );
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif
+
+
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ return( psa_import_key_into_slot( attributes,
+ data, data_length,
+ key_buffer, key_buffer_size,
+ key_buffer_length, bits ) );
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+
+#if (defined(PSA_CRYPTO_DRIVER_TEST) )
+ case 0x7fffff:
+ return( mbedtls_test_opaque_import_key
+ (attributes,
+ data,
+ data_length,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length,
+ bits
+ ));
+#endif
+
+
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ (void)status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
+}
+
+static inline psa_status_t psa_driver_wrapper_export_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length )
+
+{
+
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+ psa_get_key_lifetime( attributes ) );
+
+ /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
+ {
+ if( ( drv->key_management == NULL ) ||
+ ( drv->key_management->p_export == NULL ) )
+ {
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+
+ return( drv->key_management->p_export(
+ drv_context,
+ *( (psa_key_slot_number_t *)key_buffer ),
+ data, data_size, data_length ) );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ return( psa_export_key_internal( attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length ) );
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+
+#if (defined(PSA_CRYPTO_DRIVER_TEST) )
+ case 0x7fffff:
+ return( mbedtls_test_opaque_export_key
+ (attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length
+ ));
+#endif
+
+
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ return( status );
+ }
+
+}
+
+static inline psa_status_t psa_driver_wrapper_copy_key(
+ psa_key_attributes_t *attributes,
+ const uint8_t *source_key, size_t source_key_length,
+ uint8_t *target_key_buffer, size_t target_key_buffer_size,
+ size_t *target_key_buffer_length )
+{
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
+ {
+ /* Copying to a secure element is not implemented yet. */
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ switch( location )
+ {
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+
+#if (defined(PSA_CRYPTO_DRIVER_TEST) )
+ case 0x7fffff:
+ return( mbedtls_test_opaque_copy_key
+ (attributes,
+ source_key,
+ source_key_length,
+ target_key_buffer,
+ target_key_buffer_size,
+ target_key_buffer_length
+ ));
+#endif
+
+
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ (void)source_key;
+ (void)source_key_length;
+ (void)target_key_buffer;
+ (void)target_key_buffer_size;
+ (void)target_key_buffer_length;
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+ return( status );
+
+}
+
+/*
+ * Cipher functions
+ */
+static inline psa_status_t psa_driver_wrapper_cipher_encrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_cipher_encrypt( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ iv,
+ iv_length,
+ input,
+ input_length,
+ output,
+ output_size,
+ output_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+ return( mbedtls_psa_cipher_encrypt( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ iv,
+ iv_length,
+ input,
+ input_length,
+ output,
+ output_size,
+ output_length ) );
+#else
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ return( mbedtls_test_opaque_cipher_encrypt( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ iv,
+ iv_length,
+ input,
+ input_length,
+ output,
+ output_size,
+ output_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ (void)key_buffer;
+ (void)key_buffer_size;
+ (void)alg;
+ (void)iv;
+ (void)iv_length;
+ (void)input;
+ (void)input_length;
+ (void)output;
+ (void)output_size;
+ (void)output_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_cipher_decrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_cipher_decrypt( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ input,
+ input_length,
+ output,
+ output_size,
+ output_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+ return( mbedtls_psa_cipher_decrypt( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ input,
+ input_length,
+ output,
+ output_size,
+ output_length ) );
+#else
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ return( mbedtls_test_opaque_cipher_decrypt( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ input,
+ input_length,
+ output,
+ output_size,
+ output_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ (void)key_buffer;
+ (void)key_buffer_size;
+ (void)alg;
+ (void)input;
+ (void)input_length;
+ (void)output;
+ (void)output_size;
+ (void)output_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
+ psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_cipher_encrypt_setup(
+ &operation->ctx.transparent_test_driver_ctx,
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ alg );
+ /* Declared with fallback == true */
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID;
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+ /* Fell through, meaning no accelerator supports this operation */
+ status = mbedtls_psa_cipher_encrypt_setup( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ alg );
+ if( status == PSA_SUCCESS )
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+ return( PSA_ERROR_NOT_SUPPORTED );
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ status = mbedtls_test_opaque_cipher_encrypt_setup(
+ &operation->ctx.opaque_test_driver_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID;
+
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ (void)operation;
+ (void)key_buffer;
+ (void)key_buffer_size;
+ (void)alg;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
+ psa_cipher_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg )
+{
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_cipher_decrypt_setup(
+ &operation->ctx.transparent_test_driver_ctx,
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ alg );
+ /* Declared with fallback == true */
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID;
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+ /* Fell through, meaning no accelerator supports this operation */
+ status = mbedtls_psa_cipher_decrypt_setup( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ alg );
+ if( status == PSA_SUCCESS )
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+
+ return( status );
+#else /* MBEDTLS_PSA_BUILTIN_CIPHER */
+ return( PSA_ERROR_NOT_SUPPORTED );
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ status = mbedtls_test_opaque_cipher_decrypt_setup(
+ &operation->ctx.opaque_test_driver_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID;
+
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ (void)operation;
+ (void)key_buffer;
+ (void)key_buffer_size;
+ (void)alg;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_cipher_set_iv(
+ psa_cipher_operation_t *operation,
+ const uint8_t *iv,
+ size_t iv_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_cipher_set_iv( &operation->ctx.mbedtls_ctx,
+ iv,
+ iv_length ) );
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_cipher_set_iv(
+ &operation->ctx.transparent_test_driver_ctx,
+ iv, iv_length ) );
+
+ case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
+ return( mbedtls_test_opaque_cipher_set_iv(
+ &operation->ctx.opaque_test_driver_ctx,
+ iv, iv_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)iv;
+ (void)iv_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_cipher_update(
+ psa_cipher_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_cipher_update( &operation->ctx.mbedtls_ctx,
+ input,
+ input_length,
+ output,
+ output_size,
+ output_length ) );
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_cipher_update(
+ &operation->ctx.transparent_test_driver_ctx,
+ input, input_length,
+ output, output_size, output_length ) );
+
+ case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
+ return( mbedtls_test_opaque_cipher_update(
+ &operation->ctx.opaque_test_driver_ctx,
+ input, input_length,
+ output, output_size, output_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)input;
+ (void)input_length;
+ (void)output;
+ (void)output_size;
+ (void)output_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_cipher_finish(
+ psa_cipher_operation_t *operation,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_cipher_finish( &operation->ctx.mbedtls_ctx,
+ output,
+ output_size,
+ output_length ) );
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_cipher_finish(
+ &operation->ctx.transparent_test_driver_ctx,
+ output, output_size, output_length ) );
+
+ case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
+ return( mbedtls_test_opaque_cipher_finish(
+ &operation->ctx.opaque_test_driver_ctx,
+ output, output_size, output_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)output;
+ (void)output_size;
+ (void)output_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_cipher_abort(
+ psa_cipher_operation_t *operation )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_cipher_abort( &operation->ctx.mbedtls_ctx ) );
+#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ status = mbedtls_test_transparent_cipher_abort(
+ &operation->ctx.transparent_test_driver_ctx );
+ mbedtls_platform_zeroize(
+ &operation->ctx.transparent_test_driver_ctx,
+ sizeof( operation->ctx.transparent_test_driver_ctx ) );
+ return( status );
+
+ case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
+ status = mbedtls_test_opaque_cipher_abort(
+ &operation->ctx.opaque_test_driver_ctx );
+ mbedtls_platform_zeroize(
+ &operation->ctx.opaque_test_driver_ctx,
+ sizeof( operation->ctx.opaque_test_driver_ctx ) );
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+/*
+ * Hashing functions
+ */
+static inline psa_status_t psa_driver_wrapper_hash_compute(
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* Try accelerators first */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_hash_compute(
+ alg, input, input_length, hash, hash_size, hash_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif
+
+ /* If software fallback is compiled in, try fallback */
+#if defined(MBEDTLS_PSA_BUILTIN_HASH)
+ status = mbedtls_psa_hash_compute( alg, input, input_length,
+ hash, hash_size, hash_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif
+ (void) status;
+ (void) alg;
+ (void) input;
+ (void) input_length;
+ (void) hash;
+ (void) hash_size;
+ (void) hash_length;
+
+ return( PSA_ERROR_NOT_SUPPORTED );
+}
+
+static inline psa_status_t psa_driver_wrapper_hash_setup(
+ psa_hash_operation_t *operation,
+ psa_algorithm_t alg )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* Try setup on accelerators first */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_hash_setup(
+ &operation->ctx.test_driver_ctx, alg );
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID;
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif
+
+ /* If software fallback is compiled in, try fallback */
+#if defined(MBEDTLS_PSA_BUILTIN_HASH)
+ status = mbedtls_psa_hash_setup( &operation->ctx.mbedtls_ctx, alg );
+ if( status == PSA_SUCCESS )
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif
+ /* Nothing left to try if we fall through here */
+ (void) status;
+ (void) operation;
+ (void) alg;
+ return( PSA_ERROR_NOT_SUPPORTED );
+}
+
+static inline psa_status_t psa_driver_wrapper_hash_clone(
+ const psa_hash_operation_t *source_operation,
+ psa_hash_operation_t *target_operation )
+{
+ switch( source_operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_HASH)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ target_operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+ return( mbedtls_psa_hash_clone( &source_operation->ctx.mbedtls_ctx,
+ &target_operation->ctx.mbedtls_ctx ) );
+#endif
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ target_operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID;
+ return( mbedtls_test_transparent_hash_clone(
+ &source_operation->ctx.test_driver_ctx,
+ &target_operation->ctx.test_driver_ctx ) );
+#endif
+ default:
+ (void) target_operation;
+ return( PSA_ERROR_BAD_STATE );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_hash_update(
+ psa_hash_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_HASH)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_hash_update( &operation->ctx.mbedtls_ctx,
+ input, input_length ) );
+#endif
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_hash_update(
+ &operation->ctx.test_driver_ctx,
+ input, input_length ) );
+#endif
+ default:
+ (void) input;
+ (void) input_length;
+ return( PSA_ERROR_BAD_STATE );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_hash_finish(
+ psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_HASH)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_hash_finish( &operation->ctx.mbedtls_ctx,
+ hash, hash_size, hash_length ) );
+#endif
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_hash_finish(
+ &operation->ctx.test_driver_ctx,
+ hash, hash_size, hash_length ) );
+#endif
+ default:
+ (void) hash;
+ (void) hash_size;
+ (void) hash_length;
+ return( PSA_ERROR_BAD_STATE );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_hash_abort(
+ psa_hash_operation_t *operation )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_HASH)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_hash_abort( &operation->ctx.mbedtls_ctx ) );
+#endif
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_hash_abort(
+ &operation->ctx.test_driver_ctx ) );
+#endif
+ default:
+ return( PSA_ERROR_BAD_STATE );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_encrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *plaintext, size_t plaintext_length,
+ uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_aead_encrypt(
+ attributes, key_buffer, key_buffer_size,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, plaintext_length,
+ ciphertext, ciphertext_size, ciphertext_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ return( mbedtls_psa_aead_encrypt(
+ attributes, key_buffer, key_buffer_size,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, plaintext_length,
+ ciphertext, ciphertext_size, ciphertext_length ) );
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_decrypt(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *nonce, size_t nonce_length,
+ const uint8_t *additional_data, size_t additional_data_length,
+ const uint8_t *ciphertext, size_t ciphertext_length,
+ uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_aead_decrypt(
+ attributes, key_buffer, key_buffer_size,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ ciphertext, ciphertext_length,
+ plaintext, plaintext_size, plaintext_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ return( mbedtls_psa_aead_decrypt(
+ attributes, key_buffer, key_buffer_size,
+ alg,
+ nonce, nonce_length,
+ additional_data, additional_data_length,
+ ciphertext, ciphertext_length,
+ plaintext, plaintext_size, plaintext_length ) );
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_encrypt_setup(
+ psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID;
+ status = mbedtls_test_transparent_aead_encrypt_setup(
+ &operation->ctx.transparent_test_driver_ctx,
+ attributes, key_buffer, key_buffer_size,
+ alg );
+
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+ status = mbedtls_psa_aead_encrypt_setup(
+ &operation->ctx.mbedtls_ctx, attributes,
+ key_buffer, key_buffer_size,
+ alg );
+
+ return( status );
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_decrypt_setup(
+ psa_aead_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID;
+ status = mbedtls_test_transparent_aead_decrypt_setup(
+ &operation->ctx.transparent_test_driver_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+ status = mbedtls_psa_aead_decrypt_setup(
+ &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+
+ return( status );
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_set_nonce(
+ psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_aead_set_nonce( &operation->ctx.mbedtls_ctx,
+ nonce,
+ nonce_length ) );
+
+#endif /* MBEDTLS_PSA_BUILTIN_AEAD */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_aead_set_nonce(
+ &operation->ctx.transparent_test_driver_ctx,
+ nonce, nonce_length ) );
+
+ /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)nonce;
+ (void)nonce_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_set_lengths(
+ psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_aead_set_lengths( &operation->ctx.mbedtls_ctx,
+ ad_length,
+ plaintext_length ) );
+
+#endif /* MBEDTLS_PSA_BUILTIN_AEAD */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_aead_set_lengths(
+ &operation->ctx.transparent_test_driver_ctx,
+ ad_length, plaintext_length ) );
+
+ /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)ad_length;
+ (void)plaintext_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_update_ad(
+ psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_aead_update_ad( &operation->ctx.mbedtls_ctx,
+ input,
+ input_length ) );
+
+#endif /* MBEDTLS_PSA_BUILTIN_AEAD */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_aead_update_ad(
+ &operation->ctx.transparent_test_driver_ctx,
+ input, input_length ) );
+
+ /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)input;
+ (void)input_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_update(
+ psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_aead_update( &operation->ctx.mbedtls_ctx,
+ input, input_length,
+ output, output_size,
+ output_length ) );
+
+#endif /* MBEDTLS_PSA_BUILTIN_AEAD */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_aead_update(
+ &operation->ctx.transparent_test_driver_ctx,
+ input, input_length, output, output_size,
+ output_length ) );
+
+ /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)input;
+ (void)input_length;
+ (void)output;
+ (void)output_size;
+ (void)output_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_finish(
+ psa_aead_operation_t *operation,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag,
+ size_t tag_size,
+ size_t *tag_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_aead_finish( &operation->ctx.mbedtls_ctx,
+ ciphertext,
+ ciphertext_size,
+ ciphertext_length, tag,
+ tag_size, tag_length ) );
+
+#endif /* MBEDTLS_PSA_BUILTIN_AEAD */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_aead_finish(
+ &operation->ctx.transparent_test_driver_ctx,
+ ciphertext, ciphertext_size,
+ ciphertext_length, tag, tag_size, tag_length ) );
+
+ /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)ciphertext;
+ (void)ciphertext_size;
+ (void)ciphertext_length;
+ (void)tag;
+ (void)tag_size;
+ (void)tag_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_verify(
+ psa_aead_operation_t *operation,
+ uint8_t *plaintext,
+ size_t plaintext_size,
+ size_t *plaintext_length,
+ const uint8_t *tag,
+ size_t tag_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ {
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t check_tag[PSA_AEAD_TAG_MAX_SIZE];
+ size_t check_tag_length;
+
+ status = mbedtls_psa_aead_finish( &operation->ctx.mbedtls_ctx,
+ plaintext,
+ plaintext_size,
+ plaintext_length,
+ check_tag,
+ sizeof( check_tag ),
+ &check_tag_length );
+
+ if( status == PSA_SUCCESS )
+ {
+ if( tag_length != check_tag_length ||
+ mbedtls_ct_memcmp( tag, check_tag, tag_length )
+ != 0 )
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+ mbedtls_platform_zeroize( check_tag, sizeof( check_tag ) );
+
+ return( status );
+ }
+
+#endif /* MBEDTLS_PSA_BUILTIN_AEAD */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_aead_verify(
+ &operation->ctx.transparent_test_driver_ctx,
+ plaintext, plaintext_size,
+ plaintext_length, tag, tag_length ) );
+
+ /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ (void)plaintext;
+ (void)plaintext_size;
+ (void)plaintext_length;
+ (void)tag;
+ (void)tag_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+static inline psa_status_t psa_driver_wrapper_aead_abort(
+ psa_aead_operation_t *operation )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_AEAD)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_aead_abort( &operation->ctx.mbedtls_ctx ) );
+
+#endif /* MBEDTLS_PSA_BUILTIN_AEAD */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_aead_abort(
+ &operation->ctx.transparent_test_driver_ctx ) );
+
+ /* Add cases for opaque driver here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+/*
+ * MAC functions
+ */
+static inline psa_status_t psa_driver_wrapper_mac_compute(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_mac_compute(
+ attributes, key_buffer, key_buffer_size, alg,
+ input, input_length,
+ mac, mac_size, mac_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#if defined(MBEDTLS_PSA_BUILTIN_MAC)
+ /* Fell through, meaning no accelerator supports this operation */
+ status = mbedtls_psa_mac_compute(
+ attributes, key_buffer, key_buffer_size, alg,
+ input, input_length,
+ mac, mac_size, mac_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* MBEDTLS_PSA_BUILTIN_MAC */
+ return( PSA_ERROR_NOT_SUPPORTED );
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ status = mbedtls_test_opaque_mac_compute(
+ attributes, key_buffer, key_buffer_size, alg,
+ input, input_length,
+ mac, mac_size, mac_length );
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ (void) input;
+ (void) input_length;
+ (void) mac;
+ (void) mac_size;
+ (void) mac_length;
+ (void) status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_mac_sign_setup(
+ psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_mac_sign_setup(
+ &operation->ctx.transparent_test_driver_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+ /* Declared with fallback == true */
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID;
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#if defined(MBEDTLS_PSA_BUILTIN_MAC)
+ /* Fell through, meaning no accelerator supports this operation */
+ status = mbedtls_psa_mac_sign_setup( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+ if( status == PSA_SUCCESS )
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* MBEDTLS_PSA_BUILTIN_MAC */
+ return( PSA_ERROR_NOT_SUPPORTED );
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ status = mbedtls_test_opaque_mac_sign_setup(
+ &operation->ctx.opaque_test_driver_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID;
+
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void) status;
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_mac_verify_setup(
+ psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_mac_verify_setup(
+ &operation->ctx.transparent_test_driver_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+ /* Declared with fallback == true */
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID;
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#if defined(MBEDTLS_PSA_BUILTIN_MAC)
+ /* Fell through, meaning no accelerator supports this operation */
+ status = mbedtls_psa_mac_verify_setup( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+ if( status == PSA_SUCCESS )
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* MBEDTLS_PSA_BUILTIN_MAC */
+ return( PSA_ERROR_NOT_SUPPORTED );
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ status = mbedtls_test_opaque_mac_verify_setup(
+ &operation->ctx.opaque_test_driver_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg );
+
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_OPAQUE_DRIVER_ID;
+
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void) status;
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_mac_update(
+ psa_mac_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_MAC)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_mac_update( &operation->ctx.mbedtls_ctx,
+ input, input_length ) );
+#endif /* MBEDTLS_PSA_BUILTIN_MAC */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_mac_update(
+ &operation->ctx.transparent_test_driver_ctx,
+ input, input_length ) );
+
+ case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
+ return( mbedtls_test_opaque_mac_update(
+ &operation->ctx.opaque_test_driver_ctx,
+ input, input_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ (void) input;
+ (void) input_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_mac_sign_finish(
+ psa_mac_operation_t *operation,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_MAC)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_mac_sign_finish( &operation->ctx.mbedtls_ctx,
+ mac, mac_size, mac_length ) );
+#endif /* MBEDTLS_PSA_BUILTIN_MAC */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_mac_sign_finish(
+ &operation->ctx.transparent_test_driver_ctx,
+ mac, mac_size, mac_length ) );
+
+ case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
+ return( mbedtls_test_opaque_mac_sign_finish(
+ &operation->ctx.opaque_test_driver_ctx,
+ mac, mac_size, mac_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ (void) mac;
+ (void) mac_size;
+ (void) mac_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_mac_verify_finish(
+ psa_mac_operation_t *operation,
+ const uint8_t *mac,
+ size_t mac_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_MAC)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_mac_verify_finish( &operation->ctx.mbedtls_ctx,
+ mac, mac_length ) );
+#endif /* MBEDTLS_PSA_BUILTIN_MAC */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_mac_verify_finish(
+ &operation->ctx.transparent_test_driver_ctx,
+ mac, mac_length ) );
+
+ case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
+ return( mbedtls_test_opaque_mac_verify_finish(
+ &operation->ctx.opaque_test_driver_ctx,
+ mac, mac_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ (void) mac;
+ (void) mac_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_mac_abort(
+ psa_mac_operation_t *operation )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_MAC)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_mac_abort( &operation->ctx.mbedtls_ctx ) );
+#endif /* MBEDTLS_PSA_BUILTIN_MAC */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_mac_abort(
+ &operation->ctx.transparent_test_driver_ctx ) );
+ case MBEDTLS_TEST_OPAQUE_DRIVER_ID:
+ return( mbedtls_test_opaque_mac_abort(
+ &operation->ctx.opaque_test_driver_ctx ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+/*
+ * Asymmetric cryptography
+ */
+static inline psa_status_t psa_driver_wrapper_asymmetric_encrypt(
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *input,
+ size_t input_length, const uint8_t *salt, size_t salt_length,
+ uint8_t *output, size_t output_size, size_t *output_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_asymmetric_encrypt( attributes,
+ key_buffer, key_buffer_size, alg, input, input_length,
+ salt, salt_length, output, output_size,
+ output_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ return( mbedtls_psa_asymmetric_encrypt( attributes,
+ key_buffer, key_buffer_size, alg, input, input_length,
+ salt, salt_length, output, output_size, output_length )
+ );
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ return( mbedtls_test_opaque_asymmetric_encrypt( attributes,
+ key_buffer, key_buffer_size, alg, input, input_length,
+ salt, salt_length, output, output_size, output_length )
+ );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ (void)key_buffer;
+ (void)key_buffer_size;
+ (void)alg;
+ (void)input;
+ (void)input_length;
+ (void)salt;
+ (void)salt_length;
+ (void)output;
+ (void)output_size;
+ (void)output_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_asymmetric_decrypt(
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg, const uint8_t *input,
+ size_t input_length, const uint8_t *salt, size_t salt_length,
+ uint8_t *output, size_t output_size, size_t *output_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_asymmetric_decrypt( attributes,
+ key_buffer, key_buffer_size, alg, input, input_length,
+ salt, salt_length, output, output_size,
+ output_length );
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ return( mbedtls_psa_asymmetric_decrypt( attributes,
+ key_buffer, key_buffer_size, alg,input, input_length,
+ salt, salt_length, output, output_size,
+ output_length ) );
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ return( mbedtls_test_opaque_asymmetric_decrypt( attributes,
+ key_buffer, key_buffer_size, alg, input, input_length,
+ salt, salt_length, output, output_size,
+ output_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)status;
+ (void)key_buffer;
+ (void)key_buffer_size;
+ (void)alg;
+ (void)input;
+ (void)input_length;
+ (void)salt;
+ (void)salt_length;
+ (void)output;
+ (void)output_size;
+ (void)output_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_key_agreement(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length
+ )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status =
+ mbedtls_test_transparent_key_agreement( attributes,
+ key_buffer, key_buffer_size, alg, peer_key,
+ peer_key_length, shared_secret, shared_secret_size,
+ shared_secret_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
+ PSA_ALG_IS_ECDH(alg) &&
+ PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
+ psa_get_key_bits(attributes) == 256 )
+ {
+ status = p256_transparent_key_agreement( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ peer_key,
+ peer_key_length,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length );
+ if( status != PSA_ERROR_NOT_SUPPORTED)
+ return( status );
+ }
+#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Software Fallback */
+ status = psa_key_agreement_raw_builtin( attributes,
+ key_buffer,
+ key_buffer_size,
+ alg,
+ peer_key,
+ peer_key_length,
+ shared_secret,
+ shared_secret_size,
+ shared_secret_length );
+ return( status );
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+ return( mbedtls_test_opaque_key_agreement( attributes,
+ key_buffer, key_buffer_size, alg, peer_key,
+ peer_key_length, shared_secret, shared_secret_size,
+ shared_secret_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ default:
+ (void) attributes;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) peer_key;
+ (void) peer_key_length;
+ (void) shared_secret;
+ (void) shared_secret_size;
+ (void) shared_secret_length;
+ return( PSA_ERROR_NOT_SUPPORTED );
+
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_pake_setup(
+ psa_pake_operation_t *operation,
+ const psa_crypto_driver_pake_inputs_t *inputs )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime( &inputs->attributes ) );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+ status = PSA_ERROR_NOT_SUPPORTED;
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ status = mbedtls_test_transparent_pake_setup(
+ &operation->data.ctx.transparent_test_driver_ctx,
+ inputs );
+ if( status == PSA_SUCCESS )
+ operation->id = MBEDTLS_TEST_TRANSPARENT_DRIVER_ID;
+ /* Declared with fallback == true */
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ status = mbedtls_psa_pake_setup( &operation->data.ctx.mbedtls_ctx,
+ inputs );
+ if( status == PSA_SUCCESS )
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+#endif
+ return status;
+ /* Add cases for opaque driver here */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ (void)operation;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_pake_output(
+ psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_pake_output( &operation->data.ctx.mbedtls_ctx, step,
+ output, output_size, output_length ) );
+#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_pake_output(
+ &operation->data.ctx.transparent_test_driver_ctx,
+ step, output, output_size, output_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ (void) step;
+ (void) output;
+ (void) output_size;
+ (void) output_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_pake_input(
+ psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_pake_input( &operation->data.ctx.mbedtls_ctx,
+ step, input,
+ input_length ) );
+#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_pake_input(
+ &operation->data.ctx.transparent_test_driver_ctx,
+ step,
+ input, input_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ (void) step;
+ (void) input;
+ (void) input_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_pake_get_implicit_key(
+ psa_pake_operation_t *operation,
+ uint8_t *output, size_t output_size,
+ size_t *output_length )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_pake_get_implicit_key( &operation->data.ctx.mbedtls_ctx,
+ output, output_size, output_length ) );
+#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_pake_get_implicit_key(
+ &operation->data.ctx.transparent_test_driver_ctx,
+ output, output_size, output_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ (void) output;
+ (void) output_size;
+ (void) output_length;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+static inline psa_status_t psa_driver_wrapper_pake_abort(
+ psa_pake_operation_t * operation )
+{
+ switch( operation->id )
+ {
+#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_pake_abort( &operation->data.ctx.mbedtls_ctx ) );
+#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case MBEDTLS_TEST_TRANSPARENT_DRIVER_ID:
+ return( mbedtls_test_transparent_pake_abort(
+ &operation->data.ctx.transparent_test_driver_ctx ) );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_driver_wrappers_no_static.c b/library/psa_crypto_driver_wrappers_no_static.c
new file mode 100644
index 0000000..de8a526
--- /dev/null
+++ b/library/psa_crypto_driver_wrappers_no_static.c
@@ -0,0 +1,256 @@
+/*
+ * Functions to delegate cryptographic operations to an available
+ * and appropriate accelerator.
+ * Warning: This file is now auto-generated.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+
+/* BEGIN-common headers */
+#include "common.h"
+#include "psa_crypto_aead.h"
+#include "psa_crypto_cipher.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_driver_wrappers_no_static.h"
+#include "psa_crypto_hash.h"
+#include "psa_crypto_mac.h"
+#include "psa_crypto_pake.h"
+#include "psa_crypto_rsa.h"
+
+#include "mbedtls/platform.h"
+/* END-common headers */
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+/* BEGIN-driver headers */
+/* Headers for mbedtls_test opaque driver */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#include "test/drivers/test_driver.h"
+
+#endif
+/* Headers for mbedtls_test transparent driver */
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+#include "test/drivers/test_driver.h"
+
+#endif
+/* Headers for p256 transparent driver */
+#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+#include "../3rdparty/p256-m/p256-m_driver_entrypoints.h"
+
+#endif
+
+/* END-driver headers */
+
+/* Auto-generated values depending on which drivers are registered.
+ * ID 0 is reserved for unallocated operations.
+ * ID 1 is reserved for the Mbed TLS software driver. */
+/* BEGIN-driver id definition */
+#define PSA_CRYPTO_MBED_TLS_DRIVER_ID (1)
+#define MBEDTLS_TEST_OPAQUE_DRIVER_ID (2)
+#define MBEDTLS_TEST_TRANSPARENT_DRIVER_ID (3)
+#define P256_TRANSPARENT_DRIVER_ID (4)
+
+/* END-driver id */
+
+/* BEGIN-Common Macro definitions */
+
+/* END-Common Macro definitions */
+
+/* Support the 'old' SE interface when asked to */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/* PSA_CRYPTO_DRIVER_PRESENT is defined when either a new-style or old-style
+ * SE driver is present, to avoid unused argument errors at compile time. */
+#ifndef PSA_CRYPTO_DRIVER_PRESENT
+#define PSA_CRYPTO_DRIVER_PRESENT
+#endif
+#include "psa_crypto_se.h"
+#endif
+
+/** Get the key buffer size required to store the key material of a key
+ * associated with an opaque driver.
+ *
+ * \param[in] attributes The key attributes.
+ * \param[out] key_buffer_size Minimum buffer size to contain the key material
+ *
+ * \retval #PSA_SUCCESS
+ * The minimum size for a buffer to contain the key material has been
+ * returned successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The type and/or the size in bits of the key or the combination of
+ * the two is not supported.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key is declared with a lifetime not known to us.
+ */
+psa_status_t psa_driver_wrapper_get_key_buffer_size(
+ const psa_key_attributes_t *attributes,
+ size_t *key_buffer_size )
+{
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+ psa_key_type_t key_type = psa_get_key_type(attributes);
+ size_t key_bits = psa_get_key_bits(attributes);
+
+ *key_buffer_size = 0;
+ switch( location )
+ {
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ case PSA_CRYPTO_TEST_DRIVER_LOCATION:
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+ /* Emulate property 'builtin_key_size' */
+ if( psa_key_id_is_builtin(
+ MBEDTLS_SVC_KEY_ID_GET_KEY_ID(
+ psa_get_key_id( attributes ) ) ) )
+ {
+ *key_buffer_size = sizeof( psa_drv_slot_number_t );
+ return( PSA_SUCCESS );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+ *key_buffer_size = mbedtls_test_opaque_size_function( key_type,
+ key_bits );
+ return( ( *key_buffer_size != 0 ) ?
+ PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED );
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+
+ default:
+ (void)key_type;
+ (void)key_bits;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+}
+
+psa_status_t psa_driver_wrapper_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length )
+
+{
+
+ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+ psa_get_key_lifetime( attributes ) );
+
+ /* Try dynamically-registered SE interface first */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+
+ if( psa_get_se_driver( psa_get_key_lifetime(attributes), &drv, &drv_context ) )
+ {
+ if( ( drv->key_management == NULL ) ||
+ ( drv->key_management->p_export_public == NULL ) )
+ {
+ return( PSA_ERROR_NOT_SUPPORTED );
+ }
+
+ return( drv->key_management->p_export_public(
+ drv_context,
+ *( (psa_key_slot_number_t *)key_buffer ),
+ data, data_size, data_length ) );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+
+#if (defined(PSA_CRYPTO_DRIVER_TEST) )
+ status = mbedtls_test_transparent_export_public_key
+ (attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length
+ );
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif
+
+#if (defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED) )
+ status = p256_transparent_export_public_key
+ (attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length
+ );
+
+ if( status != PSA_ERROR_NOT_SUPPORTED )
+ return( status );
+#endif
+
+
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ /* Fell through, meaning no accelerator supports this operation */
+ return( psa_export_public_key_internal( attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length ) );
+
+ /* Add cases for opaque driver here */
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+
+#if (defined(PSA_CRYPTO_DRIVER_TEST) )
+ case 0x7fffff:
+ return( mbedtls_test_opaque_export_public_key
+ (attributes,
+ key_buffer,
+ key_buffer_size,
+ data,
+ data_size,
+ data_length
+ ));
+#endif
+
+
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ /* Key is declared with a lifetime not known to us */
+ return( status );
+ }
+
+}
+
+psa_status_t psa_driver_wrapper_get_builtin_key(
+ psa_drv_slot_number_t slot_number,
+ psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
+{
+
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( psa_get_key_lifetime(attributes) );
+ switch( location )
+ {
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+
+#if (defined(PSA_CRYPTO_DRIVER_TEST) )
+ case 0x7fffff:
+ return( mbedtls_test_opaque_get_builtin_key
+ (slot_number,
+ attributes,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length
+ ));
+#endif
+
+
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ default:
+ (void) slot_number;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) key_buffer_length;
+ return( PSA_ERROR_DOES_NOT_EXIST );
+ }
+
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_driver_wrappers_no_static.h b/library/psa_crypto_driver_wrappers_no_static.h
new file mode 100644
index 0000000..cd617f6
--- /dev/null
+++ b/library/psa_crypto_driver_wrappers_no_static.h
@@ -0,0 +1,31 @@
+/*
+ * Function signatures for functionality that can be provided by
+ * cryptographic accelerators.
+ */
+/* Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_WRAPPERS_NO_STATIC_H
+#define PSA_CRYPTO_DRIVER_WRAPPERS_NO_STATIC_H
+
+#include "psa/crypto.h"
+#include "psa/crypto_driver_common.h"
+
+psa_status_t psa_driver_wrapper_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+psa_status_t psa_driver_wrapper_get_key_buffer_size(
+ const psa_key_attributes_t *attributes,
+ size_t *key_buffer_size);
+
+psa_status_t psa_driver_wrapper_get_builtin_key(
+ psa_drv_slot_number_t slot_number,
+ psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+#endif /* PSA_CRYPTO_DRIVER_WRAPPERS_NO_STATIC_H */
+
+/* End of automatically generated file. */
diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c
new file mode 100644
index 0000000..95baff6
--- /dev/null
+++ b/library/psa_crypto_ecp.c
@@ -0,0 +1,596 @@
+/*
+ * PSA ECP layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_ecp.h"
+#include "psa_crypto_random_impl.h"
+#include "mbedtls/psa_util.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+
+#include <mbedtls/ecdsa.h>
+#include <mbedtls/ecdh.h>
+#include <mbedtls/ecp.h>
+#include <mbedtls/error.h>
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+/* Helper function to verify if the provided EC's family and key bit size are valid.
+ *
+ * Note: "bits" parameter is used both as input and output and it might be updated
+ * in case provided input value is not multiple of 8 ("sloppy" bits).
+ */
+static int check_ecc_parameters(psa_ecc_family_t family, size_t *bits)
+{
+ switch (family) {
+ case PSA_ECC_FAMILY_SECP_R1:
+ switch (*bits) {
+ case 192:
+ case 224:
+ case 256:
+ case 384:
+ case 521:
+ return PSA_SUCCESS;
+ case 528:
+ *bits = 521;
+ return PSA_SUCCESS;
+ }
+ break;
+
+ case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
+ switch (*bits) {
+ case 256:
+ case 384:
+ case 512:
+ return PSA_SUCCESS;
+ }
+ break;
+
+ case PSA_ECC_FAMILY_MONTGOMERY:
+ switch (*bits) {
+ case 448:
+ case 255:
+ return PSA_SUCCESS;
+ case 256:
+ *bits = 255;
+ return PSA_SUCCESS;
+ }
+ break;
+
+ case PSA_ECC_FAMILY_SECP_K1:
+ switch (*bits) {
+ case 192:
+ /* secp224k1 is not and will not be supported in PSA (#3541). */
+ case 256:
+ return PSA_SUCCESS;
+ }
+ break;
+ }
+
+ return PSA_ERROR_INVALID_ARGUMENT;
+}
+
+psa_status_t mbedtls_psa_ecp_load_representation(
+ psa_key_type_t type, size_t curve_bits,
+ const uint8_t *data, size_t data_length,
+ mbedtls_ecp_keypair **p_ecp)
+{
+ mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
+ psa_status_t status;
+ mbedtls_ecp_keypair *ecp = NULL;
+ size_t curve_bytes = data_length;
+ int explicit_bits = (curve_bits != 0);
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type) &&
+ PSA_KEY_TYPE_ECC_GET_FAMILY(type) != PSA_ECC_FAMILY_MONTGOMERY) {
+ /* A Weierstrass public key is represented as:
+ * - The byte 0x04;
+ * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
+ * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
+ * So its data length is 2m+1 where m is the curve size in bits.
+ */
+ if ((data_length & 1) == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ curve_bytes = data_length / 2;
+
+ /* Montgomery public keys are represented in compressed format, meaning
+ * their curve_bytes is equal to the amount of input. */
+
+ /* Private keys are represented in uncompressed private random integer
+ * format, meaning their curve_bytes is equal to the amount of input. */
+ }
+
+ if (explicit_bits) {
+ /* With an explicit bit-size, the data must have the matching length. */
+ if (curve_bytes != PSA_BITS_TO_BYTES(curve_bits)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ } else {
+ /* We need to infer the bit-size from the data. Since the only
+ * information we have is the length in bytes, the value of curve_bits
+ * at this stage is rounded up to the nearest multiple of 8. */
+ curve_bits = PSA_BYTES_TO_BITS(curve_bytes);
+ }
+
+ /* Allocate and initialize a key representation. */
+ ecp = mbedtls_calloc(1, sizeof(mbedtls_ecp_keypair));
+ if (ecp == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ mbedtls_ecp_keypair_init(ecp);
+
+ status = check_ecc_parameters(PSA_KEY_TYPE_ECC_GET_FAMILY(type), &curve_bits);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Load the group. */
+ grp_id = mbedtls_ecc_group_from_psa(PSA_KEY_TYPE_ECC_GET_FAMILY(type),
+ curve_bits);
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_group_load(&ecp->grp, grp_id));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Load the key material. */
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+ /* Load the public value. */
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_point_read_binary(&ecp->grp, &ecp->Q,
+ data,
+ data_length));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Check that the point is on the curve. */
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_check_pubkey(&ecp->grp, &ecp->Q));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ } else {
+ /* Load and validate the secret value. */
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_read_key(ecp->grp.id,
+ ecp,
+ data,
+ data_length));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ *p_ecp = ecp;
+exit:
+ if (status != PSA_SUCCESS) {
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+ }
+
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
+
+psa_status_t mbedtls_psa_ecp_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits)
+{
+ psa_status_t status;
+ mbedtls_ecp_keypair *ecp = NULL;
+
+ /* Parse input */
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ data,
+ data_length,
+ &ecp);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type) ==
+ PSA_ECC_FAMILY_MONTGOMERY) {
+ *bits = ecp->grp.nbits + 1;
+ } else {
+ *bits = ecp->grp.nbits;
+ }
+
+ /* Re-export the data to PSA export format. There is currently no support
+ * for other input formats then the export format, so this is a 1-1
+ * copy operation. */
+ status = mbedtls_psa_ecp_export_key(attributes->type,
+ ecp,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+exit:
+ /* Always free the PK object (will also free contained ECP context) */
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
+ mbedtls_ecp_keypair *ecp,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ psa_status_t status;
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+ /* Check whether the public part is loaded */
+ if (mbedtls_ecp_is_zero(&ecp->Q)) {
+ /* Calculate the public key */
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_point_write_binary(&ecp->grp, &ecp->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED,
+ data_length,
+ data,
+ data_size));
+ if (status != PSA_SUCCESS) {
+ memset(data, 0, data_size);
+ }
+
+ return status;
+ } else {
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_write_key_ext(ecp, data_length, data, data_size));
+ return status;
+ }
+}
+
+psa_status_t mbedtls_psa_ecp_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ecp = NULL;
+
+ status = mbedtls_psa_ecp_load_representation(
+ attributes->type, attributes->bits,
+ key_buffer, key_buffer_size, &ecp);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_psa_ecp_export_key(
+ PSA_KEY_TYPE_ECC_PUBLIC_KEY(
+ PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type)),
+ ecp, data, data_size, data_length);
+
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+psa_status_t mbedtls_psa_ecp_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
+ attributes->type);
+ mbedtls_ecp_group_id grp_id =
+ mbedtls_ecc_group_from_psa(curve, attributes->bits);
+
+ const mbedtls_ecp_curve_info *curve_info =
+ mbedtls_ecp_curve_info_from_grp_id(grp_id);
+ mbedtls_ecp_keypair ecp;
+
+ if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ mbedtls_ecp_keypair_init(&ecp);
+ ret = mbedtls_ecp_gen_key(grp_id, &ecp,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ if (ret != 0) {
+ mbedtls_ecp_keypair_free(&ecp);
+ return mbedtls_to_psa_error(ret);
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecp_write_key_ext(&ecp, key_buffer_length,
+ key_buffer, key_buffer_size));
+
+ mbedtls_ecp_keypair_free(&ecp);
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
+
+/****************************************************************/
+/* ECDSA sign/verify */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+psa_status_t mbedtls_psa_ecdsa_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ecp = NULL;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t curve_bytes;
+ mbedtls_mpi r, s;
+
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &ecp);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ if (signature_size < 2 * curve_bytes) {
+ ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+ goto cleanup;
+ }
+
+ if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_ext(
+ &ecp->grp, &r, &s,
+ &ecp->d, hash,
+ hash_length, md_alg,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+#else
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ goto cleanup;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ (void) alg;
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign(&ecp->grp, &r, &s, &ecp->d,
+ hash, hash_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&r,
+ signature,
+ curve_bytes));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&s,
+ signature + curve_bytes,
+ curve_bytes));
+cleanup:
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+ if (ret == 0) {
+ *signature_length = 2 * curve_bytes;
+ }
+
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
+{
+ int ret = 0;
+
+ /* Check whether the public part is loaded. If not, load it. */
+ if (mbedtls_ecp_is_zero(&ecp->Q)) {
+ ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q,
+ &ecp->d, &ecp->grp.G,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ }
+
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_ecdsa_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ecp_keypair *ecp = NULL;
+ size_t curve_bytes;
+ mbedtls_mpi r, s;
+
+ (void) alg;
+
+ status = mbedtls_psa_ecp_load_representation(attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &ecp);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ curve_bytes = PSA_BITS_TO_BYTES(ecp->grp.pbits);
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ if (signature_length != 2 * curve_bytes) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto cleanup;
+ }
+
+ status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r,
+ signature,
+ curve_bytes));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s,
+ signature + curve_bytes,
+ curve_bytes));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = mbedtls_psa_ecp_load_public_part(ecp);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash,
+ hash_length, &ecp->Q,
+ &r, &s));
+cleanup:
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+
+ return status;
+}
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+
+/****************************************************************/
+/* ECDH Key Agreement */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
+psa_status_t mbedtls_psa_key_agreement_ecdh(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length,
+ uint8_t *shared_secret, size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ psa_status_t status;
+ if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type) ||
+ !PSA_ALG_IS_ECDH(alg)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ mbedtls_ecp_keypair *ecp = NULL;
+ status = mbedtls_psa_ecp_load_representation(
+ attributes->type,
+ attributes->bits,
+ key_buffer,
+ key_buffer_size,
+ &ecp);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ mbedtls_ecp_keypair *their_key = NULL;
+ mbedtls_ecdh_context ecdh;
+ size_t bits = 0;
+ psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ecp->grp.id, &bits);
+ mbedtls_ecdh_init(&ecdh);
+
+ status = mbedtls_psa_ecp_load_representation(
+ PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve),
+ bits,
+ peer_key,
+ peer_key_length,
+ &their_key);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdh_get_params(&ecdh, their_key, MBEDTLS_ECDH_THEIRS));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdh_get_params(&ecdh, ecp, MBEDTLS_ECDH_OURS));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdh_calc_secret(&ecdh,
+ shared_secret_length,
+ shared_secret, shared_secret_size,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ if (PSA_BITS_TO_BYTES(bits) != *shared_secret_length) {
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+exit:
+ if (status != PSA_SUCCESS) {
+ mbedtls_platform_zeroize(shared_secret, shared_secret_size);
+ }
+ mbedtls_ecdh_free(&ecdh);
+ mbedtls_ecp_keypair_free(their_key);
+ mbedtls_free(their_key);
+ mbedtls_ecp_keypair_free(ecp);
+ mbedtls_free(ecp);
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
+
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h
new file mode 100644
index 0000000..a9f5d59
--- /dev/null
+++ b/library/psa_crypto_ecp.h
@@ -0,0 +1,267 @@
+/*
+ * PSA ECP layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ECP_H
+#define PSA_CRYPTO_ECP_H
+
+#include <psa/crypto.h>
+#include <mbedtls/ecp.h>
+
+/** Load the contents of a key buffer into an internal ECP representation
+ *
+ * \param[in] type The type of key contained in \p data.
+ * \param[in] curve_bits The nominal bit-size of the curve.
+ * It must be consistent with the representation
+ * passed in \p data.
+ * This can be 0, in which case the bit-size
+ * is inferred from \p data_length (which is possible
+ * for all key types and representation formats
+ * formats that are currently supported or will
+ * be in the foreseeable future).
+ * \param[in] data The buffer from which to load the representation.
+ * \param[in] data_length The size in bytes of \p data.
+ * \param[out] p_ecp Returns a pointer to an ECP context on success.
+ * The caller is responsible for freeing both the
+ * contents of the context and the context itself
+ * when done.
+ */
+psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type,
+ size_t curve_bits,
+ const uint8_t *data,
+ size_t data_length,
+ mbedtls_ecp_keypair **p_ecp);
+
+/** Load the public part of an internal ECP, if required.
+ *
+ * \param ecp The ECP context to load the public part for.
+ *
+ * \return PSA_SUCCESS on success, otherwise an MPI error.
+ */
+
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp);
+
+/** Import an ECP key in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * import_key entry point. This function behaves as an import_key
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes for the key to import.
+ * \param[in] data The buffer containing the key data in import
+ * format.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] key_buffer The buffer containing the key data in output
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
+ * size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS The ECP key was imported successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key data is not correctly formatted.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_ecp_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits);
+
+/** Export an ECP key to export representation
+ *
+ * \param[in] type The type of key (public/private) to export
+ * \param[in] ecp The internal ECP representation from which to export
+ * \param[out] data The buffer to export to
+ * \param[in] data_size The length of the buffer to export to
+ * \param[out] data_length The amount of bytes written to \p data
+ */
+psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
+ mbedtls_ecp_keypair *ecp,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/** Export an ECP public key or the public part of an ECP key pair in binary
+ * format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * export_public_key entry point. This function behaves as an
+ * export_public_key entry point as defined in the PSA driver interface
+ * specification.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data
+ *
+ * \retval #PSA_SUCCESS The ECP public key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_ecp_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+/**
+ * \brief Generate an ECP key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the ECP key to generate.
+ * \param[out] key_buffer Buffer where the key data is to be written.
+ * \param[in] key_buffer_size Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length On success, the number of bytes written in
+ * \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was successfully generated.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Key length or type not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ */
+psa_status_t mbedtls_psa_ecp_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+/** Sign an already-calculated hash with ECDSA.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash entry point. This function behaves as a sign_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the ECC key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the ECC key context.
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg Randomized or deterministic ECDSA algorithm.
+ * \param[in] hash The hash or message to sign.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_ECC_KEY_PAIR, \c key_bits,
+ * \p alg) where \c key_bits is the bit-size of the ECC key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t mbedtls_psa_ecdsa_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/**
+ * \brief Verify an ECDSA hash or short message signature.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash entry point. This function behaves as a verify_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the ECC key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the ECC key context.
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg Randomized or deterministic ECDSA algorithm.
+ * \param[in] hash The hash or message whose signature is to be
+ * verified.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_ecdsa_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+
+/** Perform a key agreement and return the raw ECDH shared secret.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * key_agreement entry point. This function behaves as a key_agreement
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the private key
+ * context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in
+ * bytes.
+ * \param[in] alg A key agreement algorithm that is
+ * compatible with the type of the key.
+ * \param[in] peer_key The buffer containing the key context
+ * of the peer's public key.
+ * \param[in] peer_key_length Size of the \p peer_key buffer in
+ * bytes.
+ * \param[out] shared_secret The buffer to which the shared secret
+ * is to be written.
+ * \param[in] shared_secret_size Size of the \p shared_secret buffer in
+ * bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that make
+ * up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ * Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p alg is not a key agreement algorithm, or
+ * \p private_key is not compatible with \p alg,
+ * or \p peer_key is not valid for \p alg or not compatible with
+ * \p private_key.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p shared_secret_size is too small
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not a supported key agreement algorithm.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_key_agreement_ecdh(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *peer_key, size_t peer_key_length,
+ uint8_t *shared_secret, size_t shared_secret_size,
+ size_t *shared_secret_length);
+#endif /* PSA_CRYPTO_ECP_H */
diff --git a/library/psa_crypto_ffdh.c b/library/psa_crypto_ffdh.c
new file mode 100644
index 0000000..ae38f6d
--- /dev/null
+++ b/library/psa_crypto_ffdh.c
@@ -0,0 +1,321 @@
+/*
+ * PSA FFDH layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+/* This header is only needed because it defines
+ * MBEDTLS_DHM_RFC7919_FFDHEXXXX_[P|G]_BIN symbols that are used in
+ * mbedtls_psa_ffdh_set_prime_generator(). Apart from that, this module
+ * only uses bignum functions for arithmetic. */
+#include <mbedtls/dhm.h>
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_ffdh.h"
+#include "psa_crypto_random_impl.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+static psa_status_t mbedtls_psa_ffdh_set_prime_generator(size_t key_size,
+ mbedtls_mpi *P,
+ mbedtls_mpi *G)
+{
+ const unsigned char *dhm_P = NULL;
+ const unsigned char *dhm_G = NULL;
+ size_t dhm_size_P = 0;
+ size_t dhm_size_G = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (P == NULL && G == NULL) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048)
+ static const unsigned char dhm_P_2048[] =
+ MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN;
+ static const unsigned char dhm_G_2048[] =
+ MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072)
+ static const unsigned char dhm_P_3072[] =
+ MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN;
+ static const unsigned char dhm_G_3072[] =
+ MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096)
+ static const unsigned char dhm_P_4096[] =
+ MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN;
+ static const unsigned char dhm_G_4096[] =
+ MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144)
+ static const unsigned char dhm_P_6144[] =
+ MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN;
+ static const unsigned char dhm_G_6144[] =
+ MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192)
+ static const unsigned char dhm_P_8192[] =
+ MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN;
+ static const unsigned char dhm_G_8192[] =
+ MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */
+
+ switch (key_size) {
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048)
+ case sizeof(dhm_P_2048):
+ dhm_P = dhm_P_2048;
+ dhm_G = dhm_G_2048;
+ dhm_size_P = sizeof(dhm_P_2048);
+ dhm_size_G = sizeof(dhm_G_2048);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072)
+ case sizeof(dhm_P_3072):
+ dhm_P = dhm_P_3072;
+ dhm_G = dhm_G_3072;
+ dhm_size_P = sizeof(dhm_P_3072);
+ dhm_size_G = sizeof(dhm_G_3072);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096)
+ case sizeof(dhm_P_4096):
+ dhm_P = dhm_P_4096;
+ dhm_G = dhm_G_4096;
+ dhm_size_P = sizeof(dhm_P_4096);
+ dhm_size_G = sizeof(dhm_G_4096);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144)
+ case sizeof(dhm_P_6144):
+ dhm_P = dhm_P_6144;
+ dhm_G = dhm_G_6144;
+ dhm_size_P = sizeof(dhm_P_6144);
+ dhm_size_G = sizeof(dhm_G_6144);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */
+#if defined(MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192)
+ case sizeof(dhm_P_8192):
+ dhm_P = dhm_P_8192;
+ dhm_G = dhm_G_8192;
+ dhm_size_P = sizeof(dhm_P_8192);
+ dhm_size_G = sizeof(dhm_G_8192);
+ break;
+#endif /* MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */
+ default:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (P != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(P, dhm_P,
+ dhm_size_P));
+ }
+ if (G != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(G, dhm_G,
+ dhm_size_G));
+ }
+
+cleanup:
+ if (ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
+ MBEDTLS_PSA_BUILTIN_ALG_FFDH */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
+psa_status_t mbedtls_psa_ffdh_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi GX, G, X, P;
+ psa_key_type_t type = attributes->type;
+
+ if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
+ if (key_buffer_size > data_size) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ memcpy(data, key_buffer, key_buffer_size);
+ memset(data + key_buffer_size, 0,
+ data_size - key_buffer_size);
+ *data_length = key_buffer_size;
+ return PSA_SUCCESS;
+ }
+
+ mbedtls_mpi_init(&GX); mbedtls_mpi_init(&G);
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&P);
+
+ size_t key_len = PSA_BITS_TO_BYTES(attributes->bits);
+
+ status = mbedtls_psa_ffdh_set_prime_generator(key_len, &P, &G);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
+ key_buffer_size));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&GX, &G, &X, &P, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&GX, data, key_len));
+
+ *data_length = key_len;
+
+ ret = 0;
+cleanup:
+ mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&GX);
+
+ if (status == PSA_SUCCESS && ret != 0) {
+ status = mbedtls_to_psa_error(ret);
+ }
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT ||
+ MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+psa_status_t mbedtls_psa_ffdh_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
+{
+ mbedtls_mpi X, P;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi_init(&P); mbedtls_mpi_init(&X);
+ (void) attributes;
+
+ status = mbedtls_psa_ffdh_set_prime_generator(key_buffer_size, &P, NULL);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ /* RFC7919: Traditional finite field Diffie-Hellman has each peer choose their
+ secret exponent from the range [2, P-2].
+ Select random value in range [3, P-1] and decrease it by 1. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_random(&X, 3, &P, mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&X, &X, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&X, key_buffer, key_buffer_size));
+ *key_buffer_length = key_buffer_size;
+
+cleanup:
+ mbedtls_mpi_free(&P); mbedtls_mpi_free(&X);
+ if (status == PSA_SUCCESS && ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT)
+psa_status_t mbedtls_psa_ffdh_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits)
+{
+ (void) attributes;
+
+ if (key_buffer_size < data_length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ memcpy(key_buffer, data, data_length);
+ *key_buffer_length = data_length;
+ *bits = PSA_BYTES_TO_BITS(data_length);
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
+psa_status_t mbedtls_psa_ffdh_key_agreement(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi P, G, X, GY, K;
+ const size_t calculated_shared_secret_size = peer_key_length;
+
+ if (peer_key_length != key_buffer_size ||
+ calculated_shared_secret_size > shared_secret_size) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (!PSA_KEY_TYPE_IS_DH_KEY_PAIR(psa_get_key_type(attributes))) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ mbedtls_mpi_init(&P); mbedtls_mpi_init(&G);
+ mbedtls_mpi_init(&X); mbedtls_mpi_init(&GY);
+ mbedtls_mpi_init(&K);
+
+ status = mbedtls_psa_ffdh_set_prime_generator(
+ PSA_BITS_TO_BYTES(attributes->bits), &P, &G);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
+ key_buffer_size));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&GY, peer_key,
+ peer_key_length));
+
+ /* Calculate shared secret public key: K = G^(XY) mod P = GY^X mod P */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &GY, &X, &P, NULL));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K, shared_secret,
+ calculated_shared_secret_size));
+
+ *shared_secret_length = calculated_shared_secret_size;
+
+ ret = 0;
+
+cleanup:
+ mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
+ mbedtls_mpi_free(&X); mbedtls_mpi_free(&GY);
+ mbedtls_mpi_free(&K);
+
+ if (status == PSA_SUCCESS && ret != 0) {
+ status = mbedtls_to_psa_error(ret);
+ }
+
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_ffdh.h b/library/psa_crypto_ffdh.h
new file mode 100644
index 0000000..79accd1
--- /dev/null
+++ b/library/psa_crypto_ffdh.h
@@ -0,0 +1,131 @@
+/*
+ * PSA FFDH layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_FFDH_H
+#define PSA_CRYPTO_FFDH_H
+
+#include <psa/crypto.h>
+
+/** Perform a key agreement and return the FFDH shared secret.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] peer_key The buffer containing the key context
+ * of the peer's public key.
+ * \param[in] peer_key_length Size of the \p peer_key buffer in
+ * bytes.
+ * \param[in] key_buffer The buffer containing the private key
+ * context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in
+ * bytes.
+ * \param[out] shared_secret The buffer to which the shared secret
+ * is to be written.
+ * \param[in] shared_secret_size Size of the \p shared_secret buffer in
+ * bytes.
+ * \param[out] shared_secret_length On success, the number of bytes that make
+ * up the returned shared secret.
+ * \retval #PSA_SUCCESS
+ * Success. Shared secret successfully calculated.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p key_buffer_size, \p peer_key_length, \p shared_secret_size
+ * do not match
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_ffdh_key_agreement(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *shared_secret,
+ size_t shared_secret_size,
+ size_t *shared_secret_length);
+
+/** Export a public key or the public part of a DH key pair in binary format.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data
+ *
+ * \retval #PSA_SUCCESS The public key was exported successfully.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_ffdh_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/**
+ * \brief Generate DH key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the key to generate.
+ * \param[out] key_buffer Buffer where the key data is to be written.
+ * \param[in] key_buffer_size Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length On success, the number of bytes written in
+ * \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was generated successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Key size in bits is invalid.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_ffdh_generate_key(
+ const psa_key_attributes_t *attributes,
+ uint8_t *key_buffer,
+ size_t key_buffer_size,
+ size_t *key_buffer_length);
+
+/**
+ * \brief Import DH key.
+ *
+ * \note The signature of the function is that of a PSA driver import_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the key to import.
+ * \param[in] data The buffer containing the key data in import
+ * format.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] key_buffer The buffer containing the key data in output
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
+ * size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was generated successfully.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ */
+psa_status_t mbedtls_psa_ffdh_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits);
+
+#endif /* PSA_CRYPTO_FFDH_H */
diff --git a/library/psa_crypto_hash.c b/library/psa_crypto_hash.c
new file mode 100644
index 0000000..eeb7666
--- /dev/null
+++ b/library/psa_crypto_hash.c
@@ -0,0 +1,470 @@
+/*
+ * PSA hashing layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_hash.h"
+
+#include <mbedtls/error.h>
+#include <string.h>
+
+#if defined(MBEDTLS_PSA_BUILTIN_HASH)
+psa_status_t mbedtls_psa_hash_abort(
+ mbedtls_psa_hash_operation_t *operation)
+{
+ switch (operation->alg) {
+ case 0:
+ /* The object has (apparently) been initialized but it is not
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ break;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ mbedtls_md5_free(&operation->ctx.md5);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ mbedtls_ripemd160_free(&operation->ctx.ripemd160);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ mbedtls_sha1_free(&operation->ctx.sha1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ mbedtls_sha256_free(&operation->ctx.sha256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ mbedtls_sha256_free(&operation->ctx.sha256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ mbedtls_sha512_free(&operation->ctx.sha512);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ mbedtls_sha512_free(&operation->ctx.sha512);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ mbedtls_sha3_free(&operation->ctx.sha3);
+ break;
+#endif
+ default:
+ return PSA_ERROR_BAD_STATE;
+ }
+ operation->alg = 0;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_hash_setup(
+ mbedtls_psa_hash_operation_t *operation,
+ psa_algorithm_t alg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->alg != 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ switch (alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ mbedtls_md5_init(&operation->ctx.md5);
+ ret = mbedtls_md5_starts(&operation->ctx.md5);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ mbedtls_ripemd160_init(&operation->ctx.ripemd160);
+ ret = mbedtls_ripemd160_starts(&operation->ctx.ripemd160);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ mbedtls_sha1_init(&operation->ctx.sha1);
+ ret = mbedtls_sha1_starts(&operation->ctx.sha1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ mbedtls_sha256_init(&operation->ctx.sha256);
+ ret = mbedtls_sha256_starts(&operation->ctx.sha256, 1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ mbedtls_sha256_init(&operation->ctx.sha256);
+ ret = mbedtls_sha256_starts(&operation->ctx.sha256, 0);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ mbedtls_sha512_init(&operation->ctx.sha512);
+ ret = mbedtls_sha512_starts(&operation->ctx.sha512, 1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ mbedtls_sha512_init(&operation->ctx.sha512);
+ ret = mbedtls_sha512_starts(&operation->ctx.sha512, 0);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+ mbedtls_sha3_init(&operation->ctx.sha3);
+ ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_224);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+ mbedtls_sha3_init(&operation->ctx.sha3);
+ ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+ mbedtls_sha3_init(&operation->ctx.sha3);
+ ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_384);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+ mbedtls_sha3_init(&operation->ctx.sha3);
+ ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_512);
+ break;
+#endif
+ default:
+ return PSA_ALG_IS_HASH(alg) ?
+ PSA_ERROR_NOT_SUPPORTED :
+ PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (ret == 0) {
+ operation->alg = alg;
+ } else {
+ mbedtls_psa_hash_abort(operation);
+ }
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_hash_clone(
+ const mbedtls_psa_hash_operation_t *source_operation,
+ mbedtls_psa_hash_operation_t *target_operation)
+{
+ switch (source_operation->alg) {
+ case 0:
+ return PSA_ERROR_BAD_STATE;
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ mbedtls_md5_clone(&target_operation->ctx.md5,
+ &source_operation->ctx.md5);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ mbedtls_ripemd160_clone(&target_operation->ctx.ripemd160,
+ &source_operation->ctx.ripemd160);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ mbedtls_sha1_clone(&target_operation->ctx.sha1,
+ &source_operation->ctx.sha1);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ mbedtls_sha256_clone(&target_operation->ctx.sha256,
+ &source_operation->ctx.sha256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ mbedtls_sha256_clone(&target_operation->ctx.sha256,
+ &source_operation->ctx.sha256);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ mbedtls_sha512_clone(&target_operation->ctx.sha512,
+ &source_operation->ctx.sha512);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ mbedtls_sha512_clone(&target_operation->ctx.sha512,
+ &source_operation->ctx.sha512);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ mbedtls_sha3_clone(&target_operation->ctx.sha3,
+ &source_operation->ctx.sha3);
+ break;
+#endif
+ default:
+ (void) source_operation;
+ (void) target_operation;
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ target_operation->alg = source_operation->alg;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_hash_update(
+ mbedtls_psa_hash_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ switch (operation->alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ ret = mbedtls_md5_update(&operation->ctx.md5,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ ret = mbedtls_ripemd160_update(&operation->ctx.ripemd160,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ ret = mbedtls_sha1_update(&operation->ctx.sha1,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ ret = mbedtls_sha256_update(&operation->ctx.sha256,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ ret = mbedtls_sha256_update(&operation->ctx.sha256,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ ret = mbedtls_sha512_update(&operation->ctx.sha512,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ ret = mbedtls_sha512_update(&operation->ctx.sha512,
+ input, input_length);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ ret = mbedtls_sha3_update(&operation->ctx.sha3,
+ input, input_length);
+ break;
+#endif
+ default:
+ (void) input;
+ (void) input_length;
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ return mbedtls_to_psa_error(ret);
+}
+
+psa_status_t mbedtls_psa_hash_finish(
+ mbedtls_psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t actual_hash_length = PSA_HASH_LENGTH(operation->alg);
+
+ /* Fill the output buffer with something that isn't a valid hash
+ * (barring an attack on the hash and deliberately-crafted input),
+ * in case the caller doesn't check the return status properly. */
+ *hash_length = hash_size;
+ /* If hash_size is 0 then hash may be NULL and then the
+ * call to memset would have undefined behavior. */
+ if (hash_size != 0) {
+ memset(hash, '!', hash_size);
+ }
+
+ if (hash_size < actual_hash_length) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ switch (operation->alg) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_MD5)
+ case PSA_ALG_MD5:
+ ret = mbedtls_md5_finish(&operation->ctx.md5, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160)
+ case PSA_ALG_RIPEMD160:
+ ret = mbedtls_ripemd160_finish(&operation->ctx.ripemd160, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_1)
+ case PSA_ALG_SHA_1:
+ ret = mbedtls_sha1_finish(&operation->ctx.sha1, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_224)
+ case PSA_ALG_SHA_224:
+ ret = mbedtls_sha256_finish(&operation->ctx.sha256, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+ case PSA_ALG_SHA_256:
+ ret = mbedtls_sha256_finish(&operation->ctx.sha256, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_384)
+ case PSA_ALG_SHA_384:
+ ret = mbedtls_sha512_finish(&operation->ctx.sha512, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_512)
+ case PSA_ALG_SHA_512:
+ ret = mbedtls_sha512_finish(&operation->ctx.sha512, hash);
+ break;
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
+ case PSA_ALG_SHA3_224:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
+ case PSA_ALG_SHA3_256:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
+ case PSA_ALG_SHA3_384:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ case PSA_ALG_SHA3_512:
+#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
+ ret = mbedtls_sha3_finish(&operation->ctx.sha3, hash, hash_size);
+ break;
+#endif
+ default:
+ (void) hash;
+ return PSA_ERROR_BAD_STATE;
+ }
+ status = mbedtls_to_psa_error(ret);
+
+exit:
+ if (status == PSA_SUCCESS) {
+ *hash_length = actual_hash_length;
+ }
+ return status;
+}
+
+psa_status_t mbedtls_psa_hash_compute(
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ mbedtls_psa_hash_operation_t operation = MBEDTLS_PSA_HASH_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ *hash_length = hash_size;
+ status = mbedtls_psa_hash_setup(&operation, alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ status = mbedtls_psa_hash_update(&operation, input, input_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ status = mbedtls_psa_hash_finish(&operation, hash, hash_size, hash_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ abort_status = mbedtls_psa_hash_abort(&operation);
+ if (status == PSA_SUCCESS) {
+ return abort_status;
+ } else {
+ return status;
+ }
+
+}
+#endif /* MBEDTLS_PSA_BUILTIN_HASH */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_hash.h b/library/psa_crypto_hash.h
new file mode 100644
index 0000000..0a7be80
--- /dev/null
+++ b/library/psa_crypto_hash.h
@@ -0,0 +1,211 @@
+/*
+ * PSA hashing layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_HASH_H
+#define PSA_CRYPTO_HASH_H
+
+#include <psa/crypto.h>
+
+/** Calculate the hash (digest) of a message using Mbed TLS routines.
+ *
+ * \note The signature of this function is that of a PSA driver hash_compute
+ * entry point. This function behaves as a hash_compute entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ * \param[in] input Buffer containing the message to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] hash Buffer where the hash is to be written.
+ * \param hash_size Size of the \p hash buffer in bytes.
+ * \param[out] hash_length On success, the number of bytes
+ * that make up the hash value. This is always
+ * #PSA_HASH_LENGTH(\p alg).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p hash_size is too small
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_compute(
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length);
+
+/** Set up a multipart hash operation using Mbed TLS routines.
+ *
+ * \note The signature of this function is that of a PSA driver hash_setup
+ * entry point. This function behaves as a hash_setup entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * If an error occurs at any step after a call to mbedtls_psa_hash_setup(), the
+ * operation will need to be reset by a call to mbedtls_psa_hash_abort(). The
+ * core may call mbedtls_psa_hash_abort() at any time after the operation
+ * has been initialized.
+ *
+ * After a successful call to mbedtls_psa_hash_setup(), the core must
+ * eventually terminate the operation. The following events terminate an
+ * operation:
+ * - A successful call to mbedtls_psa_hash_finish() or mbedtls_psa_hash_verify().
+ * - A call to mbedtls_psa_hash_abort().
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized to all-zero and not yet be in use.
+ * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_HASH(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive).
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_setup(
+ mbedtls_psa_hash_operation_t *operation,
+ psa_algorithm_t alg);
+
+/** Clone an Mbed TLS hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver hash_clone
+ * entry point. This function behaves as a hash_clone entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * This function copies the state of an ongoing hash operation to
+ * a new operation object. In other words, this function is equivalent
+ * to calling mbedtls_psa_hash_setup() on \p target_operation with the same
+ * algorithm that \p source_operation was set up for, then
+ * mbedtls_psa_hash_update() on \p target_operation with the same input that
+ * that was passed to \p source_operation. After this function returns, the
+ * two objects are independent, i.e. subsequent calls involving one of
+ * the objects do not affect the other object.
+ *
+ * \param[in] source_operation The active hash operation to clone.
+ * \param[in,out] target_operation The operation object to set up.
+ * It must be initialized but not active.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The \p source_operation state is not valid (it must be active).
+ * \retval #PSA_ERROR_BAD_STATE
+ * The \p target_operation state is not valid (it must be inactive).
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_clone(
+ const mbedtls_psa_hash_operation_t *source_operation,
+ mbedtls_psa_hash_operation_t *target_operation);
+
+/** Add a message fragment to a multipart Mbed TLS hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver hash_update
+ * entry point. This function behaves as a hash_update entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The application must call mbedtls_psa_hash_setup() before calling this function.
+ *
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling mbedtls_psa_hash_abort().
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[in] input Buffer containing the message fragment to hash.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active).
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_update(
+ mbedtls_psa_hash_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Finish the calculation of the Mbed TLS-calculated hash of a message.
+ *
+ * \note The signature of this function is that of a PSA driver hash_finish
+ * entry point. This function behaves as a hash_finish entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The application must call mbedtls_psa_hash_setup() before calling this function.
+ * This function calculates the hash of the message formed by concatenating
+ * the inputs passed to preceding calls to mbedtls_psa_hash_update().
+ *
+ * When this function returns successfully, the operation becomes inactive.
+ * If this function returns an error status, the operation enters an error
+ * state and must be aborted by calling mbedtls_psa_hash_abort().
+ *
+ * \param[in,out] operation Active hash operation.
+ * \param[out] hash Buffer where the hash is to be written.
+ * \param hash_size Size of the \p hash buffer in bytes.
+ * \param[out] hash_length On success, the number of bytes
+ * that make up the hash value. This is always
+ * #PSA_HASH_LENGTH(\c alg) where \c alg is the
+ * hash algorithm that is calculated.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active).
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p hash buffer is too small. You can determine a
+ * sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
+ * where \c alg is the hash algorithm that is calculated.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_finish(
+ mbedtls_psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length);
+
+/** Abort an Mbed TLS hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver hash_abort
+ * entry point. This function behaves as a hash_abort entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * mbedtls_psa_hash_setup() again.
+ *
+ * You may call this function any time after the operation object has
+ * been initialized by one of the methods described in #psa_hash_operation_t.
+ *
+ * In particular, calling mbedtls_psa_hash_abort() after the operation has been
+ * terminated by a call to mbedtls_psa_hash_abort(), mbedtls_psa_hash_finish() or
+ * mbedtls_psa_hash_verify() is safe and has no effect.
+ *
+ * \param[in,out] operation Initialized hash operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_hash_abort(
+ mbedtls_psa_hash_operation_t *operation);
+
+#endif /* PSA_CRYPTO_HASH_H */
diff --git a/library/psa_crypto_invasive.h b/library/psa_crypto_invasive.h
new file mode 100644
index 0000000..51c90c6
--- /dev/null
+++ b/library/psa_crypto_invasive.h
@@ -0,0 +1,92 @@
+/**
+ * \file psa_crypto_invasive.h
+ *
+ * \brief PSA cryptography module: invasive interfaces for test only.
+ *
+ * The interfaces in this file are intended for testing purposes only.
+ * They MUST NOT be made available to clients over IPC in integrations
+ * with isolation, and they SHOULD NOT be made available in library
+ * integrations except when building the library for testing.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_INVASIVE_H
+#define PSA_CRYPTO_INVASIVE_H
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+#include "psa/crypto.h"
+#include "common.h"
+
+#include "mbedtls/entropy.h"
+
+#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/** \brief Configure entropy sources.
+ *
+ * This function may only be called before a call to psa_crypto_init(),
+ * or after a call to mbedtls_psa_crypto_free() and before any
+ * subsequent call to psa_crypto_init().
+ *
+ * This function is only intended for test purposes. The functionality
+ * it provides is also useful for system integrators, but
+ * system integrators should configure entropy drivers instead of
+ * breaking through to the Mbed TLS API.
+ *
+ * \param entropy_init Function to initialize the entropy context
+ * and set up the desired entropy sources.
+ * It is called by psa_crypto_init().
+ * By default this is mbedtls_entropy_init().
+ * This function cannot report failures directly.
+ * To indicate a failure, set the entropy context
+ * to a state where mbedtls_entropy_func() will
+ * return an error.
+ * \param entropy_free Function to free the entropy context
+ * and associated resources.
+ * It is called by mbedtls_psa_crypto_free().
+ * By default this is mbedtls_entropy_free().
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The caller does not have the permission to configure
+ * entropy sources.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has already been initialized.
+ */
+psa_status_t mbedtls_psa_crypto_configure_entropy_sources(
+ void (* entropy_init)(mbedtls_entropy_context *ctx),
+ void (* entropy_free)(mbedtls_entropy_context *ctx));
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_CRYPTO_C)
+psa_status_t psa_mac_key_can_do(
+ psa_algorithm_t algorithm,
+ psa_key_type_t key_type);
+
+psa_status_t psa_crypto_copy_input(const uint8_t *input, size_t input_len,
+ uint8_t *input_copy, size_t input_copy_len);
+
+psa_status_t psa_crypto_copy_output(const uint8_t *output_copy, size_t output_copy_len,
+ uint8_t *output, size_t output_len);
+
+/*
+ * Test hooks to use for memory unpoisoning/poisoning in copy functions.
+ */
+extern void (*psa_input_pre_copy_hook)(const uint8_t *input, size_t input_len);
+extern void (*psa_input_post_copy_hook)(const uint8_t *input, size_t input_len);
+extern void (*psa_output_pre_copy_hook)(const uint8_t *output, size_t output_len);
+extern void (*psa_output_post_copy_hook)(const uint8_t *output, size_t output_len);
+
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_PSA_CRYPTO_C */
+
+#endif /* PSA_CRYPTO_INVASIVE_H */
diff --git a/library/psa_crypto_its.h b/library/psa_crypto_its.h
new file mode 100644
index 0000000..877063b
--- /dev/null
+++ b/library/psa_crypto_its.h
@@ -0,0 +1,131 @@
+/** \file psa_crypto_its.h
+ * \brief Interface of trusted storage that crypto is built on.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ITS_H
+#define PSA_CRYPTO_ITS_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <psa/crypto_types.h>
+#include <psa/crypto_values.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** \brief Flags used when creating a data entry
+ */
+typedef uint32_t psa_storage_create_flags_t;
+
+/** \brief A type for UIDs used for identifying data
+ */
+typedef uint64_t psa_storage_uid_t;
+
+#define PSA_STORAGE_FLAG_NONE 0 /**< No flags to pass */
+#define PSA_STORAGE_FLAG_WRITE_ONCE (1 << 0) /**< The data associated with the uid will not be able to be modified or deleted. Intended to be used to set bits in `psa_storage_create_flags_t`*/
+
+/**
+ * \brief A container for metadata associated with a specific uid
+ */
+struct psa_storage_info_t {
+ uint32_t size; /**< The size of the data associated with a uid **/
+ psa_storage_create_flags_t flags; /**< The flags set when the uid was created **/
+};
+
+/** Flag indicating that \ref psa_storage_create and \ref psa_storage_set_extended are supported */
+#define PSA_STORAGE_SUPPORT_SET_EXTENDED (1 << 0)
+
+#define PSA_ITS_API_VERSION_MAJOR 1 /**< The major version number of the PSA ITS API. It will be incremented on significant updates that may include breaking changes */
+#define PSA_ITS_API_VERSION_MINOR 1 /**< The minor version number of the PSA ITS API. It will be incremented in small updates that are unlikely to include breaking changes */
+
+/**
+ * \brief create a new or modify an existing uid/value pair
+ *
+ * \param[in] uid the identifier for the data
+ * \param[in] data_length The size in bytes of the data in `p_data`
+ * \param[in] p_data A buffer containing the data
+ * \param[in] create_flags The flags that the data will be stored with
+ *
+ * \return A status indicating the success/failure of the operation
+ *
+ * \retval #PSA_SUCCESS The operation completed successfully
+ * \retval #PSA_ERROR_NOT_PERMITTED The operation failed because the provided `uid` value was already created with PSA_STORAGE_FLAG_WRITE_ONCE
+ * \retval #PSA_ERROR_NOT_SUPPORTED The operation failed because one or more of the flags provided in `create_flags` is not supported or is not valid
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE The operation failed because there was insufficient space on the storage medium
+ * \retval #PSA_ERROR_STORAGE_FAILURE The operation failed because the physical storage has failed (Fatal error)
+ * \retval #PSA_ERROR_INVALID_ARGUMENT The operation failed because one of the provided pointers(`p_data`)
+ * is invalid, for example is `NULL` or references memory the caller cannot access
+ */
+psa_status_t psa_its_set(psa_storage_uid_t uid,
+ uint32_t data_length,
+ const void *p_data,
+ psa_storage_create_flags_t create_flags);
+
+/**
+ * \brief Retrieve the value associated with a provided uid
+ *
+ * \param[in] uid The uid value
+ * \param[in] data_offset The starting offset of the data requested
+ * \param[in] data_length the amount of data requested (and the minimum allocated size of the `p_data` buffer)
+ * \param[out] p_data The buffer where the data will be placed upon successful completion
+ * \param[out] p_data_length The amount of data returned in the p_data buffer
+ *
+ *
+ * \return A status indicating the success/failure of the operation
+ *
+ * \retval #PSA_SUCCESS The operation completed successfully
+ * \retval #PSA_ERROR_DOES_NOT_EXIST The operation failed because the provided `uid` value was not found in the storage
+ * \retval #PSA_ERROR_STORAGE_FAILURE The operation failed because the physical storage has failed (Fatal error)
+ * \retval #PSA_ERROR_DATA_CORRUPT The operation failed because stored data has been corrupted
+ * \retval #PSA_ERROR_INVALID_ARGUMENT The operation failed because one of the provided pointers(`p_data`, `p_data_length`)
+ * is invalid. For example is `NULL` or references memory the caller cannot access.
+ * In addition, this can also happen if an invalid offset was provided.
+ */
+psa_status_t psa_its_get(psa_storage_uid_t uid,
+ uint32_t data_offset,
+ uint32_t data_length,
+ void *p_data,
+ size_t *p_data_length);
+
+/**
+ * \brief Retrieve the metadata about the provided uid
+ *
+ * \param[in] uid The uid value
+ * \param[out] p_info A pointer to the `psa_storage_info_t` struct that will be populated with the metadata
+ *
+ * \return A status indicating the success/failure of the operation
+ *
+ * \retval #PSA_SUCCESS The operation completed successfully
+ * \retval #PSA_ERROR_DOES_NOT_EXIST The operation failed because the provided uid value was not found in the storage
+ * \retval #PSA_ERROR_DATA_CORRUPT The operation failed because stored data has been corrupted
+ * \retval #PSA_ERROR_INVALID_ARGUMENT The operation failed because one of the provided pointers(`p_info`)
+ * is invalid, for example is `NULL` or references memory the caller cannot access
+ */
+psa_status_t psa_its_get_info(psa_storage_uid_t uid,
+ struct psa_storage_info_t *p_info);
+
+/**
+ * \brief Remove the provided key and its associated data from the storage
+ *
+ * \param[in] uid The uid value
+ *
+ * \return A status indicating the success/failure of the operation
+ *
+ * \retval #PSA_SUCCESS The operation completed successfully
+ * \retval #PSA_ERROR_DOES_NOT_EXIST The operation failed because the provided key value was not found in the storage
+ * \retval #PSA_ERROR_NOT_PERMITTED The operation failed because the provided key value was created with PSA_STORAGE_FLAG_WRITE_ONCE
+ * \retval #PSA_ERROR_STORAGE_FAILURE The operation failed because the physical storage has failed (Fatal error)
+ */
+psa_status_t psa_its_remove(psa_storage_uid_t uid);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_ITS_H */
diff --git a/library/psa_crypto_mac.c b/library/psa_crypto_mac.c
new file mode 100644
index 0000000..8fe6218
--- /dev/null
+++ b/library/psa_crypto_mac.c
@@ -0,0 +1,496 @@
+/*
+ * PSA MAC layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_cipher.h"
+#include "psa_crypto_mac.h"
+#include <mbedtls/md.h>
+
+#include <mbedtls/error.h>
+#include "mbedtls/constant_time.h"
+#include <string.h>
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+static psa_status_t psa_hmac_abort_internal(
+ mbedtls_psa_hmac_operation_t *hmac)
+{
+ mbedtls_platform_zeroize(hmac->opad, sizeof(hmac->opad));
+ return psa_hash_abort(&hmac->hash_ctx);
+}
+
+static psa_status_t psa_hmac_setup_internal(
+ mbedtls_psa_hmac_operation_t *hmac,
+ const uint8_t *key,
+ size_t key_length,
+ psa_algorithm_t hash_alg)
+{
+ uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
+ size_t i;
+ size_t hash_size = PSA_HASH_LENGTH(hash_alg);
+ size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
+ psa_status_t status;
+
+ hmac->alg = hash_alg;
+
+ /* Sanity checks on block_size, to guarantee that there won't be a buffer
+ * overflow below. This should never trigger if the hash algorithm
+ * is implemented correctly. */
+ /* The size checks against the ipad and opad buffers cannot be written
+ * `block_size > sizeof( ipad ) || block_size > sizeof( hmac->opad )`
+ * because that triggers -Wlogical-op on GCC 7.3. */
+ if (block_size > sizeof(ipad)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (block_size > sizeof(hmac->opad)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (block_size < hash_size) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (key_length > block_size) {
+ status = psa_hash_compute(hash_alg, key, key_length,
+ ipad, sizeof(ipad), &key_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ }
+ /* A 0-length key is not commonly used in HMAC when used as a MAC,
+ * but it is permitted. It is common when HMAC is used in HKDF, for
+ * example. Don't call `memcpy` in the 0-length because `key` could be
+ * an invalid pointer which would make the behavior undefined. */
+ else if (key_length != 0) {
+ memcpy(ipad, key, key_length);
+ }
+
+ /* ipad contains the key followed by garbage. Xor and fill with 0x36
+ * to create the ipad value. */
+ for (i = 0; i < key_length; i++) {
+ ipad[i] ^= 0x36;
+ }
+ memset(ipad + key_length, 0x36, block_size - key_length);
+
+ /* Copy the key material from ipad to opad, flipping the requisite bits,
+ * and filling the rest of opad with the requisite constant. */
+ for (i = 0; i < key_length; i++) {
+ hmac->opad[i] = ipad[i] ^ 0x36 ^ 0x5C;
+ }
+ memset(hmac->opad + key_length, 0x5C, block_size - key_length);
+
+ status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = psa_hash_update(&hmac->hash_ctx, ipad, block_size);
+
+cleanup:
+ mbedtls_platform_zeroize(ipad, sizeof(ipad));
+
+ return status;
+}
+
+static psa_status_t psa_hmac_update_internal(
+ mbedtls_psa_hmac_operation_t *hmac,
+ const uint8_t *data,
+ size_t data_length)
+{
+ return psa_hash_update(&hmac->hash_ctx, data, data_length);
+}
+
+static psa_status_t psa_hmac_finish_internal(
+ mbedtls_psa_hmac_operation_t *hmac,
+ uint8_t *mac,
+ size_t mac_size)
+{
+ uint8_t tmp[PSA_HASH_MAX_SIZE];
+ psa_algorithm_t hash_alg = hmac->alg;
+ size_t hash_size = 0;
+ size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
+ psa_status_t status;
+
+ status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ /* From here on, tmp needs to be wiped. */
+
+ status = psa_hash_setup(&hmac->hash_ctx, hash_alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&hmac->hash_ctx, hmac->opad, block_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_update(&hmac->hash_ctx, tmp, hash_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&hmac->hash_ctx, tmp, sizeof(tmp), &hash_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ memcpy(mac, tmp, mac_size);
+
+exit:
+ mbedtls_platform_zeroize(tmp, hash_size);
+ return status;
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+static psa_status_t cmac_setup(mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(PSA_WANT_KEY_TYPE_DES)
+ /* Mbed TLS CMAC does not accept 3DES with only two keys, nor does it accept
+ * to do CMAC with pure DES, so return NOT_SUPPORTED here. */
+ if (psa_get_key_type(attributes) == PSA_KEY_TYPE_DES &&
+ (psa_get_key_bits(attributes) == 64 ||
+ psa_get_key_bits(attributes) == 128)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+#endif
+
+ const mbedtls_cipher_info_t *cipher_info =
+ mbedtls_cipher_info_from_psa(
+ PSA_ALG_CMAC,
+ psa_get_key_type(attributes),
+ psa_get_key_bits(attributes),
+ NULL);
+
+ if (cipher_info == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ ret = mbedtls_cipher_setup(&operation->ctx.cmac, cipher_info);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_cipher_cmac_starts(&operation->ctx.cmac,
+ key_buffer,
+ psa_get_key_bits(attributes));
+exit:
+ return mbedtls_to_psa_error(ret);
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+
+/* Initialize this driver's MAC operation structure. Once this function has been
+ * called, mbedtls_psa_mac_abort can run and will do the right thing. */
+static psa_status_t mac_init(
+ mbedtls_psa_mac_operation_t *operation,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ operation->alg = alg;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
+ mbedtls_cipher_init(&operation->ctx.cmac);
+ status = PSA_SUCCESS;
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(operation->alg)) {
+ /* We'll set up the hash operation later in psa_hmac_setup_internal. */
+ operation->ctx.hmac.alg = 0;
+ status = PSA_SUCCESS;
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ (void) operation;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status != PSA_SUCCESS) {
+ memset(operation, 0, sizeof(*operation));
+ }
+ return status;
+}
+
+psa_status_t mbedtls_psa_mac_abort(mbedtls_psa_mac_operation_t *operation)
+{
+ if (operation->alg == 0) {
+ /* The object has (apparently) been initialized but it is not
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ } else
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
+ mbedtls_cipher_free(&operation->ctx.cmac);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(operation->alg)) {
+ psa_hmac_abort_internal(&operation->ctx.hmac);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ /* Sanity check (shouldn't happen: operation->alg should
+ * always have been initialized to a valid value). */
+ goto bad_state;
+ }
+
+ operation->alg = 0;
+
+ return PSA_SUCCESS;
+
+bad_state:
+ /* If abort is called on an uninitialized object, we can't trust
+ * anything. Wipe the object in case it contains confidential data.
+ * This may result in a memory leak if a pointer gets overwritten,
+ * but it's too late to do anything about this. */
+ memset(operation, 0, sizeof(*operation));
+ return PSA_ERROR_BAD_STATE;
+}
+
+static psa_status_t psa_mac_setup(mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* A context must be freshly initialized before it can be set up. */
+ if (operation->alg != 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = mac_init(operation, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(alg) == PSA_ALG_CMAC) {
+ /* Key buffer size for CMAC is dictated by the key bits set on the
+ * attributes, and previously validated by the core on key import. */
+ (void) key_buffer_size;
+ status = cmac_setup(operation, attributes, key_buffer);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(alg)) {
+ status = psa_hmac_setup_internal(&operation->ctx.hmac,
+ key_buffer,
+ key_buffer_size,
+ PSA_ALG_HMAC_GET_HASH(alg));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ (void) attributes;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (status != PSA_SUCCESS) {
+ mbedtls_psa_mac_abort(operation);
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_mac_sign_setup(
+ mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ return psa_mac_setup(operation, attributes,
+ key_buffer, key_buffer_size, alg);
+}
+
+psa_status_t mbedtls_psa_mac_verify_setup(
+ mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg)
+{
+ return psa_mac_setup(operation, attributes,
+ key_buffer, key_buffer_size, alg);
+}
+
+psa_status_t mbedtls_psa_mac_update(
+ mbedtls_psa_mac_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length)
+{
+ if (operation->alg == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
+ return mbedtls_to_psa_error(
+ mbedtls_cipher_cmac_update(&operation->ctx.cmac,
+ input, input_length));
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(operation->alg)) {
+ return psa_hmac_update_internal(&operation->ctx.hmac,
+ input, input_length);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ /* This shouldn't happen if `operation` was initialized by
+ * a setup function. */
+ (void) input;
+ (void) input_length;
+ return PSA_ERROR_BAD_STATE;
+ }
+}
+
+static psa_status_t psa_mac_finish_internal(
+ mbedtls_psa_mac_operation_t *operation,
+ uint8_t *mac, size_t mac_size)
+{
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC)
+ if (PSA_ALG_FULL_LENGTH_MAC(operation->alg) == PSA_ALG_CMAC) {
+ uint8_t tmp[PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE];
+ int ret = mbedtls_cipher_cmac_finish(&operation->ctx.cmac, tmp);
+ if (ret == 0) {
+ memcpy(mac, tmp, mac_size);
+ }
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ return mbedtls_to_psa_error(ret);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
+ if (PSA_ALG_IS_HMAC(operation->alg)) {
+ return psa_hmac_finish_internal(&operation->ctx.hmac,
+ mac, mac_size);
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
+ {
+ /* This shouldn't happen if `operation` was initialized by
+ * a setup function. */
+ (void) operation;
+ (void) mac;
+ (void) mac_size;
+ return PSA_ERROR_BAD_STATE;
+ }
+}
+
+psa_status_t mbedtls_psa_mac_sign_finish(
+ mbedtls_psa_mac_operation_t *operation,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->alg == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_mac_finish_internal(operation, mac, mac_size);
+ if (status == PSA_SUCCESS) {
+ *mac_length = mac_size;
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_mac_verify_finish(
+ mbedtls_psa_mac_operation_t *operation,
+ const uint8_t *mac,
+ size_t mac_length)
+{
+ uint8_t actual_mac[PSA_MAC_MAX_SIZE];
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (operation->alg == 0) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ /* Consistency check: requested MAC length fits our local buffer */
+ if (mac_length > sizeof(actual_mac)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ status = psa_mac_finish_internal(operation, actual_mac, mac_length);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ if (mbedtls_ct_memcmp(mac, actual_mac, mac_length) != 0) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+cleanup:
+ mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_mac_compute(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_psa_mac_operation_t operation = MBEDTLS_PSA_MAC_OPERATION_INIT;
+
+ status = psa_mac_setup(&operation,
+ attributes, key_buffer, key_buffer_size,
+ alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (input_length > 0) {
+ status = mbedtls_psa_mac_update(&operation, input, input_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ }
+
+ status = psa_mac_finish_internal(&operation, mac, mac_size);
+ if (status == PSA_SUCCESS) {
+ *mac_length = mac_size;
+ }
+
+exit:
+ mbedtls_psa_mac_abort(&operation);
+
+ return status;
+}
+
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_CMAC */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_mac.h b/library/psa_crypto_mac.h
new file mode 100644
index 0000000..2f614bc
--- /dev/null
+++ b/library/psa_crypto_mac.h
@@ -0,0 +1,264 @@
+/*
+ * PSA MAC layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_MAC_H
+#define PSA_CRYPTO_MAC_H
+
+#include <psa/crypto.h>
+
+/** Calculate the MAC (message authentication code) of a message using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_compute
+ * entry point. This function behaves as a mac_compute entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key to use for
+ * computing the MAC. This buffer contains the key
+ * in export representation as defined by
+ * psa_export_key() (i.e. the raw key bytes).
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The MAC algorithm to use (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ * \param[in] input Buffer containing the input message.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[out] mac Buffer where the MAC value is to be written.
+ * \param mac_size Size of the \p mac buffer in bytes.
+ * \param[out] mac_length On success, the number of bytes
+ * that make up the MAC value.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \p mac_size is too small
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_compute(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length);
+
+/** Set up a multipart MAC calculation operation using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_sign_setup
+ * entry point. This function behaves as a mac_sign_setup entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized and not yet in use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key to use for
+ * computing the MAC. This buffer contains the key
+ * in export representation as defined by
+ * psa_export_key() (i.e. the raw key bytes).
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The MAC algorithm to use (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive).
+ */
+psa_status_t mbedtls_psa_mac_sign_setup(
+ mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Set up a multipart MAC verification operation using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_verify_setup
+ * entry point. This function behaves as a mac_verify_setup entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized and not yet in use.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key to use for
+ * computing the MAC. This buffer contains the key
+ * in export representation as defined by
+ * psa_export_key() (i.e. the raw key bytes).
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param alg The MAC algorithm to use (\c PSA_ALG_XXX value
+ * such that #PSA_ALG_IS_MAC(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \p alg is not supported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be inactive).
+ */
+psa_status_t mbedtls_psa_mac_verify_setup(
+ mbedtls_psa_mac_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg);
+
+/** Add a message fragment to a multipart MAC operation using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_update
+ * entry point. This function behaves as a mac_update entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The PSA core calls mbedtls_psa_mac_sign_setup() or
+ * mbedtls_psa_mac_verify_setup() before calling this function.
+ *
+ * If this function returns an error status, the PSA core aborts the
+ * operation by calling mbedtls_psa_mac_abort().
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[in] input Buffer containing the message fragment to add to
+ * the MAC calculation.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be active).
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_update(
+ mbedtls_psa_mac_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Finish the calculation of the MAC of a message using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver mac_sign_finish
+ * entry point. This function behaves as a mac_sign_finish entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * The PSA core calls mbedtls_psa_mac_sign_setup() before calling this function.
+ * This function calculates the MAC of the message formed by concatenating
+ * the inputs passed to preceding calls to mbedtls_psa_mac_update().
+ *
+ * Whether this function returns successfully or not, the PSA core subsequently
+ * aborts the operation by calling mbedtls_psa_mac_abort().
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[out] mac Buffer where the MAC value is to be written.
+ * \param mac_size Output size requested for the MAC algorithm. The PSA
+ * core guarantees this is a valid MAC length for the
+ * algorithm and key combination passed to
+ * mbedtls_psa_mac_sign_setup(). It also guarantees the
+ * \p mac buffer is large enough to contain the
+ * requested output size.
+ * \param[out] mac_length On success, the number of bytes output to buffer
+ * \p mac, which will be equal to the requested length
+ * \p mac_size.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active mac sign
+ * operation).
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p mac buffer is too small. A sufficient buffer size
+ * can be determined by calling PSA_MAC_LENGTH().
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_sign_finish(
+ mbedtls_psa_mac_operation_t *operation,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length);
+
+/** Finish the calculation of the MAC of a message and compare it with
+ * an expected value using Mbed TLS.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * mac_verify_finish entry point. This function behaves as a
+ * mac_verify_finish entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * The PSA core calls mbedtls_psa_mac_verify_setup() before calling this
+ * function. This function calculates the MAC of the message formed by
+ * concatenating the inputs passed to preceding calls to
+ * mbedtls_psa_mac_update(). It then compares the calculated MAC with the
+ * expected MAC passed as a parameter to this function.
+ *
+ * Whether this function returns successfully or not, the PSA core subsequently
+ * aborts the operation by calling mbedtls_psa_mac_abort().
+ *
+ * \param[in,out] operation Active MAC operation.
+ * \param[in] mac Buffer containing the expected MAC value.
+ * \param mac_length Length in bytes of the expected MAC value. The PSA
+ * core guarantees that this length is a valid MAC
+ * length for the algorithm and key combination passed
+ * to mbedtls_psa_mac_verify_setup().
+ *
+ * \retval #PSA_SUCCESS
+ * The expected MAC is identical to the actual MAC of the message.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The MAC of the message was calculated successfully, but it
+ * differs from the expected MAC.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The operation state is not valid (it must be an active mac verify
+ * operation).
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_verify_finish(
+ mbedtls_psa_mac_operation_t *operation,
+ const uint8_t *mac,
+ size_t mac_length);
+
+/** Abort a MAC operation using Mbed TLS.
+ *
+ * Aborting an operation frees all associated resources except for the
+ * \p operation structure itself. Once aborted, the operation object
+ * can be reused for another operation by calling
+ * mbedtls_psa_mac_sign_setup() or mbedtls_psa_mac_verify_setup() again.
+ *
+ * The PSA core may call this function any time after the operation object has
+ * been initialized by one of the methods described in
+ * #mbedtls_psa_mac_operation_t.
+ *
+ * In particular, calling mbedtls_psa_mac_abort() after the operation has been
+ * terminated by a call to mbedtls_psa_mac_abort(),
+ * mbedtls_psa_mac_sign_finish() or mbedtls_psa_mac_verify_finish() is safe and
+ * has no effect.
+ *
+ * \param[in,out] operation Initialized MAC operation.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_mac_abort(
+ mbedtls_psa_mac_operation_t *operation);
+
+#endif /* PSA_CRYPTO_MAC_H */
diff --git a/library/psa_crypto_pake.c b/library/psa_crypto_pake.c
new file mode 100644
index 0000000..9ac2e8c
--- /dev/null
+++ b/library/psa_crypto_pake.c
@@ -0,0 +1,571 @@
+/*
+ * PSA PAKE layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa_crypto_core.h"
+#include "psa_crypto_pake.h"
+#include "psa_crypto_slot_management.h"
+
+#include <mbedtls/ecjpake.h>
+#include "psa_util_internal.h"
+
+#include <mbedtls/platform.h>
+#include <mbedtls/error.h>
+#include <string.h>
+
+/*
+ * State sequence:
+ *
+ * psa_pake_setup()
+ * |
+ * |-- In any order:
+ * | | psa_pake_set_password_key()
+ * | | psa_pake_set_user()
+ * | | psa_pake_set_peer()
+ * | | psa_pake_set_role()
+ * |
+ * |--- In any order: (First round input before or after first round output)
+ * | |
+ * | |------ In Order
+ * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
+ * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
+ * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
+ * |
+ * |--- In any order: (Second round input before or after second round output)
+ * | |
+ * | |------ In Order
+ * | | | psa_pake_output(PSA_PAKE_STEP_KEY_SHARE)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | | psa_pake_output(PSA_PAKE_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | psa_pake_input(PSA_PAKE_STEP_KEY_SHARE)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PUBLIC)
+ * | | psa_pake_input(PSA_PAKE_STEP_ZK_PROOF)
+ * |
+ * psa_pake_get_implicit_key()
+ * psa_pake_abort()
+ */
+
+/*
+ * Possible sequence of calls to implementation:
+ *
+ * |--- In any order:
+ * | |
+ * | |------ In Order
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_KEY_SHARE)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PROOF)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_KEY_SHARE)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_KEY_SHARE)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PROOF)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_KEY_SHARE)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PROOF)
+ * |
+ * |--- In any order:
+ * | |
+ * | |------ In Order
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_KEY_SHARE)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PUBLIC)
+ * | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PROOF)
+ * | |
+ * | |------ In Order:
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_KEY_SHARE)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PUBLIC)
+ * | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PROOF)
+ */
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+static psa_status_t mbedtls_ecjpake_to_psa_error(int ret)
+{
+ switch (ret) {
+ case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
+ case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
+ case MBEDTLS_ERR_ECP_INVALID_KEY:
+ case MBEDTLS_ERR_ECP_VERIFY_FAILED:
+ return PSA_ERROR_DATA_INVALID;
+ case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
+ case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ case MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE:
+ return PSA_ERROR_NOT_SUPPORTED;
+ case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ default:
+ return PSA_ERROR_GENERIC_ERROR;
+ }
+}
+#endif
+
+#if defined(MBEDTLS_PSA_BUILTIN_PAKE)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+static psa_status_t psa_pake_ecjpake_setup(mbedtls_psa_pake_operation_t *operation)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_ecjpake_init(&operation->ctx.jpake);
+
+ ret = mbedtls_ecjpake_setup(&operation->ctx.jpake,
+ operation->role,
+ MBEDTLS_MD_SHA256,
+ MBEDTLS_ECP_DP_SECP256R1,
+ operation->password,
+ operation->password_len);
+
+ mbedtls_platform_zeroize(operation->password, operation->password_len);
+
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+
+ return PSA_SUCCESS;
+}
+#endif
+
+/* The only two JPAKE user/peer identifiers supported in built-in implementation. */
+static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
+static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
+
+psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
+ const psa_crypto_driver_pake_inputs_t *inputs)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t user_len = 0, peer_len = 0, password_len = 0;
+ uint8_t *peer = NULL, *user = NULL;
+ size_t actual_user_len = 0, actual_peer_len = 0, actual_password_len = 0;
+ psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
+
+ status = psa_crypto_driver_pake_get_password_len(inputs, &password_len);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_crypto_driver_pake_get_user_len(inputs, &user_len);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_crypto_driver_pake_get_peer_len(inputs, &peer_len);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_crypto_driver_pake_get_cipher_suite(inputs, &cipher_suite);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ operation->password = mbedtls_calloc(1, password_len);
+ if (operation->password == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+
+ user = mbedtls_calloc(1, user_len);
+ if (user == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+
+ peer = mbedtls_calloc(1, peer_len);
+ if (peer == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+
+ status = psa_crypto_driver_pake_get_password(inputs, operation->password,
+ password_len, &actual_password_len);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ status = psa_crypto_driver_pake_get_user(inputs, user,
+ user_len, &actual_user_len);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ status = psa_crypto_driver_pake_get_peer(inputs, peer,
+ peer_len, &actual_peer_len);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ operation->password_len = actual_password_len;
+ operation->alg = cipher_suite.algorithm;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ if (cipher_suite.algorithm == PSA_ALG_JPAKE) {
+ if (cipher_suite.type != PSA_PAKE_PRIMITIVE_TYPE_ECC ||
+ cipher_suite.family != PSA_ECC_FAMILY_SECP_R1 ||
+ cipher_suite.bits != 256 ||
+ cipher_suite.hash != PSA_ALG_SHA_256) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto error;
+ }
+
+ const size_t user_peer_len = sizeof(jpake_client_id); // client and server have the same length
+ if (actual_user_len != user_peer_len ||
+ actual_peer_len != user_peer_len) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto error;
+ }
+
+ if (memcmp(user, jpake_client_id, actual_user_len) == 0 &&
+ memcmp(peer, jpake_server_id, actual_peer_len) == 0) {
+ operation->role = MBEDTLS_ECJPAKE_CLIENT;
+ } else
+ if (memcmp(user, jpake_server_id, actual_user_len) == 0 &&
+ memcmp(peer, jpake_client_id, actual_peer_len) == 0) {
+ operation->role = MBEDTLS_ECJPAKE_SERVER;
+ } else {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto error;
+ }
+
+ operation->buffer_length = 0;
+ operation->buffer_offset = 0;
+
+ status = psa_pake_ecjpake_setup(operation);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ /* Role has been set, release user/peer buffers. */
+ mbedtls_free(user); mbedtls_free(peer);
+
+ return PSA_SUCCESS;
+ } else
+#else
+ (void) operation;
+ (void) inputs;
+#endif
+ { status = PSA_ERROR_NOT_SUPPORTED; }
+
+error:
+ mbedtls_free(user); mbedtls_free(peer);
+ /* In case of failure of the setup of a multipart operation, the PSA driver interface
+ * specifies that the core does not call any other driver entry point thus does not
+ * call mbedtls_psa_pake_abort(). Therefore call it here to do the needed clean
+ * up like freeing the memory that may have been allocated to store the password.
+ */
+ mbedtls_psa_pake_abort(operation);
+ return status;
+}
+
+static psa_status_t mbedtls_psa_pake_output_internal(
+ mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t length;
+ (void) step; // Unused parameter
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ /*
+ * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different
+ * handling of output sequencing.
+ *
+ * The Mbed TLS JPAKE API outputs the whole X1+X2 and X2S steps data
+ * at once, on the other side the PSA CRYPTO PAKE api requires
+ * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X2S to be
+ * retrieved in sequence.
+ *
+ * In order to achieve API compatibility, the whole X1+X2 or X2S steps
+ * data is stored in an intermediate buffer at first step output call,
+ * and data is sliced down by parsing the ECPoint records in order
+ * to return the right parts on each step.
+ */
+ if (operation->alg == PSA_ALG_JPAKE) {
+ /* Initialize & write round on KEY_SHARE sequences */
+ if (step == PSA_JPAKE_X1_STEP_KEY_SHARE) {
+ ret = mbedtls_ecjpake_write_round_one(&operation->ctx.jpake,
+ operation->buffer,
+ sizeof(operation->buffer),
+ &operation->buffer_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+
+ operation->buffer_offset = 0;
+ } else if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE) {
+ ret = mbedtls_ecjpake_write_round_two(&operation->ctx.jpake,
+ operation->buffer,
+ sizeof(operation->buffer),
+ &operation->buffer_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+
+ operation->buffer_offset = 0;
+ }
+
+ /*
+ * mbedtls_ecjpake_write_round_xxx() outputs thing in the format
+ * defined by draft-cragie-tls-ecjpake-01 section 7. The summary is
+ * that the data for each step is prepended with a length byte, and
+ * then they're concatenated. Additionally, the server's second round
+ * output is prepended with a 3-bytes ECParameters structure.
+ *
+ * In PSA, we output each step separately, and don't prepend the
+ * output with a length byte, even less a curve identifier, as that
+ * information is already available.
+ */
+ if (step == PSA_JPAKE_X2S_STEP_KEY_SHARE &&
+ operation->role == MBEDTLS_ECJPAKE_SERVER) {
+ /* Skip ECParameters, with is 3 bytes (RFC 8422) */
+ operation->buffer_offset += 3;
+ }
+
+ /* Read the length byte then move past it to the data */
+ length = operation->buffer[operation->buffer_offset];
+ operation->buffer_offset += 1;
+
+ if (operation->buffer_offset + length > operation->buffer_length) {
+ return PSA_ERROR_DATA_CORRUPT;
+ }
+
+ if (output_size < length) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(output,
+ operation->buffer + operation->buffer_offset,
+ length);
+ *output_length = length;
+
+ operation->buffer_offset += length;
+
+ /* Reset buffer after ZK_PROOF sequence */
+ if ((step == PSA_JPAKE_X2_STEP_ZK_PROOF) ||
+ (step == PSA_JPAKE_X2S_STEP_ZK_PROOF)) {
+ mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
+ operation->buffer_length = 0;
+ operation->buffer_offset = 0;
+ }
+
+ return PSA_SUCCESS;
+ } else
+#else
+ (void) step;
+ (void) output;
+ (void) output_size;
+ (void) output_length;
+#endif
+ { return PSA_ERROR_NOT_SUPPORTED; }
+}
+
+psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = mbedtls_psa_pake_output_internal(
+ operation, step, output, output_size, output_length);
+
+ return status;
+}
+
+static psa_status_t mbedtls_psa_pake_input_internal(
+ mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ (void) step; // Unused parameter
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ /*
+ * The PSA CRYPTO PAKE and Mbed TLS JPAKE API have a different
+ * handling of input sequencing.
+ *
+ * The Mbed TLS JPAKE API takes the whole X1+X2 or X4S steps data
+ * at once as input, on the other side the PSA CRYPTO PAKE api requires
+ * the KEY_SHARE/ZP_PUBLIC/ZK_PROOF parts of X1, X2 & X4S to be
+ * given in sequence.
+ *
+ * In order to achieve API compatibility, each X1+X2 or X4S step data
+ * is stored sequentially in an intermediate buffer and given to the
+ * Mbed TLS JPAKE API on the last step.
+ *
+ * This causes any input error to be only detected on the last step.
+ */
+ if (operation->alg == PSA_ALG_JPAKE) {
+ /*
+ * Copy input to local buffer and format it as the Mbed TLS API
+ * expects, i.e. as defined by draft-cragie-tls-ecjpake-01 section 7.
+ * The summary is that the data for each step is prepended with a
+ * length byte, and then they're concatenated. Additionally, the
+ * server's second round output is prepended with a 3-bytes
+ * ECParameters structure - which means we have to prepend that when
+ * we're a client.
+ */
+ if (step == PSA_JPAKE_X4S_STEP_KEY_SHARE &&
+ operation->role == MBEDTLS_ECJPAKE_CLIENT) {
+ /* We only support secp256r1. */
+ /* This is the ECParameters structure defined by RFC 8422. */
+ unsigned char ecparameters[3] = {
+ 3, /* named_curve */
+ 0, 23 /* secp256r1 */
+ };
+
+ if (operation->buffer_length + sizeof(ecparameters) >
+ sizeof(operation->buffer)) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(operation->buffer + operation->buffer_length,
+ ecparameters, sizeof(ecparameters));
+ operation->buffer_length += sizeof(ecparameters);
+ }
+
+ /*
+ * The core checks that input_length is smaller than
+ * PSA_PAKE_INPUT_MAX_SIZE.
+ * Thus no risk of integer overflow here.
+ */
+ if (operation->buffer_length + input_length + 1 > sizeof(operation->buffer)) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /* Write the length byte */
+ operation->buffer[operation->buffer_length] = (uint8_t) input_length;
+ operation->buffer_length += 1;
+
+ /* Finally copy the data */
+ memcpy(operation->buffer + operation->buffer_length,
+ input, input_length);
+ operation->buffer_length += input_length;
+
+ /* Load buffer at each last round ZK_PROOF */
+ if (step == PSA_JPAKE_X2_STEP_ZK_PROOF) {
+ ret = mbedtls_ecjpake_read_round_one(&operation->ctx.jpake,
+ operation->buffer,
+ operation->buffer_length);
+
+ mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
+ operation->buffer_length = 0;
+
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+ } else if (step == PSA_JPAKE_X4S_STEP_ZK_PROOF) {
+ ret = mbedtls_ecjpake_read_round_two(&operation->ctx.jpake,
+ operation->buffer,
+ operation->buffer_length);
+
+ mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
+ operation->buffer_length = 0;
+
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+ }
+
+ return PSA_SUCCESS;
+ } else
+#else
+ (void) step;
+ (void) input;
+ (void) input_length;
+#endif
+ { return PSA_ERROR_NOT_SUPPORTED; }
+}
+
+psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length)
+{
+ psa_status_t status = mbedtls_psa_pake_input_internal(
+ operation, step, input, input_length);
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_pake_get_implicit_key(
+ mbedtls_psa_pake_operation_t *operation,
+ uint8_t *output, size_t output_size,
+ size_t *output_length)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ ret = mbedtls_ecjpake_write_shared_key(&operation->ctx.jpake,
+ output,
+ output_size,
+ output_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ if (ret != 0) {
+ return mbedtls_ecjpake_to_psa_error(ret);
+ }
+
+ return PSA_SUCCESS;
+ } else
+#else
+ (void) output;
+#endif
+ { return PSA_ERROR_NOT_SUPPORTED; }
+}
+
+psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation)
+{
+ mbedtls_zeroize_and_free(operation->password, operation->password_len);
+ operation->password = NULL;
+ operation->password_len = 0;
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)
+ if (operation->alg == PSA_ALG_JPAKE) {
+ operation->role = MBEDTLS_ECJPAKE_NONE;
+ mbedtls_platform_zeroize(operation->buffer, sizeof(operation->buffer));
+ operation->buffer_length = 0;
+ operation->buffer_offset = 0;
+ mbedtls_ecjpake_free(&operation->ctx.jpake);
+ }
+#endif
+
+ operation->alg = PSA_ALG_NONE;
+
+ return PSA_SUCCESS;
+}
+
+#endif /* MBEDTLS_PSA_BUILTIN_PAKE */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h
new file mode 100644
index 0000000..3d3ee0c
--- /dev/null
+++ b/library/psa_crypto_pake.h
@@ -0,0 +1,159 @@
+/*
+ * PSA PAKE layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_PAKE_H
+#define PSA_CRYPTO_PAKE_H
+
+#include <psa/crypto.h>
+
+/** Set the session information for a password-authenticated key exchange.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_setup entry point. This function behaves as a pake_setup
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized but not set up yet.
+ * \param[in] inputs Inputs required for PAKE operation (role, password,
+ * key lifetime, cipher suite)
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * The algorithm in \p cipher_suite is not a supported PAKE algorithm,
+ * or the PAKE primitive in \p cipher_suite is not supported or not
+ * compatible with the PAKE algorithm, or the hash algorithm in
+ * \p cipher_suite is not supported or not compatible with the PAKE
+ * algorithm and primitive.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
+ const psa_crypto_driver_pake_inputs_t *inputs);
+
+
+/** Get output for a step of a password-authenticated key exchange.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_output entry point. This function behaves as a pake_output
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param step The step of the algorithm for which the output is
+ * requested.
+ * \param[out] output Buffer where the output is to be written in the
+ * format appropriate for this driver \p step. Refer to
+ * the documentation of psa_crypto_driver_pake_step_t for
+ * more information.
+ * \param output_size Size of the \p output buffer in bytes. This must
+ * be at least #PSA_PAKE_OUTPUT_SIZE(\p alg, \p
+ * primitive, \p step) where \p alg and
+ * \p primitive are the PAKE algorithm and primitive
+ * in the operation's cipher suite, and \p step is
+ * the output step.
+ *
+ * \param[out] output_length On success, the number of bytes of the returned
+ * output.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small.
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/** Provide input for a step of a password-authenticated key exchange.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_input entry point. This function behaves as a pake_input
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \note The core checks that input_length is smaller than PSA_PAKE_INPUT_MAX_SIZE.
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param step The driver step for which the input is provided.
+ * \param[in] input Buffer containing the input in the format
+ * appropriate for this \p step. Refer to the
+ * documentation of psa_crypto_driver_pake_step_t
+ * for more information.
+ * \param input_length Size of the \p input buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The verification fails for a zero-knowledge input step.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * the \p input is not valid for the \p operation's algorithm, cipher suite
+ * or \p step.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * the \p input is not supported for the \p operation's algorithm, cipher
+ * suite or \p step.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
+ psa_crypto_driver_pake_step_t step,
+ const uint8_t *input,
+ size_t input_length);
+
+/** Get implicitly confirmed shared secret from a PAKE.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_get_implicit_key entry point. This function behaves as a
+ * pake_get_implicit_key entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in,out] operation Active PAKE operation.
+ * \param[out] output Output buffer for implicit key.
+ * \param output_size Size of the output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes of the implicit key.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Input from a PAKE is not supported by the algorithm in the \p output
+ * key derivation operation.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_get_implicit_key(
+ mbedtls_psa_pake_operation_t *operation,
+ uint8_t *output, size_t output_size,
+ size_t *output_length);
+
+/** Abort a PAKE operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * pake_abort entry point. This function behaves as a pake_abort
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in,out] operation The operation to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation);
+
+#endif /* PSA_CRYPTO_PAKE_H */
diff --git a/library/psa_crypto_random_impl.h b/library/psa_crypto_random_impl.h
new file mode 100644
index 0000000..533fb2e
--- /dev/null
+++ b/library/psa_crypto_random_impl.h
@@ -0,0 +1,135 @@
+/** \file psa_crypto_random_impl.h
+ *
+ * \brief PSA crypto random generator implementation abstraction.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_RANDOM_IMPL_H
+#define PSA_CRYPTO_RANDOM_IMPL_H
+
+#include "psa_util_internal.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+
+typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;
+
+#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+#include "mbedtls/entropy.h"
+
+/* Choose a DRBG based on configuration and availability */
+#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
+
+#include "mbedtls/hmac_drbg.h"
+
+#elif defined(MBEDTLS_CTR_DRBG_C)
+
+#include "mbedtls/ctr_drbg.h"
+
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+
+#include "mbedtls/hmac_drbg.h"
+#if defined(MBEDTLS_MD_CAN_SHA512) && defined(MBEDTLS_MD_CAN_SHA256)
+#include <limits.h>
+#if SIZE_MAX > 0xffffffff
+/* Looks like a 64-bit system, so prefer SHA-512. */
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA512
+#else
+/* Looks like a 32-bit system, so prefer SHA-256. */
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
+#endif
+#elif defined(MBEDTLS_MD_CAN_SHA512)
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA512
+#elif defined(MBEDTLS_MD_CAN_SHA256)
+#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
+#else
+#error "No hash algorithm available for HMAC_DBRG."
+#endif
+
+#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+
+#error "No DRBG module available for the psa_crypto module."
+
+#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+
+/* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */
+#if defined(MBEDTLS_CTR_DRBG_C)
+#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t;
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t;
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+
+typedef struct {
+ void (* entropy_init)(mbedtls_entropy_context *ctx);
+ void (* entropy_free)(mbedtls_entropy_context *ctx);
+ mbedtls_entropy_context entropy;
+ mbedtls_psa_drbg_context_t drbg;
+} mbedtls_psa_random_context_t;
+
+/** Initialize the PSA DRBG.
+ *
+ * \param p_rng Pointer to the Mbed TLS DRBG state.
+ */
+static inline void mbedtls_psa_drbg_init(mbedtls_psa_drbg_context_t *p_rng)
+{
+#if defined(MBEDTLS_CTR_DRBG_C)
+ mbedtls_ctr_drbg_init(p_rng);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+ mbedtls_hmac_drbg_init(p_rng);
+#endif
+}
+
+/** Deinitialize the PSA DRBG.
+ *
+ * \param p_rng Pointer to the Mbed TLS DRBG state.
+ */
+static inline void mbedtls_psa_drbg_free(mbedtls_psa_drbg_context_t *p_rng)
+{
+#if defined(MBEDTLS_CTR_DRBG_C)
+ mbedtls_ctr_drbg_free(p_rng);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+ mbedtls_hmac_drbg_free(p_rng);
+#endif
+}
+
+/** Seed the PSA DRBG.
+ *
+ * \param entropy An entropy context to read the seed from.
+ * \param custom The personalization string.
+ * This can be \c NULL, in which case the personalization
+ * string is empty regardless of the value of \p len.
+ * \param len The length of the personalization string.
+ *
+ * \return \c 0 on success.
+ * \return An Mbed TLS error code (\c MBEDTLS_ERR_xxx) on failure.
+ */
+static inline int mbedtls_psa_drbg_seed(mbedtls_psa_drbg_context_t *drbg_ctx,
+ mbedtls_entropy_context *entropy,
+ const unsigned char *custom, size_t len)
+{
+#if defined(MBEDTLS_CTR_DRBG_C)
+ return mbedtls_ctr_drbg_seed(drbg_ctx, mbedtls_entropy_func, entropy, custom, len);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE);
+ return mbedtls_hmac_drbg_seed(drbg_ctx, md_info, mbedtls_entropy_func, entropy, custom, len);
+#endif
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+
+#endif /* PSA_CRYPTO_RANDOM_IMPL_H */
diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
new file mode 100644
index 0000000..2f613b3
--- /dev/null
+++ b/library/psa_crypto_rsa.c
@@ -0,0 +1,706 @@
+/*
+ * PSA RSA layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include <psa/crypto.h>
+#include "psa/crypto_values.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_random_impl.h"
+#include "psa_crypto_rsa.h"
+#include "psa_crypto_hash.h"
+#include "mbedtls/psa_util.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+
+#include <mbedtls/rsa.h>
+#include <mbedtls/error.h>
+#include "rsa_internal.h"
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+
+/* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
+ * that are not a multiple of 8) well. For example, there is only
+ * mbedtls_rsa_get_len(), which returns a number of bytes, and no
+ * way to return the exact bit size of a key.
+ * To keep things simple, reject non-byte-aligned key sizes. */
+static psa_status_t psa_check_rsa_key_byte_aligned(
+ const mbedtls_rsa_context *rsa)
+{
+ mbedtls_mpi n;
+ psa_status_t status;
+ mbedtls_mpi_init(&n);
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_export(rsa, &n, NULL, NULL, NULL, NULL));
+ if (status == PSA_SUCCESS) {
+ if (mbedtls_mpi_bitlen(&n) % 8 != 0) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+ }
+ mbedtls_mpi_free(&n);
+ return status;
+}
+
+psa_status_t mbedtls_psa_rsa_load_representation(
+ psa_key_type_t type, const uint8_t *data, size_t data_length,
+ mbedtls_rsa_context **p_rsa)
+{
+ psa_status_t status;
+ size_t bits;
+
+ *p_rsa = mbedtls_calloc(1, sizeof(mbedtls_rsa_context));
+ if (*p_rsa == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ mbedtls_rsa_init(*p_rsa);
+
+ /* Parse the data. */
+ if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ status = mbedtls_to_psa_error(mbedtls_rsa_parse_key(*p_rsa, data, data_length));
+ } else {
+ status = mbedtls_to_psa_error(mbedtls_rsa_parse_pubkey(*p_rsa, data, data_length));
+ }
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* The size of an RSA key doesn't have to be a multiple of 8. Mbed TLS
+ * supports non-byte-aligned key sizes, but not well. For example,
+ * mbedtls_rsa_get_len() returns the key size in bytes, not in bits. */
+ bits = PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(*p_rsa));
+ if (bits > PSA_VENDOR_RSA_MAX_KEY_BITS) {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+ }
+ status = psa_check_rsa_key_byte_aligned(*p_rsa);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) && \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+psa_status_t mbedtls_psa_rsa_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits)
+{
+ psa_status_t status;
+ mbedtls_rsa_context *rsa = NULL;
+
+ /* Parse input */
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ data,
+ data_length,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *bits = (psa_key_bits_t) PSA_BYTES_TO_BITS(mbedtls_rsa_get_len(rsa));
+
+ /* Re-export the data to PSA export format, such that we can store export
+ * representation in the key slot. Export representation in case of RSA is
+ * the smallest representation that's allowed as input, so a straight-up
+ * allocation of the same size as the input buffer will be large enough. */
+ status = mbedtls_psa_rsa_export_key(attributes->type,
+ rsa,
+ key_buffer,
+ key_buffer_size,
+ key_buffer_length);
+exit:
+ /* Always free the RSA object */
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+
+ return status;
+}
+#endif /* (defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT) &&
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT)) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
+ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
+psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type,
+ mbedtls_rsa_context *rsa,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ int ret;
+ uint8_t *end = data + data_size;
+
+ /* PSA Crypto API defines the format of an RSA key as a DER-encoded
+ * representation of the non-encrypted PKCS#1 RSAPrivateKey for a
+ * private key and of the RFC3279 RSAPublicKey for a public key. */
+ if (PSA_KEY_TYPE_IS_KEY_PAIR(type)) {
+ ret = mbedtls_rsa_write_key(rsa, data, &end);
+ } else {
+ ret = mbedtls_rsa_write_pubkey(rsa, data, &end);
+ }
+
+ if (ret < 0) {
+ /* Clean up in case pk_write failed halfway through. */
+ memset(data, 0, data_size);
+ return mbedtls_to_psa_error(ret);
+ }
+
+ /* The mbedtls_pk_xxx functions write to the end of the buffer.
+ * Move the data to the beginning and erase remaining data
+ * at the original location. */
+ if (2 * (size_t) ret <= data_size) {
+ memcpy(data, data + data_size - ret, ret);
+ memset(data + data_size - ret, 0, ret);
+ } else if ((size_t) ret < data_size) {
+ memmove(data, data + data_size - ret, ret);
+ memset(data + ret, 0, data_size - ret);
+ }
+
+ *data_length = ret;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_rsa_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_rsa_context *rsa = NULL;
+
+ status = mbedtls_psa_rsa_load_representation(
+ attributes->type, key_buffer, key_buffer_size, &rsa);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
+ rsa,
+ data,
+ data_size,
+ data_length);
+
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+static psa_status_t psa_rsa_read_exponent(const uint8_t *e_bytes,
+ size_t e_length,
+ int *exponent)
+{
+ size_t i;
+ uint32_t acc = 0;
+
+ /* Mbed TLS encodes the public exponent as an int. For simplicity, only
+ * support values that fit in a 32-bit integer, which is larger than
+ * int on just about every platform anyway. */
+ if (e_length > sizeof(acc)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ for (i = 0; i < e_length; i++) {
+ acc = (acc << 8) | e_bytes[i];
+ }
+ if (acc > INT_MAX) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ *exponent = acc;
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_rsa_generate_key(
+ const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
+{
+ psa_status_t status;
+ mbedtls_rsa_context rsa;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int exponent = 65537;
+
+ if (params_data_length != 0) {
+ status = psa_rsa_read_exponent(params->data, params_data_length,
+ &exponent);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ mbedtls_rsa_init(&rsa);
+ ret = mbedtls_rsa_gen_key(&rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ (unsigned int) attributes->bits,
+ exponent);
+ if (ret != 0) {
+ return mbedtls_to_psa_error(ret);
+ }
+
+ status = mbedtls_psa_rsa_export_key(attributes->type,
+ &rsa, key_buffer, key_buffer_size,
+ key_buffer_length);
+ mbedtls_rsa_free(&rsa);
+
+ return status;
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) */
+
+/****************************************************************/
+/* Sign/verify hashes */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+
+/* Decode the hash algorithm from alg and store the mbedtls encoding in
+ * md_alg. Verify that the hash length is acceptable. */
+static psa_status_t psa_rsa_decode_md_type(psa_algorithm_t alg,
+ size_t hash_length,
+ mbedtls_md_type_t *md_alg)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ *md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
+
+ /* The Mbed TLS RSA module uses an unsigned int for hash length
+ * parameters. Validate that it fits so that we don't risk an
+ * overflow later. */
+#if SIZE_MAX > UINT_MAX
+ if (hash_length > UINT_MAX) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+#endif
+
+ /* For signatures using a hash, the hash length must be correct. */
+ if (alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW) {
+ if (*md_alg == MBEDTLS_MD_NONE) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ if (mbedtls_md_get_size_from_type(*md_alg) != hash_length) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ }
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t mbedtls_psa_rsa_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_rsa_context *rsa = NULL;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_alg;
+
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ key_buffer,
+ key_buffer_size,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (signature_size < mbedtls_rsa_get_len(rsa)) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
+ ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V15,
+ MBEDTLS_MD_NONE);
+ if (ret == 0) {
+ ret = mbedtls_rsa_pkcs1_sign(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ md_alg,
+ (unsigned int) hash_length,
+ hash,
+ signature);
+ }
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+ if (PSA_ALG_IS_RSA_PSS(alg)) {
+ ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
+
+ if (ret == 0) {
+ ret = mbedtls_rsa_rsassa_pss_sign(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ MBEDTLS_MD_NONE,
+ (unsigned int) hash_length,
+ hash,
+ signature);
+ }
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
+ {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ if (ret == 0) {
+ *signature_length = mbedtls_rsa_get_len(rsa);
+ }
+ status = mbedtls_to_psa_error(ret);
+
+exit:
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+static int rsa_pss_expected_salt_len(psa_algorithm_t alg,
+ const mbedtls_rsa_context *rsa,
+ size_t hash_length)
+{
+ if (PSA_ALG_IS_RSA_PSS_ANY_SALT(alg)) {
+ return MBEDTLS_RSA_SALT_LEN_ANY;
+ }
+ /* Otherwise: standard salt length, i.e. largest possible salt length
+ * up to the hash length. */
+ int klen = (int) mbedtls_rsa_get_len(rsa); // known to fit
+ int hlen = (int) hash_length; // known to fit
+ int room = klen - 2 - hlen;
+ if (room < 0) {
+ return 0; // there is no valid signature in this case anyway
+ } else if (room > hlen) {
+ return hlen;
+ } else {
+ return room;
+ }
+}
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
+
+psa_status_t mbedtls_psa_rsa_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_rsa_context *rsa = NULL;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_alg;
+
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ key_buffer,
+ key_buffer_size,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (signature_length != mbedtls_rsa_get_len(rsa)) {
+ status = PSA_ERROR_INVALID_SIGNATURE;
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN)
+ if (PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)) {
+ ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V15,
+ MBEDTLS_MD_NONE);
+ if (ret == 0) {
+ ret = mbedtls_rsa_pkcs1_verify(rsa,
+ md_alg,
+ (unsigned int) hash_length,
+ hash,
+ signature);
+ }
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS)
+ if (PSA_ALG_IS_RSA_PSS(alg)) {
+ ret = mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
+ if (ret == 0) {
+ int slen = rsa_pss_expected_salt_len(alg, rsa, hash_length);
+ ret = mbedtls_rsa_rsassa_pss_verify_ext(rsa,
+ md_alg,
+ (unsigned) hash_length,
+ hash,
+ md_alg,
+ slen,
+ signature);
+ }
+ } else
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */
+ {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ /* Mbed TLS distinguishes "invalid padding" from "valid padding but
+ * the rest of the signature is invalid". This has little use in
+ * practice and PSA doesn't report this distinction. */
+ status = (ret == MBEDTLS_ERR_RSA_INVALID_PADDING) ?
+ PSA_ERROR_INVALID_SIGNATURE :
+ mbedtls_to_psa_error(ret);
+
+exit:
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+
+ return status;
+}
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */
+
+/****************************************************************/
+/* Asymmetric cryptography */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+static int psa_rsa_oaep_set_padding_mode(psa_algorithm_t alg,
+ mbedtls_rsa_context *rsa)
+{
+ psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH(alg);
+ mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
+
+ /* Just to get the error status right, as rsa_set_padding() doesn't
+ * distinguish between "bad RSA algorithm" and "unknown hash". */
+ if (mbedtls_md_info_from_type(md_alg) == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
+}
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+
+psa_status_t mbedtls_psa_asymmetric_encrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) input;
+ (void) input_length;
+ (void) salt;
+ (void) salt_length;
+ (void) output;
+ (void) output_size;
+ (void) output_length;
+
+ if (PSA_KEY_TYPE_IS_RSA(attributes->type)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+ mbedtls_rsa_context *rsa = NULL;
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ key_buffer,
+ key_buffer_size,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ goto rsa_exit;
+ }
+
+ if (output_size < mbedtls_rsa_get_len(rsa)) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto rsa_exit;
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+ if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_pkcs1_encrypt(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ input_length,
+ input,
+ output));
+#else
+ status = PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
+ } else
+ if (PSA_ALG_IS_RSA_OAEP(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+ status = mbedtls_to_psa_error(
+ psa_rsa_oaep_set_padding_mode(alg, rsa));
+ if (status != PSA_SUCCESS) {
+ goto rsa_exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_rsaes_oaep_encrypt(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ salt, salt_length,
+ input_length,
+ input,
+ output));
+#else
+ status = PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
+ } else {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+rsa_exit:
+ if (status == PSA_SUCCESS) {
+ *output_length = mbedtls_rsa_get_len(rsa);
+ }
+
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+ } else {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return status;
+}
+
+psa_status_t mbedtls_psa_asymmetric_decrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) input;
+ (void) input_length;
+ (void) salt;
+ (void) salt_length;
+ (void) output;
+ (void) output_size;
+ (void) output_length;
+
+ *output_length = 0;
+
+ if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+ mbedtls_rsa_context *rsa = NULL;
+ status = mbedtls_psa_rsa_load_representation(attributes->type,
+ key_buffer,
+ key_buffer_size,
+ &rsa);
+ if (status != PSA_SUCCESS) {
+ goto rsa_exit;
+ }
+
+ if (input_length != mbedtls_rsa_get_len(rsa)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto rsa_exit;
+ }
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+
+ if (alg == PSA_ALG_RSA_PKCS1V15_CRYPT) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT)
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_pkcs1_decrypt(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ output_length,
+ input,
+ output,
+ output_size));
+#else
+ status = PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */
+ } else
+ if (PSA_ALG_IS_RSA_OAEP(alg)) {
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+ status = mbedtls_to_psa_error(
+ psa_rsa_oaep_set_padding_mode(alg, rsa));
+ if (status != PSA_SUCCESS) {
+ goto rsa_exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_rsa_rsaes_oaep_decrypt(rsa,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ salt, salt_length,
+ output_length,
+ input,
+ output,
+ output_size));
+#else
+ status = PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */
+ } else {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP)
+rsa_exit:
+ mbedtls_rsa_free(rsa);
+ mbedtls_free(rsa);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */
+ } else {
+ status = PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return status;
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_rsa.h b/library/psa_crypto_rsa.h
new file mode 100644
index 0000000..ffeef26
--- /dev/null
+++ b/library/psa_crypto_rsa.h
@@ -0,0 +1,327 @@
+/*
+ * PSA RSA layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_RSA_H
+#define PSA_CRYPTO_RSA_H
+
+#include <psa/crypto.h>
+#include <mbedtls/rsa.h>
+
+/** Load the contents of a key buffer into an internal RSA representation
+ *
+ * \param[in] type The type of key contained in \p data.
+ * \param[in] data The buffer from which to load the representation.
+ * \param[in] data_length The size in bytes of \p data.
+ * \param[out] p_rsa Returns a pointer to an RSA context on success.
+ * The caller is responsible for freeing both the
+ * contents of the context and the context itself
+ * when done.
+ */
+psa_status_t mbedtls_psa_rsa_load_representation(psa_key_type_t type,
+ const uint8_t *data,
+ size_t data_length,
+ mbedtls_rsa_context **p_rsa);
+
+/** Import an RSA key in binary format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * import_key entry point. This function behaves as an import_key
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes for the key to import.
+ * \param[in] data The buffer containing the key data in import
+ * format.
+ * \param[in] data_length Size of the \p data buffer in bytes.
+ * \param[out] key_buffer The buffer containing the key data in output
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
+ * size is greater or equal to \p data_length.
+ * \param[out] key_buffer_length The length of the data written in \p
+ * key_buffer in bytes.
+ * \param[out] bits The key size in number of bits.
+ *
+ * \retval #PSA_SUCCESS The RSA key was imported successfully.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * The key data is not correctly formatted.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ */
+psa_status_t mbedtls_psa_rsa_import_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *data, size_t data_length,
+ uint8_t *key_buffer, size_t key_buffer_size,
+ size_t *key_buffer_length, size_t *bits);
+
+/** Export an RSA key to export representation
+ *
+ * \param[in] type The type of key (public/private) to export
+ * \param[in] rsa The internal RSA representation from which to export
+ * \param[out] data The buffer to export to
+ * \param[in] data_size The length of the buffer to export to
+ * \param[out] data_length The amount of bytes written to \p data
+ */
+psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type,
+ mbedtls_rsa_context *rsa,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
+
+/** Export a public RSA key or the public part of an RSA key pair in binary
+ * format.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * export_public_key entry point. This function behaves as an
+ * export_public_key entry point as defined in the PSA driver interface
+ * specification.
+ *
+ * \param[in] attributes The attributes for the key to export.
+ * \param[in] key_buffer Material or context of the key to export.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[out] data Buffer where the key data is to be written.
+ * \param[in] data_size Size of the \p data buffer in bytes.
+ * \param[out] data_length On success, the number of bytes written in
+ * \p data.
+ *
+ * \retval #PSA_SUCCESS The RSA public key was exported successfully.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_rsa_export_public_key(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+/**
+ * \brief Generate an RSA key.
+ *
+ * \note The signature of the function is that of a PSA driver generate_key
+ * entry point.
+ *
+ * \param[in] attributes The attributes for the RSA key to generate.
+ * \param[in] params Production parameters for the key
+ * generation. This function only uses
+ * `params->data`,
+ * which contains the public exponent.
+ * This can be a null pointer if
+ * \c params_data_length is 0.
+ * \param params_data_length Length of `params->data` in bytes.
+ * This can be 0, in which case the
+ * public exponent will be 65537.
+ * \param[out] key_buffer Buffer where the key data is to be written.
+ * \param[in] key_buffer_size Size of \p key_buffer in bytes.
+ * \param[out] key_buffer_length On success, the number of bytes written in
+ * \p key_buffer.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was successfully generated.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Key length or type not supported.
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of \p key_buffer is too small.
+ */
+psa_status_t mbedtls_psa_rsa_generate_key(
+ const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params, size_t params_data_length,
+ uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
+
+/** Sign an already-calculated hash with an RSA private key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash entry point. This function behaves as a sign_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the RSA key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the RSA key context.
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * an RSA key.
+ * \param[in] hash The hash or message to sign.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param[in] signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_RSA_KEY_PAIR, \c key_bits,
+ * \p alg) where \c key_bits is the bit-size of the RSA key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t mbedtls_psa_rsa_sign_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+/**
+ * \brief Verify the signature a hash or short message using a public RSA key.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash entry point. This function behaves as a verify_hash
+ * entry point as defined in the PSA driver interface specification for
+ * transparent drivers.
+ *
+ * \param[in] attributes The attributes of the RSA key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the RSA key context.
+ * format.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * an RSA key.
+ * \param[in] hash The hash or message whose signature is to be
+ * verified.
+ * \param[in] hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param[in] signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_rsa_verify_hash(
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Encrypt a short message with a public key.
+ *
+ * \param attributes The attributes for the key to import.
+ * \param key_buffer Buffer where the key data is to be written.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] salt A salt or label, if supported by the
+ * encryption algorithm.
+ * If the algorithm does not support a
+ * salt, pass \c NULL.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass \c NULL.
+ *
+ * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param salt_length Size of the \p salt buffer in bytes.
+ * If \p salt is \c NULL, pass 0.
+ * \param[out] output Buffer where the encrypted message is to
+ * be written.
+ * \param output_size Size of the \p output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_asymmetric_encrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+/**
+ * \brief Decrypt a short message with a private key.
+ *
+ * \param attributes The attributes for the key to import.
+ * \param key_buffer Buffer where the key data is to be written.
+ * \param key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] input The message to decrypt.
+ * \param input_length Size of the \p input buffer in bytes.
+ * \param[in] salt A salt or label, if supported by the
+ * encryption algorithm.
+ * If the algorithm does not support a
+ * salt, pass \c NULL.
+ * If the algorithm supports an optional
+ * salt and you do not want to pass a salt,
+ * pass \c NULL.
+ *
+ * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
+ * supported.
+ * \param salt_length Size of the \p salt buffer in bytes.
+ * If \p salt is \c NULL, pass 0.
+ * \param[out] output Buffer where the decrypted message is to
+ * be written.
+ * \param output_size Size of the \c output buffer in bytes.
+ * \param[out] output_length On success, the number of bytes
+ * that make up the returned output.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p output buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t mbedtls_psa_asymmetric_decrypt(const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer,
+ size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *salt,
+ size_t salt_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length);
+
+#endif /* PSA_CRYPTO_RSA_H */
diff --git a/library/psa_crypto_se.c b/library/psa_crypto_se.c
new file mode 100644
index 0000000..7a36a4f
--- /dev/null
+++ b/library/psa_crypto_se.c
@@ -0,0 +1,373 @@
+/*
+ * PSA crypto support for secure element drivers
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+
+#include <stdint.h>
+#include <string.h>
+
+#include "psa/crypto_se_driver.h"
+
+#include "psa_crypto_se.h"
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+#include "psa_crypto_its.h"
+#else /* Native ITS implementation */
+#include "psa/error.h"
+#include "psa/internal_trusted_storage.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+
+
+/****************************************************************/
+/* Driver lookup */
+/****************************************************************/
+
+/* This structure is identical to psa_drv_se_context_t declared in
+ * `crypto_se_driver.h`, except that some parts are writable here
+ * (non-const, or pointer to non-const). */
+typedef struct {
+ void *persistent_data;
+ size_t persistent_data_size;
+ uintptr_t transient_data;
+} psa_drv_se_internal_context_t;
+
+struct psa_se_drv_table_entry_s {
+ psa_key_location_t location;
+ const psa_drv_se_t *methods;
+ union {
+ psa_drv_se_internal_context_t internal;
+ psa_drv_se_context_t context;
+ } u;
+};
+
+static psa_se_drv_table_entry_t driver_table[PSA_MAX_SE_DRIVERS];
+
+psa_se_drv_table_entry_t *psa_get_se_driver_entry(
+ psa_key_lifetime_t lifetime)
+{
+ size_t i;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(lifetime);
+ /* In the driver table, location=0 means an entry that isn't used.
+ * No driver has a location of 0 because it's a reserved value
+ * (which designates transparent keys). Make sure we never return
+ * a driver entry for location 0. */
+ if (location == 0) {
+ return NULL;
+ }
+ for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+ if (driver_table[i].location == location) {
+ return &driver_table[i];
+ }
+ }
+ return NULL;
+}
+
+const psa_drv_se_t *psa_get_se_driver_methods(
+ const psa_se_drv_table_entry_t *driver)
+{
+ return driver->methods;
+}
+
+psa_drv_se_context_t *psa_get_se_driver_context(
+ psa_se_drv_table_entry_t *driver)
+{
+ return &driver->u.context;
+}
+
+int psa_get_se_driver(psa_key_lifetime_t lifetime,
+ const psa_drv_se_t **p_methods,
+ psa_drv_se_context_t **p_drv_context)
+{
+ psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry(lifetime);
+ if (p_methods != NULL) {
+ *p_methods = (driver ? driver->methods : NULL);
+ }
+ if (p_drv_context != NULL) {
+ *p_drv_context = (driver ? &driver->u.context : NULL);
+ }
+ return driver != NULL;
+}
+
+
+
+/****************************************************************/
+/* Persistent data management */
+/****************************************************************/
+
+static psa_status_t psa_get_se_driver_its_file_uid(
+ const psa_se_drv_table_entry_t *driver,
+ psa_storage_uid_t *uid)
+{
+ if (driver->location > PSA_MAX_SE_LOCATION) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* ITS file sizes are limited to 32 bits. */
+ if (driver->u.internal.persistent_data_size > UINT32_MAX) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ /* See the documentation of PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE. */
+ *uid = PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + driver->location;
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_load_se_persistent_data(
+ const psa_se_drv_table_entry_t *driver)
+{
+ psa_status_t status;
+ psa_storage_uid_t uid;
+ size_t length;
+
+ status = psa_get_se_driver_its_file_uid(driver, &uid);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Read the amount of persistent data that the driver requests.
+ * If the data in storage is larger, it is truncated. If the data
+ * in storage is smaller, silently keep what is already at the end
+ * of the output buffer. */
+ /* psa_get_se_driver_its_file_uid ensures that the size_t
+ * persistent_data_size is in range, but compilers don't know that,
+ * so cast to reassure them. */
+ return psa_its_get(uid, 0,
+ (uint32_t) driver->u.internal.persistent_data_size,
+ driver->u.internal.persistent_data,
+ &length);
+}
+
+psa_status_t psa_save_se_persistent_data(
+ const psa_se_drv_table_entry_t *driver)
+{
+ psa_status_t status;
+ psa_storage_uid_t uid;
+
+ status = psa_get_se_driver_its_file_uid(driver, &uid);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* psa_get_se_driver_its_file_uid ensures that the size_t
+ * persistent_data_size is in range, but compilers don't know that,
+ * so cast to reassure them. */
+ return psa_its_set(uid,
+ (uint32_t) driver->u.internal.persistent_data_size,
+ driver->u.internal.persistent_data,
+ 0);
+}
+
+psa_status_t psa_destroy_se_persistent_data(psa_key_location_t location)
+{
+ psa_storage_uid_t uid;
+ if (location > PSA_MAX_SE_LOCATION) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ uid = PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + location;
+ return psa_its_remove(uid);
+}
+
+psa_status_t psa_find_se_slot_for_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_creation_method_t method,
+ psa_se_drv_table_entry_t *driver,
+ psa_key_slot_number_t *slot_number)
+{
+ psa_status_t status;
+ psa_key_location_t key_location =
+ PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes));
+
+ /* If the location is wrong, it's a bug in the library. */
+ if (driver->location != key_location) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* If the driver doesn't support key creation in any way, give up now. */
+ if (driver->methods->key_management == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (psa_get_key_slot_number(attributes, slot_number) == PSA_SUCCESS) {
+ /* The application wants to use a specific slot. Allow it if
+ * the driver supports it. On a system with isolation,
+ * the crypto service must check that the application is
+ * permitted to request this slot. */
+ psa_drv_se_validate_slot_number_t p_validate_slot_number =
+ driver->methods->key_management->p_validate_slot_number;
+ if (p_validate_slot_number == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ status = p_validate_slot_number(&driver->u.context,
+ driver->u.internal.persistent_data,
+ attributes, method,
+ *slot_number);
+ } else if (method == PSA_KEY_CREATION_REGISTER) {
+ /* The application didn't specify a slot number. This doesn't
+ * make sense when registering a slot. */
+ return PSA_ERROR_INVALID_ARGUMENT;
+ } else {
+ /* The application didn't tell us which slot to use. Let the driver
+ * choose. This is the normal case. */
+ psa_drv_se_allocate_key_t p_allocate =
+ driver->methods->key_management->p_allocate;
+ if (p_allocate == NULL) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ status = p_allocate(&driver->u.context,
+ driver->u.internal.persistent_data,
+ attributes, method,
+ slot_number);
+ }
+ return status;
+}
+
+psa_status_t psa_destroy_se_key(psa_se_drv_table_entry_t *driver,
+ psa_key_slot_number_t slot_number)
+{
+ psa_status_t status;
+ psa_status_t storage_status;
+ /* Normally a missing method would mean that the action is not
+ * supported. But psa_destroy_key() is not supposed to return
+ * PSA_ERROR_NOT_SUPPORTED: if you can create a key, you should
+ * be able to destroy it. The only use case for a driver that
+ * does not have a way to destroy keys at all is if the keys are
+ * locked in a read-only state: we can use the keys but not
+ * destroy them. Hence, if the driver doesn't support destroying
+ * keys, it's really a lack of permission. */
+ if (driver->methods->key_management == NULL ||
+ driver->methods->key_management->p_destroy == NULL) {
+ return PSA_ERROR_NOT_PERMITTED;
+ }
+ status = driver->methods->key_management->p_destroy(
+ &driver->u.context,
+ driver->u.internal.persistent_data,
+ slot_number);
+ storage_status = psa_save_se_persistent_data(driver);
+ return status == PSA_SUCCESS ? storage_status : status;
+}
+
+psa_status_t psa_init_all_se_drivers(void)
+{
+ size_t i;
+ for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+ psa_se_drv_table_entry_t *driver = &driver_table[i];
+ if (driver->location == 0) {
+ continue; /* skipping unused entry */
+ }
+ const psa_drv_se_t *methods = psa_get_se_driver_methods(driver);
+ if (methods->p_init != NULL) {
+ psa_status_t status = methods->p_init(
+ &driver->u.context,
+ driver->u.internal.persistent_data,
+ driver->location);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_save_se_persistent_data(driver);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+ }
+ return PSA_SUCCESS;
+}
+
+
+
+/****************************************************************/
+/* Driver registration */
+/****************************************************************/
+
+psa_status_t psa_register_se_driver(
+ psa_key_location_t location,
+ const psa_drv_se_t *methods)
+{
+ size_t i;
+ psa_status_t status;
+
+ if (methods->hal_version != PSA_DRV_SE_HAL_VERSION) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+ /* Driver table entries are 0-initialized. 0 is not a valid driver
+ * location because it means a transparent key. */
+ MBEDTLS_STATIC_ASSERT(PSA_KEY_LOCATION_LOCAL_STORAGE == 0,
+ "Secure element support requires 0 to mean a local key");
+
+ if (location == PSA_KEY_LOCATION_LOCAL_STORAGE) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ if (location > PSA_MAX_SE_LOCATION) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+ if (driver_table[i].location == 0) {
+ break;
+ }
+ /* Check that location isn't already in use up to the first free
+ * entry. Since entries are created in order and never deleted,
+ * there can't be a used entry after the first free entry. */
+ if (driver_table[i].location == location) {
+ return PSA_ERROR_ALREADY_EXISTS;
+ }
+ }
+ if (i == PSA_MAX_SE_DRIVERS) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ driver_table[i].location = location;
+ driver_table[i].methods = methods;
+ driver_table[i].u.internal.persistent_data_size =
+ methods->persistent_data_size;
+
+ if (methods->persistent_data_size != 0) {
+ driver_table[i].u.internal.persistent_data =
+ mbedtls_calloc(1, methods->persistent_data_size);
+ if (driver_table[i].u.internal.persistent_data == NULL) {
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ goto error;
+ }
+ /* Load the driver's persistent data. On first use, the persistent
+ * data does not exist in storage, and is initialized to
+ * all-bits-zero by the calloc call just above. */
+ status = psa_load_se_persistent_data(&driver_table[i]);
+ if (status != PSA_SUCCESS && status != PSA_ERROR_DOES_NOT_EXIST) {
+ goto error;
+ }
+ }
+
+ return PSA_SUCCESS;
+
+error:
+ memset(&driver_table[i], 0, sizeof(driver_table[i]));
+ return status;
+}
+
+void psa_unregister_all_se_drivers(void)
+{
+ size_t i;
+ for (i = 0; i < PSA_MAX_SE_DRIVERS; i++) {
+ if (driver_table[i].u.internal.persistent_data != NULL) {
+ mbedtls_free(driver_table[i].u.internal.persistent_data);
+ }
+ }
+ memset(driver_table, 0, sizeof(driver_table));
+}
+
+
+
+/****************************************************************/
+/* The end */
+/****************************************************************/
+
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
diff --git a/library/psa_crypto_se.h b/library/psa_crypto_se.h
new file mode 100644
index 0000000..e0bd5ac
--- /dev/null
+++ b/library/psa_crypto_se.h
@@ -0,0 +1,192 @@
+/*
+ * PSA crypto support for secure element drivers
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_SE_H
+#define PSA_CRYPTO_SE_H
+
+/*
+ * Include the build-time configuration information header. Here, we do not
+ * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
+ * is basically just an alias to it. This is to ease the maintenance of the
+ * TF-PSA-Crypto repository which has a different build system and
+ * configuration.
+ */
+#include "psa/build_info.h"
+
+#include "psa/crypto.h"
+#include "psa/crypto_se_driver.h"
+
+/** The maximum location value that this implementation supports
+ * for a secure element.
+ *
+ * This is not a characteristic that each PSA implementation has, but a
+ * limitation of the current implementation due to the constraints imposed
+ * by storage. See #PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE.
+ *
+ * The minimum location value for a secure element is 1, like on any
+ * PSA implementation (0 means a transparent key).
+ */
+#define PSA_MAX_SE_LOCATION 255
+
+/** The base of the range of ITS file identifiers for secure element
+ * driver persistent data.
+ *
+ * We use a slice of the implementation reserved range 0xffff0000..0xffffffff,
+ * specifically the range 0xfffffe00..0xfffffeff. The length of this range
+ * drives the value of #PSA_MAX_SE_LOCATION. The identifier 0xfffffe00 is
+ * actually not used since it corresponds to #PSA_KEY_LOCATION_LOCAL_STORAGE
+ * which doesn't have a driver.
+ */
+#define PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE ((psa_key_id_t) 0xfffffe00)
+
+/** The maximum number of registered secure element driver locations. */
+#define PSA_MAX_SE_DRIVERS 4
+
+/** Unregister all secure element drivers.
+ *
+ * \warning Do not call this function while the library is in the initialized
+ * state. This function is only intended to be called at the end
+ * of mbedtls_psa_crypto_free().
+ */
+void psa_unregister_all_se_drivers(void);
+
+/** Initialize all secure element drivers.
+ *
+ * Called from psa_crypto_init().
+ */
+psa_status_t psa_init_all_se_drivers(void);
+
+/** A structure that describes a registered secure element driver.
+ *
+ * A secure element driver table entry contains a pointer to the
+ * driver's method table as well as the driver context structure.
+ */
+typedef struct psa_se_drv_table_entry_s psa_se_drv_table_entry_t;
+
+/** Return the secure element driver information for a lifetime value.
+ *
+ * \param lifetime The lifetime value to query.
+ * \param[out] p_methods On output, if there is a driver,
+ * \c *methods points to its method table.
+ * Otherwise \c *methods is \c NULL.
+ * \param[out] p_drv_context On output, if there is a driver,
+ * \c *drv_context points to its context
+ * structure.
+ * Otherwise \c *drv_context is \c NULL.
+ *
+ * \retval 1
+ * \p lifetime corresponds to a registered driver.
+ * \retval 0
+ * \p lifetime does not correspond to a registered driver.
+ */
+int psa_get_se_driver(psa_key_lifetime_t lifetime,
+ const psa_drv_se_t **p_methods,
+ psa_drv_se_context_t **p_drv_context);
+
+/** Return the secure element driver table entry for a lifetime value.
+ *
+ * \param lifetime The lifetime value to query.
+ *
+ * \return The driver table entry for \p lifetime, or
+ * \p NULL if \p lifetime does not correspond to a registered driver.
+ */
+psa_se_drv_table_entry_t *psa_get_se_driver_entry(
+ psa_key_lifetime_t lifetime);
+
+/** Return the method table for a secure element driver.
+ *
+ * \param[in] driver The driver table entry to access, or \c NULL.
+ *
+ * \return The driver's method table.
+ * \c NULL if \p driver is \c NULL.
+ */
+const psa_drv_se_t *psa_get_se_driver_methods(
+ const psa_se_drv_table_entry_t *driver);
+
+/** Return the context of a secure element driver.
+ *
+ * \param[in] driver The driver table entry to access, or \c NULL.
+ *
+ * \return A pointer to the driver context.
+ * \c NULL if \p driver is \c NULL.
+ */
+psa_drv_se_context_t *psa_get_se_driver_context(
+ psa_se_drv_table_entry_t *driver);
+
+/** Find a free slot for a key that is to be created.
+ *
+ * This function calls the relevant method in the driver to find a suitable
+ * slot for a key with the given attributes.
+ *
+ * \param[in] attributes Metadata about the key that is about to be created.
+ * \param[in] driver The driver table entry to query.
+ * \param[out] slot_number On success, a slot number that is free in this
+ * secure element.
+ */
+psa_status_t psa_find_se_slot_for_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_creation_method_t method,
+ psa_se_drv_table_entry_t *driver,
+ psa_key_slot_number_t *slot_number);
+
+/** Destroy a key in a secure element.
+ *
+ * This function calls the relevant driver method to destroy a key
+ * and updates the driver's persistent data.
+ */
+psa_status_t psa_destroy_se_key(psa_se_drv_table_entry_t *driver,
+ psa_key_slot_number_t slot_number);
+
+/** Load the persistent data of a secure element driver.
+ *
+ * \param driver The driver table entry containing the persistent
+ * data to load from storage.
+ *
+ * \return #PSA_SUCCESS
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * \return #PSA_ERROR_DOES_NOT_EXIST
+ * \return #PSA_ERROR_STORAGE_FAILURE
+ * \return #PSA_ERROR_DATA_CORRUPT
+ * \return #PSA_ERROR_INVALID_ARGUMENT
+ */
+psa_status_t psa_load_se_persistent_data(
+ const psa_se_drv_table_entry_t *driver);
+
+/** Save the persistent data of a secure element driver.
+ *
+ * \param[in] driver The driver table entry containing the persistent
+ * data to save to storage.
+ *
+ * \return #PSA_SUCCESS
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * \return #PSA_ERROR_NOT_PERMITTED
+ * \return #PSA_ERROR_NOT_SUPPORTED
+ * \return #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \return #PSA_ERROR_STORAGE_FAILURE
+ * \return #PSA_ERROR_INVALID_ARGUMENT
+ */
+psa_status_t psa_save_se_persistent_data(
+ const psa_se_drv_table_entry_t *driver);
+
+/** Destroy the persistent data of a secure element driver.
+ *
+ * This is currently only used for testing.
+ *
+ * \param[in] location The location identifier for the driver whose
+ * persistent data is to be erased.
+ */
+psa_status_t psa_destroy_se_persistent_data(psa_key_location_t location);
+
+
+/** The storage representation of a key whose data is in a secure element.
+ */
+typedef struct {
+ uint8_t slot_number[sizeof(psa_key_slot_number_t)];
+} psa_se_key_data_storage_t;
+
+#endif /* PSA_CRYPTO_SE_H */
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
new file mode 100644
index 0000000..b184ed0
--- /dev/null
+++ b/library/psa_crypto_slot_management.c
@@ -0,0 +1,685 @@
+/*
+ * PSA crypto layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include "psa/crypto.h"
+
+#include "psa_crypto_core.h"
+#include "psa_crypto_driver_wrappers_no_static.h"
+#include "psa_crypto_slot_management.h"
+#include "psa_crypto_storage.h"
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#include "psa_crypto_se.h"
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+#include "mbedtls/platform.h"
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+typedef struct {
+ psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
+ uint8_t key_slots_initialized;
+} psa_global_data_t;
+
+static psa_global_data_t global_data;
+
+static uint8_t psa_get_key_slots_initialized(void)
+{
+ uint8_t initialized;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_lock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ initialized = global_data.key_slots_initialized;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_unlock(&mbedtls_threading_psa_globaldata_mutex);
+#endif /* defined(MBEDTLS_THREADING_C) */
+
+ return initialized;
+}
+
+int psa_is_valid_key_id(mbedtls_svc_key_id_t key, int vendor_ok)
+{
+ psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
+
+ if ((PSA_KEY_ID_USER_MIN <= key_id) &&
+ (key_id <= PSA_KEY_ID_USER_MAX)) {
+ return 1;
+ }
+
+ if (vendor_ok &&
+ (PSA_KEY_ID_VENDOR_MIN <= key_id) &&
+ (key_id <= PSA_KEY_ID_VENDOR_MAX)) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/** Get the description in memory of a key given its identifier and lock it.
+ *
+ * The descriptions of volatile keys and loaded persistent keys are
+ * stored in key slots. This function returns a pointer to the key slot
+ * containing the description of a key given its identifier.
+ *
+ * The function searches the key slots containing the description of the key
+ * with \p key identifier. The function does only read accesses to the key
+ * slots. The function does not load any persistent key thus does not access
+ * any storage.
+ *
+ * For volatile key identifiers, only one key slot is queried as a volatile
+ * key with identifier key_id can only be stored in slot of index
+ * ( key_id - #PSA_KEY_ID_VOLATILE_MIN ).
+ *
+ * On success, the function locks the key slot. It is the responsibility of
+ * the caller to unlock the key slot when it does not access it anymore.
+ *
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param key Key identifier to query.
+ * \param[out] p_slot On success, `*p_slot` contains a pointer to the
+ * key slot containing the description of the key
+ * identified by \p key.
+ *
+ * \retval #PSA_SUCCESS
+ * The pointer to the key slot containing the description of the key
+ * identified by \p key was returned.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p key is not a valid key identifier.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There is no key with key identifier \p key in the key slots.
+ */
+static psa_status_t psa_get_and_lock_key_slot_in_memory(
+ mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
+ size_t slot_idx;
+ psa_key_slot_t *slot = NULL;
+
+ if (psa_key_id_is_volatile(key_id)) {
+ slot = &global_data.key_slots[key_id - PSA_KEY_ID_VOLATILE_MIN];
+
+ /* Check if both the PSA key identifier key_id and the owner
+ * identifier of key match those of the key slot. */
+ if ((slot->state == PSA_SLOT_FULL) &&
+ (mbedtls_svc_key_id_equal(key, slot->attr.id))) {
+ status = PSA_SUCCESS;
+ } else {
+ status = PSA_ERROR_DOES_NOT_EXIST;
+ }
+ } else {
+ if (!psa_is_valid_key_id(key, 1)) {
+ return PSA_ERROR_INVALID_HANDLE;
+ }
+
+ for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+ slot = &global_data.key_slots[slot_idx];
+ /* Only consider slots which are in a full state. */
+ if ((slot->state == PSA_SLOT_FULL) &&
+ (mbedtls_svc_key_id_equal(key, slot->attr.id))) {
+ break;
+ }
+ }
+ status = (slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT) ?
+ PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST;
+ }
+
+ if (status == PSA_SUCCESS) {
+ status = psa_register_read(slot);
+ if (status == PSA_SUCCESS) {
+ *p_slot = slot;
+ }
+ }
+
+ return status;
+}
+
+psa_status_t psa_initialize_key_slots(void)
+{
+ /* Nothing to do: program startup and psa_wipe_all_key_slots() both
+ * guarantee that the key slots are initialized to all-zero, which
+ * means that all the key slots are in a valid, empty state. The global
+ * data mutex is already held when calling this function, so no need to
+ * lock it here, to set the flag. */
+ global_data.key_slots_initialized = 1;
+ return PSA_SUCCESS;
+}
+
+void psa_wipe_all_key_slots(void)
+{
+ size_t slot_idx;
+
+ for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+ psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
+ slot->registered_readers = 1;
+ slot->state = PSA_SLOT_PENDING_DELETION;
+ (void) psa_wipe_key_slot(slot);
+ }
+ /* The global data mutex is already held when calling this function. */
+ global_data.key_slots_initialized = 0;
+}
+
+psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id,
+ psa_key_slot_t **p_slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t slot_idx;
+ psa_key_slot_t *selected_slot, *unused_persistent_key_slot;
+
+ if (!psa_get_key_slots_initialized()) {
+ status = PSA_ERROR_BAD_STATE;
+ goto error;
+ }
+
+ selected_slot = unused_persistent_key_slot = NULL;
+ for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+ psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
+ if (slot->state == PSA_SLOT_EMPTY) {
+ selected_slot = slot;
+ break;
+ }
+
+ if ((unused_persistent_key_slot == NULL) &&
+ (slot->state == PSA_SLOT_FULL) &&
+ (!psa_key_slot_has_readers(slot)) &&
+ (!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime))) {
+ unused_persistent_key_slot = slot;
+ }
+ }
+
+ /*
+ * If there is no unused key slot and there is at least one unlocked key
+ * slot containing the description of a persistent key, recycle the first
+ * such key slot we encountered. If we later need to operate on the
+ * persistent key we are evicting now, we will reload its description from
+ * storage.
+ */
+ if ((selected_slot == NULL) &&
+ (unused_persistent_key_slot != NULL)) {
+ selected_slot = unused_persistent_key_slot;
+ psa_register_read(selected_slot);
+ status = psa_wipe_key_slot(selected_slot);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+ }
+
+ if (selected_slot != NULL) {
+ status = psa_key_slot_state_transition(selected_slot, PSA_SLOT_EMPTY,
+ PSA_SLOT_FILLING);
+ if (status != PSA_SUCCESS) {
+ goto error;
+ }
+
+ *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN +
+ ((psa_key_id_t) (selected_slot - global_data.key_slots));
+ *p_slot = selected_slot;
+
+ return PSA_SUCCESS;
+ }
+ status = PSA_ERROR_INSUFFICIENT_MEMORY;
+
+error:
+ *p_slot = NULL;
+ *volatile_key_id = 0;
+
+ return status;
+}
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+static psa_status_t psa_load_persistent_key_into_slot(psa_key_slot_t *slot)
+{
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t *key_data = NULL;
+ size_t key_data_length = 0;
+
+ status = psa_load_persistent_key(&slot->attr,
+ &key_data, &key_data_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* Special handling is required for loading keys associated with a
+ * dynamically registered SE interface. */
+ const psa_drv_se_t *drv;
+ psa_drv_se_context_t *drv_context;
+ if (psa_get_se_driver(slot->attr.lifetime, &drv, &drv_context)) {
+ psa_se_key_data_storage_t *data;
+
+ if (key_data_length != sizeof(*data)) {
+ status = PSA_ERROR_DATA_INVALID;
+ goto exit;
+ }
+ data = (psa_se_key_data_storage_t *) key_data;
+ status = psa_copy_key_material_into_slot(
+ slot, data->slot_number, sizeof(data->slot_number));
+ goto exit;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ status = psa_copy_key_material_into_slot(slot, key_data, key_data_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+ psa_free_persistent_key_data(key_data, key_data_length);
+ return status;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+
+static psa_status_t psa_load_builtin_key_into_slot(psa_key_slot_t *slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE;
+ psa_drv_slot_number_t slot_number = 0;
+ size_t key_buffer_size = 0;
+ size_t key_buffer_length = 0;
+
+ if (!psa_key_id_is_builtin(
+ MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id))) {
+ return PSA_ERROR_DOES_NOT_EXIST;
+ }
+
+ /* Check the platform function to see whether this key actually exists */
+ status = mbedtls_psa_platform_get_builtin_key(
+ slot->attr.id, &lifetime, &slot_number);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Set required key attributes to ensure get_builtin_key can retrieve the
+ * full attributes. */
+ psa_set_key_id(&attributes, slot->attr.id);
+ psa_set_key_lifetime(&attributes, lifetime);
+
+ /* Get the full key attributes from the driver in order to be able to
+ * calculate the required buffer size. */
+ status = psa_driver_wrapper_get_builtin_key(
+ slot_number, &attributes,
+ NULL, 0, NULL);
+ if (status != PSA_ERROR_BUFFER_TOO_SMALL) {
+ /* Builtin keys cannot be defined by the attributes alone */
+ if (status == PSA_SUCCESS) {
+ status = PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ return status;
+ }
+
+ /* If the key should exist according to the platform, then ask the driver
+ * what its expected size is. */
+ status = psa_driver_wrapper_get_key_buffer_size(&attributes,
+ &key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Allocate a buffer of the required size and load the builtin key directly
+ * into the (now properly sized) slot buffer. */
+ status = psa_allocate_buffer_to_slot(slot, key_buffer_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_driver_wrapper_get_builtin_key(
+ slot_number, &attributes,
+ slot->key.data, slot->key.bytes, &key_buffer_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ /* Copy actual key length and core attributes into the slot on success */
+ slot->key.bytes = key_buffer_length;
+ slot->attr = attributes;
+exit:
+ if (status != PSA_SUCCESS) {
+ psa_remove_key_data_from_memory(slot);
+ }
+ return status;
+}
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+
+psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
+ psa_key_slot_t **p_slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ *p_slot = NULL;
+ if (!psa_get_key_slots_initialized()) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* We need to set status as success, otherwise CORRUPTION_DETECTED
+ * would be returned if the lock fails. */
+ status = PSA_SUCCESS;
+ /* If the key is persistent and not loaded, we cannot unlock the mutex
+ * between checking if the key is loaded and setting the slot as FULL,
+ * as otherwise another thread may load and then destroy the key
+ * in the meantime. */
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ /*
+ * On success, the pointer to the slot is passed directly to the caller
+ * thus no need to unlock the key slot here.
+ */
+ status = psa_get_and_lock_key_slot_in_memory(key, p_slot);
+ if (status != PSA_ERROR_DOES_NOT_EXIST) {
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+
+ /* Loading keys from storage requires support for such a mechanism */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \
+ defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+ psa_key_id_t volatile_key_id;
+
+ status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
+ if (status != PSA_SUCCESS) {
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+
+ (*p_slot)->attr.id = key;
+ (*p_slot)->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
+
+ status = PSA_ERROR_DOES_NOT_EXIST;
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+ /* Load keys in the 'builtin' range through their own interface */
+ status = psa_load_builtin_key_into_slot(*p_slot);
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if (status == PSA_ERROR_DOES_NOT_EXIST) {
+ status = psa_load_persistent_key_into_slot(*p_slot);
+ }
+#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
+
+ if (status != PSA_SUCCESS) {
+ psa_wipe_key_slot(*p_slot);
+
+ if (status == PSA_ERROR_DOES_NOT_EXIST) {
+ status = PSA_ERROR_INVALID_HANDLE;
+ }
+ } else {
+ /* Add implicit usage flags. */
+ psa_extend_key_usage_flags(&(*p_slot)->attr.policy.usage);
+
+ psa_key_slot_state_transition((*p_slot), PSA_SLOT_FILLING,
+ PSA_SLOT_FULL);
+ status = psa_register_read(*p_slot);
+ }
+
+#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+ status = PSA_ERROR_INVALID_HANDLE;
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+}
+
+psa_status_t psa_unregister_read(psa_key_slot_t *slot)
+{
+ if (slot == NULL) {
+ return PSA_SUCCESS;
+ }
+ if ((slot->state != PSA_SLOT_FULL) &&
+ (slot->state != PSA_SLOT_PENDING_DELETION)) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ /* If we are the last reader and the slot is marked for deletion,
+ * we must wipe the slot here. */
+ if ((slot->state == PSA_SLOT_PENDING_DELETION) &&
+ (slot->registered_readers == 1)) {
+ return psa_wipe_key_slot(slot);
+ }
+
+ if (psa_key_slot_has_readers(slot)) {
+ slot->registered_readers--;
+ return PSA_SUCCESS;
+ }
+
+ /*
+ * As the return error code may not be handled in case of multiple errors,
+ * do our best to report if there are no registered readers. Assert with
+ * MBEDTLS_TEST_HOOK_TEST_ASSERT that there are registered readers:
+ * if the MBEDTLS_TEST_HOOKS configuration option is enabled and
+ * the function is called as part of the execution of a test suite, the
+ * execution of the test suite is stopped in error if the assertion fails.
+ */
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(psa_key_slot_has_readers(slot));
+ return PSA_ERROR_CORRUPTION_DETECTED;
+}
+
+psa_status_t psa_unregister_read_under_mutex(psa_key_slot_t *slot)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_THREADING_C)
+ /* We need to set status as success, otherwise CORRUPTION_DETECTED
+ * would be returned if the lock fails. */
+ status = PSA_SUCCESS;
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ status = psa_unregister_read(slot);
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+}
+
+psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
+ psa_se_drv_table_entry_t **p_drv)
+{
+ if (psa_key_lifetime_is_external(lifetime)) {
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ /* Check whether a driver is registered against this lifetime */
+ psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry(lifetime);
+ if (driver != NULL) {
+ if (p_drv != NULL) {
+ *p_drv = driver;
+ }
+ return PSA_SUCCESS;
+ }
+#else /* MBEDTLS_PSA_CRYPTO_SE_C */
+ (void) p_drv;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
+ /* Key location for external keys gets checked by the wrapper */
+ return PSA_SUCCESS;
+ } else {
+ /* Local/internal keys are always valid */
+ return PSA_SUCCESS;
+ }
+}
+
+psa_status_t psa_validate_key_persistence(psa_key_lifetime_t lifetime)
+{
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
+ /* Volatile keys are always supported */
+ return PSA_SUCCESS;
+ } else {
+ /* Persistent keys require storage support */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ if (PSA_KEY_LIFETIME_IS_READ_ONLY(lifetime)) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ } else {
+ return PSA_SUCCESS;
+ }
+#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */
+ }
+}
+
+psa_status_t psa_open_key(mbedtls_svc_key_id_t key, psa_key_handle_t *handle)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \
+ defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+ psa_status_t status;
+ psa_key_slot_t *slot;
+
+ status = psa_get_and_lock_key_slot(key, &slot);
+ if (status != PSA_SUCCESS) {
+ *handle = PSA_KEY_HANDLE_INIT;
+ if (status == PSA_ERROR_INVALID_HANDLE) {
+ status = PSA_ERROR_DOES_NOT_EXIST;
+ }
+
+ return status;
+ }
+
+ *handle = key;
+
+ return psa_unregister_read_under_mutex(slot);
+
+#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+ (void) key;
+ *handle = PSA_KEY_HANDLE_INIT;
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+}
+
+psa_status_t psa_close_key(psa_key_handle_t handle)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ if (psa_key_handle_is_null(handle)) {
+ return PSA_SUCCESS;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ /* We need to set status as success, otherwise CORRUPTION_DETECTED
+ * would be returned if the lock fails. */
+ status = PSA_SUCCESS;
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ status = psa_get_and_lock_key_slot_in_memory(handle, &slot);
+ if (status != PSA_SUCCESS) {
+ if (status == PSA_ERROR_DOES_NOT_EXIST) {
+ status = PSA_ERROR_INVALID_HANDLE;
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+
+ if (slot->registered_readers == 1) {
+ status = psa_wipe_key_slot(slot);
+ } else {
+ status = psa_unregister_read(slot);
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+
+ return status;
+}
+
+psa_status_t psa_purge_key(mbedtls_svc_key_id_t key)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+#if defined(MBEDTLS_THREADING_C)
+ /* We need to set status as success, otherwise CORRUPTION_DETECTED
+ * would be returned if the lock fails. */
+ status = PSA_SUCCESS;
+ PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ status = psa_get_and_lock_key_slot_in_memory(key, &slot);
+ if (status != PSA_SUCCESS) {
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+ return status;
+ }
+
+ if ((!PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) &&
+ (slot->registered_readers == 1)) {
+ status = psa_wipe_key_slot(slot);
+ } else {
+ status = psa_unregister_read(slot);
+ }
+#if defined(MBEDTLS_THREADING_C)
+ PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
+ &mbedtls_threading_key_slot_mutex));
+#endif
+
+ return status;
+}
+
+void mbedtls_psa_get_stats(mbedtls_psa_stats_t *stats)
+{
+ size_t slot_idx;
+
+ memset(stats, 0, sizeof(*stats));
+
+ for (slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++) {
+ const psa_key_slot_t *slot = &global_data.key_slots[slot_idx];
+ if (psa_key_slot_has_readers(slot)) {
+ ++stats->locked_slots;
+ }
+ if (slot->state == PSA_SLOT_EMPTY) {
+ ++stats->empty_slots;
+ continue;
+ }
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+ ++stats->volatile_slots;
+ } else {
+ psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
+ ++stats->persistent_slots;
+ if (id > stats->max_open_internal_key_id) {
+ stats->max_open_internal_key_id = id;
+ }
+ }
+ if (PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime) !=
+ PSA_KEY_LOCATION_LOCAL_STORAGE) {
+ psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot->attr.id);
+ ++stats->external_slots;
+ if (id > stats->max_open_external_key_id) {
+ stats->max_open_external_key_id = id;
+ }
+ }
+ }
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
new file mode 100644
index 0000000..bcfc9d8
--- /dev/null
+++ b/library/psa_crypto_slot_management.h
@@ -0,0 +1,285 @@
+/*
+ * PSA crypto layer on top of Mbed TLS crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_SLOT_MANAGEMENT_H
+#define PSA_CRYPTO_SLOT_MANAGEMENT_H
+
+#include "psa/crypto.h"
+#include "psa_crypto_core.h"
+#include "psa_crypto_se.h"
+
+/** Range of volatile key identifiers.
+ *
+ * The last #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation
+ * range of key identifiers are reserved for volatile key identifiers.
+ * A volatile key identifier is equal to #PSA_KEY_ID_VOLATILE_MIN plus the
+ * index of the key slot containing the volatile key definition.
+ */
+
+/** The minimum value for a volatile key identifier.
+ */
+#define PSA_KEY_ID_VOLATILE_MIN (PSA_KEY_ID_VENDOR_MAX - \
+ MBEDTLS_PSA_KEY_SLOT_COUNT + 1)
+
+/** The maximum value for a volatile key identifier.
+ */
+#define PSA_KEY_ID_VOLATILE_MAX PSA_KEY_ID_VENDOR_MAX
+
+/** Test whether a key identifier is a volatile key identifier.
+ *
+ * \param key_id Key identifier to test.
+ *
+ * \retval 1
+ * The key identifier is a volatile key identifier.
+ * \retval 0
+ * The key identifier is not a volatile key identifier.
+ */
+static inline int psa_key_id_is_volatile(psa_key_id_t key_id)
+{
+ return (key_id >= PSA_KEY_ID_VOLATILE_MIN) &&
+ (key_id <= PSA_KEY_ID_VOLATILE_MAX);
+}
+
+/** Get the description of a key given its identifier and lock it.
+ *
+ * The descriptions of volatile keys and loaded persistent keys are stored in
+ * key slots. This function returns a pointer to the key slot containing the
+ * description of a key given its identifier.
+ *
+ * In case of a persistent key, the function loads the description of the key
+ * into a key slot if not already done.
+ *
+ * On success, the returned key slot has been registered for reading.
+ * It is the responsibility of the caller to call psa_unregister_read(slot)
+ * when they have finished reading the contents of the slot.
+ *
+ * \param key Key identifier to query.
+ * \param[out] p_slot On success, `*p_slot` contains a pointer to the
+ * key slot containing the description of the key
+ * identified by \p key.
+ *
+ * \retval #PSA_SUCCESS
+ * \p *p_slot contains a pointer to the key slot containing the
+ * description of the key identified by \p key.
+ * The key slot counter has been incremented.
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been initialized.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p key is not a valid key identifier.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \p key is a persistent key identifier. The implementation does not
+ * have sufficient resources to load the persistent key. This can be
+ * due to a lack of empty key slot, or available memory.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There is no key with key identifier \p key.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
+ psa_key_slot_t **p_slot);
+
+/** Initialize the key slot structures.
+ *
+ * \retval #PSA_SUCCESS
+ * Currently this function always succeeds.
+ */
+psa_status_t psa_initialize_key_slots(void);
+
+/** Delete all data from key slots in memory.
+ * This function is not thread safe, it wipes every key slot regardless of
+ * state and reader count. It should only be called when no slot is in use.
+ *
+ * This does not affect persistent storage. */
+void psa_wipe_all_key_slots(void);
+
+/** Find a free key slot and reserve it to be filled with a key.
+ *
+ * This function finds a key slot that is free,
+ * sets its state to PSA_SLOT_FILLING and then returns the slot.
+ *
+ * On success, the key slot's state is PSA_SLOT_FILLING.
+ * It is the responsibility of the caller to change the slot's state to
+ * PSA_SLOT_EMPTY/FULL once key creation has finished.
+ *
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[out] volatile_key_id On success, volatile key identifier
+ * associated to the returned slot.
+ * \param[out] p_slot On success, a pointer to the slot.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There were no free key slots.
+ * \retval #PSA_ERROR_BAD_STATE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * This function attempted to operate on a key slot which was in an
+ * unexpected state.
+ */
+psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id,
+ psa_key_slot_t **p_slot);
+
+/** Change the state of a key slot.
+ *
+ * This function changes the state of the key slot from expected_state to
+ * new state. If the state of the slot was not expected_state, the state is
+ * unchanged.
+ *
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[in] slot The key slot.
+ * \param[in] expected_state The current state of the slot.
+ * \param[in] new_state The new state of the slot.
+ *
+ * \retval #PSA_SUCCESS
+ The key slot's state variable is new_state.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was not expected_state.
+ */
+static inline psa_status_t psa_key_slot_state_transition(
+ psa_key_slot_t *slot, psa_key_slot_state_t expected_state,
+ psa_key_slot_state_t new_state)
+{
+ if (slot->state != expected_state) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ slot->state = new_state;
+ return PSA_SUCCESS;
+}
+
+/** Register as a reader of a key slot.
+ *
+ * This function increments the key slot registered reader counter by one.
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \param[in] slot The key slot.
+ *
+ * \retval #PSA_SUCCESS
+ The key slot registered reader counter was incremented.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The reader counter already reached its maximum value and was not
+ * increased, or the slot's state was not PSA_SLOT_FULL.
+ */
+static inline psa_status_t psa_register_read(psa_key_slot_t *slot)
+{
+ if ((slot->state != PSA_SLOT_FULL) ||
+ (slot->registered_readers >= SIZE_MAX)) {
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+ slot->registered_readers++;
+
+ return PSA_SUCCESS;
+}
+
+/** Unregister from reading a key slot.
+ *
+ * This function decrements the key slot registered reader counter by one.
+ * If the state of the slot is PSA_SLOT_PENDING_DELETION,
+ * and there is only one registered reader (the caller),
+ * this function will call psa_wipe_key_slot().
+ * If multi-threading is enabled, the caller must hold the
+ * global key slot mutex.
+ *
+ * \note To ease the handling of errors in retrieving a key slot
+ * a NULL input pointer is valid, and the function returns
+ * successfully without doing anything in that case.
+ *
+ * \param[in] slot The key slot.
+ * \retval #PSA_SUCCESS
+ * \p slot is NULL or the key slot reader counter has been
+ * decremented (and potentially wiped) successfully.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was neither PSA_SLOT_FULL nor
+ * PSA_SLOT_PENDING_DELETION.
+ * Or a wipe was attempted and the slot's state was not
+ * PSA_SLOT_PENDING_DELETION.
+ * Or registered_readers was equal to 0.
+ */
+psa_status_t psa_unregister_read(psa_key_slot_t *slot);
+
+/** Wrap a call to psa_unregister_read in the global key slot mutex.
+ *
+ * If threading is disabled, this simply calls psa_unregister_read.
+ *
+ * \note To ease the handling of errors in retrieving a key slot
+ * a NULL input pointer is valid, and the function returns
+ * successfully without doing anything in that case.
+ *
+ * \param[in] slot The key slot.
+ * \retval #PSA_SUCCESS
+ * \p slot is NULL or the key slot reader counter has been
+ * decremented (and potentially wiped) successfully.
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * The slot's state was neither PSA_SLOT_FULL nor
+ * PSA_SLOT_PENDING_DELETION.
+ * Or a wipe was attempted and the slot's state was not
+ * PSA_SLOT_PENDING_DELETION.
+ * Or registered_readers was equal to 0.
+ */
+psa_status_t psa_unregister_read_under_mutex(psa_key_slot_t *slot);
+
+/** Test whether a lifetime designates a key in an external cryptoprocessor.
+ *
+ * \param lifetime The lifetime to test.
+ *
+ * \retval 1
+ * The lifetime designates an external key. There should be a
+ * registered driver for this lifetime, otherwise the key cannot
+ * be created or manipulated.
+ * \retval 0
+ * The lifetime designates a key that is volatile or in internal
+ * storage.
+ */
+static inline int psa_key_lifetime_is_external(psa_key_lifetime_t lifetime)
+{
+ return PSA_KEY_LIFETIME_GET_LOCATION(lifetime)
+ != PSA_KEY_LOCATION_LOCAL_STORAGE;
+}
+
+/** Validate a key's location.
+ *
+ * This function checks whether the key's attributes point to a location that
+ * is known to the PSA Core, and returns the driver function table if the key
+ * is to be found in an external location.
+ *
+ * \param[in] lifetime The key lifetime attribute.
+ * \param[out] p_drv On success, when a key is located in external
+ * storage, returns a pointer to the driver table
+ * associated with the key's storage location.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ */
+psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
+ psa_se_drv_table_entry_t **p_drv);
+
+/** Validate the persistence of a key.
+ *
+ * \param[in] lifetime The key lifetime attribute.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED The key is persistent but persistent keys
+ * are not supported.
+ */
+psa_status_t psa_validate_key_persistence(psa_key_lifetime_t lifetime);
+
+/** Validate a key identifier.
+ *
+ * \param[in] key The key identifier.
+ * \param[in] vendor_ok Non-zero to indicate that key identifiers in the
+ * vendor range are allowed, volatile key identifiers
+ * excepted \c 0 otherwise.
+ *
+ * \retval <> 0 if the key identifier is valid, 0 otherwise.
+ */
+int psa_is_valid_key_id(mbedtls_svc_key_id_t key, int vendor_ok);
+
+#endif /* PSA_CRYPTO_SLOT_MANAGEMENT_H */
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
new file mode 100644
index 0000000..7d1317b
--- /dev/null
+++ b/library/psa_crypto_storage.c
@@ -0,0 +1,481 @@
+/*
+ * PSA persistent key storage
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+#include "psa_crypto_its.h"
+#else /* Native ITS implementation */
+#include "psa/error.h"
+#include "psa/internal_trusted_storage.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+
+
+/****************************************************************/
+/* Key storage */
+/****************************************************************/
+
+/* Determine a file name (ITS file identifier) for the given key identifier.
+ * The file name must be distinct from any file that is used for a purpose
+ * other than storing a key. Currently, the only such file is the random seed
+ * file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID and whose value is
+ * 0xFFFFFF52. */
+static psa_storage_uid_t psa_its_identifier_of_slot(mbedtls_svc_key_id_t key)
+{
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+ /* Encode the owner in the upper 32 bits. This means that if
+ * owner values are nonzero (as they are on a PSA platform),
+ * no key file will ever have a value less than 0x100000000, so
+ * the whole range 0..0xffffffff is available for non-key files. */
+ uint32_t unsigned_owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(key);
+ return ((uint64_t) unsigned_owner_id << 32) |
+ MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key);
+#else
+ /* Use the key id directly as a file name.
+ * psa_is_key_id_valid() in psa_crypto_slot_management.c
+ * is responsible for ensuring that key identifiers do not have a
+ * value that is reserved for non-key files. */
+ return key;
+#endif
+}
+
+/**
+ * \brief Load persistent data for the given key slot number.
+ *
+ * This function reads data from a storage backend and returns the data in a
+ * buffer.
+ *
+ * \param key Persistent identifier of the key to be loaded. This
+ * should be an occupied storage location.
+ * \param[out] data Buffer where the data is to be written.
+ * \param data_size Size of the \c data buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
+ */
+static psa_status_t psa_crypto_storage_load(
+ const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size)
+{
+ psa_status_t status;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+ size_t data_length = 0;
+
+ status = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_its_get(data_identifier, 0, (uint32_t) data_size, data, &data_length);
+ if (data_size != data_length) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ return status;
+}
+
+int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key)
+{
+ psa_status_t ret;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+
+ ret = psa_its_get_info(data_identifier, &data_identifier_info);
+
+ if (ret == PSA_ERROR_DOES_NOT_EXIST) {
+ return 0;
+ }
+ return 1;
+}
+
+/**
+ * \brief Store persistent data for the given key slot number.
+ *
+ * This function stores the given data buffer to a persistent storage.
+ *
+ * \param key Persistent identifier of the key to be stored. This
+ * should be an unoccupied storage location.
+ * \param[in] data Buffer containing the data to be stored.
+ * \param data_length The number of bytes
+ * that make up the data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+static psa_status_t psa_crypto_storage_store(const mbedtls_svc_key_id_t key,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+
+ if (psa_is_key_present_in_storage(key) == 1) {
+ return PSA_ERROR_ALREADY_EXISTS;
+ }
+
+ status = psa_its_set(data_identifier, (uint32_t) data_length, data, 0);
+ if (status != PSA_SUCCESS) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ status = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (data_identifier_info.size != data_length) {
+ status = PSA_ERROR_DATA_INVALID;
+ goto exit;
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ /* Remove the file in case we managed to create it but something
+ * went wrong. It's ok if the file doesn't exist. If the file exists
+ * but the removal fails, we're already reporting an error so there's
+ * nothing else we can do. */
+ (void) psa_its_remove(data_identifier);
+ }
+ return status;
+}
+
+psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key)
+{
+ psa_status_t ret;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+
+ ret = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (ret == PSA_ERROR_DOES_NOT_EXIST) {
+ return PSA_SUCCESS;
+ }
+
+ if (psa_its_remove(data_identifier) != PSA_SUCCESS) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ ret = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (ret != PSA_ERROR_DOES_NOT_EXIST) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ return PSA_SUCCESS;
+}
+
+/**
+ * \brief Get data length for given key slot number.
+ *
+ * \param key Persistent identifier whose stored data length
+ * is to be obtained.
+ * \param[out] data_length The number of bytes that make up the data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+static psa_status_t psa_crypto_storage_get_data_length(
+ const mbedtls_svc_key_id_t key,
+ size_t *data_length)
+{
+ psa_status_t status;
+ psa_storage_uid_t data_identifier = psa_its_identifier_of_slot(key);
+ struct psa_storage_info_t data_identifier_info;
+
+ status = psa_its_get_info(data_identifier, &data_identifier_info);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ *data_length = (size_t) data_identifier_info.size;
+
+ return PSA_SUCCESS;
+}
+
+/**
+ * Persistent key storage magic header.
+ */
+#define PSA_KEY_STORAGE_MAGIC_HEADER "PSA\0KEY"
+#define PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH (sizeof(PSA_KEY_STORAGE_MAGIC_HEADER))
+
+typedef struct {
+ uint8_t magic[PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH];
+ uint8_t version[4];
+ uint8_t lifetime[sizeof(psa_key_lifetime_t)];
+ uint8_t type[2];
+ uint8_t bits[2];
+ uint8_t policy[sizeof(psa_key_policy_t)];
+ uint8_t data_len[4];
+ uint8_t key_data[];
+} psa_persistent_key_storage_format;
+
+void psa_format_key_data_for_storage(const uint8_t *data,
+ const size_t data_length,
+ const psa_key_attributes_t *attr,
+ uint8_t *storage_data)
+{
+ psa_persistent_key_storage_format *storage_format =
+ (psa_persistent_key_storage_format *) storage_data;
+
+ memcpy(storage_format->magic, PSA_KEY_STORAGE_MAGIC_HEADER,
+ PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH);
+ MBEDTLS_PUT_UINT32_LE(0, storage_format->version, 0);
+ MBEDTLS_PUT_UINT32_LE(attr->lifetime, storage_format->lifetime, 0);
+ MBEDTLS_PUT_UINT16_LE((uint16_t) attr->type, storage_format->type, 0);
+ MBEDTLS_PUT_UINT16_LE((uint16_t) attr->bits, storage_format->bits, 0);
+ MBEDTLS_PUT_UINT32_LE(attr->policy.usage, storage_format->policy, 0);
+ MBEDTLS_PUT_UINT32_LE(attr->policy.alg, storage_format->policy, sizeof(uint32_t));
+ MBEDTLS_PUT_UINT32_LE(attr->policy.alg2, storage_format->policy, 2 * sizeof(uint32_t));
+ MBEDTLS_PUT_UINT32_LE(data_length, storage_format->data_len, 0);
+ memcpy(storage_format->key_data, data, data_length);
+}
+
+static psa_status_t check_magic_header(const uint8_t *data)
+{
+ if (memcmp(data, PSA_KEY_STORAGE_MAGIC_HEADER,
+ PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH) != 0) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
+ size_t storage_data_length,
+ uint8_t **key_data,
+ size_t *key_data_length,
+ psa_key_attributes_t *attr)
+{
+ psa_status_t status;
+ const psa_persistent_key_storage_format *storage_format =
+ (const psa_persistent_key_storage_format *) storage_data;
+ uint32_t version;
+
+ if (storage_data_length < sizeof(*storage_format)) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ status = check_magic_header(storage_data);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ version = MBEDTLS_GET_UINT32_LE(storage_format->version, 0);
+ if (version != 0) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ *key_data_length = MBEDTLS_GET_UINT32_LE(storage_format->data_len, 0);
+ if (*key_data_length > (storage_data_length - sizeof(*storage_format)) ||
+ *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+
+ if (*key_data_length == 0) {
+ *key_data = NULL;
+ } else {
+ *key_data = mbedtls_calloc(1, *key_data_length);
+ if (*key_data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ memcpy(*key_data, storage_format->key_data, *key_data_length);
+ }
+
+ attr->lifetime = MBEDTLS_GET_UINT32_LE(storage_format->lifetime, 0);
+ attr->type = MBEDTLS_GET_UINT16_LE(storage_format->type, 0);
+ attr->bits = MBEDTLS_GET_UINT16_LE(storage_format->bits, 0);
+ attr->policy.usage = MBEDTLS_GET_UINT32_LE(storage_format->policy, 0);
+ attr->policy.alg = MBEDTLS_GET_UINT32_LE(storage_format->policy, sizeof(uint32_t));
+ attr->policy.alg2 = MBEDTLS_GET_UINT32_LE(storage_format->policy, 2 * sizeof(uint32_t));
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_save_persistent_key(const psa_key_attributes_t *attr,
+ const uint8_t *data,
+ const size_t data_length)
+{
+ size_t storage_data_length;
+ uint8_t *storage_data;
+ psa_status_t status;
+
+ /* All keys saved to persistent storage always have a key context */
+ if (data == NULL || data_length == 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ if (data_length > PSA_CRYPTO_MAX_STORAGE_SIZE) {
+ return PSA_ERROR_INSUFFICIENT_STORAGE;
+ }
+ storage_data_length = data_length + sizeof(psa_persistent_key_storage_format);
+
+ storage_data = mbedtls_calloc(1, storage_data_length);
+ if (storage_data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ psa_format_key_data_for_storage(data, data_length, attr, storage_data);
+
+ status = psa_crypto_storage_store(attr->id,
+ storage_data, storage_data_length);
+
+ mbedtls_zeroize_and_free(storage_data, storage_data_length);
+
+ return status;
+}
+
+void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length)
+{
+ mbedtls_zeroize_and_free(key_data, key_data_length);
+}
+
+psa_status_t psa_load_persistent_key(psa_key_attributes_t *attr,
+ uint8_t **data,
+ size_t *data_length)
+{
+ psa_status_t status = PSA_SUCCESS;
+ uint8_t *loaded_data;
+ size_t storage_data_length = 0;
+ mbedtls_svc_key_id_t key = attr->id;
+
+ status = psa_crypto_storage_get_data_length(key, &storage_data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ loaded_data = mbedtls_calloc(1, storage_data_length);
+
+ if (loaded_data == NULL) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+
+ status = psa_crypto_storage_load(key, loaded_data, storage_data_length);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_parse_key_data_from_storage(loaded_data, storage_data_length,
+ data, data_length, attr);
+
+ /* All keys saved to persistent storage always have a key context */
+ if (status == PSA_SUCCESS &&
+ (*data == NULL || *data_length == 0)) {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ }
+
+exit:
+ mbedtls_zeroize_and_free(loaded_data, storage_data_length);
+ return status;
+}
+
+
+
+/****************************************************************/
+/* Transactions */
+/****************************************************************/
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+
+psa_crypto_transaction_t psa_crypto_transaction;
+
+psa_status_t psa_crypto_save_transaction(void)
+{
+ struct psa_storage_info_t p_info;
+ psa_status_t status;
+ status = psa_its_get_info(PSA_CRYPTO_ITS_TRANSACTION_UID, &p_info);
+ if (status == PSA_SUCCESS) {
+ /* This shouldn't happen: we're trying to start a transaction while
+ * there is still a transaction that hasn't been replayed. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ } else if (status != PSA_ERROR_DOES_NOT_EXIST) {
+ return status;
+ }
+ return psa_its_set(PSA_CRYPTO_ITS_TRANSACTION_UID,
+ sizeof(psa_crypto_transaction),
+ &psa_crypto_transaction,
+ 0);
+}
+
+psa_status_t psa_crypto_load_transaction(void)
+{
+ psa_status_t status;
+ size_t length;
+ status = psa_its_get(PSA_CRYPTO_ITS_TRANSACTION_UID, 0,
+ sizeof(psa_crypto_transaction),
+ &psa_crypto_transaction, &length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ if (length != sizeof(psa_crypto_transaction)) {
+ return PSA_ERROR_DATA_INVALID;
+ }
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_crypto_stop_transaction(void)
+{
+ psa_status_t status = psa_its_remove(PSA_CRYPTO_ITS_TRANSACTION_UID);
+ /* Whether or not updating the storage succeeded, the transaction is
+ * finished now. It's too late to go back, so zero out the in-memory
+ * data. */
+ memset(&psa_crypto_transaction, 0, sizeof(psa_crypto_transaction));
+ return status;
+}
+
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+
+
+/****************************************************************/
+/* Random generator state */
+/****************************************************************/
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+psa_status_t mbedtls_psa_storage_inject_entropy(const unsigned char *seed,
+ size_t seed_size)
+{
+ psa_status_t status;
+ struct psa_storage_info_t p_info;
+
+ status = psa_its_get_info(PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info);
+
+ if (PSA_ERROR_DOES_NOT_EXIST == status) { /* No seed exists */
+ status = psa_its_set(PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0);
+ } else if (PSA_SUCCESS == status) {
+ /* You should not be here. Seed needs to be injected only once */
+ status = PSA_ERROR_NOT_PERMITTED;
+ }
+ return status;
+}
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
+
+
+/****************************************************************/
+/* The end */
+/****************************************************************/
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
new file mode 100644
index 0000000..d7f5b18
--- /dev/null
+++ b/library/psa_crypto_storage.h
@@ -0,0 +1,385 @@
+/**
+ * \file psa_crypto_storage.h
+ *
+ * \brief PSA cryptography module: Mbed TLS key storage
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_STORAGE_H
+#define PSA_CRYPTO_STORAGE_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "psa/crypto.h"
+#include "psa/crypto_se_driver.h"
+
+#include <stdint.h>
+#include <string.h>
+
+/* Limit the maximum key size in storage. This should have no effect
+ * since the key size is limited in memory. */
+#define PSA_CRYPTO_MAX_STORAGE_SIZE (PSA_BITS_TO_BYTES(PSA_MAX_KEY_BITS))
+/* Sanity check: a file size must fit in 32 bits. Allow a generous
+ * 64kB of metadata. */
+#if PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000
+#error "PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000"
+#endif
+
+/** The maximum permitted persistent slot number.
+ *
+ * In Mbed Crypto 0.1.0b:
+ * - Using the file backend, all key ids are ok except 0.
+ * - Using the ITS backend, all key ids are ok except 0xFFFFFF52
+ * (#PSA_CRYPTO_ITS_RANDOM_SEED_UID) for which the file contains the
+ * device's random seed (if this feature is enabled).
+ * - Only key ids from 1 to #MBEDTLS_PSA_KEY_SLOT_COUNT are actually used.
+ *
+ * Since we need to preserve the random seed, avoid using that key slot.
+ * Reserve a whole range of key slots just in case something else comes up.
+ *
+ * This limitation will probably become moot when we implement client
+ * separation for key storage.
+ */
+#define PSA_MAX_PERSISTENT_KEY_IDENTIFIER PSA_KEY_ID_VENDOR_MAX
+
+/**
+ * \brief Checks if persistent data is stored for the given key slot number
+ *
+ * This function checks if any key data or metadata exists for the key slot in
+ * the persistent storage.
+ *
+ * \param key Persistent identifier to check.
+ *
+ * \retval 0
+ * No persistent data present for slot number
+ * \retval 1
+ * Persistent data present for slot number
+ */
+int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key);
+
+/**
+ * \brief Format key data and metadata and save to a location for given key
+ * slot.
+ *
+ * This function formats the key data and metadata and saves it to a
+ * persistent storage backend. The storage location corresponding to the
+ * key slot must be empty, otherwise this function will fail. This function
+ * should be called after loading the key into an internal slot to ensure the
+ * persistent key is not saved into a storage location corresponding to an
+ * already occupied non-persistent key, as well as ensuring the key data is
+ * validated.
+ *
+ * Note: This function will only succeed for key buffers which are not
+ * empty. If passed a NULL pointer or zero-length, the function will fail
+ * with #PSA_ERROR_INVALID_ARGUMENT.
+ *
+ * \param[in] attr The attributes of the key to save.
+ * The key identifier field in the attributes
+ * determines the key's location.
+ * \param[in] data Buffer containing the key data.
+ * \param data_length The number of bytes that make up the key data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+psa_status_t psa_save_persistent_key(const psa_key_attributes_t *attr,
+ const uint8_t *data,
+ const size_t data_length);
+
+/**
+ * \brief Parses key data and metadata and load persistent key for given
+ * key slot number.
+ *
+ * This function reads from a storage backend, parses the key data and
+ * metadata and writes them to the appropriate output parameters.
+ *
+ * Note: This function allocates a buffer and returns a pointer to it through
+ * the data parameter. On successful return, the pointer is guaranteed to be
+ * valid and the buffer contains at least one byte of data.
+ * psa_free_persistent_key_data() must be called on the data buffer
+ * afterwards to zeroize and free this buffer.
+ *
+ * \param[in,out] attr On input, the key identifier field identifies
+ * the key to load. Other fields are ignored.
+ * On success, the attribute structure contains
+ * the key metadata that was loaded from storage.
+ * \param[out] data Pointer to an allocated key data buffer on return.
+ * \param[out] data_length The number of bytes that make up the key data.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
+ */
+psa_status_t psa_load_persistent_key(psa_key_attributes_t *attr,
+ uint8_t **data,
+ size_t *data_length);
+
+/**
+ * \brief Remove persistent data for the given key slot number.
+ *
+ * \param key Persistent identifier of the key to remove
+ * from persistent storage.
+ *
+ * \retval #PSA_SUCCESS
+ * The key was successfully removed,
+ * or the key did not exist.
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key);
+
+/**
+ * \brief Free the temporary buffer allocated by psa_load_persistent_key().
+ *
+ * This function must be called at some point after psa_load_persistent_key()
+ * to zeroize and free the memory allocated to the buffer in that function.
+ *
+ * \param key_data Buffer for the key data.
+ * \param key_data_length Size of the key data buffer.
+ *
+ */
+void psa_free_persistent_key_data(uint8_t *key_data, size_t key_data_length);
+
+/**
+ * \brief Formats key data and metadata for persistent storage
+ *
+ * \param[in] data Buffer containing the key data.
+ * \param data_length Length of the key data buffer.
+ * \param[in] attr The core attributes of the key.
+ * \param[out] storage_data Output buffer for the formatted data.
+ *
+ */
+void psa_format_key_data_for_storage(const uint8_t *data,
+ const size_t data_length,
+ const psa_key_attributes_t *attr,
+ uint8_t *storage_data);
+
+/**
+ * \brief Parses persistent storage data into key data and metadata
+ *
+ * \param[in] storage_data Buffer for the storage data.
+ * \param storage_data_length Length of the storage data buffer
+ * \param[out] key_data On output, pointer to a newly allocated buffer
+ * containing the key data. This must be freed
+ * using psa_free_persistent_key_data()
+ * \param[out] key_data_length Length of the key data buffer
+ * \param[out] attr On success, the attribute structure is filled
+ * with the loaded key metadata.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ */
+psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
+ size_t storage_data_length,
+ uint8_t **key_data,
+ size_t *key_data_length,
+ psa_key_attributes_t *attr);
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/** This symbol is defined if transaction support is required. */
+#define PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS 1
+#endif
+
+#if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
+
+/** The type of transaction that is in progress.
+ */
+/* This is an integer type rather than an enum for two reasons: to support
+ * unknown values when loading a transaction file, and to ensure that the
+ * type has a known size.
+ */
+typedef uint16_t psa_crypto_transaction_type_t;
+
+/** No transaction is in progress.
+ *
+ * This has the value 0, so zero-initialization sets a transaction's type to
+ * this value.
+ */
+#define PSA_CRYPTO_TRANSACTION_NONE ((psa_crypto_transaction_type_t) 0x0000)
+
+/** A key creation transaction.
+ *
+ * This is only used for keys in an external cryptoprocessor (secure element).
+ * Keys in RAM or in internal storage are created atomically in storage
+ * (simple file creation), so they do not need a transaction mechanism.
+ */
+#define PSA_CRYPTO_TRANSACTION_CREATE_KEY ((psa_crypto_transaction_type_t) 0x0001)
+
+/** A key destruction transaction.
+ *
+ * This is only used for keys in an external cryptoprocessor (secure element).
+ * Keys in RAM or in internal storage are destroyed atomically in storage
+ * (simple file deletion), so they do not need a transaction mechanism.
+ */
+#define PSA_CRYPTO_TRANSACTION_DESTROY_KEY ((psa_crypto_transaction_type_t) 0x0002)
+
+/** Transaction data.
+ *
+ * This type is designed to be serialized by writing the memory representation
+ * and reading it back on the same device.
+ *
+ * \note The transaction mechanism is not thread-safe. There can only be one
+ * single active transaction at a time.
+ * The transaction object is #psa_crypto_transaction.
+ *
+ * \note If an API call starts a transaction, it must complete this transaction
+ * before returning to the application.
+ *
+ * The lifetime of a transaction is the following (note that only one
+ * transaction may be active at a time):
+ *
+ * -# Call psa_crypto_prepare_transaction() to initialize the transaction
+ * object in memory and declare the type of transaction that is starting.
+ * -# Fill in the type-specific fields of #psa_crypto_transaction.
+ * -# Call psa_crypto_save_transaction() to start the transaction. This
+ * saves the transaction data to internal storage.
+ * -# Perform the work of the transaction by modifying files, contacting
+ * external entities, or whatever needs doing. Note that the transaction
+ * may be interrupted by a power failure, so you need to have a way
+ * recover from interruptions either by undoing what has been done
+ * so far or by resuming where you left off.
+ * -# If there are intermediate stages in the transaction, update
+ * the fields of #psa_crypto_transaction and call
+ * psa_crypto_save_transaction() again when each stage is reached.
+ * -# When the transaction is over, call psa_crypto_stop_transaction() to
+ * remove the transaction data in storage and in memory.
+ *
+ * If the system crashes while a transaction is in progress, psa_crypto_init()
+ * calls psa_crypto_load_transaction() and takes care of completing or
+ * rewinding the transaction. This is done in psa_crypto_recover_transaction()
+ * in psa_crypto.c. If you add a new type of transaction, be
+ * sure to add code for it in psa_crypto_recover_transaction().
+ */
+typedef union {
+ /* Each element of this union must have the following properties
+ * to facilitate serialization and deserialization:
+ *
+ * - The element is a struct.
+ * - The first field of the struct is `psa_crypto_transaction_type_t type`.
+ * - Elements of the struct are arranged such a way that there is
+ * no padding.
+ */
+ struct psa_crypto_transaction_unknown_s {
+ psa_crypto_transaction_type_t type;
+ uint16_t unused1;
+ uint32_t unused2;
+ uint64_t unused3;
+ uint64_t unused4;
+ } unknown;
+ /* ::type is #PSA_CRYPTO_TRANSACTION_CREATE_KEY or
+ * #PSA_CRYPTO_TRANSACTION_DESTROY_KEY. */
+ struct psa_crypto_transaction_key_s {
+ psa_crypto_transaction_type_t type;
+ uint16_t unused1;
+ psa_key_lifetime_t lifetime;
+ psa_key_slot_number_t slot;
+ mbedtls_svc_key_id_t id;
+ } key;
+} psa_crypto_transaction_t;
+
+/** The single active transaction.
+ */
+extern psa_crypto_transaction_t psa_crypto_transaction;
+
+/** Prepare for a transaction.
+ *
+ * There must not be an ongoing transaction.
+ *
+ * \param type The type of transaction to start.
+ */
+static inline void psa_crypto_prepare_transaction(
+ psa_crypto_transaction_type_t type)
+{
+ psa_crypto_transaction.unknown.type = type;
+}
+
+/** Save the transaction data to storage.
+ *
+ * You may call this function multiple times during a transaction to
+ * atomically update the transaction state.
+ *
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ */
+psa_status_t psa_crypto_save_transaction(void);
+
+/** Load the transaction data from storage, if any.
+ *
+ * This function is meant to be called from psa_crypto_init() to recover
+ * in case a transaction was interrupted by a system crash.
+ *
+ * \retval #PSA_SUCCESS
+ * The data about the ongoing transaction has been loaded to
+ * #psa_crypto_transaction.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There is no ongoing transaction.
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ */
+psa_status_t psa_crypto_load_transaction(void);
+
+/** Indicate that the current transaction is finished.
+ *
+ * Call this function at the very end of transaction processing.
+ * This function does not "commit" or "abort" the transaction: the storage
+ * subsystem has no concept of "commit" and "abort", just saving and
+ * removing the transaction information in storage.
+ *
+ * This function erases the transaction data in storage (if any) and
+ * resets the transaction data in memory.
+ *
+ * \retval #PSA_SUCCESS
+ * There was transaction data in storage.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There was no transaction data in storage.
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * It was impossible to determine whether there was transaction data
+ * in storage, or the transaction data could not be erased.
+ */
+psa_status_t psa_crypto_stop_transaction(void);
+
+/** The ITS file identifier for the transaction data.
+ *
+ * 0xffffffNN = special file; 0x74 = 't' for transaction.
+ */
+#define PSA_CRYPTO_ITS_TRANSACTION_UID ((psa_key_id_t) 0xffffff74)
+
+#endif /* PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS */
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+/** Backend side of mbedtls_psa_inject_entropy().
+ *
+ * This function stores the supplied data into the entropy seed file.
+ *
+ * \retval #PSA_SUCCESS
+ * Success
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The entropy seed file already exists.
+ */
+psa_status_t mbedtls_psa_storage_inject_entropy(const unsigned char *seed,
+ size_t seed_size);
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STORAGE_H */
diff --git a/library/psa_its_file.c b/library/psa_its_file.c
new file mode 100644
index 0000000..9567137
--- /dev/null
+++ b/library/psa_its_file.c
@@ -0,0 +1,254 @@
+/*
+ * PSA ITS simulator over stdio files.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+
+#include "mbedtls/platform.h"
+
+#if defined(_WIN32)
+#include <windows.h>
+#endif
+
+#include "psa_crypto_its.h"
+
+#include <limits.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+#if !defined(PSA_ITS_STORAGE_PREFIX)
+#define PSA_ITS_STORAGE_PREFIX ""
+#endif
+
+#define PSA_ITS_STORAGE_FILENAME_PATTERN "%08x%08x"
+#define PSA_ITS_STORAGE_SUFFIX ".psa_its"
+#define PSA_ITS_STORAGE_FILENAME_LENGTH \
+ (sizeof(PSA_ITS_STORAGE_PREFIX) - 1 + /*prefix without terminating 0*/ \
+ 16 + /*UID (64-bit number in hex)*/ \
+ sizeof(PSA_ITS_STORAGE_SUFFIX) - 1 + /*suffix without terminating 0*/ \
+ 1 /*terminating null byte*/)
+#define PSA_ITS_STORAGE_TEMP \
+ PSA_ITS_STORAGE_PREFIX "tempfile" PSA_ITS_STORAGE_SUFFIX
+
+/* The maximum value of psa_storage_info_t.size */
+#define PSA_ITS_MAX_SIZE 0xffffffff
+
+#define PSA_ITS_MAGIC_STRING "PSA\0ITS\0"
+#define PSA_ITS_MAGIC_LENGTH 8
+
+/* As rename fails on Windows if the new filepath already exists,
+ * use MoveFileExA with the MOVEFILE_REPLACE_EXISTING flag instead.
+ * Returns 0 on success, nonzero on failure. */
+#if defined(_WIN32)
+#define rename_replace_existing(oldpath, newpath) \
+ (!MoveFileExA(oldpath, newpath, MOVEFILE_REPLACE_EXISTING))
+#else
+#define rename_replace_existing(oldpath, newpath) rename(oldpath, newpath)
+#endif
+
+typedef struct {
+ uint8_t magic[PSA_ITS_MAGIC_LENGTH];
+ uint8_t size[sizeof(uint32_t)];
+ uint8_t flags[sizeof(psa_storage_create_flags_t)];
+} psa_its_file_header_t;
+
+static void psa_its_fill_filename(psa_storage_uid_t uid, char *filename)
+{
+ /* Break up the UID into two 32-bit pieces so as not to rely on
+ * long long support in snprintf. */
+ mbedtls_snprintf(filename, PSA_ITS_STORAGE_FILENAME_LENGTH,
+ "%s" PSA_ITS_STORAGE_FILENAME_PATTERN "%s",
+ PSA_ITS_STORAGE_PREFIX,
+ (unsigned) (uid >> 32),
+ (unsigned) (uid & 0xffffffff),
+ PSA_ITS_STORAGE_SUFFIX);
+}
+
+static psa_status_t psa_its_read_file(psa_storage_uid_t uid,
+ struct psa_storage_info_t *p_info,
+ FILE **p_stream)
+{
+ char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
+ psa_its_file_header_t header;
+ size_t n;
+
+ *p_stream = NULL;
+ psa_its_fill_filename(uid, filename);
+ *p_stream = fopen(filename, "rb");
+ if (*p_stream == NULL) {
+ return PSA_ERROR_DOES_NOT_EXIST;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(*p_stream, NULL);
+
+ n = fread(&header, 1, sizeof(header), *p_stream);
+ if (n != sizeof(header)) {
+ return PSA_ERROR_DATA_CORRUPT;
+ }
+ if (memcmp(header.magic, PSA_ITS_MAGIC_STRING,
+ PSA_ITS_MAGIC_LENGTH) != 0) {
+ return PSA_ERROR_DATA_CORRUPT;
+ }
+
+ p_info->size = MBEDTLS_GET_UINT32_LE(header.size, 0);
+ p_info->flags = MBEDTLS_GET_UINT32_LE(header.flags, 0);
+
+ return PSA_SUCCESS;
+}
+
+psa_status_t psa_its_get_info(psa_storage_uid_t uid,
+ struct psa_storage_info_t *p_info)
+{
+ psa_status_t status;
+ FILE *stream = NULL;
+ status = psa_its_read_file(uid, p_info, &stream);
+ if (stream != NULL) {
+ fclose(stream);
+ }
+ return status;
+}
+
+psa_status_t psa_its_get(psa_storage_uid_t uid,
+ uint32_t data_offset,
+ uint32_t data_length,
+ void *p_data,
+ size_t *p_data_length)
+{
+ psa_status_t status;
+ FILE *stream = NULL;
+ size_t n;
+ struct psa_storage_info_t info;
+
+ status = psa_its_read_file(uid, &info, &stream);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ if (data_offset + data_length < data_offset) {
+ goto exit;
+ }
+#if SIZE_MAX < 0xffffffff
+ if (data_offset + data_length > SIZE_MAX) {
+ goto exit;
+ }
+#endif
+ if (data_offset + data_length > info.size) {
+ goto exit;
+ }
+
+ status = PSA_ERROR_STORAGE_FAILURE;
+#if LONG_MAX < 0xffffffff
+ while (data_offset > LONG_MAX) {
+ if (fseek(stream, LONG_MAX, SEEK_CUR) != 0) {
+ goto exit;
+ }
+ data_offset -= LONG_MAX;
+ }
+#endif
+ if (fseek(stream, data_offset, SEEK_CUR) != 0) {
+ goto exit;
+ }
+ n = fread(p_data, 1, data_length, stream);
+ if (n != data_length) {
+ goto exit;
+ }
+ status = PSA_SUCCESS;
+ if (p_data_length != NULL) {
+ *p_data_length = n;
+ }
+
+exit:
+ if (stream != NULL) {
+ fclose(stream);
+ }
+ return status;
+}
+
+psa_status_t psa_its_set(psa_storage_uid_t uid,
+ uint32_t data_length,
+ const void *p_data,
+ psa_storage_create_flags_t create_flags)
+{
+ if (uid == 0) {
+ return PSA_ERROR_INVALID_HANDLE;
+ }
+
+ psa_status_t status = PSA_ERROR_STORAGE_FAILURE;
+ char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
+ FILE *stream = NULL;
+ psa_its_file_header_t header;
+ size_t n;
+
+ memcpy(header.magic, PSA_ITS_MAGIC_STRING, PSA_ITS_MAGIC_LENGTH);
+ MBEDTLS_PUT_UINT32_LE(data_length, header.size, 0);
+ MBEDTLS_PUT_UINT32_LE(create_flags, header.flags, 0);
+
+ psa_its_fill_filename(uid, filename);
+ stream = fopen(PSA_ITS_STORAGE_TEMP, "wb");
+
+ if (stream == NULL) {
+ goto exit;
+ }
+
+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
+ mbedtls_setbuf(stream, NULL);
+
+ status = PSA_ERROR_INSUFFICIENT_STORAGE;
+ n = fwrite(&header, 1, sizeof(header), stream);
+ if (n != sizeof(header)) {
+ goto exit;
+ }
+ if (data_length != 0) {
+ n = fwrite(p_data, 1, data_length, stream);
+ if (n != data_length) {
+ goto exit;
+ }
+ }
+ status = PSA_SUCCESS;
+
+exit:
+ if (stream != NULL) {
+ int ret = fclose(stream);
+ if (status == PSA_SUCCESS && ret != 0) {
+ status = PSA_ERROR_INSUFFICIENT_STORAGE;
+ }
+ }
+ if (status == PSA_SUCCESS) {
+ if (rename_replace_existing(PSA_ITS_STORAGE_TEMP, filename) != 0) {
+ status = PSA_ERROR_STORAGE_FAILURE;
+ }
+ }
+ /* The temporary file may still exist, but only in failure cases where
+ * we're already reporting an error. So there's nothing we can do on
+ * failure. If the function succeeded, and in some error cases, the
+ * temporary file doesn't exist and so remove() is expected to fail.
+ * Thus we just ignore the return status of remove(). */
+ (void) remove(PSA_ITS_STORAGE_TEMP);
+ return status;
+}
+
+psa_status_t psa_its_remove(psa_storage_uid_t uid)
+{
+ char filename[PSA_ITS_STORAGE_FILENAME_LENGTH];
+ FILE *stream;
+ psa_its_fill_filename(uid, filename);
+ stream = fopen(filename, "rb");
+ if (stream == NULL) {
+ return PSA_ERROR_DOES_NOT_EXIST;
+ }
+ fclose(stream);
+ if (remove(filename) != 0) {
+ return PSA_ERROR_STORAGE_FAILURE;
+ }
+ return PSA_SUCCESS;
+}
+
+#endif /* MBEDTLS_PSA_ITS_FILE_C */
diff --git a/library/psa_util.c b/library/psa_util.c
new file mode 100644
index 0000000..4ccc5b0
--- /dev/null
+++ b/library/psa_util.c
@@ -0,0 +1,602 @@
+/*
+ * PSA hashing layer on top of Mbed TLS software crypto
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+/* This is needed for MBEDTLS_ERR_XXX macros */
+#include <mbedtls/error.h>
+
+#if defined(MBEDTLS_ASN1_WRITE_C)
+#include <mbedtls/asn1write.h>
+#include <psa/crypto_sizes.h>
+#endif
+
+#include "psa_util_internal.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+#include <psa/crypto.h>
+
+#if defined(MBEDTLS_MD_LIGHT)
+#include <mbedtls/md.h>
+#endif
+#if defined(MBEDTLS_LMS_C)
+#include <mbedtls/lms.h>
+#endif
+#if defined(MBEDTLS_SSL_TLS_C) && \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
+#include <mbedtls/ssl.h>
+#endif
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#include <mbedtls/rsa.h>
+#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#include <mbedtls/ecp.h>
+#endif
+#if defined(MBEDTLS_PK_C)
+#include <mbedtls/pk.h>
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+#include <mbedtls/cipher.h>
+#endif
+#include <mbedtls/entropy.h>
+
+/* PSA_SUCCESS is kept at the top of each error table since
+ * it's the most common status when everything functions properly. */
+#if defined(MBEDTLS_MD_LIGHT)
+const mbedtls_error_pair_t psa_to_md_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_MD_BAD_INPUT_DATA },
+ { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_MD_ALLOC_FAILED }
+};
+#endif
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+const mbedtls_error_pair_t psa_to_cipher_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA },
+ { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_CIPHER_ALLOC_FAILED }
+};
+#endif
+
+#if defined(MBEDTLS_LMS_C)
+const mbedtls_error_pair_t psa_to_lms_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_LMS_BAD_INPUT_DATA }
+};
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && \
+ (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
+const mbedtls_error_pair_t psa_to_ssl_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED },
+ { PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE },
+ { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA },
+ { PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR },
+ { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL }
+};
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+const mbedtls_error_pair_t psa_to_pk_rsa_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
+ { PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_RSA_BAD_INPUT_DATA },
+ { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE },
+ { PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_RSA_RNG_FAILED },
+ { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_RSA_VERIFY_FAILED },
+ { PSA_ERROR_INVALID_PADDING, MBEDTLS_ERR_RSA_INVALID_PADDING }
+};
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[] =
+{
+ { PSA_SUCCESS, 0 },
+ { PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_ECP_BAD_INPUT_DATA },
+ { PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_ECP_BAD_INPUT_DATA },
+ { PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE },
+ { PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL },
+ { PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_ECP_RANDOM_FAILED },
+ { PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_ECP_VERIFY_FAILED }
+};
+#endif
+
+int psa_generic_status_to_mbedtls(psa_status_t status)
+{
+ switch (status) {
+ case PSA_SUCCESS:
+ return 0;
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+ case PSA_ERROR_CORRUPTION_DETECTED:
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ case PSA_ERROR_COMMUNICATION_FAILURE:
+ case PSA_ERROR_HARDWARE_FAILURE:
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ case PSA_ERROR_NOT_PERMITTED:
+ default:
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+ }
+}
+
+int psa_status_to_mbedtls(psa_status_t status,
+ const mbedtls_error_pair_t *local_translations,
+ size_t local_errors_num,
+ int (*fallback_f)(psa_status_t))
+{
+ for (size_t i = 0; i < local_errors_num; i++) {
+ if (status == local_translations[i].psa_status) {
+ return local_translations[i].mbedtls_error;
+ }
+ }
+ return fallback_f(status);
+}
+
+#if defined(MBEDTLS_PK_C)
+int psa_pk_status_to_mbedtls(psa_status_t status)
+{
+ switch (status) {
+ case PSA_ERROR_INVALID_HANDLE:
+ return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+ case PSA_ERROR_BUFFER_TOO_SMALL:
+ return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+ case PSA_ERROR_INVALID_ARGUMENT:
+ return MBEDTLS_ERR_PK_INVALID_ALG;
+ case PSA_ERROR_NOT_PERMITTED:
+ return MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ case PSA_ERROR_INSUFFICIENT_MEMORY:
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
+ case PSA_ERROR_BAD_STATE:
+ return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
+ case PSA_ERROR_DATA_CORRUPT:
+ case PSA_ERROR_DATA_INVALID:
+ case PSA_ERROR_STORAGE_FAILURE:
+ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ default:
+ return psa_generic_status_to_mbedtls(status);
+ }
+}
+#endif /* MBEDTLS_PK_C */
+
+/****************************************************************/
+/* Key management */
+/****************************************************************/
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
+ size_t *bits)
+{
+ switch (grpid) {
+#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
+ case MBEDTLS_ECP_DP_SECP192R1:
+ *bits = 192;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
+ case MBEDTLS_ECP_DP_SECP224R1:
+ *bits = 224;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
+ case MBEDTLS_ECP_DP_SECP256R1:
+ *bits = 256;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
+ case MBEDTLS_ECP_DP_SECP384R1:
+ *bits = 384;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
+ case MBEDTLS_ECP_DP_SECP521R1:
+ *bits = 521;
+ return PSA_ECC_FAMILY_SECP_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP256R1)
+ case MBEDTLS_ECP_DP_BP256R1:
+ *bits = 256;
+ return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP384R1)
+ case MBEDTLS_ECP_DP_BP384R1:
+ *bits = 384;
+ return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP512R1)
+ case MBEDTLS_ECP_DP_BP512R1:
+ *bits = 512;
+ return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ *bits = 255;
+ return PSA_ECC_FAMILY_MONTGOMERY;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ *bits = 192;
+ return PSA_ECC_FAMILY_SECP_K1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
+ /* secp224k1 is not and will not be supported in PSA (#3541). */
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ *bits = 256;
+ return PSA_ECC_FAMILY_SECP_K1;
+#endif
+#if defined(MBEDTLS_ECP_HAVE_CURVE448)
+ case MBEDTLS_ECP_DP_CURVE448:
+ *bits = 448;
+ return PSA_ECC_FAMILY_MONTGOMERY;
+#endif
+ default:
+ *bits = 0;
+ return 0;
+ }
+}
+
+mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family,
+ size_t bits)
+{
+ switch (family) {
+ case PSA_ECC_FAMILY_SECP_R1:
+ switch (bits) {
+#if defined(PSA_WANT_ECC_SECP_R1_192)
+ case 192:
+ return MBEDTLS_ECP_DP_SECP192R1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_224)
+ case 224:
+ return MBEDTLS_ECP_DP_SECP224R1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_256)
+ case 256:
+ return MBEDTLS_ECP_DP_SECP256R1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_384)
+ case 384:
+ return MBEDTLS_ECP_DP_SECP384R1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_R1_521)
+ case 521:
+ return MBEDTLS_ECP_DP_SECP521R1;
+#endif
+ }
+ break;
+
+ case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
+ switch (bits) {
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+ case 256:
+ return MBEDTLS_ECP_DP_BP256R1;
+#endif
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+ case 384:
+ return MBEDTLS_ECP_DP_BP384R1;
+#endif
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+ case 512:
+ return MBEDTLS_ECP_DP_BP512R1;
+#endif
+ }
+ break;
+
+ case PSA_ECC_FAMILY_MONTGOMERY:
+ switch (bits) {
+#if defined(PSA_WANT_ECC_MONTGOMERY_255)
+ case 255:
+ return MBEDTLS_ECP_DP_CURVE25519;
+#endif
+#if defined(PSA_WANT_ECC_MONTGOMERY_448)
+ case 448:
+ return MBEDTLS_ECP_DP_CURVE448;
+#endif
+ }
+ break;
+
+ case PSA_ECC_FAMILY_SECP_K1:
+ switch (bits) {
+#if defined(PSA_WANT_ECC_SECP_K1_192)
+ case 192:
+ return MBEDTLS_ECP_DP_SECP192K1;
+#endif
+#if defined(PSA_WANT_ECC_SECP_K1_224)
+ /* secp224k1 is not and will not be supported in PSA (#3541). */
+#endif
+#if defined(PSA_WANT_ECC_SECP_K1_256)
+ case 256:
+ return MBEDTLS_ECP_DP_SECP256K1;
+#endif
+ }
+ break;
+ }
+
+ return MBEDTLS_ECP_DP_NONE;
+}
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+
+/* Wrapper function allowing the classic API to use the PSA RNG.
+ *
+ * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls
+ * `psa_generate_random(...)`. The state parameter is ignored since the
+ * PSA API doesn't support passing an explicit state.
+ */
+int mbedtls_psa_get_random(void *p_rng,
+ unsigned char *output,
+ size_t output_size)
+{
+ /* This function takes a pointer to the RNG state because that's what
+ * classic mbedtls functions using an RNG expect. The PSA RNG manages
+ * its own state internally and doesn't let the caller access that state.
+ * So we just ignore the state parameter, and in practice we'll pass
+ * NULL. */
+ (void) p_rng;
+ psa_status_t status = psa_generate_random(output, output_size);
+ if (status == PSA_SUCCESS) {
+ return 0;
+ } else {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+
+/**
+ * \brief Convert a single raw coordinate to DER ASN.1 format. The output der
+ * buffer is filled backward (i.e. starting from its end).
+ *
+ * \param raw_buf Buffer containing the raw coordinate to be
+ * converted.
+ * \param raw_len Length of raw_buf in bytes. This must be > 0.
+ * \param der_buf_start Pointer to the beginning of the buffer which
+ * will be filled with the DER converted data.
+ * \param der_buf_end End of the buffer used to store the DER output.
+ *
+ * \return On success, the amount of data (in bytes) written to
+ * the DER buffer.
+ * \return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if the provided der
+ * buffer is too small to contain all the converted data.
+ * \return MBEDTLS_ERR_ASN1_INVALID_DATA if the input raw
+ * coordinate is null (i.e. all zeros).
+ *
+ * \warning Raw and der buffer must not be overlapping.
+ */
+static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t raw_len,
+ unsigned char *der_buf_start,
+ unsigned char *der_buf_end)
+{
+ unsigned char *p = der_buf_end;
+ int len;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* ASN.1 DER encoding requires minimal length, so skip leading 0s.
+ * Provided input MPIs should not be 0, but as a failsafe measure, still
+ * detect that and return error in case. */
+ while (*raw_buf == 0x00) {
+ ++raw_buf;
+ --raw_len;
+ if (raw_len == 0) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ }
+ len = (int) raw_len;
+
+ /* Copy the raw coordinate to the end of der_buf. */
+ if ((p - der_buf_start) < len) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ p -= len;
+ memcpy(p, raw_buf, len);
+
+ /* If MSb is 1, ASN.1 requires that we prepend a 0. */
+ if (*p & 0x80) {
+ if ((p - der_buf_start) < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+ --p;
+ *p = 0x00;
+ ++len;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der_buf_start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der_buf_start, MBEDTLS_ASN1_INTEGER));
+
+ return len;
+}
+
+int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len,
+ unsigned char *der, size_t der_size, size_t *der_len)
+{
+ unsigned char r[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ unsigned char s[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ const size_t coordinate_len = PSA_BITS_TO_BYTES(bits);
+ size_t len = 0;
+ unsigned char *p = der + der_size;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (raw_len != (2 * coordinate_len)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+
+ /* Since raw and der buffers might overlap, dump r and s before starting
+ * the conversion. */
+ memcpy(r, raw, coordinate_len);
+ memcpy(s, raw + coordinate_len, coordinate_len);
+
+ /* der buffer will initially be written starting from its end so we pick s
+ * first and then r. */
+ ret = convert_raw_to_der_single_int(s, coordinate_len, der, p);
+ if (ret < 0) {
+ return ret;
+ }
+ p -= ret;
+ len += ret;
+
+ ret = convert_raw_to_der_single_int(r, coordinate_len, der, p);
+ if (ret < 0) {
+ return ret;
+ }
+ p -= ret;
+ len += ret;
+
+ /* Add ASN.1 header (len + tag). */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ /* memmove the content of der buffer to its beginnig. */
+ memmove(der, p, len);
+ *der_len = len;
+
+ return 0;
+}
+
+/**
+ * \brief Convert a single integer from ASN.1 DER format to raw.
+ *
+ * \param der Buffer containing the DER integer value to be
+ * converted.
+ * \param der_len Length of the der buffer in bytes.
+ * \param raw Output buffer that will be filled with the
+ * converted data. This should be at least
+ * coordinate_size bytes and it must be zeroed before
+ * calling this function.
+ * \param coordinate_size Size (in bytes) of a single coordinate in raw
+ * format.
+ *
+ * \return On success, the amount of DER data parsed from the
+ * provided der buffer.
+ * \return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the integer tag
+ * is missing in the der buffer.
+ * \return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the integer
+ * is null (i.e. all zeros) or if the output raw buffer
+ * is too small to contain the converted raw value.
+ *
+ * \warning Der and raw buffers must not be overlapping.
+ */
+static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len,
+ unsigned char *raw, size_t coordinate_size)
+{
+ unsigned char *p = der;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t unpadded_len, padding_len = 0;
+
+ /* Get the length of ASN.1 element (i.e. the integer we need to parse). */
+ ret = mbedtls_asn1_get_tag(&p, p + der_len, &unpadded_len,
+ MBEDTLS_ASN1_INTEGER);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* It's invalid to have:
+ * - unpadded_len == 0.
+ * - MSb set without a leading 0x00 (leading 0x00 is checked below). */
+ if (((unpadded_len == 0) || (*p & 0x80) != 0)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+
+ /* Skip possible leading zero */
+ if (*p == 0x00) {
+ p++;
+ unpadded_len--;
+ /* It is not allowed to have more than 1 leading zero.
+ * Ignore the case in which unpadded_len = 0 because that's a 0 encoded
+ * in ASN.1 format (i.e. 020100). */
+ if ((unpadded_len > 0) && (*p == 0x00)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ }
+
+ if (unpadded_len > coordinate_size) {
+ /* Parsed number is longer than the maximum expected value. */
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ padding_len = coordinate_size - unpadded_len;
+ /* raw buffer was already zeroed by the calling function so zero-padding
+ * operation is skipped here. */
+ memcpy(raw + padding_len, p, unpadded_len);
+ p += unpadded_len;
+
+ return (int) (p - der);
+}
+
+int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len,
+ unsigned char *raw, size_t raw_size, size_t *raw_len)
+{
+ unsigned char raw_tmp[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE];
+ unsigned char *p = (unsigned char *) der;
+ size_t data_len;
+ size_t coordinate_size = PSA_BITS_TO_BYTES(bits);
+ int ret;
+
+ /* The output raw buffer should be at least twice the size of a raw
+ * coordinate in order to store r and s. */
+ if (raw_size < coordinate_size * 2) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ /* Check that the provided input DER buffer has the right header. */
+ ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ if (ret != 0) {
+ return ret;
+ }
+
+ memset(raw_tmp, 0, 2 * coordinate_size);
+
+ /* Extract r */
+ ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, coordinate_size);
+ if (ret < 0) {
+ return ret;
+ }
+ p += ret;
+ data_len -= ret;
+
+ /* Extract s */
+ ret = convert_der_to_raw_single_int(p, data_len, raw_tmp + coordinate_size,
+ coordinate_size);
+ if (ret < 0) {
+ return ret;
+ }
+ p += ret;
+ data_len -= ret;
+
+ /* Check that we consumed all the input der data. */
+ if ((size_t) (p - der) != der_len) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ memcpy(raw, raw_tmp, 2 * coordinate_size);
+ *raw_len = 2 * coordinate_size;
+
+ return 0;
+}
+
+#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */
diff --git a/library/psa_util_internal.h b/library/psa_util_internal.h
new file mode 100644
index 0000000..70a08a0
--- /dev/null
+++ b/library/psa_util_internal.h
@@ -0,0 +1,100 @@
+/**
+ * \file psa_util_internal.h
+ *
+ * \brief Internal utility functions for use of PSA Crypto.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PSA_UTIL_INTERNAL_H
+#define MBEDTLS_PSA_UTIL_INTERNAL_H
+
+/* Include the public header so that users only need one include. */
+#include "mbedtls/psa_util.h"
+
+#include "psa/crypto.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+/*************************************************************************
+ * FFDH
+ ************************************************************************/
+
+#define MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH \
+ PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
+
+/*************************************************************************
+ * ECC
+ ************************************************************************/
+
+#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+
+#define MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH \
+ PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
+
+/*************************************************************************
+ * Error translation
+ ************************************************************************/
+
+typedef struct {
+ /* Error codes used by PSA crypto are in -255..-128, fitting in 16 bits. */
+ int16_t psa_status;
+ /* Error codes used by Mbed TLS are in one of the ranges
+ * -127..-1 (low-level) or -32767..-4096 (high-level with a low-level
+ * code optionally added), fitting in 16 bits. */
+ int16_t mbedtls_error;
+} mbedtls_error_pair_t;
+
+#if defined(MBEDTLS_MD_LIGHT)
+extern const mbedtls_error_pair_t psa_to_md_errors[4];
+#endif
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+extern const mbedtls_error_pair_t psa_to_cipher_errors[4];
+#endif
+
+#if defined(MBEDTLS_LMS_C)
+extern const mbedtls_error_pair_t psa_to_lms_errors[3];
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+extern const mbedtls_error_pair_t psa_to_ssl_errors[7];
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+extern const mbedtls_error_pair_t psa_to_pk_rsa_errors[8];
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+extern const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[7];
+#endif
+
+/* Generic fallback function for error translation,
+ * when the received state was not module-specific. */
+int psa_generic_status_to_mbedtls(psa_status_t status);
+
+/* This function iterates over provided local error translations,
+ * and if no match was found - calls the fallback error translation function. */
+int psa_status_to_mbedtls(psa_status_t status,
+ const mbedtls_error_pair_t *local_translations,
+ size_t local_errors_num,
+ int (*fallback_f)(psa_status_t));
+
+/* The second out of three-stage error handling functions of the pk module,
+ * acts as a fallback after RSA / ECDSA error translation, and if no match
+ * is found, it itself calls psa_generic_status_to_mbedtls. */
+int psa_pk_status_to_mbedtls(psa_status_t status);
+
+/* Utility macro to shorten the defines of error translator in modules. */
+#define PSA_TO_MBEDTLS_ERR_LIST(status, error_list, fallback_f) \
+ psa_status_to_mbedtls(status, error_list, \
+ sizeof(error_list)/sizeof(error_list[0]), \
+ fallback_f)
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#endif /* MBEDTLS_PSA_UTIL_INTERNAL_H */
diff --git a/library/ripemd160.c b/library/ripemd160.c
new file mode 100644
index 0000000..b4fc3cd
--- /dev/null
+++ b/library/ripemd160.c
@@ -0,0 +1,490 @@
+/*
+ * RIPE MD-160 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The RIPEMD-160 algorithm was designed by RIPE in 1996
+ * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html
+ * http://ehash.iaik.tugraz.at/wiki/RIPEMD-160
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_RIPEMD160_C)
+
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+
+void mbedtls_ripemd160_init(mbedtls_ripemd160_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_ripemd160_context));
+}
+
+void mbedtls_ripemd160_free(mbedtls_ripemd160_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ripemd160_context));
+}
+
+void mbedtls_ripemd160_clone(mbedtls_ripemd160_context *dst,
+ const mbedtls_ripemd160_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * RIPEMD-160 context setup
+ */
+int mbedtls_ripemd160_starts(mbedtls_ripemd160_context *ctx)
+{
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ ctx->state[0] = 0x67452301;
+ ctx->state[1] = 0xEFCDAB89;
+ ctx->state[2] = 0x98BADCFE;
+ ctx->state[3] = 0x10325476;
+ ctx->state[4] = 0xC3D2E1F0;
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+/*
+ * Process one block
+ */
+int mbedtls_internal_ripemd160_process(mbedtls_ripemd160_context *ctx,
+ const unsigned char data[64])
+{
+ struct {
+ uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
+ } local;
+
+ local.X[0] = MBEDTLS_GET_UINT32_LE(data, 0);
+ local.X[1] = MBEDTLS_GET_UINT32_LE(data, 4);
+ local.X[2] = MBEDTLS_GET_UINT32_LE(data, 8);
+ local.X[3] = MBEDTLS_GET_UINT32_LE(data, 12);
+ local.X[4] = MBEDTLS_GET_UINT32_LE(data, 16);
+ local.X[5] = MBEDTLS_GET_UINT32_LE(data, 20);
+ local.X[6] = MBEDTLS_GET_UINT32_LE(data, 24);
+ local.X[7] = MBEDTLS_GET_UINT32_LE(data, 28);
+ local.X[8] = MBEDTLS_GET_UINT32_LE(data, 32);
+ local.X[9] = MBEDTLS_GET_UINT32_LE(data, 36);
+ local.X[10] = MBEDTLS_GET_UINT32_LE(data, 40);
+ local.X[11] = MBEDTLS_GET_UINT32_LE(data, 44);
+ local.X[12] = MBEDTLS_GET_UINT32_LE(data, 48);
+ local.X[13] = MBEDTLS_GET_UINT32_LE(data, 52);
+ local.X[14] = MBEDTLS_GET_UINT32_LE(data, 56);
+ local.X[15] = MBEDTLS_GET_UINT32_LE(data, 60);
+
+ local.A = local.Ap = ctx->state[0];
+ local.B = local.Bp = ctx->state[1];
+ local.C = local.Cp = ctx->state[2];
+ local.D = local.Dp = ctx->state[3];
+ local.E = local.Ep = ctx->state[4];
+
+#define F1(x, y, z) ((x) ^ (y) ^ (z))
+#define F2(x, y, z) (((x) & (y)) | (~(x) & (z)))
+#define F3(x, y, z) (((x) | ~(y)) ^ (z))
+#define F4(x, y, z) (((x) & (z)) | ((y) & ~(z)))
+#define F5(x, y, z) ((x) ^ ((y) | ~(z)))
+
+#define S(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
+
+#define P(a, b, c, d, e, r, s, f, k) \
+ do \
+ { \
+ (a) += f((b), (c), (d)) + local.X[r] + (k); \
+ (a) = S((a), (s)) + (e); \
+ (c) = S((c), 10); \
+ } while (0)
+
+#define P2(a, b, c, d, e, r, s, rp, sp) \
+ do \
+ { \
+ P((a), (b), (c), (d), (e), (r), (s), F, K); \
+ P(a ## p, b ## p, c ## p, d ## p, e ## p, \
+ (rp), (sp), Fp, Kp); \
+ } while (0)
+
+#define F F1
+#define K 0x00000000
+#define Fp F5
+#define Kp 0x50A28BE6
+ P2(local.A, local.B, local.C, local.D, local.E, 0, 11, 5, 8);
+ P2(local.E, local.A, local.B, local.C, local.D, 1, 14, 14, 9);
+ P2(local.D, local.E, local.A, local.B, local.C, 2, 15, 7, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 3, 12, 0, 11);
+ P2(local.B, local.C, local.D, local.E, local.A, 4, 5, 9, 13);
+ P2(local.A, local.B, local.C, local.D, local.E, 5, 8, 2, 15);
+ P2(local.E, local.A, local.B, local.C, local.D, 6, 7, 11, 15);
+ P2(local.D, local.E, local.A, local.B, local.C, 7, 9, 4, 5);
+ P2(local.C, local.D, local.E, local.A, local.B, 8, 11, 13, 7);
+ P2(local.B, local.C, local.D, local.E, local.A, 9, 13, 6, 7);
+ P2(local.A, local.B, local.C, local.D, local.E, 10, 14, 15, 8);
+ P2(local.E, local.A, local.B, local.C, local.D, 11, 15, 8, 11);
+ P2(local.D, local.E, local.A, local.B, local.C, 12, 6, 1, 14);
+ P2(local.C, local.D, local.E, local.A, local.B, 13, 7, 10, 14);
+ P2(local.B, local.C, local.D, local.E, local.A, 14, 9, 3, 12);
+ P2(local.A, local.B, local.C, local.D, local.E, 15, 8, 12, 6);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F F2
+#define K 0x5A827999
+#define Fp F4
+#define Kp 0x5C4DD124
+ P2(local.E, local.A, local.B, local.C, local.D, 7, 7, 6, 9);
+ P2(local.D, local.E, local.A, local.B, local.C, 4, 6, 11, 13);
+ P2(local.C, local.D, local.E, local.A, local.B, 13, 8, 3, 15);
+ P2(local.B, local.C, local.D, local.E, local.A, 1, 13, 7, 7);
+ P2(local.A, local.B, local.C, local.D, local.E, 10, 11, 0, 12);
+ P2(local.E, local.A, local.B, local.C, local.D, 6, 9, 13, 8);
+ P2(local.D, local.E, local.A, local.B, local.C, 15, 7, 5, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 3, 15, 10, 11);
+ P2(local.B, local.C, local.D, local.E, local.A, 12, 7, 14, 7);
+ P2(local.A, local.B, local.C, local.D, local.E, 0, 12, 15, 7);
+ P2(local.E, local.A, local.B, local.C, local.D, 9, 15, 8, 12);
+ P2(local.D, local.E, local.A, local.B, local.C, 5, 9, 12, 7);
+ P2(local.C, local.D, local.E, local.A, local.B, 2, 11, 4, 6);
+ P2(local.B, local.C, local.D, local.E, local.A, 14, 7, 9, 15);
+ P2(local.A, local.B, local.C, local.D, local.E, 11, 13, 1, 13);
+ P2(local.E, local.A, local.B, local.C, local.D, 8, 12, 2, 11);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F F3
+#define K 0x6ED9EBA1
+#define Fp F3
+#define Kp 0x6D703EF3
+ P2(local.D, local.E, local.A, local.B, local.C, 3, 11, 15, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 10, 13, 5, 7);
+ P2(local.B, local.C, local.D, local.E, local.A, 14, 6, 1, 15);
+ P2(local.A, local.B, local.C, local.D, local.E, 4, 7, 3, 11);
+ P2(local.E, local.A, local.B, local.C, local.D, 9, 14, 7, 8);
+ P2(local.D, local.E, local.A, local.B, local.C, 15, 9, 14, 6);
+ P2(local.C, local.D, local.E, local.A, local.B, 8, 13, 6, 6);
+ P2(local.B, local.C, local.D, local.E, local.A, 1, 15, 9, 14);
+ P2(local.A, local.B, local.C, local.D, local.E, 2, 14, 11, 12);
+ P2(local.E, local.A, local.B, local.C, local.D, 7, 8, 8, 13);
+ P2(local.D, local.E, local.A, local.B, local.C, 0, 13, 12, 5);
+ P2(local.C, local.D, local.E, local.A, local.B, 6, 6, 2, 14);
+ P2(local.B, local.C, local.D, local.E, local.A, 13, 5, 10, 13);
+ P2(local.A, local.B, local.C, local.D, local.E, 11, 12, 0, 13);
+ P2(local.E, local.A, local.B, local.C, local.D, 5, 7, 4, 7);
+ P2(local.D, local.E, local.A, local.B, local.C, 12, 5, 13, 5);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F F4
+#define K 0x8F1BBCDC
+#define Fp F2
+#define Kp 0x7A6D76E9
+ P2(local.C, local.D, local.E, local.A, local.B, 1, 11, 8, 15);
+ P2(local.B, local.C, local.D, local.E, local.A, 9, 12, 6, 5);
+ P2(local.A, local.B, local.C, local.D, local.E, 11, 14, 4, 8);
+ P2(local.E, local.A, local.B, local.C, local.D, 10, 15, 1, 11);
+ P2(local.D, local.E, local.A, local.B, local.C, 0, 14, 3, 14);
+ P2(local.C, local.D, local.E, local.A, local.B, 8, 15, 11, 14);
+ P2(local.B, local.C, local.D, local.E, local.A, 12, 9, 15, 6);
+ P2(local.A, local.B, local.C, local.D, local.E, 4, 8, 0, 14);
+ P2(local.E, local.A, local.B, local.C, local.D, 13, 9, 5, 6);
+ P2(local.D, local.E, local.A, local.B, local.C, 3, 14, 12, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 7, 5, 2, 12);
+ P2(local.B, local.C, local.D, local.E, local.A, 15, 6, 13, 9);
+ P2(local.A, local.B, local.C, local.D, local.E, 14, 8, 9, 12);
+ P2(local.E, local.A, local.B, local.C, local.D, 5, 6, 7, 5);
+ P2(local.D, local.E, local.A, local.B, local.C, 6, 5, 10, 15);
+ P2(local.C, local.D, local.E, local.A, local.B, 2, 12, 14, 8);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F F5
+#define K 0xA953FD4E
+#define Fp F1
+#define Kp 0x00000000
+ P2(local.B, local.C, local.D, local.E, local.A, 4, 9, 12, 8);
+ P2(local.A, local.B, local.C, local.D, local.E, 0, 15, 15, 5);
+ P2(local.E, local.A, local.B, local.C, local.D, 5, 5, 10, 12);
+ P2(local.D, local.E, local.A, local.B, local.C, 9, 11, 4, 9);
+ P2(local.C, local.D, local.E, local.A, local.B, 7, 6, 1, 12);
+ P2(local.B, local.C, local.D, local.E, local.A, 12, 8, 5, 5);
+ P2(local.A, local.B, local.C, local.D, local.E, 2, 13, 8, 14);
+ P2(local.E, local.A, local.B, local.C, local.D, 10, 12, 7, 6);
+ P2(local.D, local.E, local.A, local.B, local.C, 14, 5, 6, 8);
+ P2(local.C, local.D, local.E, local.A, local.B, 1, 12, 2, 13);
+ P2(local.B, local.C, local.D, local.E, local.A, 3, 13, 13, 6);
+ P2(local.A, local.B, local.C, local.D, local.E, 8, 14, 14, 5);
+ P2(local.E, local.A, local.B, local.C, local.D, 11, 11, 0, 15);
+ P2(local.D, local.E, local.A, local.B, local.C, 6, 8, 3, 13);
+ P2(local.C, local.D, local.E, local.A, local.B, 15, 5, 9, 11);
+ P2(local.B, local.C, local.D, local.E, local.A, 13, 6, 11, 11);
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+ local.C = ctx->state[1] + local.C + local.Dp;
+ ctx->state[1] = ctx->state[2] + local.D + local.Ep;
+ ctx->state[2] = ctx->state[3] + local.E + local.Ap;
+ ctx->state[3] = ctx->state[4] + local.A + local.Bp;
+ ctx->state[4] = ctx->state[0] + local.B + local.Cp;
+ ctx->state[0] = local.C;
+
+ /* Zeroise variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_RIPEMD160_PROCESS_ALT */
+
+/*
+ * RIPEMD-160 process buffer
+ */
+int mbedtls_ripemd160_update(mbedtls_ripemd160_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ uint32_t left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = ctx->total[0] & 0x3F;
+ fill = 64 - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if (ctx->total[0] < (uint32_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+
+ if ((ret = mbedtls_internal_ripemd160_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= 64) {
+ if ((ret = mbedtls_internal_ripemd160_process(ctx, input)) != 0) {
+ return ret;
+ }
+
+ input += 64;
+ ilen -= 64;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+static const unsigned char ripemd160_padding[64] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * RIPEMD-160 final digest
+ */
+int mbedtls_ripemd160_finish(mbedtls_ripemd160_context *ctx,
+ unsigned char output[20])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t last, padn;
+ uint32_t high, low;
+ unsigned char msglen[8];
+
+ high = (ctx->total[0] >> 29)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ MBEDTLS_PUT_UINT32_LE(low, msglen, 0);
+ MBEDTLS_PUT_UINT32_LE(high, msglen, 4);
+
+ last = ctx->total[0] & 0x3F;
+ padn = (last < 56) ? (56 - last) : (120 - last);
+
+ ret = mbedtls_ripemd160_update(ctx, ripemd160_padding, padn);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_ripemd160_update(ctx, msglen, 8);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ MBEDTLS_PUT_UINT32_LE(ctx->state[0], output, 0);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[1], output, 4);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[2], output, 8);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[3], output, 12);
+ MBEDTLS_PUT_UINT32_LE(ctx->state[4], output, 16);
+
+ ret = 0;
+
+exit:
+ mbedtls_ripemd160_free(ctx);
+ return ret;
+}
+
+#endif /* ! MBEDTLS_RIPEMD160_ALT */
+
+/*
+ * output = RIPEMD-160( input buffer )
+ */
+int mbedtls_ripemd160(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[20])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ripemd160_context ctx;
+
+ mbedtls_ripemd160_init(&ctx);
+
+ if ((ret = mbedtls_ripemd160_starts(&ctx)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_ripemd160_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_ripemd160_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_ripemd160_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Test vectors from the RIPEMD-160 paper and
+ * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html#HMAC
+ */
+#define TESTS 8
+static const unsigned char ripemd160_test_str[TESTS][81] =
+{
+ { "" },
+ { "a" },
+ { "abc" },
+ { "message digest" },
+ { "abcdefghijklmnopqrstuvwxyz" },
+ { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+ { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+ { "12345678901234567890123456789012345678901234567890123456789012345678901234567890" },
+};
+
+static const size_t ripemd160_test_strlen[TESTS] =
+{
+ 0, 1, 3, 14, 26, 56, 62, 80
+};
+
+static const unsigned char ripemd160_test_md[TESTS][20] =
+{
+ { 0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54, 0x61, 0x28,
+ 0x08, 0x97, 0x7e, 0xe8, 0xf5, 0x48, 0xb2, 0x25, 0x8d, 0x31 },
+ { 0x0b, 0xdc, 0x9d, 0x2d, 0x25, 0x6b, 0x3e, 0xe9, 0xda, 0xae,
+ 0x34, 0x7b, 0xe6, 0xf4, 0xdc, 0x83, 0x5a, 0x46, 0x7f, 0xfe },
+ { 0x8e, 0xb2, 0x08, 0xf7, 0xe0, 0x5d, 0x98, 0x7a, 0x9b, 0x04,
+ 0x4a, 0x8e, 0x98, 0xc6, 0xb0, 0x87, 0xf1, 0x5a, 0x0b, 0xfc },
+ { 0x5d, 0x06, 0x89, 0xef, 0x49, 0xd2, 0xfa, 0xe5, 0x72, 0xb8,
+ 0x81, 0xb1, 0x23, 0xa8, 0x5f, 0xfa, 0x21, 0x59, 0x5f, 0x36 },
+ { 0xf7, 0x1c, 0x27, 0x10, 0x9c, 0x69, 0x2c, 0x1b, 0x56, 0xbb,
+ 0xdc, 0xeb, 0x5b, 0x9d, 0x28, 0x65, 0xb3, 0x70, 0x8d, 0xbc },
+ { 0x12, 0xa0, 0x53, 0x38, 0x4a, 0x9c, 0x0c, 0x88, 0xe4, 0x05,
+ 0xa0, 0x6c, 0x27, 0xdc, 0xf4, 0x9a, 0xda, 0x62, 0xeb, 0x2b },
+ { 0xb0, 0xe2, 0x0b, 0x6e, 0x31, 0x16, 0x64, 0x02, 0x86, 0xed,
+ 0x3a, 0x87, 0xa5, 0x71, 0x30, 0x79, 0xb2, 0x1f, 0x51, 0x89 },
+ { 0x9b, 0x75, 0x2e, 0x45, 0x57, 0x3d, 0x4b, 0x39, 0xf4, 0xdb,
+ 0xd3, 0x32, 0x3c, 0xab, 0x82, 0xbf, 0x63, 0x32, 0x6b, 0xfb },
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ripemd160_self_test(int verbose)
+{
+ int i, ret = 0;
+ unsigned char output[20];
+
+ memset(output, 0, sizeof(output));
+
+ for (i = 0; i < TESTS; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" RIPEMD-160 test #%d: ", i + 1);
+ }
+
+ ret = mbedtls_ripemd160(ripemd160_test_str[i],
+ ripemd160_test_strlen[i], output);
+ if (ret != 0) {
+ goto fail;
+ }
+
+ if (memcmp(output, ripemd160_test_md[i], 20) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RIPEMD160_C */
diff --git a/library/rsa.c b/library/rsa.c
new file mode 100644
index 0000000..7eb4a25
--- /dev/null
+++ b/library/rsa.c
@@ -0,0 +1,3065 @@
+/*
+ * The RSA public-key cryptosystem
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * The following sources were referenced in the design of this implementation
+ * of the RSA algorithm:
+ *
+ * [1] A method for obtaining digital signatures and public-key cryptosystems
+ * R Rivest, A Shamir, and L Adleman
+ * http://people.csail.mit.edu/rivest/pubs.html#RSA78
+ *
+ * [2] Handbook of Applied Cryptography - 1997, Chapter 8
+ * Menezes, van Oorschot and Vanstone
+ *
+ * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
+ * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
+ * Stefan Mangard
+ * https://arxiv.org/abs/1702.08719v2
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "bignum_core.h"
+#include "rsa_alt_helpers.h"
+#include "rsa_internal.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+#include "constant_time_internal.h"
+#include "mbedtls/constant_time.h"
+#include "md_psa.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/platform.h"
+
+/*
+ * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
+ *
+ * The value zero is:
+ * - never a valid value for an RSA parameter
+ * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
+ *
+ * Since values can't be omitted in PKCS#1, passing a zero value to
+ * rsa_complete() would be incorrect, so reject zero values early.
+ */
+static int asn1_get_nonzero_mpi(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_mpi *X)
+{
+ int ret;
+
+ ret = mbedtls_asn1_get_mpi(p, end, X);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (mbedtls_mpi_cmp_int(X, 0) == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen)
+{
+ int ret, version;
+ size_t len;
+ unsigned char *p, *end;
+
+ mbedtls_mpi T;
+ mbedtls_mpi_init(&T);
+
+ p = (unsigned char *) key;
+ end = p + keylen;
+
+ /*
+ * This function parses the RSAPrivateKey (PKCS#1)
+ *
+ * RSAPrivateKey ::= SEQUENCE {
+ * version Version,
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER, -- e
+ * privateExponent INTEGER, -- d
+ * prime1 INTEGER, -- p
+ * prime2 INTEGER, -- q
+ * exponent1 INTEGER, -- d mod (p-1)
+ * exponent2 INTEGER, -- d mod (q-1)
+ * coefficient INTEGER, -- (inverse of q) mod p
+ * otherPrimeInfos OtherPrimeInfos OPTIONAL
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ if (end != p + len) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_asn1_get_int(&p, end, &version)) != 0) {
+ return ret;
+ }
+
+ if (version != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /* Import N */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, &T, NULL, NULL,
+ NULL, NULL)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import E */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
+ NULL, &T)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import D */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, NULL, NULL, NULL,
+ &T, NULL)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import P */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, NULL, &T, NULL,
+ NULL, NULL)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import Q */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_rsa_import(rsa, NULL, NULL, &T,
+ NULL, NULL)) != 0) {
+ goto cleanup;
+ }
+
+#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
+ /*
+ * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
+ * that they can be easily recomputed from D, P and Q. However by
+ * parsing them from the PKCS1 structure it is possible to avoid
+ * recalculating them which both reduces the overhead of loading
+ * RSA private keys into memory and also avoids side channels which
+ * can arise when computing those values, since all of D, P, and Q
+ * are secret. See https://eprint.iacr.org/2020/055 for a
+ * description of one such attack.
+ */
+
+ /* Import DP */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_mpi_copy(&rsa->DP, &T)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import DQ */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_mpi_copy(&rsa->DQ, &T)) != 0) {
+ goto cleanup;
+ }
+
+ /* Import QP */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = mbedtls_mpi_copy(&rsa->QP, &T)) != 0) {
+ goto cleanup;
+ }
+
+#else
+ /* Verify existence of the CRT params */
+ if ((ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0 ||
+ (ret = asn1_get_nonzero_mpi(&p, end, &T)) != 0) {
+ goto cleanup;
+ }
+#endif
+
+ /* rsa_complete() doesn't complete anything with the default
+ * implementation but is still called:
+ * - for the benefit of alternative implementation that may want to
+ * pre-compute stuff beyond what's provided (eg Montgomery factors)
+ * - as is also sanity-checks the key
+ *
+ * Furthermore, we also check the public part for consistency with
+ * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
+ */
+ if ((ret = mbedtls_rsa_complete(rsa)) != 0 ||
+ (ret = mbedtls_rsa_check_pubkey(rsa)) != 0) {
+ goto cleanup;
+ }
+
+ if (p != end) {
+ ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&T);
+
+ if (ret != 0) {
+ mbedtls_rsa_free(rsa);
+ }
+
+ return ret;
+}
+
+int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen)
+{
+ unsigned char *p = (unsigned char *) key;
+ unsigned char *end = (unsigned char *) (key + keylen);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ /*
+ * RSAPublicKey ::= SEQUENCE {
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER -- e
+ * }
+ */
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return ret;
+ }
+
+ if (end != p + len) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /* Import N */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_rsa_import_raw(rsa, p, len, NULL, 0, NULL, 0,
+ NULL, 0, NULL, 0)) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ p += len;
+
+ /* Import E */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_rsa_import_raw(rsa, NULL, 0, NULL, 0, NULL, 0,
+ NULL, 0, p, len)) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ p += len;
+
+ if (mbedtls_rsa_complete(rsa) != 0 ||
+ mbedtls_rsa_check_pubkey(rsa) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (p != end) {
+ return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ return 0;
+}
+
+int mbedtls_rsa_write_key(const mbedtls_rsa_context *rsa, unsigned char *start,
+ unsigned char **p)
+{
+ size_t len = 0;
+ int ret;
+
+ mbedtls_mpi T; /* Temporary holding the exported parameters */
+
+ /*
+ * Export the parameters one after another to avoid simultaneous copies.
+ */
+
+ mbedtls_mpi_init(&T);
+
+ /* Export QP */
+ if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export DQ */
+ if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export DP */
+ if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export Q */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, &T, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export P */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, &T, NULL, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export D */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, &T, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export E */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export N */
+ if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+end_of_export:
+
+ mbedtls_mpi_free(&T);
+ if (ret < 0) {
+ return ret;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, start, 0));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+
+/*
+ * RSAPublicKey ::= SEQUENCE {
+ * modulus INTEGER, -- n
+ * publicExponent INTEGER -- e
+ * }
+ */
+int mbedtls_rsa_write_pubkey(const mbedtls_rsa_context *rsa, unsigned char *start,
+ unsigned char **p)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+ mbedtls_mpi T;
+
+ mbedtls_mpi_init(&T);
+
+ /* Export E */
+ if ((ret = mbedtls_rsa_export(rsa, NULL, NULL, NULL, NULL, &T)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+ /* Export N */
+ if ((ret = mbedtls_rsa_export(rsa, &T, NULL, NULL, NULL, NULL)) != 0 ||
+ (ret = mbedtls_asn1_write_mpi(p, start, &T)) < 0) {
+ goto end_of_export;
+ }
+ len += ret;
+
+end_of_export:
+
+ mbedtls_mpi_free(&T);
+ if (ret < 0) {
+ return ret;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
+
+/** This function performs the unpadding part of a PKCS#1 v1.5 decryption
+ * operation (EME-PKCS1-v1_5 decoding).
+ *
+ * \note The return value from this function is a sensitive value
+ * (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen
+ * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING
+ * is often a situation that an attacker can provoke and leaking which
+ * one is the result is precisely the information the attacker wants.
+ *
+ * \param input The input buffer which is the payload inside PKCS#1v1.5
+ * encryption padding, called the "encoded message EM"
+ * by the terminology.
+ * \param ilen The length of the payload in the \p input buffer.
+ * \param output The buffer for the payload, called "message M" by the
+ * PKCS#1 terminology. This must be a writable buffer of
+ * length \p output_max_len bytes.
+ * \param olen The address at which to store the length of
+ * the payload. This must not be \c NULL.
+ * \param output_max_len The length in bytes of the output buffer \p output.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
+ * The output buffer is too small for the unpadded payload.
+ * \return #MBEDTLS_ERR_RSA_INVALID_PADDING
+ * The input doesn't contain properly formatted padding.
+ */
+static int mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char *input,
+ size_t ilen,
+ unsigned char *output,
+ size_t output_max_len,
+ size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, plaintext_max_size;
+
+ /* The following variables take sensitive values: their value must
+ * not leak into the observable behavior of the function other than
+ * the designated outputs (output, olen, return value). Otherwise
+ * this would open the execution of the function to
+ * side-channel-based variants of the Bleichenbacher padding oracle
+ * attack. Potential side channels include overall timing, memory
+ * access patterns (especially visible to an adversary who has access
+ * to a shared memory cache), and branches (especially visible to
+ * an adversary who has access to a shared code cache or to a shared
+ * branch predictor). */
+ size_t pad_count = 0;
+ mbedtls_ct_condition_t bad;
+ mbedtls_ct_condition_t pad_done;
+ size_t plaintext_size = 0;
+ mbedtls_ct_condition_t output_too_large;
+
+ plaintext_max_size = (output_max_len > ilen - 11) ? ilen - 11
+ : output_max_len;
+
+ /* Check and get padding length in constant time and constant
+ * memory trace. The first byte must be 0. */
+ bad = mbedtls_ct_bool(input[0]);
+
+
+ /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
+ * where PS must be at least 8 nonzero bytes. */
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(input[1], MBEDTLS_RSA_CRYPT));
+
+ /* Read the whole buffer. Set pad_done to nonzero if we find
+ * the 0x00 byte and remember the padding length in pad_count. */
+ pad_done = MBEDTLS_CT_FALSE;
+ for (i = 2; i < ilen; i++) {
+ mbedtls_ct_condition_t found = mbedtls_ct_uint_eq(input[i], 0);
+ pad_done = mbedtls_ct_bool_or(pad_done, found);
+ pad_count += mbedtls_ct_uint_if_else_0(mbedtls_ct_bool_not(pad_done), 1);
+ }
+
+ /* If pad_done is still zero, there's no data, only unfinished padding. */
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_not(pad_done));
+
+ /* There must be at least 8 bytes of padding. */
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_gt(8, pad_count));
+
+ /* If the padding is valid, set plaintext_size to the number of
+ * remaining bytes after stripping the padding. If the padding
+ * is invalid, avoid leaking this fact through the size of the
+ * output: use the maximum message size that fits in the output
+ * buffer. Do it without branches to avoid leaking the padding
+ * validity through timing. RSA keys are small enough that all the
+ * size_t values involved fit in unsigned int. */
+ plaintext_size = mbedtls_ct_uint_if(
+ bad, (unsigned) plaintext_max_size,
+ (unsigned) (ilen - pad_count - 3));
+
+ /* Set output_too_large to 0 if the plaintext fits in the output
+ * buffer and to 1 otherwise. */
+ output_too_large = mbedtls_ct_uint_gt(plaintext_size,
+ plaintext_max_size);
+
+ /* Set ret without branches to avoid timing attacks. Return:
+ * - INVALID_PADDING if the padding is bad (bad != 0).
+ * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
+ * plaintext does not fit in the output buffer.
+ * - 0 if the padding is correct. */
+ ret = mbedtls_ct_error_if(
+ bad,
+ MBEDTLS_ERR_RSA_INVALID_PADDING,
+ mbedtls_ct_error_if_else_0(output_too_large, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE)
+ );
+
+ /* If the padding is bad or the plaintext is too large, zero the
+ * data that we're about to copy to the output buffer.
+ * We need to copy the same amount of data
+ * from the same buffer whether the padding is good or not to
+ * avoid leaking the padding validity through overall timing or
+ * through memory or cache access patterns. */
+ mbedtls_ct_zeroize_if(mbedtls_ct_bool_or(bad, output_too_large), input + 11, ilen - 11);
+
+ /* If the plaintext is too large, truncate it to the buffer size.
+ * Copy anyway to avoid revealing the length through timing, because
+ * revealing the length is as bad as revealing the padding validity
+ * for a Bleichenbacher attack. */
+ plaintext_size = mbedtls_ct_uint_if(output_too_large,
+ (unsigned) plaintext_max_size,
+ (unsigned) plaintext_size);
+
+ /* Move the plaintext to the leftmost position where it can start in
+ * the working buffer, i.e. make it start plaintext_max_size from
+ * the end of the buffer. Do this with a memory access trace that
+ * does not depend on the plaintext size. After this move, the
+ * starting location of the plaintext is no longer sensitive
+ * information. */
+ mbedtls_ct_memmove_left(input + ilen - plaintext_max_size,
+ plaintext_max_size,
+ plaintext_max_size - plaintext_size);
+
+ /* Finally copy the decrypted plaintext plus trailing zeros into the output
+ * buffer. If output_max_len is 0, then output may be an invalid pointer
+ * and the result of memcpy() would be undefined; prevent undefined
+ * behavior making sure to depend only on output_max_len (the size of the
+ * user-provided output buffer), which is independent from plaintext
+ * length, validity of padding, success of the decryption, and other
+ * secrets. */
+ if (output_max_len != 0) {
+ memcpy(output, input + ilen - plaintext_max_size, plaintext_max_size);
+ }
+
+ /* Report the amount of data we copied to the output buffer. In case
+ * of errors (bad padding or output too large), the value of *olen
+ * when this function returns is not specified. Making it equivalent
+ * to the good case limits the risks of leaking the padding validity. */
+ *olen = plaintext_size;
+
+ return ret;
+}
+
+#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
+
+#if !defined(MBEDTLS_RSA_ALT)
+
+int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
+ const mbedtls_mpi *N,
+ const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, const mbedtls_mpi *E)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((N != NULL && (ret = mbedtls_mpi_copy(&ctx->N, N)) != 0) ||
+ (P != NULL && (ret = mbedtls_mpi_copy(&ctx->P, P)) != 0) ||
+ (Q != NULL && (ret = mbedtls_mpi_copy(&ctx->Q, Q)) != 0) ||
+ (D != NULL && (ret = mbedtls_mpi_copy(&ctx->D, D)) != 0) ||
+ (E != NULL && (ret = mbedtls_mpi_copy(&ctx->E, E)) != 0)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+
+ if (N != NULL) {
+ ctx->len = mbedtls_mpi_size(&ctx->N);
+ }
+
+ return 0;
+}
+
+int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx,
+ unsigned char const *N, size_t N_len,
+ unsigned char const *P, size_t P_len,
+ unsigned char const *Q, size_t Q_len,
+ unsigned char const *D, size_t D_len,
+ unsigned char const *E, size_t E_len)
+{
+ int ret = 0;
+
+ if (N != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->N, N, N_len));
+ ctx->len = mbedtls_mpi_size(&ctx->N);
+ }
+
+ if (P != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->P, P, P_len));
+ }
+
+ if (Q != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->Q, Q, Q_len));
+ }
+
+ if (D != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->D, D, D_len));
+ }
+
+ if (E != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&ctx->E, E, E_len));
+ }
+
+cleanup:
+
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Checks whether the context fields are set in such a way
+ * that the RSA primitives will be able to execute without error.
+ * It does *not* make guarantees for consistency of the parameters.
+ */
+static int rsa_check_context(mbedtls_rsa_context const *ctx, int is_priv,
+ int blinding_needed)
+{
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /* blinding_needed is only used for NO_CRT to decide whether
+ * P,Q need to be present or not. */
+ ((void) blinding_needed);
+#endif
+
+ if (ctx->len != mbedtls_mpi_size(&ctx->N) ||
+ ctx->len > MBEDTLS_MPI_MAX_SIZE) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * 1. Modular exponentiation needs positive, odd moduli.
+ */
+
+ /* Modular exponentiation wrt. N is always used for
+ * RSA public key operations. */
+ if (mbedtls_mpi_cmp_int(&ctx->N, 0) <= 0 ||
+ mbedtls_mpi_get_bit(&ctx->N, 0) == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /* Modular exponentiation for P and Q is only
+ * used for private key operations and if CRT
+ * is used. */
+ if (is_priv &&
+ (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
+ mbedtls_mpi_get_bit(&ctx->P, 0) == 0 ||
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0 ||
+ mbedtls_mpi_get_bit(&ctx->Q, 0) == 0)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#endif /* !MBEDTLS_RSA_NO_CRT */
+
+ /*
+ * 2. Exponents must be positive
+ */
+
+ /* Always need E for public key operations */
+ if (mbedtls_mpi_cmp_int(&ctx->E, 0) <= 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ /* For private key operations, use D or DP & DQ
+ * as (unblinded) exponents. */
+ if (is_priv && mbedtls_mpi_cmp_int(&ctx->D, 0) <= 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#else
+ if (is_priv &&
+ (mbedtls_mpi_cmp_int(&ctx->DP, 0) <= 0 ||
+ mbedtls_mpi_cmp_int(&ctx->DQ, 0) <= 0)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /* Blinding shouldn't make exponents negative either,
+ * so check that P, Q >= 1 if that hasn't yet been
+ * done as part of 1. */
+#if defined(MBEDTLS_RSA_NO_CRT)
+ if (is_priv && blinding_needed &&
+ (mbedtls_mpi_cmp_int(&ctx->P, 0) <= 0 ||
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) <= 0)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#endif
+
+ /* It wouldn't lead to an error if it wasn't satisfied,
+ * but check for QP >= 1 nonetheless. */
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ if (is_priv &&
+ mbedtls_mpi_cmp_int(&ctx->QP, 0) <= 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+#endif
+
+ return 0;
+}
+
+int mbedtls_rsa_complete(mbedtls_rsa_context *ctx)
+{
+ int ret = 0;
+ int have_N, have_P, have_Q, have_D, have_E;
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ int have_DP, have_DQ, have_QP;
+#endif
+ int n_missing, pq_missing, d_missing, is_pub, is_priv;
+
+ have_N = (mbedtls_mpi_cmp_int(&ctx->N, 0) != 0);
+ have_P = (mbedtls_mpi_cmp_int(&ctx->P, 0) != 0);
+ have_Q = (mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0);
+ have_D = (mbedtls_mpi_cmp_int(&ctx->D, 0) != 0);
+ have_E = (mbedtls_mpi_cmp_int(&ctx->E, 0) != 0);
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ have_DP = (mbedtls_mpi_cmp_int(&ctx->DP, 0) != 0);
+ have_DQ = (mbedtls_mpi_cmp_int(&ctx->DQ, 0) != 0);
+ have_QP = (mbedtls_mpi_cmp_int(&ctx->QP, 0) != 0);
+#endif
+
+ /*
+ * Check whether provided parameters are enough
+ * to deduce all others. The following incomplete
+ * parameter sets for private keys are supported:
+ *
+ * (1) P, Q missing.
+ * (2) D and potentially N missing.
+ *
+ */
+
+ n_missing = have_P && have_Q && have_D && have_E;
+ pq_missing = have_N && !have_P && !have_Q && have_D && have_E;
+ d_missing = have_P && have_Q && !have_D && have_E;
+ is_pub = have_N && !have_P && !have_Q && !have_D && have_E;
+
+ /* These three alternatives are mutually exclusive */
+ is_priv = n_missing || pq_missing || d_missing;
+
+ if (!is_priv && !is_pub) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Step 1: Deduce N if P, Q are provided.
+ */
+
+ if (!have_N && have_P && have_Q) {
+ if ((ret = mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P,
+ &ctx->Q)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+
+ ctx->len = mbedtls_mpi_size(&ctx->N);
+ }
+
+ /*
+ * Step 2: Deduce and verify all remaining core parameters.
+ */
+
+ if (pq_missing) {
+ ret = mbedtls_rsa_deduce_primes(&ctx->N, &ctx->E, &ctx->D,
+ &ctx->P, &ctx->Q);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+
+ } else if (d_missing) {
+ if ((ret = mbedtls_rsa_deduce_private_exponent(&ctx->P,
+ &ctx->Q,
+ &ctx->E,
+ &ctx->D)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+ }
+
+ /*
+ * Step 3: Deduce all additional parameters specific
+ * to our current RSA implementation.
+ */
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ if (is_priv && !(have_DP && have_DQ && have_QP)) {
+ ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
+ &ctx->DP, &ctx->DQ, &ctx->QP);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+ }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /*
+ * Step 3: Basic sanity checks
+ */
+
+ return rsa_check_context(ctx, is_priv, 1);
+}
+
+int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx,
+ unsigned char *N, size_t N_len,
+ unsigned char *P, size_t P_len,
+ unsigned char *Q, size_t Q_len,
+ unsigned char *D, size_t D_len,
+ unsigned char *E, size_t E_len)
+{
+ int ret = 0;
+ int is_priv;
+
+ /* Check if key is private or public */
+ is_priv =
+ mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
+
+ if (!is_priv) {
+ /* If we're trying to export private parameters for a public key,
+ * something must be wrong. */
+ if (P != NULL || Q != NULL || D != NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ }
+
+ if (N != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->N, N, N_len));
+ }
+
+ if (P != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->P, P, P_len));
+ }
+
+ if (Q != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->Q, Q, Q_len));
+ }
+
+ if (D != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->D, D, D_len));
+ }
+
+ if (E != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&ctx->E, E, E_len));
+ }
+
+cleanup:
+
+ return ret;
+}
+
+int mbedtls_rsa_export(const mbedtls_rsa_context *ctx,
+ mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
+ mbedtls_mpi *D, mbedtls_mpi *E)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int is_priv;
+
+ /* Check if key is private or public */
+ is_priv =
+ mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
+
+ if (!is_priv) {
+ /* If we're trying to export private parameters for a public key,
+ * something must be wrong. */
+ if (P != NULL || Q != NULL || D != NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ }
+
+ /* Export all requested core parameters. */
+
+ if ((N != NULL && (ret = mbedtls_mpi_copy(N, &ctx->N)) != 0) ||
+ (P != NULL && (ret = mbedtls_mpi_copy(P, &ctx->P)) != 0) ||
+ (Q != NULL && (ret = mbedtls_mpi_copy(Q, &ctx->Q)) != 0) ||
+ (D != NULL && (ret = mbedtls_mpi_copy(D, &ctx->D)) != 0) ||
+ (E != NULL && (ret = mbedtls_mpi_copy(E, &ctx->E)) != 0)) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Export CRT parameters
+ * This must also be implemented if CRT is not used, for being able to
+ * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
+ * can be used in this case.
+ */
+int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
+ mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int is_priv;
+
+ /* Check if key is private or public */
+ is_priv =
+ mbedtls_mpi_cmp_int(&ctx->N, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->P, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->Q, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->D, 0) != 0 &&
+ mbedtls_mpi_cmp_int(&ctx->E, 0) != 0;
+
+ if (!is_priv) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /* Export all requested blinding parameters. */
+ if ((DP != NULL && (ret = mbedtls_mpi_copy(DP, &ctx->DP)) != 0) ||
+ (DQ != NULL && (ret = mbedtls_mpi_copy(DQ, &ctx->DQ)) != 0) ||
+ (QP != NULL && (ret = mbedtls_mpi_copy(QP, &ctx->QP)) != 0)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+#else
+ if ((ret = mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
+ DP, DQ, QP)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret);
+ }
+#endif
+
+ return 0;
+}
+
+/*
+ * Initialize an RSA context
+ */
+void mbedtls_rsa_init(mbedtls_rsa_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_rsa_context));
+
+ ctx->padding = MBEDTLS_RSA_PKCS_V15;
+ ctx->hash_id = MBEDTLS_MD_NONE;
+
+#if defined(MBEDTLS_THREADING_C)
+ /* Set ctx->ver to nonzero to indicate that the mutex has been
+ * initialized and will need to be freed. */
+ ctx->ver = 1;
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+}
+
+/*
+ * Set padding for an existing RSA context
+ */
+int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
+ mbedtls_md_type_t hash_id)
+{
+ switch (padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ break;
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ break;
+#endif
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+
+#if defined(MBEDTLS_PKCS1_V21)
+ if ((padding == MBEDTLS_RSA_PKCS_V21) &&
+ (hash_id != MBEDTLS_MD_NONE)) {
+ /* Just make sure this hash is supported in this build. */
+ if (mbedtls_md_info_from_type(hash_id) == NULL) {
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+ }
+#endif /* MBEDTLS_PKCS1_V21 */
+
+ ctx->padding = padding;
+ ctx->hash_id = hash_id;
+
+ return 0;
+}
+
+/*
+ * Get padding mode of initialized RSA context
+ */
+int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx)
+{
+ return ctx->padding;
+}
+
+/*
+ * Get hash identifier of mbedtls_md_type_t type
+ */
+int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx)
+{
+ return ctx->hash_id;
+}
+
+/*
+ * Get length in bits of RSA modulus
+ */
+size_t mbedtls_rsa_get_bitlen(const mbedtls_rsa_context *ctx)
+{
+ return mbedtls_mpi_bitlen(&ctx->N);
+}
+
+/*
+ * Get length in bytes of RSA modulus
+ */
+size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx)
+{
+ return ctx->len;
+}
+
+#if defined(MBEDTLS_GENPRIME)
+
+/*
+ * Generate an RSA keypair
+ *
+ * This generation method follows the RSA key pair generation procedure of
+ * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
+ */
+int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ unsigned int nbits, int exponent)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi H, G, L;
+ int prime_quality = 0;
+
+ /*
+ * If the modulus is 1024 bit long or shorter, then the security strength of
+ * the RSA algorithm is less than or equal to 80 bits and therefore an error
+ * rate of 2^-80 is sufficient.
+ */
+ if (nbits > 1024) {
+ prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
+ }
+
+ mbedtls_mpi_init(&H);
+ mbedtls_mpi_init(&G);
+ mbedtls_mpi_init(&L);
+
+ if (exponent < 3 || nbits % 2 != 0) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ if (nbits < MBEDTLS_RSA_GEN_KEY_MIN_BITS) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /*
+ * find primes P and Q with Q < P so that:
+ * 1. |P-Q| > 2^( nbits / 2 - 100 )
+ * 2. GCD( E, (P-1)*(Q-1) ) == 1
+ * 3. E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&ctx->E, exponent));
+
+ do {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->P, nbits >> 1,
+ prime_quality, f_rng, p_rng));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gen_prime(&ctx->Q, nbits >> 1,
+ prime_quality, f_rng, p_rng));
+
+ /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&H, &ctx->P, &ctx->Q));
+ if (mbedtls_mpi_bitlen(&H) <= ((nbits >= 200) ? ((nbits >> 1) - 99) : 0)) {
+ continue;
+ }
+
+ /* not required by any standards, but some users rely on the fact that P > Q */
+ if (H.s < 0) {
+ mbedtls_mpi_swap(&ctx->P, &ctx->Q);
+ }
+
+ /* Temporarily replace P,Q by P-1, Q-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->P, &ctx->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&ctx->Q, &ctx->Q, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&H, &ctx->P, &ctx->Q));
+
+ /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->E, &H));
+ if (mbedtls_mpi_cmp_int(&G, 1) != 0) {
+ continue;
+ }
+
+ /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(&G, &ctx->P, &ctx->Q));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&L, NULL, &H, &G));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(&ctx->D, &ctx->E, &L));
+
+ if (mbedtls_mpi_bitlen(&ctx->D) <= ((nbits + 1) / 2)) { // (FIPS 186-4 §B.3.1 criterion 3(a))
+ continue;
+ }
+
+ break;
+ } while (1);
+
+ /* Restore P,Q */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->P, &ctx->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&ctx->Q, &ctx->Q, 1));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->N, &ctx->P, &ctx->Q));
+
+ ctx->len = mbedtls_mpi_size(&ctx->N);
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /*
+ * DP = D mod (P - 1)
+ * DQ = D mod (Q - 1)
+ * QP = Q^-1 mod P
+ */
+ MBEDTLS_MPI_CHK(mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
+ &ctx->DP, &ctx->DQ, &ctx->QP));
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /* Double-check */
+ MBEDTLS_MPI_CHK(mbedtls_rsa_check_privkey(ctx));
+
+cleanup:
+
+ mbedtls_mpi_free(&H);
+ mbedtls_mpi_free(&G);
+ mbedtls_mpi_free(&L);
+
+ if (ret != 0) {
+ mbedtls_rsa_free(ctx);
+
+ if ((-ret & ~0x7f) == 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret);
+ }
+ return ret;
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+/*
+ * Check a public RSA key
+ */
+int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx)
+{
+ if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ if (mbedtls_mpi_bitlen(&ctx->N) < 128) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ if (mbedtls_mpi_get_bit(&ctx->E, 0) == 0 ||
+ mbedtls_mpi_bitlen(&ctx->E) < 2 ||
+ mbedtls_mpi_cmp_mpi(&ctx->E, &ctx->N) >= 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ return 0;
+}
+
+/*
+ * Check for the consistency of all fields in an RSA private key context
+ */
+int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx)
+{
+ if (mbedtls_rsa_check_pubkey(ctx) != 0 ||
+ rsa_check_context(ctx, 1 /* private */, 1 /* blinding */) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ if (mbedtls_rsa_validate_params(&ctx->N, &ctx->P, &ctx->Q,
+ &ctx->D, &ctx->E, NULL, NULL) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ else if (mbedtls_rsa_validate_crt(&ctx->P, &ctx->Q, &ctx->D,
+ &ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+#endif
+
+ return 0;
+}
+
+/*
+ * Check if contexts holding a public and private key match
+ */
+int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub,
+ const mbedtls_rsa_context *prv)
+{
+ if (mbedtls_rsa_check_pubkey(pub) != 0 ||
+ mbedtls_rsa_check_privkey(prv) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ if (mbedtls_mpi_cmp_mpi(&pub->N, &prv->N) != 0 ||
+ mbedtls_mpi_cmp_mpi(&pub->E, &prv->E) != 0) {
+ return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ return 0;
+}
+
+/*
+ * Do an RSA public key operation
+ */
+int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen;
+ mbedtls_mpi T;
+
+ if (rsa_check_context(ctx, 0 /* public */, 0 /* no blinding */)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&T);
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
+
+ if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ olen = ctx->len;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ mbedtls_mpi_free(&T);
+
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Generate or update blinding values, see section 10 of:
+ * KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ * Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int rsa_prepare_blinding(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
+{
+ int ret, count = 0;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init(&R);
+
+ if (ctx->Vf.p != NULL) {
+ /* We already have blinding values, just update them by squaring */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &ctx->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vf, &ctx->Vf, &ctx->Vf));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vf, &ctx->Vf, &ctx->N));
+
+ goto cleanup;
+ }
+
+ /* Unblinding value: Vf = random number, invertible mod N */
+ do {
+ if (count++ > 10) {
+ ret = MBEDTLS_ERR_RSA_RNG_FAILED;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
+
+ /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
+
+ /* At this point, Vi is invertible mod N if and only if both Vf and R
+ * are invertible mod N. If one of them isn't, we don't need to know
+ * which one, we just loop and choose new values for both of them.
+ * (Each iteration succeeds with overwhelming probability.) */
+ ret = mbedtls_mpi_inv_mod(&ctx->Vi, &ctx->Vi, &ctx->N);
+ if (ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) {
+ goto cleanup;
+ }
+
+ } while (ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE);
+
+ /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vi, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
+
+ /* Blinding value: Vi = Vf^(-e) mod N
+ * (Vi already contains Vf^-1 at this point) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN));
+
+
+cleanup:
+ mbedtls_mpi_free(&R);
+
+ return ret;
+}
+
+/*
+ * Unblind
+ * T = T * Vf mod N
+ */
+static int rsa_unblind(mbedtls_mpi *T, mbedtls_mpi *Vf, const mbedtls_mpi *N)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
+ const size_t nlimbs = N->n;
+ const size_t tlimbs = mbedtls_mpi_core_montmul_working_limbs(nlimbs);
+ mbedtls_mpi RR, M_T;
+
+ mbedtls_mpi_init(&RR);
+ mbedtls_mpi_init(&M_T);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_core_get_mont_r2_unsafe(&RR, N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&M_T, tlimbs));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(T, nlimbs));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(Vf, nlimbs));
+
+ /* T = T * Vf mod N
+ * Reminder: montmul(A, B, N) = A * B * R^-1 mod N
+ * Usually both operands are multiplied by R mod N beforehand (by calling
+ * `to_mont_rep()` on them), yielding a result that's also * R mod N (aka
+ * "in the Montgomery domain"). Here we only multiply one operand by R mod
+ * N, so the result is directly what we want - no need to call
+ * `from_mont_rep()` on it. */
+ mbedtls_mpi_core_to_mont_rep(T->p, T->p, N->p, nlimbs, mm, RR.p, M_T.p);
+ mbedtls_mpi_core_montmul(T->p, T->p, Vf->p, nlimbs, N->p, nlimbs, mm, M_T.p);
+
+cleanup:
+
+ mbedtls_mpi_free(&RR);
+ mbedtls_mpi_free(&M_T);
+
+ return ret;
+}
+
+/*
+ * Exponent blinding supposed to prevent side-channel attacks using multiple
+ * traces of measurements to recover the RSA key. The more collisions are there,
+ * the more bits of the key can be recovered. See [3].
+ *
+ * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
+ * observations on average.
+ *
+ * For example with 28 byte blinding to achieve 2 collisions the adversary has
+ * to make 2^112 observations on average.
+ *
+ * (With the currently (as of 2017 April) known best algorithms breaking 2048
+ * bit RSA requires approximately as much time as trying out 2^112 random keys.
+ * Thus in this sense with 28 byte blinding the security is not reduced by
+ * side-channel attacks like the one in [3])
+ *
+ * This countermeasure does not help if the key recovery is possible with a
+ * single trace.
+ */
+#define RSA_EXPONENT_BLINDING 28
+
+/*
+ * Do an RSA private key operation
+ */
+int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen;
+
+ /* Temporary holding the result */
+ mbedtls_mpi T;
+
+ /* Temporaries holding P-1, Q-1 and the
+ * exponent blinding factor, respectively. */
+ mbedtls_mpi P1, Q1, R;
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ /* Temporaries holding the results mod p resp. mod q. */
+ mbedtls_mpi TP, TQ;
+
+ /* Temporaries holding the blinded exponents for
+ * the mod p resp. mod q computation (if used). */
+ mbedtls_mpi DP_blind, DQ_blind;
+#else
+ /* Temporary holding the blinded exponent (if used). */
+ mbedtls_mpi D_blind;
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /* Temporaries holding the initial input and the double
+ * checked result; should be the same in the end. */
+ mbedtls_mpi input_blinded, check_result_blinded;
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (rsa_check_context(ctx, 1 /* private key checks */,
+ 1 /* blinding on */) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ /* MPI Initialization */
+ mbedtls_mpi_init(&T);
+
+ mbedtls_mpi_init(&P1);
+ mbedtls_mpi_init(&Q1);
+ mbedtls_mpi_init(&R);
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_init(&D_blind);
+#else
+ mbedtls_mpi_init(&DP_blind);
+ mbedtls_mpi_init(&DQ_blind);
+#endif
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_init(&TP); mbedtls_mpi_init(&TQ);
+#endif
+
+ mbedtls_mpi_init(&input_blinded);
+ mbedtls_mpi_init(&check_result_blinded);
+
+ /* End of MPI initialization */
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&T, input, ctx->len));
+ if (mbedtls_mpi_cmp_mpi(&T, &ctx->N) >= 0) {
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /*
+ * Blinding
+ * T = T * Vi mod N
+ */
+ MBEDTLS_MPI_CHK(rsa_prepare_blinding(ctx, f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&input_blinded, &T));
+
+ /*
+ * Exponent blinding
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&P1, &ctx->P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&Q1, &ctx->Q, 1));
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ /*
+ * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &P1, &Q1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&D_blind, &D_blind, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&D_blind, &D_blind, &ctx->D));
+#else
+ /*
+ * DP_blind = ( P - 1 ) * R + DP
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DP_blind, &P1, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DP_blind, &DP_blind,
+ &ctx->DP));
+
+ /*
+ * DQ_blind = ( Q - 1 ) * R + DQ
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&DQ_blind, &Q1, &R));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&DQ_blind, &DQ_blind,
+ &ctx->DQ));
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &D_blind, &ctx->N, &ctx->RN));
+#else
+ /*
+ * Faster decryption using the CRT
+ *
+ * TP = input ^ dP mod P
+ * TQ = input ^ dQ mod Q
+ */
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TP, &T, &DP_blind, &ctx->P, &ctx->RP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&TQ, &T, &DQ_blind, &ctx->Q, &ctx->RQ));
+
+ /*
+ * T = (TP - TQ) * (Q^-1 mod P) mod P
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&T, &TP, &TQ));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->QP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &TP, &ctx->P));
+
+ /*
+ * T = TQ + T * Q
+ */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&TP, &T, &ctx->Q));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+ /* Verify the result to prevent glitching attacks. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&check_result_blinded, &T, &ctx->E,
+ &ctx->N, &ctx->RN));
+ if (mbedtls_mpi_cmp_mpi(&check_result_blinded, &input_blinded) != 0) {
+ ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+ /*
+ * Unblind
+ * T = T * Vf mod N
+ */
+ MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
+
+ olen = ctx->len;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ mbedtls_mpi_free(&P1);
+ mbedtls_mpi_free(&Q1);
+ mbedtls_mpi_free(&R);
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_free(&D_blind);
+#else
+ mbedtls_mpi_free(&DP_blind);
+ mbedtls_mpi_free(&DQ_blind);
+#endif
+
+ mbedtls_mpi_free(&T);
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_free(&TP); mbedtls_mpi_free(&TQ);
+#endif
+
+ mbedtls_mpi_free(&check_result_blinded);
+ mbedtls_mpi_free(&input_blinded);
+
+ if (ret != 0 && ret >= -0x007f) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret);
+ }
+
+ return ret;
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/**
+ * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
+ *
+ * \param dst buffer to mask
+ * \param dlen length of destination buffer
+ * \param src source of the mask generation
+ * \param slen length of the source buffer
+ * \param md_alg message digest to use
+ */
+static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
+ size_t slen, mbedtls_md_type_t md_alg)
+{
+ unsigned char counter[4];
+ unsigned char *p;
+ unsigned int hlen;
+ size_t i, use_len;
+ unsigned char mask[MBEDTLS_MD_MAX_SIZE];
+ int ret = 0;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_context_t md_ctx;
+
+ mbedtls_md_init(&md_ctx);
+ md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ mbedtls_md_init(&md_ctx);
+ if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
+ goto exit;
+ }
+
+ hlen = mbedtls_md_get_size(md_info);
+
+ memset(mask, 0, sizeof(mask));
+ memset(counter, 0, 4);
+
+ /* Generate and apply dbMask */
+ p = dst;
+
+ while (dlen > 0) {
+ use_len = hlen;
+ if (dlen < hlen) {
+ use_len = dlen;
+ }
+
+ if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, src, slen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, counter, 4)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_finish(&md_ctx, mask)) != 0) {
+ goto exit;
+ }
+
+ for (i = 0; i < use_len; ++i) {
+ *p++ ^= mask[i];
+ }
+
+ counter[3]++;
+
+ dlen -= use_len;
+ }
+
+exit:
+ mbedtls_platform_zeroize(mask, sizeof(mask));
+ mbedtls_md_free(&md_ctx);
+
+ return ret;
+}
+
+/**
+ * Generate Hash(M') as in RFC 8017 page 43 points 5 and 6.
+ *
+ * \param hash the input hash
+ * \param hlen length of the input hash
+ * \param salt the input salt
+ * \param slen length of the input salt
+ * \param out the output buffer - must be large enough for \p md_alg
+ * \param md_alg message digest to use
+ */
+static int hash_mprime(const unsigned char *hash, size_t hlen,
+ const unsigned char *salt, size_t slen,
+ unsigned char *out, mbedtls_md_type_t md_alg)
+{
+ const unsigned char zeros[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
+ mbedtls_md_context_t md_ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ mbedtls_md_init(&md_ctx);
+ if ((ret = mbedtls_md_setup(&md_ctx, md_info, 0)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_starts(&md_ctx)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, zeros, sizeof(zeros))) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, hash, hlen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&md_ctx, salt, slen)) != 0) {
+ goto exit;
+ }
+ if ((ret = mbedtls_md_finish(&md_ctx, out)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_md_free(&md_ctx);
+
+ return ret;
+}
+
+/**
+ * Compute a hash.
+ *
+ * \param md_alg algorithm to use
+ * \param input input message to hash
+ * \param ilen input length
+ * \param output the output buffer - must be large enough for \p md_alg
+ */
+static int compute_hash(mbedtls_md_type_t md_alg,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output)
+{
+ const mbedtls_md_info_t *md_info;
+
+ md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_md(md_info, input, ilen, output);
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ const unsigned char *label, size_t label_len,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ size_t olen;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = output;
+ unsigned int hlen;
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
+ if (hlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ olen = ctx->len;
+
+ /* first comparison checks for overflow */
+ if (ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ memset(output, 0, olen);
+
+ *p++ = 0;
+
+ /* Generate a random octet string seed */
+ if ((ret = f_rng(p_rng, p, hlen)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
+ }
+
+ p += hlen;
+
+ /* Construct DB */
+ ret = compute_hash((mbedtls_md_type_t) ctx->hash_id, label, label_len, p);
+ if (ret != 0) {
+ return ret;
+ }
+ p += hlen;
+ p += olen - 2 * hlen - 2 - ilen;
+ *p++ = 1;
+ if (ilen != 0) {
+ memcpy(p, input, ilen);
+ }
+
+ /* maskedDB: Apply dbMask to DB */
+ if ((ret = mgf_mask(output + hlen + 1, olen - hlen - 1, output + 1, hlen,
+ (mbedtls_md_type_t) ctx->hash_id)) != 0) {
+ return ret;
+ }
+
+ /* maskedSeed: Apply seedMask to seed */
+ if ((ret = mgf_mask(output + 1, hlen, output + hlen + 1, olen - hlen - 1,
+ (mbedtls_md_type_t) ctx->hash_id)) != 0) {
+ return ret;
+ }
+
+ return mbedtls_rsa_public(ctx, output, output);
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, size_t ilen,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ size_t nb_pad, olen;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = output;
+
+ olen = ctx->len;
+
+ /* first comparison checks for overflow */
+ if (ilen + 11 < ilen || olen < ilen + 11) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ nb_pad = olen - 3 - ilen;
+
+ *p++ = 0;
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ *p++ = MBEDTLS_RSA_CRYPT;
+
+ while (nb_pad-- > 0) {
+ int rng_dl = 100;
+
+ do {
+ ret = f_rng(p_rng, p, 1);
+ } while (*p == 0 && --rng_dl && ret == 0);
+
+ /* Check if RNG failed to generate data */
+ if (rng_dl == 0 || ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
+ }
+
+ p++;
+ }
+
+ *p++ = 0;
+ if (ilen != 0) {
+ memcpy(p, input, ilen);
+ }
+
+ return mbedtls_rsa_public(ctx, output, output);
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Add the message padding, then do an RSA operation
+ */
+int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t ilen,
+ const unsigned char *input,
+ unsigned char *output)
+{
+ switch (ctx->padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ return mbedtls_rsa_rsaes_pkcs1_v15_encrypt(ctx, f_rng, p_rng,
+ ilen, input, output);
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ return mbedtls_rsa_rsaes_oaep_encrypt(ctx, f_rng, p_rng, NULL, 0,
+ ilen, input, output);
+#endif
+
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ const unsigned char *label, size_t label_len,
+ size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t ilen, i, pad_len;
+ unsigned char *p;
+ mbedtls_ct_condition_t bad, in_padding;
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+ unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
+ unsigned int hlen;
+
+ /*
+ * Parameters sanity checks
+ */
+ if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ ilen = ctx->len;
+
+ if (ilen < 16 || ilen > sizeof(buf)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
+ if (hlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ // checking for integer underflow
+ if (2 * hlen + 2 > ilen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * RSA operation
+ */
+ ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
+
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Unmask data and generate lHash
+ */
+ /* seed: Apply seedMask to maskedSeed */
+ if ((ret = mgf_mask(buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
+ (mbedtls_md_type_t) ctx->hash_id)) != 0 ||
+ /* DB: Apply dbMask to maskedDB */
+ (ret = mgf_mask(buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
+ (mbedtls_md_type_t) ctx->hash_id)) != 0) {
+ goto cleanup;
+ }
+
+ /* Generate lHash */
+ ret = compute_hash((mbedtls_md_type_t) ctx->hash_id,
+ label, label_len, lhash);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Check contents, in "constant-time"
+ */
+ p = buf;
+
+ bad = mbedtls_ct_bool(*p++); /* First byte must be 0 */
+
+ p += hlen; /* Skip seed */
+
+ /* Check lHash */
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool(mbedtls_ct_memcmp(lhash, p, hlen)));
+ p += hlen;
+
+ /* Get zero-padding len, but always read till end of buffer
+ * (minus one, for the 01 byte) */
+ pad_len = 0;
+ in_padding = MBEDTLS_CT_TRUE;
+ for (i = 0; i < ilen - 2 * hlen - 2; i++) {
+ in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_uint_eq(p[i], 0));
+ pad_len += mbedtls_ct_uint_if_else_0(in_padding, 1);
+ }
+
+ p += pad_len;
+ bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(*p++, 0x01));
+
+ /*
+ * The only information "leaked" is whether the padding was correct or not
+ * (eg, no data is copied if it was not correct). This meets the
+ * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
+ * the different error conditions.
+ */
+ if (bad != MBEDTLS_CT_FALSE) {
+ ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+ goto cleanup;
+ }
+
+ if (ilen - ((size_t) (p - buf)) > output_max_len) {
+ ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+ goto cleanup;
+ }
+
+ *olen = ilen - ((size_t) (p - buf));
+ if (*olen != 0) {
+ memcpy(output, p, *olen);
+ }
+ ret = 0;
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ mbedtls_platform_zeroize(lhash, sizeof(lhash));
+
+ return ret;
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t ilen;
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+
+ ilen = ctx->len;
+
+ if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (ilen < 16 || ilen > sizeof(buf)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ ret = mbedtls_rsa_private(ctx, f_rng, p_rng, input, buf);
+
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding(buf, ilen,
+ output, output_max_len, olen);
+
+cleanup:
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ return ret;
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation, then remove the message padding
+ */
+int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ size_t *olen,
+ const unsigned char *input,
+ unsigned char *output,
+ size_t output_max_len)
+{
+ switch (ctx->padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ return mbedtls_rsa_rsaes_pkcs1_v15_decrypt(ctx, f_rng, p_rng, olen,
+ input, output, output_max_len);
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ return mbedtls_rsa_rsaes_oaep_decrypt(ctx, f_rng, p_rng, NULL, 0,
+ olen, input, output,
+ output_max_len);
+#endif
+
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+static int rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ int saltlen,
+ unsigned char *sig)
+{
+ size_t olen;
+ unsigned char *p = sig;
+ unsigned char *salt = NULL;
+ size_t slen, min_slen, hlen, offset = 0;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t msb;
+ mbedtls_md_type_t hash_id;
+
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (f_rng == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ olen = ctx->len;
+
+ if (md_alg != MBEDTLS_MD_NONE) {
+ /* Gather length of hash to sign */
+ size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
+ if (exp_hashlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (hashlen != exp_hashlen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ }
+
+ hash_id = (mbedtls_md_type_t) ctx->hash_id;
+ if (hash_id == MBEDTLS_MD_NONE) {
+ hash_id = md_alg;
+ }
+ hlen = mbedtls_md_get_size_from_type(hash_id);
+ if (hlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY) {
+ /* Calculate the largest possible salt length, up to the hash size.
+ * Normally this is the hash length, which is the maximum salt length
+ * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
+ * enough room, use the maximum salt length that fits. The constraint is
+ * that the hash length plus the salt length plus 2 bytes must be at most
+ * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
+ * (PKCS#1 v2.2) §9.1.1 step 3. */
+ min_slen = hlen - 2;
+ if (olen < hlen + min_slen + 2) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ } else if (olen >= hlen + hlen + 2) {
+ slen = hlen;
+ } else {
+ slen = olen - hlen - 2;
+ }
+ } else if ((saltlen < 0) || (saltlen + hlen + 2 > olen)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ } else {
+ slen = (size_t) saltlen;
+ }
+
+ memset(sig, 0, olen);
+
+ /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
+ msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
+ p += olen - hlen - slen - 2;
+ *p++ = 0x01;
+
+ /* Generate salt of length slen in place in the encoded message */
+ salt = p;
+ if ((ret = f_rng(p_rng, salt, slen)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_RSA_RNG_FAILED, ret);
+ }
+
+ p += slen;
+
+ /* Generate H = Hash( M' ) */
+ ret = hash_mprime(hash, hashlen, salt, slen, p, hash_id);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Compensate for boundary condition when applying mask */
+ if (msb % 8 == 0) {
+ offset = 1;
+ }
+
+ /* maskedDB: Apply dbMask to DB */
+ ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen, hash_id);
+ if (ret != 0) {
+ return ret;
+ }
+
+ msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
+ sig[0] &= 0xFF >> (olen * 8 - msb);
+
+ p += hlen;
+ *p++ = 0xBC;
+
+ return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
+}
+
+static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ int saltlen,
+ unsigned char *sig)
+{
+ if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ if ((ctx->hash_id == MBEDTLS_MD_NONE) && (md_alg == MBEDTLS_MD_NONE)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg, hashlen, hash, saltlen,
+ sig);
+}
+
+int mbedtls_rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig)
+{
+ return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg,
+ hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
+}
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
+ * the option to pass in the salt length.
+ */
+int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ int saltlen,
+ unsigned char *sig)
+{
+ return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
+ hashlen, hash, saltlen, sig);
+}
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
+ */
+int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig)
+{
+ return rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
+ hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
+ */
+
+/* Construct a PKCS v1.5 encoding of a hashed message
+ *
+ * This is used both for signature generation and verification.
+ *
+ * Parameters:
+ * - md_alg: Identifies the hash algorithm used to generate the given hash;
+ * MBEDTLS_MD_NONE if raw data is signed.
+ * - hashlen: Length of hash. Must match md_alg if that's not NONE.
+ * - hash: Buffer containing the hashed message or the raw data.
+ * - dst_len: Length of the encoded message.
+ * - dst: Buffer to hold the encoded message.
+ *
+ * Assumptions:
+ * - hash has size hashlen.
+ * - dst points to a buffer of size at least dst_len.
+ *
+ */
+static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ size_t dst_len,
+ unsigned char *dst)
+{
+ size_t oid_size = 0;
+ size_t nb_pad = dst_len;
+ unsigned char *p = dst;
+ const char *oid = NULL;
+
+ /* Are we signing hashed or raw data? */
+ if (md_alg != MBEDTLS_MD_NONE) {
+ unsigned char md_size = mbedtls_md_get_size_from_type(md_alg);
+ if (md_size == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size) != 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (hashlen != md_size) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /* Double-check that 8 + hashlen + oid_size can be used as a
+ * 1-byte ASN.1 length encoding and that there's no overflow. */
+ if (8 + hashlen + oid_size >= 0x80 ||
+ 10 + hashlen < hashlen ||
+ 10 + hashlen + oid_size < 10 + hashlen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Static bounds check:
+ * - Need 10 bytes for five tag-length pairs.
+ * (Insist on 1-byte length encodings to protect against variants of
+ * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
+ * - Need hashlen bytes for hash
+ * - Need oid_size bytes for hash alg OID.
+ */
+ if (nb_pad < 10 + hashlen + oid_size) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ nb_pad -= 10 + hashlen + oid_size;
+ } else {
+ if (nb_pad < hashlen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ nb_pad -= hashlen;
+ }
+
+ /* Need space for signature header and padding delimiter (3 bytes),
+ * and 8 bytes for the minimal padding */
+ if (nb_pad < 3 + 8) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ nb_pad -= 3;
+
+ /* Now nb_pad is the amount of memory to be filled
+ * with padding, and at least 8 bytes long. */
+
+ /* Write signature header and padding */
+ *p++ = 0;
+ *p++ = MBEDTLS_RSA_SIGN;
+ memset(p, 0xFF, nb_pad);
+ p += nb_pad;
+ *p++ = 0;
+
+ /* Are we signing raw data? */
+ if (md_alg == MBEDTLS_MD_NONE) {
+ memcpy(p, hash, hashlen);
+ return 0;
+ }
+
+ /* Signing hashed data, add corresponding ASN.1 structure
+ *
+ * DigestInfo ::= SEQUENCE {
+ * digestAlgorithm DigestAlgorithmIdentifier,
+ * digest Digest }
+ * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+ * Digest ::= OCTET STRING
+ *
+ * Schematic:
+ * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID + LEN [ OID ]
+ * TAG-NULL + LEN [ NULL ] ]
+ * TAG-OCTET + LEN [ HASH ] ]
+ */
+ *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+ *p++ = (unsigned char) (0x08 + oid_size + hashlen);
+ *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+ *p++ = (unsigned char) (0x04 + oid_size);
+ *p++ = MBEDTLS_ASN1_OID;
+ *p++ = (unsigned char) oid_size;
+ memcpy(p, oid, oid_size);
+ p += oid_size;
+ *p++ = MBEDTLS_ASN1_NULL;
+ *p++ = 0x00;
+ *p++ = MBEDTLS_ASN1_OCTET_STRING;
+ *p++ = (unsigned char) hashlen;
+ memcpy(p, hash, hashlen);
+ p += hashlen;
+
+ /* Just a sanity-check, should be automatic
+ * after the initial bounds check. */
+ if (p != dst + dst_len) {
+ mbedtls_platform_zeroize(dst, dst_len);
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *sig_try = NULL, *verif = NULL;
+
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (ctx->padding != MBEDTLS_RSA_PKCS_V15) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
+ */
+
+ if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash,
+ ctx->len, sig)) != 0) {
+ return ret;
+ }
+
+ /* Private key operation
+ *
+ * In order to prevent Lenstra's attack, make the signature in a
+ * temporary buffer and check it before returning it.
+ */
+
+ sig_try = mbedtls_calloc(1, ctx->len);
+ if (sig_try == NULL) {
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ verif = mbedtls_calloc(1, ctx->len);
+ if (verif == NULL) {
+ mbedtls_free(sig_try);
+ return MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig_try));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_public(ctx, sig_try, verif));
+
+ if (mbedtls_ct_memcmp(verif, sig, ctx->len) != 0) {
+ ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
+ goto cleanup;
+ }
+
+ memcpy(sig, sig_try, ctx->len);
+
+cleanup:
+ mbedtls_zeroize_and_free(sig_try, ctx->len);
+ mbedtls_zeroize_and_free(verif, ctx->len);
+
+ if (ret != 0) {
+ memset(sig, '!', ctx->len);
+ }
+ return ret;
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ switch (ctx->padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ return mbedtls_rsa_rsassa_pkcs1_v15_sign(ctx, f_rng, p_rng,
+ md_alg, hashlen, hash, sig);
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ return mbedtls_rsa_rsassa_pss_sign(ctx, f_rng, p_rng, md_alg,
+ hashlen, hash, sig);
+#endif
+
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ mbedtls_md_type_t mgf1_hash_id,
+ int expected_salt_len,
+ const unsigned char *sig)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t siglen;
+ unsigned char *p;
+ unsigned char *hash_start;
+ unsigned char result[MBEDTLS_MD_MAX_SIZE];
+ unsigned int hlen;
+ size_t observed_salt_len, msb;
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
+
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ siglen = ctx->len;
+
+ if (siglen < 16 || siglen > sizeof(buf)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ ret = mbedtls_rsa_public(ctx, sig, buf);
+
+ if (ret != 0) {
+ return ret;
+ }
+
+ p = buf;
+
+ if (buf[siglen - 1] != 0xBC) {
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+
+ if (md_alg != MBEDTLS_MD_NONE) {
+ /* Gather length of hash to sign */
+ size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
+ if (exp_hashlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ if (hashlen != exp_hashlen) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ }
+
+ hlen = mbedtls_md_get_size_from_type(mgf1_hash_id);
+ if (hlen == 0) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Note: EMSA-PSS verification is over the length of N - 1 bits
+ */
+ msb = mbedtls_mpi_bitlen(&ctx->N) - 1;
+
+ if (buf[0] >> (8 - siglen * 8 + msb)) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ /* Compensate for boundary condition when applying mask */
+ if (msb % 8 == 0) {
+ p++;
+ siglen -= 1;
+ }
+
+ if (siglen < hlen + 2) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+ hash_start = p + siglen - hlen - 1;
+
+ ret = mgf_mask(p, siglen - hlen - 1, hash_start, hlen, mgf1_hash_id);
+ if (ret != 0) {
+ return ret;
+ }
+
+ buf[0] &= 0xFF >> (siglen * 8 - msb);
+
+ while (p < hash_start - 1 && *p == 0) {
+ p++;
+ }
+
+ if (*p++ != 0x01) {
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+
+ observed_salt_len = (size_t) (hash_start - p);
+
+ if (expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
+ observed_salt_len != (size_t) expected_salt_len) {
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+
+ /*
+ * Generate H = Hash( M' )
+ */
+ ret = hash_mprime(hash, hashlen, p, observed_salt_len,
+ result, mgf1_hash_id);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (memcmp(hash_start, result, hlen) != 0) {
+ return MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ }
+
+ return 0;
+}
+
+/*
+ * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ const unsigned char *sig)
+{
+ mbedtls_md_type_t mgf1_hash_id;
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ mgf1_hash_id = (ctx->hash_id != MBEDTLS_MD_NONE)
+ ? (mbedtls_md_type_t) ctx->hash_id
+ : md_alg;
+
+ return mbedtls_rsa_rsassa_pss_verify_ext(ctx,
+ md_alg, hashlen, hash,
+ mgf1_hash_id,
+ MBEDTLS_RSA_SALT_LEN_ANY,
+ sig);
+
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ const unsigned char *sig)
+{
+ int ret = 0;
+ size_t sig_len;
+ unsigned char *encoded = NULL, *encoded_expected = NULL;
+
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ sig_len = ctx->len;
+
+ /*
+ * Prepare expected PKCS1 v1.5 encoding of hash.
+ */
+
+ if ((encoded = mbedtls_calloc(1, sig_len)) == NULL ||
+ (encoded_expected = mbedtls_calloc(1, sig_len)) == NULL) {
+ ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ if ((ret = rsa_rsassa_pkcs1_v15_encode(md_alg, hashlen, hash, sig_len,
+ encoded_expected)) != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Apply RSA primitive to get what should be PKCS1 encoded hash.
+ */
+
+ ret = mbedtls_rsa_public(ctx, sig, encoded);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Compare
+ */
+
+ if ((ret = mbedtls_ct_memcmp(encoded, encoded_expected,
+ sig_len)) != 0) {
+ ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+ goto cleanup;
+ }
+
+cleanup:
+
+ if (encoded != NULL) {
+ mbedtls_zeroize_and_free(encoded, sig_len);
+ }
+
+ if (encoded_expected != NULL) {
+ mbedtls_zeroize_and_free(encoded_expected, sig_len);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation and check the message digest
+ */
+int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ const unsigned char *sig)
+{
+ if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ }
+
+ switch (ctx->padding) {
+#if defined(MBEDTLS_PKCS1_V15)
+ case MBEDTLS_RSA_PKCS_V15:
+ return mbedtls_rsa_rsassa_pkcs1_v15_verify(ctx, md_alg,
+ hashlen, hash, sig);
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+ case MBEDTLS_RSA_PKCS_V21:
+ return mbedtls_rsa_rsassa_pss_verify(ctx, md_alg,
+ hashlen, hash, sig);
+#endif
+
+ default:
+ return MBEDTLS_ERR_RSA_INVALID_PADDING;
+ }
+}
+
+/*
+ * Copy the components of an RSA key
+ */
+int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ dst->len = src->len;
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->N, &src->N));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->E, &src->E));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->D, &src->D));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->P, &src->P));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Q, &src->Q));
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DP, &src->DP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->DQ, &src->DQ));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->QP, &src->QP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RP, &src->RP));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RQ, &src->RQ));
+#endif
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->RN, &src->RN));
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vi, &src->Vi));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&dst->Vf, &src->Vf));
+
+ dst->padding = src->padding;
+ dst->hash_id = src->hash_id;
+
+cleanup:
+ if (ret != 0) {
+ mbedtls_rsa_free(dst);
+ }
+
+ return ret;
+}
+
+/*
+ * Free the components of an RSA key
+ */
+void mbedtls_rsa_free(mbedtls_rsa_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_mpi_free(&ctx->Vi);
+ mbedtls_mpi_free(&ctx->Vf);
+ mbedtls_mpi_free(&ctx->RN);
+ mbedtls_mpi_free(&ctx->D);
+ mbedtls_mpi_free(&ctx->Q);
+ mbedtls_mpi_free(&ctx->P);
+ mbedtls_mpi_free(&ctx->E);
+ mbedtls_mpi_free(&ctx->N);
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+ mbedtls_mpi_free(&ctx->RQ);
+ mbedtls_mpi_free(&ctx->RP);
+ mbedtls_mpi_free(&ctx->QP);
+ mbedtls_mpi_free(&ctx->DQ);
+ mbedtls_mpi_free(&ctx->DP);
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+#if defined(MBEDTLS_THREADING_C)
+ /* Free the mutex, but only if it hasn't been freed already. */
+ if (ctx->ver != 0) {
+ mbedtls_mutex_free(&ctx->mutex);
+ ctx->ver = 0;
+ }
+#endif
+}
+
+#endif /* !MBEDTLS_RSA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+
+/*
+ * Example RSA-1024 keypair, for test purposes
+ */
+#define KEY_LEN 128
+
+#define RSA_N "9292758453063D803DD603D5E777D788" \
+ "8ED1D5BF35786190FA2F23EBC0848AEA" \
+ "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
+ "7130B9CED7ACDF54CFC7555AC14EEBAB" \
+ "93A89813FBF3C4F8066D2D800F7C38A8" \
+ "1AE31942917403FF4946B0A83D3D3E05" \
+ "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
+ "5E94BB77B07507233A0BC7BAC8F90F79"
+
+#define RSA_E "10001"
+
+#define RSA_D "24BF6185468786FDD303083D25E64EFC" \
+ "66CA472BC44D253102F8B4A9D3BFA750" \
+ "91386C0077937FE33FA3252D28855837" \
+ "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
+ "DF79C5CE07EE72C7F123142198164234" \
+ "CABB724CF78B8173B9F880FC86322407" \
+ "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
+ "071513A1E85B5DFA031F21ECAE91A34D"
+
+#define RSA_P "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
+ "2C01CAD19EA484A87EA4377637E75500" \
+ "FCB2005C5C7DD6EC4AC023CDA285D796" \
+ "C3D9E75E1EFC42488BB4F1D13AC30A57"
+
+#define RSA_Q "C000DF51A7C77AE8D7C7370C1FF55B69" \
+ "E211C2B9E5DB1ED0BF61D0D9899620F4" \
+ "910E4168387E3C30AA1E00C339A79508" \
+ "8452DD96A9A5EA5D9DCA68DA636032AF"
+
+#define PT_LEN 24
+#define RSA_PT "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
+ "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
+
+#if defined(MBEDTLS_PKCS1_V15)
+static int myrand(void *rng_state, unsigned char *output, size_t len)
+{
+#if !defined(__OpenBSD__) && !defined(__NetBSD__)
+ size_t i;
+
+ if (rng_state != NULL) {
+ rng_state = NULL;
+ }
+
+ for (i = 0; i < len; ++i) {
+ output[i] = rand();
+ }
+#else
+ if (rng_state != NULL) {
+ rng_state = NULL;
+ }
+
+ arc4random_buf(output, len);
+#endif /* !OpenBSD && !NetBSD */
+
+ return 0;
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_rsa_self_test(int verbose)
+{
+ int ret = 0;
+#if defined(MBEDTLS_PKCS1_V15)
+ size_t len;
+ mbedtls_rsa_context rsa;
+ unsigned char rsa_plaintext[PT_LEN];
+ unsigned char rsa_decrypted[PT_LEN];
+ unsigned char rsa_ciphertext[KEY_LEN];
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ unsigned char sha1sum[20];
+#endif
+
+ mbedtls_mpi K;
+
+ mbedtls_mpi_init(&K);
+ mbedtls_rsa_init(&rsa);
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_N));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, &K, NULL, NULL, NULL, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_P));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, &K, NULL, NULL, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_Q));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, &K, NULL, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_D));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, &K, NULL));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_read_string(&K, 16, RSA_E));
+ MBEDTLS_MPI_CHK(mbedtls_rsa_import(&rsa, NULL, NULL, NULL, NULL, &K));
+
+ MBEDTLS_MPI_CHK(mbedtls_rsa_complete(&rsa));
+
+ if (verbose != 0) {
+ mbedtls_printf(" RSA key validation: ");
+ }
+
+ if (mbedtls_rsa_check_pubkey(&rsa) != 0 ||
+ mbedtls_rsa_check_privkey(&rsa) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n PKCS#1 encryption : ");
+ }
+
+ memcpy(rsa_plaintext, RSA_PT, PT_LEN);
+
+ if (mbedtls_rsa_pkcs1_encrypt(&rsa, myrand, NULL,
+ PT_LEN, rsa_plaintext,
+ rsa_ciphertext) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n PKCS#1 decryption : ");
+ }
+
+ if (mbedtls_rsa_pkcs1_decrypt(&rsa, myrand, NULL,
+ &len, rsa_ciphertext, rsa_decrypted,
+ sizeof(rsa_decrypted)) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (memcmp(rsa_decrypted, rsa_plaintext, len) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ if (verbose != 0) {
+ mbedtls_printf(" PKCS#1 data sign : ");
+ }
+
+ if (mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
+ rsa_plaintext, PT_LEN, sha1sum) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ return 1;
+ }
+
+ if (mbedtls_rsa_pkcs1_sign(&rsa, myrand, NULL,
+ MBEDTLS_MD_SHA1, 20,
+ sha1sum, rsa_ciphertext) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n PKCS#1 sig. verify: ");
+ }
+
+ if (mbedtls_rsa_pkcs1_verify(&rsa, MBEDTLS_MD_SHA1, 20,
+ sha1sum, rsa_ciphertext) != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+cleanup:
+ mbedtls_mpi_free(&K);
+ mbedtls_rsa_free(&rsa);
+#else /* MBEDTLS_PKCS1_V15 */
+ ((void) verbose);
+#endif /* MBEDTLS_PKCS1_V15 */
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RSA_C */
diff --git a/library/rsa_alt_helpers.c b/library/rsa_alt_helpers.c
new file mode 100644
index 0000000..5c265a9
--- /dev/null
+++ b/library/rsa_alt_helpers.c
@@ -0,0 +1,447 @@
+/*
+ * Helper functions for the RSA module
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/bignum.h"
+#include "rsa_alt_helpers.h"
+
+/*
+ * Compute RSA prime factors from public and private exponents
+ *
+ * Summary of algorithm:
+ * Setting F := lcm(P-1,Q-1), the idea is as follows:
+ *
+ * (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)
+ * is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the
+ * square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four
+ * possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)
+ * or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime
+ * factors of N.
+ *
+ * (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same
+ * construction still applies since (-)^K is the identity on the set of
+ * roots of 1 in Z/NZ.
+ *
+ * The public and private key primitives (-)^E and (-)^D are mutually inverse
+ * bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.
+ * if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.
+ * Splitting L = 2^t * K with K odd, we have
+ *
+ * DE - 1 = FL = (F/2) * (2^(t+1)) * K,
+ *
+ * so (F / 2) * K is among the numbers
+ *
+ * (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord
+ *
+ * where ord is the order of 2 in (DE - 1).
+ * We can therefore iterate through these numbers apply the construction
+ * of (a) and (b) above to attempt to factor N.
+ *
+ */
+int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N,
+ mbedtls_mpi const *E, mbedtls_mpi const *D,
+ mbedtls_mpi *P, mbedtls_mpi *Q)
+{
+ int ret = 0;
+
+ uint16_t attempt; /* Number of current attempt */
+ uint16_t iter; /* Number of squares computed in the current attempt */
+
+ uint16_t order; /* Order of 2 in DE - 1 */
+
+ mbedtls_mpi T; /* Holds largest odd divisor of DE - 1 */
+ mbedtls_mpi K; /* Temporary holding the current candidate */
+
+ const unsigned char primes[] = { 2,
+ 3, 5, 7, 11, 13, 17, 19, 23,
+ 29, 31, 37, 41, 43, 47, 53, 59,
+ 61, 67, 71, 73, 79, 83, 89, 97,
+ 101, 103, 107, 109, 113, 127, 131, 137,
+ 139, 149, 151, 157, 163, 167, 173, 179,
+ 181, 191, 193, 197, 199, 211, 223, 227,
+ 229, 233, 239, 241, 251 };
+
+ const size_t num_primes = sizeof(primes) / sizeof(*primes);
+
+ if (P == NULL || Q == NULL || P->p != NULL || Q->p != NULL) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_mpi_cmp_int(N, 0) <= 0 ||
+ mbedtls_mpi_cmp_int(D, 1) <= 0 ||
+ mbedtls_mpi_cmp_mpi(D, N) >= 0 ||
+ mbedtls_mpi_cmp_int(E, 1) <= 0 ||
+ mbedtls_mpi_cmp_mpi(E, N) >= 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Initializations and temporary changes
+ */
+
+ mbedtls_mpi_init(&K);
+ mbedtls_mpi_init(&T);
+
+ /* T := DE - 1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, D, E));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&T, &T, 1));
+
+ if ((order = (uint16_t) mbedtls_mpi_lsb(&T)) == 0) {
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /* After this operation, T holds the largest odd divisor of DE - 1. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&T, order));
+
+ /*
+ * Actual work
+ */
+
+ /* Skip trying 2 if N == 1 mod 8 */
+ attempt = 0;
+ if (N->p[0] % 8 == 1) {
+ attempt = 1;
+ }
+
+ for (; attempt < num_primes; ++attempt) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&K, primes[attempt]));
+
+ /* Check if gcd(K,N) = 1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));
+ if (mbedtls_mpi_cmp_int(P, 1) != 0) {
+ continue;
+ }
+
+ /* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...
+ * and check whether they have nontrivial GCD with N. */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &K, &T, N,
+ Q /* temporarily use Q for storing Montgomery
+ * multiplication helper values */));
+
+ for (iter = 1; iter <= order; ++iter) {
+ /* If we reach 1 prematurely, there's no point
+ * in continuing to square K */
+ if (mbedtls_mpi_cmp_int(&K, 1) == 0) {
+ break;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_add_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));
+
+ if (mbedtls_mpi_cmp_int(P, 1) == 1 &&
+ mbedtls_mpi_cmp_mpi(P, N) == -1) {
+ /*
+ * Have found a nontrivial divisor P of N.
+ * Set Q := N / P.
+ */
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(Q, NULL, N, P));
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &K));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, N));
+ }
+
+ /*
+ * If we get here, then either we prematurely aborted the loop because
+ * we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
+ * be 1 if D,E,N were consistent.
+ * Check if that's the case and abort if not, to avoid very long,
+ * yet eventually failing, computations if N,D,E were not sane.
+ */
+ if (mbedtls_mpi_cmp_int(&K, 1) != 0) {
+ break;
+ }
+ }
+
+ ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+cleanup:
+
+ mbedtls_mpi_free(&K);
+ mbedtls_mpi_free(&T);
+ return ret;
+}
+
+/*
+ * Given P, Q and the public exponent E, deduce D.
+ * This is essentially a modular inversion.
+ */
+int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P,
+ mbedtls_mpi const *Q,
+ mbedtls_mpi const *E,
+ mbedtls_mpi *D)
+{
+ int ret = 0;
+ mbedtls_mpi K, L;
+
+ if (D == NULL || mbedtls_mpi_cmp_int(D, 0) != 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_mpi_cmp_int(P, 1) <= 0 ||
+ mbedtls_mpi_cmp_int(Q, 1) <= 0 ||
+ mbedtls_mpi_cmp_int(E, 0) == 0) {
+ return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ }
+
+ mbedtls_mpi_init(&K);
+ mbedtls_mpi_init(&L);
+
+ /* Temporarily put K := P-1 and L := Q-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, Q, 1));
+
+ /* Temporarily put D := gcd(P-1, Q-1) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(D, &K, &L));
+
+ /* K := LCM(P-1, Q-1) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, &K, &L));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_div_mpi(&K, NULL, &K, D));
+
+ /* Compute modular inverse of E in LCM(P-1, Q-1) */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(D, E, &K));
+
+cleanup:
+
+ mbedtls_mpi_free(&K);
+ mbedtls_mpi_free(&L);
+
+ return ret;
+}
+
+int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, mbedtls_mpi *DP,
+ mbedtls_mpi *DQ, mbedtls_mpi *QP)
+{
+ int ret = 0;
+ mbedtls_mpi K;
+ mbedtls_mpi_init(&K);
+
+ /* DP = D mod P-1 */
+ if (DP != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(DP, D, &K));
+ }
+
+ /* DQ = D mod Q-1 */
+ if (DQ != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, Q, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(DQ, D, &K));
+ }
+
+ /* QP = Q^{-1} mod P */
+ if (QP != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_inv_mod(QP, Q, P));
+ }
+
+cleanup:
+ mbedtls_mpi_free(&K);
+
+ return ret;
+}
+
+/*
+ * Check that core RSA parameters are sane.
+ */
+int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P,
+ const mbedtls_mpi *Q, const mbedtls_mpi *D,
+ const mbedtls_mpi *E,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = 0;
+ mbedtls_mpi K, L;
+
+ mbedtls_mpi_init(&K);
+ mbedtls_mpi_init(&L);
+
+ /*
+ * Step 1: If PRNG provided, check that P and Q are prime
+ */
+
+#if defined(MBEDTLS_GENPRIME)
+ /*
+ * When generating keys, the strongest security we support aims for an error
+ * rate of at most 2^-100 and we are aiming for the same certainty here as
+ * well.
+ */
+ if (f_rng != NULL && P != NULL &&
+ (ret = mbedtls_mpi_is_prime_ext(P, 50, f_rng, p_rng)) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+
+ if (f_rng != NULL && Q != NULL &&
+ (ret = mbedtls_mpi_is_prime_ext(Q, 50, f_rng, p_rng)) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+#else
+ ((void) f_rng);
+ ((void) p_rng);
+#endif /* MBEDTLS_GENPRIME */
+
+ /*
+ * Step 2: Check that 1 < N = P * Q
+ */
+
+ if (P != NULL && Q != NULL && N != NULL) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, P, Q));
+ if (mbedtls_mpi_cmp_int(N, 1) <= 0 ||
+ mbedtls_mpi_cmp_mpi(&K, N) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Step 3: Check and 1 < D, E < N if present.
+ */
+
+ if (N != NULL && D != NULL && E != NULL) {
+ if (mbedtls_mpi_cmp_int(D, 1) <= 0 ||
+ mbedtls_mpi_cmp_int(E, 1) <= 0 ||
+ mbedtls_mpi_cmp_mpi(D, N) >= 0 ||
+ mbedtls_mpi_cmp_mpi(E, N) >= 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Step 4: Check that D, E are inverse modulo P-1 and Q-1
+ */
+
+ if (P != NULL && Q != NULL && D != NULL && E != NULL) {
+ if (mbedtls_mpi_cmp_int(P, 1) <= 0 ||
+ mbedtls_mpi_cmp_int(Q, 1) <= 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+
+ /* Compute DE-1 mod P-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, D, E));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, &L));
+ if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+
+ /* Compute DE-1 mod Q-1 */
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, D, E));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&L, Q, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, &L));
+ if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+cleanup:
+
+ mbedtls_mpi_free(&K);
+ mbedtls_mpi_free(&L);
+
+ /* Wrap MPI error codes by RSA check failure error code */
+ if (ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED) {
+ ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ return ret;
+}
+
+/*
+ * Check that RSA CRT parameters are in accordance with core parameters.
+ */
+int mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, const mbedtls_mpi *DP,
+ const mbedtls_mpi *DQ, const mbedtls_mpi *QP)
+{
+ int ret = 0;
+
+ mbedtls_mpi K, L;
+ mbedtls_mpi_init(&K);
+ mbedtls_mpi_init(&L);
+
+ /* Check that DP - D == 0 mod P - 1 */
+ if (DP != NULL) {
+ if (P == NULL) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, P, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&L, DP, D));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&L, &L, &K));
+
+ if (mbedtls_mpi_cmp_int(&L, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+ /* Check that DQ - D == 0 mod Q - 1 */
+ if (DQ != NULL) {
+ if (Q == NULL) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, Q, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_mpi(&L, DQ, D));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&L, &L, &K));
+
+ if (mbedtls_mpi_cmp_int(&L, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+ /* Check that QP * Q - 1 == 0 mod P */
+ if (QP != NULL) {
+ if (P == NULL || Q == NULL) {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&K, QP, Q));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&K, &K, 1));
+ MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&K, &K, P));
+ if (mbedtls_mpi_cmp_int(&K, 0) != 0) {
+ ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ goto cleanup;
+ }
+ }
+
+cleanup:
+
+ /* Wrap MPI error codes by RSA check failure error code */
+ if (ret != 0 &&
+ ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
+ ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA) {
+ ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+ }
+
+ mbedtls_mpi_free(&K);
+ mbedtls_mpi_free(&L);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_RSA_C */
diff --git a/library/rsa_alt_helpers.h b/library/rsa_alt_helpers.h
new file mode 100644
index 0000000..052b024
--- /dev/null
+++ b/library/rsa_alt_helpers.h
@@ -0,0 +1,206 @@
+/**
+ * \file rsa_alt_helpers.h
+ *
+ * \brief Context-independent RSA helper functions
+ *
+ * This module declares some RSA-related helper functions useful when
+ * implementing the RSA interface. These functions are provided in a separate
+ * compilation unit in order to make it easy for designers of alternative RSA
+ * implementations to use them in their own code, as it is conceived that the
+ * functionality they provide will be necessary for most complete
+ * implementations.
+ *
+ * End-users of Mbed TLS who are not providing their own alternative RSA
+ * implementations should not use these functions directly, and should instead
+ * use only the functions declared in rsa.h.
+ *
+ * The interface provided by this module will be maintained through LTS (Long
+ * Term Support) branches of Mbed TLS, but may otherwise be subject to change,
+ * and must be considered an internal interface of the library.
+ *
+ * There are two classes of helper functions:
+ *
+ * (1) Parameter-generating helpers. These are:
+ * - mbedtls_rsa_deduce_primes
+ * - mbedtls_rsa_deduce_private_exponent
+ * - mbedtls_rsa_deduce_crt
+ * Each of these functions takes a set of core RSA parameters and
+ * generates some other, or CRT related parameters.
+ *
+ * (2) Parameter-checking helpers. These are:
+ * - mbedtls_rsa_validate_params
+ * - mbedtls_rsa_validate_crt
+ * They take a set of core or CRT related RSA parameters and check their
+ * validity.
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_RSA_ALT_HELPERS_H
+#define MBEDTLS_RSA_ALT_HELPERS_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * \brief Compute RSA prime moduli P, Q from public modulus N=PQ
+ * and a pair of private and public key.
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param N RSA modulus N = PQ, with P, Q to be found
+ * \param E RSA public exponent
+ * \param D RSA private exponent
+ * \param P Pointer to MPI holding first prime factor of N on success
+ * \param Q Pointer to MPI holding second prime factor of N on success
+ *
+ * \return
+ * - 0 if successful. In this case, P and Q constitute a
+ * factorization of N.
+ * - A non-zero error code otherwise.
+ *
+ * \note It is neither checked that P, Q are prime nor that
+ * D, E are modular inverses wrt. P-1 and Q-1. For that,
+ * use the helper function \c mbedtls_rsa_validate_params.
+ *
+ */
+int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N, mbedtls_mpi const *E,
+ mbedtls_mpi const *D,
+ mbedtls_mpi *P, mbedtls_mpi *Q);
+
+/**
+ * \brief Compute RSA private exponent from
+ * prime moduli and public key.
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param P First prime factor of RSA modulus
+ * \param Q Second prime factor of RSA modulus
+ * \param E RSA public exponent
+ * \param D Pointer to MPI holding the private exponent on success.
+ *
+ * \return
+ * - 0 if successful. In this case, D is set to a simultaneous
+ * modular inverse of E modulo both P-1 and Q-1.
+ * - A non-zero error code otherwise.
+ *
+ * \note This function does not check whether P and Q are primes.
+ *
+ */
+int mbedtls_rsa_deduce_private_exponent(mbedtls_mpi const *P,
+ mbedtls_mpi const *Q,
+ mbedtls_mpi const *E,
+ mbedtls_mpi *D);
+
+
+/**
+ * \brief Generate RSA-CRT parameters
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param P First prime factor of N
+ * \param Q Second prime factor of N
+ * \param D RSA private exponent
+ * \param DP Output variable for D modulo P-1
+ * \param DQ Output variable for D modulo Q-1
+ * \param QP Output variable for the modular inverse of Q modulo P.
+ *
+ * \return 0 on success, non-zero error code otherwise.
+ *
+ * \note This function does not check whether P, Q are
+ * prime and whether D is a valid private exponent.
+ *
+ */
+int mbedtls_rsa_deduce_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, mbedtls_mpi *DP,
+ mbedtls_mpi *DQ, mbedtls_mpi *QP);
+
+
+/**
+ * \brief Check validity of core RSA parameters
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param N RSA modulus N = PQ
+ * \param P First prime factor of N
+ * \param Q Second prime factor of N
+ * \param D RSA private exponent
+ * \param E RSA public exponent
+ * \param f_rng PRNG to be used for primality check, or NULL
+ * \param p_rng PRNG context for f_rng, or NULL
+ *
+ * \return
+ * - 0 if the following conditions are satisfied
+ * if all relevant parameters are provided:
+ * - P prime if f_rng != NULL (%)
+ * - Q prime if f_rng != NULL (%)
+ * - 1 < N = P * Q
+ * - 1 < D, E < N
+ * - D and E are modular inverses modulo P-1 and Q-1
+ * (%) This is only done if MBEDTLS_GENPRIME is defined.
+ * - A non-zero error code otherwise.
+ *
+ * \note The function can be used with a restricted set of arguments
+ * to perform specific checks only. E.g., calling it with
+ * (-,P,-,-,-) and a PRNG amounts to a primality check for P.
+ */
+int mbedtls_rsa_validate_params(const mbedtls_mpi *N, const mbedtls_mpi *P,
+ const mbedtls_mpi *Q, const mbedtls_mpi *D,
+ const mbedtls_mpi *E,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+
+/**
+ * \brief Check validity of RSA CRT parameters
+ *
+ * \note This is a 'static' helper function not operating on
+ * an RSA context. Alternative implementations need not
+ * overwrite it.
+ *
+ * \param P First prime factor of RSA modulus
+ * \param Q Second prime factor of RSA modulus
+ * \param D RSA private exponent
+ * \param DP MPI to check for D modulo P-1
+ * \param DQ MPI to check for D modulo P-1
+ * \param QP MPI to check for the modular inverse of Q modulo P.
+ *
+ * \return
+ * - 0 if the following conditions are satisfied:
+ * - D = DP mod P-1 if P, D, DP != NULL
+ * - Q = DQ mod P-1 if P, D, DQ != NULL
+ * - QP = Q^-1 mod P if P, Q, QP != NULL
+ * - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed,
+ * potentially including \c MBEDTLS_ERR_MPI_XXX if some
+ * MPI calculations failed.
+ * - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient
+ * data was provided to check DP, DQ or QP.
+ *
+ * \note The function can be used with a restricted set of arguments
+ * to perform specific checks only. E.g., calling it with the
+ * parameters (P, -, D, DP, -, -) will check DP = D mod P-1.
+ */
+int mbedtls_rsa_validate_crt(const mbedtls_mpi *P, const mbedtls_mpi *Q,
+ const mbedtls_mpi *D, const mbedtls_mpi *DP,
+ const mbedtls_mpi *DQ, const mbedtls_mpi *QP);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* rsa_alt_helpers.h */
diff --git a/library/rsa_internal.h b/library/rsa_internal.h
new file mode 100644
index 0000000..f79c3b7
--- /dev/null
+++ b/library/rsa_internal.h
@@ -0,0 +1,121 @@
+/**
+ * \file rsa_internal.h
+ *
+ * \brief Internal-only RSA public-key cryptosystem API.
+ *
+ * This file declares RSA-related functions that are to be used
+ * only from within the Mbed TLS library itself.
+ *
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_RSA_INTERNAL_H
+#define MBEDTLS_RSA_INTERNAL_H
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/asn1.h"
+
+/**
+ * \brief Parse a PKCS#1 (ASN.1) encoded private RSA key.
+ *
+ * \param rsa The RSA context where parsed data will be stored.
+ * \param key The buffer that contains the key.
+ * \param keylen The length of the key buffer in bytes.
+ *
+ * \return 0 on success.
+ * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors.
+ * \return MBEDTLS_ERR_RSA_xxx in case of RSA internal failures while
+ * parsing data.
+ * \return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if validity checks on the
+ * provided key fail.
+ */
+int mbedtls_rsa_parse_key(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen);
+
+/**
+ * \brief Parse a PKCS#1 (ASN.1) encoded public RSA key.
+ *
+ * \param rsa The RSA context where parsed data will be stored.
+ * \param key The buffer that contains the key.
+ * \param keylen The length of the key buffer in bytes.
+ *
+ * \return 0 on success.
+ * \return MBEDTLS_ERR_ASN1_xxx in case of ASN.1 parsing errors.
+ * \return MBEDTLS_ERR_RSA_xxx in case of RSA internal failures while
+ * parsing data.
+ * \return MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if validity checks on the
+ * provided key fail.
+ */
+int mbedtls_rsa_parse_pubkey(mbedtls_rsa_context *rsa, const unsigned char *key, size_t keylen);
+
+/**
+ * \brief Write a PKCS#1 (ASN.1) encoded private RSA key.
+ *
+ * \param rsa The RSA context which contains the data to be written.
+ * \param start Beginning of the buffer that will be filled with the
+ * private key.
+ * \param p End of the buffer that will be filled with the private key.
+ * On successful return, the referenced pointer will be
+ * updated in order to point to the beginning of written data.
+ *
+ * \return On success, the number of bytes written to the output buffer
+ * (i.e. a value > 0).
+ * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the RSA context does not
+ * contain a valid key pair.
+ * \return MBEDTLS_ERR_ASN1_xxx in case of failure while writing to the
+ * output buffer.
+ *
+ * \note The output buffer is filled backward, i.e. starting from its
+ * end and moving toward its start.
+ */
+int mbedtls_rsa_write_key(const mbedtls_rsa_context *rsa, unsigned char *start,
+ unsigned char **p);
+
+/**
+ * \brief Parse a PKCS#1 (ASN.1) encoded public RSA key.
+ *
+ * \param rsa The RSA context which contains the data to be written.
+ * \param start Beginning of the buffer that will be filled with the
+ * private key.
+ * \param p End of the buffer that will be filled with the private key.
+ * On successful return, the referenced pointer will be
+ * updated in order to point to the beginning of written data.
+ *
+ * \return On success, the number of bytes written to the output buffer
+ * (i.e. a value > 0).
+ * \return MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the RSA context does not
+ * contain a valid public key.
+ * \return MBEDTLS_ERR_ASN1_xxx in case of failure while writing to the
+ * output buffer.
+ *
+ * \note The output buffer is filled backward, i.e. starting from its
+ * end and moving toward its start.
+ */
+int mbedtls_rsa_write_pubkey(const mbedtls_rsa_context *rsa, unsigned char *start,
+ unsigned char **p);
+
+#if defined(MBEDTLS_PKCS1_V21)
+/**
+ * \brief This function is analogue to \c mbedtls_rsa_rsassa_pss_sign().
+ * The only difference between them is that this function is more flexible
+ * on the parameters of \p ctx that are set with \c mbedtls_rsa_set_padding().
+ *
+ * \note Compared to its counterpart, this function:
+ * - does not check the padding setting of \p ctx.
+ * - allows the hash_id of \p ctx to be MBEDTLS_MD_NONE,
+ * in which case it uses \p md_alg as the hash_id.
+ *
+ * \note Refer to \c mbedtls_rsa_rsassa_pss_sign() for a description
+ * of the functioning and parameters of this function.
+ */
+int mbedtls_rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig);
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#endif /* rsa_internal.h */
diff --git a/library/sha1.c b/library/sha1.c
new file mode 100644
index 0000000..dfbe481
--- /dev/null
+++ b/library/sha1.c
@@ -0,0 +1,480 @@
+/*
+ * FIPS-180-1 compliant SHA-1 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The SHA-1 standard was published by NIST in 1993.
+ *
+ * http://www.itl.nist.gov/fipspubs/fip180-1.htm
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SHA1_C)
+
+#include "mbedtls/sha1.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if !defined(MBEDTLS_SHA1_ALT)
+
+void mbedtls_sha1_init(mbedtls_sha1_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_sha1_context));
+}
+
+void mbedtls_sha1_free(mbedtls_sha1_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha1_context));
+}
+
+void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
+ const mbedtls_sha1_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-1 context setup
+ */
+int mbedtls_sha1_starts(mbedtls_sha1_context *ctx)
+{
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ ctx->state[0] = 0x67452301;
+ ctx->state[1] = 0xEFCDAB89;
+ ctx->state[2] = 0x98BADCFE;
+ ctx->state[3] = 0x10325476;
+ ctx->state[4] = 0xC3D2E1F0;
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_SHA1_PROCESS_ALT)
+int mbedtls_internal_sha1_process(mbedtls_sha1_context *ctx,
+ const unsigned char data[64])
+{
+ struct {
+ uint32_t temp, W[16], A, B, C, D, E;
+ } local;
+
+ local.W[0] = MBEDTLS_GET_UINT32_BE(data, 0);
+ local.W[1] = MBEDTLS_GET_UINT32_BE(data, 4);
+ local.W[2] = MBEDTLS_GET_UINT32_BE(data, 8);
+ local.W[3] = MBEDTLS_GET_UINT32_BE(data, 12);
+ local.W[4] = MBEDTLS_GET_UINT32_BE(data, 16);
+ local.W[5] = MBEDTLS_GET_UINT32_BE(data, 20);
+ local.W[6] = MBEDTLS_GET_UINT32_BE(data, 24);
+ local.W[7] = MBEDTLS_GET_UINT32_BE(data, 28);
+ local.W[8] = MBEDTLS_GET_UINT32_BE(data, 32);
+ local.W[9] = MBEDTLS_GET_UINT32_BE(data, 36);
+ local.W[10] = MBEDTLS_GET_UINT32_BE(data, 40);
+ local.W[11] = MBEDTLS_GET_UINT32_BE(data, 44);
+ local.W[12] = MBEDTLS_GET_UINT32_BE(data, 48);
+ local.W[13] = MBEDTLS_GET_UINT32_BE(data, 52);
+ local.W[14] = MBEDTLS_GET_UINT32_BE(data, 56);
+ local.W[15] = MBEDTLS_GET_UINT32_BE(data, 60);
+
+#define S(x, n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+#define R(t) \
+ ( \
+ local.temp = local.W[((t) - 3) & 0x0F] ^ \
+ local.W[((t) - 8) & 0x0F] ^ \
+ local.W[((t) - 14) & 0x0F] ^ \
+ local.W[(t) & 0x0F], \
+ (local.W[(t) & 0x0F] = S(local.temp, 1)) \
+ )
+
+#define P(a, b, c, d, e, x) \
+ do \
+ { \
+ (e) += S((a), 5) + F((b), (c), (d)) + K + (x); \
+ (b) = S((b), 30); \
+ } while (0)
+
+ local.A = ctx->state[0];
+ local.B = ctx->state[1];
+ local.C = ctx->state[2];
+ local.D = ctx->state[3];
+ local.E = ctx->state[4];
+
+#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+#define K 0x5A827999
+
+ P(local.A, local.B, local.C, local.D, local.E, local.W[0]);
+ P(local.E, local.A, local.B, local.C, local.D, local.W[1]);
+ P(local.D, local.E, local.A, local.B, local.C, local.W[2]);
+ P(local.C, local.D, local.E, local.A, local.B, local.W[3]);
+ P(local.B, local.C, local.D, local.E, local.A, local.W[4]);
+ P(local.A, local.B, local.C, local.D, local.E, local.W[5]);
+ P(local.E, local.A, local.B, local.C, local.D, local.W[6]);
+ P(local.D, local.E, local.A, local.B, local.C, local.W[7]);
+ P(local.C, local.D, local.E, local.A, local.B, local.W[8]);
+ P(local.B, local.C, local.D, local.E, local.A, local.W[9]);
+ P(local.A, local.B, local.C, local.D, local.E, local.W[10]);
+ P(local.E, local.A, local.B, local.C, local.D, local.W[11]);
+ P(local.D, local.E, local.A, local.B, local.C, local.W[12]);
+ P(local.C, local.D, local.E, local.A, local.B, local.W[13]);
+ P(local.B, local.C, local.D, local.E, local.A, local.W[14]);
+ P(local.A, local.B, local.C, local.D, local.E, local.W[15]);
+ P(local.E, local.A, local.B, local.C, local.D, R(16));
+ P(local.D, local.E, local.A, local.B, local.C, R(17));
+ P(local.C, local.D, local.E, local.A, local.B, R(18));
+ P(local.B, local.C, local.D, local.E, local.A, R(19));
+
+#undef K
+#undef F
+
+#define F(x, y, z) ((x) ^ (y) ^ (z))
+#define K 0x6ED9EBA1
+
+ P(local.A, local.B, local.C, local.D, local.E, R(20));
+ P(local.E, local.A, local.B, local.C, local.D, R(21));
+ P(local.D, local.E, local.A, local.B, local.C, R(22));
+ P(local.C, local.D, local.E, local.A, local.B, R(23));
+ P(local.B, local.C, local.D, local.E, local.A, R(24));
+ P(local.A, local.B, local.C, local.D, local.E, R(25));
+ P(local.E, local.A, local.B, local.C, local.D, R(26));
+ P(local.D, local.E, local.A, local.B, local.C, R(27));
+ P(local.C, local.D, local.E, local.A, local.B, R(28));
+ P(local.B, local.C, local.D, local.E, local.A, R(29));
+ P(local.A, local.B, local.C, local.D, local.E, R(30));
+ P(local.E, local.A, local.B, local.C, local.D, R(31));
+ P(local.D, local.E, local.A, local.B, local.C, R(32));
+ P(local.C, local.D, local.E, local.A, local.B, R(33));
+ P(local.B, local.C, local.D, local.E, local.A, R(34));
+ P(local.A, local.B, local.C, local.D, local.E, R(35));
+ P(local.E, local.A, local.B, local.C, local.D, R(36));
+ P(local.D, local.E, local.A, local.B, local.C, R(37));
+ P(local.C, local.D, local.E, local.A, local.B, R(38));
+ P(local.B, local.C, local.D, local.E, local.A, R(39));
+
+#undef K
+#undef F
+
+#define F(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define K 0x8F1BBCDC
+
+ P(local.A, local.B, local.C, local.D, local.E, R(40));
+ P(local.E, local.A, local.B, local.C, local.D, R(41));
+ P(local.D, local.E, local.A, local.B, local.C, R(42));
+ P(local.C, local.D, local.E, local.A, local.B, R(43));
+ P(local.B, local.C, local.D, local.E, local.A, R(44));
+ P(local.A, local.B, local.C, local.D, local.E, R(45));
+ P(local.E, local.A, local.B, local.C, local.D, R(46));
+ P(local.D, local.E, local.A, local.B, local.C, R(47));
+ P(local.C, local.D, local.E, local.A, local.B, R(48));
+ P(local.B, local.C, local.D, local.E, local.A, R(49));
+ P(local.A, local.B, local.C, local.D, local.E, R(50));
+ P(local.E, local.A, local.B, local.C, local.D, R(51));
+ P(local.D, local.E, local.A, local.B, local.C, R(52));
+ P(local.C, local.D, local.E, local.A, local.B, R(53));
+ P(local.B, local.C, local.D, local.E, local.A, R(54));
+ P(local.A, local.B, local.C, local.D, local.E, R(55));
+ P(local.E, local.A, local.B, local.C, local.D, R(56));
+ P(local.D, local.E, local.A, local.B, local.C, R(57));
+ P(local.C, local.D, local.E, local.A, local.B, R(58));
+ P(local.B, local.C, local.D, local.E, local.A, R(59));
+
+#undef K
+#undef F
+
+#define F(x, y, z) ((x) ^ (y) ^ (z))
+#define K 0xCA62C1D6
+
+ P(local.A, local.B, local.C, local.D, local.E, R(60));
+ P(local.E, local.A, local.B, local.C, local.D, R(61));
+ P(local.D, local.E, local.A, local.B, local.C, R(62));
+ P(local.C, local.D, local.E, local.A, local.B, R(63));
+ P(local.B, local.C, local.D, local.E, local.A, R(64));
+ P(local.A, local.B, local.C, local.D, local.E, R(65));
+ P(local.E, local.A, local.B, local.C, local.D, R(66));
+ P(local.D, local.E, local.A, local.B, local.C, R(67));
+ P(local.C, local.D, local.E, local.A, local.B, R(68));
+ P(local.B, local.C, local.D, local.E, local.A, R(69));
+ P(local.A, local.B, local.C, local.D, local.E, R(70));
+ P(local.E, local.A, local.B, local.C, local.D, R(71));
+ P(local.D, local.E, local.A, local.B, local.C, R(72));
+ P(local.C, local.D, local.E, local.A, local.B, R(73));
+ P(local.B, local.C, local.D, local.E, local.A, R(74));
+ P(local.A, local.B, local.C, local.D, local.E, R(75));
+ P(local.E, local.A, local.B, local.C, local.D, R(76));
+ P(local.D, local.E, local.A, local.B, local.C, R(77));
+ P(local.C, local.D, local.E, local.A, local.B, R(78));
+ P(local.B, local.C, local.D, local.E, local.A, R(79));
+
+#undef K
+#undef F
+
+ ctx->state[0] += local.A;
+ ctx->state[1] += local.B;
+ ctx->state[2] += local.C;
+ ctx->state[3] += local.D;
+ ctx->state[4] += local.E;
+
+ /* Zeroise buffers and variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_SHA1_PROCESS_ALT */
+
+/*
+ * SHA-1 process buffer
+ */
+int mbedtls_sha1_update(mbedtls_sha1_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ uint32_t left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = ctx->total[0] & 0x3F;
+ fill = 64 - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if (ctx->total[0] < (uint32_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+
+ if ((ret = mbedtls_internal_sha1_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= 64) {
+ if ((ret = mbedtls_internal_sha1_process(ctx, input)) != 0) {
+ return ret;
+ }
+
+ input += 64;
+ ilen -= 64;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+/*
+ * SHA-1 final digest
+ */
+int mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
+ unsigned char output[20])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t used;
+ uint32_t high, low;
+
+ /*
+ * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+ */
+ used = ctx->total[0] & 0x3F;
+
+ ctx->buffer[used++] = 0x80;
+
+ if (used <= 56) {
+ /* Enough room for padding + length in current block */
+ memset(ctx->buffer + used, 0, 56 - used);
+ } else {
+ /* We'll need an extra block */
+ memset(ctx->buffer + used, 0, 64 - used);
+
+ if ((ret = mbedtls_internal_sha1_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ memset(ctx->buffer, 0, 56);
+ }
+
+ /*
+ * Add message length
+ */
+ high = (ctx->total[0] >> 29)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
+ MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
+
+ if ((ret = mbedtls_internal_sha1_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Output final state
+ */
+ MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
+
+ ret = 0;
+
+exit:
+ mbedtls_sha1_free(ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_SHA1_ALT */
+
+/*
+ * output = SHA-1( input buffer )
+ */
+int mbedtls_sha1(const unsigned char *input,
+ size_t ilen,
+ unsigned char output[20])
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_sha1_context ctx;
+
+ mbedtls_sha1_init(&ctx);
+
+ if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha1_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha1_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_sha1_free(&ctx);
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-1 test vectors
+ */
+static const unsigned char sha1_test_buf[3][57] =
+{
+ { "abc" },
+ { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+ { "" }
+};
+
+static const size_t sha1_test_buflen[3] =
+{
+ 3, 56, 1000
+};
+
+static const unsigned char sha1_test_sum[3][20] =
+{
+ { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
+ 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
+ { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
+ 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
+ { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
+ 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha1_self_test(int verbose)
+{
+ int i, j, buflen, ret = 0;
+ unsigned char buf[1024];
+ unsigned char sha1sum[20];
+ mbedtls_sha1_context ctx;
+
+ mbedtls_sha1_init(&ctx);
+
+ /*
+ * SHA-1
+ */
+ for (i = 0; i < 3; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" SHA-1 test #%d: ", i + 1);
+ }
+
+ if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+ goto fail;
+ }
+
+ if (i == 2) {
+ memset(buf, 'a', buflen = 1000);
+
+ for (j = 0; j < 1000; j++) {
+ ret = mbedtls_sha1_update(&ctx, buf, buflen);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+ } else {
+ ret = mbedtls_sha1_update(&ctx, sha1_test_buf[i],
+ sha1_test_buflen[i]);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+
+ if ((ret = mbedtls_sha1_finish(&ctx, sha1sum)) != 0) {
+ goto fail;
+ }
+
+ if (memcmp(sha1sum, sha1_test_sum[i], 20) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ goto exit;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+exit:
+ mbedtls_sha1_free(&ctx);
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA1_C */
diff --git a/library/sha256.c b/library/sha256.c
new file mode 100644
index 0000000..8788981
--- /dev/null
+++ b/library/sha256.c
@@ -0,0 +1,976 @@
+/*
+ * FIPS-180-2 compliant SHA-256 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The SHA-256 Secure Hash Standard was published by NIST in 2002.
+ *
+ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if defined(__clang__) && (__clang_major__ >= 4)
+
+/* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if,
+ * but that is defined by build_info.h, and we need this block to happen first. */
+#if defined(__ARM_ARCH) && (__ARM_ARCH_PROFILE == 'A')
+#if __ARM_ARCH >= 8
+#define MBEDTLS_SHA256_ARCH_IS_ARMV8_A
+#endif
+#endif
+
+#if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO)
+/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
+ *
+ * The intrinsic declaration are guarded by predefined ACLE macros in clang:
+ * these are normally only enabled by the -march option on the command line.
+ * By defining the macros ourselves we gain access to those declarations without
+ * requiring -march on the command line.
+ *
+ * `arm_neon.h` is included by common.h, so we put these defines
+ * at the top of this file, before any includes.
+ */
+#define __ARM_FEATURE_CRYPTO 1
+/* See: https://arm-software.github.io/acle/main/acle.html#cryptographic-extensions
+ *
+ * `__ARM_FEATURE_CRYPTO` is deprecated, but we need to continue to specify it
+ * for older compilers.
+ */
+#define __ARM_FEATURE_SHA2 1
+#define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG
+#endif
+
+#endif /* defined(__clang__) && (__clang_major__ >= 4) */
+
+/* Ensure that SIG_SETMASK is defined when -std=c99 is used. */
+#define _GNU_SOURCE
+
+#include "common.h"
+
+#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
+
+#include "mbedtls/sha256.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_ARCH_IS_ARMV8_A)
+
+# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+# if !defined(MBEDTLS_HAVE_NEON_INTRINSICS)
+# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+# warning "Target does not support NEON instructions"
+# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+# else
+# error "Target does not support NEON instructions"
+# endif
+# endif
+# endif
+
+# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+/* *INDENT-OFF* */
+
+# if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
+# if defined(__ARMCOMPILER_VERSION)
+# if __ARMCOMPILER_VERSION <= 6090000
+# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
+# endif
+# pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# elif defined(__clang__)
+# if __clang_major__ < 4
+# error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
+# endif
+# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# elif defined(__GNUC__)
+ /* FIXME: GCC 5 claims to support Armv8 Crypto Extensions, but some
+ * intrinsics are missing. Missing intrinsics could be worked around.
+ */
+# if __GNUC__ < 6
+# error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
+# else
+# pragma GCC push_options
+# pragma GCC target ("arch=armv8-a+crypto")
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# else
+# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
+# endif
+# endif
+/* *INDENT-ON* */
+
+# endif
+# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+# if defined(__unix__)
+# if defined(__linux__)
+/* Our preferred method of detection is getauxval() */
+# include <sys/auxv.h>
+/* These are not always defined via sys/auxv.h */
+# if !defined(HWCAP_SHA2)
+# define HWCAP_SHA2 (1 << 6)
+# endif
+# if !defined(HWCAP2_SHA2)
+# define HWCAP2_SHA2 (1 << 3)
+# endif
+# endif
+/* Use SIGILL on Unix, and fall back to it on Linux */
+# include <signal.h>
+# endif
+# endif
+#elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
+# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+#endif
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+/*
+ * Capability detection code comes early, so we can disable
+ * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found
+ */
+#if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2)
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0;
+}
+#elif defined(MBEDTLS_ARCH_IS_ARM32) && defined(HWCAP2_SHA2)
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ return (getauxval(AT_HWCAP2) & HWCAP2_SHA2) ? 1 : 0;
+}
+#elif defined(__APPLE__)
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ return 1;
+}
+#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+#define WIN32_LEAN_AND_MEAN
+#include <Windows.h>
+#include <processthreadsapi.h>
+
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE) ?
+ 1 : 0;
+}
+#elif defined(__unix__) && defined(SIG_SETMASK)
+/* Detection with SIGILL, setjmp() and longjmp() */
+#include <signal.h>
+#include <setjmp.h>
+
+static jmp_buf return_from_sigill;
+
+/*
+ * Armv8-A SHA256 support detection via SIGILL
+ */
+static void sigill_handler(int signal)
+{
+ (void) signal;
+ longjmp(return_from_sigill, 1);
+}
+
+static int mbedtls_a64_crypto_sha256_determine_support(void)
+{
+ struct sigaction old_action, new_action;
+
+ sigset_t old_mask;
+ if (sigprocmask(0, NULL, &old_mask)) {
+ return 0;
+ }
+
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = 0;
+ new_action.sa_handler = sigill_handler;
+
+ sigaction(SIGILL, &new_action, &old_action);
+
+ static int ret = 0;
+
+ if (setjmp(return_from_sigill) == 0) { /* First return only */
+ /* If this traps, we will return a second time from setjmp() with 1 */
+#if defined(MBEDTLS_ARCH_IS_ARM64)
+ asm volatile ("sha256h q0, q0, v0.4s" : : : "v0");
+#else
+ asm volatile ("sha256h.32 q0, q0, q0" : : : "q0");
+#endif
+ ret = 1;
+ }
+
+ sigaction(SIGILL, &old_action, NULL);
+ sigprocmask(SIG_SETMASK, &old_mask, NULL);
+
+ return ret;
+}
+#else
+#warning "No mechanism to detect ARMV8_CRYPTO found, using C code only"
+#undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+#endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */
+
+#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
+
+#if !defined(MBEDTLS_SHA256_ALT)
+
+#define SHA256_BLOCK_SIZE 64
+
+void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_sha256_context));
+}
+
+void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha256_context));
+}
+
+void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
+ const mbedtls_sha256_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-256 context setup
+ */
+int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224)
+{
+#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
+ if (is224 != 0 && is224 != 1) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#elif defined(MBEDTLS_SHA256_C)
+ if (is224 != 0) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#else /* defined MBEDTLS_SHA224_C only */
+ if (is224 == 0) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#endif
+
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ if (is224 == 0) {
+#if defined(MBEDTLS_SHA256_C)
+ ctx->state[0] = 0x6A09E667;
+ ctx->state[1] = 0xBB67AE85;
+ ctx->state[2] = 0x3C6EF372;
+ ctx->state[3] = 0xA54FF53A;
+ ctx->state[4] = 0x510E527F;
+ ctx->state[5] = 0x9B05688C;
+ ctx->state[6] = 0x1F83D9AB;
+ ctx->state[7] = 0x5BE0CD19;
+#endif
+ } else {
+#if defined(MBEDTLS_SHA224_C)
+ ctx->state[0] = 0xC1059ED8;
+ ctx->state[1] = 0x367CD507;
+ ctx->state[2] = 0x3070DD17;
+ ctx->state[3] = 0xF70E5939;
+ ctx->state[4] = 0xFFC00B31;
+ ctx->state[5] = 0x68581511;
+ ctx->state[6] = 0x64F98FA7;
+ ctx->state[7] = 0xBEFA4FA4;
+#endif
+ }
+
+#if defined(MBEDTLS_SHA224_C)
+ ctx->is224 = is224;
+#endif
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
+static const uint32_t K[] =
+{
+ 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
+ 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
+ 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
+ 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
+ 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
+ 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
+ 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
+ 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
+ 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
+ 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
+ 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
+ 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
+ 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
+ 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
+ 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
+ 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
+};
+
+#endif
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+# define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many
+# define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process
+#endif
+
+static size_t mbedtls_internal_sha256_process_many_a64_crypto(
+ mbedtls_sha256_context *ctx, const uint8_t *msg, size_t len)
+{
+ uint32x4_t abcd = vld1q_u32(&ctx->state[0]);
+ uint32x4_t efgh = vld1q_u32(&ctx->state[4]);
+
+ size_t processed = 0;
+
+ for (;
+ len >= SHA256_BLOCK_SIZE;
+ processed += SHA256_BLOCK_SIZE,
+ msg += SHA256_BLOCK_SIZE,
+ len -= SHA256_BLOCK_SIZE) {
+ uint32x4_t tmp, abcd_prev;
+
+ uint32x4_t abcd_orig = abcd;
+ uint32x4_t efgh_orig = efgh;
+
+ uint32x4_t sched0 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 0));
+ uint32x4_t sched1 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 1));
+ uint32x4_t sched2 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 2));
+ uint32x4_t sched3 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 3));
+
+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */
+ /* Untested on BE */
+ sched0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched0)));
+ sched1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched1)));
+ sched2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched2)));
+ sched3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(sched3)));
+#endif
+
+ /* Rounds 0 to 3 */
+ tmp = vaddq_u32(sched0, vld1q_u32(&K[0]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds 4 to 7 */
+ tmp = vaddq_u32(sched1, vld1q_u32(&K[4]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds 8 to 11 */
+ tmp = vaddq_u32(sched2, vld1q_u32(&K[8]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds 12 to 15 */
+ tmp = vaddq_u32(sched3, vld1q_u32(&K[12]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ for (int t = 16; t < 64; t += 16) {
+ /* Rounds t to t + 3 */
+ sched0 = vsha256su1q_u32(vsha256su0q_u32(sched0, sched1), sched2, sched3);
+ tmp = vaddq_u32(sched0, vld1q_u32(&K[t]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds t + 4 to t + 7 */
+ sched1 = vsha256su1q_u32(vsha256su0q_u32(sched1, sched2), sched3, sched0);
+ tmp = vaddq_u32(sched1, vld1q_u32(&K[t + 4]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds t + 8 to t + 11 */
+ sched2 = vsha256su1q_u32(vsha256su0q_u32(sched2, sched3), sched0, sched1);
+ tmp = vaddq_u32(sched2, vld1q_u32(&K[t + 8]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+
+ /* Rounds t + 12 to t + 15 */
+ sched3 = vsha256su1q_u32(vsha256su0q_u32(sched3, sched0), sched1, sched2);
+ tmp = vaddq_u32(sched3, vld1q_u32(&K[t + 12]));
+ abcd_prev = abcd;
+ abcd = vsha256hq_u32(abcd_prev, efgh, tmp);
+ efgh = vsha256h2q_u32(efgh, abcd_prev, tmp);
+ }
+
+ abcd = vaddq_u32(abcd, abcd_orig);
+ efgh = vaddq_u32(efgh, efgh_orig);
+ }
+
+ vst1q_u32(&ctx->state[0], abcd);
+ vst1q_u32(&ctx->state[4], efgh);
+
+ return processed;
+}
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+/*
+ * This function is for internal use only if we are building both C and Armv8-A
+ * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
+ */
+static
+#endif
+int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
+ const unsigned char data[SHA256_BLOCK_SIZE])
+{
+ return (mbedtls_internal_sha256_process_many_a64_crypto(ctx, data,
+ SHA256_BLOCK_SIZE) ==
+ SHA256_BLOCK_SIZE) ? 0 : -1;
+}
+
+#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
+
+#if defined(MBEDTLS_POP_TARGET_PRAGMA)
+#if defined(__clang__)
+#pragma clang attribute pop
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
+#undef MBEDTLS_POP_TARGET_PRAGMA
+#endif
+
+#if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+#define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
+#define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process
+#endif
+
+
+#if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \
+ !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+
+#define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n))
+#define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n))))
+
+#define S0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
+#define S1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
+
+#define S2(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
+#define S3(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
+
+#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+
+#define R(t) \
+ ( \
+ local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
+ S0(local.W[(t) - 15]) + local.W[(t) - 16] \
+ )
+
+#define P(a, b, c, d, e, f, g, h, x, K) \
+ do \
+ { \
+ local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
+ local.temp2 = S2(a) + F0((a), (b), (c)); \
+ (d) += local.temp1; (h) = local.temp1 + local.temp2; \
+ } while (0)
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+/*
+ * This function is for internal use only if we are building both C and Armv8
+ * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process()
+ */
+static
+#endif
+int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx,
+ const unsigned char data[SHA256_BLOCK_SIZE])
+{
+ struct {
+ uint32_t temp1, temp2, W[64];
+ uint32_t A[8];
+ } local;
+
+ unsigned int i;
+
+ for (i = 0; i < 8; i++) {
+ local.A[i] = ctx->state[i];
+ }
+
+#if defined(MBEDTLS_SHA256_SMALLER)
+ for (i = 0; i < 64; i++) {
+ if (i < 16) {
+ local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
+ } else {
+ R(i);
+ }
+
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
+
+ local.temp1 = local.A[7]; local.A[7] = local.A[6];
+ local.A[6] = local.A[5]; local.A[5] = local.A[4];
+ local.A[4] = local.A[3]; local.A[3] = local.A[2];
+ local.A[2] = local.A[1]; local.A[1] = local.A[0];
+ local.A[0] = local.temp1;
+ }
+#else /* MBEDTLS_SHA256_SMALLER */
+ for (i = 0; i < 16; i++) {
+ local.W[i] = MBEDTLS_GET_UINT32_BE(data, 4 * i);
+ }
+
+ for (i = 0; i < 16; i += 8) {
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0]);
+ P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+ local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1]);
+ P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+ local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2]);
+ P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+ local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3]);
+ P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+ local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4]);
+ P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+ local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5]);
+ P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+ local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6]);
+ P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+ local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7]);
+ }
+
+ for (i = 16; i < 64; i += 8) {
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], R(i+0), K[i+0]);
+ P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+ local.A[4], local.A[5], local.A[6], R(i+1), K[i+1]);
+ P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+ local.A[3], local.A[4], local.A[5], R(i+2), K[i+2]);
+ P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+ local.A[2], local.A[3], local.A[4], R(i+3), K[i+3]);
+ P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+ local.A[1], local.A[2], local.A[3], R(i+4), K[i+4]);
+ P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+ local.A[0], local.A[1], local.A[2], R(i+5), K[i+5]);
+ P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+ local.A[7], local.A[0], local.A[1], R(i+6), K[i+6]);
+ P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+ local.A[6], local.A[7], local.A[0], R(i+7), K[i+7]);
+ }
+#endif /* MBEDTLS_SHA256_SMALLER */
+
+ for (i = 0; i < 8; i++) {
+ ctx->state[i] += local.A[i];
+ }
+
+ /* Zeroise buffers and variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
+
+
+#if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+
+static size_t mbedtls_internal_sha256_process_many_c(
+ mbedtls_sha256_context *ctx, const uint8_t *data, size_t len)
+{
+ size_t processed = 0;
+
+ while (len >= SHA256_BLOCK_SIZE) {
+ if (mbedtls_internal_sha256_process_c(ctx, data) != 0) {
+ return 0;
+ }
+
+ data += SHA256_BLOCK_SIZE;
+ len -= SHA256_BLOCK_SIZE;
+
+ processed += SHA256_BLOCK_SIZE;
+ }
+
+ return processed;
+}
+
+#endif /* !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
+
+
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+
+static int mbedtls_a64_crypto_sha256_has_support(void)
+{
+ static int done = 0;
+ static int supported = 0;
+
+ if (!done) {
+ supported = mbedtls_a64_crypto_sha256_determine_support();
+ done = 1;
+ }
+
+ return supported;
+}
+
+static size_t mbedtls_internal_sha256_process_many(mbedtls_sha256_context *ctx,
+ const uint8_t *msg, size_t len)
+{
+ if (mbedtls_a64_crypto_sha256_has_support()) {
+ return mbedtls_internal_sha256_process_many_a64_crypto(ctx, msg, len);
+ } else {
+ return mbedtls_internal_sha256_process_many_c(ctx, msg, len);
+ }
+}
+
+int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
+ const unsigned char data[SHA256_BLOCK_SIZE])
+{
+ if (mbedtls_a64_crypto_sha256_has_support()) {
+ return mbedtls_internal_sha256_process_a64_crypto(ctx, data);
+ } else {
+ return mbedtls_internal_sha256_process_c(ctx, data);
+ }
+}
+
+#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
+
+
+/*
+ * SHA-256 process buffer
+ */
+int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ uint32_t left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = ctx->total[0] & 0x3F;
+ fill = SHA256_BLOCK_SIZE - left;
+
+ ctx->total[0] += (uint32_t) ilen;
+ ctx->total[0] &= 0xFFFFFFFF;
+
+ if (ctx->total[0] < (uint32_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+
+ if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= SHA256_BLOCK_SIZE) {
+ size_t processed =
+ mbedtls_internal_sha256_process_many(ctx, input, ilen);
+ if (processed < SHA256_BLOCK_SIZE) {
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+ }
+
+ input += processed;
+ ilen -= processed;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+/*
+ * SHA-256 final digest
+ */
+int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t used;
+ uint32_t high, low;
+ int truncated = 0;
+
+ /*
+ * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+ */
+ used = ctx->total[0] & 0x3F;
+
+ ctx->buffer[used++] = 0x80;
+
+ if (used <= 56) {
+ /* Enough room for padding + length in current block */
+ memset(ctx->buffer + used, 0, 56 - used);
+ } else {
+ /* We'll need an extra block */
+ memset(ctx->buffer + used, 0, SHA256_BLOCK_SIZE - used);
+
+ if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ memset(ctx->buffer, 0, 56);
+ }
+
+ /*
+ * Add message length
+ */
+ high = (ctx->total[0] >> 29)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ MBEDTLS_PUT_UINT32_BE(high, ctx->buffer, 56);
+ MBEDTLS_PUT_UINT32_BE(low, ctx->buffer, 60);
+
+ if ((ret = mbedtls_internal_sha256_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Output final state
+ */
+ MBEDTLS_PUT_UINT32_BE(ctx->state[0], output, 0);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[1], output, 4);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[2], output, 8);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[3], output, 12);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[4], output, 16);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[5], output, 20);
+ MBEDTLS_PUT_UINT32_BE(ctx->state[6], output, 24);
+
+#if defined(MBEDTLS_SHA224_C)
+ truncated = ctx->is224;
+#endif
+ if (!truncated) {
+ MBEDTLS_PUT_UINT32_BE(ctx->state[7], output, 28);
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_sha256_free(ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_SHA256_ALT */
+
+/*
+ * output = SHA-256( input buffer )
+ */
+int mbedtls_sha256(const unsigned char *input,
+ size_t ilen,
+ unsigned char *output,
+ int is224)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_sha256_context ctx;
+
+#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
+ if (is224 != 0 && is224 != 1) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#elif defined(MBEDTLS_SHA256_C)
+ if (is224 != 0) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#else /* defined MBEDTLS_SHA224_C only */
+ if (is224 == 0) {
+ return MBEDTLS_ERR_SHA256_BAD_INPUT_DATA;
+ }
+#endif
+
+ mbedtls_sha256_init(&ctx);
+
+ if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha256_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha256_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_sha256_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha_test_buf[3][57] =
+{
+ { "abc" },
+ { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+ { "" }
+};
+
+static const size_t sha_test_buflen[3] =
+{
+ 3, 56, 1000
+};
+
+typedef const unsigned char (sha_test_sum_t)[32];
+
+/*
+ * SHA-224 test vectors
+ */
+#if defined(MBEDTLS_SHA224_C)
+static sha_test_sum_t sha224_test_sum[] =
+{
+ { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
+ 0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
+ 0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
+ 0xE3, 0x6C, 0x9D, 0xA7 },
+ { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
+ 0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
+ 0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
+ 0x52, 0x52, 0x25, 0x25 },
+ { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
+ 0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
+ 0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
+ 0x4E, 0xE7, 0xAD, 0x67 }
+};
+#endif
+
+/*
+ * SHA-256 test vectors
+ */
+#if defined(MBEDTLS_SHA256_C)
+static sha_test_sum_t sha256_test_sum[] =
+{
+ { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
+ 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
+ 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
+ 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
+ { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
+ 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
+ 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
+ 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
+ { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
+ 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
+ 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
+ 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
+};
+#endif
+
+/*
+ * Checkup routine
+ */
+static int mbedtls_sha256_common_self_test(int verbose, int is224)
+{
+ int i, buflen, ret = 0;
+ unsigned char *buf;
+ unsigned char sha256sum[32];
+ mbedtls_sha256_context ctx;
+
+#if defined(MBEDTLS_SHA224_C) && defined(MBEDTLS_SHA256_C)
+ sha_test_sum_t *sha_test_sum = (is224) ? sha224_test_sum : sha256_test_sum;
+#elif defined(MBEDTLS_SHA256_C)
+ sha_test_sum_t *sha_test_sum = sha256_test_sum;
+#else
+ sha_test_sum_t *sha_test_sum = sha224_test_sum;
+#endif
+
+ buf = mbedtls_calloc(1024, sizeof(unsigned char));
+ if (NULL == buf) {
+ if (verbose != 0) {
+ mbedtls_printf("Buffer allocation failed\n");
+ }
+
+ return 1;
+ }
+
+ mbedtls_sha256_init(&ctx);
+
+ for (i = 0; i < 3; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" SHA-%d test #%d: ", 256 - is224 * 32, i + 1);
+ }
+
+ if ((ret = mbedtls_sha256_starts(&ctx, is224)) != 0) {
+ goto fail;
+ }
+
+ if (i == 2) {
+ memset(buf, 'a', buflen = 1000);
+
+ for (int j = 0; j < 1000; j++) {
+ ret = mbedtls_sha256_update(&ctx, buf, buflen);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+
+ } else {
+ ret = mbedtls_sha256_update(&ctx, sha_test_buf[i],
+ sha_test_buflen[i]);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+
+ if ((ret = mbedtls_sha256_finish(&ctx, sha256sum)) != 0) {
+ goto fail;
+ }
+
+
+ if (memcmp(sha256sum, sha_test_sum[i], 32 - is224 * 4) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ goto exit;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+exit:
+ mbedtls_sha256_free(&ctx);
+ mbedtls_free(buf);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SHA256_C)
+int mbedtls_sha256_self_test(int verbose)
+{
+ return mbedtls_sha256_common_self_test(verbose, 0);
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA224_C)
+int mbedtls_sha224_self_test(int verbose)
+{
+ return mbedtls_sha256_common_self_test(verbose, 1);
+}
+#endif /* MBEDTLS_SHA224_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA224_C */
diff --git a/library/sha3.c b/library/sha3.c
new file mode 100644
index 0000000..5738559
--- /dev/null
+++ b/library/sha3.c
@@ -0,0 +1,721 @@
+/*
+ * FIPS-202 compliant SHA3 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The SHA-3 Secure Hash Standard was published by NIST in 2015.
+ *
+ * https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SHA3_C)
+
+/*
+ * These macros select manually unrolled implementations of parts of the main permutation function.
+ *
+ * Unrolling has a major impact on both performance and code size. gcc performance benefits a lot
+ * from manually unrolling at higher optimisation levels.
+ *
+ * Depending on your size/perf priorities, compiler and target, it may be beneficial to adjust
+ * these; the defaults here should give sensible trade-offs for gcc and clang on aarch64 and
+ * x86-64.
+ */
+#if !defined(MBEDTLS_SHA3_THETA_UNROLL)
+ #define MBEDTLS_SHA3_THETA_UNROLL 0 //no-check-names
+#endif
+#if !defined(MBEDTLS_SHA3_CHI_UNROLL)
+ #if defined(__OPTIMIZE_SIZE__)
+ #define MBEDTLS_SHA3_CHI_UNROLL 0 //no-check-names
+ #else
+ #define MBEDTLS_SHA3_CHI_UNROLL 1 //no-check-names
+ #endif
+#endif
+#if !defined(MBEDTLS_SHA3_PI_UNROLL)
+ #define MBEDTLS_SHA3_PI_UNROLL 1 //no-check-names
+#endif
+#if !defined(MBEDTLS_SHA3_RHO_UNROLL)
+ #define MBEDTLS_SHA3_RHO_UNROLL 1 //no-check-names
+#endif
+
+#include "mbedtls/sha3.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#include "mbedtls/platform.h"
+#endif /* MBEDTLS_SELF_TEST */
+
+#define XOR_BYTE 0x6
+
+/* Precomputed masks for the iota transform.
+ *
+ * Each round uses a 64-bit mask value. In each mask values, only
+ * bits whose position is of the form 2^k-1 can be set, thus only
+ * 7 of 64 bits of the mask need to be known for each mask value.
+ *
+ * We use a compressed encoding of the mask where bits 63, 31 and 15
+ * are moved to bits 4-6. This allows us to make each mask value
+ * 1 byte rather than 8 bytes, saving 7*24 = 168 bytes of data (with
+ * perhaps a little variation due to alignment). Decompressing this
+ * requires a little code, but much less than the savings on the table.
+ *
+ * The impact on performance depends on the platform and compiler.
+ * There's a bit more computation, but less memory bandwidth. A quick
+ * benchmark on x86_64 shows a 7% speed improvement with GCC and a
+ * 5% speed penalty with Clang, compared to the naive uint64_t[24] table.
+ * YMMV.
+ */
+/* Helper macro to set the values of the higher bits in unused low positions */
+#define H(b63, b31, b15) (b63 << 6 | b31 << 5 | b15 << 4)
+static const uint8_t iota_r_packed[24] = {
+ H(0, 0, 0) | 0x01, H(0, 0, 1) | 0x82, H(1, 0, 1) | 0x8a, H(1, 1, 1) | 0x00,
+ H(0, 0, 1) | 0x8b, H(0, 1, 0) | 0x01, H(1, 1, 1) | 0x81, H(1, 0, 1) | 0x09,
+ H(0, 0, 0) | 0x8a, H(0, 0, 0) | 0x88, H(0, 1, 1) | 0x09, H(0, 1, 0) | 0x0a,
+ H(0, 1, 1) | 0x8b, H(1, 0, 0) | 0x8b, H(1, 0, 1) | 0x89, H(1, 0, 1) | 0x03,
+ H(1, 0, 1) | 0x02, H(1, 0, 0) | 0x80, H(0, 0, 1) | 0x0a, H(1, 1, 0) | 0x0a,
+ H(1, 1, 1) | 0x81, H(1, 0, 1) | 0x80, H(0, 1, 0) | 0x01, H(1, 1, 1) | 0x08,
+};
+#undef H
+
+static const uint32_t rho[6] = {
+ 0x3f022425, 0x1c143a09, 0x2c3d3615, 0x27191713, 0x312b382e, 0x3e030832
+};
+
+static const uint32_t pi[6] = {
+ 0x110b070a, 0x10050312, 0x04181508, 0x0d13170f, 0x0e14020c, 0x01060916
+};
+
+#define ROTR64(x, y) (((x) << (64U - (y))) | ((x) >> (y))) // 64-bit rotate right
+#define ABSORB(ctx, idx, v) do { ctx->state[(idx) >> 3] ^= ((uint64_t) (v)) << (((idx) & 0x7) << 3); \
+} while (0)
+#define SQUEEZE(ctx, idx) ((uint8_t) (ctx->state[(idx) >> 3] >> (((idx) & 0x7) << 3)))
+#define SWAP(x, y) do { uint64_t tmp = (x); (x) = (y); (y) = tmp; } while (0)
+
+/* The permutation function. */
+static void keccak_f1600(mbedtls_sha3_context *ctx)
+{
+ uint64_t lane[5];
+ uint64_t *s = ctx->state;
+ int i;
+
+ for (int round = 0; round < 24; round++) {
+ uint64_t t;
+
+ /* Theta */
+#if MBEDTLS_SHA3_THETA_UNROLL == 0 //no-check-names
+ for (i = 0; i < 5; i++) {
+ lane[i] = s[i] ^ s[i + 5] ^ s[i + 10] ^ s[i + 15] ^ s[i + 20];
+ }
+ for (i = 0; i < 5; i++) {
+ t = lane[(i + 4) % 5] ^ ROTR64(lane[(i + 1) % 5], 63);
+ s[i] ^= t; s[i + 5] ^= t; s[i + 10] ^= t; s[i + 15] ^= t; s[i + 20] ^= t;
+ }
+#else
+ lane[0] = s[0] ^ s[5] ^ s[10] ^ s[15] ^ s[20];
+ lane[1] = s[1] ^ s[6] ^ s[11] ^ s[16] ^ s[21];
+ lane[2] = s[2] ^ s[7] ^ s[12] ^ s[17] ^ s[22];
+ lane[3] = s[3] ^ s[8] ^ s[13] ^ s[18] ^ s[23];
+ lane[4] = s[4] ^ s[9] ^ s[14] ^ s[19] ^ s[24];
+
+ t = lane[4] ^ ROTR64(lane[1], 63);
+ s[0] ^= t; s[5] ^= t; s[10] ^= t; s[15] ^= t; s[20] ^= t;
+
+ t = lane[0] ^ ROTR64(lane[2], 63);
+ s[1] ^= t; s[6] ^= t; s[11] ^= t; s[16] ^= t; s[21] ^= t;
+
+ t = lane[1] ^ ROTR64(lane[3], 63);
+ s[2] ^= t; s[7] ^= t; s[12] ^= t; s[17] ^= t; s[22] ^= t;
+
+ t = lane[2] ^ ROTR64(lane[4], 63);
+ s[3] ^= t; s[8] ^= t; s[13] ^= t; s[18] ^= t; s[23] ^= t;
+
+ t = lane[3] ^ ROTR64(lane[0], 63);
+ s[4] ^= t; s[9] ^= t; s[14] ^= t; s[19] ^= t; s[24] ^= t;
+#endif
+
+ /* Rho */
+ for (i = 1; i < 25; i += 4) {
+ uint32_t r = rho[(i - 1) >> 2];
+#if MBEDTLS_SHA3_RHO_UNROLL == 0
+ for (int j = i; j < i + 4; j++) {
+ uint8_t r8 = (uint8_t) (r >> 24);
+ r <<= 8;
+ s[j] = ROTR64(s[j], r8);
+ }
+#else
+ s[i + 0] = ROTR64(s[i + 0], MBEDTLS_BYTE_3(r));
+ s[i + 1] = ROTR64(s[i + 1], MBEDTLS_BYTE_2(r));
+ s[i + 2] = ROTR64(s[i + 2], MBEDTLS_BYTE_1(r));
+ s[i + 3] = ROTR64(s[i + 3], MBEDTLS_BYTE_0(r));
+#endif
+ }
+
+ /* Pi */
+ t = s[1];
+#if MBEDTLS_SHA3_PI_UNROLL == 0
+ for (i = 0; i < 24; i += 4) {
+ uint32_t p = pi[i >> 2];
+ for (unsigned j = 0; j < 4; j++) {
+ SWAP(s[p & 0xff], t);
+ p >>= 8;
+ }
+ }
+#else
+ uint32_t p = pi[0];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[1];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[2];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[3];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[4];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+ p = pi[5];
+ SWAP(s[MBEDTLS_BYTE_0(p)], t); SWAP(s[MBEDTLS_BYTE_1(p)], t);
+ SWAP(s[MBEDTLS_BYTE_2(p)], t); SWAP(s[MBEDTLS_BYTE_3(p)], t);
+#endif
+
+ /* Chi */
+#if MBEDTLS_SHA3_CHI_UNROLL == 0 //no-check-names
+ for (i = 0; i <= 20; i += 5) {
+ lane[0] = s[i]; lane[1] = s[i + 1]; lane[2] = s[i + 2];
+ lane[3] = s[i + 3]; lane[4] = s[i + 4];
+ s[i + 0] ^= (~lane[1]) & lane[2];
+ s[i + 1] ^= (~lane[2]) & lane[3];
+ s[i + 2] ^= (~lane[3]) & lane[4];
+ s[i + 3] ^= (~lane[4]) & lane[0];
+ s[i + 4] ^= (~lane[0]) & lane[1];
+ }
+#else
+ lane[0] = s[0]; lane[1] = s[1]; lane[2] = s[2]; lane[3] = s[3]; lane[4] = s[4];
+ s[0] ^= (~lane[1]) & lane[2];
+ s[1] ^= (~lane[2]) & lane[3];
+ s[2] ^= (~lane[3]) & lane[4];
+ s[3] ^= (~lane[4]) & lane[0];
+ s[4] ^= (~lane[0]) & lane[1];
+
+ lane[0] = s[5]; lane[1] = s[6]; lane[2] = s[7]; lane[3] = s[8]; lane[4] = s[9];
+ s[5] ^= (~lane[1]) & lane[2];
+ s[6] ^= (~lane[2]) & lane[3];
+ s[7] ^= (~lane[3]) & lane[4];
+ s[8] ^= (~lane[4]) & lane[0];
+ s[9] ^= (~lane[0]) & lane[1];
+
+ lane[0] = s[10]; lane[1] = s[11]; lane[2] = s[12]; lane[3] = s[13]; lane[4] = s[14];
+ s[10] ^= (~lane[1]) & lane[2];
+ s[11] ^= (~lane[2]) & lane[3];
+ s[12] ^= (~lane[3]) & lane[4];
+ s[13] ^= (~lane[4]) & lane[0];
+ s[14] ^= (~lane[0]) & lane[1];
+
+ lane[0] = s[15]; lane[1] = s[16]; lane[2] = s[17]; lane[3] = s[18]; lane[4] = s[19];
+ s[15] ^= (~lane[1]) & lane[2];
+ s[16] ^= (~lane[2]) & lane[3];
+ s[17] ^= (~lane[3]) & lane[4];
+ s[18] ^= (~lane[4]) & lane[0];
+ s[19] ^= (~lane[0]) & lane[1];
+
+ lane[0] = s[20]; lane[1] = s[21]; lane[2] = s[22]; lane[3] = s[23]; lane[4] = s[24];
+ s[20] ^= (~lane[1]) & lane[2];
+ s[21] ^= (~lane[2]) & lane[3];
+ s[22] ^= (~lane[3]) & lane[4];
+ s[23] ^= (~lane[4]) & lane[0];
+ s[24] ^= (~lane[0]) & lane[1];
+#endif
+
+ /* Iota */
+ /* Decompress the round masks (see definition of rc) */
+ s[0] ^= ((iota_r_packed[round] & 0x40ull) << 57 |
+ (iota_r_packed[round] & 0x20ull) << 26 |
+ (iota_r_packed[round] & 0x10ull) << 11 |
+ (iota_r_packed[round] & 0x8f));
+ }
+}
+
+void mbedtls_sha3_init(mbedtls_sha3_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_sha3_context));
+}
+
+void mbedtls_sha3_free(mbedtls_sha3_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha3_context));
+}
+
+void mbedtls_sha3_clone(mbedtls_sha3_context *dst,
+ const mbedtls_sha3_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-3 context setup
+ */
+int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id)
+{
+ switch (id) {
+ case MBEDTLS_SHA3_224:
+ ctx->olen = 224 / 8;
+ ctx->max_block_size = 1152 / 8;
+ break;
+ case MBEDTLS_SHA3_256:
+ ctx->olen = 256 / 8;
+ ctx->max_block_size = 1088 / 8;
+ break;
+ case MBEDTLS_SHA3_384:
+ ctx->olen = 384 / 8;
+ ctx->max_block_size = 832 / 8;
+ break;
+ case MBEDTLS_SHA3_512:
+ ctx->olen = 512 / 8;
+ ctx->max_block_size = 576 / 8;
+ break;
+ default:
+ return MBEDTLS_ERR_SHA3_BAD_INPUT_DATA;
+ }
+
+ memset(ctx->state, 0, sizeof(ctx->state));
+ ctx->index = 0;
+
+ return 0;
+}
+
+/*
+ * SHA-3 process buffer
+ */
+int mbedtls_sha3_update(mbedtls_sha3_context *ctx,
+ const uint8_t *input,
+ size_t ilen)
+{
+ if (ilen >= 8) {
+ // 8-byte align index
+ int align_bytes = 8 - (ctx->index % 8);
+ if (align_bytes) {
+ for (; align_bytes > 0; align_bytes--) {
+ ABSORB(ctx, ctx->index, *input++);
+ ilen--;
+ ctx->index++;
+ }
+ if ((ctx->index = ctx->index % ctx->max_block_size) == 0) {
+ keccak_f1600(ctx);
+ }
+ }
+
+ // process input in 8-byte chunks
+ while (ilen >= 8) {
+ ABSORB(ctx, ctx->index, MBEDTLS_GET_UINT64_LE(input, 0));
+ input += 8;
+ ilen -= 8;
+ if ((ctx->index = (ctx->index + 8) % ctx->max_block_size) == 0) {
+ keccak_f1600(ctx);
+ }
+ }
+ }
+
+ // handle remaining bytes
+ while (ilen-- > 0) {
+ ABSORB(ctx, ctx->index, *input++);
+ if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) {
+ keccak_f1600(ctx);
+ }
+ }
+
+ return 0;
+}
+
+int mbedtls_sha3_finish(mbedtls_sha3_context *ctx,
+ uint8_t *output, size_t olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Catch SHA-3 families, with fixed output length */
+ if (ctx->olen > 0) {
+ if (ctx->olen > olen) {
+ ret = MBEDTLS_ERR_SHA3_BAD_INPUT_DATA;
+ goto exit;
+ }
+ olen = ctx->olen;
+ }
+
+ ABSORB(ctx, ctx->index, XOR_BYTE);
+ ABSORB(ctx, ctx->max_block_size - 1, 0x80);
+ keccak_f1600(ctx);
+ ctx->index = 0;
+
+ while (olen-- > 0) {
+ *output++ = SQUEEZE(ctx, ctx->index);
+
+ if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) {
+ keccak_f1600(ctx);
+ }
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_sha3_free(ctx);
+ return ret;
+}
+
+/*
+ * output = SHA-3( input buffer )
+ */
+int mbedtls_sha3(mbedtls_sha3_id id, const uint8_t *input,
+ size_t ilen, uint8_t *output, size_t olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_sha3_context ctx;
+
+ mbedtls_sha3_init(&ctx);
+
+ /* Sanity checks are performed in every mbedtls_sha3_xxx() */
+ if ((ret = mbedtls_sha3_starts(&ctx, id)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha3_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha3_finish(&ctx, output, olen)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_sha3_free(&ctx);
+
+ return ret;
+}
+
+/**************** Self-tests ****************/
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_data[2][4] =
+{
+ "",
+ "abc",
+};
+
+static const size_t test_data_len[2] =
+{
+ 0, /* "" */
+ 3 /* "abc" */
+};
+
+static const unsigned char test_hash_sha3_224[2][28] =
+{
+ { /* "" */
+ 0x6B, 0x4E, 0x03, 0x42, 0x36, 0x67, 0xDB, 0xB7,
+ 0x3B, 0x6E, 0x15, 0x45, 0x4F, 0x0E, 0xB1, 0xAB,
+ 0xD4, 0x59, 0x7F, 0x9A, 0x1B, 0x07, 0x8E, 0x3F,
+ 0x5B, 0x5A, 0x6B, 0xC7
+ },
+ { /* "abc" */
+ 0xE6, 0x42, 0x82, 0x4C, 0x3F, 0x8C, 0xF2, 0x4A,
+ 0xD0, 0x92, 0x34, 0xEE, 0x7D, 0x3C, 0x76, 0x6F,
+ 0xC9, 0xA3, 0xA5, 0x16, 0x8D, 0x0C, 0x94, 0xAD,
+ 0x73, 0xB4, 0x6F, 0xDF
+ }
+};
+
+static const unsigned char test_hash_sha3_256[2][32] =
+{
+ { /* "" */
+ 0xA7, 0xFF, 0xC6, 0xF8, 0xBF, 0x1E, 0xD7, 0x66,
+ 0x51, 0xC1, 0x47, 0x56, 0xA0, 0x61, 0xD6, 0x62,
+ 0xF5, 0x80, 0xFF, 0x4D, 0xE4, 0x3B, 0x49, 0xFA,
+ 0x82, 0xD8, 0x0A, 0x4B, 0x80, 0xF8, 0x43, 0x4A
+ },
+ { /* "abc" */
+ 0x3A, 0x98, 0x5D, 0xA7, 0x4F, 0xE2, 0x25, 0xB2,
+ 0x04, 0x5C, 0x17, 0x2D, 0x6B, 0xD3, 0x90, 0xBD,
+ 0x85, 0x5F, 0x08, 0x6E, 0x3E, 0x9D, 0x52, 0x5B,
+ 0x46, 0xBF, 0xE2, 0x45, 0x11, 0x43, 0x15, 0x32
+ }
+};
+
+static const unsigned char test_hash_sha3_384[2][48] =
+{
+ { /* "" */
+ 0x0C, 0x63, 0xA7, 0x5B, 0x84, 0x5E, 0x4F, 0x7D,
+ 0x01, 0x10, 0x7D, 0x85, 0x2E, 0x4C, 0x24, 0x85,
+ 0xC5, 0x1A, 0x50, 0xAA, 0xAA, 0x94, 0xFC, 0x61,
+ 0x99, 0x5E, 0x71, 0xBB, 0xEE, 0x98, 0x3A, 0x2A,
+ 0xC3, 0x71, 0x38, 0x31, 0x26, 0x4A, 0xDB, 0x47,
+ 0xFB, 0x6B, 0xD1, 0xE0, 0x58, 0xD5, 0xF0, 0x04
+ },
+ { /* "abc" */
+ 0xEC, 0x01, 0x49, 0x82, 0x88, 0x51, 0x6F, 0xC9,
+ 0x26, 0x45, 0x9F, 0x58, 0xE2, 0xC6, 0xAD, 0x8D,
+ 0xF9, 0xB4, 0x73, 0xCB, 0x0F, 0xC0, 0x8C, 0x25,
+ 0x96, 0xDA, 0x7C, 0xF0, 0xE4, 0x9B, 0xE4, 0xB2,
+ 0x98, 0xD8, 0x8C, 0xEA, 0x92, 0x7A, 0xC7, 0xF5,
+ 0x39, 0xF1, 0xED, 0xF2, 0x28, 0x37, 0x6D, 0x25
+ }
+};
+
+static const unsigned char test_hash_sha3_512[2][64] =
+{
+ { /* "" */
+ 0xA6, 0x9F, 0x73, 0xCC, 0xA2, 0x3A, 0x9A, 0xC5,
+ 0xC8, 0xB5, 0x67, 0xDC, 0x18, 0x5A, 0x75, 0x6E,
+ 0x97, 0xC9, 0x82, 0x16, 0x4F, 0xE2, 0x58, 0x59,
+ 0xE0, 0xD1, 0xDC, 0xC1, 0x47, 0x5C, 0x80, 0xA6,
+ 0x15, 0xB2, 0x12, 0x3A, 0xF1, 0xF5, 0xF9, 0x4C,
+ 0x11, 0xE3, 0xE9, 0x40, 0x2C, 0x3A, 0xC5, 0x58,
+ 0xF5, 0x00, 0x19, 0x9D, 0x95, 0xB6, 0xD3, 0xE3,
+ 0x01, 0x75, 0x85, 0x86, 0x28, 0x1D, 0xCD, 0x26
+ },
+ { /* "abc" */
+ 0xB7, 0x51, 0x85, 0x0B, 0x1A, 0x57, 0x16, 0x8A,
+ 0x56, 0x93, 0xCD, 0x92, 0x4B, 0x6B, 0x09, 0x6E,
+ 0x08, 0xF6, 0x21, 0x82, 0x74, 0x44, 0xF7, 0x0D,
+ 0x88, 0x4F, 0x5D, 0x02, 0x40, 0xD2, 0x71, 0x2E,
+ 0x10, 0xE1, 0x16, 0xE9, 0x19, 0x2A, 0xF3, 0xC9,
+ 0x1A, 0x7E, 0xC5, 0x76, 0x47, 0xE3, 0x93, 0x40,
+ 0x57, 0x34, 0x0B, 0x4C, 0xF4, 0x08, 0xD5, 0xA5,
+ 0x65, 0x92, 0xF8, 0x27, 0x4E, 0xEC, 0x53, 0xF0
+ }
+};
+
+static const unsigned char long_kat_hash_sha3_224[28] =
+{
+ 0xD6, 0x93, 0x35, 0xB9, 0x33, 0x25, 0x19, 0x2E,
+ 0x51, 0x6A, 0x91, 0x2E, 0x6D, 0x19, 0xA1, 0x5C,
+ 0xB5, 0x1C, 0x6E, 0xD5, 0xC1, 0x52, 0x43, 0xE7,
+ 0xA7, 0xFD, 0x65, 0x3C
+};
+
+static const unsigned char long_kat_hash_sha3_256[32] =
+{
+ 0x5C, 0x88, 0x75, 0xAE, 0x47, 0x4A, 0x36, 0x34,
+ 0xBA, 0x4F, 0xD5, 0x5E, 0xC8, 0x5B, 0xFF, 0xD6,
+ 0x61, 0xF3, 0x2A, 0xCA, 0x75, 0xC6, 0xD6, 0x99,
+ 0xD0, 0xCD, 0xCB, 0x6C, 0x11, 0x58, 0x91, 0xC1
+};
+
+static const unsigned char long_kat_hash_sha3_384[48] =
+{
+ 0xEE, 0xE9, 0xE2, 0x4D, 0x78, 0xC1, 0x85, 0x53,
+ 0x37, 0x98, 0x34, 0x51, 0xDF, 0x97, 0xC8, 0xAD,
+ 0x9E, 0xED, 0xF2, 0x56, 0xC6, 0x33, 0x4F, 0x8E,
+ 0x94, 0x8D, 0x25, 0x2D, 0x5E, 0x0E, 0x76, 0x84,
+ 0x7A, 0xA0, 0x77, 0x4D, 0xDB, 0x90, 0xA8, 0x42,
+ 0x19, 0x0D, 0x2C, 0x55, 0x8B, 0x4B, 0x83, 0x40
+};
+
+static const unsigned char long_kat_hash_sha3_512[64] =
+{
+ 0x3C, 0x3A, 0x87, 0x6D, 0xA1, 0x40, 0x34, 0xAB,
+ 0x60, 0x62, 0x7C, 0x07, 0x7B, 0xB9, 0x8F, 0x7E,
+ 0x12, 0x0A, 0x2A, 0x53, 0x70, 0x21, 0x2D, 0xFF,
+ 0xB3, 0x38, 0x5A, 0x18, 0xD4, 0xF3, 0x88, 0x59,
+ 0xED, 0x31, 0x1D, 0x0A, 0x9D, 0x51, 0x41, 0xCE,
+ 0x9C, 0xC5, 0xC6, 0x6E, 0xE6, 0x89, 0xB2, 0x66,
+ 0xA8, 0xAA, 0x18, 0xAC, 0xE8, 0x28, 0x2A, 0x0E,
+ 0x0D, 0xB5, 0x96, 0xC9, 0x0B, 0x0A, 0x7B, 0x87
+};
+
+static int mbedtls_sha3_kat_test(int verbose,
+ const char *type_name,
+ mbedtls_sha3_id id,
+ int test_num)
+{
+ uint8_t hash[64];
+ int result;
+
+ result = mbedtls_sha3(id,
+ test_data[test_num], test_data_len[test_num],
+ hash, sizeof(hash));
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf(" %s test %d error code: %d\n",
+ type_name, test_num, result);
+ }
+
+ return result;
+ }
+
+ switch (id) {
+ case MBEDTLS_SHA3_224:
+ result = memcmp(hash, test_hash_sha3_224[test_num], 28);
+ break;
+ case MBEDTLS_SHA3_256:
+ result = memcmp(hash, test_hash_sha3_256[test_num], 32);
+ break;
+ case MBEDTLS_SHA3_384:
+ result = memcmp(hash, test_hash_sha3_384[test_num], 48);
+ break;
+ case MBEDTLS_SHA3_512:
+ result = memcmp(hash, test_hash_sha3_512[test_num], 64);
+ break;
+ default:
+ break;
+ }
+
+ if (0 != result) {
+ if (verbose != 0) {
+ mbedtls_printf(" %s test %d failed\n", type_name, test_num);
+ }
+
+ return -1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf(" %s test %d passed\n", type_name, test_num);
+ }
+
+ return 0;
+}
+
+static int mbedtls_sha3_long_kat_test(int verbose,
+ const char *type_name,
+ mbedtls_sha3_id id)
+{
+ mbedtls_sha3_context ctx;
+ unsigned char buffer[1000];
+ unsigned char hash[64];
+ int result = 0;
+
+ memset(buffer, 'a', 1000);
+
+ if (verbose != 0) {
+ mbedtls_printf(" %s long KAT test ", type_name);
+ }
+
+ mbedtls_sha3_init(&ctx);
+
+ result = mbedtls_sha3_starts(&ctx, id);
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("setup failed\n ");
+ }
+ }
+
+ /* Process 1,000,000 (one million) 'a' characters */
+ for (int i = 0; i < 1000; i++) {
+ result = mbedtls_sha3_update(&ctx, buffer, 1000);
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("update error code: %i\n", result);
+ }
+
+ goto cleanup;
+ }
+ }
+
+ result = mbedtls_sha3_finish(&ctx, hash, sizeof(hash));
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("finish error code: %d\n", result);
+ }
+
+ goto cleanup;
+ }
+
+ switch (id) {
+ case MBEDTLS_SHA3_224:
+ result = memcmp(hash, long_kat_hash_sha3_224, 28);
+ break;
+ case MBEDTLS_SHA3_256:
+ result = memcmp(hash, long_kat_hash_sha3_256, 32);
+ break;
+ case MBEDTLS_SHA3_384:
+ result = memcmp(hash, long_kat_hash_sha3_384, 48);
+ break;
+ case MBEDTLS_SHA3_512:
+ result = memcmp(hash, long_kat_hash_sha3_512, 64);
+ break;
+ default:
+ break;
+ }
+
+ if (result != 0) {
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+
+cleanup:
+ mbedtls_sha3_free(&ctx);
+ return result;
+}
+
+int mbedtls_sha3_self_test(int verbose)
+{
+ int i;
+
+ /* SHA-3 Known Answer Tests (KAT) */
+ for (i = 0; i < 2; i++) {
+ if (0 != mbedtls_sha3_kat_test(verbose,
+ "SHA3-224", MBEDTLS_SHA3_224, i)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_kat_test(verbose,
+ "SHA3-256", MBEDTLS_SHA3_256, i)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_kat_test(verbose,
+ "SHA3-384", MBEDTLS_SHA3_384, i)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_kat_test(verbose,
+ "SHA3-512", MBEDTLS_SHA3_512, i)) {
+ return 1;
+ }
+ }
+
+ /* SHA-3 long KAT tests */
+ if (0 != mbedtls_sha3_long_kat_test(verbose,
+ "SHA3-224", MBEDTLS_SHA3_224)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_long_kat_test(verbose,
+ "SHA3-256", MBEDTLS_SHA3_256)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_long_kat_test(verbose,
+ "SHA3-384", MBEDTLS_SHA3_384)) {
+ return 1;
+ }
+
+ if (0 != mbedtls_sha3_long_kat_test(verbose,
+ "SHA3-512", MBEDTLS_SHA3_512)) {
+ return 1;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA3_C */
diff --git a/library/sha512.c b/library/sha512.c
new file mode 100644
index 0000000..6dcea8d
--- /dev/null
+++ b/library/sha512.c
@@ -0,0 +1,1112 @@
+/*
+ * FIPS-180-2 compliant SHA-384/512 implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The SHA-512 Secure Hash Standard was published by NIST in 2002.
+ *
+ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if defined(__aarch64__) && !defined(__ARM_FEATURE_SHA512) && \
+ defined(__clang__) && __clang_major__ >= 7
+/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
+ *
+ * The intrinsic declaration are guarded by predefined ACLE macros in clang:
+ * these are normally only enabled by the -march option on the command line.
+ * By defining the macros ourselves we gain access to those declarations without
+ * requiring -march on the command line.
+ *
+ * `arm_neon.h` is included by common.h, so we put these defines
+ * at the top of this file, before any includes.
+ */
+#define __ARM_FEATURE_SHA512 1
+#define MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG
+#endif
+
+#include "common.h"
+
+#if defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA384_C)
+
+#include "mbedtls/sha512.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/error.h"
+
+#if defined(_MSC_VER) || defined(__WATCOMC__)
+ #define UL64(x) x##ui64
+#else
+ #define UL64(x) x##ULL
+#endif
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#if defined(__aarch64__)
+# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+/* *INDENT-OFF* */
+# if !defined(MBEDTLS_HAVE_NEON_INTRINSICS)
+# error "Target does not support NEON instructions"
+# endif
+/*
+ * Best performance comes from most recent compilers, with intrinsics and -O3.
+ * Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and
+ * can't always detect __ARM_FEATURE_SHA512 (notably clang 7-12).
+ *
+ * GCC < 8 won't work at all (lacks the sha512 instructions)
+ * GCC >= 8 uses intrinsics, sets __ARM_FEATURE_SHA512
+ *
+ * Clang < 7 won't work at all (lacks the sha512 instructions)
+ * Clang 7-12 don't have intrinsics (but we work around that with inline
+ * assembler) or __ARM_FEATURE_SHA512
+ * Clang == 13.0.0 same as clang 12 (only seen on macOS)
+ * Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics
+ */
+# if !defined(__ARM_FEATURE_SHA512) || defined(MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG)
+ /* Test Clang first, as it defines __GNUC__ */
+# if defined(__ARMCOMPILER_VERSION)
+# if __ARMCOMPILER_VERSION < 6090000
+# error "A more recent armclang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# elif __ARMCOMPILER_VERSION == 6090000
+# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# else
+# pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# elif defined(__clang__)
+# if __clang_major__ < 7
+# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# else
+# pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function)
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# elif defined(__GNUC__)
+# if __GNUC__ < 8
+# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# else
+# pragma GCC push_options
+# pragma GCC target ("arch=armv8.2-a+sha3")
+# define MBEDTLS_POP_TARGET_PRAGMA
+# endif
+# else
+# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+# endif
+# endif
+/* *INDENT-ON* */
+# endif
+# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+# if defined(__unix__)
+# if defined(__linux__)
+/* Our preferred method of detection is getauxval() */
+# include <sys/auxv.h>
+# if !defined(HWCAP_SHA512)
+/* The same header that declares getauxval() should provide the HWCAP_xxx
+ * constants to analyze its return value. However, the libc may be too
+ * old to have the constant that we need. So if it's missing, assume that
+ * the value is the same one used by the Linux kernel ABI.
+ */
+# define HWCAP_SHA512 (1 << 21)
+# endif
+# endif
+/* Use SIGILL on Unix, and fall back to it on Linux */
+# include <signal.h>
+# endif
+# endif
+#elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+# undef MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
+# undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+#endif
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+/*
+ * Capability detection code comes early, so we can disable
+ * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found
+ */
+#if defined(HWCAP_SHA512)
+static int mbedtls_a64_crypto_sha512_determine_support(void)
+{
+ return (getauxval(AT_HWCAP) & HWCAP_SHA512) ? 1 : 0;
+}
+#elif defined(__APPLE__)
+#include <sys/types.h>
+#include <sys/sysctl.h>
+
+static int mbedtls_a64_crypto_sha512_determine_support(void)
+{
+ int value = 0;
+ size_t value_len = sizeof(value);
+
+ int ret = sysctlbyname("hw.optional.armv8_2_sha512", &value, &value_len,
+ NULL, 0);
+ return ret == 0 && value != 0;
+}
+#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
+/*
+ * As of March 2022, there don't appear to be any PF_ARM_V8_* flags
+ * available to pass to IsProcessorFeaturePresent() to check for
+ * SHA-512 support. So we fall back to the C code only.
+ */
+#if defined(_MSC_VER)
+#pragma message "No mechanism to detect A64_CRYPTO found, using C code only"
+#else
+#warning "No mechanism to detect A64_CRYPTO found, using C code only"
+#endif
+#elif defined(__unix__) && defined(SIG_SETMASK)
+/* Detection with SIGILL, setjmp() and longjmp() */
+#include <signal.h>
+#include <setjmp.h>
+
+static jmp_buf return_from_sigill;
+
+/*
+ * A64 SHA512 support detection via SIGILL
+ */
+static void sigill_handler(int signal)
+{
+ (void) signal;
+ longjmp(return_from_sigill, 1);
+}
+
+static int mbedtls_a64_crypto_sha512_determine_support(void)
+{
+ struct sigaction old_action, new_action;
+
+ sigset_t old_mask;
+ if (sigprocmask(0, NULL, &old_mask)) {
+ return 0;
+ }
+
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = 0;
+ new_action.sa_handler = sigill_handler;
+
+ sigaction(SIGILL, &new_action, &old_action);
+
+ static int ret = 0;
+
+ if (setjmp(return_from_sigill) == 0) { /* First return only */
+ /* If this traps, we will return a second time from setjmp() with 1 */
+ asm ("sha512h q0, q0, v0.2d" : : : "v0");
+ ret = 1;
+ }
+
+ sigaction(SIGILL, &old_action, NULL);
+ sigprocmask(SIG_SETMASK, &old_mask, NULL);
+
+ return ret;
+}
+#else
+#warning "No mechanism to detect A64_CRYPTO found, using C code only"
+#undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
+#endif /* HWCAP_SHA512, __APPLE__, __unix__ && SIG_SETMASK */
+
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */
+
+#if !defined(MBEDTLS_SHA512_ALT)
+
+#define SHA512_BLOCK_SIZE 128
+
+#if defined(MBEDTLS_SHA512_SMALLER)
+static void sha512_put_uint64_be(uint64_t n, unsigned char *b, uint8_t i)
+{
+ MBEDTLS_PUT_UINT64_BE(n, b, i);
+}
+#else
+#define sha512_put_uint64_be MBEDTLS_PUT_UINT64_BE
+#endif /* MBEDTLS_SHA512_SMALLER */
+
+void mbedtls_sha512_init(mbedtls_sha512_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_sha512_context));
+}
+
+void mbedtls_sha512_free(mbedtls_sha512_context *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha512_context));
+}
+
+void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
+ const mbedtls_sha512_context *src)
+{
+ *dst = *src;
+}
+
+/*
+ * SHA-512 context setup
+ */
+int mbedtls_sha512_starts(mbedtls_sha512_context *ctx, int is384)
+{
+#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C)
+ if (is384 != 0 && is384 != 1) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#elif defined(MBEDTLS_SHA512_C)
+ if (is384 != 0) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#else /* defined MBEDTLS_SHA384_C only */
+ if (is384 == 0) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#endif
+
+ ctx->total[0] = 0;
+ ctx->total[1] = 0;
+
+ if (is384 == 0) {
+#if defined(MBEDTLS_SHA512_C)
+ ctx->state[0] = UL64(0x6A09E667F3BCC908);
+ ctx->state[1] = UL64(0xBB67AE8584CAA73B);
+ ctx->state[2] = UL64(0x3C6EF372FE94F82B);
+ ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
+ ctx->state[4] = UL64(0x510E527FADE682D1);
+ ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
+ ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
+ ctx->state[7] = UL64(0x5BE0CD19137E2179);
+#endif /* MBEDTLS_SHA512_C */
+ } else {
+#if defined(MBEDTLS_SHA384_C)
+ ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
+ ctx->state[1] = UL64(0x629A292A367CD507);
+ ctx->state[2] = UL64(0x9159015A3070DD17);
+ ctx->state[3] = UL64(0x152FECD8F70E5939);
+ ctx->state[4] = UL64(0x67332667FFC00B31);
+ ctx->state[5] = UL64(0x8EB44A8768581511);
+ ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
+ ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
+#endif /* MBEDTLS_SHA384_C */
+ }
+
+#if defined(MBEDTLS_SHA384_C)
+ ctx->is384 = is384;
+#endif
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_SHA512_PROCESS_ALT)
+
+/*
+ * Round constants
+ */
+static const uint64_t K[80] =
+{
+ UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
+ UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
+ UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
+ UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
+ UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
+ UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
+ UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
+ UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
+ UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
+ UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
+ UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
+ UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
+ UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
+ UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
+ UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
+ UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
+ UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
+ UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
+ UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
+ UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
+ UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
+ UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
+ UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
+ UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
+ UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
+ UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
+ UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
+ UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
+ UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
+ UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
+ UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
+ UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
+ UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
+ UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
+ UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
+ UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
+ UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
+ UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
+ UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
+ UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
+};
+#endif
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
+ defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+# define mbedtls_internal_sha512_process_many_a64_crypto mbedtls_internal_sha512_process_many
+# define mbedtls_internal_sha512_process_a64_crypto mbedtls_internal_sha512_process
+#endif
+
+/* Accelerated SHA-512 implementation originally written by Simon Tatham for PuTTY,
+ * under the MIT licence; dual-licensed as Apache 2 with his kind permission.
+ */
+
+#if defined(__clang__) && \
+ (__clang_major__ < 13 || \
+ (__clang_major__ == 13 && __clang_minor__ == 0 && __clang_patchlevel__ == 0))
+static inline uint64x2_t vsha512su0q_u64(uint64x2_t x, uint64x2_t y)
+{
+ asm ("sha512su0 %0.2D,%1.2D" : "+w" (x) : "w" (y));
+ return x;
+}
+static inline uint64x2_t vsha512su1q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z)
+{
+ asm ("sha512su1 %0.2D,%1.2D,%2.2D" : "+w" (x) : "w" (y), "w" (z));
+ return x;
+}
+static inline uint64x2_t vsha512hq_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z)
+{
+ asm ("sha512h %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z));
+ return x;
+}
+static inline uint64x2_t vsha512h2q_u64(uint64x2_t x, uint64x2_t y, uint64x2_t z)
+{
+ asm ("sha512h2 %0,%1,%2.2D" : "+w" (x) : "w" (y), "w" (z));
+ return x;
+}
+#endif /* __clang__ etc */
+
+static size_t mbedtls_internal_sha512_process_many_a64_crypto(
+ mbedtls_sha512_context *ctx, const uint8_t *msg, size_t len)
+{
+ uint64x2_t ab = vld1q_u64(&ctx->state[0]);
+ uint64x2_t cd = vld1q_u64(&ctx->state[2]);
+ uint64x2_t ef = vld1q_u64(&ctx->state[4]);
+ uint64x2_t gh = vld1q_u64(&ctx->state[6]);
+
+ size_t processed = 0;
+
+ for (;
+ len >= SHA512_BLOCK_SIZE;
+ processed += SHA512_BLOCK_SIZE,
+ msg += SHA512_BLOCK_SIZE,
+ len -= SHA512_BLOCK_SIZE) {
+ uint64x2_t initial_sum, sum, intermed;
+
+ uint64x2_t ab_orig = ab;
+ uint64x2_t cd_orig = cd;
+ uint64x2_t ef_orig = ef;
+ uint64x2_t gh_orig = gh;
+
+ uint64x2_t s0 = (uint64x2_t) vld1q_u8(msg + 16 * 0);
+ uint64x2_t s1 = (uint64x2_t) vld1q_u8(msg + 16 * 1);
+ uint64x2_t s2 = (uint64x2_t) vld1q_u8(msg + 16 * 2);
+ uint64x2_t s3 = (uint64x2_t) vld1q_u8(msg + 16 * 3);
+ uint64x2_t s4 = (uint64x2_t) vld1q_u8(msg + 16 * 4);
+ uint64x2_t s5 = (uint64x2_t) vld1q_u8(msg + 16 * 5);
+ uint64x2_t s6 = (uint64x2_t) vld1q_u8(msg + 16 * 6);
+ uint64x2_t s7 = (uint64x2_t) vld1q_u8(msg + 16 * 7);
+
+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* assume LE if these not defined; untested on BE */
+ s0 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s0)));
+ s1 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s1)));
+ s2 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s2)));
+ s3 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s3)));
+ s4 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s4)));
+ s5 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s5)));
+ s6 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s6)));
+ s7 = vreinterpretq_u64_u8(vrev64q_u8(vreinterpretq_u8_u64(s7)));
+#endif
+
+ /* Rounds 0 and 1 */
+ initial_sum = vaddq_u64(s0, vld1q_u64(&K[0]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
+ intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
+ gh = vsha512h2q_u64(intermed, cd, ab);
+ cd = vaddq_u64(cd, intermed);
+
+ /* Rounds 2 and 3 */
+ initial_sum = vaddq_u64(s1, vld1q_u64(&K[2]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
+ intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
+ ef = vsha512h2q_u64(intermed, ab, gh);
+ ab = vaddq_u64(ab, intermed);
+
+ /* Rounds 4 and 5 */
+ initial_sum = vaddq_u64(s2, vld1q_u64(&K[4]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
+ intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
+ cd = vsha512h2q_u64(intermed, gh, ef);
+ gh = vaddq_u64(gh, intermed);
+
+ /* Rounds 6 and 7 */
+ initial_sum = vaddq_u64(s3, vld1q_u64(&K[6]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
+ intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
+ ab = vsha512h2q_u64(intermed, ef, cd);
+ ef = vaddq_u64(ef, intermed);
+
+ /* Rounds 8 and 9 */
+ initial_sum = vaddq_u64(s4, vld1q_u64(&K[8]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
+ intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
+ gh = vsha512h2q_u64(intermed, cd, ab);
+ cd = vaddq_u64(cd, intermed);
+
+ /* Rounds 10 and 11 */
+ initial_sum = vaddq_u64(s5, vld1q_u64(&K[10]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
+ intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
+ ef = vsha512h2q_u64(intermed, ab, gh);
+ ab = vaddq_u64(ab, intermed);
+
+ /* Rounds 12 and 13 */
+ initial_sum = vaddq_u64(s6, vld1q_u64(&K[12]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
+ intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
+ cd = vsha512h2q_u64(intermed, gh, ef);
+ gh = vaddq_u64(gh, intermed);
+
+ /* Rounds 14 and 15 */
+ initial_sum = vaddq_u64(s7, vld1q_u64(&K[14]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
+ intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
+ ab = vsha512h2q_u64(intermed, ef, cd);
+ ef = vaddq_u64(ef, intermed);
+
+ for (unsigned int t = 16; t < 80; t += 16) {
+ /* Rounds t and t + 1 */
+ s0 = vsha512su1q_u64(vsha512su0q_u64(s0, s1), s7, vextq_u64(s4, s5, 1));
+ initial_sum = vaddq_u64(s0, vld1q_u64(&K[t]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
+ intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
+ gh = vsha512h2q_u64(intermed, cd, ab);
+ cd = vaddq_u64(cd, intermed);
+
+ /* Rounds t + 2 and t + 3 */
+ s1 = vsha512su1q_u64(vsha512su0q_u64(s1, s2), s0, vextq_u64(s5, s6, 1));
+ initial_sum = vaddq_u64(s1, vld1q_u64(&K[t + 2]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
+ intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
+ ef = vsha512h2q_u64(intermed, ab, gh);
+ ab = vaddq_u64(ab, intermed);
+
+ /* Rounds t + 4 and t + 5 */
+ s2 = vsha512su1q_u64(vsha512su0q_u64(s2, s3), s1, vextq_u64(s6, s7, 1));
+ initial_sum = vaddq_u64(s2, vld1q_u64(&K[t + 4]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
+ intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
+ cd = vsha512h2q_u64(intermed, gh, ef);
+ gh = vaddq_u64(gh, intermed);
+
+ /* Rounds t + 6 and t + 7 */
+ s3 = vsha512su1q_u64(vsha512su0q_u64(s3, s4), s2, vextq_u64(s7, s0, 1));
+ initial_sum = vaddq_u64(s3, vld1q_u64(&K[t + 6]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
+ intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
+ ab = vsha512h2q_u64(intermed, ef, cd);
+ ef = vaddq_u64(ef, intermed);
+
+ /* Rounds t + 8 and t + 9 */
+ s4 = vsha512su1q_u64(vsha512su0q_u64(s4, s5), s3, vextq_u64(s0, s1, 1));
+ initial_sum = vaddq_u64(s4, vld1q_u64(&K[t + 8]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), gh);
+ intermed = vsha512hq_u64(sum, vextq_u64(ef, gh, 1), vextq_u64(cd, ef, 1));
+ gh = vsha512h2q_u64(intermed, cd, ab);
+ cd = vaddq_u64(cd, intermed);
+
+ /* Rounds t + 10 and t + 11 */
+ s5 = vsha512su1q_u64(vsha512su0q_u64(s5, s6), s4, vextq_u64(s1, s2, 1));
+ initial_sum = vaddq_u64(s5, vld1q_u64(&K[t + 10]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ef);
+ intermed = vsha512hq_u64(sum, vextq_u64(cd, ef, 1), vextq_u64(ab, cd, 1));
+ ef = vsha512h2q_u64(intermed, ab, gh);
+ ab = vaddq_u64(ab, intermed);
+
+ /* Rounds t + 12 and t + 13 */
+ s6 = vsha512su1q_u64(vsha512su0q_u64(s6, s7), s5, vextq_u64(s2, s3, 1));
+ initial_sum = vaddq_u64(s6, vld1q_u64(&K[t + 12]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), cd);
+ intermed = vsha512hq_u64(sum, vextq_u64(ab, cd, 1), vextq_u64(gh, ab, 1));
+ cd = vsha512h2q_u64(intermed, gh, ef);
+ gh = vaddq_u64(gh, intermed);
+
+ /* Rounds t + 14 and t + 15 */
+ s7 = vsha512su1q_u64(vsha512su0q_u64(s7, s0), s6, vextq_u64(s3, s4, 1));
+ initial_sum = vaddq_u64(s7, vld1q_u64(&K[t + 14]));
+ sum = vaddq_u64(vextq_u64(initial_sum, initial_sum, 1), ab);
+ intermed = vsha512hq_u64(sum, vextq_u64(gh, ab, 1), vextq_u64(ef, gh, 1));
+ ab = vsha512h2q_u64(intermed, ef, cd);
+ ef = vaddq_u64(ef, intermed);
+ }
+
+ ab = vaddq_u64(ab, ab_orig);
+ cd = vaddq_u64(cd, cd_orig);
+ ef = vaddq_u64(ef, ef_orig);
+ gh = vaddq_u64(gh, gh_orig);
+ }
+
+ vst1q_u64(&ctx->state[0], ab);
+ vst1q_u64(&ctx->state[2], cd);
+ vst1q_u64(&ctx->state[4], ef);
+ vst1q_u64(&ctx->state[6], gh);
+
+ return processed;
+}
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+/*
+ * This function is for internal use only if we are building both C and A64
+ * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process()
+ */
+static
+#endif
+int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx,
+ const unsigned char data[SHA512_BLOCK_SIZE])
+{
+ return (mbedtls_internal_sha512_process_many_a64_crypto(ctx, data,
+ SHA512_BLOCK_SIZE) ==
+ SHA512_BLOCK_SIZE) ? 0 : -1;
+}
+
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
+
+#if defined(MBEDTLS_POP_TARGET_PRAGMA)
+#if defined(__clang__)
+#pragma clang attribute pop
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
+#undef MBEDTLS_POP_TARGET_PRAGMA
+#endif
+
+
+#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+#define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many
+#define mbedtls_internal_sha512_process_c mbedtls_internal_sha512_process
+#endif
+
+
+#if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+/*
+ * This function is for internal use only if we are building both C and A64
+ * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process()
+ */
+static
+#endif
+int mbedtls_internal_sha512_process_c(mbedtls_sha512_context *ctx,
+ const unsigned char data[SHA512_BLOCK_SIZE])
+{
+ int i;
+ struct {
+ uint64_t temp1, temp2, W[80];
+ uint64_t A[8];
+ } local;
+
+#define SHR(x, n) ((x) >> (n))
+#define ROTR(x, n) (SHR((x), (n)) | ((x) << (64 - (n))))
+
+#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
+#define S1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
+
+#define S2(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
+#define S3(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
+
+#define F0(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
+
+#define P(a, b, c, d, e, f, g, h, x, K) \
+ do \
+ { \
+ local.temp1 = (h) + S3(e) + F1((e), (f), (g)) + (K) + (x); \
+ local.temp2 = S2(a) + F0((a), (b), (c)); \
+ (d) += local.temp1; (h) = local.temp1 + local.temp2; \
+ } while (0)
+
+ for (i = 0; i < 8; i++) {
+ local.A[i] = ctx->state[i];
+ }
+
+#if defined(MBEDTLS_SHA512_SMALLER)
+ for (i = 0; i < 80; i++) {
+ if (i < 16) {
+ local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
+ } else {
+ local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
+ S0(local.W[i - 15]) + local.W[i - 16];
+ }
+
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i], K[i]);
+
+ local.temp1 = local.A[7]; local.A[7] = local.A[6];
+ local.A[6] = local.A[5]; local.A[5] = local.A[4];
+ local.A[4] = local.A[3]; local.A[3] = local.A[2];
+ local.A[2] = local.A[1]; local.A[1] = local.A[0];
+ local.A[0] = local.temp1;
+ }
+#else /* MBEDTLS_SHA512_SMALLER */
+ for (i = 0; i < 16; i++) {
+ local.W[i] = MBEDTLS_GET_UINT64_BE(data, i << 3);
+ }
+
+ for (; i < 80; i++) {
+ local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
+ S0(local.W[i - 15]) + local.W[i - 16];
+ }
+
+ i = 0;
+ do {
+ P(local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i], K[i]); i++;
+ P(local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+ local.A[4], local.A[5], local.A[6], local.W[i], K[i]); i++;
+ P(local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+ local.A[3], local.A[4], local.A[5], local.W[i], K[i]); i++;
+ P(local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+ local.A[2], local.A[3], local.A[4], local.W[i], K[i]); i++;
+ P(local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+ local.A[1], local.A[2], local.A[3], local.W[i], K[i]); i++;
+ P(local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+ local.A[0], local.A[1], local.A[2], local.W[i], K[i]); i++;
+ P(local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+ local.A[7], local.A[0], local.A[1], local.W[i], K[i]); i++;
+ P(local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+ local.A[6], local.A[7], local.A[0], local.W[i], K[i]); i++;
+ } while (i < 80);
+#endif /* MBEDTLS_SHA512_SMALLER */
+
+ for (i = 0; i < 8; i++) {
+ ctx->state[i] += local.A[i];
+ }
+
+ /* Zeroise buffers and variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize(&local, sizeof(local));
+
+ return 0;
+}
+
+#endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
+
+
+#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+
+static size_t mbedtls_internal_sha512_process_many_c(
+ mbedtls_sha512_context *ctx, const uint8_t *data, size_t len)
+{
+ size_t processed = 0;
+
+ while (len >= SHA512_BLOCK_SIZE) {
+ if (mbedtls_internal_sha512_process_c(ctx, data) != 0) {
+ return 0;
+ }
+
+ data += SHA512_BLOCK_SIZE;
+ len -= SHA512_BLOCK_SIZE;
+
+ processed += SHA512_BLOCK_SIZE;
+ }
+
+ return processed;
+}
+
+#endif /* !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
+
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+
+static int mbedtls_a64_crypto_sha512_has_support(void)
+{
+ static int done = 0;
+ static int supported = 0;
+
+ if (!done) {
+ supported = mbedtls_a64_crypto_sha512_determine_support();
+ done = 1;
+ }
+
+ return supported;
+}
+
+static size_t mbedtls_internal_sha512_process_many(mbedtls_sha512_context *ctx,
+ const uint8_t *msg, size_t len)
+{
+ if (mbedtls_a64_crypto_sha512_has_support()) {
+ return mbedtls_internal_sha512_process_many_a64_crypto(ctx, msg, len);
+ } else {
+ return mbedtls_internal_sha512_process_many_c(ctx, msg, len);
+ }
+}
+
+int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
+ const unsigned char data[SHA512_BLOCK_SIZE])
+{
+ if (mbedtls_a64_crypto_sha512_has_support()) {
+ return mbedtls_internal_sha512_process_a64_crypto(ctx, data);
+ } else {
+ return mbedtls_internal_sha512_process_c(ctx, data);
+ }
+}
+
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */
+
+/*
+ * SHA-512 process buffer
+ */
+int mbedtls_sha512_update(mbedtls_sha512_context *ctx,
+ const unsigned char *input,
+ size_t ilen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t fill;
+ unsigned int left;
+
+ if (ilen == 0) {
+ return 0;
+ }
+
+ left = (unsigned int) (ctx->total[0] & 0x7F);
+ fill = SHA512_BLOCK_SIZE - left;
+
+ ctx->total[0] += (uint64_t) ilen;
+
+ if (ctx->total[0] < (uint64_t) ilen) {
+ ctx->total[1]++;
+ }
+
+ if (left && ilen >= fill) {
+ memcpy((void *) (ctx->buffer + left), input, fill);
+
+ if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
+ return ret;
+ }
+
+ input += fill;
+ ilen -= fill;
+ left = 0;
+ }
+
+ while (ilen >= SHA512_BLOCK_SIZE) {
+ size_t processed =
+ mbedtls_internal_sha512_process_many(ctx, input, ilen);
+ if (processed < SHA512_BLOCK_SIZE) {
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+ }
+
+ input += processed;
+ ilen -= processed;
+ }
+
+ if (ilen > 0) {
+ memcpy((void *) (ctx->buffer + left), input, ilen);
+ }
+
+ return 0;
+}
+
+/*
+ * SHA-512 final digest
+ */
+int mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
+ unsigned char *output)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned used;
+ uint64_t high, low;
+ int truncated = 0;
+
+ /*
+ * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
+ */
+ used = ctx->total[0] & 0x7F;
+
+ ctx->buffer[used++] = 0x80;
+
+ if (used <= 112) {
+ /* Enough room for padding + length in current block */
+ memset(ctx->buffer + used, 0, 112 - used);
+ } else {
+ /* We'll need an extra block */
+ memset(ctx->buffer + used, 0, SHA512_BLOCK_SIZE - used);
+
+ if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ memset(ctx->buffer, 0, 112);
+ }
+
+ /*
+ * Add message length
+ */
+ high = (ctx->total[0] >> 61)
+ | (ctx->total[1] << 3);
+ low = (ctx->total[0] << 3);
+
+ sha512_put_uint64_be(high, ctx->buffer, 112);
+ sha512_put_uint64_be(low, ctx->buffer, 120);
+
+ if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
+ goto exit;
+ }
+
+ /*
+ * Output final state
+ */
+ sha512_put_uint64_be(ctx->state[0], output, 0);
+ sha512_put_uint64_be(ctx->state[1], output, 8);
+ sha512_put_uint64_be(ctx->state[2], output, 16);
+ sha512_put_uint64_be(ctx->state[3], output, 24);
+ sha512_put_uint64_be(ctx->state[4], output, 32);
+ sha512_put_uint64_be(ctx->state[5], output, 40);
+
+#if defined(MBEDTLS_SHA384_C)
+ truncated = ctx->is384;
+#endif
+ if (!truncated) {
+ sha512_put_uint64_be(ctx->state[6], output, 48);
+ sha512_put_uint64_be(ctx->state[7], output, 56);
+ }
+
+ ret = 0;
+
+exit:
+ mbedtls_sha512_free(ctx);
+ return ret;
+}
+
+#endif /* !MBEDTLS_SHA512_ALT */
+
+/*
+ * output = SHA-512( input buffer )
+ */
+int mbedtls_sha512(const unsigned char *input,
+ size_t ilen,
+ unsigned char *output,
+ int is384)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_sha512_context ctx;
+
+#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C)
+ if (is384 != 0 && is384 != 1) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#elif defined(MBEDTLS_SHA512_C)
+ if (is384 != 0) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#else /* defined MBEDTLS_SHA384_C only */
+ if (is384 == 0) {
+ return MBEDTLS_ERR_SHA512_BAD_INPUT_DATA;
+ }
+#endif
+
+ mbedtls_sha512_init(&ctx);
+
+ if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha512_update(&ctx, input, ilen)) != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_sha512_finish(&ctx, output)) != 0) {
+ goto exit;
+ }
+
+exit:
+ mbedtls_sha512_free(&ctx);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha_test_buf[3][113] =
+{
+ { "abc" },
+ {
+ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
+ },
+ { "" }
+};
+
+static const size_t sha_test_buflen[3] =
+{
+ 3, 112, 1000
+};
+
+typedef const unsigned char (sha_test_sum_t)[64];
+
+/*
+ * SHA-384 test vectors
+ */
+#if defined(MBEDTLS_SHA384_C)
+static sha_test_sum_t sha384_test_sum[] =
+{
+ { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
+ 0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
+ 0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
+ 0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
+ 0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
+ 0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
+ { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
+ 0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
+ 0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
+ 0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
+ 0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
+ 0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
+ { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
+ 0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
+ 0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
+ 0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
+ 0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
+ 0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 }
+};
+#endif /* MBEDTLS_SHA384_C */
+
+/*
+ * SHA-512 test vectors
+ */
+#if defined(MBEDTLS_SHA512_C)
+static sha_test_sum_t sha512_test_sum[] =
+{
+ { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
+ 0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
+ 0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
+ 0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
+ 0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
+ 0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
+ 0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
+ 0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
+ { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
+ 0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
+ 0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
+ 0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
+ 0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
+ 0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
+ 0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
+ 0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
+ { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
+ 0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
+ 0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
+ 0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
+ 0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
+ 0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
+ 0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
+ 0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
+};
+#endif /* MBEDTLS_SHA512_C */
+
+static int mbedtls_sha512_common_self_test(int verbose, int is384)
+{
+ int i, buflen, ret = 0;
+ unsigned char *buf;
+ unsigned char sha512sum[64];
+ mbedtls_sha512_context ctx;
+
+#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_SHA512_C)
+ sha_test_sum_t *sha_test_sum = (is384) ? sha384_test_sum : sha512_test_sum;
+#elif defined(MBEDTLS_SHA512_C)
+ sha_test_sum_t *sha_test_sum = sha512_test_sum;
+#else
+ sha_test_sum_t *sha_test_sum = sha384_test_sum;
+#endif
+
+ buf = mbedtls_calloc(1024, sizeof(unsigned char));
+ if (NULL == buf) {
+ if (verbose != 0) {
+ mbedtls_printf("Buffer allocation failed\n");
+ }
+
+ return 1;
+ }
+
+ mbedtls_sha512_init(&ctx);
+
+ for (i = 0; i < 3; i++) {
+ if (verbose != 0) {
+ mbedtls_printf(" SHA-%d test #%d: ", 512 - is384 * 128, i + 1);
+ }
+
+ if ((ret = mbedtls_sha512_starts(&ctx, is384)) != 0) {
+ goto fail;
+ }
+
+ if (i == 2) {
+ memset(buf, 'a', buflen = 1000);
+
+ for (int j = 0; j < 1000; j++) {
+ ret = mbedtls_sha512_update(&ctx, buf, buflen);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+ } else {
+ ret = mbedtls_sha512_update(&ctx, sha_test_buf[i],
+ sha_test_buflen[i]);
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+
+ if ((ret = mbedtls_sha512_finish(&ctx, sha512sum)) != 0) {
+ goto fail;
+ }
+
+ if (memcmp(sha512sum, sha_test_sum[i], 64 - is384 * 16) != 0) {
+ ret = 1;
+ goto fail;
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("passed\n");
+ }
+ }
+
+ if (verbose != 0) {
+ mbedtls_printf("\n");
+ }
+
+ goto exit;
+
+fail:
+ if (verbose != 0) {
+ mbedtls_printf("failed\n");
+ }
+
+exit:
+ mbedtls_sha512_free(&ctx);
+ mbedtls_free(buf);
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SHA512_C)
+int mbedtls_sha512_self_test(int verbose)
+{
+ return mbedtls_sha512_common_self_test(verbose, 0);
+}
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA384_C)
+int mbedtls_sha384_self_test(int verbose)
+{
+ return mbedtls_sha512_common_self_test(verbose, 1);
+}
+#endif /* MBEDTLS_SHA384_C */
+
+#undef ARRAY_LENGTH
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA512_C || MBEDTLS_SHA384_C */
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
new file mode 100644
index 0000000..772cb8f
--- /dev/null
+++ b/library/ssl_cache.c
@@ -0,0 +1,410 @@
+/*
+ * SSL session cache implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_CACHE_C)
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/ssl_cache.h"
+#include "ssl_misc.h"
+#include "mbedtls/error.h"
+
+#include <string.h>
+
+void mbedtls_ssl_cache_init(mbedtls_ssl_cache_context *cache)
+{
+ memset(cache, 0, sizeof(mbedtls_ssl_cache_context));
+
+ cache->timeout = MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT;
+ cache->max_entries = MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES;
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&cache->mutex);
+#endif
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_cache_find_entry(mbedtls_ssl_cache_context *cache,
+ unsigned char const *session_id,
+ size_t session_id_len,
+ mbedtls_ssl_cache_entry **dst)
+{
+ int ret = MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND;
+#if defined(MBEDTLS_HAVE_TIME)
+ mbedtls_time_t t = mbedtls_time(NULL);
+#endif
+ mbedtls_ssl_cache_entry *cur;
+
+ for (cur = cache->chain; cur != NULL; cur = cur->next) {
+#if defined(MBEDTLS_HAVE_TIME)
+ if (cache->timeout != 0 &&
+ (int) (t - cur->timestamp) > cache->timeout) {
+ continue;
+ }
+#endif
+
+ if (session_id_len != cur->session_id_len ||
+ memcmp(session_id, cur->session_id,
+ cur->session_id_len) != 0) {
+ continue;
+ }
+
+ break;
+ }
+
+ if (cur != NULL) {
+ *dst = cur;
+ ret = 0;
+ }
+
+ return ret;
+}
+
+
+int mbedtls_ssl_cache_get(void *data,
+ unsigned char const *session_id,
+ size_t session_id_len,
+ mbedtls_ssl_session *session)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+ mbedtls_ssl_cache_entry *entry;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&cache->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = ssl_cache_find_entry(cache, session_id, session_id_len, &entry);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_ssl_session_load(session,
+ entry->session,
+ entry->session_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = 0;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&cache->mutex) != 0) {
+ ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+/* zeroize a cache entry */
+static void ssl_cache_entry_zeroize(mbedtls_ssl_cache_entry *entry)
+{
+ if (entry == NULL) {
+ return;
+ }
+
+ /* zeroize and free session structure */
+ if (entry->session != NULL) {
+ mbedtls_zeroize_and_free(entry->session, entry->session_len);
+ }
+
+ /* zeroize the whole entry structure */
+ mbedtls_platform_zeroize(entry, sizeof(mbedtls_ssl_cache_entry));
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_cache_pick_writing_slot(mbedtls_ssl_cache_context *cache,
+ unsigned char const *session_id,
+ size_t session_id_len,
+ mbedtls_ssl_cache_entry **dst)
+{
+#if defined(MBEDTLS_HAVE_TIME)
+ mbedtls_time_t t = mbedtls_time(NULL), oldest = 0;
+#endif /* MBEDTLS_HAVE_TIME */
+
+ mbedtls_ssl_cache_entry *old = NULL;
+ int count = 0;
+ mbedtls_ssl_cache_entry *cur, *last;
+
+ /* Check 1: Is there already an entry with the given session ID?
+ *
+ * If yes, overwrite it.
+ *
+ * If not, `count` will hold the size of the session cache
+ * at the end of this loop, and `last` will point to the last
+ * entry, both of which will be used later. */
+
+ last = NULL;
+ for (cur = cache->chain; cur != NULL; cur = cur->next) {
+ count++;
+ if (session_id_len == cur->session_id_len &&
+ memcmp(session_id, cur->session_id, cur->session_id_len) == 0) {
+ goto found;
+ }
+ last = cur;
+ }
+
+ /* Check 2: Is there an outdated entry in the cache?
+ *
+ * If so, overwrite it.
+ *
+ * If not, remember the oldest entry in `old` for later.
+ */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ for (cur = cache->chain; cur != NULL; cur = cur->next) {
+ if (cache->timeout != 0 &&
+ (int) (t - cur->timestamp) > cache->timeout) {
+ goto found;
+ }
+
+ if (oldest == 0 || cur->timestamp < oldest) {
+ oldest = cur->timestamp;
+ old = cur;
+ }
+ }
+#endif /* MBEDTLS_HAVE_TIME */
+
+ /* Check 3: Is there free space in the cache? */
+
+ if (count < cache->max_entries) {
+ /* Create new entry */
+ cur = mbedtls_calloc(1, sizeof(mbedtls_ssl_cache_entry));
+ if (cur == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ /* Append to the end of the linked list. */
+ if (last == NULL) {
+ cache->chain = cur;
+ } else {
+ last->next = cur;
+ }
+
+ goto found;
+ }
+
+ /* Last resort: The cache is full and doesn't contain any outdated
+ * elements. In this case, we evict the oldest one, judged by timestamp
+ * (if present) or cache-order. */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ if (old == NULL) {
+ /* This should only happen on an ill-configured cache
+ * with max_entries == 0. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+#else /* MBEDTLS_HAVE_TIME */
+ /* Reuse first entry in chain, but move to last place. */
+ if (cache->chain == NULL) {
+ /* This should never happen */
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+
+ old = cache->chain;
+ cache->chain = old->next;
+ old->next = NULL;
+ last->next = old;
+#endif /* MBEDTLS_HAVE_TIME */
+
+ /* Now `old` points to the oldest entry to be overwritten. */
+ cur = old;
+
+found:
+
+ /* If we're reusing an entry, free it first. */
+ if (cur->session != NULL) {
+ /* `ssl_cache_entry_zeroize` would break the chain,
+ * so we reuse `old` to record `next` temporarily. */
+ old = cur->next;
+ ssl_cache_entry_zeroize(cur);
+ cur->next = old;
+ }
+
+#if defined(MBEDTLS_HAVE_TIME)
+ cur->timestamp = t;
+#endif
+
+ *dst = cur;
+ return 0;
+}
+
+int mbedtls_ssl_cache_set(void *data,
+ unsigned char const *session_id,
+ size_t session_id_len,
+ const mbedtls_ssl_session *session)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+ mbedtls_ssl_cache_entry *cur;
+
+ size_t session_serialized_len = 0;
+ unsigned char *session_serialized = NULL;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&cache->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = ssl_cache_pick_writing_slot(cache,
+ session_id, session_id_len,
+ &cur);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ /* Check how much space we need to serialize the session
+ * and allocate a sufficiently large buffer. */
+ ret = mbedtls_ssl_session_save(session, NULL, 0, &session_serialized_len);
+ if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
+ goto exit;
+ }
+
+ session_serialized = mbedtls_calloc(1, session_serialized_len);
+ if (session_serialized == NULL) {
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto exit;
+ }
+
+ /* Now serialize the session into the allocated buffer. */
+ ret = mbedtls_ssl_session_save(session,
+ session_serialized,
+ session_serialized_len,
+ &session_serialized_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (session_id_len > sizeof(cur->session_id)) {
+ ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ goto exit;
+ }
+ cur->session_id_len = session_id_len;
+ memcpy(cur->session_id, session_id, session_id_len);
+
+ cur->session = session_serialized;
+ cur->session_len = session_serialized_len;
+ session_serialized = NULL;
+
+ ret = 0;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&cache->mutex) != 0) {
+ ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ if (session_serialized != NULL) {
+ mbedtls_zeroize_and_free(session_serialized, session_serialized_len);
+ session_serialized = NULL;
+ }
+
+ return ret;
+}
+
+int mbedtls_ssl_cache_remove(void *data,
+ unsigned char const *session_id,
+ size_t session_id_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+ mbedtls_ssl_cache_entry *entry;
+ mbedtls_ssl_cache_entry *prev;
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&cache->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ ret = ssl_cache_find_entry(cache, session_id, session_id_len, &entry);
+ /* No valid entry found, exit with success */
+ if (ret != 0) {
+ ret = 0;
+ goto exit;
+ }
+
+ /* Now we remove the entry from the chain */
+ if (entry == cache->chain) {
+ cache->chain = entry->next;
+ goto free;
+ }
+ for (prev = cache->chain; prev->next != NULL; prev = prev->next) {
+ if (prev->next == entry) {
+ prev->next = entry->next;
+ break;
+ }
+ }
+
+free:
+ ssl_cache_entry_zeroize(entry);
+ mbedtls_free(entry);
+ ret = 0;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&cache->mutex) != 0) {
+ ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+#if defined(MBEDTLS_HAVE_TIME)
+void mbedtls_ssl_cache_set_timeout(mbedtls_ssl_cache_context *cache, int timeout)
+{
+ if (timeout < 0) {
+ timeout = 0;
+ }
+
+ cache->timeout = timeout;
+}
+#endif /* MBEDTLS_HAVE_TIME */
+
+void mbedtls_ssl_cache_set_max_entries(mbedtls_ssl_cache_context *cache, int max)
+{
+ if (max < 0) {
+ max = 0;
+ }
+
+ cache->max_entries = max;
+}
+
+void mbedtls_ssl_cache_free(mbedtls_ssl_cache_context *cache)
+{
+ mbedtls_ssl_cache_entry *cur, *prv;
+
+ cur = cache->chain;
+
+ while (cur != NULL) {
+ prv = cur;
+ cur = cur->next;
+
+ ssl_cache_entry_zeroize(prv);
+ mbedtls_free(prv);
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_free(&cache->mutex);
+#endif
+ cache->chain = NULL;
+}
+
+#endif /* MBEDTLS_SSL_CACHE_C */
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
new file mode 100644
index 0000000..23619a2
--- /dev/null
+++ b/library/ssl_ciphersuites.c
@@ -0,0 +1,2050 @@
+/**
+ * \file ssl_ciphersuites.c
+ *
+ * \brief SSL ciphersuites for Mbed TLS
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/ssl.h"
+#include "ssl_misc.h"
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
+#endif
+
+#include <string.h>
+
+/*
+ * Ordered from most preferred to least preferred in terms of security.
+ *
+ * Current rule (except weak and null which come last):
+ * 1. By key exchange:
+ * Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
+ * 2. By key length and cipher:
+ * ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128
+ * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
+ * 4. By hash function used when relevant
+ * 5. By key exchange/auth again: EC > non-EC
+ */
+static const int ciphersuite_preference[] =
+{
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+ MBEDTLS_SSL_CIPHERSUITES,
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* TLS 1.3 ciphersuites */
+ MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
+ MBEDTLS_TLS1_3_AES_128_GCM_SHA256,
+ MBEDTLS_TLS1_3_AES_128_CCM_SHA256,
+ MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256,
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ /* Chacha-Poly ephemeral suites */
+ MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+
+ /* All AES-256 ephemeral suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
+
+ /* All CAMELLIA-256 ephemeral suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+
+ /* All ARIA-256 ephemeral suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+
+ /* All AES-128 ephemeral suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
+
+ /* All CAMELLIA-128 ephemeral suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+ /* All ARIA-128 ephemeral suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+
+ /* The PSK ephemeral suites */
+ MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
+ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
+ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+
+ /* The ECJPAKE suite */
+ MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
+
+ /* All AES-256 suites */
+ MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
+ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
+ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8,
+
+ /* All CAMELLIA-256 suites */
+ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+
+ /* All ARIA-256 suites */
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+
+ /* All AES-128 suites */
+ MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
+ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8,
+
+ /* All CAMELLIA-128 suites */
+ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+
+ /* All ARIA-128 suites */
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+
+ /* The RSA PSK suites */
+ MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+
+ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+
+ /* The PSK suites */
+ MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
+ MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384,
+ MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+ MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
+ MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+
+ MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_PSK_WITH_AES_128_CCM,
+ MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
+ MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+ MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
+ MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+
+ /* NULL suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA,
+ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384,
+ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA,
+
+ MBEDTLS_TLS_RSA_WITH_NULL_SHA256,
+ MBEDTLS_TLS_RSA_WITH_NULL_SHA,
+ MBEDTLS_TLS_RSA_WITH_NULL_MD5,
+ MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA,
+ MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384,
+ MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256,
+ MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA,
+ MBEDTLS_TLS_PSK_WITH_NULL_SHA384,
+ MBEDTLS_TLS_PSK_WITH_NULL_SHA256,
+ MBEDTLS_TLS_PSK_WITH_NULL_SHA,
+
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+ 0
+};
+
+static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS1_3_AES_256_GCM_SHA384, "TLS1-3-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384,
+ MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS1_3_AES_128_GCM_SHA256, "TLS1-3-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#if defined(MBEDTLS_SSL_HAVE_CCM) && defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS1_3_AES_128_CCM_SHA256, "TLS1-3-AES-128-CCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
+ { MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, "TLS1-3-AES-128-CCM-8-SHA256",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
+#endif /* MBEDTLS_MD_CAN_SHA256 && MBEDTLS_SSL_HAVE_CCM */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) && defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,
+ "TLS1-3-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_3, MBEDTLS_SSL_VERSION_TLS1_3 },
+#endif /* MBEDTLS_SSL_HAVE_CHACHAPOLY && MBEDTLS_MD_CAN_SHA256 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) && \
+ defined(MBEDTLS_MD_CAN_SHA256) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+ { MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+ { MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+ { MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+ { MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#endif /* MBEDTLS_SSL_HAVE_CHACHAPOLY &&
+ MBEDTLS_MD_CAN_SHA256 &&
+ MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#if defined(MBEDTLS_SSL_HAVE_CCM)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CCM */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+ "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+ "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+ "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+ "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, "TLS-ECDHE-ECDSA-WITH-NULL-SHA",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+ "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_MD_CAN_SHA384) && \
+ defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 && MBEDTLS_SSL_HAVE_GCM */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_CCM)
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8, "TLS-DHE-RSA-WITH-AES-256-CCM-8",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM, "TLS-DHE-RSA-WITH-AES-128-CCM",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, "TLS-DHE-RSA-WITH-AES-128-CCM-8",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CCM */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_MD_CAN_SHA384) && \
+ defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 && MBEDTLS_SSL_HAVE_GCM */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(MBEDTLS_SSL_HAVE_CCM)
+ { MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CCM */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+ "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, "TLS-ECDH-RSA-WITH-NULL-SHA",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+ "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+ "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+ "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+ "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS-ECDH-ECDSA-WITH-NULL-SHA",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, "TLS-PSK-WITH-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256, "TLS-PSK-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA, "TLS-PSK-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_CCM)
+ { MBEDTLS_TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CCM */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#if defined(MBEDTLS_SSL_HAVE_CCM)
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
+ MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+ { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CCM */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256",
+ MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384",
+ MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
+ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+
+ { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
+ MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA)
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_CBC */
+
+#if defined(MBEDTLS_SSL_HAVE_GCM)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_SSL_HAVE_GCM */
+#endif /* MBEDTLS_SSL_HAVE_CAMELLIA */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_SSL_HAVE_AES)
+#if defined(MBEDTLS_SSL_HAVE_CCM)
+ { MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, "TLS-ECJPAKE-WITH-AES-128-CCM-8",
+ MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+ MBEDTLS_CIPHERSUITE_SHORT_TAG,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_SSL_HAVE_CCM */
+#endif /* MBEDTLS_SSL_HAVE_AES */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_MD_CAN_MD5)
+ { MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_PSK_WITH_NULL_SHA256, "TLS-PSK-WITH-NULL-SHA256",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA, "TLS-DHE-PSK-WITH-NULL-SHA",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, "TLS-ECDHE-PSK-WITH-NULL-SHA",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256, "TLS-ECDHE-PSK-WITH-NULL-SHA256",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384, "TLS-ECDHE-PSK-WITH-NULL-SHA384",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-NULL-SHA256",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
+ MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ MBEDTLS_CIPHERSUITE_WEAK,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+#if defined(MBEDTLS_SSL_HAVE_ARIA)
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-RSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-RSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-RSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-RSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+ "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+ "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+ "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+ "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+ "TLS-PSK-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+ "TLS-PSK-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+ "TLS-PSK-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+ "TLS-PSK-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+ "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA384))
+ { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_GCM) && defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+ "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+#if (defined(MBEDTLS_SSL_HAVE_CBC) && \
+ defined(MBEDTLS_MD_CAN_SHA256))
+ { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ 0,
+ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#endif /* MBEDTLS_SSL_HAVE_ARIA */
+
+
+ { 0, "",
+ MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE,
+ 0, 0, 0 }
+};
+
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+const int *mbedtls_ssl_list_ciphersuites(void)
+{
+ return ciphersuite_preference;
+}
+#else
+#define MAX_CIPHERSUITES sizeof(ciphersuite_definitions) / \
+ sizeof(ciphersuite_definitions[0])
+static int supported_ciphersuites[MAX_CIPHERSUITES];
+static int supported_init = 0;
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ciphersuite_is_removed(const mbedtls_ssl_ciphersuite_t *cs_info)
+{
+ (void) cs_info;
+
+ return 0;
+}
+
+const int *mbedtls_ssl_list_ciphersuites(void)
+{
+ /*
+ * On initial call filter out all ciphersuites not supported by current
+ * build based on presence in the ciphersuite_definitions.
+ */
+ if (supported_init == 0) {
+ const int *p;
+ int *q;
+
+ for (p = ciphersuite_preference, q = supported_ciphersuites;
+ *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
+ p++) {
+ const mbedtls_ssl_ciphersuite_t *cs_info;
+ if ((cs_info = mbedtls_ssl_ciphersuite_from_id(*p)) != NULL &&
+ !ciphersuite_is_removed(cs_info)) {
+ *(q++) = *p;
+ }
+ }
+ *q = 0;
+
+ supported_init = 1;
+ }
+
+ return supported_ciphersuites;
+}
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
+ const char *ciphersuite_name)
+{
+ const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+ if (NULL == ciphersuite_name) {
+ return NULL;
+ }
+
+ while (cur->id != 0) {
+ if (0 == strcmp(cur->name, ciphersuite_name)) {
+ return cur;
+ }
+
+ cur++;
+ }
+
+ return NULL;
+}
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id(int ciphersuite)
+{
+ const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+ while (cur->id != 0) {
+ if (cur->id == ciphersuite) {
+ return cur;
+ }
+
+ cur++;
+ }
+
+ return NULL;
+}
+
+const char *mbedtls_ssl_get_ciphersuite_name(const int ciphersuite_id)
+{
+ const mbedtls_ssl_ciphersuite_t *cur;
+
+ cur = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
+
+ if (cur == NULL) {
+ return "unknown";
+ }
+
+ return cur->name;
+}
+
+int mbedtls_ssl_get_ciphersuite_id(const char *ciphersuite_name)
+{
+ const mbedtls_ssl_ciphersuite_t *cur;
+
+ cur = mbedtls_ssl_ciphersuite_from_string(ciphersuite_name);
+
+ if (cur == NULL) {
+ return 0;
+ }
+
+ return cur->id;
+}
+
+size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersuite_t *info)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_type_t key_type;
+ psa_algorithm_t alg;
+ size_t key_bits;
+
+ status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) info->cipher,
+ info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16,
+ &alg, &key_type, &key_bits);
+
+ if (status != PSA_SUCCESS) {
+ return 0;
+ }
+
+ return key_bits;
+#else
+ const mbedtls_cipher_info_t * const cipher_info =
+ mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) info->cipher);
+
+ return mbedtls_cipher_info_get_key_bitlen(cipher_info);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+}
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->key_exchange) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ return MBEDTLS_PK_RSA;
+
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return MBEDTLS_PK_ECDSA;
+
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ return MBEDTLS_PK_ECKEY;
+
+ default:
+ return MBEDTLS_PK_NONE;
+ }
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->key_exchange) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ return PSA_ALG_RSA_PKCS1V15_CRYPT;
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ return PSA_ALG_RSA_PKCS1V15_SIGN(
+ mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
+
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
+
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ return PSA_ALG_ECDH;
+
+ default:
+ return PSA_ALG_NONE;
+ }
+}
+
+psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->key_exchange) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ return PSA_KEY_USAGE_DECRYPT;
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return PSA_KEY_USAGE_SIGN_HASH;
+
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ return PSA_KEY_USAGE_DERIVE;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->key_exchange) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ return MBEDTLS_PK_RSA;
+
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return MBEDTLS_PK_ECDSA;
+
+ default:
+ return MBEDTLS_PK_NONE;
+ }
+}
+
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->key_exchange) {
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
+ * MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
+ * MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->key_exchange) {
+ case MBEDTLS_KEY_EXCHANGE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/ssl_ciphersuites_internal.h b/library/ssl_ciphersuites_internal.h
new file mode 100644
index 0000000..27ff721
--- /dev/null
+++ b/library/ssl_ciphersuites_internal.h
@@ -0,0 +1,154 @@
+/**
+ * \file ssl_ciphersuites_internal.h
+ *
+ * \brief Internal part of the public "ssl_ciphersuites.h".
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H
+#define MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H
+
+#include "mbedtls/pk.h"
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info);
+psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
+#endif /* MBEDTLS_PK_C */
+
+int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info);
+int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
+
+static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
+ const mbedtls_ssl_ciphersuite_t *info)
+{
+ switch (info->MBEDTLS_PRIVATE(key_exchange)) {
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ return 1;
+
+ default:
+ return 0;
+ }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+#endif /* MBEDTLS_SSL_CIPHERSUITES_INTERNAL_H */
diff --git a/library/ssl_client.c b/library/ssl_client.c
new file mode 100644
index 0000000..345e608
--- /dev/null
+++ b/library/ssl_client.c
@@ -0,0 +1,1017 @@
+/*
+ * TLS 1.2 and 1.3 client-side functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
+#include <string.h>
+
+#include "debug_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
+
+#include "ssl_client.h"
+#include "ssl_misc.h"
+#include "ssl_tls13_keys.h"
+#include "ssl_debug_helpers.h"
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ size_t hostname_len;
+
+ *olen = 0;
+
+ if (ssl->hostname == NULL) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, adding server name extension: %s",
+ ssl->hostname));
+
+ hostname_len = strlen(ssl->hostname);
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);
+
+ /*
+ * Sect. 3, RFC 6066 (TLS Extensions Definitions)
+ *
+ * In order to provide any of the server names, clients MAY include an
+ * extension of type "server_name" in the (extended) client hello. The
+ * "extension_data" field of this extension SHALL contain
+ * "ServerNameList" where:
+ *
+ * struct {
+ * NameType name_type;
+ * select (name_type) {
+ * case host_name: HostName;
+ * } name;
+ * } ServerName;
+ *
+ * enum {
+ * host_name(0), (255)
+ * } NameType;
+ *
+ * opaque HostName<1..2^16-1>;
+ *
+ * struct {
+ * ServerName server_name_list<1..2^16-1>
+ * } ServerNameList;
+ *
+ */
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SERVERNAME, p, 0);
+ p += 2;
+
+ MBEDTLS_PUT_UINT16_BE(hostname_len + 5, p, 0);
+ p += 2;
+
+ MBEDTLS_PUT_UINT16_BE(hostname_len + 3, p, 0);
+ p += 2;
+
+ *p++ = MBEDTLS_BYTE_0(MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME);
+
+ MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
+ p += 2;
+
+ memcpy(p, ssl->hostname, hostname_len);
+
+ *olen = hostname_len + 9;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SERVERNAME);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ALPN)
+/*
+ * ssl_write_alpn_ext()
+ *
+ * Structure of the application_layer_protocol_negotiation extension in
+ * ClientHello:
+ *
+ * opaque ProtocolName<1..2^8-1>;
+ *
+ * struct {
+ * ProtocolName protocol_name_list<2..2^16-1>
+ * } ProtocolNameList;
+ *
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+
+ *out_len = 0;
+
+ if (ssl->conf->alpn_list == NULL) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding alpn extension"));
+
+
+ /* Check we have enough space for the extension type (2 bytes), the
+ * extension length (2 bytes) and the protocol_name_list length (2 bytes).
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
+ /* Skip writing extension and list length for now */
+ p += 6;
+
+ /*
+ * opaque ProtocolName<1..2^8-1>;
+ *
+ * struct {
+ * ProtocolName protocol_name_list<2..2^16-1>
+ * } ProtocolNameList;
+ */
+ for (const char **cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
+ /*
+ * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
+ * protocol names is less than 255.
+ */
+ size_t protocol_name_len = strlen(*cur);
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + protocol_name_len);
+ *p++ = (unsigned char) protocol_name_len;
+ memcpy(p, *cur, protocol_name_len);
+ p += protocol_name_len;
+ }
+
+ *out_len = (size_t) (p - buf);
+
+ /* List length = *out_len - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
+ MBEDTLS_PUT_UINT16_BE(*out_len - 6, buf, 4);
+
+ /* Extension length = *out_len - 2 (ext_type) - 2 (ext_len) */
+ MBEDTLS_PUT_UINT16_BE(*out_len - 4, buf, 2);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+ return 0;
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+/*
+ * Function for writing a supported groups (TLS 1.3) or supported elliptic
+ * curves (TLS 1.2) extension.
+ *
+ * The "extension_data" field of a supported groups extension contains a
+ * "NamedGroupList" value (TLS 1.3 RFC8446):
+ * enum {
+ * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
+ * x25519(0x001D), x448(0x001E),
+ * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
+ * ffdhe6144(0x0103), ffdhe8192(0x0104),
+ * ffdhe_private_use(0x01FC..0x01FF),
+ * ecdhe_private_use(0xFE00..0xFEFF),
+ * (0xFFFF)
+ * } NamedGroup;
+ * struct {
+ * NamedGroup named_group_list<2..2^16-1>;
+ * } NamedGroupList;
+ *
+ * The "extension_data" field of a supported elliptic curves extension contains
+ * a "NamedCurveList" value (TLS 1.2 RFC 8422):
+ * enum {
+ * deprecated(1..22),
+ * secp256r1 (23), secp384r1 (24), secp521r1 (25),
+ * x25519(29), x448(30),
+ * reserved (0xFE00..0xFEFF),
+ * deprecated(0xFF01..0xFF02),
+ * (0xFFFF)
+ * } NamedCurve;
+ * struct {
+ * NamedCurve named_curve_list<2..2^16-1>
+ * } NamedCurveList;
+ *
+ * The TLS 1.3 supported groups extension was defined to be a compatible
+ * generalization of the TLS 1.2 supported elliptic curves extension. They both
+ * share the same extension identifier.
+ *
+ */
+#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG 1
+#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG 2
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ int flags,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ unsigned char *named_group_list; /* Start of named_group_list */
+ size_t named_group_list_len; /* Length of named_group_list */
+ const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
+
+ *out_len = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported_groups extension"));
+
+ /* Check if we have space for header and length fields:
+ * - extension_type (2 bytes)
+ * - extension_data_length (2 bytes)
+ * - named_group_list_length (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+ p += 6;
+
+ named_group_list = p;
+
+ if (group_list == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+
+ for (; *group_list != 0; group_list++) {
+ int propose_group = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("got supported group(%04x)", *group_list));
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+ if (flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG) {
+#if defined(PSA_WANT_ALG_ECDH)
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list) &&
+ (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
+ MBEDTLS_ECP_DP_NONE)) {
+ propose_group = 1;
+ }
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+ if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
+ propose_group = 1;
+ }
+#endif
+ }
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
+ if ((flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG) &&
+ mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list) &&
+ (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
+ MBEDTLS_ECP_DP_NONE)) {
+ propose_group = 1;
+ }
+#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC */
+
+ if (propose_group) {
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
+ p += 2;
+ MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
+ mbedtls_ssl_named_group_to_str(*group_list),
+ *group_list));
+ }
+ }
+
+ /* Length of named_group_list */
+ named_group_list_len = (size_t) (p - named_group_list);
+ if (named_group_list_len == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("No group available."));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* Write extension_type */
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, buf, 0);
+ /* Write extension_data_length */
+ MBEDTLS_PUT_UINT16_BE(named_group_list_len + 2, buf, 2);
+ /* Write length of named_group_list */
+ MBEDTLS_PUT_UINT16_BE(named_group_list_len, buf, 4);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "Supported groups extension",
+ buf + 4, named_group_list_len + 2);
+
+ *out_len = (size_t) (p - buf);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+ ssl, MBEDTLS_TLS_EXT_SUPPORTED_GROUPS);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_client_hello_cipher_suites(
+ mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ int *tls12_uses_ec,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ const int *ciphersuite_list;
+ unsigned char *cipher_suites; /* Start of the cipher_suites list */
+ size_t cipher_suites_len;
+
+ *tls12_uses_ec = 0;
+ *out_len = 0;
+
+ /*
+ * Ciphersuite list
+ *
+ * This is a list of the symmetric cipher options supported by
+ * the client, specifically the record protection algorithm
+ * ( including secret key length ) and a hash to be used with
+ * HKDF, in descending order of client preference.
+ */
+ ciphersuite_list = ssl->conf->ciphersuite_list;
+
+ /* Check there is space for the cipher suite list length (2 bytes). */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ p += 2;
+
+ /* Write cipher_suites
+ * CipherSuite cipher_suites<2..2^16-2>;
+ */
+ cipher_suites = p;
+ for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
+ int cipher_suite = ciphersuite_list[i];
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
+
+ if (mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
+ ssl->handshake->min_tls_version,
+ ssl->tls_version) != 0) {
+ continue;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ (defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED))
+ *tls12_uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info);
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, add ciphersuite: %04x, %s",
+ (unsigned int) cipher_suite,
+ ciphersuite_info->name));
+
+ /* Check there is space for the cipher suite identifier (2 bytes). */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ MBEDTLS_PUT_UINT16_BE(cipher_suite, p, 0);
+ p += 2;
+ }
+
+ /*
+ * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+ */
+ int renegotiating = 0;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
+#endif
+ if (!renegotiating) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("adding EMPTY_RENEGOTIATION_INFO_SCSV"));
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0);
+ p += 2;
+ }
+
+ /* Write the cipher_suites length in number of bytes */
+ cipher_suites_len = (size_t) (p - cipher_suites);
+ MBEDTLS_PUT_UINT16_BE(cipher_suites_len, buf, 0);
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites",
+ cipher_suites_len/2));
+
+ /* Output the total length of cipher_suites field. */
+ *out_len = (size_t) (p - buf);
+
+ return 0;
+}
+
+/*
+ * Structure of the TLS 1.3 ClientHello message:
+ *
+ * struct {
+ * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
+ * Random random;
+ * opaque legacy_session_id<0..32>;
+ * CipherSuite cipher_suites<2..2^16-2>;
+ * opaque legacy_compression_methods<1..2^8-1>;
+ * Extension extensions<8..2^16-1>;
+ * } ClientHello;
+ *
+ * Structure of the (D)TLS 1.2 ClientHello message:
+ *
+ * struct {
+ * ProtocolVersion client_version;
+ * Random random;
+ * SessionID session_id;
+ * opaque cookie<0..2^8-1>; // DTLS 1.2 ONLY
+ * CipherSuite cipher_suites<2..2^16-2>;
+ * CompressionMethod compression_methods<1..2^8-1>;
+ * select (extensions_present) {
+ * case false:
+ * struct {};
+ * case true:
+ * Extension extensions<0..2^16-1>;
+ * };
+ * } ClientHello;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len,
+ size_t *binders_len)
+{
+ int ret;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ unsigned char *p = buf;
+ unsigned char *p_extensions_len; /* Pointer to extensions length */
+ size_t output_len; /* Length of buffer used by function */
+ size_t extensions_len; /* Length of the list of extensions*/
+ int tls12_uses_ec = 0;
+
+ *out_len = 0;
+ *binders_len = 0;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ unsigned char propose_tls12 =
+ (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2)
+ &&
+ (MBEDTLS_SSL_VERSION_TLS1_2 <= ssl->tls_version);
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ unsigned char propose_tls13 =
+ (handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3)
+ &&
+ (MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version);
+#endif
+
+ /*
+ * Write client_version (TLS 1.2) or legacy_version (TLS 1.3)
+ *
+ * In all cases this is the TLS 1.2 version.
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ mbedtls_ssl_write_version(p, ssl->conf->transport,
+ MBEDTLS_SSL_VERSION_TLS1_2);
+ p += 2;
+
+ /* ...
+ * Random random;
+ * ...
+ *
+ * The random bytes have been prepared by ssl_prepare_client_hello() into
+ * the handshake->randbytes buffer and are copied here into the output
+ * buffer.
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
+ memcpy(p, handshake->randbytes, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
+ p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
+ p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
+
+ /* TLS 1.2:
+ * ...
+ * SessionID session_id;
+ * ...
+ * with
+ * opaque SessionID<0..32>;
+ *
+ * TLS 1.3:
+ * ...
+ * opaque legacy_session_id<0..32>;
+ * ...
+ *
+ * The (legacy) session identifier bytes have been prepared by
+ * ssl_prepare_client_hello() into the ssl->session_negotiate->id buffer
+ * and are copied here into the output buffer.
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, ssl->session_negotiate->id_len + 1);
+ *p++ = (unsigned char) ssl->session_negotiate->id_len;
+ memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
+ p += ssl->session_negotiate->id_len;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,
+ ssl->session_negotiate->id_len);
+
+ /* DTLS 1.2 ONLY
+ * ...
+ * opaque cookie<0..2^8-1>;
+ * ...
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ uint8_t cookie_len = 0;
+#else
+ uint16_t cookie_len = 0;
+#endif /* !MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ if (handshake->cookie != NULL) {
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
+ handshake->cookie,
+ handshake->cookie_len);
+ cookie_len = handshake->cookie_len;
+ }
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, cookie_len + 1);
+ *p++ = (unsigned char) cookie_len;
+ if (cookie_len > 0) {
+ memcpy(p, handshake->cookie, cookie_len);
+ p += cookie_len;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
+
+ /* Write cipher_suites */
+ ret = ssl_write_client_hello_cipher_suites(ssl, p, end,
+ &tls12_uses_ec,
+ &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+
+ /* Write legacy_compression_methods (TLS 1.3) or
+ * compression_methods (TLS 1.2)
+ *
+ * For every TLS 1.3 ClientHello, this vector MUST contain exactly
+ * one byte set to zero, which corresponds to the 'null' compression
+ * method in prior versions of TLS.
+ *
+ * For TLS 1.2 ClientHello, for security reasons we do not support
+ * compression anymore, thus also just the 'null' compression method.
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ *p++ = 1;
+ *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+
+ /* Write extensions */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* Keeping track of the included extensions */
+ handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+#endif
+
+ /* First write extensions, then the total length */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ p_extensions_len = p;
+ p += 2;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ /* Write server name extension */
+ ret = ssl_write_hostname_ext(ssl, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ALPN)
+ ret = ssl_write_alpn_ext(ssl, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (propose_tls13) {
+ ret = mbedtls_ssl_tls13_write_client_hello_exts(ssl, p, end,
+ &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+ {
+ int ssl_write_supported_groups_ext_flags = 0;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+ if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
+ ssl_write_supported_groups_ext_flags |=
+ SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
+ }
+#endif
+#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
+ if (propose_tls12 && tls12_uses_ec) {
+ ssl_write_supported_groups_ext_flags |=
+ SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG;
+ }
+#endif
+ if (ssl_write_supported_groups_ext_flags != 0) {
+ ret = ssl_write_supported_groups_ext(ssl, p, end,
+ ssl_write_supported_groups_ext_flags,
+ &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+ }
+#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+ int write_sig_alg_ext = 0;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ write_sig_alg_ext = write_sig_alg_ext ||
+ (propose_tls13 && mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl));
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ write_sig_alg_ext = write_sig_alg_ext || propose_tls12;
+#endif
+
+ if (write_sig_alg_ext) {
+ ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (propose_tls12) {
+ ret = mbedtls_ssl_tls12_write_client_hello_exts(ssl, p, end,
+ tls12_uses_ec,
+ &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ /* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
+ * MUST be the last extension in the ClientHello.
+ */
+ if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
+ ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
+ ssl, p, end, &output_len, binders_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+
+ /* Write the length of the list of extensions. */
+ extensions_len = (size_t) (p - p_extensions_len) - 2;
+
+ if (extensions_len == 0) {
+ p = p_extensions_len;
+ } else {
+ MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, total extension length: %" \
+ MBEDTLS_PRINTF_SIZET, extensions_len));
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions",
+ p_extensions_len, extensions_len);
+ }
+
+ *out_len = (size_t) (p - buf);
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_generate_random(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *randbytes = ssl->handshake->randbytes;
+ size_t gmt_unix_time_len = 0;
+
+ /*
+ * Generate the random bytes
+ *
+ * TLS 1.2 case:
+ * struct {
+ * uint32 gmt_unix_time;
+ * opaque random_bytes[28];
+ * } Random;
+ *
+ * TLS 1.3 case:
+ * opaque Random[32];
+ */
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
+#if defined(MBEDTLS_HAVE_TIME)
+ mbedtls_time_t gmt_unix_time = mbedtls_time(NULL);
+ MBEDTLS_PUT_UINT32_BE(gmt_unix_time, randbytes, 0);
+ gmt_unix_time_len = 4;
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
+ (long long) gmt_unix_time));
+#endif /* MBEDTLS_HAVE_TIME */
+ }
+
+ ret = ssl->conf->f_rng(ssl->conf->p_rng,
+ randbytes + gmt_unix_time_len,
+ MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len);
+ return ret;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
+{
+ int ret;
+ size_t session_id_len;
+ mbedtls_ssl_session *session_negotiate = ssl->session_negotiate;
+
+ if (session_negotiate == NULL) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_HAVE_TIME)
+
+ /* Check if a tls13 ticket has been configured. */
+ if (ssl->handshake->resume != 0 &&
+ session_negotiate->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ session_negotiate->ticket != NULL) {
+ mbedtls_ms_time_t now = mbedtls_ms_time();
+ mbedtls_ms_time_t age = now - session_negotiate->ticket_reception_time;
+ if (age < 0 ||
+ age > (mbedtls_ms_time_t) session_negotiate->ticket_lifetime * 1000) {
+ /* Without valid ticket, disable session resumption.*/
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("Ticket expired, disable session resumption"));
+ ssl->handshake->resume = 0;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_HAVE_TIME */
+
+ /* Bet on the highest configured version if we are not in a TLS 1.2
+ * renegotiation or session resumption.
+ */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+ ssl->handshake->min_tls_version = ssl->tls_version;
+ } else
+#endif
+ {
+ if (ssl->handshake->resume) {
+ ssl->tls_version = session_negotiate->tls_version;
+ ssl->handshake->min_tls_version = ssl->tls_version;
+ } else {
+ ssl->handshake->min_tls_version = ssl->conf->min_tls_version;
+ }
+ }
+
+ /*
+ * Generate the random bytes, except when responding to a verify request
+ * where we MUST reuse the previously generated random bytes
+ * (RFC 6347 4.2.1).
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+ (ssl->handshake->cookie == NULL))
+#endif
+ {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (!ssl->handshake->hello_retry_request_flag)
+#endif
+ {
+ ret = ssl_generate_random(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "Random bytes generation failed", ret);
+ return ret;
+ }
+ }
+ }
+
+ /*
+ * Prepare session identifier. At that point, the length of the session
+ * identifier in the SSL context `ssl->session_negotiate->id_len` is equal
+ * to zero, except in the case of a TLS 1.2 session renegotiation or
+ * session resumption.
+ */
+ session_id_len = session_negotiate->id_len;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
+ if (session_id_len < 16 || session_id_len > 32 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+ ssl->handshake->resume == 0) {
+ session_id_len = 0;
+ }
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ /*
+ * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
+ * generate and include a Session ID in the TLS ClientHello."
+ */
+ int renegotiating = 0;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+ renegotiating = 1;
+ }
+#endif
+ if (!renegotiating) {
+ if ((session_negotiate->ticket != NULL) &&
+ (session_negotiate->ticket_len != 0)) {
+ session_id_len = 32;
+ }
+ }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ /*
+ * Create a legacy session identifier for the purpose of middlebox
+ * compatibility only if one has not been created already, which is
+ * the case if we are here for the TLS 1.3 second ClientHello.
+ *
+ * Versions of TLS before TLS 1.3 supported a "session resumption"
+ * feature which has been merged with pre-shared keys in TLS 1.3
+ * version. A client which has a cached session ID set by a pre-TLS 1.3
+ * server SHOULD set this field to that value. In compatibility mode,
+ * this field MUST be non-empty, so a client not offering a pre-TLS 1.3
+ * session MUST generate a new 32-byte value. This value need not be
+ * random but SHOULD be unpredictable to avoid implementations fixating
+ * on a specific value (also known as ossification). Otherwise, it MUST
+ * be set as a zero-length vector ( i.e., a zero-valued single byte
+ * length field ).
+ */
+ session_id_len = 32;
+ }
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+ if (session_id_len != session_negotiate->id_len) {
+ session_negotiate->id_len = session_id_len;
+ if (session_id_len > 0) {
+ ret = ssl->conf->f_rng(ssl->conf->p_rng,
+ session_negotiate->id,
+ session_id_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret);
+ return ret;
+ }
+ }
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ ssl->handshake->resume) {
+ int hostname_mismatch = ssl->hostname != NULL ||
+ session_negotiate->hostname != NULL;
+ if (ssl->hostname != NULL && session_negotiate->hostname != NULL) {
+ hostname_mismatch = strcmp(
+ ssl->hostname, session_negotiate->hostname) != 0;
+ }
+
+ if (hostname_mismatch) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Hostname mismatch the session ticket, "
+ "disable session resumption."));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ } else {
+ return mbedtls_ssl_session_set_hostname(session_negotiate,
+ ssl->hostname);
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+ return 0;
+}
+/*
+ * Write ClientHello handshake message.
+ * Handler for MBEDTLS_SSL_CLIENT_HELLO
+ */
+int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+ unsigned char *buf;
+ size_t buf_len, msg_len, binders_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client hello"));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_prepare_client_hello(ssl));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_write_client_hello_body(ssl, buf,
+ buf + buf_len,
+ &msg_len,
+ &binders_len));
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ssl->out_msglen = msg_len + 4;
+ mbedtls_ssl_send_flight_completed(ssl);
+
+ /*
+ * The two functions below may try to send data on the network and
+ * can return with the MBEDTLS_ERR_SSL_WANT_READ error code when they
+ * fail to do so and the transmission has to be retried later. In that
+ * case as in fatal error cases, we return immediately. But we must have
+ * set the handshake state to the next state at that point to ensure
+ * that we will not write and send again a ClientHello when we
+ * eventually succeed in sending the pending data.
+ */
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+ if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
+ {
+
+ ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
+ MBEDTLS_SSL_HS_CLIENT_HELLO,
+ msg_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_add_hs_hdr_to_checksum", ret);
+ return ret;
+ }
+ ret = ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
+ }
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ if (binders_len > 0) {
+ MBEDTLS_SSL_PROC_CHK(
+ mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
+ ssl, buf + msg_len - binders_len, buf + msg_len));
+ ret = ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len,
+ binders_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl,
+ buf_len,
+ msg_len));
+
+ /*
+ * Set next state. Note that if TLS 1.3 is proposed, this may be
+ * overwritten by mbedtls_ssl_tls13_finalize_client_hello().
+ */
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
+ MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version) {
+ ret = mbedtls_ssl_tls13_finalize_client_hello(ssl);
+ }
+#endif
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ MBEDTLS_SSL_PRINT_EXTS(
+ 3, MBEDTLS_SSL_HS_CLIENT_HELLO, ssl->handshake->sent_extensions);
+#endif
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello"));
+ return ret;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 || MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_CLI_C */
diff --git a/library/ssl_client.h b/library/ssl_client.h
new file mode 100644
index 0000000..05ee7e4
--- /dev/null
+++ b/library/ssl_client.h
@@ -0,0 +1,22 @@
+/**
+ * TLS 1.2 and 1.3 client-side functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_SSL_CLIENT_H
+#define MBEDTLS_SSL_CLIENT_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TLS_C)
+#include "ssl_misc.h"
+#endif
+
+#include <stddef.h>
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl);
+
+#endif /* MBEDTLS_SSL_CLIENT_H */
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
new file mode 100644
index 0000000..2772cac
--- /dev/null
+++ b/library/ssl_cookie.c
@@ -0,0 +1,380 @@
+/*
+ * DTLS cookie callbacks implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_COOKIE_C)
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/ssl_cookie.h"
+#include "ssl_misc.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/constant_time.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
+
+/*
+ * If DTLS is in use, then at least one of SHA-256 or SHA-384 is
+ * available. Try SHA-256 first as 384 wastes resources
+ */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#define COOKIE_MD MBEDTLS_MD_SHA256
+#define COOKIE_MD_OUTLEN 32
+#define COOKIE_HMAC_LEN 28
+#elif defined(MBEDTLS_MD_CAN_SHA384)
+#define COOKIE_MD MBEDTLS_MD_SHA384
+#define COOKIE_MD_OUTLEN 48
+#define COOKIE_HMAC_LEN 28
+#else
+#error "DTLS hello verify needs SHA-256 or SHA-384"
+#endif
+
+/*
+ * Cookies are formed of a 4-bytes timestamp (or serial number) and
+ * an HMAC of timestamp and client ID.
+ */
+#define COOKIE_LEN (4 + COOKIE_HMAC_LEN)
+
+void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ctx->psa_hmac_key = MBEDTLS_SVC_KEY_ID_INIT;
+#else
+ mbedtls_md_init(&ctx->hmac_ctx);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if !defined(MBEDTLS_HAVE_TIME)
+ ctx->serial = 0;
+#endif
+ ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
+
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+}
+
+void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long delay)
+{
+ ctx->timeout = delay;
+}
+
+void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_destroy_key(ctx->psa_hmac_key);
+#else
+ mbedtls_md_free(&ctx->hmac_ctx);
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_free(&ctx->mutex);
+#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_cookie_ctx));
+}
+
+int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_algorithm_t alg;
+
+ (void) f_rng;
+ (void) p_rng;
+
+ alg = mbedtls_md_psa_alg_from_type(COOKIE_MD);
+ if (alg == 0) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ctx->psa_hmac_alg = PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(alg),
+ COOKIE_HMAC_LEN);
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_MESSAGE |
+ PSA_KEY_USAGE_SIGN_MESSAGE);
+ psa_set_key_algorithm(&attributes, ctx->psa_hmac_alg);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+ psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(COOKIE_MD_OUTLEN));
+
+ if ((status = psa_generate_key(&attributes,
+ &ctx->psa_hmac_key)) != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char key[COOKIE_MD_OUTLEN];
+
+ if ((ret = f_rng(p_rng, key, sizeof(key))) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_md_setup(&ctx->hmac_ctx, mbedtls_md_info_from_type(COOKIE_MD), 1);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_md_hmac_starts(&ctx->hmac_ctx, key, sizeof(key));
+ if (ret != 0) {
+ return ret;
+ }
+
+ mbedtls_platform_zeroize(key, sizeof(key));
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+/*
+ * Generate the HMAC part of a cookie
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_cookie_hmac(mbedtls_md_context_t *hmac_ctx,
+ const unsigned char time[4],
+ unsigned char **p, unsigned char *end,
+ const unsigned char *cli_id, size_t cli_id_len)
+{
+ unsigned char hmac_out[COOKIE_MD_OUTLEN];
+
+ MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_HMAC_LEN);
+
+ if (mbedtls_md_hmac_reset(hmac_ctx) != 0 ||
+ mbedtls_md_hmac_update(hmac_ctx, time, 4) != 0 ||
+ mbedtls_md_hmac_update(hmac_ctx, cli_id, cli_id_len) != 0 ||
+ mbedtls_md_hmac_finish(hmac_ctx, hmac_out) != 0) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ memcpy(*p, hmac_out, COOKIE_HMAC_LEN);
+ *p += COOKIE_HMAC_LEN;
+
+ return 0;
+}
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+
+/*
+ * Generate cookie for DTLS ClientHello verification
+ */
+int mbedtls_ssl_cookie_write(void *p_ctx,
+ unsigned char **p, unsigned char *end,
+ const unsigned char *cli_id, size_t cli_id_len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t sign_mac_length = 0;
+#endif
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+ unsigned long t;
+
+ if (ctx == NULL || cli_id == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_LEN);
+
+#if defined(MBEDTLS_HAVE_TIME)
+ t = (unsigned long) mbedtls_time(NULL);
+#else
+ t = ctx->serial++;
+#endif
+
+ MBEDTLS_PUT_UINT32_BE(t, *p, 0);
+ *p += 4;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_mac_sign_setup(&operation, ctx->psa_hmac_key,
+ ctx->psa_hmac_alg);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ status = psa_mac_update(&operation, *p - 4, 4);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ status = psa_mac_update(&operation, cli_id, cli_id_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ status = psa_mac_sign_finish(&operation, *p, COOKIE_MD_OUTLEN,
+ &sign_mac_length);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ *p += COOKIE_HMAC_LEN;
+
+ ret = 0;
+#else
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
+ }
+#endif
+
+ ret = ssl_cookie_hmac(&ctx->hmac_ctx, *p - 4,
+ p, end, cli_id, cli_id_len);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
+ MBEDTLS_ERR_THREADING_MUTEX_ERROR);
+ }
+#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+exit:
+ status = psa_mac_abort(&operation);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ return ret;
+}
+
+/*
+ * Check a cookie
+ */
+int mbedtls_ssl_cookie_check(void *p_ctx,
+ const unsigned char *cookie, size_t cookie_len,
+ const unsigned char *cli_id, size_t cli_id_len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#else
+ unsigned char ref_hmac[COOKIE_HMAC_LEN];
+ unsigned char *p = ref_hmac;
+#endif
+ int ret = 0;
+ mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+ unsigned long cur_time, cookie_time;
+
+ if (ctx == NULL || cli_id == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (cookie_len != COOKIE_LEN) {
+ return -1;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_mac_verify_setup(&operation, ctx->psa_hmac_key,
+ ctx->psa_hmac_alg);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ status = psa_mac_update(&operation, cookie, 4);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ status = psa_mac_update(&operation, cli_id,
+ cli_id_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ status = psa_mac_verify_finish(&operation, cookie + 4,
+ COOKIE_HMAC_LEN);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ ret = 0;
+#else
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
+ }
+#endif
+
+ if (ssl_cookie_hmac(&ctx->hmac_ctx, cookie,
+ &p, p + sizeof(ref_hmac),
+ cli_id, cli_id_len) != 0) {
+ ret = -1;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
+ MBEDTLS_ERR_THREADING_MUTEX_ERROR);
+ }
+#endif
+
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (mbedtls_ct_memcmp(cookie + 4, ref_hmac, sizeof(ref_hmac)) != 0) {
+ ret = -1;
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ cur_time = (unsigned long) mbedtls_time(NULL);
+#else
+ cur_time = ctx->serial;
+#endif
+
+ cookie_time = (unsigned long) MBEDTLS_GET_UINT32_BE(cookie, 0);
+
+ if (ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout) {
+ ret = -1;
+ goto exit;
+ }
+
+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_mac_abort(&operation);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ }
+#else
+ mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac));
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ return ret;
+}
+#endif /* MBEDTLS_SSL_COOKIE_C */
diff --git a/library/ssl_debug_helpers.h b/library/ssl_debug_helpers.h
new file mode 100644
index 0000000..4889e77
--- /dev/null
+++ b/library/ssl_debug_helpers.h
@@ -0,0 +1,83 @@
+/**
+ * \file ssl_debug_helpers.h
+ *
+ * \brief Automatically generated helper functions for debugging
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_SSL_DEBUG_HELPERS_H
+#define MBEDTLS_SSL_DEBUG_HELPERS_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#include "mbedtls/ssl.h"
+#include "ssl_misc.h"
+
+
+const char *mbedtls_ssl_states_str(mbedtls_ssl_states in);
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+const char *mbedtls_ssl_early_data_status_str(mbedtls_ssl_early_data_status in);
+const char *mbedtls_ssl_early_data_state_str(mbedtls_ssl_early_data_state in);
+#endif
+
+const char *mbedtls_ssl_protocol_version_str(mbedtls_ssl_protocol_version in);
+
+const char *mbedtls_tls_prf_types_str(mbedtls_tls_prf_types in);
+
+const char *mbedtls_ssl_key_export_type_str(mbedtls_ssl_key_export_type in);
+
+const char *mbedtls_ssl_sig_alg_to_str(uint16_t in);
+
+const char *mbedtls_ssl_named_group_to_str(uint16_t in);
+
+const char *mbedtls_ssl_get_extension_name(unsigned int extension_type);
+
+void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
+ int level, const char *file, int line,
+ int hs_msg_type, uint32_t extensions_mask,
+ const char *extra);
+
+void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
+ int level, const char *file, int line,
+ int hs_msg_type, unsigned int extension_type,
+ const char *extra_msg0, const char *extra_msg1);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
+ int level, const char *file, int line,
+ unsigned int flags);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
+
+#define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extensions_mask) \
+ mbedtls_ssl_print_extensions(ssl, level, __FILE__, __LINE__, \
+ hs_msg_type, extensions_mask, NULL)
+
+#define MBEDTLS_SSL_PRINT_EXT(level, hs_msg_type, extension_type, extra) \
+ mbedtls_ssl_print_extension(ssl, level, __FILE__, __LINE__, \
+ hs_msg_type, extension_type, \
+ extra, NULL)
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+#define MBEDTLS_SSL_PRINT_TICKET_FLAGS(level, flags) \
+ mbedtls_ssl_print_ticket_flags(ssl, level, __FILE__, __LINE__, flags)
+#endif
+
+#else
+
+#define MBEDTLS_SSL_PRINT_EXTS(level, hs_msg_type, extension_mask)
+
+#define MBEDTLS_SSL_PRINT_EXT(level, hs_msg_type, extension_type, extra)
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+#define MBEDTLS_SSL_PRINT_TICKET_FLAGS(level, flags)
+#endif
+
+#endif /* MBEDTLS_DEBUG_C */
+
+#endif /* MBEDTLS_SSL_DEBUG_HELPERS_H */
diff --git a/library/ssl_debug_helpers_generated.c b/library/ssl_debug_helpers_generated.c
new file mode 100644
index 0000000..f8b4448
--- /dev/null
+++ b/library/ssl_debug_helpers_generated.c
@@ -0,0 +1,251 @@
+/* Automatically generated by generate_ssl_debug_helpers.py. DO NOT EDIT. */
+
+/**
+ * \file ssl_debug_helpers_generated.c
+ *
+ * \brief Automatically generated helper functions for debugging
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#include "ssl_debug_helpers.h"
+
+
+const char *mbedtls_ssl_named_group_to_str( uint16_t in )
+{
+ switch( in )
+ {
+ case MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1:
+ return "secp192k1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1:
+ return "secp192r1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1:
+ return "secp224k1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1:
+ return "secp224r1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1:
+ return "secp256k1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1:
+ return "secp256r1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1:
+ return "secp384r1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1:
+ return "secp521r1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1:
+ return "bp256r1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1:
+ return "bp384r1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1:
+ return "bp512r1";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_X25519:
+ return "x25519";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_X448:
+ return "x448";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:
+ return "ffdhe2048";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:
+ return "ffdhe3072";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:
+ return "ffdhe4096";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:
+ return "ffdhe6144";
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:
+ return "ffdhe8192";
+ };
+
+ return "UNKOWN";
+}
+const char *mbedtls_ssl_sig_alg_to_str( uint16_t in )
+{
+ switch( in )
+ {
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
+ return "rsa_pkcs1_sha256";
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
+ return "rsa_pkcs1_sha384";
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
+ return "rsa_pkcs1_sha512";
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
+ return "ecdsa_secp256r1_sha256";
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
+ return "ecdsa_secp384r1_sha384";
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
+ return "ecdsa_secp521r1_sha512";
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+ return "rsa_pss_rsae_sha256";
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+ return "rsa_pss_rsae_sha384";
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ return "rsa_pss_rsae_sha512";
+ case MBEDTLS_TLS1_3_SIG_ED25519:
+ return "ed25519";
+ case MBEDTLS_TLS1_3_SIG_ED448:
+ return "ed448";
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA256:
+ return "rsa_pss_pss_sha256";
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384:
+ return "rsa_pss_pss_sha384";
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA512:
+ return "rsa_pss_pss_sha512";
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA1:
+ return "rsa_pkcs1_sha1";
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SHA1:
+ return "ecdsa_sha1";
+ case MBEDTLS_TLS1_3_SIG_NONE:
+ return "none";
+ };
+
+ return "UNKNOWN";
+}
+const char *mbedtls_ssl_states_str( mbedtls_ssl_states in )
+{
+ switch (in) {
+ case MBEDTLS_SSL_HELLO_REQUEST:
+ return "MBEDTLS_SSL_HELLO_REQUEST";
+ case MBEDTLS_SSL_CLIENT_HELLO:
+ return "MBEDTLS_SSL_CLIENT_HELLO";
+ case MBEDTLS_SSL_SERVER_HELLO:
+ return "MBEDTLS_SSL_SERVER_HELLO";
+ case MBEDTLS_SSL_SERVER_CERTIFICATE:
+ return "MBEDTLS_SSL_SERVER_CERTIFICATE";
+ case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+ return "MBEDTLS_SSL_SERVER_KEY_EXCHANGE";
+ case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+ return "MBEDTLS_SSL_CERTIFICATE_REQUEST";
+ case MBEDTLS_SSL_SERVER_HELLO_DONE:
+ return "MBEDTLS_SSL_SERVER_HELLO_DONE";
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+ return "MBEDTLS_SSL_CLIENT_CERTIFICATE";
+ case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+ return "MBEDTLS_SSL_CLIENT_KEY_EXCHANGE";
+ case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+ return "MBEDTLS_SSL_CERTIFICATE_VERIFY";
+ case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+ return "MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC";
+ case MBEDTLS_SSL_CLIENT_FINISHED:
+ return "MBEDTLS_SSL_CLIENT_FINISHED";
+ case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+ return "MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC";
+ case MBEDTLS_SSL_SERVER_FINISHED:
+ return "MBEDTLS_SSL_SERVER_FINISHED";
+ case MBEDTLS_SSL_FLUSH_BUFFERS:
+ return "MBEDTLS_SSL_FLUSH_BUFFERS";
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+ return "MBEDTLS_SSL_HANDSHAKE_WRAPUP";
+ case MBEDTLS_SSL_NEW_SESSION_TICKET:
+ return "MBEDTLS_SSL_NEW_SESSION_TICKET";
+ case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
+ return "MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT";
+ case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
+ return "MBEDTLS_SSL_HELLO_RETRY_REQUEST";
+ case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
+ return "MBEDTLS_SSL_ENCRYPTED_EXTENSIONS";
+ case MBEDTLS_SSL_END_OF_EARLY_DATA:
+ return "MBEDTLS_SSL_END_OF_EARLY_DATA";
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
+ return "MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY";
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
+ return "MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED";
+ case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
+ return "MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO";
+ case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
+ return "MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO";
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
+ return "MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO";
+ case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
+ return "MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST";
+ case MBEDTLS_SSL_HANDSHAKE_OVER:
+ return "MBEDTLS_SSL_HANDSHAKE_OVER";
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
+ return "MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET";
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:
+ return "MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH";
+ default:
+ return "UNKNOWN_VALUE";
+ }
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+const char *mbedtls_ssl_early_data_status_str( mbedtls_ssl_early_data_status in )
+{
+ switch (in) {
+ case MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED:
+ return "MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED";
+ case MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED:
+ return "MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED";
+ case MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED:
+ return "MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED";
+ default:
+ return "UNKNOWN_VALUE";
+ }
+}
+
+#endif /* defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) */
+const char *mbedtls_ssl_protocol_version_str( mbedtls_ssl_protocol_version in )
+{
+ switch (in) {
+ case MBEDTLS_SSL_VERSION_UNKNOWN:
+ return "MBEDTLS_SSL_VERSION_UNKNOWN";
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ return "MBEDTLS_SSL_VERSION_TLS1_2";
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ return "MBEDTLS_SSL_VERSION_TLS1_3";
+ default:
+ return "UNKNOWN_VALUE";
+ }
+}
+
+const char *mbedtls_tls_prf_types_str( mbedtls_tls_prf_types in )
+{
+ switch (in) {
+ case MBEDTLS_SSL_TLS_PRF_NONE:
+ return "MBEDTLS_SSL_TLS_PRF_NONE";
+ case MBEDTLS_SSL_TLS_PRF_SHA384:
+ return "MBEDTLS_SSL_TLS_PRF_SHA384";
+ case MBEDTLS_SSL_TLS_PRF_SHA256:
+ return "MBEDTLS_SSL_TLS_PRF_SHA256";
+ case MBEDTLS_SSL_HKDF_EXPAND_SHA384:
+ return "MBEDTLS_SSL_HKDF_EXPAND_SHA384";
+ case MBEDTLS_SSL_HKDF_EXPAND_SHA256:
+ return "MBEDTLS_SSL_HKDF_EXPAND_SHA256";
+ default:
+ return "UNKNOWN_VALUE";
+ }
+}
+
+const char *mbedtls_ssl_key_export_type_str( mbedtls_ssl_key_export_type in )
+{
+ switch (in) {
+ case MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET:
+ return "MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET";
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET:
+ return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET";
+ case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_EARLY_EXPORTER_SECRET:
+ return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_EARLY_EXPORTER_SECRET";
+ case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET:
+ return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET";
+ case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET:
+ return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET";
+ case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET:
+ return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET";
+ case MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET:
+ return "MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET";
+#endif
+ default:
+ return "UNKNOWN_VALUE";
+ }
+}
+
+
+
+#endif /* MBEDTLS_DEBUG_C */
+/* End of automatically generated file. */
+
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
new file mode 100644
index 0000000..a8807f6
--- /dev/null
+++ b/library/ssl_misc.h
@@ -0,0 +1,2983 @@
+/**
+ * \file ssl_misc.h
+ *
+ * \brief Internal functions shared by the SSL modules
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_SSL_MISC_H
+#define MBEDTLS_SSL_MISC_H
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/error.h"
+
+#include "mbedtls/ssl.h"
+#include "mbedtls/cipher.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#include "psa/crypto.h"
+#include "psa_util_internal.h"
+#endif
+
+#if defined(MBEDTLS_MD_CAN_MD5)
+#include "mbedtls/md5.h"
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+#include "mbedtls/sha1.h"
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#include "mbedtls/sha256.h"
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA512)
+#include "mbedtls/sha512.h"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
+ !defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/ecjpake.h"
+#endif
+
+#include "mbedtls/pk.h"
+#include "ssl_ciphersuites_internal.h"
+#include "x509_internal.h"
+#include "pk_internal.h"
+#include "common.h"
+
+/* Shorthand for restartable ECC */
+#if defined(MBEDTLS_ECP_RESTARTABLE) && \
+ defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
+#endif
+
+#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
+#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
+#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
+#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
+
+/* Faked handshake message identity for HelloRetryRequest. */
+#define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
+
+/*
+ * Internal identity of handshake extensions
+ */
+#define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0
+#define MBEDTLS_SSL_EXT_ID_SERVERNAME 1
+#define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1
+#define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2
+#define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3
+#define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4
+#define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4
+#define MBEDTLS_SSL_EXT_ID_SIG_ALG 5
+#define MBEDTLS_SSL_EXT_ID_USE_SRTP 6
+#define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7
+#define MBEDTLS_SSL_EXT_ID_ALPN 8
+#define MBEDTLS_SSL_EXT_ID_SCT 9
+#define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10
+#define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11
+#define MBEDTLS_SSL_EXT_ID_PADDING 12
+#define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13
+#define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14
+#define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15
+#define MBEDTLS_SSL_EXT_ID_COOKIE 16
+#define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17
+#define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18
+#define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19
+#define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20
+#define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21
+#define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22
+#define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23
+#define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24
+#define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25
+#define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26
+#define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27
+#define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28
+
+/* Utility for translating IANA extension type. */
+uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type);
+uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
+/* Macros used to define mask constants */
+#define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id))
+/* Reset value of extension mask */
+#define MBEDTLS_SSL_EXT_MASK_NONE 0
+
+/* In messages containing extension requests, we should ignore unrecognized
+ * extensions. In messages containing extension responses, unrecognized
+ * extensions should result in handshake abortion. Messages containing
+ * extension requests include ClientHello, CertificateRequest and
+ * NewSessionTicket. Messages containing extension responses include
+ * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
+ *
+ * RFC 8446 section 4.1.3
+ *
+ * The ServerHello MUST only include extensions which are required to establish
+ * the cryptographic context and negotiate the protocol version.
+ *
+ * RFC 8446 section 4.2
+ *
+ * If an implementation receives an extension which it recognizes and which is
+ * not specified for the message in which it appears, it MUST abort the handshake
+ * with an "illegal_parameter" alert.
+ */
+
+/* Extensions that are not recognized by TLS 1.3 */
+#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \
+ (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \
+ MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \
+ MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \
+ MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \
+ MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \
+ MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED))
+
+/* RFC 8446 section 4.2. Allowed extensions for ClientHello */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
+ (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
+ MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
+ MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
+ MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
+ MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
+ MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
+ MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
+ MBEDTLS_SSL_EXT_MASK(ALPN) | \
+ MBEDTLS_SSL_EXT_MASK(SCT) | \
+ MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
+ MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
+ MBEDTLS_SSL_EXT_MASK(PADDING) | \
+ MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
+ MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
+ MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \
+ MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
+ MBEDTLS_SSL_EXT_MASK(COOKIE) | \
+ MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \
+ MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
+ MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \
+ MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
+ MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \
+ MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
+
+/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
+ (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
+ MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
+ MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
+ MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
+ MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
+ MBEDTLS_SSL_EXT_MASK(ALPN) | \
+ MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
+ MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
+ MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
+ MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT))
+
+/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
+ (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
+ MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
+ MBEDTLS_SSL_EXT_MASK(SCT) | \
+ MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
+ MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \
+ MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
+ MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
+
+/* RFC 8446 section 4.2. Allowed extensions for Certificate */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
+ (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
+ MBEDTLS_SSL_EXT_MASK(SCT))
+
+/* RFC 8446 section 4.2. Allowed extensions for ServerHello */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
+ (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
+ MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
+ MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
+
+/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
+ (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
+ MBEDTLS_SSL_EXT_MASK(COOKIE) | \
+ MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
+
+/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
+#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
+ (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
+ MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
+
+/*
+ * Helper macros for function call with return check.
+ */
+/*
+ * Exit when return non-zero value
+ */
+#define MBEDTLS_SSL_PROC_CHK(f) \
+ do { \
+ ret = (f); \
+ if (ret != 0) \
+ { \
+ goto cleanup; \
+ } \
+ } while (0)
+/*
+ * Exit when return negative value
+ */
+#define MBEDTLS_SSL_PROC_CHK_NEG(f) \
+ do { \
+ ret = (f); \
+ if (ret < 0) \
+ { \
+ goto cleanup; \
+ } \
+ } while (0)
+
+/*
+ * DTLS retransmission states, see RFC 6347 4.2.4
+ *
+ * The SENDING state is merged in PREPARING for initial sends,
+ * but is distinct for resends.
+ *
+ * Note: initial state is wrong for server, but is not used anyway.
+ */
+#define MBEDTLS_SSL_RETRANS_PREPARING 0
+#define MBEDTLS_SSL_RETRANS_SENDING 1
+#define MBEDTLS_SSL_RETRANS_WAITING 2
+#define MBEDTLS_SSL_RETRANS_FINISHED 3
+
+/*
+ * Allow extra bytes for record, authentication and encryption overhead:
+ * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
+ */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
+/* This macro determines whether CBC is supported. */
+#if defined(MBEDTLS_SSL_HAVE_CBC) && \
+ (defined(MBEDTLS_SSL_HAVE_AES) || \
+ defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \
+ defined(MBEDTLS_SSL_HAVE_ARIA))
+#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
+#endif
+
+/* This macro determines whether a ciphersuite using a
+ * stream cipher can be used. */
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
+#endif
+
+/* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
+#endif
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
+ defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
+#define MBEDTLS_SSL_SOME_SUITES_USE_MAC
+#endif
+
+/* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
+ defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
+#endif
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+/* Ciphersuites using HMAC */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
+#elif defined(MBEDTLS_MD_CAN_SHA256)
+#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
+#else
+#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
+#endif
+#else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
+#define MBEDTLS_SSL_MAC_ADD 16
+#endif
+
+#if defined(MBEDTLS_SSL_HAVE_CBC)
+#define MBEDTLS_SSL_PADDING_ADD 256
+#else
+#define MBEDTLS_SSL_PADDING_ADD 0
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
+#else
+#define MBEDTLS_SSL_MAX_CID_EXPANSION 0
+#endif
+
+#define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \
+ MBEDTLS_SSL_MAC_ADD + \
+ MBEDTLS_SSL_PADDING_ADD + \
+ MBEDTLS_SSL_MAX_CID_EXPANSION \
+ )
+
+#define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+ (MBEDTLS_SSL_IN_CONTENT_LEN))
+
+#define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+ (MBEDTLS_SSL_OUT_CONTENT_LEN))
+
+/* The maximum number of buffered handshake messages. */
+#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
+
+/* Maximum length we can advertise as our max content length for
+ RFC 6066 max_fragment_length extension negotiation purposes
+ (the lesser of both sizes, if they are unequal.)
+ */
+#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
+ (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
+ ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \
+ : (MBEDTLS_SSL_IN_CONTENT_LEN) \
+ )
+
+/* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
+#define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
+
+/* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
+#define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
+
+/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
+#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
+
+#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+
+#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig)
+#define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
+#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+/*
+ * Check that we obey the standard's message size bounds
+ */
+
+#if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
+#error "Bad configuration - incoming record content too large."
+#endif
+
+#if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
+#error "Bad configuration - outgoing record content too large."
+#endif
+
+#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
+#error "Bad configuration - incoming protected record payload too large."
+#endif
+
+#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
+#error "Bad configuration - outgoing protected record payload too large."
+#endif
+
+/* Calculate buffer sizes */
+
+/* Note: Even though the TLS record header is only 5 bytes
+ long, we're internally using 8 bytes to store the
+ implicit sequence number. */
+#define MBEDTLS_SSL_HEADER_LEN 13
+
+#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#define MBEDTLS_SSL_IN_BUFFER_LEN \
+ ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
+#else
+#define MBEDTLS_SSL_IN_BUFFER_LEN \
+ ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
+ + (MBEDTLS_SSL_CID_IN_LEN_MAX))
+#endif
+
+#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#define MBEDTLS_SSL_OUT_BUFFER_LEN \
+ ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
+#else
+#define MBEDTLS_SSL_OUT_BUFFER_LEN \
+ ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \
+ + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
+#endif
+
+#define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
+#define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief Return the maximum fragment length (payload, in bytes) for
+ * the output buffer. For the client, this is the configured
+ * value. For the server, it is the minimum of two - the
+ * configured value and the negotiated one.
+ *
+ * \sa mbedtls_ssl_conf_max_frag_len()
+ * \sa mbedtls_ssl_get_max_out_record_payload()
+ *
+ * \param ssl SSL context
+ *
+ * \return Current maximum fragment length for the output buffer.
+ */
+size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
+
+/**
+ * \brief Return the maximum fragment length (payload, in bytes) for
+ * the input buffer. This is the negotiated maximum fragment
+ * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
+ * If it is not defined either, the value is 2^14. This function
+ * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
+ *
+ * \sa mbedtls_ssl_conf_max_frag_len()
+ * \sa mbedtls_ssl_get_max_in_record_payload()
+ *
+ * \param ssl SSL context
+ *
+ * \return Current maximum fragment length for the output buffer.
+ */
+size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+/**
+ * \brief Get the size limit in bytes for the protected outgoing records
+ * as defined in RFC 8449
+ *
+ * \param ssl SSL context
+ *
+ * \return The size limit in bytes for the protected outgoing
+ * records as defined in RFC 8449.
+ */
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
+{
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ return mbedtls_ssl_get_output_max_frag_len(ctx)
+ + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
+ + MBEDTLS_SSL_CID_OUT_LEN_MAX;
+#else
+ return mbedtls_ssl_get_output_max_frag_len(ctx)
+ + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
+#endif
+}
+
+static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
+{
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ return mbedtls_ssl_get_input_max_frag_len(ctx)
+ + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
+ + MBEDTLS_SSL_CID_IN_LEN_MAX;
+#else
+ return mbedtls_ssl_get_input_max_frag_len(ctx)
+ + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
+#endif
+}
+#endif
+
+/*
+ * TLS extension flags (for extensions with outgoing ServerHello content
+ * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
+ * of state of the renegotiation flag, so no indicator is required)
+ */
+#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
+#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
+
+/**
+ * \brief This function checks if the remaining size in a buffer is
+ * greater or equal than a needed space.
+ *
+ * \param cur Pointer to the current position in the buffer.
+ * \param end Pointer to one past the end of the buffer.
+ * \param need Needed space in bytes.
+ *
+ * \return Zero if the needed space is available in the buffer, non-zero
+ * otherwise.
+ */
+#if !defined(MBEDTLS_TEST_HOOKS)
+static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
+ const uint8_t *end, size_t need)
+{
+ return (cur > end) || (need > (size_t) (end - cur));
+}
+#else
+typedef struct {
+ const uint8_t *cur;
+ const uint8_t *end;
+ size_t need;
+} mbedtls_ssl_chk_buf_ptr_args;
+
+void mbedtls_ssl_set_chk_buf_ptr_fail_args(
+ const uint8_t *cur, const uint8_t *end, size_t need);
+void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args);
+
+static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
+ const uint8_t *end, size_t need)
+{
+ if ((cur > end) || (need > (size_t) (end - cur))) {
+ mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need);
+ return 1;
+ }
+ return 0;
+}
+#endif /* MBEDTLS_TEST_HOOKS */
+
+/**
+ * \brief This macro checks if the remaining size in a buffer is
+ * greater or equal than a needed space. If it is not the case,
+ * it returns an SSL_BUFFER_TOO_SMALL error.
+ *
+ * \param cur Pointer to the current position in the buffer.
+ * \param end Pointer to one past the end of the buffer.
+ * \param need Needed space in bytes.
+ *
+ */
+#define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \
+ do { \
+ if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
+ { \
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \
+ } \
+ } while (0)
+
+/**
+ * \brief This macro checks if the remaining length in an input buffer is
+ * greater or equal than a needed length. If it is not the case, it
+ * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
+ * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
+ *
+ * This is a function-like macro. It is guaranteed to evaluate each
+ * argument exactly once.
+ *
+ * \param cur Pointer to the current position in the buffer.
+ * \param end Pointer to one past the end of the buffer.
+ * \param need Needed length in bytes.
+ *
+ */
+#define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \
+ do { \
+ if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
+ { \
+ MBEDTLS_SSL_DEBUG_MSG(1, \
+ ("missing input data in %s", __func__)); \
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
+ MBEDTLS_ERR_SSL_DECODE_ERROR); \
+ return MBEDTLS_ERR_SSL_DECODE_ERROR; \
+ } \
+ } while (0)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
+ const char *label,
+ const unsigned char *random, size_t rlen,
+ unsigned char *dstbuf, size_t dlen);
+
+/* cipher.h exports the maximum IV, key and block length from
+ * all ciphers enabled in the config, regardless of whether those
+ * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
+ * in the default configuration and uses 64 Byte keys, but it is
+ * not used for record protection in SSL/TLS.
+ *
+ * In order to prevent unnecessary inflation of key structures,
+ * we introduce SSL-specific variants of the max-{key,block,IV}
+ * macros here which are meant to only take those ciphers into
+ * account which can be negotiated in SSL/TLS.
+ *
+ * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
+ * in cipher.h are rough overapproximations of the real maxima, here
+ * we content ourselves with replicating those overapproximations
+ * for the maximum block and IV length, and excluding XTS from the
+ * computation of the maximum key length. */
+#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
+#define MBEDTLS_SSL_MAX_IV_LENGTH 16
+#define MBEDTLS_SSL_MAX_KEY_LENGTH 32
+
+/**
+ * \brief The data structure holding the cryptographic material (key and IV)
+ * used for record protection in TLS 1.3.
+ */
+struct mbedtls_ssl_key_set {
+ /*! The key for client->server records. */
+ unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
+ /*! The key for server->client records. */
+ unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
+ /*! The IV for client->server records. */
+ unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
+ /*! The IV for server->client records. */
+ unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
+
+ size_t key_len; /*!< The length of client_write_key and
+ * server_write_key, in Bytes. */
+ size_t iv_len; /*!< The length of client_write_iv and
+ * server_write_iv, in Bytes. */
+};
+typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
+
+typedef struct {
+ unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+} mbedtls_ssl_tls13_early_secrets;
+
+typedef struct {
+ unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+} mbedtls_ssl_tls13_handshake_secrets;
+
+/*
+ * This structure contains the parameters only needed during handshake.
+ */
+struct mbedtls_ssl_handshake_params {
+ /* Frequently-used boolean or byte fields (placed early to take
+ * advantage of smaller code size for indirect access on Arm Thumb) */
+ uint8_t resume; /*!< session resume indicator*/
+ uint8_t cli_exts; /*!< client extension presence*/
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ uint8_t sni_authmode; /*!< authmode from SNI callback */
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ /* Flag indicating if a CertificateRequest message has been sent
+ * to the client or not. */
+ uint8_t certificate_request_sent;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ /* Flag indicating if the server has accepted early data or not. */
+ uint8_t early_data_accepted;
+#endif
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ uint8_t new_session_ticket; /*!< use NewSessionTicket? */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ /** Minimum TLS version to be negotiated.
+ *
+ * It is set up in the ClientHello writing preparation stage and used
+ * throughout the ClientHello writing. Not relevant anymore as soon as
+ * the protocol version has been negotiated thus as soon as the
+ * ServerHello is received.
+ * For a fresh handshake not linked to any previous handshake, it is
+ * equal to the configured minimum minor version to be negotiated. When
+ * renegotiating or resuming a session, it is equal to the previously
+ * negotiated minor version.
+ *
+ * There is no maximum TLS version field in this handshake context.
+ * From the start of the handshake, we need to define a current protocol
+ * version for the record layer which we define as the maximum TLS
+ * version to be negotiated. The `tls_version` field of the SSL context is
+ * used to store this maximum value until it contains the actual
+ * negotiated value.
+ */
+ mbedtls_ssl_protocol_version min_tls_version;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ uint8_t extended_ms; /*!< use Extended Master Secret? */
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ unsigned char retransmit_state; /*!< Retransmission state */
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+ unsigned char group_list_heap_allocated;
+ unsigned char sig_algs_heap_allocated;
+#endif
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
+ enum { /* this complements ssl->state with info on intra-state operations */
+ ssl_ecrs_none = 0, /*!< nothing going on (yet) */
+ ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
+ ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
+ ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
+ ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
+ } ecrs_state; /*!< current (or last) operation */
+ mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
+ size_t ecrs_n; /*!< place for saving a length */
+#endif
+
+ mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
+
+ MBEDTLS_CHECK_RETURN_CRITICAL
+ int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
+ MBEDTLS_CHECK_RETURN_CRITICAL
+ int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
+ MBEDTLS_CHECK_RETURN_CRITICAL
+ int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
+ mbedtls_ssl_tls_prf_cb *tls_prf;
+
+ /*
+ * Handshake specific crypto variables
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ uint8_t key_exchange_mode; /*!< Selected key exchange mode */
+
+ /**
+ * Flag indicating if, in the course of the current handshake, an
+ * HelloRetryRequest message has been sent by the server or received by
+ * the client (<> 0) or not (0).
+ */
+ uint8_t hello_retry_request_flag;
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ /**
+ * Flag indicating if, in the course of the current handshake, a dummy
+ * change_cipher_spec (CCS) record has already been sent. Used to send only
+ * one CCS per handshake while not complicating the handshake state
+ * transitions for that purpose.
+ */
+ uint8_t ccs_sent;
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
+#endif
+ /** selected_group of key_share extension in HelloRetryRequest message. */
+ uint16_t hrr_selected_group;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ uint16_t new_session_tickets_count; /*!< number of session tickets */
+#endif
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+ uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+ const uint16_t *group_list;
+ const uint16_t *sig_algs;
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+ mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
+#endif
+
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
+ mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
+#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
+ MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
+ psa_key_type_t xxdh_psa_type;
+ size_t xxdh_psa_bits;
+ mbedtls_svc_key_id_t xxdh_psa_privkey;
+ uint8_t xxdh_psa_privkey_is_external;
+ unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
+ size_t xxdh_psa_peerkey_len;
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
+ mbedtls_svc_key_id_t psa_pake_password;
+ uint8_t psa_pake_ctx_is_ok;
+#else
+ mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_SSL_CLI_C)
+ unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
+ size_t ecjpake_cache_len; /*!< Length of cached data */
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
+#endif
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
+ uint8_t psk_opaque_is_internal;
+#else
+ unsigned char *psk; /*!< PSK from the callback */
+ size_t psk_len; /*!< Length of PSK from callback */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ uint16_t selected_identity;
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
+ mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
+ mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+ struct {
+ size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
+ * buffers used for message buffering. */
+
+ uint8_t seen_ccs; /*!< Indicates if a CCS message has
+ * been seen in the current flight. */
+
+ struct mbedtls_ssl_hs_buffer {
+ unsigned is_valid : 1;
+ unsigned is_fragmented : 1;
+ unsigned is_complete : 1;
+ unsigned char *data;
+ size_t data_len;
+ } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
+
+ struct {
+ unsigned char *data;
+ size_t len;
+ unsigned epoch;
+ } future_record;
+
+ } buffering;
+
+#if defined(MBEDTLS_SSL_CLI_C) && \
+ (defined(MBEDTLS_SSL_PROTO_DTLS) || \
+ defined(MBEDTLS_SSL_PROTO_TLS1_3))
+ unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
+ * HelloRetryRequest cookie for TLS 1.3 */
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* RFC 6347 page 15
+ ...
+ opaque cookie<0..2^8-1>;
+ ...
+ */
+ uint8_t cookie_len;
+#else
+ /* RFC 8446 page 39
+ ...
+ opaque cookie<0..2^16-1>;
+ ...
+ If TLS1_3 is enabled, the max length is 2^16 - 1
+ */
+ uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length
+ * TLS1_3: HelloRetryRequest cookie length */
+#endif
+#endif /* MBEDTLS_SSL_CLI_C &&
+ ( MBEDTLS_SSL_PROTO_DTLS ||
+ MBEDTLS_SSL_PROTO_TLS1_3 ) */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS)
+ unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
+ unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
+
+ uint32_t retransmit_timeout; /*!< Current value of timeout */
+ mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
+ mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
+ unsigned char *cur_msg_p; /*!< Position in current message */
+ unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
+ flight being received */
+ mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
+ resending messages */
+ unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
+ for resending messages */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ /* The state of CID configuration in this handshake. */
+
+ uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
+ * has been negotiated. Possible values are
+ * #MBEDTLS_SSL_CID_ENABLED and
+ * #MBEDTLS_SSL_CID_DISABLED. */
+ unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */
+ uint8_t peer_cid_len; /*!< The length of
+ * \c peer_cid. */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ /*
+ * Checksum contexts
+ */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_operation_t fin_sha256_psa;
+#else
+ mbedtls_md_context_t fin_sha256;
+#endif
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_operation_t fin_sha384_psa;
+#else
+ mbedtls_md_context_t fin_sha384;
+#endif
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ uint16_t offered_group_id; /* The NamedGroup value for the group
+ * that is being used for ephemeral
+ * key exchange.
+ *
+ * On the client: Defaults to the first
+ * entry in the client's group list,
+ * but can be overwritten by the HRR. */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ uint8_t client_auth; /*!< used to check if CertificateRequest has been
+ received from server side. If CertificateRequest
+ has been received, Certificate and CertificateVerify
+ should be sent to server */
+#endif /* MBEDTLS_SSL_CLI_C */
+ /*
+ * State-local variables used during the processing
+ * of a specific handshake state.
+ */
+ union {
+ /* Outgoing Finished message */
+ struct {
+ uint8_t preparation_done;
+
+ /* Buffer holding digest of the handshake up to
+ * but excluding the outgoing finished message. */
+ unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t digest_len;
+ } finished_out;
+
+ /* Incoming Finished message */
+ struct {
+ uint8_t preparation_done;
+
+ /* Buffer holding digest of the handshake up to but
+ * excluding the peer's incoming finished message. */
+ unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t digest_len;
+ } finished_in;
+
+ } state_local;
+
+ /* End of state-local variables. */
+
+ unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN];
+ /*!< random bytes */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
+ /*!< premaster secret */
+ size_t pmslen; /*!< premaster length */
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ uint32_t sent_extensions; /*!< extensions sent by endpoint */
+ uint32_t received_extensions; /*!< extensions received by endpoint */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+ unsigned char certificate_request_context_len;
+ unsigned char *certificate_request_context;
+#endif
+
+ /** TLS 1.3 transform for encrypted handshake messages. */
+ mbedtls_ssl_transform *transform_handshake;
+ union {
+ unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ } tls13_master_secrets;
+
+ mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ /** TLS 1.3 transform for early data and handshake messages. */
+ mbedtls_ssl_transform *transform_earlydata;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ /** Asynchronous operation context. This field is meant for use by the
+ * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
+ * mbedtls_ssl_config::f_async_decrypt_start,
+ * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
+ * The library does not use it internally. */
+ void *user_async_ctx;
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ const unsigned char *sni_name; /*!< raw SNI */
+ size_t sni_name_len; /*!< raw SNI len */
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+ const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
+#endif
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+};
+
+typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
+
+/*
+ * Representation of decryption/encryption transformations on records
+ *
+ * There are the following general types of record transformations:
+ * - Stream transformations (TLS versions == 1.2 only)
+ * Transformation adding a MAC and applying a stream-cipher
+ * to the authenticated message.
+ * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
+ * For TLS 1.2, no IV is generated at key extraction time, but every
+ * encrypted record is explicitly prefixed by the IV with which it was
+ * encrypted.
+ * - AEAD transformations ([D]TLS versions == 1.2 only)
+ * These come in two fundamentally different versions, the first one
+ * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
+ * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
+ * In the first transformation, the IV to be used for a record is obtained
+ * as the concatenation of an explicit, static 4-byte IV and the 8-byte
+ * record sequence number, and explicitly prepending this sequence number
+ * to the encrypted record. In contrast, in the second transformation
+ * the IV is obtained by XOR'ing a static IV obtained at key extraction
+ * time with the 8-byte record sequence number, without prepending the
+ * latter to the encrypted record.
+ *
+ * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
+ * which allows to add flexible length padding and to hide a record's true
+ * content type.
+ *
+ * In addition to type and version, the following parameters are relevant:
+ * - The symmetric cipher algorithm to be used.
+ * - The (static) encryption/decryption keys for the cipher.
+ * - For stream/CBC, the type of message digest to be used.
+ * - For stream/CBC, (static) encryption/decryption keys for the digest.
+ * - For AEAD transformations, the size (potentially 0) of an explicit,
+ * random initialization vector placed in encrypted records.
+ * - For some transformations (currently AEAD) an implicit IV. It is static
+ * and (if present) is combined with the explicit IV in a transformation-
+ * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
+ * - For stream/CBC, a flag determining the order of encryption and MAC.
+ * - The details of the transformation depend on the SSL/TLS version.
+ * - The length of the authentication tag.
+ *
+ * The struct below refines this abstract view as follows:
+ * - The cipher underlying the transformation is managed in
+ * cipher contexts cipher_ctx_{enc/dec}, which must have the
+ * same cipher type. The mode of these cipher contexts determines
+ * the type of the transformation in the sense above: e.g., if
+ * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
+ * then the transformation has type CBC resp. AEAD.
+ * - The cipher keys are never stored explicitly but
+ * are maintained within cipher_ctx_{enc/dec}.
+ * - For stream/CBC transformations, the message digest contexts
+ * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
+ * are unused for AEAD transformations.
+ * - For stream/CBC transformations, the MAC keys are not stored explicitly
+ * but maintained within md_ctx_{enc/dec}.
+ * - The mac_enc and mac_dec fields are unused for EAD transformations.
+ * - For transformations using an implicit IV maintained within
+ * the transformation context, its contents are stored within
+ * iv_{enc/dec}.
+ * - The value of ivlen indicates the length of the IV.
+ * This is redundant in case of stream/CBC transformations
+ * which always use 0 resp. the cipher's block length as the
+ * IV length, but is needed for AEAD ciphers and may be
+ * different from the underlying cipher's block length
+ * in this case.
+ * - The field fixed_ivlen is nonzero for AEAD transformations only
+ * and indicates the length of the static part of the IV which is
+ * constant throughout the communication, and which is stored in
+ * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
+ * - tls_version denotes the 2-byte TLS version
+ * - For stream/CBC transformations, maclen denotes the length of the
+ * authentication tag, while taglen is unused and 0.
+ * - For AEAD transformations, taglen denotes the length of the
+ * authentication tag, while maclen is unused and 0.
+ * - For CBC transformations, encrypt_then_mac determines the
+ * order of encryption and authentication. This field is unused
+ * in other transformations.
+ *
+ */
+struct mbedtls_ssl_transform {
+ /*
+ * Session specific crypto layer
+ */
+ size_t minlen; /*!< min. ciphertext length */
+ size_t ivlen; /*!< IV length */
+ size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
+ size_t maclen; /*!< MAC(CBC) len */
+ size_t taglen; /*!< TAG(AEAD) len */
+
+ unsigned char iv_enc[16]; /*!< IV (encryption) */
+ unsigned char iv_dec[16]; /*!< IV (decryption) */
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
+ mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
+ psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
+#else
+ mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
+ mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ int encrypt_then_mac; /*!< flag for EtM activation */
+#endif
+
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+
+ mbedtls_ssl_protocol_version tls_version;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
+ mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
+ psa_algorithm_t psa_alg; /*!< psa algorithm */
+#else
+ mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
+ mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ uint8_t in_cid_len;
+ uint8_t out_cid_len;
+ unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
+ unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+ /* We need the Hello random bytes in order to re-derive keys from the
+ * Master Secret and other session info,
+ * see ssl_tls12_populate_transform() */
+ unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
+ MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
+ /*!< ServerHello.random+ClientHello.random */
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+};
+
+/*
+ * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
+ * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
+ */
+static inline int mbedtls_ssl_transform_uses_aead(
+ const mbedtls_ssl_transform *transform)
+{
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ return transform->maclen == 0 && transform->taglen != 0;
+#else
+ (void) transform;
+ return 1;
+#endif
+}
+
+/*
+ * Internal representation of record frames
+ *
+ * Instances come in two flavors:
+ * (1) Encrypted
+ * These always have data_offset = 0
+ * (2) Unencrypted
+ * These have data_offset set to the amount of
+ * pre-expansion during record protection. Concretely,
+ * this is the length of the fixed part of the explicit IV
+ * used for encryption, or 0 if no explicit IV is used
+ * (e.g. for stream ciphers).
+ *
+ * The reason for the data_offset in the unencrypted case
+ * is to allow for in-place conversion of an unencrypted to
+ * an encrypted record. If the offset wasn't included, the
+ * encrypted content would need to be shifted afterwards to
+ * make space for the fixed IV.
+ *
+ */
+#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
+#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
+#else
+#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
+#endif
+
+typedef struct {
+ uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
+ * In DTLS: The 2-byte epoch followed by
+ * the 6-byte sequence number.
+ * This is stored as a raw big endian byte array
+ * as opposed to a uint64_t because we rarely
+ * need to perform arithmetic on this, but do
+ * need it as a Byte array for the purpose of
+ * MAC computations. */
+ uint8_t type; /* The record content type. */
+ uint8_t ver[2]; /* SSL/TLS version as present on the wire.
+ * Convert to internal presentation of versions
+ * using mbedtls_ssl_read_version() and
+ * mbedtls_ssl_write_version().
+ * Keep wire-format for MAC computations. */
+
+ unsigned char *buf; /* Memory buffer enclosing the record content */
+ size_t buf_len; /* Buffer length */
+ size_t data_offset; /* Offset of record content */
+ size_t data_len; /* Length of record content */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ uint8_t cid_len; /* Length of the CID (0 if not present) */
+ unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+} mbedtls_record;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * List of certificate + private key pairs
+ */
+struct mbedtls_ssl_key_cert {
+ mbedtls_x509_crt *cert; /*!< cert */
+ mbedtls_pk_context *key; /*!< private key */
+ mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
+};
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * List of handshake messages kept around for resending
+ */
+struct mbedtls_ssl_flight_item {
+ unsigned char *p; /*!< message, including handshake headers */
+ size_t len; /*!< length of p */
+ unsigned char type; /*!< type of the message: handshake or CCS */
+ mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
+};
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+/**
+ * \brief Given an SSL context and its associated configuration, write the TLS
+ * 1.2 specific extensions of the ClientHello message.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] buf Base address of the buffer where to write the extensions
+ * \param[in] end End address of the buffer where to write the extensions
+ * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
+ * (<> 0) or not ( 0 ).
+ * \param[out] out_len Length of the data written into the buffer \p buf
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ int uses_ec,
+ size_t *out_len);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+/**
+ * \brief Find the preferred hash for a given signature algorithm.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] sig_alg A signature algorithm identifier as defined in the
+ * TLS 1.2 SignatureAlgorithm enumeration.
+ *
+ * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
+ * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
+ */
+unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ mbedtls_ssl_context *ssl,
+ unsigned int sig_alg);
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+ MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+/**
+ * \brief Free referenced items in an SSL transform context and clear
+ * memory
+ *
+ * \param transform SSL transform context
+ */
+void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
+
+/**
+ * \brief Free referenced items in an SSL handshake context and clear
+ * memory
+ *
+ * \param ssl SSL context
+ */
+void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
+
+/* set inbound transform of ssl context */
+void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_transform *transform);
+
+/* set outbound transform of ssl context */
+void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_transform *transform);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
+static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_states state)
+{
+ ssl->state = (int) state;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief Update record layer
+ *
+ * This function roughly separates the implementation
+ * of the logic of (D)TLS from the implementation
+ * of the secure transport.
+ *
+ * \param ssl The SSL context to use.
+ * \param update_hs_digest This indicates if the handshake digest
+ * should be automatically updated in case
+ * a handshake message is found.
+ *
+ * \return 0 or non-zero error code.
+ *
+ * \note A clarification on what is called 'record layer' here
+ * is in order, as many sensible definitions are possible:
+ *
+ * The record layer takes as input an untrusted underlying
+ * transport (stream or datagram) and transforms it into
+ * a serially multiplexed, secure transport, which
+ * conceptually provides the following:
+ *
+ * (1) Three datagram based, content-agnostic transports
+ * for handshake, alert and CCS messages.
+ * (2) One stream- or datagram-based transport
+ * for application data.
+ * (3) Functionality for changing the underlying transform
+ * securing the contents.
+ *
+ * The interface to this functionality is given as follows:
+ *
+ * a Updating
+ * [Currently implemented by mbedtls_ssl_read_record]
+ *
+ * Check if and on which of the four 'ports' data is pending:
+ * Nothing, a controlling datagram of type (1), or application
+ * data (2). In any case data is present, internal buffers
+ * provide access to the data for the user to process it.
+ * Consumption of type (1) datagrams is done automatically
+ * on the next update, invalidating that the internal buffers
+ * for previous datagrams, while consumption of application
+ * data (2) is user-controlled.
+ *
+ * b Reading of application data
+ * [Currently manual adaption of ssl->in_offt pointer]
+ *
+ * As mentioned in the last paragraph, consumption of data
+ * is different from the automatic consumption of control
+ * datagrams (1) because application data is treated as a stream.
+ *
+ * c Tracking availability of application data
+ * [Currently manually through decreasing ssl->in_msglen]
+ *
+ * For efficiency and to retain datagram semantics for
+ * application data in case of DTLS, the record layer
+ * provides functionality for checking how much application
+ * data is still available in the internal buffer.
+ *
+ * d Changing the transformation securing the communication.
+ *
+ * Given an opaque implementation of the record layer in the
+ * above sense, it should be possible to implement the logic
+ * of (D)TLS on top of it without the need to know anything
+ * about the record layer's internals. This is done e.g.
+ * in all the handshake handling functions, and in the
+ * application data reading function mbedtls_ssl_read.
+ *
+ * \note The above tries to give a conceptual picture of the
+ * record layer, but the current implementation deviates
+ * from it in some places. For example, our implementation of
+ * the update functionality through mbedtls_ssl_read_record
+ * discards datagrams depending on the current state, which
+ * wouldn't fall under the record layer's responsibility
+ * following the above definition.
+ *
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
+ unsigned update_hs_digest);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
+
+/*
+ * Write handshake message header
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type,
+ unsigned char **buf, size_t *buf_len);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
+ int update_checksum,
+ int force_flush);
+static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
+}
+
+/*
+ * Write handshake message tail
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
+ size_t buf_len, size_t msg_len);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
+
+void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
+
+/*
+ * Update checksum of handshake messages.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ unsigned char const *msg,
+ size_t msg_len);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ size_t total_hs_len);
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
+ mbedtls_key_exchange_type_t key_ex);
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+#if defined(MBEDTLS_SSL_CLI_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
+#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * Get the first defined opaque PSK by order of precedence:
+ * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
+ * callback
+ * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
+ * Return an opaque PSK
+ */
+static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
+ const mbedtls_ssl_context *ssl)
+{
+ if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
+ return ssl->handshake->psk_opaque;
+ }
+
+ if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
+ return ssl->conf->psk_opaque;
+ }
+
+ return MBEDTLS_SVC_KEY_ID_INIT;
+}
+#else
+/**
+ * Get the first defined PSK by order of precedence:
+ * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
+ * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
+ * Return a code and update the pair (PSK, PSK length) passed to this function
+ */
+static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
+ const unsigned char **psk, size_t *psk_len)
+{
+ if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
+ *psk = ssl->handshake->psk;
+ *psk_len = ssl->handshake->psk_len;
+ } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
+ *psk = ssl->conf->psk;
+ *psk_len = ssl->conf->psk_len;
+ } else {
+ *psk = NULL;
+ *psk_len = 0;
+ return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
+
+#if defined(MBEDTLS_PK_C)
+unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
+unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
+#endif
+
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
+unsigned char mbedtls_ssl_hash_from_md_alg(int md);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
+#endif
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+/**
+ * \brief Return PSA EC info for the specified TLS ID.
+ *
+ * \param tls_id The TLS ID to look for
+ * \param type If the TLD ID is supported, then proper \c psa_key_type_t
+ * value is returned here. Can be NULL.
+ * \param bits If the TLD ID is supported, then proper bit size is returned
+ * here. Can be NULL.
+ * \return PSA_SUCCESS if the TLS ID is supported,
+ * PSA_ERROR_NOT_SUPPORTED otherwise
+ *
+ * \note If either \c family or \c bits parameters are NULL, then
+ * the corresponding value is not returned.
+ * The function can be called with both parameters as NULL
+ * simply to check if a specific TLS ID is supported.
+ */
+int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
+ psa_key_type_t *type,
+ size_t *bits);
+
+/**
+ * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
+ *
+ * \param tls_id The TLS ID to look for
+ * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
+ * or MBEDTLS_ECP_DP_NONE otherwise
+ */
+mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id);
+
+/**
+ * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
+ *
+ * \param grp_id The \c mbedtls_ecp_group_id ID to look for
+ * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
+ * or 0 otherwise
+ */
+uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id);
+
+#if defined(MBEDTLS_DEBUG_C)
+/**
+ * \brief Return EC's name for the specified TLS ID.
+ *
+ * \param tls_id The TLS ID to look for
+ * \return A pointer to a const string with the proper name. If TLS
+ * ID is not supported, a NULL pointer is returned instead.
+ */
+const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id);
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
+ (const uint16_t srtp_profile_value)
+{
+ switch (srtp_profile_value) {
+ case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
+ case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
+ case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
+ case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
+ return srtp_profile_value;
+ default: break;
+ }
+ return MBEDTLS_TLS_SRTP_UNSET;
+}
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_key_cert *key_cert;
+
+ if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
+ key_cert = ssl->handshake->key_cert;
+ } else {
+ key_cert = ssl->conf->key_cert;
+ }
+
+ return key_cert == NULL ? NULL : key_cert->key;
+}
+
+static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_key_cert *key_cert;
+
+ if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
+ key_cert = ssl->handshake->key_cert;
+ } else {
+ key_cert = ssl->conf->key_cert;
+ }
+
+ return key_cert == NULL ? NULL : key_cert->cert;
+}
+
+/*
+ * Check usage of a certificate wrt extensions:
+ * keyUsage, extendedKeyUsage (later), and nSCertType (later).
+ *
+ * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
+ * check a cert we received from them)!
+ *
+ * Return 0 if everything is OK, -1 if not.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
+ const mbedtls_ssl_ciphersuite_t *ciphersuite,
+ int cert_endpoint,
+ uint32_t *flags);
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_write_version(unsigned char version[2], int transport,
+ mbedtls_ssl_protocol_version tls_version);
+uint16_t mbedtls_ssl_read_version(const unsigned char version[2],
+ int transport);
+
+static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
+{
+#if !defined(MBEDTLS_SSL_PROTO_DTLS)
+ ((void) ssl);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ return 13;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ {
+ return 5;
+ }
+}
+
+static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
+{
+ return (size_t) (ssl->out_iv - ssl->out_hdr);
+}
+
+static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ return 12;
+ }
+#else
+ ((void) ssl);
+#endif
+ return 4;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
+#endif
+
+/* Visible for testing purposes only */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
+void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
+#endif
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
+ const mbedtls_ssl_session *src);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
+ unsigned char *hash, size_t *hashlen,
+ unsigned char *data, size_t data_len,
+ mbedtls_md_type_t md_alg);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#ifdef __cplusplus
+}
+#endif
+
+void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_transform *transform,
+ mbedtls_record *rec,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
+ mbedtls_ssl_transform *transform,
+ mbedtls_record *rec);
+
+/* Length of the "epoch" field in the record header */
+static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ return 2;
+ }
+#else
+ ((void) ssl);
+#endif
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
+
+void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_transform *transform);
+void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
+void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
+ int partial);
+
+/*
+ * Send pending alert
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl);
+
+/*
+ * Set pending fatal alert flag.
+ */
+void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
+ unsigned char alert_type,
+ int alert_reason);
+
+/* Alias of mbedtls_ssl_pend_fatal_alert */
+#define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \
+ mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value)
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
+#endif
+
+void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
+void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/**
+ * ssl utils functions for checking configuration.
+ */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf)
+{
+ return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf)
+{
+ return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+ conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf)
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
+ conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3;
+#else
+ ((void) conf);
+ return 0;
+#endif
+}
+
+static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf)
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
+ conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2;
+#else
+ ((void) conf);
+ return 0;
+#endif
+}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf)
+{
+ return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+ conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN];
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief Given an SSL context and its associated configuration, write the TLS
+ * 1.3 specific extensions of the ClientHello message.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] buf Base address of the buffer where to write the extensions
+ * \param[in] end End address of the buffer where to write the extensions
+ * \param[out] out_len Length of the data written into the buffer \p buf
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len);
+
+/**
+ * \brief TLS 1.3 client side state machine entry
+ *
+ * \param ssl SSL context
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief TLS 1.3 server side state machine entry
+ *
+ * \param ssl SSL context
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
+
+
+/*
+ * Helper functions around key exchange modes.
+ */
+static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl,
+ int kex_mode_mask)
+{
+ return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
+}
+
+static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
+}
+
+static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+}
+
+static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
+}
+
+static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
+}
+
+static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
+}
+
+#if defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+/**
+ * Given a list of key exchange modes, check if at least one of them is
+ * supported by peer.
+ *
+ * \param[in] ssl SSL context
+ * \param kex_modes_mask Mask of the key exchange modes to check
+ *
+ * \return Non-zero if at least one of the key exchange modes is supported by
+ * the peer, otherwise \c 0.
+ */
+static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl,
+ int kex_modes_mask)
+{
+ return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0;
+}
+
+static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
+}
+
+static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported(
+ mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+}
+
+static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
+}
+
+static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
+}
+
+static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
+}
+#endif /* MBEDTLS_SSL_SRV_C &&
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+
+/*
+ * Helper functions for extensions checking.
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_check_received_extension(
+ mbedtls_ssl_context *ssl,
+ int hs_msg_type,
+ unsigned int received_extension_type,
+ uint32_t hs_msg_allowed_extensions_mask);
+
+static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+ mbedtls_ssl_context *ssl, unsigned int extension_type)
+{
+ ssl->handshake->sent_extensions |=
+ mbedtls_ssl_get_extension_mask(extension_type);
+}
+
+/*
+ * Helper functions to check the selected key exchange mode.
+ */
+static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
+ mbedtls_ssl_context *ssl, int kex_mask)
+{
+ return (ssl->handshake->key_exchange_mode & kex_mask) != 0;
+}
+
+static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
+ mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
+}
+
+static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
+ mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
+}
+
+/*
+ * Fetch TLS 1.3 handshake message header
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ unsigned char **buf,
+ size_t *buf_len);
+
+/**
+ * \brief Detect if a list of extensions contains a supported_versions
+ * extension or not.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] buf Address of the first byte of the extensions vector.
+ * \param[in] end End of the buffer containing the list of extensions.
+ * \param[out] supported_versions_data If the extension is present, address of
+ * its first byte of data, NULL otherwise.
+ * \param[out] supported_versions_data_end If the extension is present, address
+ * of the first byte immediately
+ * following the extension data, NULL
+ * otherwise.
+ * \return 0 if the list of extensions does not contain a supported_versions
+ * extension.
+ * \return 1 if the list of extensions contains a supported_versions
+ * extension.
+ * \return A negative value if an error occurred while parsing the
+ * extensions.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *buf, const unsigned char *end,
+ const unsigned char **supported_versions_data,
+ const unsigned char **supported_versions_data_end);
+
+/*
+ * Handler of TLS 1.3 server certificate message
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+/*
+ * Handler of TLS 1.3 write Certificate message
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl);
+
+/*
+ * Handler of TLS 1.3 write Certificate Verify message
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl);
+
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+/*
+ * Generic handler of Certificate Verify
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl);
+
+/*
+ * Write of dummy-CCS's for middlebox compatibility
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
+
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
+ mbedtls_ssl_context *ssl,
+ uint16_t named_group,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len);
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
+ int in_new_session_ticket,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len);
+
+int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
+ size_t early_data_len);
+
+typedef enum {
+/*
+ * The client has not sent the first ClientHello yet, the negotiation of early
+ * data has not started yet.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_IDLE,
+
+/*
+ * In its ClientHello, the client has not included an early data indication
+ * extension.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT,
+
+/*
+ * The client has sent an early data indication extension in its first
+ * ClientHello, it has not received the response (ServerHello or
+ * HelloRetryRequest) from the server yet. The transform to protect early data
+ * is not set either as for middlebox compatibility a dummy CCS may have to be
+ * sent in clear. Early data cannot be sent to the server yet.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT,
+
+/*
+ * The client has sent an early data indication extension in its first
+ * ClientHello, it has not received the response (ServerHello or
+ * HelloRetryRequest) from the server yet. The transform to protect early data
+ * has been set and early data can be written now.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE,
+
+/*
+ * The client has indicated the use of early data and the server has accepted
+ * it.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED,
+
+/*
+ * The client has indicated the use of early data but the server has rejected
+ * it.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED,
+
+/*
+ * The client has sent an early data indication extension in its first
+ * ClientHello, the server has accepted them and the client has received the
+ * server Finished message. It cannot send early data to the server anymore.
+ */
+ MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED,
+
+} mbedtls_ssl_early_data_state;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+/*
+ * Write Signature Algorithm extension
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
+ const unsigned char *end, size_t *out_len);
+/*
+ * Parse TLS Signature Algorithm extension
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end);
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+/* Get handshake transcript */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
+ const mbedtls_md_type_t md,
+ unsigned char *dst,
+ size_t dst_len,
+ size_t *olen);
+
+/*
+ * Return supported groups.
+ *
+ * In future, invocations can be changed to ssl->conf->group_list
+ * when mbedtls_ssl_conf_curves() is deleted.
+ *
+ * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
+ * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
+ * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
+ *
+ */
+static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl)
+{
+ #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
+ return ssl->conf->group_list;
+ #else
+ if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) {
+ return ssl->handshake->group_list;
+ } else {
+ return ssl->conf->group_list;
+ }
+ #endif
+}
+
+/*
+ * Helper functions for NamedGroup.
+ */
+static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)
+{
+ /*
+ * RFC 8422 section 5.1.1
+ */
+ return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
+ /* Below deprecated curves should be removed with notice to users */
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1;
+}
+
+static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
+{
+ return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
+ named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
+}
+
+static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
+{
+ return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
+ named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
+}
+
+static inline int mbedtls_ssl_named_group_is_offered(
+ const mbedtls_ssl_context *ssl, uint16_t named_group)
+{
+ const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
+
+ if (group_list == NULL) {
+ return 0;
+ }
+
+ for (; *group_list != 0; group_list++) {
+ if (*group_list == named_group) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
+{
+#if defined(PSA_WANT_ALG_ECDH)
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
+ if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
+ MBEDTLS_ECP_DP_NONE) {
+ return 1;
+ }
+ }
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+ if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
+ return 1;
+ }
+#endif
+#if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH)
+ (void) named_group;
+#endif
+ return 0;
+}
+
+/*
+ * Return supported signature algorithms.
+ *
+ * In future, invocations can be changed to ssl->conf->sig_algs when
+ * mbedtls_ssl_conf_sig_hashes() is deleted.
+ *
+ * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
+ * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
+ * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
+ * been more recently invoked.
+ *
+ */
+static inline const void *mbedtls_ssl_get_sig_algs(
+ const mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ssl->handshake != NULL &&
+ ssl->handshake->sig_algs_heap_allocated == 1 &&
+ ssl->handshake->sig_algs != NULL) {
+ return ssl->handshake->sig_algs;
+ }
+#endif
+ return ssl->conf->sig_algs;
+
+#else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+ ((void) ssl);
+ return NULL;
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+}
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl,
+ uint16_t own_sig_alg)
+{
+ const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
+ if (sig_alg == NULL) {
+ return 0;
+ }
+
+ for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
+ if (*sig_alg == own_sig_alg) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
+ const uint16_t sig_alg)
+{
+ switch (sig_alg) {
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
+#if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256)
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
+ break;
+#endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384)
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
+ break;
+#endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521)
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
+ break;
+#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
+
+#if defined(MBEDTLS_PKCS1_V21)
+#if defined(PSA_WANT_ALG_SHA_256)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+ break;
+#endif /* PSA_WANT_ALG_SHA_256 */
+#if defined(PSA_WANT_ALG_SHA_384)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+ break;
+#endif /* PSA_WANT_ALG_SHA_384 */
+#if defined(PSA_WANT_ALG_SHA_512)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ break;
+#endif /* PSA_WANT_ALG_SHA_512 */
+#endif /* MBEDTLS_PKCS1_V21 */
+ default:
+ return 0;
+ }
+ return 1;
+
+}
+
+static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
+ const uint16_t sig_alg)
+{
+ switch (sig_alg) {
+#if defined(MBEDTLS_PKCS1_V15)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
+ break;
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
+ break;
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
+ break;
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+#endif /* MBEDTLS_PKCS1_V15 */
+ default:
+ return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
+ sig_alg);
+ }
+ return 1;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
+ mbedtls_pk_context *key);
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
+ uint16_t proposed_sig_alg)
+{
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
+ if (sig_alg == NULL) {
+ return 0;
+ }
+
+ for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
+ if (*sig_alg == proposed_sig_alg) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
+ uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
+{
+ *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff);
+ *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
+
+ if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) {
+ return 0;
+ }
+
+ switch (sig_alg) {
+#if defined(MBEDTLS_PKCS1_V21)
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+ *md_alg = MBEDTLS_MD_SHA256;
+ *pk_type = MBEDTLS_PK_RSASSA_PSS;
+ break;
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+ *md_alg = MBEDTLS_MD_SHA384;
+ *pk_type = MBEDTLS_PK_RSASSA_PSS;
+ break;
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ *md_alg = MBEDTLS_MD_SHA512;
+ *pk_type = MBEDTLS_PK_RSASSA_PSS;
+ break;
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+#endif /* MBEDTLS_PKCS1_V21 */
+ default:
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
+ const uint16_t sig_alg)
+{
+ /* High byte is hash */
+ unsigned char hash = MBEDTLS_BYTE_1(sig_alg);
+ unsigned char sig = MBEDTLS_BYTE_0(sig_alg);
+
+ switch (hash) {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ case MBEDTLS_SSL_HASH_MD5:
+ break;
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ case MBEDTLS_SSL_HASH_SHA1:
+ break;
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ case MBEDTLS_SSL_HASH_SHA224:
+ break;
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_SSL_HASH_SHA256:
+ break;
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_SSL_HASH_SHA384:
+ break;
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case MBEDTLS_SSL_HASH_SHA512:
+ break;
+#endif
+
+ default:
+ return 0;
+ }
+
+ switch (sig) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_SSL_SIG_RSA:
+ break;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ case MBEDTLS_SSL_SIG_ECDSA:
+ break;
+#endif
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static inline int mbedtls_ssl_sig_alg_is_supported(
+ const mbedtls_ssl_context *ssl,
+ const uint16_t sig_alg)
+{
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
+ return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg);
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg);
+ }
+#endif
+ ((void) ssl);
+ ((void) sig_alg);
+ return 0;
+}
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
+ * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
+ * guaranteed to not be a valid PSA algorithm identifier.
+ */
+#define MBEDTLS_SSL_NULL_CIPHER 0x04000000
+
+/**
+ * \brief Translate mbedtls cipher type/taglen pair to psa:
+ * algorithm, key type and key size.
+ *
+ * \param mbedtls_cipher_type [in] given mbedtls cipher type
+ * \param taglen [in] given tag length
+ * 0 - default tag length
+ * \param alg [out] corresponding PSA alg
+ * There is no corresponding PSA
+ * alg for MBEDTLS_CIPHER_NULL, so
+ * in this case MBEDTLS_SSL_NULL_CIPHER
+ * is returned via this parameter
+ * \param key_type [out] corresponding PSA key type
+ * \param key_size [out] corresponding PSA key size
+ *
+ * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
+ * conversion is not supported.
+ */
+psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
+ size_t taglen,
+ psa_algorithm_t *alg,
+ psa_key_type_t *key_type,
+ size_t *key_size);
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/**
+ * \brief Convert given PSA status to mbedtls error code.
+ *
+ * \param status [in] given PSA status
+ *
+ * \return corresponding mbedtls error code
+ */
+static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status)
+{
+ switch (status) {
+ case PSA_SUCCESS:
+ return 0;
+ case PSA_ERROR_INSUFFICIENT_MEMORY:
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ case PSA_ERROR_INVALID_SIGNATURE:
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ case PSA_ERROR_INVALID_ARGUMENT:
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ case PSA_ERROR_BAD_STATE:
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ case PSA_ERROR_BUFFER_TOO_SMALL:
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ default:
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
+ defined(MBEDTLS_USE_PSA_CRYPTO)
+
+typedef enum {
+ MBEDTLS_ECJPAKE_ROUND_ONE,
+ MBEDTLS_ECJPAKE_ROUND_TWO
+} mbedtls_ecjpake_rounds_t;
+
+/**
+ * \brief Parse the provided input buffer for getting the first round
+ * of key exchange. This code is common between server and client
+ *
+ * \param pake_ctx [in] the PAKE's operation/context structure
+ * \param buf [in] input buffer to parse
+ * \param len [in] length of the input buffer
+ * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
+ * MBEDTLS_ECJPAKE_ROUND_TWO
+ *
+ * \return 0 on success or a negative error code in case of failure
+ */
+int mbedtls_psa_ecjpake_read_round(
+ psa_pake_operation_t *pake_ctx,
+ const unsigned char *buf,
+ size_t len, mbedtls_ecjpake_rounds_t round);
+
+/**
+ * \brief Write the first round of key exchange into the provided output
+ * buffer. This code is common between server and client
+ *
+ * \param pake_ctx [in] the PAKE's operation/context structure
+ * \param buf [out] the output buffer in which data will be written to
+ * \param len [in] length of the output buffer
+ * \param olen [out] the length of the data really written on the buffer
+ * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
+ * MBEDTLS_ECJPAKE_ROUND_TWO
+ *
+ * \return 0 on success or a negative error code in case of failure
+ */
+int mbedtls_psa_ecjpake_write_round(
+ psa_pake_operation_t *pake_ctx,
+ unsigned char *buf,
+ size_t len, size_t *olen,
+ mbedtls_ecjpake_rounds_t round);
+
+#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
+
+/**
+ * \brief TLS record protection modes
+ */
+typedef enum {
+ MBEDTLS_SSL_MODE_STREAM = 0,
+ MBEDTLS_SSL_MODE_CBC,
+ MBEDTLS_SSL_MODE_CBC_ETM,
+ MBEDTLS_SSL_MODE_AEAD
+} mbedtls_ssl_mode_t;
+
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
+ const mbedtls_ssl_transform *transform);
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
+ int encrypt_then_mac,
+ const mbedtls_ssl_ciphersuite_t *suite);
+#else
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
+ const mbedtls_ssl_ciphersuite_t *suite);
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t buf_len);
+
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
+
+static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
+ mbedtls_ssl_context *ssl, int cipher_suite)
+{
+ const int *ciphersuite_list = ssl->conf->ciphersuite_list;
+
+ /* Check whether we have offered this ciphersuite */
+ for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
+ if (ciphersuite_list[i] == cipher_suite) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+/**
+ * \brief Validate cipher suite against config in SSL context.
+ *
+ * \param ssl SSL context
+ * \param suite_info Cipher suite to validate
+ * \param min_tls_version Minimal TLS version to accept a cipher suite
+ * \param max_tls_version Maximal TLS version to accept a cipher suite
+ *
+ * \return 0 if valid, negative value otherwise.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_validate_ciphersuite(
+ const mbedtls_ssl_context *ssl,
+ const mbedtls_ssl_ciphersuite_t *suite_info,
+ mbedtls_ssl_protocol_version min_tls_version,
+ mbedtls_ssl_protocol_version max_tls_version);
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end);
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
+#define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len);
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end);
+
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len);
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+int mbedtls_ssl_check_dtls_clihlo_cookie(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *cli_id, size_t cli_id_len,
+ const unsigned char *in, size_t in_len,
+ unsigned char *obuf, size_t buf_len, size_t *olen);
+#endif
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+/**
+ * \brief Given an SSL context and its associated configuration, write the TLS
+ * 1.3 specific Pre-Shared key extension.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] buf Base address of the buffer where to write the extension
+ * \param[in] end End address of the buffer where to write the extension
+ * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
+ * written into the buffer \p buf by this function plus
+ * the length of the binders to be written.
+ * \param[out] binders_len Length of the binders to be written at the end of
+ * the extension.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
+ mbedtls_ssl_context *ssl,
+ unsigned char *buf, unsigned char *end,
+ size_t *out_len, size_t *binders_len);
+
+/**
+ * \brief Given an SSL context and its associated configuration, write the TLS
+ * 1.3 specific Pre-Shared key extension binders at the end of the
+ * ClientHello.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] buf Base address of the buffer where to write the binders
+ * \param[in] end End address of the buffer where to write the binders
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
+ mbedtls_ssl_context *ssl,
+ unsigned char *buf, unsigned char *end);
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+ defined(MBEDTLS_SSL_CLI_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
+ const char *hostname);
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
+ defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
+ const char *alpn);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+
+#define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
+
+static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags(
+ mbedtls_ssl_session *session, unsigned int flags)
+{
+ return session->ticket_flags &
+ (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
+}
+
+/**
+ * Check if at least one of the given flags is set in
+ * the session ticket. See the definition of
+ * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all
+ * permitted flags.
+ */
+static inline int mbedtls_ssl_tls13_session_ticket_has_flags(
+ mbedtls_ssl_session *session, unsigned int flags)
+{
+ return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0;
+}
+
+static inline int mbedtls_ssl_tls13_session_ticket_allow_psk(
+ mbedtls_ssl_session *session)
+{
+ return mbedtls_ssl_tls13_session_ticket_has_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
+}
+
+static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(
+ mbedtls_ssl_session *session)
+{
+ return mbedtls_ssl_tls13_session_ticket_has_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
+}
+
+static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data(
+ mbedtls_ssl_session *session)
+{
+ return mbedtls_ssl_tls13_session_ticket_has_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
+}
+
+static inline void mbedtls_ssl_tls13_session_set_ticket_flags(
+ mbedtls_ssl_session *session, unsigned int flags)
+{
+ session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
+}
+
+static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
+ mbedtls_ssl_session *session, unsigned int flags)
+{
+ session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
+#endif
+
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+
+/** Compute the HMAC of variable-length data with constant flow.
+ *
+ * This function computes the HMAC of the concatenation of \p add_data and \p
+ * data, and does with a code flow and memory access pattern that does not
+ * depend on \p data_len_secret, but only on \p min_data_len and \p
+ * max_data_len. In particular, this function always reads exactly \p
+ * max_data_len bytes from \p data.
+ *
+ * \param ctx The HMAC context. It must have keys configured
+ * with mbedtls_md_hmac_starts() and use one of the
+ * following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
+ * It is reset using mbedtls_md_hmac_reset() after
+ * the computation is complete to prepare for the
+ * next computation.
+ * \param add_data The first part of the message whose HMAC is being
+ * calculated. This must point to a readable buffer
+ * of \p add_data_len bytes.
+ * \param add_data_len The length of \p add_data in bytes.
+ * \param data The buffer containing the second part of the
+ * message. This must point to a readable buffer
+ * of \p max_data_len bytes.
+ * \param data_len_secret The length of the data to process in \p data.
+ * This must be no less than \p min_data_len and no
+ * greater than \p max_data_len.
+ * \param min_data_len The minimal length of the second part of the
+ * message, read from \p data.
+ * \param max_data_len The maximal length of the second part of the
+ * message, read from \p data.
+ * \param output The HMAC will be written here. This must point to
+ * a writable buffer of sufficient size to hold the
+ * HMAC value.
+ *
+ * \retval 0 on success.
+ * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
+ * The hardware accelerator failed.
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
+ psa_algorithm_t mac_alg,
+ const unsigned char *add_data,
+ size_t add_data_len,
+ const unsigned char *data,
+ size_t data_len_secret,
+ size_t min_data_len,
+ size_t max_data_len,
+ unsigned char *output);
+#else
+int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
+ const unsigned char *add_data,
+ size_t add_data_len,
+ const unsigned char *data,
+ size_t data_len_secret,
+ size_t min_data_len,
+ size_t max_data_len,
+ unsigned char *output);
+#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
+#endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */
+
+#endif /* ssl_misc.h */
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
new file mode 100644
index 0000000..b07cd96
--- /dev/null
+++ b/library/ssl_msg.c
@@ -0,0 +1,6368 @@
+/*
+ * Generic SSL/TLS messaging layer functions
+ * (record layer + retransmission state machine)
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * http://www.ietf.org/rfc/rfc2246.txt
+ * http://www.ietf.org/rfc/rfc4346.txt
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/ssl.h"
+#include "ssl_misc.h"
+#include "debug_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/version.h"
+#include "constant_time_internal.h"
+#include "mbedtls/constant_time.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa_util_internal.h"
+#include "psa/crypto.h"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "mbedtls/oid.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+
+#if defined(PSA_WANT_ALG_SHA_384)
+#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH(PSA_ALG_SHA_384)
+#elif defined(PSA_WANT_ALG_SHA_256)
+#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH(PSA_ALG_SHA_256)
+#else /* See check_config.h */
+#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH(PSA_ALG_SHA_1)
+#endif
+
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
+ psa_algorithm_t mac_alg,
+ const unsigned char *add_data,
+ size_t add_data_len,
+ const unsigned char *data,
+ size_t data_len_secret,
+ size_t min_data_len,
+ size_t max_data_len,
+ unsigned char *output)
+{
+ /*
+ * This function breaks the HMAC abstraction and uses psa_hash_clone()
+ * extension in order to get constant-flow behaviour.
+ *
+ * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
+ * concatenation, and okey/ikey are the XOR of the key with some fixed bit
+ * patterns (see RFC 2104, sec. 2).
+ *
+ * We'll first compute ikey/okey, then inner_hash = HASH(ikey + msg) by
+ * hashing up to minlen, then cloning the context, and for each byte up
+ * to maxlen finishing up the hash computation, keeping only the
+ * correct result.
+ *
+ * Then we only need to compute HASH(okey + inner_hash) and we're done.
+ */
+ psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH(mac_alg);
+ const size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg);
+ unsigned char key_buf[MAX_HASH_BLOCK_LENGTH];
+ const size_t hash_size = PSA_HASH_LENGTH(hash_alg);
+ psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
+ size_t hash_length;
+
+ unsigned char aux_out[PSA_HASH_MAX_SIZE];
+ psa_hash_operation_t aux_operation = PSA_HASH_OPERATION_INIT;
+ size_t offset;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ size_t mac_key_length;
+ size_t i;
+
+#define PSA_CHK(func_call) \
+ do { \
+ status = (func_call); \
+ if (status != PSA_SUCCESS) \
+ goto cleanup; \
+ } while (0)
+
+ /* Export MAC key
+ * We assume key length is always exactly the output size
+ * which is never more than the block size, thus we use block_size
+ * as the key buffer size.
+ */
+ PSA_CHK(psa_export_key(key, key_buf, block_size, &mac_key_length));
+
+ /* Calculate ikey */
+ for (i = 0; i < mac_key_length; i++) {
+ key_buf[i] = (unsigned char) (key_buf[i] ^ 0x36);
+ }
+ for (; i < block_size; ++i) {
+ key_buf[i] = 0x36;
+ }
+
+ PSA_CHK(psa_hash_setup(&operation, hash_alg));
+
+ /* Now compute inner_hash = HASH(ikey + msg) */
+ PSA_CHK(psa_hash_update(&operation, key_buf, block_size));
+ PSA_CHK(psa_hash_update(&operation, add_data, add_data_len));
+ PSA_CHK(psa_hash_update(&operation, data, min_data_len));
+
+ /* Fill the hash buffer in advance with something that is
+ * not a valid hash (barring an attack on the hash and
+ * deliberately-crafted input), in case the caller doesn't
+ * check the return status properly. */
+ memset(output, '!', hash_size);
+
+ /* For each possible length, compute the hash up to that point */
+ for (offset = min_data_len; offset <= max_data_len; offset++) {
+ PSA_CHK(psa_hash_clone(&operation, &aux_operation));
+ PSA_CHK(psa_hash_finish(&aux_operation, aux_out,
+ PSA_HASH_MAX_SIZE, &hash_length));
+ /* Keep only the correct inner_hash in the output buffer */
+ mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offset, data_len_secret),
+ output, aux_out, NULL, hash_size);
+
+ if (offset < max_data_len) {
+ PSA_CHK(psa_hash_update(&operation, data + offset, 1));
+ }
+ }
+
+ /* Abort current operation to prepare for final operation */
+ PSA_CHK(psa_hash_abort(&operation));
+
+ /* Calculate okey */
+ for (i = 0; i < mac_key_length; i++) {
+ key_buf[i] = (unsigned char) ((key_buf[i] ^ 0x36) ^ 0x5C);
+ }
+ for (; i < block_size; ++i) {
+ key_buf[i] = 0x5C;
+ }
+
+ /* Now compute HASH(okey + inner_hash) */
+ PSA_CHK(psa_hash_setup(&operation, hash_alg));
+ PSA_CHK(psa_hash_update(&operation, key_buf, block_size));
+ PSA_CHK(psa_hash_update(&operation, output, hash_size));
+ PSA_CHK(psa_hash_finish(&operation, output, hash_size, &hash_length));
+
+#undef PSA_CHK
+
+cleanup:
+ mbedtls_platform_zeroize(key_buf, MAX_HASH_BLOCK_LENGTH);
+ mbedtls_platform_zeroize(aux_out, PSA_HASH_MAX_SIZE);
+
+ psa_hash_abort(&operation);
+ psa_hash_abort(&aux_operation);
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+#undef MAX_HASH_BLOCK_LENGTH
+
+#else
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
+ const unsigned char *add_data,
+ size_t add_data_len,
+ const unsigned char *data,
+ size_t data_len_secret,
+ size_t min_data_len,
+ size_t max_data_len,
+ unsigned char *output)
+{
+ /*
+ * This function breaks the HMAC abstraction and uses the md_clone()
+ * extension to the MD API in order to get constant-flow behaviour.
+ *
+ * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
+ * concatenation, and okey/ikey are the XOR of the key with some fixed bit
+ * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
+ *
+ * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
+ * minlen, then cloning the context, and for each byte up to maxlen
+ * finishing up the hash computation, keeping only the correct result.
+ *
+ * Then we only need to compute HASH(okey + inner_hash) and we're done.
+ */
+ const mbedtls_md_type_t md_alg = mbedtls_md_get_type(ctx->md_info);
+ /* TLS 1.2 only supports SHA-384, SHA-256, SHA-1, MD-5,
+ * all of which have the same block size except SHA-384. */
+ const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
+ const unsigned char * const ikey = ctx->hmac_ctx;
+ const unsigned char * const okey = ikey + block_size;
+ const size_t hash_size = mbedtls_md_get_size(ctx->md_info);
+
+ unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
+ mbedtls_md_context_t aux;
+ size_t offset;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_md_init(&aux);
+
+#define MD_CHK(func_call) \
+ do { \
+ ret = (func_call); \
+ if (ret != 0) \
+ goto cleanup; \
+ } while (0)
+
+ MD_CHK(mbedtls_md_setup(&aux, ctx->md_info, 0));
+
+ /* After hmac_start() of hmac_reset(), ikey has already been hashed,
+ * so we can start directly with the message */
+ MD_CHK(mbedtls_md_update(ctx, add_data, add_data_len));
+ MD_CHK(mbedtls_md_update(ctx, data, min_data_len));
+
+ /* Fill the hash buffer in advance with something that is
+ * not a valid hash (barring an attack on the hash and
+ * deliberately-crafted input), in case the caller doesn't
+ * check the return status properly. */
+ memset(output, '!', hash_size);
+
+ /* For each possible length, compute the hash up to that point */
+ for (offset = min_data_len; offset <= max_data_len; offset++) {
+ MD_CHK(mbedtls_md_clone(&aux, ctx));
+ MD_CHK(mbedtls_md_finish(&aux, aux_out));
+ /* Keep only the correct inner_hash in the output buffer */
+ mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offset, data_len_secret),
+ output, aux_out, NULL, hash_size);
+
+ if (offset < max_data_len) {
+ MD_CHK(mbedtls_md_update(ctx, data + offset, 1));
+ }
+ }
+
+ /* The context needs to finish() before it starts() again */
+ MD_CHK(mbedtls_md_finish(ctx, aux_out));
+
+ /* Now compute HASH(okey + inner_hash) */
+ MD_CHK(mbedtls_md_starts(ctx));
+ MD_CHK(mbedtls_md_update(ctx, okey, block_size));
+ MD_CHK(mbedtls_md_update(ctx, output, hash_size));
+ MD_CHK(mbedtls_md_finish(ctx, output));
+
+ /* Done, get ready for next time */
+ MD_CHK(mbedtls_md_hmac_reset(ctx));
+
+#undef MD_CHK
+
+cleanup:
+ mbedtls_md_free(&aux);
+ return ret;
+}
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+
+static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl);
+
+/*
+ * Start a timer.
+ * Passing millisecs = 0 cancels a running timer.
+ */
+void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs)
+{
+ if (ssl->f_set_timer == NULL) {
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("set_timer to %d ms", (int) millisecs));
+ ssl->f_set_timer(ssl->p_timer, millisecs / 4, millisecs);
+}
+
+/*
+ * Return -1 is timer is expired, 0 if it isn't.
+ */
+int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl)
+{
+ if (ssl->f_get_timer == NULL) {
+ return 0;
+ }
+
+ if (ssl->f_get_timer(ssl->p_timer) == 2) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("timer expired"));
+ return -1;
+ }
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
+ unsigned char *buf,
+ size_t len,
+ mbedtls_record *rec);
+
+int mbedtls_ssl_check_record(mbedtls_ssl_context const *ssl,
+ unsigned char *buf,
+ size_t buflen)
+{
+ int ret = 0;
+ MBEDTLS_SSL_DEBUG_MSG(1, ("=> mbedtls_ssl_check_record"));
+ MBEDTLS_SSL_DEBUG_BUF(3, "record buffer", buf, buflen);
+
+ /* We don't support record checking in TLS because
+ * there doesn't seem to be a usecase for it.
+ */
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM) {
+ ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ goto exit;
+ }
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ else {
+ mbedtls_record rec;
+
+ ret = ssl_parse_record_header(ssl, buf, buflen, &rec);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(3, "ssl_parse_record_header", ret);
+ goto exit;
+ }
+
+ if (ssl->transform_in != NULL) {
+ ret = mbedtls_ssl_decrypt_buf(ssl, ssl->transform_in, &rec);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(3, "mbedtls_ssl_decrypt_buf", ret);
+ goto exit;
+ }
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+exit:
+ /* On success, we have decrypted the buffer in-place, so make
+ * sure we don't leak any plaintext data. */
+ mbedtls_platform_zeroize(buf, buflen);
+
+ /* For the purpose of this API, treat messages with unexpected CID
+ * as well as such from future epochs as unexpected. */
+ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
+ ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE) {
+ ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("<= mbedtls_ssl_check_record"));
+ return ret;
+}
+
+#define SSL_DONT_FORCE_FLUSH 0
+#define SSL_FORCE_FLUSH 1
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/* Forward declarations for functions related to message buffering. */
+static void ssl_buffering_free_slot(mbedtls_ssl_context *ssl,
+ uint8_t slot);
+static void ssl_free_buffered_record(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_load_buffered_message(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_load_buffered_record(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_buffer_message(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_buffer_future_record(mbedtls_ssl_context *ssl,
+ mbedtls_record const *rec);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_next_record_is_in_datagram(mbedtls_ssl_context *ssl);
+
+static size_t ssl_get_maximum_datagram_size(mbedtls_ssl_context const *ssl)
+{
+ size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t out_buf_len = ssl->out_buf_len;
+#else
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+
+ if (mtu != 0 && mtu < out_buf_len) {
+ return mtu;
+ }
+
+ return out_buf_len;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_get_remaining_space_in_datagram(mbedtls_ssl_context const *ssl)
+{
+ size_t const bytes_written = ssl->out_left;
+ size_t const mtu = ssl_get_maximum_datagram_size(ssl);
+
+ /* Double-check that the write-index hasn't gone
+ * past what we can transmit in a single datagram. */
+ if (bytes_written > mtu) {
+ /* Should never happen... */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ return (int) (mtu - bytes_written);
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_get_remaining_payload_in_datagram(mbedtls_ssl_context const *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t remaining, expansion;
+ size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
+
+ if (max_len > mfl) {
+ max_len = mfl;
+ }
+
+ /* By the standard (RFC 6066 Sect. 4), the MFL extension
+ * only limits the maximum record payload size, so in theory
+ * we would be allowed to pack multiple records of payload size
+ * MFL into a single datagram. However, this would mean that there's
+ * no way to explicitly communicate MTU restrictions to the peer.
+ *
+ * The following reduction of max_len makes sure that we never
+ * write datagrams larger than MFL + Record Expansion Overhead.
+ */
+ if (max_len <= ssl->out_left) {
+ return 0;
+ }
+
+ max_len -= ssl->out_left;
+#endif
+
+ ret = ssl_get_remaining_space_in_datagram(ssl);
+ if (ret < 0) {
+ return ret;
+ }
+ remaining = (size_t) ret;
+
+ ret = mbedtls_ssl_get_record_expansion(ssl);
+ if (ret < 0) {
+ return ret;
+ }
+ expansion = (size_t) ret;
+
+ if (remaining <= expansion) {
+ return 0;
+ }
+
+ remaining -= expansion;
+ if (remaining >= max_len) {
+ remaining = max_len;
+ }
+
+ return (int) remaining;
+}
+
+/*
+ * Double the retransmit timeout value, within the allowed range,
+ * returning -1 if the maximum value has already been reached.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_double_retransmit_timeout(mbedtls_ssl_context *ssl)
+{
+ uint32_t new_timeout;
+
+ if (ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max) {
+ return -1;
+ }
+
+ /* Implement the final paragraph of RFC 6347 section 4.1.1.1
+ * in the following way: after the initial transmission and a first
+ * retransmission, back off to a temporary estimated MTU of 508 bytes.
+ * This value is guaranteed to be deliverable (if not guaranteed to be
+ * delivered) of any compliant IPv4 (and IPv6) network, and should work
+ * on most non-IP stacks too. */
+ if (ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min) {
+ ssl->handshake->mtu = 508;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("mtu autoreduction to %d bytes", ssl->handshake->mtu));
+ }
+
+ new_timeout = 2 * ssl->handshake->retransmit_timeout;
+
+ /* Avoid arithmetic overflow and range overflow */
+ if (new_timeout < ssl->handshake->retransmit_timeout ||
+ new_timeout > ssl->conf->hs_timeout_max) {
+ new_timeout = ssl->conf->hs_timeout_max;
+ }
+
+ ssl->handshake->retransmit_timeout = new_timeout;
+ MBEDTLS_SSL_DEBUG_MSG(3, ("update timeout value to %lu millisecs",
+ (unsigned long) ssl->handshake->retransmit_timeout));
+
+ return 0;
+}
+
+static void ssl_reset_retransmit_timeout(mbedtls_ssl_context *ssl)
+{
+ ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
+ MBEDTLS_SSL_DEBUG_MSG(3, ("update timeout value to %lu millisecs",
+ (unsigned long) ssl->handshake->retransmit_timeout));
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/*
+ * Encryption/decryption functions
+ */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+static size_t ssl_compute_padding_length(size_t len,
+ size_t granularity)
+{
+ return (granularity - (len + 1) % granularity) % granularity;
+}
+
+/* This functions transforms a (D)TLS plaintext fragment and a record content
+ * type into an instance of the (D)TLSInnerPlaintext structure. This is used
+ * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
+ * a record's content type.
+ *
+ * struct {
+ * opaque content[DTLSPlaintext.length];
+ * ContentType real_type;
+ * uint8 zeros[length_of_padding];
+ * } (D)TLSInnerPlaintext;
+ *
+ * Input:
+ * - `content`: The beginning of the buffer holding the
+ * plaintext to be wrapped.
+ * - `*content_size`: The length of the plaintext in Bytes.
+ * - `max_len`: The number of Bytes available starting from
+ * `content`. This must be `>= *content_size`.
+ * - `rec_type`: The desired record content type.
+ *
+ * Output:
+ * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
+ * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
+ *
+ * Returns:
+ * - `0` on success.
+ * - A negative error code if `max_len` didn't offer enough space
+ * for the expansion.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_build_inner_plaintext(unsigned char *content,
+ size_t *content_size,
+ size_t remaining,
+ uint8_t rec_type,
+ size_t pad)
+{
+ size_t len = *content_size;
+
+ /* Write real content type */
+ if (remaining == 0) {
+ return -1;
+ }
+ content[len] = rec_type;
+ len++;
+ remaining--;
+
+ if (remaining < pad) {
+ return -1;
+ }
+ memset(content + len, 0, pad);
+ len += pad;
+ remaining -= pad;
+
+ *content_size = len;
+ return 0;
+}
+
+/* This function parses a (D)TLSInnerPlaintext structure.
+ * See ssl_build_inner_plaintext() for details. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_inner_plaintext(unsigned char const *content,
+ size_t *content_size,
+ uint8_t *rec_type)
+{
+ size_t remaining = *content_size;
+
+ /* Determine length of padding by skipping zeroes from the back. */
+ do {
+ if (remaining == 0) {
+ return -1;
+ }
+ remaining--;
+ } while (content[remaining] == 0);
+
+ *content_size = remaining;
+ *rec_type = content[remaining];
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */
+
+/* The size of the `add_data` structure depends on various
+ * factors, namely
+ *
+ * 1) CID functionality disabled
+ *
+ * additional_data =
+ * 8: seq_num +
+ * 1: type +
+ * 2: version +
+ * 2: length of inner plaintext +
+ *
+ * size = 13 bytes
+ *
+ * 2) CID functionality based on RFC 9146 enabled
+ *
+ * size = 8 + 1 + 1 + 1 + 2 + 2 + 6 + 2 + CID-length
+ * = 23 + CID-length
+ *
+ * 3) CID functionality based on legacy CID version
+ according to draft-ietf-tls-dtls-connection-id-05
+ * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
+ *
+ * size = 13 + 1 + CID-length
+ *
+ * More information about the CID usage:
+ *
+ * Per Section 5.3 of draft-ietf-tls-dtls-connection-id-05 the
+ * size of the additional data structure is calculated as:
+ *
+ * additional_data =
+ * 8: seq_num +
+ * 1: tls12_cid +
+ * 2: DTLSCipherText.version +
+ * n: cid +
+ * 1: cid_length +
+ * 2: length_of_DTLSInnerPlaintext
+ *
+ * Per RFC 9146 the size of the add_data structure is calculated as:
+ *
+ * additional_data =
+ * 8: seq_num_placeholder +
+ * 1: tls12_cid +
+ * 1: cid_length +
+ * 1: tls12_cid +
+ * 2: DTLSCiphertext.version +
+ * 2: epoch +
+ * 6: sequence_number +
+ * n: cid +
+ * 2: length_of_DTLSInnerPlaintext
+ *
+ */
+static void ssl_extract_add_data_from_record(unsigned char *add_data,
+ size_t *add_data_len,
+ mbedtls_record *rec,
+ mbedtls_ssl_protocol_version
+ tls_version,
+ size_t taglen)
+{
+ /* Several types of ciphers have been defined for use with TLS and DTLS,
+ * and the MAC calculations for those ciphers differ slightly. Further
+ * variants were added when the CID functionality was added with RFC 9146.
+ * This implementations also considers the use of a legacy version of the
+ * CID specification published in draft-ietf-tls-dtls-connection-id-05,
+ * which is used in deployments.
+ *
+ * We will distinguish between the non-CID and the CID cases below.
+ *
+ * --- Non-CID cases ---
+ *
+ * Quoting RFC 5246 (TLS 1.2):
+ *
+ * additional_data = seq_num + TLSCompressed.type +
+ * TLSCompressed.version + TLSCompressed.length;
+ *
+ * For TLS 1.3, the record sequence number is dropped from the AAD
+ * and encoded within the nonce of the AEAD operation instead.
+ * Moreover, the additional data involves the length of the TLS
+ * ciphertext, not the TLS plaintext as in earlier versions.
+ * Quoting RFC 8446 (TLS 1.3):
+ *
+ * additional_data = TLSCiphertext.opaque_type ||
+ * TLSCiphertext.legacy_record_version ||
+ * TLSCiphertext.length
+ *
+ * We pass the tag length to this function in order to compute the
+ * ciphertext length from the inner plaintext length rec->data_len via
+ *
+ * TLSCiphertext.length = TLSInnerPlaintext.length + taglen.
+ *
+ * --- CID cases ---
+ *
+ * RFC 9146 uses a common pattern when constructing the data
+ * passed into a MAC / AEAD cipher.
+ *
+ * Data concatenation for MACs used with block ciphers with
+ * Encrypt-then-MAC Processing (with CID):
+ *
+ * data = seq_num_placeholder +
+ * tls12_cid +
+ * cid_length +
+ * tls12_cid +
+ * DTLSCiphertext.version +
+ * epoch +
+ * sequence_number +
+ * cid +
+ * DTLSCiphertext.length +
+ * IV +
+ * ENC(content + padding + padding_length)
+ *
+ * Data concatenation for MACs used with block ciphers (with CID):
+ *
+ * data = seq_num_placeholder +
+ * tls12_cid +
+ * cid_length +
+ * tls12_cid +
+ * DTLSCiphertext.version +
+ * epoch +
+ * sequence_number +
+ * cid +
+ * length_of_DTLSInnerPlaintext +
+ * DTLSInnerPlaintext.content +
+ * DTLSInnerPlaintext.real_type +
+ * DTLSInnerPlaintext.zeros
+ *
+ * AEAD ciphers use the following additional data calculation (with CIDs):
+ *
+ * additional_data = seq_num_placeholder +
+ * tls12_cid +
+ * cid_length +
+ * tls12_cid +
+ * DTLSCiphertext.version +
+ * epoch +
+ * sequence_number +
+ * cid +
+ * length_of_DTLSInnerPlaintext
+ *
+ * Section 5.3 of draft-ietf-tls-dtls-connection-id-05 (for legacy CID use)
+ * defines the additional data calculation as follows:
+ *
+ * additional_data = seq_num +
+ * tls12_cid +
+ * DTLSCipherText.version +
+ * cid +
+ * cid_length +
+ * length_of_DTLSInnerPlaintext
+ */
+
+ unsigned char *cur = add_data;
+ size_t ad_len_field = rec->data_len;
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
+ const unsigned char seq_num_placeholder[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ /* In TLS 1.3, the AAD contains the length of the TLSCiphertext,
+ * which differs from the length of the TLSInnerPlaintext
+ * by the length of the authentication tag. */
+ ad_len_field += taglen;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+ {
+ ((void) tls_version);
+ ((void) taglen);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
+ if (rec->cid_len != 0) {
+ // seq_num_placeholder
+ memcpy(cur, seq_num_placeholder, sizeof(seq_num_placeholder));
+ cur += sizeof(seq_num_placeholder);
+
+ // tls12_cid type
+ *cur = rec->type;
+ cur++;
+
+ // cid_length
+ *cur = rec->cid_len;
+ cur++;
+ } else
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ {
+ // epoch + sequence number
+ memcpy(cur, rec->ctr, sizeof(rec->ctr));
+ cur += sizeof(rec->ctr);
+ }
+ }
+
+ // type
+ *cur = rec->type;
+ cur++;
+
+ // version
+ memcpy(cur, rec->ver, sizeof(rec->ver));
+ cur += sizeof(rec->ver);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1
+
+ if (rec->cid_len != 0) {
+ // CID
+ memcpy(cur, rec->cid, rec->cid_len);
+ cur += rec->cid_len;
+
+ // cid_length
+ *cur = rec->cid_len;
+ cur++;
+
+ // length of inner plaintext
+ MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0);
+ cur += 2;
+ } else
+#elif defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
+
+ if (rec->cid_len != 0) {
+ // epoch + sequence number
+ memcpy(cur, rec->ctr, sizeof(rec->ctr));
+ cur += sizeof(rec->ctr);
+
+ // CID
+ memcpy(cur, rec->cid, rec->cid_len);
+ cur += rec->cid_len;
+
+ // length of inner plaintext
+ MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0);
+ cur += 2;
+ } else
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ {
+ MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0);
+ cur += 2;
+ }
+
+ *add_data_len = (size_t) (cur - add_data);
+}
+
+#if defined(MBEDTLS_SSL_HAVE_AEAD)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_transform_aead_dynamic_iv_is_explicit(
+ mbedtls_ssl_transform const *transform)
+{
+ return transform->ivlen != transform->fixed_ivlen;
+}
+
+/* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV )
+ *
+ * Concretely, this occurs in two variants:
+ *
+ * a) Fixed and dynamic IV lengths add up to total IV length, giving
+ * IV = fixed_iv || dynamic_iv
+ *
+ * This variant is used in TLS 1.2 when used with GCM or CCM.
+ *
+ * b) Fixed IV lengths matches total IV length, giving
+ * IV = fixed_iv XOR ( 0 || dynamic_iv )
+ *
+ * This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
+ *
+ * See also the documentation of mbedtls_ssl_transform.
+ *
+ * This function has the precondition that
+ *
+ * dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
+ *
+ * which has to be ensured by the caller. If this precondition
+ * violated, the behavior of this function is undefined.
+ */
+static void ssl_build_record_nonce(unsigned char *dst_iv,
+ size_t dst_iv_len,
+ unsigned char const *fixed_iv,
+ size_t fixed_iv_len,
+ unsigned char const *dynamic_iv,
+ size_t dynamic_iv_len)
+{
+ /* Start with Fixed IV || 0 */
+ memset(dst_iv, 0, dst_iv_len);
+ memcpy(dst_iv, fixed_iv, fixed_iv_len);
+
+ dst_iv += dst_iv_len - dynamic_iv_len;
+ mbedtls_xor(dst_iv, dst_iv, dynamic_iv, dynamic_iv_len);
+}
+#endif /* MBEDTLS_SSL_HAVE_AEAD */
+
+int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_transform *transform,
+ mbedtls_record *rec,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ mbedtls_ssl_mode_t ssl_mode;
+ int auth_done = 0;
+ unsigned char *data;
+ /* For an explanation of the additional data length see
+ * the description of ssl_extract_add_data_from_record().
+ */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ unsigned char add_data[23 + MBEDTLS_SSL_CID_OUT_LEN_MAX];
+#else
+ unsigned char add_data[13];
+#endif
+ size_t add_data_len;
+ size_t post_avail;
+
+ /* The SSL context is only used for debugging purposes! */
+#if !defined(MBEDTLS_DEBUG_C)
+ ssl = NULL; /* make sure we don't use it except for debug */
+ ((void) ssl);
+#endif
+
+ /* The PRNG is used for dynamic IV generation that's used
+ * for CBC transformations in TLS 1.2. */
+#if !(defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2))
+ ((void) f_rng);
+ ((void) p_rng);
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> encrypt buf"));
+
+ if (transform == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no transform provided to encrypt_buf"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ if (rec == NULL
+ || rec->buf == NULL
+ || rec->buf_len < rec->data_offset
+ || rec->buf_len - rec->data_offset < rec->data_len
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ || rec->cid_len != 0
+#endif
+ ) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad record structure provided to encrypt_buf"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ ssl_mode = mbedtls_ssl_get_mode_from_transform(transform);
+
+ data = rec->buf + rec->data_offset;
+ post_avail = rec->buf_len - (rec->data_len + rec->data_offset);
+ MBEDTLS_SSL_DEBUG_BUF(4, "before encrypt: output payload",
+ data, rec->data_len);
+
+ if (rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Record content %" MBEDTLS_PRINTF_SIZET
+ " too large, maximum %" MBEDTLS_PRINTF_SIZET,
+ rec->data_len,
+ (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* The following two code paths implement the (D)TLSInnerPlaintext
+ * structure present in TLS 1.3 and DTLS 1.2 + CID.
+ *
+ * See ssl_build_inner_plaintext() for more information.
+ *
+ * Note that this changes `rec->data_len`, and hence
+ * `post_avail` needs to be recalculated afterwards.
+ *
+ * Note also that the two code paths cannot occur simultaneously
+ * since they apply to different versions of the protocol. There
+ * is hence no risk of double-addition of the inner plaintext.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (transform->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ size_t padding =
+ ssl_compute_padding_length(rec->data_len,
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
+ if (ssl_build_inner_plaintext(data,
+ &rec->data_len,
+ post_avail,
+ rec->type,
+ padding) != 0) {
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ /*
+ * Add CID information
+ */
+ rec->cid_len = transform->out_cid_len;
+ memcpy(rec->cid, transform->out_cid, transform->out_cid_len);
+ MBEDTLS_SSL_DEBUG_BUF(3, "CID", rec->cid, rec->cid_len);
+
+ if (rec->cid_len != 0) {
+ size_t padding =
+ ssl_compute_padding_length(rec->data_len,
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
+ /*
+ * Wrap plaintext into DTLSInnerPlaintext structure.
+ * See ssl_build_inner_plaintext() for more information.
+ *
+ * Note that this changes `rec->data_len`, and hence
+ * `post_avail` needs to be recalculated afterwards.
+ */
+ if (ssl_build_inner_plaintext(data,
+ &rec->data_len,
+ post_avail,
+ rec->type,
+ padding) != 0) {
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ rec->type = MBEDTLS_SSL_MSG_CID;
+ }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ post_avail = rec->buf_len - (rec->data_len + rec->data_offset);
+
+ /*
+ * Add MAC before if needed
+ */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC) {
+ if (post_avail < transform->maclen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t sign_mac_length = 0;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+ transform->tls_version,
+ transform->taglen);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_mac_sign_setup(&operation, transform->psa_mac_enc,
+ transform->psa_mac_alg);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_disabled;
+ }
+
+ status = psa_mac_update(&operation, add_data, add_data_len);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_disabled;
+ }
+
+ status = psa_mac_update(&operation, data, rec->data_len);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_disabled;
+ }
+
+ status = psa_mac_sign_finish(&operation, mac, MBEDTLS_SSL_MAC_ADD,
+ &sign_mac_length);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_disabled;
+ }
+#else
+ ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
+ add_data_len);
+ if (ret != 0) {
+ goto hmac_failed_etm_disabled;
+ }
+ ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, data, rec->data_len);
+ if (ret != 0) {
+ goto hmac_failed_etm_disabled;
+ }
+ ret = mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
+ if (ret != 0) {
+ goto hmac_failed_etm_disabled;
+ }
+ ret = mbedtls_md_hmac_reset(&transform->md_ctx_enc);
+ if (ret != 0) {
+ goto hmac_failed_etm_disabled;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ memcpy(data + rec->data_len, mac, transform->maclen);
+#endif
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "computed mac", data + rec->data_len,
+ transform->maclen);
+
+ rec->data_len += transform->maclen;
+ post_avail -= transform->maclen;
+ auth_done++;
+
+hmac_failed_etm_disabled:
+ mbedtls_platform_zeroize(mac, transform->maclen);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ status = psa_mac_abort(&operation);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_hmac_xxx", ret);
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+
+ /*
+ * Encrypt
+ */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
+ if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
+ "including %d bytes of padding",
+ rec->data_len, 0));
+
+ /* The only supported stream cipher is "NULL",
+ * so there's nothing to do here.*/
+ } else
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
+
+#if defined(MBEDTLS_SSL_HAVE_AEAD)
+ if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
+ unsigned char iv[12];
+ unsigned char *dynamic_iv;
+ size_t dynamic_iv_len;
+ int dynamic_iv_is_explicit =
+ ssl_transform_aead_dynamic_iv_is_explicit(transform);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Check that there's space for the authentication tag. */
+ if (post_avail < transform->taglen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ /*
+ * Build nonce for AEAD encryption.
+ *
+ * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
+ * part of the IV is prepended to the ciphertext and
+ * can be chosen freely - in particular, it need not
+ * agree with the record sequence number.
+ * However, since ChaChaPoly as well as all AEAD modes
+ * in TLS 1.3 use the record sequence number as the
+ * dynamic part of the nonce, we uniformly use the
+ * record sequence number here in all cases.
+ */
+ dynamic_iv = rec->ctr;
+ dynamic_iv_len = sizeof(rec->ctr);
+
+ ssl_build_record_nonce(iv, sizeof(iv),
+ transform->iv_enc,
+ transform->fixed_ivlen,
+ dynamic_iv,
+ dynamic_iv_len);
+
+ /*
+ * Build additional data for AEAD encryption.
+ * This depends on the TLS version.
+ */
+ ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+ transform->tls_version,
+ transform->taglen);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "IV used (internal)",
+ iv, transform->ivlen);
+ MBEDTLS_SSL_DEBUG_BUF(4, "IV used (transmitted)",
+ dynamic_iv,
+ dynamic_iv_is_explicit ? dynamic_iv_len : 0);
+ MBEDTLS_SSL_DEBUG_BUF(4, "additional data used for AEAD",
+ add_data, add_data_len);
+ MBEDTLS_SSL_DEBUG_MSG(3, ("before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
+ "including 0 bytes of padding",
+ rec->data_len));
+
+ /*
+ * Encrypt and authenticate
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_aead_encrypt(transform->psa_key_enc,
+ transform->psa_alg,
+ iv, transform->ivlen,
+ add_data, add_data_len,
+ data, rec->data_len,
+ data, rec->buf_len - (data - rec->buf),
+ &rec->data_len);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_encrypt_buf", ret);
+ return ret;
+ }
+#else
+ if ((ret = mbedtls_cipher_auth_encrypt_ext(&transform->cipher_ctx_enc,
+ iv, transform->ivlen,
+ add_data, add_data_len,
+ data, rec->data_len, /* src */
+ data, rec->buf_len - (size_t) (data - rec->buf), /* dst */
+ &rec->data_len,
+ transform->taglen)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_encrypt_ext", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "after encrypt: tag",
+ data + rec->data_len - transform->taglen,
+ transform->taglen);
+ /* Account for authentication tag. */
+ post_avail -= transform->taglen;
+
+ /*
+ * Prefix record content with dynamic IV in case it is explicit.
+ */
+ if (dynamic_iv_is_explicit != 0) {
+ if (rec->data_offset < dynamic_iv_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(data - dynamic_iv_len, dynamic_iv, dynamic_iv_len);
+ rec->data_offset -= dynamic_iv_len;
+ rec->data_len += dynamic_iv_len;
+ }
+
+ auth_done++;
+ } else
+#endif /* MBEDTLS_SSL_HAVE_AEAD */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
+ if (ssl_mode == MBEDTLS_SSL_MODE_CBC ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t padlen, i;
+ size_t olen;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t part_len;
+ psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /* Currently we're always using minimal padding
+ * (up to 255 bytes would be allowed). */
+ padlen = transform->ivlen - (rec->data_len + 1) % transform->ivlen;
+ if (padlen == transform->ivlen) {
+ padlen = 0;
+ }
+
+ /* Check there's enough space in the buffer for the padding. */
+ if (post_avail < padlen + 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ for (i = 0; i <= padlen; i++) {
+ data[rec->data_len + i] = (unsigned char) padlen;
+ }
+
+ rec->data_len += padlen + 1;
+ post_avail -= padlen + 1;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ /*
+ * Prepend per-record IV for block cipher in TLS v1.2 as per
+ * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
+ */
+ if (f_rng == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("No PRNG provided to encrypt_record routine"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ if (rec->data_offset < transform->ivlen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ /*
+ * Generate IV
+ */
+ ret = f_rng(p_rng, transform->iv_enc, transform->ivlen);
+ if (ret != 0) {
+ return ret;
+ }
+
+ memcpy(data - transform->ivlen, transform->iv_enc, transform->ivlen);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
+ "including %"
+ MBEDTLS_PRINTF_SIZET
+ " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding",
+ rec->data_len, transform->ivlen,
+ padlen + 1));
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_cipher_encrypt_setup(&cipher_op,
+ transform->psa_key_enc, transform->psa_alg);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_encrypt_setup", ret);
+ return ret;
+ }
+
+ status = psa_cipher_set_iv(&cipher_op, transform->iv_enc, transform->ivlen);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret);
+ return ret;
+
+ }
+
+ status = psa_cipher_update(&cipher_op,
+ data, rec->data_len,
+ data, rec->data_len, &olen);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret);
+ return ret;
+
+ }
+
+ status = psa_cipher_finish(&cipher_op,
+ data + olen, rec->data_len - olen,
+ &part_len);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret);
+ return ret;
+
+ }
+
+ olen += part_len;
+#else
+ if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_enc,
+ transform->iv_enc,
+ transform->ivlen,
+ data, rec->data_len,
+ data, &olen)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (rec->data_len != olen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ data -= transform->ivlen;
+ rec->data_offset -= transform->ivlen;
+ rec->data_len += transform->ivlen;
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ if (auth_done == 0) {
+ unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+ size_t sign_mac_length = 0;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /* MAC(MAC_write_key, add_data, IV, ENC(content + padding + padding_length))
+ */
+
+ if (post_avail < transform->maclen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ ssl_extract_add_data_from_record(add_data, &add_data_len,
+ rec, transform->tls_version,
+ transform->taglen);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
+ MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
+ add_data_len);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_mac_sign_setup(&operation, transform->psa_mac_enc,
+ transform->psa_mac_alg);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_enabled;
+ }
+
+ status = psa_mac_update(&operation, add_data, add_data_len);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_enabled;
+ }
+
+ status = psa_mac_update(&operation, data, rec->data_len);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_enabled;
+ }
+
+ status = psa_mac_sign_finish(&operation, mac, MBEDTLS_SSL_MAC_ADD,
+ &sign_mac_length);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_enabled;
+ }
+#else
+
+ ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
+ add_data_len);
+ if (ret != 0) {
+ goto hmac_failed_etm_enabled;
+ }
+ ret = mbedtls_md_hmac_update(&transform->md_ctx_enc,
+ data, rec->data_len);
+ if (ret != 0) {
+ goto hmac_failed_etm_enabled;
+ }
+ ret = mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
+ if (ret != 0) {
+ goto hmac_failed_etm_enabled;
+ }
+ ret = mbedtls_md_hmac_reset(&transform->md_ctx_enc);
+ if (ret != 0) {
+ goto hmac_failed_etm_enabled;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ memcpy(data + rec->data_len, mac, transform->maclen);
+
+ rec->data_len += transform->maclen;
+ post_avail -= transform->maclen;
+ auth_done++;
+
+hmac_failed_etm_enabled:
+ mbedtls_platform_zeroize(mac, transform->maclen);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ status = psa_mac_abort(&operation);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "HMAC calculation failed", ret);
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+ } else
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
+ {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* Make extra sure authentication was performed, exactly once */
+ if (auth_done != 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= encrypt buf"));
+
+ return 0;
+}
+
+int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
+ mbedtls_ssl_transform *transform,
+ mbedtls_record *rec)
+{
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) || defined(MBEDTLS_SSL_HAVE_AEAD)
+ size_t olen;
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC || MBEDTLS_SSL_HAVE_AEAD */
+ mbedtls_ssl_mode_t ssl_mode;
+ int ret;
+
+ int auth_done = 0;
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ size_t padlen = 0;
+ mbedtls_ct_condition_t correct = MBEDTLS_CT_TRUE;
+#endif
+ unsigned char *data;
+ /* For an explanation of the additional data length see
+ * the description of ssl_extract_add_data_from_record().
+ */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ unsigned char add_data[23 + MBEDTLS_SSL_CID_IN_LEN_MAX];
+#else
+ unsigned char add_data[13];
+#endif
+ size_t add_data_len;
+
+#if !defined(MBEDTLS_DEBUG_C)
+ ssl = NULL; /* make sure we don't use it except for debug */
+ ((void) ssl);
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> decrypt buf"));
+ if (rec == NULL ||
+ rec->buf == NULL ||
+ rec->buf_len < rec->data_offset ||
+ rec->buf_len - rec->data_offset < rec->data_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad record structure provided to decrypt_buf"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ data = rec->buf + rec->data_offset;
+ ssl_mode = mbedtls_ssl_get_mode_from_transform(transform);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ /*
+ * Match record's CID with incoming CID.
+ */
+ if (rec->cid_len != transform->in_cid_len ||
+ memcmp(rec->cid, transform->in_cid, rec->cid_len) != 0) {
+ return MBEDTLS_ERR_SSL_UNEXPECTED_CID;
+ }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
+ if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
+ if (rec->data_len < transform->maclen) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("Record too short for MAC:"
+ " %" MBEDTLS_PRINTF_SIZET " < %" MBEDTLS_PRINTF_SIZET,
+ rec->data_len, transform->maclen));
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+
+ /* The only supported stream cipher is "NULL",
+ * so there's no encryption to do here.*/
+ } else
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
+#if defined(MBEDTLS_SSL_HAVE_AEAD)
+ if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
+ unsigned char iv[12];
+ unsigned char *dynamic_iv;
+ size_t dynamic_iv_len;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /*
+ * Extract dynamic part of nonce for AEAD decryption.
+ *
+ * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
+ * part of the IV is prepended to the ciphertext and
+ * can be chosen freely - in particular, it need not
+ * agree with the record sequence number.
+ */
+ dynamic_iv_len = sizeof(rec->ctr);
+ if (ssl_transform_aead_dynamic_iv_is_explicit(transform) == 1) {
+ if (rec->data_len < dynamic_iv_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+ " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ",
+ rec->data_len,
+ dynamic_iv_len));
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+ dynamic_iv = data;
+
+ data += dynamic_iv_len;
+ rec->data_offset += dynamic_iv_len;
+ rec->data_len -= dynamic_iv_len;
+ } else {
+ dynamic_iv = rec->ctr;
+ }
+
+ /* Check that there's space for the authentication tag. */
+ if (rec->data_len < transform->taglen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+ ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ",
+ rec->data_len,
+ transform->taglen));
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+ rec->data_len -= transform->taglen;
+
+ /*
+ * Prepare nonce from dynamic and static parts.
+ */
+ ssl_build_record_nonce(iv, sizeof(iv),
+ transform->iv_dec,
+ transform->fixed_ivlen,
+ dynamic_iv,
+ dynamic_iv_len);
+
+ /*
+ * Build additional data for AEAD encryption.
+ * This depends on the TLS version.
+ */
+ ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+ transform->tls_version,
+ transform->taglen);
+ MBEDTLS_SSL_DEBUG_BUF(4, "additional data used for AEAD",
+ add_data, add_data_len);
+
+ /* Because of the check above, we know that there are
+ * explicit_iv_len Bytes preceding data, and taglen
+ * bytes following data + data_len. This justifies
+ * the debug message and the invocation of
+ * mbedtls_cipher_auth_decrypt_ext() below. */
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "IV used", iv, transform->ivlen);
+ MBEDTLS_SSL_DEBUG_BUF(4, "TAG used", data + rec->data_len,
+ transform->taglen);
+
+ /*
+ * Decrypt and authenticate
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_aead_decrypt(transform->psa_key_dec,
+ transform->psa_alg,
+ iv, transform->ivlen,
+ add_data, add_data_len,
+ data, rec->data_len + transform->taglen,
+ data, rec->buf_len - (data - rec->buf),
+ &olen);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_aead_decrypt", ret);
+ return ret;
+ }
+#else
+ if ((ret = mbedtls_cipher_auth_decrypt_ext
+ (&transform->cipher_ctx_dec,
+ iv, transform->ivlen,
+ add_data, add_data_len,
+ data, rec->data_len + transform->taglen, /* src */
+ data, rec->buf_len - (size_t) (data - rec->buf), &olen, /* dst */
+ transform->taglen)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_decrypt_ext", ret);
+
+ if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ auth_done++;
+
+ /* Double-check that AEAD decryption doesn't change content length. */
+ if (olen != rec->data_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ } else
+#endif /* MBEDTLS_SSL_HAVE_AEAD */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
+ if (ssl_mode == MBEDTLS_SSL_MODE_CBC ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
+ size_t minlen = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t part_len;
+ psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /*
+ * Check immediate ciphertext sanity
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ /* The ciphertext is prefixed with the CBC IV. */
+ minlen += transform->ivlen;
+#endif
+
+ /* Size considerations:
+ *
+ * - The CBC cipher text must not be empty and hence
+ * at least of size transform->ivlen.
+ *
+ * Together with the potential IV-prefix, this explains
+ * the first of the two checks below.
+ *
+ * - The record must contain a MAC, either in plain or
+ * encrypted, depending on whether Encrypt-then-MAC
+ * is used or not.
+ * - If it is, the message contains the IV-prefix,
+ * the CBC ciphertext, and the MAC.
+ * - If it is not, the padded plaintext, and hence
+ * the CBC ciphertext, has at least length maclen + 1
+ * because there is at least the padding length byte.
+ *
+ * As the CBC ciphertext is not empty, both cases give the
+ * lower bound minlen + maclen + 1 on the record size, which
+ * we test for in the second check below.
+ */
+ if (rec->data_len < minlen + transform->ivlen ||
+ rec->data_len < minlen + transform->maclen + 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+ ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET
+ "), maclen (%" MBEDTLS_PRINTF_SIZET ") "
+ "+ 1 ) ( + expl IV )",
+ rec->data_len,
+ transform->ivlen,
+ transform->maclen));
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+
+ /*
+ * Authenticate before decrypt if enabled
+ */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+#else
+ unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
+
+ /* Update data_len in tandem with add_data.
+ *
+ * The subtraction is safe because of the previous check
+ * data_len >= minlen + maclen + 1.
+ *
+ * Afterwards, we know that data + data_len is followed by at
+ * least maclen Bytes, which justifies the call to
+ * mbedtls_ct_memcmp() below.
+ *
+ * Further, we still know that data_len > minlen */
+ rec->data_len -= transform->maclen;
+ ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+ transform->tls_version,
+ transform->taglen);
+
+ /* Calculate expected MAC. */
+ MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
+ add_data_len);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_mac_verify_setup(&operation, transform->psa_mac_dec,
+ transform->psa_mac_alg);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_enabled;
+ }
+
+ status = psa_mac_update(&operation, add_data, add_data_len);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_enabled;
+ }
+
+ status = psa_mac_update(&operation, data, rec->data_len);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_enabled;
+ }
+
+ /* Compare expected MAC with MAC at the end of the record. */
+ status = psa_mac_verify_finish(&operation, data + rec->data_len,
+ transform->maclen);
+ if (status != PSA_SUCCESS) {
+ goto hmac_failed_etm_enabled;
+ }
+#else
+ ret = mbedtls_md_hmac_update(&transform->md_ctx_dec, add_data,
+ add_data_len);
+ if (ret != 0) {
+ goto hmac_failed_etm_enabled;
+ }
+ ret = mbedtls_md_hmac_update(&transform->md_ctx_dec,
+ data, rec->data_len);
+ if (ret != 0) {
+ goto hmac_failed_etm_enabled;
+ }
+ ret = mbedtls_md_hmac_finish(&transform->md_ctx_dec, mac_expect);
+ if (ret != 0) {
+ goto hmac_failed_etm_enabled;
+ }
+ ret = mbedtls_md_hmac_reset(&transform->md_ctx_dec);
+ if (ret != 0) {
+ goto hmac_failed_etm_enabled;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "message mac", data + rec->data_len,
+ transform->maclen);
+ MBEDTLS_SSL_DEBUG_BUF(4, "expected mac", mac_expect,
+ transform->maclen);
+
+ /* Compare expected MAC with MAC at the end of the record. */
+ if (mbedtls_ct_memcmp(data + rec->data_len, mac_expect,
+ transform->maclen) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("message mac does not match"));
+ ret = MBEDTLS_ERR_SSL_INVALID_MAC;
+ goto hmac_failed_etm_enabled;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ auth_done++;
+
+hmac_failed_etm_enabled:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ status = psa_mac_abort(&operation);
+ if (ret == 0 && status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ }
+#else
+ mbedtls_platform_zeroize(mac_expect, transform->maclen);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if (ret != 0) {
+ if (ret != MBEDTLS_ERR_SSL_INVALID_MAC) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_hmac_xxx", ret);
+ }
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+ /*
+ * Check length sanity
+ */
+
+ /* We know from above that data_len > minlen >= 0,
+ * so the following check in particular implies that
+ * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
+ if (rec->data_len % transform->ivlen != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+ ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0",
+ rec->data_len, transform->ivlen));
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ /*
+ * Initialize for prepended IV for block cipher in TLS v1.2
+ */
+ /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
+ memcpy(transform->iv_dec, data, transform->ivlen);
+
+ data += transform->ivlen;
+ rec->data_offset += transform->ivlen;
+ rec->data_len -= transform->ivlen;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_cipher_decrypt_setup(&cipher_op,
+ transform->psa_key_dec, transform->psa_alg);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_decrypt_setup", ret);
+ return ret;
+ }
+
+ status = psa_cipher_set_iv(&cipher_op, transform->iv_dec, transform->ivlen);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret);
+ return ret;
+ }
+
+ status = psa_cipher_update(&cipher_op,
+ data, rec->data_len,
+ data, rec->data_len, &olen);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret);
+ return ret;
+ }
+
+ status = psa_cipher_finish(&cipher_op,
+ data + olen, rec->data_len - olen,
+ &part_len);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret);
+ return ret;
+ }
+
+ olen += part_len;
+#else
+
+ if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_dec,
+ transform->iv_dec, transform->ivlen,
+ data, rec->data_len, data, &olen)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /* Double-check that length hasn't changed during decryption. */
+ if (rec->data_len != olen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* Safe since data_len >= minlen + maclen + 1, so after having
+ * subtracted at most minlen and maclen up to this point,
+ * data_len > 0 (because of data_len % ivlen == 0, it's actually
+ * >= ivlen ). */
+ padlen = data[rec->data_len - 1];
+
+ if (auth_done == 1) {
+ const mbedtls_ct_condition_t ge = mbedtls_ct_uint_ge(
+ rec->data_len,
+ padlen + 1);
+ correct = mbedtls_ct_bool_and(ge, correct);
+ padlen = mbedtls_ct_size_if_else_0(ge, padlen);
+ } else {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+ if (rec->data_len < transform->maclen + padlen + 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("msglen (%" MBEDTLS_PRINTF_SIZET
+ ") < maclen (%" MBEDTLS_PRINTF_SIZET
+ ") + padlen (%" MBEDTLS_PRINTF_SIZET ")",
+ rec->data_len,
+ transform->maclen,
+ padlen + 1));
+ }
+#endif
+ const mbedtls_ct_condition_t ge = mbedtls_ct_uint_ge(
+ rec->data_len,
+ transform->maclen + padlen + 1);
+ correct = mbedtls_ct_bool_and(ge, correct);
+ padlen = mbedtls_ct_size_if_else_0(ge, padlen);
+ }
+
+ padlen++;
+
+ /* Regardless of the validity of the padding,
+ * we have data_len >= padlen here. */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ /* The padding check involves a series of up to 256
+ * consecutive memory reads at the end of the record
+ * plaintext buffer. In order to hide the length and
+ * validity of the padding, always perform exactly
+ * `min(256,plaintext_len)` reads (but take into account
+ * only the last `padlen` bytes for the padding check). */
+ size_t pad_count = 0;
+ volatile unsigned char * const check = data;
+
+ /* Index of first padding byte; it has been ensured above
+ * that the subtraction is safe. */
+ size_t const padding_idx = rec->data_len - padlen;
+ size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
+ size_t const start_idx = rec->data_len - num_checks;
+ size_t idx;
+
+ for (idx = start_idx; idx < rec->data_len; idx++) {
+ /* pad_count += (idx >= padding_idx) &&
+ * (check[idx] == padlen - 1);
+ */
+ const mbedtls_ct_condition_t a = mbedtls_ct_uint_ge(idx, padding_idx);
+ size_t increment = mbedtls_ct_size_if_else_0(a, 1);
+ const mbedtls_ct_condition_t b = mbedtls_ct_uint_eq(check[idx], padlen - 1);
+ increment = mbedtls_ct_size_if_else_0(b, increment);
+ pad_count += increment;
+ }
+ correct = mbedtls_ct_bool_and(mbedtls_ct_uint_eq(pad_count, padlen), correct);
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+ if (padlen > 0 && correct == MBEDTLS_CT_FALSE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad padding byte detected"));
+ }
+#endif
+ padlen = mbedtls_ct_size_if_else_0(correct, padlen);
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ /* If the padding was found to be invalid, padlen == 0
+ * and the subtraction is safe. If the padding was found valid,
+ * padlen hasn't been changed and the previous assertion
+ * data_len >= padlen still holds. */
+ rec->data_len -= padlen;
+ } else
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
+ {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+ MBEDTLS_SSL_DEBUG_BUF(4, "raw buffer after decryption",
+ data, rec->data_len);
+#endif
+
+ /*
+ * Authenticate if not done yet.
+ * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
+ */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ if (auth_done == 0) {
+ unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD] = { 0 };
+ unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD] = { 0 };
+
+ /* For CBC+MAC, If the initial value of padlen was such that
+ * data_len < maclen + padlen + 1, then padlen
+ * got reset to 1, and the initial check
+ * data_len >= minlen + maclen + 1
+ * guarantees that at this point we still
+ * have at least data_len >= maclen.
+ *
+ * If the initial value of padlen was such that
+ * data_len >= maclen + padlen + 1, then we have
+ * subtracted either padlen + 1 (if the padding was correct)
+ * or 0 (if the padding was incorrect) since then,
+ * hence data_len >= maclen in any case.
+ *
+ * For stream ciphers, we checked above that
+ * data_len >= maclen.
+ */
+ rec->data_len -= transform->maclen;
+ ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
+ transform->tls_version,
+ transform->taglen);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ /*
+ * The next two sizes are the minimum and maximum values of
+ * data_len over all padlen values.
+ *
+ * They're independent of padlen, since we previously did
+ * data_len -= padlen.
+ *
+ * Note that max_len + maclen is never more than the buffer
+ * length, as we previously did in_msglen -= maclen too.
+ */
+ const size_t max_len = rec->data_len + padlen;
+ const size_t min_len = (max_len > 256) ? max_len - 256 : 0;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = mbedtls_ct_hmac(transform->psa_mac_dec,
+ transform->psa_mac_alg,
+ add_data, add_data_len,
+ data, rec->data_len, min_len, max_len,
+ mac_expect);
+#else
+ ret = mbedtls_ct_hmac(&transform->md_ctx_dec,
+ add_data, add_data_len,
+ data, rec->data_len, min_len, max_len,
+ mac_expect);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ct_hmac", ret);
+ goto hmac_failed_etm_disabled;
+ }
+
+ mbedtls_ct_memcpy_offset(mac_peer, data,
+ rec->data_len,
+ min_len, max_len,
+ transform->maclen);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+ MBEDTLS_SSL_DEBUG_BUF(4, "expected mac", mac_expect, transform->maclen);
+ MBEDTLS_SSL_DEBUG_BUF(4, "message mac", mac_peer, transform->maclen);
+#endif
+
+ if (mbedtls_ct_memcmp(mac_peer, mac_expect,
+ transform->maclen) != 0) {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+ MBEDTLS_SSL_DEBUG_MSG(1, ("message mac does not match"));
+#endif
+ correct = MBEDTLS_CT_FALSE;
+ }
+ auth_done++;
+
+hmac_failed_etm_disabled:
+ mbedtls_platform_zeroize(mac_peer, transform->maclen);
+ mbedtls_platform_zeroize(mac_expect, transform->maclen);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ /*
+ * Finally check the correct flag
+ */
+ if (correct == MBEDTLS_CT_FALSE) {
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+
+ /* Make extra sure authentication was performed, exactly once */
+ if (auth_done != 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (transform->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ /* Remove inner padding and infer true content type. */
+ ret = ssl_parse_inner_plaintext(data, &rec->data_len,
+ &rec->type);
+
+ if (ret != 0) {
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ if (rec->cid_len != 0) {
+ ret = ssl_parse_inner_plaintext(data, &rec->data_len,
+ &rec->type);
+ if (ret != 0) {
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+ }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= decrypt buf"));
+
+ return 0;
+}
+
+#undef MAC_NONE
+#undef MAC_PLAINTEXT
+#undef MAC_CIPHERTEXT
+
+/*
+ * Fill the input message buffer by appending data to it.
+ * The amount of data already fetched is in ssl->in_left.
+ *
+ * If we return 0, is it guaranteed that (at least) nb_want bytes are
+ * available (from this read and/or a previous one). Otherwise, an error code
+ * is returned (possibly EOF or WANT_READ).
+ *
+ * With stream transport (TLS) on success ssl->in_left == nb_want, but
+ * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
+ * since we always read a whole datagram at once.
+ *
+ * For DTLS, it is up to the caller to set ssl->next_record_offset when
+ * they're done reading a record.
+ */
+int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t in_buf_len = ssl->in_buf_len;
+#else
+ size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> fetch input"));
+
+ if (ssl->f_recv == NULL && ssl->f_recv_timeout == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Bad usage of mbedtls_ssl_set_bio() "));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (nb_want > in_buf_len - (size_t) (ssl->in_hdr - ssl->in_buf)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("requesting more data than fits"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ uint32_t timeout;
+
+ /*
+ * The point is, we need to always read a full datagram at once, so we
+ * sometimes read more then requested, and handle the additional data.
+ * It could be the rest of the current record (while fetching the
+ * header) and/or some other records in the same datagram.
+ */
+
+ /*
+ * Move to the next record in the already read datagram if applicable
+ */
+ if (ssl->next_record_offset != 0) {
+ if (ssl->in_left < ssl->next_record_offset) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ ssl->in_left -= ssl->next_record_offset;
+
+ if (ssl->in_left != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("next record in same datagram, offset: %"
+ MBEDTLS_PRINTF_SIZET,
+ ssl->next_record_offset));
+ memmove(ssl->in_hdr,
+ ssl->in_hdr + ssl->next_record_offset,
+ ssl->in_left);
+ }
+
+ ssl->next_record_offset = 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("in_left: %" MBEDTLS_PRINTF_SIZET
+ ", nb_want: %" MBEDTLS_PRINTF_SIZET,
+ ssl->in_left, nb_want));
+
+ /*
+ * Done if we already have enough data.
+ */
+ if (nb_want <= ssl->in_left) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= fetch input"));
+ return 0;
+ }
+
+ /*
+ * A record can't be split across datagrams. If we need to read but
+ * are not at the beginning of a new record, the caller did something
+ * wrong.
+ */
+ if (ssl->in_left != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /*
+ * Don't even try to read if time's out already.
+ * This avoids by-passing the timer when repeatedly receiving messages
+ * that will end up being dropped.
+ */
+ if (mbedtls_ssl_check_timer(ssl) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("timer has expired"));
+ ret = MBEDTLS_ERR_SSL_TIMEOUT;
+ } else {
+ len = in_buf_len - (size_t) (ssl->in_hdr - ssl->in_buf);
+
+ if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
+ timeout = ssl->handshake->retransmit_timeout;
+ } else {
+ timeout = ssl->conf->read_timeout;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("f_recv_timeout: %lu ms", (unsigned long) timeout));
+
+ if (ssl->f_recv_timeout != NULL) {
+ ret = ssl->f_recv_timeout(ssl->p_bio, ssl->in_hdr, len,
+ timeout);
+ } else {
+ ret = ssl->f_recv(ssl->p_bio, ssl->in_hdr, len);
+ }
+
+ MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_recv(_timeout)", ret);
+
+ if (ret == 0) {
+ return MBEDTLS_ERR_SSL_CONN_EOF;
+ }
+ }
+
+ if (ret == MBEDTLS_ERR_SSL_TIMEOUT) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("timeout"));
+ mbedtls_ssl_set_timer(ssl, 0);
+
+ if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+ if (ssl_double_retransmit_timeout(ssl) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("handshake timeout"));
+ return MBEDTLS_ERR_SSL_TIMEOUT;
+ }
+
+ if ((ret = mbedtls_ssl_resend(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend", ret);
+ return ret;
+ }
+
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ }
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+ else if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
+ if ((ret = mbedtls_ssl_resend_hello_request(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend_hello_request",
+ ret);
+ return ret;
+ }
+
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+ }
+
+ if (ret < 0) {
+ return ret;
+ }
+
+ ssl->in_left = ret;
+ } else
+#endif
+ {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("in_left: %" MBEDTLS_PRINTF_SIZET
+ ", nb_want: %" MBEDTLS_PRINTF_SIZET,
+ ssl->in_left, nb_want));
+
+ while (ssl->in_left < nb_want) {
+ len = nb_want - ssl->in_left;
+
+ if (mbedtls_ssl_check_timer(ssl) != 0) {
+ ret = MBEDTLS_ERR_SSL_TIMEOUT;
+ } else {
+ if (ssl->f_recv_timeout != NULL) {
+ ret = ssl->f_recv_timeout(ssl->p_bio,
+ ssl->in_hdr + ssl->in_left, len,
+ ssl->conf->read_timeout);
+ } else {
+ ret = ssl->f_recv(ssl->p_bio,
+ ssl->in_hdr + ssl->in_left, len);
+ }
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("in_left: %" MBEDTLS_PRINTF_SIZET
+ ", nb_want: %" MBEDTLS_PRINTF_SIZET,
+ ssl->in_left, nb_want));
+ MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_recv(_timeout)", ret);
+
+ if (ret == 0) {
+ return MBEDTLS_ERR_SSL_CONN_EOF;
+ }
+
+ if (ret < 0) {
+ return ret;
+ }
+
+ if ((size_t) ret > len) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET
+ " were requested",
+ ret, len));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ ssl->in_left += ret;
+ }
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= fetch input"));
+
+ return 0;
+}
+
+/*
+ * Flush any data not yet written
+ */
+int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> flush output"));
+
+ if (ssl->f_send == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Bad usage of mbedtls_ssl_set_bio() "));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* Avoid incrementing counter if data is flushed */
+ if (ssl->out_left == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= flush output"));
+ return 0;
+ }
+
+ while (ssl->out_left > 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("message length: %" MBEDTLS_PRINTF_SIZET
+ ", out_left: %" MBEDTLS_PRINTF_SIZET,
+ mbedtls_ssl_out_hdr_len(ssl) + ssl->out_msglen, ssl->out_left));
+
+ buf = ssl->out_hdr - ssl->out_left;
+ ret = ssl->f_send(ssl->p_bio, buf, ssl->out_left);
+
+ MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_send", ret);
+
+ if (ret <= 0) {
+ return ret;
+ }
+
+ if ((size_t) ret > ssl->out_left) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET
+ " bytes were sent",
+ ret, ssl->out_left));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ ssl->out_left -= ret;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ssl->out_hdr = ssl->out_buf;
+ } else
+#endif
+ {
+ ssl->out_hdr = ssl->out_buf + 8;
+ }
+ mbedtls_ssl_update_out_pointers(ssl, ssl->transform_out);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= flush output"));
+
+ return 0;
+}
+
+/*
+ * Functions to handle the DTLS retransmission state machine
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * Append current handshake message to current outgoing flight
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_flight_append(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_flight_item *msg;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_flight_append"));
+ MBEDTLS_SSL_DEBUG_BUF(4, "message appended to flight",
+ ssl->out_msg, ssl->out_msglen);
+
+ /* Allocate space for current message */
+ if ((msg = mbedtls_calloc(1, sizeof(mbedtls_ssl_flight_item))) == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
+ sizeof(mbedtls_ssl_flight_item)));
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ if ((msg->p = mbedtls_calloc(1, ssl->out_msglen)) == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
+ ssl->out_msglen));
+ mbedtls_free(msg);
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ /* Copy current handshake message with headers */
+ memcpy(msg->p, ssl->out_msg, ssl->out_msglen);
+ msg->len = ssl->out_msglen;
+ msg->type = ssl->out_msgtype;
+ msg->next = NULL;
+
+ /* Append to the current flight */
+ if (ssl->handshake->flight == NULL) {
+ ssl->handshake->flight = msg;
+ } else {
+ mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
+ while (cur->next != NULL) {
+ cur = cur->next;
+ }
+ cur->next = msg;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_flight_append"));
+ return 0;
+}
+
+/*
+ * Free the current flight of handshake messages
+ */
+void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight)
+{
+ mbedtls_ssl_flight_item *cur = flight;
+ mbedtls_ssl_flight_item *next;
+
+ while (cur != NULL) {
+ next = cur->next;
+
+ mbedtls_free(cur->p);
+ mbedtls_free(cur);
+
+ cur = next;
+ }
+}
+
+/*
+ * Swap transform_out and out_ctr with the alternative ones
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_swap_epochs(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_transform *tmp_transform;
+ unsigned char tmp_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN];
+
+ if (ssl->transform_out == ssl->handshake->alt_transform_out) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("skip swap epochs"));
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("swap epochs"));
+
+ /* Swap transforms */
+ tmp_transform = ssl->transform_out;
+ ssl->transform_out = ssl->handshake->alt_transform_out;
+ ssl->handshake->alt_transform_out = tmp_transform;
+
+ /* Swap epoch + sequence_number */
+ memcpy(tmp_out_ctr, ssl->cur_out_ctr, sizeof(tmp_out_ctr));
+ memcpy(ssl->cur_out_ctr, ssl->handshake->alt_out_ctr,
+ sizeof(ssl->cur_out_ctr));
+ memcpy(ssl->handshake->alt_out_ctr, tmp_out_ctr,
+ sizeof(ssl->handshake->alt_out_ctr));
+
+ /* Adjust to the newly activated transform */
+ mbedtls_ssl_update_out_pointers(ssl, ssl->transform_out);
+
+ return 0;
+}
+
+/*
+ * Retransmit the current flight of messages.
+ */
+int mbedtls_ssl_resend(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_resend"));
+
+ ret = mbedtls_ssl_flight_transmit(ssl);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_resend"));
+
+ return ret;
+}
+
+/*
+ * Transmit or retransmit the current flight of messages.
+ *
+ * Need to remember the current message in case flush_output returns
+ * WANT_WRITE, causing us to exit this function and come back later.
+ * This function must be called until state is no longer SENDING.
+ */
+int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_flight_transmit"));
+
+ if (ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("initialise flight transmission"));
+
+ ssl->handshake->cur_msg = ssl->handshake->flight;
+ ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
+ ret = ssl_swap_epochs(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
+ }
+
+ while (ssl->handshake->cur_msg != NULL) {
+ size_t max_frag_len;
+ const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
+
+ int const is_finished =
+ (cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ cur->p[0] == MBEDTLS_SSL_HS_FINISHED);
+
+ int const force_flush = ssl->disable_datagram_packing == 1 ?
+ SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
+
+ /* Swap epochs before sending Finished: we can't do it after
+ * sending ChangeCipherSpec, in case write returns WANT_READ.
+ * Must be done before copying, may change out_msg pointer */
+ if (is_finished && ssl->handshake->cur_msg_p == (cur->p + 12)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("swap epochs to send finished message"));
+ ret = ssl_swap_epochs(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ ret = ssl_get_remaining_payload_in_datagram(ssl);
+ if (ret < 0) {
+ return ret;
+ }
+ max_frag_len = (size_t) ret;
+
+ /* CCS is copied as is, while HS messages may need fragmentation */
+ if (cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
+ if (max_frag_len == 0) {
+ if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
+ return ret;
+ }
+
+ continue;
+ }
+
+ memcpy(ssl->out_msg, cur->p, cur->len);
+ ssl->out_msglen = cur->len;
+ ssl->out_msgtype = cur->type;
+
+ /* Update position inside current message */
+ ssl->handshake->cur_msg_p += cur->len;
+ } else {
+ const unsigned char * const p = ssl->handshake->cur_msg_p;
+ const size_t hs_len = cur->len - 12;
+ const size_t frag_off = (size_t) (p - (cur->p + 12));
+ const size_t rem_len = hs_len - frag_off;
+ size_t cur_hs_frag_len, max_hs_frag_len;
+
+ if ((max_frag_len < 12) || (max_frag_len == 12 && hs_len != 0)) {
+ if (is_finished) {
+ ret = ssl_swap_epochs(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
+ return ret;
+ }
+
+ continue;
+ }
+ max_hs_frag_len = max_frag_len - 12;
+
+ cur_hs_frag_len = rem_len > max_hs_frag_len ?
+ max_hs_frag_len : rem_len;
+
+ if (frag_off == 0 && cur_hs_frag_len != hs_len) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("fragmenting handshake message (%u > %u)",
+ (unsigned) cur_hs_frag_len,
+ (unsigned) max_hs_frag_len));
+ }
+
+ /* Messages are stored with handshake headers as if not fragmented,
+ * copy beginning of headers then fill fragmentation fields.
+ * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
+ memcpy(ssl->out_msg, cur->p, 6);
+
+ ssl->out_msg[6] = MBEDTLS_BYTE_2(frag_off);
+ ssl->out_msg[7] = MBEDTLS_BYTE_1(frag_off);
+ ssl->out_msg[8] = MBEDTLS_BYTE_0(frag_off);
+
+ ssl->out_msg[9] = MBEDTLS_BYTE_2(cur_hs_frag_len);
+ ssl->out_msg[10] = MBEDTLS_BYTE_1(cur_hs_frag_len);
+ ssl->out_msg[11] = MBEDTLS_BYTE_0(cur_hs_frag_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "handshake header", ssl->out_msg, 12);
+
+ /* Copy the handshake message content and set records fields */
+ memcpy(ssl->out_msg + 12, p, cur_hs_frag_len);
+ ssl->out_msglen = cur_hs_frag_len + 12;
+ ssl->out_msgtype = cur->type;
+
+ /* Update position inside current message */
+ ssl->handshake->cur_msg_p += cur_hs_frag_len;
+ }
+
+ /* If done with the current message move to the next one if any */
+ if (ssl->handshake->cur_msg_p >= cur->p + cur->len) {
+ if (cur->next != NULL) {
+ ssl->handshake->cur_msg = cur->next;
+ ssl->handshake->cur_msg_p = cur->next->p + 12;
+ } else {
+ ssl->handshake->cur_msg = NULL;
+ ssl->handshake->cur_msg_p = NULL;
+ }
+ }
+
+ /* Actually send the message out */
+ if ((ret = mbedtls_ssl_write_record(ssl, force_flush)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
+ return ret;
+ }
+ }
+
+ if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
+ return ret;
+ }
+
+ /* Update state and set timer */
+ if (mbedtls_ssl_is_handshake_over(ssl) == 1) {
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+ } else {
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+ mbedtls_ssl_set_timer(ssl, ssl->handshake->retransmit_timeout);
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_flight_transmit"));
+
+ return 0;
+}
+
+/*
+ * To be called when the last message of an incoming flight is received.
+ */
+void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl)
+{
+ /* We won't need to resend that one any more */
+ mbedtls_ssl_flight_free(ssl->handshake->flight);
+ ssl->handshake->flight = NULL;
+ ssl->handshake->cur_msg = NULL;
+
+ /* The next incoming flight will start with this msg_seq */
+ ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
+
+ /* We don't want to remember CCS's across flight boundaries. */
+ ssl->handshake->buffering.seen_ccs = 0;
+
+ /* Clear future message buffering structure. */
+ mbedtls_ssl_buffering_free(ssl);
+
+ /* Cancel timer */
+ mbedtls_ssl_set_timer(ssl, 0);
+
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED) {
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+ } else {
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+ }
+}
+
+/*
+ * To be called when the last message of an outgoing flight is send.
+ */
+void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl)
+{
+ ssl_reset_retransmit_timeout(ssl);
+ mbedtls_ssl_set_timer(ssl, ssl->handshake->retransmit_timeout);
+
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED) {
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+ } else {
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+ }
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/*
+ * Handshake layer functions
+ */
+int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type,
+ unsigned char **buf, size_t *buf_len)
+{
+ /*
+ * Reserve 4 bytes for handshake header. ( Section 4,RFC 8446 )
+ * ...
+ * HandshakeType msg_type;
+ * uint24 length;
+ * ...
+ */
+ *buf = ssl->out_msg + 4;
+ *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
+
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = hs_type;
+
+ return 0;
+}
+
+/*
+ * Write (DTLS: or queue) current handshake (including CCS) message.
+ *
+ * - fill in handshake headers
+ * - update handshake checksum
+ * - DTLS: save message for resending
+ * - then pass to the record layer
+ *
+ * DTLS: except for HelloRequest, messages are only queued, and will only be
+ * actually sent when calling flight_transmit() or resend().
+ *
+ * Inputs:
+ * - ssl->out_msglen: 4 + actual handshake message len
+ * (4 is the size of handshake headers for TLS)
+ * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
+ * - ssl->out_msg + 4: the handshake message body
+ *
+ * Outputs, ie state before passing to flight_append() or write_record():
+ * - ssl->out_msglen: the length of the record contents
+ * (including handshake headers but excluding record headers)
+ * - ssl->out_msg: the record contents (handshake headers + content)
+ */
+int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
+ int update_checksum,
+ int force_flush)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t hs_len = ssl->out_msglen - 4;
+ const unsigned char hs_type = ssl->out_msg[0];
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write handshake message"));
+
+ /*
+ * Sanity checks
+ */
+ if (ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
+ ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* Whenever we send anything different from a
+ * HelloRequest we should be in a handshake - double check. */
+ if (!(ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST) &&
+ ssl->handshake == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->handshake != NULL &&
+ ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+#endif
+
+ /* Double-check that we did not exceed the bounds
+ * of the outgoing record buffer.
+ * This should never fail as the various message
+ * writing functions must obey the bounds of the
+ * outgoing record buffer, but better be safe.
+ *
+ * Note: We deliberately do not check for the MTU or MFL here.
+ */
+ if (ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Record too large: "
+ "size %" MBEDTLS_PRINTF_SIZET
+ ", maximum %" MBEDTLS_PRINTF_SIZET,
+ ssl->out_msglen,
+ (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /*
+ * Fill handshake headers
+ */
+ if (ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) {
+ ssl->out_msg[1] = MBEDTLS_BYTE_2(hs_len);
+ ssl->out_msg[2] = MBEDTLS_BYTE_1(hs_len);
+ ssl->out_msg[3] = MBEDTLS_BYTE_0(hs_len);
+
+ /*
+ * DTLS has additional fields in the Handshake layer,
+ * between the length field and the actual payload:
+ * uint16 message_seq;
+ * uint24 fragment_offset;
+ * uint24 fragment_length;
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ /* Make room for the additional DTLS fields */
+ if (MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS handshake message too large: "
+ "size %" MBEDTLS_PRINTF_SIZET ", maximum %"
+ MBEDTLS_PRINTF_SIZET,
+ hs_len,
+ (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN - 12)));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ memmove(ssl->out_msg + 12, ssl->out_msg + 4, hs_len);
+ ssl->out_msglen += 8;
+
+ /* Write message_seq and update it, except for HelloRequest */
+ if (hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST) {
+ MBEDTLS_PUT_UINT16_BE(ssl->handshake->out_msg_seq, ssl->out_msg, 4);
+ ++(ssl->handshake->out_msg_seq);
+ } else {
+ ssl->out_msg[4] = 0;
+ ssl->out_msg[5] = 0;
+ }
+
+ /* Handshake hashes are computed without fragmentation,
+ * so set frag_offset = 0 and frag_len = hs_len for now */
+ memset(ssl->out_msg + 6, 0x00, 3);
+ memcpy(ssl->out_msg + 9, ssl->out_msg + 1, 3);
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ /* Update running hashes of handshake messages seen */
+ if (hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0) {
+ ret = ssl->handshake->update_checksum(ssl, ssl->out_msg,
+ ssl->out_msglen);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
+ }
+ }
+ }
+
+ /* Either send now, or just save to be sent (and resent) later */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ !(ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST)) {
+ if ((ret = ssl_flight_append(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_flight_append", ret);
+ return ret;
+ }
+ } else
+#endif
+ {
+ if ((ret = mbedtls_ssl_write_record(ssl, force_flush)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_record", ret);
+ return ret;
+ }
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write handshake message"));
+
+ return 0;
+}
+
+int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
+ size_t buf_len, size_t msg_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t msg_with_header_len;
+ ((void) buf_len);
+
+ /* Add reserved 4 bytes for handshake header */
+ msg_with_header_len = msg_len + 4;
+ ssl->out_msglen = msg_with_header_len;
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_handshake_msg_ext(ssl, 0, 0));
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Record layer functions
+ */
+
+/*
+ * Write current record.
+ *
+ * Uses:
+ * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
+ * - ssl->out_msglen: length of the record content (excl headers)
+ * - ssl->out_msg: record content
+ */
+int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush)
+{
+ int ret, done = 0;
+ size_t len = ssl->out_msglen;
+ int flush = force_flush;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write record"));
+
+ if (!done) {
+ unsigned i;
+ size_t protected_record_size;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t out_buf_len = ssl->out_buf_len;
+#else
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+ /* Skip writing the record content type to after the encryption,
+ * as it may change when using the CID extension. */
+ mbedtls_ssl_protocol_version tls_ver = ssl->tls_version;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* TLS 1.3 still uses the TLS 1.2 version identifier
+ * for backwards compatibility. */
+ if (tls_ver == MBEDTLS_SSL_VERSION_TLS1_3) {
+ tls_ver = MBEDTLS_SSL_VERSION_TLS1_2;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+ mbedtls_ssl_write_version(ssl->out_hdr + 1, ssl->conf->transport,
+ tls_ver);
+
+ memcpy(ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
+ MBEDTLS_PUT_UINT16_BE(len, ssl->out_len, 0);
+
+ if (ssl->transform_out != NULL) {
+ mbedtls_record rec;
+
+ rec.buf = ssl->out_iv;
+ rec.buf_len = out_buf_len - (size_t) (ssl->out_iv - ssl->out_buf);
+ rec.data_len = ssl->out_msglen;
+ rec.data_offset = (size_t) (ssl->out_msg - rec.buf);
+
+ memcpy(&rec.ctr[0], ssl->out_ctr, sizeof(rec.ctr));
+ mbedtls_ssl_write_version(rec.ver, ssl->conf->transport, tls_ver);
+ rec.type = ssl->out_msgtype;
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ /* The CID is set by mbedtls_ssl_encrypt_buf(). */
+ rec.cid_len = 0;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret);
+ return ret;
+ }
+
+ if (rec.data_offset != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* Update the record content type and CID. */
+ ssl->out_msgtype = rec.type;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ memcpy(ssl->out_cid, rec.cid, rec.cid_len);
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ ssl->out_msglen = len = rec.data_len;
+ MBEDTLS_PUT_UINT16_BE(rec.data_len, ssl->out_len, 0);
+ }
+
+ protected_record_size = len + mbedtls_ssl_out_hdr_len(ssl);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ /* In case of DTLS, double-check that we don't exceed
+ * the remaining space in the datagram. */
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ret = ssl_get_remaining_space_in_datagram(ssl);
+ if (ret < 0) {
+ return ret;
+ }
+
+ if (protected_record_size > (size_t) ret) {
+ /* Should never happen */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ /* Now write the potentially updated record content type. */
+ ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("output record: msgtype = %u, "
+ "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET,
+ ssl->out_hdr[0], ssl->out_hdr[1],
+ ssl->out_hdr[2], len));
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "output record sent to network",
+ ssl->out_hdr, protected_record_size);
+
+ ssl->out_left += protected_record_size;
+ ssl->out_hdr += protected_record_size;
+ mbedtls_ssl_update_out_pointers(ssl, ssl->transform_out);
+
+ for (i = 8; i > mbedtls_ssl_ep_len(ssl); i--) {
+ if (++ssl->cur_out_ctr[i - 1] != 0) {
+ break;
+ }
+ }
+
+ /* The loop goes to its end if the counter is wrapping */
+ if (i == mbedtls_ssl_ep_len(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("outgoing message counter would wrap"));
+ return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
+ }
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ flush == SSL_DONT_FORCE_FLUSH) {
+ size_t remaining;
+ ret = ssl_get_remaining_payload_in_datagram(ssl);
+ if (ret < 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_remaining_payload_in_datagram",
+ ret);
+ return ret;
+ }
+
+ remaining = (size_t) ret;
+ if (remaining == 0) {
+ flush = SSL_FORCE_FLUSH;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("Still %u bytes available in current datagram",
+ (unsigned) remaining));
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ if ((flush == SSL_FORCE_FLUSH) &&
+ (ret = mbedtls_ssl_flush_output(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write record"));
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_hs_is_proper_fragment(mbedtls_ssl_context *ssl)
+{
+ if (ssl->in_msglen < ssl->in_hslen ||
+ memcmp(ssl->in_msg + 6, "\0\0\0", 3) != 0 ||
+ memcmp(ssl->in_msg + 9, ssl->in_msg + 1, 3) != 0) {
+ return 1;
+ }
+ return 0;
+}
+
+static uint32_t ssl_get_hs_frag_len(mbedtls_ssl_context const *ssl)
+{
+ return MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
+}
+
+static uint32_t ssl_get_hs_frag_off(mbedtls_ssl_context const *ssl)
+{
+ return MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_check_hs_header(mbedtls_ssl_context const *ssl)
+{
+ uint32_t msg_len, frag_off, frag_len;
+
+ msg_len = ssl_get_hs_total_len(ssl);
+ frag_off = ssl_get_hs_frag_off(ssl);
+ frag_len = ssl_get_hs_frag_len(ssl);
+
+ if (frag_off > msg_len) {
+ return -1;
+ }
+
+ if (frag_len > msg_len - frag_off) {
+ return -1;
+ }
+
+ if (frag_len + 12 > ssl->in_msglen) {
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Mark bits in bitmask (used for DTLS HS reassembly)
+ */
+static void ssl_bitmask_set(unsigned char *mask, size_t offset, size_t len)
+{
+ unsigned int start_bits, end_bits;
+
+ start_bits = 8 - (offset % 8);
+ if (start_bits != 8) {
+ size_t first_byte_idx = offset / 8;
+
+ /* Special case */
+ if (len <= start_bits) {
+ for (; len != 0; len--) {
+ mask[first_byte_idx] |= 1 << (start_bits - len);
+ }
+
+ /* Avoid potential issues with offset or len becoming invalid */
+ return;
+ }
+
+ offset += start_bits; /* Now offset % 8 == 0 */
+ len -= start_bits;
+
+ for (; start_bits != 0; start_bits--) {
+ mask[first_byte_idx] |= 1 << (start_bits - 1);
+ }
+ }
+
+ end_bits = len % 8;
+ if (end_bits != 0) {
+ size_t last_byte_idx = (offset + len) / 8;
+
+ len -= end_bits; /* Now len % 8 == 0 */
+
+ for (; end_bits != 0; end_bits--) {
+ mask[last_byte_idx] |= 1 << (8 - end_bits);
+ }
+ }
+
+ memset(mask + offset / 8, 0xFF, len / 8);
+}
+
+/*
+ * Check that bitmask is full
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_bitmask_check(unsigned char *mask, size_t len)
+{
+ size_t i;
+
+ for (i = 0; i < len / 8; i++) {
+ if (mask[i] != 0xFF) {
+ return -1;
+ }
+ }
+
+ for (i = 0; i < len % 8; i++) {
+ if ((mask[len / 8] & (1 << (7 - i))) == 0) {
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/* msg_len does not include the handshake header */
+static size_t ssl_get_reassembly_buffer_size(size_t msg_len,
+ unsigned add_bitmap)
+{
+ size_t alloc_len;
+
+ alloc_len = 12; /* Handshake header */
+ alloc_len += msg_len; /* Content buffer */
+
+ if (add_bitmap) {
+ alloc_len += msg_len / 8 + (msg_len % 8 != 0); /* Bitmap */
+
+ }
+ return alloc_len;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)
+{
+ return MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
+}
+
+int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
+{
+ if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
+ ssl->in_msglen));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
+ " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %"
+ MBEDTLS_PRINTF_SIZET,
+ ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen));
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned int recv_msg_seq = MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
+
+ if (ssl_check_hs_header(ssl) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid handshake header"));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ if (ssl->handshake != NULL &&
+ ((mbedtls_ssl_is_handshake_over(ssl) == 0 &&
+ recv_msg_seq != ssl->handshake->in_msg_seq) ||
+ (mbedtls_ssl_is_handshake_over(ssl) == 1 &&
+ ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO))) {
+ if (recv_msg_seq > ssl->handshake->in_msg_seq) {
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ (
+ "received future handshake message of sequence number %u (next %u)",
+ recv_msg_seq,
+ ssl->handshake->in_msg_seq));
+ return MBEDTLS_ERR_SSL_EARLY_MESSAGE;
+ }
+
+ /* Retransmit only on last message from previous flight, to avoid
+ * too many retransmissions.
+ * Besides, No sane server ever retransmits HelloVerifyRequest */
+ if (recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
+ ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("received message from last flight, "
+ "message_seq = %u, start_of_flight = %u",
+ recv_msg_seq,
+ ssl->handshake->in_flight_start_seq));
+
+ if ((ret = mbedtls_ssl_resend(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend", ret);
+ return ret;
+ }
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("dropping out-of-sequence message: "
+ "message_seq = %u, expected = %u",
+ recv_msg_seq,
+ ssl->handshake->in_msg_seq));
+ }
+
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ }
+ /* Wait until message completion to increment in_msg_seq */
+
+ /* Message reassembly is handled alongside buffering of future
+ * messages; the commonality is that both handshake fragments and
+ * future messages cannot be forwarded immediately to the
+ * handshake logic layer. */
+ if (ssl_hs_is_proper_fragment(ssl) == 1) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("found fragmented DTLS handshake message"));
+ return MBEDTLS_ERR_SSL_EARLY_MESSAGE;
+ }
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ /* With TLS we don't handle fragmentation (for now) */
+ if (ssl->in_msglen < ssl->in_hslen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported"));
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ return 0;
+}
+
+int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+ if (mbedtls_ssl_is_handshake_over(ssl) == 0 && hs != NULL) {
+ ret = ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
+ }
+ }
+
+ /* Handshake message is complete, increment counter */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->handshake != NULL) {
+ unsigned offset;
+ mbedtls_ssl_hs_buffer *hs_buf;
+
+ /* Increment handshake sequence number */
+ hs->in_msg_seq++;
+
+ /*
+ * Clear up handshake buffering and reassembly structure.
+ */
+
+ /* Free first entry */
+ ssl_buffering_free_slot(ssl, 0);
+
+ /* Shift all other entries */
+ for (offset = 0, hs_buf = &hs->buffering.hs[0];
+ offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
+ offset++, hs_buf++) {
+ *hs_buf = *(hs_buf + 1);
+ }
+
+ /* Create a fresh last entry */
+ memset(hs_buf, 0, sizeof(mbedtls_ssl_hs_buffer));
+ }
+#endif
+ return 0;
+}
+
+/*
+ * DTLS anti-replay: RFC 6347 4.1.2.6
+ *
+ * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
+ * Bit n is set iff record number in_window_top - n has been seen.
+ *
+ * Usually, in_window_top is the last record number seen and the lsb of
+ * in_window is set. The only exception is the initial state (record number 0
+ * not seen yet).
+ */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl)
+{
+ ssl->in_window_top = 0;
+ ssl->in_window = 0;
+}
+
+static inline uint64_t ssl_load_six_bytes(unsigned char *buf)
+{
+ return ((uint64_t) buf[0] << 40) |
+ ((uint64_t) buf[1] << 32) |
+ ((uint64_t) buf[2] << 24) |
+ ((uint64_t) buf[3] << 16) |
+ ((uint64_t) buf[4] << 8) |
+ ((uint64_t) buf[5]);
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int mbedtls_ssl_dtls_record_replay_check(mbedtls_ssl_context *ssl, uint8_t *record_in_ctr)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *original_in_ctr;
+
+ // save original in_ctr
+ original_in_ctr = ssl->in_ctr;
+
+ // use counter from record
+ ssl->in_ctr = record_in_ctr;
+
+ ret = mbedtls_ssl_dtls_replay_check((mbedtls_ssl_context const *) ssl);
+
+ // restore the counter
+ ssl->in_ctr = original_in_ctr;
+
+ return ret;
+}
+
+/*
+ * Return 0 if sequence number is acceptable, -1 otherwise
+ */
+int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl)
+{
+ uint64_t rec_seqnum = ssl_load_six_bytes(ssl->in_ctr + 2);
+ uint64_t bit;
+
+ if (ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED) {
+ return 0;
+ }
+
+ if (rec_seqnum > ssl->in_window_top) {
+ return 0;
+ }
+
+ bit = ssl->in_window_top - rec_seqnum;
+
+ if (bit >= 64) {
+ return -1;
+ }
+
+ if ((ssl->in_window & ((uint64_t) 1 << bit)) != 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Update replay window on new validated record
+ */
+void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl)
+{
+ uint64_t rec_seqnum = ssl_load_six_bytes(ssl->in_ctr + 2);
+
+ if (ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED) {
+ return;
+ }
+
+ if (rec_seqnum > ssl->in_window_top) {
+ /* Update window_top and the contents of the window */
+ uint64_t shift = rec_seqnum - ssl->in_window_top;
+
+ if (shift >= 64) {
+ ssl->in_window = 1;
+ } else {
+ ssl->in_window <<= shift;
+ ssl->in_window |= 1;
+ }
+
+ ssl->in_window_top = rec_seqnum;
+ } else {
+ /* Mark that number as seen in the current window */
+ uint64_t bit = ssl->in_window_top - rec_seqnum;
+
+ if (bit < 64) { /* Always true, but be extra sure */
+ ssl->in_window |= (uint64_t) 1 << bit;
+ }
+ }
+}
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+/*
+ * Check if a datagram looks like a ClientHello with a valid cookie,
+ * and if it doesn't, generate a HelloVerifyRequest message.
+ * Both input and output include full DTLS headers.
+ *
+ * - if cookie is valid, return 0
+ * - if ClientHello looks superficially valid but cookie is not,
+ * fill obuf and set olen, then
+ * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+ * - otherwise return a specific error code
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ssl_check_dtls_clihlo_cookie(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *cli_id, size_t cli_id_len,
+ const unsigned char *in, size_t in_len,
+ unsigned char *obuf, size_t buf_len, size_t *olen)
+{
+ size_t sid_len, cookie_len, epoch, fragment_offset;
+ unsigned char *p;
+
+ /*
+ * Structure of ClientHello with record and handshake headers,
+ * and expected values. We don't need to check a lot, more checks will be
+ * done when actually parsing the ClientHello - skipping those checks
+ * avoids code duplication and does not make cookie forging any easier.
+ *
+ * 0-0 ContentType type; copied, must be handshake
+ * 1-2 ProtocolVersion version; copied
+ * 3-4 uint16 epoch; copied, must be 0
+ * 5-10 uint48 sequence_number; copied
+ * 11-12 uint16 length; (ignored)
+ *
+ * 13-13 HandshakeType msg_type; (ignored)
+ * 14-16 uint24 length; (ignored)
+ * 17-18 uint16 message_seq; copied
+ * 19-21 uint24 fragment_offset; copied, must be 0
+ * 22-24 uint24 fragment_length; (ignored)
+ *
+ * 25-26 ProtocolVersion client_version; (ignored)
+ * 27-58 Random random; (ignored)
+ * 59-xx SessionID session_id; 1 byte len + sid_len content
+ * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
+ * ...
+ *
+ * Minimum length is 61 bytes.
+ */
+ MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: in_len=%u",
+ (unsigned) in_len));
+ MBEDTLS_SSL_DEBUG_BUF(4, "cli_id", cli_id, cli_id_len);
+ if (in_len < 61) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: record too short"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ epoch = MBEDTLS_GET_UINT16_BE(in, 3);
+ fragment_offset = MBEDTLS_GET_UINT24_BE(in, 19);
+
+ if (in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || epoch != 0 ||
+ fragment_offset != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: not a good ClientHello"));
+ MBEDTLS_SSL_DEBUG_MSG(4, (" type=%u epoch=%u fragment_offset=%u",
+ in[0], (unsigned) epoch,
+ (unsigned) fragment_offset));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ sid_len = in[59];
+ if (59 + 1 + sid_len + 1 > in_len) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: sid_len=%u > %u",
+ (unsigned) sid_len,
+ (unsigned) in_len - 61));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ MBEDTLS_SSL_DEBUG_BUF(4, "sid received from network",
+ in + 60, sid_len);
+
+ cookie_len = in[60 + sid_len];
+ if (59 + 1 + sid_len + 1 + cookie_len > in_len) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: cookie_len=%u > %u",
+ (unsigned) cookie_len,
+ (unsigned) (in_len - sid_len - 61)));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "cookie received from network",
+ in + sid_len + 61, cookie_len);
+ if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
+ in + sid_len + 61, cookie_len,
+ cli_id, cli_id_len) == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("check cookie: valid"));
+ return 0;
+ }
+
+ /*
+ * If we get here, we've got an invalid cookie, let's prepare HVR.
+ *
+ * 0-0 ContentType type; copied
+ * 1-2 ProtocolVersion version; copied
+ * 3-4 uint16 epoch; copied
+ * 5-10 uint48 sequence_number; copied
+ * 11-12 uint16 length; olen - 13
+ *
+ * 13-13 HandshakeType msg_type; hello_verify_request
+ * 14-16 uint24 length; olen - 25
+ * 17-18 uint16 message_seq; copied
+ * 19-21 uint24 fragment_offset; copied
+ * 22-24 uint24 fragment_length; olen - 25
+ *
+ * 25-26 ProtocolVersion server_version; 0xfe 0xff
+ * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
+ *
+ * Minimum length is 28.
+ */
+ if (buf_len < 28) {
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ /* Copy most fields and adapt others */
+ memcpy(obuf, in, 25);
+ obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+ obuf[25] = 0xfe;
+ obuf[26] = 0xff;
+
+ /* Generate and write actual cookie */
+ p = obuf + 28;
+ if (ssl->conf->f_cookie_write(ssl->conf->p_cookie,
+ &p, obuf + buf_len,
+ cli_id, cli_id_len) != 0) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ *olen = (size_t) (p - obuf);
+
+ /* Go back and fill length fields */
+ obuf[27] = (unsigned char) (*olen - 28);
+
+ obuf[14] = obuf[22] = MBEDTLS_BYTE_2(*olen - 25);
+ obuf[15] = obuf[23] = MBEDTLS_BYTE_1(*olen - 25);
+ obuf[16] = obuf[24] = MBEDTLS_BYTE_0(*olen - 25);
+
+ MBEDTLS_PUT_UINT16_BE(*olen - 13, obuf, 11);
+
+ return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
+}
+
+/*
+ * Handle possible client reconnect with the same UDP quadruplet
+ * (RFC 6347 Section 4.2.8).
+ *
+ * Called by ssl_parse_record_header() in case we receive an epoch 0 record
+ * that looks like a ClientHello.
+ *
+ * - if the input looks like a ClientHello without cookies,
+ * send back HelloVerifyRequest, then return 0
+ * - if the input looks like a ClientHello with a valid cookie,
+ * reset the session of the current context, and
+ * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ * - if anything goes wrong, return a specific error code
+ *
+ * This function is called (through ssl_check_client_reconnect()) when an
+ * unexpected record is found in ssl_get_next_record(), which will discard the
+ * record if we return 0, and bubble up the return value otherwise (this
+ * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
+ * errors, and is the right thing to do in both cases).
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_handle_possible_reconnect(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ if (ssl->conf->f_cookie_write == NULL ||
+ ssl->conf->f_cookie_check == NULL) {
+ /* If we can't use cookies to verify reachability of the peer,
+ * drop the record. */
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no cookie callbacks, "
+ "can't check reconnect validity"));
+ return 0;
+ }
+
+ ret = mbedtls_ssl_check_dtls_clihlo_cookie(
+ ssl,
+ ssl->cli_id, ssl->cli_id_len,
+ ssl->in_buf, ssl->in_left,
+ ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len);
+
+ MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_ssl_check_dtls_clihlo_cookie", ret);
+
+ if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
+ int send_ret;
+ MBEDTLS_SSL_DEBUG_MSG(1, ("sending HelloVerifyRequest"));
+ MBEDTLS_SSL_DEBUG_BUF(4, "output record sent to network",
+ ssl->out_buf, len);
+ /* Don't check write errors as we can't do anything here.
+ * If the error is permanent we'll catch it later,
+ * if it's not, then hopefully it'll work next time. */
+ send_ret = ssl->f_send(ssl->p_bio, ssl->out_buf, len);
+ MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_send", send_ret);
+ (void) send_ret;
+
+ return 0;
+ }
+
+ if (ret == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("cookie is valid, resetting context"));
+ if ((ret = mbedtls_ssl_session_reset_int(ssl, 1)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "reset", ret);
+ return ret;
+ }
+
+ return MBEDTLS_ERR_SSL_CLIENT_RECONNECT;
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_check_record_type(uint8_t record_type)
+{
+ if (record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
+ record_type != MBEDTLS_SSL_MSG_ALERT &&
+ record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
+ record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ return 0;
+}
+
+/*
+ * ContentType type;
+ * ProtocolVersion version;
+ * uint16 epoch; // DTLS only
+ * uint48 sequence_number; // DTLS only
+ * uint16 length;
+ *
+ * Return 0 if header looks sane (and, for DTLS, the record is expected)
+ * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
+ * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
+ *
+ * With DTLS, mbedtls_ssl_read_record() will:
+ * 1. proceed with the record if this function returns 0
+ * 2. drop only the current record if this function returns UNEXPECTED_RECORD
+ * 3. return CLIENT_RECONNECT if this function return that value
+ * 4. drop the whole datagram if this function returns anything else.
+ * Point 2 is needed when the peer is resending, and we have already received
+ * the first record from a datagram but are still waiting for the others.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
+ unsigned char *buf,
+ size_t len,
+ mbedtls_record *rec)
+{
+ mbedtls_ssl_protocol_version tls_version;
+
+ size_t const rec_hdr_type_offset = 0;
+ size_t const rec_hdr_type_len = 1;
+
+ size_t const rec_hdr_version_offset = rec_hdr_type_offset +
+ rec_hdr_type_len;
+ size_t const rec_hdr_version_len = 2;
+
+ size_t const rec_hdr_ctr_len = 8;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ uint32_t rec_epoch;
+ size_t const rec_hdr_ctr_offset = rec_hdr_version_offset +
+ rec_hdr_version_len;
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset +
+ rec_hdr_ctr_len;
+ size_t rec_hdr_cid_len = 0;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ size_t rec_hdr_len_offset; /* To be determined */
+ size_t const rec_hdr_len_len = 2;
+
+ /*
+ * Check minimum lengths for record header.
+ */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ {
+ rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
+ }
+
+ if (len < rec_hdr_len_offset + rec_hdr_len_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ (
+ "datagram of length %u too small to hold DTLS record header of length %u",
+ (unsigned) len,
+ (unsigned) (rec_hdr_len_len + rec_hdr_len_len)));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ /*
+ * Parse and validate record content type
+ */
+
+ rec->type = buf[rec_hdr_type_offset];
+
+ /* Check record content type */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ rec->cid_len = 0;
+
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->conf->cid_len != 0 &&
+ rec->type == MBEDTLS_SSL_MSG_CID) {
+ /* Shift pointers to account for record header including CID
+ * struct {
+ * ContentType outer_type = tls12_cid;
+ * ProtocolVersion version;
+ * uint16 epoch;
+ * uint48 sequence_number;
+ * opaque cid[cid_length]; // Additional field compared to
+ * // default DTLS record format
+ * uint16 length;
+ * opaque enc_content[DTLSCiphertext.length];
+ * } DTLSCiphertext;
+ */
+
+ /* So far, we only support static CID lengths
+ * fixed in the configuration. */
+ rec_hdr_cid_len = ssl->conf->cid_len;
+ rec_hdr_len_offset += rec_hdr_cid_len;
+
+ if (len < rec_hdr_len_offset + rec_hdr_len_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ (
+ "datagram of length %u too small to hold DTLS record header including CID, length %u",
+ (unsigned) len,
+ (unsigned) (rec_hdr_len_offset + rec_hdr_len_len)));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ /* configured CID len is guaranteed at most 255, see
+ * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
+ rec->cid_len = (uint8_t) rec_hdr_cid_len;
+ memcpy(rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len);
+ } else
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ {
+ if (ssl_check_record_type(rec->type)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("unknown record type %u",
+ (unsigned) rec->type));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+ }
+
+ /*
+ * Parse and validate record version
+ */
+ rec->ver[0] = buf[rec_hdr_version_offset + 0];
+ rec->ver[1] = buf[rec_hdr_version_offset + 1];
+ tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(
+ buf + rec_hdr_version_offset,
+ ssl->conf->transport);
+
+ if (tls_version > ssl->conf->max_tls_version) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("TLS version mismatch: got %u, expected max %u",
+ (unsigned) tls_version,
+ (unsigned) ssl->conf->max_tls_version));
+
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+ /*
+ * Parse/Copy record sequence number.
+ */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ /* Copy explicit record sequence number from input buffer. */
+ memcpy(&rec->ctr[0], buf + rec_hdr_ctr_offset,
+ rec_hdr_ctr_len);
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ {
+ /* Copy implicit record sequence number from SSL context structure. */
+ memcpy(&rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len);
+ }
+
+ /*
+ * Parse record length.
+ */
+
+ rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
+ rec->data_len = MBEDTLS_GET_UINT16_BE(buf, rec_hdr_len_offset);
+ MBEDTLS_SSL_DEBUG_BUF(4, "input record header", buf, rec->data_offset);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("input record: msgtype = %u, "
+ "version = [0x%x], msglen = %" MBEDTLS_PRINTF_SIZET,
+ rec->type, (unsigned) tls_version, rec->data_len));
+
+ rec->buf = buf;
+ rec->buf_len = rec->data_offset + rec->data_len;
+
+ if (rec->data_len == 0) {
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ /*
+ * DTLS-related tests.
+ * Check epoch before checking length constraint because
+ * the latter varies with the epoch. E.g., if a ChangeCipherSpec
+ * message gets duplicated before the corresponding Finished message,
+ * the second ChangeCipherSpec should be discarded because it belongs
+ * to an old epoch, but not because its length is shorter than
+ * the minimum record length for packets using the new record transform.
+ * Note that these two kinds of failures are handled differently,
+ * as an unexpected record is silently skipped but an invalid
+ * record leads to the entire datagram being dropped.
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ rec_epoch = MBEDTLS_GET_UINT16_BE(rec->ctr, 0);
+
+ /* Check that the datagram is large enough to contain a record
+ * of the advertised length. */
+ if (len < rec->data_offset + rec->data_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ (
+ "Datagram of length %u too small to contain record of advertised length %u.",
+ (unsigned) len,
+ (unsigned) (rec->data_offset + rec->data_len)));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ /* Records from other, non-matching epochs are silently discarded.
+ * (The case of same-port Client reconnects must be considered in
+ * the caller). */
+ if (rec_epoch != ssl->in_epoch) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("record from another epoch: "
+ "expected %u, received %lu",
+ ssl->in_epoch, (unsigned long) rec_epoch));
+
+ /* Records from the next epoch are considered for buffering
+ * (concretely: early Finished messages). */
+ if (rec_epoch == (unsigned) ssl->in_epoch + 1) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Consider record for buffering"));
+ return MBEDTLS_ERR_SSL_EARLY_MESSAGE;
+ }
+
+ return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+ }
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+ /* For records from the correct epoch, check whether their
+ * sequence number has been seen before. */
+ else if (mbedtls_ssl_dtls_record_replay_check((mbedtls_ssl_context *) ssl,
+ &rec->ctr[0]) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+ }
+#endif
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ return 0;
+}
+
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_check_client_reconnect(mbedtls_ssl_context *ssl)
+{
+ unsigned int rec_epoch = MBEDTLS_GET_UINT16_BE(ssl->in_ctr, 0);
+
+ /*
+ * Check for an epoch 0 ClientHello. We can't use in_msg here to
+ * access the first byte of record content (handshake type), as we
+ * have an active transform (possibly iv_len != 0), so use the
+ * fact that the record header len is 13 instead.
+ */
+ if (rec_epoch == 0 &&
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ mbedtls_ssl_is_handshake_over(ssl) == 1 &&
+ ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ ssl->in_left > 13 &&
+ ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("possible client reconnect "
+ "from the same port"));
+ return ssl_handle_possible_reconnect(ssl);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+
+/*
+ * If applicable, decrypt record content
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
+ mbedtls_record *rec)
+{
+ int ret, done = 0;
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "input record from network",
+ rec->buf, rec->buf_len);
+
+ /*
+ * In TLS 1.3, always treat ChangeCipherSpec records
+ * as unencrypted. The only thing we do with them is
+ * check the length and content and ignore them.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (ssl->transform_in != NULL &&
+ ssl->transform_in->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ if (rec->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
+ done = 1;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ if (!done && ssl->transform_in != NULL) {
+ unsigned char const old_msg_type = rec->type;
+
+ if ((ret = mbedtls_ssl_decrypt_buf(ssl, ssl->transform_in,
+ rec)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret);
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * Although the server rejected early data, it might receive early
+ * data as long as it has not received the client Finished message.
+ * It is encrypted with early keys and should be ignored as stated
+ * in section 4.2.10 of RFC 8446:
+ *
+ * "Ignore the extension and return a regular 1-RTT response. The
+ * server then skips past early data by attempting to deprotect
+ * received records using the handshake traffic key, discarding
+ * records which fail deprotection (up to the configured
+ * max_early_data_size). Once a record is deprotected successfully,
+ * it is treated as the start of the client's second flight and the
+ * server proceeds as with an ordinary 1-RTT handshake."
+ */
+ if ((old_msg_type == MBEDTLS_SSL_MSG_APPLICATION_DATA) &&
+ (ssl->discard_early_data_record ==
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("EarlyData: deprotect and discard app data records."));
+
+ ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
+ ssl->conf->ignore_unexpected_cid
+ == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ignoring unexpected CID"));
+ ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ /*
+ * The decryption of the record failed, no reason to ignore it,
+ * return in error with the decryption error code.
+ */
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * If the server were discarding protected records that it fails to
+ * deprotect because it has rejected early data, as we have just
+ * deprotected successfully a record, the server has to resume normal
+ * operation and fail the connection if the deprotection of a record
+ * fails.
+ */
+ if (ssl->discard_early_data_record ==
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD) {
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
+ if (old_msg_type != rec->type) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("record type after decrypt (before %d): %d",
+ old_msg_type, rec->type));
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "input payload after decrypt",
+ rec->buf + rec->data_offset, rec->data_len);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ /* We have already checked the record content type
+ * in ssl_parse_record_header(), failing or silently
+ * dropping the record in the case of an unknown type.
+ *
+ * Since with the use of CIDs, the record content type
+ * might change during decryption, re-check the record
+ * content type, but treat a failure as fatal this time. */
+ if (ssl_check_record_type(rec->type)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("unknown record type"));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ if (rec->data_len == 0) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2
+ && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+ /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid zero-length message type: %d", ssl->in_msgtype));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ ssl->nb_zero++;
+
+ /*
+ * Three or more empty messages may be a DoS attack
+ * (excessive CPU consumption).
+ */
+ if (ssl->nb_zero > 3) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("received four consecutive empty "
+ "messages, possible DoS attack"));
+ /* Treat the records as if they were not properly authenticated,
+ * thereby failing the connection if we see more than allowed
+ * by the configured bad MAC threshold. */
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+ } else {
+ ssl->nb_zero = 0;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ; /* in_ctr read from peer, not maintained internally */
+ } else
+#endif
+ {
+ unsigned i;
+ for (i = MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ i > mbedtls_ssl_ep_len(ssl); i--) {
+ if (++ssl->in_ctr[i - 1] != 0) {
+ break;
+ }
+ }
+
+ /* The loop goes to its end iff the counter is wrapping */
+ if (i == mbedtls_ssl_ep_len(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("incoming message counter would wrap"));
+ return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
+ }
+ }
+
+ }
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+ /*
+ * Although the server rejected early data because it needed to send an
+ * HelloRetryRequest message, it might receive early data as long as it has
+ * not received the client Finished message.
+ * The early data is encrypted with early keys and should be ignored as
+ * stated in section 4.2.10 of RFC 8446 (second case):
+ *
+ * "The server then ignores early data by skipping all records with an
+ * external content type of "application_data" (indicating that they are
+ * encrypted), up to the configured max_early_data_size. Ignore application
+ * data message before 2nd ClientHello when early_data was received in 1st
+ * ClientHello."
+ */
+ if (ssl->discard_early_data_record == MBEDTLS_SSL_EARLY_DATA_DISCARD) {
+ if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+
+ ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("EarlyData: Ignore application message before 2nd ClientHello"));
+
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) {
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+ }
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ mbedtls_ssl_dtls_replay_update(ssl);
+ }
+#endif
+
+ /* Check actual (decrypted) record content length against
+ * configured maximum. */
+ if (rec->data_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad message length"));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ return 0;
+}
+
+/*
+ * Read a record.
+ *
+ * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
+ * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
+ *
+ */
+
+/* Helper functions for mbedtls_ssl_read_record(). */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_consume_current_message(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_get_next_record(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_record_is_in_progress(mbedtls_ssl_context *ssl);
+
+int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
+ unsigned update_hs_digest)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> read record"));
+
+ if (ssl->keep_current_message == 0) {
+ do {
+
+ ret = ssl_consume_current_message(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (ssl_record_is_in_progress(ssl) == 0) {
+ int dtls_have_buffered = 0;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+ /* We only check for buffered messages if the
+ * current datagram is fully consumed. */
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl_next_record_is_in_datagram(ssl) == 0) {
+ if (ssl_load_buffered_message(ssl) == 0) {
+ dtls_have_buffered = 1;
+ }
+ }
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ if (dtls_have_buffered == 0) {
+ ret = ssl_get_next_record(ssl);
+ if (ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) {
+ continue;
+ }
+
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_get_next_record"), ret);
+ return ret;
+ }
+ }
+ }
+
+ ret = mbedtls_ssl_handle_message_type(ssl);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE) {
+ /* Buffer future message */
+ ret = ssl_buffer_message(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ } while (MBEDTLS_ERR_SSL_NON_FATAL == ret ||
+ MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret);
+
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_handle_message_type"), ret);
+ return ret;
+ }
+
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ update_hs_digest == 1) {
+ ret = mbedtls_ssl_update_handshake_status(ssl);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
+ return ret;
+ }
+ }
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("reuse previously read message"));
+ ssl->keep_current_message = 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= read record"));
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_next_record_is_in_datagram(mbedtls_ssl_context *ssl)
+{
+ if (ssl->in_left > ssl->next_record_offset) {
+ return 1;
+ }
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_load_buffered_message(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+ mbedtls_ssl_hs_buffer *hs_buf;
+ int ret = 0;
+
+ if (hs == NULL) {
+ return -1;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_load_buffered_message"));
+
+ if (ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
+ ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC) {
+ /* Check if we have seen a ChangeCipherSpec before.
+ * If yes, synthesize a CCS record. */
+ if (!hs->buffering.seen_ccs) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("CCS not seen in the current flight"));
+ ret = -1;
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Injecting buffered CCS message"));
+ ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+ ssl->in_msglen = 1;
+ ssl->in_msg[0] = 1;
+
+ /* As long as they are equal, the exact value doesn't matter. */
+ ssl->in_left = 0;
+ ssl->next_record_offset = 0;
+
+ hs->buffering.seen_ccs = 0;
+ goto exit;
+ }
+
+#if defined(MBEDTLS_DEBUG_C)
+ /* Debug only */
+ {
+ unsigned offset;
+ for (offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++) {
+ hs_buf = &hs->buffering.hs[offset];
+ if (hs_buf->is_valid == 1) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Future message with sequence number %u %s buffered.",
+ hs->in_msg_seq + offset,
+ hs_buf->is_complete ? "fully" : "partially"));
+ }
+ }
+ }
+#endif /* MBEDTLS_DEBUG_C */
+
+ /* Check if we have buffered and/or fully reassembled the
+ * next handshake message. */
+ hs_buf = &hs->buffering.hs[0];
+ if ((hs_buf->is_valid == 1) && (hs_buf->is_complete == 1)) {
+ /* Synthesize a record containing the buffered HS message. */
+ size_t msg_len = MBEDTLS_GET_UINT24_BE(hs_buf->data, 1);
+
+ /* Double-check that we haven't accidentally buffered
+ * a message that doesn't fit into the input buffer. */
+ if (msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Next handshake message has been buffered - load"));
+ MBEDTLS_SSL_DEBUG_BUF(3, "Buffered handshake message (incl. header)",
+ hs_buf->data, msg_len + 12);
+
+ ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->in_hslen = msg_len + 12;
+ ssl->in_msglen = msg_len + 12;
+ memcpy(ssl->in_msg, hs_buf->data, ssl->in_hslen);
+
+ ret = 0;
+ goto exit;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Next handshake message %u not or only partially bufffered",
+ hs->in_msg_seq));
+ }
+
+ ret = -1;
+
+exit:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_load_buffered_message"));
+ return ret;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_buffer_make_space(mbedtls_ssl_context *ssl,
+ size_t desired)
+{
+ int offset;
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Attempt to free buffered messages to have %u bytes available",
+ (unsigned) desired));
+
+ /* Get rid of future records epoch first, if such exist. */
+ ssl_free_buffered_record(ssl);
+
+ /* Check if we have enough space available now. */
+ if (desired <= (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+ hs->buffering.total_bytes_buffered)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Enough space available after freeing future epoch record"));
+ return 0;
+ }
+
+ /* We don't have enough space to buffer the next expected handshake
+ * message. Remove buffers used for future messages to gain space,
+ * starting with the most distant one. */
+ for (offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
+ offset >= 0; offset--) {
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ (
+ "Free buffering slot %d to make space for reassembly of next handshake message",
+ offset));
+
+ ssl_buffering_free_slot(ssl, (uint8_t) offset);
+
+ /* Check if we have enough space available now. */
+ if (desired <= (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+ hs->buffering.total_bytes_buffered)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Enough space available after freeing buffered HS messages"));
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_buffer_message(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+ if (hs == NULL) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_buffer_message"));
+
+ switch (ssl->in_msgtype) {
+ case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Remember CCS message"));
+
+ hs->buffering.seen_ccs = 1;
+ break;
+
+ case MBEDTLS_SSL_MSG_HANDSHAKE:
+ {
+ unsigned recv_msg_seq_offset;
+ unsigned recv_msg_seq = MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
+ mbedtls_ssl_hs_buffer *hs_buf;
+ size_t msg_len = ssl->in_hslen - 12;
+
+ /* We should never receive an old handshake
+ * message - double-check nonetheless. */
+ if (recv_msg_seq < ssl->handshake->in_msg_seq) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
+ if (recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS) {
+ /* Silently ignore -- message too far in the future */
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("Ignore future HS message with sequence number %u, "
+ "buffering window %u - %u",
+ recv_msg_seq, ssl->handshake->in_msg_seq,
+ ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS -
+ 1));
+
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Buffering HS message with sequence number %u, offset %u ",
+ recv_msg_seq, recv_msg_seq_offset));
+
+ hs_buf = &hs->buffering.hs[recv_msg_seq_offset];
+
+ /* Check if the buffering for this seq nr has already commenced. */
+ if (!hs_buf->is_valid) {
+ size_t reassembly_buf_sz;
+
+ hs_buf->is_fragmented =
+ (ssl_hs_is_proper_fragment(ssl) == 1);
+
+ /* We copy the message back into the input buffer
+ * after reassembly, so check that it's not too large.
+ * This is an implementation-specific limitation
+ * and not one from the standard, hence it is not
+ * checked in ssl_check_hs_header(). */
+ if (msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN) {
+ /* Ignore message */
+ goto exit;
+ }
+
+ /* Check if we have enough space to buffer the message. */
+ if (hs->buffering.total_bytes_buffered >
+ MBEDTLS_SSL_DTLS_MAX_BUFFERING) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ reassembly_buf_sz = ssl_get_reassembly_buffer_size(msg_len,
+ hs_buf->is_fragmented);
+
+ if (reassembly_buf_sz > (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+ hs->buffering.total_bytes_buffered)) {
+ if (recv_msg_seq_offset > 0) {
+ /* If we can't buffer a future message because
+ * of space limitations -- ignore. */
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("Buffering of future message of size %"
+ MBEDTLS_PRINTF_SIZET
+ " would exceed the compile-time limit %"
+ MBEDTLS_PRINTF_SIZET
+ " (already %" MBEDTLS_PRINTF_SIZET
+ " bytes buffered) -- ignore\n",
+ msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+ hs->buffering.total_bytes_buffered));
+ goto exit;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("Buffering of future message of size %"
+ MBEDTLS_PRINTF_SIZET
+ " would exceed the compile-time limit %"
+ MBEDTLS_PRINTF_SIZET
+ " (already %" MBEDTLS_PRINTF_SIZET
+ " bytes buffered) -- attempt to make space by freeing buffered future messages\n",
+ msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+ hs->buffering.total_bytes_buffered));
+ }
+
+ if (ssl_buffer_make_space(ssl, reassembly_buf_sz) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("Reassembly of next message of size %"
+ MBEDTLS_PRINTF_SIZET
+ " (%" MBEDTLS_PRINTF_SIZET
+ " with bitmap) would exceed"
+ " the compile-time limit %"
+ MBEDTLS_PRINTF_SIZET
+ " (already %" MBEDTLS_PRINTF_SIZET
+ " bytes buffered) -- fail\n",
+ msg_len,
+ reassembly_buf_sz,
+ (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+ hs->buffering.total_bytes_buffered));
+ ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("initialize reassembly, total length = %"
+ MBEDTLS_PRINTF_SIZET,
+ msg_len));
+
+ hs_buf->data = mbedtls_calloc(1, reassembly_buf_sz);
+ if (hs_buf->data == NULL) {
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto exit;
+ }
+ hs_buf->data_len = reassembly_buf_sz;
+
+ /* Prepare final header: copy msg_type, length and message_seq,
+ * then add standardised fragment_offset and fragment_length */
+ memcpy(hs_buf->data, ssl->in_msg, 6);
+ memset(hs_buf->data + 6, 0, 3);
+ memcpy(hs_buf->data + 9, hs_buf->data + 1, 3);
+
+ hs_buf->is_valid = 1;
+
+ hs->buffering.total_bytes_buffered += reassembly_buf_sz;
+ } else {
+ /* Make sure msg_type and length are consistent */
+ if (memcmp(hs_buf->data, ssl->in_msg, 4) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Fragment header mismatch - ignore"));
+ /* Ignore */
+ goto exit;
+ }
+ }
+
+ if (!hs_buf->is_complete) {
+ size_t frag_len, frag_off;
+ unsigned char * const msg = hs_buf->data + 12;
+
+ /*
+ * Check and copy current fragment
+ */
+
+ /* Validation of header fields already done in
+ * mbedtls_ssl_prepare_handshake_record(). */
+ frag_off = ssl_get_hs_frag_off(ssl);
+ frag_len = ssl_get_hs_frag_len(ssl);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("adding fragment, offset = %" MBEDTLS_PRINTF_SIZET
+ ", length = %" MBEDTLS_PRINTF_SIZET,
+ frag_off, frag_len));
+ memcpy(msg + frag_off, ssl->in_msg + 12, frag_len);
+
+ if (hs_buf->is_fragmented) {
+ unsigned char * const bitmask = msg + msg_len;
+ ssl_bitmask_set(bitmask, frag_off, frag_len);
+ hs_buf->is_complete = (ssl_bitmask_check(bitmask,
+ msg_len) == 0);
+ } else {
+ hs_buf->is_complete = 1;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("message %scomplete",
+ hs_buf->is_complete ? "" : "not yet "));
+ }
+
+ break;
+ }
+
+ default:
+ /* We don't buffer other types of messages. */
+ break;
+ }
+
+exit:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_buffer_message"));
+ return ret;
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_consume_current_message(mbedtls_ssl_context *ssl)
+{
+ /*
+ * Consume last content-layer message and potentially
+ * update in_msglen which keeps track of the contents'
+ * consumption state.
+ *
+ * (1) Handshake messages:
+ * Remove last handshake message, move content
+ * and adapt in_msglen.
+ *
+ * (2) Alert messages:
+ * Consume whole record content, in_msglen = 0.
+ *
+ * (3) Change cipher spec:
+ * Consume whole record content, in_msglen = 0.
+ *
+ * (4) Application data:
+ * Don't do anything - the record layer provides
+ * the application data as a stream transport
+ * and consumes through mbedtls_ssl_read only.
+ *
+ */
+
+ /* Case (1): Handshake messages */
+ if (ssl->in_hslen != 0) {
+ /* Hard assertion to be sure that no application data
+ * is in flight, as corrupting ssl->in_msglen during
+ * ssl->in_offt != NULL is fatal. */
+ if (ssl->in_offt != NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /*
+ * Get next Handshake message in the current record
+ */
+
+ /* Notes:
+ * (1) in_hslen is not necessarily the size of the
+ * current handshake content: If DTLS handshake
+ * fragmentation is used, that's the fragment
+ * size instead. Using the total handshake message
+ * size here is faulty and should be changed at
+ * some point.
+ * (2) While it doesn't seem to cause problems, one
+ * has to be very careful not to assume that in_hslen
+ * is always <= in_msglen in a sensible communication.
+ * Again, it's wrong for DTLS handshake fragmentation.
+ * The following check is therefore mandatory, and
+ * should not be treated as a silently corrected assertion.
+ * Additionally, ssl->in_hslen might be arbitrarily out of
+ * bounds after handling a DTLS message with an unexpected
+ * sequence number, see mbedtls_ssl_prepare_handshake_record.
+ */
+ if (ssl->in_hslen < ssl->in_msglen) {
+ ssl->in_msglen -= ssl->in_hslen;
+ memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
+ ssl->in_msglen);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record",
+ ssl->in_msg, ssl->in_msglen);
+ } else {
+ ssl->in_msglen = 0;
+ }
+
+ ssl->in_hslen = 0;
+ }
+ /* Case (4): Application data */
+ else if (ssl->in_offt != NULL) {
+ return 0;
+ }
+ /* Everything else (CCS & Alerts) */
+ else {
+ ssl->in_msglen = 0;
+ }
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_record_is_in_progress(mbedtls_ssl_context *ssl)
+{
+ if (ssl->in_msglen > 0) {
+ return 1;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static void ssl_free_buffered_record(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+ if (hs == NULL) {
+ return;
+ }
+
+ if (hs->buffering.future_record.data != NULL) {
+ hs->buffering.total_bytes_buffered -=
+ hs->buffering.future_record.len;
+
+ mbedtls_free(hs->buffering.future_record.data);
+ hs->buffering.future_record.data = NULL;
+ }
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_load_buffered_record(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+ unsigned char *rec;
+ size_t rec_len;
+ unsigned rec_epoch;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t in_buf_len = ssl->in_buf_len;
+#else
+ size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+ if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ return 0;
+ }
+
+ if (hs == NULL) {
+ return 0;
+ }
+
+ rec = hs->buffering.future_record.data;
+ rec_len = hs->buffering.future_record.len;
+ rec_epoch = hs->buffering.future_record.epoch;
+
+ if (rec == NULL) {
+ return 0;
+ }
+
+ /* Only consider loading future records if the
+ * input buffer is empty. */
+ if (ssl_next_record_is_in_datagram(ssl) == 1) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_load_buffered_record"));
+
+ if (rec_epoch != ssl->in_epoch) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Buffered record not from current epoch."));
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Found buffered record from current epoch - load"));
+
+ /* Double-check that the record is not too large */
+ if (rec_len > in_buf_len - (size_t) (ssl->in_hdr - ssl->in_buf)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ memcpy(ssl->in_hdr, rec, rec_len);
+ ssl->in_left = rec_len;
+ ssl->next_record_offset = 0;
+
+ ssl_free_buffered_record(ssl);
+
+exit:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_load_buffered_record"));
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_buffer_future_record(mbedtls_ssl_context *ssl,
+ mbedtls_record const *rec)
+{
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+ /* Don't buffer future records outside handshakes. */
+ if (hs == NULL) {
+ return 0;
+ }
+
+ /* Only buffer handshake records (we are only interested
+ * in Finished messages). */
+ if (rec->type != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ return 0;
+ }
+
+ /* Don't buffer more than one future epoch record. */
+ if (hs->buffering.future_record.data != NULL) {
+ return 0;
+ }
+
+ /* Don't buffer record if there's not enough buffering space remaining. */
+ if (rec->buf_len > (MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+ hs->buffering.total_bytes_buffered)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET
+ " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
+ " (already %" MBEDTLS_PRINTF_SIZET
+ " bytes buffered) -- ignore\n",
+ rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+ hs->buffering.total_bytes_buffered));
+ return 0;
+ }
+
+ /* Buffer record */
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Buffer record from epoch %u",
+ ssl->in_epoch + 1U));
+ MBEDTLS_SSL_DEBUG_BUF(3, "Buffered record", rec->buf, rec->buf_len);
+
+ /* ssl_parse_record_header() only considers records
+ * of the next epoch as candidates for buffering. */
+ hs->buffering.future_record.epoch = ssl->in_epoch + 1;
+ hs->buffering.future_record.len = rec->buf_len;
+
+ hs->buffering.future_record.data =
+ mbedtls_calloc(1, hs->buffering.future_record.len);
+ if (hs->buffering.future_record.data == NULL) {
+ /* If we run out of RAM trying to buffer a
+ * record from the next epoch, just ignore. */
+ return 0;
+ }
+
+ memcpy(hs->buffering.future_record.data, rec->buf, rec->buf_len);
+
+ hs->buffering.total_bytes_buffered += rec->buf_len;
+ return 0;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_get_next_record(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_record rec;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ /* We might have buffered a future record; if so,
+ * and if the epoch matches now, load it.
+ * On success, this call will set ssl->in_left to
+ * the length of the buffered record, so that
+ * the calls to ssl_fetch_input() below will
+ * essentially be no-ops. */
+ ret = ssl_load_buffered_record(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ /* Ensure that we have enough space available for the default form
+ * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
+ * with no space for CIDs counted in). */
+ ret = mbedtls_ssl_fetch_input(ssl, mbedtls_ssl_in_hdr_len(ssl));
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
+ return ret;
+ }
+
+ ret = ssl_parse_record_header(ssl, ssl->in_hdr, ssl->in_left, &rec);
+ if (ret != 0) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ if (ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE) {
+ ret = ssl_buffer_future_record(ssl, &rec);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Fall through to handling of unexpected records */
+ ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+ }
+
+ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+ /* Reset in pointers to default state for TLS/DTLS records,
+ * assuming no CID and no offset between record content and
+ * record plaintext. */
+ mbedtls_ssl_update_in_pointers(ssl);
+
+ /* Setup internal message pointers from record structure. */
+ ssl->in_msgtype = rec.type;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ ssl->in_len = ssl->in_cid + rec.cid_len;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
+ ssl->in_msglen = rec.data_len;
+
+ ret = ssl_check_client_reconnect(ssl);
+ MBEDTLS_SSL_DEBUG_RET(2, "ssl_check_client_reconnect", ret);
+ if (ret != 0) {
+ return ret;
+ }
+#endif
+
+ /* Skip unexpected record (but not whole datagram) */
+ ssl->next_record_offset = rec.buf_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("discarding unexpected record "
+ "(header)"));
+ } else {
+ /* Skip invalid record and the rest of the datagram */
+ ssl->next_record_offset = 0;
+ ssl->in_left = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("discarding invalid record "
+ "(header)"));
+ }
+
+ /* Get next record */
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ } else
+#endif
+ {
+ return ret;
+ }
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ /* Remember offset of next record within datagram. */
+ ssl->next_record_offset = rec.buf_len;
+ if (ssl->next_record_offset < ssl->in_left) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("more than one record within datagram"));
+ }
+ } else
+#endif
+ {
+ /*
+ * Fetch record contents from underlying transport.
+ */
+ ret = mbedtls_ssl_fetch_input(ssl, rec.buf_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
+ return ret;
+ }
+
+ ssl->in_left = 0;
+ }
+
+ /*
+ * Decrypt record contents.
+ */
+
+ if ((ret = ssl_prepare_record_content(ssl, &rec)) != 0) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ /* Silently discard invalid records */
+ if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
+ /* Except when waiting for Finished as a bad mac here
+ * probably means something went wrong in the handshake
+ * (eg wrong psk used, mitm downgrade attempt, etc.) */
+ if (ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
+ ssl->state == MBEDTLS_SSL_SERVER_FINISHED) {
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+ if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
+ mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC);
+ }
+#endif
+ return ret;
+ }
+
+ if (ssl->conf->badmac_limit != 0 &&
+ ++ssl->badmac_seen >= ssl->conf->badmac_limit) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC"));
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+
+ /* As above, invalid records cause
+ * dismissal of the whole datagram. */
+
+ ssl->next_record_offset = 0;
+ ssl->in_left = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("discarding invalid record (mac)"));
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ }
+
+ return ret;
+ } else
+#endif
+ {
+ /* Error out (and send alert) on invalid records */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+ if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
+ mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC);
+ }
+#endif
+ return ret;
+ }
+ }
+
+
+ /* Reset in pointers to default state for TLS/DTLS records,
+ * assuming no CID and no offset between record content and
+ * record plaintext. */
+ mbedtls_ssl_update_in_pointers(ssl);
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ ssl->in_len = ssl->in_cid + rec.cid_len;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ ssl->in_iv = ssl->in_len + 2;
+
+ /* The record content type may change during decryption,
+ * so re-read it. */
+ ssl->in_msgtype = rec.type;
+ /* Also update the input buffer, because unfortunately
+ * the server-side ssl_parse_client_hello() reparses the
+ * record header when receiving a ClientHello initiating
+ * a renegotiation. */
+ ssl->in_hdr[0] = rec.type;
+ ssl->in_msg = rec.buf + rec.data_offset;
+ ssl->in_msglen = rec.data_len;
+ MBEDTLS_PUT_UINT16_BE(rec.data_len, ssl->in_len, 0);
+
+ return 0;
+}
+
+int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /*
+ * Handle particular types of records
+ */
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) {
+ if ((ret = mbedtls_ssl_prepare_handshake_record(ssl)) != 0) {
+ return ret;
+ }
+ }
+
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
+ if (ssl->in_msglen != 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET,
+ ssl->in_msglen));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ if (ssl->in_msg[0] != 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid CCS message, content: %02x",
+ ssl->in_msg[0]));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
+ ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC) {
+ if (ssl->handshake == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("dropping ChangeCipherSpec outside handshake"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("received out-of-order ChangeCipherSpec - remember"));
+ return MBEDTLS_ERR_SSL_EARLY_MESSAGE;
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"));
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+#else
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+ }
+
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT) {
+ if (ssl->in_msglen != 2) {
+ /* Note: Standard allows for more than one 2 byte alert
+ to be packed in a single message, but Mbed TLS doesn't
+ currently support this. */
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid alert message, len: %" MBEDTLS_PRINTF_SIZET,
+ ssl->in_msglen));
+ return MBEDTLS_ERR_SSL_INVALID_RECORD;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("got an alert message, type: [%u:%u]",
+ ssl->in_msg[0], ssl->in_msg[1]));
+
+ /*
+ * Ignore non-fatal alerts, except close_notify and no_renegotiation
+ */
+ if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("is a fatal alert message (msg %d)",
+ ssl->in_msg[1]));
+ return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE;
+ }
+
+ if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+ ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("is a close notify message"));
+ return MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY;
+ }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
+ if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+ ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("is a no renegotiation alert"));
+ /* Will be handled when trying to parse ServerHello */
+ return 0;
+ }
+#endif
+ /* Silently ignore: fetch new message */
+ return MBEDTLS_ERR_SSL_NON_FATAL;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ /* Drop unexpected ApplicationData records,
+ * except at the beginning of renegotiations */
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
+ mbedtls_ssl_is_handshake_over(ssl) == 0
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ && !(ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+ ssl->state == MBEDTLS_SSL_SERVER_HELLO)
+#endif
+ ) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("dropping unexpected ApplicationData"));
+ return MBEDTLS_ERR_SSL_NON_FATAL;
+ }
+
+ if (ssl->handshake != NULL &&
+ mbedtls_ssl_is_handshake_over(ssl) == 1) {
+ mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ return 0;
+}
+
+int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+}
+
+int mbedtls_ssl_send_alert_message(mbedtls_ssl_context *ssl,
+ unsigned char level,
+ unsigned char message)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ssl == NULL || ssl->conf == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (ssl->out_left != 0) {
+ return mbedtls_ssl_flush_output(ssl);
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> send alert message"));
+ MBEDTLS_SSL_DEBUG_MSG(3, ("send alert level=%u message=%u", level, message));
+
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
+ ssl->out_msglen = 2;
+ ssl->out_msg[0] = level;
+ ssl->out_msg[1] = message;
+
+ if ((ret = mbedtls_ssl_write_record(ssl, SSL_FORCE_FLUSH)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
+ return ret;
+ }
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= send alert message"));
+
+ return 0;
+}
+
+int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
+
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+ ssl->out_msglen = 1;
+ ssl->out_msg[0] = 1;
+
+ ssl->state++;
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
+
+ return 0;
+}
+
+int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse change cipher spec"));
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad change cipher spec message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ /* CCS records are only accepted if they have length 1 and content '1',
+ * so we don't need to check this here. */
+
+ /*
+ * Switch to our negotiated transform and session parameters for inbound
+ * data.
+ */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for inbound data"));
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ ssl->transform_in = ssl->transform_negotiate;
+#endif
+ ssl->session_in = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+ mbedtls_ssl_dtls_replay_reset(ssl);
+#endif
+
+ /* Increment epoch */
+ if (++ssl->in_epoch == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
+ /* This is highly unlikely to happen for legitimate reasons, so
+ treat it as an attack and don't send an alert. */
+ return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
+ }
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ memset(ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
+
+ mbedtls_ssl_update_in_pointers(ssl);
+
+ ssl->state++;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
+
+ return 0;
+}
+
+/* Once ssl->out_hdr as the address of the beginning of the
+ * next outgoing record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
+ * and the caller has to make sure there's space for this.
+ */
+
+static size_t ssl_transform_get_explicit_iv_len(
+ mbedtls_ssl_transform const *transform)
+{
+ return transform->ivlen - transform->fixed_ivlen;
+}
+
+void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_transform *transform)
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ssl->out_ctr = ssl->out_hdr + 3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ ssl->out_cid = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ ssl->out_len = ssl->out_cid;
+ if (transform != NULL) {
+ ssl->out_len += transform->out_cid_len;
+ }
+#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ ssl->out_len = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ ssl->out_iv = ssl->out_len + 2;
+ } else
+#endif
+ {
+ ssl->out_len = ssl->out_hdr + 3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ ssl->out_cid = ssl->out_len;
+#endif
+ ssl->out_iv = ssl->out_hdr + 5;
+ }
+
+ ssl->out_msg = ssl->out_iv;
+ /* Adjust out_msg to make space for explicit IV, if used. */
+ if (transform != NULL) {
+ ssl->out_msg += ssl_transform_get_explicit_iv_len(transform);
+ }
+}
+
+/* Once ssl->in_hdr as the address of the beginning of the
+ * next incoming record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
+ * and the caller has to make sure there's space for this.
+ */
+
+void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl)
+{
+ /* This function sets the pointers to match the case
+ * of unprotected TLS/DTLS records, with both ssl->in_iv
+ * and ssl->in_msg pointing to the beginning of the record
+ * content.
+ *
+ * When decrypting a protected record, ssl->in_msg
+ * will be shifted to point to the beginning of the
+ * record plaintext.
+ */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ /* This sets the header pointers to match records
+ * without CID. When we receive a record containing
+ * a CID, the fields are shifted accordingly in
+ * ssl_parse_record_header(). */
+ ssl->in_ctr = ssl->in_hdr + 3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ ssl->in_len = ssl->in_cid; /* Default: no CID */
+#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+ ssl->in_iv = ssl->in_len + 2;
+ } else
+#endif
+ {
+ ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ ssl->in_len = ssl->in_hdr + 3;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ ssl->in_cid = ssl->in_len;
+#endif
+ ssl->in_iv = ssl->in_hdr + 5;
+ }
+
+ /* This will be adjusted at record decryption time. */
+ ssl->in_msg = ssl->in_iv;
+}
+
+/*
+ * Setup an SSL context
+ */
+
+void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl)
+{
+ /* Set the incoming and outgoing record pointers. */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ssl->out_hdr = ssl->out_buf;
+ ssl->in_hdr = ssl->in_buf;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ {
+ ssl->out_ctr = ssl->out_buf;
+ ssl->out_hdr = ssl->out_buf + 8;
+ ssl->in_hdr = ssl->in_buf + 8;
+ }
+
+ /* Derive other internal pointers. */
+ mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */);
+ mbedtls_ssl_update_in_pointers(ssl);
+}
+
+/*
+ * SSL get accessors
+ */
+size_t mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context *ssl)
+{
+ return ssl->in_offt == NULL ? 0 : ssl->in_msglen;
+}
+
+int mbedtls_ssl_check_pending(const mbedtls_ssl_context *ssl)
+{
+ /*
+ * Case A: We're currently holding back
+ * a message for further processing.
+ */
+
+ if (ssl->keep_current_message == 1) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: record held back for processing"));
+ return 1;
+ }
+
+ /*
+ * Case B: Further records are pending in the current datagram.
+ */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->in_left > ssl->next_record_offset) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: more records within current datagram"));
+ return 1;
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ /*
+ * Case C: A handshake message is being processed.
+ */
+
+ if (ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen) {
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("ssl_check_pending: more handshake messages within current record"));
+ return 1;
+ }
+
+ /*
+ * Case D: An application data message is being processed
+ */
+ if (ssl->in_offt != NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: application data record is being processed"));
+ return 1;
+ }
+
+ /*
+ * In all other cases, the rest of the message can be dropped.
+ * As in ssl_get_next_record, this needs to be adapted if
+ * we implement support for multiple alerts in single records.
+ */
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_check_pending: nothing pending"));
+ return 0;
+}
+
+
+int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
+{
+ size_t transform_expansion = 0;
+ const mbedtls_ssl_transform *transform = ssl->transform_out;
+ unsigned block_size;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_type_t key_type;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ size_t out_hdr_len = mbedtls_ssl_out_hdr_len(ssl);
+
+ if (transform == NULL) {
+ return (int) out_hdr_len;
+ }
+
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (transform->psa_alg == PSA_ALG_GCM ||
+ transform->psa_alg == PSA_ALG_CCM ||
+ transform->psa_alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8) ||
+ transform->psa_alg == PSA_ALG_CHACHA20_POLY1305 ||
+ transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) {
+ transform_expansion = transform->minlen;
+ } else if (transform->psa_alg == PSA_ALG_CBC_NO_PADDING) {
+ (void) psa_get_key_attributes(transform->psa_key_enc, &attr);
+ key_type = psa_get_key_type(&attr);
+
+ block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
+
+ /* Expansion due to the addition of the MAC. */
+ transform_expansion += transform->maclen;
+
+ /* Expansion due to the addition of CBC padding;
+ * Theoretically up to 256 bytes, but we never use
+ * more than the block size of the underlying cipher. */
+ transform_expansion += block_size;
+
+ /* For TLS 1.2 or higher, an explicit IV is added
+ * after the record header. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ transform_expansion += block_size;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("Unsupported psa_alg spotted in mbedtls_ssl_get_record_expansion()"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+#else
+ switch (mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)) {
+ case MBEDTLS_MODE_GCM:
+ case MBEDTLS_MODE_CCM:
+ case MBEDTLS_MODE_CHACHAPOLY:
+ case MBEDTLS_MODE_STREAM:
+ transform_expansion = transform->minlen;
+ break;
+
+ case MBEDTLS_MODE_CBC:
+
+ block_size = mbedtls_cipher_get_block_size(
+ &transform->cipher_ctx_enc);
+
+ /* Expansion due to the addition of the MAC. */
+ transform_expansion += transform->maclen;
+
+ /* Expansion due to the addition of CBC padding;
+ * Theoretically up to 256 bytes, but we never use
+ * more than the block size of the underlying cipher. */
+ transform_expansion += block_size;
+
+ /* For TLS 1.2 or higher, an explicit IV is added
+ * after the record header. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ transform_expansion += block_size;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ break;
+
+ default:
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ if (transform->out_cid_len != 0) {
+ transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
+ }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ return (int) (out_hdr_len + transform_expansion);
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/*
+ * Check record counters and renegotiate if they're above the limit.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_check_ctr_renegotiate(mbedtls_ssl_context *ssl)
+{
+ size_t ep_len = mbedtls_ssl_ep_len(ssl);
+ int in_ctr_cmp;
+ int out_ctr_cmp;
+
+ if (mbedtls_ssl_is_handshake_over(ssl) == 0 ||
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
+ ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
+ return 0;
+ }
+
+ in_ctr_cmp = memcmp(ssl->in_ctr + ep_len,
+ &ssl->conf->renego_period[ep_len],
+ MBEDTLS_SSL_SEQUENCE_NUMBER_LEN - ep_len);
+ out_ctr_cmp = memcmp(&ssl->cur_out_ctr[ep_len],
+ &ssl->conf->renego_period[ep_len],
+ sizeof(ssl->cur_out_ctr) - ep_len);
+
+ if (in_ctr_cmp <= 0 && out_ctr_cmp <= 0) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("record counter limit reached: renegotiate"));
+ return mbedtls_ssl_renegotiate(ssl);
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl)
+{
+
+ if ((ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl)) ||
+ (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET)) {
+ return 0;
+ }
+
+ ssl->keep_current_message = 1;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
+ mbedtls_ssl_handshake_set_state(ssl,
+ MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
+
+ return MBEDTLS_ERR_SSL_WANT_READ;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
+{
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message"));
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ int ret = ssl_tls13_check_new_session_ticket(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+ /* Fail in all other cases. */
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+/* This function is called from mbedtls_ssl_read() when a handshake message is
+ * received after the initial handshake. In this context, handshake messages
+ * may only be sent for the purpose of initiating renegotiations.
+ *
+ * This function is introduced as a separate helper since the handling
+ * of post-handshake handshake messages changes significantly in TLS 1.3,
+ * and having a helper function allows to distinguish between TLS <= 1.2 and
+ * TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read().
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls12_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /*
+ * - For client-side, expect SERVER_HELLO_REQUEST.
+ * - For server-side, expect CLIENT_HELLO.
+ * - Fail (TLS) or silently drop record (DTLS) in other cases.
+ */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ (ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
+ ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl))) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("handshake received (not HelloRequest)"));
+
+ /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ return 0;
+ }
+#endif
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("handshake received (not ClientHello)"));
+
+ /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ return 0;
+ }
+#endif
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ /* Determine whether renegotiation attempt should be accepted */
+ if (!(ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
+ (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+ ssl->conf->allow_legacy_renegotiation ==
+ MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION))) {
+ /*
+ * Accept renegotiation request
+ */
+
+ /* DTLS clients need to know renego is server-initiated */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+ }
+#endif
+ ret = mbedtls_ssl_start_renegotiation(ssl);
+ if (ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+ ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation",
+ ret);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+ {
+ /*
+ * Refuse renegotiation
+ */
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("refusing renegotiation, sending alert"));
+
+ if ((ret = mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+ MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION)) != 0) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
+{
+ /* Check protocol version and dispatch accordingly. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ return ssl_tls13_handle_hs_message_post_handshake(ssl);
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (ssl->tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
+ return ssl_tls12_handle_hs_message_post_handshake(ssl);
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ /* Should never happen */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+}
+
+/*
+ * brief Read at most 'len' application data bytes from the input
+ * buffer.
+ *
+ * param ssl SSL context:
+ * - First byte of application data not read yet in the input
+ * buffer located at address `in_offt`.
+ * - The number of bytes of data not read yet is `in_msglen`.
+ * param buf buffer that will hold the data
+ * param len maximum number of bytes to read
+ *
+ * note The function updates the fields `in_offt` and `in_msglen`
+ * according to the number of bytes read.
+ *
+ * return The number of bytes read.
+ */
+static int ssl_read_application_data(
+ mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
+{
+ size_t n = (len < ssl->in_msglen) ? len : ssl->in_msglen;
+
+ if (len != 0) {
+ memcpy(buf, ssl->in_offt, n);
+ ssl->in_msglen -= n;
+ }
+
+ /* Zeroising the plaintext buffer to erase unused application data
+ from the memory. */
+ mbedtls_platform_zeroize(ssl->in_offt, n);
+
+ if (ssl->in_msglen == 0) {
+ /* all bytes consumed */
+ ssl->in_offt = NULL;
+ ssl->keep_current_message = 0;
+ } else {
+ /* more data available */
+ ssl->in_offt += n;
+ }
+
+ return (int) n;
+}
+
+/*
+ * Receive application data decrypted from the SSL layer
+ */
+int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ssl == NULL || ssl->conf == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> read"));
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
+ return ret;
+ }
+
+ if (ssl->handshake != NULL &&
+ ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
+ if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+ return ret;
+ }
+ }
+ }
+#endif
+
+ /*
+ * Check if renegotiation is necessary and/or handshake is
+ * in process. If yes, perform/continue, and fall through
+ * if an unexpected packet is received while the client
+ * is waiting for the ServerHello.
+ *
+ * (There is no equivalent to the last condition on
+ * the server-side as it is not treated as within
+ * a handshake while waiting for the ClientHello
+ * after a renegotiation request.)
+ */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ ret = ssl_check_ctr_renegotiate(ssl);
+ if (ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+ ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_check_ctr_renegotiate", ret);
+ return ret;
+ }
+#endif
+
+ if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+ ret = mbedtls_ssl_handshake(ssl);
+ if (ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+ ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+ return ret;
+ }
+ }
+
+ /* Loop as long as no application data record is available */
+ while (ssl->in_offt == NULL) {
+ /* Start timer if not already running */
+ if (ssl->f_get_timer != NULL &&
+ ssl->f_get_timer(ssl->p_timer) == -1) {
+ mbedtls_ssl_set_timer(ssl, ssl->conf->read_timeout);
+ }
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ if (ret == MBEDTLS_ERR_SSL_CONN_EOF) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+
+ if (ssl->in_msglen == 0 &&
+ ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+ /*
+ * OpenSSL sends empty messages to randomize the IV
+ */
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ if (ret == MBEDTLS_ERR_SSL_CONN_EOF) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+ }
+
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) {
+ ret = ssl_handle_hs_message_post_handshake(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_handle_hs_message_post_handshake",
+ ret);
+ return ret;
+ }
+
+ /* At this point, we don't know whether the renegotiation triggered
+ * by the post-handshake message has been completed or not. The cases
+ * to consider are the following:
+ * 1) The renegotiation is complete. In this case, no new record
+ * has been read yet.
+ * 2) The renegotiation is incomplete because the client received
+ * an application data record while awaiting the ServerHello.
+ * 3) The renegotiation is incomplete because the client received
+ * a non-handshake, non-application data message while awaiting
+ * the ServerHello.
+ *
+ * In each of these cases, looping will be the proper action:
+ * - For 1), the next iteration will read a new record and check
+ * if it's application data.
+ * - For 2), the loop condition isn't satisfied as application data
+ * is present, hence continue is the same as break
+ * - For 3), the loop condition is satisfied and read_record
+ * will re-deliver the message that was held back by the client
+ * when expecting the ServerHello.
+ */
+
+ continue;
+ }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
+ if (ssl->conf->renego_max_records >= 0) {
+ if (++ssl->renego_records_seen > ssl->conf->renego_max_records) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation requested, "
+ "but not honored by client"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+ }
+ }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+ /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ignoring non-fatal non-closure alert"));
+ return MBEDTLS_ERR_SSL_WANT_READ;
+ }
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad application data message"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ ssl->in_offt = ssl->in_msg;
+
+ /* We're going to return something now, cancel timer,
+ * except if handshake (renegotiation) is in progress */
+ if (mbedtls_ssl_is_handshake_over(ssl) == 1) {
+ mbedtls_ssl_set_timer(ssl, 0);
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ /* If we requested renego but received AppData, resend HelloRequest.
+ * Do it now, after setting in_offt, to avoid taking this branch
+ * again if ssl_write_hello_request() returns WANT_WRITE */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
+ if ((ret = mbedtls_ssl_resend_hello_request(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_resend_hello_request",
+ ret);
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ }
+
+ ret = ssl_read_application_data(ssl, buf, len);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= read"));
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len)
+{
+ if (ssl == NULL || (ssl->conf == NULL)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /*
+ * The server may receive early data only while waiting for the End of
+ * Early Data handshake message.
+ */
+ if ((ssl->state != MBEDTLS_SSL_END_OF_EARLY_DATA) ||
+ (ssl->in_offt == NULL)) {
+ return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA;
+ }
+
+ return ssl_read_application_data(ssl, buf, len);
+}
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA */
+
+/*
+ * Send application data to be encrypted by the SSL layer, taking care of max
+ * fragment length and buffer size.
+ *
+ * According to RFC 5246 Section 6.2.1:
+ *
+ * Zero-length fragments of Application data MAY be sent as they are
+ * potentially useful as a traffic analysis countermeasure.
+ *
+ * Therefore, it is possible that the input message length is 0 and the
+ * corresponding return code is 0 on success.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_real(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
+{
+ int ret = mbedtls_ssl_get_max_out_record_payload(ssl);
+ const size_t max_len = (size_t) ret;
+
+ if (ret < 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_max_out_record_payload", ret);
+ return ret;
+ }
+
+ if (len > max_len) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("fragment larger than the (negotiated) "
+ "maximum fragment length: %" MBEDTLS_PRINTF_SIZET
+ " > %" MBEDTLS_PRINTF_SIZET,
+ len, max_len));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ } else
+#endif
+ len = max_len;
+ }
+
+ if (ssl->out_left != 0) {
+ /*
+ * The user has previously tried to send the data and
+ * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
+ * written. In this case, we expect the high-level write function
+ * (e.g. mbedtls_ssl_write()) to be called with the same parameters
+ */
+ if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret);
+ return ret;
+ }
+ } else {
+ /*
+ * The user is trying to send a message the first time, so we need to
+ * copy the data into the internal buffers and setup the data structure
+ * to keep track of partial writes
+ */
+ ssl->out_msglen = len;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ if (len > 0) {
+ memcpy(ssl->out_msg, buf, len);
+ }
+
+ if ((ret = mbedtls_ssl_write_record(ssl, SSL_FORCE_FLUSH)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret);
+ return ret;
+ }
+ }
+
+ return (int) len;
+}
+
+/*
+ * Write application data (public-facing wrapper)
+ */
+int mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write"));
+
+ if (ssl == NULL || ssl->conf == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if ((ret = ssl_check_ctr_renegotiate(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_check_ctr_renegotiate", ret);
+ return ret;
+ }
+#endif
+
+ if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+ if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+ return ret;
+ }
+ }
+
+ ret = ssl_write_real(ssl, buf, len);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write"));
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const struct mbedtls_ssl_config *conf;
+ uint32_t remaining;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write early_data"));
+
+ if (ssl == NULL || (conf = ssl->conf) == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if ((!mbedtls_ssl_conf_is_tls13_enabled(conf)) ||
+ (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+ (conf->early_data_enabled != MBEDTLS_SSL_EARLY_DATA_ENABLED)) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ /*
+ * If we are at the beginning of the handshake, the early data state being
+ * equal to MBEDTLS_SSL_EARLY_DATA_STATE_IDLE or
+ * MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT advance the handshake just
+ * enough to be able to send early data if possible. That way, we can
+ * guarantee that when starting the handshake with this function we will
+ * send at least one record of early data. Note that when the state is
+ * MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT and not yet
+ * MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE, we cannot send early data
+ * as the early data outbound transform has not been set as we may have to
+ * first send a dummy CCS in clear.
+ */
+ if ((ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IDLE) ||
+ (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT)) {
+ while ((ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IDLE) ||
+ (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT)) {
+ ret = mbedtls_ssl_handshake_step(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake_step", ret);
+ return ret;
+ }
+
+ ret = mbedtls_ssl_flush_output(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret);
+ return ret;
+ }
+ }
+ remaining = ssl->session_negotiate->max_early_data_size;
+ } else {
+ /*
+ * If we are past the point where we can send early data or we have
+ * already reached the maximum early data size, return immediatly.
+ * Otherwise, progress the handshake as much as possible to not delay
+ * it too much. If we reach a point where we can still send early data,
+ * then we will send some.
+ */
+ if ((ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE) &&
+ (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED)) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ remaining = ssl->session_negotiate->max_early_data_size -
+ ssl->total_early_data_size;
+
+ if (remaining == 0) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ ret = mbedtls_ssl_handshake(ssl);
+ if ((ret != 0) && (ret != MBEDTLS_ERR_SSL_WANT_READ)) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+ return ret;
+ }
+ }
+
+ if (((ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE) &&
+ (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED))
+ || (remaining == 0)) {
+ return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
+ }
+
+ if (len > remaining) {
+ len = remaining;
+ }
+
+ ret = ssl_write_real(ssl, buf, len);
+ if (ret >= 0) {
+ ssl->total_early_data_size += ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write early_data, ret=%d", ret));
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
+
+/*
+ * Notify the peer that the connection is being closed
+ */
+int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ssl == NULL || ssl->conf == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write close notify"));
+
+ if (mbedtls_ssl_is_handshake_over(ssl) == 1) {
+ if ((ret = mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+ MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_send_alert_message", ret);
+ return ret;
+ }
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write close notify"));
+
+ return 0;
+}
+
+void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform)
+{
+ if (transform == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_destroy_key(transform->psa_key_enc);
+ psa_destroy_key(transform->psa_key_dec);
+#else
+ mbedtls_cipher_free(&transform->cipher_ctx_enc);
+ mbedtls_cipher_free(&transform->cipher_ctx_dec);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_destroy_key(transform->psa_mac_enc);
+ psa_destroy_key(transform->psa_mac_dec);
+#else
+ mbedtls_md_free(&transform->md_ctx_enc);
+ mbedtls_md_free(&transform->md_ctx_dec);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif
+
+ mbedtls_platform_zeroize(transform, sizeof(mbedtls_ssl_transform));
+}
+
+void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_transform *transform)
+{
+ ssl->transform_in = transform;
+ memset(ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
+}
+
+void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_transform *transform)
+{
+ ssl->transform_out = transform;
+ memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl)
+{
+ unsigned offset;
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+ if (hs == NULL) {
+ return;
+ }
+
+ ssl_free_buffered_record(ssl);
+
+ for (offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++) {
+ ssl_buffering_free_slot(ssl, offset);
+ }
+}
+
+static void ssl_buffering_free_slot(mbedtls_ssl_context *ssl,
+ uint8_t slot)
+{
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+ mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
+
+ if (slot >= MBEDTLS_SSL_MAX_BUFFERED_HS) {
+ return;
+ }
+
+ if (hs_buf->is_valid == 1) {
+ hs->buffering.total_bytes_buffered -= hs_buf->data_len;
+ mbedtls_zeroize_and_free(hs_buf->data, hs_buf->data_len);
+ memset(hs_buf, 0, sizeof(mbedtls_ssl_hs_buffer));
+ }
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/*
+ * Convert version numbers to/from wire format
+ * and, for DTLS, to/from TLS equivalent.
+ *
+ * For TLS this is the identity.
+ * For DTLS, map as follows, then use 1's complement (v -> ~v):
+ * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
+ * DTLS 1.0 is stored as TLS 1.1 internally
+ */
+void mbedtls_ssl_write_version(unsigned char version[2], int transport,
+ mbedtls_ssl_protocol_version tls_version)
+{
+ uint16_t tls_version_formatted;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ tls_version_formatted =
+ ~(tls_version - (tls_version == 0x0302 ? 0x0202 : 0x0201));
+ } else
+#else
+ ((void) transport);
+#endif
+ {
+ tls_version_formatted = (uint16_t) tls_version;
+ }
+ MBEDTLS_PUT_UINT16_BE(tls_version_formatted, version, 0);
+}
+
+uint16_t mbedtls_ssl_read_version(const unsigned char version[2],
+ int transport)
+{
+ uint16_t tls_version = MBEDTLS_GET_UINT16_BE(version, 0);
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ tls_version =
+ ~(tls_version - (tls_version == 0xfeff ? 0x0202 : 0x0201));
+ }
+#else
+ ((void) transport);
+#endif
+ return tls_version;
+}
+
+/*
+ * Send pending fatal alert.
+ * 0, No alert message.
+ * !0, if mbedtls_ssl_send_alert_message() returned in error, the error code it
+ * returned, ssl->alert_reason otherwise.
+ */
+int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl)
+{
+ int ret;
+
+ /* No pending alert, return success*/
+ if (ssl->send_alert == 0) {
+ return 0;
+ }
+
+ ret = mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ ssl->alert_type);
+
+ /* If mbedtls_ssl_send_alert_message() returned with MBEDTLS_ERR_SSL_WANT_WRITE,
+ * do not clear the alert to be able to send it later.
+ */
+ if (ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+ ssl->send_alert = 0;
+ }
+
+ if (ret != 0) {
+ return ret;
+ }
+
+ return ssl->alert_reason;
+}
+
+/*
+ * Set pending fatal alert flag.
+ */
+void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
+ unsigned char alert_type,
+ int alert_reason)
+{
+ ssl->send_alert = 1;
+ ssl->alert_type = alert_type;
+ ssl->alert_reason = alert_reason;
+}
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
new file mode 100644
index 0000000..6a31b0b
--- /dev/null
+++ b/library/ssl_ticket.c
@@ -0,0 +1,552 @@
+/*
+ * TLS server tickets callbacks implementation
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TICKET_C)
+
+#include "mbedtls/platform.h"
+
+#include "ssl_misc.h"
+#include "mbedtls/ssl_ticket.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
+
+/*
+ * Initialize context
+ */
+void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_ssl_ticket_context));
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init(&ctx->mutex);
+#endif
+}
+
+#define MAX_KEY_BYTES MBEDTLS_SSL_TICKET_MAX_KEY_BYTES
+
+#define TICKET_KEY_NAME_BYTES MBEDTLS_SSL_TICKET_KEY_NAME_BYTES
+#define TICKET_IV_BYTES 12
+#define TICKET_CRYPT_LEN_BYTES 2
+#define TICKET_AUTH_TAG_BYTES 16
+
+#define TICKET_MIN_LEN (TICKET_KEY_NAME_BYTES + \
+ TICKET_IV_BYTES + \
+ TICKET_CRYPT_LEN_BYTES + \
+ TICKET_AUTH_TAG_BYTES)
+#define TICKET_ADD_DATA_LEN (TICKET_KEY_NAME_BYTES + \
+ TICKET_IV_BYTES + \
+ TICKET_CRYPT_LEN_BYTES)
+
+/*
+ * Generate/update a key
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
+ unsigned char index)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char buf[MAX_KEY_BYTES] = { 0 };
+ mbedtls_ssl_ticket_key *key = ctx->keys + index;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+ key->generation_time = mbedtls_time(NULL);
+#endif
+ /* The lifetime of a key is the configured lifetime of the tickets when
+ * the key is created.
+ */
+ key->lifetime = ctx->ticket_lifetime;
+
+ if ((ret = ctx->f_rng(ctx->p_rng, key->name, sizeof(key->name))) != 0) {
+ return ret;
+ }
+
+ if ((ret = ctx->f_rng(ctx->p_rng, buf, sizeof(buf))) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_set_key_usage_flags(&attributes,
+ PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+ psa_set_key_algorithm(&attributes, key->alg);
+ psa_set_key_type(&attributes, key->key_type);
+ psa_set_key_bits(&attributes, key->key_bits);
+
+ ret = PSA_TO_MBEDTLS_ERR(
+ psa_import_key(&attributes, buf,
+ PSA_BITS_TO_BYTES(key->key_bits),
+ &key->key));
+#else
+ /* With GCM and CCM, same context can encrypt & decrypt */
+ ret = mbedtls_cipher_setkey(&key->ctx, buf,
+ mbedtls_cipher_get_key_bitlen(&key->ctx),
+ MBEDTLS_ENCRYPT);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ return ret;
+}
+
+/*
+ * Rotate/generate keys if necessary
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
+{
+#if !defined(MBEDTLS_HAVE_TIME)
+ ((void) ctx);
+#else
+ mbedtls_ssl_ticket_key * const key = ctx->keys + ctx->active;
+ if (key->lifetime != 0) {
+ mbedtls_time_t current_time = mbedtls_time(NULL);
+ mbedtls_time_t key_time = key->generation_time;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#endif
+
+ if (current_time >= key_time &&
+ (uint64_t) (current_time - key_time) < key->lifetime) {
+ return 0;
+ }
+
+ ctx->active = 1 - ctx->active;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((status = psa_destroy_key(ctx->keys[ctx->active].key)) != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ return ssl_ticket_gen_key(ctx, ctx->active);
+ } else
+#endif /* MBEDTLS_HAVE_TIME */
+ return 0;
+}
+
+/*
+ * Rotate active session ticket encryption key
+ */
+int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
+ const unsigned char *name, size_t nlength,
+ const unsigned char *k, size_t klength,
+ uint32_t lifetime)
+{
+ const unsigned char idx = 1 - ctx->active;
+ mbedtls_ssl_ticket_key * const key = ctx->keys + idx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ const size_t bitlen = key->key_bits;
+#else
+ const int bitlen = mbedtls_cipher_get_key_bitlen(&key->ctx);
+#endif
+
+ if (nlength < TICKET_KEY_NAME_BYTES || klength * 8 < (size_t) bitlen) {
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((status = psa_destroy_key(key->key)) != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ return ret;
+ }
+
+ psa_set_key_usage_flags(&attributes,
+ PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+ psa_set_key_algorithm(&attributes, key->alg);
+ psa_set_key_type(&attributes, key->key_type);
+ psa_set_key_bits(&attributes, key->key_bits);
+
+ if ((status = psa_import_key(&attributes, k,
+ PSA_BITS_TO_BYTES(key->key_bits),
+ &key->key)) != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ return ret;
+ }
+#else
+ ret = mbedtls_cipher_setkey(&key->ctx, k, bitlen, MBEDTLS_ENCRYPT);
+ if (ret != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ ctx->active = idx;
+ ctx->ticket_lifetime = lifetime;
+ memcpy(key->name, name, TICKET_KEY_NAME_BYTES);
+#if defined(MBEDTLS_HAVE_TIME)
+ key->generation_time = mbedtls_time(NULL);
+#endif
+ key->lifetime = lifetime;
+
+ return 0;
+}
+
+/*
+ * Setup context for actual use
+ */
+int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_cipher_type_t cipher,
+ uint32_t lifetime)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t key_bits;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm_t alg;
+ psa_key_type_t key_type;
+#else
+ const mbedtls_cipher_info_t *cipher_info;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (mbedtls_ssl_cipher_to_psa(cipher, TICKET_AUTH_TAG_BYTES,
+ &alg, &key_type, &key_bits) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (PSA_ALG_IS_AEAD(alg) == 0) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+#else
+ cipher_info = mbedtls_cipher_info_from_type(cipher);
+
+ if (mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_GCM &&
+ mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CCM &&
+ mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CHACHAPOLY) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ key_bits = mbedtls_cipher_info_get_key_bitlen(cipher_info);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (key_bits > 8 * MAX_KEY_BYTES) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ctx->f_rng = f_rng;
+ ctx->p_rng = p_rng;
+
+ ctx->ticket_lifetime = lifetime;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ctx->keys[0].alg = alg;
+ ctx->keys[0].key_type = key_type;
+ ctx->keys[0].key_bits = key_bits;
+
+ ctx->keys[1].alg = alg;
+ ctx->keys[1].key_type = key_type;
+ ctx->keys[1].key_bits = key_bits;
+#else
+ if ((ret = mbedtls_cipher_setup(&ctx->keys[0].ctx, cipher_info)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_setup(&ctx->keys[1].ctx, cipher_info)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if ((ret = ssl_ticket_gen_key(ctx, 0)) != 0 ||
+ (ret = ssl_ticket_gen_key(ctx, 1)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Create session ticket, with the following structure:
+ *
+ * struct {
+ * opaque key_name[4];
+ * opaque iv[12];
+ * opaque encrypted_state<0..2^16-1>;
+ * opaque tag[16];
+ * } ticket;
+ *
+ * The key_name, iv, and length of encrypted_state are the additional
+ * authenticated data.
+ */
+
+int mbedtls_ssl_ticket_write(void *p_ticket,
+ const mbedtls_ssl_session *session,
+ unsigned char *start,
+ const unsigned char *end,
+ size_t *tlen,
+ uint32_t *ticket_lifetime)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_ticket_context *ctx = p_ticket;
+ mbedtls_ssl_ticket_key *key;
+ unsigned char *key_name = start;
+ unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
+ unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
+ unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
+ size_t clear_len, ciph_len;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#endif
+
+ *tlen = 0;
+
+ if (ctx == NULL || ctx->f_rng == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
+ * in addition to session itself, that will be checked when writing it. */
+ MBEDTLS_SSL_CHK_BUF_PTR(start, end, TICKET_MIN_LEN);
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ if ((ret = ssl_ticket_update_keys(ctx)) != 0) {
+ goto cleanup;
+ }
+
+ key = &ctx->keys[ctx->active];
+
+ *ticket_lifetime = key->lifetime;
+
+ memcpy(key_name, key->name, TICKET_KEY_NAME_BYTES);
+
+ if ((ret = ctx->f_rng(ctx->p_rng, iv, TICKET_IV_BYTES)) != 0) {
+ goto cleanup;
+ }
+
+ /* Dump session state */
+ if ((ret = mbedtls_ssl_session_save(session,
+ state, (size_t) (end - state),
+ &clear_len)) != 0 ||
+ (unsigned long) clear_len > 65535) {
+ goto cleanup;
+ }
+ MBEDTLS_PUT_UINT16_BE(clear_len, state_len_bytes, 0);
+
+ /* Encrypt and authenticate */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((status = psa_aead_encrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
+ key_name, TICKET_ADD_DATA_LEN,
+ state, clear_len,
+ state, end - state,
+ &ciph_len)) != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+#else
+ if ((ret = mbedtls_cipher_auth_encrypt_ext(&key->ctx,
+ iv, TICKET_IV_BYTES,
+ /* Additional data: key name, IV and length */
+ key_name, TICKET_ADD_DATA_LEN,
+ state, clear_len,
+ state, (size_t) (end - state), &ciph_len,
+ TICKET_AUTH_TAG_BYTES)) != 0) {
+ goto cleanup;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (ciph_len != clear_len + TICKET_AUTH_TAG_BYTES) {
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto cleanup;
+ }
+
+ *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES;
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Select key based on name
+ */
+static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
+ mbedtls_ssl_ticket_context *ctx,
+ const unsigned char name[4])
+{
+ unsigned char i;
+
+ for (i = 0; i < sizeof(ctx->keys) / sizeof(*ctx->keys); i++) {
+ if (memcmp(name, ctx->keys[i].name, 4) == 0) {
+ return &ctx->keys[i];
+ }
+ }
+
+ return NULL;
+}
+
+/*
+ * Load session ticket (see mbedtls_ssl_ticket_write for structure)
+ */
+int mbedtls_ssl_ticket_parse(void *p_ticket,
+ mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_ticket_context *ctx = p_ticket;
+ mbedtls_ssl_ticket_key *key;
+ unsigned char *key_name = buf;
+ unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
+ unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
+ unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
+ size_t enc_len, clear_len;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#endif
+
+ if (ctx == NULL || ctx->f_rng == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (len < TICKET_MIN_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
+ return ret;
+ }
+#endif
+
+ if ((ret = ssl_ticket_update_keys(ctx)) != 0) {
+ goto cleanup;
+ }
+
+ enc_len = MBEDTLS_GET_UINT16_BE(enc_len_p, 0);
+
+ if (len != TICKET_MIN_LEN + enc_len) {
+ ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /* Select key */
+ if ((key = ssl_ticket_select_key(ctx, key_name)) == NULL) {
+ /* We can't know for sure but this is a likely option unless we're
+ * under attack - this is only informative anyway */
+ ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+ goto cleanup;
+ }
+
+ /* Decrypt and authenticate */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((status = psa_aead_decrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
+ key_name, TICKET_ADD_DATA_LEN,
+ ticket, enc_len + TICKET_AUTH_TAG_BYTES,
+ ticket, enc_len, &clear_len)) != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto cleanup;
+ }
+#else
+ if ((ret = mbedtls_cipher_auth_decrypt_ext(&key->ctx,
+ iv, TICKET_IV_BYTES,
+ /* Additional data: key name, IV and length */
+ key_name, TICKET_ADD_DATA_LEN,
+ ticket, enc_len + TICKET_AUTH_TAG_BYTES,
+ ticket, enc_len, &clear_len,
+ TICKET_AUTH_TAG_BYTES)) != 0) {
+ if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
+ ret = MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
+
+ goto cleanup;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (clear_len != enc_len) {
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto cleanup;
+ }
+
+ /* Actually load session */
+ if ((ret = mbedtls_ssl_session_load(session, ticket, clear_len)) != 0) {
+ goto cleanup;
+ }
+
+#if defined(MBEDTLS_HAVE_TIME)
+ mbedtls_ms_time_t ticket_creation_time, ticket_age;
+ mbedtls_ms_time_t ticket_lifetime =
+ (mbedtls_ms_time_t) key->lifetime * 1000;
+
+ ret = mbedtls_ssl_session_get_ticket_creation_time(session,
+ &ticket_creation_time);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ ticket_age = mbedtls_ms_time() - ticket_creation_time;
+ if (ticket_age < 0 || ticket_age > ticket_lifetime) {
+ ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+ goto cleanup;
+ }
+#endif
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif
+
+ return ret;
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_destroy_key(ctx->keys[0].key);
+ psa_destroy_key(ctx->keys[1].key);
+#else
+ mbedtls_cipher_free(&ctx->keys[0].ctx);
+ mbedtls_cipher_free(&ctx->keys[1].ctx);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_free(&ctx->mutex);
+#endif
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_ticket_context));
+}
+
+#endif /* MBEDTLS_SSL_TICKET_C */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
new file mode 100644
index 0000000..c5e0649
--- /dev/null
+++ b/library/ssl_tls.c
@@ -0,0 +1,9922 @@
+/*
+ * TLS shared functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * http://www.ietf.org/rfc/rfc2246.txt
+ * http://www.ietf.org/rfc/rfc4346.txt
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/ssl.h"
+#include "ssl_client.h"
+#include "ssl_debug_helpers.h"
+#include "ssl_misc.h"
+
+#include "debug_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/version.h"
+#include "mbedtls/constant_time.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "mbedtls/psa_util.h"
+#include "md_psa.h"
+#include "psa_util_internal.h"
+#include "psa/crypto.h"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "mbedtls/oid.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* Define local translating functions to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
+
+#if defined(MBEDTLS_TEST_HOOKS)
+static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
+
+void mbedtls_ssl_set_chk_buf_ptr_fail_args(
+ const uint8_t *cur, const uint8_t *end, size_t need)
+{
+ chk_buf_ptr_fail_args.cur = cur;
+ chk_buf_ptr_fail_args.end = end;
+ chk_buf_ptr_fail_args.need = need;
+}
+
+void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
+{
+ memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
+}
+
+int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
+{
+ return (chk_buf_ptr_fail_args.cur != args->cur) ||
+ (chk_buf_ptr_fail_args.end != args->end) ||
+ (chk_buf_ptr_fail_args.need != args->need);
+}
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+/* Top-level Connection ID API */
+
+int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
+ size_t len,
+ int ignore_other_cid)
+{
+ if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
+ ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ conf->ignore_unexpected_cid = ignore_other_cid;
+ conf->cid_len = len;
+ return 0;
+}
+
+int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
+ int enable,
+ unsigned char const *own_cid,
+ size_t own_cid_len)
+{
+ if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl->negotiate_cid = enable;
+ if (enable == MBEDTLS_SSL_CID_DISABLED) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
+ return 0;
+ }
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
+ MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
+
+ if (own_cid_len != ssl->conf->cid_len) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
+ (unsigned) own_cid_len,
+ (unsigned) ssl->conf->cid_len));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ memcpy(ssl->own_cid, own_cid, own_cid_len);
+ /* Truncation is not an issue here because
+ * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
+ ssl->own_cid_len = (uint8_t) own_cid_len;
+
+ return 0;
+}
+
+int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
+ int *enabled,
+ unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
+ size_t *own_cid_len)
+{
+ *enabled = MBEDTLS_SSL_CID_DISABLED;
+
+ if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
+ * zero as this is indistinguishable from not requesting to use
+ * the CID extension. */
+ if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
+ return 0;
+ }
+
+ if (own_cid_len != NULL) {
+ *own_cid_len = ssl->own_cid_len;
+ if (own_cid != NULL) {
+ memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
+ }
+ }
+
+ *enabled = MBEDTLS_SSL_CID_ENABLED;
+
+ return 0;
+}
+
+int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
+ int *enabled,
+ unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
+ size_t *peer_cid_len)
+{
+ *enabled = MBEDTLS_SSL_CID_DISABLED;
+
+ if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+ mbedtls_ssl_is_handshake_over(ssl) == 0) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
+ * were used, but client and server requested the empty CID.
+ * This is indistinguishable from not using the CID extension
+ * in the first place. */
+ if (ssl->transform_in->in_cid_len == 0 &&
+ ssl->transform_in->out_cid_len == 0) {
+ return 0;
+ }
+
+ if (peer_cid_len != NULL) {
+ *peer_cid_len = ssl->transform_in->out_cid_len;
+ if (peer_cid != NULL) {
+ memcpy(peer_cid, ssl->transform_in->out_cid,
+ ssl->transform_in->out_cid_len);
+ }
+ }
+
+ *enabled = MBEDTLS_SSL_CID_ENABLED;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/*
+ * Convert max_fragment_length codes to length.
+ * RFC 6066 says:
+ * enum{
+ * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
+ * } MaxFragmentLength;
+ * and we add 0 -> extension unused
+ */
+static unsigned int ssl_mfl_code_to_length(int mfl)
+{
+ switch (mfl) {
+ case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
+ return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
+ case MBEDTLS_SSL_MAX_FRAG_LEN_512:
+ return 512;
+ case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
+ return 1024;
+ case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
+ return 2048;
+ case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
+ return 4096;
+ default:
+ return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
+ }
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
+ const mbedtls_ssl_session *src)
+{
+ mbedtls_ssl_session_free(dst);
+ memcpy(dst, src, sizeof(mbedtls_ssl_session));
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+ dst->ticket = NULL;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ dst->hostname = NULL;
+#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
+ defined(MBEDTLS_SSL_EARLY_DATA)
+ dst->ticket_alpn = NULL;
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ if (src->peer_cert != NULL) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
+ if (dst->peer_cert == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ mbedtls_x509_crt_init(dst->peer_cert);
+
+ if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
+ src->peer_cert->raw.len)) != 0) {
+ mbedtls_free(dst->peer_cert);
+ dst->peer_cert = NULL;
+ return ret;
+ }
+ }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if (src->peer_cert_digest != NULL) {
+ dst->peer_cert_digest =
+ mbedtls_calloc(1, src->peer_cert_digest_len);
+ if (dst->peer_cert_digest == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(dst->peer_cert_digest, src->peer_cert_digest,
+ src->peer_cert_digest_len);
+ dst->peer_cert_digest_type = src->peer_cert_digest_type;
+ dst->peer_cert_digest_len = src->peer_cert_digest_len;
+ }
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
+ defined(MBEDTLS_SSL_EARLY_DATA)
+ {
+ int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+ if (src->ticket != NULL) {
+ dst->ticket = mbedtls_calloc(1, src->ticket_len);
+ if (dst->ticket == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(dst->ticket, src->ticket, src->ticket_len);
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
+{
+ unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
+ if (resized_buffer == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ /* We want to copy len_new bytes when downsizing the buffer, and
+ * len_old bytes when upsizing, so we choose the smaller of two sizes,
+ * to fit one buffer into another. Size checks, ensuring that no data is
+ * lost, are done outside of this function. */
+ memcpy(resized_buffer, *buffer,
+ (len_new < *len_old) ? len_new : *len_old);
+ mbedtls_zeroize_and_free(*buffer, *len_old);
+
+ *buffer = resized_buffer;
+ *len_old = len_new;
+
+ return 0;
+}
+
+static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
+ size_t in_buf_new_len,
+ size_t out_buf_new_len)
+{
+ int modified = 0;
+ size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
+ size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
+ if (ssl->in_buf != NULL) {
+ written_in = ssl->in_msg - ssl->in_buf;
+ iv_offset_in = ssl->in_iv - ssl->in_buf;
+ len_offset_in = ssl->in_len - ssl->in_buf;
+ if (downsizing ?
+ ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
+ ssl->in_buf_len < in_buf_new_len) {
+ if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
+ in_buf_new_len));
+ modified = 1;
+ }
+ }
+ }
+
+ if (ssl->out_buf != NULL) {
+ written_out = ssl->out_msg - ssl->out_buf;
+ iv_offset_out = ssl->out_iv - ssl->out_buf;
+ len_offset_out = ssl->out_len - ssl->out_buf;
+ if (downsizing ?
+ ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
+ ssl->out_buf_len < out_buf_new_len) {
+ if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
+ out_buf_new_len));
+ modified = 1;
+ }
+ }
+ }
+ if (modified) {
+ /* Update pointers here to avoid doing it twice. */
+ mbedtls_ssl_reset_in_out_pointers(ssl);
+ /* Fields below might not be properly updated with record
+ * splitting or with CID, so they are manually updated here. */
+ ssl->out_msg = ssl->out_buf + written_out;
+ ssl->out_len = ssl->out_buf + len_offset_out;
+ ssl->out_iv = ssl->out_buf + iv_offset_out;
+
+ ssl->in_msg = ssl->in_buf + written_in;
+ ssl->in_len = ssl->in_buf + len_offset_in;
+ ssl->in_iv = ssl->in_buf + iv_offset_in;
+ }
+}
+#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
+ const char *label,
+ const unsigned char *random, size_t rlen,
+ unsigned char *dstbuf, size_t dlen);
+
+static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
+
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+
+/* Type for the TLS PRF */
+typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
+ const unsigned char *, size_t,
+ unsigned char *, size_t);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
+ int ciphersuite,
+ const unsigned char master[48],
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ int encrypt_then_mac,
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+ ssl_tls_prf_t tls_prf,
+ const unsigned char randbytes[64],
+ mbedtls_ssl_protocol_version tls_version,
+ unsigned endpoint,
+ const mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int tls_prf_sha256(const unsigned char *secret, size_t slen,
+ const char *label,
+ const unsigned char *random, size_t rlen,
+ unsigned char *dstbuf, size_t dlen);
+static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
+static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
+
+#endif /* MBEDTLS_MD_CAN_SHA256*/
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int tls_prf_sha384(const unsigned char *secret, size_t slen,
+ const char *label,
+ const unsigned char *random, size_t rlen,
+ unsigned char *dstbuf, size_t dlen);
+
+static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
+static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
+#endif /* MBEDTLS_MD_CAN_SHA384*/
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls12_session_load(mbedtls_ssl_session *session,
+ const unsigned char *buf,
+ size_t len);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
+#endif /* MBEDTLS_MD_CAN_SHA256*/
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
+#endif /* MBEDTLS_MD_CAN_SHA384*/
+
+int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
+ const unsigned char *secret, size_t slen,
+ const char *label,
+ const unsigned char *random, size_t rlen,
+ unsigned char *dstbuf, size_t dlen)
+{
+ mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
+
+ switch (prf) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_SSL_TLS_PRF_SHA384:
+ tls_prf = tls_prf_sha384;
+ break;
+#endif /* MBEDTLS_MD_CAN_SHA384*/
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_SSL_TLS_PRF_SHA256:
+ tls_prf = tls_prf_sha256;
+ break;
+#endif /* MBEDTLS_MD_CAN_SHA256*/
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+ default:
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
+{
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ if (session->peer_cert != NULL) {
+ mbedtls_x509_crt_free(session->peer_cert);
+ mbedtls_free(session->peer_cert);
+ session->peer_cert = NULL;
+ }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if (session->peer_cert_digest != NULL) {
+ /* Zeroization is not necessary. */
+ mbedtls_free(session->peer_cert_digest);
+ session->peer_cert_digest = NULL;
+ session->peer_cert_digest_type = MBEDTLS_MD_NONE;
+ session->peer_cert_digest_len = 0;
+ }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
+{
+ switch (extension_type) {
+ case MBEDTLS_TLS_EXT_SERVERNAME:
+ return MBEDTLS_SSL_EXT_ID_SERVERNAME;
+
+ case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+ return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
+
+ case MBEDTLS_TLS_EXT_STATUS_REQUEST:
+ return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
+
+ case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
+ return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
+
+ case MBEDTLS_TLS_EXT_SIG_ALG:
+ return MBEDTLS_SSL_EXT_ID_SIG_ALG;
+
+ case MBEDTLS_TLS_EXT_USE_SRTP:
+ return MBEDTLS_SSL_EXT_ID_USE_SRTP;
+
+ case MBEDTLS_TLS_EXT_HEARTBEAT:
+ return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
+
+ case MBEDTLS_TLS_EXT_ALPN:
+ return MBEDTLS_SSL_EXT_ID_ALPN;
+
+ case MBEDTLS_TLS_EXT_SCT:
+ return MBEDTLS_SSL_EXT_ID_SCT;
+
+ case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
+ return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
+
+ case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
+ return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
+
+ case MBEDTLS_TLS_EXT_PADDING:
+ return MBEDTLS_SSL_EXT_ID_PADDING;
+
+ case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
+ return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
+
+ case MBEDTLS_TLS_EXT_EARLY_DATA:
+ return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
+
+ case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
+ return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
+
+ case MBEDTLS_TLS_EXT_COOKIE:
+ return MBEDTLS_SSL_EXT_ID_COOKIE;
+
+ case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
+ return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
+
+ case MBEDTLS_TLS_EXT_CERT_AUTH:
+ return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
+
+ case MBEDTLS_TLS_EXT_OID_FILTERS:
+ return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
+
+ case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
+ return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
+
+ case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
+ return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
+
+ case MBEDTLS_TLS_EXT_KEY_SHARE:
+ return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
+
+ case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+ return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
+
+ case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+ return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
+
+ case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+ return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
+
+ case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+ return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
+
+ case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
+ return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
+
+ case MBEDTLS_TLS_EXT_SESSION_TICKET:
+ return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
+
+ }
+
+ return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
+}
+
+uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
+{
+ return 1 << mbedtls_ssl_get_extension_id(extension_type);
+}
+
+#if defined(MBEDTLS_DEBUG_C)
+static const char *extension_name_table[] = {
+ [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
+ [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
+ [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
+ [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
+ [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
+ [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
+ [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
+ [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
+ [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
+ [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
+ [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
+ [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
+ [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
+ [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
+ [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
+ [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
+ [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
+ [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
+ [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
+ [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
+ [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
+ [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
+ [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
+ [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
+ [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
+ [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
+ [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
+ [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
+ [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
+};
+
+static const unsigned int extension_type_table[] = {
+ [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
+ [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
+ [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
+ [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
+ [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
+ [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
+ [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
+ [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
+ [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
+ [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
+ [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
+ [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
+ [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
+ [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
+ [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
+ [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
+ [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
+ [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
+ [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
+ [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
+ [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
+ [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
+ [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
+ [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
+ [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
+ [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
+ [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
+ [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
+ [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
+};
+
+const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
+{
+ return extension_name_table[
+ mbedtls_ssl_get_extension_id(extension_type)];
+}
+
+static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
+{
+ switch (hs_msg_type) {
+ case MBEDTLS_SSL_HS_CLIENT_HELLO:
+ return "ClientHello";
+ case MBEDTLS_SSL_HS_SERVER_HELLO:
+ return "ServerHello";
+ case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
+ return "HelloRetryRequest";
+ case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
+ return "NewSessionTicket";
+ case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
+ return "EncryptedExtensions";
+ case MBEDTLS_SSL_HS_CERTIFICATE:
+ return "Certificate";
+ case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
+ return "CertificateRequest";
+ }
+ return "Unknown";
+}
+
+void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
+ int level, const char *file, int line,
+ int hs_msg_type, unsigned int extension_type,
+ const char *extra_msg0, const char *extra_msg1)
+{
+ const char *extra_msg;
+ if (extra_msg0 && extra_msg1) {
+ mbedtls_debug_print_msg(
+ ssl, level, file, line,
+ "%s: %s(%u) extension %s %s.",
+ ssl_tls13_get_hs_msg_name(hs_msg_type),
+ mbedtls_ssl_get_extension_name(extension_type),
+ extension_type,
+ extra_msg0, extra_msg1);
+ return;
+ }
+
+ extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
+ if (extra_msg) {
+ mbedtls_debug_print_msg(
+ ssl, level, file, line,
+ "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
+ mbedtls_ssl_get_extension_name(extension_type), extension_type,
+ extra_msg);
+ return;
+ }
+
+ mbedtls_debug_print_msg(
+ ssl, level, file, line,
+ "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
+ mbedtls_ssl_get_extension_name(extension_type), extension_type);
+}
+
+void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
+ int level, const char *file, int line,
+ int hs_msg_type, uint32_t extensions_mask,
+ const char *extra)
+{
+
+ for (unsigned i = 0;
+ i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
+ i++) {
+ mbedtls_ssl_print_extension(
+ ssl, level, file, line, hs_msg_type, extension_type_table[i],
+ extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
+ }
+}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+static const char *ticket_flag_name_table[] =
+{
+ [0] = "ALLOW_PSK_RESUMPTION",
+ [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
+ [3] = "ALLOW_EARLY_DATA",
+};
+
+void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
+ int level, const char *file, int line,
+ unsigned int flags)
+{
+ size_t i;
+
+ mbedtls_debug_print_msg(ssl, level, file, line,
+ "print ticket_flags (0x%02x)", flags);
+
+ flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
+
+ for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
+ if ((flags & (1 << i))) {
+ mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
+ ticket_flag_name_table[i]);
+ }
+ }
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
+
+#endif /* MBEDTLS_DEBUG_C */
+
+void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
+{
+ ((void) ciphersuite_info);
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
+ ssl->handshake->update_checksum = ssl_update_checksum_sha384;
+ } else
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
+ ssl->handshake->update_checksum = ssl_update_checksum_sha256;
+ } else
+#endif
+ {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return;
+ }
+}
+
+int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ size_t total_hs_len)
+{
+ unsigned char hs_hdr[4];
+
+ /* Build HS header for checksum update. */
+ hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
+ hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
+ hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
+ hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
+
+ return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
+}
+
+int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ unsigned char const *msg,
+ size_t msg_len)
+{
+ int ret;
+ ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
+ if (ret != 0) {
+ return ret;
+ }
+ return ssl->handshake->update_checksum(ssl, msg, msg_len);
+}
+
+int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_MD_CAN_SHA256) || \
+ defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#endif
+#else /* SHA-256 or SHA-384 */
+ ((void) ssl);
+#endif /* SHA-256 or SHA-384 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+ status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+#else
+ mbedtls_md_free(&ssl->handshake->fin_sha256);
+ mbedtls_md_init(&ssl->handshake->fin_sha256);
+ ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
+ mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
+ 0);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
+ if (ret != 0) {
+ return ret;
+ }
+#endif
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+ status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+#else
+ mbedtls_md_free(&ssl->handshake->fin_sha384);
+ mbedtls_md_init(&ssl->handshake->fin_sha384);
+ ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
+ mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
+ if (ret != 0) {
+ return ret;
+ }
+#endif
+#endif
+ return 0;
+}
+
+static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
+{
+#if defined(MBEDTLS_MD_CAN_SHA256) || \
+ defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#endif
+#else /* SHA-256 or SHA-384 */
+ ((void) ssl);
+ (void) buf;
+ (void) len;
+#endif /* SHA-256 or SHA-384 */
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+#else
+ ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
+ if (ret != 0) {
+ return ret;
+ }
+#endif
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+#else
+ ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
+ if (ret != 0) {
+ return ret;
+ }
+#endif
+#endif
+ return 0;
+}
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ return mbedtls_md_error_from_psa(psa_hash_update(
+ &ssl->handshake->fin_sha256_psa, buf, len));
+#else
+ return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
+#endif
+}
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ return mbedtls_md_error_from_psa(psa_hash_update(
+ &ssl->handshake->fin_sha384_psa, buf, len));
+#else
+ return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
+#endif
+}
+#endif
+
+static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
+{
+ memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ handshake->fin_sha256_psa = psa_hash_operation_init();
+#else
+ mbedtls_md_init(&handshake->fin_sha256);
+#endif
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ handshake->fin_sha384_psa = psa_hash_operation_init();
+#else
+ mbedtls_md_init(&handshake->fin_sha384);
+#endif
+#endif
+
+ handshake->update_checksum = ssl_update_checksum_start;
+
+#if defined(MBEDTLS_DHM_C)
+ mbedtls_dhm_init(&handshake->dhm_ctx);
+#endif
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
+ mbedtls_ecdh_init(&handshake->ecdh_ctx);
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ handshake->psa_pake_ctx = psa_pake_operation_init();
+ handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
+#else
+ mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_SSL_CLI_C)
+ handshake->ecjpake_cache = NULL;
+ handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ mbedtls_pk_init(&handshake->peer_pubkey);
+#endif
+}
+
+void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
+{
+ memset(transform, 0, sizeof(mbedtls_ssl_transform));
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
+ transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
+#else
+ mbedtls_cipher_init(&transform->cipher_ctx_enc);
+ mbedtls_cipher_init(&transform->cipher_ctx_dec);
+#endif
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
+ transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
+#else
+ mbedtls_md_init(&transform->md_ctx_enc);
+ mbedtls_md_init(&transform->md_ctx_dec);
+#endif
+#endif
+}
+
+void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
+{
+ memset(session, 0, sizeof(mbedtls_ssl_session));
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_handshake_init(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Clear old handshake information if present */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (ssl->transform_negotiate) {
+ mbedtls_ssl_transform_free(ssl->transform_negotiate);
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+ if (ssl->session_negotiate) {
+ mbedtls_ssl_session_free(ssl->session_negotiate);
+ }
+ if (ssl->handshake) {
+ mbedtls_ssl_handshake_free(ssl);
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ /*
+ * Either the pointers are now NULL or cleared properly and can be freed.
+ * Now allocate missing structures.
+ */
+ if (ssl->transform_negotiate == NULL) {
+ ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ if (ssl->session_negotiate == NULL) {
+ ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
+ }
+
+ if (ssl->handshake == NULL) {
+ ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
+ }
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ /* If the buffers are too small - reallocate */
+
+ handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
+ MBEDTLS_SSL_OUT_BUFFER_LEN);
+#endif
+
+ /* All pointers should exist and can be directly freed without issue */
+ if (ssl->handshake == NULL ||
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ ssl->transform_negotiate == NULL ||
+#endif
+ ssl->session_negotiate == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
+
+ mbedtls_free(ssl->handshake);
+ ssl->handshake = NULL;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ mbedtls_free(ssl->transform_negotiate);
+ ssl->transform_negotiate = NULL;
+#endif
+
+ mbedtls_free(ssl->session_negotiate);
+ ssl->session_negotiate = NULL;
+
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_CLI_C)
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+ ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+#endif
+ ssl->total_early_data_size = 0;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+ /* Initialize structures */
+ mbedtls_ssl_session_init(ssl->session_negotiate);
+ ssl_handshake_params_init(ssl->handshake);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ mbedtls_ssl_transform_init(ssl->transform_negotiate);
+#endif
+
+ /* Setup handshake checksums */
+ ret = mbedtls_ssl_reset_checksum(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS)
+ ssl->handshake->new_session_tickets_count =
+ ssl->conf->new_session_tickets_count;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ssl->handshake->alt_transform_out = ssl->transform_out;
+
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+ } else {
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+ }
+
+ mbedtls_ssl_set_timer(ssl, 0);
+ }
+#endif
+
+/*
+ * curve_list is translated to IANA TLS group identifiers here because
+ * mbedtls_ssl_conf_curves returns void and so can't return
+ * any error codes.
+ */
+#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+ /* Heap allocate and translate curve_list from internal to IANA group ids */
+ if (ssl->conf->curve_list != NULL) {
+ size_t length;
+ const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
+
+ for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
+ }
+
+ /* Leave room for zero termination */
+ uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
+ if (group_list == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ for (size_t i = 0; i < length; i++) {
+ uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
+ curve_list[i]);
+ if (tls_id == 0) {
+ mbedtls_free(group_list);
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+ group_list[i] = tls_id;
+ }
+
+ group_list[length] = 0;
+
+ ssl->handshake->group_list = group_list;
+ ssl->handshake->group_list_heap_allocated = 1;
+ } else {
+ ssl->handshake->group_list = ssl->conf->group_list;
+ ssl->handshake->group_list_heap_allocated = 0;
+ }
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ /* Heap allocate and translate sig_hashes from internal hash identifiers to
+ signature algorithms IANA identifiers. */
+ if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
+ ssl->conf->sig_hashes != NULL) {
+ const int *md;
+ const int *sig_hashes = ssl->conf->sig_hashes;
+ size_t sig_algs_len = 0;
+ uint16_t *p;
+
+ MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
+ <= (SIZE_MAX - (2 * sizeof(uint16_t))),
+ "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
+
+ for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
+ if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
+ continue;
+ }
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ sig_algs_len += sizeof(uint16_t);
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+ sig_algs_len += sizeof(uint16_t);
+#endif
+ if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+ }
+
+ if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+
+ ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
+ sizeof(uint16_t));
+ if (ssl->handshake->sig_algs == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ p = (uint16_t *) ssl->handshake->sig_algs;
+ for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
+ unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
+ if (hash == MBEDTLS_SSL_HASH_NONE) {
+ continue;
+ }
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
+ p++;
+#endif
+#if defined(MBEDTLS_RSA_C)
+ *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
+ p++;
+#endif
+ }
+ *p = MBEDTLS_TLS_SIG_NONE;
+ ssl->handshake->sig_algs_heap_allocated = 1;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+ {
+ ssl->handshake->sig_algs_heap_allocated = 0;
+ }
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+/* Dummy cookie callbacks for defaults */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_cookie_write_dummy(void *ctx,
+ unsigned char **p, unsigned char *end,
+ const unsigned char *cli_id, size_t cli_id_len)
+{
+ ((void) ctx);
+ ((void) p);
+ ((void) end);
+ ((void) cli_id);
+ ((void) cli_id_len);
+
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_cookie_check_dummy(void *ctx,
+ const unsigned char *cookie, size_t cookie_len,
+ const unsigned char *cli_id, size_t cli_id_len)
+{
+ ((void) ctx);
+ ((void) cookie);
+ ((void) cookie_len);
+ ((void) cli_id);
+ ((void) cli_id_len);
+
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+/*
+ * Initialize an SSL context
+ */
+void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
+{
+ memset(ssl, 0, sizeof(mbedtls_ssl_context));
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
+{
+ const mbedtls_ssl_config *conf = ssl->conf;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (mbedtls_ssl_conf_is_tls13_only(conf)) {
+ if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
+ return 0;
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (mbedtls_ssl_conf_is_tls12_only(conf)) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
+ return 0;
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
+ return 0;
+ }
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_conf_check(const mbedtls_ssl_context *ssl)
+{
+ int ret;
+ ret = ssl_conf_version_check(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /* RFC 8446 section 4.4.3
+ *
+ * If the verification fails, the receiver MUST terminate the handshake with
+ * a "decrypt_error" alert.
+ *
+ * If the client is configured as TLS 1.3 only with optional verify, return
+ * bad config.
+ *
+ */
+ if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled(
+ (mbedtls_ssl_context *) ssl) &&
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Optional verify auth mode "
+ "is not available for TLS 1.3 client"));
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ if (ssl->conf->f_rng == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
+ return MBEDTLS_ERR_SSL_NO_RNG;
+ }
+
+ /* Space for further checks */
+
+ return 0;
+}
+
+/*
+ * Setup an SSL context
+ */
+
+int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
+ const mbedtls_ssl_config *conf)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+
+ ssl->conf = conf;
+
+ if ((ret = ssl_conf_check(ssl)) != 0) {
+ return ret;
+ }
+ ssl->tls_version = ssl->conf->max_tls_version;
+
+ /*
+ * Prepare base structures
+ */
+
+ /* Set to NULL in case of an error condition */
+ ssl->out_buf = NULL;
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ ssl->in_buf_len = in_buf_len;
+#endif
+ ssl->in_buf = mbedtls_calloc(1, in_buf_len);
+ if (ssl->in_buf == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto error;
+ }
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ ssl->out_buf_len = out_buf_len;
+#endif
+ ssl->out_buf = mbedtls_calloc(1, out_buf_len);
+ if (ssl->out_buf == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto error;
+ }
+
+ mbedtls_ssl_reset_in_out_pointers(ssl);
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
+#endif
+
+ if ((ret = ssl_handshake_init(ssl)) != 0) {
+ goto error;
+ }
+
+ return 0;
+
+error:
+ mbedtls_free(ssl->in_buf);
+ mbedtls_free(ssl->out_buf);
+
+ ssl->conf = NULL;
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ ssl->in_buf_len = 0;
+ ssl->out_buf_len = 0;
+#endif
+ ssl->in_buf = NULL;
+ ssl->out_buf = NULL;
+
+ ssl->in_hdr = NULL;
+ ssl->in_ctr = NULL;
+ ssl->in_len = NULL;
+ ssl->in_iv = NULL;
+ ssl->in_msg = NULL;
+
+ ssl->out_hdr = NULL;
+ ssl->out_ctr = NULL;
+ ssl->out_len = NULL;
+ ssl->out_iv = NULL;
+ ssl->out_msg = NULL;
+
+ return ret;
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ *
+ * If partial is non-zero, keep data in the input buffer and client ID.
+ * (Use when a DTLS client reconnects from the same port.)
+ */
+void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
+ int partial)
+{
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t in_buf_len = ssl->in_buf_len;
+ size_t out_buf_len = ssl->out_buf_len;
+#else
+ size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+
+#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
+ partial = 0;
+#endif
+
+ /* Cancel any possibly running timer */
+ mbedtls_ssl_set_timer(ssl, 0);
+
+ mbedtls_ssl_reset_in_out_pointers(ssl);
+
+ /* Reset incoming message parsing */
+ ssl->in_offt = NULL;
+ ssl->nb_zero = 0;
+ ssl->in_msgtype = 0;
+ ssl->in_msglen = 0;
+ ssl->in_hslen = 0;
+ ssl->keep_current_message = 0;
+ ssl->transform_in = NULL;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ ssl->next_record_offset = 0;
+ ssl->in_epoch = 0;
+#endif
+
+ /* Keep current datagram if partial == 1 */
+ if (partial == 0) {
+ ssl->in_left = 0;
+ memset(ssl->in_buf, 0, in_buf_len);
+ }
+
+ ssl->send_alert = 0;
+
+ /* Reset outgoing message writing */
+ ssl->out_msgtype = 0;
+ ssl->out_msglen = 0;
+ ssl->out_left = 0;
+ memset(ssl->out_buf, 0, out_buf_len);
+ memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
+ ssl->transform_out = NULL;
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+ mbedtls_ssl_dtls_replay_reset(ssl);
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (ssl->transform) {
+ mbedtls_ssl_transform_free(ssl->transform);
+ mbedtls_free(ssl->transform);
+ ssl->transform = NULL;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_transform_free(ssl->transform_application);
+ mbedtls_free(ssl->transform_application);
+ ssl->transform_application = NULL;
+
+ if (ssl->handshake != NULL) {
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
+ mbedtls_free(ssl->handshake->transform_earlydata);
+ ssl->handshake->transform_earlydata = NULL;
+#endif
+
+ mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
+ mbedtls_free(ssl->handshake->transform_handshake);
+ ssl->handshake->transform_handshake = NULL;
+ }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+}
+
+int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+ ssl->tls_version = ssl->conf->max_tls_version;
+
+ mbedtls_ssl_session_reset_msg_layer(ssl, partial);
+
+ /* Reset renegotiation state */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
+ ssl->renego_records_seen = 0;
+
+ ssl->verify_data_len = 0;
+ memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
+ memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
+#endif
+ ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
+
+ ssl->session_in = NULL;
+ ssl->session_out = NULL;
+ if (ssl->session) {
+ mbedtls_ssl_session_free(ssl->session);
+ mbedtls_free(ssl->session);
+ ssl->session = NULL;
+ }
+
+#if defined(MBEDTLS_SSL_ALPN)
+ ssl->alpn_chosen = NULL;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+ int free_cli_id = 1;
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+ free_cli_id = (partial == 0);
+#endif
+ if (free_cli_id) {
+ mbedtls_free(ssl->cli_id);
+ ssl->cli_id = NULL;
+ ssl->cli_id_len = 0;
+ }
+#endif
+
+ if ((ret = ssl_handshake_init(ssl)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ */
+int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
+{
+ return mbedtls_ssl_session_reset_int(ssl, 0);
+}
+
+/*
+ * SSL set accessors
+ */
+void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
+{
+ conf->endpoint = endpoint;
+}
+
+void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
+{
+ conf->transport = transport;
+}
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
+{
+ conf->anti_replay = mode;
+}
+#endif
+
+void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
+{
+ conf->badmac_limit = limit;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
+ unsigned allow_packing)
+{
+ ssl->disable_datagram_packing = !allow_packing;
+}
+
+void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
+ uint32_t min, uint32_t max)
+{
+ conf->hs_timeout_min = min;
+ conf->hs_timeout_max = max;
+}
+#endif
+
+void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
+{
+ conf->authmode = authmode;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy)
+{
+ conf->f_vrfy = f_vrfy;
+ conf->p_vrfy = p_vrfy;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ conf->f_rng = f_rng;
+ conf->p_rng = p_rng;
+}
+
+void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
+ void (*f_dbg)(void *, int, const char *, int, const char *),
+ void *p_dbg)
+{
+ conf->f_dbg = f_dbg;
+ conf->p_dbg = p_dbg;
+}
+
+void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
+ void *p_bio,
+ mbedtls_ssl_send_t *f_send,
+ mbedtls_ssl_recv_t *f_recv,
+ mbedtls_ssl_recv_timeout_t *f_recv_timeout)
+{
+ ssl->p_bio = p_bio;
+ ssl->f_send = f_send;
+ ssl->f_recv = f_recv;
+ ssl->f_recv_timeout = f_recv_timeout;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
+{
+ ssl->mtu = mtu;
+}
+#endif
+
+void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
+{
+ conf->read_timeout = timeout;
+}
+
+void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
+ void *p_timer,
+ mbedtls_ssl_set_timer_t *f_set_timer,
+ mbedtls_ssl_get_timer_t *f_get_timer)
+{
+ ssl->p_timer = p_timer;
+ ssl->f_set_timer = f_set_timer;
+ ssl->f_get_timer = f_get_timer;
+
+ /* Make sure we start with no timer running */
+ mbedtls_ssl_set_timer(ssl, 0);
+}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
+ void *p_cache,
+ mbedtls_ssl_cache_get_t *f_get_cache,
+ mbedtls_ssl_cache_set_t *f_set_cache)
+{
+ conf->p_cache = p_cache;
+ conf->f_get_cache = f_get_cache;
+ conf->f_set_cache = f_set_cache;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ssl == NULL ||
+ session == NULL ||
+ ssl->session_negotiate == NULL ||
+ ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (ssl->handshake->resume == 1) {
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
+
+ if (mbedtls_ssl_validate_ciphersuite(
+ ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
+ MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
+ session->ciphersuite));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
+ session)) != 0) {
+ return ret;
+ }
+
+ ssl->handshake->resume = 1;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
+ const int *ciphersuites)
+{
+ conf->ciphersuite_list = ciphersuites;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
+ const int kex_modes)
+{
+ conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
+ int early_data_enabled)
+{
+ conf->early_data_enabled = early_data_enabled;
+}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_max_early_data_size(
+ mbedtls_ssl_config *conf, uint32_t max_early_data_size)
+{
+ conf->max_early_data_size = max_early_data_size;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
+ const mbedtls_x509_crt_profile *profile)
+{
+ conf->cert_profile = profile;
+}
+
+static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
+{
+ mbedtls_ssl_key_cert *cur = key_cert, *next;
+
+ while (cur != NULL) {
+ next = cur->next;
+ mbedtls_free(cur);
+ cur = next;
+ }
+}
+
+/* Append a new keycert entry to a (possibly empty) list */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
+ mbedtls_x509_crt *cert,
+ mbedtls_pk_context *key)
+{
+ mbedtls_ssl_key_cert *new_cert;
+
+ if (cert == NULL) {
+ /* Free list if cert is null */
+ ssl_key_cert_free(*head);
+ *head = NULL;
+ return 0;
+ }
+
+ new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
+ if (new_cert == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ new_cert->cert = cert;
+ new_cert->key = key;
+ new_cert->next = NULL;
+
+ /* Update head if the list was null, else add to the end */
+ if (*head == NULL) {
+ *head = new_cert;
+ } else {
+ mbedtls_ssl_key_cert *cur = *head;
+ while (cur->next != NULL) {
+ cur = cur->next;
+ }
+ cur->next = new_cert;
+ }
+
+ return 0;
+}
+
+int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
+ mbedtls_x509_crt *own_cert,
+ mbedtls_pk_context *pk_key)
+{
+ return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
+}
+
+void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
+ mbedtls_x509_crt *ca_chain,
+ mbedtls_x509_crl *ca_crl)
+{
+ conf->ca_chain = ca_chain;
+ conf->ca_crl = ca_crl;
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+ /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
+ * cannot be used together. */
+ conf->f_ca_cb = NULL;
+ conf->p_ca_cb = NULL;
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+}
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
+ mbedtls_x509_crt_ca_cb_t f_ca_cb,
+ void *p_ca_cb)
+{
+ conf->f_ca_cb = f_ca_cb;
+ conf->p_ca_cb = p_ca_cb;
+
+ /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
+ * cannot be used together. */
+ conf->ca_chain = NULL;
+ conf->ca_crl = NULL;
+}
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
+ size_t *name_len)
+{
+ *name_len = ssl->handshake->sni_name_len;
+ return ssl->handshake->sni_name;
+}
+
+int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
+ mbedtls_x509_crt *own_cert,
+ mbedtls_pk_context *pk_key)
+{
+ return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
+ own_cert, pk_key);
+}
+
+void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
+ mbedtls_x509_crt *ca_chain,
+ mbedtls_x509_crl *ca_crl)
+{
+ ssl->handshake->sni_ca_chain = ca_chain;
+ ssl->handshake->sni_ca_crl = ca_crl;
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
+ const mbedtls_x509_crt *crt)
+{
+ ssl->handshake->dn_hints = crt;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
+void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
+ int authmode)
+{
+ ssl->handshake->sni_authmode = authmode;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy)
+{
+ ssl->f_vrfy = f_vrfy;
+ ssl->p_vrfy = p_vrfy;
+}
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
+static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
+
+static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
+ mbedtls_ssl_context *ssl,
+ mbedtls_svc_key_id_t pwd)
+{
+ psa_status_t status;
+ psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
+ const uint8_t *user = NULL;
+ size_t user_len = 0;
+ const uint8_t *peer = NULL;
+ size_t peer_len = 0;
+ psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
+ psa_pake_cs_set_primitive(&cipher_suite,
+ PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
+ PSA_ECC_FAMILY_SECP_R1,
+ 256));
+ psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
+
+ status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ user = jpake_server_id;
+ user_len = sizeof(jpake_server_id);
+ peer = jpake_client_id;
+ peer_len = sizeof(jpake_client_id);
+ } else {
+ user = jpake_client_id;
+ user_len = sizeof(jpake_client_id);
+ peer = jpake_server_id;
+ peer_len = sizeof(jpake_server_id);
+ }
+
+ status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ ssl->handshake->psa_pake_ctx_is_ok = 1;
+
+ return PSA_SUCCESS;
+}
+
+int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
+ const unsigned char *pw,
+ size_t pw_len)
+{
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status;
+
+ if (ssl->handshake == NULL || ssl->conf == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* Empty password is not valid */
+ if ((pw == NULL) || (pw_len == 0)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
+
+ status = psa_import_key(&attributes, pw, pw_len,
+ &ssl->handshake->psa_pake_password);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
+ ssl->handshake->psa_pake_password);
+ if (status != PSA_SUCCESS) {
+ psa_destroy_key(ssl->handshake->psa_pake_password);
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ return 0;
+}
+
+int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
+ mbedtls_svc_key_id_t pwd)
+{
+ psa_status_t status;
+
+ if (ssl->handshake == NULL || ssl->conf == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_svc_key_id_is_null(pwd)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
+ if (status != PSA_SUCCESS) {
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ return 0;
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
+ const unsigned char *pw,
+ size_t pw_len)
+{
+ mbedtls_ecjpake_role role;
+
+ if (ssl->handshake == NULL || ssl->conf == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* Empty password is not valid */
+ if ((pw == NULL) || (pw_len == 0)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ role = MBEDTLS_ECJPAKE_SERVER;
+ } else {
+ role = MBEDTLS_ECJPAKE_CLIENT;
+ }
+
+ return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
+ role,
+ MBEDTLS_MD_SHA256,
+ MBEDTLS_ECP_DP_SECP256R1,
+ pw, pw_len);
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
+{
+ if (conf->psk_identity == NULL ||
+ conf->psk_identity_len == 0) {
+ return 0;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
+ return 1;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (conf->psk != NULL && conf->psk_len != 0) {
+ return 1;
+ }
+
+ return 0;
+}
+
+static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
+{
+ /* Remove reference to existing PSK, if any. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
+ /* The maintenance of the PSK key slot is the
+ * user's responsibility. */
+ conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if (conf->psk != NULL) {
+ mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
+ conf->psk = NULL;
+ conf->psk_len = 0;
+ }
+
+ /* Remove reference to PSK identity, if any. */
+ if (conf->psk_identity != NULL) {
+ mbedtls_free(conf->psk_identity);
+ conf->psk_identity = NULL;
+ conf->psk_identity_len = 0;
+ }
+}
+
+/* This function assumes that PSK identity in the SSL config is unset.
+ * It checks that the provided identity is well-formed and attempts
+ * to make a copy of it in the SSL config.
+ * On failure, the PSK identity in the config remains unset. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
+ unsigned char const *psk_identity,
+ size_t psk_identity_len)
+{
+ /* Identity len will be encoded on two bytes */
+ if (psk_identity == NULL ||
+ psk_identity_len == 0 ||
+ (psk_identity_len >> 16) != 0 ||
+ psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
+ if (conf->psk_identity == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ conf->psk_identity_len = psk_identity_len;
+ memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
+
+ return 0;
+}
+
+int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
+ const unsigned char *psk, size_t psk_len,
+ const unsigned char *psk_identity, size_t psk_identity_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* We currently only support one PSK, raw or opaque. */
+ if (mbedtls_ssl_conf_has_static_psk(conf)) {
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ /* Check and set raw PSK */
+ if (psk == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (psk_len == 0) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (psk_len > MBEDTLS_PSK_MAX_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ conf->psk_len = psk_len;
+ memcpy(conf->psk, psk, conf->psk_len);
+
+ /* Check and set PSK Identity */
+ ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
+ if (ret != 0) {
+ ssl_conf_remove_psk(conf);
+ }
+
+ return ret;
+}
+
+static void ssl_remove_psk(mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
+ /* The maintenance of the external PSK key slot is the
+ * user's responsibility. */
+ if (ssl->handshake->psk_opaque_is_internal) {
+ psa_destroy_key(ssl->handshake->psk_opaque);
+ ssl->handshake->psk_opaque_is_internal = 0;
+ }
+ ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
+ }
+#else
+ if (ssl->handshake->psk != NULL) {
+ mbedtls_zeroize_and_free(ssl->handshake->psk,
+ ssl->handshake->psk_len);
+ ssl->handshake->psk_len = 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+}
+
+int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
+ const unsigned char *psk, size_t psk_len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_key_attributes_t key_attributes = psa_key_attributes_init();
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_algorithm_t alg = PSA_ALG_NONE;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (psk == NULL || ssl->handshake == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (psk_len > MBEDTLS_PSK_MAX_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl_remove_psk(ssl);
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
+ if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
+ alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
+ } else {
+ alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
+ }
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
+ psa_set_key_usage_flags(&key_attributes,
+ PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ psa_set_key_algorithm(&key_attributes, alg);
+ psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
+
+ status = psa_import_key(&key_attributes, psk, psk_len, &key);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ /* Allow calling psa_destroy_key() on psk remove */
+ ssl->handshake->psk_opaque_is_internal = 1;
+ return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
+#else
+ if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ ssl->handshake->psk_len = psk_len;
+ memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
+
+ return 0;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
+ mbedtls_svc_key_id_t psk,
+ const unsigned char *psk_identity,
+ size_t psk_identity_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* We currently only support one PSK, raw or opaque. */
+ if (mbedtls_ssl_conf_has_static_psk(conf)) {
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ /* Check and set opaque PSK */
+ if (mbedtls_svc_key_id_is_null(psk)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ conf->psk_opaque = psk;
+
+ /* Check and set PSK Identity */
+ ret = ssl_conf_set_psk_identity(conf, psk_identity,
+ psk_identity_len);
+ if (ret != 0) {
+ ssl_conf_remove_psk(conf);
+ }
+
+ return ret;
+}
+
+int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
+ mbedtls_svc_key_id_t psk)
+{
+ if ((mbedtls_svc_key_id_is_null(psk)) ||
+ (ssl->handshake == NULL)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl_remove_psk(ssl);
+ ssl->handshake->psk_opaque = psk;
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
+ int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
+ size_t),
+ void *p_psk)
+{
+ conf->f_psk = f_psk;
+ conf->p_psk = p_psk;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
+ psa_algorithm_t alg)
+{
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ if (alg == PSA_ALG_CBC_NO_PADDING) {
+ return MBEDTLS_SSL_MODE_CBC;
+ }
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+ if (PSA_ALG_IS_AEAD(alg)) {
+ return MBEDTLS_SSL_MODE_AEAD;
+ }
+ return MBEDTLS_SSL_MODE_STREAM;
+}
+
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
+ mbedtls_cipher_mode_t mode)
+{
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ if (mode == MBEDTLS_MODE_CBC) {
+ return MBEDTLS_SSL_MODE_CBC;
+ }
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+
+#if defined(MBEDTLS_GCM_C) || \
+ defined(MBEDTLS_CCM_C) || \
+ defined(MBEDTLS_CHACHAPOLY_C)
+ if (mode == MBEDTLS_MODE_GCM ||
+ mode == MBEDTLS_MODE_CCM ||
+ mode == MBEDTLS_MODE_CHACHAPOLY) {
+ return MBEDTLS_SSL_MODE_AEAD;
+ }
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
+
+ return MBEDTLS_SSL_MODE_STREAM;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
+ mbedtls_ssl_mode_t base_mode,
+ int encrypt_then_mac)
+{
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
+ base_mode == MBEDTLS_SSL_MODE_CBC) {
+ return MBEDTLS_SSL_MODE_CBC_ETM;
+ }
+#else
+ (void) encrypt_then_mac;
+#endif
+ return base_mode;
+}
+
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
+ const mbedtls_ssl_transform *transform)
+{
+ mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ transform->psa_alg
+#else
+ mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
+#endif
+ );
+
+ int encrypt_then_mac = 0;
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ encrypt_then_mac = transform->encrypt_then_mac;
+#endif
+ return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
+}
+
+mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ int encrypt_then_mac,
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+ const mbedtls_ssl_ciphersuite_t *suite)
+{
+ mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status;
+ psa_algorithm_t alg;
+ psa_key_type_t type;
+ size_t size;
+ status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
+ 0, &alg, &type, &size);
+ if (status == PSA_SUCCESS) {
+ base_mode = mbedtls_ssl_get_base_mode(alg);
+ }
+#else
+ const mbedtls_cipher_info_t *cipher =
+ mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher);
+ if (cipher != NULL) {
+ base_mode =
+ mbedtls_ssl_get_base_mode(
+ mbedtls_cipher_info_get_mode(cipher));
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ int encrypt_then_mac = 0;
+#endif
+ return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
+ size_t taglen,
+ psa_algorithm_t *alg,
+ psa_key_type_t *key_type,
+ size_t *key_size)
+{
+#if !defined(MBEDTLS_SSL_HAVE_CCM)
+ (void) taglen;
+#endif
+ switch (mbedtls_cipher_type) {
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
+ case MBEDTLS_CIPHER_AES_128_CBC:
+ *alg = PSA_ALG_CBC_NO_PADDING;
+ *key_type = PSA_KEY_TYPE_AES;
+ *key_size = 128;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
+ case MBEDTLS_CIPHER_AES_128_CCM:
+ *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
+ *key_type = PSA_KEY_TYPE_AES;
+ *key_size = 128;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
+ case MBEDTLS_CIPHER_AES_128_GCM:
+ *alg = PSA_ALG_GCM;
+ *key_type = PSA_KEY_TYPE_AES;
+ *key_size = 128;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
+ case MBEDTLS_CIPHER_AES_192_CCM:
+ *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
+ *key_type = PSA_KEY_TYPE_AES;
+ *key_size = 192;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
+ case MBEDTLS_CIPHER_AES_192_GCM:
+ *alg = PSA_ALG_GCM;
+ *key_type = PSA_KEY_TYPE_AES;
+ *key_size = 192;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
+ case MBEDTLS_CIPHER_AES_256_CBC:
+ *alg = PSA_ALG_CBC_NO_PADDING;
+ *key_type = PSA_KEY_TYPE_AES;
+ *key_size = 256;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
+ case MBEDTLS_CIPHER_AES_256_CCM:
+ *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
+ *key_type = PSA_KEY_TYPE_AES;
+ *key_size = 256;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
+ case MBEDTLS_CIPHER_AES_256_GCM:
+ *alg = PSA_ALG_GCM;
+ *key_type = PSA_KEY_TYPE_AES;
+ *key_size = 256;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
+ case MBEDTLS_CIPHER_ARIA_128_CBC:
+ *alg = PSA_ALG_CBC_NO_PADDING;
+ *key_type = PSA_KEY_TYPE_ARIA;
+ *key_size = 128;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
+ case MBEDTLS_CIPHER_ARIA_128_CCM:
+ *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
+ *key_type = PSA_KEY_TYPE_ARIA;
+ *key_size = 128;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
+ case MBEDTLS_CIPHER_ARIA_128_GCM:
+ *alg = PSA_ALG_GCM;
+ *key_type = PSA_KEY_TYPE_ARIA;
+ *key_size = 128;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
+ case MBEDTLS_CIPHER_ARIA_192_CCM:
+ *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
+ *key_type = PSA_KEY_TYPE_ARIA;
+ *key_size = 192;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
+ case MBEDTLS_CIPHER_ARIA_192_GCM:
+ *alg = PSA_ALG_GCM;
+ *key_type = PSA_KEY_TYPE_ARIA;
+ *key_size = 192;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
+ case MBEDTLS_CIPHER_ARIA_256_CBC:
+ *alg = PSA_ALG_CBC_NO_PADDING;
+ *key_type = PSA_KEY_TYPE_ARIA;
+ *key_size = 256;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
+ case MBEDTLS_CIPHER_ARIA_256_CCM:
+ *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
+ *key_type = PSA_KEY_TYPE_ARIA;
+ *key_size = 256;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
+ case MBEDTLS_CIPHER_ARIA_256_GCM:
+ *alg = PSA_ALG_GCM;
+ *key_type = PSA_KEY_TYPE_ARIA;
+ *key_size = 256;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
+ case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
+ *alg = PSA_ALG_CBC_NO_PADDING;
+ *key_type = PSA_KEY_TYPE_CAMELLIA;
+ *key_size = 128;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
+ case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
+ *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
+ *key_type = PSA_KEY_TYPE_CAMELLIA;
+ *key_size = 128;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
+ case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
+ *alg = PSA_ALG_GCM;
+ *key_type = PSA_KEY_TYPE_CAMELLIA;
+ *key_size = 128;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
+ case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
+ *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
+ *key_type = PSA_KEY_TYPE_CAMELLIA;
+ *key_size = 192;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
+ case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
+ *alg = PSA_ALG_GCM;
+ *key_type = PSA_KEY_TYPE_CAMELLIA;
+ *key_size = 192;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
+ case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
+ *alg = PSA_ALG_CBC_NO_PADDING;
+ *key_type = PSA_KEY_TYPE_CAMELLIA;
+ *key_size = 256;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
+ case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
+ *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
+ *key_type = PSA_KEY_TYPE_CAMELLIA;
+ *key_size = 256;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
+ case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
+ *alg = PSA_ALG_GCM;
+ *key_type = PSA_KEY_TYPE_CAMELLIA;
+ *key_size = 256;
+ break;
+#endif
+#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
+ case MBEDTLS_CIPHER_CHACHA20_POLY1305:
+ *alg = PSA_ALG_CHACHA20_POLY1305;
+ *key_type = PSA_KEY_TYPE_CHACHA20;
+ *key_size = 256;
+ break;
+#endif
+ case MBEDTLS_CIPHER_NULL:
+ *alg = MBEDTLS_SSL_NULL_CIPHER;
+ *key_type = 0;
+ *key_size = 0;
+ break;
+ default:
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ return PSA_SUCCESS;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
+ const unsigned char *dhm_P, size_t P_len,
+ const unsigned char *dhm_G, size_t G_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_mpi_free(&conf->dhm_P);
+ mbedtls_mpi_free(&conf->dhm_G);
+
+ if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
+ (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
+ mbedtls_mpi_free(&conf->dhm_P);
+ mbedtls_mpi_free(&conf->dhm_G);
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_mpi_free(&conf->dhm_P);
+ mbedtls_mpi_free(&conf->dhm_G);
+
+ if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
+ &conf->dhm_P)) != 0 ||
+ (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
+ &conf->dhm_G)) != 0) {
+ mbedtls_mpi_free(&conf->dhm_P);
+ mbedtls_mpi_free(&conf->dhm_G);
+ return ret;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/*
+ * Set the minimum length for Diffie-Hellman parameters
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
+ unsigned int bitlen)
+{
+ conf->dhm_min_bitlen = bitlen;
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
+/*
+ * Set allowed/preferred hashes for handshake signatures
+ */
+void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
+ const int *hashes)
+{
+ conf->sig_hashes = hashes;
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
+
+/* Configure allowed signature algorithms for handshake */
+void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
+ const uint16_t *sig_algs)
+{
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+ conf->sig_hashes = NULL;
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+ conf->sig_algs = sig_algs;
+}
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_ECP_C)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/*
+ * Set the allowed elliptic curves
+ *
+ * mbedtls_ssl_setup() takes the provided list
+ * and translates it to a list of IANA TLS group identifiers,
+ * stored in ssl->handshake->group_list.
+ *
+ */
+void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
+ const mbedtls_ecp_group_id *curve_list)
+{
+ conf->curve_list = curve_list;
+ conf->group_list = NULL;
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_ECP_C */
+
+/*
+ * Set the allowed groups
+ */
+void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
+ const uint16_t *group_list)
+{
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ conf->curve_list = NULL;
+#endif
+ conf->group_list = group_list;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
+{
+ /* Initialize to suppress unnecessary compiler warning */
+ size_t hostname_len = 0;
+
+ /* Check if new hostname is valid before
+ * making any change to current one */
+ if (hostname != NULL) {
+ hostname_len = strlen(hostname);
+
+ if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ }
+
+ /* Now it's clear that we will overwrite the old hostname,
+ * so we can free it safely */
+
+ if (ssl->hostname != NULL) {
+ mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
+ }
+
+ /* Passing NULL as hostname shall clear the old one */
+
+ if (hostname == NULL) {
+ ssl->hostname = NULL;
+ } else {
+ ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
+ if (ssl->hostname == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(ssl->hostname, hostname, hostname_len);
+
+ ssl->hostname[hostname_len] = '\0';
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
+ int (*f_sni)(void *, mbedtls_ssl_context *,
+ const unsigned char *, size_t),
+ void *p_sni)
+{
+ conf->f_sni = f_sni;
+ conf->p_sni = p_sni;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ALPN)
+int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
+{
+ size_t cur_len, tot_len;
+ const char **p;
+
+ /*
+ * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
+ * MUST NOT be truncated."
+ * We check lengths now rather than later.
+ */
+ tot_len = 0;
+ for (p = protos; *p != NULL; p++) {
+ cur_len = strlen(*p);
+ tot_len += cur_len;
+
+ if ((cur_len == 0) ||
+ (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
+ (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ }
+
+ conf->alpn_list = protos;
+
+ return 0;
+}
+
+const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
+{
+ return ssl->alpn_chosen;
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
+ int support_mki_value)
+{
+ conf->dtls_srtp_mki_support = support_mki_value;
+}
+
+int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
+ unsigned char *mki_value,
+ uint16_t mki_len)
+{
+ if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
+ ssl->dtls_srtp_info.mki_len = mki_len;
+ return 0;
+}
+
+int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
+ const mbedtls_ssl_srtp_profile *profiles)
+{
+ const mbedtls_ssl_srtp_profile *p;
+ size_t list_size = 0;
+
+ /* check the profiles list: all entry must be valid,
+ * its size cannot be more than the total number of supported profiles, currently 4 */
+ for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
+ list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
+ p++) {
+ if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
+ list_size++;
+ } else {
+ /* unsupported value, stop parsing and set the size to an error value */
+ list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
+ }
+ }
+
+ if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
+ conf->dtls_srtp_profile_list = NULL;
+ conf->dtls_srtp_profile_list_len = 0;
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ conf->dtls_srtp_profile_list = profiles;
+ conf->dtls_srtp_profile_list_len = list_size;
+
+ return 0;
+}
+
+void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
+ mbedtls_dtls_srtp_info *dtls_srtp_info)
+{
+ dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
+ /* do not copy the mki value if there is no chosen profile */
+ if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
+ dtls_srtp_info->mki_len = 0;
+ } else {
+ dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
+ memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
+ ssl->dtls_srtp_info.mki_len);
+ }
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
+{
+ conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
+}
+
+void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
+{
+ conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
+ char cert_req_ca_list)
+{
+ conf->cert_req_ca_list = cert_req_ca_list;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
+{
+ conf->encrypt_then_mac = etm;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
+{
+ conf->extended_ms = ems;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
+{
+ if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
+ ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ conf->mfl_code = mfl_code;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
+{
+ conf->allow_legacy_renegotiation = allow_legacy;
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
+{
+ conf->disable_renegotiation = renegotiation;
+}
+
+void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
+{
+ conf->renego_max_records = max_records;
+}
+
+void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
+ const unsigned char period[8])
+{
+ memcpy(conf->renego_period, period, 8);
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
+void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
+{
+ conf->session_tickets = use_tickets;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
+ uint16_t num_tickets)
+{
+ conf->new_session_tickets_count = num_tickets;
+}
+#endif
+
+void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
+ mbedtls_ssl_ticket_write_t *f_ticket_write,
+ mbedtls_ssl_ticket_parse_t *f_ticket_parse,
+ void *p_ticket)
+{
+ conf->f_ticket_write = f_ticket_write;
+ conf->f_ticket_parse = f_ticket_parse;
+ conf->p_ticket = p_ticket;
+}
+#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_export_keys_t *f_export_keys,
+ void *p_export_keys)
+{
+ ssl->f_export_keys = f_export_keys;
+ ssl->p_export_keys = p_export_keys;
+}
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+void mbedtls_ssl_conf_async_private_cb(
+ mbedtls_ssl_config *conf,
+ mbedtls_ssl_async_sign_t *f_async_sign,
+ mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+ mbedtls_ssl_async_resume_t *f_async_resume,
+ mbedtls_ssl_async_cancel_t *f_async_cancel,
+ void *async_config_data)
+{
+ conf->f_async_sign_start = f_async_sign;
+ conf->f_async_decrypt_start = f_async_decrypt;
+ conf->f_async_resume = f_async_resume;
+ conf->f_async_cancel = f_async_cancel;
+ conf->p_async_config_data = async_config_data;
+}
+
+void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
+{
+ return conf->p_async_config_data;
+}
+
+void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
+{
+ if (ssl->handshake == NULL) {
+ return NULL;
+ } else {
+ return ssl->handshake->user_async_ctx;
+ }
+}
+
+void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
+ void *ctx)
+{
+ if (ssl->handshake != NULL) {
+ ssl->handshake->user_async_ctx = ctx;
+ }
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/*
+ * SSL get accessors
+ */
+uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
+{
+ if (ssl->session != NULL) {
+ return ssl->session->verify_result;
+ }
+
+ if (ssl->session_negotiate != NULL) {
+ return ssl->session_negotiate->verify_result;
+ }
+
+ return 0xFFFFFFFF;
+}
+
+int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
+{
+ if (ssl == NULL || ssl->session == NULL) {
+ return 0;
+ }
+
+ return ssl->session->ciphersuite;
+}
+
+const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
+{
+ if (ssl == NULL || ssl->session == NULL) {
+ return NULL;
+ }
+
+ return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
+}
+
+const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ switch (ssl->tls_version) {
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ return "DTLSv1.2";
+ default:
+ return "unknown (DTLS)";
+ }
+ }
+#endif
+
+ switch (ssl->tls_version) {
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ return "TLSv1.2";
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ return "TLSv1.3";
+ default:
+ return "unknown";
+ }
+}
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+
+size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
+{
+ const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+ size_t record_size_limit = max_len;
+
+ if (ssl->session != NULL &&
+ ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+ ssl->session->record_size_limit < max_len) {
+ record_size_limit = ssl->session->record_size_limit;
+ }
+
+ // TODO: this is currently untested
+ /* During a handshake, use the value being negotiated */
+ if (ssl->session_negotiate != NULL &&
+ ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
+ ssl->session_negotiate->record_size_limit < max_len) {
+ record_size_limit = ssl->session_negotiate->record_size_limit;
+ }
+
+ return record_size_limit;
+}
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
+{
+ size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
+ size_t read_mfl;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
+ return ssl_mfl_code_to_length(ssl->conf->mfl_code);
+ }
+#endif
+
+ /* Check if a smaller max length was negotiated */
+ if (ssl->session_out != NULL) {
+ read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
+ if (read_mfl < max_len) {
+ max_len = read_mfl;
+ }
+ }
+
+ /* During a handshake, use the value being negotiated */
+ if (ssl->session_negotiate != NULL) {
+ read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
+ if (read_mfl < max_len) {
+ max_len = read_mfl;
+ }
+ }
+
+ return max_len;
+}
+
+size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
+{
+ size_t max_len;
+
+ /*
+ * Assume mfl_code is correct since it was checked when set
+ */
+ max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
+
+ /* Check if a smaller max length was negotiated */
+ if (ssl->session_out != NULL &&
+ ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
+ max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
+ }
+
+ /* During a handshake, use the value being negotiated */
+ if (ssl->session_negotiate != NULL &&
+ ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
+ max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
+ }
+
+ return max_len;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
+{
+ /* Return unlimited mtu for client hello messages to avoid fragmentation. */
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
+ ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
+ return 0;
+ }
+
+ if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
+ return ssl->mtu;
+ }
+
+ if (ssl->mtu == 0) {
+ return ssl->handshake->mtu;
+ }
+
+ return ssl->mtu < ssl->handshake->mtu ?
+ ssl->mtu : ssl->handshake->mtu;
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
+{
+ size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
+ !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
+ !defined(MBEDTLS_SSL_PROTO_DTLS)
+ (void) ssl;
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
+
+ if (max_len > mfl) {
+ max_len = mfl;
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
+
+ if (max_len > record_size_limit) {
+ max_len = record_size_limit;
+ }
+#endif
+
+ if (ssl->transform_out != NULL &&
+ ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ /*
+ * In TLS 1.3 case, when records are protected, `max_len` as computed
+ * above is the maximum length of the TLSInnerPlaintext structure that
+ * along the plaintext payload contains the inner content type (one byte)
+ * and some zero padding. Given the algorithm used for padding
+ * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
+ * the plaintext payload. Round down to a multiple of
+ * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
+ * subtract 1.
+ */
+ max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
+ const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
+ const int ret = mbedtls_ssl_get_record_expansion(ssl);
+ const size_t overhead = (size_t) ret;
+
+ if (ret < 0) {
+ return ret;
+ }
+
+ if (mtu <= overhead) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ if (max_len > mtu - overhead) {
+ max_len = mtu - overhead;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
+ !defined(MBEDTLS_SSL_PROTO_DTLS) && \
+ !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ ((void) ssl);
+#endif
+
+ return (int) max_len;
+}
+
+int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
+{
+ size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ (void) ssl;
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
+
+ if (max_len > mfl) {
+ max_len = mfl;
+ }
+#endif
+
+ return (int) max_len;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
+{
+ if (ssl == NULL || ssl->session == NULL) {
+ return NULL;
+ }
+
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ return ssl->session->peer_cert;
+#else
+ return NULL;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
+ mbedtls_ssl_session *dst)
+{
+ int ret;
+
+ if (ssl == NULL ||
+ dst == NULL ||
+ ssl->session == NULL ||
+ ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
+ * idempotent: Each session can only be exported once.
+ *
+ * (This is in preparation for TLS 1.3 support where we will
+ * need the ability to export multiple sessions (aka tickets),
+ * which will be achieved by calling mbedtls_ssl_get_session()
+ * multiple times until it fails.)
+ *
+ * Check whether we have already exported the current session,
+ * and fail if so.
+ */
+ if (ssl->session->exported == 1) {
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ ret = mbedtls_ssl_session_copy(dst, ssl->session);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Remember that we've exported the session. */
+ ssl->session->exported = 1;
+ return 0;
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
+/* Serialization of TLS 1.2 sessions
+ *
+ * For more detail, see the description of ssl_session_save().
+ */
+static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t buf_len)
+{
+ unsigned char *p = buf;
+ size_t used = 0;
+
+#if defined(MBEDTLS_HAVE_TIME)
+ uint64_t start;
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ size_t cert_len;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+ /*
+ * Time
+ */
+#if defined(MBEDTLS_HAVE_TIME)
+ used += 8;
+
+ if (used <= buf_len) {
+ start = (uint64_t) session->start;
+
+ MBEDTLS_PUT_UINT64_BE(start, p, 0);
+ p += 8;
+ }
+#endif /* MBEDTLS_HAVE_TIME */
+
+ /*
+ * Basic mandatory fields
+ */
+ used += 1 /* id_len */
+ + sizeof(session->id)
+ + sizeof(session->master)
+ + 4; /* verify_result */
+
+ if (used <= buf_len) {
+ *p++ = MBEDTLS_BYTE_0(session->id_len);
+ memcpy(p, session->id, 32);
+ p += 32;
+
+ memcpy(p, session->master, 48);
+ p += 48;
+
+ MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
+ p += 4;
+ }
+
+ /*
+ * Peer's end-entity certificate
+ */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ if (session->peer_cert == NULL) {
+ cert_len = 0;
+ } else {
+ cert_len = session->peer_cert->raw.len;
+ }
+
+ used += 3 + cert_len;
+
+ if (used <= buf_len) {
+ *p++ = MBEDTLS_BYTE_2(cert_len);
+ *p++ = MBEDTLS_BYTE_1(cert_len);
+ *p++ = MBEDTLS_BYTE_0(cert_len);
+
+ if (session->peer_cert != NULL) {
+ memcpy(p, session->peer_cert->raw.p, cert_len);
+ p += cert_len;
+ }
+ }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if (session->peer_cert_digest != NULL) {
+ used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
+ if (used <= buf_len) {
+ *p++ = (unsigned char) session->peer_cert_digest_type;
+ *p++ = (unsigned char) session->peer_cert_digest_len;
+ memcpy(p, session->peer_cert_digest,
+ session->peer_cert_digest_len);
+ p += session->peer_cert_digest_len;
+ }
+ } else {
+ used += 2;
+ if (used <= buf_len) {
+ *p++ = (unsigned char) MBEDTLS_MD_NONE;
+ *p++ = 0;
+ }
+ }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+ /*
+ * Session ticket if any, plus associated data
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
+
+ if (used <= buf_len) {
+ *p++ = MBEDTLS_BYTE_2(session->ticket_len);
+ *p++ = MBEDTLS_BYTE_1(session->ticket_len);
+ *p++ = MBEDTLS_BYTE_0(session->ticket_len);
+
+ if (session->ticket != NULL) {
+ memcpy(p, session->ticket, session->ticket_len);
+ p += session->ticket_len;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
+ p += 4;
+ }
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ used += 8;
+
+ if (used <= buf_len) {
+ MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
+ p += 8;
+ }
+ }
+#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ /*
+ * Misc extension-related info
+ */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ used += 1;
+
+ if (used <= buf_len) {
+ *p++ = session->mfl_code;
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ used += 1;
+
+ if (used <= buf_len) {
+ *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
+ }
+#endif
+
+ return used;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls12_session_load(mbedtls_ssl_session *session,
+ const unsigned char *buf,
+ size_t len)
+{
+#if defined(MBEDTLS_HAVE_TIME)
+ uint64_t start;
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ size_t cert_len;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+ const unsigned char *p = buf;
+ const unsigned char * const end = buf + len;
+
+ /*
+ * Time
+ */
+#if defined(MBEDTLS_HAVE_TIME)
+ if (8 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ start = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+
+ session->start = (time_t) start;
+#endif /* MBEDTLS_HAVE_TIME */
+
+ /*
+ * Basic mandatory fields
+ */
+ if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->id_len = *p++;
+ memcpy(session->id, p, 32);
+ p += 32;
+
+ memcpy(session->master, p, 48);
+ p += 48;
+
+ session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+
+ /* Immediately clear invalid pointer values that have been read, in case
+ * we exit early before we replaced them with valid ones. */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ session->peer_cert = NULL;
+#else
+ session->peer_cert_digest = NULL;
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+ session->ticket = NULL;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+ /*
+ * Peer certificate
+ */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ /* Deserialize CRT from the end of the ticket. */
+ if (3 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
+ p += 3;
+
+ if (cert_len != 0) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (cert_len > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
+
+ if (session->peer_cert == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ mbedtls_x509_crt_init(session->peer_cert);
+
+ if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
+ p, cert_len)) != 0) {
+ mbedtls_x509_crt_free(session->peer_cert);
+ mbedtls_free(session->peer_cert);
+ session->peer_cert = NULL;
+ return ret;
+ }
+
+ p += cert_len;
+ }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ /* Deserialize CRT digest from the end of the ticket. */
+ if (2 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
+ session->peer_cert_digest_len = (size_t) *p++;
+
+ if (session->peer_cert_digest_len != 0) {
+ const mbedtls_md_info_t *md_info =
+ mbedtls_md_info_from_type(session->peer_cert_digest_type);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (session->peer_cert_digest_len > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->peer_cert_digest =
+ mbedtls_calloc(1, session->peer_cert_digest_len);
+ if (session->peer_cert_digest == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(session->peer_cert_digest, p,
+ session->peer_cert_digest_len);
+ p += session->peer_cert_digest_len;
+ }
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+ /*
+ * Session ticket and associated data
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ if (3 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
+ p += 3;
+
+ if (session->ticket_len != 0) {
+ if (session->ticket_len > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->ticket = mbedtls_calloc(1, session->ticket_len);
+ if (session->ticket == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(session->ticket, p, session->ticket_len);
+ p += session->ticket_len;
+ }
+
+ if (4 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ if (8 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+ }
+#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ /*
+ * Misc extension-related info
+ */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ if (1 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->mfl_code = *p++;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ if (1 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session->encrypt_then_mac = *p++;
+#endif
+
+ /* Done, should have consumed entire buffer */
+ if (p != end) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/* Serialization of TLS 1.3 sessions:
+ *
+ * For more detail, see the description of ssl_session_save().
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t buf_len,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+#if defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ size_t hostname_len = (session->hostname == NULL) ?
+ 0 : strlen(session->hostname) + 1;
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ const size_t alpn_len = (session->ticket_alpn == NULL) ?
+ 0 : strlen(session->ticket_alpn) + 1;
+#endif
+ size_t needed = 4 /* ticket_age_add */
+ + 1 /* ticket_flags */
+ + 1; /* resumption_key length */
+
+ *olen = 0;
+
+ if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ needed += session->resumption_key_len; /* resumption_key */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ needed += 4; /* max_early_data_size */
+#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ needed += 2; /* record_size_limit */
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ needed += 8; /* ticket_creation_time or ticket_reception_time */
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ needed += 2 /* alpn_len */
+ + alpn_len; /* alpn */
+#endif
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ needed += 2 /* hostname_len */
+ + hostname_len; /* hostname */
+#endif
+
+ needed += 4 /* ticket_lifetime */
+ + 2; /* ticket_len */
+
+ /* Check size_t overflow */
+ if (session->ticket_len > SIZE_MAX - needed) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ needed += session->ticket_len; /* ticket */
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+ *olen = needed;
+ if (needed > buf_len) {
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
+ p[4] = session->ticket_flags;
+
+ /* save resumption_key */
+ p[5] = session->resumption_key_len;
+ p += 6;
+ memcpy(p, session->resumption_key, session->resumption_key_len);
+ p += session->resumption_key_len;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
+ p += 4;
+#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
+ p += 2;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+#if defined(MBEDTLS_HAVE_TIME)
+ MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
+ p += 8;
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
+ p += 2;
+
+ if (alpn_len > 0) {
+ /* save chosen alpn */
+ memcpy(p, session->ticket_alpn, alpn_len);
+ p += alpn_len;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
+ p += 2;
+ if (hostname_len > 0) {
+ /* save host name */
+ memcpy(p, session->hostname, hostname_len);
+ p += hostname_len;
+ }
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
+ p += 8;
+#endif
+ MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
+ p += 4;
+
+ MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
+ p += 2;
+
+ if (session->ticket != NULL && session->ticket_len > 0) {
+ memcpy(p, session->ticket, session->ticket_len);
+ p += session->ticket_len;
+ }
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_session_load(mbedtls_ssl_session *session,
+ const unsigned char *buf,
+ size_t len)
+{
+ const unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+
+ if (end - p < 6) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
+ session->ticket_flags = p[4];
+
+ /* load resumption_key */
+ session->resumption_key_len = p[5];
+ p += 6;
+
+ if (end - p < session->resumption_key_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (sizeof(session->resumption_key) < session->resumption_key_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ memcpy(session->resumption_key, p, session->resumption_key_len);
+ p += session->resumption_key_len;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (end - p < 4) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+#endif
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
+#if defined(MBEDTLS_HAVE_TIME)
+ if (end - p < 8) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ size_t alpn_len;
+
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ if (end - p < (long int) alpn_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (alpn_len > 0) {
+ int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
+ if (ret != 0) {
+ return ret;
+ }
+ p += alpn_len;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ size_t hostname_len;
+ /* load host name */
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ if (end - p < (long int) hostname_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (hostname_len > 0) {
+ session->hostname = mbedtls_calloc(1, hostname_len);
+ if (session->hostname == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ memcpy(session->hostname, p, hostname_len);
+ p += hostname_len;
+ }
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ if (end - p < 8) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+#endif
+ if (end - p < 4) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ if (end - p < (long int) session->ticket_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (session->ticket_len > 0) {
+ session->ticket = mbedtls_calloc(1, session->ticket_len);
+ if (session->ticket == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ memcpy(session->ticket, p, session->ticket_len);
+ p += session->ticket_len;
+ }
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+ return 0;
+
+}
+#else /* MBEDTLS_SSL_SESSION_TICKETS */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t buf_len,
+ size_t *olen)
+{
+ ((void) session);
+ ((void) buf);
+ ((void) buf_len);
+ *olen = 0;
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+}
+
+static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t buf_len)
+{
+ ((void) session);
+ ((void) buf);
+ ((void) buf_len);
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+}
+#endif /* !MBEDTLS_SSL_SESSION_TICKETS */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+/*
+ * Define ticket header determining Mbed TLS version
+ * and structure of the ticket.
+ */
+
+/*
+ * Define bitflag determining compile-time settings influencing
+ * structure of serialized SSL sessions.
+ */
+
+#if defined(MBEDTLS_HAVE_TIME)
+#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
+#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
+ defined(MBEDTLS_SSL_EARLY_DATA)
+#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
+#else
+#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
+#endif /* MBEDTLS_SSL_ALPN */
+
+#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
+#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
+#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
+#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
+#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
+#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
+#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
+#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
+#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
+#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
+#define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
+
+#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
+ ((uint16_t) ( \
+ (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
+ SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
+ SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
+ SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
+ SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
+ (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
+ SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
+
+static const unsigned char ssl_serialized_session_header[] = {
+ MBEDTLS_VERSION_MAJOR,
+ MBEDTLS_VERSION_MINOR,
+ MBEDTLS_VERSION_PATCH,
+ MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
+ MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
+};
+
+/*
+ * Serialize a session in the following format:
+ * (in the presentation language of TLS, RFC 8446 section 3)
+ *
+ * TLS 1.2 session:
+ *
+ * struct {
+ * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ * opaque ticket<0..2^24-1>; // length 0 means no ticket
+ * uint32 ticket_lifetime;
+ * #endif
+ * } ClientOnlyData;
+ *
+ * struct {
+ * #if defined(MBEDTLS_HAVE_TIME)
+ * uint64 start_time;
+ * #endif
+ * uint8 session_id_len; // at most 32
+ * opaque session_id[32];
+ * opaque master[48]; // fixed length in the standard
+ * uint32 verify_result;
+ * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+ * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
+ * #else
+ * uint8 peer_cert_digest_type;
+ * opaque peer_cert_digest<0..2^8-1>
+ * #endif
+ * select (endpoint) {
+ * case client: ClientOnlyData;
+ * case server: uint64 ticket_creation_time;
+ * };
+ * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ * uint8 mfl_code; // up to 255 according to standard
+ * #endif
+ * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ * uint8 encrypt_then_mac; // 0 or 1
+ * #endif
+ * } serialized_session_tls12;
+ *
+ *
+ * TLS 1.3 Session:
+ *
+ * struct {
+ * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ * opaque hostname<0..2^16-1>;
+ * #endif
+ * #if defined(MBEDTLS_HAVE_TIME)
+ * uint64 ticket_reception_time;
+ * #endif
+ * uint32 ticket_lifetime;
+ * opaque ticket<1..2^16-1>;
+ * } ClientOnlyData;
+ *
+ * struct {
+ * uint32 ticket_age_add;
+ * uint8 ticket_flags;
+ * opaque resumption_key<0..255>;
+ * #if defined(MBEDTLS_SSL_EARLY_DATA)
+ * uint32 max_early_data_size;
+ * #endif
+ * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ * uint16 record_size_limit;
+ * #endif
+ * select ( endpoint ) {
+ * case client: ClientOnlyData;
+ * case server:
+ * #if defined(MBEDTLS_HAVE_TIME)
+ * uint64 ticket_creation_time;
+ * #endif
+ * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ * opaque ticket_alpn<0..256>;
+ * #endif
+ * };
+ * } serialized_session_tls13;
+ *
+ *
+ * SSL session:
+ *
+ * struct {
+ *
+ * opaque mbedtls_version[3]; // library version: major, minor, patch
+ * opaque session_format[2]; // library-version specific 16-bit field
+ * // determining the format of the remaining
+ * // serialized data.
+ *
+ * Note: When updating the format, remember to keep
+ * these version+format bytes.
+ *
+ * // In this version, `session_format` determines
+ * // the setting of those compile-time
+ * // configuration options which influence
+ * // the structure of mbedtls_ssl_session.
+ *
+ * uint8_t minor_ver; // Protocol minor version. Possible values:
+ * // - TLS 1.2 (0x0303)
+ * // - TLS 1.3 (0x0304)
+ * uint8_t endpoint;
+ * uint16_t ciphersuite;
+ *
+ * select (serialized_session.tls_version) {
+ *
+ * case MBEDTLS_SSL_VERSION_TLS1_2:
+ * serialized_session_tls12 data;
+ * case MBEDTLS_SSL_VERSION_TLS1_3:
+ * serialized_session_tls13 data;
+ *
+ * };
+ *
+ * } serialized_session;
+ *
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_session_save(const mbedtls_ssl_session *session,
+ unsigned char omit_header,
+ unsigned char *buf,
+ size_t buf_len,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ size_t used = 0;
+ size_t remaining_len;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ size_t out_len;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#endif
+ if (session == NULL) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ if (!omit_header) {
+ /*
+ * Add Mbed TLS version identifier
+ */
+ used += sizeof(ssl_serialized_session_header);
+
+ if (used <= buf_len) {
+ memcpy(p, ssl_serialized_session_header,
+ sizeof(ssl_serialized_session_header));
+ p += sizeof(ssl_serialized_session_header);
+ }
+ }
+
+ /*
+ * TLS version identifier, endpoint, ciphersuite
+ */
+ used += 1 /* TLS version */
+ + 1 /* endpoint */
+ + 2; /* ciphersuite */
+ if (used <= buf_len) {
+ *p++ = MBEDTLS_BYTE_0(session->tls_version);
+ *p++ = session->endpoint;
+ MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
+ p += 2;
+ }
+
+ /* Forward to version-specific serialization routine. */
+ remaining_len = (buf_len >= used) ? buf_len - used : 0;
+ switch (session->tls_version) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ used += ssl_tls12_session_save(session, p, remaining_len);
+ break;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
+ if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
+ return ret;
+ }
+ used += out_len;
+ break;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ default:
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ *olen = used;
+ if (used > buf_len) {
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ return 0;
+}
+
+/*
+ * Public wrapper for ssl_session_save()
+ */
+int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
+ unsigned char *buf,
+ size_t buf_len,
+ size_t *olen)
+{
+ return ssl_session_save(session, 0, buf, buf_len, olen);
+}
+
+/*
+ * Deserialize session, see mbedtls_ssl_session_save() for format.
+ *
+ * This internal version is wrapped by a public function that cleans up in
+ * case of error, and has an extra option omit_header.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_session_load(mbedtls_ssl_session *session,
+ unsigned char omit_header,
+ const unsigned char *buf,
+ size_t len)
+{
+ const unsigned char *p = buf;
+ const unsigned char * const end = buf + len;
+ size_t remaining_len;
+
+
+ if (session == NULL) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ if (!omit_header) {
+ /*
+ * Check Mbed TLS version identifier
+ */
+
+ if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (memcmp(p, ssl_serialized_session_header,
+ sizeof(ssl_serialized_session_header)) != 0) {
+ return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
+ }
+ p += sizeof(ssl_serialized_session_header);
+ }
+
+ /*
+ * TLS version identifier, endpoint, ciphersuite
+ */
+ if (4 > (size_t) (end - p)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
+ session->endpoint = *p++;
+ session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ /* Dispatch according to TLS version. */
+ remaining_len = (size_t) (end - p);
+ switch (session->tls_version) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ case MBEDTLS_SSL_VERSION_TLS1_2:
+ return ssl_tls12_session_load(session, p, remaining_len);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ case MBEDTLS_SSL_VERSION_TLS1_3:
+ return ssl_tls13_session_load(session, p, remaining_len);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ default:
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+}
+
+/*
+ * Deserialize session: public wrapper for error cleaning
+ */
+int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
+ const unsigned char *buf,
+ size_t len)
+{
+ int ret = ssl_session_load(session, 0, buf, len);
+
+ if (ret != 0) {
+ mbedtls_ssl_session_free(session);
+ }
+
+ return ret;
+}
+
+/*
+ * Perform a single step of the SSL handshake
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /*
+ * We may have not been able to send to the peer all the handshake data
+ * that were written into the output buffer by the previous handshake step,
+ * if the write to the network callback returned with the
+ * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
+ * We proceed to the next handshake step only when all data from the
+ * previous one have been sent to the peer, thus we make sure that this is
+ * the case here by calling `mbedtls_ssl_flush_output()`. The function may
+ * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
+ * we have to wait before to go ahead.
+ * In the case of TLS 1.3, handshake step handlers do not send data to the
+ * peer. Data are only sent here and through
+ * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
+ * alert occurred.
+ */
+ if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
+ if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ return ret;
+}
+
+int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ssl == NULL ||
+ ssl->conf == NULL ||
+ ssl->handshake == NULL ||
+ ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ret = ssl_prepare_handshake_step(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_handle_pending_alert(ssl);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
+ * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
+ ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
+ mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
+
+ switch (ssl->state) {
+ case MBEDTLS_SSL_HELLO_REQUEST:
+ ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ ret = 0;
+ break;
+
+ case MBEDTLS_SSL_CLIENT_HELLO:
+ ret = mbedtls_ssl_write_client_hello(ssl);
+ break;
+
+ default:
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
+ } else {
+ ret = mbedtls_ssl_handshake_client_step(ssl);
+ }
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ ret = mbedtls_ssl_handshake_client_step(ssl);
+#else
+ ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
+#endif
+ }
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
+ } else {
+ ret = mbedtls_ssl_handshake_server_step(ssl);
+ }
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ ret = mbedtls_ssl_handshake_server_step(ssl);
+#else
+ ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
+#endif
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+ if (ret != 0) {
+ /* handshake_step return error. And it is same
+ * with alert_reason.
+ */
+ if (ssl->send_alert) {
+ ret = mbedtls_ssl_handle_pending_alert(ssl);
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/*
+ * Perform the SSL handshake
+ */
+int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+
+ /* Sanity checks */
+
+ if (ssl == NULL || ssl->conf == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
+ "mbedtls_ssl_set_timer_cb() for DTLS"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
+
+ /* Main handshake loop */
+ while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+ ret = mbedtls_ssl_handshake_step(ssl);
+
+ if (ret != 0) {
+ break;
+ }
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+#if defined(MBEDTLS_SSL_SRV_C)
+/*
+ * Write HelloRequest to request renegotiation on server
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
+
+ ssl->out_msglen = 4;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+/*
+ * Actually renegotiate current connection, triggered by either:
+ * - any side: calling mbedtls_ssl_renegotiate(),
+ * - client: receiving a HelloRequest during mbedtls_ssl_read(),
+ * - server: receiving any handshake message on server during mbedtls_ssl_read() after
+ * the initial handshake is completed.
+ * If the handshake doesn't complete due to waiting for I/O, it will continue
+ * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
+ */
+int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
+
+ if ((ret = ssl_handshake_init(ssl)) != 0) {
+ return ret;
+ }
+
+ /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
+ * the ServerHello will have message_seq = 1" */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ ssl->handshake->out_msg_seq = 1;
+ } else {
+ ssl->handshake->in_msg_seq = 1;
+ }
+ }
+#endif
+
+ ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+ ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
+
+ if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
+
+ return 0;
+}
+
+/*
+ * Renegotiate current connection on client,
+ * or request renegotiation on server
+ */
+int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+ if (ssl == NULL || ssl->conf == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ /* On server, just send the request */
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+
+ /* Did we already try/start sending HelloRequest? */
+ if (ssl->out_left != 0) {
+ return mbedtls_ssl_flush_output(ssl);
+ }
+
+ return ssl_write_hello_request(ssl);
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ /*
+ * On client, either start the renegotiation process or,
+ * if already in progress, continue the handshake
+ */
+ if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+ if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
+ return ret;
+ }
+ } else {
+ if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ if (handshake == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ssl->handshake->group_list_heap_allocated) {
+ mbedtls_free((void *) handshake->group_list);
+ }
+ handshake->group_list = NULL;
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if (ssl->handshake->sig_algs_heap_allocated) {
+ mbedtls_free((void *) handshake->sig_algs);
+ }
+ handshake->sig_algs = NULL;
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (ssl->handshake->certificate_request_context) {
+ mbedtls_free((void *) handshake->certificate_request_context);
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
+ ssl->conf->f_async_cancel(ssl);
+ handshake->async_in_progress = 0;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_abort(&handshake->fin_sha256_psa);
+#else
+ mbedtls_md_free(&handshake->fin_sha256);
+#endif
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_abort(&handshake->fin_sha384_psa);
+#else
+ mbedtls_md_free(&handshake->fin_sha384);
+#endif
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+ mbedtls_dhm_free(&handshake->dhm_ctx);
+#endif
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
+ mbedtls_ecdh_free(&handshake->ecdh_ctx);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_pake_abort(&handshake->psa_pake_ctx);
+ /*
+ * Opaque keys are not stored in the handshake's data and it's the user
+ * responsibility to destroy them. Clear ones, instead, are created by
+ * the TLS library and should be destroyed at the same level
+ */
+ if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
+ psa_destroy_key(handshake->psa_pake_password);
+ }
+ handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
+#else
+ mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_SSL_CLI_C)
+ mbedtls_free(handshake->ecjpake_cache);
+ handshake->ecjpake_cache = NULL;
+ handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ /* explicit void pointer cast for buggy MS compiler */
+ mbedtls_free((void *) handshake->curves_tls_id);
+#endif
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
+ /* The maintenance of the external PSK key slot is the
+ * user's responsibility. */
+ if (ssl->handshake->psk_opaque_is_internal) {
+ psa_destroy_key(ssl->handshake->psk_opaque);
+ ssl->handshake->psk_opaque_is_internal = 0;
+ }
+ ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
+ }
+#else
+ if (handshake->psk != NULL) {
+ mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len);
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ /*
+ * Free only the linked list wrapper, not the keys themselves
+ * since the belong to the SNI callback
+ */
+ ssl_key_cert_free(handshake->sni_key_cert);
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
+ if (handshake->ecrs_peer_cert != NULL) {
+ mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
+ mbedtls_free(handshake->ecrs_peer_cert);
+ }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ mbedtls_pk_free(&handshake->peer_pubkey);
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+#if defined(MBEDTLS_SSL_CLI_C) && \
+ (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
+ mbedtls_free(handshake->cookie);
+#endif /* MBEDTLS_SSL_CLI_C &&
+ ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ mbedtls_ssl_flight_free(handshake->flight);
+ mbedtls_ssl_buffering_free(ssl);
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
+ if (handshake->xxdh_psa_privkey_is_external == 0) {
+ psa_destroy_key(handshake->xxdh_psa_privkey);
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_transform_free(handshake->transform_handshake);
+ mbedtls_free(handshake->transform_handshake);
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_transform_free(handshake->transform_earlydata);
+ mbedtls_free(handshake->transform_earlydata);
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ /* If the buffers are too big - reallocate. Because of the way Mbed TLS
+ * processes datagrams and the fact that a datagram is allowed to have
+ * several records in it, it is possible that the I/O buffers are not
+ * empty at this stage */
+ handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
+ mbedtls_ssl_get_output_buflen(ssl));
+#endif
+
+ /* mbedtls_platform_zeroize MUST be last one in this function */
+ mbedtls_platform_zeroize(handshake,
+ sizeof(mbedtls_ssl_handshake_params));
+}
+
+void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
+{
+ if (session == NULL) {
+ return;
+ }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ ssl_clear_peer_cert(session);
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ mbedtls_free(session->hostname);
+#endif
+ mbedtls_free(session->ticket);
+#endif
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
+ defined(MBEDTLS_SSL_SRV_C)
+ mbedtls_free(session->ticket_alpn);
+#endif
+
+ mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
+}
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
+#else
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
+#else
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_ALPN)
+#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
+#else
+#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
+#endif /* MBEDTLS_SSL_ALPN */
+
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
+#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
+#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
+
+#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
+ ((uint32_t) ( \
+ (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
+ SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
+ (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
+ SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
+ (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
+ SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
+ (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
+ 0u))
+
+static const unsigned char ssl_serialized_context_header[] = {
+ MBEDTLS_VERSION_MAJOR,
+ MBEDTLS_VERSION_MINOR,
+ MBEDTLS_VERSION_PATCH,
+ MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
+ MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
+ MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
+ MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
+ MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
+};
+
+/*
+ * Serialize a full SSL context
+ *
+ * The format of the serialized data is:
+ * (in the presentation language of TLS, RFC 8446 section 3)
+ *
+ * // header
+ * opaque mbedtls_version[3]; // major, minor, patch
+ * opaque context_format[5]; // version-specific field determining
+ * // the format of the remaining
+ * // serialized data.
+ * Note: When updating the format, remember to keep these
+ * version+format bytes. (We may make their size part of the API.)
+ *
+ * // session sub-structure
+ * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
+ * // transform sub-structure
+ * uint8 random[64]; // ServerHello.random+ClientHello.random
+ * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
+ * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
+ * // fields from ssl_context
+ * uint32 badmac_seen; // DTLS: number of records with failing MAC
+ * uint64 in_window_top; // DTLS: last validated record seq_num
+ * uint64 in_window; // DTLS: bitmask for replay protection
+ * uint8 disable_datagram_packing; // DTLS: only one record per datagram
+ * uint64 cur_out_ctr; // Record layer: outgoing sequence number
+ * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
+ * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
+ *
+ * Note that many fields of the ssl_context or sub-structures are not
+ * serialized, as they fall in one of the following categories:
+ *
+ * 1. forced value (eg in_left must be 0)
+ * 2. pointer to dynamically-allocated memory (eg session, transform)
+ * 3. value can be re-derived from other data (eg session keys from MS)
+ * 4. value was temporary (eg content of input buffer)
+ * 5. value will be provided by the user again (eg I/O callbacks and context)
+ */
+int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t buf_len,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ size_t used = 0;
+ size_t session_len;
+ int ret = 0;
+
+ /*
+ * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
+ * this function's documentation.
+ *
+ * These are due to assumptions/limitations in the implementation. Some of
+ * them are likely to stay (no handshake in progress) some might go away
+ * (only DTLS) but are currently used to simplify the implementation.
+ */
+ /* The initial handshake must be over */
+ if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (ssl->handshake != NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ /* Double-check that sub-structures are indeed ready */
+ if (ssl->transform == NULL || ssl->session == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ /* There must be no pending incoming or outgoing data */
+ if (mbedtls_ssl_check_pending(ssl) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ if (ssl->out_left != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ /* Protocol must be DTLS, not TLS */
+ if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ /* Version must be 1.2 */
+ if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ /* We must be using an AEAD ciphersuite */
+ if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ /* Renegotiation must not be enabled */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+#endif
+
+ /*
+ * Version and format identifier
+ */
+ used += sizeof(ssl_serialized_context_header);
+
+ if (used <= buf_len) {
+ memcpy(p, ssl_serialized_context_header,
+ sizeof(ssl_serialized_context_header));
+ p += sizeof(ssl_serialized_context_header);
+ }
+
+ /*
+ * Session (length + data)
+ */
+ ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
+ if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
+ return ret;
+ }
+
+ used += 4 + session_len;
+ if (used <= buf_len) {
+ MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
+ p += 4;
+
+ ret = ssl_session_save(ssl->session, 1,
+ p, session_len, &session_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ p += session_len;
+ }
+
+ /*
+ * Transform
+ */
+ used += sizeof(ssl->transform->randbytes);
+ if (used <= buf_len) {
+ memcpy(p, ssl->transform->randbytes,
+ sizeof(ssl->transform->randbytes));
+ p += sizeof(ssl->transform->randbytes);
+ }
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
+ if (used <= buf_len) {
+ *p++ = ssl->transform->in_cid_len;
+ memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
+ p += ssl->transform->in_cid_len;
+
+ *p++ = ssl->transform->out_cid_len;
+ memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
+ p += ssl->transform->out_cid_len;
+ }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ /*
+ * Saved fields from top-level ssl_context structure
+ */
+ used += 4;
+ if (used <= buf_len) {
+ MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
+ p += 4;
+ }
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+ used += 16;
+ if (used <= buf_len) {
+ MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
+ p += 8;
+
+ MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
+ p += 8;
+ }
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ used += 1;
+ if (used <= buf_len) {
+ *p++ = ssl->disable_datagram_packing;
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ if (used <= buf_len) {
+ memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
+ p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ used += 2;
+ if (used <= buf_len) {
+ MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
+ p += 2;
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+ {
+ const uint8_t alpn_len = ssl->alpn_chosen
+ ? (uint8_t) strlen(ssl->alpn_chosen)
+ : 0;
+
+ used += 1 + alpn_len;
+ if (used <= buf_len) {
+ *p++ = alpn_len;
+
+ if (ssl->alpn_chosen != NULL) {
+ memcpy(p, ssl->alpn_chosen, alpn_len);
+ p += alpn_len;
+ }
+ }
+ }
+#endif /* MBEDTLS_SSL_ALPN */
+
+ /*
+ * Done
+ */
+ *olen = used;
+
+ if (used > buf_len) {
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
+
+ return mbedtls_ssl_session_reset_int(ssl, 0);
+}
+
+/*
+ * Deserialize context, see mbedtls_ssl_context_save() for format.
+ *
+ * This internal version is wrapped by a public function that cleans up in
+ * case of error.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_context_load(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ const unsigned char *p = buf;
+ const unsigned char * const end = buf + len;
+ size_t session_len;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ tls_prf_fn prf_func = NULL;
+#endif
+
+ /*
+ * The context should have been freshly setup or reset.
+ * Give the user an error in case of obvious misuse.
+ * (Checking session is useful because it won't be NULL if we're
+ * renegotiating, or if the user mistakenly loaded a session first.)
+ */
+ if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
+ ssl->session != NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /*
+ * We can't check that the config matches the initial one, but we can at
+ * least check it matches the requirements for serializing.
+ */
+ if (
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
+#endif
+ ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+ ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
+ ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
+ ) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
+
+ /*
+ * Check version identifier
+ */
+ if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ if (memcmp(p, ssl_serialized_context_header,
+ sizeof(ssl_serialized_context_header)) != 0) {
+ return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
+ }
+ p += sizeof(ssl_serialized_context_header);
+
+ /*
+ * Session
+ */
+ if ((size_t) (end - p) < 4) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ session_len = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+
+ /* This has been allocated by ssl_handshake_init(), called by
+ * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
+ ssl->session = ssl->session_negotiate;
+ ssl->session_in = ssl->session;
+ ssl->session_out = ssl->session;
+ ssl->session_negotiate = NULL;
+
+ if ((size_t) (end - p) < session_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ret = ssl_session_load(ssl->session, 1, p, session_len);
+ if (ret != 0) {
+ mbedtls_ssl_session_free(ssl->session);
+ return ret;
+ }
+
+ p += session_len;
+
+ /*
+ * Transform
+ */
+
+ /* This has been allocated by ssl_handshake_init(), called by
+ * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ ssl->transform = ssl->transform_negotiate;
+ ssl->transform_in = ssl->transform;
+ ssl->transform_out = ssl->transform;
+ ssl->transform_negotiate = NULL;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
+ if (prf_func == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* Read random bytes and populate structure */
+ if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ret = ssl_tls12_populate_transform(ssl->transform,
+ ssl->session->ciphersuite,
+ ssl->session->master,
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ ssl->session->encrypt_then_mac,
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+ prf_func,
+ p, /* currently pointing to randbytes */
+ MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
+ ssl->conf->endpoint,
+ ssl);
+ if (ret != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+ p += sizeof(ssl->transform->randbytes);
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ /* Read connection IDs and store them */
+ if ((size_t) (end - p) < 1) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl->transform->in_cid_len = *p++;
+
+ if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
+ p += ssl->transform->in_cid_len;
+
+ ssl->transform->out_cid_len = *p++;
+
+ if ((size_t) (end - p) < ssl->transform->out_cid_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
+ p += ssl->transform->out_cid_len;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ /*
+ * Saved fields from top-level ssl_context structure
+ */
+ if ((size_t) (end - p) < 4) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
+ p += 4;
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+ if ((size_t) (end - p) < 16) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+
+ ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
+ p += 8;
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if ((size_t) (end - p) < 1) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl->disable_datagram_packing = *p++;
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
+ p += sizeof(ssl->cur_out_ctr);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if ((size_t) (end - p) < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+ {
+ uint8_t alpn_len;
+ const char **cur;
+
+ if ((size_t) (end - p) < 1) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ alpn_len = *p++;
+
+ if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
+ /* alpn_chosen should point to an item in the configured list */
+ for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
+ if (strlen(*cur) == alpn_len &&
+ memcmp(p, *cur, alpn_len) == 0) {
+ ssl->alpn_chosen = *cur;
+ break;
+ }
+ }
+ }
+
+ /* can only happen on conf mismatch */
+ if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ p += alpn_len;
+ }
+#endif /* MBEDTLS_SSL_ALPN */
+
+ /*
+ * Forced fields from top-level ssl_context structure
+ *
+ * Most of them already set to the correct value by mbedtls_ssl_init() and
+ * mbedtls_ssl_reset(), so we only need to set the remaining ones.
+ */
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
+ ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+
+ /* Adjust pointers for header fields of outgoing records to
+ * the given transform, accounting for explicit IV and CID. */
+ mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ ssl->in_epoch = 1;
+#endif
+
+ /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
+ * which we don't want - otherwise we'd end up freeing the wrong transform
+ * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
+ * inappropriately. */
+ if (ssl->handshake != NULL) {
+ mbedtls_ssl_handshake_free(ssl);
+ mbedtls_free(ssl->handshake);
+ ssl->handshake = NULL;
+ }
+
+ /*
+ * Done - should have consumed entire buffer
+ */
+ if (p != end) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+/*
+ * Deserialize context: public wrapper for error cleaning
+ */
+int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
+ const unsigned char *buf,
+ size_t len)
+{
+ int ret = ssl_context_load(context, buf, len);
+
+ if (ret != 0) {
+ mbedtls_ssl_free(context);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+
+/*
+ * Free an SSL context
+ */
+void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
+{
+ if (ssl == NULL) {
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
+
+ if (ssl->out_buf != NULL) {
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t out_buf_len = ssl->out_buf_len;
+#else
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+
+ mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
+ ssl->out_buf = NULL;
+ }
+
+ if (ssl->in_buf != NULL) {
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t in_buf_len = ssl->in_buf_len;
+#else
+ size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+
+ mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
+ ssl->in_buf = NULL;
+ }
+
+ if (ssl->transform) {
+ mbedtls_ssl_transform_free(ssl->transform);
+ mbedtls_free(ssl->transform);
+ }
+
+ if (ssl->handshake) {
+ mbedtls_ssl_handshake_free(ssl);
+ mbedtls_free(ssl->handshake);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ mbedtls_ssl_transform_free(ssl->transform_negotiate);
+ mbedtls_free(ssl->transform_negotiate);
+#endif
+
+ mbedtls_ssl_session_free(ssl->session_negotiate);
+ mbedtls_free(ssl->session_negotiate);
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_transform_free(ssl->transform_application);
+ mbedtls_free(ssl->transform_application);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ if (ssl->session) {
+ mbedtls_ssl_session_free(ssl->session);
+ mbedtls_free(ssl->session);
+ }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if (ssl->hostname != NULL) {
+ mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+ mbedtls_free(ssl->cli_id);
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
+
+ /* Actually clear after last debug message */
+ mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
+}
+
+/*
+ * Initialize mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
+{
+ memset(conf, 0, sizeof(mbedtls_ssl_config));
+}
+
+/* The selection should be the same as mbedtls_x509_crt_profile_default in
+ * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
+ * curves with a lower resource usage come first.
+ * See the documentation of mbedtls_ssl_conf_curves() for what we promise
+ * about this list.
+ */
+static const uint16_t ssl_preset_default_groups[] = {
+#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
+ MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+#endif
+#if defined(MBEDTLS_ECP_HAVE_CURVE448)
+ MBEDTLS_SSL_IANA_TLS_GROUP_X448,
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP256R1)
+ MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP384R1)
+ MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP512R1)
+ MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
+ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
+ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
+ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
+ MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
+#endif
+ MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+};
+
+static const int ssl_preset_suiteb_ciphersuites[] = {
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ 0
+};
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+
+/* NOTICE:
+ * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
+ * rules SHOULD be upheld.
+ * - No duplicate entries.
+ * - But if there is a good reason, do not change the order of the algorithms.
+ * - ssl_tls12_preset* is for TLS 1.2 use only.
+ * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
+ */
+static const uint16_t ssl_preset_default_sig_algs[] = {
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA256) && \
+ defined(PSA_WANT_ECC_SECP_R1_256)
+ MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
+ // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA384) && \
+ defined(PSA_WANT_ECC_SECP_R1_384)
+ MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
+ // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA512) && \
+ defined(PSA_WANT_ECC_SECP_R1_521)
+ MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
+ // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
+#endif
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
+#endif
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
+#endif
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
+#endif
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
+ MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
+ MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
+ MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
+
+ MBEDTLS_TLS_SIG_NONE
+};
+
+/* NOTICE: see above */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static uint16_t ssl_tls12_preset_default_sig_algs[] = {
+
+#if defined(MBEDTLS_MD_CAN_SHA512)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
+#endif
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
+#endif
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
+#endif
+#endif /* MBEDTLS_MD_CAN_SHA512 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
+#endif
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
+#endif
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
+#endif
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
+#endif
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
+#endif
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
+#endif
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+ MBEDTLS_TLS_SIG_NONE
+};
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+/* NOTICE: see above */
+static const uint16_t ssl_preset_suiteb_sig_algs[] = {
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA256) && \
+ defined(MBEDTLS_ECP_HAVE_SECP256R1)
+ MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
+ // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA384) && \
+ defined(MBEDTLS_ECP_HAVE_SECP384R1)
+ MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
+ // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
+#endif
+
+ MBEDTLS_TLS_SIG_NONE
+};
+
+/* NOTICE: see above */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
+#endif
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
+#endif
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
+ MBEDTLS_TLS_SIG_NONE
+};
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+static const uint16_t ssl_preset_suiteb_groups[] = {
+#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+#endif
+ MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+};
+
+#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
+ * to make sure there are no duplicated signature algorithm entries. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
+{
+ size_t i, j;
+ int ret = 0;
+
+ for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
+ for (j = 0; j < i; j++) {
+ if (sig_algs[i] != sig_algs[j]) {
+ continue;
+ }
+ mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
+ ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
+ sig_algs[i], j, i);
+ ret = -1;
+ }
+ }
+ return ret;
+}
+
+#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+/*
+ * Load default in mbedtls_ssl_config
+ */
+int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
+ int endpoint, int transport, int preset)
+{
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#endif
+
+#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+ if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
+ mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+
+ if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
+ mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
+ mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+
+ if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
+ mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+ /* Use the functions here so that they are covered in tests,
+ * but otherwise access member directly for efficiency */
+ mbedtls_ssl_conf_endpoint(conf, endpoint);
+ mbedtls_ssl_conf_transport(conf, transport);
+
+ /*
+ * Things that are common to all presets
+ */
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+#endif
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+ conf->f_cookie_write = ssl_cookie_write_dummy;
+ conf->f_cookie_check = ssl_cookie_check_dummy;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+ conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
+ conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
+ conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
+ memset(conf->renego_period, 0x00, 2);
+ memset(conf->renego_period + 2, 0xFF, 6);
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+ if (endpoint == MBEDTLS_SSL_IS_SERVER) {
+ const unsigned char dhm_p[] =
+ MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
+ const unsigned char dhm_g[] =
+ MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
+
+ if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
+ dhm_p, sizeof(dhm_p),
+ dhm_g, sizeof(dhm_g))) != 0) {
+ return ret;
+ }
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
+#if defined(MBEDTLS_SSL_SRV_C)
+ mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
+#endif
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_conf_new_session_tickets(
+ conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
+#endif
+ /*
+ * Allow all TLS 1.3 key exchange modes by default.
+ */
+ conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+#else
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+#endif
+ } else {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+ conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+#else
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+#endif
+ }
+
+ /*
+ * Preset-specific defaults
+ */
+ switch (preset) {
+ /*
+ * NSA Suite B
+ */
+ case MBEDTLS_SSL_PRESET_SUITEB:
+
+ conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
+#endif
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (mbedtls_ssl_conf_is_tls12_only(conf)) {
+ conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+ conf->sig_algs = ssl_preset_suiteb_sig_algs;
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ conf->curve_list = NULL;
+#endif
+ conf->group_list = ssl_preset_suiteb_groups;
+ break;
+
+ /*
+ * Default
+ */
+ default:
+
+ conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ conf->cert_profile = &mbedtls_x509_crt_profile_default;
+#endif
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (mbedtls_ssl_conf_is_tls12_only(conf)) {
+ conf->sig_algs = ssl_tls12_preset_default_sig_algs;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+ conf->sig_algs = ssl_preset_default_sig_algs;
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+ conf->curve_list = NULL;
+#endif
+ conf->group_list = ssl_preset_default_groups;
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+ conf->dhm_min_bitlen = 1024;
+#endif
+ }
+
+ return 0;
+}
+
+/*
+ * Free mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
+{
+#if defined(MBEDTLS_DHM_C)
+ mbedtls_mpi_free(&conf->dhm_P);
+ mbedtls_mpi_free(&conf->dhm_G);
+#endif
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
+ conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if (conf->psk != NULL) {
+ mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
+ conf->psk = NULL;
+ conf->psk_len = 0;
+ }
+
+ if (conf->psk_identity != NULL) {
+ mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
+ conf->psk_identity = NULL;
+ conf->psk_identity_len = 0;
+ }
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ ssl_key_cert_free(conf->key_cert);
+#endif
+
+ mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
+}
+
+#if defined(MBEDTLS_PK_C) && \
+ (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
+/*
+ * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
+ */
+unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
+{
+#if defined(MBEDTLS_RSA_C)
+ if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
+ return MBEDTLS_SSL_SIG_RSA;
+ }
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
+ if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
+ return MBEDTLS_SSL_SIG_ECDSA;
+ }
+#endif
+ return MBEDTLS_SSL_SIG_ANON;
+}
+
+unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
+{
+ switch (type) {
+ case MBEDTLS_PK_RSA:
+ return MBEDTLS_SSL_SIG_RSA;
+ case MBEDTLS_PK_ECDSA:
+ case MBEDTLS_PK_ECKEY:
+ return MBEDTLS_SSL_SIG_ECDSA;
+ default:
+ return MBEDTLS_SSL_SIG_ANON;
+ }
+}
+
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
+{
+ switch (sig) {
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_SSL_SIG_RSA:
+ return MBEDTLS_PK_RSA;
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
+ case MBEDTLS_SSL_SIG_ECDSA:
+ return MBEDTLS_PK_ECDSA;
+#endif
+ default:
+ return MBEDTLS_PK_NONE;
+ }
+}
+#endif /* MBEDTLS_PK_C &&
+ ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
+
+/*
+ * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
+ */
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
+{
+ switch (hash) {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ case MBEDTLS_SSL_HASH_MD5:
+ return MBEDTLS_MD_MD5;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ case MBEDTLS_SSL_HASH_SHA1:
+ return MBEDTLS_MD_SHA1;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ case MBEDTLS_SSL_HASH_SHA224:
+ return MBEDTLS_MD_SHA224;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_SSL_HASH_SHA256:
+ return MBEDTLS_MD_SHA256;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_SSL_HASH_SHA384:
+ return MBEDTLS_MD_SHA384;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case MBEDTLS_SSL_HASH_SHA512:
+ return MBEDTLS_MD_SHA512;
+#endif
+ default:
+ return MBEDTLS_MD_NONE;
+ }
+}
+
+/*
+ * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
+ */
+unsigned char mbedtls_ssl_hash_from_md_alg(int md)
+{
+ switch (md) {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ case MBEDTLS_MD_MD5:
+ return MBEDTLS_SSL_HASH_MD5;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ case MBEDTLS_MD_SHA1:
+ return MBEDTLS_SSL_HASH_SHA1;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ case MBEDTLS_MD_SHA224:
+ return MBEDTLS_SSL_HASH_SHA224;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_MD_SHA256:
+ return MBEDTLS_SSL_HASH_SHA256;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_MD_SHA384:
+ return MBEDTLS_SSL_HASH_SHA384;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case MBEDTLS_MD_SHA512:
+ return MBEDTLS_SSL_HASH_SHA512;
+#endif
+ default:
+ return MBEDTLS_SSL_HASH_NONE;
+ }
+}
+
+/*
+ * Check if a curve proposed by the peer is in our list.
+ * Return 0 if we're willing to use it, -1 otherwise.
+ */
+int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
+{
+ const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
+
+ if (group_list == NULL) {
+ return -1;
+ }
+
+ for (; *group_list != 0; group_list++) {
+ if (*group_list == tls_id) {
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+/*
+ * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
+ */
+int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
+{
+ uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
+
+ if (tls_id == 0) {
+ return -1;
+ }
+
+ return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
+}
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+static const struct {
+ uint16_t tls_id;
+ mbedtls_ecp_group_id ecp_group_id;
+ psa_ecc_family_t psa_family;
+ uint16_t bits;
+} tls_id_match_table[] =
+{
+#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
+ { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP512R1)
+ { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
+ { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP384R1)
+ { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
+ { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
+ { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_BP256R1)
+ { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
+ { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
+ { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
+ { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
+ { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
+ { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
+#endif
+#if defined(MBEDTLS_ECP_HAVE_CURVE448)
+ { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
+#endif
+ { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
+};
+
+int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
+ psa_key_type_t *type,
+ size_t *bits)
+{
+ for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
+ if (tls_id_match_table[i].tls_id == tls_id) {
+ if (type != NULL) {
+ *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
+ }
+ if (bits != NULL) {
+ *bits = tls_id_match_table[i].bits;
+ }
+ return PSA_SUCCESS;
+ }
+ }
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
+{
+ for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
+ if (tls_id_match_table[i].tls_id == tls_id) {
+ return tls_id_match_table[i].ecp_group_id;
+ }
+ }
+
+ return MBEDTLS_ECP_DP_NONE;
+}
+
+uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
+{
+ for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
+ i++) {
+ if (tls_id_match_table[i].ecp_group_id == grp_id) {
+ return tls_id_match_table[i].tls_id;
+ }
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_DEBUG_C)
+static const struct {
+ uint16_t tls_id;
+ const char *name;
+} tls_id_curve_name_table[] =
+{
+ { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
+ { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
+ { 0, NULL },
+};
+
+const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
+{
+ for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
+ if (tls_id_curve_name_table[i].tls_id == tls_id) {
+ return tls_id_curve_name_table[i].name;
+ }
+ }
+
+ return NULL;
+}
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
+ const mbedtls_ssl_ciphersuite_t *ciphersuite,
+ int cert_endpoint,
+ uint32_t *flags)
+{
+ int ret = 0;
+ unsigned int usage = 0;
+ const char *ext_oid;
+ size_t ext_len;
+
+ if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
+ /* Server part of the key exchange */
+ switch (ciphersuite->key_exchange) {
+ case MBEDTLS_KEY_EXCHANGE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
+ break;
+
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+ usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+ break;
+
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+ usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
+ break;
+
+ /* Don't use default: we want warnings when adding new values */
+ case MBEDTLS_KEY_EXCHANGE_NONE:
+ case MBEDTLS_KEY_EXCHANGE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+ usage = 0;
+ }
+ } else {
+ /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
+ usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+ }
+
+ if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
+ *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
+ ret = -1;
+ }
+
+ if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
+ ext_oid = MBEDTLS_OID_SERVER_AUTH;
+ ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
+ } else {
+ ext_oid = MBEDTLS_OID_CLIENT_AUTH;
+ ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
+ }
+
+ if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
+ *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
+ ret = -1;
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
+ const mbedtls_md_type_t md,
+ unsigned char *dst,
+ size_t dst_len,
+ size_t *olen)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_hash_operation_t *hash_operation_to_clone;
+ psa_hash_operation_t hash_operation = psa_hash_operation_init();
+
+ *olen = 0;
+
+ switch (md) {
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_MD_SHA384:
+ hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
+ break;
+#endif
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_MD_SHA256:
+ hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
+ break;
+#endif
+
+ default:
+ goto exit;
+ }
+
+ status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+exit:
+#if !defined(MBEDTLS_MD_CAN_SHA384) && \
+ !defined(MBEDTLS_MD_CAN_SHA256)
+ (void) ssl;
+#endif
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
+ unsigned char *dst,
+ size_t dst_len,
+ size_t *olen)
+{
+ int ret;
+ mbedtls_md_context_t sha384;
+
+ if (dst_len < 48) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ mbedtls_md_init(&sha384);
+ ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
+ goto exit;
+ }
+
+ *olen = 48;
+
+exit:
+
+ mbedtls_md_free(&sha384);
+ return ret;
+}
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
+ unsigned char *dst,
+ size_t dst_len,
+ size_t *olen)
+{
+ int ret;
+ mbedtls_md_context_t sha256;
+
+ if (dst_len < 32) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ mbedtls_md_init(&sha256);
+ ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
+ goto exit;
+ }
+
+ *olen = 32;
+
+exit:
+
+ mbedtls_md_free(&sha256);
+ return ret;
+}
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
+ const mbedtls_md_type_t md,
+ unsigned char *dst,
+ size_t dst_len,
+ size_t *olen)
+{
+ switch (md) {
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_MD_SHA384:
+ return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
+#endif /* MBEDTLS_MD_CAN_SHA384*/
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_MD_SHA256:
+ return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
+#endif /* MBEDTLS_MD_CAN_SHA256*/
+
+ default:
+#if !defined(MBEDTLS_MD_CAN_SHA384) && \
+ !defined(MBEDTLS_MD_CAN_SHA256)
+ (void) ssl;
+ (void) dst;
+ (void) dst_len;
+ (void) olen;
+#endif
+ break;
+ }
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+}
+
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+/* mbedtls_ssl_parse_sig_alg_ext()
+ *
+ * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
+ * value (TLS 1.3 RFC8446):
+ * enum {
+ * ....
+ * ecdsa_secp256r1_sha256( 0x0403 ),
+ * ecdsa_secp384r1_sha384( 0x0503 ),
+ * ecdsa_secp521r1_sha512( 0x0603 ),
+ * ....
+ * } SignatureScheme;
+ *
+ * struct {
+ * SignatureScheme supported_signature_algorithms<2..2^16-2>;
+ * } SignatureSchemeList;
+ *
+ * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
+ * value (TLS 1.2 RFC5246):
+ * enum {
+ * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
+ * sha512(6), (255)
+ * } HashAlgorithm;
+ *
+ * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
+ * SignatureAlgorithm;
+ *
+ * struct {
+ * HashAlgorithm hash;
+ * SignatureAlgorithm signature;
+ * } SignatureAndHashAlgorithm;
+ *
+ * SignatureAndHashAlgorithm
+ * supported_signature_algorithms<2..2^16-2>;
+ *
+ * The TLS 1.3 signature algorithm extension was defined to be a compatible
+ * generalization of the TLS 1.2 signature algorithm extension.
+ * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
+ * `SignatureScheme` field of TLS 1.3
+ *
+ */
+int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ const unsigned char *p = buf;
+ size_t supported_sig_algs_len = 0;
+ const unsigned char *supported_sig_algs_end;
+ uint16_t sig_alg;
+ uint32_t common_idx = 0;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ memset(ssl->handshake->received_sig_algs, 0,
+ sizeof(ssl->handshake->received_sig_algs));
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
+ supported_sig_algs_end = p + supported_sig_algs_len;
+ while (p < supported_sig_algs_end) {
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
+ sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
+ sig_alg,
+ mbedtls_ssl_sig_alg_to_str(sig_alg)));
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+ (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
+ mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
+ continue;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
+ mbedtls_ssl_sig_alg_to_str(sig_alg)));
+
+ if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
+ ssl->handshake->received_sig_algs[common_idx] = sig_alg;
+ common_idx += 1;
+ }
+ }
+ /* Check that we consumed all the message. */
+ if (p != end) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("Signature algorithms extension length misaligned"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ if (common_idx == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
+ return 0;
+}
+
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+
+static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
+ mbedtls_svc_key_id_t key,
+ psa_algorithm_t alg,
+ const unsigned char *raw_psk, size_t raw_psk_length,
+ const unsigned char *seed, size_t seed_length,
+ const unsigned char *label, size_t label_length,
+ const unsigned char *other_secret,
+ size_t other_secret_length,
+ size_t capacity)
+{
+ psa_status_t status;
+
+ status = psa_key_derivation_setup(derivation, alg);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
+ status = psa_key_derivation_input_bytes(derivation,
+ PSA_KEY_DERIVATION_INPUT_SEED,
+ seed, seed_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ if (other_secret != NULL) {
+ status = psa_key_derivation_input_bytes(derivation,
+ PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
+ other_secret, other_secret_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ }
+
+ if (mbedtls_svc_key_id_is_null(key)) {
+ status = psa_key_derivation_input_bytes(
+ derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
+ raw_psk, raw_psk_length);
+ } else {
+ status = psa_key_derivation_input_key(
+ derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
+ }
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_key_derivation_input_bytes(derivation,
+ PSA_KEY_DERIVATION_INPUT_LABEL,
+ label, label_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ } else {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ status = psa_key_derivation_set_capacity(derivation, capacity);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return PSA_SUCCESS;
+}
+
+#if defined(PSA_WANT_ALG_SHA_384) || \
+ defined(PSA_WANT_ALG_SHA_256)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int tls_prf_generic(mbedtls_md_type_t md_type,
+ const unsigned char *secret, size_t slen,
+ const char *label,
+ const unsigned char *random, size_t rlen,
+ unsigned char *dstbuf, size_t dlen)
+{
+ psa_status_t status;
+ psa_algorithm_t alg;
+ mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_derivation_operation_t derivation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
+
+ if (md_type == MBEDTLS_MD_SHA384) {
+ alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
+ } else {
+ alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
+ }
+
+ /* Normally a "secret" should be long enough to be impossible to
+ * find by brute force, and in particular should not be empty. But
+ * this PRF is also used to derive an IV, in particular in EAP-TLS,
+ * and for this use case it makes sense to have a 0-length "secret".
+ * Since the key API doesn't allow importing a key of length 0,
+ * keep master_key=0, which setup_psa_key_derivation() understands
+ * to mean a 0-length "secret" input. */
+ if (slen != 0) {
+ psa_key_attributes_t key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&key_attributes, alg);
+ psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
+
+ status = psa_import_key(&key_attributes, secret, slen, &master_key);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+ }
+
+ status = setup_psa_key_derivation(&derivation,
+ master_key, alg,
+ NULL, 0,
+ random, rlen,
+ (unsigned char const *) label,
+ (size_t) strlen(label),
+ NULL, 0,
+ dlen);
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(&derivation);
+ psa_destroy_key(master_key);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(&derivation);
+ psa_destroy_key(master_key);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ status = psa_key_derivation_abort(&derivation);
+ if (status != PSA_SUCCESS) {
+ psa_destroy_key(master_key);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ if (!mbedtls_svc_key_id_is_null(master_key)) {
+ status = psa_destroy_key(master_key);
+ }
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ return 0;
+}
+#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_MD_C) && \
+ (defined(MBEDTLS_MD_CAN_SHA256) || \
+ defined(MBEDTLS_MD_CAN_SHA384))
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int tls_prf_generic(mbedtls_md_type_t md_type,
+ const unsigned char *secret, size_t slen,
+ const char *label,
+ const unsigned char *random, size_t rlen,
+ unsigned char *dstbuf, size_t dlen)
+{
+ size_t nb;
+ size_t i, j, k, md_len;
+ unsigned char *tmp;
+ size_t tmp_len = 0;
+ unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_context_t md_ctx;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_md_init(&md_ctx);
+
+ if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ md_len = mbedtls_md_get_size(md_info);
+
+ tmp_len = md_len + strlen(label) + rlen;
+ tmp = mbedtls_calloc(1, tmp_len);
+ if (tmp == NULL) {
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto exit;
+ }
+
+ nb = strlen(label);
+ memcpy(tmp + md_len, label, nb);
+ memcpy(tmp + md_len + nb, random, rlen);
+ nb += rlen;
+
+ /*
+ * Compute P_<hash>(secret, label + random)[0..dlen]
+ */
+ if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ for (i = 0; i < dlen; i += md_len) {
+ ret = mbedtls_md_hmac_reset(&md_ctx);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_hmac_finish(&md_ctx, h_i);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_reset(&md_ctx);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ k = (i + md_len > dlen) ? dlen % md_len : md_len;
+
+ for (j = 0; j < k; j++) {
+ dstbuf[i + j] = h_i[j];
+ }
+ }
+
+exit:
+ mbedtls_md_free(&md_ctx);
+
+ if (tmp != NULL) {
+ mbedtls_platform_zeroize(tmp, tmp_len);
+ }
+
+ mbedtls_platform_zeroize(h_i, sizeof(h_i));
+
+ mbedtls_free(tmp);
+
+ return ret;
+}
+#endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int tls_prf_sha256(const unsigned char *secret, size_t slen,
+ const char *label,
+ const unsigned char *random, size_t rlen,
+ unsigned char *dstbuf, size_t dlen)
+{
+ return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
+ label, random, rlen, dstbuf, dlen);
+}
+#endif /* MBEDTLS_MD_CAN_SHA256*/
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int tls_prf_sha384(const unsigned char *secret, size_t slen,
+ const char *label,
+ const unsigned char *random, size_t rlen,
+ unsigned char *dstbuf, size_t dlen)
+{
+ return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
+ label, random, rlen, dstbuf, dlen);
+}
+#endif /* MBEDTLS_MD_CAN_SHA384*/
+
+/*
+ * Set appropriate PRF function and other SSL / TLS1.2 functions
+ *
+ * Inputs:
+ * - hash associated with the ciphersuite (only used by TLS 1.2)
+ *
+ * Outputs:
+ * - the tls_prf, calc_verify and calc_finished members of handshake structure
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
+ mbedtls_md_type_t hash)
+{
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ if (hash == MBEDTLS_MD_SHA384) {
+ handshake->tls_prf = tls_prf_sha384;
+ handshake->calc_verify = ssl_calc_verify_tls_sha384;
+ handshake->calc_finished = ssl_calc_finished_tls_sha384;
+ } else
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ (void) hash;
+ handshake->tls_prf = tls_prf_sha256;
+ handshake->calc_verify = ssl_calc_verify_tls_sha256;
+ handshake->calc_finished = ssl_calc_finished_tls_sha256;
+ }
+#else
+ {
+ (void) handshake;
+ (void) hash;
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+#endif
+
+ return 0;
+}
+
+/*
+ * Compute master secret if needed
+ *
+ * Parameters:
+ * [in/out] handshake
+ * [in] resume, premaster, extended_ms, calc_verify, tls_prf
+ * (PSA-PSK) ciphersuite_info, psk_opaque
+ * [out] premaster (cleared)
+ * [out] master
+ * [in] ssl: optionally used for debugging, EMS and PSA-PSK
+ * debug: conf->f_dbg, conf->p_dbg
+ * EMS: passed to calc_verify (debug + session_negotiate)
+ * PSA-PSA: conf
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
+ unsigned char *master,
+ const mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* cf. RFC 5246, Section 8.1:
+ * "The master secret is always exactly 48 bytes in length." */
+ size_t const master_secret_len = 48;
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ unsigned char session_hash[48];
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+ /* The label for the KDF used for key expansion.
+ * This is either "master secret" or "extended master secret"
+ * depending on whether the Extended Master Secret extension
+ * is used. */
+ char const *lbl = "master secret";
+
+ /* The seed for the KDF used for key expansion.
+ * - If the Extended Master Secret extension is not used,
+ * this is ClientHello.Random + ServerHello.Random
+ * (see Sect. 8.1 in RFC 5246).
+ * - If the Extended Master Secret extension is used,
+ * this is the transcript of the handshake so far.
+ * (see Sect. 4 in RFC 7627). */
+ unsigned char const *seed = handshake->randbytes;
+ size_t seed_len = 64;
+
+#if !defined(MBEDTLS_DEBUG_C) && \
+ !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
+ !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
+ ssl = NULL; /* make sure we don't use it except for those cases */
+ (void) ssl;
+#endif
+
+ if (handshake->resume != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
+ return 0;
+ }
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
+ lbl = "extended master secret";
+ seed = session_hash;
+ ret = handshake->calc_verify(ssl, session_hash, &seed_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
+ session_hash, seed_len);
+ }
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
+ /* Perform PSK-to-MS expansion in a single step. */
+ psa_status_t status;
+ psa_algorithm_t alg;
+ mbedtls_svc_key_id_t psk;
+ psa_key_derivation_operation_t derivation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
+ mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
+
+ psk = mbedtls_ssl_get_opaque_psk(ssl);
+
+ if (hash_alg == MBEDTLS_MD_SHA384) {
+ alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
+ } else {
+ alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
+ }
+
+ size_t other_secret_len = 0;
+ unsigned char *other_secret = NULL;
+
+ switch (handshake->ciphersuite_info->key_exchange) {
+ /* Provide other secret.
+ * Other secret is stored in premaster, where first 2 bytes hold the
+ * length of the other key.
+ */
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+ /* For RSA-PSK other key length is always 48 bytes. */
+ other_secret_len = 48;
+ other_secret = handshake->premaster + 2;
+ break;
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+ other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
+ other_secret = handshake->premaster + 2;
+ break;
+ default:
+ break;
+ }
+
+ status = setup_psa_key_derivation(&derivation, psk, alg,
+ ssl->conf->psk, ssl->conf->psk_len,
+ seed, seed_len,
+ (unsigned char const *) lbl,
+ (size_t) strlen(lbl),
+ other_secret, other_secret_len,
+ master_secret_len);
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(&derivation);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ status = psa_key_derivation_output_bytes(&derivation,
+ master,
+ master_secret_len);
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(&derivation);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ status = psa_key_derivation_abort(&derivation);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+ } else
+#endif
+ {
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+ psa_status_t status;
+ psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
+ psa_key_derivation_operation_t derivation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
+
+ handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
+
+ status = psa_key_derivation_setup(&derivation, alg);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ status = psa_key_derivation_set_capacity(&derivation,
+ PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(&derivation);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
+ &derivation);
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(&derivation);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ status = psa_key_derivation_output_bytes(&derivation,
+ handshake->premaster,
+ handshake->pmslen);
+ if (status != PSA_SUCCESS) {
+ psa_key_derivation_abort(&derivation);
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ status = psa_key_derivation_abort(&derivation);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+ }
+#endif
+ ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
+ lbl, seed, seed_len,
+ master,
+ master_secret_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
+ handshake->premaster,
+ handshake->pmslen);
+
+ mbedtls_platform_zeroize(handshake->premaster,
+ sizeof(handshake->premaster));
+ }
+
+ return 0;
+}
+
+int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
+
+ /* Set PRF, calc_verify and calc_finished function pointers */
+ ret = ssl_set_handshake_prfs(ssl->handshake,
+ (mbedtls_md_type_t) ciphersuite_info->mac);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
+ return ret;
+ }
+
+ /* Compute master secret if needed */
+ ret = ssl_compute_master(ssl->handshake,
+ ssl->session_negotiate->master,
+ ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
+ return ret;
+ }
+
+ /* Swap the client and server random values:
+ * - MS derivation wanted client+server (RFC 5246 8.1)
+ * - key derivation wants server+client (RFC 5246 6.3) */
+ {
+ unsigned char tmp[64];
+ memcpy(tmp, ssl->handshake->randbytes, 64);
+ memcpy(ssl->handshake->randbytes, tmp + 32, 32);
+ memcpy(ssl->handshake->randbytes + 32, tmp, 32);
+ mbedtls_platform_zeroize(tmp, sizeof(tmp));
+ }
+
+ /* Populate transform structure */
+ ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
+ ssl->session_negotiate->ciphersuite,
+ ssl->session_negotiate->master,
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ ssl->session_negotiate->encrypt_then_mac,
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+ ssl->handshake->tls_prf,
+ ssl->handshake->randbytes,
+ ssl->tls_version,
+ ssl->conf->endpoint,
+ ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
+ return ret;
+ }
+
+ /* We no longer need Server/ClientHello.random values */
+ mbedtls_platform_zeroize(ssl->handshake->randbytes,
+ sizeof(ssl->handshake->randbytes));
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
+
+ return 0;
+}
+
+int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
+{
+ switch (md) {
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_SSL_HASH_SHA384:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
+ break;
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_SSL_HASH_SHA256:
+ ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
+ break;
+#endif
+ default:
+ return -1;
+ }
+#if !defined(MBEDTLS_MD_CAN_SHA384) && \
+ !defined(MBEDTLS_MD_CAN_SHA256)
+ (void) ssl;
+#endif
+ return 0;
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
+ const psa_hash_operation_t *hs_op,
+ size_t buffer_size,
+ unsigned char *hash,
+ size_t *hlen)
+{
+ psa_status_t status;
+ psa_hash_operation_t cloned_op = psa_hash_operation_init();
+
+#if !defined(MBEDTLS_DEBUG_C)
+ (void) ssl;
+#endif
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
+ status = psa_hash_clone(hs_op, &cloned_op);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
+
+exit:
+ psa_hash_abort(&cloned_op);
+ return mbedtls_md_error_from_psa(status);
+}
+#else
+static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
+ const mbedtls_md_context_t *hs_ctx,
+ unsigned char *hash,
+ size_t *hlen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_context_t cloned_ctx;
+
+ mbedtls_md_init(&cloned_ctx);
+
+#if !defined(MBEDTLS_DEBUG_C)
+ (void) ssl;
+#endif
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
+
+ ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_finish(&cloned_ctx, hash);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
+
+exit:
+ mbedtls_md_free(&cloned_ctx);
+ return ret;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
+ unsigned char *hash,
+ size_t *hlen)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
+ hash, hlen);
+#else
+ return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
+ hash, hlen);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+}
+#endif /* MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
+ unsigned char *hash,
+ size_t *hlen)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
+ hash, hlen);
+#else
+ return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
+ hash, hlen);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+}
+#endif /* MBEDTLS_MD_CAN_SHA384 */
+
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex)
+{
+ unsigned char *p = ssl->handshake->premaster;
+ unsigned char *end = p + sizeof(ssl->handshake->premaster);
+ const unsigned char *psk = NULL;
+ size_t psk_len = 0;
+ int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len);
+
+ if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
+ /*
+ * This should never happen because the existence of a PSK is always
+ * checked before calling this function.
+ *
+ * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
+ * the shared secret without PSK.
+ */
+ if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ }
+
+ /*
+ * PMS = struct {
+ * opaque other_secret<0..2^16-1>;
+ * opaque psk<0..2^16-1>;
+ * };
+ * with "other_secret" depending on the particular key exchange
+ */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+ if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
+ p += 2;
+
+ if (end < p || (size_t) (end - p) < psk_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ memset(p, 0, psk_len);
+ p += psk_len;
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+ if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+ /*
+ * other_secret already set by the ClientKeyExchange message,
+ * and is 48 bytes long
+ */
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ *p++ = 0;
+ *p++ = 48;
+ p += 48;
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+ if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ /* Write length only when we know the actual value */
+ if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
+ p + 2, (size_t) (end - (p + 2)), &len,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
+ return ret;
+ }
+ MBEDTLS_PUT_UINT16_BE(len, p, 0);
+ p += 2 + len;
+
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+ if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t zlen;
+
+ if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
+ p + 2, (size_t) (end - (p + 2)),
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
+ return ret;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(zlen, p, 0);
+ p += 2 + zlen;
+
+ MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+ MBEDTLS_DEBUG_ECDH_Z);
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+ {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* opaque psk<0..2^16-1>; */
+ if (end - p < 2) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
+ p += 2;
+
+ if (end < p || (size_t) (end - p) < psk_len) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ memcpy(p, psk, psk_len);
+ p += psk_len;
+
+ ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster);
+
+ return 0;
+}
+#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
+{
+ /* If renegotiation is not enforced, retransmit until we would reach max
+ * timeout if we were using the usual handshake doubling scheme */
+ if (ssl->conf->renego_max_records < 0) {
+ uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
+ unsigned char doublings = 1;
+
+ while (ratio != 0) {
+ ++doublings;
+ ratio >>= 1;
+ }
+
+ if (++ssl->renego_records_seen > doublings) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
+ return 0;
+ }
+ }
+
+ return ssl_write_hello_request(ssl);
+}
+#endif
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Handshake functions
+ */
+#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+/* No certificate support -> dummy functions */
+int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
+
+ if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
+ ssl->state++;
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+}
+
+int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
+
+ if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
+ ssl->state++;
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+}
+
+#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+/* Some certificate support -> implement write and parse */
+
+int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ size_t i, n;
+ const mbedtls_x509_crt *crt;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
+
+ if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
+ ssl->state++;
+ return 0;
+ }
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ if (ssl->handshake->client_auth == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
+ ssl->state++;
+ return 0;
+ }
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ if (mbedtls_ssl_own_cert(ssl) == NULL) {
+ /* Should never happen because we shouldn't have picked the
+ * ciphersuite if we don't have a certificate. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ }
+#endif
+
+ MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
+
+ /*
+ * 0 . 0 handshake type
+ * 1 . 3 handshake length
+ * 4 . 6 length of all certs
+ * 7 . 9 length of cert. 1
+ * 10 . n-1 peer certificate
+ * n . n+2 length of cert. 2
+ * n+3 . ... upper level cert, etc.
+ */
+ i = 7;
+ crt = mbedtls_ssl_own_cert(ssl);
+
+ while (crt != NULL) {
+ n = crt->raw.len;
+ if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
+ " > %" MBEDTLS_PRINTF_SIZET,
+ i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
+ ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
+ ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
+
+ i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
+ i += n; crt = crt->next;
+ }
+
+ ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
+ ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
+ ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
+
+ ssl->out_msglen = i;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
+
+ ssl->state++;
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
+
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
+ unsigned char *crt_buf,
+ size_t crt_buf_len)
+{
+ mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
+
+ if (peer_crt == NULL) {
+ return -1;
+ }
+
+ if (peer_crt->raw.len != crt_buf_len) {
+ return -1;
+ }
+
+ return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
+}
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
+ unsigned char *crt_buf,
+ size_t crt_buf_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char const * const peer_cert_digest =
+ ssl->session->peer_cert_digest;
+ mbedtls_md_type_t const peer_cert_digest_type =
+ ssl->session->peer_cert_digest_type;
+ mbedtls_md_info_t const * const digest_info =
+ mbedtls_md_info_from_type(peer_cert_digest_type);
+ unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
+ size_t digest_len;
+
+ if (peer_cert_digest == NULL || digest_info == NULL) {
+ return -1;
+ }
+
+ digest_len = mbedtls_md_get_size(digest_info);
+ if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
+ return -1;
+ }
+
+ ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
+ if (ret != 0) {
+ return -1;
+ }
+
+ return memcmp(tmp_digest, peer_cert_digest, digest_len);
+}
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
+
+/*
+ * Once the certificate message is read, parse it into a cert chain and
+ * perform basic checks, but leave actual verification to the caller
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
+ mbedtls_x509_crt *chain)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
+ int crt_cnt = 0;
+#endif
+ size_t i, n;
+ uint8_t alert;
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ i = mbedtls_ssl_hs_hdr_len(ssl);
+
+ /*
+ * Same message structure as in mbedtls_ssl_write_certificate()
+ */
+ n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
+
+ if (ssl->in_msg[i] != 0 ||
+ ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
+ i += 3;
+
+ /* Iterate through and parse the CRTs in the provided chain. */
+ while (i < ssl->in_hslen) {
+ /* Check that there's room for the next CRT's length fields. */
+ if (i + 3 > ssl->in_hslen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+ mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
+ * anything beyond 2**16 ~ 64K. */
+ if (ssl->in_msg[i] != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+ mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
+ return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+ }
+
+ /* Read length of the next CRT in the chain. */
+ n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
+ i += 3;
+
+ if (n < 128 || i + n > ssl->in_hslen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+ mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* Check if we're handling the first CRT in the chain. */
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
+ if (crt_cnt++ == 0 &&
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+ /* During client-side renegotiation, check that the server's
+ * end-CRTs hasn't changed compared to the initial handshake,
+ * mitigating the triple handshake attack. On success, reuse
+ * the original end-CRT instead of parsing it again. */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
+ if (ssl_check_peer_crt_unchanged(ssl,
+ &ssl->in_msg[i],
+ n) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
+ mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
+ return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+ }
+
+ /* Now we can safely free the original chain. */
+ ssl_clear_peer_cert(ssl->session);
+ }
+#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
+
+ /* Parse the next certificate in the chain. */
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
+#else
+ /* If we don't need to store the CRT chain permanently, parse
+ * it in-place from the input buffer instead of making a copy. */
+ ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ switch (ret) {
+ case 0: /*ok*/
+ case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
+ /* Ignore certificate with an unknown algorithm: maybe a
+ prior certificate was already trusted. */
+ break;
+
+ case MBEDTLS_ERR_X509_ALLOC_FAILED:
+ alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
+ goto crt_parse_der_failed;
+
+ case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ goto crt_parse_der_failed;
+
+ default:
+ alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+crt_parse_der_failed:
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
+ MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
+ return ret;
+ }
+
+ i += n;
+ }
+
+ MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
+{
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ return -1;
+ }
+
+ if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
+ ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
+ memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
+ return 0;
+ }
+ return -1;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+/* Check if a certificate message is expected.
+ * Return either
+ * - SSL_CERTIFICATE_EXPECTED, or
+ * - SSL_CERTIFICATE_SKIP
+ * indicating whether a Certificate message is expected or not.
+ */
+#define SSL_CERTIFICATE_EXPECTED 0
+#define SSL_CERTIFICATE_SKIP 1
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
+ int authmode)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
+ return SSL_CERTIFICATE_SKIP;
+ }
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+ return SSL_CERTIFICATE_SKIP;
+ }
+
+ if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
+ ssl->session_negotiate->verify_result =
+ MBEDTLS_X509_BADCERT_SKIP_VERIFY;
+ return SSL_CERTIFICATE_SKIP;
+ }
+ }
+#else
+ ((void) authmode);
+#endif /* MBEDTLS_SSL_SRV_C */
+
+ return SSL_CERTIFICATE_EXPECTED;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
+ int authmode,
+ mbedtls_x509_crt *chain,
+ void *rs_ctx)
+{
+ int ret = 0;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+ int have_ca_chain = 0;
+
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+ void *p_vrfy;
+
+ if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
+ return 0;
+ }
+
+ if (ssl->f_vrfy != NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
+ f_vrfy = ssl->f_vrfy;
+ p_vrfy = ssl->p_vrfy;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
+ f_vrfy = ssl->conf->f_vrfy;
+ p_vrfy = ssl->conf->p_vrfy;
+ }
+
+ /*
+ * Main check: verify certificate
+ */
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+ if (ssl->conf->f_ca_cb != NULL) {
+ ((void) rs_ctx);
+ have_ca_chain = 1;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
+ ret = mbedtls_x509_crt_verify_with_ca_cb(
+ chain,
+ ssl->conf->f_ca_cb,
+ ssl->conf->p_ca_cb,
+ ssl->conf->cert_profile,
+ ssl->hostname,
+ &ssl->session_negotiate->verify_result,
+ f_vrfy, p_vrfy);
+ } else
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+ {
+ mbedtls_x509_crt *ca_chain;
+ mbedtls_x509_crl *ca_crl;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->sni_ca_chain != NULL) {
+ ca_chain = ssl->handshake->sni_ca_chain;
+ ca_crl = ssl->handshake->sni_ca_crl;
+ } else
+#endif
+ {
+ ca_chain = ssl->conf->ca_chain;
+ ca_crl = ssl->conf->ca_crl;
+ }
+
+ if (ca_chain != NULL) {
+ have_ca_chain = 1;
+ }
+
+ ret = mbedtls_x509_crt_verify_restartable(
+ chain,
+ ca_chain, ca_crl,
+ ssl->conf->cert_profile,
+ ssl->hostname,
+ &ssl->session_negotiate->verify_result,
+ f_vrfy, p_vrfy, rs_ctx);
+ }
+
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
+ }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+ }
+#endif
+
+ /*
+ * Secondary checks: always done, but change 'ret' only if it was 0
+ */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ {
+ const mbedtls_pk_context *pk = &chain->pk;
+
+ /* If certificate uses an EC key, make sure the curve is OK.
+ * This is a public key, so it can't be opaque, so can_do() is a good
+ * enough check to ensure pk_ec() is safe to use here. */
+ if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
+ /* and in the unlikely case the above assumption no longer holds
+ * we are making sure that pk_ec() here does not return a NULL
+ */
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
+ ssl->session_negotiate->verify_result |=
+ MBEDTLS_X509_BADCERT_BAD_KEY;
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
+ if (ret == 0) {
+ ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+ }
+ }
+ }
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ if (mbedtls_ssl_check_cert_usage(chain,
+ ciphersuite_info,
+ !ssl->conf->endpoint,
+ &ssl->session_negotiate->verify_result) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
+ if (ret == 0) {
+ ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+ }
+ }
+
+ /* mbedtls_x509_crt_verify_with_profile is supposed to report a
+ * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
+ * with details encoded in the verification flags. All other kinds
+ * of error codes, including those from the user provided f_vrfy
+ * functions, are treated as fatal and lead to a failure of
+ * ssl_parse_certificate even if verification was optional. */
+ if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
+ (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+ ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
+ ret = 0;
+ }
+
+ if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
+ ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
+ }
+
+ if (ret != 0) {
+ uint8_t alert;
+
+ /* The certificate may have been rejected for several reasons.
+ Pick one and send the corresponding alert. Which alert to send
+ may be a subject of debate in some cases. */
+ if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
+ alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
+ alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
+ alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
+ alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
+ } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
+ alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
+ } else {
+ alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
+ }
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ alert);
+ }
+
+#if defined(MBEDTLS_DEBUG_C)
+ if (ssl->session_negotiate->verify_result != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
+ (unsigned int) ssl->session_negotiate->verify_result));
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
+ }
+#endif /* MBEDTLS_DEBUG_C */
+
+ return ret;
+}
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
+ unsigned char *start, size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ /* Remember digest of the peer's end-CRT. */
+ ssl->session_negotiate->peer_cert_digest =
+ mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
+ if (ssl->session_negotiate->peer_cert_digest == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
+ MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
+ mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ ret = mbedtls_md(mbedtls_md_info_from_type(
+ MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
+ start, len,
+ ssl->session_negotiate->peer_cert_digest);
+
+ ssl->session_negotiate->peer_cert_digest_type =
+ MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
+ ssl->session_negotiate->peer_cert_digest_len =
+ MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
+
+ return ret;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
+ unsigned char *start, size_t len)
+{
+ unsigned char *end = start + len;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /* Make a copy of the peer's raw public key. */
+ mbedtls_pk_init(&ssl->handshake->peer_pubkey);
+ ret = mbedtls_pk_parse_subpubkey(&start, end,
+ &ssl->handshake->peer_pubkey);
+ if (ret != 0) {
+ /* We should have parsed the public key before. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ return 0;
+}
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+ int crt_expected;
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+ ? ssl->handshake->sni_authmode
+ : ssl->conf->authmode;
+#else
+ const int authmode = ssl->conf->authmode;
+#endif
+ void *rs_ctx = NULL;
+ mbedtls_x509_crt *chain = NULL;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
+
+ crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
+ if (crt_expected == SSL_CERTIFICATE_SKIP) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
+ goto exit;
+ }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled &&
+ ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
+ chain = ssl->handshake->ecrs_peer_cert;
+ ssl->handshake->ecrs_peer_cert = NULL;
+ goto crt_verify;
+ }
+#endif
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ /* mbedtls_ssl_read_record may have sent an alert already. We
+ let it decide whether to alert. */
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ goto exit;
+ }
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
+ ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
+
+ if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
+ ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
+ }
+
+ goto exit;
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+ /* Clear existing peer CRT structure in case we tried to
+ * reuse a session but it failed, and allocate a new one. */
+ ssl_clear_peer_cert(ssl->session_negotiate);
+
+ chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
+ if (chain == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
+ sizeof(mbedtls_x509_crt)));
+ mbedtls_ssl_send_alert_message(ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto exit;
+ }
+ mbedtls_x509_crt_init(chain);
+
+ ret = ssl_parse_certificate_chain(ssl, chain);
+ if (ret != 0) {
+ goto exit;
+ }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled) {
+ ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
+ }
+
+crt_verify:
+ if (ssl->handshake->ecrs_enabled) {
+ rs_ctx = &ssl->handshake->ecrs_ctx;
+ }
+#endif
+
+ ret = ssl_parse_certificate_verify(ssl, authmode,
+ chain, rs_ctx);
+ if (ret != 0) {
+ goto exit;
+ }
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ {
+ unsigned char *crt_start, *pk_start;
+ size_t crt_len, pk_len;
+
+ /* We parse the CRT chain without copying, so
+ * these pointers point into the input buffer,
+ * and are hence still valid after freeing the
+ * CRT chain. */
+
+ crt_start = chain->raw.p;
+ crt_len = chain->raw.len;
+
+ pk_start = chain->pk_raw.p;
+ pk_len = chain->pk_raw.len;
+
+ /* Free the CRT structures before computing
+ * digest and copying the peer's public key. */
+ mbedtls_x509_crt_free(chain);
+ mbedtls_free(chain);
+ chain = NULL;
+
+ ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
+ if (ret != 0) {
+ goto exit;
+ }
+ }
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ /* Pass ownership to session structure. */
+ ssl->session_negotiate->peer_cert = chain;
+ chain = NULL;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
+
+exit:
+
+ if (ret == 0) {
+ ssl->state++;
+ }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
+ ssl->handshake->ecrs_peer_cert = chain;
+ chain = NULL;
+ }
+#endif
+
+ if (chain != NULL) {
+ mbedtls_x509_crt_free(chain);
+ mbedtls_free(chain);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
+ unsigned char *padbuf, size_t hlen,
+ unsigned char *buf, int from)
+{
+ unsigned int len = 12;
+ const char *sender;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status;
+ psa_hash_operation_t *hs_op = ctx;
+ psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
+ size_t hash_size;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_context_t *hs_ctx = ctx;
+ mbedtls_md_context_t cloned_ctx;
+ mbedtls_md_init(&cloned_ctx);
+#endif
+
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+ if (!session) {
+ session = ssl->session;
+ }
+
+ sender = (from == MBEDTLS_SSL_IS_CLIENT)
+ ? "client finished"
+ : "server finished";
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
+
+ status = psa_hash_clone(hs_op, &cloned_op);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+ MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
+#else
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
+
+ ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_finish(&cloned_ctx, padbuf);
+ if (ret != 0) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
+
+ /*
+ * TLSv1.2:
+ * hash = PRF( master, finished_label,
+ * Hash( handshake ) )[0.11]
+ */
+ ssl->handshake->tls_prf(session->master, 48, sender,
+ padbuf, hlen, buf, len);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
+
+ mbedtls_platform_zeroize(padbuf, hlen);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
+
+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_abort(&cloned_op);
+ return mbedtls_md_error_from_psa(status);
+#else
+ mbedtls_md_free(&cloned_ctx);
+ return ret;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+}
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+static int ssl_calc_finished_tls_sha256(
+ mbedtls_ssl_context *ssl, unsigned char *buf, int from)
+{
+ unsigned char padbuf[32];
+ return ssl_calc_finished_tls_generic(ssl,
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ &ssl->handshake->fin_sha256_psa,
+#else
+ &ssl->handshake->fin_sha256,
+#endif
+ padbuf, sizeof(padbuf),
+ buf, from);
+}
+#endif /* MBEDTLS_MD_CAN_SHA256*/
+
+
+#if defined(MBEDTLS_MD_CAN_SHA384)
+static int ssl_calc_finished_tls_sha384(
+ mbedtls_ssl_context *ssl, unsigned char *buf, int from)
+{
+ unsigned char padbuf[48];
+ return ssl_calc_finished_tls_generic(ssl,
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ &ssl->handshake->fin_sha384_psa,
+#else
+ &ssl->handshake->fin_sha384,
+#endif
+ padbuf, sizeof(padbuf),
+ buf, from);
+}
+#endif /* MBEDTLS_MD_CAN_SHA384*/
+
+void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
+{
+ MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
+
+ /*
+ * Free our handshake params
+ */
+ mbedtls_ssl_handshake_free(ssl);
+ mbedtls_free(ssl->handshake);
+ ssl->handshake = NULL;
+
+ /*
+ * Free the previous transform and switch in the current one
+ */
+ if (ssl->transform) {
+ mbedtls_ssl_transform_free(ssl->transform);
+ mbedtls_free(ssl->transform);
+ }
+ ssl->transform = ssl->transform_negotiate;
+ ssl->transform_negotiate = NULL;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
+}
+
+void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
+{
+ int resume = ssl->handshake->resume;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+ ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
+ ssl->renego_records_seen = 0;
+ }
+#endif
+
+ /*
+ * Free the previous session and switch in the current one
+ */
+ if (ssl->session) {
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ /* RFC 7366 3.1: keep the EtM state */
+ ssl->session_negotiate->encrypt_then_mac =
+ ssl->session->encrypt_then_mac;
+#endif
+
+ mbedtls_ssl_session_free(ssl->session);
+ mbedtls_free(ssl->session);
+ }
+ ssl->session = ssl->session_negotiate;
+ ssl->session_negotiate = NULL;
+
+ /*
+ * Add cache entry
+ */
+ if (ssl->conf->f_set_cache != NULL &&
+ ssl->session->id_len != 0 &&
+ resume == 0) {
+ if (ssl->conf->f_set_cache(ssl->conf->p_cache,
+ ssl->session->id,
+ ssl->session->id_len,
+ ssl->session) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
+ }
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->handshake->flight != NULL) {
+ /* Cancel handshake timer */
+ mbedtls_ssl_set_timer(ssl, 0);
+
+ /* Keep last flight around in case we need to resend it:
+ * we need the handshake and transform structures for that */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
+ } else
+#endif
+ mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
+
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
+}
+
+int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
+{
+ int ret;
+ unsigned int hash_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
+
+ mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
+
+ ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
+ }
+
+ /*
+ * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
+ * may define some other value. Currently (early 2016), no defined
+ * ciphersuite does this (and this is unlikely to change as activity has
+ * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
+ */
+ hash_len = 12;
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ ssl->verify_data_len = hash_len;
+ memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
+#endif
+
+ ssl->out_msglen = 4 + hash_len;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
+
+ /*
+ * In case of session resuming, invert the client and server
+ * ChangeCipherSpec messages order.
+ */
+ if (ssl->handshake->resume != 0) {
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ }
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+ }
+#endif
+ } else {
+ ssl->state++;
+ }
+
+ /*
+ * Switch to our negotiated transform and session parameters for outbound
+ * data.
+ */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ unsigned char i;
+
+ /* Remember current epoch settings for resending */
+ ssl->handshake->alt_transform_out = ssl->transform_out;
+ memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
+ sizeof(ssl->handshake->alt_out_ctr));
+
+ /* Set sequence_number to zero */
+ memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
+
+
+ /* Increment epoch */
+ for (i = 2; i > 0; i--) {
+ if (++ssl->cur_out_ctr[i - 1] != 0) {
+ break;
+ }
+ }
+
+ /* The loop goes to its end iff the counter is wrapping */
+ if (i == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
+ return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
+ }
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
+
+ ssl->transform_out = ssl->transform_negotiate;
+ ssl->session_out = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ mbedtls_ssl_send_flight_completed(ssl);
+ }
+#endif
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
+ return ret;
+ }
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
+
+ return 0;
+}
+
+#define SSL_MAX_HASH_LEN 12
+
+int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned int hash_len = 12;
+ unsigned char buf[SSL_MAX_HASH_LEN];
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
+
+ ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
+ }
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ goto exit;
+ }
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+ ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ goto exit;
+ }
+
+ if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+ ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ goto exit;
+ }
+
+ if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
+ goto exit;
+ }
+
+ if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
+ buf, hash_len) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
+ ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ goto exit;
+ }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ ssl->verify_data_len = hash_len;
+ memcpy(ssl->peer_verify_data, buf, hash_len);
+#endif
+
+ if (ssl->handshake->resume != 0) {
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+ }
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ }
+#endif
+ } else {
+ ssl->state++;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ mbedtls_ssl_recv_flight_completed(ssl);
+ }
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
+
+exit:
+ mbedtls_platform_zeroize(buf, hash_len);
+ return ret;
+}
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+/*
+ * Helper to get TLS 1.2 PRF from ciphersuite
+ * (Duplicates bits of logic from ssl_set_handshake_prfs().)
+ */
+static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
+{
+ const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
+ mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
+ return tls_prf_sha384;
+ } else
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ {
+ if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
+ return tls_prf_sha256;
+ }
+ }
+#endif
+#if !defined(MBEDTLS_MD_CAN_SHA384) && \
+ !defined(MBEDTLS_MD_CAN_SHA256)
+ (void) ciphersuite_info;
+#endif
+
+ return NULL;
+}
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+
+static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
+{
+ ((void) tls_prf);
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ if (tls_prf == tls_prf_sha384) {
+ return MBEDTLS_SSL_TLS_PRF_SHA384;
+ } else
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ if (tls_prf == tls_prf_sha256) {
+ return MBEDTLS_SSL_TLS_PRF_SHA256;
+ } else
+#endif
+ return MBEDTLS_SSL_TLS_PRF_NONE;
+}
+
+/*
+ * Populate a transform structure with session keys and all the other
+ * necessary information.
+ *
+ * Parameters:
+ * - [in/out]: transform: structure to populate
+ * [in] must be just initialised with mbedtls_ssl_transform_init()
+ * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
+ * - [in] ciphersuite
+ * - [in] master
+ * - [in] encrypt_then_mac
+ * - [in] tls_prf: pointer to PRF to use for key derivation
+ * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
+ * - [in] tls_version: TLS version
+ * - [in] endpoint: client or server
+ * - [in] ssl: used for:
+ * - ssl->conf->{f,p}_export_keys
+ * [in] optionally used for:
+ * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
+ int ciphersuite,
+ const unsigned char master[48],
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ int encrypt_then_mac,
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+ ssl_tls_prf_t tls_prf,
+ const unsigned char randbytes[64],
+ mbedtls_ssl_protocol_version tls_version,
+ unsigned endpoint,
+ const mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+ unsigned char keyblk[256];
+ unsigned char *key1;
+ unsigned char *key2;
+ unsigned char *mac_enc;
+ unsigned char *mac_dec;
+ size_t mac_key_len = 0;
+ size_t iv_copy_len;
+ size_t keylen;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ mbedtls_ssl_mode_t ssl_mode;
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ const mbedtls_cipher_info_t *cipher_info;
+ const mbedtls_md_info_t *md_info;
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_key_type_t key_type;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg;
+ psa_algorithm_t mac_alg = 0;
+ size_t key_bits;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#endif
+
+ /*
+ * Some data just needs copying into the structure
+ */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ transform->encrypt_then_mac = encrypt_then_mac;
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+ transform->tls_version = tls_version;
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+ memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
+ /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
+ * generation separate. This should never happen. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ /*
+ * Get various info structures
+ */
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
+ if (ciphersuite_info == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
+ ciphersuite));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ encrypt_then_mac,
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+ ciphersuite_info);
+
+ if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
+ transform->taglen =
+ ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
+ transform->taglen,
+ &alg,
+ &key_type,
+ &key_bits)) != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
+ goto end;
+ }
+#else
+ cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher);
+ if (cipher_info == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
+ ciphersuite_info->cipher));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
+ if (mac_alg == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
+ (unsigned) ciphersuite_info->mac));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+#else
+ md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
+ if (md_info == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
+ (unsigned) ciphersuite_info->mac));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ /* Copy own and peer's CID if the use of the CID
+ * extension has been negotiated. */
+ if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
+
+ transform->in_cid_len = ssl->own_cid_len;
+ memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
+ MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
+ transform->in_cid_len);
+
+ transform->out_cid_len = ssl->handshake->peer_cid_len;
+ memcpy(transform->out_cid, ssl->handshake->peer_cid,
+ ssl->handshake->peer_cid_len);
+ MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
+ transform->out_cid_len);
+ }
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ /*
+ * Compute key block using the PRF
+ */
+ ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
+ mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
+ MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
+ MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
+ MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
+
+ /*
+ * Determine the appropriate key, IV and MAC length.
+ */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ keylen = PSA_BITS_TO_BYTES(key_bits);
+#else
+ keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
+#endif
+
+#if defined(MBEDTLS_SSL_HAVE_AEAD)
+ if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
+ size_t explicit_ivlen;
+
+ transform->maclen = 0;
+ mac_key_len = 0;
+
+ /* All modes haves 96-bit IVs, but the length of the static parts vary
+ * with mode and version:
+ * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
+ * (to be concatenated with a dynamically chosen IV of 8 Bytes)
+ * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
+ * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
+ * sequence number).
+ */
+ transform->ivlen = 12;
+
+ int is_chachapoly = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
+#else
+ is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info)
+ == MBEDTLS_MODE_CHACHAPOLY);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (is_chachapoly) {
+ transform->fixed_ivlen = 12;
+ } else {
+ transform->fixed_ivlen = 4;
+ }
+
+ /* Minimum length of encrypted record */
+ explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
+ transform->minlen = explicit_ivlen + transform->taglen;
+ } else
+#endif /* MBEDTLS_SSL_HAVE_AEAD */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC ||
+ ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
+#else
+ size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ /* Get MAC length */
+ mac_key_len = PSA_HASH_LENGTH(mac_alg);
+#else
+ /* Initialize HMAC contexts */
+ if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
+ (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
+ goto end;
+ }
+
+ /* Get MAC length */
+ mac_key_len = mbedtls_md_get_size(md_info);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ transform->maclen = mac_key_len;
+
+ /* IV length */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
+#else
+ transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /* Minimum length */
+ if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
+ transform->minlen = transform->maclen;
+ } else {
+ /*
+ * GenericBlockCipher:
+ * 1. if EtM is in use: one block plus MAC
+ * otherwise: * first multiple of blocklen greater than maclen
+ * 2. IV
+ */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
+ transform->minlen = transform->maclen
+ + block_size;
+ } else
+#endif
+ {
+ transform->minlen = transform->maclen
+ + block_size
+ - transform->maclen % block_size;
+ }
+
+ if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
+ transform->minlen += transform->ivlen;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto end;
+ }
+ }
+ } else
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+ {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
+ (unsigned) keylen,
+ (unsigned) transform->minlen,
+ (unsigned) transform->ivlen,
+ (unsigned) transform->maclen));
+
+ /*
+ * Finally setup the cipher contexts, IVs and MAC secrets.
+ */
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ key1 = keyblk + mac_key_len * 2;
+ key2 = keyblk + mac_key_len * 2 + keylen;
+
+ mac_enc = keyblk;
+ mac_dec = keyblk + mac_key_len;
+
+ iv_copy_len = (transform->fixed_ivlen) ?
+ transform->fixed_ivlen : transform->ivlen;
+ memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
+ memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
+ iv_copy_len);
+ } else
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (endpoint == MBEDTLS_SSL_IS_SERVER) {
+ key1 = keyblk + mac_key_len * 2 + keylen;
+ key2 = keyblk + mac_key_len * 2;
+
+ mac_enc = keyblk + mac_key_len;
+ mac_dec = keyblk;
+
+ iv_copy_len = (transform->fixed_ivlen) ?
+ transform->fixed_ivlen : transform->ivlen;
+ memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
+ memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
+ iv_copy_len);
+ } else
+#endif /* MBEDTLS_SSL_SRV_C */
+ {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto end;
+ }
+
+ if (ssl->f_export_keys != NULL) {
+ ssl->f_export_keys(ssl->p_export_keys,
+ MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
+ master, 48,
+ randbytes + 32,
+ randbytes,
+ tls_prf_get_type(tls_prf));
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ transform->psa_alg = alg;
+
+ if (alg != MBEDTLS_SSL_NULL_CIPHER) {
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ if ((status = psa_import_key(&attributes,
+ key1,
+ PSA_BITS_TO_BYTES(key_bits),
+ &transform->psa_key_enc)) != PSA_SUCCESS) {
+ MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
+ goto end;
+ }
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
+
+ if ((status = psa_import_key(&attributes,
+ key2,
+ PSA_BITS_TO_BYTES(key_bits),
+ &transform->psa_key_dec)) != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
+ goto end;
+ }
+ }
+#else
+ if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
+ cipher_info)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
+ goto end;
+ }
+
+ if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
+ cipher_info)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
+ goto end;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
+ (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
+ MBEDTLS_ENCRYPT)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
+ goto end;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
+ (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
+ MBEDTLS_DECRYPT)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
+ goto end;
+ }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) {
+ if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
+ MBEDTLS_PADDING_NONE)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
+ goto end;
+ }
+
+ if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
+ MBEDTLS_PADDING_NONE)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
+ goto end;
+ }
+ }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
+ /* For HMAC-based ciphersuites, initialize the HMAC transforms.
+ For AEAD-based ciphersuites, there is nothing to do here. */
+ if (mac_key_len != 0) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+
+ if ((status = psa_import_key(&attributes,
+ mac_enc, mac_key_len,
+ &transform->psa_mac_enc)) != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
+ goto end;
+ }
+
+ if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
+ ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
+#endif
+ )) {
+ /* mbedtls_ct_hmac() requires the key to be exportable */
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ } else {
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ }
+
+ if ((status = psa_import_key(&attributes,
+ mac_dec, mac_key_len,
+ &transform->psa_mac_dec)) != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
+ goto end;
+ }
+#else
+ ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
+ if (ret != 0) {
+ goto end;
+ }
+ ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
+ if (ret != 0) {
+ goto end;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ }
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
+
+ ((void) mac_dec);
+ ((void) mac_enc);
+
+end:
+ mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
+ return ret;
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
+ defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_psa_ecjpake_read_round(
+ psa_pake_operation_t *pake_ctx,
+ const unsigned char *buf,
+ size_t len, mbedtls_ecjpake_rounds_t round)
+{
+ psa_status_t status;
+ size_t input_offset = 0;
+ /*
+ * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
+ * At round two perform a single cycle
+ */
+ unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
+
+ for (; remaining_steps > 0; remaining_steps--) {
+ for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
+ step <= PSA_PAKE_STEP_ZK_PROOF;
+ ++step) {
+ /* Length is stored at the first byte */
+ size_t length = buf[input_offset];
+ input_offset += 1;
+
+ if (input_offset + length > len) {
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ status = psa_pake_input(pake_ctx, step,
+ buf + input_offset, length);
+ if (status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ input_offset += length;
+ }
+ }
+
+ if (input_offset != len) {
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ return 0;
+}
+
+int mbedtls_psa_ecjpake_write_round(
+ psa_pake_operation_t *pake_ctx,
+ unsigned char *buf,
+ size_t len, size_t *olen,
+ mbedtls_ecjpake_rounds_t round)
+{
+ psa_status_t status;
+ size_t output_offset = 0;
+ size_t output_len;
+ /*
+ * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
+ * At round two perform a single cycle
+ */
+ unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
+
+ for (; remaining_steps > 0; remaining_steps--) {
+ for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
+ step <= PSA_PAKE_STEP_ZK_PROOF;
+ ++step) {
+ /*
+ * For each step, prepend 1 byte with the length of the data as
+ * given by psa_pake_output().
+ */
+ status = psa_pake_output(pake_ctx, step,
+ buf + output_offset + 1,
+ len - output_offset - 1,
+ &output_len);
+ if (status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ *(buf + output_offset) = (uint8_t) output_len;
+
+ output_offset += output_len + 1;
+ }
+ }
+
+ *olen = output_offset;
+
+ return 0;
+}
+#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
+ unsigned char *hash, size_t *hashlen,
+ unsigned char *data, size_t data_len,
+ mbedtls_md_type_t md_alg)
+{
+ psa_status_t status;
+ psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
+ psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
+
+ if ((status = psa_hash_setup(&hash_operation,
+ hash_alg)) != PSA_SUCCESS) {
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
+ goto exit;
+ }
+
+ if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
+ 64)) != PSA_SUCCESS) {
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
+ goto exit;
+ }
+
+ if ((status = psa_hash_update(&hash_operation,
+ data, data_len)) != PSA_SUCCESS) {
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
+ goto exit;
+ }
+
+ if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
+ hashlen)) != PSA_SUCCESS) {
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
+ goto exit;
+ }
+
+exit:
+ if (status != PSA_SUCCESS) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+ switch (status) {
+ case PSA_ERROR_NOT_SUPPORTED:
+ return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
+ case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
+ case PSA_ERROR_BUFFER_TOO_SMALL:
+ return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
+ case PSA_ERROR_INSUFFICIENT_MEMORY:
+ return MBEDTLS_ERR_MD_ALLOC_FAILED;
+ default:
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+ }
+ return 0;
+}
+
+#else
+
+int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
+ unsigned char *hash, size_t *hashlen,
+ unsigned char *data, size_t data_len,
+ mbedtls_md_type_t md_alg)
+{
+ int ret = 0;
+ mbedtls_md_context_t ctx;
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
+ *hashlen = mbedtls_md_get_size(md_info);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
+
+ mbedtls_md_init(&ctx);
+
+ /*
+ * digitally-signed struct {
+ * opaque client_random[32];
+ * opaque server_random[32];
+ * ServerDHParams params;
+ * };
+ */
+ if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
+ goto exit;
+ }
+ if ((ret = mbedtls_md_starts(&ctx)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
+ goto exit;
+ }
+ if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
+ goto exit;
+ }
+ if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
+ goto exit;
+ }
+
+exit:
+ mbedtls_md_free(&ctx);
+
+ if (ret != 0) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+/* Find the preferred hash for a given signature algorithm. */
+unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ mbedtls_ssl_context *ssl,
+ unsigned int sig_alg)
+{
+ unsigned int i;
+ uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
+
+ if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
+ return MBEDTLS_SSL_HASH_NONE;
+ }
+
+ for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
+ unsigned int hash_alg_received =
+ MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
+ received_sig_algs[i]);
+ unsigned int sig_alg_received =
+ MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
+ received_sig_algs[i]);
+
+ mbedtls_md_type_t md_alg =
+ mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
+ if (md_alg == MBEDTLS_MD_NONE) {
+ continue;
+ }
+
+ if (sig_alg == sig_alg_received) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
+ psa_algorithm_t psa_hash_alg =
+ mbedtls_md_psa_alg_from_type(md_alg);
+
+ if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
+ !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
+ PSA_ALG_ECDSA(psa_hash_alg),
+ PSA_KEY_USAGE_SIGN_HASH)) {
+ continue;
+ }
+
+ if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
+ !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
+ PSA_ALG_RSA_PKCS1V15_SIGN(
+ psa_hash_alg),
+ PSA_KEY_USAGE_SIGN_HASH)) {
+ continue;
+ }
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ return hash_alg_received;
+ }
+ }
+
+ return MBEDTLS_SSL_HASH_NONE;
+}
+
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+int mbedtls_ssl_validate_ciphersuite(
+ const mbedtls_ssl_context *ssl,
+ const mbedtls_ssl_ciphersuite_t *suite_info,
+ mbedtls_ssl_protocol_version min_tls_version,
+ mbedtls_ssl_protocol_version max_tls_version)
+{
+ (void) ssl;
+
+ if (suite_info == NULL) {
+ return -1;
+ }
+
+ if ((suite_info->min_tls_version > max_tls_version) ||
+ (suite_info->max_tls_version < min_tls_version)) {
+ return -1;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+ ssl->handshake->psa_pake_ctx_is_ok != 1)
+#else
+ if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+ mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ return -1;
+ }
+#endif
+
+ /* Don't suggest PSK-based ciphersuite if no PSK is available. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
+ mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
+ return -1;
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+/*
+ * Function for writing a signature algorithm extension.
+ *
+ * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
+ * value (TLS 1.3 RFC8446):
+ * enum {
+ * ....
+ * ecdsa_secp256r1_sha256( 0x0403 ),
+ * ecdsa_secp384r1_sha384( 0x0503 ),
+ * ecdsa_secp521r1_sha512( 0x0603 ),
+ * ....
+ * } SignatureScheme;
+ *
+ * struct {
+ * SignatureScheme supported_signature_algorithms<2..2^16-2>;
+ * } SignatureSchemeList;
+ *
+ * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
+ * value (TLS 1.2 RFC5246):
+ * enum {
+ * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
+ * sha512(6), (255)
+ * } HashAlgorithm;
+ *
+ * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
+ * SignatureAlgorithm;
+ *
+ * struct {
+ * HashAlgorithm hash;
+ * SignatureAlgorithm signature;
+ * } SignatureAndHashAlgorithm;
+ *
+ * SignatureAndHashAlgorithm
+ * supported_signature_algorithms<2..2^16-2>;
+ *
+ * The TLS 1.3 signature algorithm extension was defined to be a compatible
+ * generalization of the TLS 1.2 signature algorithm extension.
+ * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
+ * `SignatureScheme` field of TLS 1.3
+ *
+ */
+int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
+ const unsigned char *end, size_t *out_len)
+{
+ unsigned char *p = buf;
+ unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
+ size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
+
+ *out_len = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
+
+ /* Check if we have space for header and length field:
+ * - extension_type (2 bytes)
+ * - extension_data_length (2 bytes)
+ * - supported_signature_algorithms_length (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+ p += 6;
+
+ /*
+ * Write supported_signature_algorithms
+ */
+ supported_sig_alg = p;
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
+ if (sig_alg == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+
+ for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
+ *sig_alg,
+ mbedtls_ssl_sig_alg_to_str(*sig_alg)));
+ if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
+ continue;
+ }
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
+ p += 2;
+ MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
+ *sig_alg,
+ mbedtls_ssl_sig_alg_to_str(*sig_alg)));
+ }
+
+ /* Length of supported_signature_algorithms */
+ supported_sig_alg_len = (size_t) (p - supported_sig_alg);
+ if (supported_sig_alg_len == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
+ MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
+ MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
+
+ *out_len = (size_t) (p - buf);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+/*
+ * mbedtls_ssl_parse_server_name_ext
+ *
+ * Structure of server_name extension:
+ *
+ * enum {
+ * host_name(0), (255)
+ * } NameType;
+ * opaque HostName<1..2^16-1>;
+ *
+ * struct {
+ * NameType name_type;
+ * select (name_type) {
+ * case host_name: HostName;
+ * } name;
+ * } ServerName;
+ * struct {
+ * ServerName server_name_list<1..2^16-1>
+ * } ServerNameList;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ size_t server_name_list_len, hostname_len;
+ const unsigned char *server_name_list_end;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
+ server_name_list_end = p + server_name_list_len;
+ while (p < server_name_list_end) {
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
+ hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
+ hostname_len + 3);
+
+ if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
+ /* sni_name is intended to be used only during the parsing of the
+ * ClientHello message (it is reset to NULL before the end of
+ * the message parsing). Thus it is ok to just point to the
+ * reception buffer and not make a copy of it.
+ */
+ ssl->handshake->sni_name = p + 3;
+ ssl->handshake->sni_name_len = hostname_len;
+ if (ssl->conf->f_sni == NULL) {
+ return 0;
+ }
+ ret = ssl->conf->f_sni(ssl->conf->p_sni,
+ ssl, p + 3, hostname_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
+ MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
+ return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
+ }
+ return 0;
+ }
+
+ p += hostname_len + 3;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ const unsigned char *p = buf;
+ size_t protocol_name_list_len;
+ const unsigned char *protocol_name_list;
+ const unsigned char *protocol_name_list_end;
+ size_t protocol_name_len;
+
+ /* If ALPN not configured, just ignore the extension */
+ if (ssl->conf->alpn_list == NULL) {
+ return 0;
+ }
+
+ /*
+ * RFC7301, section 3.1
+ * opaque ProtocolName<1..2^8-1>;
+ *
+ * struct {
+ * ProtocolName protocol_name_list<2..2^16-1>
+ * } ProtocolNameList;
+ */
+
+ /*
+ * protocol_name_list_len 2 bytes
+ * protocol_name_len 1 bytes
+ * protocol_name >=1 byte
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
+
+ protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
+ protocol_name_list = p;
+ protocol_name_list_end = p + protocol_name_list_len;
+
+ /* Validate peer's list (lengths) */
+ while (p < protocol_name_list_end) {
+ protocol_name_len = *p++;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
+ protocol_name_len);
+ if (protocol_name_len == 0) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ p += protocol_name_len;
+ }
+
+ /* Use our order of preference */
+ for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
+ size_t const alpn_len = strlen(*alpn);
+ p = protocol_name_list;
+ while (p < protocol_name_list_end) {
+ protocol_name_len = *p++;
+ if (protocol_name_len == alpn_len &&
+ memcmp(p, *alpn, alpn_len) == 0) {
+ ssl->alpn_chosen = *alpn;
+ return 0;
+ }
+
+ p += protocol_name_len;
+ }
+ }
+
+ /* If we get here, no match was found */
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
+ MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
+ return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
+}
+
+int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ size_t protocol_name_len;
+ *out_len = 0;
+
+ if (ssl->alpn_chosen == NULL) {
+ return 0;
+ }
+
+ protocol_name_len = strlen(ssl->alpn_chosen);
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
+ /*
+ * 0 . 1 ext identifier
+ * 2 . 3 ext length
+ * 4 . 5 protocol list length
+ * 6 . 6 protocol name length
+ * 7 . 7+n protocol name
+ */
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
+
+ *out_len = 7 + protocol_name_len;
+
+ MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
+ MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
+ /* Note: the length of the chosen protocol has been checked to be less
+ * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
+ */
+ p[6] = MBEDTLS_BYTE_0(protocol_name_len);
+
+ memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
+#endif
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+ defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
+ const char *hostname)
+{
+ /* Initialize to suppress unnecessary compiler warning */
+ size_t hostname_len = 0;
+
+ /* Check if new hostname is valid before
+ * making any change to current one */
+ if (hostname != NULL) {
+ hostname_len = strlen(hostname);
+
+ if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ }
+
+ /* Now it's clear that we will overwrite the old hostname,
+ * so we can free it safely */
+ if (session->hostname != NULL) {
+ mbedtls_zeroize_and_free(session->hostname,
+ strlen(session->hostname));
+ }
+
+ /* Passing NULL as hostname shall clear the old one */
+ if (hostname == NULL) {
+ session->hostname = NULL;
+ } else {
+ session->hostname = mbedtls_calloc(1, hostname_len + 1);
+ if (session->hostname == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(session->hostname, hostname, hostname_len);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
+ MBEDTLS_SSL_SESSION_TICKETS &&
+ MBEDTLS_SSL_SERVER_NAME_INDICATION &&
+ MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
+ defined(MBEDTLS_SSL_ALPN)
+int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
+ const char *alpn)
+{
+ size_t alpn_len = 0;
+
+ if (alpn != NULL) {
+ alpn_len = strlen(alpn);
+
+ if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+ }
+
+ if (session->ticket_alpn != NULL) {
+ mbedtls_zeroize_and_free(session->ticket_alpn,
+ strlen(session->ticket_alpn));
+ session->ticket_alpn = NULL;
+ }
+
+ if (alpn != NULL) {
+ session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
+ if (session->ticket_alpn == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ memcpy(session->ticket_alpn, alpn, alpn_len);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
new file mode 100644
index 0000000..eac6a3a
--- /dev/null
+++ b/library/ssl_tls12_client.c
@@ -0,0 +1,3601 @@
+/*
+ * TLS client-side functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/ssl.h"
+#include "ssl_client.h"
+#include "ssl_misc.h"
+#include "debug_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/constant_time.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa_util_internal.h"
+#include "psa/crypto.h"
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#include <string.h>
+
+#include <stdint.h>
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#include "mbedtls/platform_util.h"
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+
+ *olen = 0;
+
+ /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
+ * initial ClientHello, in which case also adding the renegotiation
+ * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
+ if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, adding renegotiation extension"));
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
+
+ /*
+ * Secure renegotiation
+ */
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
+ *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
+
+ memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
+
+ *olen = 5 + ssl->verify_data_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ (void) ssl; /* ssl used for debugging only */
+
+ *olen = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, adding supported_point_formats extension"));
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = 2;
+
+ *p++ = 1;
+ *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+ *olen = 6;
+
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ size_t kkpp_len = 0;
+
+ *olen = 0;
+
+ /* Skip costly extension if we can't use EC J-PAKE anyway */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
+ return 0;
+ }
+#else
+ if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
+ return 0;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, adding ecjpake_kkpp extension"));
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
+ p += 2;
+
+ /*
+ * We may need to send ClientHello multiple times for Hello verification.
+ * We don't want to compute fresh values every time (both for performance
+ * and consistency reasons), so cache the extension content.
+ */
+ if (ssl->handshake->ecjpake_cache == NULL ||
+ ssl->handshake->ecjpake_cache_len == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
+ p + 2, end - p - 2, &kkpp_len,
+ MBEDTLS_ECJPAKE_ROUND_ONE);
+ if (ret != 0) {
+ psa_destroy_key(ssl->handshake->psa_pake_password);
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
+ return ret;
+ }
+#else
+ ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
+ p + 2, end - p - 2, &kkpp_len,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "mbedtls_ecjpake_write_round_one", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
+ if (ssl->handshake->ecjpake_cache == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
+ ssl->handshake->ecjpake_cache_len = kkpp_len;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
+
+ kkpp_len = ssl->handshake->ecjpake_cache_len;
+ MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
+
+ memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
+ }
+
+ MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
+ p += 2;
+
+ *olen = kkpp_len + 4;
+
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ size_t ext_len;
+
+ /*
+ * struct {
+ * opaque cid<0..2^8-1>;
+ * } ConnectionId;
+ */
+
+ *olen = 0;
+ if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+ ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
+ return 0;
+ }
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
+
+ /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
+ * which is at most 255, so the increment cannot overflow. */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
+
+ /* Add extension ID + size */
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
+ p += 2;
+ ext_len = (size_t) ssl->own_cid_len + 1;
+ MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
+ p += 2;
+
+ *p++ = (uint8_t) ssl->own_cid_len;
+ memcpy(p, ssl->own_cid, ssl->own_cid_len);
+
+ *olen = ssl->own_cid_len + 5;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+
+ *olen = 0;
+
+ if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, adding max_fragment_length extension"));
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = 1;
+
+ *p++ = ssl->conf->mfl_code;
+
+ *olen = 5;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+
+ *olen = 0;
+
+ if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, adding encrypt_then_mac extension"));
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = 0x00;
+
+ *olen = 4;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+
+ *olen = 0;
+
+ if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, adding extended_master_secret extension"));
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = 0x00;
+
+ *olen = 4;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ size_t tlen = ssl->session_negotiate->ticket_len;
+
+ *olen = 0;
+
+ if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, adding session ticket extension"));
+
+ /* The addition is safe here since the ticket length is 16 bit. */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
+ p += 2;
+
+ MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
+ p += 2;
+
+ *olen = 4;
+
+ if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
+
+ memcpy(p, ssl->session_negotiate->ticket, tlen);
+
+ *olen += tlen;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ size_t protection_profiles_index = 0, ext_len = 0;
+ uint16_t mki_len = 0, profile_value = 0;
+
+ *olen = 0;
+
+ if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+ (ssl->conf->dtls_srtp_profile_list == NULL) ||
+ (ssl->conf->dtls_srtp_profile_list_len == 0)) {
+ return 0;
+ }
+
+ /* RFC 5764 section 4.1.1
+ * uint8 SRTPProtectionProfile[2];
+ *
+ * struct {
+ * SRTPProtectionProfiles SRTPProtectionProfiles;
+ * opaque srtp_mki<0..255>;
+ * } UseSRTPData;
+ * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
+ */
+ if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
+ mki_len = ssl->dtls_srtp_info.mki_len;
+ }
+ /* Extension length = 2 bytes for profiles length,
+ * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
+ * 1 byte for srtp_mki vector length and the mki_len value
+ */
+ ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
+
+ /* Check there is room in the buffer for the extension + 4 bytes
+ * - the extension tag (2 bytes)
+ * - the extension length (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
+ p += 2;
+
+ MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
+ p += 2;
+
+ /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
+ /* micro-optimization:
+ * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
+ * which is lower than 127, so the upper byte of the length is always 0
+ * For the documentation, the more generic code is left in comments
+ * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
+ * >> 8 ) & 0xFF );
+ */
+ *p++ = 0;
+ *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
+
+ for (protection_profiles_index = 0;
+ protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
+ protection_profiles_index++) {
+ profile_value = mbedtls_ssl_check_srtp_profile_value
+ (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
+ if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
+ profile_value));
+ MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
+ p += 2;
+ } else {
+ /*
+ * Note: we shall never arrive here as protection profiles
+ * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
+ */
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, "
+ "illegal DTLS-SRTP protection profile %d",
+ ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
+ ));
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ }
+
+ *p++ = mki_len & 0xFF;
+
+ if (mki_len != 0) {
+ memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
+ /*
+ * Increment p to point to the current position.
+ */
+ p += mki_len;
+ MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
+ ssl->dtls_srtp_info.mki_len);
+ }
+
+ /*
+ * total extension length: extension type (2 bytes)
+ * + extension length (2 bytes)
+ * + protection profile length (2 bytes)
+ * + 2 * number of protection profiles
+ * + srtp_mki vector length(1 byte)
+ * + mki value
+ */
+ *olen = p - buf;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ int uses_ec,
+ size_t *out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ size_t ext_len = 0;
+
+ (void) ssl;
+ (void) end;
+ (void) uses_ec;
+ (void) ret;
+ (void) ext_len;
+
+ *out_len = 0;
+
+ /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
+ * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
+ return ret;
+ }
+ p += ext_len;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if (uses_ec) {
+ if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
+ &ext_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
+ return ret;
+ }
+ p += ext_len;
+ }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
+ return ret;
+ }
+ p += ext_len;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
+ return ret;
+ }
+ p += ext_len;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end,
+ &ext_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
+ return ret;
+ }
+ p += ext_len;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
+ return ret;
+ }
+ p += ext_len;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
+ return ret;
+ }
+ p += ext_len;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
+ return ret;
+ }
+ p += ext_len;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
+ return ret;
+ }
+ p += ext_len;
+#endif
+
+ *out_len = (size_t) (p - buf);
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+ /* Check verify-data in constant-time. The length OTOH is no secret */
+ if (len != 1 + ssl->verify_data_len * 2 ||
+ buf[0] != ssl->verify_data_len * 2 ||
+ mbedtls_ct_memcmp(buf + 1,
+ ssl->own_verify_data, ssl->verify_data_len) != 0 ||
+ mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
+ ssl->peer_verify_data, ssl->verify_data_len) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+ } else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+ {
+ if (len != 1 || buf[0] != 0x00) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("non-zero length renegotiation info"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ /*
+ * server should use the extension only if we did,
+ * and if so the server's value should match ours (and len is always 1)
+ */
+ if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
+ len != 1 ||
+ buf[0] != ssl->conf->mfl_code) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("non-matching max fragment length extension"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ size_t peer_cid_len;
+
+ if ( /* CID extension only makes sense in DTLS */
+ ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+ /* The server must only send the CID extension if we have offered it. */
+ ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
+ return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+ }
+
+ if (len == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ peer_cid_len = *buf++;
+ len--;
+
+ if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ if (len != peer_cid_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
+ ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
+ memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
+ MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+ len != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("non-matching encrypt-then-MAC extension"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
+ return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+ }
+
+ ((void) buf);
+
+ ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+ len != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("non-matching extended master secret extension"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
+ return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+ }
+
+ ((void) buf);
+
+ ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
+ len != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("non-matching session ticket extension"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
+ return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+ }
+
+ ((void) buf);
+
+ ssl->handshake->new_session_ticket = 1;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ size_t list_size;
+ const unsigned char *p;
+
+ if (len == 0 || (size_t) (buf[0] + 1) != len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ list_size = buf[0];
+
+ p = buf + 1;
+ while (list_size > 0) {
+ if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+ p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
+ ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
+ p[0]);
+#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+ MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
+ return 0;
+ }
+
+ list_size--;
+ p++;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ssl->handshake->ciphersuite_info->key_exchange !=
+ MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
+ return 0;
+ }
+
+ /* If we got here, we no longer need our cached extension */
+ mbedtls_free(ssl->handshake->ecjpake_cache);
+ ssl->handshake->ecjpake_cache = NULL;
+ ssl->handshake->ecjpake_cache_len = 0;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((ret = mbedtls_psa_ecjpake_read_round(
+ &ssl->handshake->psa_pake_ctx, buf, len,
+ MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
+ psa_destroy_key(ssl->handshake->psa_pake_password);
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return ret;
+ }
+
+ return 0;
+#else
+ if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
+ buf, len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return ret;
+ }
+
+ return 0;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
+{
+ size_t list_len, name_len;
+ const char **p;
+
+ /* If we didn't send it, the server shouldn't send it */
+ if (ssl->conf->alpn_list == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
+ return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+ }
+
+ /*
+ * opaque ProtocolName<1..2^8-1>;
+ *
+ * struct {
+ * ProtocolName protocol_name_list<2..2^16-1>
+ * } ProtocolNameList;
+ *
+ * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
+ */
+
+ /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
+ if (len < 4) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ list_len = MBEDTLS_GET_UINT16_BE(buf, 0);
+ if (list_len != len - 2) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ name_len = buf[2];
+ if (name_len != list_len - 1) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* Check that the server chosen protocol was in our list and save it */
+ for (p = ssl->conf->alpn_list; *p != NULL; p++) {
+ if (name_len == strlen(*p) &&
+ memcmp(buf + 3, *p, name_len) == 0) {
+ ssl->alpn_chosen = *p;
+ return 0;
+ }
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
+ size_t i, mki_len = 0;
+ uint16_t server_protection_profile_value = 0;
+
+ /* If use_srtp is not configured, just ignore the extension */
+ if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+ (ssl->conf->dtls_srtp_profile_list == NULL) ||
+ (ssl->conf->dtls_srtp_profile_list_len == 0)) {
+ return 0;
+ }
+
+ /* RFC 5764 section 4.1.1
+ * uint8 SRTPProtectionProfile[2];
+ *
+ * struct {
+ * SRTPProtectionProfiles SRTPProtectionProfiles;
+ * opaque srtp_mki<0..255>;
+ * } UseSRTPData;
+
+ * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
+ *
+ */
+ if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
+ mki_len = ssl->dtls_srtp_info.mki_len;
+ }
+
+ /*
+ * Length is 5 + optional mki_value : one protection profile length (2 bytes)
+ * + protection profile (2 bytes)
+ * + mki_len(1 byte)
+ * and optional srtp_mki
+ */
+ if ((len < 5) || (len != (buf[4] + 5u))) {
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /*
+ * get the server protection profile
+ */
+
+ /*
+ * protection profile length must be 0x0002 as we must have only
+ * one protection profile in server Hello
+ */
+ if ((buf[0] != 0) || (buf[1] != 2)) {
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ server_protection_profile_value = (buf[2] << 8) | buf[3];
+ server_protection = mbedtls_ssl_check_srtp_profile_value(
+ server_protection_profile_value);
+ if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
+ mbedtls_ssl_get_srtp_profile_as_string(
+ server_protection)));
+ }
+
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
+
+ /*
+ * Check we have the server profile in our list
+ */
+ for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
+ if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
+ MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
+ mbedtls_ssl_get_srtp_profile_as_string(
+ server_protection)));
+ break;
+ }
+ }
+
+ /* If no match was found : server problem, it shall never answer with incompatible profile */
+ if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ /* If server does not use mki in its reply, make sure the client won't keep
+ * one as negotiated */
+ if (len == 5) {
+ ssl->dtls_srtp_info.mki_len = 0;
+ }
+
+ /*
+ * RFC5764:
+ * If the client detects a nonzero-length MKI in the server's response
+ * that is different than the one the client offered, then the client
+ * MUST abort the handshake and SHOULD send an invalid_parameter alert.
+ */
+ if (len > 5 && (buf[4] != mki_len ||
+ (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+#if defined(MBEDTLS_DEBUG_C)
+ if (len > 5) {
+ MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
+ ssl->dtls_srtp_info.mki_len);
+ }
+#endif
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+/*
+ * Parse HelloVerifyRequest. Only called after verifying the HS type.
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+ uint16_t dtls_legacy_version;
+
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ uint8_t cookie_len;
+#else
+ uint16_t cookie_len;
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
+
+ /* Check that there is enough room for:
+ * - 2 bytes of version
+ * - 1 byte of cookie_len
+ */
+ if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("incoming HelloVerifyRequest message is too short"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /*
+ * struct {
+ * ProtocolVersion server_version;
+ * opaque cookie<0..2^8-1>;
+ * } HelloVerifyRequest;
+ */
+ MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
+ dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ /*
+ * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff)
+ * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to
+ * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2)
+ */
+ if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
+
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
+
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ }
+
+ cookie_len = *p++;
+ if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("cookie length does not match incoming message size"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
+
+ mbedtls_free(ssl->handshake->cookie);
+
+ ssl->handshake->cookie = mbedtls_calloc(1, cookie_len);
+ if (ssl->handshake->cookie == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(ssl->handshake->cookie, p, cookie_len);
+ ssl->handshake->cookie_len = cookie_len;
+
+ /* Start over at ClientHello */
+ ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ ret = mbedtls_ssl_reset_checksum(ssl);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
+ return ret;
+ }
+
+ mbedtls_ssl_recv_flight_completed(ssl);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
+{
+ int ret, i;
+ size_t n;
+ size_t ext_len;
+ unsigned char *buf, *ext;
+ unsigned char comp;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ int renegotiation_info_seen = 0;
+#endif
+ int handshake_failure = 0;
+ const mbedtls_ssl_ciphersuite_t *suite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ /* No alert on a read error. */
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+
+ buf = ssl->in_msg;
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+ ssl->renego_records_seen++;
+
+ if (ssl->conf->renego_max_records >= 0 &&
+ ssl->renego_records_seen > ssl->conf->renego_max_records) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("renegotiation requested, but not honored by server"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("non-handshake message during renegotiation"));
+
+ ssl->keep_current_message = 1;
+ return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
+ }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
+ return ssl_parse_hello_verify_request(ssl);
+ } else {
+ /* We made it through the verification process */
+ mbedtls_free(ssl->handshake->cookie);
+ ssl->handshake->cookie = NULL;
+ ssl->handshake->cookie_len = 0;
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
+ buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /*
+ * 0 . 1 server_version
+ * 2 . 33 random (maybe including 4 bytes of Unix time)
+ * 34 . 34 session_id length = n
+ * 35 . 34+n session_id
+ * 35+n . 36+n cipher_suite
+ * 37+n . 37+n compression_method
+ *
+ * 38+n . 39+n extensions length (optional)
+ * 40+n . .. extensions
+ */
+ buf += mbedtls_ssl_hs_hdr_len(ssl);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2);
+ ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
+ ssl->conf->transport);
+ ssl->session_negotiate->tls_version = ssl->tls_version;
+ ssl->session_negotiate->endpoint = ssl->conf->endpoint;
+
+ if (ssl->tls_version < ssl->conf->min_tls_version ||
+ ssl->tls_version > ssl->conf->max_tls_version) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ (
+ "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
+ (unsigned) ssl->conf->min_tls_version,
+ (unsigned) ssl->tls_version,
+ (unsigned) ssl->conf->max_tls_version));
+
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
+
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
+ ((unsigned long) buf[2] << 24) |
+ ((unsigned long) buf[3] << 16) |
+ ((unsigned long) buf[4] << 8) |
+ ((unsigned long) buf[5])));
+
+ memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
+
+ n = buf[34];
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
+
+ if (n > 32) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
+ ext_len = MBEDTLS_GET_UINT16_BE(buf, 38 + n);
+
+ if ((ext_len > 0 && ext_len < 4) ||
+ ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
+ ext_len = 0;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* ciphersuite (used later) */
+ i = (int) MBEDTLS_GET_UINT16_BE(buf, n + 35);
+
+ /*
+ * Read and check compression
+ */
+ comp = buf[37 + n];
+
+ if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("server hello, bad compression: %d", comp));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ /*
+ * Initialize update checksum functions
+ */
+ ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
+ if (ssl->handshake->ciphersuite_info == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("ciphersuite info for %04x not found", (unsigned int) i));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
+
+ /*
+ * Check if the session can be resumed
+ */
+ if (ssl->handshake->resume == 0 || n == 0 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+ ssl->session_negotiate->ciphersuite != i ||
+ ssl->session_negotiate->id_len != n ||
+ memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
+ ssl->state++;
+ ssl->handshake->resume = 0;
+#if defined(MBEDTLS_HAVE_TIME)
+ ssl->session_negotiate->start = mbedtls_time(NULL);
+#endif
+ ssl->session_negotiate->ciphersuite = i;
+ ssl->session_negotiate->id_len = n;
+ memcpy(ssl->session_negotiate->id, buf + 35, n);
+ } else {
+ ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
+ ssl->handshake->resume ? "a" : "no"));
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
+ buf[37 + n]));
+
+ /*
+ * Perform cipher suite validation in same way as in ssl_write_client_hello.
+ */
+ i = 0;
+ while (1) {
+ if (ssl->conf->ciphersuite_list[i] == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ if (ssl->conf->ciphersuite_list[i++] ==
+ ssl->session_negotiate->ciphersuite) {
+ break;
+ }
+ }
+
+ suite_info = mbedtls_ssl_ciphersuite_from_id(
+ ssl->session_negotiate->ciphersuite);
+ if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version,
+ ssl->tls_version) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("server hello, chosen ciphersuite: %s", suite_info->name));
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
+ ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
+ ssl->handshake->ecrs_enabled = 1;
+ }
+#endif
+
+ if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ ext = buf + 40 + n;
+
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
+ ext_len));
+
+ while (ext_len) {
+ unsigned int ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
+ unsigned int ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
+
+ if (ext_size + 4 > ext_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ mbedtls_ssl_send_alert_message(
+ ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ switch (ext_id) {
+ case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ renegotiation_info_seen = 1;
+#endif
+
+ if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
+ ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("found max_fragment_length extension"));
+
+ if ((ret = ssl_parse_max_fragment_length_ext(ssl,
+ ext + 4, ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ case MBEDTLS_TLS_EXT_CID:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
+
+ if ((ret = ssl_parse_cid_ext(ssl,
+ ext + 4,
+ ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
+
+ if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
+ ext + 4, ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("found extended_master_secret extension"));
+
+ if ((ret = ssl_parse_extended_ms_ext(ssl,
+ ext + 4, ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ case MBEDTLS_TLS_EXT_SESSION_TICKET:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
+
+ if ((ret = ssl_parse_session_ticket_ext(ssl,
+ ext + 4, ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("found supported_point_formats extension"));
+
+ if ((ret = ssl_parse_supported_point_formats_ext(ssl,
+ ext + 4, ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
+
+ if ((ret = ssl_parse_ecjpake_kkpp(ssl,
+ ext + 4, ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+ case MBEDTLS_TLS_EXT_ALPN:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
+
+ if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ case MBEDTLS_TLS_EXT_USE_SRTP:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
+
+ if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+ default:
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("unknown extension found: %u (ignoring)", ext_id));
+ }
+
+ ext_len -= 4 + ext_size;
+ ext += 4 + ext_size;
+
+ if (ext_len > 0 && ext_len < 4) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ }
+
+ /*
+ * mbedtls_ssl_derive_keys() has to be called after the parsing of the
+ * extensions. It sets the transform data for the resumed session which in
+ * case of DTLS includes the server CID extracted from the CID extension.
+ */
+ if (ssl->handshake->resume) {
+ if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+ return ret;
+ }
+ }
+
+ /*
+ * Renegotiation security checks
+ */
+ if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+ ssl->conf->allow_legacy_renegotiation ==
+ MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("legacy renegotiation, breaking off handshake"));
+ handshake_failure = 1;
+ }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+ ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+ renegotiation_info_seen == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("renegotiation_info extension missing (secure)"));
+ handshake_failure = 1;
+ } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+ ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+ ssl->conf->allow_legacy_renegotiation ==
+ MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
+ handshake_failure = 1;
+ } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+ ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+ renegotiation_info_seen == 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("renegotiation_info extension present (legacy)"));
+ handshake_failure = 1;
+ }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+ if (handshake_failure == 1) {
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
+
+ return 0;
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
+ unsigned char **p,
+ unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ size_t dhm_actual_bitlen;
+
+ /*
+ * Ephemeral DH parameters:
+ *
+ * struct {
+ * opaque dh_p<1..2^16-1>;
+ * opaque dh_g<1..2^16-1>;
+ * opaque dh_Ys<1..2^16-1>;
+ * } ServerDHParams;
+ */
+ if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
+ p, end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
+ return ret;
+ }
+
+ dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
+ if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
+ dhm_actual_bitlen,
+ ssl->conf->dhm_min_bitlen));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
+
+ return ret;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
+ unsigned char **p,
+ unsigned char *end)
+{
+ uint16_t tls_id;
+ size_t ecpoint_len;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
+ size_t ec_bits = 0;
+
+ /*
+ * struct {
+ * ECParameters curve_params;
+ * ECPoint public;
+ * } ServerECDHParams;
+ *
+ * 1 curve_type (must be "named_curve")
+ * 2..3 NamedCurve
+ * 4 ECPoint.len
+ * 5+ ECPoint contents
+ */
+ if (end - *p < 4) {
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* First byte is curve_type; only named_curve is handled */
+ if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ /* Next two bytes are the namedcurve value */
+ tls_id = MBEDTLS_GET_UINT16_BE(*p, 0);
+ *p += 2;
+
+ /* Check it's a curve we offered */
+ if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("bad server key exchange message (ECDHE curve): %u",
+ (unsigned) tls_id));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ /* Convert EC's TLS ID to PSA key type. */
+ if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
+ &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+ handshake->xxdh_psa_type = key_type;
+ handshake->xxdh_psa_bits = ec_bits;
+
+ /* Keep a copy of the peer's public key */
+ ecpoint_len = *(*p)++;
+ if ((size_t) (end - *p) < ecpoint_len) {
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
+ handshake->xxdh_psa_peerkey_len = ecpoint_len;
+ *p += ecpoint_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#else
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
+{
+ uint16_t tls_id;
+ mbedtls_ecp_group_id grp_id;
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+ grp_id = ssl->handshake->ecdh_ctx.grp.id;
+#else
+ grp_id = ssl->handshake->ecdh_ctx.grp_id;
+#endif
+
+ tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
+ if (tls_id == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
+ mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
+
+ if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
+ return -1;
+ }
+
+ MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+ MBEDTLS_DEBUG_ECDH_QP);
+
+ return 0;
+}
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
+ unsigned char **p,
+ unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+ /*
+ * Ephemeral ECDH parameters:
+ *
+ * struct {
+ * ECParameters curve_params;
+ * ECPoint public;
+ * } ServerECDHParams;
+ */
+ if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
+ (const unsigned char **) p, end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+ }
+#endif
+ return ret;
+ }
+
+ if (ssl_check_server_ecdh_params(ssl) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("bad server key exchange message (ECDHE curve)"));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
+ unsigned char **p,
+ unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ uint16_t len;
+ ((void) ssl);
+
+ /*
+ * PSK parameters:
+ *
+ * opaque psk_identity_hint<0..2^16-1>;
+ */
+ if (end - (*p) < 2) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("bad server key exchange message (psk_identity_hint length)"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ len = MBEDTLS_GET_UINT16_BE(*p, 0);
+ *p += 2;
+
+ if (end - (*p) < len) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("bad server key exchange message (psk_identity_hint length)"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /*
+ * Note: we currently ignore the PSK identity hint, as we only allow one
+ * PSK to be provisioned on the client. This could be changed later if
+ * someone needs that feature.
+ */
+ *p += len;
+ ret = 0;
+
+ return ret;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+/*
+ * Generate a pre-master secret and encrypt it with the server's RSA key
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
+ size_t offset, size_t *olen,
+ size_t pms_offset)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len_bytes = 2;
+ unsigned char *p = ssl->handshake->premaster + pms_offset;
+ mbedtls_pk_context *peer_pk;
+
+ if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ /*
+ * Generate (part of) the pre-master as
+ * struct {
+ * ProtocolVersion client_version;
+ * opaque random[46];
+ * } PreMasterSecret;
+ */
+ mbedtls_ssl_write_version(p, ssl->conf->transport,
+ MBEDTLS_SSL_VERSION_TLS1_2);
+
+ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
+ return ret;
+ }
+
+ ssl->handshake->pmslen = 48;
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if (ssl->session_negotiate->peer_cert == NULL) {
+ /* Should never happen */
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+ /*
+ * Now write it out, encrypted
+ */
+ if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
+ return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
+ }
+
+ if ((ret = mbedtls_pk_encrypt(peer_pk,
+ p, ssl->handshake->pmslen,
+ ssl->out_msg + offset + len_bytes, olen,
+ MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
+ return ret;
+ }
+
+ if (len_bytes == 2) {
+ MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
+ *olen += 2;
+ }
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ /* We don't need the peer's public key anymore. Free it. */
+ mbedtls_pk_free(peer_pk);
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_pk_context *peer_pk;
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if (ssl->session_negotiate->peer_cert == NULL) {
+ /* Should never happen */
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+ /* This is a public key, so it can't be opaque, so can_do() is a good
+ * enough check to ensure pk_ec() is safe to use below. */
+ if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
+ return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
+ }
+
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
+#endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ uint16_t tls_id = 0;
+ psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk);
+
+ if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
+ return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+ }
+
+ tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
+ if (tls_id == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported",
+ grp_id));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ /* If the above conversion to TLS ID was fine, then also this one will be,
+ so there is no need to check the return value here */
+ mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
+ &ssl->handshake->xxdh_psa_bits);
+
+ ssl->handshake->xxdh_psa_type = key_type;
+
+ /* Store peer's public key in psa format. */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
+ ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
+ ret = 0;
+#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ size_t olen = 0;
+ ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
+ MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
+ ssl->handshake->xxdh_psa_peerkey,
+ sizeof(ssl->handshake->xxdh_psa_peerkey));
+
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
+ return ret;
+ }
+ ssl->handshake->xxdh_psa_peerkey_len = olen;
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+ if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
+ MBEDTLS_ECDH_THEIRS)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
+ return ret;
+ }
+
+ if (ssl_check_server_ecdh_params(ssl) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
+ return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ /* We don't need the peer's public key anymore. Free it,
+ * so that more RAM is available for upcoming expensive
+ * operations like ECDHE. */
+ mbedtls_pk_free(peer_pk);
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+ return ret;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+ unsigned char *p = NULL, *end = NULL;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
+ ssl->state++;
+ return 0;
+ }
+ ((void) p);
+ ((void) end);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
+ if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
+ ssl->state++;
+ return 0;
+ }
+ ((void) p);
+ ((void) end);
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled &&
+ ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
+ goto start_processing;
+ }
+#endif
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ /*
+ * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
+ * doesn't use a psk_identity_hint
+ */
+ if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+ /* Current message is probably either
+ * CertificateRequest or ServerHelloDone */
+ ssl->keep_current_message = 1;
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("server key exchange message must not be skipped"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled) {
+ ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
+ }
+
+start_processing:
+#endif
+ p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+ end = ssl->in_msg + ssl->in_hslen;
+ MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, (size_t) (end - p));
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+ if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ } /* FALLTHROUGH */
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+ ; /* nothing more to do */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
+ if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
+ if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ /*
+ * The first 3 bytes are:
+ * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
+ * [1, 2] elliptic curve's TLS ID
+ *
+ * However since we only support secp256r1 for now, we check only
+ * that TLS ID here
+ */
+ uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1);
+ uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
+ MBEDTLS_ECP_DP_SECP256R1);
+
+ if (exp_tls_id == 0) {
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) ||
+ (read_tls_id != exp_tls_id)) {
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ p += 3;
+
+ if ((ret = mbedtls_psa_ecjpake_read_round(
+ &ssl->handshake->psa_pake_ctx, p, end - p,
+ MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
+ psa_destroy_key(ssl->handshake->psa_pake_password);
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+#else
+ ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
+ p, end - p);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+ {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+ if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
+ size_t sig_len, hashlen;
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+ mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+ mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+ unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+ size_t params_len = (size_t) (p - params);
+ void *rs_ctx = NULL;
+ uint16_t sig_alg;
+
+ mbedtls_pk_context *peer_pk;
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if (ssl->session_negotiate->peer_cert == NULL) {
+ /* Should never happen */
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+ /*
+ * Handle the digitally-signed structure
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
+ if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
+ sig_alg, &pk_alg, &md_alg) != 0 &&
+ !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
+ !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("bad server key exchange message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+ p += 2;
+
+ if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("bad server key exchange message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ /*
+ * Read signature
+ */
+
+ if (p > end - 2) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ sig_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ if (p != end - sig_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
+
+ /*
+ * Compute the hash that has been signed
+ */
+ if (md_alg != MBEDTLS_MD_NONE) {
+ ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
+ params, params_len,
+ md_alg);
+ if (ret != 0) {
+ return ret;
+ }
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
+
+ /*
+ * Verify signature
+ */
+ if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
+ }
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled) {
+ rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+ }
+#endif
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
+ mbedtls_pk_rsassa_pss_options rsassa_pss_options;
+ rsassa_pss_options.mgf1_hash_id = md_alg;
+ rsassa_pss_options.expected_salt_len =
+ mbedtls_md_get_size_from_type(md_alg);
+ if (rsassa_pss_options.expected_salt_len == 0) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
+ peer_pk,
+ md_alg, hash, hashlen,
+ p, sig_len);
+ } else
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+ ret = mbedtls_pk_verify_restartable(peer_pk,
+ md_alg, hash, hashlen, p, sig_len, rs_ctx);
+
+ if (ret != 0) {
+ int send_alert_msg = 1;
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS);
+#endif
+ if (send_alert_msg) {
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
+ }
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+ }
+#endif
+ return ret;
+ }
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ /* We don't need the peer's public key anymore. Free it,
+ * so that more RAM is available for upcoming expensive
+ * operations like ECDHE. */
+ mbedtls_pk_free(peer_pk);
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+exit:
+ ssl->state++;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
+
+ if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
+ ssl->state++;
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+}
+#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf;
+ size_t n = 0;
+ size_t cert_type_len = 0, dn_len = 0;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+ size_t sig_alg_len;
+#if defined(MBEDTLS_DEBUG_C)
+ unsigned char *sig_alg;
+ unsigned char *dn;
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
+
+ if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
+ ssl->state++;
+ return 0;
+ }
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ ssl->state++;
+ ssl->handshake->client_auth =
+ (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
+ ssl->handshake->client_auth ? "a" : "no"));
+
+ if (ssl->handshake->client_auth == 0) {
+ /* Current message is probably the ServerHelloDone */
+ ssl->keep_current_message = 1;
+ goto exit;
+ }
+
+ /*
+ * struct {
+ * ClientCertificateType certificate_types<1..2^8-1>;
+ * SignatureAndHashAlgorithm
+ * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
+ * DistinguishedName certificate_authorities<0..2^16-1>;
+ * } CertificateRequest;
+ *
+ * Since we only support a single certificate on clients, let's just
+ * ignore all the information that's supposed to help us pick a
+ * certificate.
+ *
+ * We could check that our certificate matches the request, and bail out
+ * if it doesn't, but it's simpler to just send the certificate anyway,
+ * and give the server the opportunity to decide if it should terminate
+ * the connection when it doesn't like our certificate.
+ *
+ * Same goes for the hash in TLS 1.2's signature_algorithms: at this
+ * point we only have one hash available (see comments in
+ * write_certificate_verify), so let's just use what we have.
+ *
+ * However, we still minimally parse the message to check it is at least
+ * superficially sane.
+ */
+ buf = ssl->in_msg;
+
+ /* certificate_types */
+ if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
+ n = cert_type_len;
+
+ /*
+ * In the subsequent code there are two paths that read from buf:
+ * * the length of the signature algorithms field (if minor version of
+ * SSL is 3),
+ * * distinguished name length otherwise.
+ * Both reach at most the index:
+ * ...hdr_len + 2 + n,
+ * therefore the buffer length at this point must be greater than that
+ * regardless of the actual code path.
+ */
+ if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* supported_signature_algorithms */
+ sig_alg_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
+
+ /*
+ * The furthest access in buf is in the loop few lines below:
+ * sig_alg[i + 1],
+ * where:
+ * sig_alg = buf + ...hdr_len + 3 + n,
+ * max(i) = sig_alg_len - 1.
+ * Therefore the furthest access is:
+ * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
+ * which reduces to:
+ * buf[...hdr_len + 3 + n + sig_alg_len],
+ * which is one less than we need the buf to be.
+ */
+ if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+#if defined(MBEDTLS_DEBUG_C)
+ sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
+ for (size_t i = 0; i < sig_alg_len; i += 2) {
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("Supported Signature Algorithm found: %02x %02x",
+ sig_alg[i], sig_alg[i + 1]));
+ }
+#endif
+
+ n += 2 + sig_alg_len;
+
+ /* certificate_authorities */
+ dn_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
+
+ n += dn_len;
+ if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+#if defined(MBEDTLS_DEBUG_C)
+ dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len;
+ for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) {
+ unsigned char *p = dn + i + 2;
+ mbedtls_x509_name name;
+ size_t asn1_len;
+ char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
+ memset(&name, 0, sizeof(name));
+ dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0);
+ if (dni_len > dn_len - i - 2 ||
+ mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 ||
+ mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("DN hint: %.*s",
+ mbedtls_x509_dn_gets(s, sizeof(s), &name), s));
+ mbedtls_asn1_free_named_data_list_shallow(name.next);
+ }
+#endif
+
+exit:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
+
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
+ ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ mbedtls_ssl_recv_flight_completed(ssl);
+ }
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ size_t header_len;
+ size_t content_len;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
+ /*
+ * DHM key exchange -- send G^X mod P
+ */
+ content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
+
+ MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
+ header_len = 6;
+
+ ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
+ (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
+ &ssl->out_msg[header_len], content_len,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
+
+ if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
+ ssl->handshake->premaster,
+ MBEDTLS_PREMASTER_SIZE,
+ &ssl->handshake->pmslen,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t key_attributes;
+
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ header_len = 4;
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
+
+ /*
+ * Generate EC private key for ECDHE exchange.
+ */
+
+ /* The master secret is obtained from the shared ECDH secret by
+ * applying the TLS 1.2 PRF with a specific salt and label. While
+ * the PSA Crypto API encourages combining key agreement schemes
+ * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
+ * yet support the provisioning of salt + label to the KDF.
+ * For the time being, we therefore need to split the computation
+ * of the ECDH secret and the application of the TLS 1.2 PRF. */
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
+ psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
+ psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
+
+ /* Generate ECDH private key. */
+ status = psa_generate_key(&key_attributes,
+ &handshake->xxdh_psa_privkey);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ /* Export the public part of the ECDH private key from PSA.
+ * The export format is an ECPoint structure as expected by TLS,
+ * but we just need to add a length byte before that. */
+ unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
+ unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+ size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
+ size_t own_pubkey_len;
+
+ status = psa_export_public_key(handshake->xxdh_psa_privkey,
+ own_pubkey, own_pubkey_max_len,
+ &own_pubkey_len);
+ if (status != PSA_SUCCESS) {
+ psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+
+ ssl->out_msg[header_len] = (unsigned char) own_pubkey_len;
+ content_len = own_pubkey_len + 1;
+
+ /* The ECDH secret is the premaster secret used for key derivation. */
+
+ /* Compute ECDH shared secret. */
+ status = psa_raw_key_agreement(PSA_ALG_ECDH,
+ handshake->xxdh_psa_privkey,
+ handshake->xxdh_psa_peerkey,
+ handshake->xxdh_psa_peerkey_len,
+ ssl->handshake->premaster,
+ sizeof(ssl->handshake->premaster),
+ &ssl->handshake->pmslen);
+
+ destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+
+ if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
+ }
+#else
+ /*
+ * ECDH key exchange -- send client public value
+ */
+ header_len = 4;
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled) {
+ if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
+ goto ecdh_calc_secret;
+ }
+
+ mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
+ }
+#endif
+
+ ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
+ &content_len,
+ &ssl->out_msg[header_len], 1000,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+ }
+#endif
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+ MBEDTLS_DEBUG_ECDH_Q);
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled) {
+ ssl->handshake->ecrs_n = content_len;
+ ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
+ }
+
+ecdh_calc_secret:
+ if (ssl->handshake->ecrs_enabled) {
+ content_len = ssl->handshake->ecrs_n;
+ }
+#endif
+ if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
+ &ssl->handshake->pmslen,
+ ssl->handshake->premaster,
+ MBEDTLS_MPI_MAX_SIZE,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+ }
+#endif
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+ MBEDTLS_DEBUG_ECDH_Z);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_attributes_t key_attributes;
+
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /*
+ * opaque psk_identity<0..2^16-1>;
+ */
+ if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
+ /* We don't offer PSK suites if we don't have a PSK,
+ * and we check that the server's choice is among the
+ * ciphersuites we offered, so this should never happen. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* uint16 to store content length */
+ const size_t content_len_size = 2;
+
+ header_len = 4;
+
+ if (header_len + content_len_size + ssl->conf->psk_identity_len
+ > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("psk identity too long or SSL buffer too short"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ unsigned char *p = ssl->out_msg + header_len;
+
+ *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len);
+ *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len);
+ header_len += content_len_size;
+
+ memcpy(p, ssl->conf->psk_identity,
+ ssl->conf->psk_identity_len);
+ p += ssl->conf->psk_identity_len;
+
+ header_len += ssl->conf->psk_identity_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
+
+ /*
+ * Generate EC private key for ECDHE exchange.
+ */
+
+ /* The master secret is obtained from the shared ECDH secret by
+ * applying the TLS 1.2 PRF with a specific salt and label. While
+ * the PSA Crypto API encourages combining key agreement schemes
+ * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
+ * yet support the provisioning of salt + label to the KDF.
+ * For the time being, we therefore need to split the computation
+ * of the ECDH secret and the application of the TLS 1.2 PRF. */
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
+ psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
+ psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
+
+ /* Generate ECDH private key. */
+ status = psa_generate_key(&key_attributes,
+ &handshake->xxdh_psa_privkey);
+ if (status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ /* Export the public part of the ECDH private key from PSA.
+ * The export format is an ECPoint structure as expected by TLS,
+ * but we just need to add a length byte before that. */
+ unsigned char *own_pubkey = p + 1;
+ unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+ size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
+ size_t own_pubkey_len = 0;
+
+ status = psa_export_public_key(handshake->xxdh_psa_privkey,
+ own_pubkey, own_pubkey_max_len,
+ &own_pubkey_len);
+ if (status != PSA_SUCCESS) {
+ psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ *p = (unsigned char) own_pubkey_len;
+ content_len = own_pubkey_len + 1;
+
+ /* As RFC 5489 section 2, the premaster secret is formed as follows:
+ * - a uint16 containing the length (in octets) of the ECDH computation
+ * - the octet string produced by the ECDH computation
+ * - a uint16 containing the length (in octets) of the PSK
+ * - the PSK itself
+ */
+ unsigned char *pms = ssl->handshake->premaster;
+ const unsigned char * const pms_end = pms +
+ sizeof(ssl->handshake->premaster);
+ /* uint16 to store length (in octets) of the ECDH computation */
+ const size_t zlen_size = 2;
+ size_t zlen = 0;
+
+ /* Perform ECDH computation after the uint16 reserved for the length */
+ status = psa_raw_key_agreement(PSA_ALG_ECDH,
+ handshake->xxdh_psa_privkey,
+ handshake->xxdh_psa_peerkey,
+ handshake->xxdh_psa_peerkey_len,
+ pms + zlen_size,
+ pms_end - (pms + zlen_size),
+ &zlen);
+
+ destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+
+ if (status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ } else if (destruction_status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(destruction_status);
+ }
+
+ /* Write the ECDH computation length before the ECDH computation */
+ MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
+ pms += zlen_size + zlen;
+ } else
+#endif /* MBEDTLS_USE_PSA_CRYPTO &&
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
+ /*
+ * opaque psk_identity<0..2^16-1>;
+ */
+ if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
+ /* We don't offer PSK suites if we don't have a PSK,
+ * and we check that the server's choice is among the
+ * ciphersuites we offered, so this should never happen. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ header_len = 4;
+ content_len = ssl->conf->psk_identity_len;
+
+ if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("psk identity too long or SSL buffer too short"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
+ ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
+
+ memcpy(ssl->out_msg + header_len,
+ ssl->conf->psk_identity,
+ ssl->conf->psk_identity_len);
+ header_len += ssl->conf->psk_identity_len;
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
+ content_len = 0;
+ } else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+ if ((ret = ssl_write_encrypted_pms(ssl, header_len,
+ &content_len, 2)) != 0) {
+ return ret;
+ }
+ } else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
+ /*
+ * ClientDiffieHellmanPublic public (DHM send G^X mod P)
+ */
+ content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
+
+ if (header_len + 2 + content_len >
+ MBEDTLS_SSL_OUT_CONTENT_LEN) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("psk identity or DHM size too long or SSL buffer too short"));
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
+ ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
+
+ ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
+ (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
+ &ssl->out_msg[header_len], content_len,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
+ return ret;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char *pms = ssl->handshake->premaster;
+ unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
+ size_t pms_len;
+
+ /* Write length only when we know the actual value */
+ if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
+ pms + 2, pms_end - (pms + 2), &pms_len,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
+ return ret;
+ }
+ MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
+ pms += 2 + pms_len;
+
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
+#endif
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+ /*
+ * ClientECDiffieHellmanPublic public;
+ */
+ ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
+ &content_len,
+ &ssl->out_msg[header_len],
+ MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+ MBEDTLS_DEBUG_ECDH_Q);
+ } else
+#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+ {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+ (mbedtls_key_exchange_type_t) ciphersuite_info->
+ key_exchange)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "mbedtls_ssl_psk_derive_premaster", ret);
+ return ret;
+ }
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
+ header_len = 4;
+ if ((ret = ssl_write_encrypted_pms(ssl, header_len,
+ &content_len, 0)) != 0) {
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+ header_len = 4;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char *out_p = ssl->out_msg + header_len;
+ unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
+ header_len;
+ ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
+ out_p, end_p - out_p, &content_len,
+ MBEDTLS_ECJPAKE_ROUND_TWO);
+ if (ret != 0) {
+ psa_destroy_key(ssl->handshake->psa_pake_password);
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
+ return ret;
+ }
+#else
+ ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
+ ssl->out_msg + header_len,
+ MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
+ &content_len,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
+ return ret;
+ }
+
+ ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
+ ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+ {
+ ((void) ciphersuite_info);
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ ssl->out_msglen = header_len + content_len;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
+
+ ssl->state++;
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
+
+ if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+ return ret;
+ }
+
+ if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
+ ssl->state++;
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+}
+#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+ size_t n = 0, offset = 0;
+ unsigned char hash[48];
+ unsigned char *hash_start = hash;
+ mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+ size_t hashlen;
+ void *rs_ctx = NULL;
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
+#else
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled &&
+ ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
+ goto sign;
+ }
+#endif
+
+ if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+ return ret;
+ }
+
+ if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
+ ssl->state++;
+ return 0;
+ }
+
+ if (ssl->handshake->client_auth == 0 ||
+ mbedtls_ssl_own_cert(ssl) == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
+ ssl->state++;
+ return 0;
+ }
+
+ if (mbedtls_ssl_own_key(ssl) == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
+ return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
+ }
+
+ /*
+ * Make a signature of the handshake digests
+ */
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled) {
+ ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
+ }
+
+sign:
+#endif
+
+ ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
+ return ret;
+ }
+
+ /*
+ * digitally-signed struct {
+ * opaque handshake_messages[handshake_messages_length];
+ * };
+ *
+ * Taking shortcut here. We assume that the server always allows the
+ * PRF Hash function and has sent it in the allowed signature
+ * algorithms list received in the Certificate Request message.
+ *
+ * Until we encounter a server that does not, we will take this
+ * shortcut.
+ *
+ * Reason: Otherwise we should have running hashes for SHA512 and
+ * SHA224 in order to satisfy 'weird' needs from the server
+ * side.
+ */
+ if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
+ md_alg = MBEDTLS_MD_SHA384;
+ ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
+ } else {
+ md_alg = MBEDTLS_MD_SHA256;
+ ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
+ }
+ ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
+
+ /* Info from md_alg will be used instead */
+ hashlen = 0;
+ offset = 2;
+
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ssl->handshake->ecrs_enabled) {
+ rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+ }
+#endif
+
+ if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
+ md_alg, hash_start, hashlen,
+ ssl->out_msg + 6 + offset,
+ out_buf_len - 6 - offset,
+ &n,
+ ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
+#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
+ if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+ }
+#endif
+ return ret;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
+
+ ssl->out_msglen = 6 + n + offset;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
+
+ ssl->state++;
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
+
+ return ret;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t lifetime;
+ size_t ticket_len;
+ unsigned char *ticket;
+ const unsigned char *msg;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ /*
+ * struct {
+ * uint32 ticket_lifetime_hint;
+ * opaque ticket<0..2^16-1>;
+ * } NewSessionTicket;
+ *
+ * 0 . 3 ticket_lifetime_hint
+ * 4 . 5 ticket_len (n)
+ * 6 . 5+n ticket content
+ */
+ if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
+ ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+
+ lifetime = MBEDTLS_GET_UINT32_BE(msg, 0);
+
+ ticket_len = MBEDTLS_GET_UINT16_BE(msg, 4);
+
+ if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
+
+ /* We're not waiting for a NewSessionTicket message any more */
+ ssl->handshake->new_session_ticket = 0;
+ ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+ /*
+ * Zero-length ticket means the server changed his mind and doesn't want
+ * to send a ticket after all, so just forget it
+ */
+ if (ticket_len == 0) {
+ return 0;
+ }
+
+ if (ssl->session != NULL && ssl->session->ticket != NULL) {
+ mbedtls_zeroize_and_free(ssl->session->ticket,
+ ssl->session->ticket_len);
+ ssl->session->ticket = NULL;
+ ssl->session->ticket_len = 0;
+ }
+
+ mbedtls_zeroize_and_free(ssl->session_negotiate->ticket,
+ ssl->session_negotiate->ticket_len);
+ ssl->session_negotiate->ticket = NULL;
+ ssl->session_negotiate->ticket_len = 0;
+
+ if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(ticket, msg + 6, ticket_len);
+
+ ssl->session_negotiate->ticket = ticket;
+ ssl->session_negotiate->ticket_len = ticket_len;
+ ssl->session_negotiate->ticket_lifetime = lifetime;
+
+ /*
+ * RFC 5077 section 3.4:
+ * "If the client receives a session ticket from the server, then it
+ * discards any Session ID that was sent in the ServerHello."
+ */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
+ ssl->session_negotiate->id_len = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- client side -- single step
+ */
+int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+
+ /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
+ * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
+ ssl->handshake->new_session_ticket != 0) {
+ ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
+ }
+#endif
+
+ switch (ssl->state) {
+ case MBEDTLS_SSL_HELLO_REQUEST:
+ ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ break;
+
+ /*
+ * ==> ClientHello
+ */
+ case MBEDTLS_SSL_CLIENT_HELLO:
+ ret = mbedtls_ssl_write_client_hello(ssl);
+ break;
+
+ /*
+ * <== ServerHello
+ * Certificate
+ * ( ServerKeyExchange )
+ * ( CertificateRequest )
+ * ServerHelloDone
+ */
+ case MBEDTLS_SSL_SERVER_HELLO:
+ ret = ssl_parse_server_hello(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_CERTIFICATE:
+ ret = mbedtls_ssl_parse_certificate(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+ ret = ssl_parse_server_key_exchange(ssl);
+ break;
+
+ case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+ ret = ssl_parse_certificate_request(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_HELLO_DONE:
+ ret = ssl_parse_server_hello_done(ssl);
+ break;
+
+ /*
+ * ==> ( Certificate/Alert )
+ * ClientKeyExchange
+ * ( CertificateVerify )
+ * ChangeCipherSpec
+ * Finished
+ */
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+ ret = mbedtls_ssl_write_certificate(ssl);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+ ret = ssl_write_client_key_exchange(ssl);
+ break;
+
+ case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+ ret = ssl_write_certificate_verify(ssl);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+ ret = mbedtls_ssl_write_change_cipher_spec(ssl);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_FINISHED:
+ ret = mbedtls_ssl_write_finished(ssl);
+ break;
+
+ /*
+ * <== ( NewSessionTicket )
+ * ChangeCipherSpec
+ * Finished
+ */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ case MBEDTLS_SSL_NEW_SESSION_TICKET:
+ ret = ssl_parse_new_session_ticket(ssl);
+ break;
+#endif
+
+ case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+ ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_FINISHED:
+ ret = mbedtls_ssl_parse_finished(ssl);
+ break;
+
+ case MBEDTLS_SSL_FLUSH_BUFFERS:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ break;
+
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+ mbedtls_ssl_handshake_wrapup(ssl);
+ break;
+
+ default:
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
new file mode 100644
index 0000000..b49a8ae
--- /dev/null
+++ b/library/ssl_tls12_server.c
@@ -0,0 +1,4432 @@
+/*
+ * TLS server-side functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/ssl.h"
+#include "ssl_misc.h"
+#include "debug_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform_util.h"
+#include "constant_time_internal.h"
+#include "mbedtls/constant_time.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
+ const unsigned char *info,
+ size_t ilen)
+{
+ if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ mbedtls_free(ssl->cli_id);
+
+ if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(ssl->cli_id, info, ilen);
+ ssl->cli_id_len = ilen;
+
+ return 0;
+}
+
+void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
+ mbedtls_ssl_cookie_write_t *f_cookie_write,
+ mbedtls_ssl_cookie_check_t *f_cookie_check,
+ void *p_cookie)
+{
+ conf->f_cookie_write = f_cookie_write;
+ conf->f_cookie_check = f_cookie_check;
+ conf->p_cookie = p_cookie;
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
+{
+ if (conf->f_psk != NULL) {
+ return 1;
+ }
+
+ if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
+ return 0;
+ }
+
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
+ return 1;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (conf->psk != NULL && conf->psk_len != 0) {
+ return 1;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+ /* Check verify-data in constant-time. The length OTOH is no secret */
+ if (len != 1 + ssl->verify_data_len ||
+ buf[0] != ssl->verify_data_len ||
+ mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
+ ssl->verify_data_len) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+ } else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+ {
+ if (len != 1 || buf[0] != 0x0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+/*
+ * Function for parsing a supported groups (TLS 1.3) or supported elliptic
+ * curves (TLS 1.2) extension.
+ *
+ * The "extension_data" field of a supported groups extension contains a
+ * "NamedGroupList" value (TLS 1.3 RFC8446):
+ * enum {
+ * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
+ * x25519(0x001D), x448(0x001E),
+ * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
+ * ffdhe6144(0x0103), ffdhe8192(0x0104),
+ * ffdhe_private_use(0x01FC..0x01FF),
+ * ecdhe_private_use(0xFE00..0xFEFF),
+ * (0xFFFF)
+ * } NamedGroup;
+ * struct {
+ * NamedGroup named_group_list<2..2^16-1>;
+ * } NamedGroupList;
+ *
+ * The "extension_data" field of a supported elliptic curves extension contains
+ * a "NamedCurveList" value (TLS 1.2 RFC 8422):
+ * enum {
+ * deprecated(1..22),
+ * secp256r1 (23), secp384r1 (24), secp521r1 (25),
+ * x25519(29), x448(30),
+ * reserved (0xFE00..0xFEFF),
+ * deprecated(0xFF01..0xFF02),
+ * (0xFFFF)
+ * } NamedCurve;
+ * struct {
+ * NamedCurve named_curve_list<2..2^16-1>
+ * } NamedCurveList;
+ *
+ * The TLS 1.3 supported groups extension was defined to be a compatible
+ * generalization of the TLS 1.2 supported elliptic curves extension. They both
+ * share the same extension identifier.
+ *
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ size_t list_size, our_size;
+ const unsigned char *p;
+ uint16_t *curves_tls_id;
+
+ if (len < 2) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
+ if (list_size + 2 != len ||
+ list_size % 2 != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* Should never happen unless client duplicates the extension */
+ if (ssl->handshake->curves_tls_id != NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ /* Don't allow our peer to make us allocate too much memory,
+ * and leave room for a final 0 */
+ our_size = list_size / 2 + 1;
+ if (our_size > MBEDTLS_ECP_DP_MAX) {
+ our_size = MBEDTLS_ECP_DP_MAX;
+ }
+
+ if ((curves_tls_id = mbedtls_calloc(our_size,
+ sizeof(*curves_tls_id))) == NULL) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ ssl->handshake->curves_tls_id = curves_tls_id;
+
+ p = buf + 2;
+ while (list_size > 0 && our_size > 1) {
+ uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
+
+ if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
+ MBEDTLS_ECP_DP_NONE) {
+ *curves_tls_id++ = curr_tls_id;
+ our_size--;
+ }
+
+ list_size -= 2;
+ p += 2;
+ }
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ size_t list_size;
+ const unsigned char *p;
+
+ if (len == 0 || (size_t) (buf[0] + 1) != len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ list_size = buf[0];
+
+ p = buf + 1;
+ while (list_size > 0) {
+ if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+ p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
+ ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
+#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
+ p[0]);
+#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+ MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
+ return 0;
+ }
+
+ list_size--;
+ p++;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (ssl->handshake->psa_pake_ctx_is_ok != 1)
+#else
+ if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
+ return 0;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((ret = mbedtls_psa_ecjpake_read_round(
+ &ssl->handshake->psa_pake_ctx, buf, len,
+ MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
+ psa_destroy_key(ssl->handshake->psa_pake_password);
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+
+ return ret;
+ }
+#else
+ if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
+ buf, len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /* Only mark the extension as OK when we're sure it is */
+ ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
+
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ ssl->session_negotiate->mfl_code = buf[0];
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ size_t peer_cid_len;
+
+ /* CID extension only makes sense in DTLS */
+ if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ /*
+ * struct {
+ * opaque cid<0..2^8-1>;
+ * } ConnectionId;
+ */
+
+ if (len < 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ peer_cid_len = *buf++;
+ len--;
+
+ if (len != peer_cid_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* Ignore CID if the user has disabled its use. */
+ if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
+ /* Leave ssl->handshake->cid_in_use in its default
+ * value of MBEDTLS_SSL_CID_DISABLED. */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
+ return 0;
+ }
+
+ if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
+ ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
+ memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
+ MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ if (len != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ ((void) buf);
+
+ if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
+ ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ if (len != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ ((void) buf);
+
+ if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
+ ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_session session;
+
+ mbedtls_ssl_session_init(&session);
+
+ if (ssl->conf->f_ticket_parse == NULL ||
+ ssl->conf->f_ticket_write == NULL) {
+ return 0;
+ }
+
+ /* Remember the client asked us to send a new ticket */
+ ssl->handshake->new_session_ticket = 1;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
+
+ if (len == 0) {
+ return 0;
+ }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
+ return 0;
+ }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+ /*
+ * Failures are ok: just ignore the ticket and proceed.
+ */
+ if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
+ buf, len)) != 0) {
+ mbedtls_ssl_session_free(&session);
+
+ if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
+ } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
+ } else {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
+ }
+
+ return 0;
+ }
+
+ /*
+ * Keep the session ID sent by the client, since we MUST send it back to
+ * inform them we're accepting the ticket (RFC 5077 section 3.4)
+ */
+ session.id_len = ssl->session_negotiate->id_len;
+ memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
+
+ mbedtls_ssl_session_free(ssl->session_negotiate);
+ memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
+
+ /* Zeroize instead of free as we copied the content */
+ mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
+
+ ssl->handshake->resume = 1;
+
+ /* Don't send a new ticket after all, this one is OK */
+ ssl->handshake->new_session_ticket = 0;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len)
+{
+ mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
+ size_t i, j;
+ size_t profile_length;
+ uint16_t mki_length;
+ /*! 2 bytes for profile length and 1 byte for mki len */
+ const size_t size_of_lengths = 3;
+
+ /* If use_srtp is not configured, just ignore the extension */
+ if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+ (ssl->conf->dtls_srtp_profile_list == NULL) ||
+ (ssl->conf->dtls_srtp_profile_list_len == 0)) {
+ return 0;
+ }
+
+ /* RFC5764 section 4.1.1
+ * uint8 SRTPProtectionProfile[2];
+ *
+ * struct {
+ * SRTPProtectionProfiles SRTPProtectionProfiles;
+ * opaque srtp_mki<0..255>;
+ * } UseSRTPData;
+
+ * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
+ */
+
+ /*
+ * Min length is 5: at least one protection profile(2 bytes)
+ * and length(2 bytes) + srtp_mki length(1 byte)
+ * Check here that we have at least 2 bytes of protection profiles length
+ * and one of srtp_mki length
+ */
+ if (len < size_of_lengths) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
+
+ /* first 2 bytes are protection profile length(in bytes) */
+ profile_length = (buf[0] << 8) | buf[1];
+ buf += 2;
+
+ /* The profile length cannot be bigger than input buffer size - lengths fields */
+ if (profile_length > len - size_of_lengths ||
+ profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ /*
+ * parse the extension list values are defined in
+ * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
+ */
+ for (j = 0; j < profile_length; j += 2) {
+ uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
+ client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
+
+ if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
+ mbedtls_ssl_get_srtp_profile_as_string(
+ client_protection)));
+ } else {
+ continue;
+ }
+ /* check if suggested profile is in our list */
+ for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
+ if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
+ MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
+ mbedtls_ssl_get_srtp_profile_as_string(
+ client_protection)));
+ break;
+ }
+ }
+ if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
+ break;
+ }
+ }
+ buf += profile_length; /* buf points to the mki length */
+ mki_length = *buf;
+ buf++;
+
+ if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
+ mki_length + profile_length + size_of_lengths != len) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* Parse the mki only if present and mki is supported locally */
+ if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
+ mki_length > 0) {
+ ssl->dtls_srtp_info.mki_len = mki_length;
+
+ memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
+ ssl->dtls_srtp_info.mki_len);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+/*
+ * Auxiliary functions for ServerHello parsing and related actions
+ */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
+ */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_check_key_curve(mbedtls_pk_context *pk,
+ uint16_t *curves_tls_id)
+{
+ uint16_t *curr_tls_id = curves_tls_id;
+ mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
+ mbedtls_ecp_group_id curr_grp_id;
+
+ while (*curr_tls_id != 0) {
+ curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
+ if (curr_grp_id == grp_id) {
+ return 0;
+ }
+ curr_tls_id++;
+ }
+
+ return -1;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
+
+/*
+ * Try picking a certificate for this ciphersuite,
+ * return 0 on success and -1 on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_pick_cert(mbedtls_ssl_context *ssl,
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
+{
+ mbedtls_ssl_key_cert *cur, *list;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm_t pk_alg =
+ mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
+ psa_key_usage_t pk_usage =
+ mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
+#else
+ mbedtls_pk_type_t pk_alg =
+ mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ uint32_t flags;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->sni_key_cert != NULL) {
+ list = ssl->handshake->sni_key_cert;
+ } else
+#endif
+ list = ssl->conf->key_cert;
+
+ int pk_alg_is_none = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
+#else
+ pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if (pk_alg_is_none) {
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
+
+ if (list == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
+ return -1;
+ }
+
+ for (cur = list; cur != NULL; cur = cur->next) {
+ flags = 0;
+ MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
+ cur->cert);
+
+ int key_type_matches = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
+ ssl->conf->f_async_decrypt_start != NULL ||
+ mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
+ mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
+#else
+ key_type_matches = (
+ mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#else
+ key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ if (!key_type_matches) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
+ continue;
+ }
+
+ /*
+ * This avoids sending the client a cert it'll reject based on
+ * keyUsage or other extensions.
+ *
+ * It also allows the user to provision different certificates for
+ * different uses based on keyUsage, eg if they want to avoid signing
+ * and decrypting with the same RSA key.
+ */
+ if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
+ MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
+ "(extended) key usage extension"));
+ continue;
+ }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ if (pk_alg == MBEDTLS_PK_ECDSA &&
+ ssl_check_key_curve(&cur->cert->pk,
+ ssl->handshake->curves_tls_id) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
+ continue;
+ }
+#endif
+
+ /* If we get there, we got a winner */
+ break;
+ }
+
+ /* Do not update ssl->handshake->key_cert unless there is a match */
+ if (cur != NULL) {
+ ssl->handshake->key_cert = cur;
+ MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
+ ssl->handshake->key_cert->cert);
+ return 0;
+ }
+
+ return -1;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/*
+ * Check if a given ciphersuite is suitable for use with our config/keys/etc
+ * Sets ciphersuite_info only if the suite matches.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
+ const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
+{
+ const mbedtls_ssl_ciphersuite_t *suite_info;
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+ mbedtls_pk_type_t sig_type;
+#endif
+
+ suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
+ if (suite_info == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
+ (unsigned int) suite_id, suite_info->name));
+
+ if (suite_info->min_tls_version > ssl->tls_version ||
+ suite_info->max_tls_version < ssl->tls_version) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
+ return 0;
+ }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+ (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
+ "not configured or ext missing"));
+ return 0;
+ }
+#endif
+
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
+ (ssl->handshake->curves_tls_id == NULL ||
+ ssl->handshake->curves_tls_id[0] == 0)) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
+ "no common elliptic curve"));
+ return 0;
+ }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ /* If the ciphersuite requires a pre-shared key and we don't
+ * have one, skip it now rather than failing later */
+ if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
+ ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
+ return 0;
+ }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ /*
+ * Final check: if ciphersuite requires us to have a
+ * certificate/key of a particular type:
+ * - select the appropriate certificate if we have one, or
+ * - try the next ciphersuite if we don't
+ * This must be done last since we modify the key_cert list.
+ */
+ if (ssl_pick_cert(ssl, suite_info) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
+ "no suitable certificate"));
+ return 0;
+ }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+ /* If the ciphersuite requires signing, check whether
+ * a suitable hash algorithm is present. */
+ sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
+ if (sig_type != MBEDTLS_PK_NONE &&
+ mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
+ "for signature algorithm %u", (unsigned) sig_type));
+ return 0;
+ }
+
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+ *ciphersuite_info = suite_info;
+ return 0;
+}
+
+/* This function doesn't alert on errors that happen early during
+ ClientHello parsing because they might indicate that the client is
+ not talking SSL/TLS at all and would not understand our alert. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
+{
+ int ret, got_common_suite;
+ size_t i, j;
+ size_t ciph_offset, comp_offset, ext_offset;
+ size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ size_t cookie_offset, cookie_len;
+#endif
+ unsigned char *buf, *p, *ext;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ int renegotiation_info_seen = 0;
+#endif
+ int handshake_failure = 0;
+ const int *ciphersuites;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+
+ /* If there is no signature-algorithm extension present,
+ * we need to fall back to the default values for allowed
+ * signature-hash pairs. */
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+ int sig_hash_alg_ext_present = 0;
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
+
+ int renegotiating;
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+read_record_header:
+#endif
+ /*
+ * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
+ * otherwise read it ourselves manually in order to support SSLv2
+ * ClientHello, which doesn't use the same record layer format.
+ * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
+ * ClientHello has been already fully fetched by the TLS 1.3 code and the
+ * flag ssl->keep_current_message is raised.
+ */
+ renegotiating = 0;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
+#endif
+ if (!renegotiating && !ssl->keep_current_message) {
+ if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
+ /* No alert on a read error. */
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
+ return ret;
+ }
+ }
+
+ buf = ssl->in_hdr;
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
+
+ /*
+ * TLS Client Hello
+ *
+ * Record layer:
+ * 0 . 0 message type
+ * 1 . 2 protocol version
+ * 3 . 11 DTLS: epoch + record sequence number
+ * 3 . 4 message length
+ */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
+ buf[0]));
+
+ if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
+ MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
+ buf[1], buf[2]));
+
+ /* For DTLS if this is the initial handshake, remember the client sequence
+ * number to use it in our next message (RFC 6347 4.2.1) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+ ) {
+ /* Epoch should be 0 for initial handshakes */
+ if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
+ sizeof(ssl->cur_out_ctr) - 2);
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+ if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
+ ssl->next_record_offset = 0;
+ ssl->in_left = 0;
+ goto read_record_header;
+ }
+
+ /* No MAC to check yet, so we can update right now */
+ mbedtls_ssl_dtls_replay_update(ssl);
+#endif
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+ /* Set by mbedtls_ssl_read_record() */
+ msg_len = ssl->in_hslen;
+ } else
+#endif
+ {
+ if (ssl->keep_current_message) {
+ ssl->keep_current_message = 0;
+ } else {
+ if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ if ((ret = mbedtls_ssl_fetch_input(ssl,
+ mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
+ return ret;
+ }
+
+ /* Done reading this record, get ready for the next one */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
+ } else
+#endif
+ ssl->in_left = 0;
+ }
+ }
+
+ buf = ssl->in_msg;
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
+
+ ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
+
+ /*
+ * Handshake layer:
+ * 0 . 0 handshake type
+ * 1 . 3 handshake length
+ * 4 . 5 DTLS only: message sequence number
+ * 6 . 8 DTLS only: fragment offset
+ * 9 . 11 DTLS only: fragment length
+ */
+ if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
+
+ if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+ {
+ size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
+ (unsigned) handshake_len));
+
+ /* The record layer has a record size limit of 2^14 - 1 and
+ * fragmentation is not supported, so buf[1] should be zero. */
+ if (buf[1] != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
+ (unsigned) buf[1]));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* We don't support fragmentation of ClientHello (yet?) */
+ if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
+ (unsigned) msg_len,
+ (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
+ (unsigned) handshake_len));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ /*
+ * Copy the client's handshake message_seq on initial handshakes,
+ * check sequence number on renego.
+ */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+ /* This couldn't be done in ssl_prepare_handshake_record() */
+ unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
+ if (cli_msg_seq != ssl->handshake->in_msg_seq) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
+ "%u (expected %u)", cli_msg_seq,
+ ssl->handshake->in_msg_seq));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ ssl->handshake->in_msg_seq++;
+ } else
+#endif
+ {
+ unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
+ ssl->handshake->out_msg_seq = cli_msg_seq;
+ ssl->handshake->in_msg_seq = cli_msg_seq + 1;
+ }
+ {
+ /*
+ * For now we don't support fragmentation, so make sure
+ * fragment_offset == 0 and fragment_length == length
+ */
+ size_t fragment_offset, fragment_length, length;
+ fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
+ fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
+ length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
+ MBEDTLS_SSL_DEBUG_MSG(
+ 4, ("fragment_offset=%u fragment_length=%u length=%u",
+ (unsigned) fragment_offset, (unsigned) fragment_length,
+ (unsigned) length));
+ if (fragment_offset != 0 || length != fragment_length) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+ }
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ buf += mbedtls_ssl_hs_hdr_len(ssl);
+ msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
+
+ /*
+ * ClientHello layout:
+ * 0 . 1 protocol version
+ * 2 . 33 random bytes (starting with 4 bytes of Unix time)
+ * 34 . 34 session id length (1 byte)
+ * 35 . 34+x session id, where x = session id length from byte 34
+ * 35+x . 35+x DTLS only: cookie length (1 byte)
+ * 36+x . .. DTLS only: cookie
+ * .. . .. ciphersuite list length (2 bytes)
+ * .. . .. ciphersuite list
+ * .. . .. compression alg. list length (1 byte)
+ * .. . .. compression alg. list
+ * .. . .. extensions length (2 bytes, optional)
+ * .. . .. extensions (optional)
+ */
+
+ /*
+ * Minimal length (with everything empty and extensions omitted) is
+ * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
+ * read at least up to session id length without worrying.
+ */
+ if (msg_len < 38) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /*
+ * Check and save the protocol version
+ */
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
+
+ ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
+ ssl->conf->transport);
+ ssl->session_negotiate->tls_version = ssl->tls_version;
+ ssl->session_negotiate->endpoint = ssl->conf->endpoint;
+
+ if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ }
+
+ /*
+ * Save client random (inc. Unix time)
+ */
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
+
+ memcpy(ssl->handshake->randbytes, buf + 2, 32);
+
+ /*
+ * Check the session ID length and save session ID
+ */
+ sess_len = buf[34];
+
+ if (sess_len > sizeof(ssl->session_negotiate->id) ||
+ sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
+
+ ssl->session_negotiate->id_len = sess_len;
+ memset(ssl->session_negotiate->id, 0,
+ sizeof(ssl->session_negotiate->id));
+ memcpy(ssl->session_negotiate->id, buf + 35,
+ ssl->session_negotiate->id_len);
+
+ /*
+ * Check the cookie length and content
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ cookie_offset = 35 + sess_len;
+ cookie_len = buf[cookie_offset];
+
+ if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
+ buf + cookie_offset + 1, cookie_len);
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+ if (ssl->conf->f_cookie_check != NULL
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+ ) {
+ if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
+ buf + cookie_offset + 1, cookie_len,
+ ssl->cli_id, ssl->cli_id_len) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
+ ssl->handshake->cookie_verify_result = 1;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
+ ssl->handshake->cookie_verify_result = 0;
+ }
+ } else
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+ {
+ /* We know we didn't send a cookie, so it should be empty */
+ if (cookie_len != 0) {
+ /* This may be an attacker's probe, so don't send an alert */
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
+ }
+
+ /*
+ * Check the ciphersuitelist length (will be parsed later)
+ */
+ ciph_offset = cookie_offset + 1 + cookie_len;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ ciph_offset = 35 + sess_len;
+
+ ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
+
+ if (ciph_len < 2 ||
+ ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
+ (ciph_len % 2) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
+ buf + ciph_offset + 2, ciph_len);
+
+ /*
+ * Check the compression algorithm's length.
+ * The list contents are ignored because implementing
+ * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
+ * option supported by Mbed TLS.
+ */
+ comp_offset = ciph_offset + 2 + ciph_len;
+
+ comp_len = buf[comp_offset];
+
+ if (comp_len < 1 ||
+ comp_len > 16 ||
+ comp_len + comp_offset + 1 > msg_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
+ buf + comp_offset + 1, comp_len);
+
+ /*
+ * Check the extension length
+ */
+ ext_offset = comp_offset + 1 + comp_len;
+ if (msg_len > ext_offset) {
+ if (msg_len < ext_offset + 2) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
+
+ if (msg_len != ext_offset + 2 + ext_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ } else {
+ ext_len = 0;
+ }
+
+ ext = buf + ext_offset + 2;
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
+
+ while (ext_len != 0) {
+ unsigned int ext_id;
+ unsigned int ext_size;
+ if (ext_len < 4) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ ext_id = MBEDTLS_GET_UINT16_BE(ext, 0);
+ ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
+
+ if (ext_size + 4 > ext_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ switch (ext_id) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ case MBEDTLS_TLS_EXT_SERVERNAME:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
+ ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
+ ext + 4 + ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+ case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ renegotiation_info_seen = 1;
+#endif
+
+ ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+ case MBEDTLS_TLS_EXT_SIG_ALG:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
+
+ ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+
+ sig_hash_alg_ext_present = 1;
+ break;
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
+
+ ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
+ ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
+
+ ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
+ MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
+
+ ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
+
+ ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ case MBEDTLS_TLS_EXT_CID:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
+
+ ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
+
+ ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
+
+ ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ case MBEDTLS_TLS_EXT_SESSION_TICKET:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
+
+ ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+ case MBEDTLS_TLS_EXT_ALPN:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
+
+ ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
+ ext + 4 + ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ case MBEDTLS_TLS_EXT_USE_SRTP:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
+
+ ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
+ if (ret != 0) {
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+ default:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
+ ext_id));
+ }
+
+ ext_len -= 4 + ext_size;
+ ext += 4 + ext_size;
+ }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+ /*
+ * Try to fall back to default hash SHA1 if the client
+ * hasn't provided any preferred signature-hash combinations.
+ */
+ if (!sig_hash_alg_ext_present) {
+ uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
+ const uint16_t default_sig_algs[] = {
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
+ MBEDTLS_SSL_HASH_SHA1),
+#endif
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
+ MBEDTLS_SSL_HASH_SHA1),
+#endif
+ MBEDTLS_TLS_SIG_NONE
+ };
+
+ MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
+ <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
+ "default_sig_algs is too big");
+
+ memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
+ }
+
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
+ /*
+ * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+ */
+ for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
+ if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
+ "during renegotiation"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+#endif
+ ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+ break;
+ }
+ }
+
+ /*
+ * Renegotiation security checks
+ */
+ if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+ ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
+ handshake_failure = 1;
+ }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+ ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+ renegotiation_info_seen == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
+ handshake_failure = 1;
+ } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+ ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+ ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
+ handshake_failure = 1;
+ } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+ ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+ renegotiation_info_seen == 1) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
+ handshake_failure = 1;
+ }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+ if (handshake_failure == 1) {
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ /*
+ * Server certification selection (after processing TLS extensions)
+ */
+ if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
+ return ret;
+ }
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ ssl->handshake->sni_name = NULL;
+ ssl->handshake->sni_name_len = 0;
+#endif
+
+ /*
+ * Search for a matching ciphersuite
+ * (At the end because we need information from the EC-based extensions
+ * and certificate from the SNI callback triggered by the SNI extension
+ * or certificate from server certificate selection callback.)
+ */
+ got_common_suite = 0;
+ ciphersuites = ssl->conf->ciphersuite_list;
+ ciphersuite_info = NULL;
+
+ if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
+ for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
+ for (i = 0; ciphersuites[i] != 0; i++) {
+ if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
+ continue;
+ }
+
+ got_common_suite = 1;
+
+ if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
+ &ciphersuite_info)) != 0) {
+ return ret;
+ }
+
+ if (ciphersuite_info != NULL) {
+ goto have_ciphersuite;
+ }
+ }
+ }
+ } else {
+ for (i = 0; ciphersuites[i] != 0; i++) {
+ for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
+ if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
+ continue;
+ }
+
+ got_common_suite = 1;
+
+ if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
+ &ciphersuite_info)) != 0) {
+ return ret;
+ }
+
+ if (ciphersuite_info != NULL) {
+ goto have_ciphersuite;
+ }
+ }
+ }
+ }
+
+ if (got_common_suite) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
+ "but none of them usable"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+have_ciphersuite:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
+
+ ssl->session_negotiate->ciphersuite = ciphersuites[i];
+ ssl->handshake->ciphersuite_info = ciphersuite_info;
+
+ ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ mbedtls_ssl_recv_flight_completed(ssl);
+ }
+#endif
+
+ /* Debugging-only output for testsuite */
+#if defined(MBEDTLS_DEBUG_C) && \
+ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+ mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
+ if (sig_alg != MBEDTLS_PK_NONE) {
+ unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
+ sig_hash));
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
+ "%u - should not happen", (unsigned) sig_alg));
+ }
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ size_t ext_len;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+ *olen = 0;
+
+ /* Skip writing the extension if we don't want to use it or if
+ * the client hasn't offered it. */
+ if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
+ return;
+ }
+
+ /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
+ * which is at most 255, so the increment cannot overflow. */
+ if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
+
+ /*
+ * struct {
+ * opaque cid<0..2^8-1>;
+ * } ConnectionId;
+ */
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
+ p += 2;
+ ext_len = (size_t) ssl->own_cid_len + 1;
+ MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
+ p += 2;
+
+ *p++ = (uint8_t) ssl->own_cid_len;
+ memcpy(p, ssl->own_cid, ssl->own_cid_len);
+
+ *olen = ssl->own_cid_len + 5;
+}
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ const mbedtls_ssl_ciphersuite_t *suite = NULL;
+
+ /*
+ * RFC 7366: "If a server receives an encrypt-then-MAC request extension
+ * from a client and then selects a stream or Authenticated Encryption
+ * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
+ * encrypt-then-MAC response extension back to the client."
+ */
+ suite = mbedtls_ssl_ciphersuite_from_id(
+ ssl->session_negotiate->ciphersuite);
+ if (suite == NULL) {
+ ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
+ } else {
+ mbedtls_ssl_mode_t ssl_mode =
+ mbedtls_ssl_get_mode_from_ciphersuite(
+ ssl->session_negotiate->encrypt_then_mac,
+ suite);
+
+ if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
+ ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
+ }
+ }
+
+ if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
+ *olen = 0;
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = 0x00;
+
+ *olen = 4;
+}
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+
+ if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
+ *olen = 0;
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
+ "extension"));
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = 0x00;
+
+ *olen = 4;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+
+ if (ssl->handshake->new_session_ticket == 0) {
+ *olen = 0;
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = 0x00;
+
+ *olen = 4;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+
+ if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
+ *olen = 0;
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
+ p += 2;
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+ *p++ = 0x00;
+ *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
+ *p++ = ssl->verify_data_len * 2 & 0xFF;
+
+ memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
+ p += ssl->verify_data_len;
+ memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
+ p += ssl->verify_data_len;
+ } else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+ {
+ *p++ = 0x00;
+ *p++ = 0x01;
+ *p++ = 0x00;
+ }
+
+ *olen = (size_t) (p - buf);
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+
+ if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
+ *olen = 0;
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = 1;
+
+ *p++ = ssl->session_negotiate->mfl_code;
+
+ *olen = 5;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen)
+{
+ unsigned char *p = buf;
+ ((void) ssl);
+
+ if ((ssl->handshake->cli_exts &
+ MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
+ *olen = 0;
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
+ p += 2;
+
+ *p++ = 0x00;
+ *p++ = 2;
+
+ *p++ = 1;
+ *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+ *olen = 6;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+ size_t kkpp_len;
+
+ *olen = 0;
+
+ /* Skip costly computation if not needed */
+ if (ssl->handshake->ciphersuite_info->key_exchange !=
+ MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
+
+ if (end - p < 4) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
+ return;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
+ p += 2;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
+ p + 2, (size_t) (end - p - 2), &kkpp_len,
+ MBEDTLS_ECJPAKE_ROUND_ONE);
+ if (ret != 0) {
+ psa_destroy_key(ssl->handshake->psa_pake_password);
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
+ return;
+ }
+#else
+ ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
+ p + 2, (size_t) (end - p - 2), &kkpp_len,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
+ return;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
+ p += 2;
+
+ *olen = kkpp_len + 4;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
+static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen)
+{
+ size_t mki_len = 0, ext_len = 0;
+ uint16_t profile_value = 0;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+ *olen = 0;
+
+ if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
+ (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
+
+ if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
+ mki_len = ssl->dtls_srtp_info.mki_len;
+ }
+
+ /* The extension total size is 9 bytes :
+ * - 2 bytes for the extension tag
+ * - 2 bytes for the total size
+ * - 2 bytes for the protection profile length
+ * - 2 bytes for the protection profile
+ * - 1 byte for the mki length
+ * + the actual mki length
+ * Check we have enough room in the output buffer */
+ if ((size_t) (end - buf) < mki_len + 9) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
+ return;
+ }
+
+ /* extension */
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
+ /*
+ * total length 5 and mki value: only one profile(2 bytes)
+ * and length(2 bytes) and srtp_mki )
+ */
+ ext_len = 5 + mki_len;
+ MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
+
+ /* protection profile length: 2 */
+ buf[4] = 0x00;
+ buf[5] = 0x02;
+ profile_value = mbedtls_ssl_check_srtp_profile_value(
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
+ if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
+ MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
+ return;
+ }
+
+ buf[8] = mki_len & 0xFF;
+ memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
+
+ *olen = 9 + mki_len;
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = ssl->out_msg + 4;
+ unsigned char *cookie_len_byte;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
+
+ /*
+ * struct {
+ * ProtocolVersion server_version;
+ * opaque cookie<0..2^8-1>;
+ * } HelloVerifyRequest;
+ */
+
+ /* The RFC is not clear on this point, but sending the actual negotiated
+ * version looks like the most interoperable thing to do. */
+ mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
+ MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
+ p += 2;
+
+ /* If we get here, f_cookie_check is not null */
+ if (ssl->conf->f_cookie_write == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* Skip length byte until we know the length */
+ cookie_len_byte = p++;
+
+ if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
+ &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
+ ssl->cli_id, ssl->cli_id_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
+ return ret;
+ }
+
+ *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
+
+ ssl->out_msglen = (size_t) (p - ssl->out_msg);
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
+{
+ int ret;
+ mbedtls_ssl_session session_tmp;
+ mbedtls_ssl_session * const session = ssl->session_negotiate;
+
+ /* Resume is 0 by default, see ssl_handshake_init().
+ * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
+ if (ssl->handshake->resume == 1) {
+ return;
+ }
+ if (session->id_len == 0) {
+ return;
+ }
+ if (ssl->conf->f_get_cache == NULL) {
+ return;
+ }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
+ return;
+ }
+#endif
+
+ mbedtls_ssl_session_init(&session_tmp);
+
+ ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
+ session->id,
+ session->id_len,
+ &session_tmp);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ if (session->ciphersuite != session_tmp.ciphersuite) {
+ /* Mismatch between cached and negotiated session */
+ goto exit;
+ }
+
+ /* Move semantics */
+ mbedtls_ssl_session_free(session);
+ *session = session_tmp;
+ memset(&session_tmp, 0, sizeof(session_tmp));
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
+ ssl->handshake->resume = 1;
+
+exit:
+
+ mbedtls_ssl_session_free(&session_tmp);
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_HAVE_TIME)
+ mbedtls_time_t t;
+#endif
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen, ext_len = 0, n;
+ unsigned char *buf, *p;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ssl->handshake->cookie_verify_result != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
+
+ return ssl_write_hello_verify_request(ssl);
+ }
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+ /*
+ * 0 . 0 handshake type
+ * 1 . 3 handshake length
+ * 4 . 5 protocol version
+ * 6 . 9 UNIX time()
+ * 10 . 37 random bytes
+ */
+ buf = ssl->out_msg;
+ p = buf + 4;
+
+ mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
+ p += 2;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
+ buf[4], buf[5]));
+
+#if defined(MBEDTLS_HAVE_TIME)
+ t = mbedtls_time(NULL);
+ MBEDTLS_PUT_UINT32_BE(t, p, 0);
+ p += 4;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
+ (long long) t));
+#else
+ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
+ return ret;
+ }
+
+ p += 4;
+#endif /* MBEDTLS_HAVE_TIME */
+
+ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
+ return ret;
+ }
+ p += 20;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ /*
+ * RFC 8446
+ * TLS 1.3 has a downgrade protection mechanism embedded in the server's
+ * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
+ * response to a ClientHello MUST set the last 8 bytes of their Random
+ * value specially in their ServerHello.
+ */
+ if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
+ static const unsigned char magic_tls12_downgrade_string[] =
+ { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
+
+ MBEDTLS_STATIC_ASSERT(
+ sizeof(magic_tls12_downgrade_string) == 8,
+ "magic_tls12_downgrade_string does not have the expected size");
+
+ memcpy(p, magic_tls12_downgrade_string,
+ sizeof(magic_tls12_downgrade_string));
+ } else
+#endif
+ {
+ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
+ return ret;
+ }
+ }
+ p += 8;
+
+ memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
+
+ ssl_handle_id_based_session_resumption(ssl);
+
+ if (ssl->handshake->resume == 0) {
+ /*
+ * New session, create a new session id,
+ * unless we're about to issue a session ticket
+ */
+ ssl->state++;
+
+#if defined(MBEDTLS_HAVE_TIME)
+ ssl->session_negotiate->start = mbedtls_time(NULL);
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if (ssl->handshake->new_session_ticket != 0) {
+ ssl->session_negotiate->id_len = n = 0;
+ memset(ssl->session_negotiate->id, 0, 32);
+ } else
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+ {
+ ssl->session_negotiate->id_len = n = 32;
+ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
+ n)) != 0) {
+ return ret;
+ }
+ }
+ } else {
+ /*
+ * Resuming a session
+ */
+ n = ssl->session_negotiate->id_len;
+ ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+ if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+ return ret;
+ }
+ }
+
+ /*
+ * 38 . 38 session id length
+ * 39 . 38+n session id
+ * 39+n . 40+n chosen ciphersuite
+ * 41+n . 41+n chosen compression alg.
+ * 42+n . 43+n extensions length
+ * 44+n . 43+n+m extensions
+ */
+ *p++ = (unsigned char) ssl->session_negotiate->id_len;
+ memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
+ p += ssl->session_negotiate->id_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
+ MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
+ ssl->handshake->resume ? "a" : "no"));
+
+ MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
+ p += 2;
+ *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
+ mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
+ (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
+
+ /*
+ * First write extensions, then the total length
+ */
+ ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
+ ext_len += olen;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
+ ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
+ ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+ ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
+ ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
+ ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
+ ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ const mbedtls_ssl_ciphersuite_t *suite =
+ mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
+ if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
+ ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
+ ext_len += olen;
+ }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
+ ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+ unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
+ if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
+ != 0) {
+ return ret;
+ }
+
+ ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
+ ext_len += olen;
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
+ ext_len));
+
+ if (ext_len > 0) {
+ MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
+ p += 2 + ext_len;
+ }
+
+ ssl->out_msglen = (size_t) (p - buf);
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
+
+ ret = mbedtls_ssl_write_handshake_msg(ssl);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
+
+ return ret;
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
+
+ if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
+ ssl->state++;
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+}
+#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+ uint16_t dn_size, total_dn_size; /* excluding length bytes */
+ size_t ct_len, sa_len; /* including length bytes */
+ unsigned char *buf, *p;
+ const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+ const mbedtls_x509_crt *crt;
+ int authmode;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
+
+ ssl->state++;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
+ authmode = ssl->handshake->sni_authmode;
+ } else
+#endif
+ authmode = ssl->conf->authmode;
+
+ if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
+ authmode == MBEDTLS_SSL_VERIFY_NONE) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
+ return 0;
+ }
+
+ /*
+ * 0 . 0 handshake type
+ * 1 . 3 handshake length
+ * 4 . 4 cert type count
+ * 5 .. m-1 cert types
+ * m .. m+1 sig alg length (TLS 1.2 only)
+ * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
+ * n .. n+1 length of all DNs
+ * n+2 .. n+3 length of DN 1
+ * n+4 .. ... Distinguished Name #1
+ * ... .. ... length of DN 2, etc.
+ */
+ buf = ssl->out_msg;
+ p = buf + 4;
+
+ /*
+ * Supported certificate types
+ *
+ * ClientCertificateType certificate_types<1..2^8-1>;
+ * enum { (255) } ClientCertificateType;
+ */
+ ct_len = 0;
+
+#if defined(MBEDTLS_RSA_C)
+ p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
+ p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
+#endif
+
+ p[0] = (unsigned char) ct_len++;
+ p += ct_len;
+
+ sa_len = 0;
+
+ /*
+ * Add signature_algorithms for verify (TLS 1.2)
+ *
+ * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
+ *
+ * struct {
+ * HashAlgorithm hash;
+ * SignatureAlgorithm signature;
+ * } SignatureAndHashAlgorithm;
+ *
+ * enum { (255) } HashAlgorithm;
+ * enum { (255) } SignatureAlgorithm;
+ */
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
+ if (sig_alg == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+
+ for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
+ unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
+
+ if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
+ continue;
+ }
+ if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
+ continue;
+ }
+
+ /* Write elements at offsets starting from 1 (offset 0 is for the
+ * length). Thus the offset of each element is the length of the
+ * partial list including that element. */
+ sa_len += 2;
+ MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
+
+ }
+
+ /* Fill in list length. */
+ MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
+ sa_len += 2;
+ p += sa_len;
+
+ /*
+ * DistinguishedName certificate_authorities<0..2^16-1>;
+ * opaque DistinguishedName<1..2^16-1>;
+ */
+ p += 2;
+
+ total_dn_size = 0;
+
+ if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
+ /* NOTE: If trusted certificates are provisioned
+ * via a CA callback (configured through
+ * `mbedtls_ssl_conf_ca_cb()`, then the
+ * CertificateRequest is currently left empty. */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->dn_hints != NULL) {
+ crt = ssl->handshake->dn_hints;
+ } else
+#endif
+ if (ssl->conf->dn_hints != NULL) {
+ crt = ssl->conf->dn_hints;
+ } else
+#endif
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->sni_ca_chain != NULL) {
+ crt = ssl->handshake->sni_ca_chain;
+ } else
+#endif
+ crt = ssl->conf->ca_chain;
+
+ while (crt != NULL && crt->version != 0) {
+ /* It follows from RFC 5280 A.1 that this length
+ * can be represented in at most 11 bits. */
+ dn_size = (uint16_t) crt->subject_raw.len;
+
+ if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
+ break;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
+ p += 2;
+ memcpy(p, crt->subject_raw.p, dn_size);
+ p += dn_size;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
+
+ total_dn_size += (unsigned short) (2 + dn_size);
+ crt = crt->next;
+ }
+ }
+
+ ssl->out_msglen = (size_t) (p - buf);
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
+ MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
+
+ ret = mbedtls_ssl_write_handshake_msg(ssl);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
+
+ return ret;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
+#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_pk_context *pk;
+ mbedtls_pk_type_t pk_type;
+ psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t key_len;
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ uint16_t tls_id = 0;
+ psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
+ mbedtls_ecp_group_id grp_id;
+ mbedtls_ecp_keypair *key;
+#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
+
+ pk = mbedtls_ssl_own_key(ssl);
+
+ if (pk == NULL) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ pk_type = mbedtls_pk_get_type(pk);
+
+ switch (pk_type) {
+ case MBEDTLS_PK_OPAQUE:
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
+ if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
+ return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
+ }
+
+ /* Get the attributes of the key previously parsed by PK module in
+ * order to extract its type and length (in bits). */
+ status = psa_get_key_attributes(pk->priv_id, &key_attributes);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+ ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
+ ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
+
+ if (pk_type == MBEDTLS_PK_OPAQUE) {
+ /* Opaque key is created by the user (externally from Mbed TLS)
+ * so we assume it already has the right algorithm and flags
+ * set. Just copy its ID as reference. */
+ ssl->handshake->xxdh_psa_privkey = pk->priv_id;
+ ssl->handshake->xxdh_psa_privkey_is_external = 1;
+ } else {
+ /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
+ * module and only have ECDSA capabilities. Since we need
+ * them for ECDH later, we export and then re-import them with
+ * proper flags and algorithm. Of course We also set key's type
+ * and bits that we just got above. */
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
+ psa_set_key_type(&key_attributes,
+ PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
+ psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
+
+ status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+ status = psa_import_key(&key_attributes, buf, key_len,
+ &ssl->handshake->xxdh_psa_privkey);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ /* Set this key as owned by the TLS library: it will be its duty
+ * to clear it exit. */
+ ssl->handshake->xxdh_psa_privkey_is_external = 0;
+ }
+
+ ret = 0;
+ break;
+#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ case MBEDTLS_PK_ECKEY:
+ case MBEDTLS_PK_ECKEY_DH:
+ case MBEDTLS_PK_ECDSA:
+ key = mbedtls_pk_ec_rw(*pk);
+ grp_id = mbedtls_pk_get_ec_group_id(pk);
+ if (grp_id == MBEDTLS_ECP_DP_NONE) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+ tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
+ if (tls_id == 0) {
+ /* This elliptic curve is not supported */
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ /* If the above conversion to TLS ID was fine, then also this one will
+ be, so there is no need to check the return value here */
+ mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
+ &ssl->handshake->xxdh_psa_bits);
+
+ ssl->handshake->xxdh_psa_type = key_type;
+
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
+ psa_set_key_type(&key_attributes,
+ PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
+ psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
+
+ ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf));
+ if (ret != 0) {
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ break;
+ }
+
+ status = psa_import_key(&key_attributes, buf, key_len,
+ &ssl->handshake->xxdh_psa_privkey);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ break;
+ }
+
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+ ret = 0;
+ break;
+#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
+ default:
+ ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
+ }
+
+exit:
+ psa_reset_key_attributes(&key_attributes);
+ mbedtls_platform_zeroize(buf, sizeof(buf));
+
+ return ret;
+}
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
+ if (private_key == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
+ return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
+ }
+
+ if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
+ return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
+ }
+
+ if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
+ mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
+ MBEDTLS_ECDH_OURS)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
+ return ret;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
+ size_t *signature_len)
+{
+ /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+ * signature length which will be added in ssl_write_server_key_exchange
+ * after the call to ssl_prepare_server_key_exchange.
+ * ssl_write_server_key_exchange also takes care of incrementing
+ * ssl->out_msglen. */
+ unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
+ size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
+ - sig_start);
+ int ret = ssl->conf->f_async_resume(ssl,
+ sig_start, signature_len, sig_max_len);
+ if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
+ ssl->handshake->async_in_progress = 0;
+ mbedtls_ssl_set_async_operation_data(ssl, NULL);
+ }
+ MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
+ return ret;
+}
+#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+
+/* Prepare the ServerKeyExchange message, up to and including
+ * calculating the signature if any, but excluding formatting the
+ * signature and sending the message. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
+ size_t *signature_len)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+ unsigned char *dig_signed = NULL;
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
+
+ (void) ciphersuite_info; /* unused in some configurations */
+#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+ (void) signature_len;
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
+#else
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
+#endif
+#endif
+
+ ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
+
+ /*
+ *
+ * Part 1: Provide key exchange parameters for chosen ciphersuite.
+ *
+ */
+
+ /*
+ * - ECJPAKE key exchanges
+ */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
+ unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
+ ssl->out_msglen;
+ size_t output_offset = 0;
+ size_t output_len = 0;
+
+ /*
+ * The first 3 bytes are:
+ * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
+ * [1, 2] elliptic curve's TLS ID
+ *
+ * However since we only support secp256r1 for now, we hardcode its
+ * TLS ID here
+ */
+ uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
+ MBEDTLS_ECP_DP_SECP256R1);
+ if (tls_id == 0) {
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+ *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
+ MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
+ output_offset += 3;
+
+ ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
+ out_p + output_offset,
+ end_p - out_p - output_offset, &output_len,
+ MBEDTLS_ECJPAKE_ROUND_TWO);
+ if (ret != 0) {
+ psa_destroy_key(ssl->handshake->psa_pake_password);
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
+ return ret;
+ }
+
+ output_offset += output_len;
+ ssl->out_msglen += output_offset;
+#else
+ size_t len = 0;
+
+ ret = mbedtls_ecjpake_write_round_two(
+ &ssl->handshake->ecjpake_ctx,
+ ssl->out_msg + ssl->out_msglen,
+ MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
+ return ret;
+ }
+
+ ssl->out_msglen += len;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+ /*
+ * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
+ * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
+ * we use empty support identity hints here.
+ **/
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+ ssl->out_msg[ssl->out_msglen++] = 0x00;
+ ssl->out_msg[ssl->out_msglen++] = 0x00;
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+ /*
+ * - DHE key exchanges
+ */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
+ if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Ephemeral DH parameters:
+ *
+ * struct {
+ * opaque dh_p<1..2^16-1>;
+ * opaque dh_g<1..2^16-1>;
+ * opaque dh_Ys<1..2^16-1>;
+ * } ServerDHParams;
+ */
+ if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
+ &ssl->conf->dhm_P,
+ &ssl->conf->dhm_G)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
+ return ret;
+ }
+
+ if ((ret = mbedtls_dhm_make_params(
+ &ssl->handshake->dhm_ctx,
+ (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
+ ssl->out_msg + ssl->out_msglen, &len,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
+ return ret;
+ }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+ dig_signed = ssl->out_msg + ssl->out_msglen;
+#endif
+
+ ssl->out_msglen += len;
+
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
+
+ /*
+ * - ECDHE key exchanges
+ */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
+ if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
+ /*
+ * Ephemeral ECDH parameters:
+ *
+ * struct {
+ * ECParameters curve_params;
+ * ECPoint public;
+ * } ServerECDHParams;
+ */
+ uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
+ const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ /* Match our preference list against the offered curves */
+ if ((group_list == NULL) || (curr_tls_id == NULL)) {
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+ for (; *group_list != 0; group_list++) {
+ for (curr_tls_id = ssl->handshake->curves_tls_id;
+ *curr_tls_id != 0; curr_tls_id++) {
+ if (*curr_tls_id == *group_list) {
+ goto curve_matching_done;
+ }
+ }
+ }
+
+curve_matching_done:
+ if (*curr_tls_id == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
+ mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+ psa_key_attributes_t key_attributes;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ uint8_t *p = ssl->out_msg + ssl->out_msglen;
+ const size_t header_size = 4; // curve_type(1), namedcurve(2),
+ // data length(1)
+ const size_t data_length_size = 1;
+ psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
+ size_t ec_bits = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
+
+ /* Convert EC's TLS ID to PSA key type. */
+ if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
+ &key_type,
+ &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+ handshake->xxdh_psa_type = key_type;
+ handshake->xxdh_psa_bits = ec_bits;
+
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
+ psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
+ psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
+
+ /*
+ * ECParameters curve_params
+ *
+ * First byte is curve_type, always named_curve
+ */
+ *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
+
+ /*
+ * Next two bytes are the namedcurve value
+ */
+ MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
+ p += 2;
+
+ /* Generate ECDH private key. */
+ status = psa_generate_key(&key_attributes,
+ &handshake->xxdh_psa_privkey);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
+ return ret;
+ }
+
+ /*
+ * ECPoint public
+ *
+ * First byte is data length.
+ * It will be filled later. p holds now the data length location.
+ */
+
+ /* Export the public part of the ECDH private key from PSA.
+ * Make one byte space for the length.
+ */
+ unsigned char *own_pubkey = p + data_length_size;
+
+ size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
+ - (own_pubkey - ssl->out_msg));
+
+ status = psa_export_public_key(handshake->xxdh_psa_privkey,
+ own_pubkey, own_pubkey_max_len,
+ &len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
+ (void) psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+ return ret;
+ }
+
+ /* Store the length of the exported public key. */
+ *p = (uint8_t) len;
+
+ /* Determine full message length. */
+ len += header_size;
+#else
+ mbedtls_ecp_group_id curr_grp_id =
+ mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
+
+ if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
+ curr_grp_id)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
+ return ret;
+ }
+
+ if ((ret = mbedtls_ecdh_make_params(
+ &ssl->handshake->ecdh_ctx, &len,
+ ssl->out_msg + ssl->out_msglen,
+ MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+ MBEDTLS_DEBUG_ECDH_Q);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+ dig_signed = ssl->out_msg + ssl->out_msglen;
+#endif
+
+ ssl->out_msglen += len;
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
+
+ /*
+ *
+ * Part 2: For key exchanges involving the server signing the
+ * exchange parameters, compute and add the signature here.
+ *
+ */
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+ if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
+ if (dig_signed == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
+ size_t hashlen = 0;
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /*
+ * 2.1: Choose hash algorithm:
+ * For TLS 1.2, obey signature-hash-algorithm extension
+ * to choose appropriate hash.
+ */
+
+ mbedtls_pk_type_t sig_alg =
+ mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
+
+ unsigned char sig_hash =
+ (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
+
+ mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
+
+ /* For TLS 1.2, obey signature-hash-algorithm extension
+ * (RFC 5246, Sec. 7.4.1.4.1). */
+ if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ /* (... because we choose a cipher suite
+ * only if there is a matching hash.) */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
+
+ /*
+ * 2.2: Compute the hash to be signed
+ */
+ if (md_alg != MBEDTLS_MD_NONE) {
+ ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
+ dig_signed,
+ dig_signed_len,
+ md_alg);
+ if (ret != 0) {
+ return ret;
+ }
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
+
+ /*
+ * 2.3: Compute and add the signature
+ */
+ /*
+ * We need to specify signature and hash algorithm explicitly through
+ * a prefix to the signature.
+ *
+ * struct {
+ * HashAlgorithm hash;
+ * SignatureAlgorithm signature;
+ * } SignatureAndHashAlgorithm;
+ *
+ * struct {
+ * SignatureAndHashAlgorithm algorithm;
+ * opaque signature<0..2^16-1>;
+ * } DigitallySigned;
+ *
+ */
+
+ ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
+ ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if (ssl->conf->f_async_sign_start != NULL) {
+ ret = ssl->conf->f_async_sign_start(ssl,
+ mbedtls_ssl_own_cert(ssl),
+ md_alg, hash, hashlen);
+ switch (ret) {
+ case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+ /* act as if f_async_sign was null */
+ break;
+ case 0:
+ ssl->handshake->async_in_progress = 1;
+ return ssl_resume_server_key_exchange(ssl, signature_len);
+ case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+ ssl->handshake->async_in_progress = 1;
+ return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
+ default:
+ MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+ if (mbedtls_ssl_own_key(ssl) == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
+ return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
+ }
+
+ /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+ * signature length which will be added in ssl_write_server_key_exchange
+ * after the call to ssl_prepare_server_key_exchange.
+ * ssl_write_server_key_exchange also takes care of incrementing
+ * ssl->out_msglen. */
+ if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
+ md_alg, hash, hashlen,
+ ssl->out_msg + ssl->out_msglen + 2,
+ out_buf_len - ssl->out_msglen - 2,
+ signature_len,
+ ssl->conf->f_rng,
+ ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+ return 0;
+}
+
+/* Prepare the ServerKeyExchange message and send it. For ciphersuites
+ * that do not include a ServerKeyExchange message, do nothing. Either
+ * way, if successful, move on to the next step in the SSL state
+ * machine. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t signature_len = 0;
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
+ /* Extract static ECDH parameters and abort if ServerKeyExchange
+ * is not needed. */
+ if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
+ /* For suites involving ECDH, extract DH parameters
+ * from certificate at this point. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
+ if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
+ ret = ssl_get_ecdh_params_from_cert(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
+
+ /* Key exchanges not involving ephemeral keys don't use
+ * ServerKeyExchange, so end here. */
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
+ ssl->state++;
+ return 0;
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ /* If we have already prepared the message and there is an ongoing
+ * signature operation, resume signing. */
+ if (ssl->handshake->async_in_progress != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
+ ret = ssl_resume_server_key_exchange(ssl, &signature_len);
+ } else
+#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+ {
+ /* ServerKeyExchange is needed. Prepare the message. */
+ ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
+ }
+
+ if (ret != 0) {
+ /* If we're starting to write a new message, set ssl->out_msglen
+ * to 0. But if we're resuming after an asynchronous message,
+ * out_msglen is the amount of data written so far and mst be
+ * preserved. */
+ if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
+ } else {
+ ssl->out_msglen = 0;
+ }
+ return ret;
+ }
+
+ /* If there is a signature, write its length.
+ * ssl_prepare_server_key_exchange already wrote the signature
+ * itself at its proper place in the output buffer. */
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
+ if (signature_len != 0) {
+ ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
+ ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
+ ssl->out_msg + ssl->out_msglen,
+ signature_len);
+
+ /* Skip over the already-written signature */
+ ssl->out_msglen += signature_len;
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+
+ /* Add header and send. */
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
+
+ ssl->state++;
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
+
+ ssl->out_msglen = 4;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
+
+ ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ mbedtls_ssl_send_flight_completed(ssl);
+ }
+#endif
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
+
+ return 0;
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ size_t n;
+
+ /*
+ * Receive G^Y mod P, premaster = (G^Y)^X mod P
+ */
+ if (*p + 2 > end) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ n = MBEDTLS_GET_UINT16_BE(*p, 0);
+ *p += 2;
+
+ if (*p + n > end) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ *p += n;
+
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
+
+ return ret;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
+ unsigned char *peer_pms,
+ size_t *peer_pmslen,
+ size_t peer_pmssize)
+{
+ int ret = ssl->conf->f_async_resume(ssl,
+ peer_pms, peer_pmslen, peer_pmssize);
+ if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
+ ssl->handshake->async_in_progress = 0;
+ mbedtls_ssl_set_async_operation_data(ssl, NULL);
+ }
+ MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
+ return ret;
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
+ const unsigned char *p,
+ const unsigned char *end,
+ unsigned char *peer_pms,
+ size_t *peer_pmslen,
+ size_t peer_pmssize)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
+ if (own_cert == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
+ return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
+ }
+ mbedtls_pk_context *public_key = &own_cert->pk;
+ mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
+ size_t len = mbedtls_pk_get_len(public_key);
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ /* If we have already started decoding the message and there is an ongoing
+ * decryption operation, resume signing. */
+ if (ssl->handshake->async_in_progress != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
+ return ssl_resume_decrypt_pms(ssl,
+ peer_pms, peer_pmslen, peer_pmssize);
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+ /*
+ * Prepare to decrypt the premaster using own private RSA key
+ */
+ if (p + 2 > end) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ if (*p++ != MBEDTLS_BYTE_1(len) ||
+ *p++ != MBEDTLS_BYTE_0(len)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ if (p + len != end) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /*
+ * Decrypt the premaster secret
+ */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if (ssl->conf->f_async_decrypt_start != NULL) {
+ ret = ssl->conf->f_async_decrypt_start(ssl,
+ mbedtls_ssl_own_cert(ssl),
+ p, len);
+ switch (ret) {
+ case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+ /* act as if f_async_decrypt_start was null */
+ break;
+ case 0:
+ ssl->handshake->async_in_progress = 1;
+ return ssl_resume_decrypt_pms(ssl,
+ peer_pms,
+ peer_pmslen,
+ peer_pmssize);
+ case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+ ssl->handshake->async_in_progress = 1;
+ return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
+ default:
+ MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+ if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
+ return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
+ }
+
+ ret = mbedtls_pk_decrypt(private_key, p, len,
+ peer_pms, peer_pmslen, peer_pmssize,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ return ret;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
+ const unsigned char *p,
+ const unsigned char *end,
+ size_t pms_offset)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *pms = ssl->handshake->premaster + pms_offset;
+ unsigned char ver[2];
+ unsigned char fake_pms[48], peer_pms[48];
+ size_t peer_pmslen;
+ mbedtls_ct_condition_t diff;
+
+ /* In case of a failure in decryption, the decryption may write less than
+ * 2 bytes of output, but we always read the first two bytes. It doesn't
+ * matter in the end because diff will be nonzero in that case due to
+ * ret being nonzero, and we only care whether diff is 0.
+ * But do initialize peer_pms and peer_pmslen for robustness anyway. This
+ * also makes memory analyzers happy (don't access uninitialized memory,
+ * even if it's an unsigned char). */
+ peer_pms[0] = peer_pms[1] = ~0;
+ peer_pmslen = 0;
+
+ ret = ssl_decrypt_encrypted_pms(ssl, p, end,
+ peer_pms,
+ &peer_pmslen,
+ sizeof(peer_pms));
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
+ return ret;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+ mbedtls_ssl_write_version(ver, ssl->conf->transport,
+ ssl->session_negotiate->tls_version);
+
+ /* Avoid data-dependent branches while checking for invalid
+ * padding, to protect against timing-based Bleichenbacher-type
+ * attacks. */
+ diff = mbedtls_ct_bool(ret);
+ diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
+ diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
+ diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
+
+ /*
+ * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
+ * must not cause the connection to end immediately; instead, send a
+ * bad_record_mac later in the handshake.
+ * To protect against timing-based variants of the attack, we must
+ * not have any branch that depends on whether the decryption was
+ * successful. In particular, always generate the fake premaster secret,
+ * regardless of whether it will ultimately influence the output or not.
+ */
+ ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
+ if (ret != 0) {
+ /* It's ok to abort on an RNG failure, since this does not reveal
+ * anything about the RSA decryption. */
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+ if (diff != MBEDTLS_CT_FALSE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ }
+#endif
+
+ if (sizeof(ssl->handshake->premaster) < pms_offset ||
+ sizeof(ssl->handshake->premaster) - pms_offset < 48) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ ssl->handshake->pmslen = 48;
+
+ /* Set pms to either the true or the fake PMS, without
+ * data-dependent branches. */
+ mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
+
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
+ const unsigned char *end)
+{
+ int ret = 0;
+ uint16_t n;
+
+ if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
+ return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
+ }
+
+ /*
+ * Receive client pre-shared key identity name
+ */
+ if (end - *p < 2) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ n = MBEDTLS_GET_UINT16_BE(*p, 0);
+ *p += 2;
+
+ if (n == 0 || n > end - *p) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ if (ssl->conf->f_psk != NULL) {
+ if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
+ ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+ }
+ } else {
+ /* Identity is not a big secret since clients send it in the clear,
+ * but treat it carefully anyway, just in case */
+ if (n != ssl->conf->psk_identity_len ||
+ mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
+ ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+ }
+ }
+
+ if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
+ MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
+ mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
+ return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+ }
+
+ *p += n;
+
+ return 0;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ unsigned char *p, *end;
+
+ ciphersuite_info = ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
+ (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
+ if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
+ (ssl->handshake->async_in_progress != 0)) {
+ /* We've already read a record and there is an asynchronous
+ * operation in progress to decrypt it. So skip reading the
+ * record. */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
+ } else
+#endif
+ if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+
+ p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
+ end = ssl->in_msg + ssl->in_hslen;
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
+ if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
+ return ret;
+ }
+
+ if (p != end) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
+ ssl->handshake->premaster,
+ MBEDTLS_PREMASTER_SIZE,
+ &ssl->handshake->pmslen,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ size_t data_len = (size_t) (*p++);
+ size_t buf_len = (size_t) (end - p);
+ psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
+
+ /*
+ * We must have at least two bytes (1 for length, at least 1 for data)
+ */
+ if (buf_len < 2) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
+ buf_len));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ if (data_len < 1 || data_len > buf_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
+ " > %" MBEDTLS_PRINTF_SIZET,
+ data_len, buf_len));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ /* Store peer's ECDH public key. */
+ if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
+ " > %" MBEDTLS_PRINTF_SIZET,
+ data_len,
+ sizeof(handshake->xxdh_psa_peerkey)));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+ memcpy(handshake->xxdh_psa_peerkey, p, data_len);
+ handshake->xxdh_psa_peerkey_len = data_len;
+
+ /* Compute ECDH shared secret. */
+ status = psa_raw_key_agreement(
+ PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
+ handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
+ handshake->premaster, sizeof(handshake->premaster),
+ &handshake->pmslen);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
+ if (handshake->xxdh_psa_privkey_is_external == 0) {
+ (void) psa_destroy_key(handshake->xxdh_psa_privkey);
+ }
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+ return ret;
+ }
+
+ if (handshake->xxdh_psa_privkey_is_external == 0) {
+ status = psa_destroy_key(handshake->xxdh_psa_privkey);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
+ return ret;
+ }
+ }
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+#else
+ if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
+ p, (size_t) (end - p))) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+ MBEDTLS_DEBUG_ECDH_QP);
+
+ if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
+ &ssl->handshake->pmslen,
+ ssl->handshake->premaster,
+ MBEDTLS_MPI_MAX_SIZE,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+ MBEDTLS_DEBUG_ECDH_Z);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
+ if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
+ return ret;
+ }
+
+ if (p != end) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+ (mbedtls_key_exchange_type_t) ciphersuite_info->
+ key_exchange)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
+ return ret;
+ }
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if (ssl->handshake->async_in_progress != 0) {
+ /* There is an asynchronous operation in progress to
+ * decrypt the encrypted premaster secret, so skip
+ * directly to resuming this operation. */
+ MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
+ /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
+ * won't actually use it, but maintain p anyway for robustness. */
+ p += ssl->conf->psk_identity_len + 2;
+ } else
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+ if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
+ return ret;
+ }
+
+ if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
+ return ret;
+ }
+
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+ (mbedtls_key_exchange_type_t) ciphersuite_info->
+ key_exchange)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
+ return ret;
+ }
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
+ if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
+ return ret;
+ }
+ if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
+ return ret;
+ }
+
+ if (p != end) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char *pms = ssl->handshake->premaster;
+ unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
+ size_t pms_len;
+
+ /* Write length only when we know the actual value */
+ if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
+ pms + 2, pms_end - (pms + 2), &pms_len,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
+ return ret;
+ }
+ MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
+ pms += 2 + pms_len;
+
+ MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
+#else
+ if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+ (mbedtls_key_exchange_type_t) ciphersuite_info->
+ key_exchange)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t ecpoint_len;
+
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
+ psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+ return ret;
+ }
+
+ /* Keep a copy of the peer's public key */
+ if (p >= end) {
+ psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ ecpoint_len = *(p++);
+ if ((size_t) (end - p) < ecpoint_len) {
+ psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
+ the sizes of the FFDH keys which are at least 2048 bits.
+ The size of the array is thus greater than 256 bytes which is greater than any
+ possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
+#if !defined(PSA_WANT_ALG_FFDH)
+ if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
+ psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+#else
+ MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
+ "peer key buffer too small");
+#endif
+
+ memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
+ handshake->xxdh_psa_peerkey_len = ecpoint_len;
+ p += ecpoint_len;
+
+ /* As RFC 5489 section 2, the premaster secret is formed as follows:
+ * - a uint16 containing the length (in octets) of the ECDH computation
+ * - the octet string produced by the ECDH computation
+ * - a uint16 containing the length (in octets) of the PSK
+ * - the PSK itself
+ */
+ unsigned char *psm = ssl->handshake->premaster;
+ const unsigned char * const psm_end =
+ psm + sizeof(ssl->handshake->premaster);
+ /* uint16 to store length (in octets) of the ECDH computation */
+ const size_t zlen_size = 2;
+ size_t zlen = 0;
+
+ /* Compute ECDH shared secret. */
+ status = psa_raw_key_agreement(PSA_ALG_ECDH,
+ handshake->xxdh_psa_privkey,
+ handshake->xxdh_psa_peerkey,
+ handshake->xxdh_psa_peerkey_len,
+ psm + zlen_size,
+ psm_end - (psm + zlen_size),
+ &zlen);
+
+ destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+
+ if (status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ } else if (destruction_status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(destruction_status);
+ }
+
+ /* Write the ECDH computation length before the ECDH computation */
+ MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
+ psm += zlen_size + zlen;
+
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+ if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
+ return ret;
+ }
+
+ if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
+ p, (size_t) (end - p))) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
+ MBEDTLS_DEBUG_ECDH_QP);
+
+ if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
+ (mbedtls_key_exchange_type_t) ciphersuite_info->
+ key_exchange)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
+ if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((ret = mbedtls_psa_ecjpake_read_round(
+ &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
+ MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
+ psa_destroy_key(ssl->handshake->psa_pake_password);
+ psa_pake_abort(&ssl->handshake->psa_pake_ctx);
+
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
+ return ret;
+ }
+#else
+ ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
+ p, (size_t) (end - p));
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
+ ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+ ssl->conf->f_rng, ssl->conf->p_rng);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ } else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+ {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
+ return ret;
+ }
+
+ ssl->state++;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
+
+ return 0;
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
+
+ if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
+ ssl->state++;
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+}
+#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ size_t i, sig_len;
+ unsigned char hash[48];
+ unsigned char *hash_start = hash;
+ size_t hashlen;
+ mbedtls_pk_type_t pk_alg;
+ mbedtls_md_type_t md_alg;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+ mbedtls_pk_context *peer_pk;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
+
+ if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
+ ssl->state++;
+ return 0;
+ }
+
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ if (ssl->session_negotiate->peer_cert == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
+ ssl->state++;
+ return 0;
+ }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if (ssl->session_negotiate->peer_cert_digest == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
+ ssl->state++;
+ return 0;
+ }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+ /* Read the message without adding it to the checksum */
+ ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
+ return ret;
+ }
+
+ ssl->state++;
+
+ /* Process the message contents */
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
+ ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ i = mbedtls_ssl_hs_hdr_len(ssl);
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if (ssl->session_negotiate->peer_cert == NULL) {
+ /* Should never happen */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
+ /*
+ * struct {
+ * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
+ * opaque signature<0..2^16-1>;
+ * } DigitallySigned;
+ */
+ if (i + 2 > ssl->in_hslen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /*
+ * Hash
+ */
+ md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
+
+ if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
+ " for verify message"));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+#if !defined(MBEDTLS_MD_SHA1)
+ if (MBEDTLS_MD_SHA1 == md_alg) {
+ hash_start += 16;
+ }
+#endif
+
+ /* Info from md_alg will be used instead */
+ hashlen = 0;
+
+ i++;
+
+ /*
+ * Signature
+ */
+ if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
+ == MBEDTLS_PK_NONE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
+ " for verify message"));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ /*
+ * Check the certificate's key type matches the signature alg
+ */
+ if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ i++;
+
+ if (i + 2 > ssl->in_hslen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
+ i += 2;
+
+ if (i + sig_len != ssl->in_hslen) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* Calculate hash and verify signature */
+ {
+ size_t dummy_hlen;
+ ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
+ return ret;
+ }
+ }
+
+ if ((ret = mbedtls_pk_verify(peer_pk,
+ md_alg, hash_start, hashlen,
+ ssl->in_msg + i, sig_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
+ return ret;
+ }
+
+ ret = mbedtls_ssl_update_handshake_status(ssl);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
+
+ return ret;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t tlen;
+ uint32_t lifetime;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
+
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
+
+ /*
+ * struct {
+ * uint32 ticket_lifetime_hint;
+ * opaque ticket<0..2^16-1>;
+ * } NewSessionTicket;
+ *
+ * 4 . 7 ticket_lifetime_hint (0 = unspecified)
+ * 8 . 9 ticket_len (n)
+ * 10 . 9+n ticket content
+ */
+
+#if defined(MBEDTLS_HAVE_TIME)
+ ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
+#endif
+ if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
+ ssl->session_negotiate,
+ ssl->out_msg + 10,
+ ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
+ &tlen, &lifetime)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
+ tlen = 0;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
+ MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
+ ssl->out_msglen = 10 + tlen;
+
+ /*
+ * Morally equivalent to updating ssl->state, but NewSessionTicket and
+ * ChangeCipherSpec share the same state.
+ */
+ ssl->handshake->new_session_ticket = 0;
+
+ if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- server side -- single step
+ */
+int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
+
+ switch (ssl->state) {
+ case MBEDTLS_SSL_HELLO_REQUEST:
+ ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+ break;
+
+ /*
+ * <== ClientHello
+ */
+ case MBEDTLS_SSL_CLIENT_HELLO:
+ ret = ssl_parse_client_hello(ssl);
+ break;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
+ return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
+#endif
+
+ /*
+ * ==> ServerHello
+ * Certificate
+ * ( ServerKeyExchange )
+ * ( CertificateRequest )
+ * ServerHelloDone
+ */
+ case MBEDTLS_SSL_SERVER_HELLO:
+ ret = ssl_write_server_hello(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_CERTIFICATE:
+ ret = mbedtls_ssl_write_certificate(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+ ret = ssl_write_server_key_exchange(ssl);
+ break;
+
+ case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+ ret = ssl_write_certificate_request(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_HELLO_DONE:
+ ret = ssl_write_server_hello_done(ssl);
+ break;
+
+ /*
+ * <== ( Certificate/Alert )
+ * ClientKeyExchange
+ * ( CertificateVerify )
+ * ChangeCipherSpec
+ * Finished
+ */
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+ ret = mbedtls_ssl_parse_certificate(ssl);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+ ret = ssl_parse_client_key_exchange(ssl);
+ break;
+
+ case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+ ret = ssl_parse_certificate_verify(ssl);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+ ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_FINISHED:
+ ret = mbedtls_ssl_parse_finished(ssl);
+ break;
+
+ /*
+ * ==> ( NewSessionTicket )
+ * ChangeCipherSpec
+ * Finished
+ */
+ case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if (ssl->handshake->new_session_ticket != 0) {
+ ret = ssl_write_new_session_ticket(ssl);
+ } else
+#endif
+ ret = mbedtls_ssl_write_change_cipher_spec(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_FINISHED:
+ ret = mbedtls_ssl_write_finished(ssl);
+ break;
+
+ case MBEDTLS_SSL_FLUSH_BUFFERS:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ break;
+
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+ mbedtls_ssl_handshake_wrapup(ssl);
+ break;
+
+ default:
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ return ret;
+}
+
+void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
+{
+ conf->respect_cli_pref = order;
+}
+
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
new file mode 100644
index 0000000..7fcc394
--- /dev/null
+++ b/library/ssl_tls13_client.c
@@ -0,0 +1,3181 @@
+/*
+ * TLS 1.3 client-side functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#include <string.h>
+
+#include "debug_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
+
+#include "ssl_misc.h"
+#include "ssl_client.h"
+#include "ssl_tls13_keys.h"
+#include "ssl_debug_helpers.h"
+#include "mbedtls/psa_util.h"
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
+
+/* Write extensions */
+
+/*
+ * ssl_tls13_write_supported_versions_ext():
+ *
+ * struct {
+ * ProtocolVersion versions<2..254>;
+ * } SupportedVersions;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ unsigned char versions_len = (ssl->handshake->min_tls_version <=
+ MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;
+
+ *out_len = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));
+
+ /* Check if we have space to write the extension:
+ * - extension_type (2 bytes)
+ * - extension_data_length (2 bytes)
+ * - versions_length (1 byte )
+ * - versions (2 or 4 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);
+ MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);
+ p += 4;
+
+ /* Length of versions */
+ *p++ = versions_len;
+
+ /* Write values of supported versions.
+ * They are defined by the configuration.
+ * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
+ */
+ mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_VERSION_TLS1_3);
+ MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));
+
+
+ if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
+ mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_VERSION_TLS1_2);
+ MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));
+ }
+
+ *out_len = 5 + versions_len;
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+ ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ ((void) ssl);
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
+ if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=
+ MBEDTLS_SSL_VERSION_TLS1_3) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ if (&buf[2] != end) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("supported_versions ext data length incorrect"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_ALPN)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
+{
+ const unsigned char *p = buf;
+ const unsigned char *end = buf + len;
+ size_t protocol_name_list_len, protocol_name_len;
+ const unsigned char *protocol_name_list_end;
+
+ /* If we didn't send it, the server shouldn't send it */
+ if (ssl->conf->alpn_list == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /*
+ * opaque ProtocolName<1..2^8-1>;
+ *
+ * struct {
+ * ProtocolName protocol_name_list<2..2^16-1>
+ * } ProtocolNameList;
+ *
+ * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
+ */
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
+ protocol_name_list_end = p + protocol_name_list_len;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);
+ protocol_name_len = *p++;
+
+ /* Check that the server chosen protocol was in our list and save it */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);
+ for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
+ if (protocol_name_len == strlen(*alpn) &&
+ memcmp(p, *alpn, protocol_name_len) == 0) {
+ ssl->alpn_chosen = *alpn;
+ return 0;
+ }
+ }
+
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
+{
+ uint16_t group_id = ssl->handshake->offered_group_id;
+
+ if (group_id == 0) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
+ mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* Destroy generated private key. */
+ status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
+ return ret;
+ }
+
+ ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+ return 0;
+ } else
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+ if (0 /* other KEMs? */) {
+ /* Do something */
+ }
+
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+}
+
+/*
+ * Functions for writing key_share extension.
+ */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
+ uint16_t *group_id)
+{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
+ const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
+ /* Pick first available ECDHE group compatible with TLS 1.3 */
+ if (group_list == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+
+ for (; *group_list != 0; group_list++) {
+#if defined(PSA_WANT_ALG_ECDH)
+ if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
+ *group_list, NULL, NULL) == PSA_SUCCESS) &&
+ mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
+ *group_id = *group_list;
+ return 0;
+ }
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+ if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
+ *group_id = *group_list;
+ return 0;
+ }
+#endif
+ }
+#else
+ ((void) ssl);
+ ((void) group_id);
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
+
+ return ret;
+}
+
+/*
+ * ssl_tls13_write_key_share_ext
+ *
+ * Structure of key_share extension in ClientHello:
+ *
+ * struct {
+ * NamedGroup group;
+ * opaque key_exchange<1..2^16-1>;
+ * } KeyShareEntry;
+ * struct {
+ * KeyShareEntry client_shares<0..2^16-1>;
+ * } KeyShareClientHello;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ unsigned char *client_shares; /* Start of client_shares */
+ size_t client_shares_len; /* Length of client_shares */
+ uint16_t group_id;
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+ *out_len = 0;
+
+ /* Check if we have space for header and length fields:
+ * - extension_type (2 bytes)
+ * - extension_data_length (2 bytes)
+ * - client_shares_length (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+ p += 6;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));
+
+ /* HRR could already have requested something else. */
+ group_id = ssl->handshake->offered_group_id;
+ if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
+ !mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
+ &group_id));
+ }
+
+ /*
+ * Dispatch to type-specific key generation function.
+ *
+ * So far, we're only supporting ECDHE. With the introduction
+ * of PQC KEMs, we'll want to have multiple branches, one per
+ * type of KEM, and dispatch to the corresponding crypto. And
+ * only one key share entry is allowed.
+ */
+ client_shares = p;
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
+ mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
+ /* Pointer to group */
+ unsigned char *group = p;
+ /* Length of key_exchange */
+ size_t key_exchange_len = 0;
+
+ /* Check there is space for header of KeyShareEntry
+ * - group (2 bytes)
+ * - key_exchange_length (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+ p += 4;
+ ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
+ ssl, group_id, p, end, &key_exchange_len);
+ p += key_exchange_len;
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Write group */
+ MBEDTLS_PUT_UINT16_BE(group_id, group, 0);
+ /* Write key_exchange_length */
+ MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
+ } else
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
+ if (0 /* other KEMs? */) {
+ /* Do something */
+ } else {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* Length of client_shares */
+ client_shares_len = p - client_shares;
+ if (client_shares_len == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ /* Write extension_type */
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
+ /* Write extension_data_length */
+ MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);
+ /* Write client_shares_length */
+ MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);
+
+ /* Update offered_group_id field */
+ ssl->handshake->offered_group_id = group_id;
+
+ /* Output the total length of key_share extension. */
+ *out_len = p - buf;
+
+ MBEDTLS_SSL_DEBUG_BUF(
+ 3, "client hello, key_share extension", buf, *out_len);
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
+
+cleanup:
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+
+/*
+ * ssl_tls13_parse_hrr_key_share_ext()
+ * Parse key_share extension in Hello Retry Request
+ *
+ * struct {
+ * NamedGroup selected_group;
+ * } KeyShareHelloRetryRequest;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
+ const unsigned char *p = buf;
+ int selected_group;
+ int found = 0;
+
+ const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
+ if (group_list == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);
+
+ /* Read selected_group */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ selected_group = MBEDTLS_GET_UINT16_BE(p, 0);
+ MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));
+
+ /* Upon receipt of this extension in a HelloRetryRequest, the client
+ * MUST first verify that the selected_group field corresponds to a
+ * group which was provided in the "supported_groups" extension in the
+ * original ClientHello.
+ * The supported_group was based on the info in ssl->conf->group_list.
+ *
+ * If the server provided a key share that was not sent in the ClientHello
+ * then the client MUST abort the handshake with an "illegal_parameter" alert.
+ */
+ for (; *group_list != 0; group_list++) {
+#if defined(PSA_WANT_ALG_ECDH)
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
+ if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
+ *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
+ *group_list != selected_group) {
+ found = 1;
+ break;
+ }
+ }
+#endif /* PSA_WANT_ALG_ECDH */
+#if defined(PSA_WANT_ALG_FFDH)
+ if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
+ found = 1;
+ break;
+ }
+#endif /* PSA_WANT_ALG_FFDH */
+ }
+
+ /* Client MUST verify that the selected_group field does not
+ * correspond to a group which was provided in the "key_share"
+ * extension in the original ClientHello. If the server sent an
+ * HRR message with a key share already provided in the
+ * ClientHello then the client MUST abort the handshake with
+ * an "illegal_parameter" alert.
+ */
+ if (found == 0 || selected_group == ssl->handshake->offered_group_id) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ /* Remember server's preference for next ClientHello */
+ ssl->handshake->offered_group_id = selected_group;
+
+ return 0;
+#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
+ (void) ssl;
+ (void) buf;
+ (void) end;
+ return MBEDTLS_ERR_SSL_BAD_CONFIG;
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
+}
+
+/*
+ * ssl_tls13_parse_key_share_ext()
+ * Parse key_share extension in Server Hello
+ *
+ * struct {
+ * KeyShareEntry server_share;
+ * } KeyShareServerHello;
+ * struct {
+ * NamedGroup group;
+ * opaque key_exchange<1..2^16-1>;
+ * } KeyShareEntry;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ uint16_t group, offered_group;
+
+ /* ...
+ * NamedGroup group; (2 bytes)
+ * ...
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ group = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ /* Check that the chosen group matches the one we offered. */
+ offered_group = ssl->handshake->offered_group_id;
+ if (offered_group != group) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Invalid server key share, our group %u, their group %u",
+ (unsigned) offered_group, (unsigned) group));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
+ mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
+ ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
+ if (ret != 0) {
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+ if (0 /* other KEMs? */) {
+ /* Do something */
+ } else {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ return ret;
+}
+
+/*
+ * ssl_tls13_parse_cookie_ext()
+ * Parse cookie extension in Hello Retry Request
+ *
+ * struct {
+ * opaque cookie<1..2^16-1>;
+ * } Cookie;
+ *
+ * When sending a HelloRetryRequest, the server MAY provide a "cookie"
+ * extension to the client (this is an exception to the usual rule that
+ * the only extensions that may be sent are those that appear in the
+ * ClientHello). When sending the new ClientHello, the client MUST copy
+ * the contents of the extension received in the HelloRetryRequest into
+ * a "cookie" extension in the new ClientHello. Clients MUST NOT use
+ * cookies in their initial ClientHello in subsequent connections.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ uint16_t cookie_len;
+ const unsigned char *p = buf;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /* Retrieve length field of cookie */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);
+ MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);
+
+ mbedtls_free(handshake->cookie);
+ handshake->cookie_len = 0;
+ handshake->cookie = mbedtls_calloc(1, cookie_len);
+ if (handshake->cookie == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("alloc failed ( %ud bytes )",
+ cookie_len));
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ memcpy(handshake->cookie, p, cookie_len);
+ handshake->cookie_len = cookie_len;
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ *out_len = 0;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ if (handshake->cookie == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
+ handshake->cookie,
+ handshake->cookie_len);
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);
+ MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);
+ MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);
+ p += 6;
+
+ /* Cookie */
+ memcpy(p, handshake->cookie, handshake->cookie_len);
+
+ *out_len = handshake->cookie_len + 6;
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+/*
+ * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
+ *
+ * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
+ *
+ * struct {
+ * PskKeyExchangeMode ke_modes<1..255>;
+ * } PskKeyExchangeModes;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ int ke_modes_len = 0;
+
+ ((void) ke_modes_len);
+ *out_len = 0;
+
+ /* Skip writing extension if no PSK key exchange mode
+ * is enabled in the config.
+ */
+ if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
+ return 0;
+ }
+
+ /* Require 7 bytes of data, otherwise fail,
+ * even if extension might be shorter.
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("client hello, adding psk_key_exchange_modes extension"));
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);
+
+ /* Skip extension length (2 bytes) and
+ * ke_modes length (1 byte) for now.
+ */
+ p += 5;
+
+ if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
+ *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
+ ke_modes_len++;
+
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
+ }
+
+ if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
+ *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
+ ke_modes_len++;
+
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));
+ }
+
+ /* Now write the extension and ke_modes length */
+ MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);
+ buf[4] = ke_modes_len;
+
+ *out_len = p - buf;
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+ ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);
+
+ return 0;
+}
+
+static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
+
+ if (ciphersuite_info != NULL) {
+ return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
+ }
+
+ return PSA_ALG_NONE;
+}
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+ return ssl->handshake->resume &&
+ session != NULL && session->ticket != NULL &&
+ mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
+ ssl, mbedtls_ssl_tls13_session_get_ticket_flags(
+ session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+ return ssl->handshake->resume &&
+ session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+ mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&
+ mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);
+}
+#endif
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,
+ psa_algorithm_t *hash_alg,
+ const unsigned char **identity,
+ size_t *identity_len)
+{
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+
+ if (!ssl_tls13_has_configured_ticket(ssl)) {
+ return -1;
+ }
+
+ *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
+ *identity = session->ticket;
+ *identity_len = session->ticket_len;
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,
+ psa_algorithm_t *hash_alg,
+ const unsigned char **psk,
+ size_t *psk_len)
+{
+
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+
+ if (!ssl_tls13_has_configured_ticket(ssl)) {
+ return -1;
+ }
+
+ *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
+ *psk = session->resumption_key;
+ *psk_len = session->resumption_key_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,
+ psa_algorithm_t *hash_alg,
+ const unsigned char **identity,
+ size_t *identity_len)
+{
+
+ if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
+ return -1;
+ }
+
+ *hash_alg = PSA_ALG_SHA_256;
+ *identity = ssl->conf->psk_identity;
+ *identity_len = ssl->conf->psk_identity_len;
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,
+ psa_algorithm_t *hash_alg,
+ const unsigned char **psk,
+ size_t *psk_len)
+{
+
+ if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
+ return -1;
+ }
+
+ *hash_alg = PSA_ALG_SHA_256;
+ *psk = ssl->conf->psk;
+ *psk_len = ssl->conf->psk_len;
+ return 0;
+}
+
+static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)
+{
+ int configured_psk_count = 0;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if (ssl_tls13_has_configured_ticket(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));
+ configured_psk_count++;
+ }
+#endif
+ if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));
+ configured_psk_count++;
+ }
+ return configured_psk_count;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ const unsigned char *identity,
+ size_t identity_len,
+ uint32_t obfuscated_ticket_age,
+ size_t *out_len)
+{
+ ((void) ssl);
+ *out_len = 0;
+
+ /*
+ * - identity_len (2 bytes)
+ * - identity (psk_identity_len bytes)
+ * - obfuscated_ticket_age (4 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);
+
+ MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);
+ memcpy(buf + 2, identity, identity_len);
+ MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);
+
+ *out_len = 6 + identity_len;
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ int psk_type,
+ psa_algorithm_t hash_alg,
+ const unsigned char *psk,
+ size_t psk_len,
+ size_t *out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char binder_len;
+ unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t transcript_len = 0;
+
+ *out_len = 0;
+
+ binder_len = PSA_HASH_LENGTH(hash_alg);
+
+ /*
+ * - binder_len (1 bytes)
+ * - binder (binder_len bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);
+
+ buf[0] = binder_len;
+
+ /* Get current state of handshake transcript. */
+ ret = mbedtls_ssl_get_handshake_transcript(
+ ssl, mbedtls_md_type_from_psa_alg(hash_alg),
+ transcript, sizeof(transcript), &transcript_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,
+ psk, psk_len, psk_type,
+ transcript, buf + 1);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);
+ return ret;
+ }
+ MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);
+
+ *out_len = 1 + binder_len;
+
+ return 0;
+}
+
+/*
+ * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
+ *
+ * struct {
+ * opaque identity<1..2^16-1>;
+ * uint32 obfuscated_ticket_age;
+ * } PskIdentity;
+ *
+ * opaque PskBinderEntry<32..255>;
+ *
+ * struct {
+ * PskIdentity identities<7..2^16-1>;
+ * PskBinderEntry binders<33..2^16-1>;
+ * } OfferedPsks;
+ *
+ * struct {
+ * select (Handshake.msg_type) {
+ * case client_hello: OfferedPsks;
+ * ...
+ * };
+ * } PreSharedKeyExtension;
+ *
+ */
+int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
+ mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
+ size_t *out_len, size_t *binders_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int configured_psk_count = 0;
+ unsigned char *p = buf;
+ psa_algorithm_t hash_alg = PSA_ALG_NONE;
+ const unsigned char *identity;
+ size_t identity_len;
+ size_t l_binders_len = 0;
+ size_t output_len;
+
+ *out_len = 0;
+ *binders_len = 0;
+
+ /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
+ configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);
+ if (configured_psk_count == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));
+ return 0;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",
+ configured_psk_count));
+
+ /* Check if we have space to write the extension, binders included.
+ * - extension_type (2 bytes)
+ * - extension_data_len (2 bytes)
+ * - identities_len (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+ p += 6;
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if (ssl_tls13_ticket_get_identity(
+ ssl, &hash_alg, &identity, &identity_len) == 0) {
+#if defined(MBEDTLS_HAVE_TIME)
+ mbedtls_ms_time_t now = mbedtls_ms_time();
+ mbedtls_ssl_session *session = ssl->session_negotiate;
+ /* The ticket age has been checked to be smaller than the
+ * `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
+ * 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
+ * cast to `uint32_t` of the ticket age is safe. */
+ uint32_t obfuscated_ticket_age =
+ (uint32_t) (now - session->ticket_reception_time);
+ obfuscated_ticket_age += session->ticket_age_add;
+
+ ret = ssl_tls13_write_identity(ssl, p, end,
+ identity, identity_len,
+ obfuscated_ticket_age,
+ &output_len);
+#else
+ ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,
+ 0, &output_len);
+#endif /* MBEDTLS_HAVE_TIME */
+ if (ret != 0) {
+ return ret;
+ }
+
+ p += output_len;
+ l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
+ }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ if (ssl_tls13_psk_get_identity(
+ ssl, &hash_alg, &identity, &identity_len) == 0) {
+
+ ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,
+ &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ p += output_len;
+ l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("client hello, adding pre_shared_key extension, "
+ "omitting PSK binder list"));
+
+ /* Take into account the two bytes for the length of the binders. */
+ l_binders_len += 2;
+ /* Check if there is enough space for binders */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);
+
+ /*
+ * - extension_type (2 bytes)
+ * - extension_data_len (2 bytes)
+ * - identities_len (2 bytes)
+ */
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);
+ MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);
+ MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);
+
+ *out_len = (p - buf) + l_binders_len;
+ *binders_len = l_binders_len;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);
+
+ return 0;
+}
+
+int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
+ mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ psa_algorithm_t hash_alg = PSA_ALG_NONE;
+ const unsigned char *psk;
+ size_t psk_len;
+ size_t output_len;
+
+ /* Check if we have space to write binders_len.
+ * - binders_len (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ p += 2;
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
+
+ ret = ssl_tls13_write_binder(ssl, p, end,
+ MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
+ hash_alg, psk, psk_len,
+ &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
+
+ ret = ssl_tls13_write_binder(ssl, p, end,
+ MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
+ hash_alg, psk, psk_len,
+ &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));
+
+ /*
+ * - binders_len (2 bytes)
+ */
+ MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+ ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
+
+ return 0;
+}
+
+/*
+ * struct {
+ * opaque identity<1..2^16-1>;
+ * uint32 obfuscated_ticket_age;
+ * } PskIdentity;
+ *
+ * opaque PskBinderEntry<32..255>;
+ *
+ * struct {
+ *
+ * select (Handshake.msg_type) {
+ * ...
+ * case server_hello: uint16 selected_identity;
+ * };
+ *
+ * } PreSharedKeyExtension;
+ *
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int selected_identity;
+ const unsigned char *psk;
+ size_t psk_len;
+ psa_algorithm_t hash_alg;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
+ selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
+ ssl->handshake->selected_identity = (uint16_t) selected_identity;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
+
+ if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
+ ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
+ } else
+#endif
+ if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
+ ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)
+ != hash_alg) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Invalid ciphersuite for external psk."));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
+ return ret;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+
+int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ size_t ext_len;
+
+ *out_len = 0;
+
+ /* Write supported_versions extension
+ *
+ * Supported Versions Extension is mandatory with TLS 1.3.
+ */
+ ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += ext_len;
+
+ /* Echo the cookie if the server provided one in its preceding
+ * HelloRetryRequest message.
+ */
+ ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += ext_len;
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
+ ssl, p, end, &ext_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += ext_len;
+#endif
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+ if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
+ ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += ext_len;
+ }
+#endif
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ /* In the first ClientHello, write the early data indication extension if
+ * necessary and update the early data state.
+ * If an HRR has been received and thus we are currently writing the
+ * second ClientHello, the second ClientHello must not contain an early
+ * data extension and the early data state must stay as it is:
+ * MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT or
+ * MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED.
+ */
+ if (!ssl->handshake->hello_retry_request_flag) {
+ if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
+ ssl_tls13_early_data_has_valid_ticket(ssl) &&
+ ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
+ ret = mbedtls_ssl_tls13_write_early_data_ext(
+ ssl, 0, p, end, &ext_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += ext_len;
+
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT;
+ } else {
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT;
+ }
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ /* For PSK-based key exchange we need the pre_shared_key extension
+ * and the psk_key_exchange_modes extension.
+ *
+ * The pre_shared_key extension MUST be the last extension in the
+ * ClientHello. Servers MUST check that it is the last extension and
+ * otherwise fail the handshake with an "illegal_parameter" alert.
+ *
+ * Add the psk_key_exchange_modes extension.
+ */
+ ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += ext_len;
+#endif
+
+ *out_len = p - buf;
+
+ return 0;
+}
+
+int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
+{
+ ((void) ssl);
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_algorithm_t hash_alg = PSA_ALG_NONE;
+ const unsigned char *psk;
+ size_t psk_len;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+
+ if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Set hs psk for early data when writing the first psk"));
+
+ ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "ssl_tls13_ticket_get_psk", ret);
+ return ret;
+ }
+
+ ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
+ return ret;
+ }
+
+ /*
+ * Early data are going to be encrypted using the ciphersuite
+ * associated with the pre-shared key used for the handshake.
+ * Note that if the server rejects early data, the handshake
+ * based on the pre-shared key may complete successfully
+ * with a selected ciphersuite different from the ciphersuite
+ * associated with the pre-shared key. Only the hashes of the
+ * two ciphersuites have to be the same. In that case, the
+ * encrypted handshake data and application data are
+ * encrypted using a different ciphersuite than the one used for
+ * the rejected early data.
+ */
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
+ ssl->session_negotiate->ciphersuite);
+ ssl->handshake->ciphersuite_info = ciphersuite_info;
+
+ /* Enable psk and psk_ephemeral to make stage early happy */
+ ssl->handshake->key_exchange_mode =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
+
+ /* Start the TLS 1.3 key schedule:
+ * Set the PSK and derive early secret.
+ */
+ ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
+ return ret;
+ }
+
+ /* Derive early data key material */
+ ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
+#else
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to early data keys for outbound traffic"));
+ mbedtls_ssl_set_outbound_transform(
+ ssl, ssl->handshake->transform_earlydata);
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;
+#endif
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+ return 0;
+}
+/*
+ * Functions for parsing and processing Server Hello
+ */
+
+/**
+ * \brief Detect if the ServerHello contains a supported_versions extension
+ * or not.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] buf Buffer containing the ServerHello message
+ * \param[in] end End of the buffer containing the ServerHello message
+ *
+ * \return 0 if the ServerHello does not contain a supported_versions extension
+ * \return 1 if the ServerHello contains a supported_versions extension
+ * \return A negative value if an error occurred while parsing the ServerHello.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_is_supported_versions_ext_present(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ const unsigned char *p = buf;
+ size_t legacy_session_id_echo_len;
+ const unsigned char *supported_versions_data;
+ const unsigned char *supported_versions_data_end;
+
+ /*
+ * Check there is enough data to access the legacy_session_id_echo vector
+ * length:
+ * - legacy_version 2 bytes
+ * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
+ * - legacy_session_id_echo length 1 byte
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);
+ p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
+ legacy_session_id_echo_len = *p;
+
+ /*
+ * Jump to the extensions, jumping over:
+ * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
+ * - cipher_suite 2 bytes
+ * - legacy_compression_method 1 byte
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);
+ p += legacy_session_id_echo_len + 4;
+
+ return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
+ ssl, p, end,
+ &supported_versions_data, &supported_versions_data_end);
+}
+
+/* Returns a negative value on failure, and otherwise
+ * - 1 if the last eight bytes of the ServerHello random bytes indicate that
+ * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
+ * - 0 otherwise
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
+ static const unsigned char magic_downgrade_string[] =
+ { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
+ const unsigned char *last_eight_bytes_of_random;
+ unsigned char last_byte_of_random;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);
+ last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
+
+ if (memcmp(last_eight_bytes_of_random,
+ magic_downgrade_string,
+ sizeof(magic_downgrade_string)) == 0) {
+ last_byte_of_random = last_eight_bytes_of_random[7];
+ return last_byte_of_random == 0 ||
+ last_byte_of_random == 1;
+ }
+
+ return 0;
+}
+
+/* Returns a negative value on failure, and otherwise
+ * - SSL_SERVER_HELLO or
+ * - SSL_SERVER_HELLO_HRR
+ * to indicate which message is expected and to be parsed next.
+ */
+#define SSL_SERVER_HELLO 0
+#define SSL_SERVER_HELLO_HRR 1
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+
+ /* Check whether this message is a HelloRetryRequest ( HRR ) message.
+ *
+ * Server Hello and HRR are only distinguished by Random set to the
+ * special value of the SHA-256 of "HelloRetryRequest".
+ *
+ * struct {
+ * ProtocolVersion legacy_version = 0x0303;
+ * Random random;
+ * opaque legacy_session_id_echo<0..32>;
+ * CipherSuite cipher_suite;
+ * uint8 legacy_compression_method = 0;
+ * Extension extensions<6..2^16-1>;
+ * } ServerHello;
+ *
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(
+ buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
+
+ if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
+ sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
+ return SSL_SERVER_HELLO_HRR;
+ }
+
+ return SSL_SERVER_HELLO;
+}
+
+/*
+ * Returns a negative value on failure, and otherwise
+ * - SSL_SERVER_HELLO or
+ * - SSL_SERVER_HELLO_HRR or
+ * - SSL_SERVER_HELLO_TLS1_2
+ */
+#define SSL_SERVER_HELLO_TLS1_2 2
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(
+ ssl, buf, end));
+
+ if (ret == 0) {
+ MBEDTLS_SSL_PROC_CHK_NEG(
+ ssl_tls13_is_downgrade_negotiation(ssl, buf, end));
+
+ /* If the server is negotiating TLS 1.2 or below and:
+ * . we did not propose TLS 1.2 or
+ * . the server responded it is TLS 1.3 capable but negotiating a lower
+ * version of the protocol and thus we are under downgrade attack
+ * abort the handshake with an "illegal parameter" alert.
+ */
+ if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ /*
+ * Version 1.2 of the protocol has been negotiated, set the
+ * ssl->keep_current_message flag for the ServerHello to be kept and
+ * parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to
+ * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
+ * will dispatch to the TLS 1.2 state machine.
+ */
+ ssl->keep_current_message = 1;
+ ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
+ buf, (size_t) (end - buf)));
+
+ if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
+ ret = ssl_tls13_reset_key_share(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ return SSL_SERVER_HELLO_TLS1_2;
+ }
+
+ ssl->session_negotiate->tls_version = ssl->tls_version;
+ ssl->session_negotiate->endpoint = ssl->conf->endpoint;
+
+ handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+
+ ret = ssl_server_hello_is_hrr(ssl, buf, end);
+ switch (ret) {
+ case SSL_SERVER_HELLO:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));
+ break;
+ case SSL_SERVER_HELLO_HRR:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
+ /* If a client receives a second HelloRetryRequest in the same
+ * connection (i.e., where the ClientHello was itself in response
+ * to a HelloRetryRequest), it MUST abort the handshake with an
+ * "unexpected_message" alert.
+ */
+ if (handshake->hello_retry_request_flag) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
+ MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+ /*
+ * Clients must abort the handshake with an "illegal_parameter"
+ * alert if the HelloRetryRequest would not result in any change
+ * in the ClientHello.
+ * In a PSK only key exchange that what we expect.
+ */
+ if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("Unexpected HRR in pure PSK key exchange."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ handshake->hello_retry_request_flag = 1;
+
+ break;
+ }
+
+cleanup:
+
+ return ret;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,
+ const unsigned char **buf,
+ const unsigned char *end)
+{
+ const unsigned char *p = *buf;
+ size_t legacy_session_id_echo_len;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
+ legacy_session_id_echo_len = *p++;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);
+
+ /* legacy_session_id_echo */
+ if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
+ memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {
+ MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",
+ ssl->session_negotiate->id,
+ ssl->session_negotiate->id_len);
+ MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,
+ legacy_session_id_echo_len);
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ p += legacy_session_id_echo_len;
+ *buf = p;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,
+ ssl->session_negotiate->id_len);
+ return 0;
+}
+
+/* Parse ServerHello message and configure context
+ *
+ * struct {
+ * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
+ * Random random;
+ * opaque legacy_session_id_echo<0..32>;
+ * CipherSuite cipher_suite;
+ * uint8 legacy_compression_method = 0;
+ * Extension extensions<6..2^16-1>;
+ * } ServerHello;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end,
+ int is_hrr)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ size_t extensions_len;
+ const unsigned char *extensions_end;
+ uint16_t cipher_suite;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ int fatal_alert = 0;
+ uint32_t allowed_extensions_mask;
+ int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
+ MBEDTLS_SSL_HS_SERVER_HELLO;
+
+ /*
+ * Check there is space for minimal fields
+ *
+ * - legacy_version ( 2 bytes)
+ * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
+ * - legacy_session_id_echo ( 1 byte ), minimum size
+ * - cipher_suite ( 2 bytes)
+ * - legacy_compression_method ( 1 byte )
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);
+
+ /* ...
+ * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
+ * ...
+ * with ProtocolVersion defined as:
+ * uint16 ProtocolVersion;
+ */
+ if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
+ MBEDTLS_SSL_VERSION_TLS1_2) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
+ MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
+ ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ goto cleanup;
+ }
+ p += 2;
+
+ /* ...
+ * Random random;
+ * ...
+ * with Random defined as:
+ * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
+ */
+ if (!is_hrr) {
+ memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN);
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
+ p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
+ }
+ p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
+
+ /* ...
+ * opaque legacy_session_id_echo<0..32>;
+ * ...
+ */
+ if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+ goto cleanup;
+ }
+
+ /* ...
+ * CipherSuite cipher_suite;
+ * ...
+ * with CipherSuite defined as:
+ * uint8 CipherSuite[2];
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
+ /*
+ * Check whether this ciphersuite is valid and offered.
+ */
+ if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
+ ssl->tls_version,
+ ssl->tls_version) != 0) ||
+ !mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+ }
+ /*
+ * If we received an HRR before and that the proposed selected
+ * ciphersuite in this server hello is not the same as the one
+ * proposed in the HRR, we abort the handshake and send an
+ * "illegal_parameter" alert.
+ */
+ else if ((!is_hrr) && handshake->hello_retry_request_flag &&
+ (cipher_suite != ssl->session_negotiate->ciphersuite)) {
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+ }
+
+ if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",
+ cipher_suite));
+ goto cleanup;
+ }
+
+ /* Configure ciphersuites */
+ mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);
+
+ handshake->ciphersuite_info = ciphersuite_info;
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",
+ cipher_suite, ciphersuite_info->name));
+
+#if defined(MBEDTLS_HAVE_TIME)
+ ssl->session_negotiate->start = mbedtls_time(NULL);
+#endif /* MBEDTLS_HAVE_TIME */
+
+ /* ...
+ * uint8 legacy_compression_method = 0;
+ * ...
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
+ if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
+ goto cleanup;
+ }
+ p++;
+
+ /* ...
+ * Extension extensions<6..2^16-1>;
+ * ...
+ * struct {
+ * ExtensionType extension_type; (2 bytes)
+ * opaque extension_data<0..2^16-1>;
+ * } Extension;
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ /* Check extensions do not go beyond the buffer of data. */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
+ extensions_end = p + extensions_len;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);
+
+ handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+ allowed_extensions_mask = is_hrr ?
+ MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
+ MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
+
+ while (p < extensions_end) {
+ unsigned int extension_type;
+ size_t extension_data_len;
+ const unsigned char *extension_data_end;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
+ extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
+ extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
+ p += 4;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
+ extension_data_end = p + extension_data_len;
+
+ ret = mbedtls_ssl_tls13_check_received_extension(
+ ssl, hs_msg_type, extension_type, allowed_extensions_mask);
+ if (ret != 0) {
+ return ret;
+ }
+
+ switch (extension_type) {
+ case MBEDTLS_TLS_EXT_COOKIE:
+
+ ret = ssl_tls13_parse_cookie_ext(ssl,
+ p, extension_data_end);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "ssl_tls13_parse_cookie_ext",
+ ret);
+ goto cleanup;
+ }
+ break;
+
+ case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
+ ret = ssl_tls13_parse_supported_versions_ext(ssl,
+ p,
+ extension_data_end);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ break;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
+
+ if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(
+ ssl, p, extension_data_end)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);
+ return ret;
+ }
+ break;
+#endif
+
+ case MBEDTLS_TLS_EXT_KEY_SHARE:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
+ if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
+ fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
+ goto cleanup;
+ }
+
+ if (is_hrr) {
+ ret = ssl_tls13_parse_hrr_key_share_ext(ssl,
+ p, extension_data_end);
+ } else {
+ ret = ssl_tls13_parse_key_share_ext(ssl,
+ p, extension_data_end);
+ }
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "ssl_tls13_parse_key_share_ext",
+ ret);
+ goto cleanup;
+ }
+ break;
+
+ default:
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto cleanup;
+ }
+
+ p += extension_data_len;
+ }
+
+ MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);
+
+cleanup:
+
+ if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
+ MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
+ ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+ } else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+ return ret;
+}
+
+#if defined(MBEDTLS_DEBUG_C)
+static const char *ssl_tls13_get_kex_mode_str(int mode)
+{
+ switch (mode) {
+ case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
+ return "psk";
+ case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
+ return "ephemeral";
+ case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
+ return "psk_ephemeral";
+ default:
+ return "unknown mode";
+ }
+}
+#endif /* MBEDTLS_DEBUG_C */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /* Determine the key exchange mode:
+ * 1) If both the pre_shared_key and key_share extensions were received
+ * then the key exchange mode is PSK with EPHEMERAL.
+ * 2) If only the pre_shared_key extension was received then the key
+ * exchange mode is PSK-only.
+ * 3) If only the key_share extension was received then the key
+ * exchange mode is EPHEMERAL-only.
+ */
+ switch (handshake->received_extensions &
+ (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
+ MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
+ /* Only the pre_shared_key extension was received */
+ case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
+ handshake->key_exchange_mode =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+ break;
+
+ /* Only the key_share extension was received */
+ case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
+ handshake->key_exchange_mode =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
+ break;
+
+ /* Both the pre_shared_key and key_share extensions were received */
+ case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
+ MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
+ handshake->key_exchange_mode =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+ break;
+
+ /* Neither pre_shared_key nor key_share extension was received */
+ default:
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));
+ ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ goto cleanup;
+ }
+
+ if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
+ ssl, handshake->key_exchange_mode)) {
+ ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ MBEDTLS_SSL_DEBUG_MSG(
+ 2, ("Key exchange mode(%s) is not supported.",
+ ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
+ goto cleanup;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("Selected key exchange mode: %s",
+ ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
+
+ /* Start the TLS 1.3 key scheduling if not already done.
+ *
+ * If we proposed early data then we have already derived an
+ * early secret using the selected PSK and its associated hash.
+ * It means that if the negotiated key exchange mode is psk or
+ * psk_ephemeral, we have already correctly computed the
+ * early secret and thus we do not do it again. In all other
+ * cases we compute it here.
+ */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT ||
+ handshake->key_exchange_mode ==
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)
+#endif
+ {
+ ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
+ goto cleanup;
+ }
+ }
+
+ ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "mbedtls_ssl_tls13_compute_handshake_transform",
+ ret);
+ goto cleanup;
+ }
+
+ mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
+ ssl->session_in = ssl->session_negotiate;
+
+cleanup:
+ if (ret != 0) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ }
+
+ return ret;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_ssl_session_reset_msg_layer(ssl, 0);
+
+ /*
+ * We are going to re-generate a shared secret corresponding to the group
+ * selected by the server, which is different from the group for which we
+ * generated a shared secret in the first client hello.
+ * Thus, reset the shared secret.
+ */
+ ret = ssl_tls13_reset_key_share(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;
+ }
+#endif
+
+ return 0;
+}
+
+/*
+ * Wait and parse ServerHello handshake message.
+ * Handler for MBEDTLS_SSL_SERVER_HELLO
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf = NULL;
+ size_t buf_len = 0;
+ int is_hrr = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
+
+ ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
+ if (ret < 0) {
+ goto cleanup;
+ } else {
+ is_hrr = (ret == SSL_SERVER_HELLO_HRR);
+ }
+
+ if (ret == SSL_SERVER_HELLO_TLS1_2) {
+ ret = 0;
+ goto cleanup;
+ }
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,
+ buf + buf_len,
+ is_hrr));
+ if (is_hrr) {
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
+ }
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
+
+ if (is_hrr) {
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ /* If not offering early data, the client sends a dummy CCS record
+ * immediately before its second flight. This may either be before
+ * its second ClientHello or before its encrypted handshake flight.
+ */
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
+#else
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+ } else {
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
+ }
+
+cleanup:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,
+ is_hrr ? "HelloRetryRequest" : "ServerHello"));
+ return ret;
+}
+
+/*
+ *
+ * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
+ *
+ * The EncryptedExtensions message contains any extensions which
+ * should be protected, i.e., any which are not needed to establish
+ * the cryptographic context.
+ */
+
+/* Parse EncryptedExtensions message
+ * struct {
+ * Extension extensions<0..2^16-1>;
+ * } EncryptedExtensions;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ int ret = 0;
+ size_t extensions_len;
+ const unsigned char *p = buf;
+ const unsigned char *extensions_end;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
+ extensions_end = p + extensions_len;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);
+
+ handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+
+ while (p < extensions_end) {
+ unsigned int extension_type;
+ size_t extension_data_len;
+
+ /*
+ * struct {
+ * ExtensionType extension_type; (2 bytes)
+ * opaque extension_data<0..2^16-1>;
+ * } Extension;
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
+ extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
+ extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
+ p += 4;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
+
+ ret = mbedtls_ssl_tls13_check_received_extension(
+ ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
+ MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);
+ if (ret != 0) {
+ return ret;
+ }
+
+ switch (extension_type) {
+#if defined(MBEDTLS_SSL_ALPN)
+ case MBEDTLS_TLS_EXT_ALPN:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
+
+ if ((ret = ssl_tls13_parse_alpn_ext(
+ ssl, p, (size_t) extension_data_len)) != 0) {
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ case MBEDTLS_TLS_EXT_EARLY_DATA:
+
+ if (extension_data_len != 0) {
+ /* The message must be empty. */
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
+
+ ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
+ ssl, p, p + extension_data_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+ default:
+ MBEDTLS_SSL_PRINT_EXT(
+ 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+ extension_type, "( ignored )");
+ break;
+ }
+
+ p += extension_data_len;
+ }
+
+ if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
+ (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ (
+ "Record size limit extension cannot be used with max fragment length extension"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+ handshake->received_extensions);
+
+ /* Check that we consumed all the message. */
+ if (p != end) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ return ret;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
+{
+ int ret;
+ unsigned char *buf;
+ size_t buf_len;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+ &buf, &buf_len));
+
+ /* Process the message contents */
+ MBEDTLS_SSL_PROC_CHK(
+ ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
+ /* RFC8446 4.2.11
+ * If the server supplies an "early_data" extension, the
+ * client MUST verify that the server's selected_identity
+ * is 0. If any other value is returned, the client MUST
+ * abort the handshake with an "illegal_parameter" alert.
+ *
+ * RFC 8446 4.2.10
+ * In order to accept early data, the server MUST have accepted a PSK
+ * cipher suite and selected the first key offered in the client's
+ * "pre_shared_key" extension. In addition, it MUST verify that the
+ * following values are the same as those associated with the
+ * selected PSK:
+ * - The TLS version number
+ * - The selected cipher suite
+ * - The selected ALPN [RFC7301] protocol, if any
+ *
+ * The server has sent an early data extension in its Encrypted
+ * Extension message thus accepted to receive early data. We
+ * check here that the additional constraints on the handshake
+ * parameters, when early data are exchanged, are met,
+ * namely:
+ * - a PSK has been selected for the handshake
+ * - the selected PSK for the handshake was the first one proposed
+ * by the client.
+ * - the selected ciphersuite for the handshake is the ciphersuite
+ * associated with the selected PSK.
+ */
+ if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||
+ handshake->selected_identity != 0 ||
+ handshake->ciphersuite_info->id !=
+ ssl->session_negotiate->ciphersuite) {
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED;
+ } else if (ssl->early_data_state !=
+ MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;
+ }
+#endif
+
+ /*
+ * In case the client has proposed a PSK associated with a ticket,
+ * `ssl->session_negotiate->ciphersuite` still contains at this point the
+ * identifier of the ciphersuite associated with the ticket. This is that
+ * way because, if an exchange of early data is agreed upon, we need
+ * it to check that the ciphersuite selected for the handshake is the
+ * ticket ciphersuite (see above). This information is not needed
+ * anymore thus we can now set it to the identifier of the ciphersuite
+ * used in this session under negotiation.
+ */
+ ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+ buf, buf_len));
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+ } else {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
+ }
+#else
+ ((void) ssl);
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+#endif
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));
+ return ret;
+
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/*
+ * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
+ *
+ * RFC 8446 section 4.5
+ *
+ * struct {} EndOfEarlyData;
+ *
+ * If the server sent an "early_data" extension in EncryptedExtensions, the
+ * client MUST send an EndOfEarlyData message after receiving the server
+ * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf = NULL;
+ size_t buf_len;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
+ ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
+
+ MBEDTLS_SSL_PROC_CHK(
+ mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));
+ return ret;
+}
+
+int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl)
+{
+ if ((ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) ||
+ (!mbedtls_ssl_is_handshake_over(ssl))) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ switch (ssl->early_data_state) {
+ case MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT:
+ return MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED;
+ break;
+
+ case MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED:
+ return MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
+ break;
+
+ case MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED:
+ return MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
+ break;
+
+ default:
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+/*
+ * STATE HANDLING: CertificateRequest
+ *
+ */
+#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
+#define SSL_CERTIFICATE_REQUEST_SKIP 1
+/* Coordination:
+ * Deals with the ambiguity of not knowing if a CertificateRequest
+ * will be sent. Returns a negative code on failure, or
+ * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
+ * - SSL_CERTIFICATE_REQUEST_SKIP
+ * indicating if a Certificate Request is expected or not.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+ ssl->keep_current_message = 1;
+
+ if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&
+ (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));
+ return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));
+
+ return SSL_CERTIFICATE_REQUEST_SKIP;
+}
+
+/*
+ * ssl_tls13_parse_certificate_request()
+ * Parse certificate request
+ * struct {
+ * opaque certificate_request_context<0..2^8-1>;
+ * Extension extensions<2..2^16-1>;
+ * } CertificateRequest;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ size_t certificate_request_context_len = 0;
+ size_t extensions_len = 0;
+ const unsigned char *extensions_end;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /* ...
+ * opaque certificate_request_context<0..2^8-1>
+ * ...
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
+ certificate_request_context_len = (size_t) p[0];
+ p += 1;
+
+ if (certificate_request_context_len > 0) {
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);
+ MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",
+ p, certificate_request_context_len);
+
+ handshake->certificate_request_context =
+ mbedtls_calloc(1, certificate_request_context_len);
+ if (handshake->certificate_request_context == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ memcpy(handshake->certificate_request_context, p,
+ certificate_request_context_len);
+ p += certificate_request_context_len;
+ }
+
+ /* ...
+ * Extension extensions<2..2^16-1>;
+ * ...
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
+ extensions_end = p + extensions_len;
+
+ handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+
+ while (p < extensions_end) {
+ unsigned int extension_type;
+ size_t extension_data_len;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
+ extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
+ extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
+ p += 4;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
+
+ ret = mbedtls_ssl_tls13_check_received_extension(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
+ MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);
+ if (ret != 0) {
+ return ret;
+ }
+
+ switch (extension_type) {
+ case MBEDTLS_TLS_EXT_SIG_ALG:
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("found signature algorithms extension"));
+ ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,
+ p + extension_data_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ break;
+
+ default:
+ MBEDTLS_SSL_PRINT_EXT(
+ 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+ extension_type, "( ignored )");
+ break;
+ }
+
+ p += extension_data_len;
+ }
+
+ MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+ handshake->received_extensions);
+
+ /* Check that we consumed all the message. */
+ if (p != end) {
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("CertificateRequest misaligned"));
+ goto decode_error;
+ }
+
+ /* RFC 8446 section 4.3.2
+ *
+ * The "signature_algorithms" extension MUST be specified
+ */
+ if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("no signature algorithms extension found"));
+ goto decode_error;
+ }
+
+ ssl->handshake->client_auth = 1;
+ return 0;
+
+decode_error:
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
+
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
+
+ if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {
+ unsigned char *buf;
+ size_t buf_len;
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
+ ssl, buf, buf + buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+ buf, buf_len));
+ } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
+ ret = 0;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto cleanup;
+ }
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
+ return ret;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)
+{
+ int ret;
+
+ ret = mbedtls_ssl_tls13_process_certificate(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
+ return 0;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
+{
+ int ret;
+
+ ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+ return 0;
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+/*
+ * Handler for MBEDTLS_SSL_SERVER_FINISHED
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
+{
+ int ret;
+
+ ret = mbedtls_ssl_tls13_process_finished_message(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED) {
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED;
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
+ } else
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+ {
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
+#else
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+ }
+
+ return 0;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)
+{
+ int non_empty_certificate_msg = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(1,
+ ("Switch to handshake traffic keys for outbound traffic"));
+ mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ if (ssl->handshake->client_auth) {
+ int ret = mbedtls_ssl_tls13_write_certificate(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ if (mbedtls_ssl_own_cert(ssl) != NULL) {
+ non_empty_certificate_msg = 1;
+ }
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));
+ }
+#endif
+
+ if (non_empty_certificate_msg) {
+ mbedtls_ssl_handshake_set_state(ssl,
+ MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+/*
+ * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)
+{
+ int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
+
+ if (ret == 0) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+/*
+ * Handler for MBEDTLS_SSL_CLIENT_FINISHED
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
+{
+ int ret;
+
+ ret = mbedtls_ssl_tls13_write_finished_message(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
+ return ret;
+ }
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);
+ return 0;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)
+{
+ MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
+ return 0;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
+{
+
+ mbedtls_ssl_tls13_handshake_wrapup(ssl);
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/* From RFC 8446 section 4.2.10
+ *
+ * struct {
+ * select (Handshake.msg_type) {
+ * case new_session_ticket: uint32 max_early_data_size;
+ * ...
+ * };
+ * } EarlyDataIndication;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_new_session_ticket_early_data_ext(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ mbedtls_ssl_session *session = ssl->session;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
+
+ session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
+ mbedtls_ssl_tls13_session_set_ticket_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("received max_early_data_size: %u",
+ (unsigned int) session->max_early_data_size));
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ const unsigned char *p = buf;
+
+
+ handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+
+ while (p < end) {
+ unsigned int extension_type;
+ size_t extension_data_len;
+ int ret;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
+ extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
+ extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
+ p += 4;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);
+
+ ret = mbedtls_ssl_tls13_check_received_extension(
+ ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
+ MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);
+ if (ret != 0) {
+ return ret;
+ }
+
+ switch (extension_type) {
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ case MBEDTLS_TLS_EXT_EARLY_DATA:
+ ret = ssl_tls13_parse_new_session_ticket_early_data_ext(
+ ssl, p, p + extension_data_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "ssl_tls13_parse_new_session_ticket_early_data_ext",
+ ret);
+ }
+ break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+ default:
+ MBEDTLS_SSL_PRINT_EXT(
+ 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
+ extension_type, "( ignored )");
+ break;
+ }
+
+ p += extension_data_len;
+ }
+
+ MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
+ handshake->received_extensions);
+
+ return 0;
+}
+
+/*
+ * From RFC8446, page 74
+ *
+ * struct {
+ * uint32 ticket_lifetime;
+ * uint32 ticket_age_add;
+ * opaque ticket_nonce<0..255>;
+ * opaque ticket<1..2^16-1>;
+ * Extension extensions<0..2^16-2>;
+ * } NewSessionTicket;
+ *
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ unsigned char **ticket_nonce,
+ size_t *ticket_nonce_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ mbedtls_ssl_session *session = ssl->session;
+ size_t ticket_len;
+ unsigned char *ticket;
+ size_t extensions_len;
+
+ *ticket_nonce = NULL;
+ *ticket_nonce_len = 0;
+ /*
+ * ticket_lifetime 4 bytes
+ * ticket_age_add 4 bytes
+ * ticket_nonce_len 1 byte
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);
+
+ session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("ticket_lifetime: %u",
+ (unsigned int) session->ticket_lifetime));
+ if (session->ticket_lifetime >
+ MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("ticket_age_add: %u",
+ (unsigned int) session->ticket_age_add));
+
+ *ticket_nonce_len = p[8];
+ p += 9;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);
+ *ticket_nonce = p;
+ MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);
+ p += *ticket_nonce_len;
+
+ /* Ticket */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);
+ MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);
+
+ /* Check if we previously received a ticket already. */
+ if (session->ticket != NULL || session->ticket_len > 0) {
+ mbedtls_free(session->ticket);
+ session->ticket = NULL;
+ session->ticket_len = 0;
+ }
+
+ if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ memcpy(ticket, p, ticket_len);
+ p += ticket_len;
+ session->ticket = ticket;
+ session->ticket_len = ticket_len;
+
+ /* Clear all flags in ticket_flags */
+ mbedtls_ssl_tls13_session_clear_ticket_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);
+
+ ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "ssl_tls13_parse_new_session_ticket_exts",
+ ret);
+ return ret;
+ }
+
+ return 0;
+}
+
+/* Non negative return values for ssl_tls13_postprocess_new_session_ticket().
+ * - POSTPROCESS_NEW_SESSION_TICKET_SIGNAL, all good, we have to signal the
+ * application that a valid ticket has been received.
+ * - POSTPROCESS_NEW_SESSION_TICKET_DISCARD, no fatal error, we keep the
+ * connection alive but we do not signal the ticket to the application.
+ */
+#define POSTPROCESS_NEW_SESSION_TICKET_SIGNAL 0
+#define POSTPROCESS_NEW_SESSION_TICKET_DISCARD 1
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
+ unsigned char *ticket_nonce,
+ size_t ticket_nonce_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_session *session = ssl->session;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ psa_algorithm_t psa_hash_alg;
+ int hash_length;
+
+ if (session->ticket_lifetime == 0) {
+ return POSTPROCESS_NEW_SESSION_TICKET_DISCARD;
+ }
+
+#if defined(MBEDTLS_HAVE_TIME)
+ /* Store ticket creation time */
+ session->ticket_reception_time = mbedtls_ms_time();
+#endif
+
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
+ if (ciphersuite_info == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
+ hash_length = PSA_HASH_LENGTH(psa_hash_alg);
+ if (hash_length == -1 ||
+ (size_t) hash_length > sizeof(session->resumption_key)) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
+ session->app_secrets.resumption_master_secret,
+ hash_length);
+
+ /* Compute resumption key
+ *
+ * HKDF-Expand-Label( resumption_master_secret,
+ * "resumption", ticket_nonce, Hash.length )
+ */
+ ret = mbedtls_ssl_tls13_hkdf_expand_label(
+ psa_hash_alg,
+ session->app_secrets.resumption_master_secret,
+ hash_length,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
+ ticket_nonce,
+ ticket_nonce_len,
+ session->resumption_key,
+ hash_length);
+
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(2,
+ "Creating the ticket-resumed PSK failed",
+ ret);
+ return ret;
+ }
+
+ session->resumption_key_len = hash_length;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
+ session->resumption_key,
+ session->resumption_key_len);
+
+ /* Set ticket_flags depends on the selected key exchange modes */
+ mbedtls_ssl_tls13_session_set_ticket_flags(
+ session, ssl->conf->tls13_kex_modes);
+ MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
+
+ return POSTPROCESS_NEW_SESSION_TICKET_SIGNAL;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf;
+ size_t buf_len;
+ unsigned char *ticket_nonce;
+ size_t ticket_nonce_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
+ &buf, &buf_len));
+
+ /*
+ * We are about to update (maybe only partially) ticket data thus block
+ * any session export for the time being.
+ */
+ ssl->session->exported = 1;
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(
+ ssl, buf, buf + buf_len,
+ &ticket_nonce, &ticket_nonce_len));
+
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_postprocess_new_session_ticket(
+ ssl, ticket_nonce, ticket_nonce_len));
+
+ switch (ret) {
+ case POSTPROCESS_NEW_SESSION_TICKET_SIGNAL:
+ /*
+ * All good, we have received a new valid ticket, session data can
+ * be exported now and we signal the ticket to the application.
+ */
+ ssl->session->exported = 0;
+ ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
+ break;
+
+ case POSTPROCESS_NEW_SESSION_TICKET_DISCARD:
+ ret = 0;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Discard new session ticket"));
+ break;
+
+ default:
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
+ return ret;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+
+ switch (ssl->state) {
+ case MBEDTLS_SSL_HELLO_REQUEST:
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_HELLO:
+ ret = mbedtls_ssl_write_client_hello(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_HELLO:
+ ret = ssl_tls13_process_server_hello(ssl);
+ break;
+
+ case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
+ ret = ssl_tls13_process_encrypted_extensions(ssl);
+ break;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+ ret = ssl_tls13_process_certificate_request(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_CERTIFICATE:
+ ret = ssl_tls13_process_server_certificate(ssl);
+ break;
+
+ case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+ ret = ssl_tls13_process_certificate_verify(ssl);
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+ case MBEDTLS_SSL_SERVER_FINISHED:
+ ret = ssl_tls13_process_server_finished(ssl);
+ break;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ case MBEDTLS_SSL_END_OF_EARLY_DATA:
+ ret = ssl_tls13_write_end_of_early_data(ssl);
+ break;
+#endif
+
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+ ret = ssl_tls13_write_client_certificate(ssl);
+ break;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
+ ret = ssl_tls13_write_client_certificate_verify(ssl);
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+ case MBEDTLS_SSL_CLIENT_FINISHED:
+ ret = ssl_tls13_write_client_finished(ssl);
+ break;
+
+ case MBEDTLS_SSL_FLUSH_BUFFERS:
+ ret = ssl_tls13_flush_buffers(ssl);
+ break;
+
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+ ret = ssl_tls13_handshake_wrapup(ssl);
+ break;
+
+ /*
+ * Injection of dummy-CCS's for middlebox compatibility
+ */
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
+ if (ret != 0) {
+ break;
+ }
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
+ if (ret != 0) {
+ break;
+ }
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
+ break;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
+ if (ret == 0) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to early data keys for outbound traffic"));
+ mbedtls_ssl_set_outbound_transform(
+ ssl, ssl->handshake->transform_earlydata);
+ ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;
+ }
+ break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
+ ret = ssl_tls13_process_new_session_ticket(ssl);
+ break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ default:
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
new file mode 100644
index 0000000..d448a05
--- /dev/null
+++ b/library/ssl_tls13_generic.c
@@ -0,0 +1,1853 @@
+/*
+ * TLS 1.3 functionality shared between client and server
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#include <string.h>
+
+#include "mbedtls/error.h"
+#include "debug_internal.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/constant_time.h"
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+
+#include "ssl_misc.h"
+#include "ssl_tls13_invasive.h"
+#include "ssl_tls13_keys.h"
+#include "ssl_debug_helpers.h"
+
+#include "psa/crypto.h"
+#include "psa_util_internal.h"
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+#endif
+
+const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
+{ 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
+ 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
+ 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
+ 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
+
+int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ unsigned char **buf,
+ size_t *buf_len)
+{
+ int ret;
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ goto cleanup;
+ }
+
+ if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
+ ssl->in_msg[0] != hs_type) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Receive unexpected handshake message."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
+ MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ goto cleanup;
+ }
+
+ /*
+ * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
+ * ...
+ * HandshakeType msg_type;
+ * uint24 length;
+ * ...
+ */
+ *buf = ssl->in_msg + 4;
+ *buf_len = ssl->in_hslen - 4;
+
+cleanup:
+
+ return ret;
+}
+
+int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *buf, const unsigned char *end,
+ const unsigned char **supported_versions_data,
+ const unsigned char **supported_versions_data_end)
+{
+ const unsigned char *p = buf;
+ size_t extensions_len;
+ const unsigned char *extensions_end;
+
+ *supported_versions_data = NULL;
+ *supported_versions_data_end = NULL;
+
+ /* Case of no extension */
+ if (p == end) {
+ return 0;
+ }
+
+ /* ...
+ * Extension extensions<x..2^16-1>;
+ * ...
+ * struct {
+ * ExtensionType extension_type; (2 bytes)
+ * opaque extension_data<0..2^16-1>;
+ * } Extension;
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ /* Check extensions do not go beyond the buffer of data. */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
+ extensions_end = p + extensions_len;
+
+ while (p < extensions_end) {
+ unsigned int extension_type;
+ size_t extension_data_len;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
+ extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
+ extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
+ p += 4;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
+
+ if (extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS) {
+ *supported_versions_data = p;
+ *supported_versions_data_end = p + extension_data_len;
+ return 1;
+ }
+ p += extension_data_len;
+ }
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+/*
+ * STATE HANDLING: Read CertificateVerify
+ */
+/* Macro to express the maximum length of the verify structure.
+ *
+ * The structure is computed per TLS 1.3 specification as:
+ * - 64 bytes of octet 32,
+ * - 33 bytes for the context string
+ * (which is either "TLS 1.3, client CertificateVerify"
+ * or "TLS 1.3, server CertificateVerify"),
+ * - 1 byte for the octet 0x0, which serves as a separator,
+ * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
+ * (depending on the size of the transcript_hash)
+ *
+ * This results in a total size of
+ * - 130 bytes for a SHA256-based transcript hash, or
+ * (64 + 33 + 1 + 32 bytes)
+ * - 146 bytes for a SHA384-based transcript hash.
+ * (64 + 33 + 1 + 48 bytes)
+ *
+ */
+#define SSL_VERIFY_STRUCT_MAX_SIZE (64 + \
+ 33 + \
+ 1 + \
+ MBEDTLS_TLS1_3_MD_MAX_SIZE \
+ )
+
+/*
+ * The ssl_tls13_create_verify_structure() creates the verify structure.
+ * As input, it requires the transcript hash.
+ *
+ * The caller has to ensure that the buffer has size at least
+ * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
+ */
+static void ssl_tls13_create_verify_structure(const unsigned char *transcript_hash,
+ size_t transcript_hash_len,
+ unsigned char *verify_buffer,
+ size_t *verify_buffer_len,
+ int from)
+{
+ size_t idx;
+
+ /* RFC 8446, Section 4.4.3:
+ *
+ * The digital signature [in the CertificateVerify message] is then
+ * computed over the concatenation of:
+ * - A string that consists of octet 32 (0x20) repeated 64 times
+ * - The context string
+ * - A single 0 byte which serves as the separator
+ * - The content to be signed
+ */
+ memset(verify_buffer, 0x20, 64);
+ idx = 64;
+
+ if (from == MBEDTLS_SSL_IS_CLIENT) {
+ memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(client_cv));
+ idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv);
+ } else { /* from == MBEDTLS_SSL_IS_SERVER */
+ memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(server_cv));
+ idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv);
+ }
+
+ verify_buffer[idx++] = 0x0;
+
+ memcpy(verify_buffer + idx, transcript_hash, transcript_hash_len);
+ idx += transcript_hash_len;
+
+ *verify_buffer_len = idx;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end,
+ const unsigned char *verify_buffer,
+ size_t verify_buffer_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ uint16_t algorithm;
+ size_t signature_len;
+ mbedtls_pk_type_t sig_alg;
+ mbedtls_md_type_t md_alg;
+ psa_algorithm_t hash_alg = PSA_ALG_NONE;
+ unsigned char verify_hash[PSA_HASH_MAX_SIZE];
+ size_t verify_hash_len;
+
+ void const *options = NULL;
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ mbedtls_pk_rsassa_pss_options rsassa_pss_options;
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+ /*
+ * struct {
+ * SignatureScheme algorithm;
+ * opaque signature<0..2^16-1>;
+ * } CertificateVerify;
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ algorithm = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ /* RFC 8446 section 4.4.3
+ *
+ * If the CertificateVerify message is sent by a server, the signature
+ * algorithm MUST be one offered in the client's "signature_algorithms"
+ * extension unless no valid certificate chain can be produced without
+ * unsupported algorithms
+ *
+ * RFC 8446 section 4.4.2.2
+ *
+ * If the client cannot construct an acceptable chain using the provided
+ * certificates and decides to abort the handshake, then it MUST abort the
+ * handshake with an appropriate certificate-related alert
+ * (by default, "unsupported_certificate").
+ *
+ * Check if algorithm is an offered signature algorithm.
+ */
+ if (!mbedtls_ssl_sig_alg_is_offered(ssl, algorithm)) {
+ /* algorithm not in offered signature algorithms list */
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Received signature algorithm(%04x) is not "
+ "offered.",
+ (unsigned int) algorithm));
+ goto error;
+ }
+
+ if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
+ algorithm, &sig_alg, &md_alg) != 0) {
+ goto error;
+ }
+
+ hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
+ if (hash_alg == 0) {
+ goto error;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate Verify: Signature algorithm ( %04x )",
+ (unsigned int) algorithm));
+
+ /*
+ * Check the certificate's key type matches the signature alg
+ */
+ if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key"));
+ goto error;
+ }
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ signature_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, signature_len);
+
+ status = psa_hash_compute(hash_alg,
+ verify_buffer,
+ verify_buffer_len,
+ verify_hash,
+ sizeof(verify_hash),
+ &verify_hash_len);
+ if (status != PSA_SUCCESS) {
+ MBEDTLS_SSL_DEBUG_RET(1, "hash computation PSA error", status);
+ goto error;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ if (sig_alg == MBEDTLS_PK_RSASSA_PSS) {
+ rsassa_pss_options.mgf1_hash_id = md_alg;
+
+ rsassa_pss_options.expected_salt_len = PSA_HASH_LENGTH(hash_alg);
+ options = (const void *) &rsassa_pss_options;
+ }
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+ if ((ret = mbedtls_pk_verify_ext(sig_alg, options,
+ &ssl->session_negotiate->peer_cert->pk,
+ md_alg, verify_hash, verify_hash_len,
+ p, signature_len)) == 0) {
+ return 0;
+ }
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
+
+error:
+ /* RFC 8446 section 4.4.3
+ *
+ * If the verification fails, the receiver MUST terminate the handshake
+ * with a "decrypt_error" alert.
+ */
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
+{
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
+ size_t verify_buffer_len;
+ unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t transcript_len;
+ unsigned char *buf;
+ size_t buf_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
+
+ MBEDTLS_SSL_PROC_CHK(
+ mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len));
+
+ /* Need to calculate the hash of the transcript first
+ * before reading the message since otherwise it gets
+ * included in the transcript
+ */
+ ret = mbedtls_ssl_get_handshake_transcript(
+ ssl,
+ (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac,
+ transcript, sizeof(transcript),
+ &transcript_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
+ MBEDTLS_ERR_SSL_INTERNAL_ERROR);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", transcript, transcript_len);
+
+ /* Create verify structure */
+ ssl_tls13_create_verify_structure(transcript,
+ transcript_len,
+ verify_buffer,
+ &verify_buffer_len,
+ (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) ?
+ MBEDTLS_SSL_IS_SERVER :
+ MBEDTLS_SSL_IS_CLIENT);
+
+ /* Process the message contents */
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(
+ ssl, buf, buf + buf_len,
+ verify_buffer, verify_buffer_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
+ buf, buf_len));
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_process_certificate_verify", ret);
+ return ret;
+#else
+ ((void) ssl);
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+}
+
+/*
+ *
+ * STATE HANDLING: Incoming Certificate.
+ *
+ */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+/*
+ * Structure of Certificate message:
+ *
+ * enum {
+ * X509(0),
+ * RawPublicKey(2),
+ * (255)
+ * } CertificateType;
+ *
+ * struct {
+ * select (certificate_type) {
+ * case RawPublicKey:
+ * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
+ * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
+ * case X509:
+ * opaque cert_data<1..2^24-1>;
+ * };
+ * Extension extensions<0..2^16-1>;
+ * } CertificateEntry;
+ *
+ * struct {
+ * opaque certificate_request_context<0..2^8-1>;
+ * CertificateEntry certificate_list<0..2^24-1>;
+ * } Certificate;
+ *
+ */
+
+/* Parse certificate chain send by the server. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t certificate_request_context_len = 0;
+ size_t certificate_list_len = 0;
+ const unsigned char *p = buf;
+ const unsigned char *certificate_list_end;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
+ certificate_request_context_len = p[0];
+ certificate_list_len = MBEDTLS_GET_UINT24_BE(p, 1);
+ p += 4;
+
+ /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
+ * support anything beyond 2^16 = 64K.
+ */
+ if ((certificate_request_context_len != 0) ||
+ (certificate_list_len >= 0x10000)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* In case we tried to reuse a session but it failed */
+ if (ssl->session_negotiate->peer_cert != NULL) {
+ mbedtls_x509_crt_free(ssl->session_negotiate->peer_cert);
+ mbedtls_free(ssl->session_negotiate->peer_cert);
+ }
+
+ if (certificate_list_len == 0) {
+ ssl->session_negotiate->peer_cert = NULL;
+ ret = 0;
+ goto exit;
+ }
+
+ if ((ssl->session_negotiate->peer_cert =
+ mbedtls_calloc(1, sizeof(mbedtls_x509_crt))) == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
+ sizeof(mbedtls_x509_crt)));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
+ MBEDTLS_ERR_SSL_ALLOC_FAILED);
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ mbedtls_x509_crt_init(ssl->session_negotiate->peer_cert);
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_list_len);
+ certificate_list_end = p + certificate_list_len;
+ while (p < certificate_list_end) {
+ size_t cert_data_len, extensions_len;
+ const unsigned char *extensions_end;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 3);
+ cert_data_len = MBEDTLS_GET_UINT24_BE(p, 0);
+ p += 3;
+
+ /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
+ * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
+ * check that we have a minimum of 128 bytes of data, this is not
+ * clear why we need that though.
+ */
+ if ((cert_data_len < 128) || (cert_data_len >= 0x10000)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, cert_data_len);
+ ret = mbedtls_x509_crt_parse_der(ssl->session_negotiate->peer_cert,
+ p, cert_data_len);
+
+ switch (ret) {
+ case 0: /*ok*/
+ break;
+ case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
+ /* Ignore certificate with an unknown algorithm: maybe a
+ prior certificate was already trusted. */
+ break;
+
+ case MBEDTLS_ERR_X509_ALLOC_FAILED:
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
+ MBEDTLS_ERR_X509_ALLOC_FAILED);
+ MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
+ return ret;
+
+ case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
+ MBEDTLS_ERR_X509_UNKNOWN_VERSION);
+ MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
+ return ret;
+
+ default:
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
+ ret);
+ MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
+ return ret;
+ }
+
+ p += cert_data_len;
+
+ /* Certificate extensions length */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, 2);
+ extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, certificate_list_end, extensions_len);
+
+ extensions_end = p + extensions_len;
+ handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+
+ while (p < extensions_end) {
+ unsigned int extension_type;
+ size_t extension_data_len;
+
+ /*
+ * struct {
+ * ExtensionType extension_type; (2 bytes)
+ * opaque extension_data<0..2^16-1>;
+ * } Extension;
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
+ extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
+ extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
+ p += 4;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
+
+ ret = mbedtls_ssl_tls13_check_received_extension(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
+ MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT);
+ if (ret != 0) {
+ return ret;
+ }
+
+ switch (extension_type) {
+ default:
+ MBEDTLS_SSL_PRINT_EXT(
+ 3, MBEDTLS_SSL_HS_CERTIFICATE,
+ extension_type, "( ignored )");
+ break;
+ }
+
+ p += extension_data_len;
+ }
+
+ MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE,
+ handshake->received_extensions);
+ }
+
+exit:
+ /* Check that all the message is consumed. */
+ if (p != end) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad Certificate message"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate",
+ ssl->session_negotiate->peer_cert);
+
+ return ret;
+}
+#else
+MBEDTLS_CHECK_RETURN_CRITICAL
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ ((void) ssl);
+ ((void) buf);
+ ((void) end);
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+}
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+/* Validate certificate chain sent by the server. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+ int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+ mbedtls_x509_crt *ca_chain;
+ mbedtls_x509_crl *ca_crl;
+ const char *ext_oid;
+ size_t ext_len;
+ uint32_t verify_result = 0;
+
+ /* If SNI was used, overwrite authentication mode
+ * from the configuration. */
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
+ authmode = ssl->handshake->sni_authmode;
+ } else
+#endif
+ authmode = ssl->conf->authmode;
+ }
+#endif
+
+ /*
+ * If the peer hasn't sent a certificate ( i.e. it sent
+ * an empty certificate chain ), this is reflected in the peer CRT
+ * structure being unset.
+ * Check for that and handle it depending on the
+ * authentication mode.
+ */
+ if (ssl->session_negotiate->peer_cert == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
+ /* The client was asked for a certificate but didn't send
+ * one. The client should know what's going on, so we
+ * don't send an alert.
+ */
+ ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
+ if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
+ return 0;
+ } else {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_NO_CERT,
+ MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE);
+ return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
+ }
+ }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
+ MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE);
+ return MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE;
+ }
+#endif /* MBEDTLS_SSL_CLI_C */
+ }
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->sni_ca_chain != NULL) {
+ ca_chain = ssl->handshake->sni_ca_chain;
+ ca_crl = ssl->handshake->sni_ca_crl;
+ } else
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+ {
+ ca_chain = ssl->conf->ca_chain;
+ ca_crl = ssl->conf->ca_crl;
+ }
+
+ /*
+ * Main check: verify certificate
+ */
+ ret = mbedtls_x509_crt_verify_with_profile(
+ ssl->session_negotiate->peer_cert,
+ ca_chain, ca_crl,
+ ssl->conf->cert_profile,
+ ssl->hostname,
+ &verify_result,
+ ssl->conf->f_vrfy, ssl->conf->p_vrfy);
+
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
+ }
+
+ /*
+ * Secondary checks: always done, but change 'ret' only if it was 0
+ */
+ if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ ext_oid = MBEDTLS_OID_SERVER_AUTH;
+ ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
+ } else {
+ ext_oid = MBEDTLS_OID_CLIENT_AUTH;
+ ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
+ }
+
+ if ((mbedtls_x509_crt_check_key_usage(
+ ssl->session_negotiate->peer_cert,
+ MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0) ||
+ (mbedtls_x509_crt_check_extended_key_usage(
+ ssl->session_negotiate->peer_cert,
+ ext_oid, ext_len) != 0)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
+ if (ret == 0) {
+ ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
+ }
+ }
+
+ /* mbedtls_x509_crt_verify_with_profile is supposed to report a
+ * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
+ * with details encoded in the verification flags. All other kinds
+ * of error codes, including those from the user provided f_vrfy
+ * functions, are treated as fatal and lead to a failure of
+ * mbedtls_ssl_tls13_parse_certificate even if verification was optional.
+ */
+ if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
+ (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+ ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
+ ret = 0;
+ }
+
+ if (ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
+ ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
+ }
+
+ if (ret != 0) {
+ /* The certificate may have been rejected for several reasons.
+ Pick one and send the corresponding alert. Which alert to send
+ may be a subject of debate in some cases. */
+ if (verify_result & MBEDTLS_X509_BADCERT_OTHER) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret);
+ } else if (verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret);
+ } else if (verify_result & (MBEDTLS_X509_BADCERT_KEY_USAGE |
+ MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
+ MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
+ MBEDTLS_X509_BADCERT_BAD_PK |
+ MBEDTLS_X509_BADCERT_BAD_KEY)) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret);
+ } else if (verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret);
+ } else if (verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret);
+ } else if (verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret);
+ } else {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret);
+ }
+ }
+
+#if defined(MBEDTLS_DEBUG_C)
+ if (verify_result != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
+ (unsigned int) verify_result));
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
+ }
+#endif /* MBEDTLS_DEBUG_C */
+
+ ssl->session_negotiate->verify_result = verify_result;
+ return ret;
+}
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
+{
+ ((void) ssl);
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+}
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ unsigned char *buf;
+ size_t buf_len;
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE,
+ &buf, &buf_len));
+
+ /* Parse the certificate chain sent by the peer. */
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_parse_certificate(ssl, buf,
+ buf + buf_len));
+ /* Validate the certificate chain and set the verification results. */
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len));
+
+cleanup:
+#else /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+ (void) ssl;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
+ return ret;
+}
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+/*
+ * enum {
+ * X509(0),
+ * RawPublicKey(2),
+ * (255)
+ * } CertificateType;
+ *
+ * struct {
+ * select (certificate_type) {
+ * case RawPublicKey:
+ * // From RFC 7250 ASN.1_subjectPublicKeyInfo
+ * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
+ *
+ * case X509:
+ * opaque cert_data<1..2^24-1>;
+ * };
+ * Extension extensions<0..2^16-1>;
+ * } CertificateEntry;
+ *
+ * struct {
+ * opaque certificate_request_context<0..2^8-1>;
+ * CertificateEntry certificate_list<0..2^24-1>;
+ * } Certificate;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_certificate_body(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert(ssl);
+ unsigned char *p = buf;
+ unsigned char *certificate_request_context =
+ ssl->handshake->certificate_request_context;
+ unsigned char certificate_request_context_len =
+ ssl->handshake->certificate_request_context_len;
+ unsigned char *p_certificate_list_len;
+
+
+ /* ...
+ * opaque certificate_request_context<0..2^8-1>;
+ * ...
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, certificate_request_context_len + 1);
+ *p++ = certificate_request_context_len;
+ if (certificate_request_context_len > 0) {
+ memcpy(p, certificate_request_context, certificate_request_context_len);
+ p += certificate_request_context_len;
+ }
+
+ /* ...
+ * CertificateEntry certificate_list<0..2^24-1>;
+ * ...
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
+ p_certificate_list_len = p;
+ p += 3;
+
+ MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", crt);
+
+ while (crt != NULL) {
+ size_t cert_data_len = crt->raw.len;
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, cert_data_len + 3 + 2);
+ MBEDTLS_PUT_UINT24_BE(cert_data_len, p, 0);
+ p += 3;
+
+ memcpy(p, crt->raw.p, cert_data_len);
+ p += cert_data_len;
+ crt = crt->next;
+
+ /* Currently, we don't have any certificate extensions defined.
+ * Hence, we are sending an empty extension with length zero.
+ */
+ MBEDTLS_PUT_UINT16_BE(0, p, 0);
+ p += 2;
+ }
+
+ MBEDTLS_PUT_UINT24_BE(p - p_certificate_list_len - 3,
+ p_certificate_list_len, 0);
+
+ *out_len = p - buf;
+
+ MBEDTLS_SSL_PRINT_EXTS(
+ 3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->sent_extensions);
+
+ return 0;
+}
+
+int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl)
+{
+ int ret;
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl,
+ buf,
+ buf + buf_len,
+ &msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
+ ssl, buf_len, msg_len));
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
+ return ret;
+}
+
+/*
+ * STATE HANDLING: Output Certificate Verify
+ */
+int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
+ mbedtls_pk_context *key)
+{
+ mbedtls_pk_type_t pk_type = (mbedtls_pk_type_t) mbedtls_ssl_sig_from_pk(key);
+ size_t key_size = mbedtls_pk_get_bitlen(key);
+
+ switch (pk_type) {
+ case MBEDTLS_SSL_SIG_ECDSA:
+ switch (key_size) {
+ case 256:
+ return
+ sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
+
+ case 384:
+ return
+ sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
+
+ case 521:
+ return
+ sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
+ default:
+ break;
+ }
+ break;
+
+ case MBEDTLS_SSL_SIG_RSA:
+ switch (sig_alg) {
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ return 1;
+
+ default:
+ break;
+ }
+ break;
+
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ mbedtls_pk_context *own_key;
+
+ unsigned char handshake_hash[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t handshake_hash_len;
+ unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
+ size_t verify_buffer_len;
+
+ uint16_t *sig_alg = ssl->handshake->received_sig_algs;
+ size_t signature_len = 0;
+
+ *out_len = 0;
+
+ own_key = mbedtls_ssl_own_key(ssl);
+ if (own_key == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ ret = mbedtls_ssl_get_handshake_transcript(
+ ssl, (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac,
+ handshake_hash, sizeof(handshake_hash), &handshake_hash_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash",
+ handshake_hash,
+ handshake_hash_len);
+
+ ssl_tls13_create_verify_structure(handshake_hash, handshake_hash_len,
+ verify_buffer, &verify_buffer_len,
+ ssl->conf->endpoint);
+
+ /*
+ * struct {
+ * SignatureScheme algorithm;
+ * opaque signature<0..2^16-1>;
+ * } CertificateVerify;
+ */
+ /* Check there is space for the algorithm identifier (2 bytes) and the
+ * signature length (2 bytes).
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
+
+ for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
+ mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+ psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
+ unsigned char verify_hash[PSA_HASH_MAX_SIZE];
+ size_t verify_hash_len;
+
+ if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
+ continue;
+ }
+
+ if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
+ continue;
+ }
+
+ if (!mbedtls_ssl_tls13_check_sig_alg_cert_key_match(*sig_alg, own_key)) {
+ continue;
+ }
+
+ if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
+ *sig_alg, &pk_type, &md_alg) != 0) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* Hash verify buffer with indicated hash function */
+ psa_algorithm = mbedtls_md_psa_alg_from_type(md_alg);
+ status = psa_hash_compute(psa_algorithm,
+ verify_buffer,
+ verify_buffer_len,
+ verify_hash, sizeof(verify_hash),
+ &verify_hash_len);
+ if (status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
+
+ if ((ret = mbedtls_pk_sign_ext(pk_type, own_key,
+ md_alg, verify_hash, verify_hash_len,
+ p + 4, (size_t) (end - (p + 4)), &signature_len,
+ ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s",
+ mbedtls_ssl_sig_alg_to_str(*sig_alg)));
+ MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_pk_sign_ext", ret);
+
+ /* The signature failed. This is possible if the private key
+ * was not suitable for the signature operation as purposely we
+ * did not check its suitability completely. Let's try with
+ * another signature algorithm.
+ */
+ continue;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature with %s",
+ mbedtls_ssl_sig_alg_to_str(*sig_alg)));
+
+ break;
+ }
+
+ if (*sig_alg == MBEDTLS_TLS1_3_SIG_NONE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no suitable signature algorithm"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
+ MBEDTLS_PUT_UINT16_BE(signature_len, p, 2);
+
+ *out_len = 4 + signature_len;
+
+ return 0;
+}
+
+int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
+{
+ int ret = 0;
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body(
+ ssl, buf, buf + buf_len, &msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
+ buf, msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
+ ssl, buf_len, msg_len));
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
+ return ret;
+}
+
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+/*
+ *
+ * STATE HANDLING: Incoming Finished message.
+ */
+/*
+ * Implementation
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_preprocess_finished_message(mbedtls_ssl_context *ssl)
+{
+ int ret;
+
+ ret = mbedtls_ssl_tls13_calculate_verify_data(
+ ssl,
+ ssl->handshake->state_local.finished_in.digest,
+ sizeof(ssl->handshake->state_local.finished_in.digest),
+ &ssl->handshake->state_local.finished_in.digest_len,
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
+ MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret);
+ return ret;
+ }
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_finished_message(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ /*
+ * struct {
+ * opaque verify_data[Hash.length];
+ * } Finished;
+ */
+ const unsigned char *expected_verify_data =
+ ssl->handshake->state_local.finished_in.digest;
+ size_t expected_verify_data_len =
+ ssl->handshake->state_local.finished_in.digest_len;
+ /* Structural validation */
+ if ((size_t) (end - buf) != expected_verify_data_len) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (self-computed):",
+ expected_verify_data,
+ expected_verify_data_len);
+ MBEDTLS_SSL_DEBUG_BUF(4, "verify_data (received message):", buf,
+ expected_verify_data_len);
+
+ /* Semantic validation */
+ if (mbedtls_ct_memcmp(buf,
+ expected_verify_data,
+ expected_verify_data_len) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+ return 0;
+}
+
+int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf;
+ size_t buf_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message"));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
+
+ /* Preprocessing step: Compute handshake digest */
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(
+ ssl, buf, buf + buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len));
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished message"));
+ return ret;
+}
+
+/*
+ *
+ * STATE HANDLING: Write and send Finished message.
+ *
+ */
+/*
+ * Implement
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_prepare_finished_message(mbedtls_ssl_context *ssl)
+{
+ int ret;
+
+ /* Compute transcript of handshake up to now. */
+ ret = mbedtls_ssl_tls13_calculate_verify_data(ssl,
+ ssl->handshake->state_local.finished_out.digest,
+ sizeof(ssl->handshake->state_local.finished_out.
+ digest),
+ &ssl->handshake->state_local.finished_out.digest_len,
+ ssl->conf->endpoint);
+
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "calculate_verify_data failed", ret);
+ return ret;
+ }
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_finished_message_body(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
+ /*
+ * struct {
+ * opaque verify_data[Hash.length];
+ * } Finished;
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(buf, end, verify_data_len);
+
+ memcpy(buf, ssl->handshake->state_local.finished_out.digest,
+ verify_data_len);
+
+ *out_len = verify_data_len;
+ return 0;
+}
+
+/* Main entry point: orchestrates the other functions */
+int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished message"));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_finished_message(ssl));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
+ MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body(
+ ssl, buf, buf + buf_len, &msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_FINISHED, buf, msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
+ ssl, buf_len, msg_len));
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished message"));
+ return ret;
+}
+
+void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
+{
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for inbound traffic"));
+ mbedtls_ssl_set_inbound_transform(ssl, ssl->transform_application);
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to application keys for outbound traffic"));
+ mbedtls_ssl_set_outbound_transform(ssl, ssl->transform_application);
+
+ /*
+ * Free the previous session and switch to the current one.
+ */
+ if (ssl->session) {
+ mbedtls_ssl_session_free(ssl->session);
+ mbedtls_free(ssl->session);
+ }
+ ssl->session = ssl->session_negotiate;
+ ssl->session_negotiate = NULL;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
+}
+
+/*
+ *
+ * STATE HANDLING: Write ChangeCipherSpec
+ *
+ */
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_change_cipher_spec_body(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *olen)
+{
+ ((void) ssl);
+
+ MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1);
+ buf[0] = 1;
+ *olen = 1;
+
+ return 0;
+}
+
+int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
+
+ /* Only one CCS to send. */
+ if (ssl->handshake->ccs_sent) {
+ ret = 0;
+ goto cleanup;
+ }
+
+ /* Write CCS message */
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_change_cipher_spec_body(
+ ssl, ssl->out_msg,
+ ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
+ &ssl->out_msglen));
+
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+
+ /* Dispatch message */
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0));
+
+ ssl->handshake->ccs_sent = 1;
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
+ return ret;
+}
+
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+/* Early Data Indication Extension
+ *
+ * struct {
+ * select ( Handshake.msg_type ) {
+ * case new_session_ticket: uint32 max_early_data_size;
+ * case client_hello: Empty;
+ * case encrypted_extensions: Empty;
+ * };
+ * } EarlyDataIndication;
+ */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
+ int in_new_session_ticket,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ const size_t needed = in_new_session_ticket ? 8 : 4;
+#else
+ const size_t needed = 4;
+ ((void) in_new_session_ticket);
+#endif
+
+ *out_len = 0;
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, needed);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EARLY_DATA, p, 0);
+ MBEDTLS_PUT_UINT16_BE(needed - 4, p, 2);
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (in_new_session_ticket) {
+ MBEDTLS_PUT_UINT32_BE(ssl->conf->max_early_data_size, p, 4);
+ MBEDTLS_SSL_DEBUG_MSG(
+ 4, ("Sent max_early_data_size=%u",
+ (unsigned int) ssl->conf->max_early_data_size));
+ }
+#endif
+
+ *out_len = needed;
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_EARLY_DATA);
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
+ size_t early_data_len)
+{
+ /*
+ * This function should be called only while an handshake is in progress
+ * and thus a session under negotiation. Add a sanity check to detect a
+ * misuse.
+ */
+ if (ssl->session_negotiate == NULL) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* RFC 8446 section 4.6.1
+ *
+ * A server receiving more than max_early_data_size bytes of 0-RTT data
+ * SHOULD terminate the connection with an "unexpected_message" alert.
+ * Note that if it is still possible to send early_data_len bytes of early
+ * data, it means that early_data_len is smaller than max_early_data_size
+ * (type uint32_t) and can fit in an uint32_t. We use this further
+ * down.
+ */
+ if (early_data_len >
+ (ssl->session_negotiate->max_early_data_size -
+ ssl->total_early_data_size)) {
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 2, ("EarlyData: Too much early data received, %u + %" MBEDTLS_PRINTF_SIZET " > %u",
+ ssl->total_early_data_size, early_data_len,
+ ssl->session_negotiate->max_early_data_size));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
+ MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ /*
+ * early_data_len has been checked to be less than max_early_data_size
+ * that is uint32_t. Its cast to an uint32_t below is thus safe. We need
+ * the cast to appease some compilers.
+ */
+ ssl->total_early_data_size += (uint32_t) early_data_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+/* Reset SSL context and update hash for handling HRR.
+ *
+ * Replace Transcript-Hash(X) by
+ * Transcript-Hash( message_hash ||
+ * 00 00 Hash.length ||
+ * X )
+ * A few states of the handshake are preserved, including:
+ * - session ID
+ * - session ticket
+ * - negotiated ciphersuite
+ */
+int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4];
+ size_t hash_len;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Reset SSL session for HRR"));
+
+ ret = mbedtls_ssl_get_handshake_transcript(ssl, (mbedtls_md_type_t) ciphersuite_info->mac,
+ hash_transcript + 4,
+ PSA_HASH_MAX_SIZE,
+ &hash_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret);
+ return ret;
+ }
+
+ hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
+ hash_transcript[1] = 0;
+ hash_transcript[2] = 0;
+ hash_transcript[3] = (unsigned char) hash_len;
+
+ hash_len += 4;
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "Truncated handshake transcript",
+ hash_transcript, hash_len);
+
+ /* Reset running hash and replace it with a hash of the transcript */
+ ret = mbedtls_ssl_reset_checksum(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
+ return ret;
+ }
+ ret = ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
+ }
+
+ return ret;
+}
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+
+int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t buf_len)
+{
+ uint8_t *p = (uint8_t *) buf;
+ const uint8_t *end = buf + buf_len;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ /* Check if key size is consistent with given buffer length. */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len);
+
+ /* Store peer's ECDH/FFDH public key. */
+ if (peerkey_len > sizeof(handshake->xxdh_psa_peerkey)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %u > %" MBEDTLS_PRINTF_SIZET,
+ (unsigned) peerkey_len,
+ sizeof(handshake->xxdh_psa_peerkey)));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+ memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len);
+ handshake->xxdh_psa_peerkey_len = peerkey_len;
+
+ return 0;
+}
+
+#if defined(PSA_WANT_ALG_FFDH)
+static psa_status_t mbedtls_ssl_get_psa_ffdh_info_from_tls_id(
+ uint16_t tls_id, size_t *bits, psa_key_type_t *key_type)
+{
+ switch (tls_id) {
+#if defined(PSA_WANT_DH_RFC7919_2048)
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:
+ *bits = 2048;
+ *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+ return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_2048 */
+#if defined(PSA_WANT_DH_RFC7919_3072)
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:
+ *bits = 3072;
+ *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+ return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_3072 */
+#if defined(PSA_WANT_DH_RFC7919_4096)
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:
+ *bits = 4096;
+ *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+ return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_4096 */
+#if defined(PSA_WANT_DH_RFC7919_6144)
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:
+ *bits = 6144;
+ *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+ return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_6144 */
+#if defined(PSA_WANT_DH_RFC7919_8192)
+ case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:
+ *bits = 8192;
+ *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+ return PSA_SUCCESS;
+#endif /* PSA_WANT_DH_RFC7919_8192 */
+ default:
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+}
+#endif /* PSA_WANT_ALG_FFDH */
+
+int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
+ mbedtls_ssl_context *ssl,
+ uint16_t named_group,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ psa_key_attributes_t key_attributes;
+ size_t own_pubkey_len;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ size_t bits = 0;
+ psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
+ psa_algorithm_t alg = PSA_ALG_NONE;
+ size_t buf_size = (size_t) (end - buf);
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH/FFDH computation."));
+
+ /* Convert EC's TLS ID to PSA key type. */
+#if defined(PSA_WANT_ALG_ECDH)
+ if (mbedtls_ssl_get_psa_curve_info_from_tls_id(
+ named_group, &key_type, &bits) == PSA_SUCCESS) {
+ alg = PSA_ALG_ECDH;
+ }
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+ if (mbedtls_ssl_get_psa_ffdh_info_from_tls_id(named_group, &bits,
+ &key_type) == PSA_SUCCESS) {
+ alg = PSA_ALG_FFDH;
+ }
+#endif
+
+ if (key_type == PSA_KEY_TYPE_NONE) {
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ if (buf_size < PSA_BITS_TO_BYTES(bits)) {
+ return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ }
+
+ handshake->xxdh_psa_type = key_type;
+ ssl->handshake->xxdh_psa_bits = bits;
+
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
+ psa_set_key_algorithm(&key_attributes, alg);
+ psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
+ psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
+
+ /* Generate ECDH/FFDH private key. */
+ status = psa_generate_key(&key_attributes,
+ &handshake->xxdh_psa_privkey);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
+ return ret;
+
+ }
+
+ /* Export the public part of the ECDH/FFDH private key from PSA. */
+ status = psa_export_public_key(handshake->xxdh_psa_privkey,
+ buf, buf_size,
+ &own_pubkey_len);
+
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
+ return ret;
+ }
+
+ *out_len = own_pubkey_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+
+/* RFC 8446 section 4.2
+ *
+ * If an implementation receives an extension which it recognizes and which is
+ * not specified for the message in which it appears, it MUST abort the handshake
+ * with an "illegal_parameter" alert.
+ *
+ */
+int mbedtls_ssl_tls13_check_received_extension(
+ mbedtls_ssl_context *ssl,
+ int hs_msg_type,
+ unsigned int received_extension_type,
+ uint32_t hs_msg_allowed_extensions_mask)
+{
+ uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
+ received_extension_type);
+
+ MBEDTLS_SSL_PRINT_EXT(
+ 3, hs_msg_type, received_extension_type, "received");
+
+ if ((extension_mask & hs_msg_allowed_extensions_mask) == 0) {
+ MBEDTLS_SSL_PRINT_EXT(
+ 3, hs_msg_type, received_extension_type, "is illegal");
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ ssl->handshake->received_extensions |= extension_mask;
+ /*
+ * If it is a message containing extension responses, check that we
+ * previously sent the extension.
+ */
+ switch (hs_msg_type) {
+ case MBEDTLS_SSL_HS_SERVER_HELLO:
+ case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
+ case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
+ case MBEDTLS_SSL_HS_CERTIFICATE:
+ /* Check if the received extension is sent by peer message.*/
+ if ((ssl->handshake->sent_extensions & extension_mask) != 0) {
+ return 0;
+ }
+ break;
+ default:
+ return 0;
+ }
+
+ MBEDTLS_SSL_PRINT_EXT(
+ 3, hs_msg_type, received_extension_type, "is unsupported");
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
+ MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
+ return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+}
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+
+/* RFC 8449, section 4:
+ *
+ * The ExtensionData of the "record_size_limit" extension is
+ * RecordSizeLimit:
+ * uint16 RecordSizeLimit;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ const unsigned char *p = buf;
+ uint16_t record_size_limit;
+ const size_t extension_data_len = end - buf;
+
+ if (extension_data_len !=
+ MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) {
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("record_size_limit extension has invalid length: %"
+ MBEDTLS_PRINTF_SIZET " Bytes",
+ extension_data_len));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("RecordSizeLimit: %u Bytes", record_size_limit));
+
+ /* RFC 8449, section 4:
+ *
+ * Endpoints MUST NOT send a "record_size_limit" extension with a value
+ * smaller than 64. An endpoint MUST treat receipt of a smaller value
+ * as a fatal error and generate an "illegal_parameter" alert.
+ */
+ if (record_size_limit < MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid record size limit : %u Bytes",
+ record_size_limit));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ ssl->session_negotiate->record_size_limit = record_size_limit;
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len)
+{
+ unsigned char *p = buf;
+ *out_len = 0;
+
+ MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_IN_CONTENT_LEN >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN,
+ "MBEDTLS_SSL_IN_CONTENT_LEN is less than the "
+ "minimum record size limit");
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT, p, 0);
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH,
+ p, 2);
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_IN_CONTENT_LEN, p, 4);
+
+ *out_len = 6;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Sent RecordSizeLimit: %d Bytes",
+ MBEDTLS_SSL_IN_CONTENT_LEN));
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT);
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h
new file mode 100644
index 0000000..b4506f7
--- /dev/null
+++ b/library/ssl_tls13_invasive.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_SSL_TLS13_INVASIVE_H
+#define MBEDTLS_SSL_TLS13_INVASIVE_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#include "psa/crypto.h"
+
+#if defined(MBEDTLS_TEST_HOOKS)
+int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end);
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#endif /* MBEDTLS_SSL_TLS13_INVASIVE_H */
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
new file mode 100644
index 0000000..739414e
--- /dev/null
+++ b/library/ssl_tls13_keys.c
@@ -0,0 +1,1885 @@
+/*
+ * TLS 1.3 key schedule
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#include <stdint.h>
+#include <string.h>
+
+#include "mbedtls/hkdf.h"
+#include "debug_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
+
+#include "ssl_misc.h"
+#include "ssl_tls13_keys.h"
+#include "ssl_tls13_invasive.h"
+
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+
+/* Define a local translating function to save code size by not using too many
+ * arguments in each translating place. */
+static int local_err_translation(psa_status_t status)
+{
+ return psa_status_to_mbedtls(status, psa_to_ssl_errors,
+ ARRAY_LENGTH(psa_to_ssl_errors),
+ psa_generic_status_to_mbedtls);
+}
+#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
+
+#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
+ .name = string,
+
+struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
+{
+ /* This seems to work in C, despite the string literal being one
+ * character too long due to the 0-termination. */
+ MBEDTLS_SSL_TLS1_3_LABEL_LIST
+};
+
+#undef MBEDTLS_SSL_TLS1_3_LABEL
+
+/*
+ * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
+ *
+ * The HkdfLabel is specified in RFC 8446 as follows:
+ *
+ * struct HkdfLabel {
+ * uint16 length; // Length of expanded key material
+ * opaque label<7..255>; // Always prefixed by "tls13 "
+ * opaque context<0..255>; // Usually a communication transcript hash
+ * };
+ *
+ * Parameters:
+ * - desired_length: Length of expanded key material
+ * Even though the standard allows expansion to up to
+ * 2**16 Bytes, TLS 1.3 never uses expansion to more than
+ * 255 Bytes, so we require `desired_length` to be at most
+ * 255. This allows us to save a few Bytes of code by
+ * hardcoding the writing of the high bytes.
+ * - (label, label_len): label + label length, without "tls13 " prefix
+ * The label length MUST be less than or equal to
+ * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
+ * It is the caller's responsibility to ensure this.
+ * All (label, label length) pairs used in TLS 1.3
+ * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
+ * - (ctx, ctx_len): context + context length
+ * The context length MUST be less than or equal to
+ * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
+ * It is the caller's responsibility to ensure this.
+ * - dst: Target buffer for HkdfLabel structure,
+ * This MUST be a writable buffer of size
+ * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
+ * - dst_len: Pointer at which to store the actual length of
+ * the HkdfLabel structure on success.
+ */
+
+static const char tls13_label_prefix[6] = "tls13 ";
+
+#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(label_len, context_len) \
+ (2 /* expansion length */ \
+ + 1 /* label length */ \
+ + label_len \
+ + 1 /* context length */ \
+ + context_len)
+
+#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
+ SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
+ sizeof(tls13_label_prefix) + \
+ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
+ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN)
+
+static void ssl_tls13_hkdf_encode_label(
+ size_t desired_length,
+ const unsigned char *label, size_t label_len,
+ const unsigned char *ctx, size_t ctx_len,
+ unsigned char *dst, size_t *dst_len)
+{
+ size_t total_label_len =
+ sizeof(tls13_label_prefix) + label_len;
+ size_t total_hkdf_lbl_len =
+ SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(total_label_len, ctx_len);
+
+ unsigned char *p = dst;
+
+ /* Add the size of the expanded key material.
+ * We're hardcoding the high byte to 0 here assuming that we never use
+ * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
+#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
+#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \
+ value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
+#endif
+
+ *p++ = 0;
+ *p++ = MBEDTLS_BYTE_0(desired_length);
+
+ /* Add label incl. prefix */
+ *p++ = MBEDTLS_BYTE_0(total_label_len);
+ memcpy(p, tls13_label_prefix, sizeof(tls13_label_prefix));
+ p += sizeof(tls13_label_prefix);
+ memcpy(p, label, label_len);
+ p += label_len;
+
+ /* Add context value */
+ *p++ = MBEDTLS_BYTE_0(ctx_len);
+ if (ctx_len != 0) {
+ memcpy(p, ctx, ctx_len);
+ }
+
+ /* Return total length to the caller. */
+ *dst_len = total_hkdf_lbl_len;
+}
+
+int mbedtls_ssl_tls13_hkdf_expand_label(
+ psa_algorithm_t hash_alg,
+ const unsigned char *secret, size_t secret_len,
+ const unsigned char *label, size_t label_len,
+ const unsigned char *ctx, size_t ctx_len,
+ unsigned char *buf, size_t buf_len)
+{
+ unsigned char hkdf_label[SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN];
+ size_t hkdf_label_len = 0;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_derivation_operation_t operation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
+
+ if (label_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN) {
+ /* Should never happen since this is an internal
+ * function, and we know statically which labels
+ * are allowed. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ if (ctx_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN) {
+ /* Should not happen, as above. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ if (buf_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN) {
+ /* Should not happen, as above. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ if (!PSA_ALG_IS_HASH(hash_alg)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ ssl_tls13_hkdf_encode_label(buf_len,
+ label, label_len,
+ ctx, ctx_len,
+ hkdf_label,
+ &hkdf_label_len);
+
+ status = psa_key_derivation_setup(&operation, PSA_ALG_HKDF_EXPAND(hash_alg));
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = psa_key_derivation_input_bytes(&operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ secret,
+ secret_len);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = psa_key_derivation_input_bytes(&operation,
+ PSA_KEY_DERIVATION_INPUT_INFO,
+ hkdf_label,
+ hkdf_label_len);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = psa_key_derivation_output_bytes(&operation,
+ buf,
+ buf_len);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+cleanup:
+ abort_status = psa_key_derivation_abort(&operation);
+ status = (status == PSA_SUCCESS ? abort_status : status);
+ mbedtls_platform_zeroize(hkdf_label, hkdf_label_len);
+ return PSA_TO_MBEDTLS_ERR(status);
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_make_traffic_key(
+ psa_algorithm_t hash_alg,
+ const unsigned char *secret, size_t secret_len,
+ unsigned char *key, size_t key_len,
+ unsigned char *iv, size_t iv_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_ssl_tls13_hkdf_expand_label(
+ hash_alg,
+ secret, secret_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(key),
+ NULL, 0,
+ key, key_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_hkdf_expand_label(
+ hash_alg,
+ secret, secret_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(iv),
+ NULL, 0,
+ iv, iv_len);
+ return ret;
+}
+
+/*
+ * The traffic keying material is generated from the following inputs:
+ *
+ * - One secret value per sender.
+ * - A purpose value indicating the specific value being generated
+ * - The desired lengths of key and IV.
+ *
+ * The expansion itself is based on HKDF:
+ *
+ * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
+ * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
+ *
+ * [sender] denotes the sending side and the Secret value is provided
+ * by the function caller. Note that we generate server and client side
+ * keys in a single function call.
+ */
+int mbedtls_ssl_tls13_make_traffic_keys(
+ psa_algorithm_t hash_alg,
+ const unsigned char *client_secret,
+ const unsigned char *server_secret, size_t secret_len,
+ size_t key_len, size_t iv_len,
+ mbedtls_ssl_key_set *keys)
+{
+ int ret = 0;
+
+ ret = ssl_tls13_make_traffic_key(
+ hash_alg, client_secret, secret_len,
+ keys->client_write_key, key_len,
+ keys->client_write_iv, iv_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = ssl_tls13_make_traffic_key(
+ hash_alg, server_secret, secret_len,
+ keys->server_write_key, key_len,
+ keys->server_write_iv, iv_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ keys->key_len = key_len;
+ keys->iv_len = iv_len;
+
+ return 0;
+}
+
+int mbedtls_ssl_tls13_derive_secret(
+ psa_algorithm_t hash_alg,
+ const unsigned char *secret, size_t secret_len,
+ const unsigned char *label, size_t label_len,
+ const unsigned char *ctx, size_t ctx_len,
+ int ctx_hashed,
+ unsigned char *dstbuf, size_t dstbuf_len)
+{
+ int ret;
+ unsigned char hashed_context[PSA_HASH_MAX_SIZE];
+ if (ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED) {
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_hash_compute(hash_alg, ctx, ctx_len, hashed_context,
+ PSA_HASH_LENGTH(hash_alg), &ctx_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ return ret;
+ }
+ } else {
+ if (ctx_len > sizeof(hashed_context)) {
+ /* This should never happen since this function is internal
+ * and the code sets `ctx_hashed` correctly.
+ * Let's double-check nonetheless to not run at the risk
+ * of getting a stack overflow. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ memcpy(hashed_context, ctx, ctx_len);
+ }
+
+ return mbedtls_ssl_tls13_hkdf_expand_label(hash_alg,
+ secret, secret_len,
+ label, label_len,
+ hashed_context, ctx_len,
+ dstbuf, dstbuf_len);
+
+}
+
+int mbedtls_ssl_tls13_evolve_secret(
+ psa_algorithm_t hash_alg,
+ const unsigned char *secret_old,
+ const unsigned char *input, size_t input_len,
+ unsigned char *secret_new)
+{
+ int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t hlen;
+ unsigned char tmp_secret[PSA_MAC_MAX_SIZE] = { 0 };
+ const unsigned char all_zeroes_input[MBEDTLS_TLS1_3_MD_MAX_SIZE] = { 0 };
+ const unsigned char *l_input = NULL;
+ size_t l_input_len;
+
+ psa_key_derivation_operation_t operation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
+
+ if (!PSA_ALG_IS_HASH(hash_alg)) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ hlen = PSA_HASH_LENGTH(hash_alg);
+
+ /* For non-initial runs, call Derive-Secret( ., "derived", "")
+ * on the old secret. */
+ if (secret_old != NULL) {
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ secret_old, hlen,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(derived),
+ NULL, 0, /* context */
+ MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
+ tmp_secret, hlen);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+
+ if (input != NULL && input_len != 0) {
+ l_input = input;
+ l_input_len = input_len;
+ } else {
+ l_input = all_zeroes_input;
+ l_input_len = hlen;
+ }
+
+ status = psa_key_derivation_setup(&operation,
+ PSA_ALG_HKDF_EXTRACT(hash_alg));
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = psa_key_derivation_input_bytes(&operation,
+ PSA_KEY_DERIVATION_INPUT_SALT,
+ tmp_secret,
+ hlen);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = psa_key_derivation_input_bytes(&operation,
+ PSA_KEY_DERIVATION_INPUT_SECRET,
+ l_input, l_input_len);
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = psa_key_derivation_output_bytes(&operation,
+ secret_new,
+ PSA_HASH_LENGTH(hash_alg));
+
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+cleanup:
+ abort_status = psa_key_derivation_abort(&operation);
+ status = (status == PSA_SUCCESS ? abort_status : status);
+ ret = (ret == 0 ? PSA_TO_MBEDTLS_ERR(status) : ret);
+ mbedtls_platform_zeroize(tmp_secret, sizeof(tmp_secret));
+ return ret;
+}
+
+int mbedtls_ssl_tls13_derive_early_secrets(
+ psa_algorithm_t hash_alg,
+ unsigned char const *early_secret,
+ unsigned char const *transcript, size_t transcript_len,
+ mbedtls_ssl_tls13_early_secrets *derived)
+{
+ int ret;
+ size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
+
+ /* We should never call this function with an unknown hash,
+ * but add an assertion anyway. */
+ if (!PSA_ALG_IS_HASH(hash_alg)) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /*
+ * 0
+ * |
+ * v
+ * PSK -> HKDF-Extract = Early Secret
+ * |
+ * +-----> Derive-Secret(., "c e traffic", ClientHello)
+ * | = client_early_traffic_secret
+ * |
+ * +-----> Derive-Secret(., "e exp master", ClientHello)
+ * | = early_exporter_master_secret
+ * v
+ */
+
+ /* Create client_early_traffic_secret */
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ early_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_e_traffic),
+ transcript, transcript_len,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
+ derived->client_early_traffic_secret,
+ hash_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Create early exporter */
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ early_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(e_exp_master),
+ transcript, transcript_len,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
+ derived->early_exporter_master_secret,
+ hash_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_ssl_tls13_derive_handshake_secrets(
+ psa_algorithm_t hash_alg,
+ unsigned char const *handshake_secret,
+ unsigned char const *transcript, size_t transcript_len,
+ mbedtls_ssl_tls13_handshake_secrets *derived)
+{
+ int ret;
+ size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
+
+ /* We should never call this function with an unknown hash,
+ * but add an assertion anyway. */
+ if (!PSA_ALG_IS_HASH(hash_alg)) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /*
+ *
+ * Handshake Secret
+ * |
+ * +-----> Derive-Secret( ., "c hs traffic",
+ * | ClientHello...ServerHello )
+ * | = client_handshake_traffic_secret
+ * |
+ * +-----> Derive-Secret( ., "s hs traffic",
+ * | ClientHello...ServerHello )
+ * | = server_handshake_traffic_secret
+ *
+ */
+
+ /*
+ * Compute client_handshake_traffic_secret with
+ * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
+ */
+
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ handshake_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_hs_traffic),
+ transcript, transcript_len,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
+ derived->client_handshake_traffic_secret,
+ hash_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /*
+ * Compute server_handshake_traffic_secret with
+ * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
+ */
+
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ handshake_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_hs_traffic),
+ transcript, transcript_len,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
+ derived->server_handshake_traffic_secret,
+ hash_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_ssl_tls13_derive_application_secrets(
+ psa_algorithm_t hash_alg,
+ unsigned char const *application_secret,
+ unsigned char const *transcript, size_t transcript_len,
+ mbedtls_ssl_tls13_application_secrets *derived)
+{
+ int ret;
+ size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
+
+ /* We should never call this function with an unknown hash,
+ * but add an assertion anyway. */
+ if (!PSA_ALG_IS_HASH(hash_alg)) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* Generate {client,server}_application_traffic_secret_0
+ *
+ * Master Secret
+ * |
+ * +-----> Derive-Secret( ., "c ap traffic",
+ * | ClientHello...server Finished )
+ * | = client_application_traffic_secret_0
+ * |
+ * +-----> Derive-Secret( ., "s ap traffic",
+ * | ClientHello...Server Finished )
+ * | = server_application_traffic_secret_0
+ * |
+ * +-----> Derive-Secret( ., "exp master",
+ * | ClientHello...server Finished)
+ * | = exporter_master_secret
+ *
+ */
+
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ application_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_ap_traffic),
+ transcript, transcript_len,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
+ derived->client_application_traffic_secret_N,
+ hash_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ application_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_ap_traffic),
+ transcript, transcript_len,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
+ derived->server_application_traffic_secret_N,
+ hash_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ application_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exp_master),
+ transcript, transcript_len,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
+ derived->exporter_master_secret,
+ hash_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/* Generate resumption_master_secret for use with the ticket exchange.
+ *
+ * This is not integrated with mbedtls_ssl_tls13_derive_application_secrets()
+ * because it uses the transcript hash up to and including ClientFinished. */
+int mbedtls_ssl_tls13_derive_resumption_master_secret(
+ psa_algorithm_t hash_alg,
+ unsigned char const *application_secret,
+ unsigned char const *transcript, size_t transcript_len,
+ mbedtls_ssl_tls13_application_secrets *derived)
+{
+ int ret;
+ size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
+
+ /* We should never call this function with an unknown hash,
+ * but add an assertion anyway. */
+ if (!PSA_ALG_IS_HASH(hash_alg)) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ application_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_master),
+ transcript, transcript_len,
+ MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
+ derived->resumption_master_secret,
+ hash_len);
+
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
+ * \brief Transition into application stage of TLS 1.3 key schedule.
+ *
+ * The TLS 1.3 key schedule can be viewed as a simple state machine
+ * with states Initial -> Early -> Handshake -> Application, and
+ * this function represents the Handshake -> Application transition.
+ *
+ * In the handshake stage, ssl_tls13_generate_application_keys()
+ * can be used to derive the handshake traffic keys.
+ *
+ * \param ssl The SSL context to operate on. This must be in key schedule
+ * stage \c Handshake.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type(
+ (mbedtls_md_type_t) handshake->ciphersuite_info->mac);
+
+ /*
+ * Compute MasterSecret
+ */
+ ret = mbedtls_ssl_tls13_evolve_secret(
+ hash_alg,
+ handshake->tls13_master_secrets.handshake,
+ NULL, 0,
+ handshake->tls13_master_secrets.app);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(
+ 4, "Master secret",
+ handshake->tls13_master_secrets.app, PSA_HASH_LENGTH(hash_alg));
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_calc_finished_core(psa_algorithm_t hash_alg,
+ unsigned char const *base_key,
+ unsigned char const *transcript,
+ unsigned char *dst,
+ size_t *dst_len)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t hash_len = PSA_HASH_LENGTH(hash_alg);
+ unsigned char finished_key[PSA_MAC_MAX_SIZE];
+ int ret;
+ psa_algorithm_t alg;
+
+ /* We should never call this function with an unknown hash,
+ * but add an assertion anyway. */
+ if (!PSA_ALG_IS_HASH(hash_alg)) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* TLS 1.3 Finished message
+ *
+ * struct {
+ * opaque verify_data[Hash.length];
+ * } Finished;
+ *
+ * verify_data =
+ * HMAC( finished_key,
+ * Hash( Handshake Context +
+ * Certificate* +
+ * CertificateVerify* )
+ * )
+ *
+ * finished_key =
+ * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length )
+ */
+
+ ret = mbedtls_ssl_tls13_hkdf_expand_label(
+ hash_alg, base_key, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(finished),
+ NULL, 0,
+ finished_key, hash_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ alg = PSA_ALG_HMAC(hash_alg);
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+
+ status = psa_import_key(&attributes, finished_key, hash_len, &key);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ goto exit;
+ }
+
+ status = psa_mac_compute(key, alg, transcript, hash_len,
+ dst, hash_len, dst_len);
+ ret = PSA_TO_MBEDTLS_ERR(status);
+
+exit:
+
+ status = psa_destroy_key(key);
+ if (ret == 0) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ mbedtls_platform_zeroize(finished_key, sizeof(finished_key));
+
+ return ret;
+}
+
+int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl,
+ unsigned char *dst,
+ size_t dst_len,
+ size_t *actual_len,
+ int from)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t transcript_len;
+
+ unsigned char *base_key = NULL;
+ size_t base_key_len = 0;
+ mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets =
+ &ssl->handshake->tls13_hs_secrets;
+
+ mbedtls_md_type_t const md_type = (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac;
+
+ psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(
+ (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac);
+ size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_tls13_calculate_verify_data"));
+
+ if (from == MBEDTLS_SSL_IS_CLIENT) {
+ base_key = tls13_hs_secrets->client_handshake_traffic_secret;
+ base_key_len = sizeof(tls13_hs_secrets->client_handshake_traffic_secret);
+ } else {
+ base_key = tls13_hs_secrets->server_handshake_traffic_secret;
+ base_key_len = sizeof(tls13_hs_secrets->server_handshake_traffic_secret);
+ }
+
+ if (dst_len < hash_len) {
+ ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
+ transcript, sizeof(transcript),
+ &transcript_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret);
+ goto exit;
+ }
+ MBEDTLS_SSL_DEBUG_BUF(4, "handshake hash", transcript, transcript_len);
+
+ ret = ssl_tls13_calc_finished_core(hash_alg, base_key,
+ transcript, dst, actual_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "verify_data for finished message", dst, hash_len);
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_tls13_calculate_verify_data"));
+
+exit:
+ /* Erase handshake secrets */
+ mbedtls_platform_zeroize(base_key, base_key_len);
+ mbedtls_platform_zeroize(transcript, sizeof(transcript));
+ return ret;
+}
+
+int mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context *ssl,
+ const psa_algorithm_t hash_alg,
+ unsigned char const *psk, size_t psk_len,
+ int psk_type,
+ unsigned char const *transcript,
+ unsigned char *result)
+{
+ int ret = 0;
+ unsigned char binder_key[PSA_MAC_MAX_SIZE];
+ unsigned char early_secret[PSA_MAC_MAX_SIZE];
+ size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
+ size_t actual_len;
+
+#if !defined(MBEDTLS_DEBUG_C)
+ ssl = NULL; /* make sure we don't use it except for debug */
+ ((void) ssl);
+#endif
+
+ /* We should never call this function with an unknown hash,
+ * but add an assertion anyway. */
+ if (!PSA_ALG_IS_HASH(hash_alg)) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /*
+ * 0
+ * |
+ * v
+ * PSK -> HKDF-Extract = Early Secret
+ * |
+ * +-----> Derive-Secret(., "ext binder" | "res binder", "")
+ * | = binder_key
+ * v
+ */
+
+ ret = mbedtls_ssl_tls13_evolve_secret(hash_alg,
+ NULL, /* Old secret */
+ psk, psk_len, /* Input */
+ early_secret);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "mbedtls_ssl_tls13_create_psk_binder",
+ early_secret, hash_len);
+
+ if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ early_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_binder),
+ NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
+ binder_key, hash_len);
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'res binder'"));
+ } else {
+ ret = mbedtls_ssl_tls13_derive_secret(
+ hash_alg,
+ early_secret, hash_len,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(ext_binder),
+ NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
+ binder_key, hash_len);
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'ext binder'"));
+ }
+
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_secret", ret);
+ goto exit;
+ }
+
+ /*
+ * The binding_value is computed in the same way as the Finished message
+ * but with the BaseKey being the binder_key.
+ */
+
+ ret = ssl_tls13_calc_finished_core(hash_alg, binder_key, transcript,
+ result, &actual_len);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "psk binder", result, actual_len);
+
+exit:
+
+ mbedtls_platform_zeroize(early_secret, sizeof(early_secret));
+ mbedtls_platform_zeroize(binder_key, sizeof(binder_key));
+ return ret;
+}
+
+int mbedtls_ssl_tls13_populate_transform(
+ mbedtls_ssl_transform *transform,
+ int endpoint, int ciphersuite,
+ mbedtls_ssl_key_set const *traffic_keys,
+ mbedtls_ssl_context *ssl /* DEBUG ONLY */)
+{
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ int ret;
+ mbedtls_cipher_info_t const *cipher_info;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ unsigned char const *key_enc;
+ unsigned char const *iv_enc;
+ unsigned char const *key_dec;
+ unsigned char const *iv_dec;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_key_type_t key_type;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_algorithm_t alg;
+ size_t key_bits;
+ psa_status_t status = PSA_SUCCESS;
+#endif
+
+#if !defined(MBEDTLS_DEBUG_C)
+ ssl = NULL; /* make sure we don't use it except for those cases */
+ (void) ssl;
+#endif
+
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
+ if (ciphersuite_info == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
+ ciphersuite));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher);
+ if (cipher_info == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
+ ciphersuite_info->cipher));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Setup cipher contexts in target transform
+ */
+ if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
+ cipher_info)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
+ cipher_info)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (endpoint == MBEDTLS_SSL_IS_SERVER) {
+ key_enc = traffic_keys->server_write_key;
+ key_dec = traffic_keys->client_write_key;
+ iv_enc = traffic_keys->server_write_iv;
+ iv_dec = traffic_keys->client_write_iv;
+ } else
+#endif /* MBEDTLS_SSL_SRV_C */
+#if defined(MBEDTLS_SSL_CLI_C)
+ if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
+ key_enc = traffic_keys->client_write_key;
+ key_dec = traffic_keys->server_write_key;
+ iv_enc = traffic_keys->client_write_iv;
+ iv_dec = traffic_keys->server_write_iv;
+ } else
+#endif /* MBEDTLS_SSL_CLI_C */
+ {
+ /* should not happen */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ memcpy(transform->iv_enc, iv_enc, traffic_keys->iv_len);
+ memcpy(transform->iv_dec, iv_dec, traffic_keys->iv_len);
+
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc,
+ key_enc, (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
+ MBEDTLS_ENCRYPT)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
+ return ret;
+ }
+
+ if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec,
+ key_dec, (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
+ MBEDTLS_DECRYPT)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /*
+ * Setup other fields in SSL transform
+ */
+
+ if ((ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG) != 0) {
+ transform->taglen = 8;
+ } else {
+ transform->taglen = 16;
+ }
+
+ transform->ivlen = traffic_keys->iv_len;
+ transform->maclen = 0;
+ transform->fixed_ivlen = transform->ivlen;
+ transform->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+
+ /* We add the true record content type (1 Byte) to the plaintext and
+ * then pad to the configured granularity. The minimum length of the
+ * type-extended and padded plaintext is therefore the padding
+ * granularity. */
+ transform->minlen =
+ transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ /*
+ * Setup psa keys and alg
+ */
+ if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
+ transform->taglen,
+ &alg,
+ &key_type,
+ &key_bits)) != PSA_SUCCESS) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_cipher_to_psa", PSA_TO_MBEDTLS_ERR(status));
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ transform->psa_alg = alg;
+
+ if (alg != MBEDTLS_SSL_NULL_CIPHER) {
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ if ((status = psa_import_key(&attributes,
+ key_enc,
+ PSA_BITS_TO_BYTES(key_bits),
+ &transform->psa_key_enc)) != PSA_SUCCESS) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
+
+ if ((status = psa_import_key(&attributes,
+ key_dec,
+ PSA_BITS_TO_BYTES(key_bits),
+ &transform->psa_key_dec)) != PSA_SUCCESS) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_get_cipher_key_info(
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
+ size_t *key_len, size_t *iv_len)
+{
+ psa_key_type_t key_type;
+ psa_algorithm_t alg;
+ size_t taglen;
+ size_t key_bits;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ if (ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG) {
+ taglen = 8;
+ } else {
+ taglen = 16;
+ }
+
+ status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, taglen,
+ &alg, &key_type, &key_bits);
+ if (status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ *key_len = PSA_BITS_TO_BYTES(key_bits);
+
+ /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */
+ *iv_len = 12;
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/*
+ * ssl_tls13_generate_early_key() generates the key necessary for protecting
+ * the early application data and handshake messages as described in section 7
+ * of RFC 8446.
+ *
+ * NOTE: Only one key is generated, the key for the traffic from the client to
+ * the server. The TLS 1.3 specification does not define a secret and thus
+ * a key for server early traffic.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_key_set *traffic_keys)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_type;
+ psa_algorithm_t hash_alg;
+ size_t hash_len;
+ unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t transcript_len;
+ size_t key_len = 0;
+ size_t iv_len = 0;
+ mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
+
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ handshake->ciphersuite_info;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_early_key"));
+
+ ret = ssl_tls13_get_cipher_key_info(ciphersuite_info, &key_len, &iv_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_get_cipher_key_info", ret);
+ goto cleanup;
+ }
+
+ md_type = (mbedtls_md_type_t) ciphersuite_info->mac;
+
+ hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
+ hash_len = PSA_HASH_LENGTH(hash_alg);
+
+ ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
+ transcript,
+ sizeof(transcript),
+ &transcript_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "mbedtls_ssl_get_handshake_transcript",
+ ret);
+ goto cleanup;
+ }
+
+ ret = mbedtls_ssl_tls13_derive_early_secrets(
+ hash_alg, handshake->tls13_master_secrets.early,
+ transcript, transcript_len, &tls13_early_secrets);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_derive_early_secrets", ret);
+ goto cleanup;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(
+ 4, "Client early traffic secret",
+ tls13_early_secrets.client_early_traffic_secret, hash_len);
+
+ /*
+ * Export client handshake traffic secret
+ */
+ if (ssl->f_export_keys != NULL) {
+ ssl->f_export_keys(
+ ssl->p_export_keys,
+ MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET,
+ tls13_early_secrets.client_early_traffic_secret,
+ hash_len,
+ handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
+ MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
+ }
+
+ ret = ssl_tls13_make_traffic_key(
+ hash_alg,
+ tls13_early_secrets.client_early_traffic_secret,
+ hash_len, traffic_keys->client_write_key, key_len,
+ traffic_keys->client_write_iv, iv_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_make_traffic_key", ret);
+ goto cleanup;
+ }
+ traffic_keys->key_len = key_len;
+ traffic_keys->iv_len = iv_len;
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "client early write_key",
+ traffic_keys->client_write_key,
+ traffic_keys->key_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "client early write_iv",
+ traffic_keys->client_write_iv,
+ traffic_keys->iv_len);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_generate_early_key"));
+
+cleanup:
+ /* Erase early secrets and transcript */
+ mbedtls_platform_zeroize(
+ &tls13_early_secrets, sizeof(mbedtls_ssl_tls13_early_secrets));
+ mbedtls_platform_zeroize(transcript, sizeof(transcript));
+ return ret;
+}
+
+int mbedtls_ssl_tls13_compute_early_transform(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_key_set traffic_keys;
+ mbedtls_ssl_transform *transform_earlydata = NULL;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /* Next evolution in key schedule: Establish early_data secret and
+ * key material. */
+ ret = ssl_tls13_generate_early_key(ssl, &traffic_keys);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_generate_early_key",
+ ret);
+ goto cleanup;
+ }
+
+ transform_earlydata = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
+ if (transform_earlydata == NULL) {
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ ret = mbedtls_ssl_tls13_populate_transform(
+ transform_earlydata,
+ ssl->conf->endpoint,
+ handshake->ciphersuite_info->id,
+ &traffic_keys,
+ ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_populate_transform", ret);
+ goto cleanup;
+ }
+ handshake->transform_earlydata = transform_earlydata;
+
+cleanup:
+ mbedtls_platform_zeroize(&traffic_keys, sizeof(traffic_keys));
+ if (ret != 0) {
+ mbedtls_free(transform_earlydata);
+ }
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ psa_algorithm_t hash_alg;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ unsigned char *psk = NULL;
+ size_t psk_len = 0;
+
+ if (handshake->ciphersuite_info == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("cipher suite info not found"));
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) handshake->ciphersuite_info->mac);
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
+ ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_export_handshake_psk",
+ ret);
+ return ret;
+ }
+ }
+#endif
+
+ ret = mbedtls_ssl_tls13_evolve_secret(hash_alg, NULL, psk, psk_len,
+ handshake->tls13_master_secrets.early);
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ mbedtls_free((void *) psk);
+#endif
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "mbedtls_ssl_tls13_key_schedule_stage_early",
+ handshake->tls13_master_secrets.early,
+ PSA_HASH_LENGTH(hash_alg));
+ return 0;
+}
+
+/**
+ * \brief Compute TLS 1.3 handshake traffic keys.
+ *
+ * ssl_tls13_generate_handshake_keys() generates keys necessary for
+ * protecting the handshake messages, as described in Section 7 of
+ * RFC 8446.
+ *
+ * \param ssl The SSL context to operate on. This must be in
+ * key schedule stage \c Handshake, see
+ * ssl_tls13_key_schedule_stage_handshake().
+ * \param traffic_keys The address at which to store the handshake traffic
+ * keys. This must be writable but may be uninitialized.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
+ mbedtls_ssl_key_set *traffic_keys)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_type;
+ psa_algorithm_t hash_alg;
+ size_t hash_len;
+ unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t transcript_len;
+ size_t key_len = 0;
+ size_t iv_len = 0;
+
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ handshake->ciphersuite_info;
+ mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets =
+ &handshake->tls13_hs_secrets;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_handshake_keys"));
+
+ ret = ssl_tls13_get_cipher_key_info(ciphersuite_info, &key_len, &iv_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_get_cipher_key_info", ret);
+ return ret;
+ }
+
+ md_type = (mbedtls_md_type_t) ciphersuite_info->mac;
+
+ hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
+ hash_len = PSA_HASH_LENGTH(hash_alg);
+
+ ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
+ transcript,
+ sizeof(transcript),
+ &transcript_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "mbedtls_ssl_get_handshake_transcript",
+ ret);
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_derive_handshake_secrets(
+ hash_alg, handshake->tls13_master_secrets.handshake,
+ transcript, transcript_len, tls13_hs_secrets);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_handshake_secrets",
+ ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "Client handshake traffic secret",
+ tls13_hs_secrets->client_handshake_traffic_secret,
+ hash_len);
+ MBEDTLS_SSL_DEBUG_BUF(4, "Server handshake traffic secret",
+ tls13_hs_secrets->server_handshake_traffic_secret,
+ hash_len);
+
+ /*
+ * Export client handshake traffic secret
+ */
+ if (ssl->f_export_keys != NULL) {
+ ssl->f_export_keys(
+ ssl->p_export_keys,
+ MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
+ tls13_hs_secrets->client_handshake_traffic_secret,
+ hash_len,
+ handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
+ MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
+
+ ssl->f_export_keys(
+ ssl->p_export_keys,
+ MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
+ tls13_hs_secrets->server_handshake_traffic_secret,
+ hash_len,
+ handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
+ MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
+ }
+
+ ret = mbedtls_ssl_tls13_make_traffic_keys(
+ hash_alg,
+ tls13_hs_secrets->client_handshake_traffic_secret,
+ tls13_hs_secrets->server_handshake_traffic_secret,
+ hash_len, key_len, iv_len, traffic_keys);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret);
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "client_handshake write_key",
+ traffic_keys->client_write_key,
+ traffic_keys->key_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "server_handshake write_key",
+ traffic_keys->server_write_key,
+ traffic_keys->key_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "client_handshake write_iv",
+ traffic_keys->client_write_iv,
+ traffic_keys->iv_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "server_handshake write_iv",
+ traffic_keys->server_write_iv,
+ traffic_keys->iv_len);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_generate_handshake_keys"));
+
+exit:
+
+ return ret;
+}
+
+/**
+ * \brief Transition into handshake stage of TLS 1.3 key schedule.
+ *
+ * The TLS 1.3 key schedule can be viewed as a simple state machine
+ * with states Initial -> Early -> Handshake -> Application, and
+ * this function represents the Early -> Handshake transition.
+ *
+ * In the handshake stage, ssl_tls13_generate_handshake_keys()
+ * can be used to derive the handshake traffic keys.
+ *
+ * \param ssl The SSL context to operate on. This must be in key schedule
+ * stage \c Early.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type(
+ (mbedtls_md_type_t) handshake->ciphersuite_info->mac);
+ unsigned char *shared_secret = NULL;
+ size_t shared_secret_len = 0;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+ /*
+ * Compute ECDHE secret used to compute the handshake secret from which
+ * client_handshake_traffic_secret and server_handshake_traffic_secret
+ * are derived in the handshake secret derivation stage.
+ */
+ if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ||
+ mbedtls_ssl_tls13_named_group_is_ffdh(handshake->offered_group_id)) {
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
+ psa_algorithm_t alg =
+ mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ?
+ PSA_ALG_ECDH : PSA_ALG_FFDH;
+
+ /* Compute ECDH shared secret. */
+ psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+ psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+ status = psa_get_key_attributes(handshake->xxdh_psa_privkey,
+ &key_attributes);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ shared_secret_len = PSA_BITS_TO_BYTES(
+ psa_get_key_bits(&key_attributes));
+ shared_secret = mbedtls_calloc(1, shared_secret_len);
+ if (shared_secret == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ status = psa_raw_key_agreement(
+ alg, handshake->xxdh_psa_privkey,
+ handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
+ shared_secret, shared_secret_len, &shared_secret_len);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
+ goto cleanup;
+ }
+
+ status = psa_destroy_key(handshake->xxdh_psa_privkey);
+ if (status != PSA_SUCCESS) {
+ ret = PSA_TO_MBEDTLS_ERR(status);
+ MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
+ goto cleanup;
+ }
+
+ handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Group not supported."));
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+ }
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+
+ /*
+ * Compute the Handshake Secret
+ */
+ ret = mbedtls_ssl_tls13_evolve_secret(
+ hash_alg, handshake->tls13_master_secrets.early,
+ shared_secret, shared_secret_len,
+ handshake->tls13_master_secrets.handshake);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
+ goto cleanup;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "Handshake secret",
+ handshake->tls13_master_secrets.handshake,
+ PSA_HASH_LENGTH(hash_alg));
+
+cleanup:
+ if (shared_secret != NULL) {
+ mbedtls_zeroize_and_free(shared_secret, shared_secret_len);
+ }
+
+ return ret;
+}
+
+/**
+ * \brief Compute TLS 1.3 application traffic keys.
+ *
+ * ssl_tls13_generate_application_keys() generates application traffic
+ * keys, since any record following a 1-RTT Finished message MUST be
+ * encrypted under the application traffic key.
+ *
+ * \param ssl The SSL context to operate on. This must be in
+ * key schedule stage \c Application, see
+ * ssl_tls13_key_schedule_stage_application().
+ * \param traffic_keys The address at which to store the application traffic
+ * keys. This must be writable but may be uninitialized.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_generate_application_keys(
+ mbedtls_ssl_context *ssl,
+ mbedtls_ssl_key_set *traffic_keys)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /* Address at which to store the application secrets */
+ mbedtls_ssl_tls13_application_secrets * const app_secrets =
+ &ssl->session_negotiate->app_secrets;
+
+ /* Holding the transcript up to and including the ServerFinished */
+ unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t transcript_len;
+
+ /* Variables relating to the hash for the chosen ciphersuite. */
+ mbedtls_md_type_t md_type;
+
+ psa_algorithm_t hash_alg;
+ size_t hash_len;
+
+ /* Variables relating to the cipher for the chosen ciphersuite. */
+ size_t key_len = 0, iv_len = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive application traffic keys"));
+
+ /* Extract basic information about hash and ciphersuite */
+
+ ret = ssl_tls13_get_cipher_key_info(handshake->ciphersuite_info,
+ &key_len, &iv_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_get_cipher_key_info", ret);
+ goto cleanup;
+ }
+
+ md_type = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
+
+ hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) handshake->ciphersuite_info->mac);
+ hash_len = PSA_HASH_LENGTH(hash_alg);
+
+ /* Compute current handshake transcript. It's the caller's responsibility
+ * to call this at the right time, that is, after the ServerFinished. */
+
+ ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
+ transcript, sizeof(transcript),
+ &transcript_len);
+ if (ret != 0) {
+ goto cleanup;
+ }
+
+ /* Compute application secrets from master secret and transcript hash. */
+
+ ret = mbedtls_ssl_tls13_derive_application_secrets(
+ hash_alg, handshake->tls13_master_secrets.app,
+ transcript, transcript_len, app_secrets);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_derive_application_secrets", ret);
+ goto cleanup;
+ }
+
+ /* Derive first epoch of IV + Key for application traffic. */
+
+ ret = mbedtls_ssl_tls13_make_traffic_keys(
+ hash_alg,
+ app_secrets->client_application_traffic_secret_N,
+ app_secrets->server_application_traffic_secret_N,
+ hash_len, key_len, iv_len, traffic_keys);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret);
+ goto cleanup;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "Client application traffic secret",
+ app_secrets->client_application_traffic_secret_N,
+ hash_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "Server application traffic secret",
+ app_secrets->server_application_traffic_secret_N,
+ hash_len);
+
+ /*
+ * Export client/server application traffic secret 0
+ */
+ if (ssl->f_export_keys != NULL) {
+ ssl->f_export_keys(
+ ssl->p_export_keys,
+ MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
+ app_secrets->client_application_traffic_secret_N, hash_len,
+ handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
+ MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
+ a new constant for TLS 1.3! */);
+
+ ssl->f_export_keys(
+ ssl->p_export_keys,
+ MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
+ app_secrets->server_application_traffic_secret_N, hash_len,
+ handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
+ MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
+ a new constant for TLS 1.3! */);
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "client application_write_key:",
+ traffic_keys->client_write_key, key_len);
+ MBEDTLS_SSL_DEBUG_BUF(4, "server application write key",
+ traffic_keys->server_write_key, key_len);
+ MBEDTLS_SSL_DEBUG_BUF(4, "client application write IV",
+ traffic_keys->client_write_iv, iv_len);
+ MBEDTLS_SSL_DEBUG_BUF(4, "server application write IV",
+ traffic_keys->server_write_iv, iv_len);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive application traffic keys"));
+
+cleanup:
+ /* randbytes is not used again */
+ mbedtls_platform_zeroize(ssl->handshake->randbytes,
+ sizeof(ssl->handshake->randbytes));
+
+ mbedtls_platform_zeroize(transcript, sizeof(transcript));
+ return ret;
+}
+
+int mbedtls_ssl_tls13_compute_handshake_transform(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_key_set traffic_keys;
+ mbedtls_ssl_transform *transform_handshake = NULL;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ /* Compute handshake secret */
+ ret = ssl_tls13_key_schedule_stage_handshake(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_master_secret", ret);
+ goto cleanup;
+ }
+
+ /* Next evolution in key schedule: Establish handshake secret and
+ * key material. */
+ ret = ssl_tls13_generate_handshake_keys(ssl, &traffic_keys);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_generate_handshake_keys",
+ ret);
+ goto cleanup;
+ }
+
+ transform_handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
+ if (transform_handshake == NULL) {
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ ret = mbedtls_ssl_tls13_populate_transform(
+ transform_handshake,
+ ssl->conf->endpoint,
+ handshake->ciphersuite_info->id,
+ &traffic_keys,
+ ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_populate_transform", ret);
+ goto cleanup;
+ }
+ handshake->transform_handshake = transform_handshake;
+
+cleanup:
+ mbedtls_platform_zeroize(&traffic_keys, sizeof(traffic_keys));
+ if (ret != 0) {
+ mbedtls_free(transform_handshake);
+ }
+
+ return ret;
+}
+
+int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_type_t md_type;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
+ size_t transcript_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 2, ("=> mbedtls_ssl_tls13_compute_resumption_master_secret"));
+
+ md_type = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
+
+ ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
+ transcript, sizeof(transcript),
+ &transcript_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_derive_resumption_master_secret(
+ mbedtls_md_psa_alg_from_type(md_type),
+ handshake->tls13_master_secrets.app,
+ transcript, transcript_len,
+ &ssl->session_negotiate->app_secrets);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Erase master secrets */
+ mbedtls_platform_zeroize(&handshake->tls13_master_secrets,
+ sizeof(handshake->tls13_master_secrets));
+
+ MBEDTLS_SSL_DEBUG_BUF(
+ 4, "Resumption master secret",
+ ssl->session_negotiate->app_secrets.resumption_master_secret,
+ PSA_HASH_LENGTH(mbedtls_md_psa_alg_from_type(md_type)));
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 2, ("<= mbedtls_ssl_tls13_compute_resumption_master_secret"));
+ return 0;
+}
+
+int mbedtls_ssl_tls13_compute_application_transform(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_key_set traffic_keys;
+ mbedtls_ssl_transform *transform_application = NULL;
+
+ ret = ssl_tls13_key_schedule_stage_application(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "ssl_tls13_key_schedule_stage_application", ret);
+ goto cleanup;
+ }
+
+ ret = ssl_tls13_generate_application_keys(ssl, &traffic_keys);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "ssl_tls13_generate_application_keys", ret);
+ goto cleanup;
+ }
+
+ transform_application =
+ mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
+ if (transform_application == NULL) {
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ goto cleanup;
+ }
+
+ ret = mbedtls_ssl_tls13_populate_transform(
+ transform_application,
+ ssl->conf->endpoint,
+ ssl->handshake->ciphersuite_info->id,
+ &traffic_keys,
+ ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_populate_transform", ret);
+ goto cleanup;
+ }
+
+ ssl->transform_application = transform_application;
+
+cleanup:
+
+ mbedtls_platform_zeroize(&traffic_keys, sizeof(traffic_keys));
+ if (ret != 0) {
+ mbedtls_free(transform_application);
+ }
+ return ret;
+}
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
+ unsigned char **psk,
+ size_t *psk_len)
+{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ *psk_len = 0;
+ *psk = NULL;
+
+ if (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ status = psa_get_key_attributes(ssl->handshake->psk_opaque, &key_attributes);
+ if (status != PSA_SUCCESS) {
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+
+ *psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits(&key_attributes));
+ *psk = mbedtls_calloc(1, *psk_len);
+ if (*psk == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+
+ status = psa_export_key(ssl->handshake->psk_opaque,
+ (uint8_t *) *psk, *psk_len, psk_len);
+ if (status != PSA_SUCCESS) {
+ mbedtls_free((void *) *psk);
+ *psk = NULL;
+ return PSA_TO_MBEDTLS_ERR(status);
+ }
+ return 0;
+#else
+ *psk = ssl->handshake->psk;
+ *psk_len = ssl->handshake->psk_len;
+ if (*psk == NULL) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ return 0;
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
new file mode 100644
index 0000000..d3a4c6c
--- /dev/null
+++ b/library/ssl_tls13_keys.h
@@ -0,0 +1,651 @@
+/*
+ * TLS 1.3 key schedule
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H)
+#define MBEDTLS_SSL_TLS1_3_KEYS_H
+
+/* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at
+ * the point of use. See e.g. the definition of mbedtls_ssl_tls13_labels_union
+ * below. */
+#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \
+ MBEDTLS_SSL_TLS1_3_LABEL(finished, "finished") \
+ MBEDTLS_SSL_TLS1_3_LABEL(resumption, "resumption") \
+ MBEDTLS_SSL_TLS1_3_LABEL(traffic_upd, "traffic upd") \
+ MBEDTLS_SSL_TLS1_3_LABEL(exporter, "exporter") \
+ MBEDTLS_SSL_TLS1_3_LABEL(key, "key") \
+ MBEDTLS_SSL_TLS1_3_LABEL(iv, "iv") \
+ MBEDTLS_SSL_TLS1_3_LABEL(c_hs_traffic, "c hs traffic") \
+ MBEDTLS_SSL_TLS1_3_LABEL(c_ap_traffic, "c ap traffic") \
+ MBEDTLS_SSL_TLS1_3_LABEL(c_e_traffic, "c e traffic") \
+ MBEDTLS_SSL_TLS1_3_LABEL(s_hs_traffic, "s hs traffic") \
+ MBEDTLS_SSL_TLS1_3_LABEL(s_ap_traffic, "s ap traffic") \
+ MBEDTLS_SSL_TLS1_3_LABEL(s_e_traffic, "s e traffic") \
+ MBEDTLS_SSL_TLS1_3_LABEL(e_exp_master, "e exp master") \
+ MBEDTLS_SSL_TLS1_3_LABEL(res_master, "res master") \
+ MBEDTLS_SSL_TLS1_3_LABEL(exp_master, "exp master") \
+ MBEDTLS_SSL_TLS1_3_LABEL(ext_binder, "ext binder") \
+ MBEDTLS_SSL_TLS1_3_LABEL(res_binder, "res binder") \
+ MBEDTLS_SSL_TLS1_3_LABEL(derived, "derived") \
+ MBEDTLS_SSL_TLS1_3_LABEL(client_cv, "TLS 1.3, client CertificateVerify") \
+ MBEDTLS_SSL_TLS1_3_LABEL(server_cv, "TLS 1.3, server CertificateVerify")
+
+#define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0
+#define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED 1
+
+#define MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL 0
+#define MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION 1
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
+ const unsigned char name [sizeof(string) - 1];
+
+union mbedtls_ssl_tls13_labels_union {
+ MBEDTLS_SSL_TLS1_3_LABEL_LIST
+};
+struct mbedtls_ssl_tls13_labels_struct {
+ MBEDTLS_SSL_TLS1_3_LABEL_LIST
+};
+#undef MBEDTLS_SSL_TLS1_3_LABEL
+
+extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
+
+#define MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL) \
+ sizeof(mbedtls_ssl_tls13_labels.LABEL)
+
+#define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(LABEL) \
+ mbedtls_ssl_tls13_labels.LABEL, \
+ MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL)
+
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \
+ sizeof(union mbedtls_ssl_tls13_labels_union)
+
+/* The maximum length of HKDF contexts used in the TLS 1.3 standard.
+ * Since contexts are always hashes of message transcripts, this can
+ * be approximated from above by the maximum hash size. */
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \
+ PSA_HASH_MAX_SIZE
+
+/* Maximum desired length for expanded key material generated
+ * by HKDF-Expand-Label.
+ *
+ * Warning: If this ever needs to be increased, the implementation
+ * ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be
+ * adjusted since it currently assumes that HKDF key expansion
+ * is never used with more than 255 Bytes of output. */
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255
+
+/**
+ * \brief The \c HKDF-Expand-Label function from
+ * the TLS 1.3 standard RFC 8446.
+ *
+ * <tt>
+ * HKDF-Expand-Label( Secret, Label, Context, Length ) =
+ * HKDF-Expand( Secret, HkdfLabel, Length )
+ * </tt>
+ *
+ * \param hash_alg The identifier for the hash algorithm to use.
+ * \param secret The \c Secret argument to \c HKDF-Expand-Label.
+ * This must be a readable buffer of length
+ * \p secret_len Bytes.
+ * \param secret_len The length of \p secret in Bytes.
+ * \param label The \c Label argument to \c HKDF-Expand-Label.
+ * This must be a readable buffer of length
+ * \p label_len Bytes.
+ * \param label_len The length of \p label in Bytes.
+ * \param ctx The \c Context argument to \c HKDF-Expand-Label.
+ * This must be a readable buffer of length \p ctx_len Bytes.
+ * \param ctx_len The length of \p context in Bytes.
+ * \param buf The destination buffer to hold the expanded secret.
+ * This must be a writable buffer of length \p buf_len Bytes.
+ * \param buf_len The desired size of the expanded secret in Bytes.
+ *
+ * \returns \c 0 on success.
+ * \return A negative error code on failure.
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_hkdf_expand_label(
+ psa_algorithm_t hash_alg,
+ const unsigned char *secret, size_t secret_len,
+ const unsigned char *label, size_t label_len,
+ const unsigned char *ctx, size_t ctx_len,
+ unsigned char *buf, size_t buf_len);
+
+/**
+ * \brief This function is part of the TLS 1.3 key schedule.
+ * It extracts key and IV for the actual client/server traffic
+ * from the client/server traffic secrets.
+ *
+ * From RFC 8446:
+ *
+ * <tt>
+ * [sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length)
+ * [sender]_write_iv = HKDF-Expand-Label(Secret, "iv", "", iv_length)*
+ * </tt>
+ *
+ * \param hash_alg The identifier for the hash algorithm to be used
+ * for the HKDF-based expansion of the secret.
+ * \param client_secret The client traffic secret.
+ * This must be a readable buffer of size
+ * \p secret_len Bytes
+ * \param server_secret The server traffic secret.
+ * This must be a readable buffer of size
+ * \p secret_len Bytes
+ * \param secret_len Length of the secrets \p client_secret and
+ * \p server_secret in Bytes.
+ * \param key_len The desired length of the key to be extracted in Bytes.
+ * \param iv_len The desired length of the IV to be extracted in Bytes.
+ * \param keys The address of the structure holding the generated
+ * keys and IVs.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_make_traffic_keys(
+ psa_algorithm_t hash_alg,
+ const unsigned char *client_secret,
+ const unsigned char *server_secret, size_t secret_len,
+ size_t key_len, size_t iv_len,
+ mbedtls_ssl_key_set *keys);
+
+/**
+ * \brief The \c Derive-Secret function from the TLS 1.3 standard RFC 8446.
+ *
+ * <tt>
+ * Derive-Secret( Secret, Label, Messages ) =
+ * HKDF-Expand-Label( Secret, Label,
+ * Hash( Messages ),
+ * Hash.Length ) )
+ * </tt>
+ *
+ * \param hash_alg The identifier for the hash function used for the
+ * applications of HKDF.
+ * \param secret The \c Secret argument to the \c Derive-Secret function.
+ * This must be a readable buffer of length
+ * \p secret_len Bytes.
+ * \param secret_len The length of \p secret in Bytes.
+ * \param label The \c Label argument to the \c Derive-Secret function.
+ * This must be a readable buffer of length
+ * \p label_len Bytes.
+ * \param label_len The length of \p label in Bytes.
+ * \param ctx The hash of the \c Messages argument to the
+ * \c Derive-Secret function, or the \c Messages argument
+ * itself, depending on \p ctx_hashed.
+ * \param ctx_len The length of \p ctx in Bytes.
+ * \param ctx_hashed This indicates whether the \p ctx contains the hash of
+ * the \c Messages argument in the application of the
+ * \c Derive-Secret function
+ * (value MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED), or whether
+ * it is the content of \c Messages itself, in which case
+ * the function takes care of the hashing
+ * (value MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED).
+ * \param dstbuf The target buffer to write the output of
+ * \c Derive-Secret to. This must be a writable buffer of
+ * size \p dtsbuf_len Bytes.
+ * \param dstbuf_len The length of \p dstbuf in Bytes.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_derive_secret(
+ psa_algorithm_t hash_alg,
+ const unsigned char *secret, size_t secret_len,
+ const unsigned char *label, size_t label_len,
+ const unsigned char *ctx, size_t ctx_len,
+ int ctx_hashed,
+ unsigned char *dstbuf, size_t dstbuf_len);
+
+/**
+ * \brief Derive TLS 1.3 early data key material from early secret.
+ *
+ * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
+ * with the appropriate labels.
+ *
+ * <tt>
+ * Early Secret
+ * |
+ * +-----> Derive-Secret(., "c e traffic", ClientHello)
+ * | = client_early_traffic_secret
+ * |
+ * +-----> Derive-Secret(., "e exp master", ClientHello)
+ * . = early_exporter_master_secret
+ * .
+ * .
+ * </tt>
+ *
+ * \note To obtain the actual key and IV for the early data traffic,
+ * the client secret derived by this function need to be
+ * further processed by mbedtls_ssl_tls13_make_traffic_keys().
+ *
+ * \note The binder key, which is also generated from the early secret,
+ * is omitted here. Its calculation is part of the separate routine
+ * mbedtls_ssl_tls13_create_psk_binder().
+ *
+ * \param hash_alg The hash algorithm associated with the PSK for which
+ * early data key material is being derived.
+ * \param early_secret The early secret from which the early data key material
+ * should be derived. This must be a readable buffer whose
+ * length is the digest size of the hash algorithm
+ * represented by \p md_size.
+ * \param transcript The transcript of the handshake so far, calculated with
+ * respect to \p hash_alg. This must be a readable buffer
+ * whose length is the digest size of the hash algorithm
+ * represented by \p md_size.
+ * \param derived The address of the structure in which to store
+ * the early data key material.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_derive_early_secrets(
+ psa_algorithm_t hash_alg,
+ unsigned char const *early_secret,
+ unsigned char const *transcript, size_t transcript_len,
+ mbedtls_ssl_tls13_early_secrets *derived);
+
+/**
+ * \brief Derive TLS 1.3 handshake key material from the handshake secret.
+ *
+ * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
+ * with the appropriate labels from the standard.
+ *
+ * <tt>
+ * Handshake Secret
+ * |
+ * +-----> Derive-Secret( ., "c hs traffic",
+ * | ClientHello...ServerHello )
+ * | = client_handshake_traffic_secret
+ * |
+ * +-----> Derive-Secret( ., "s hs traffic",
+ * . ClientHello...ServerHello )
+ * . = server_handshake_traffic_secret
+ * .
+ * </tt>
+ *
+ * \note To obtain the actual key and IV for the encrypted handshake traffic,
+ * the client and server secret derived by this function need to be
+ * further processed by mbedtls_ssl_tls13_make_traffic_keys().
+ *
+ * \param hash_alg The hash algorithm associated with the ciphersuite
+ * that's being used for the connection.
+ * \param handshake_secret The handshake secret from which the handshake key
+ * material should be derived. This must be a readable
+ * buffer whose length is the digest size of the hash
+ * algorithm represented by \p md_size.
+ * \param transcript The transcript of the handshake so far, calculated
+ * with respect to \p hash_alg. This must be a readable
+ * buffer whose length is the digest size of the hash
+ * algorithm represented by \p md_size.
+ * \param derived The address of the structure in which to
+ * store the handshake key material.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_derive_handshake_secrets(
+ psa_algorithm_t hash_alg,
+ unsigned char const *handshake_secret,
+ unsigned char const *transcript, size_t transcript_len,
+ mbedtls_ssl_tls13_handshake_secrets *derived);
+
+/**
+ * \brief Derive TLS 1.3 application key material from the master secret.
+ *
+ * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
+ * with the appropriate labels from the standard.
+ *
+ * <tt>
+ * Master Secret
+ * |
+ * +-----> Derive-Secret( ., "c ap traffic",
+ * | ClientHello...server Finished )
+ * | = client_application_traffic_secret_0
+ * |
+ * +-----> Derive-Secret( ., "s ap traffic",
+ * | ClientHello...Server Finished )
+ * | = server_application_traffic_secret_0
+ * |
+ * +-----> Derive-Secret( ., "exp master",
+ * . ClientHello...server Finished)
+ * . = exporter_master_secret
+ * .
+ * </tt>
+ *
+ * \note To obtain the actual key and IV for the (0-th) application traffic,
+ * the client and server secret derived by this function need to be
+ * further processed by mbedtls_ssl_tls13_make_traffic_keys().
+ *
+ * \param hash_alg The hash algorithm associated with the ciphersuite
+ * that's being used for the connection.
+ * \param master_secret The master secret from which the application key
+ * material should be derived. This must be a readable
+ * buffer whose length is the digest size of the hash
+ * algorithm represented by \p md_size.
+ * \param transcript The transcript of the handshake up to and including
+ * the ServerFinished message, calculated with respect
+ * to \p hash_alg. This must be a readable buffer whose
+ * length is the digest size of the hash algorithm
+ * represented by \p hash_alg.
+ * \param derived The address of the structure in which to
+ * store the application key material.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_derive_application_secrets(
+ psa_algorithm_t hash_alg,
+ unsigned char const *master_secret,
+ unsigned char const *transcript, size_t transcript_len,
+ mbedtls_ssl_tls13_application_secrets *derived);
+
+/**
+ * \brief Derive TLS 1.3 resumption master secret from the master secret.
+ *
+ * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
+ * with the appropriate labels from the standard.
+ *
+ * \param hash_alg The hash algorithm used in the application for which
+ * key material is being derived.
+ * \param application_secret The application secret from which the resumption master
+ * secret should be derived. This must be a readable
+ * buffer whose length is the digest size of the hash
+ * algorithm represented by \p md_size.
+ * \param transcript The transcript of the handshake up to and including
+ * the ClientFinished message, calculated with respect
+ * to \p hash_alg. This must be a readable buffer whose
+ * length is the digest size of the hash algorithm
+ * represented by \p hash_alg.
+ * \param transcript_len The length of \p transcript in Bytes.
+ * \param derived The address of the structure in which to
+ * store the resumption master secret.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_derive_resumption_master_secret(
+ psa_algorithm_t hash_alg,
+ unsigned char const *application_secret,
+ unsigned char const *transcript, size_t transcript_len,
+ mbedtls_ssl_tls13_application_secrets *derived);
+
+/**
+ * \brief Compute the next secret in the TLS 1.3 key schedule
+ *
+ * The TLS 1.3 key schedule proceeds as follows to compute
+ * the three main secrets during the handshake: The early
+ * secret for early data, the handshake secret for all
+ * other encrypted handshake messages, and the master
+ * secret for all application traffic.
+ *
+ * <tt>
+ * 0
+ * |
+ * v
+ * PSK -> HKDF-Extract = Early Secret
+ * |
+ * v
+ * Derive-Secret( ., "derived", "" )
+ * |
+ * v
+ * (EC)DHE -> HKDF-Extract = Handshake Secret
+ * |
+ * v
+ * Derive-Secret( ., "derived", "" )
+ * |
+ * v
+ * 0 -> HKDF-Extract = Master Secret
+ * </tt>
+ *
+ * Each of the three secrets in turn is the basis for further
+ * key derivations, such as the derivation of traffic keys and IVs;
+ * see e.g. mbedtls_ssl_tls13_make_traffic_keys().
+ *
+ * This function implements one step in this evolution of secrets:
+ *
+ * <tt>
+ * old_secret
+ * |
+ * v
+ * Derive-Secret( ., "derived", "" )
+ * |
+ * v
+ * input -> HKDF-Extract = new_secret
+ * </tt>
+ *
+ * \param hash_alg The identifier for the hash function used for the
+ * applications of HKDF.
+ * \param secret_old The address of the buffer holding the old secret
+ * on function entry. If not \c NULL, this must be a
+ * readable buffer whose size matches the output size
+ * of the hash function represented by \p hash_alg.
+ * If \c NULL, an all \c 0 array will be used instead.
+ * \param input The address of the buffer holding the additional
+ * input for the key derivation (e.g., the PSK or the
+ * ephemeral (EC)DH secret). If not \c NULL, this must be
+ * a readable buffer whose size \p input_len Bytes.
+ * If \c NULL, an all \c 0 array will be used instead.
+ * \param input_len The length of \p input in Bytes.
+ * \param secret_new The address of the buffer holding the new secret
+ * on function exit. This must be a writable buffer
+ * whose size matches the output size of the hash
+ * function represented by \p hash_alg.
+ * This may be the same as \p secret_old.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_evolve_secret(
+ psa_algorithm_t hash_alg,
+ const unsigned char *secret_old,
+ const unsigned char *input, size_t input_len,
+ unsigned char *secret_new);
+
+/**
+ * \brief Calculate a TLS 1.3 PSK binder.
+ *
+ * \param ssl The SSL context. This is used for debugging only and may
+ * be \c NULL if MBEDTLS_DEBUG_C is disabled.
+ * \param hash_alg The hash algorithm associated to the PSK \p psk.
+ * \param psk The buffer holding the PSK for which to create a binder.
+ * \param psk_len The size of \p psk in bytes.
+ * \param psk_type This indicates whether the PSK \p psk is externally
+ * provisioned (#MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL) or a
+ * resumption PSK (#MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION).
+ * \param transcript The handshake transcript up to the point where the
+ * PSK binder calculation happens. This must be readable,
+ * and its size must be equal to the digest size of
+ * the hash algorithm represented by \p hash_alg.
+ * \param result The address at which to store the PSK binder on success.
+ * This must be writable, and its size must be equal to the
+ * digest size of the hash algorithm represented by
+ * \p hash_alg.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context *ssl,
+ const psa_algorithm_t hash_alg,
+ unsigned char const *psk, size_t psk_len,
+ int psk_type,
+ unsigned char const *transcript,
+ unsigned char *result);
+
+/**
+ * \bref Setup an SSL transform structure representing the
+ * record protection mechanism used by TLS 1.3
+ *
+ * \param transform The SSL transform structure to be created. This must have
+ * been initialized through mbedtls_ssl_transform_init() and
+ * not used in any other way prior to calling this function.
+ * In particular, this function does not clean up the
+ * transform structure prior to installing the new keys.
+ * \param endpoint Indicates whether the transform is for the client
+ * (value #MBEDTLS_SSL_IS_CLIENT) or the server
+ * (value #MBEDTLS_SSL_IS_SERVER).
+ * \param ciphersuite The numerical identifier for the ciphersuite to use.
+ * This must be one of the identifiers listed in
+ * ssl_ciphersuites.h.
+ * \param traffic_keys The key material to use. No reference is stored in
+ * the SSL transform being generated, and the caller
+ * should destroy the key material afterwards.
+ * \param ssl (Debug-only) The SSL context to use for debug output
+ * in case of failure. This parameter is only needed if
+ * #MBEDTLS_DEBUG_C is set, and is ignored otherwise.
+ *
+ * \return \c 0 on success. In this case, \p transform is ready to
+ * be used with mbedtls_ssl_transform_decrypt() and
+ * mbedtls_ssl_transform_encrypt().
+ * \return A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
+ int endpoint,
+ int ciphersuite,
+ mbedtls_ssl_key_set const *traffic_keys,
+ mbedtls_ssl_context *ssl);
+
+/*
+ * TLS 1.3 key schedule evolutions
+ *
+ * Early -> Handshake -> Application
+ *
+ * Small wrappers around mbedtls_ssl_tls13_evolve_secret().
+ */
+
+/**
+ * \brief Begin TLS 1.3 key schedule by calculating early secret.
+ *
+ * The TLS 1.3 key schedule can be viewed as a simple state machine
+ * with states Initial -> Early -> Handshake -> Application, and
+ * this function represents the Initial -> Early transition.
+ *
+ * \param ssl The SSL context to operate on.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief Compute TLS 1.3 resumption master secret.
+ *
+ * \param ssl The SSL context to operate on. This must be in
+ * key schedule stage \c Application, see
+ * mbedtls_ssl_tls13_key_schedule_stage_application().
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief Calculate the verify_data value for the client or server TLS 1.3
+ * Finished message.
+ *
+ * \param ssl The SSL context to operate on. This must be in
+ * key schedule stage \c Handshake, see
+ * mbedtls_ssl_tls13_key_schedule_stage_application().
+ * \param dst The address at which to write the verify_data value.
+ * \param dst_len The size of \p dst in bytes.
+ * \param actual_len The address at which to store the amount of data
+ * actually written to \p dst upon success.
+ * \param which The message to calculate the `verify_data` for:
+ * - #MBEDTLS_SSL_IS_CLIENT for the Client's Finished message
+ * - #MBEDTLS_SSL_IS_SERVER for the Server's Finished message
+ *
+ * \note Both client and server call this function twice, once to
+ * generate their own Finished message, and once to verify the
+ * peer's Finished message.
+
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl,
+ unsigned char *dst,
+ size_t dst_len,
+ size_t *actual_len,
+ int which);
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/**
+ * \brief Compute TLS 1.3 early transform
+ *
+ * \param ssl The SSL context to operate on.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ *
+ * \warning The function does not compute the early master secret. Call
+ * mbedtls_ssl_tls13_key_schedule_stage_early() before to
+ * call this function to generate the early master secret.
+ * \note For a client/server endpoint, the function computes only the
+ * encryption/decryption part of the transform as the decryption/
+ * encryption part is not defined by the specification (no early
+ * traffic from the server to the client).
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_compute_early_transform(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+/**
+ * \brief Compute TLS 1.3 handshake transform
+ *
+ * \param ssl The SSL context to operate on. The early secret must have been
+ * computed.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_compute_handshake_transform(mbedtls_ssl_context *ssl);
+
+/**
+ * \brief Compute TLS 1.3 application transform
+ *
+ * \param ssl The SSL context to operate on. The early secret must have been
+ * computed.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_compute_application_transform(mbedtls_ssl_context *ssl);
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+/**
+ * \brief Export TLS 1.3 PSK from handshake context
+ *
+ * \param[in] ssl The SSL context to operate on.
+ * \param[out] psk PSK output pointer.
+ * \param[out] psk_len Length of PSK.
+ *
+ * \returns \c 0 if there is a configured PSK and it was exported
+ * successfully.
+ * \returns A negative error code on failure.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
+ unsigned char **psk,
+ size_t *psk_len);
+#endif
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
new file mode 100644
index 0000000..2760d76
--- /dev/null
+++ b/library/ssl_tls13_server.c
@@ -0,0 +1,3599 @@
+/*
+ * TLS 1.3 server-side functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#include "debug_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/constant_time.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/psa_util.h"
+
+#include "ssl_misc.h"
+#include "ssl_tls13_keys.h"
+#include "ssl_debug_helpers.h"
+
+
+static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
+ mbedtls_ssl_context *ssl,
+ unsigned int cipher_suite)
+{
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ if (!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
+ return NULL;
+ }
+
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
+ if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
+ ssl->tls_version,
+ ssl->tls_version) != 0)) {
+ return NULL;
+ }
+ return ciphersuite_info;
+}
+
+static void ssl_tls13_select_ciphersuite(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *cipher_suites,
+ const unsigned char *cipher_suites_end,
+ int psk_ciphersuite_id,
+ psa_algorithm_t psk_hash_alg,
+ const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
+{
+ *selected_ciphersuite_info = NULL;
+
+ /*
+ * In a compliant ClientHello the byte-length of the list of ciphersuites
+ * is even and this function relies on this fact. This should have been
+ * checked in the main ClientHello parsing function. Double check here.
+ */
+ if ((cipher_suites_end - cipher_suites) & 1) {
+ return;
+ }
+
+ for (const unsigned char *p = cipher_suites;
+ p < cipher_suites_end; p += 2) {
+ /*
+ * "cipher_suites_end - p is even" is an invariant of the loop. As
+ * cipher_suites_end - p > 0, we have cipher_suites_end - p >= 2 and it
+ * is thus safe to read two bytes.
+ */
+ uint16_t id = MBEDTLS_GET_UINT16_BE(p, 0);
+
+ const mbedtls_ssl_ciphersuite_t *info =
+ ssl_tls13_validate_peer_ciphersuite(ssl, id);
+ if (info == NULL) {
+ continue;
+ }
+
+ /*
+ * If a valid PSK ciphersuite identifier has been passed in, we want
+ * an exact match.
+ */
+ if (psk_ciphersuite_id != 0) {
+ if (id != psk_ciphersuite_id) {
+ continue;
+ }
+ } else if (psk_hash_alg != PSA_ALG_NONE) {
+ if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac) !=
+ psk_hash_alg) {
+ continue;
+ }
+ }
+
+ *selected_ciphersuite_info = info;
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%x",
+ (unsigned) psk_ciphersuite_id, psk_hash_alg));
+}
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+/* From RFC 8446:
+ *
+ * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
+ * struct {
+ * PskKeyExchangeMode ke_modes<1..255>;
+ * } PskKeyExchangeModes;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ const unsigned char *p = buf;
+ size_t ke_modes_len;
+ int ke_modes = 0;
+
+ /* Read ke_modes length (1 Byte) */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
+ ke_modes_len = *p++;
+ /* Currently, there are only two PSK modes, so even without looking
+ * at the content, something's wrong if the list has more than 2 items. */
+ if (ke_modes_len > 2) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ke_modes_len);
+
+ while (ke_modes_len-- != 0) {
+ switch (*p++) {
+ case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
+ ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK KEX MODE"));
+ break;
+ case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
+ ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK_EPHEMERAL KEX MODE"));
+ break;
+ default:
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+ }
+
+ ssl->handshake->tls13_kex_modes = ke_modes;
+ return 0;
+}
+
+/*
+ * Non-error return values of
+ * ssl_tls13_offered_psks_check_identity_match_ticket() and
+ * ssl_tls13_offered_psks_check_identity_match(). They are positive to
+ * not collide with error codes that are negative. Zero
+ * (SSL_TLS1_3_PSK_IDENTITY_MATCH) in case of success as it may be propagated
+ * up by the callers of this function as a generic success condition.
+ *
+ * The return value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE means
+ * that the pre-shared-key identity matches that of a ticket or an externally-
+ * provisioned pre-shared-key. We have thus been able to retrieve the
+ * attributes of the pre-shared-key but at least one of them does not meet
+ * some criteria and the pre-shared-key cannot be used. For example, a ticket
+ * is expired or its version is not TLS 1.3. Note eventually that the return
+ * value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE does not have
+ * anything to do with binder check. A binder check is done only when a
+ * suitable pre-shared-key has been selected and only for that selected
+ * pre-shared-key: if the binder check fails, we fail the handshake and we do
+ * not try to find another pre-shared-key for which the binder check would
+ * succeed as recommended by the specification.
+ */
+#define SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH 2
+#define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1
+#define SSL_TLS1_3_PSK_IDENTITY_MATCH 0
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl);
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_offered_psks_check_identity_match_ticket(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *identity,
+ size_t identity_len,
+ uint32_t obfuscated_ticket_age,
+ mbedtls_ssl_session *session)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *ticket_buffer;
+#if defined(MBEDTLS_HAVE_TIME)
+ mbedtls_ms_time_t now;
+ mbedtls_ms_time_t server_age;
+ uint32_t client_age;
+ mbedtls_ms_time_t age_diff;
+#endif
+
+ ((void) obfuscated_ticket_age);
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> check_identity_match_ticket"));
+
+ /* Ticket parser is not configured, Skip */
+ if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) {
+ return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
+ }
+
+ /* We create a copy of the encrypted ticket since the ticket parsing
+ * function is allowed to use its input buffer as an output buffer
+ * (in-place decryption). We do, however, need the original buffer for
+ * computing the PSK binder value.
+ */
+ ticket_buffer = mbedtls_calloc(1, identity_len);
+ if (ticket_buffer == NULL) {
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ }
+ memcpy(ticket_buffer, identity, identity_len);
+
+ ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket,
+ session,
+ ticket_buffer, identity_len);
+ switch (ret) {
+ case 0:
+ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH;
+ break;
+
+ case MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
+ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
+ break;
+
+ case MBEDTLS_ERR_SSL_INVALID_MAC:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
+ ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
+ break;
+
+ default:
+ MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret);
+ ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
+ }
+
+ /* We delete the temporary buffer */
+ mbedtls_free(ticket_buffer);
+
+ if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) {
+ goto exit;
+ }
+
+ /*
+ * The identity matches that of a ticket. Now check that it has suitable
+ * attributes and bet it will not be the case.
+ */
+ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
+
+ if (session->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket TLS version is not 1.3."));
+ goto exit;
+ }
+
+#if defined(MBEDTLS_HAVE_TIME)
+ now = mbedtls_ms_time();
+
+ if (now < session->ticket_creation_time) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("Invalid ticket creation time ( now = %" MBEDTLS_PRINTF_MS_TIME
+ ", creation_time = %" MBEDTLS_PRINTF_MS_TIME " )",
+ now, session->ticket_creation_time));
+ goto exit;
+ }
+
+ server_age = now - session->ticket_creation_time;
+
+ /* RFC 8446 section 4.6.1
+ *
+ * Servers MUST NOT use any value greater than 604800 seconds (7 days).
+ *
+ * RFC 8446 section 4.2.11.1
+ *
+ * Clients MUST NOT attempt to use tickets which have ages greater than
+ * the "ticket_lifetime" value which was provided with the ticket.
+ *
+ */
+ if (server_age > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME * 1000) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("Ticket age exceeds limitation ticket_age = %" MBEDTLS_PRINTF_MS_TIME,
+ server_age));
+ goto exit;
+ }
+
+ /* RFC 8446 section 4.2.10
+ *
+ * For PSKs provisioned via NewSessionTicket, a server MUST validate that
+ * the ticket age for the selected PSK identity (computed by subtracting
+ * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
+ * within a small tolerance of the time since the ticket was issued.
+ *
+ * NOTE: The typical accuracy of an RTC crystal is ±100 to ±20 parts per
+ * million (360 to 72 milliseconds per hour). Default tolerance
+ * window is 6s, thus in the worst case clients and servers must
+ * sync up their system time every 6000/360/2~=8 hours.
+ */
+ client_age = obfuscated_ticket_age - session->ticket_age_add;
+ age_diff = server_age - (mbedtls_ms_time_t) client_age;
+ if (age_diff < -MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE ||
+ age_diff > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("Ticket age outside tolerance window ( diff = %"
+ MBEDTLS_PRINTF_MS_TIME ")",
+ age_diff));
+ goto exit;
+ }
+#endif /* MBEDTLS_HAVE_TIME */
+
+ /*
+ * All good, we have found a suitable ticket.
+ */
+ ret = SSL_TLS1_3_PSK_IDENTITY_MATCH;
+
+exit:
+ if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) {
+ mbedtls_ssl_session_free(session);
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= check_identity_match_ticket"));
+ return ret;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_offered_psks_check_identity_match(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *identity,
+ size_t identity_len,
+ uint32_t obfuscated_ticket_age,
+ int *psk_type,
+ mbedtls_ssl_session *session)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ((void) session);
+ ((void) obfuscated_ticket_age);
+ *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len);
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ ret = ssl_tls13_offered_psks_check_identity_match_ticket(
+ ssl, identity, identity_len, obfuscated_ticket_age, session);
+ if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH) {
+ *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
+ ret = mbedtls_ssl_set_hs_psk(ssl,
+ session->resumption_key,
+ session->resumption_key_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "Ticket-resumed PSK:",
+ session->resumption_key,
+ session->resumption_key_len);
+ MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",
+ (unsigned) obfuscated_ticket_age));
+ return SSL_TLS1_3_PSK_IDENTITY_MATCH;
+ } else if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE) {
+ return SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE;
+ }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ /* Check identity with external configured function */
+ if (ssl->conf->f_psk != NULL) {
+ if (ssl->conf->f_psk(
+ ssl->conf->p_psk, ssl, identity, identity_len) == 0) {
+ return SSL_TLS1_3_PSK_IDENTITY_MATCH;
+ }
+ return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len);
+ /* Check identity with pre-configured psk */
+ if (ssl->conf->psk_identity != NULL &&
+ identity_len == ssl->conf->psk_identity_len &&
+ mbedtls_ct_memcmp(ssl->conf->psk_identity,
+ identity, identity_len) == 0) {
+ ret = mbedtls_ssl_set_hs_psk(ssl, ssl->conf->psk, ssl->conf->psk_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
+ return ret;
+ }
+ return SSL_TLS1_3_PSK_IDENTITY_MATCH;
+ }
+
+ return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH;
+}
+
+/*
+ * Non-error return values of ssl_tls13_offered_psks_check_binder_match().
+ * They are positive to not collide with error codes that are negative. Zero
+ * (SSL_TLS1_3_BINDER_MATCH) in case of success as it may be propagated up
+ * by the callers of this function as a generic success condition.
+ */
+#define SSL_TLS1_3_BINDER_DOES_NOT_MATCH 1
+#define SSL_TLS1_3_BINDER_MATCH 0
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_offered_psks_check_binder_match(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *binder, size_t binder_len,
+ int psk_type, psa_algorithm_t psk_hash_alg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ unsigned char transcript[PSA_HASH_MAX_SIZE];
+ size_t transcript_len;
+ unsigned char *psk;
+ size_t psk_len;
+ unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
+
+ if (binder_len != PSA_HASH_LENGTH(psk_hash_alg)) {
+ return SSL_TLS1_3_BINDER_DOES_NOT_MATCH;
+ }
+
+ /* Get current state of handshake transcript. */
+ ret = mbedtls_ssl_get_handshake_transcript(
+ ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
+ transcript, sizeof(transcript), &transcript_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_create_psk_binder(ssl, psk_hash_alg,
+ psk, psk_len, psk_type,
+ transcript,
+ server_computed_binder);
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ mbedtls_free((void *) psk);
+#endif
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed."));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( computed ): ",
+ server_computed_binder, transcript_len);
+ MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);
+
+ if (mbedtls_ct_memcmp(server_computed_binder,
+ binder,
+ PSA_HASH_LENGTH(psk_hash_alg)) == 0) {
+ return SSL_TLS1_3_BINDER_MATCH;
+ }
+
+ mbedtls_platform_zeroize(server_computed_binder,
+ sizeof(server_computed_binder));
+ return SSL_TLS1_3_BINDER_DOES_NOT_MATCH;
+}
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
+ const mbedtls_ssl_session *src)
+{
+ dst->ticket_age_add = src->ticket_age_add;
+ dst->ticket_flags = src->ticket_flags;
+ dst->resumption_key_len = src->resumption_key_len;
+ if (src->resumption_key_len == 0) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+ memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len);
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ dst->max_early_data_size = src->max_early_data_size;
+
+#if defined(MBEDTLS_SSL_ALPN)
+ int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
+ if (ret != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_SSL_ALPN */
+#endif /* MBEDTLS_SSL_EARLY_DATA*/
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+struct psk_attributes {
+ int type;
+ int key_exchange_mode;
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+};
+#define PSK_ATTRIBUTES_INIT { 0, 0, NULL }
+
+/* Parser for pre_shared_key extension in client hello
+ * struct {
+ * opaque identity<1..2^16-1>;
+ * uint32 obfuscated_ticket_age;
+ * } PskIdentity;
+ *
+ * opaque PskBinderEntry<32..255>;
+ *
+ * struct {
+ * PskIdentity identities<7..2^16-1>;
+ * PskBinderEntry binders<33..2^16-1>;
+ * } OfferedPsks;
+ *
+ * struct {
+ * select (Handshake.msg_type) {
+ * case client_hello: OfferedPsks;
+ * ....
+ * };
+ * } PreSharedKeyExtension;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_pre_shared_key_ext(
+ mbedtls_ssl_context *ssl,
+ const unsigned char *pre_shared_key_ext,
+ const unsigned char *pre_shared_key_ext_end,
+ const unsigned char *ciphersuites,
+ const unsigned char *ciphersuites_end,
+ struct psk_attributes *psk)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *identities = pre_shared_key_ext;
+ const unsigned char *p_identity_len;
+ size_t identities_len;
+ const unsigned char *identities_end;
+ const unsigned char *binders;
+ const unsigned char *p_binder_len;
+ size_t binders_len;
+ const unsigned char *binders_end;
+ int matched_identity = -1;
+ int identity_id = -1;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key extension",
+ pre_shared_key_ext,
+ pre_shared_key_ext_end - pre_shared_key_ext);
+
+ /* identities_len 2 bytes
+ * identities_data >= 7 bytes
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(identities, pre_shared_key_ext_end, 7 + 2);
+ identities_len = MBEDTLS_GET_UINT16_BE(identities, 0);
+ p_identity_len = identities + 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, pre_shared_key_ext_end,
+ identities_len);
+ identities_end = p_identity_len + identities_len;
+
+ /* binders_len 2 bytes
+ * binders >= 33 bytes
+ */
+ binders = identities_end;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(binders, pre_shared_key_ext_end, 33 + 2);
+ binders_len = MBEDTLS_GET_UINT16_BE(binders, 0);
+ p_binder_len = binders + 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len);
+ binders_end = p_binder_len + binders_len;
+
+ ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
+ identities_end - pre_shared_key_ext);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
+
+ while (p_identity_len < identities_end && p_binder_len < binders_end) {
+ const unsigned char *identity;
+ size_t identity_len;
+ uint32_t obfuscated_ticket_age;
+ const unsigned char *binder;
+ size_t binder_len;
+ int psk_ciphersuite_id;
+ psa_algorithm_t psk_hash_alg;
+ int allowed_key_exchange_modes;
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_session session;
+ mbedtls_ssl_session_init(&session);
+#endif
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);
+ identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);
+ identity = p_identity_len + 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(identity, identities_end, identity_len + 4);
+ obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE(identity, identity_len);
+ p_identity_len += identity_len + 6;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, binders_end, 1 + 32);
+ binder_len = *p_binder_len;
+ binder = p_binder_len + 1;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(binder, binders_end, binder_len);
+ p_binder_len += binder_len + 1;
+
+ identity_id++;
+ if (matched_identity != -1) {
+ continue;
+ }
+
+ ret = ssl_tls13_offered_psks_check_identity_match(
+ ssl, identity, identity_len, obfuscated_ticket_age,
+ &psk->type, &session);
+ if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) {
+ continue;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity"));
+
+ switch (psk->type) {
+ case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
+ psk_ciphersuite_id = 0;
+ psk_hash_alg = PSA_ALG_SHA_256;
+ allowed_key_exchange_modes =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
+ break;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
+ psk_ciphersuite_id = session.ciphersuite;
+ psk_hash_alg = PSA_ALG_NONE;
+ ssl->session_negotiate->ticket_flags = session.ticket_flags;
+ allowed_key_exchange_modes =
+ session.ticket_flags &
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
+ break;
+#endif
+ default:
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
+
+ if ((allowed_key_exchange_modes &
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) &&
+ ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) {
+ psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+ } else if ((allowed_key_exchange_modes &
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) &&
+ ssl_tls13_key_exchange_is_psk_available(ssl)) {
+ psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+ }
+
+ if (psk->key_exchange_mode == MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable PSK key exchange mode"));
+ continue;
+ }
+
+ ssl_tls13_select_ciphersuite(ssl, ciphersuites, ciphersuites_end,
+ psk_ciphersuite_id, psk_hash_alg,
+ &psk->ciphersuite_info);
+
+ if (psk->ciphersuite_info == NULL) {
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_session_free(&session);
+#endif
+ /*
+ * We consider finding a ciphersuite suitable for the PSK as part
+ * of the validation of its binder. Thus if we do not find one, we
+ * abort the handshake with a decrypt_error alert.
+ */
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ ret = ssl_tls13_offered_psks_check_binder_match(
+ ssl, binder, binder_len, psk->type,
+ mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) psk->ciphersuite_info->mac));
+ if (ret != SSL_TLS1_3_BINDER_MATCH) {
+ /* For security reasons, the handshake should be aborted when we
+ * fail to validate a binder value. See RFC 8446 section 4.2.11.2
+ * and appendix E.6. */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_session_free(&session);
+#endif
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder."));
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "ssl_tls13_offered_psks_check_binder_match", ret);
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return ret;
+ }
+
+ matched_identity = identity_id;
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if (psk->type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
+ ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate,
+ &session);
+ mbedtls_ssl_session_free(&session);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+ }
+
+ if (p_identity_len != identities_end || p_binder_len != binders_end) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("pre_shared_key extension decode error"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* Update the handshake transcript with the binder list. */
+ ret = ssl->handshake->update_checksum(
+ ssl, identities_end, (size_t) (binders_end - identities_end));
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
+ if (matched_identity == -1) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("No usable PSK or ticket."));
+ return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+ }
+
+ ssl->handshake->selected_identity = (uint16_t) matched_identity;
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Pre shared key found"));
+
+ return 0;
+}
+
+/*
+ * struct {
+ * select ( Handshake.msg_type ) {
+ * ....
+ * case server_hello:
+ * uint16 selected_identity;
+ * }
+ * } PreSharedKeyExtension;
+ */
+static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *olen)
+{
+ unsigned char *p = (unsigned char *) buf;
+
+ *olen = 0;
+
+ int not_using_psk = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque));
+#else
+ not_using_psk = (ssl->handshake->psk == NULL);
+#endif
+ if (not_using_psk) {
+ /* We shouldn't have called this extension writer unless we've
+ * chosen to use a PSK. */
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension"));
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0);
+ MBEDTLS_PUT_UINT16_BE(2, p, 2);
+
+ MBEDTLS_PUT_UINT16_BE(ssl->handshake->selected_identity, p, 4);
+
+ *olen = 6;
+
+ MBEDTLS_SSL_DEBUG_MSG(4, ("sent selected_identity: %u",
+ ssl->handshake->selected_identity));
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
+
+ return 0;
+}
+
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+
+/* From RFC 8446:
+ * struct {
+ * ProtocolVersion versions<2..254>;
+ * } SupportedVersions;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ const unsigned char *p = buf;
+ size_t versions_len;
+ const unsigned char *versions_end;
+ uint16_t tls_version;
+ int found_supported_version = 0;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
+ versions_len = p[0];
+ p += 1;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, versions_len);
+ versions_end = p + versions_len;
+ while (p < versions_end) {
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, versions_end, 2);
+ tls_version = mbedtls_ssl_read_version(p, ssl->conf->transport);
+ p += 2;
+
+ if (MBEDTLS_SSL_VERSION_TLS1_3 == tls_version) {
+ found_supported_version = 1;
+ break;
+ }
+
+ if ((MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) &&
+ mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
+ found_supported_version = 1;
+ break;
+ }
+ }
+
+ if (!found_supported_version) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("No supported version found."));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
+ MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version: [%04x]",
+ (unsigned int) tls_version));
+
+ return (int) tls_version;
+}
+
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
+/*
+ *
+ * From RFC 8446:
+ * enum {
+ * ... (0xFFFF)
+ * } NamedGroup;
+ * struct {
+ * NamedGroup named_group_list<2..2^16-1>;
+ * } NamedGroupList;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ const unsigned char *p = buf;
+ size_t named_group_list_len;
+ const unsigned char *named_group_list_end;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "supported_groups extension", p, end - buf);
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ named_group_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, named_group_list_len);
+ named_group_list_end = p + named_group_list_len;
+ ssl->handshake->hrr_selected_group = 0;
+
+ while (p < named_group_list_end) {
+ uint16_t named_group;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, named_group_list_end, 2);
+ named_group = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("got named group: %s(%04x)",
+ mbedtls_ssl_named_group_to_str(named_group),
+ named_group));
+
+ if (!mbedtls_ssl_named_group_is_offered(ssl, named_group) ||
+ !mbedtls_ssl_named_group_is_supported(named_group) ||
+ ssl->handshake->hrr_selected_group != 0) {
+ continue;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2,
+ ("add named group %s(%04x) into received list.",
+ mbedtls_ssl_named_group_to_str(named_group),
+ named_group));
+
+ ssl->handshake->hrr_selected_group = named_group;
+ }
+
+ return 0;
+
+}
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
+
+#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+/*
+ * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
+ * extension is correct and stores the first acceptable key share and its
+ * associated group.
+ *
+ * Possible return values are:
+ * - 0: Successful processing of the client provided key share extension.
+ * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by
+ * the client does not match a group supported by the server. A
+ * HelloRetryRequest will be needed.
+ * - A negative value for fatal errors.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char const *p = buf;
+ unsigned char const *client_shares_end;
+ size_t client_shares_len;
+
+ /* From RFC 8446:
+ *
+ * struct {
+ * KeyShareEntry client_shares<0..2^16-1>;
+ * } KeyShareClientHello;
+ *
+ */
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
+ client_shares_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, client_shares_len);
+
+ ssl->handshake->offered_group_id = 0;
+ client_shares_end = p + client_shares_len;
+
+ /* We try to find a suitable key share entry and copy it to the
+ * handshake context. Later, we have to find out whether we can do
+ * something with the provided key share or whether we have to
+ * dismiss it and send a HelloRetryRequest message.
+ */
+
+ while (p < client_shares_end) {
+ uint16_t group;
+ size_t key_exchange_len;
+ const unsigned char *key_exchange;
+
+ /*
+ * struct {
+ * NamedGroup group;
+ * opaque key_exchange<1..2^16-1>;
+ * } KeyShareEntry;
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, 4);
+ group = MBEDTLS_GET_UINT16_BE(p, 0);
+ key_exchange_len = MBEDTLS_GET_UINT16_BE(p, 2);
+ p += 4;
+ key_exchange = p;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, key_exchange_len);
+ p += key_exchange_len;
+
+ /* Continue parsing even if we have already found a match,
+ * for input validation purposes.
+ */
+ if (!mbedtls_ssl_named_group_is_offered(ssl, group) ||
+ !mbedtls_ssl_named_group_is_supported(group) ||
+ ssl->handshake->offered_group_id != 0) {
+ continue;
+ }
+
+ /*
+ * ECDHE and FFDHE groups are supported
+ */
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
+ mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH/FFDH group: %s (%04x)",
+ mbedtls_ssl_named_group_to_str(group),
+ group));
+ ret = mbedtls_ssl_tls13_read_public_xxdhe_share(
+ ssl, key_exchange - 2, key_exchange_len + 2);
+ if (ret != 0) {
+ return ret;
+ }
+
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Unrecognized NamedGroup %u",
+ (unsigned) group));
+ continue;
+ }
+
+ ssl->handshake->offered_group_id = group;
+ }
+
+
+ if (ssl->handshake->offered_group_id == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no matching key share"));
+ return SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH;
+ }
+ return 0;
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl,
+ int exts_mask)
+{
+ int masked = ssl->handshake->received_extensions & exts_mask;
+ return masked == exts_mask;
+}
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
+ mbedtls_ssl_context *ssl)
+{
+ return ssl_tls13_client_hello_has_exts(
+ ssl,
+ MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
+ MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
+ MBEDTLS_SSL_EXT_MASK(SIG_ALG));
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
+ mbedtls_ssl_context *ssl)
+{
+ return ssl_tls13_client_hello_has_exts(
+ ssl,
+ MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
+ MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
+ mbedtls_ssl_context *ssl)
+{
+ return ssl_tls13_client_hello_has_exts(
+ ssl,
+ MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
+ MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
+ MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
+ MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
+ return mbedtls_ssl_conf_tls13_is_psk_enabled(ssl) &&
+ mbedtls_ssl_tls13_is_psk_supported(ssl) &&
+ ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
+#else
+ ((void) ssl);
+ return 0;
+#endif
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
+ return mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl) &&
+ mbedtls_ssl_tls13_is_psk_ephemeral_supported(ssl) &&
+ ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
+#else
+ ((void) ssl);
+ return 0;
+#endif
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ return mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl) &&
+ ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
+#else
+ ((void) ssl);
+ return 0;
+#endif
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
+{
+ switch (sig_alg) {
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
+ return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
+ return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
+ case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
+ return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+ return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+ return PSA_ALG_RSA_PSS(PSA_ALG_SHA_384);
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ return PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
+ return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
+ return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384);
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
+ return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512);
+ default:
+ return PSA_ALG_NONE;
+ }
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/*
+ * Pick best ( private key, certificate chain ) pair based on the signature
+ * algorithms supported by the client.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_key_cert *key_cert, *key_cert_list;
+ const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->sni_key_cert != NULL) {
+ key_cert_list = ssl->handshake->sni_key_cert;
+ } else
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+ key_cert_list = ssl->conf->key_cert;
+
+ if (key_cert_list == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
+ return -1;
+ }
+
+ for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
+ if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
+ continue;
+ }
+
+ if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
+ continue;
+ }
+
+ for (key_cert = key_cert_list; key_cert != NULL;
+ key_cert = key_cert->next) {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm_t psa_alg = PSA_ALG_NONE;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate",
+ key_cert->cert);
+
+ /*
+ * This avoids sending the client a cert it'll reject based on
+ * keyUsage or other extensions.
+ */
+ if (mbedtls_x509_crt_check_key_usage(
+ key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0 ||
+ mbedtls_x509_crt_check_extended_key_usage(
+ key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
+ "(extended) key usage extension"));
+ continue;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("ssl_tls13_pick_key_cert:"
+ "check signature algorithm %s [%04x]",
+ mbedtls_ssl_sig_alg_to_str(*sig_alg),
+ *sig_alg));
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
+ *sig_alg, &key_cert->cert->pk)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ && psa_alg != PSA_ALG_NONE &&
+ mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
+ PSA_KEY_USAGE_SIGN_HASH) == 1
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ ) {
+ ssl->handshake->key_cert = key_cert;
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("ssl_tls13_pick_key_cert:"
+ "selected signature algorithm"
+ " %s [%04x]",
+ mbedtls_ssl_sig_alg_to_str(*sig_alg),
+ *sig_alg));
+ MBEDTLS_SSL_DEBUG_CRT(
+ 3, "selected certificate (chain)",
+ ssl->handshake->key_cert->cert);
+ return 0;
+ }
+ }
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("ssl_tls13_pick_key_cert:"
+ "no suitable certificate found"));
+ return -1;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C &&
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+/*
+ *
+ * STATE HANDLING: ClientHello
+ *
+ * There are three possible classes of outcomes when parsing the ClientHello:
+ *
+ * 1) The ClientHello was well-formed and matched the server's configuration.
+ *
+ * In this case, the server progresses to sending its ServerHello.
+ *
+ * 2) The ClientHello was well-formed but didn't match the server's
+ * configuration.
+ *
+ * For example, the client might not have offered a key share which
+ * the server supports, or the server might require a cookie.
+ *
+ * In this case, the server sends a HelloRetryRequest.
+ *
+ * 3) The ClientHello was ill-formed
+ *
+ * In this case, we abort the handshake.
+ *
+ */
+
+/*
+ * Structure of this message:
+ *
+ * uint16 ProtocolVersion;
+ * opaque Random[32];
+ * uint8 CipherSuite[2]; // Cryptographic suite selector
+ *
+ * struct {
+ * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
+ * Random random;
+ * opaque legacy_session_id<0..32>;
+ * CipherSuite cipher_suites<2..2^16-2>;
+ * opaque legacy_compression_methods<1..2^8-1>;
+ * Extension extensions<8..2^16-1>;
+ * } ClientHello;
+ */
+
+#define SSL_CLIENT_HELLO_OK 0
+#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
+#define SSL_CLIENT_HELLO_TLS1_2 2
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned char *p = buf;
+ const unsigned char *random;
+ size_t legacy_session_id_len;
+ const unsigned char *legacy_session_id;
+ size_t cipher_suites_len;
+ const unsigned char *cipher_suites;
+ const unsigned char *cipher_suites_end;
+ size_t extensions_len;
+ const unsigned char *extensions_end;
+ const unsigned char *supported_versions_data;
+ const unsigned char *supported_versions_data_end;
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+ int hrr_required = 0;
+ int no_usable_share_for_key_agreement = 0;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ int got_psk = 0;
+ struct psk_attributes psk = PSK_ATTRIBUTES_INIT;
+ const unsigned char *pre_shared_key_ext = NULL;
+ const unsigned char *pre_shared_key_ext_end = NULL;
+#endif
+
+ /*
+ * ClientHello layout:
+ * 0 . 1 protocol version
+ * 2 . 33 random bytes
+ * 34 . 34 session id length ( 1 byte )
+ * 35 . 34+x session id
+ * .. . .. ciphersuite list length ( 2 bytes )
+ * .. . .. ciphersuite list
+ * .. . .. compression alg. list length ( 1 byte )
+ * .. . .. compression alg. list
+ * .. . .. extensions length ( 2 bytes, optional )
+ * .. . .. extensions ( optional )
+ */
+
+ /*
+ * Minimal length ( with everything empty and extensions omitted ) is
+ * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
+ * read at least up to session id length without worrying.
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 38);
+
+ /* ...
+ * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
+ * ...
+ * with ProtocolVersion defined as:
+ * uint16 ProtocolVersion;
+ */
+ if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
+ MBEDTLS_SSL_VERSION_TLS1_2) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
+ MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ }
+ p += 2;
+
+ /* ...
+ * Random random;
+ * ...
+ * with Random defined as:
+ * opaque Random[32];
+ */
+ random = p;
+ p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
+
+ /* ...
+ * opaque legacy_session_id<0..32>;
+ * ...
+ */
+ legacy_session_id_len = *(p++);
+ legacy_session_id = p;
+
+ /*
+ * Check we have enough data for the legacy session identifier
+ * and the ciphersuite list length.
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2);
+ p += legacy_session_id_len;
+
+ /* ...
+ * CipherSuite cipher_suites<2..2^16-2>;
+ * ...
+ * with CipherSuite defined as:
+ * uint8 CipherSuite[2];
+ */
+ cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ cipher_suites = p;
+
+ /*
+ * The length of the ciphersuite list has to be even.
+ */
+ if (cipher_suites_len & 1) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+
+ /* Check we have enough data for the ciphersuite list, the legacy
+ * compression methods and the length of the extensions.
+ *
+ * cipher_suites cipher_suites_len bytes
+ * legacy_compression_methods 2 bytes
+ * extensions_len 2 bytes
+ */
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2);
+ p += cipher_suites_len;
+ cipher_suites_end = p;
+
+ /*
+ * Search for the supported versions extension and parse it to determine
+ * if the client supports TLS 1.3.
+ */
+ ret = mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
+ ssl, p + 2, end,
+ &supported_versions_data, &supported_versions_data_end);
+ if (ret < 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ ("mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts"), ret);
+ return ret;
+ }
+
+ if (ret == 0) {
+ return SSL_CLIENT_HELLO_TLS1_2;
+ }
+
+ if (ret == 1) {
+ ret = ssl_tls13_parse_supported_versions_ext(ssl,
+ supported_versions_data,
+ supported_versions_data_end);
+ if (ret < 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ ("ssl_tls13_parse_supported_versions_ext"), ret);
+ return ret;
+ }
+
+ /*
+ * The supported versions extension was parsed successfully as the
+ * value returned by ssl_tls13_parse_supported_versions_ext() is
+ * positive. The return value is then equal to
+ * MBEDTLS_SSL_VERSION_TLS1_2 or MBEDTLS_SSL_VERSION_TLS1_3, defining
+ * the TLS version to negotiate.
+ */
+ if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) {
+ return SSL_CLIENT_HELLO_TLS1_2;
+ }
+ }
+
+ /*
+ * We negotiate TLS 1.3.
+ */
+ ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+ ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+ ssl->session_negotiate->endpoint = ssl->conf->endpoint;
+
+ /*
+ * We are negotiating the version 1.3 of the protocol. Do what we have
+ * postponed: copy of the client random bytes, copy of the legacy session
+ * identifier and selection of the TLS 1.3 cipher suite.
+ */
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
+ random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
+ memcpy(&handshake->randbytes[0], random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
+
+ if (legacy_session_id_len > sizeof(ssl->session_negotiate->id)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ ssl->session_negotiate->id_len = legacy_session_id_len;
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",
+ legacy_session_id, legacy_session_id_len);
+ memcpy(&ssl->session_negotiate->id[0],
+ legacy_session_id, legacy_session_id_len);
+
+ /*
+ * Search for a matching ciphersuite
+ */
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello, list of cipher suites",
+ cipher_suites, cipher_suites_len);
+
+ ssl_tls13_select_ciphersuite(ssl, cipher_suites, cipher_suites_end,
+ 0, PSA_ALG_NONE, &handshake->ciphersuite_info);
+
+ if (handshake->ciphersuite_info == NULL) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+ ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s",
+ ((unsigned) handshake->ciphersuite_info->id),
+ handshake->ciphersuite_info->name));
+
+ /* ...
+ * opaque legacy_compression_methods<1..2^8-1>;
+ * ...
+ */
+ if (p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+ p += 2;
+
+ /* ...
+ * Extension extensions<8..2^16-1>;
+ * ...
+ * with Extension defined as:
+ * struct {
+ * ExtensionType extension_type;
+ * opaque extension_data<0..2^16-1>;
+ * } Extension;
+ */
+ extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
+ p += 2;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
+ extensions_end = p + extensions_len;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len);
+ handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+
+ while (p < extensions_end) {
+ unsigned int extension_type;
+ size_t extension_data_len;
+ const unsigned char *extension_data_end;
+ uint32_t allowed_exts = MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH;
+
+ if (ssl->handshake->hello_retry_request_flag) {
+ /* Do not accept early data extension in 2nd ClientHello */
+ allowed_exts &= ~MBEDTLS_SSL_EXT_MASK(EARLY_DATA);
+ }
+
+ /* RFC 8446, section 4.2.11
+ *
+ * The "pre_shared_key" extension MUST be the last extension in the
+ * ClientHello (this facilitates implementation as described below).
+ * Servers MUST check that it is the last extension and otherwise fail
+ * the handshake with an "illegal_parameter" alert.
+ */
+ if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("pre_shared_key is not last extension."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
+ extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
+ extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
+ p += 4;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
+ extension_data_end = p + extension_data_len;
+
+ ret = mbedtls_ssl_tls13_check_received_extension(
+ ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
+ allowed_exts);
+ if (ret != 0) {
+ return ret;
+ }
+
+ switch (extension_type) {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ case MBEDTLS_TLS_EXT_SERVERNAME:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
+ ret = mbedtls_ssl_parse_server_name_ext(ssl, p,
+ extension_data_end);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_parse_servername_ext", ret);
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
+ case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));
+
+ /* Supported Groups Extension
+ *
+ * When sent by the client, the "supported_groups" extension
+ * indicates the named groups which the client supports,
+ * ordered from most preferred to least preferred.
+ */
+ ret = ssl_tls13_parse_supported_groups_ext(
+ ssl, p, extension_data_end);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "ssl_tls13_parse_supported_groups_ext", ret);
+ return ret;
+ }
+
+ break;
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH*/
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+ case MBEDTLS_TLS_EXT_KEY_SHARE:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension"));
+
+ /*
+ * Key Share Extension
+ *
+ * When sent by the client, the "key_share" extension
+ * contains the endpoint's cryptographic parameters for
+ * ECDHE/DHE key establishment methods.
+ */
+ ret = ssl_tls13_parse_key_shares_ext(
+ ssl, p, extension_data_end);
+ if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("No usable share for key agreement."));
+ no_usable_share_for_key_agreement = 1;
+ }
+
+ if (ret < 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "ssl_tls13_parse_key_shares_ext", ret);
+ return ret;
+ }
+
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+
+ case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
+ /* Already parsed */
+ break;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("found psk key exchange modes extension"));
+
+ ret = ssl_tls13_parse_key_exchange_modes_ext(
+ ssl, p, extension_data_end);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "ssl_tls13_parse_key_exchange_modes_ext", ret);
+ return ret;
+ }
+
+ break;
+#endif
+
+ case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
+ if ((handshake->received_extensions &
+ MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)) == 0) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ /* Delay processing of the PSK identity once we have
+ * found out which algorithms to use. We keep a pointer
+ * to the buffer and the size for later processing.
+ */
+ pre_shared_key_ext = p;
+ pre_shared_key_ext_end = extension_data_end;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+ break;
+
+#if defined(MBEDTLS_SSL_ALPN)
+ case MBEDTLS_TLS_EXT_ALPN:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
+
+ ret = mbedtls_ssl_parse_alpn_ext(ssl, p, extension_data_end);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ("mbedtls_ssl_parse_alpn_ext"), ret);
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ case MBEDTLS_TLS_EXT_SIG_ALG:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
+
+ ret = mbedtls_ssl_parse_sig_alg_ext(
+ ssl, p, extension_data_end);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_parse_sig_alg_ext", ret);
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
+ MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
+
+ ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
+ ssl, p, extension_data_end);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
+ return ret;
+ }
+ break;
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+
+ default:
+ MBEDTLS_SSL_PRINT_EXT(
+ 3, MBEDTLS_SSL_HS_CLIENT_HELLO,
+ extension_type, "( ignored )");
+ break;
+ }
+
+ p += extension_data_len;
+ }
+
+ MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO,
+ handshake->received_extensions);
+
+ ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
+ MBEDTLS_SSL_HS_CLIENT_HELLO,
+ p - buf);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret);
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ /* Update checksum with either
+ * - The entire content of the CH message, if no PSK extension is present
+ * - The content up to but excluding the PSK extension, if present.
+ * Always parse the pre-shared-key extension when present in the
+ * ClientHello even if some pre-requisites for PSK key exchange modes are
+ * not met. That way we always validate the syntax of the extension.
+ */
+ if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {
+ ret = handshake->update_checksum(ssl, buf,
+ pre_shared_key_ext - buf);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
+ ret = ssl_tls13_parse_pre_shared_key_ext(ssl,
+ pre_shared_key_ext,
+ pre_shared_key_ext_end,
+ cipher_suites,
+ cipher_suites_end,
+ &psk);
+ if (ret == 0) {
+ got_psk = 1;
+ } else if (ret != MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "ssl_tls13_parse_pre_shared_key_ext", ret);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
+ {
+ ret = handshake->update_checksum(ssl, buf, p - buf);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
+ }
+
+ /*
+ * Determine the key exchange algorithm to use.
+ * There are three types of key exchanges supported in TLS 1.3:
+ * - (EC)DH with ECDSA,
+ * - (EC)DH with PSK,
+ * - plain PSK.
+ *
+ * The PSK-based key exchanges may additionally be used with 0-RTT.
+ *
+ * Our built-in order of preference is
+ * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
+ * 2 ) Certificate Mode ( ephemeral )
+ * 3 ) Plain PSK Mode ( psk )
+ */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ if (got_psk && (psk.key_exchange_mode ==
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL)) {
+ handshake->key_exchange_mode =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
+
+ } else
+#endif
+ if (ssl_tls13_key_exchange_is_ephemeral_available(ssl)) {
+ handshake->key_exchange_mode =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
+
+ }
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ else if (got_psk && (psk.key_exchange_mode ==
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK)) {
+ handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
+ }
+#endif
+ else {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1,
+ ("ClientHello message misses mandatory extensions."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ if (handshake->key_exchange_mode &
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL) {
+ handshake->ciphersuite_info = psk.ciphersuite_info;
+ ssl->session_negotiate->ciphersuite = psk.ciphersuite_info->id;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("Select PSK ciphersuite: %04x - %s",
+ ((unsigned) psk.ciphersuite_info->id),
+ psk.ciphersuite_info->name));
+
+ if (psk.type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
+ handshake->resume = 1;
+ }
+ }
+#endif
+
+ if (handshake->key_exchange_mode !=
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) {
+ hrr_required = (no_usable_share_for_key_agreement != 0);
+ }
+
+ mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info);
+
+ return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+static int ssl_tls13_check_early_data_requirements(mbedtls_ssl_context *ssl)
+{
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+ if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1,
+ ("EarlyData: rejected, feature disabled in server configuration."));
+ return -1;
+ }
+
+ if (!handshake->resume) {
+ /* We currently support early data only in the case of PSKs established
+ via a NewSessionTicket message thus in the case of a session
+ resumption. */
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("EarlyData: rejected, not a session resumption."));
+ return -1;
+ }
+
+ /* RFC 8446 4.2.10
+ *
+ * In order to accept early data, the server MUST have accepted a PSK cipher
+ * suite and selected the first key offered in the client's "pre_shared_key"
+ * extension. In addition, it MUST verify that the following values are the
+ * same as those associated with the selected PSK:
+ * - The TLS version number
+ * - The selected cipher suite
+ * - The selected ALPN [RFC7301] protocol, if any
+ *
+ * NOTE:
+ * - The TLS version number is checked in
+ * ssl_tls13_offered_psks_check_identity_match_ticket().
+ */
+
+ if (handshake->selected_identity != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("EarlyData: rejected, the selected key in "
+ "`pre_shared_key` is not the first one."));
+ return -1;
+ }
+
+ if (handshake->ciphersuite_info->id !=
+ ssl->session_negotiate->ciphersuite) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("EarlyData: rejected, the selected ciphersuite is not the one "
+ "of the selected pre-shared key."));
+ return -1;
+
+ }
+
+ if (!mbedtls_ssl_tls13_session_ticket_allow_early_data(ssl->session_negotiate)) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1,
+ ("EarlyData: rejected, early_data not allowed in ticket "
+ "permission bits."));
+ return -1;
+ }
+
+#if defined(MBEDTLS_SSL_ALPN)
+ const char *alpn = mbedtls_ssl_get_alpn_protocol(ssl);
+ size_t alpn_len;
+
+ if (alpn == NULL && ssl->session_negotiate->ticket_alpn == NULL) {
+ return 0;
+ }
+
+ if (alpn != NULL) {
+ alpn_len = strlen(alpn);
+ }
+
+ if (alpn == NULL ||
+ ssl->session_negotiate->ticket_alpn == NULL ||
+ alpn_len != strlen(ssl->session_negotiate->ticket_alpn) ||
+ (memcmp(alpn, ssl->session_negotiate->ticket_alpn, alpn_len) != 0)) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, the selected ALPN is different "
+ "from the one associated with the pre-shared key."));
+ return -1;
+ }
+#endif
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+/* Update the handshake state machine */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl,
+ int hrr_required)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ /*
+ * Server certificate selection
+ */
+ if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
+ return ret;
+ }
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ ssl->handshake->sni_name = NULL;
+ ssl->handshake->sni_name_len = 0;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+ ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret);
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
+ ssl->handshake->early_data_accepted =
+ (!hrr_required) && (ssl_tls13_check_early_data_requirements(ssl) == 0);
+
+ if (ssl->handshake->early_data_accepted) {
+ ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
+ return ret;
+ }
+ } else {
+ ssl->discard_early_data_record =
+ hrr_required ?
+ MBEDTLS_SSL_EARLY_DATA_DISCARD :
+ MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD;
+ }
+ }
+#else
+ ((void) hrr_required);
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+ return 0;
+}
+
+/*
+ * Main entry point from the state machine; orchestrates the otherfunctions.
+ */
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
+{
+
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf = NULL;
+ size_t buflen = 0;
+ int parse_client_hello_ret;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
+ &buf, &buflen));
+
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_parse_client_hello(ssl, buf,
+ buf + buflen));
+ parse_client_hello_ret = ret; /* Store positive return value of
+ * parse_client_hello,
+ * as negative error codes are handled
+ * by MBEDTLS_SSL_PROC_CHK_NEG. */
+
+ /*
+ * Version 1.2 of the protocol has to be used for the handshake.
+ * If TLS 1.2 is not supported, abort the handshake. Otherwise, set the
+ * ssl->keep_current_message flag for the ClientHello to be kept and parsed
+ * as a TLS 1.2 ClientHello. We also change ssl->tls_version to
+ * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
+ * will dispatch to the TLS 1.2 state machine.
+ */
+ if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) {
+ /* Check if server supports TLS 1.2 */
+ if (!mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("TLS 1.2 not supported."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
+ MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
+ return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+ }
+ ssl->keep_current_message = 1;
+ ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+ return 0;
+ }
+
+ MBEDTLS_SSL_PROC_CHK(
+ ssl_tls13_postprocess_client_hello(ssl, parse_client_hello_ret ==
+ SSL_CLIENT_HELLO_HRR_REQUIRED));
+
+ if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
+ } else {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST);
+ }
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
+ return ret;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_SERVER_HELLO
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *server_randbytes =
+ ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
+
+ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
+ return ret;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", server_randbytes,
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN);
+
+#if defined(MBEDTLS_HAVE_TIME)
+ ssl->session_negotiate->start = mbedtls_time(NULL);
+#endif /* MBEDTLS_HAVE_TIME */
+
+ return ret;
+}
+
+/*
+ * ssl_tls13_write_server_hello_supported_versions_ext ():
+ *
+ * struct {
+ * ProtocolVersion selected_version;
+ * } SupportedVersions;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_server_hello_supported_versions_ext(
+ mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ *out_len = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, write selected version"));
+
+ /* Check if we have space to write the extension:
+ * - extension_type (2 bytes)
+ * - extension_data_length (2 bytes)
+ * - selected_version (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0);
+
+ MBEDTLS_PUT_UINT16_BE(2, buf, 2);
+
+ mbedtls_ssl_write_version(buf + 4,
+ ssl->conf->transport,
+ ssl->tls_version);
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%04x]",
+ ssl->tls_version));
+
+ *out_len = 6;
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(
+ ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
+
+ return 0;
+}
+
+
+
+/* Generate and export a single key share. For hybrid KEMs, this can
+ * be called multiple times with the different components of the hybrid. */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
+ uint16_t named_group,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ *out_len = 0;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+ if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group) ||
+ mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
+ ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
+ ssl, named_group, buf, end, out_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange",
+ ret);
+ return ret;
+ }
+ } else
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+ if (0 /* Other kinds of KEMs */) {
+ } else {
+ ((void) ssl);
+ ((void) named_group);
+ ((void) buf);
+ ((void) end);
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ return ret;
+}
+
+/*
+ * ssl_tls13_write_key_share_ext
+ *
+ * Structure of key_share extension in ServerHello:
+ *
+ * struct {
+ * NamedGroup group;
+ * opaque key_exchange<1..2^16-1>;
+ * } KeyShareEntry;
+ * struct {
+ * KeyShareEntry server_share;
+ * } KeyShareServerHello;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ uint16_t group = ssl->handshake->offered_group_id;
+ unsigned char *server_share = buf + 4;
+ size_t key_exchange_length;
+
+ *out_len = 0;
+
+ MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension"));
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("server hello, write selected_group: %s (%04x)",
+ mbedtls_ssl_named_group_to_str(group),
+ group));
+
+ /* Check if we have space for header and length fields:
+ * - extension_type (2 bytes)
+ * - extension_data_length (2 bytes)
+ * - group (2 bytes)
+ * - key_exchange_length (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8);
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, p, 0);
+ MBEDTLS_PUT_UINT16_BE(group, server_share, 0);
+ p += 8;
+
+ /* When we introduce PQC-ECDHE hybrids, we'll want to call this
+ * function multiple times. */
+ ret = ssl_tls13_generate_and_write_key_share(
+ ssl, group, server_share + 4, end, &key_exchange_length);
+ if (ret != 0) {
+ return ret;
+ }
+ p += key_exchange_length;
+
+ MBEDTLS_PUT_UINT16_BE(key_exchange_length, server_share + 2, 0);
+
+ MBEDTLS_PUT_UINT16_BE(p - server_share, buf, 2);
+
+ *out_len = p - buf;
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ uint16_t selected_group = ssl->handshake->hrr_selected_group;
+ /* key_share Extension
+ *
+ * struct {
+ * select (Handshake.msg_type) {
+ * ...
+ * case hello_retry_request:
+ * NamedGroup selected_group;
+ * ...
+ * };
+ * } KeyShare;
+ */
+
+ *out_len = 0;
+
+ /*
+ * For a pure PSK key exchange, there is no group to agree upon. The purpose
+ * of the HRR is then to transmit a cookie to force the client to demonstrate
+ * reachability at their apparent network address (primarily useful for DTLS).
+ */
+ if (!mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
+ return 0;
+ }
+
+ /* We should only send the key_share extension if the client's initial
+ * key share was not acceptable. */
+ if (ssl->handshake->offered_group_id != 0) {
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Skip key_share extension in HRR"));
+ return 0;
+ }
+
+ if (selected_group == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found"));
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ /* Check if we have enough space:
+ * - extension_type (2 bytes)
+ * - extension_data_length (2 bytes)
+ * - selected_group (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
+
+ MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
+ MBEDTLS_PUT_UINT16_BE(2, buf, 2);
+ MBEDTLS_PUT_UINT16_BE(selected_group, buf, 4);
+
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("HRR selected_group: %s (%x)",
+ mbedtls_ssl_named_group_to_str(selected_group),
+ selected_group));
+
+ *out_len = 6;
+
+ mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
+
+ return 0;
+}
+
+/*
+ * Structure of ServerHello message:
+ *
+ * struct {
+ * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
+ * Random random;
+ * opaque legacy_session_id_echo<0..32>;
+ * CipherSuite cipher_suite;
+ * uint8 legacy_compression_method = 0;
+ * Extension extensions<6..2^16-1>;
+ * } ServerHello;
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len,
+ int is_hrr)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ unsigned char *p_extensions_len;
+ size_t output_len;
+
+ *out_len = 0;
+ ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+
+ /* ...
+ * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
+ * ...
+ * with ProtocolVersion defined as:
+ * uint16 ProtocolVersion;
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ MBEDTLS_PUT_UINT16_BE(0x0303, p, 0);
+ p += 2;
+
+ /* ...
+ * Random random;
+ * ...
+ * with Random defined as:
+ * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
+ if (is_hrr) {
+ memcpy(p, mbedtls_ssl_tls13_hello_retry_request_magic,
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN);
+ } else {
+ memcpy(p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
+ MBEDTLS_SERVER_HELLO_RANDOM_LEN);
+ }
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
+ p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
+ p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
+
+ /* ...
+ * opaque legacy_session_id_echo<0..32>;
+ * ...
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + ssl->session_negotiate->id_len);
+ *p++ = (unsigned char) ssl->session_negotiate->id_len;
+ if (ssl->session_negotiate->id_len > 0) {
+ memcpy(p, &ssl->session_negotiate->id[0],
+ ssl->session_negotiate->id_len);
+ p += ssl->session_negotiate->id_len;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,
+ ssl->session_negotiate->id_len);
+ }
+
+ /* ...
+ * CipherSuite cipher_suite;
+ * ...
+ * with CipherSuite defined as:
+ * uint8 CipherSuite[2];
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
+ p += 2;
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("server hello, chosen ciphersuite: %s ( id=%d )",
+ mbedtls_ssl_get_ciphersuite_name(
+ ssl->session_negotiate->ciphersuite),
+ ssl->session_negotiate->ciphersuite));
+
+ /* ...
+ * uint8 legacy_compression_method = 0;
+ * ...
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);
+ *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+
+ /* ...
+ * Extension extensions<6..2^16-1>;
+ * ...
+ * struct {
+ * ExtensionType extension_type; (2 bytes)
+ * opaque extension_data<0..2^16-1>;
+ * } Extension;
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ p_extensions_len = p;
+ p += 2;
+
+ if ((ret = ssl_tls13_write_server_hello_supported_versions_ext(
+ ssl, p, end, &output_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret);
+ return ret;
+ }
+ p += output_len;
+
+ if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
+ if (is_hrr) {
+ ret = ssl_tls13_write_hrr_key_share_ext(ssl, p, end, &output_len);
+ } else {
+ ret = ssl_tls13_write_key_share_ext(ssl, p, end, &output_len);
+ }
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ if (!is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
+ ret = ssl_tls13_write_server_pre_shared_key_ext(ssl, p, end, &output_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_server_pre_shared_key_ext",
+ ret);
+ return ret;
+ }
+ p += output_len;
+ }
+#endif
+
+ MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions",
+ p_extensions_len, p - p_extensions_len);
+
+ *out_len = p - buf;
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "server hello", buf, *out_len);
+
+ MBEDTLS_SSL_PRINT_EXTS(
+ 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
+ MBEDTLS_SSL_HS_SERVER_HELLO,
+ ssl->handshake->sent_extensions);
+
+ return ret;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_finalize_server_hello(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "mbedtls_ssl_tls13_compute_handshake_transform",
+ ret);
+ return ret;
+ }
+
+ return ret;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
+ buf + buf_len,
+ &msg_len,
+ 0));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
+ ssl, buf_len, msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_server_hello(ssl));
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ /* The server sends a dummy change_cipher_spec record immediately
+ * after its first handshake message. This may either be after
+ * a ServerHello or a HelloRetryRequest.
+ */
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO);
+#else
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
+ return ret;
+}
+
+
+/*
+ * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ if (ssl->handshake->hello_retry_request_flag) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs"));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+
+ /*
+ * Create stateless transcript hash for HRR
+ */
+ MBEDTLS_SSL_DEBUG_MSG(4, ("Reset transcript for HRR"));
+ ret = mbedtls_ssl_reset_transcript_for_hrr(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_transcript_for_hrr", ret);
+ return ret;
+ }
+ mbedtls_ssl_session_reset_msg_layer(ssl, 0);
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request"));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_hello_retry_request(ssl));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
+ buf + buf_len,
+ &msg_len,
+ 1));
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
+
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,
+ msg_len));
+
+ ssl->handshake->hello_retry_request_flag = 1;
+
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ /* The server sends a dummy change_cipher_spec record immediately
+ * after its first handshake message. This may either be after
+ * a ServerHello or a HelloRetryRequest.
+ */
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST);
+#else
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+cleanup:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request"));
+ return ret;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
+ */
+
+/*
+ * struct {
+ * Extension extensions<0..2 ^ 16 - 1>;
+ * } EncryptedExtensions;
+ *
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ size_t extensions_len = 0;
+ unsigned char *p_extensions_len;
+ size_t output_len;
+
+ *out_len = 0;
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ p_extensions_len = p;
+ p += 2;
+
+ ((void) ssl);
+ ((void) ret);
+ ((void) output_len);
+
+#if defined(MBEDTLS_SSL_ALPN)
+ ret = mbedtls_ssl_write_alpn_ext(ssl, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->handshake->early_data_accepted) {
+ ret = mbedtls_ssl_tls13_write_early_data_ext(
+ ssl, 0, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) {
+ ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
+ ssl, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+ p += output_len;
+ }
+#endif
+
+ extensions_len = (p - p_extensions_len) - 2;
+ MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
+
+ *out_len = p - buf;
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "encrypted extensions", buf, *out_len);
+
+ MBEDTLS_SSL_PRINT_EXTS(
+ 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions);
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ mbedtls_ssl_set_outbound_transform(ssl,
+ ssl->handshake->transform_handshake);
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ("switching to handshake transform for outbound data"));
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions"));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
+ ssl, buf, buf + buf_len, &msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+ buf, msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
+ ssl, buf_len, msg_len));
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+ } else {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
+ }
+#else
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+#endif
+
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extensions"));
+ return ret;
+}
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
+#define SSL_CERTIFICATE_REQUEST_SKIP 1
+/* Coordination:
+ * Check whether a CertificateRequest message should be written.
+ * Returns a negative code on failure, or
+ * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
+ * - SSL_CERTIFICATE_REQUEST_SKIP
+ * indicating if the writing of the CertificateRequest
+ * should be skipped or not.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
+{
+ int authmode;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
+ authmode = ssl->handshake->sni_authmode;
+ } else
+#endif
+ authmode = ssl->conf->authmode;
+
+ if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
+ ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
+ return SSL_CERTIFICATE_REQUEST_SKIP;
+ }
+
+ ssl->handshake->certificate_request_sent = 1;
+
+ return SSL_CERTIFICATE_REQUEST_SEND_REQUEST;
+}
+
+/*
+ * struct {
+ * opaque certificate_request_context<0..2^8-1>;
+ * Extension extensions<2..2^16-1>;
+ * } CertificateRequest;
+ *
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_certificate_request_body(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *out_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ size_t output_len = 0;
+ unsigned char *p_extensions_len;
+
+ *out_len = 0;
+
+ /* Check if we have enough space:
+ * - certificate_request_context (1 byte)
+ * - extensions length (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
+
+ /*
+ * Write certificate_request_context
+ */
+ /*
+ * We use a zero length context for the normal handshake
+ * messages. For post-authentication handshake messages
+ * this request context would be set to a non-zero value.
+ */
+ *p++ = 0x0;
+
+ /*
+ * Write extensions
+ */
+ /* The extensions must contain the signature_algorithms. */
+ p_extensions_len = p;
+ p += 2;
+ ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);
+ if (ret != 0) {
+ return ret;
+ }
+
+ p += output_len;
+ MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
+
+ *out_len = p - buf;
+
+ MBEDTLS_SSL_PRINT_EXTS(
+ 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions);
+
+ return 0;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
+
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
+
+ if (ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST) {
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
+ ssl, buf, buf + buf_len, &msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+ buf, msg_len));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
+ ssl, buf_len, msg_len));
+ } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
+ ret = 0;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto cleanup;
+ }
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
+cleanup:
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
+ return ret;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_server_certificate(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if ((ssl_tls13_pick_key_cert(ssl) != 0) ||
+ mbedtls_ssl_own_cert(ssl) == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("No certificate available."));
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+ ret = mbedtls_ssl_tls13_write_certificate(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
+ return 0;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
+{
+ int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+ return 0;
+}
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+/*
+ * RFC 8446 section A.2
+ *
+ * | Send ServerHello
+ * | K_send = handshake
+ * | Send EncryptedExtensions
+ * | [Send CertificateRequest]
+ * Can send | [Send Certificate + CertificateVerify]
+ * app data | Send Finished
+ * after --> | K_send = application
+ * here +--------+--------+
+ * No 0-RTT | | 0-RTT
+ * | |
+ * K_recv = handshake | | K_recv = early data
+ * [Skip decrypt errors] | +------> WAIT_EOED -+
+ * | | Recv | | Recv EndOfEarlyData
+ * | | early data | | K_recv = handshake
+ * | +------------+ |
+ * | |
+ * +> WAIT_FLIGHT2 <--------+
+ * |
+ * +--------+--------+
+ * No auth | | Client auth
+ * | |
+ * | v
+ * | WAIT_CERT
+ * | Recv | | Recv Certificate
+ * | empty | v
+ * | Certificate | WAIT_CV
+ * | | | Recv
+ * | v | CertificateVerify
+ * +-> WAIT_FINISHED <---+
+ * | Recv Finished
+ *
+ *
+ * The following function handles the state changes after WAIT_FLIGHT2 in the
+ * above diagram. We are not going to receive early data related messages
+ * anymore, prepare to receive the first handshake message of the client
+ * second flight.
+ */
+static void ssl_tls13_prepare_for_handshake_second_flight(
+ mbedtls_ssl_context *ssl)
+{
+ if (ssl->handshake->certificate_request_sent) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate"));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
+ }
+}
+
+/*
+ * Handler for MBEDTLS_SSL_SERVER_FINISHED
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_ssl_tls13_write_finished_message(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
+ return ret;
+ }
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->handshake->early_data_accepted) {
+ /* See RFC 8446 section A.2 for more information */
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to early keys for inbound traffic. "
+ "( K_recv = early data )"));
+ mbedtls_ssl_set_inbound_transform(
+ ssl, ssl->handshake->transform_earlydata);
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
+ return 0;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to handshake keys for inbound traffic "
+ "( K_recv = handshake )"));
+ mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake);
+
+ ssl_tls13_prepare_for_handshake_second_flight(ssl);
+
+ return 0;
+}
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+/*
+ * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
+ */
+#define SSL_GOT_END_OF_EARLY_DATA 0
+#define SSL_GOT_EARLY_DATA 1
+/* Coordination:
+ * Deals with the ambiguity of not knowing if the next message is an
+ * EndOfEarlyData message or an application message containing early data.
+ * Returns a negative code on failure, or
+ * - SSL_GOT_END_OF_EARLY_DATA
+ * - SSL_GOT_EARLY_DATA
+ * indicating which message is received.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
+ return ret;
+ }
+ ssl->keep_current_message = 1;
+
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+ ssl->in_msg[0] == MBEDTLS_SSL_HS_END_OF_EARLY_DATA) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Received an end_of_early_data message."));
+ return SSL_GOT_END_OF_EARLY_DATA;
+ }
+
+ if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+ if (ssl->in_offt == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data"));
+ /* Set the reading pointer */
+ ssl->in_offt = ssl->in_msg;
+ ret = mbedtls_ssl_tls13_check_early_data_len(ssl, ssl->in_msglen);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+ return SSL_GOT_EARLY_DATA;
+ }
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
+ MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+}
+
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_end_of_early_data(mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end)
+{
+ /* RFC 8446 section 4.5
+ *
+ * struct {} EndOfEarlyData;
+ */
+ if (buf != end) {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR);
+ return MBEDTLS_ERR_SSL_DECODE_ERROR;
+ }
+ return 0;
+}
+
+/*
+ * RFC 8446 section A.2
+ *
+ * | Send ServerHello
+ * | K_send = handshake
+ * | Send EncryptedExtensions
+ * | [Send CertificateRequest]
+ * Can send | [Send Certificate + CertificateVerify]
+ * app data | Send Finished
+ * after --> | K_send = application
+ * here +--------+--------+
+ * No 0-RTT | | 0-RTT
+ * | |
+ * K_recv = handshake | | K_recv = early data
+ * [Skip decrypt errors] | +------> WAIT_EOED -+
+ * | | Recv | | Recv EndOfEarlyData
+ * | | early data | | K_recv = handshake
+ * | +------------+ |
+ * | |
+ * +> WAIT_FLIGHT2 <--------+
+ * |
+ * +--------+--------+
+ * No auth | | Client auth
+ * | |
+ * | v
+ * | WAIT_CERT
+ * | Recv | | Recv Certificate
+ * | empty | v
+ * | Certificate | WAIT_CV
+ * | | | Recv
+ * | v | CertificateVerify
+ * +-> WAIT_FINISHED <---+
+ * | Recv Finished
+ *
+ * The function handles actions and state changes from 0-RTT to WAIT_FLIGHT2 in
+ * the above diagram.
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_end_of_early_data"));
+
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_end_of_early_data_coordinate(ssl));
+
+ if (ret == SSL_GOT_END_OF_EARLY_DATA) {
+ unsigned char *buf;
+ size_t buf_len;
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data(
+ ssl, buf, buf + buf_len));
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to handshake keys for inbound traffic"
+ "( K_recv = handshake )"));
+ mbedtls_ssl_set_inbound_transform(
+ ssl, ssl->handshake->transform_handshake);
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
+ buf, buf_len));
+
+ ssl_tls13_prepare_for_handshake_second_flight(ssl);
+
+ } else if (ret == SSL_GOT_EARLY_DATA) {
+ ret = MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA;
+ goto cleanup;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto cleanup;
+ }
+
+cleanup:
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_end_of_early_data"));
+ return ret;
+}
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+/*
+ * Handler for MBEDTLS_SSL_CLIENT_FINISHED
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_ssl_tls13_process_finished_message(ssl);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_compute_resumption_master_secret", ret);
+ }
+
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
+ return 0;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
+{
+ MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
+
+ mbedtls_ssl_tls13_handshake_wrapup(ssl);
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+/* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires
+ * SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is
+ * expected to be resolved with issue#6395.
+ */
+ /* Sent NewSessionTicket message only when client supports PSK */
+ if (mbedtls_ssl_tls13_is_some_psk_supported(ssl)) {
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
+ } else
+#endif
+ {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
+ }
+ return 0;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
+ */
+#define SSL_NEW_SESSION_TICKET_SKIP 0
+#define SSL_NEW_SESSION_TICKET_WRITE 1
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ssl)
+{
+ /* Check whether the use of session tickets is enabled */
+ if (ssl->conf->f_ticket_write == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
+ " callback is not set"));
+ return SSL_NEW_SESSION_TICKET_SKIP;
+ }
+ if (ssl->conf->new_session_tickets_count == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
+ " configured count is zero"));
+ return SSL_NEW_SESSION_TICKET_SKIP;
+ }
+
+ if (ssl->handshake->new_session_tickets_count == 0) {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: all tickets have "
+ "been sent."));
+ return SSL_NEW_SESSION_TICKET_SKIP;
+ }
+
+ return SSL_NEW_SESSION_TICKET_WRITE;
+}
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
+ unsigned char *ticket_nonce,
+ size_t ticket_nonce_size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_ssl_session *session = ssl->session;
+ mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ psa_algorithm_t psa_hash_alg;
+ int hash_length;
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg"));
+
+ /* Set ticket_flags depends on the advertised psk key exchange mode */
+ mbedtls_ssl_tls13_session_clear_ticket_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+ mbedtls_ssl_tls13_session_set_ticket_flags(
+ session, ssl->handshake->tls13_kex_modes);
+#endif
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED &&
+ ssl->conf->max_early_data_size > 0) {
+ mbedtls_ssl_tls13_session_set_ticket_flags(
+ session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
+ session->max_early_data_size = ssl->conf->max_early_data_size;
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+ MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
+ if (session->ticket_alpn == NULL) {
+ ret = mbedtls_ssl_session_set_ticket_alpn(session, ssl->alpn_chosen);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+#endif
+
+ /* Generate ticket_age_add */
+ if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
+ (unsigned char *) &session->ticket_age_add,
+ sizeof(session->ticket_age_add)) != 0)) {
+ MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);
+ return ret;
+ }
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
+ (unsigned int) session->ticket_age_add));
+
+ /* Generate ticket_nonce */
+ ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);
+ return ret;
+ }
+ MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:",
+ ticket_nonce, ticket_nonce_size);
+
+ ciphersuite_info =
+ (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
+ psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
+ hash_length = PSA_HASH_LENGTH(psa_hash_alg);
+ if (hash_length == -1 ||
+ (size_t) hash_length > sizeof(session->resumption_key)) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* In this code the psk key length equals the length of the hash */
+ session->resumption_key_len = hash_length;
+ session->ciphersuite = ciphersuite_info->id;
+
+ /* Compute resumption key
+ *
+ * HKDF-Expand-Label( resumption_master_secret,
+ * "resumption", ticket_nonce, Hash.length )
+ */
+ ret = mbedtls_ssl_tls13_hkdf_expand_label(
+ psa_hash_alg,
+ session->app_secrets.resumption_master_secret,
+ hash_length,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
+ ticket_nonce,
+ ticket_nonce_size,
+ session->resumption_key,
+ hash_length);
+
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(2,
+ "Creating the ticket-resumed PSK failed",
+ ret);
+ return ret;
+ }
+ MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
+ session->resumption_key,
+ session->resumption_key_len);
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
+ session->app_secrets.resumption_master_secret,
+ hash_length);
+
+ return 0;
+}
+
+/* This function creates a NewSessionTicket message in the following format:
+ *
+ * struct {
+ * uint32 ticket_lifetime;
+ * uint32 ticket_age_add;
+ * opaque ticket_nonce<0..255>;
+ * opaque ticket<1..2^16-1>;
+ * Extension extensions<0..2^16-2>;
+ * } NewSessionTicket;
+ *
+ * The ticket inside the NewSessionTicket message is an encrypted container
+ * carrying the necessary information so that the server is later able to
+ * re-start the communication.
+ *
+ * The following fields are placed inside the ticket by the
+ * f_ticket_write() function:
+ *
+ * - creation time (ticket_creation_time)
+ * - flags (ticket_flags)
+ * - age add (ticket_age_add)
+ * - key (resumption_key)
+ * - key length (resumption_key_len)
+ * - ciphersuite (ciphersuite)
+ * - max_early_data_size (max_early_data_size)
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ unsigned char *end,
+ size_t *out_len,
+ unsigned char *ticket_nonce,
+ size_t ticket_nonce_size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p = buf;
+ mbedtls_ssl_session *session = ssl->session;
+ size_t ticket_len;
+ uint32_t ticket_lifetime;
+ unsigned char *p_extensions_len;
+
+ *out_len = 0;
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg"));
+
+ /*
+ * ticket_lifetime 4 bytes
+ * ticket_age_add 4 bytes
+ * ticket_nonce 1 + ticket_nonce_size bytes
+ * ticket >=2 bytes
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2);
+
+ /* Generate ticket and ticket_lifetime */
+#if defined(MBEDTLS_HAVE_TIME)
+ session->ticket_creation_time = mbedtls_ms_time();
+#endif
+ ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
+ session,
+ p + 9 + ticket_nonce_size + 2,
+ end,
+ &ticket_len,
+ &ticket_lifetime);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret);
+ return ret;
+ }
+
+ /* RFC 8446 section 4.6.1
+ *
+ * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
+ * unsigned integer in network byte order from the time of ticket
+ * issuance. Servers MUST NOT use any value greater than
+ * 604800 seconds (7 days) ...
+ */
+ if (ticket_lifetime > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Ticket lifetime (%u) is greater than 7 days.",
+ (unsigned int) ticket_lifetime));
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",
+ (unsigned int) ticket_lifetime));
+
+ /* Write ticket_age_add */
+ MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 4);
+ MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
+ (unsigned int) session->ticket_age_add));
+
+ /* Write ticket_nonce */
+ p[8] = (unsigned char) ticket_nonce_size;
+ if (ticket_nonce_size > 0) {
+ memcpy(p + 9, ticket_nonce, ticket_nonce_size);
+ }
+ p += 9 + ticket_nonce_size;
+
+ /* Write ticket */
+ MBEDTLS_PUT_UINT16_BE(ticket_len, p, 0);
+ p += 2;
+ MBEDTLS_SSL_DEBUG_BUF(4, "ticket", p, ticket_len);
+ p += ticket_len;
+
+ /* Ticket Extensions
+ *
+ * Extension extensions<0..2^16-2>;
+ */
+ ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
+
+ MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
+ p_extensions_len = p;
+ p += 2;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ if (mbedtls_ssl_tls13_session_ticket_allow_early_data(session)) {
+ size_t output_len;
+
+ if ((ret = mbedtls_ssl_tls13_write_early_data_ext(
+ ssl, 1, p, end, &output_len)) != 0) {
+ MBEDTLS_SSL_DEBUG_RET(
+ 1, "mbedtls_ssl_tls13_write_early_data_ext", ret);
+ return ret;
+ }
+ p += output_len;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 4, ("early_data not allowed, "
+ "skip early_data extension in NewSessionTicket"));
+ }
+
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+ MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
+
+ *out_len = p - buf;
+ MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len);
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
+
+ MBEDTLS_SSL_PRINT_EXTS(
+ 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions);
+
+ return 0;
+}
+
+/*
+ * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
+ */
+static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_write_new_session_ticket_coordinate(ssl));
+
+ if (ret == SSL_NEW_SESSION_TICKET_WRITE) {
+ unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket(
+ ssl, ticket_nonce, sizeof(ticket_nonce)));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
+ ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
+ &buf, &buf_len));
+
+ MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body(
+ ssl, buf, buf + buf_len, &msg_len,
+ ticket_nonce, sizeof(ticket_nonce)));
+
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
+ ssl, buf_len, msg_len));
+
+ /* Limit session tickets count to one when resumption connection.
+ *
+ * See document of mbedtls_ssl_conf_new_session_tickets.
+ */
+ if (ssl->handshake->resume == 1) {
+ ssl->handshake->new_session_tickets_count = 0;
+ } else {
+ ssl->handshake->new_session_tickets_count--;
+ }
+
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH);
+ } else {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
+ }
+
+cleanup:
+
+ return ret;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * TLS 1.3 State Machine -- server side
+ */
+int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG(2, ("tls13 server state: %s(%d)",
+ mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state),
+ ssl->state));
+
+ switch (ssl->state) {
+ /* start state */
+ case MBEDTLS_SSL_HELLO_REQUEST:
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
+ ret = 0;
+ break;
+
+ case MBEDTLS_SSL_CLIENT_HELLO:
+ ret = ssl_tls13_process_client_hello(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_process_client_hello", ret);
+ }
+ break;
+
+ case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
+ ret = ssl_tls13_write_hello_retry_request(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_hello_retry_request", ret);
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_SSL_SERVER_HELLO:
+ ret = ssl_tls13_write_server_hello(ssl);
+ break;
+
+ case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
+ ret = ssl_tls13_write_encrypted_extensions(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_encrypted_extensions", ret);
+ return ret;
+ }
+ break;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+ ret = ssl_tls13_write_certificate_request(ssl);
+ break;
+
+ case MBEDTLS_SSL_SERVER_CERTIFICATE:
+ ret = ssl_tls13_write_server_certificate(ssl);
+ break;
+
+ case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+ ret = ssl_tls13_write_certificate_verify(ssl);
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+ /*
+ * Injection of dummy-CCS's for middlebox compatibility
+ */
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
+ if (ret == 0) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
+ }
+ break;
+
+ case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
+ if (ret != 0) {
+ break;
+ }
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+
+ case MBEDTLS_SSL_SERVER_FINISHED:
+ ret = ssl_tls13_write_server_finished(ssl);
+ break;
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ case MBEDTLS_SSL_END_OF_EARLY_DATA:
+ ret = ssl_tls13_process_end_of_early_data(ssl);
+ break;
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
+ case MBEDTLS_SSL_CLIENT_FINISHED:
+ ret = ssl_tls13_process_client_finished(ssl);
+ break;
+
+ case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+ ret = ssl_tls13_handshake_wrapup(ssl);
+ break;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+ ret = mbedtls_ssl_tls13_process_certificate(ssl);
+ if (ret == 0) {
+ if (ssl->session_negotiate->peer_cert != NULL) {
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_FINISHED);
+ }
+ }
+ break;
+
+ case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
+ ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
+ if (ret == 0) {
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_CLIENT_FINISHED);
+ }
+ break;
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
+ ret = ssl_tls13_write_new_session_ticket(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1,
+ "ssl_tls13_write_new_session_ticket ",
+ ret);
+ }
+ break;
+ case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:
+ /* This state is necessary to do the flush of the New Session
+ * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
+ * as part of ssl_prepare_handshake_step.
+ */
+ ret = 0;
+
+ if (ssl->handshake->new_session_tickets_count == 0) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
+ } else {
+ mbedtls_ssl_handshake_set_state(
+ ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
+ }
+ break;
+
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+ default:
+ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
+ return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ }
+
+ return ret;
+}
+
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/threading.c b/library/threading.c
new file mode 100644
index 0000000..85db243
--- /dev/null
+++ b/library/threading.c
@@ -0,0 +1,195 @@
+/*
+ * Threading abstraction layer
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * mbedtls_config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#include "common.h"
+
+#if defined(MBEDTLS_THREADING_C)
+
+#include "mbedtls/threading.h"
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+
+#if !defined(_WIN32) && (defined(unix) || \
+ defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+ defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+ * (__APPLE__ && __MACH__)) */
+
+#if !((defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L) || \
+ (defined(_POSIX_THREAD_SAFE_FUNCTIONS) && \
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L))
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+
+#if !(defined(_WIN32) && !defined(EFIX64) && !defined(EFI32))
+#define THREADING_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
+ ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
+
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+static void threading_mutex_init_pthread(mbedtls_threading_mutex_t *mutex)
+{
+ if (mutex == NULL) {
+ return;
+ }
+
+ /* One problem here is that calling lock on a pthread mutex without first
+ * having initialised it is undefined behaviour. Obviously we cannot check
+ * this here in a thread safe manner without a significant performance
+ * hit, so state transitions are checked in tests only via the state
+ * variable. Please make sure any new mutex that gets added is exercised in
+ * tests; see tests/src/threading_helpers.c for more details. */
+ (void) pthread_mutex_init(&mutex->mutex, NULL);
+}
+
+static void threading_mutex_free_pthread(mbedtls_threading_mutex_t *mutex)
+{
+ if (mutex == NULL) {
+ return;
+ }
+
+ (void) pthread_mutex_destroy(&mutex->mutex);
+}
+
+static int threading_mutex_lock_pthread(mbedtls_threading_mutex_t *mutex)
+{
+ if (mutex == NULL) {
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+ }
+
+ if (pthread_mutex_lock(&mutex->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+
+ return 0;
+}
+
+static int threading_mutex_unlock_pthread(mbedtls_threading_mutex_t *mutex)
+{
+ if (mutex == NULL) {
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+ }
+
+ if (pthread_mutex_unlock(&mutex->mutex) != 0) {
+ return MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+
+ return 0;
+}
+
+void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *) = threading_mutex_init_pthread;
+void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *) = threading_mutex_free_pthread;
+int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *) = threading_mutex_lock_pthread;
+int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *) = threading_mutex_unlock_pthread;
+
+/*
+ * With pthreads we can statically initialize mutexes
+ */
+#define MUTEX_INIT = { PTHREAD_MUTEX_INITIALIZER, 1 }
+
+#endif /* MBEDTLS_THREADING_PTHREAD */
+
+#if defined(MBEDTLS_THREADING_ALT)
+static int threading_mutex_fail(mbedtls_threading_mutex_t *mutex)
+{
+ ((void) mutex);
+ return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
+}
+static void threading_mutex_dummy(mbedtls_threading_mutex_t *mutex)
+{
+ ((void) mutex);
+ return;
+}
+
+void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *) = threading_mutex_dummy;
+void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *) = threading_mutex_dummy;
+int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *) = threading_mutex_fail;
+int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *) = threading_mutex_fail;
+
+/*
+ * Set functions pointers and initialize global mutexes
+ */
+void mbedtls_threading_set_alt(void (*mutex_init)(mbedtls_threading_mutex_t *),
+ void (*mutex_free)(mbedtls_threading_mutex_t *),
+ int (*mutex_lock)(mbedtls_threading_mutex_t *),
+ int (*mutex_unlock)(mbedtls_threading_mutex_t *))
+{
+ mbedtls_mutex_init = mutex_init;
+ mbedtls_mutex_free = mutex_free;
+ mbedtls_mutex_lock = mutex_lock;
+ mbedtls_mutex_unlock = mutex_unlock;
+
+#if defined(MBEDTLS_FS_IO)
+ mbedtls_mutex_init(&mbedtls_threading_readdir_mutex);
+#endif
+#if defined(THREADING_USE_GMTIME)
+ mbedtls_mutex_init(&mbedtls_threading_gmtime_mutex);
+#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_mutex_init(&mbedtls_threading_key_slot_mutex);
+ mbedtls_mutex_init(&mbedtls_threading_psa_globaldata_mutex);
+ mbedtls_mutex_init(&mbedtls_threading_psa_rngdata_mutex);
+#endif
+}
+
+/*
+ * Free global mutexes
+ */
+void mbedtls_threading_free_alt(void)
+{
+#if defined(MBEDTLS_FS_IO)
+ mbedtls_mutex_free(&mbedtls_threading_readdir_mutex);
+#endif
+#if defined(THREADING_USE_GMTIME)
+ mbedtls_mutex_free(&mbedtls_threading_gmtime_mutex);
+#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_mutex_free(&mbedtls_threading_key_slot_mutex);
+ mbedtls_mutex_free(&mbedtls_threading_psa_globaldata_mutex);
+ mbedtls_mutex_free(&mbedtls_threading_psa_rngdata_mutex);
+#endif
+}
+#endif /* MBEDTLS_THREADING_ALT */
+
+/*
+ * Define global mutexes
+ */
+#ifndef MUTEX_INIT
+#define MUTEX_INIT
+#endif
+#if defined(MBEDTLS_FS_IO)
+mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
+#endif
+#if defined(THREADING_USE_GMTIME)
+mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
+#endif
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+mbedtls_threading_mutex_t mbedtls_threading_key_slot_mutex MUTEX_INIT;
+mbedtls_threading_mutex_t mbedtls_threading_psa_globaldata_mutex MUTEX_INIT;
+mbedtls_threading_mutex_t mbedtls_threading_psa_rngdata_mutex MUTEX_INIT;
+#endif
+
+#endif /* MBEDTLS_THREADING_C */
diff --git a/library/timing.c b/library/timing.c
new file mode 100644
index 0000000..58f1c1e
--- /dev/null
+++ b/library/timing.c
@@ -0,0 +1,154 @@
+/*
+ * Portable interface to the CPU cycle counter
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_TIMING_C)
+
+#include "mbedtls/timing.h"
+
+#if !defined(MBEDTLS_TIMING_ALT)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+ !defined(__HAIKU__) && !defined(__midipix__)
+#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in mbedtls_config.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#include <windows.h>
+#include <process.h>
+
+struct _hr_time {
+ LARGE_INTEGER start;
+};
+
+#else
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <signal.h>
+/* time.h should be included independently of MBEDTLS_HAVE_TIME. If the
+ * platform matches the ifdefs above, it will be used. */
+#include <time.h>
+#include <sys/time.h>
+struct _hr_time {
+ struct timeval start;
+};
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+/**
+ * \brief Return the elapsed time in milliseconds
+ *
+ * \warning May change without notice
+ *
+ * \param val points to a timer structure
+ * \param reset If 0, query the elapsed time. Otherwise (re)start the timer.
+ *
+ * \return Elapsed time since the previous reset in ms. When
+ * restarting, this is always 0.
+ *
+ * \note To initialize a timer, call this function with reset=1.
+ *
+ * Determining the elapsed time and resetting the timer is not
+ * atomic on all platforms, so after the sequence
+ * `{ get_timer(1); ...; time1 = get_timer(1); ...; time2 =
+ * get_timer(0) }` the value time1+time2 is only approximately
+ * the delay since the first reset.
+ */
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset)
+{
+ struct _hr_time *t = (struct _hr_time *) val;
+
+ if (reset) {
+ QueryPerformanceCounter(&t->start);
+ return 0;
+ } else {
+ unsigned long delta;
+ LARGE_INTEGER now, hfreq;
+ QueryPerformanceCounter(&now);
+ QueryPerformanceFrequency(&hfreq);
+ delta = (unsigned long) ((now.QuadPart - t->start.QuadPart) * 1000ul
+ / hfreq.QuadPart);
+ return delta;
+ }
+}
+
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset)
+{
+ struct _hr_time *t = (struct _hr_time *) val;
+
+ if (reset) {
+ gettimeofday(&t->start, NULL);
+ return 0;
+ } else {
+ unsigned long delta;
+ struct timeval now;
+ gettimeofday(&now, NULL);
+ delta = (now.tv_sec - t->start.tv_sec) * 1000ul
+ + (now.tv_usec - t->start.tv_usec) / 1000;
+ return delta;
+ }
+}
+
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Set delays to watch
+ */
+void mbedtls_timing_set_delay(void *data, uint32_t int_ms, uint32_t fin_ms)
+{
+ mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+
+ ctx->int_ms = int_ms;
+ ctx->fin_ms = fin_ms;
+
+ if (fin_ms != 0) {
+ (void) mbedtls_timing_get_timer(&ctx->timer, 1);
+ }
+}
+
+/*
+ * Get number of delays expired
+ */
+int mbedtls_timing_get_delay(void *data)
+{
+ mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+ unsigned long elapsed_ms;
+
+ if (ctx->fin_ms == 0) {
+ return -1;
+ }
+
+ elapsed_ms = mbedtls_timing_get_timer(&ctx->timer, 0);
+
+ if (elapsed_ms >= ctx->fin_ms) {
+ return 2;
+ }
+
+ if (elapsed_ms >= ctx->int_ms) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/*
+ * Get the final delay.
+ */
+uint32_t mbedtls_timing_get_final_delay(
+ const mbedtls_timing_delay_context *data)
+{
+ return data->fin_ms;
+}
+#endif /* !MBEDTLS_TIMING_ALT */
+#endif /* MBEDTLS_TIMING_C */
diff --git a/library/version.c b/library/version.c
new file mode 100644
index 0000000..0439733
--- /dev/null
+++ b/library/version.c
@@ -0,0 +1,32 @@
+/*
+ * Version information
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+#include <string.h>
+
+unsigned int mbedtls_version_get_number(void)
+{
+ return MBEDTLS_VERSION_NUMBER;
+}
+
+void mbedtls_version_get_string(char *string)
+{
+ memcpy(string, MBEDTLS_VERSION_STRING,
+ sizeof(MBEDTLS_VERSION_STRING));
+}
+
+void mbedtls_version_get_string_full(char *string)
+{
+ memcpy(string, MBEDTLS_VERSION_STRING_FULL,
+ sizeof(MBEDTLS_VERSION_STRING_FULL));
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/library/version_features.c b/library/version_features.c
new file mode 100644
index 0000000..406161d
--- /dev/null
+++ b/library/version_features.c
@@ -0,0 +1,841 @@
+/*
+ * Version feature information
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+
+#include <string.h>
+
+static const char * const features[] = {
+#if defined(MBEDTLS_VERSION_FEATURES)
+ #if defined(MBEDTLS_HAVE_ASM)
+ "HAVE_ASM", //no-check-names
+#endif /* MBEDTLS_HAVE_ASM */
+#if defined(MBEDTLS_NO_UDBL_DIVISION)
+ "NO_UDBL_DIVISION", //no-check-names
+#endif /* MBEDTLS_NO_UDBL_DIVISION */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+ "NO_64BIT_MULTIPLICATION", //no-check-names
+#endif /* MBEDTLS_NO_64BIT_MULTIPLICATION */
+#if defined(MBEDTLS_HAVE_SSE2)
+ "HAVE_SSE2", //no-check-names
+#endif /* MBEDTLS_HAVE_SSE2 */
+#if defined(MBEDTLS_HAVE_TIME)
+ "HAVE_TIME", //no-check-names
+#endif /* MBEDTLS_HAVE_TIME */
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+ "HAVE_TIME_DATE", //no-check-names
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+ "PLATFORM_MEMORY", //no-check-names
+#endif /* MBEDTLS_PLATFORM_MEMORY */
+#if defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+ "PLATFORM_NO_STD_FUNCTIONS", //no-check-names
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+#if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
+ "PLATFORM_SETBUF_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+ "PLATFORM_EXIT_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+ "PLATFORM_TIME_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+ "PLATFORM_FPRINTF_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+ "PLATFORM_PRINTF_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+ "PLATFORM_SNPRINTF_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT)
+ "PLATFORM_VSNPRINTF_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+ "PLATFORM_NV_SEED_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#if defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+ "PLATFORM_SETUP_TEARDOWN_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+#if defined(MBEDTLS_PLATFORM_MS_TIME_ALT)
+ "PLATFORM_MS_TIME_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_MS_TIME_ALT */
+#if defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+ "PLATFORM_GMTIME_R_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */
+#if defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
+ "PLATFORM_ZEROIZE_ALT", //no-check-names
+#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+ "DEPRECATED_WARNING", //no-check-names
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+ "DEPRECATED_REMOVED", //no-check-names
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#if defined(MBEDTLS_TIMING_ALT)
+ "TIMING_ALT", //no-check-names
+#endif /* MBEDTLS_TIMING_ALT */
+#if defined(MBEDTLS_AES_ALT)
+ "AES_ALT", //no-check-names
+#endif /* MBEDTLS_AES_ALT */
+#if defined(MBEDTLS_ARIA_ALT)
+ "ARIA_ALT", //no-check-names
+#endif /* MBEDTLS_ARIA_ALT */
+#if defined(MBEDTLS_CAMELLIA_ALT)
+ "CAMELLIA_ALT", //no-check-names
+#endif /* MBEDTLS_CAMELLIA_ALT */
+#if defined(MBEDTLS_CCM_ALT)
+ "CCM_ALT", //no-check-names
+#endif /* MBEDTLS_CCM_ALT */
+#if defined(MBEDTLS_CHACHA20_ALT)
+ "CHACHA20_ALT", //no-check-names
+#endif /* MBEDTLS_CHACHA20_ALT */
+#if defined(MBEDTLS_CHACHAPOLY_ALT)
+ "CHACHAPOLY_ALT", //no-check-names
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+#if defined(MBEDTLS_CMAC_ALT)
+ "CMAC_ALT", //no-check-names
+#endif /* MBEDTLS_CMAC_ALT */
+#if defined(MBEDTLS_DES_ALT)
+ "DES_ALT", //no-check-names
+#endif /* MBEDTLS_DES_ALT */
+#if defined(MBEDTLS_DHM_ALT)
+ "DHM_ALT", //no-check-names
+#endif /* MBEDTLS_DHM_ALT */
+#if defined(MBEDTLS_ECJPAKE_ALT)
+ "ECJPAKE_ALT", //no-check-names
+#endif /* MBEDTLS_ECJPAKE_ALT */
+#if defined(MBEDTLS_GCM_ALT)
+ "GCM_ALT", //no-check-names
+#endif /* MBEDTLS_GCM_ALT */
+#if defined(MBEDTLS_NIST_KW_ALT)
+ "NIST_KW_ALT", //no-check-names
+#endif /* MBEDTLS_NIST_KW_ALT */
+#if defined(MBEDTLS_MD5_ALT)
+ "MD5_ALT", //no-check-names
+#endif /* MBEDTLS_MD5_ALT */
+#if defined(MBEDTLS_POLY1305_ALT)
+ "POLY1305_ALT", //no-check-names
+#endif /* MBEDTLS_POLY1305_ALT */
+#if defined(MBEDTLS_RIPEMD160_ALT)
+ "RIPEMD160_ALT", //no-check-names
+#endif /* MBEDTLS_RIPEMD160_ALT */
+#if defined(MBEDTLS_RSA_ALT)
+ "RSA_ALT", //no-check-names
+#endif /* MBEDTLS_RSA_ALT */
+#if defined(MBEDTLS_SHA1_ALT)
+ "SHA1_ALT", //no-check-names
+#endif /* MBEDTLS_SHA1_ALT */
+#if defined(MBEDTLS_SHA256_ALT)
+ "SHA256_ALT", //no-check-names
+#endif /* MBEDTLS_SHA256_ALT */
+#if defined(MBEDTLS_SHA512_ALT)
+ "SHA512_ALT", //no-check-names
+#endif /* MBEDTLS_SHA512_ALT */
+#if defined(MBEDTLS_ECP_ALT)
+ "ECP_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_ALT */
+#if defined(MBEDTLS_MD5_PROCESS_ALT)
+ "MD5_PROCESS_ALT", //no-check-names
+#endif /* MBEDTLS_MD5_PROCESS_ALT */
+#if defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+ "RIPEMD160_PROCESS_ALT", //no-check-names
+#endif /* MBEDTLS_RIPEMD160_PROCESS_ALT */
+#if defined(MBEDTLS_SHA1_PROCESS_ALT)
+ "SHA1_PROCESS_ALT", //no-check-names
+#endif /* MBEDTLS_SHA1_PROCESS_ALT */
+#if defined(MBEDTLS_SHA256_PROCESS_ALT)
+ "SHA256_PROCESS_ALT", //no-check-names
+#endif /* MBEDTLS_SHA256_PROCESS_ALT */
+#if defined(MBEDTLS_SHA512_PROCESS_ALT)
+ "SHA512_PROCESS_ALT", //no-check-names
+#endif /* MBEDTLS_SHA512_PROCESS_ALT */
+#if defined(MBEDTLS_DES_SETKEY_ALT)
+ "DES_SETKEY_ALT", //no-check-names
+#endif /* MBEDTLS_DES_SETKEY_ALT */
+#if defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+ "DES_CRYPT_ECB_ALT", //no-check-names
+#endif /* MBEDTLS_DES_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+ "DES3_CRYPT_ECB_ALT", //no-check-names
+#endif /* MBEDTLS_DES3_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+ "AES_SETKEY_ENC_ALT", //no-check-names
+#endif /* MBEDTLS_AES_SETKEY_ENC_ALT */
+#if defined(MBEDTLS_AES_SETKEY_DEC_ALT)
+ "AES_SETKEY_DEC_ALT", //no-check-names
+#endif /* MBEDTLS_AES_SETKEY_DEC_ALT */
+#if defined(MBEDTLS_AES_ENCRYPT_ALT)
+ "AES_ENCRYPT_ALT", //no-check-names
+#endif /* MBEDTLS_AES_ENCRYPT_ALT */
+#if defined(MBEDTLS_AES_DECRYPT_ALT)
+ "AES_DECRYPT_ALT", //no-check-names
+#endif /* MBEDTLS_AES_DECRYPT_ALT */
+#if defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+ "ECDH_GEN_PUBLIC_ALT", //no-check-names
+#endif /* MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+#if defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+ "ECDH_COMPUTE_SHARED_ALT", //no-check-names
+#endif /* MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+ "ECDSA_VERIFY_ALT", //no-check-names
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+ "ECDSA_SIGN_ALT", //no-check-names
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#if defined(MBEDTLS_ECDSA_GENKEY_ALT)
+ "ECDSA_GENKEY_ALT", //no-check-names
+#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+ "ECP_INTERNAL_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+#if defined(MBEDTLS_ECP_NO_FALLBACK)
+ "ECP_NO_FALLBACK", //no-check-names
+#endif /* MBEDTLS_ECP_NO_FALLBACK */
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+ "ECP_RANDOMIZE_JAC_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+ "ECP_ADD_MIXED_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+ "ECP_DOUBLE_JAC_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+ "ECP_NORMALIZE_JAC_MANY_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+ "ECP_NORMALIZE_JAC_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+ "ECP_DOUBLE_ADD_MXZ_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+ "ECP_RANDOMIZE_MXZ_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+ "ECP_NORMALIZE_MXZ_ALT", //no-check-names
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+ "ENTROPY_HARDWARE_ALT", //no-check-names
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+#if defined(MBEDTLS_AES_ROM_TABLES)
+ "AES_ROM_TABLES", //no-check-names
+#endif /* MBEDTLS_AES_ROM_TABLES */
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+ "AES_FEWER_TABLES", //no-check-names
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
+ "AES_ONLY_128_BIT_KEY_LENGTH", //no-check-names
+#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ "AES_USE_HARDWARE_ONLY", //no-check-names
+#endif /* MBEDTLS_AES_USE_HARDWARE_ONLY */
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+ "CAMELLIA_SMALL_MEMORY", //no-check-names
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+#if defined(MBEDTLS_CHECK_RETURN_WARNING)
+ "CHECK_RETURN_WARNING", //no-check-names
+#endif /* MBEDTLS_CHECK_RETURN_WARNING */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ "CIPHER_MODE_CBC", //no-check-names
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ "CIPHER_MODE_CFB", //no-check-names
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ "CIPHER_MODE_CTR", //no-check-names
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ "CIPHER_MODE_OFB", //no-check-names
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ "CIPHER_MODE_XTS", //no-check-names
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+ "CIPHER_NULL_CIPHER", //no-check-names
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+ "CIPHER_PADDING_PKCS7", //no-check-names
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+ "CIPHER_PADDING_ONE_AND_ZEROS", //no-check-names
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+ "CIPHER_PADDING_ZEROS_AND_LEN", //no-check-names
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+ "CIPHER_PADDING_ZEROS", //no-check-names
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+ "CTR_DRBG_USE_128_BIT_KEY", //no-check-names
+#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+ "ECDH_VARIANT_EVEREST_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ "ECP_DP_SECP192R1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ "ECP_DP_SECP224R1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ "ECP_DP_SECP256R1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ "ECP_DP_SECP384R1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ "ECP_DP_SECP521R1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ "ECP_DP_SECP192K1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ "ECP_DP_SECP224K1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ "ECP_DP_SECP256K1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ "ECP_DP_BP256R1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ "ECP_DP_BP384R1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ "ECP_DP_BP512R1_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ "ECP_DP_CURVE25519_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ "ECP_DP_CURVE448_ENABLED", //no-check-names
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+ "ECP_NIST_OPTIM", //no-check-names
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ "ECP_RESTARTABLE", //no-check-names
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#if defined(MBEDTLS_ECP_WITH_MPI_UINT)
+ "ECP_WITH_MPI_UINT", //no-check-names
+#endif /* MBEDTLS_ECP_WITH_MPI_UINT */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ "ECDSA_DETERMINISTIC", //no-check-names
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+ "KEY_EXCHANGE_PSK_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+ "KEY_EXCHANGE_DHE_PSK_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+ "KEY_EXCHANGE_ECDHE_PSK_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+ "KEY_EXCHANGE_RSA_PSK_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+ "KEY_EXCHANGE_RSA_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+ "KEY_EXCHANGE_DHE_RSA_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+ "KEY_EXCHANGE_ECDHE_RSA_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+ "KEY_EXCHANGE_ECDHE_ECDSA_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ "KEY_EXCHANGE_ECDH_ECDSA_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+ "KEY_EXCHANGE_ECDH_RSA_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ "KEY_EXCHANGE_ECJPAKE_ENABLED", //no-check-names
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+ "PK_PARSE_EC_EXTENDED", //no-check-names
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+#if defined(MBEDTLS_PK_PARSE_EC_COMPRESSED)
+ "PK_PARSE_EC_COMPRESSED", //no-check-names
+#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
+#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+ "ERROR_STRERROR_DUMMY", //no-check-names
+#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
+#if defined(MBEDTLS_GENPRIME)
+ "GENPRIME", //no-check-names
+#endif /* MBEDTLS_GENPRIME */
+#if defined(MBEDTLS_FS_IO)
+ "FS_IO", //no-check-names
+#endif /* MBEDTLS_FS_IO */
+#if defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+ "NO_DEFAULT_ENTROPY_SOURCES", //no-check-names
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+#if defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+ "NO_PLATFORM_ENTROPY", //no-check-names
+#endif /* MBEDTLS_NO_PLATFORM_ENTROPY */
+#if defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+ "ENTROPY_FORCE_SHA256", //no-check-names
+#endif /* MBEDTLS_ENTROPY_FORCE_SHA256 */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+ "ENTROPY_NV_SEED", //no-check-names
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+ "PSA_CRYPTO_KEY_ID_ENCODES_OWNER", //no-check-names
+#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
+#if defined(MBEDTLS_MEMORY_DEBUG)
+ "MEMORY_DEBUG", //no-check-names
+#endif /* MBEDTLS_MEMORY_DEBUG */
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+ "MEMORY_BACKTRACE", //no-check-names
+#endif /* MBEDTLS_MEMORY_BACKTRACE */
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+ "PK_RSA_ALT_SUPPORT", //no-check-names
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+#if defined(MBEDTLS_PKCS1_V15)
+ "PKCS1_V15", //no-check-names
+#endif /* MBEDTLS_PKCS1_V15 */
+#if defined(MBEDTLS_PKCS1_V21)
+ "PKCS1_V21", //no-check-names
+#endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+ "PSA_CRYPTO_BUILTIN_KEYS", //no-check-names
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+ "PSA_CRYPTO_CLIENT", //no-check-names
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+ "PSA_CRYPTO_EXTERNAL_RNG", //no-check-names
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+#if defined(MBEDTLS_PSA_CRYPTO_SPM)
+ "PSA_CRYPTO_SPM", //no-check-names
+#endif /* MBEDTLS_PSA_CRYPTO_SPM */
+#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+ "PSA_P256M_DRIVER_ENABLED", //no-check-names
+#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+ "PSA_INJECT_ENTROPY", //no-check-names
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+#if defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS)
+ "PSA_ASSUME_EXCLUSIVE_BUFFERS", //no-check-names
+#endif /* MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS */
+#if defined(MBEDTLS_RSA_NO_CRT)
+ "RSA_NO_CRT", //no-check-names
+#endif /* MBEDTLS_RSA_NO_CRT */
+#if defined(MBEDTLS_SELF_TEST)
+ "SELF_TEST", //no-check-names
+#endif /* MBEDTLS_SELF_TEST */
+#if defined(MBEDTLS_SHA256_SMALLER)
+ "SHA256_SMALLER", //no-check-names
+#endif /* MBEDTLS_SHA256_SMALLER */
+#if defined(MBEDTLS_SHA512_SMALLER)
+ "SHA512_SMALLER", //no-check-names
+#endif /* MBEDTLS_SHA512_SMALLER */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+ "SSL_ALL_ALERT_MESSAGES", //no-check-names
+#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ "SSL_DTLS_CONNECTION_ID", //no-check-names
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT)
+ "SSL_DTLS_CONNECTION_ID_COMPAT", //no-check-names
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ "SSL_ASYNC_PRIVATE", //no-check-names
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+ "SSL_CONTEXT_SERIALIZATION", //no-check-names
+#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+ "SSL_DEBUG_ALL", //no-check-names
+#endif /* MBEDTLS_SSL_DEBUG_ALL */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ "SSL_ENCRYPT_THEN_MAC", //no-check-names
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ "SSL_EXTENDED_MASTER_SECRET", //no-check-names
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ "SSL_KEEP_PEER_CERTIFICATE", //no-check-names
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ "SSL_RENEGOTIATION", //no-check-names
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+ "SSL_MAX_FRAGMENT_LENGTH", //no-check-names
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
+ "SSL_RECORD_SIZE_LIMIT", //no-check-names
+#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ "SSL_PROTO_TLS1_2", //no-check-names
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ "SSL_PROTO_TLS1_3", //no-check-names
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+ "SSL_TLS1_3_COMPATIBILITY_MODE", //no-check-names
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
+ "SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED", //no-check-names
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ "SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED", //no-check-names
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
+ "SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED", //no-check-names
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ "SSL_EARLY_DATA", //no-check-names
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ "SSL_PROTO_DTLS", //no-check-names
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_ALPN)
+ "SSL_ALPN", //no-check-names
+#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+ "SSL_DTLS_ANTI_REPLAY", //no-check-names
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+ "SSL_DTLS_HELLO_VERIFY", //no-check-names
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ "SSL_DTLS_SRTP", //no-check-names
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+ "SSL_DTLS_CLIENT_PORT_REUSE", //no-check-names
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ "SSL_SESSION_TICKETS", //no-check-names
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ "SSL_SERVER_NAME_INDICATION", //no-check-names
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ "SSL_VARIABLE_BUFFER_LENGTH", //no-check-names
+#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+ "TEST_CONSTANT_FLOW_MEMSAN", //no-check-names
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND)
+ "TEST_CONSTANT_FLOW_VALGRIND", //no-check-names
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */
+#if defined(MBEDTLS_TEST_HOOKS)
+ "TEST_HOOKS", //no-check-names
+#endif /* MBEDTLS_TEST_HOOKS */
+#if defined(MBEDTLS_THREADING_ALT)
+ "THREADING_ALT", //no-check-names
+#endif /* MBEDTLS_THREADING_ALT */
+#if defined(MBEDTLS_THREADING_PTHREAD)
+ "THREADING_PTHREAD", //no-check-names
+#endif /* MBEDTLS_THREADING_PTHREAD */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ "USE_PSA_CRYPTO", //no-check-names
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+ "PSA_CRYPTO_CONFIG", //no-check-names
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+#if defined(MBEDTLS_VERSION_FEATURES)
+ "VERSION_FEATURES", //no-check-names
+#endif /* MBEDTLS_VERSION_FEATURES */
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+ "X509_TRUSTED_CERTIFICATE_CALLBACK", //no-check-names
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+#if defined(MBEDTLS_X509_REMOVE_INFO)
+ "X509_REMOVE_INFO", //no-check-names
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ "X509_RSASSA_PSS_SUPPORT", //no-check-names
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#if defined(MBEDTLS_AESNI_C)
+ "AESNI_C", //no-check-names
+#endif /* MBEDTLS_AESNI_C */
+#if defined(MBEDTLS_AESCE_C)
+ "AESCE_C", //no-check-names
+#endif /* MBEDTLS_AESCE_C */
+#if defined(MBEDTLS_AES_C)
+ "AES_C", //no-check-names
+#endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ "ASN1_PARSE_C", //no-check-names
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#if defined(MBEDTLS_ASN1_WRITE_C)
+ "ASN1_WRITE_C", //no-check-names
+#endif /* MBEDTLS_ASN1_WRITE_C */
+#if defined(MBEDTLS_BASE64_C)
+ "BASE64_C", //no-check-names
+#endif /* MBEDTLS_BASE64_C */
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+ "BLOCK_CIPHER_NO_DECRYPT", //no-check-names
+#endif /* MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
+#if defined(MBEDTLS_BIGNUM_C)
+ "BIGNUM_C", //no-check-names
+#endif /* MBEDTLS_BIGNUM_C */
+#if defined(MBEDTLS_CAMELLIA_C)
+ "CAMELLIA_C", //no-check-names
+#endif /* MBEDTLS_CAMELLIA_C */
+#if defined(MBEDTLS_ARIA_C)
+ "ARIA_C", //no-check-names
+#endif /* MBEDTLS_ARIA_C */
+#if defined(MBEDTLS_CCM_C)
+ "CCM_C", //no-check-names
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHA20_C)
+ "CHACHA20_C", //no-check-names
+#endif /* MBEDTLS_CHACHA20_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ "CHACHAPOLY_C", //no-check-names
+#endif /* MBEDTLS_CHACHAPOLY_C */
+#if defined(MBEDTLS_CIPHER_C)
+ "CIPHER_C", //no-check-names
+#endif /* MBEDTLS_CIPHER_C */
+#if defined(MBEDTLS_CMAC_C)
+ "CMAC_C", //no-check-names
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_CTR_DRBG_C)
+ "CTR_DRBG_C", //no-check-names
+#endif /* MBEDTLS_CTR_DRBG_C */
+#if defined(MBEDTLS_DEBUG_C)
+ "DEBUG_C", //no-check-names
+#endif /* MBEDTLS_DEBUG_C */
+#if defined(MBEDTLS_DES_C)
+ "DES_C", //no-check-names
+#endif /* MBEDTLS_DES_C */
+#if defined(MBEDTLS_DHM_C)
+ "DHM_C", //no-check-names
+#endif /* MBEDTLS_DHM_C */
+#if defined(MBEDTLS_ECDH_C)
+ "ECDH_C", //no-check-names
+#endif /* MBEDTLS_ECDH_C */
+#if defined(MBEDTLS_ECDSA_C)
+ "ECDSA_C", //no-check-names
+#endif /* MBEDTLS_ECDSA_C */
+#if defined(MBEDTLS_ECJPAKE_C)
+ "ECJPAKE_C", //no-check-names
+#endif /* MBEDTLS_ECJPAKE_C */
+#if defined(MBEDTLS_ECP_C)
+ "ECP_C", //no-check-names
+#endif /* MBEDTLS_ECP_C */
+#if defined(MBEDTLS_ENTROPY_C)
+ "ENTROPY_C", //no-check-names
+#endif /* MBEDTLS_ENTROPY_C */
+#if defined(MBEDTLS_ERROR_C)
+ "ERROR_C", //no-check-names
+#endif /* MBEDTLS_ERROR_C */
+#if defined(MBEDTLS_GCM_C)
+ "GCM_C", //no-check-names
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_GCM_LARGE_TABLE)
+ "GCM_LARGE_TABLE", //no-check-names
+#endif /* MBEDTLS_GCM_LARGE_TABLE */
+#if defined(MBEDTLS_HKDF_C)
+ "HKDF_C", //no-check-names
+#endif /* MBEDTLS_HKDF_C */
+#if defined(MBEDTLS_HMAC_DRBG_C)
+ "HMAC_DRBG_C", //no-check-names
+#endif /* MBEDTLS_HMAC_DRBG_C */
+#if defined(MBEDTLS_LMS_C)
+ "LMS_C", //no-check-names
+#endif /* MBEDTLS_LMS_C */
+#if defined(MBEDTLS_LMS_PRIVATE)
+ "LMS_PRIVATE", //no-check-names
+#endif /* MBEDTLS_LMS_PRIVATE */
+#if defined(MBEDTLS_NIST_KW_C)
+ "NIST_KW_C", //no-check-names
+#endif /* MBEDTLS_NIST_KW_C */
+#if defined(MBEDTLS_MD_C)
+ "MD_C", //no-check-names
+#endif /* MBEDTLS_MD_C */
+#if defined(MBEDTLS_MD5_C)
+ "MD5_C", //no-check-names
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+ "MEMORY_BUFFER_ALLOC_C", //no-check-names
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
+#if defined(MBEDTLS_NET_C)
+ "NET_C", //no-check-names
+#endif /* MBEDTLS_NET_C */
+#if defined(MBEDTLS_OID_C)
+ "OID_C", //no-check-names
+#endif /* MBEDTLS_OID_C */
+#if defined(MBEDTLS_PADLOCK_C)
+ "PADLOCK_C", //no-check-names
+#endif /* MBEDTLS_PADLOCK_C */
+#if defined(MBEDTLS_PEM_PARSE_C)
+ "PEM_PARSE_C", //no-check-names
+#endif /* MBEDTLS_PEM_PARSE_C */
+#if defined(MBEDTLS_PEM_WRITE_C)
+ "PEM_WRITE_C", //no-check-names
+#endif /* MBEDTLS_PEM_WRITE_C */
+#if defined(MBEDTLS_PK_C)
+ "PK_C", //no-check-names
+#endif /* MBEDTLS_PK_C */
+#if defined(MBEDTLS_PK_PARSE_C)
+ "PK_PARSE_C", //no-check-names
+#endif /* MBEDTLS_PK_PARSE_C */
+#if defined(MBEDTLS_PK_WRITE_C)
+ "PK_WRITE_C", //no-check-names
+#endif /* MBEDTLS_PK_WRITE_C */
+#if defined(MBEDTLS_PKCS5_C)
+ "PKCS5_C", //no-check-names
+#endif /* MBEDTLS_PKCS5_C */
+#if defined(MBEDTLS_PKCS7_C)
+ "PKCS7_C", //no-check-names
+#endif /* MBEDTLS_PKCS7_C */
+#if defined(MBEDTLS_PKCS12_C)
+ "PKCS12_C", //no-check-names
+#endif /* MBEDTLS_PKCS12_C */
+#if defined(MBEDTLS_PLATFORM_C)
+ "PLATFORM_C", //no-check-names
+#endif /* MBEDTLS_PLATFORM_C */
+#if defined(MBEDTLS_POLY1305_C)
+ "POLY1305_C", //no-check-names
+#endif /* MBEDTLS_POLY1305_C */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ "PSA_CRYPTO_C", //no-check-names
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+ "PSA_CRYPTO_SE_C", //no-check-names
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+ "PSA_CRYPTO_STORAGE_C", //no-check-names
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+ "PSA_ITS_FILE_C", //no-check-names
+#endif /* MBEDTLS_PSA_ITS_FILE_C */
+#if defined(MBEDTLS_RIPEMD160_C)
+ "RIPEMD160_C", //no-check-names
+#endif /* MBEDTLS_RIPEMD160_C */
+#if defined(MBEDTLS_RSA_C)
+ "RSA_C", //no-check-names
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_SHA1_C)
+ "SHA1_C", //no-check-names
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA224_C)
+ "SHA224_C", //no-check-names
+#endif /* MBEDTLS_SHA224_C */
+#if defined(MBEDTLS_SHA256_C)
+ "SHA256_C", //no-check-names
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+ "SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT", //no-check-names
+#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */
+#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
+ "SHA256_USE_A64_CRYPTO_IF_PRESENT", //no-check-names
+#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+ "SHA256_USE_ARMV8_A_CRYPTO_ONLY", //no-check-names
+#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */
+#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
+ "SHA256_USE_A64_CRYPTO_ONLY", //no-check-names
+#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
+#if defined(MBEDTLS_SHA384_C)
+ "SHA384_C", //no-check-names
+#endif /* MBEDTLS_SHA384_C */
+#if defined(MBEDTLS_SHA512_C)
+ "SHA512_C", //no-check-names
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SHA3_C)
+ "SHA3_C", //no-check-names
+#endif /* MBEDTLS_SHA3_C */
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
+ "SHA512_USE_A64_CRYPTO_IF_PRESENT", //no-check-names
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+ "SHA512_USE_A64_CRYPTO_ONLY", //no-check-names
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
+#if defined(MBEDTLS_SSL_CACHE_C)
+ "SSL_CACHE_C", //no-check-names
+#endif /* MBEDTLS_SSL_CACHE_C */
+#if defined(MBEDTLS_SSL_COOKIE_C)
+ "SSL_COOKIE_C", //no-check-names
+#endif /* MBEDTLS_SSL_COOKIE_C */
+#if defined(MBEDTLS_SSL_TICKET_C)
+ "SSL_TICKET_C", //no-check-names
+#endif /* MBEDTLS_SSL_TICKET_C */
+#if defined(MBEDTLS_SSL_CLI_C)
+ "SSL_CLI_C", //no-check-names
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+ "SSL_SRV_C", //no-check-names
+#endif /* MBEDTLS_SSL_SRV_C */
+#if defined(MBEDTLS_SSL_TLS_C)
+ "SSL_TLS_C", //no-check-names
+#endif /* MBEDTLS_SSL_TLS_C */
+#if defined(MBEDTLS_THREADING_C)
+ "THREADING_C", //no-check-names
+#endif /* MBEDTLS_THREADING_C */
+#if defined(MBEDTLS_TIMING_C)
+ "TIMING_C", //no-check-names
+#endif /* MBEDTLS_TIMING_C */
+#if defined(MBEDTLS_VERSION_C)
+ "VERSION_C", //no-check-names
+#endif /* MBEDTLS_VERSION_C */
+#if defined(MBEDTLS_X509_USE_C)
+ "X509_USE_C", //no-check-names
+#endif /* MBEDTLS_X509_USE_C */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ "X509_CRT_PARSE_C", //no-check-names
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+ "X509_CRL_PARSE_C", //no-check-names
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+ "X509_CSR_PARSE_C", //no-check-names
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+#if defined(MBEDTLS_X509_CREATE_C)
+ "X509_CREATE_C", //no-check-names
+#endif /* MBEDTLS_X509_CREATE_C */
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+ "X509_CRT_WRITE_C", //no-check-names
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+ "X509_CSR_WRITE_C", //no-check-names
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+#endif /* MBEDTLS_VERSION_FEATURES */
+ NULL
+};
+
+int mbedtls_version_check_feature(const char *feature)
+{
+ const char * const *idx = features;
+
+ if (*idx == NULL) {
+ return -2;
+ }
+
+ if (feature == NULL) {
+ return -1;
+ }
+
+ if (strncmp(feature, "MBEDTLS_", 8)) {
+ return -1;
+ }
+
+ feature += 8;
+
+ while (*idx != NULL) {
+ if (!strcmp(*idx, feature)) {
+ return 0;
+ }
+ idx++;
+ }
+ return -1;
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/library/x509.c b/library/x509.c
new file mode 100644
index 0000000..f97fb44
--- /dev/null
+++ b/library/x509.c
@@ -0,0 +1,1776 @@
+/*
+ * X.509 common functions for parsing and verification
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_USE_C)
+
+#include "x509_internal.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#include "mbedtls/asn1write.h"
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "mbedtls/platform_util.h"
+#include <time.h>
+#endif
+
+#define CHECK(code) \
+ do { \
+ if ((ret = (code)) != 0) { \
+ return ret; \
+ } \
+ } while (0)
+
+#define CHECK_RANGE(min, max, val) \
+ do { \
+ if ((val) < (min) || (val) > (max)) { \
+ return ret; \
+ } \
+ } while (0)
+
+/*
+ * CertificateSerialNumber ::= INTEGER
+ */
+int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *serial)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_SERIAL,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ if (**p != (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_PRIMITIVE | 2) &&
+ **p != MBEDTLS_ASN1_INTEGER) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_SERIAL,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ serial->tag = *(*p)++;
+
+ if ((ret = mbedtls_asn1_get_len(p, end, &serial->len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_SERIAL, ret);
+ }
+
+ serial->p = *p;
+ *p += serial->len;
+
+ return 0;
+}
+
+/* Get an algorithm identifier without parameters (eg for signatures)
+ *
+ * AlgorithmIdentifier ::= SEQUENCE {
+ * algorithm OBJECT IDENTIFIER,
+ * parameters ANY DEFINED BY algorithm OPTIONAL }
+ */
+int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *alg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_asn1_get_alg_null(p, end, alg)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse an algorithm identifier with (optional) parameters
+ */
+int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *alg, mbedtls_x509_buf *params)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_asn1_get_alg(p, end, alg, params)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Convert md type to string
+ */
+#if !defined(MBEDTLS_X509_REMOVE_INFO) && defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+
+static inline const char *md_type_to_string(mbedtls_md_type_t md_alg)
+{
+ switch (md_alg) {
+#if defined(MBEDTLS_MD_CAN_MD5)
+ case MBEDTLS_MD_MD5:
+ return "MD5";
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA1)
+ case MBEDTLS_MD_SHA1:
+ return "SHA1";
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA224)
+ case MBEDTLS_MD_SHA224:
+ return "SHA224";
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA256)
+ case MBEDTLS_MD_SHA256:
+ return "SHA256";
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA384)
+ case MBEDTLS_MD_SHA384:
+ return "SHA384";
+#endif
+#if defined(MBEDTLS_MD_CAN_SHA512)
+ case MBEDTLS_MD_SHA512:
+ return "SHA512";
+#endif
+#if defined(MBEDTLS_MD_CAN_RIPEMD160)
+ case MBEDTLS_MD_RIPEMD160:
+ return "RIPEMD160";
+#endif
+ case MBEDTLS_MD_NONE:
+ return NULL;
+ default:
+ return NULL;
+ }
+}
+
+#endif /* !defined(MBEDTLS_X509_REMOVE_INFO) && defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+/*
+ * HashAlgorithm ::= AlgorithmIdentifier
+ *
+ * AlgorithmIdentifier ::= SEQUENCE {
+ * algorithm OBJECT IDENTIFIER,
+ * parameters ANY DEFINED BY algorithm OPTIONAL }
+ *
+ * For HashAlgorithm, parameters MUST be NULL or absent.
+ */
+static int x509_get_hash_alg(const mbedtls_x509_buf *alg, mbedtls_md_type_t *md_alg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p;
+ const unsigned char *end;
+ mbedtls_x509_buf md_oid;
+ size_t len;
+
+ /* Make sure we got a SEQUENCE and setup bounds */
+ if (alg->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ p = alg->p;
+ end = p + alg->len;
+
+ if (p >= end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ /* Parse md_oid */
+ md_oid.tag = *p;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &md_oid.len, MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ md_oid.p = p;
+ p += md_oid.len;
+
+ /* Get md_alg from md_oid */
+ if ((ret = mbedtls_oid_get_md_alg(&md_oid, md_alg)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ /* Make sure params is absent of NULL */
+ if (p == end) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_NULL)) != 0 || len != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ if (p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * RSASSA-PSS-params ::= SEQUENCE {
+ * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
+ * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
+ * saltLength [2] INTEGER DEFAULT 20,
+ * trailerField [3] INTEGER DEFAULT 1 }
+ * -- Note that the tags in this Sequence are explicit.
+ *
+ * RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
+ * of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
+ * option. Enforce this at parsing time.
+ */
+int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
+ mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+ int *salt_len)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char *p;
+ const unsigned char *end, *end2;
+ size_t len;
+ mbedtls_x509_buf alg_id, alg_params;
+
+ /* First set everything to defaults */
+ *md_alg = MBEDTLS_MD_SHA1;
+ *mgf_md = MBEDTLS_MD_SHA1;
+ *salt_len = 20;
+
+ /* Make sure params is a SEQUENCE and setup bounds */
+ if (params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ p = (unsigned char *) params->p;
+ end = p + params->len;
+
+ if (p == end) {
+ return 0;
+ }
+
+ /*
+ * HashAlgorithm
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 0)) == 0) {
+ end2 = p + len;
+
+ /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
+ if ((ret = mbedtls_x509_get_alg_null(&p, end2, &alg_id)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_oid_get_md_alg(&alg_id, md_alg)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ if (p != end2) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ if (p == end) {
+ return 0;
+ }
+
+ /*
+ * MaskGenAlgorithm
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 1)) == 0) {
+ end2 = p + len;
+
+ /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
+ if ((ret = mbedtls_x509_get_alg(&p, end2, &alg_id, &alg_params)) != 0) {
+ return ret;
+ }
+
+ /* Only MFG1 is recognised for now */
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_MGF1, &alg_id) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE,
+ MBEDTLS_ERR_OID_NOT_FOUND);
+ }
+
+ /* Parse HashAlgorithm */
+ if ((ret = x509_get_hash_alg(&alg_params, mgf_md)) != 0) {
+ return ret;
+ }
+
+ if (p != end2) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ if (p == end) {
+ return 0;
+ }
+
+ /*
+ * salt_len
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 2)) == 0) {
+ end2 = p + len;
+
+ if ((ret = mbedtls_asn1_get_int(&p, end2, salt_len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ if (p != end2) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ if (p == end) {
+ return 0;
+ }
+
+ /*
+ * trailer_field (if present, must be 1)
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 3)) == 0) {
+ int trailer_field;
+
+ end2 = p + len;
+
+ if ((ret = mbedtls_asn1_get_int(&p, end2, &trailer_field)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ if (p != end2) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if (trailer_field != 1) {
+ return MBEDTLS_ERR_X509_INVALID_ALG;
+ }
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG, ret);
+ }
+
+ if (p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+/*
+ * AttributeTypeAndValue ::= SEQUENCE {
+ * type AttributeType,
+ * value AttributeValue }
+ *
+ * AttributeType ::= OBJECT IDENTIFIER
+ *
+ * AttributeValue ::= ANY DEFINED BY AttributeType
+ */
+static int x509_get_attr_type_value(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_name *cur)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ mbedtls_x509_buf *oid;
+ mbedtls_x509_buf *val;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_NAME, ret);
+ }
+
+ end = *p + len;
+
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_NAME,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ oid = &cur->oid;
+ oid->tag = **p;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &oid->len, MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_NAME, ret);
+ }
+
+ oid->p = *p;
+ *p += oid->len;
+
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_NAME,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ if (**p != MBEDTLS_ASN1_BMP_STRING && **p != MBEDTLS_ASN1_UTF8_STRING &&
+ **p != MBEDTLS_ASN1_T61_STRING && **p != MBEDTLS_ASN1_PRINTABLE_STRING &&
+ **p != MBEDTLS_ASN1_IA5_STRING && **p != MBEDTLS_ASN1_UNIVERSAL_STRING &&
+ **p != MBEDTLS_ASN1_BIT_STRING) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_NAME,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ val = &cur->val;
+ val->tag = *(*p)++;
+
+ if ((ret = mbedtls_asn1_get_len(p, end, &val->len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_NAME, ret);
+ }
+
+ val->p = *p;
+ *p += val->len;
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_NAME,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ cur->next = NULL;
+
+ return 0;
+}
+
+/*
+ * Name ::= CHOICE { -- only one possibility for now --
+ * rdnSequence RDNSequence }
+ *
+ * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+ *
+ * RelativeDistinguishedName ::=
+ * SET OF AttributeTypeAndValue
+ *
+ * AttributeTypeAndValue ::= SEQUENCE {
+ * type AttributeType,
+ * value AttributeValue }
+ *
+ * AttributeType ::= OBJECT IDENTIFIER
+ *
+ * AttributeValue ::= ANY DEFINED BY AttributeType
+ *
+ * The data structure is optimized for the common case where each RDN has only
+ * one element, which is represented as a list of AttributeTypeAndValue.
+ * For the general case we still use a flat list, but we mark elements of the
+ * same set so that they are "merged" together in the functions that consume
+ * this list, eg mbedtls_x509_dn_gets().
+ *
+ * On success, this function may allocate a linked list starting at cur->next
+ * that must later be free'd by the caller using mbedtls_free(). In error
+ * cases, this function frees all allocated memory internally and the caller
+ * has no freeing responsibilities.
+ */
+int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_name *cur)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t set_len;
+ const unsigned char *end_set;
+ mbedtls_x509_name *head = cur;
+
+ /* don't use recursion, we'd risk stack overflow if not optimized */
+ while (1) {
+ /*
+ * parse SET
+ */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &set_len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_NAME, ret);
+ goto error;
+ }
+
+ end_set = *p + set_len;
+
+ while (1) {
+ if ((ret = x509_get_attr_type_value(p, end_set, cur)) != 0) {
+ goto error;
+ }
+
+ if (*p == end_set) {
+ break;
+ }
+
+ /* Mark this item as being no the only one in a set */
+ cur->next_merged = 1;
+
+ cur->next = mbedtls_calloc(1, sizeof(mbedtls_x509_name));
+
+ if (cur->next == NULL) {
+ ret = MBEDTLS_ERR_X509_ALLOC_FAILED;
+ goto error;
+ }
+
+ cur = cur->next;
+ }
+
+ /*
+ * continue until end of SEQUENCE is reached
+ */
+ if (*p == end) {
+ return 0;
+ }
+
+ cur->next = mbedtls_calloc(1, sizeof(mbedtls_x509_name));
+
+ if (cur->next == NULL) {
+ ret = MBEDTLS_ERR_X509_ALLOC_FAILED;
+ goto error;
+ }
+
+ cur = cur->next;
+ }
+
+error:
+ /* Skip the first element as we did not allocate it */
+ mbedtls_asn1_free_named_data_list_shallow(head->next);
+ head->next = NULL;
+
+ return ret;
+}
+
+static int x509_date_is_valid(const mbedtls_x509_time *t)
+{
+ unsigned int month_days;
+ unsigned int year;
+ switch (t->mon) {
+ case 1: case 3: case 5: case 7: case 8: case 10: case 12:
+ month_days = 31;
+ break;
+ case 4: case 6: case 9: case 11:
+ month_days = 30;
+ break;
+ case 2:
+ year = (unsigned int) t->year;
+ month_days = ((year & 3) || (!(year % 100)
+ && (year % 400)))
+ ? 28 : 29;
+ break;
+ default:
+ return MBEDTLS_ERR_X509_INVALID_DATE;
+ }
+
+ if ((unsigned int) (t->day - 1) >= month_days || /* (1 - days in month) */
+ /* (unsigned int) (t->mon - 1) >= 12 || */ /* (1 - 12) checked above */
+ (unsigned int) t->year > 9999 || /* (0 - 9999) */
+ (unsigned int) t->hour > 23 || /* (0 - 23) */
+ (unsigned int) t->min > 59 || /* (0 - 59) */
+ (unsigned int) t->sec > 59) { /* (0 - 59) */
+ return MBEDTLS_ERR_X509_INVALID_DATE;
+ }
+
+ return 0;
+}
+
+static int x509_parse2_int(const unsigned char *p)
+{
+ uint32_t d1 = p[0] - '0';
+ uint32_t d2 = p[1] - '0';
+ return (d1 < 10 && d2 < 10) ? (int) (d1 * 10 + d2) : -1;
+}
+
+/*
+ * Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4)
+ * field.
+ */
+static int x509_parse_time(const unsigned char *p, mbedtls_x509_time *tm,
+ size_t yearlen)
+{
+ int x;
+
+ /*
+ * Parse year, month, day, hour, minute, second
+ */
+ tm->year = x509_parse2_int(p);
+ if (tm->year < 0) {
+ return MBEDTLS_ERR_X509_INVALID_DATE;
+ }
+
+ if (4 == yearlen) {
+ x = tm->year * 100;
+ p += 2;
+ tm->year = x509_parse2_int(p);
+ if (tm->year < 0) {
+ return MBEDTLS_ERR_X509_INVALID_DATE;
+ }
+ } else {
+ x = (tm->year < 50) ? 2000 : 1900;
+ }
+ tm->year += x;
+
+ tm->mon = x509_parse2_int(p + 2);
+ tm->day = x509_parse2_int(p + 4);
+ tm->hour = x509_parse2_int(p + 6);
+ tm->min = x509_parse2_int(p + 8);
+ tm->sec = x509_parse2_int(p + 10);
+
+ return x509_date_is_valid(tm);
+}
+
+/*
+ * Time ::= CHOICE {
+ * utcTime UTCTime,
+ * generalTime GeneralizedTime }
+ */
+int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_time *tm)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len, year_len;
+ unsigned char tag;
+
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ tag = **p;
+
+ if (tag == MBEDTLS_ASN1_UTC_TIME) {
+ year_len = 2;
+ } else if (tag == MBEDTLS_ASN1_GENERALIZED_TIME) {
+ year_len = 4;
+ } else {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ (*p)++;
+ ret = mbedtls_asn1_get_len(p, end, &len);
+
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE, ret);
+ }
+
+ /* len is 12 or 14 depending on year_len, plus optional trailing 'Z' */
+ if (len != year_len + 10 &&
+ !(len == year_len + 11 && (*p)[(len - 1)] == 'Z')) {
+ return MBEDTLS_ERR_X509_INVALID_DATE;
+ }
+
+ (*p) += len;
+ return x509_parse_time(*p - len, tm, year_len);
+}
+
+int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ int tag_type;
+
+ if ((end - *p) < 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_SIGNATURE,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA);
+ }
+
+ tag_type = **p;
+
+ if ((ret = mbedtls_asn1_get_bitstring_null(p, end, &len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_SIGNATURE, ret);
+ }
+
+ sig->tag = tag_type;
+ sig->len = len;
+ sig->p = *p;
+
+ *p += len;
+
+ return 0;
+}
+
+/*
+ * Get signature algorithm from alg OID and optional parameters
+ */
+int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+ void **sig_opts)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (*sig_opts != NULL) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_oid_get_sig_alg(sig_oid, md_alg, pk_alg)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret);
+ }
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ if (*pk_alg == MBEDTLS_PK_RSASSA_PSS) {
+ mbedtls_pk_rsassa_pss_options *pss_opts;
+
+ pss_opts = mbedtls_calloc(1, sizeof(mbedtls_pk_rsassa_pss_options));
+ if (pss_opts == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ ret = mbedtls_x509_get_rsassa_pss_params(sig_params,
+ md_alg,
+ &pss_opts->mgf1_hash_id,
+ &pss_opts->expected_salt_len);
+ if (ret != 0) {
+ mbedtls_free(pss_opts);
+ return ret;
+ }
+
+ *sig_opts = (void *) pss_opts;
+ } else
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+ {
+ /* Make sure parameters are absent or NULL */
+ if ((sig_params->tag != MBEDTLS_ASN1_NULL && sig_params->tag != 0) ||
+ sig_params->len != 0) {
+ return MBEDTLS_ERR_X509_INVALID_ALG;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * X.509 Extensions (No parsing of extensions, pointer should
+ * be either manually updated or extensions should be parsed!)
+ */
+int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *ext, int tag)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ /* Extension structure use EXPLICIT tagging. That is, the actual
+ * `Extensions` structure is wrapped by a tag-length pair using
+ * the respective context-specific tag. */
+ ret = mbedtls_asn1_get_tag(p, end, &ext->len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ ext->tag = MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag;
+ ext->p = *p;
+ end = *p + ext->len;
+
+ /*
+ * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+ */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (end != *p + len) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+static char nibble_to_hex_digit(int i)
+{
+ return (i < 10) ? (i + '0') : (i - 10 + 'A');
+}
+
+/*
+ * Store the name in printable form into buf; no more
+ * than size characters will be written
+ */
+int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, j, n, asn1_len_size, asn1_tag_size, asn1_tag_len_buf_start;
+ /* 6 is enough as our asn1 write functions only write one byte for the tag and at most five bytes for the length*/
+ unsigned char asn1_tag_len_buf[6];
+ unsigned char *asn1_len_p;
+ unsigned char c, merge = 0;
+ const mbedtls_x509_name *name;
+ const char *short_name = NULL;
+ char lowbits, highbits;
+ char s[MBEDTLS_X509_MAX_DN_NAME_SIZE], *p;
+ int print_hexstring;
+
+ memset(s, 0, sizeof(s));
+
+ name = dn;
+ p = buf;
+ n = size;
+
+ while (name != NULL) {
+ if (!name->oid.p) {
+ name = name->next;
+ continue;
+ }
+
+ if (name != dn) {
+ ret = mbedtls_snprintf(p, n, merge ? " + " : ", ");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+
+ print_hexstring = (name->val.tag != MBEDTLS_ASN1_UTF8_STRING) &&
+ (name->val.tag != MBEDTLS_ASN1_PRINTABLE_STRING) &&
+ (name->val.tag != MBEDTLS_ASN1_IA5_STRING);
+
+ if ((ret = mbedtls_oid_get_attr_short_name(&name->oid, &short_name)) == 0) {
+ ret = mbedtls_snprintf(p, n, "%s=", short_name);
+ } else {
+ if ((ret = mbedtls_oid_get_numeric_string(p, n, &name->oid)) > 0) {
+ n -= ret;
+ p += ret;
+ ret = mbedtls_snprintf(p, n, "=");
+ print_hexstring = 1;
+ } else if (ret == MBEDTLS_ERR_OID_BUF_TOO_SMALL) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ } else {
+ ret = mbedtls_snprintf(p, n, "\?\?=");
+ }
+ }
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if (print_hexstring) {
+ s[0] = '#';
+
+ asn1_len_p = asn1_tag_len_buf + sizeof(asn1_tag_len_buf);
+ if ((ret = mbedtls_asn1_write_len(&asn1_len_p, asn1_tag_len_buf, name->val.len)) < 0) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ asn1_len_size = ret;
+ if ((ret = mbedtls_asn1_write_tag(&asn1_len_p, asn1_tag_len_buf, name->val.tag)) < 0) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ asn1_tag_size = ret;
+ asn1_tag_len_buf_start = sizeof(asn1_tag_len_buf) - asn1_len_size - asn1_tag_size;
+ for (i = 0, j = 1; i < asn1_len_size + asn1_tag_size; i++) {
+ if (j + 1 >= sizeof(s) - 1) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ c = asn1_tag_len_buf[asn1_tag_len_buf_start+i];
+ lowbits = (c & 0x0F);
+ highbits = c >> 4;
+ s[j++] = nibble_to_hex_digit(highbits);
+ s[j++] = nibble_to_hex_digit(lowbits);
+ }
+ for (i = 0; i < name->val.len; i++) {
+ if (j + 1 >= sizeof(s) - 1) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ c = name->val.p[i];
+ lowbits = (c & 0x0F);
+ highbits = c >> 4;
+ s[j++] = nibble_to_hex_digit(highbits);
+ s[j++] = nibble_to_hex_digit(lowbits);
+ }
+ } else {
+ for (i = 0, j = 0; i < name->val.len; i++, j++) {
+ if (j >= sizeof(s) - 1) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+
+ c = name->val.p[i];
+ // Special characters requiring escaping, RFC 4514 Section 2.4
+ if (c == '\0') {
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ } else {
+ if (strchr(",=+<>;\"\\", c) ||
+ ((i == 0) && strchr("# ", c)) ||
+ ((i == name->val.len-1) && (c == ' '))) {
+ if (j + 1 >= sizeof(s) - 1) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ s[j++] = '\\';
+ }
+ }
+ if (c < 32 || c >= 127) {
+ if (j + 3 >= sizeof(s) - 1) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ s[j++] = '\\';
+ lowbits = (c & 0x0F);
+ highbits = c >> 4;
+ s[j++] = nibble_to_hex_digit(highbits);
+ s[j] = nibble_to_hex_digit(lowbits);
+ } else {
+ s[j] = c;
+ }
+ }
+ }
+ s[j] = '\0';
+ ret = mbedtls_snprintf(p, n, "%s", s);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ merge = name->next_merged;
+ name = name->next;
+ }
+
+ return (int) (size - n);
+}
+
+/*
+ * Store the serial in printable form into buf; no more
+ * than size characters will be written
+ */
+int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i, n, nr;
+ char *p;
+
+ p = buf;
+ n = size;
+
+ nr = (serial->len <= 32)
+ ? serial->len : 28;
+
+ for (i = 0; i < nr; i++) {
+ if (i == 0 && nr > 1 && serial->p[i] == 0x0) {
+ continue;
+ }
+
+ ret = mbedtls_snprintf(p, n, "%02X%s",
+ serial->p[i], (i < nr - 1) ? ":" : "");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+
+ if (nr != serial->len) {
+ ret = mbedtls_snprintf(p, n, "....");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+
+ return (int) (size - n);
+}
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+/*
+ * Helper for writing signature algorithms
+ */
+int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+ mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+ const void *sig_opts)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ char *p = buf;
+ size_t n = size;
+ const char *desc = NULL;
+
+ ret = mbedtls_oid_get_sig_alg_desc(sig_oid, &desc);
+ if (ret != 0) {
+ ret = mbedtls_snprintf(p, n, "???");
+ } else {
+ ret = mbedtls_snprintf(p, n, "%s", desc);
+ }
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
+ const mbedtls_pk_rsassa_pss_options *pss_opts;
+
+ pss_opts = (const mbedtls_pk_rsassa_pss_options *) sig_opts;
+
+ const char *name = md_type_to_string(md_alg);
+ const char *mgf_name = md_type_to_string(pss_opts->mgf1_hash_id);
+
+ ret = mbedtls_snprintf(p, n, " (%s, MGF1-%s, 0x%02X)",
+ name ? name : "???",
+ mgf_name ? mgf_name : "???",
+ (unsigned int) pss_opts->expected_salt_len);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+#else
+ ((void) pk_alg);
+ ((void) md_alg);
+ ((void) sig_opts);
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+ return (int) (size - n);
+}
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
+/*
+ * Helper for writing "RSA key size", "EC key size", etc
+ */
+int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name)
+{
+ char *p = buf;
+ size_t n = buf_size;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ ret = mbedtls_snprintf(p, n, "%s key size", name);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ return 0;
+}
+
+int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1,
+ const mbedtls_x509_time *t2)
+{
+ int x;
+
+ x = (((t1->year << 9) | (t1->mon << 5) | (t1->day)) -
+ ((t2->year << 9) | (t2->mon << 5) | (t2->day)));
+ if (x != 0) {
+ return x;
+ }
+
+ x = (((t1->hour << 12) | (t1->min << 6) | (t1->sec)) -
+ ((t2->hour << 12) | (t2->min << 6) | (t2->sec)));
+ return x;
+}
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now)
+{
+ struct tm tm;
+
+ if (mbedtls_platform_gmtime_r(&tt, &tm) == NULL) {
+ return -1;
+ }
+
+ now->year = tm.tm_year + 1900;
+ now->mon = tm.tm_mon + 1;
+ now->day = tm.tm_mday;
+ now->hour = tm.tm_hour;
+ now->min = tm.tm_min;
+ now->sec = tm.tm_sec;
+ return 0;
+}
+
+static int x509_get_current_time(mbedtls_x509_time *now)
+{
+ return mbedtls_x509_time_gmtime(mbedtls_time(NULL), now);
+}
+
+int mbedtls_x509_time_is_past(const mbedtls_x509_time *to)
+{
+ mbedtls_x509_time now;
+
+ if (x509_get_current_time(&now) != 0) {
+ return 1;
+ }
+
+ return mbedtls_x509_time_cmp(to, &now) < 0;
+}
+
+int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
+{
+ mbedtls_x509_time now;
+
+ if (x509_get_current_time(&now) != 0) {
+ return 1;
+ }
+
+ return mbedtls_x509_time_cmp(from, &now) > 0;
+}
+
+#else /* MBEDTLS_HAVE_TIME_DATE */
+
+int mbedtls_x509_time_is_past(const mbedtls_x509_time *to)
+{
+ ((void) to);
+ return 0;
+}
+
+int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
+{
+ ((void) from);
+ return 0;
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+/* Common functions for parsing CRT and CSR. */
+#if defined(MBEDTLS_X509_CRT_PARSE_C) || defined(MBEDTLS_X509_CSR_PARSE_C)
+/*
+ * OtherName ::= SEQUENCE {
+ * type-id OBJECT IDENTIFIER,
+ * value [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * HardwareModuleName ::= SEQUENCE {
+ * hwType OBJECT IDENTIFIER,
+ * hwSerialNum OCTET STRING }
+ *
+ * NOTE: we currently only parse and use otherName of type HwModuleName,
+ * as defined in RFC 4108.
+ */
+static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
+ mbedtls_x509_san_other_name *other_name)
+{
+ int ret = 0;
+ size_t len;
+ unsigned char *p = subject_alt_name->p;
+ const unsigned char *end = p + subject_alt_name->len;
+ mbedtls_x509_buf cur_oid;
+
+ if ((subject_alt_name->tag &
+ (MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK)) !=
+ (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME)) {
+ /*
+ * The given subject alternative name is not of type "othername".
+ */
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ cur_oid.tag = MBEDTLS_ASN1_OID;
+ cur_oid.p = p;
+ cur_oid.len = len;
+
+ /*
+ * Only HwModuleName is currently supported.
+ */
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ }
+ other_name->type_id = cur_oid;
+
+ p += len;
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) !=
+ 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (end != p + len) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (end != p + len) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
+ other_name->value.hardware_module_name.oid.p = p;
+ other_name->value.hardware_module_name.oid.len = len;
+
+ p += len;
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
+ other_name->value.hardware_module_name.val.p = p;
+ other_name->value.hardware_module_name.val.len = len;
+ p += len;
+ if (p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+ return 0;
+}
+
+/* Check mbedtls_x509_get_subject_alt_name for detailed description.
+ *
+ * In some cases while parsing subject alternative names the sequence tag is optional
+ * (e.g. CertSerialNumber). This function is designed to handle such case.
+ */
+int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t tag_len;
+ mbedtls_asn1_sequence *cur = subject_alt_name;
+
+ while (*p < end) {
+ mbedtls_x509_subject_alternative_name tmp_san_name;
+ mbedtls_x509_buf tmp_san_buf;
+ memset(&tmp_san_name, 0, sizeof(tmp_san_name));
+
+ tmp_san_buf.tag = **p;
+ (*p)++;
+
+ if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ tmp_san_buf.p = *p;
+ tmp_san_buf.len = tag_len;
+
+ if ((tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+
+ /*
+ * Check that the SAN is structured correctly by parsing it.
+ * The SAN structure is discarded afterwards.
+ */
+ ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &tmp_san_name);
+ /*
+ * In case the extension is malformed, return an error,
+ * and clear the allocated sequences.
+ */
+ if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
+ mbedtls_asn1_sequence_free(subject_alt_name->next);
+ subject_alt_name->next = NULL;
+ return ret;
+ }
+
+ mbedtls_x509_free_subject_alt_name(&tmp_san_name);
+ /* Allocate and assign next pointer */
+ if (cur->buf.p != NULL) {
+ if (cur->next != NULL) {
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
+ }
+
+ cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
+
+ if (cur->next == NULL) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_ALLOC_FAILED);
+ }
+
+ cur = cur->next;
+ }
+
+ cur->buf = tmp_san_buf;
+ *p += tmp_san_buf.len;
+ }
+
+ /* Set final sequence entry's next pointer to NULL */
+ cur->next = NULL;
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * SubjectAltName ::= GeneralNames
+ *
+ * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * GeneralName ::= CHOICE {
+ * otherName [0] OtherName,
+ * rfc822Name [1] IA5String,
+ * dNSName [2] IA5String,
+ * x400Address [3] ORAddress,
+ * directoryName [4] Name,
+ * ediPartyName [5] EDIPartyName,
+ * uniformResourceIdentifier [6] IA5String,
+ * iPAddress [7] OCTET STRING,
+ * registeredID [8] OBJECT IDENTIFIER }
+ *
+ * OtherName ::= SEQUENCE {
+ * type-id OBJECT IDENTIFIER,
+ * value [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * EDIPartyName ::= SEQUENCE {
+ * nameAssigner [0] DirectoryString OPTIONAL,
+ * partyName [1] DirectoryString }
+ *
+ * We list all types, but use the following GeneralName types from RFC 5280:
+ * "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
+ * of type "otherName", as defined in RFC 4108.
+ */
+int mbedtls_x509_get_subject_alt_name(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ /* Get main sequence tag */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return mbedtls_x509_get_subject_alt_name_ext(p, end, subject_alt_name);
+}
+
+int mbedtls_x509_get_ns_cert_type(unsigned char **p,
+ const unsigned char *end,
+ unsigned char *ns_cert_type)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+ if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ /* A bitstring with no flags set is still technically valid, as it will mean
+ that the certificate has no designated purpose at the time of creation. */
+ if (bs.len == 0) {
+ *ns_cert_type = 0;
+ return 0;
+ }
+
+ if (bs.len != 1) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+ }
+
+ /* Get actual bitstring */
+ *ns_cert_type = *bs.p;
+ return 0;
+}
+
+int mbedtls_x509_get_key_usage(unsigned char **p,
+ const unsigned char *end,
+ unsigned int *key_usage)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+ if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ /* A bitstring with no flags set is still technically valid, as it will mean
+ that the certificate has no designated purpose at the time of creation. */
+ if (bs.len == 0) {
+ *key_usage = 0;
+ return 0;
+ }
+
+ /* Get actual bitstring */
+ *key_usage = 0;
+ for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
+ *key_usage |= (unsigned int) bs.p[i] << (8*i);
+ }
+
+ return 0;
+}
+
+int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
+ mbedtls_x509_subject_alternative_name *san)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ switch (san_buf->tag &
+ (MBEDTLS_ASN1_TAG_CLASS_MASK |
+ MBEDTLS_ASN1_TAG_VALUE_MASK)) {
+ /*
+ * otherName
+ */
+ case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME):
+ {
+ mbedtls_x509_san_other_name other_name;
+
+ ret = x509_get_other_name(san_buf, &other_name);
+ if (ret != 0) {
+ return ret;
+ }
+
+ memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+ san->type = MBEDTLS_X509_SAN_OTHER_NAME;
+ memcpy(&san->san.other_name,
+ &other_name, sizeof(other_name));
+
+ }
+ break;
+ /*
+ * uniformResourceIdentifier
+ */
+ case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER):
+ {
+ memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+ san->type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
+
+ memcpy(&san->san.unstructured_name,
+ san_buf, sizeof(*san_buf));
+
+ }
+ break;
+ /*
+ * dNSName
+ */
+ case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME):
+ {
+ memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+ san->type = MBEDTLS_X509_SAN_DNS_NAME;
+
+ memcpy(&san->san.unstructured_name,
+ san_buf, sizeof(*san_buf));
+ }
+ break;
+ /*
+ * IP address
+ */
+ case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_IP_ADDRESS):
+ {
+ memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+ san->type = MBEDTLS_X509_SAN_IP_ADDRESS;
+ // Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported
+ if (san_buf->len == 4 || san_buf->len == 16) {
+ memcpy(&san->san.unstructured_name,
+ san_buf, sizeof(*san_buf));
+ } else {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+ }
+ break;
+ /*
+ * rfc822Name
+ */
+ case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_RFC822_NAME):
+ {
+ memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+ san->type = MBEDTLS_X509_SAN_RFC822_NAME;
+ memcpy(&san->san.unstructured_name, san_buf, sizeof(*san_buf));
+ }
+ break;
+ /*
+ * directoryName
+ */
+ case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DIRECTORY_NAME):
+ {
+ size_t name_len;
+ unsigned char *p = san_buf->p;
+ memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+ san->type = MBEDTLS_X509_SAN_DIRECTORY_NAME;
+
+ ret = mbedtls_asn1_get_tag(&p, p + san_buf->len, &name_len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+
+ if (ret != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_x509_get_name(&p, p + name_len,
+ &san->san.directory_name)) != 0) {
+ return ret;
+ }
+ }
+ break;
+ /*
+ * Type not supported
+ */
+ default:
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ }
+ return 0;
+}
+
+void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san)
+{
+ if (san->type == MBEDTLS_X509_SAN_DIRECTORY_NAME) {
+ mbedtls_asn1_free_named_data_list_shallow(san->san.directory_name.next);
+ }
+}
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
+ const mbedtls_x509_sequence
+ *subject_alt_name,
+ const char *prefix)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ size_t n = *size;
+ char *p = *buf;
+ const mbedtls_x509_sequence *cur = subject_alt_name;
+ mbedtls_x509_subject_alternative_name san;
+ int parse_ret;
+
+ while (cur != NULL) {
+ memset(&san, 0, sizeof(san));
+ parse_ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san);
+ if (parse_ret != 0) {
+ if (parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
+ ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ } else {
+ ret = mbedtls_snprintf(p, n, "\n%s <malformed>", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+ cur = cur->next;
+ continue;
+ }
+
+ switch (san.type) {
+ /*
+ * otherName
+ */
+ case MBEDTLS_X509_SAN_OTHER_NAME:
+ {
+ mbedtls_x509_san_other_name *other_name = &san.san.other_name;
+
+ ret = mbedtls_snprintf(p, n, "\n%s otherName :", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME,
+ &other_name->type_id) == 0) {
+ ret = mbedtls_snprintf(p, n, "\n%s hardware module name :", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret =
+ mbedtls_snprintf(p, n, "\n%s hardware type : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_oid_get_numeric_string(p,
+ n,
+ &other_name->value.hardware_module_name.oid);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret =
+ mbedtls_snprintf(p, n, "\n%s hardware serial number : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ for (i = 0; i < other_name->value.hardware_module_name.val.len; i++) {
+ ret = mbedtls_snprintf(p,
+ n,
+ "%02X",
+ other_name->value.hardware_module_name.val.p[i]);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+ }/* MBEDTLS_OID_ON_HW_MODULE_NAME */
+ }
+ break;
+ /*
+ * uniformResourceIdentifier
+ */
+ case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
+ {
+ ret = mbedtls_snprintf(p, n, "\n%s uniformResourceIdentifier : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if (san.san.unstructured_name.len >= n) {
+ if (n > 0) {
+ *p = '\0';
+ }
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
+ p += san.san.unstructured_name.len;
+ n -= san.san.unstructured_name.len;
+ }
+ break;
+ /*
+ * dNSName
+ * RFC822 Name
+ */
+ case MBEDTLS_X509_SAN_DNS_NAME:
+ case MBEDTLS_X509_SAN_RFC822_NAME:
+ {
+ const char *dns_name = "dNSName";
+ const char *rfc822_name = "rfc822Name";
+
+ ret = mbedtls_snprintf(p, n,
+ "\n%s %s : ",
+ prefix,
+ san.type ==
+ MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if (san.san.unstructured_name.len >= n) {
+ if (n > 0) {
+ *p = '\0';
+ }
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+
+ memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
+ p += san.san.unstructured_name.len;
+ n -= san.san.unstructured_name.len;
+ }
+ break;
+ /*
+ * iPAddress
+ */
+ case MBEDTLS_X509_SAN_IP_ADDRESS:
+ {
+ ret = mbedtls_snprintf(p, n, "\n%s %s : ",
+ prefix, "iPAddress");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if (san.san.unstructured_name.len >= n) {
+ if (n > 0) {
+ *p = '\0';
+ }
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+
+ unsigned char *ip = san.san.unstructured_name.p;
+ // Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported
+ if (san.san.unstructured_name.len == 4) {
+ ret = mbedtls_snprintf(p, n, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ } else if (san.san.unstructured_name.len == 16) {
+ ret = mbedtls_snprintf(p, n,
+ "%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X",
+ ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6],
+ ip[7], ip[8], ip[9], ip[10], ip[11], ip[12], ip[13],
+ ip[14], ip[15]);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ } else {
+ if (n > 0) {
+ *p = '\0';
+ }
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+ }
+ break;
+ /*
+ * directoryName
+ */
+ case MBEDTLS_X509_SAN_DIRECTORY_NAME:
+ {
+ ret = mbedtls_snprintf(p, n, "\n%s directoryName : ", prefix);
+ if (ret < 0 || (size_t) ret >= n) {
+ mbedtls_x509_free_subject_alt_name(&san);
+ }
+
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret = mbedtls_x509_dn_gets(p, n, &san.san.directory_name);
+
+ if (ret < 0) {
+ mbedtls_x509_free_subject_alt_name(&san);
+ if (n > 0) {
+ *p = '\0';
+ }
+ return ret;
+ }
+
+ p += ret;
+ n -= ret;
+ }
+ break;
+ /*
+ * Type not supported, skip item.
+ */
+ default:
+ ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ break;
+ }
+
+ /* So far memory is freed only in the case of directoryName
+ * parsing succeeding, as mbedtls_x509_get_name allocates memory. */
+ mbedtls_x509_free_subject_alt_name(&san);
+ cur = cur->next;
+ }
+
+ *p = '\0';
+
+ *size = n;
+ *buf = p;
+
+ return 0;
+}
+
+#define PRINT_ITEM(i) \
+ do { \
+ ret = mbedtls_snprintf(p, n, "%s" i, sep); \
+ MBEDTLS_X509_SAFE_SNPRINTF; \
+ sep = ", "; \
+ } while (0)
+
+#define CERT_TYPE(type, name) \
+ do { \
+ if (ns_cert_type & (type)) { \
+ PRINT_ITEM(name); \
+ } \
+ } while (0)
+
+int mbedtls_x509_info_cert_type(char **buf, size_t *size,
+ unsigned char ns_cert_type)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n = *size;
+ char *p = *buf;
+ const char *sep = "";
+
+ CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client");
+ CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server");
+ CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email");
+ CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing");
+ CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved");
+ CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA");
+ CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA");
+ CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA");
+
+ *size = n;
+ *buf = p;
+
+ return 0;
+}
+
+#define KEY_USAGE(code, name) \
+ do { \
+ if ((key_usage) & (code)) { \
+ PRINT_ITEM(name); \
+ } \
+ } while (0)
+
+int mbedtls_x509_info_key_usage(char **buf, size_t *size,
+ unsigned int key_usage)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n = *size;
+ char *p = *buf;
+ const char *sep = "";
+
+ KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature");
+ KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation");
+ KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment");
+ KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment");
+ KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement");
+ KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign");
+ KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign");
+ KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only");
+ KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only");
+
+ *size = n;
+ *buf = p;
+
+ return 0;
+}
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+#endif /* MBEDTLS_X509_CRT_PARSE_C || MBEDTLS_X509_CSR_PARSE_C */
+#endif /* MBEDTLS_X509_USE_C */
diff --git a/library/x509_create.c b/library/x509_create.c
new file mode 100644
index 0000000..839b5df
--- /dev/null
+++ b/library/x509_create.c
@@ -0,0 +1,563 @@
+/*
+ * X.509 base functions for creating certificates / CSRs
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CREATE_C)
+
+#include "x509_internal.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+#include "mbedtls/platform.h"
+
+#include "mbedtls/asn1.h"
+
+/* Structure linking OIDs for X.509 DN AttributeTypes to their
+ * string representations and default string encodings used by Mbed TLS. */
+typedef struct {
+ const char *name; /* String representation of AttributeType, e.g.
+ * "CN" or "emailAddress". */
+ size_t name_len; /* Length of 'name', without trailing 0 byte. */
+ const char *oid; /* String representation of OID of AttributeType,
+ * as per RFC 5280, Appendix A.1. encoded as per
+ * X.690 */
+ int default_tag; /* The default character encoding used for the
+ * given attribute type, e.g.
+ * MBEDTLS_ASN1_UTF8_STRING for UTF-8. */
+} x509_attr_descriptor_t;
+
+#define ADD_STRLEN(s) s, sizeof(s) - 1
+
+/* X.509 DN attributes from RFC 5280, Appendix A.1. */
+static const x509_attr_descriptor_t x509_attrs[] =
+{
+ { ADD_STRLEN("CN"),
+ MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("commonName"),
+ MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("C"),
+ MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
+ { ADD_STRLEN("countryName"),
+ MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
+ { ADD_STRLEN("O"),
+ MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("organizationName"),
+ MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("L"),
+ MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("locality"),
+ MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("R"),
+ MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
+ { ADD_STRLEN("OU"),
+ MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("organizationalUnitName"),
+ MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("ST"),
+ MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("stateOrProvinceName"),
+ MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("emailAddress"),
+ MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
+ { ADD_STRLEN("serialNumber"),
+ MBEDTLS_OID_AT_SERIAL_NUMBER, MBEDTLS_ASN1_PRINTABLE_STRING },
+ { ADD_STRLEN("postalAddress"),
+ MBEDTLS_OID_AT_POSTAL_ADDRESS, MBEDTLS_ASN1_PRINTABLE_STRING },
+ { ADD_STRLEN("postalCode"),
+ MBEDTLS_OID_AT_POSTAL_CODE, MBEDTLS_ASN1_PRINTABLE_STRING },
+ { ADD_STRLEN("dnQualifier"),
+ MBEDTLS_OID_AT_DN_QUALIFIER, MBEDTLS_ASN1_PRINTABLE_STRING },
+ { ADD_STRLEN("title"),
+ MBEDTLS_OID_AT_TITLE, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("surName"),
+ MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("SN"),
+ MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("givenName"),
+ MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("GN"),
+ MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("initials"),
+ MBEDTLS_OID_AT_INITIALS, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("pseudonym"),
+ MBEDTLS_OID_AT_PSEUDONYM, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("generationQualifier"),
+ MBEDTLS_OID_AT_GENERATION_QUALIFIER, MBEDTLS_ASN1_UTF8_STRING },
+ { ADD_STRLEN("domainComponent"),
+ MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING },
+ { ADD_STRLEN("DC"),
+ MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING },
+ { NULL, 0, NULL, MBEDTLS_ASN1_NULL }
+};
+
+static const x509_attr_descriptor_t *x509_attr_descr_from_name(const char *name, size_t name_len)
+{
+ const x509_attr_descriptor_t *cur;
+
+ for (cur = x509_attrs; cur->name != NULL; cur++) {
+ if (cur->name_len == name_len &&
+ strncmp(cur->name, name, name_len) == 0) {
+ break;
+ }
+ }
+
+ if (cur->name == NULL) {
+ return NULL;
+ }
+
+ return cur;
+}
+
+static int hex_to_int(char c)
+{
+ return ('0' <= c && c <= '9') ? (c - '0') :
+ ('a' <= c && c <= 'f') ? (c - 'a' + 10) :
+ ('A' <= c && c <= 'F') ? (c - 'A' + 10) : -1;
+}
+
+static int hexpair_to_int(const char *hexpair)
+{
+ int n1 = hex_to_int(*hexpair);
+ int n2 = hex_to_int(*(hexpair + 1));
+
+ if (n1 != -1 && n2 != -1) {
+ return (n1 << 4) | n2;
+ } else {
+ return -1;
+ }
+}
+
+static int parse_attribute_value_string(const char *s,
+ int len,
+ unsigned char *data,
+ size_t *data_len)
+{
+ const char *c;
+ const char *end = s + len;
+ unsigned char *d = data;
+ int n;
+
+ for (c = s; c < end; c++) {
+ if (*c == '\\') {
+ c++;
+
+ /* Check for valid escaped characters as per RFC 4514 Section 3 */
+ if (c + 1 < end && (n = hexpair_to_int(c)) != -1) {
+ if (n == 0) {
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ }
+ *(d++) = n;
+ c++;
+ } else if (c < end && strchr(" ,=+<>#;\"\\", *c)) {
+ *(d++) = *c;
+ } else {
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ }
+ } else {
+ *(d++) = *c;
+ }
+
+ if (d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE) {
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ }
+ }
+ *data_len = (size_t) (d - data);
+ return 0;
+}
+
+/** Parse a hexstring containing a DER-encoded string.
+ *
+ * \param s A string of \p len bytes hexadecimal digits.
+ * \param len Number of bytes to read from \p s.
+ * \param data Output buffer of size \p data_size.
+ * On success, it contains the payload that's DER-encoded
+ * in the input (content without the tag and length).
+ * If the DER tag is a string tag, the payload is guaranteed
+ * not to contain null bytes.
+ * \param data_size Length of the \p data buffer.
+ * \param data_len On success, the length of the parsed string.
+ * It is guaranteed to be less than
+ * #MBEDTLS_X509_MAX_DN_NAME_SIZE.
+ * \param tag The ASN.1 tag that the payload in \p data is encoded in.
+ *
+ * \retval 0 on success.
+ * \retval #MBEDTLS_ERR_X509_INVALID_NAME if \p s does not contain
+ * a valid hexstring,
+ * or if the decoded hexstring is not valid DER,
+ * or if the payload does not fit in \p data,
+ * or if the payload is more than
+ * #MBEDTLS_X509_MAX_DN_NAME_SIZE bytes,
+ * of if \p *tag is an ASN.1 string tag and the payload
+ * contains a null byte.
+ * \retval #MBEDTLS_ERR_X509_ALLOC_FAILED on low memory.
+ */
+static int parse_attribute_value_hex_der_encoded(const char *s,
+ size_t len,
+ unsigned char *data,
+ size_t data_size,
+ size_t *data_len,
+ int *tag)
+{
+ /* Step 1: preliminary length checks. */
+ /* Each byte is encoded by exactly two hexadecimal digits. */
+ if (len % 2 != 0) {
+ /* Odd number of hex digits */
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ }
+ size_t const der_length = len / 2;
+ if (der_length > MBEDTLS_X509_MAX_DN_NAME_SIZE + 4) {
+ /* The payload would be more than MBEDTLS_X509_MAX_DN_NAME_SIZE
+ * (after subtracting the ASN.1 tag and length). Reject this early
+ * to avoid allocating a large intermediate buffer. */
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ }
+ if (der_length < 1) {
+ /* Avoid empty-buffer shenanigans. A valid DER encoding is never
+ * empty. */
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ }
+
+ /* Step 2: Decode the hex string into an intermediate buffer. */
+ unsigned char *der = mbedtls_calloc(1, der_length);
+ if (der == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+ /* Beyond this point, der needs to be freed on exit. */
+ for (size_t i = 0; i < der_length; i++) {
+ int c = hexpair_to_int(s + 2 * i);
+ if (c < 0) {
+ goto error;
+ }
+ der[i] = c;
+ }
+
+ /* Step 3: decode the DER. */
+ /* We've checked that der_length >= 1 above. */
+ *tag = der[0];
+ {
+ unsigned char *p = der + 1;
+ if (mbedtls_asn1_get_len(&p, der + der_length, data_len) != 0) {
+ goto error;
+ }
+ /* Now p points to the first byte of the payload inside der,
+ * and *data_len is the length of the payload. */
+
+ /* Step 4: payload validation */
+ if (*data_len > MBEDTLS_X509_MAX_DN_NAME_SIZE) {
+ goto error;
+ }
+ /* Strings must not contain null bytes. */
+ if (MBEDTLS_ASN1_IS_STRING_TAG(*tag)) {
+ for (size_t i = 0; i < *data_len; i++) {
+ if (p[i] == 0) {
+ goto error;
+ }
+ }
+ }
+
+ /* Step 5: output the payload. */
+ if (*data_len > data_size) {
+ goto error;
+ }
+ memcpy(data, p, *data_len);
+ }
+ mbedtls_free(der);
+
+ return 0;
+
+error:
+ mbedtls_free(der);
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+}
+
+int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name)
+{
+ int ret = MBEDTLS_ERR_X509_INVALID_NAME;
+ int parse_ret = 0;
+ const char *s = name, *c = s;
+ const char *end = s + strlen(s);
+ mbedtls_asn1_buf oid = { .p = NULL, .len = 0, .tag = MBEDTLS_ASN1_NULL };
+ const x509_attr_descriptor_t *attr_descr = NULL;
+ int in_attr_type = 1;
+ int tag;
+ int numericoid = 0;
+ unsigned char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
+ size_t data_len = 0;
+
+ /* Clear existing chain if present */
+ mbedtls_asn1_free_named_data_list(head);
+
+ while (c <= end) {
+ if (in_attr_type && *c == '=') {
+ if ((attr_descr = x509_attr_descr_from_name(s, (size_t) (c - s))) == NULL) {
+ if ((mbedtls_oid_from_numeric_string(&oid, s, (size_t) (c - s))) != 0) {
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ } else {
+ numericoid = 1;
+ }
+ } else {
+ oid.len = strlen(attr_descr->oid);
+ oid.p = mbedtls_calloc(1, oid.len);
+ memcpy(oid.p, attr_descr->oid, oid.len);
+ numericoid = 0;
+ }
+
+ s = c + 1;
+ in_attr_type = 0;
+ }
+
+ if (!in_attr_type && ((*c == ',' && *(c-1) != '\\') || c == end)) {
+ if (s == c) {
+ mbedtls_free(oid.p);
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ } else if (*s == '#') {
+ /* We know that c >= s (loop invariant) and c != s (in this
+ * else branch), hence c - s - 1 >= 0. */
+ parse_ret = parse_attribute_value_hex_der_encoded(
+ s + 1, (size_t) (c - s) - 1,
+ data, sizeof(data), &data_len, &tag);
+ if (parse_ret != 0) {
+ mbedtls_free(oid.p);
+ return parse_ret;
+ }
+ } else {
+ if (numericoid) {
+ mbedtls_free(oid.p);
+ return MBEDTLS_ERR_X509_INVALID_NAME;
+ } else {
+ if ((parse_ret =
+ parse_attribute_value_string(s, (int) (c - s), data,
+ &data_len)) != 0) {
+ mbedtls_free(oid.p);
+ return parse_ret;
+ }
+ tag = attr_descr->default_tag;
+ }
+ }
+
+ mbedtls_asn1_named_data *cur =
+ mbedtls_asn1_store_named_data(head, (char *) oid.p, oid.len,
+ (unsigned char *) data,
+ data_len);
+ mbedtls_free(oid.p);
+ oid.p = NULL;
+ if (cur == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ // set tagType
+ cur->val.tag = tag;
+
+ while (c < end && *(c + 1) == ' ') {
+ c++;
+ }
+
+ s = c + 1;
+ in_attr_type = 1;
+
+ /* Successfully parsed one name, update ret to success */
+ ret = 0;
+ }
+ c++;
+ }
+ if (oid.p != NULL) {
+ mbedtls_free(oid.p);
+ }
+ return ret;
+}
+
+/* The first byte of the value in the mbedtls_asn1_named_data structure is reserved
+ * to store the critical boolean for us
+ */
+int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+ int critical, const unsigned char *val, size_t val_len)
+{
+ mbedtls_asn1_named_data *cur;
+
+ if (val_len > (SIZE_MAX - 1)) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ if ((cur = mbedtls_asn1_store_named_data(head, oid, oid_len,
+ NULL, val_len + 1)) == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ cur->val.p[0] = critical;
+ memcpy(cur->val.p + 1, val, val_len);
+
+ return 0;
+}
+
+/*
+ * RelativeDistinguishedName ::=
+ * SET OF AttributeTypeAndValue
+ *
+ * AttributeTypeAndValue ::= SEQUENCE {
+ * type AttributeType,
+ * value AttributeValue }
+ *
+ * AttributeType ::= OBJECT IDENTIFIER
+ *
+ * AttributeValue ::= ANY DEFINED BY AttributeType
+ */
+static int x509_write_name(unsigned char **p,
+ unsigned char *start,
+ mbedtls_asn1_named_data *cur_name)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+ const char *oid = (const char *) cur_name->oid.p;
+ size_t oid_len = cur_name->oid.len;
+ const unsigned char *name = cur_name->val.p;
+ size_t name_len = cur_name->val.len;
+
+ // Write correct string tag and value
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tagged_string(p, start,
+ cur_name->val.tag,
+ (const char *) name,
+ name_len));
+ // Write OID
+ //
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid,
+ oid_len));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SET));
+
+ return (int) len;
+}
+
+int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
+ mbedtls_asn1_named_data *first)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+ mbedtls_asn1_named_data *cur = first;
+
+ while (cur != NULL) {
+ MBEDTLS_ASN1_CHK_ADD(len, x509_write_name(p, start, cur));
+ cur = cur->next;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+
+int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
+ const char *oid, size_t oid_len,
+ unsigned char *sig, size_t size,
+ mbedtls_pk_type_t pk_alg)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int write_null_par;
+ size_t len = 0;
+
+ if (*p < start || (size_t) (*p - start) < size) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ len = size;
+ (*p) -= len;
+ memcpy(*p, sig, len);
+
+ if (*p - start < 1) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
+
+ *--(*p) = 0;
+ len += 1;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_BIT_STRING));
+
+ // Write OID
+ //
+ if (pk_alg == MBEDTLS_PK_ECDSA) {
+ /*
+ * The AlgorithmIdentifier's parameters field must be absent for DSA/ECDSA signature
+ * algorithms, see https://www.rfc-editor.org/rfc/rfc5480#page-17 and
+ * https://www.rfc-editor.org/rfc/rfc5758#section-3.
+ */
+ write_null_par = 0;
+ } else {
+ write_null_par = 1;
+ }
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_algorithm_identifier_ext(p, start, oid, oid_len,
+ 0, write_null_par));
+
+ return (int) len;
+}
+
+static int x509_write_extension(unsigned char **p, unsigned char *start,
+ mbedtls_asn1_named_data *ext)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start, ext->val.p + 1,
+ ext->val.len - 1));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, ext->val.len - 1));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_OCTET_STRING));
+
+ if (ext->val.p[0] != 0) {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_bool(p, start, 1));
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start, ext->oid.p,
+ ext->oid.len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, ext->oid.len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_OID));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+
+/*
+ * Extension ::= SEQUENCE {
+ * extnID OBJECT IDENTIFIER,
+ * critical BOOLEAN DEFAULT FALSE,
+ * extnValue OCTET STRING
+ * -- contains the DER encoding of an ASN.1 value
+ * -- corresponding to the extension type identified
+ * -- by extnID
+ * }
+ */
+int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start,
+ mbedtls_asn1_named_data *first)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+ mbedtls_asn1_named_data *cur_ext = first;
+
+ while (cur_ext != NULL) {
+ MBEDTLS_ASN1_CHK_ADD(len, x509_write_extension(p, start, cur_ext));
+ cur_ext = cur_ext->next;
+ }
+
+ return (int) len;
+}
+
+#endif /* MBEDTLS_X509_CREATE_C */
diff --git a/library/x509_crl.c b/library/x509_crl.c
new file mode 100644
index 0000000..7901992
--- /dev/null
+++ b/library/x509_crl.c
@@ -0,0 +1,713 @@
+/*
+ * X.509 Certificate Revocation List (CRL) parsing
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+
+#include "mbedtls/x509_crl.h"
+#include "x509_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_HAVE_TIME)
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#include <windows.h>
+#else
+#include <time.h>
+#endif
+#endif
+
+#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
+#include <stdio.h>
+#endif
+
+/*
+ * Version ::= INTEGER { v1(0), v2(1) }
+ */
+static int x509_crl_get_version(unsigned char **p,
+ const unsigned char *end,
+ int *ver)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ *ver = 0;
+ return 0;
+ }
+
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * X.509 CRL v2 extensions
+ *
+ * We currently don't parse any extension's content, but we do check that the
+ * list of extensions is well-formed and abort on critical extensions (that
+ * are unsupported as we don't support any extension so far)
+ */
+static int x509_get_crl_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_buf *ext)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (*p == end) {
+ return 0;
+ }
+
+ /*
+ * crlExtensions [0] EXPLICIT Extensions OPTIONAL
+ * -- if present, version MUST be v2
+ */
+ if ((ret = mbedtls_x509_get_ext(p, end, ext, 0)) != 0) {
+ return ret;
+ }
+
+ end = ext->p + ext->len;
+
+ while (*p < end) {
+ /*
+ * Extension ::= SEQUENCE {
+ * extnID OBJECT IDENTIFIER,
+ * critical BOOLEAN DEFAULT FALSE,
+ * extnValue OCTET STRING }
+ */
+ int is_critical = 0;
+ const unsigned char *end_ext_data;
+ size_t len;
+
+ /* Get enclosing sequence tag */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ end_ext_data = *p + len;
+
+ /* Get OID (currently ignored) */
+ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
+ MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ *p += len;
+
+ /* Get optional critical */
+ if ((ret = mbedtls_asn1_get_bool(p, end_ext_data,
+ &is_critical)) != 0 &&
+ (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ /* Data should be octet string type */
+ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ /* Ignore data so far and just check its length */
+ *p += len;
+ if (*p != end_ext_data) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /* Abort on (unsupported) critical extensions */
+ if (is_critical) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * X.509 CRL v2 entry extensions (no extensions parsed yet.)
+ */
+static int x509_get_crl_entry_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_buf *ext)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ /* OPTIONAL */
+ if (end <= *p) {
+ return 0;
+ }
+
+ ext->tag = **p;
+ ext->p = *p;
+
+ /*
+ * Get CRL-entry extension sequence header
+ * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
+ */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &ext->len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ ext->p = NULL;
+ return 0;
+ }
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ end = *p + ext->len;
+
+ if (end != *p + ext->len) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ while (*p < end) {
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ *p += len;
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * X.509 CRL Entries
+ */
+static int x509_get_entries(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_crl_entry *entry)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t entry_len;
+ mbedtls_x509_crl_entry *cur_entry = entry;
+
+ if (*p == end) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &entry_len,
+ MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED)) != 0) {
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return 0;
+ }
+
+ return ret;
+ }
+
+ end = *p + entry_len;
+
+ while (*p < end) {
+ size_t len2;
+ const unsigned char *end2;
+
+ cur_entry->raw.tag = **p;
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len2,
+ MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED)) != 0) {
+ return ret;
+ }
+
+ cur_entry->raw.p = *p;
+ cur_entry->raw.len = len2;
+ end2 = *p + len2;
+
+ if ((ret = mbedtls_x509_get_serial(p, end2, &cur_entry->serial)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_x509_get_time(p, end2,
+ &cur_entry->revocation_date)) != 0) {
+ return ret;
+ }
+
+ if ((ret = x509_get_crl_entry_ext(p, end2,
+ &cur_entry->entry_ext)) != 0) {
+ return ret;
+ }
+
+ if (*p < end) {
+ cur_entry->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crl_entry));
+
+ if (cur_entry->next == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ cur_entry = cur_entry->next;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Parse one CRLs in DER format and append it to the chained list
+ */
+int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
+ const unsigned char *buf, size_t buflen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ unsigned char *p = NULL, *end = NULL;
+ mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
+ mbedtls_x509_crl *crl = chain;
+
+ /*
+ * Check for valid input
+ */
+ if (crl == NULL || buf == NULL) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ memset(&sig_params1, 0, sizeof(mbedtls_x509_buf));
+ memset(&sig_params2, 0, sizeof(mbedtls_x509_buf));
+ memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf));
+
+ /*
+ * Add new CRL on the end of the chain if needed.
+ */
+ while (crl->version != 0 && crl->next != NULL) {
+ crl = crl->next;
+ }
+
+ if (crl->version != 0 && crl->next == NULL) {
+ crl->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crl));
+
+ if (crl->next == NULL) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ mbedtls_x509_crl_init(crl->next);
+ crl = crl->next;
+ }
+
+ /*
+ * Copy raw DER-encoded CRL
+ */
+ if (buflen == 0) {
+ return MBEDTLS_ERR_X509_INVALID_FORMAT;
+ }
+
+ p = mbedtls_calloc(1, buflen);
+ if (p == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ memcpy(p, buf, buflen);
+
+ crl->raw.p = p;
+ crl->raw.len = buflen;
+
+ end = p + buflen;
+
+ /*
+ * CertificateList ::= SEQUENCE {
+ * tbsCertList TBSCertList,
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signatureValue BIT STRING }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERR_X509_INVALID_FORMAT;
+ }
+
+ if (len != (size_t) (end - p)) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * TBSCertList ::= SEQUENCE {
+ */
+ crl->tbs.p = p;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ end = p + len;
+ crl->tbs.len = (size_t) (end - crl->tbs.p);
+
+ /*
+ * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
+ * -- if present, MUST be v2
+ *
+ * signature AlgorithmIdentifier
+ */
+ if ((ret = x509_crl_get_version(&p, end, &crl->version)) != 0 ||
+ (ret = mbedtls_x509_get_alg(&p, end, &crl->sig_oid, &sig_params1)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return ret;
+ }
+
+ if (crl->version < 0 || crl->version > 1) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERR_X509_UNKNOWN_VERSION;
+ }
+
+ crl->version++;
+
+ if ((ret = mbedtls_x509_get_sig_alg(&crl->sig_oid, &sig_params1,
+ &crl->sig_md, &crl->sig_pk,
+ &crl->sig_opts)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
+ }
+
+ /*
+ * issuer Name
+ */
+ crl->issuer_raw.p = p;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ if ((ret = mbedtls_x509_get_name(&p, p + len, &crl->issuer)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return ret;
+ }
+
+ crl->issuer_raw.len = (size_t) (p - crl->issuer_raw.p);
+
+ /*
+ * thisUpdate Time
+ * nextUpdate Time OPTIONAL
+ */
+ if ((ret = mbedtls_x509_get_time(&p, end, &crl->this_update)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return ret;
+ }
+
+ if ((ret = mbedtls_x509_get_time(&p, end, &crl->next_update)) != 0) {
+ if (ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) &&
+ ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA))) {
+ mbedtls_x509_crl_free(crl);
+ return ret;
+ }
+ }
+
+ /*
+ * revokedCertificates SEQUENCE OF SEQUENCE {
+ * userCertificate CertificateSerialNumber,
+ * revocationDate Time,
+ * crlEntryExtensions Extensions OPTIONAL
+ * -- if present, MUST be v2
+ * } OPTIONAL
+ */
+ if ((ret = x509_get_entries(&p, end, &crl->entry)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return ret;
+ }
+
+ /*
+ * crlExtensions EXPLICIT Extensions OPTIONAL
+ * -- if present, MUST be v2
+ */
+ if (crl->version == 2) {
+ ret = x509_get_crl_ext(&p, end, &crl->crl_ext);
+
+ if (ret != 0) {
+ mbedtls_x509_crl_free(crl);
+ return ret;
+ }
+ }
+
+ if (p != end) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ end = crl->raw.p + crl->raw.len;
+
+ /*
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signatureValue BIT STRING
+ */
+ if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return ret;
+ }
+
+ if (crl->sig_oid.len != sig_oid2.len ||
+ memcmp(crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len) != 0 ||
+ sig_params1.len != sig_params2.len ||
+ (sig_params1.len != 0 &&
+ memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERR_X509_SIG_MISMATCH;
+ }
+
+ if ((ret = mbedtls_x509_get_sig(&p, end, &crl->sig)) != 0) {
+ mbedtls_x509_crl_free(crl);
+ return ret;
+ }
+
+ if (p != end) {
+ mbedtls_x509_crl_free(crl);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse one or more CRLs and add them to the chained list
+ */
+int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t use_len = 0;
+ mbedtls_pem_context pem;
+ int is_pem = 0;
+
+ if (chain == NULL || buf == NULL) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ do {
+ mbedtls_pem_init(&pem);
+
+ // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
+ // string
+ if (buflen == 0 || buf[buflen - 1] != '\0') {
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ } else {
+ ret = mbedtls_pem_read_buffer(&pem,
+ "-----BEGIN X509 CRL-----",
+ "-----END X509 CRL-----",
+ buf, NULL, 0, &use_len);
+ }
+
+ if (ret == 0) {
+ /*
+ * Was PEM encoded
+ */
+ is_pem = 1;
+
+ buflen -= use_len;
+ buf += use_len;
+
+ if ((ret = mbedtls_x509_crl_parse_der(chain,
+ pem.buf, pem.buflen)) != 0) {
+ mbedtls_pem_free(&pem);
+ return ret;
+ }
+ } else if (is_pem) {
+ mbedtls_pem_free(&pem);
+ return ret;
+ }
+
+ mbedtls_pem_free(&pem);
+ }
+ /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
+ * And a valid CRL cannot be less than 1 byte anyway. */
+ while (is_pem && buflen > 1);
+
+ if (is_pem) {
+ return 0;
+ } else
+#endif /* MBEDTLS_PEM_PARSE_C */
+ return mbedtls_x509_crl_parse_der(chain, buf, buflen);
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load one or more CRLs and add them to the chained list
+ */
+int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ unsigned char *buf;
+
+ if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_x509_crl_parse(chain, buf, n);
+
+ mbedtls_zeroize_and_free(buf, n);
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+/*
+ * Return an informational string about the certificate.
+ */
+#define BEFORE_COLON 14
+#define BC "14"
+/*
+ * Return an informational string about the CRL.
+ */
+int mbedtls_x509_crl_info(char *buf, size_t size, const char *prefix,
+ const mbedtls_x509_crl *crl)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ char *p;
+ const mbedtls_x509_crl_entry *entry;
+
+ p = buf;
+ n = size;
+
+ ret = mbedtls_snprintf(p, n, "%sCRL version : %d",
+ prefix, crl->version);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%sissuer name : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret = mbedtls_x509_dn_gets(p, n, &crl->issuer);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%sthis update : " \
+ "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+ crl->this_update.year, crl->this_update.mon,
+ crl->this_update.day, crl->this_update.hour,
+ crl->this_update.min, crl->this_update.sec);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%snext update : " \
+ "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+ crl->next_update.year, crl->next_update.mon,
+ crl->next_update.day, crl->next_update.hour,
+ crl->next_update.min, crl->next_update.sec);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ entry = &crl->entry;
+
+ ret = mbedtls_snprintf(p, n, "\n%sRevoked certificates:",
+ prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ while (entry != NULL && entry->raw.len != 0) {
+ ret = mbedtls_snprintf(p, n, "\n%sserial number: ",
+ prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_x509_serial_gets(p, n, &entry->serial);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, " revocation date: " \
+ "%04d-%02d-%02d %02d:%02d:%02d",
+ entry->revocation_date.year, entry->revocation_date.mon,
+ entry->revocation_date.day, entry->revocation_date.hour,
+ entry->revocation_date.min, entry->revocation_date.sec);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ entry = entry->next;
+ }
+
+ ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_x509_sig_alg_gets(p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
+ crl->sig_opts);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ return (int) (size - n);
+}
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
+/*
+ * Initialize a CRL chain
+ */
+void mbedtls_x509_crl_init(mbedtls_x509_crl *crl)
+{
+ memset(crl, 0, sizeof(mbedtls_x509_crl));
+}
+
+/*
+ * Unallocate all CRL data
+ */
+void mbedtls_x509_crl_free(mbedtls_x509_crl *crl)
+{
+ mbedtls_x509_crl *crl_cur = crl;
+ mbedtls_x509_crl *crl_prv;
+ mbedtls_x509_crl_entry *entry_cur;
+ mbedtls_x509_crl_entry *entry_prv;
+
+ while (crl_cur != NULL) {
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ mbedtls_free(crl_cur->sig_opts);
+#endif
+
+ mbedtls_asn1_free_named_data_list_shallow(crl_cur->issuer.next);
+
+ entry_cur = crl_cur->entry.next;
+ while (entry_cur != NULL) {
+ entry_prv = entry_cur;
+ entry_cur = entry_cur->next;
+ mbedtls_zeroize_and_free(entry_prv,
+ sizeof(mbedtls_x509_crl_entry));
+ }
+
+ if (crl_cur->raw.p != NULL) {
+ mbedtls_zeroize_and_free(crl_cur->raw.p, crl_cur->raw.len);
+ }
+
+ crl_prv = crl_cur;
+ crl_cur = crl_cur->next;
+
+ mbedtls_platform_zeroize(crl_prv, sizeof(mbedtls_x509_crl));
+ if (crl_prv != crl) {
+ mbedtls_free(crl_prv);
+ }
+ }
+}
+
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
diff --git a/library/x509_crt.c b/library/x509_crt.c
new file mode 100644
index 0000000..2fd56fb
--- /dev/null
+++ b/library/x509_crt.c
@@ -0,0 +1,3301 @@
+/*
+ * X.509 certificate parsing and verification
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ *
+ * [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "x509_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "psa_util_internal.h"
+#include "mbedtls/psa_util.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#include "pk_internal.h"
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#else
+#include <time.h>
+#endif
+#endif
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
+#include <sys/types.h>
+#include <sys/stat.h>
+#if defined(__MBED__)
+#include <platform/mbed_retarget.h>
+#else
+#include <dirent.h>
+#endif /* __MBED__ */
+#include <errno.h>
+#endif /* !_WIN32 || EFIX64 || EFI32 */
+#endif
+
+/*
+ * Item in a verification chain: cert and flags for it
+ */
+typedef struct {
+ mbedtls_x509_crt *crt;
+ uint32_t flags;
+} x509_crt_verify_chain_item;
+
+/*
+ * Max size of verification chain: end-entity + intermediates + trusted root
+ */
+#define X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
+
+/* Default profile. Do not remove items unless there are serious security
+ * concerns. */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
+{
+ /* Hashes from SHA-256 and above. Note that this selection
+ * should be aligned with ssl_preset_default_hashes in ssl_tls.c. */
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
+ 0xFFFFFFF, /* Any PK alg */
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ /* Curves at or above 128-bit security level. Note that this selection
+ * should be aligned with ssl_preset_default_curves in ssl_tls.c. */
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
+ 0,
+#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ 0,
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ 2048,
+};
+
+/* Next-generation profile. Currently identical to the default, but may
+ * be tightened at any time. */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
+{
+ /* Hashes from SHA-256 and above. */
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
+ 0xFFFFFFF, /* Any PK alg */
+#if defined(MBEDTLS_ECP_C)
+ /* Curves at or above 128-bit security level. */
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256K1),
+#else
+ 0,
+#endif
+ 2048,
+};
+
+/*
+ * NSA Suite B Profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
+{
+ /* Only SHA-256 and 384 */
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384),
+ /* Only ECDSA */
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECDSA) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECKEY),
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ /* Only NIST P-256 and P-384 */
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
+ MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1),
+#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ 0,
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+ 0,
+};
+
+/*
+ * Empty / all-forbidden profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none =
+{
+ 0,
+ 0,
+ 0,
+ (uint32_t) -1,
+};
+
+/*
+ * Check md_alg against profile
+ * Return 0 if md_alg is acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_md_alg(const mbedtls_x509_crt_profile *profile,
+ mbedtls_md_type_t md_alg)
+{
+ if (md_alg == MBEDTLS_MD_NONE) {
+ return -1;
+ }
+
+ if ((profile->allowed_mds & MBEDTLS_X509_ID_FLAG(md_alg)) != 0) {
+ return 0;
+ }
+
+ return -1;
+}
+
+/*
+ * Check pk_alg against profile
+ * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_pk_alg(const mbedtls_x509_crt_profile *profile,
+ mbedtls_pk_type_t pk_alg)
+{
+ if (pk_alg == MBEDTLS_PK_NONE) {
+ return -1;
+ }
+
+ if ((profile->allowed_pks & MBEDTLS_X509_ID_FLAG(pk_alg)) != 0) {
+ return 0;
+ }
+
+ return -1;
+}
+
+/*
+ * Check key against profile
+ * Return 0 if pk is acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
+ const mbedtls_pk_context *pk)
+{
+ const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type(pk);
+
+#if defined(MBEDTLS_RSA_C)
+ if (pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS) {
+ if (mbedtls_pk_get_bitlen(pk) >= profile->rsa_min_bitlen) {
+ return 0;
+ }
+
+ return -1;
+ }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
+ if (pk_alg == MBEDTLS_PK_ECDSA ||
+ pk_alg == MBEDTLS_PK_ECKEY ||
+ pk_alg == MBEDTLS_PK_ECKEY_DH) {
+ const mbedtls_ecp_group_id gid = mbedtls_pk_get_ec_group_id(pk);
+
+ if (gid == MBEDTLS_ECP_DP_NONE) {
+ return -1;
+ }
+
+ if ((profile->allowed_curves & MBEDTLS_X509_ID_FLAG(gid)) != 0) {
+ return 0;
+ }
+
+ return -1;
+ }
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
+ return -1;
+}
+
+/*
+ * Like memcmp, but case-insensitive and always returns -1 if different
+ */
+static int x509_memcasecmp(const void *s1, const void *s2, size_t len)
+{
+ size_t i;
+ unsigned char diff;
+ const unsigned char *n1 = s1, *n2 = s2;
+
+ for (i = 0; i < len; i++) {
+ diff = n1[i] ^ n2[i];
+
+ if (diff == 0) {
+ continue;
+ }
+
+ if (diff == 32 &&
+ ((n1[i] >= 'a' && n1[i] <= 'z') ||
+ (n1[i] >= 'A' && n1[i] <= 'Z'))) {
+ continue;
+ }
+
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Return 0 if name matches wildcard, -1 otherwise
+ */
+static int x509_check_wildcard(const char *cn, const mbedtls_x509_buf *name)
+{
+ size_t i;
+ size_t cn_idx = 0, cn_len = strlen(cn);
+
+ /* We can't have a match if there is no wildcard to match */
+ if (name->len < 3 || name->p[0] != '*' || name->p[1] != '.') {
+ return -1;
+ }
+
+ for (i = 0; i < cn_len; ++i) {
+ if (cn[i] == '.') {
+ cn_idx = i;
+ break;
+ }
+ }
+
+ if (cn_idx == 0) {
+ return -1;
+ }
+
+ if (cn_len - cn_idx == name->len - 1 &&
+ x509_memcasecmp(name->p + 1, cn + cn_idx, name->len - 1) == 0) {
+ return 0;
+ }
+
+ return -1;
+}
+
+/*
+ * Compare two X.509 strings, case-insensitive, and allowing for some encoding
+ * variations (but not all).
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_string_cmp(const mbedtls_x509_buf *a, const mbedtls_x509_buf *b)
+{
+ if (a->tag == b->tag &&
+ a->len == b->len &&
+ memcmp(a->p, b->p, b->len) == 0) {
+ return 0;
+ }
+
+ if ((a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING) &&
+ (b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING) &&
+ a->len == b->len &&
+ x509_memcasecmp(a->p, b->p, b->len) == 0) {
+ return 0;
+ }
+
+ return -1;
+}
+
+/*
+ * Compare two X.509 Names (aka rdnSequence).
+ *
+ * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
+ * we sometimes return unequal when the full algorithm would return equal,
+ * but never the other way. (In particular, we don't do Unicode normalisation
+ * or space folding.)
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_name_cmp(const mbedtls_x509_name *a, const mbedtls_x509_name *b)
+{
+ /* Avoid recursion, it might not be optimised by the compiler */
+ while (a != NULL || b != NULL) {
+ if (a == NULL || b == NULL) {
+ return -1;
+ }
+
+ /* type */
+ if (a->oid.tag != b->oid.tag ||
+ a->oid.len != b->oid.len ||
+ memcmp(a->oid.p, b->oid.p, b->oid.len) != 0) {
+ return -1;
+ }
+
+ /* value */
+ if (x509_string_cmp(&a->val, &b->val) != 0) {
+ return -1;
+ }
+
+ /* structure of the list of sets */
+ if (a->next_merged != b->next_merged) {
+ return -1;
+ }
+
+ a = a->next;
+ b = b->next;
+ }
+
+ /* a == NULL == b */
+ return 0;
+}
+
+/*
+ * Reset (init or clear) a verify_chain
+ */
+static void x509_crt_verify_chain_reset(
+ mbedtls_x509_crt_verify_chain *ver_chain)
+{
+ size_t i;
+
+ for (i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++) {
+ ver_chain->items[i].crt = NULL;
+ ver_chain->items[i].flags = (uint32_t) -1;
+ }
+
+ ver_chain->len = 0;
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+ ver_chain->trust_ca_cb_result = NULL;
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+}
+
+/*
+ * Version ::= INTEGER { v1(0), v2(1), v3(2) }
+ */
+static int x509_get_version(unsigned char **p,
+ const unsigned char *end,
+ int *ver)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 0)) != 0) {
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ *ver = 0;
+ return 0;
+ }
+
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ end = *p + len;
+
+ if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret);
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Validity ::= SEQUENCE {
+ * notBefore Time,
+ * notAfter Time }
+ */
+static int x509_get_dates(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_time *from,
+ mbedtls_x509_time *to)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE, ret);
+ }
+
+ end = *p + len;
+
+ if ((ret = mbedtls_x509_get_time(p, end, from)) != 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_x509_get_time(p, end, to)) != 0) {
+ return ret;
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * X.509 v2/v3 unique identifier (not parsed)
+ */
+static int x509_get_uid(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_buf *uid, int n)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if (*p == end) {
+ return 0;
+ }
+
+ uid->tag = **p;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &uid->len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ n)) != 0) {
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return 0;
+ }
+
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ uid->p = *p;
+ *p += uid->len;
+
+ return 0;
+}
+
+static int x509_get_basic_constraints(unsigned char **p,
+ const unsigned char *end,
+ int *ca_istrue,
+ int *max_pathlen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+
+ /*
+ * BasicConstraints ::= SEQUENCE {
+ * cA BOOLEAN DEFAULT FALSE,
+ * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+ */
+ *ca_istrue = 0; /* DEFAULT FALSE */
+ *max_pathlen = 0; /* endless */
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*p == end) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_asn1_get_bool(p, end, ca_istrue)) != 0) {
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ ret = mbedtls_asn1_get_int(p, end, ca_istrue);
+ }
+
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*ca_istrue != 0) {
+ *ca_istrue = 1;
+ }
+ }
+
+ if (*p == end) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_asn1_get_int(p, end, max_pathlen)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
+ * overflow, which is an undefined behavior. */
+ if (*max_pathlen == INT_MAX) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+ }
+
+ (*max_pathlen)++;
+
+ return 0;
+}
+
+/*
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ * KeyPurposeId ::= OBJECT IDENTIFIER
+ */
+static int x509_get_ext_key_usage(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *ext_key_usage)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_asn1_get_sequence_of(p, end, ext_key_usage, MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ /* Sequence length must be >= 1 */
+ if (ext_key_usage->buf.p == NULL) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_LENGTH);
+ }
+
+ return 0;
+}
+
+/*
+ * SubjectKeyIdentifier ::= KeyIdentifier
+ *
+ * KeyIdentifier ::= OCTET STRING
+ */
+static int x509_get_subject_key_id(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_buf *subject_key_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0u;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ subject_key_id->len = len;
+ subject_key_id->tag = MBEDTLS_ASN1_OCTET_STRING;
+ subject_key_id->p = *p;
+ *p += len;
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * AuthorityKeyIdentifier ::= SEQUENCE {
+ * keyIdentifier [0] KeyIdentifier OPTIONAL,
+ * authorityCertIssuer [1] GeneralNames OPTIONAL,
+ * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
+ *
+ * KeyIdentifier ::= OCTET STRING
+ */
+static int x509_get_authority_key_id(unsigned char **p,
+ unsigned char *end,
+ mbedtls_x509_authority *authority_key_id)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0u;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+
+ /* KeyIdentifier is an OPTIONAL field */
+ if (ret == 0) {
+ authority_key_id->keyIdentifier.len = len;
+ authority_key_id->keyIdentifier.p = *p;
+ /* Setting tag of the keyIdentfier intentionally to 0x04.
+ * Although the .keyIdentfier field is CONTEXT_SPECIFIC ([0] OPTIONAL),
+ * its tag with the content is the payload of on OCTET STRING primitive */
+ authority_key_id->keyIdentifier.tag = MBEDTLS_ASN1_OCTET_STRING;
+
+ *p += len;
+ } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*p < end) {
+ /* Getting authorityCertIssuer using the required specific class tag [1] */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
+ 1)) != 0) {
+ /* authorityCertIssuer and authorityCertSerialNumber MUST both
+ be present or both be absent. At this point we expect to have both. */
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ /* "end" also includes the CertSerialNumber field so "len" shall be used */
+ ret = mbedtls_x509_get_subject_alt_name_ext(p,
+ (*p+len),
+ &authority_key_id->authorityCertIssuer);
+ if (ret != 0) {
+ return ret;
+ }
+
+ /* Getting authorityCertSerialNumber using the required specific class tag [2] */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ authority_key_id->authorityCertSerialNumber.len = len;
+ authority_key_id->authorityCertSerialNumber.p = *p;
+ authority_key_id->authorityCertSerialNumber.tag = MBEDTLS_ASN1_INTEGER;
+ *p += len;
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+
+ return 0;
+}
+
+/*
+ * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
+ *
+ * anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
+ *
+ * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ * PolicyInformation ::= SEQUENCE {
+ * policyIdentifier CertPolicyId,
+ * policyQualifiers SEQUENCE SIZE (1..MAX) OF
+ * PolicyQualifierInfo OPTIONAL }
+ *
+ * CertPolicyId ::= OBJECT IDENTIFIER
+ *
+ * PolicyQualifierInfo ::= SEQUENCE {
+ * policyQualifierId PolicyQualifierId,
+ * qualifier ANY DEFINED BY policyQualifierId }
+ *
+ * -- policyQualifierIds for Internet policy qualifiers
+ *
+ * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+ * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
+ * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
+ *
+ * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+ *
+ * Qualifier ::= CHOICE {
+ * cPSuri CPSuri,
+ * userNotice UserNotice }
+ *
+ * CPSuri ::= IA5String
+ *
+ * UserNotice ::= SEQUENCE {
+ * noticeRef NoticeReference OPTIONAL,
+ * explicitText DisplayText OPTIONAL }
+ *
+ * NoticeReference ::= SEQUENCE {
+ * organization DisplayText,
+ * noticeNumbers SEQUENCE OF INTEGER }
+ *
+ * DisplayText ::= CHOICE {
+ * ia5String IA5String (SIZE (1..200)),
+ * visibleString VisibleString (SIZE (1..200)),
+ * bmpString BMPString (SIZE (1..200)),
+ * utf8String UTF8String (SIZE (1..200)) }
+ *
+ * NOTE: we only parse and use anyPolicy without qualifiers at this point
+ * as defined in RFC 5280.
+ */
+static int x509_get_certificate_policies(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *certificate_policies)
+{
+ int ret, parse_ret = 0;
+ size_t len;
+ mbedtls_asn1_buf *buf;
+ mbedtls_asn1_sequence *cur = certificate_policies;
+
+ /* Get main sequence tag */
+ ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if (*p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * Cannot be an empty sequence.
+ */
+ if (len == 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ while (*p < end) {
+ mbedtls_x509_buf policy_oid;
+ const unsigned char *policy_end;
+
+ /*
+ * Get the policy sequence
+ */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ policy_end = *p + len;
+
+ if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
+ MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ policy_oid.tag = MBEDTLS_ASN1_OID;
+ policy_oid.len = len;
+ policy_oid.p = *p;
+
+ /*
+ * Only AnyPolicy is currently supported when enforcing policy.
+ */
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_POLICY, &policy_oid) != 0) {
+ /*
+ * Set the parsing return code but continue parsing, in case this
+ * extension is critical.
+ */
+ parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ }
+
+ /* Allocate and assign next pointer */
+ if (cur->buf.p != NULL) {
+ if (cur->next != NULL) {
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
+ }
+
+ cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
+
+ if (cur->next == NULL) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_ALLOC_FAILED);
+ }
+
+ cur = cur->next;
+ }
+
+ buf = &(cur->buf);
+ buf->tag = policy_oid.tag;
+ buf->p = policy_oid.p;
+ buf->len = policy_oid.len;
+
+ *p += len;
+
+ /*
+ * If there is an optional qualifier, then *p < policy_end
+ * Check the Qualifier len to verify it doesn't exceed policy_end.
+ */
+ if (*p < policy_end) {
+ if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) !=
+ 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ /*
+ * Skip the optional policy qualifiers.
+ */
+ *p += len;
+ }
+
+ if (*p != policy_end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+ }
+
+ /* Set final sequence entry's next pointer to NULL */
+ cur->next = NULL;
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return parse_ret;
+}
+
+/*
+ * X.509 v3 extensions
+ *
+ */
+static int x509_get_crt_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_crt *crt,
+ mbedtls_x509_crt_ext_cb_t cb,
+ void *p_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ unsigned char *end_ext_data, *start_ext_octet, *end_ext_octet;
+
+ if (*p == end) {
+ return 0;
+ }
+
+ if ((ret = mbedtls_x509_get_ext(p, end, &crt->v3_ext, 3)) != 0) {
+ return ret;
+ }
+
+ end = crt->v3_ext.p + crt->v3_ext.len;
+ while (*p < end) {
+ /*
+ * Extension ::= SEQUENCE {
+ * extnID OBJECT IDENTIFIER,
+ * critical BOOLEAN DEFAULT FALSE,
+ * extnValue OCTET STRING }
+ */
+ mbedtls_x509_buf extn_oid = { 0, 0, NULL };
+ int is_critical = 0; /* DEFAULT FALSE */
+ int ext_type = 0;
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ end_ext_data = *p + len;
+
+ /* Get extension ID */
+ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
+ MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ extn_oid.tag = MBEDTLS_ASN1_OID;
+ extn_oid.p = *p;
+ *p += extn_oid.len;
+
+ /* Get optional critical */
+ if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
+ (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ /* Data should be octet string type */
+ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ start_ext_octet = *p;
+ end_ext_octet = *p + len;
+
+ if (end_ext_octet != end_ext_data) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * Detect supported extensions
+ */
+ ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
+
+ if (ret != 0) {
+ /* Give the callback (if any) a chance to handle the extension */
+ if (cb != NULL) {
+ ret = cb(p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet);
+ if (ret != 0 && is_critical) {
+ return ret;
+ }
+ *p = end_ext_octet;
+ continue;
+ }
+
+ /* No parser found, skip extension */
+ *p = end_ext_octet;
+
+ if (is_critical) {
+ /* Data is marked as critical: fail */
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+ continue;
+ }
+
+ /* Forbid repeated extensions */
+ if ((crt->ext_types & ext_type) != 0) {
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
+ }
+
+ crt->ext_types |= ext_type;
+
+ switch (ext_type) {
+ case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
+ /* Parse basic constraints */
+ if ((ret = x509_get_basic_constraints(p, end_ext_octet,
+ &crt->ca_istrue, &crt->max_pathlen)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_KEY_USAGE:
+ /* Parse key usage */
+ if ((ret = mbedtls_x509_get_key_usage(p, end_ext_octet,
+ &crt->key_usage)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
+ /* Parse extended key usage */
+ if ((ret = x509_get_ext_key_usage(p, end_ext_octet,
+ &crt->ext_key_usage)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER:
+ /* Parse subject key identifier */
+ if ((ret = x509_get_subject_key_id(p, end_ext_data,
+ &crt->subject_key_id)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER:
+ /* Parse authority key identifier */
+ if ((ret = x509_get_authority_key_id(p, end_ext_octet,
+ &crt->authority_key_id)) != 0) {
+ return ret;
+ }
+ break;
+ case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+ /* Parse subject alt name
+ * SubjectAltName ::= GeneralNames
+ */
+ if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet,
+ &crt->subject_alt_names)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+ /* Parse netscape certificate type */
+ if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_octet,
+ &crt->ns_cert_type)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES:
+ /* Parse certificate policies type */
+ if ((ret = x509_get_certificate_policies(p, end_ext_octet,
+ &crt->certificate_policies)) != 0) {
+ /* Give the callback (if any) a chance to handle the extension
+ * if it contains unsupported policies */
+ if (ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL &&
+ cb(p_ctx, crt, &extn_oid, is_critical,
+ start_ext_octet, end_ext_octet) == 0) {
+ break;
+ }
+
+ if (is_critical) {
+ return ret;
+ } else
+ /*
+ * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we
+ * cannot interpret or enforce the policy. However, it is up to
+ * the user to choose how to enforce the policies,
+ * unless the extension is critical.
+ */
+ if (ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
+ return ret;
+ }
+ }
+ break;
+
+ default:
+ /*
+ * If this is a non-critical extension, which the oid layer
+ * supports, but there isn't an x509 parser for it,
+ * skip the extension.
+ */
+ if (is_critical) {
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ } else {
+ *p = end_ext_octet;
+ }
+ }
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse and fill a single X.509 certificate in DER format
+ */
+static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
+ const unsigned char *buf,
+ size_t buflen,
+ int make_copy,
+ mbedtls_x509_crt_ext_cb_t cb,
+ void *p_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ unsigned char *p, *end, *crt_end;
+ mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
+
+ memset(&sig_params1, 0, sizeof(mbedtls_x509_buf));
+ memset(&sig_params2, 0, sizeof(mbedtls_x509_buf));
+ memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf));
+
+ /*
+ * Check for valid input
+ */
+ if (crt == NULL || buf == NULL) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ /* Use the original buffer until we figure out actual length. */
+ p = (unsigned char *) buf;
+ len = buflen;
+ end = p + len;
+
+ /*
+ * Certificate ::= SEQUENCE {
+ * tbsCertificate TBSCertificate,
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signatureValue BIT STRING }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return MBEDTLS_ERR_X509_INVALID_FORMAT;
+ }
+
+ end = crt_end = p + len;
+ crt->raw.len = (size_t) (crt_end - buf);
+ if (make_copy != 0) {
+ /* Create and populate a new buffer for the raw field. */
+ crt->raw.p = p = mbedtls_calloc(1, crt->raw.len);
+ if (crt->raw.p == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ memcpy(crt->raw.p, buf, crt->raw.len);
+ crt->own_buffer = 1;
+
+ p += crt->raw.len - len;
+ end = crt_end = p + len;
+ } else {
+ crt->raw.p = (unsigned char *) buf;
+ crt->own_buffer = 0;
+ }
+
+ /*
+ * TBSCertificate ::= SEQUENCE {
+ */
+ crt->tbs.p = p;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ end = p + len;
+ crt->tbs.len = (size_t) (end - crt->tbs.p);
+
+ /*
+ * Version ::= INTEGER { v1(0), v2(1), v3(2) }
+ *
+ * CertificateSerialNumber ::= INTEGER
+ *
+ * signature AlgorithmIdentifier
+ */
+ if ((ret = x509_get_version(&p, end, &crt->version)) != 0 ||
+ (ret = mbedtls_x509_get_serial(&p, end, &crt->serial)) != 0 ||
+ (ret = mbedtls_x509_get_alg(&p, end, &crt->sig_oid,
+ &sig_params1)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+
+ if (crt->version < 0 || crt->version > 2) {
+ mbedtls_x509_crt_free(crt);
+ return MBEDTLS_ERR_X509_UNKNOWN_VERSION;
+ }
+
+ crt->version++;
+
+ if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1,
+ &crt->sig_md, &crt->sig_pk,
+ &crt->sig_opts)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+
+ /*
+ * issuer Name
+ */
+ crt->issuer_raw.p = p;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ if ((ret = mbedtls_x509_get_name(&p, p + len, &crt->issuer)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+
+ crt->issuer_raw.len = (size_t) (p - crt->issuer_raw.p);
+
+ /*
+ * Validity ::= SEQUENCE {
+ * notBefore Time,
+ * notAfter Time }
+ *
+ */
+ if ((ret = x509_get_dates(&p, end, &crt->valid_from,
+ &crt->valid_to)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+
+ /*
+ * subject Name
+ */
+ crt->subject_raw.p = p;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ if (len && (ret = mbedtls_x509_get_name(&p, p + len, &crt->subject)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+
+ crt->subject_raw.len = (size_t) (p - crt->subject_raw.p);
+
+ /*
+ * SubjectPublicKeyInfo
+ */
+ crt->pk_raw.p = p;
+ if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &crt->pk)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+ crt->pk_raw.len = (size_t) (p - crt->pk_raw.p);
+
+ /*
+ * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ * -- If present, version shall be v2 or v3
+ * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ * -- If present, version shall be v2 or v3
+ * extensions [3] EXPLICIT Extensions OPTIONAL
+ * -- If present, version shall be v3
+ */
+ if (crt->version == 2 || crt->version == 3) {
+ ret = x509_get_uid(&p, end, &crt->issuer_id, 1);
+ if (ret != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+ }
+
+ if (crt->version == 2 || crt->version == 3) {
+ ret = x509_get_uid(&p, end, &crt->subject_id, 2);
+ if (ret != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+ }
+
+ if (crt->version == 3) {
+ ret = x509_get_crt_ext(&p, end, crt, cb, p_ctx);
+ if (ret != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+ }
+
+ if (p != end) {
+ mbedtls_x509_crt_free(crt);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ end = crt_end;
+
+ /*
+ * }
+ * -- end of TBSCertificate
+ *
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signatureValue BIT STRING
+ */
+ if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+
+ if (crt->sig_oid.len != sig_oid2.len ||
+ memcmp(crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len) != 0 ||
+ sig_params1.tag != sig_params2.tag ||
+ sig_params1.len != sig_params2.len ||
+ (sig_params1.len != 0 &&
+ memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) {
+ mbedtls_x509_crt_free(crt);
+ return MBEDTLS_ERR_X509_SIG_MISMATCH;
+ }
+
+ if ((ret = mbedtls_x509_get_sig(&p, end, &crt->sig)) != 0) {
+ mbedtls_x509_crt_free(crt);
+ return ret;
+ }
+
+ if (p != end) {
+ mbedtls_x509_crt_free(crt);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse one X.509 certificate in DER format from a buffer and add them to a
+ * chained list
+ */
+static int mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt *chain,
+ const unsigned char *buf,
+ size_t buflen,
+ int make_copy,
+ mbedtls_x509_crt_ext_cb_t cb,
+ void *p_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_x509_crt *crt = chain, *prev = NULL;
+
+ /*
+ * Check for valid input
+ */
+ if (crt == NULL || buf == NULL) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ while (crt->version != 0 && crt->next != NULL) {
+ prev = crt;
+ crt = crt->next;
+ }
+
+ /*
+ * Add new certificate on the end of the chain if needed.
+ */
+ if (crt->version != 0 && crt->next == NULL) {
+ crt->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
+
+ if (crt->next == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ prev = crt;
+ mbedtls_x509_crt_init(crt->next);
+ crt = crt->next;
+ }
+
+ ret = x509_crt_parse_der_core(crt, buf, buflen, make_copy, cb, p_ctx);
+ if (ret != 0) {
+ if (prev) {
+ prev->next = NULL;
+ }
+
+ if (crt != chain) {
+ mbedtls_free(crt);
+ }
+
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain,
+ const unsigned char *buf,
+ size_t buflen)
+{
+ return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 0, NULL, NULL);
+}
+
+int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain,
+ const unsigned char *buf,
+ size_t buflen,
+ int make_copy,
+ mbedtls_x509_crt_ext_cb_t cb,
+ void *p_ctx)
+{
+ return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, make_copy, cb, p_ctx);
+}
+
+int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain,
+ const unsigned char *buf,
+ size_t buflen)
+{
+ return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 1, NULL, NULL);
+}
+
+/*
+ * Parse one or more PEM certificates from a buffer and add them to the chained
+ * list
+ */
+int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain,
+ const unsigned char *buf,
+ size_t buflen)
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+ int success = 0, first_error = 0, total_failed = 0;
+ int buf_format = MBEDTLS_X509_FORMAT_DER;
+#endif
+
+ /*
+ * Check for valid input
+ */
+ if (chain == NULL || buf == NULL) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ /*
+ * Determine buffer content. Buffer contains either one DER certificate or
+ * one or more PEM certificates.
+ */
+#if defined(MBEDTLS_PEM_PARSE_C)
+ if (buflen != 0 && buf[buflen - 1] == '\0' &&
+ strstr((const char *) buf, "-----BEGIN CERTIFICATE-----") != NULL) {
+ buf_format = MBEDTLS_X509_FORMAT_PEM;
+ }
+
+ if (buf_format == MBEDTLS_X509_FORMAT_DER) {
+ return mbedtls_x509_crt_parse_der(chain, buf, buflen);
+ }
+#else
+ return mbedtls_x509_crt_parse_der(chain, buf, buflen);
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+ if (buf_format == MBEDTLS_X509_FORMAT_PEM) {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_pem_context pem;
+
+ /* 1 rather than 0 since the terminating NULL byte is counted in */
+ while (buflen > 1) {
+ size_t use_len;
+ mbedtls_pem_init(&pem);
+
+ /* If we get there, we know the string is null-terminated */
+ ret = mbedtls_pem_read_buffer(&pem,
+ "-----BEGIN CERTIFICATE-----",
+ "-----END CERTIFICATE-----",
+ buf, NULL, 0, &use_len);
+
+ if (ret == 0) {
+ /*
+ * Was PEM encoded
+ */
+ buflen -= use_len;
+ buf += use_len;
+ } else if (ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA) {
+ return ret;
+ } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ mbedtls_pem_free(&pem);
+
+ /*
+ * PEM header and footer were found
+ */
+ buflen -= use_len;
+ buf += use_len;
+
+ if (first_error == 0) {
+ first_error = ret;
+ }
+
+ total_failed++;
+ continue;
+ } else {
+ break;
+ }
+
+ ret = mbedtls_x509_crt_parse_der(chain, pem.buf, pem.buflen);
+
+ mbedtls_pem_free(&pem);
+
+ if (ret != 0) {
+ /*
+ * Quit parsing on a memory error
+ */
+ if (ret == MBEDTLS_ERR_X509_ALLOC_FAILED) {
+ return ret;
+ }
+
+ if (first_error == 0) {
+ first_error = ret;
+ }
+
+ total_failed++;
+ continue;
+ }
+
+ success = 1;
+ }
+ }
+
+ if (success) {
+ return total_failed;
+ } else if (first_error) {
+ return first_error;
+ } else {
+ return MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT;
+ }
+#endif /* MBEDTLS_PEM_PARSE_C */
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load one or more certificates and add them to the chained list
+ */
+int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ unsigned char *buf;
+
+ if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_x509_crt_parse(chain, buf, n);
+
+ mbedtls_zeroize_and_free(buf, n);
+
+ return ret;
+}
+
+int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
+{
+ int ret = 0;
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+ int w_ret;
+ WCHAR szDir[MAX_PATH];
+ char filename[MAX_PATH];
+ char *p;
+ size_t len = strlen(path);
+
+ WIN32_FIND_DATAW file_data;
+ HANDLE hFind;
+
+ if (len > MAX_PATH - 3) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ memset(szDir, 0, sizeof(szDir));
+ memset(filename, 0, MAX_PATH);
+ memcpy(filename, path, len);
+ filename[len++] = '\\';
+ p = filename + len;
+ filename[len++] = '*';
+
+ /*
+ * Note this function uses the code page CP_ACP which is the system default
+ * ANSI codepage. The input string is always described in BYTES and the
+ * output length is described in WCHARs.
+ */
+ w_ret = MultiByteToWideChar(CP_ACP, 0, filename, (int) len, szDir,
+ MAX_PATH - 3);
+ if (w_ret == 0) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ hFind = FindFirstFileW(szDir, &file_data);
+ if (hFind == INVALID_HANDLE_VALUE) {
+ return MBEDTLS_ERR_X509_FILE_IO_ERROR;
+ }
+
+ len = MAX_PATH - len;
+ do {
+ memset(p, 0, len);
+
+ if (file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
+ continue;
+ }
+ w_ret = WideCharToMultiByte(CP_ACP, 0, file_data.cFileName,
+ -1, p, (int) len, NULL, NULL);
+ if (w_ret == 0) {
+ ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+ goto cleanup;
+ }
+
+ w_ret = mbedtls_x509_crt_parse_file(chain, filename);
+ if (w_ret < 0) {
+ ret++;
+ } else {
+ ret += w_ret;
+ }
+ } while (FindNextFileW(hFind, &file_data) != 0);
+
+ if (GetLastError() != ERROR_NO_MORE_FILES) {
+ ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+ }
+
+cleanup:
+ FindClose(hFind);
+#else /* _WIN32 */
+ int t_ret;
+ int snp_ret;
+ struct stat sb;
+ struct dirent *entry;
+ char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
+ DIR *dir = opendir(path);
+
+ if (dir == NULL) {
+ return MBEDTLS_ERR_X509_FILE_IO_ERROR;
+ }
+
+#if defined(MBEDTLS_THREADING_C)
+ if ((ret = mbedtls_mutex_lock(&mbedtls_threading_readdir_mutex)) != 0) {
+ closedir(dir);
+ return ret;
+ }
+#endif /* MBEDTLS_THREADING_C */
+
+ memset(&sb, 0, sizeof(sb));
+
+ while ((entry = readdir(dir)) != NULL) {
+ snp_ret = mbedtls_snprintf(entry_name, sizeof(entry_name),
+ "%s/%s", path, entry->d_name);
+
+ if (snp_ret < 0 || (size_t) snp_ret >= sizeof(entry_name)) {
+ ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ goto cleanup;
+ } else if (stat(entry_name, &sb) == -1) {
+ if (errno == ENOENT) {
+ /* Broken symbolic link - ignore this entry.
+ stat(2) will return this error for either (a) a dangling
+ symlink or (b) a missing file.
+ Given that we have just obtained the filename from readdir,
+ assume that it does exist and therefore treat this as a
+ dangling symlink. */
+ continue;
+ } else {
+ /* Some other file error; report the error. */
+ ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+ goto cleanup;
+ }
+ }
+
+ if (!S_ISREG(sb.st_mode)) {
+ continue;
+ }
+
+ // Ignore parse errors
+ //
+ t_ret = mbedtls_x509_crt_parse_file(chain, entry_name);
+ if (t_ret < 0) {
+ ret++;
+ } else {
+ ret += t_ret;
+ }
+ }
+
+cleanup:
+ closedir(dir);
+
+#if defined(MBEDTLS_THREADING_C)
+ if (mbedtls_mutex_unlock(&mbedtls_threading_readdir_mutex) != 0) {
+ ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+ }
+#endif /* MBEDTLS_THREADING_C */
+
+#endif /* _WIN32 */
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#define PRINT_ITEM(i) \
+ do { \
+ ret = mbedtls_snprintf(p, n, "%s" i, sep); \
+ MBEDTLS_X509_SAFE_SNPRINTF; \
+ sep = ", "; \
+ } while (0)
+
+#define CERT_TYPE(type, name) \
+ do { \
+ if (ns_cert_type & (type)) { \
+ PRINT_ITEM(name); \
+ } \
+ } while (0)
+
+#define KEY_USAGE(code, name) \
+ do { \
+ if (key_usage & (code)) { \
+ PRINT_ITEM(name); \
+ } \
+ } while (0)
+
+static int x509_info_ext_key_usage(char **buf, size_t *size,
+ const mbedtls_x509_sequence *extended_key_usage)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const char *desc;
+ size_t n = *size;
+ char *p = *buf;
+ const mbedtls_x509_sequence *cur = extended_key_usage;
+ const char *sep = "";
+
+ while (cur != NULL) {
+ if (mbedtls_oid_get_extended_key_usage(&cur->buf, &desc) != 0) {
+ desc = "???";
+ }
+
+ ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ sep = ", ";
+
+ cur = cur->next;
+ }
+
+ *size = n;
+ *buf = p;
+
+ return 0;
+}
+
+static int x509_info_cert_policies(char **buf, size_t *size,
+ const mbedtls_x509_sequence *certificate_policies)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const char *desc;
+ size_t n = *size;
+ char *p = *buf;
+ const mbedtls_x509_sequence *cur = certificate_policies;
+ const char *sep = "";
+
+ while (cur != NULL) {
+ if (mbedtls_oid_get_certificate_policies(&cur->buf, &desc) != 0) {
+ desc = "???";
+ }
+
+ ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ sep = ", ";
+
+ cur = cur->next;
+ }
+
+ *size = n;
+ *buf = p;
+
+ return 0;
+}
+
+/*
+ * Return an informational string about the certificate.
+ */
+#define BEFORE_COLON 18
+#define BC "18"
+int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
+ const mbedtls_x509_crt *crt)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ char *p;
+ char key_size_str[BEFORE_COLON];
+
+ p = buf;
+ n = size;
+
+ if (NULL == crt) {
+ ret = mbedtls_snprintf(p, n, "\nCertificate is uninitialised!\n");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ return (int) (size - n);
+ }
+
+ ret = mbedtls_snprintf(p, n, "%scert. version : %d\n",
+ prefix, crt->version);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret = mbedtls_snprintf(p, n, "%sserial number : ",
+ prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_x509_serial_gets(p, n, &crt->serial);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%sissuer name : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret = mbedtls_x509_dn_gets(p, n, &crt->issuer);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%ssubject name : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret = mbedtls_x509_dn_gets(p, n, &crt->subject);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%sissued on : " \
+ "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+ crt->valid_from.year, crt->valid_from.mon,
+ crt->valid_from.day, crt->valid_from.hour,
+ crt->valid_from.min, crt->valid_from.sec);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%sexpires on : " \
+ "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+ crt->valid_to.year, crt->valid_to.mon,
+ crt->valid_to.day, crt->valid_to.hour,
+ crt->valid_to.min, crt->valid_to.sec);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk,
+ crt->sig_md, crt->sig_opts);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ /* Key size */
+ if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
+ mbedtls_pk_get_name(&crt->pk))) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
+ (int) mbedtls_pk_get_bitlen(&crt->pk));
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ /*
+ * Optional extensions
+ */
+
+ if (crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) {
+ ret = mbedtls_snprintf(p, n, "\n%sbasic constraints : CA=%s", prefix,
+ crt->ca_istrue ? "true" : "false");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if (crt->max_pathlen > 0) {
+ ret = mbedtls_snprintf(p, n, ", max_pathlen=%d", crt->max_pathlen - 1);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+ }
+
+ if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
+ ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
+ &crt->subject_alt_names,
+ prefix)) != 0) {
+ return ret;
+ }
+ }
+
+ if (crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
+ ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) {
+ return ret;
+ }
+ }
+
+ if (crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
+ ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_info_key_usage(&p, &n, crt->key_usage)) != 0) {
+ return ret;
+ }
+ }
+
+ if (crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) {
+ ret = mbedtls_snprintf(p, n, "\n%sext key usage : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = x509_info_ext_key_usage(&p, &n,
+ &crt->ext_key_usage)) != 0) {
+ return ret;
+ }
+ }
+
+ if (crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES) {
+ ret = mbedtls_snprintf(p, n, "\n%scertificate policies : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = x509_info_cert_policies(&p, &n,
+ &crt->certificate_policies)) != 0) {
+ return ret;
+ }
+ }
+
+ ret = mbedtls_snprintf(p, n, "\n");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ return (int) (size - n);
+}
+
+struct x509_crt_verify_string {
+ int code;
+ const char *string;
+};
+
+#define X509_CRT_ERROR_INFO(err, err_str, info) { err, info },
+static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
+ MBEDTLS_X509_CRT_ERROR_INFO_LIST
+ { 0, NULL }
+};
+#undef X509_CRT_ERROR_INFO
+
+int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
+ uint32_t flags)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const struct x509_crt_verify_string *cur;
+ char *p = buf;
+ size_t n = size;
+
+ for (cur = x509_crt_verify_strings; cur->string != NULL; cur++) {
+ if ((flags & cur->code) == 0) {
+ continue;
+ }
+
+ ret = mbedtls_snprintf(p, n, "%s%s\n", prefix, cur->string);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ flags ^= cur->code;
+ }
+
+ if (flags != 0) {
+ ret = mbedtls_snprintf(p, n, "%sUnknown reason "
+ "(this should not happen)\n", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+
+ return (int) (size - n);
+}
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
+int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
+ unsigned int usage)
+{
+ unsigned int usage_must, usage_may;
+ unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
+ | MBEDTLS_X509_KU_DECIPHER_ONLY;
+
+ if ((crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) == 0) {
+ return 0;
+ }
+
+ usage_must = usage & ~may_mask;
+
+ if (((crt->key_usage & ~may_mask) & usage_must) != usage_must) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ usage_may = usage & may_mask;
+
+ if (((crt->key_usage & may_mask) | usage_may) != usage_may) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ return 0;
+}
+
+int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt,
+ const char *usage_oid,
+ size_t usage_len)
+{
+ const mbedtls_x509_sequence *cur;
+
+ /* Extension is not mandatory, absent means no restriction */
+ if ((crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) == 0) {
+ return 0;
+ }
+
+ /*
+ * Look for the requested usage (or wildcard ANY) in our list
+ */
+ for (cur = &crt->ext_key_usage; cur != NULL; cur = cur->next) {
+ const mbedtls_x509_buf *cur_oid = &cur->buf;
+
+ if (cur_oid->len == usage_len &&
+ memcmp(cur_oid->p, usage_oid, usage_len) == 0) {
+ return 0;
+ }
+
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid) == 0) {
+ return 0;
+ }
+ }
+
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+}
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+/*
+ * Return 1 if the certificate is revoked, or 0 otherwise.
+ */
+int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
+{
+ const mbedtls_x509_crl_entry *cur = &crl->entry;
+
+ while (cur != NULL && cur->serial.len != 0) {
+ if (crt->serial.len == cur->serial.len &&
+ memcmp(crt->serial.p, cur->serial.p, crt->serial.len) == 0) {
+ return 1;
+ }
+
+ cur = cur->next;
+ }
+
+ return 0;
+}
+
+/*
+ * Check that the given certificate is not revoked according to the CRL.
+ * Skip validation if no CRL for the given CA is present.
+ */
+static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
+ mbedtls_x509_crl *crl_list,
+ const mbedtls_x509_crt_profile *profile,
+ const mbedtls_x509_time *now)
+{
+ int flags = 0;
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm_t psa_algorithm;
+#else
+ const mbedtls_md_info_t *md_info;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ size_t hash_length;
+
+ if (ca == NULL) {
+ return flags;
+ }
+
+ while (crl_list != NULL) {
+ if (crl_list->version == 0 ||
+ x509_name_cmp(&crl_list->issuer, &ca->subject) != 0) {
+ crl_list = crl_list->next;
+ continue;
+ }
+
+ /*
+ * Check if the CA is configured to sign CRLs
+ */
+ if (mbedtls_x509_crt_check_key_usage(ca,
+ MBEDTLS_X509_KU_CRL_SIGN) != 0) {
+ flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+ break;
+ }
+
+ /*
+ * Check if CRL is correctly signed by the trusted CA
+ */
+ if (x509_profile_check_md_alg(profile, crl_list->sig_md) != 0) {
+ flags |= MBEDTLS_X509_BADCRL_BAD_MD;
+ }
+
+ if (x509_profile_check_pk_alg(profile, crl_list->sig_pk) != 0) {
+ flags |= MBEDTLS_X509_BADCRL_BAD_PK;
+ }
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm = mbedtls_md_psa_alg_from_type(crl_list->sig_md);
+ if (psa_hash_compute(psa_algorithm,
+ crl_list->tbs.p,
+ crl_list->tbs.len,
+ hash,
+ sizeof(hash),
+ &hash_length) != PSA_SUCCESS) {
+ /* Note: this can't happen except after an internal error */
+ flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+ break;
+ }
+#else
+ md_info = mbedtls_md_info_from_type(crl_list->sig_md);
+ hash_length = mbedtls_md_get_size(md_info);
+ if (mbedtls_md(md_info,
+ crl_list->tbs.p,
+ crl_list->tbs.len,
+ hash) != 0) {
+ /* Note: this can't happen except after an internal error */
+ flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+ break;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ if (x509_profile_check_key(profile, &ca->pk) != 0) {
+ flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+ }
+
+ if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
+ crl_list->sig_md, hash, hash_length,
+ crl_list->sig.p, crl_list->sig.len) != 0) {
+ flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+ break;
+ }
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+ /*
+ * Check for validity of CRL (Do not drop out)
+ */
+ if (mbedtls_x509_time_cmp(&crl_list->next_update, now) < 0) {
+ flags |= MBEDTLS_X509_BADCRL_EXPIRED;
+ }
+
+ if (mbedtls_x509_time_cmp(&crl_list->this_update, now) > 0) {
+ flags |= MBEDTLS_X509_BADCRL_FUTURE;
+ }
+#else
+ ((void) now);
+#endif
+
+ /*
+ * Check if certificate is revoked
+ */
+ if (mbedtls_x509_crt_is_revoked(crt, crl_list)) {
+ flags |= MBEDTLS_X509_BADCERT_REVOKED;
+ break;
+ }
+
+ crl_list = crl_list->next;
+ }
+
+ return flags;
+}
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+
+/*
+ * Check the signature of a certificate by its parent
+ */
+static int x509_crt_check_signature(const mbedtls_x509_crt *child,
+ mbedtls_x509_crt *parent,
+ mbedtls_x509_crt_restart_ctx *rs_ctx)
+{
+ size_t hash_len;
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ const mbedtls_md_info_t *md_info;
+ md_info = mbedtls_md_info_from_type(child->sig_md);
+ hash_len = mbedtls_md_get_size(md_info);
+
+ /* Note: hash errors can happen only after an internal error */
+ if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0) {
+ return -1;
+ }
+#else
+ psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(child->sig_md);
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_hash_compute(hash_alg,
+ child->tbs.p,
+ child->tbs.len,
+ hash,
+ sizeof(hash),
+ &hash_len);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ /* Skip expensive computation on obvious mismatch */
+ if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) {
+ return -1;
+ }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) {
+ return mbedtls_pk_verify_restartable(&parent->pk,
+ child->sig_md, hash, hash_len,
+ child->sig.p, child->sig.len, &rs_ctx->pk);
+ }
+#else
+ (void) rs_ctx;
+#endif
+
+ return mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk,
+ child->sig_md, hash, hash_len,
+ child->sig.p, child->sig.len);
+}
+
+/*
+ * Check if 'parent' is a suitable parent (signing CA) for 'child'.
+ * Return 0 if yes, -1 if not.
+ *
+ * top means parent is a locally-trusted certificate
+ */
+static int x509_crt_check_parent(const mbedtls_x509_crt *child,
+ const mbedtls_x509_crt *parent,
+ int top)
+{
+ int need_ca_bit;
+
+ /* Parent must be the issuer */
+ if (x509_name_cmp(&child->issuer, &parent->subject) != 0) {
+ return -1;
+ }
+
+ /* Parent must have the basicConstraints CA bit set as a general rule */
+ need_ca_bit = 1;
+
+ /* Exception: v1/v2 certificates that are locally trusted. */
+ if (top && parent->version < 3) {
+ need_ca_bit = 0;
+ }
+
+ if (need_ca_bit && !parent->ca_istrue) {
+ return -1;
+ }
+
+ if (need_ca_bit &&
+ mbedtls_x509_crt_check_key_usage(parent, MBEDTLS_X509_KU_KEY_CERT_SIGN) != 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Find a suitable parent for child in candidates, or return NULL.
+ *
+ * Here suitable is defined as:
+ * 1. subject name matches child's issuer
+ * 2. if necessary, the CA bit is set and key usage allows signing certs
+ * 3. for trusted roots, the signature is correct
+ * (for intermediates, the signature is checked and the result reported)
+ * 4. pathlen constraints are satisfied
+ *
+ * If there's a suitable candidate which is also time-valid, return the first
+ * such. Otherwise, return the first suitable candidate (or NULL if there is
+ * none).
+ *
+ * The rationale for this rule is that someone could have a list of trusted
+ * roots with two versions on the same root with different validity periods.
+ * (At least one user reported having such a list and wanted it to just work.)
+ * The reason we don't just require time-validity is that generally there is
+ * only one version, and if it's expired we want the flags to state that
+ * rather than NOT_TRUSTED, as would be the case if we required it here.
+ *
+ * The rationale for rule 3 (signature for trusted roots) is that users might
+ * have two versions of the same CA with different keys in their list, and the
+ * way we select the correct one is by checking the signature (as we don't
+ * rely on key identifier extensions). (This is one way users might choose to
+ * handle key rollover, another relies on self-issued certs, see [SIRO].)
+ *
+ * Arguments:
+ * - [in] child: certificate for which we're looking for a parent
+ * - [in] candidates: chained list of potential parents
+ * - [out] r_parent: parent found (or NULL)
+ * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
+ * - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
+ * of the chain, 0 otherwise
+ * - [in] path_cnt: number of intermediates seen so far
+ * - [in] self_cnt: number of self-signed intermediates seen so far
+ * (will never be greater than path_cnt)
+ * - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ * - 0 on success
+ * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
+ */
+static int x509_crt_find_parent_in(
+ mbedtls_x509_crt *child,
+ mbedtls_x509_crt *candidates,
+ mbedtls_x509_crt **r_parent,
+ int *r_signature_is_good,
+ int top,
+ unsigned path_cnt,
+ unsigned self_cnt,
+ mbedtls_x509_crt_restart_ctx *rs_ctx,
+ const mbedtls_x509_time *now)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_x509_crt *parent, *fallback_parent;
+ int signature_is_good = 0, fallback_signature_is_good;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /* did we have something in progress? */
+ if (rs_ctx != NULL && rs_ctx->parent != NULL) {
+ /* restore saved state */
+ parent = rs_ctx->parent;
+ fallback_parent = rs_ctx->fallback_parent;
+ fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
+
+ /* clear saved state */
+ rs_ctx->parent = NULL;
+ rs_ctx->fallback_parent = NULL;
+ rs_ctx->fallback_signature_is_good = 0;
+
+ /* resume where we left */
+ goto check_signature;
+ }
+#endif
+
+ fallback_parent = NULL;
+ fallback_signature_is_good = 0;
+
+ for (parent = candidates; parent != NULL; parent = parent->next) {
+ /* basic parenting skills (name, CA bit, key usage) */
+ if (x509_crt_check_parent(child, parent, top) != 0) {
+ continue;
+ }
+
+ /* +1 because stored max_pathlen is 1 higher that the actual value */
+ if (parent->max_pathlen > 0 &&
+ (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt) {
+ continue;
+ }
+
+ /* Signature */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+check_signature:
+#endif
+ ret = x509_crt_check_signature(child, parent, rs_ctx);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ /* save state */
+ rs_ctx->parent = parent;
+ rs_ctx->fallback_parent = fallback_parent;
+ rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
+
+ return ret;
+ }
+#else
+ (void) ret;
+#endif
+
+ signature_is_good = ret == 0;
+ if (top && !signature_is_good) {
+ continue;
+ }
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+ /* optional time check */
+ if (mbedtls_x509_time_cmp(&parent->valid_to, now) < 0 || /* past */
+ mbedtls_x509_time_cmp(&parent->valid_from, now) > 0) { /* future */
+ if (fallback_parent == NULL) {
+ fallback_parent = parent;
+ fallback_signature_is_good = signature_is_good;
+ }
+
+ continue;
+ }
+#else
+ ((void) now);
+#endif
+
+ *r_parent = parent;
+ *r_signature_is_good = signature_is_good;
+
+ break;
+ }
+
+ if (parent == NULL) {
+ *r_parent = fallback_parent;
+ *r_signature_is_good = fallback_signature_is_good;
+ }
+
+ return 0;
+}
+
+/*
+ * Find a parent in trusted CAs or the provided chain, or return NULL.
+ *
+ * Searches in trusted CAs first, and return the first suitable parent found
+ * (see find_parent_in() for definition of suitable).
+ *
+ * Arguments:
+ * - [in] child: certificate for which we're looking for a parent, followed
+ * by a chain of possible intermediates
+ * - [in] trust_ca: list of locally trusted certificates
+ * - [out] parent: parent found (or NULL)
+ * - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
+ * - [out] signature_is_good: 1 if child signature by parent is valid, or 0
+ * - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
+ * - [in] self_cnt: number of self-signed certs in the chain so far
+ * (will always be no greater than path_cnt)
+ * - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ * - 0 on success
+ * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
+ */
+static int x509_crt_find_parent(
+ mbedtls_x509_crt *child,
+ mbedtls_x509_crt *trust_ca,
+ mbedtls_x509_crt **parent,
+ int *parent_is_trusted,
+ int *signature_is_good,
+ unsigned path_cnt,
+ unsigned self_cnt,
+ mbedtls_x509_crt_restart_ctx *rs_ctx,
+ const mbedtls_x509_time *now)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_x509_crt *search_list;
+
+ *parent_is_trusted = 1;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /* restore then clear saved state if we have some stored */
+ if (rs_ctx != NULL && rs_ctx->parent_is_trusted != -1) {
+ *parent_is_trusted = rs_ctx->parent_is_trusted;
+ rs_ctx->parent_is_trusted = -1;
+ }
+#endif
+
+ while (1) {
+ search_list = *parent_is_trusted ? trust_ca : child->next;
+
+ ret = x509_crt_find_parent_in(child, search_list,
+ parent, signature_is_good,
+ *parent_is_trusted,
+ path_cnt, self_cnt, rs_ctx, now);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ /* save state */
+ rs_ctx->parent_is_trusted = *parent_is_trusted;
+ return ret;
+ }
+#else
+ (void) ret;
+#endif
+
+ /* stop here if found or already in second iteration */
+ if (*parent != NULL || *parent_is_trusted == 0) {
+ break;
+ }
+
+ /* prepare second iteration */
+ *parent_is_trusted = 0;
+ }
+
+ /* extra precaution against mistakes in the caller */
+ if (*parent == NULL) {
+ *parent_is_trusted = 0;
+ *signature_is_good = 0;
+ }
+
+ return 0;
+}
+
+/*
+ * Check if an end-entity certificate is locally trusted
+ *
+ * Currently we require such certificates to be self-signed (actually only
+ * check for self-issued as self-signatures are not checked)
+ */
+static int x509_crt_check_ee_locally_trusted(
+ mbedtls_x509_crt *crt,
+ mbedtls_x509_crt *trust_ca)
+{
+ mbedtls_x509_crt *cur;
+
+ /* must be self-issued */
+ if (x509_name_cmp(&crt->issuer, &crt->subject) != 0) {
+ return -1;
+ }
+
+ /* look for an exact match with trusted cert */
+ for (cur = trust_ca; cur != NULL; cur = cur->next) {
+ if (crt->raw.len == cur->raw.len &&
+ memcmp(crt->raw.p, cur->raw.p, crt->raw.len) == 0) {
+ return 0;
+ }
+ }
+
+ /* too bad */
+ return -1;
+}
+
+/*
+ * Build and verify a certificate chain
+ *
+ * Given a peer-provided list of certificates EE, C1, ..., Cn and
+ * a list of trusted certs R1, ... Rp, try to build and verify a chain
+ * EE, Ci1, ... Ciq [, Rj]
+ * such that every cert in the chain is a child of the next one,
+ * jumping to a trusted root as early as possible.
+ *
+ * Verify that chain and return it with flags for all issues found.
+ *
+ * Special cases:
+ * - EE == Rj -> return a one-element list containing it
+ * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
+ * -> return that chain with NOT_TRUSTED set on Ciq
+ *
+ * Tests for (aspects of) this function should include at least:
+ * - trusted EE
+ * - EE -> trusted root
+ * - EE -> intermediate CA -> trusted root
+ * - if relevant: EE untrusted
+ * - if relevant: EE -> intermediate, untrusted
+ * with the aspect under test checked at each relevant level (EE, int, root).
+ * For some aspects longer chains are required, but usually length 2 is
+ * enough (but length 1 is not in general).
+ *
+ * Arguments:
+ * - [in] crt: the cert list EE, C1, ..., Cn
+ * - [in] trust_ca: the trusted list R1, ..., Rp
+ * - [in] ca_crl, profile: as in verify_with_profile()
+ * - [out] ver_chain: the built and verified chain
+ * Only valid when return value is 0, may contain garbage otherwise!
+ * Restart note: need not be the same when calling again to resume.
+ * - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ * - non-zero if the chain could not be fully built and examined
+ * - 0 is the chain was successfully built and examined,
+ * even if it was found to be invalid
+ */
+static int x509_crt_verify_chain(
+ mbedtls_x509_crt *crt,
+ mbedtls_x509_crt *trust_ca,
+ mbedtls_x509_crl *ca_crl,
+ mbedtls_x509_crt_ca_cb_t f_ca_cb,
+ void *p_ca_cb,
+ const mbedtls_x509_crt_profile *profile,
+ mbedtls_x509_crt_verify_chain *ver_chain,
+ mbedtls_x509_crt_restart_ctx *rs_ctx)
+{
+ /* Don't initialize any of those variables here, so that the compiler can
+ * catch potential issues with jumping ahead when restarting */
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ uint32_t *flags;
+ mbedtls_x509_crt_verify_chain_item *cur;
+ mbedtls_x509_crt *child;
+ mbedtls_x509_crt *parent;
+ int parent_is_trusted;
+ int child_is_trusted;
+ int signature_is_good;
+ unsigned self_cnt;
+ mbedtls_x509_crt *cur_trust_ca = NULL;
+ mbedtls_x509_time now;
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+ if (mbedtls_x509_time_gmtime(mbedtls_time(NULL), &now) != 0) {
+ return MBEDTLS_ERR_X509_FATAL_ERROR;
+ }
+#endif
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /* resume if we had an operation in progress */
+ if (rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent) {
+ /* restore saved state */
+ *ver_chain = rs_ctx->ver_chain; /* struct copy */
+ self_cnt = rs_ctx->self_cnt;
+
+ /* restore derived state */
+ cur = &ver_chain->items[ver_chain->len - 1];
+ child = cur->crt;
+ flags = &cur->flags;
+
+ goto find_parent;
+ }
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+ child = crt;
+ self_cnt = 0;
+ parent_is_trusted = 0;
+ child_is_trusted = 0;
+
+ while (1) {
+ /* Add certificate to the verification chain */
+ cur = &ver_chain->items[ver_chain->len];
+ cur->crt = child;
+ cur->flags = 0;
+ ver_chain->len++;
+ flags = &cur->flags;
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+ /* Check time-validity (all certificates) */
+ if (mbedtls_x509_time_cmp(&child->valid_to, &now) < 0) {
+ *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+ }
+
+ if (mbedtls_x509_time_cmp(&child->valid_from, &now) > 0) {
+ *flags |= MBEDTLS_X509_BADCERT_FUTURE;
+ }
+#endif
+
+ /* Stop here for trusted roots (but not for trusted EE certs) */
+ if (child_is_trusted) {
+ return 0;
+ }
+
+ /* Check signature algorithm: MD & PK algs */
+ if (x509_profile_check_md_alg(profile, child->sig_md) != 0) {
+ *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
+ }
+
+ if (x509_profile_check_pk_alg(profile, child->sig_pk) != 0) {
+ *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+ }
+
+ /* Special case: EE certs that are locally trusted */
+ if (ver_chain->len == 1 &&
+ x509_crt_check_ee_locally_trusted(child, trust_ca) == 0) {
+ return 0;
+ }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+find_parent:
+#endif
+
+ /* Obtain list of potential trusted signers from CA callback,
+ * or use statically provided list. */
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+ if (f_ca_cb != NULL) {
+ mbedtls_x509_crt_free(ver_chain->trust_ca_cb_result);
+ mbedtls_free(ver_chain->trust_ca_cb_result);
+ ver_chain->trust_ca_cb_result = NULL;
+
+ ret = f_ca_cb(p_ca_cb, child, &ver_chain->trust_ca_cb_result);
+ if (ret != 0) {
+ return MBEDTLS_ERR_X509_FATAL_ERROR;
+ }
+
+ cur_trust_ca = ver_chain->trust_ca_cb_result;
+ } else
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+ {
+ ((void) f_ca_cb);
+ ((void) p_ca_cb);
+ cur_trust_ca = trust_ca;
+ }
+
+ /* Look for a parent in trusted CAs or up the chain */
+ ret = x509_crt_find_parent(child, cur_trust_ca, &parent,
+ &parent_is_trusted, &signature_is_good,
+ ver_chain->len - 1, self_cnt, rs_ctx,
+ &now);
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ /* save state */
+ rs_ctx->in_progress = x509_crt_rs_find_parent;
+ rs_ctx->self_cnt = self_cnt;
+ rs_ctx->ver_chain = *ver_chain; /* struct copy */
+
+ return ret;
+ }
+#else
+ (void) ret;
+#endif
+
+ /* No parent? We're done here */
+ if (parent == NULL) {
+ *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+ return 0;
+ }
+
+ /* Count intermediate self-issued (not necessarily self-signed) certs.
+ * These can occur with some strategies for key rollover, see [SIRO],
+ * and should be excluded from max_pathlen checks. */
+ if (ver_chain->len != 1 &&
+ x509_name_cmp(&child->issuer, &child->subject) == 0) {
+ self_cnt++;
+ }
+
+ /* path_cnt is 0 for the first intermediate CA,
+ * and if parent is trusted it's not an intermediate CA */
+ if (!parent_is_trusted &&
+ ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA) {
+ /* return immediately to avoid overflow the chain array */
+ return MBEDTLS_ERR_X509_FATAL_ERROR;
+ }
+
+ /* signature was checked while searching parent */
+ if (!signature_is_good) {
+ *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+ }
+
+ /* check size of signing key */
+ if (x509_profile_check_key(profile, &parent->pk) != 0) {
+ *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+ }
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+ /* Check trusted CA's CRL for the given crt */
+ *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile, &now);
+#else
+ (void) ca_crl;
+#endif
+
+ /* prepare for next iteration */
+ child = parent;
+ parent = NULL;
+ child_is_trusted = parent_is_trusted;
+ signature_is_good = 0;
+ }
+}
+
+#ifdef _WIN32
+#ifdef _MSC_VER
+#pragma comment(lib, "ws2_32.lib")
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#else
+/* inet_pton() is not supported, fallback to software version */
+#define MBEDTLS_TEST_SW_INET_PTON
+#endif
+#elif defined(__sun)
+/* Solaris requires -lsocket -lnsl for inet_pton() */
+#elif defined(__has_include)
+#if __has_include(<sys/socket.h>)
+#include <sys/socket.h>
+#endif
+#if __has_include(<arpa/inet.h>)
+#include <arpa/inet.h>
+#endif
+#endif
+
+/* Use whether or not AF_INET6 is defined to indicate whether or not to use
+ * the platform inet_pton() or a local implementation (below). The local
+ * implementation may be used even in cases where the platform provides
+ * inet_pton(), e.g. when there are different includes required and/or the
+ * platform implementation requires dependencies on additional libraries.
+ * Specifically, Windows requires custom includes and additional link
+ * dependencies, and Solaris requires additional link dependencies.
+ * Also, as a coarse heuristic, use the local implementation if the compiler
+ * does not support __has_include(), or if the definition of AF_INET6 is not
+ * provided by headers included (or not) via __has_include() above.
+ * MBEDTLS_TEST_SW_INET_PTON is a bypass define to force testing of this code //no-check-names
+ * despite having a platform that has inet_pton. */
+#if !defined(AF_INET6) || defined(MBEDTLS_TEST_SW_INET_PTON) //no-check-names
+/* Definition located further below to possibly reduce compiler inlining */
+static int x509_inet_pton_ipv4(const char *src, void *dst);
+
+#define li_cton(c, n) \
+ (((n) = (c) - '0') <= 9 || (((n) = ((c)&0xdf) - 'A') <= 5 ? ((n) += 10) : 0))
+
+static int x509_inet_pton_ipv6(const char *src, void *dst)
+{
+ const unsigned char *p = (const unsigned char *) src;
+ int nonzero_groups = 0, num_digits, zero_group_start = -1;
+ uint16_t addr[8];
+ do {
+ /* note: allows excess leading 0's, e.g. 1:0002:3:... */
+ uint16_t group = num_digits = 0;
+ for (uint8_t digit; num_digits < 4; num_digits++) {
+ if (li_cton(*p, digit) == 0) {
+ break;
+ }
+ group = (group << 4) | digit;
+ p++;
+ }
+ if (num_digits != 0) {
+ MBEDTLS_PUT_UINT16_BE(group, addr, nonzero_groups);
+ nonzero_groups++;
+ if (*p == '\0') {
+ break;
+ } else if (*p == '.') {
+ /* Don't accept IPv4 too early or late */
+ if ((nonzero_groups == 0 && zero_group_start == -1) ||
+ nonzero_groups >= 7) {
+ break;
+ }
+
+ /* Walk back to prior ':', then parse as IPv4-mapped */
+ int steps = 4;
+ do {
+ p--;
+ steps--;
+ } while (*p != ':' && steps > 0);
+
+ if (*p != ':') {
+ break;
+ }
+ p++;
+ nonzero_groups--;
+ if (x509_inet_pton_ipv4((const char *) p,
+ addr + nonzero_groups) != 0) {
+ break;
+ }
+
+ nonzero_groups += 2;
+ p = (const unsigned char *) "";
+ break;
+ } else if (*p != ':') {
+ return -1;
+ }
+ } else {
+ /* Don't accept a second zero group or an invalid delimiter */
+ if (zero_group_start != -1 || *p != ':') {
+ return -1;
+ }
+ zero_group_start = nonzero_groups;
+
+ /* Accept a zero group at start, but it has to be a double colon */
+ if (zero_group_start == 0 && *++p != ':') {
+ return -1;
+ }
+
+ if (p[1] == '\0') {
+ ++p;
+ break;
+ }
+ }
+ ++p;
+ } while (nonzero_groups < 8);
+
+ if (*p != '\0') {
+ return -1;
+ }
+
+ if (zero_group_start != -1) {
+ if (nonzero_groups > 6) {
+ return -1;
+ }
+ int zero_groups = 8 - nonzero_groups;
+ int groups_after_zero = nonzero_groups - zero_group_start;
+
+ /* Move the non-zero part to after the zeroes */
+ if (groups_after_zero) {
+ memmove(addr + zero_group_start + zero_groups,
+ addr + zero_group_start,
+ groups_after_zero * sizeof(*addr));
+ }
+ memset(addr + zero_group_start, 0, zero_groups * sizeof(*addr));
+ } else {
+ if (nonzero_groups != 8) {
+ return -1;
+ }
+ }
+ memcpy(dst, addr, sizeof(addr));
+ return 0;
+}
+
+static int x509_inet_pton_ipv4(const char *src, void *dst)
+{
+ const unsigned char *p = (const unsigned char *) src;
+ uint8_t *res = (uint8_t *) dst;
+ uint8_t digit, num_digits = 0;
+ uint8_t num_octets = 0;
+ uint16_t octet;
+
+ do {
+ octet = num_digits = 0;
+ do {
+ digit = *p - '0';
+ if (digit > 9) {
+ break;
+ }
+
+ /* Don't allow leading zeroes. These might mean octal format,
+ * which this implementation does not support. */
+ if (octet == 0 && num_digits > 0) {
+ return -1;
+ }
+
+ octet = octet * 10 + digit;
+ num_digits++;
+ p++;
+ } while (num_digits < 3);
+
+ if (octet >= 256 || num_digits > 3 || num_digits == 0) {
+ return -1;
+ }
+ *res++ = (uint8_t) octet;
+ num_octets++;
+ } while (num_octets < 4 && *p++ == '.');
+ return num_octets == 4 && *p == '\0' ? 0 : -1;
+}
+
+#else
+
+static int x509_inet_pton_ipv6(const char *src, void *dst)
+{
+ return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
+}
+
+static int x509_inet_pton_ipv4(const char *src, void *dst)
+{
+ return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
+}
+
+#endif /* !AF_INET6 || MBEDTLS_TEST_SW_INET_PTON */ //no-check-names
+
+size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst)
+{
+ return strchr(cn, ':') == NULL
+ ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
+ : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
+}
+
+/*
+ * Check for CN match
+ */
+static int x509_crt_check_cn(const mbedtls_x509_buf *name,
+ const char *cn, size_t cn_len)
+{
+ /* try exact match */
+ if (name->len == cn_len &&
+ x509_memcasecmp(cn, name->p, cn_len) == 0) {
+ return 0;
+ }
+
+ /* try wildcard match */
+ if (x509_check_wildcard(cn, name) == 0) {
+ return 0;
+ }
+
+ return -1;
+}
+
+static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
+ const char *cn, size_t cn_len)
+{
+ uint32_t ip[4];
+ cn_len = mbedtls_x509_crt_parse_cn_inet_pton(cn, ip);
+ if (cn_len == 0) {
+ return -1;
+ }
+
+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ const unsigned char san_type = (unsigned char) cur->buf.tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
+ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
+ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
+static int x509_crt_check_san_uri(const mbedtls_x509_sequence *san,
+ const char *cn, size_t cn_len)
+{
+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ const unsigned char san_type = (unsigned char) cur->buf.tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
+ if (san_type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER &&
+ cur->buf.len == cn_len && memcmp(cur->buf.p, cn, cn_len) == 0) {
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
+/*
+ * Check for SAN match, see RFC 5280 Section 4.2.1.6
+ */
+static int x509_crt_check_san(const mbedtls_x509_sequence *san,
+ const char *cn, size_t cn_len)
+{
+ int san_ip = 0;
+ int san_uri = 0;
+ /* Prioritize DNS name over other subtypes due to popularity */
+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
+ case MBEDTLS_X509_SAN_DNS_NAME:
+ if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
+ return 0;
+ }
+ break;
+ case MBEDTLS_X509_SAN_IP_ADDRESS:
+ san_ip = 1;
+ break;
+ case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
+ san_uri = 1;
+ break;
+ /* (We may handle other types here later.) */
+ default: /* Unrecognized type */
+ break;
+ }
+ }
+ if (san_ip) {
+ if (x509_crt_check_san_ip(san, cn, cn_len) == 0) {
+ return 0;
+ }
+ }
+ if (san_uri) {
+ if (x509_crt_check_san_uri(san, cn, cn_len) == 0) {
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
+/*
+ * Verify the requested CN - only call this if cn is not NULL!
+ */
+static void x509_crt_verify_name(const mbedtls_x509_crt *crt,
+ const char *cn,
+ uint32_t *flags)
+{
+ const mbedtls_x509_name *name;
+ size_t cn_len = strlen(cn);
+
+ if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
+ if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
+ return;
+ }
+ } else {
+ for (name = &crt->subject; name != NULL; name = name->next) {
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
+ x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
+ return;
+ }
+ }
+
+ }
+
+ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+}
+
+/*
+ * Merge the flags for all certs in the chain, after calling callback
+ */
+static int x509_crt_merge_flags_with_cb(
+ uint32_t *flags,
+ const mbedtls_x509_crt_verify_chain *ver_chain,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned i;
+ uint32_t cur_flags;
+ const mbedtls_x509_crt_verify_chain_item *cur;
+
+ for (i = ver_chain->len; i != 0; --i) {
+ cur = &ver_chain->items[i-1];
+ cur_flags = cur->flags;
+
+ if (NULL != f_vrfy) {
+ if ((ret = f_vrfy(p_vrfy, cur->crt, (int) i-1, &cur_flags)) != 0) {
+ return ret;
+ }
+ }
+
+ *flags |= cur_flags;
+ }
+
+ return 0;
+}
+
+/*
+ * Verify the certificate validity, with profile, restartable version
+ *
+ * This function:
+ * - checks the requested CN (if any)
+ * - checks the type and size of the EE cert's key,
+ * as that isn't done as part of chain building/verification currently
+ * - builds and verifies the chain
+ * - then calls the callback and merges the flags
+ *
+ * The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb`
+ * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the
+ * verification routine to search for trusted signers, and CRLs will
+ * be disabled. Otherwise, `trust_ca` will be used as the static list
+ * of trusted signers, and `ca_crl` will be use as the static list
+ * of CRLs.
+ */
+static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt,
+ mbedtls_x509_crt *trust_ca,
+ mbedtls_x509_crl *ca_crl,
+ mbedtls_x509_crt_ca_cb_t f_ca_cb,
+ void *p_ca_cb,
+ const mbedtls_x509_crt_profile *profile,
+ const char *cn, uint32_t *flags,
+ int (*f_vrfy)(void *,
+ mbedtls_x509_crt *,
+ int,
+ uint32_t *),
+ void *p_vrfy,
+ mbedtls_x509_crt_restart_ctx *rs_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_pk_type_t pk_type;
+ mbedtls_x509_crt_verify_chain ver_chain;
+ uint32_t ee_flags;
+
+ *flags = 0;
+ ee_flags = 0;
+ x509_crt_verify_chain_reset(&ver_chain);
+
+ if (profile == NULL) {
+ ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ goto exit;
+ }
+
+ /* check name if requested */
+ if (cn != NULL) {
+ x509_crt_verify_name(crt, cn, &ee_flags);
+ }
+
+ /* Check the type and size of the key */
+ pk_type = mbedtls_pk_get_type(&crt->pk);
+
+ if (x509_profile_check_pk_alg(profile, pk_type) != 0) {
+ ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+ }
+
+ if (x509_profile_check_key(profile, &crt->pk) != 0) {
+ ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+ }
+
+ /* Check the chain */
+ ret = x509_crt_verify_chain(crt, trust_ca, ca_crl,
+ f_ca_cb, p_ca_cb, profile,
+ &ver_chain, rs_ctx);
+
+ if (ret != 0) {
+ goto exit;
+ }
+
+ /* Merge end-entity flags */
+ ver_chain.items[0].flags |= ee_flags;
+
+ /* Build final flags, calling callback on the way if any */
+ ret = x509_crt_merge_flags_with_cb(flags, &ver_chain, f_vrfy, p_vrfy);
+
+exit:
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+ mbedtls_x509_crt_free(ver_chain.trust_ca_cb_result);
+ mbedtls_free(ver_chain.trust_ca_cb_result);
+ ver_chain.trust_ca_cb_result = NULL;
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ if (rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
+ mbedtls_x509_crt_restart_free(rs_ctx);
+ }
+#endif
+
+ /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
+ * the SSL module for authmode optional, but non-zero return from the
+ * callback means a fatal error so it shouldn't be ignored */
+ if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+ ret = MBEDTLS_ERR_X509_FATAL_ERROR;
+ }
+
+ if (ret != 0) {
+ *flags = (uint32_t) -1;
+ return ret;
+ }
+
+ if (*flags != 0) {
+ return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
+ }
+
+ return 0;
+}
+
+
+/*
+ * Verify the certificate validity (default profile, not restartable)
+ */
+int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
+ mbedtls_x509_crt *trust_ca,
+ mbedtls_x509_crl *ca_crl,
+ const char *cn, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy)
+{
+ return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
+ NULL, NULL,
+ &mbedtls_x509_crt_profile_default,
+ cn, flags,
+ f_vrfy, p_vrfy, NULL);
+}
+
+/*
+ * Verify the certificate validity (user-chosen profile, not restartable)
+ */
+int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
+ mbedtls_x509_crt *trust_ca,
+ mbedtls_x509_crl *ca_crl,
+ const mbedtls_x509_crt_profile *profile,
+ const char *cn, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy)
+{
+ return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
+ NULL, NULL,
+ profile, cn, flags,
+ f_vrfy, p_vrfy, NULL);
+}
+
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+/*
+ * Verify the certificate validity (user-chosen profile, CA callback,
+ * not restartable).
+ */
+int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
+ mbedtls_x509_crt_ca_cb_t f_ca_cb,
+ void *p_ca_cb,
+ const mbedtls_x509_crt_profile *profile,
+ const char *cn, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy)
+{
+ return x509_crt_verify_restartable_ca_cb(crt, NULL, NULL,
+ f_ca_cb, p_ca_cb,
+ profile, cn, flags,
+ f_vrfy, p_vrfy, NULL);
+}
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+
+int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt,
+ mbedtls_x509_crt *trust_ca,
+ mbedtls_x509_crl *ca_crl,
+ const mbedtls_x509_crt_profile *profile,
+ const char *cn, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy,
+ mbedtls_x509_crt_restart_ctx *rs_ctx)
+{
+ return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
+ NULL, NULL,
+ profile, cn, flags,
+ f_vrfy, p_vrfy, rs_ctx);
+}
+
+
+/*
+ * Initialize a certificate chain
+ */
+void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
+{
+ memset(crt, 0, sizeof(mbedtls_x509_crt));
+}
+
+/*
+ * Unallocate all certificate data
+ */
+void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
+{
+ mbedtls_x509_crt *cert_cur = crt;
+ mbedtls_x509_crt *cert_prv;
+
+ while (cert_cur != NULL) {
+ mbedtls_pk_free(&cert_cur->pk);
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ mbedtls_free(cert_cur->sig_opts);
+#endif
+
+ mbedtls_asn1_free_named_data_list_shallow(cert_cur->issuer.next);
+ mbedtls_asn1_free_named_data_list_shallow(cert_cur->subject.next);
+ mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next);
+ mbedtls_asn1_sequence_free(cert_cur->subject_alt_names.next);
+ mbedtls_asn1_sequence_free(cert_cur->certificate_policies.next);
+ mbedtls_asn1_sequence_free(cert_cur->authority_key_id.authorityCertIssuer.next);
+
+ if (cert_cur->raw.p != NULL && cert_cur->own_buffer) {
+ mbedtls_zeroize_and_free(cert_cur->raw.p, cert_cur->raw.len);
+ }
+
+ cert_prv = cert_cur;
+ cert_cur = cert_cur->next;
+
+ mbedtls_platform_zeroize(cert_prv, sizeof(mbedtls_x509_crt));
+ if (cert_prv != crt) {
+ mbedtls_free(cert_prv);
+ }
+ }
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx)
+{
+ mbedtls_pk_restart_init(&ctx->pk);
+
+ ctx->parent = NULL;
+ ctx->fallback_parent = NULL;
+ ctx->fallback_signature_is_good = 0;
+
+ ctx->parent_is_trusted = -1;
+
+ ctx->in_progress = x509_crt_rs_none;
+ ctx->self_cnt = 0;
+ x509_crt_verify_chain_reset(&ctx->ver_chain);
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ mbedtls_pk_restart_free(&ctx->pk);
+ mbedtls_x509_crt_restart_init(ctx);
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt)
+{
+ if ((crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) != 0) {
+ return crt->MBEDTLS_PRIVATE(ca_istrue);
+ }
+ return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
+}
+
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
diff --git a/library/x509_csr.c b/library/x509_csr.c
new file mode 100644
index 0000000..813d644
--- /dev/null
+++ b/library/x509_csr.c
@@ -0,0 +1,639 @@
+/*
+ * X.509 Certificate Signing Request (CSR) parsing
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+
+#include "mbedtls/x509_csr.h"
+#include "x509_internal.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
+#include <stdio.h>
+#endif
+
+/*
+ * Version ::= INTEGER { v1(0) }
+ */
+static int x509_csr_get_version(unsigned char **p,
+ const unsigned char *end,
+ int *ver)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ *ver = 0;
+ return 0;
+ }
+
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse CSR extension requests in DER format
+ */
+static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
+ unsigned char **p, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ unsigned char *end_ext_data, *end_ext_octet;
+
+ while (*p < end) {
+ mbedtls_x509_buf extn_oid = { 0, 0, NULL };
+ int is_critical = 0; /* DEFAULT FALSE */
+ int ext_type = 0;
+
+ /* Read sequence tag */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ end_ext_data = *p + len;
+
+ /* Get extension ID */
+ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
+ MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ extn_oid.tag = MBEDTLS_ASN1_OID;
+ extn_oid.p = *p;
+ *p += extn_oid.len;
+
+ /* Get optional critical */
+ if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
+ (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ /* Data should be octet string type */
+ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ end_ext_octet = *p + len;
+
+ if (end_ext_octet != end_ext_data) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * Detect supported extensions and skip unsupported extensions
+ */
+ ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
+
+ if (ret != 0) {
+ /* Give the callback (if any) a chance to handle the extension */
+ if (cb != NULL) {
+ ret = cb(p_ctx, csr, &extn_oid, is_critical, *p, end_ext_octet);
+ if (ret != 0 && is_critical) {
+ return ret;
+ }
+ *p = end_ext_octet;
+ continue;
+ }
+
+ /* No parser found, skip extension */
+ *p = end_ext_octet;
+
+ if (is_critical) {
+ /* Data is marked as critical: fail */
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+ continue;
+ }
+
+ /* Forbid repeated extensions */
+ if ((csr->ext_types & ext_type) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_DATA);
+ }
+
+ csr->ext_types |= ext_type;
+
+ switch (ext_type) {
+ case MBEDTLS_X509_EXT_KEY_USAGE:
+ /* Parse key usage */
+ if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
+ &csr->key_usage)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+ /* Parse subject alt name */
+ if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
+ &csr->subject_alt_names)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+ /* Parse netscape certificate type */
+ if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
+ &csr->ns_cert_type)) != 0) {
+ return ret;
+ }
+ break;
+ default:
+ /*
+ * If this is a non-critical extension, which the oid layer
+ * supports, but there isn't an x509 parser for it,
+ * skip the extension.
+ */
+ if (is_critical) {
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ } else {
+ *p = end_ext_octet;
+ }
+ }
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse CSR attributes in DER format
+ */
+static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
+ const unsigned char *start, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ int ret;
+ size_t len;
+ unsigned char *end_attr_data;
+ unsigned char **p = (unsigned char **) &start;
+
+ while (*p < end) {
+ mbedtls_x509_buf attr_oid = { 0, 0, NULL };
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ end_attr_data = *p + len;
+
+ /* Get attribute ID */
+ if ((ret = mbedtls_asn1_get_tag(p, end_attr_data, &attr_oid.len,
+ MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ attr_oid.tag = MBEDTLS_ASN1_OID;
+ attr_oid.p = *p;
+ *p += attr_oid.len;
+
+ /* Check that this is an extension-request attribute */
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) {
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) !=
+ 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if ((ret = x509_csr_parse_extensions(csr, p, *p + len, cb, p_ctx)) != 0) {
+ return ret;
+ }
+
+ if (*p != end_attr_data) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+ }
+
+ *p = end_attr_data;
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse a CSR in DER format
+ */
+static int mbedtls_x509_csr_parse_der_internal(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ unsigned char *p, *end;
+ mbedtls_x509_buf sig_params;
+
+ memset(&sig_params, 0, sizeof(mbedtls_x509_buf));
+
+ /*
+ * Check for valid input
+ */
+ if (csr == NULL || buf == NULL || buflen == 0) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ mbedtls_x509_csr_init(csr);
+
+ /*
+ * first copy the raw DER data
+ */
+ p = mbedtls_calloc(1, len = buflen);
+
+ if (p == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ memcpy(p, buf, buflen);
+
+ csr->raw.p = p;
+ csr->raw.len = len;
+ end = p + len;
+
+ /*
+ * CertificationRequest ::= SEQUENCE {
+ * certificationRequestInfo CertificationRequestInfo,
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signature BIT STRING
+ * }
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return MBEDTLS_ERR_X509_INVALID_FORMAT;
+ }
+
+ if (len != (size_t) (end - p)) {
+ mbedtls_x509_csr_free(csr);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * CertificationRequestInfo ::= SEQUENCE {
+ */
+ csr->cri.p = p;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ end = p + len;
+ csr->cri.len = (size_t) (end - csr->cri.p);
+
+ /*
+ * Version ::= INTEGER { v1(0) }
+ */
+ if ((ret = x509_csr_get_version(&p, end, &csr->version)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return ret;
+ }
+
+ if (csr->version != 0) {
+ mbedtls_x509_csr_free(csr);
+ return MBEDTLS_ERR_X509_UNKNOWN_VERSION;
+ }
+
+ csr->version++;
+
+ /*
+ * subject Name
+ */
+ csr->subject_raw.p = p;
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ if ((ret = mbedtls_x509_get_name(&p, p + len, &csr->subject)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return ret;
+ }
+
+ csr->subject_raw.len = (size_t) (p - csr->subject_raw.p);
+
+ /*
+ * subjectPKInfo SubjectPublicKeyInfo
+ */
+ if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &csr->pk)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return ret;
+ }
+
+ /*
+ * attributes [0] Attributes
+ *
+ * The list of possible attributes is open-ended, though RFC 2985
+ * (PKCS#9) defines a few in section 5.4. We currently don't support any,
+ * so we just ignore them. This is a safe thing to do as the worst thing
+ * that could happen is that we issue a certificate that does not match
+ * the requester's expectations - this cannot cause a violation of our
+ * signature policies.
+ */
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) !=
+ 0) {
+ mbedtls_x509_csr_free(csr);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
+ }
+
+ if ((ret = x509_csr_parse_attributes(csr, p, p + len, cb, p_ctx)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return ret;
+ }
+
+ p += len;
+
+ end = csr->raw.p + csr->raw.len;
+
+ /*
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signature BIT STRING
+ */
+ if ((ret = mbedtls_x509_get_alg(&p, end, &csr->sig_oid, &sig_params)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return ret;
+ }
+
+ if ((ret = mbedtls_x509_get_sig_alg(&csr->sig_oid, &sig_params,
+ &csr->sig_md, &csr->sig_pk,
+ &csr->sig_opts)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
+ }
+
+ if ((ret = mbedtls_x509_get_sig(&p, end, &csr->sig)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return ret;
+ }
+
+ if (p != end) {
+ mbedtls_x509_csr_free(csr);
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse a CSR in DER format
+ */
+int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, NULL, NULL);
+}
+
+/*
+ * Parse a CSR in DER format with callback for unknown extensions
+ */
+int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, cb, p_ctx);
+}
+
+/*
+ * Parse a CSR, allowing for PEM or raw DER encoding
+ */
+int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen)
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t use_len;
+ mbedtls_pem_context pem;
+#endif
+
+ /*
+ * Check for valid input
+ */
+ if (csr == NULL || buf == NULL || buflen == 0) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+ /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+ if (buf[buflen - 1] == '\0') {
+ mbedtls_pem_init(&pem);
+ ret = mbedtls_pem_read_buffer(&pem,
+ "-----BEGIN CERTIFICATE REQUEST-----",
+ "-----END CERTIFICATE REQUEST-----",
+ buf, NULL, 0, &use_len);
+ if (ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ ret = mbedtls_pem_read_buffer(&pem,
+ "-----BEGIN NEW CERTIFICATE REQUEST-----",
+ "-----END NEW CERTIFICATE REQUEST-----",
+ buf, NULL, 0, &use_len);
+ }
+
+ if (ret == 0) {
+ /*
+ * Was PEM encoded, parse the result
+ */
+ ret = mbedtls_x509_csr_parse_der(csr, pem.buf, pem.buflen);
+ }
+
+ mbedtls_pem_free(&pem);
+ if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
+ return ret;
+ }
+ }
+#endif /* MBEDTLS_PEM_PARSE_C */
+ return mbedtls_x509_csr_parse_der(csr, buf, buflen);
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load a CSR into the structure
+ */
+int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ unsigned char *buf;
+
+ if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_x509_csr_parse(csr, buf, n);
+
+ mbedtls_zeroize_and_free(buf, n);
+
+ return ret;
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#define BEFORE_COLON 14
+#define BC "14"
+/*
+ * Return an informational string about the CSR.
+ */
+int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
+ const mbedtls_x509_csr *csr)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t n;
+ char *p;
+ char key_size_str[BEFORE_COLON];
+
+ p = buf;
+ n = size;
+
+ ret = mbedtls_snprintf(p, n, "%sCSR version : %d",
+ prefix, csr->version);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%ssubject name : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ ret = mbedtls_x509_dn_gets(p, n, &csr->subject);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ ret = mbedtls_x509_sig_alg_gets(p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
+ csr->sig_opts);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
+ mbedtls_pk_get_name(&csr->pk))) != 0) {
+ return ret;
+ }
+
+ ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
+ (int) mbedtls_pk_get_bitlen(&csr->pk));
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ /*
+ * Optional extensions
+ */
+
+ if (csr->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
+ ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
+ &csr->subject_alt_names,
+ prefix)) != 0) {
+ return ret;
+ }
+ }
+
+ if (csr->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
+ ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_info_cert_type(&p, &n, csr->ns_cert_type)) != 0) {
+ return ret;
+ }
+ }
+
+ if (csr->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
+ ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_info_key_usage(&p, &n, csr->key_usage)) != 0) {
+ return ret;
+ }
+ }
+
+ if (csr->ext_types != 0) {
+ ret = mbedtls_snprintf(p, n, "\n");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+
+ return (int) (size - n);
+}
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
+/*
+ * Initialize a CSR
+ */
+void mbedtls_x509_csr_init(mbedtls_x509_csr *csr)
+{
+ memset(csr, 0, sizeof(mbedtls_x509_csr));
+}
+
+/*
+ * Unallocate all CSR data
+ */
+void mbedtls_x509_csr_free(mbedtls_x509_csr *csr)
+{
+ if (csr == NULL) {
+ return;
+ }
+
+ mbedtls_pk_free(&csr->pk);
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ mbedtls_free(csr->sig_opts);
+#endif
+
+ mbedtls_asn1_free_named_data_list_shallow(csr->subject.next);
+ mbedtls_asn1_sequence_free(csr->subject_alt_names.next);
+
+ if (csr->raw.p != NULL) {
+ mbedtls_zeroize_and_free(csr->raw.p, csr->raw.len);
+ }
+
+ mbedtls_platform_zeroize(csr, sizeof(mbedtls_x509_csr));
+}
+
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
diff --git a/library/x509_internal.h b/library/x509_internal.h
new file mode 100644
index 0000000..8a2d2ed
--- /dev/null
+++ b/library/x509_internal.h
@@ -0,0 +1,86 @@
+/**
+ * \file x509.h
+ *
+ * \brief Internal part of the public "x509.h".
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_X509_INTERNAL_H
+#define MBEDTLS_X509_INTERNAL_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1.h"
+#include "pk_internal.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+
+int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_name *cur);
+int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *alg);
+int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *alg, mbedtls_x509_buf *params);
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
+ mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+ int *salt_len);
+#endif
+int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
+int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+ mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+ void **sig_opts);
+int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_time *t);
+int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *serial);
+int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
+ mbedtls_x509_buf *ext, int tag);
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+ mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+ const void *sig_opts);
+#endif
+int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name);
+int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+ int critical, const unsigned char *val,
+ size_t val_len);
+int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start,
+ mbedtls_asn1_named_data *first);
+int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
+ mbedtls_asn1_named_data *first);
+int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
+ const char *oid, size_t oid_len,
+ unsigned char *sig, size_t size,
+ mbedtls_pk_type_t pk_alg);
+int mbedtls_x509_get_ns_cert_type(unsigned char **p,
+ const unsigned char *end,
+ unsigned char *ns_cert_type);
+int mbedtls_x509_get_key_usage(unsigned char **p,
+ const unsigned char *end,
+ unsigned int *key_usage);
+int mbedtls_x509_get_subject_alt_name(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name);
+int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name);
+int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
+ const mbedtls_x509_sequence
+ *subject_alt_name,
+ const char *prefix);
+int mbedtls_x509_info_cert_type(char **buf, size_t *size,
+ unsigned char ns_cert_type);
+int mbedtls_x509_info_key_usage(char **buf, size_t *size,
+ unsigned int key_usage);
+
+int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions,
+ const mbedtls_x509_san_list *san_list);
+
+#endif /* MBEDTLS_X509_INTERNAL_H */
diff --git a/library/x509write.c b/library/x509write.c
new file mode 100644
index 0000000..4704900
--- /dev/null
+++ b/library/x509write.c
@@ -0,0 +1,174 @@
+/*
+ * X.509 internal, common functions for writing
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#include "common.h"
+#if defined(MBEDTLS_X509_CSR_WRITE_C) || defined(MBEDTLS_X509_CRT_WRITE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "x509_internal.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+#include <stdint.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+#include "md_psa.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#define CHECK_OVERFLOW_ADD(a, b) \
+ do \
+ { \
+ if (a > SIZE_MAX - (b)) \
+ { \
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA; \
+ } \
+ a += b; \
+ } while (0)
+
+int mbedtls_x509_write_set_san_common(mbedtls_asn1_named_data **extensions,
+ const mbedtls_x509_san_list *san_list)
+{
+ int ret = 0;
+ const mbedtls_x509_san_list *cur;
+ unsigned char *buf;
+ unsigned char *p;
+ size_t len;
+ size_t buflen = 0;
+
+ /* Determine the maximum size of the SubjectAltName list */
+ for (cur = san_list; cur != NULL; cur = cur->next) {
+ /* Calculate size of the required buffer */
+ switch (cur->node.type) {
+ case MBEDTLS_X509_SAN_DNS_NAME:
+ case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
+ case MBEDTLS_X509_SAN_IP_ADDRESS:
+ case MBEDTLS_X509_SAN_RFC822_NAME:
+ /* length of value for each name entry,
+ * maximum 4 bytes for the length field,
+ * 1 byte for the tag/type.
+ */
+ CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
+ CHECK_OVERFLOW_ADD(buflen, 4 + 1);
+ break;
+ case MBEDTLS_X509_SAN_DIRECTORY_NAME:
+ {
+ const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name;
+ while (chunk != NULL) {
+ // Max 4 bytes for length, +1 for tag,
+ // additional 4 max for length, +1 for tag.
+ // See x509_write_name for more information.
+ CHECK_OVERFLOW_ADD(buflen, 4 + 1 + 4 + 1);
+ CHECK_OVERFLOW_ADD(buflen, chunk->oid.len);
+ CHECK_OVERFLOW_ADD(buflen, chunk->val.len);
+ chunk = chunk->next;
+ }
+ CHECK_OVERFLOW_ADD(buflen, 4 + 1);
+ break;
+ }
+ default:
+ /* Not supported - return. */
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ }
+ }
+
+ /* Add the extra length field and tag */
+ CHECK_OVERFLOW_ADD(buflen, 4 + 1);
+
+ /* Allocate buffer */
+ buf = mbedtls_calloc(1, buflen);
+ if (buf == NULL) {
+ return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
+ }
+ p = buf + buflen;
+
+ /* Write ASN.1-based structure */
+ cur = san_list;
+ len = 0;
+ while (cur != NULL) {
+ size_t single_san_len = 0;
+ switch (cur->node.type) {
+ case MBEDTLS_X509_SAN_DNS_NAME:
+ case MBEDTLS_X509_SAN_RFC822_NAME:
+ case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
+ case MBEDTLS_X509_SAN_IP_ADDRESS:
+ {
+ const unsigned char *unstructured_name =
+ (const unsigned char *) cur->node.san.unstructured_name.p;
+ size_t unstructured_name_len = cur->node.san.unstructured_name.len;
+
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_asn1_write_raw_buffer(
+ &p, buf,
+ unstructured_name, unstructured_name_len));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len, mbedtls_asn1_write_len(
+ &p, buf, unstructured_name_len));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_asn1_write_tag(
+ &p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | cur->node.type));
+ }
+ break;
+ case MBEDTLS_X509_SAN_DIRECTORY_NAME:
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_x509_write_names(&p, buf,
+ (mbedtls_asn1_named_data *) &
+ cur->node
+ .san.directory_name));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_asn1_write_len(&p, buf, single_san_len));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
+ mbedtls_asn1_write_tag(&p, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_X509_SAN_DIRECTORY_NAME));
+ break;
+ default:
+ /* Error out on an unsupported SAN */
+ ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ goto cleanup;
+ }
+ cur = cur->next;
+ /* check for overflow */
+ if (len > SIZE_MAX - single_san_len) {
+ ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+ len += single_san_len;
+ }
+
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
+ MBEDTLS_ASN1_CHK_CLEANUP_ADD(len,
+ mbedtls_asn1_write_tag(&p, buf,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ ret = mbedtls_x509_set_extension(extensions,
+ MBEDTLS_OID_SUBJECT_ALT_NAME,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME),
+ 0,
+ buf + buflen - len, len);
+
+ /* If we exceeded the allocated buffer it means that maximum size of the SubjectAltName list
+ * was incorrectly calculated and memory is corrupted. */
+ if (p < buf) {
+ ret = MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ }
+cleanup:
+ mbedtls_free(buf);
+ return ret;
+}
+
+#endif /* MBEDTLS_X509_CSR_WRITE_C || MBEDTLS_X509_CRT_WRITE_C */
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
new file mode 100644
index 0000000..72f5a10
--- /dev/null
+++ b/library/x509write_crt.c
@@ -0,0 +1,682 @@
+/*
+ * X.509 certificate writing
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * References:
+ * - certificates: RFC 5280, updated by RFC 6818
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "x509_internal.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/md.h"
+
+#include <string.h>
+#include <stdint.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "psa_util_internal.h"
+#include "mbedtls/psa_util.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_x509write_cert));
+
+ ctx->version = MBEDTLS_X509_CRT_VERSION_3;
+}
+
+void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
+{
+ mbedtls_asn1_free_named_data_list(&ctx->subject);
+ mbedtls_asn1_free_named_data_list(&ctx->issuer);
+ mbedtls_asn1_free_named_data_list(&ctx->extensions);
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_x509write_cert));
+}
+
+void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx,
+ int version)
+{
+ ctx->version = version;
+}
+
+void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx,
+ mbedtls_md_type_t md_alg)
+{
+ ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_crt_set_subject_key(mbedtls_x509write_cert *ctx,
+ mbedtls_pk_context *key)
+{
+ ctx->subject_key = key;
+}
+
+void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx,
+ mbedtls_pk_context *key)
+{
+ ctx->issuer_key = key;
+}
+
+int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx,
+ const char *subject_name)
+{
+ return mbedtls_x509_string_to_names(&ctx->subject, subject_name);
+}
+
+int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx,
+ const char *issuer_name)
+{
+ return mbedtls_x509_string_to_names(&ctx->issuer, issuer_name);
+}
+
+#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx,
+ const mbedtls_mpi *serial)
+{
+ int ret;
+ size_t tmp_len;
+
+ /* Ensure that the MPI value fits into the buffer */
+ tmp_len = mbedtls_mpi_size(serial);
+ if (tmp_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ ctx->serial_len = tmp_len;
+
+ ret = mbedtls_mpi_write_binary(serial, ctx->serial, tmp_len);
+ if (ret < 0) {
+ return ret;
+ }
+
+ return 0;
+}
+#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED
+
+int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
+ unsigned char *serial, size_t serial_len)
+{
+ if (serial_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ ctx->serial_len = serial_len;
+ memcpy(ctx->serial, serial, serial_len);
+
+ return 0;
+}
+
+int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx,
+ const char *not_before,
+ const char *not_after)
+{
+ if (strlen(not_before) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ||
+ strlen(not_after) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+ strncpy(ctx->not_before, not_before, MBEDTLS_X509_RFC5280_UTC_TIME_LEN);
+ strncpy(ctx->not_after, not_after, MBEDTLS_X509_RFC5280_UTC_TIME_LEN);
+ ctx->not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+ ctx->not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+
+ return 0;
+}
+
+int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx,
+ const mbedtls_x509_san_list *san_list)
+{
+ return mbedtls_x509_write_set_san_common(&ctx->extensions, san_list);
+}
+
+
+int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
+ const char *oid, size_t oid_len,
+ int critical,
+ const unsigned char *val, size_t val_len)
+{
+ return mbedtls_x509_set_extension(&ctx->extensions, oid, oid_len,
+ critical, val, val_len);
+}
+
+int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx,
+ int is_ca, int max_pathlen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char buf[9];
+ unsigned char *c = buf + sizeof(buf);
+ size_t len = 0;
+
+ memset(buf, 0, sizeof(buf));
+
+ if (is_ca && max_pathlen > 127) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ if (is_ca) {
+ if (max_pathlen >= 0) {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(&c, buf,
+ max_pathlen));
+ }
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_bool(&c, buf, 1));
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return
+ mbedtls_x509write_crt_set_extension(ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_BASIC_CONSTRAINTS),
+ is_ca, buf + sizeof(buf) - len, len);
+}
+
+#if defined(MBEDTLS_MD_CAN_SHA1)
+static int mbedtls_x509write_crt_set_key_identifier(mbedtls_x509write_cert *ctx,
+ int is_ca,
+ unsigned char tag)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
+ unsigned char *c = buf + sizeof(buf);
+ size_t len = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t hash_length;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ memset(buf, 0, sizeof(buf));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_pk_write_pubkey(&c,
+ buf,
+ is_ca ?
+ ctx->issuer_key :
+ ctx->subject_key));
+
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_hash_compute(PSA_ALG_SHA_1,
+ buf + sizeof(buf) - len,
+ len,
+ buf + sizeof(buf) - 20,
+ 20,
+ &hash_length);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+#else
+ ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
+ buf + sizeof(buf) - len, len,
+ buf + sizeof(buf) - 20);
+ if (ret != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ c = buf + sizeof(buf) - 20;
+ len = 20;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, tag));
+
+ if (is_ca) { // writes AuthorityKeyIdentifier sequence
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(&c,
+ buf,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+ }
+
+ if (is_ca) {
+ return mbedtls_x509write_crt_set_extension(ctx,
+ MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
+ MBEDTLS_OID_SIZE(
+ MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER),
+ 0, buf + sizeof(buf) - len, len);
+ } else {
+ return mbedtls_x509write_crt_set_extension(ctx,
+ MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
+ MBEDTLS_OID_SIZE(
+ MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER),
+ 0, buf + sizeof(buf) - len, len);
+ }
+}
+
+int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx)
+{
+ return mbedtls_x509write_crt_set_key_identifier(ctx,
+ 0,
+ MBEDTLS_ASN1_OCTET_STRING);
+}
+
+int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx)
+{
+ return mbedtls_x509write_crt_set_key_identifier(ctx,
+ 1,
+ (MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0));
+}
+#endif /* MBEDTLS_MD_CAN_SHA1 */
+
+int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx,
+ unsigned int key_usage)
+{
+ unsigned char buf[5] = { 0 }, ku[2] = { 0 };
+ unsigned char *c;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
+ MBEDTLS_X509_KU_NON_REPUDIATION |
+ MBEDTLS_X509_KU_KEY_ENCIPHERMENT |
+ MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
+ MBEDTLS_X509_KU_KEY_AGREEMENT |
+ MBEDTLS_X509_KU_KEY_CERT_SIGN |
+ MBEDTLS_X509_KU_CRL_SIGN |
+ MBEDTLS_X509_KU_ENCIPHER_ONLY |
+ MBEDTLS_X509_KU_DECIPHER_ONLY;
+
+ /* Check that nothing other than the allowed flags is set */
+ if ((key_usage & ~allowed_bits) != 0) {
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ }
+
+ c = buf + 5;
+ MBEDTLS_PUT_UINT16_LE(key_usage, ku, 0);
+ ret = mbedtls_asn1_write_named_bitstring(&c, buf, ku, 9);
+
+ if (ret < 0) {
+ return ret;
+ } else if (ret < 3 || ret > 5) {
+ return MBEDTLS_ERR_X509_INVALID_FORMAT;
+ }
+
+ ret = mbedtls_x509write_crt_set_extension(ctx, MBEDTLS_OID_KEY_USAGE,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_KEY_USAGE),
+ 1, c, (size_t) ret);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx,
+ const mbedtls_asn1_sequence *exts)
+{
+ unsigned char buf[256];
+ unsigned char *c = buf + sizeof(buf);
+ int ret;
+ size_t len = 0;
+ const mbedtls_asn1_sequence *last_ext = NULL;
+ const mbedtls_asn1_sequence *ext;
+
+ memset(buf, 0, sizeof(buf));
+
+ /* We need at least one extension: SEQUENCE SIZE (1..MAX) OF KeyPurposeId */
+ if (exts == NULL) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+
+ /* Iterate over exts backwards, so we write them out in the requested order */
+ while (last_ext != exts) {
+ for (ext = exts; ext->next != last_ext; ext = ext->next) {
+ }
+ if (ext->buf.tag != MBEDTLS_ASN1_OID) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(&c, buf, ext->buf.p, ext->buf.len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, ext->buf.len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_OID));
+ last_ext = ext;
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(&c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+
+ return mbedtls_x509write_crt_set_extension(ctx,
+ MBEDTLS_OID_EXTENDED_KEY_USAGE,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_EXTENDED_KEY_USAGE),
+ 1, c, len);
+}
+
+int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx,
+ unsigned char ns_cert_type)
+{
+ unsigned char buf[4] = { 0 };
+ unsigned char *c;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ c = buf + 4;
+
+ ret = mbedtls_asn1_write_named_bitstring(&c, buf, &ns_cert_type, 8);
+ if (ret < 3 || ret > 4) {
+ return ret;
+ }
+
+ ret = mbedtls_x509write_crt_set_extension(ctx, MBEDTLS_OID_NS_CERT_TYPE,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_NS_CERT_TYPE),
+ 0, c, (size_t) ret);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+static int x509_write_time(unsigned char **p, unsigned char *start,
+ const char *t, size_t size)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len = 0;
+
+ /*
+ * write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
+ */
+ if (t[0] < '2' || (t[0] == '2' && t[1] == '0' && t[2] < '5')) {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
+ (const unsigned char *) t + 2,
+ size - 2));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+ MBEDTLS_ASN1_UTC_TIME));
+ } else {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(p, start,
+ (const unsigned char *) t,
+ size));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start,
+ MBEDTLS_ASN1_GENERALIZED_TIME));
+ }
+
+ return (int) len;
+}
+
+int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
+ unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const char *sig_oid;
+ size_t sig_oid_len = 0;
+ unsigned char *c, *c2;
+ unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
+ size_t hash_length = 0;
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_algorithm_t psa_algorithm;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
+ size_t len = 0;
+ mbedtls_pk_type_t pk_alg;
+ int write_sig_null_par;
+
+ /*
+ * Prepare data to be signed at the end of the target buffer
+ */
+ c = buf + size;
+
+ /* Signature algorithm needed in TBS, and later for actual signature */
+
+ /* There's no direct way of extracting a signature algorithm
+ * (represented as an element of mbedtls_pk_type_t) from a PK instance. */
+ if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_RSA)) {
+ pk_alg = MBEDTLS_PK_RSA;
+ } else if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_ECDSA)) {
+ pk_alg = MBEDTLS_PK_ECDSA;
+ } else {
+ return MBEDTLS_ERR_X509_INVALID_ALG;
+ }
+
+ if ((ret = mbedtls_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg,
+ &sig_oid, &sig_oid_len)) != 0) {
+ return ret;
+ }
+
+ /*
+ * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+ */
+
+ /* Only for v3 */
+ if (ctx->version == MBEDTLS_X509_CRT_VERSION_3) {
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_x509_write_extensions(&c,
+ buf, ctx->extensions));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(&c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(&c, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 3));
+ }
+
+ /*
+ * SubjectPublicKeyInfo
+ */
+ MBEDTLS_ASN1_CHK_ADD(pub_len,
+ mbedtls_pk_write_pubkey_der(ctx->subject_key,
+ buf, (size_t) (c - buf)));
+ c -= pub_len;
+ len += pub_len;
+
+ /*
+ * Subject ::= Name
+ */
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_x509_write_names(&c, buf,
+ ctx->subject));
+
+ /*
+ * Validity ::= SEQUENCE {
+ * notBefore Time,
+ * notAfter Time }
+ */
+ sub_len = 0;
+
+ MBEDTLS_ASN1_CHK_ADD(sub_len,
+ x509_write_time(&c, buf, ctx->not_after,
+ MBEDTLS_X509_RFC5280_UTC_TIME_LEN));
+
+ MBEDTLS_ASN1_CHK_ADD(sub_len,
+ x509_write_time(&c, buf, ctx->not_before,
+ MBEDTLS_X509_RFC5280_UTC_TIME_LEN));
+
+ len += sub_len;
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, sub_len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(&c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ /*
+ * Issuer ::= Name
+ */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_x509_write_names(&c, buf,
+ ctx->issuer));
+
+ /*
+ * Signature ::= AlgorithmIdentifier
+ */
+ if (pk_alg == MBEDTLS_PK_ECDSA) {
+ /*
+ * The AlgorithmIdentifier's parameters field must be absent for DSA/ECDSA signature
+ * algorithms, see https://www.rfc-editor.org/rfc/rfc5480#page-17 and
+ * https://www.rfc-editor.org/rfc/rfc5758#section-3.
+ */
+ write_sig_null_par = 0;
+ } else {
+ write_sig_null_par = 1;
+ }
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_algorithm_identifier_ext(&c, buf,
+ sig_oid, strlen(sig_oid),
+ 0, write_sig_null_par));
+
+ /*
+ * Serial ::= INTEGER
+ *
+ * Written data is:
+ * - "ctx->serial_len" bytes for the raw serial buffer
+ * - if MSb of "serial" is 1, then prepend an extra 0x00 byte
+ * - 1 byte for the length
+ * - 1 byte for the TAG
+ */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(&c, buf,
+ ctx->serial, ctx->serial_len));
+ if (*c & 0x80) {
+ if (c - buf < 1) {
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ *(--c) = 0x0;
+ len++;
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf,
+ ctx->serial_len + 1));
+ } else {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf,
+ ctx->serial_len));
+ }
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf,
+ MBEDTLS_ASN1_INTEGER));
+
+ /*
+ * Version ::= INTEGER { v1(0), v2(1), v3(2) }
+ */
+
+ /* Can be omitted for v1 */
+ if (ctx->version != MBEDTLS_X509_CRT_VERSION_1) {
+ sub_len = 0;
+ MBEDTLS_ASN1_CHK_ADD(sub_len,
+ mbedtls_asn1_write_int(&c, buf, ctx->version));
+ len += sub_len;
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_len(&c, buf, sub_len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(&c, buf,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 0));
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ /*
+ * Make signature
+ */
+
+ /* Compute hash of CRT. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm = mbedtls_md_psa_alg_from_type(ctx->md_alg);
+
+ status = psa_hash_compute(psa_algorithm,
+ c,
+ len,
+ hash,
+ sizeof(hash),
+ &hash_length);
+ if (status != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+#else
+ if ((ret = mbedtls_md(mbedtls_md_info_from_type(ctx->md_alg), c,
+ len, hash)) != 0) {
+ return ret;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+
+ if ((ret = mbedtls_pk_sign(ctx->issuer_key, ctx->md_alg,
+ hash, hash_length, sig, sizeof(sig), &sig_len,
+ f_rng, p_rng)) != 0) {
+ return ret;
+ }
+
+ /* Move CRT to the front of the buffer to have space
+ * for the signature. */
+ memmove(buf, c, len);
+ c = buf + len;
+
+ /* Add signature at the end of the buffer,
+ * making sure that it doesn't underflow
+ * into the CRT buffer. */
+ c2 = buf + size;
+ MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, c,
+ sig_oid, sig_oid_len,
+ sig, sig_len, pk_alg));
+
+ /*
+ * Memory layout after this step:
+ *
+ * buf c=buf+len c2 buf+size
+ * [CRT0,...,CRTn, UNUSED, ..., UNUSED, SIG0, ..., SIGm]
+ */
+
+ /* Move raw CRT to just before the signature. */
+ c = c2 - len;
+ memmove(c, buf, len);
+
+ len += sig_and_oid_len;
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE));
+
+ return (int) len;
+}
+
+#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
+#define PEM_END_CRT "-----END CERTIFICATE-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *crt,
+ unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen;
+
+ if ((ret = mbedtls_x509write_crt_der(crt, buf, size,
+ f_rng, p_rng)) < 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_CRT, PEM_END_CRT,
+ buf + size - ret, ret,
+ buf, size, &olen)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
new file mode 100644
index 0000000..d3ddbcc
--- /dev/null
+++ b/library/x509write_csr.c
@@ -0,0 +1,331 @@
+/*
+ * X.509 Certificate Signing Request writing
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+/*
+ * References:
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+
+#include "x509_internal.h"
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/error.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "psa_util_internal.h"
+#include "mbedtls/psa_util.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#include <string.h>
+#include <stdlib.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#include "mbedtls/platform.h"
+
+void mbedtls_x509write_csr_init(mbedtls_x509write_csr *ctx)
+{
+ memset(ctx, 0, sizeof(mbedtls_x509write_csr));
+}
+
+void mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx)
+{
+ mbedtls_asn1_free_named_data_list(&ctx->subject);
+ mbedtls_asn1_free_named_data_list(&ctx->extensions);
+
+ mbedtls_platform_zeroize(ctx, sizeof(mbedtls_x509write_csr));
+}
+
+void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg)
+{
+ ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_csr_set_key(mbedtls_x509write_csr *ctx, mbedtls_pk_context *key)
+{
+ ctx->key = key;
+}
+
+int mbedtls_x509write_csr_set_subject_name(mbedtls_x509write_csr *ctx,
+ const char *subject_name)
+{
+ return mbedtls_x509_string_to_names(&ctx->subject, subject_name);
+}
+
+int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx,
+ const char *oid, size_t oid_len,
+ int critical,
+ const unsigned char *val, size_t val_len)
+{
+ return mbedtls_x509_set_extension(&ctx->extensions, oid, oid_len,
+ critical, val, val_len);
+}
+
+int mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ctx,
+ const mbedtls_x509_san_list *san_list)
+{
+ return mbedtls_x509_write_set_san_common(&ctx->extensions, san_list);
+}
+
+int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage)
+{
+ unsigned char buf[4] = { 0 };
+ unsigned char *c;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ c = buf + 4;
+
+ ret = mbedtls_asn1_write_named_bitstring(&c, buf, &key_usage, 8);
+ if (ret < 3 || ret > 4) {
+ return ret;
+ }
+
+ ret = mbedtls_x509write_csr_set_extension(ctx, MBEDTLS_OID_KEY_USAGE,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_KEY_USAGE),
+ 0, c, (size_t) ret);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
+ unsigned char ns_cert_type)
+{
+ unsigned char buf[4] = { 0 };
+ unsigned char *c;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ c = buf + 4;
+
+ ret = mbedtls_asn1_write_named_bitstring(&c, buf, &ns_cert_type, 8);
+ if (ret < 3 || ret > 4) {
+ return ret;
+ }
+
+ ret = mbedtls_x509write_csr_set_extension(ctx, MBEDTLS_OID_NS_CERT_TYPE,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_NS_CERT_TYPE),
+ 0, c, (size_t) ret);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+
+static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
+ unsigned char *buf,
+ size_t size,
+ unsigned char *sig, size_t sig_size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const char *sig_oid;
+ size_t sig_oid_len = 0;
+ unsigned char *c, *c2;
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+ size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
+ size_t len = 0;
+ mbedtls_pk_type_t pk_alg;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ size_t hash_len;
+ psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ /* Write the CSR backwards starting from the end of buf */
+ c = buf + size;
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_x509_write_extensions(&c, buf,
+ ctx->extensions));
+
+ if (len) {
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET));
+
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_oid(
+ &c, buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
+ MBEDTLS_OID_SIZE(MBEDTLS_OID_PKCS9_CSR_EXT_REQ)));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+ }
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC));
+
+ MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_pk_write_pubkey_der(ctx->key,
+ buf, (size_t) (c - buf)));
+ c -= pub_len;
+ len += pub_len;
+
+ /*
+ * Subject ::= Name
+ */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_x509_write_names(&c, buf,
+ ctx->subject));
+
+ /*
+ * Version ::= INTEGER { v1(0), v2(1), v3(2) }
+ */
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(&c, buf, 0));
+
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+
+ /*
+ * Sign the written CSR data into the sig buffer
+ * Note: hash errors can happen only after an internal error
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if (psa_hash_compute(hash_alg,
+ c,
+ len,
+ hash,
+ sizeof(hash),
+ &hash_len) != PSA_SUCCESS) {
+ return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
+ }
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+ ret = mbedtls_md(mbedtls_md_info_from_type(ctx->md_alg), c, len, hash);
+ if (ret != 0) {
+ return ret;
+ }
+#endif
+ if ((ret = mbedtls_pk_sign(ctx->key, ctx->md_alg, hash, 0,
+ sig, sig_size, &sig_len,
+ f_rng, p_rng)) != 0) {
+ return ret;
+ }
+
+ if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_RSA)) {
+ pk_alg = MBEDTLS_PK_RSA;
+ } else if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_ECDSA)) {
+ pk_alg = MBEDTLS_PK_ECDSA;
+ } else {
+ return MBEDTLS_ERR_X509_INVALID_ALG;
+ }
+
+ if ((ret = mbedtls_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg,
+ &sig_oid, &sig_oid_len)) != 0) {
+ return ret;
+ }
+
+ /*
+ * Move the written CSR data to the start of buf to create space for
+ * writing the signature into buf.
+ */
+ memmove(buf, c, len);
+
+ /*
+ * Write sig and its OID into buf backwards from the end of buf.
+ * Note: mbedtls_x509_write_sig will check for c2 - ( buf + len ) < sig_len
+ * and return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if needed.
+ */
+ c2 = buf + size;
+ MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len,
+ mbedtls_x509_write_sig(&c2, buf + len, sig_oid, sig_oid_len,
+ sig, sig_len, pk_alg));
+
+ /*
+ * Compact the space between the CSR data and signature by moving the
+ * CSR data to the start of the signature.
+ */
+ c2 -= len;
+ memmove(c2, buf, len);
+
+ /* ASN encode the total size and tag the CSR data with it. */
+ len += sig_and_oid_len;
+ MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c2, buf, len));
+ MBEDTLS_ASN1_CHK_ADD(len,
+ mbedtls_asn1_write_tag(
+ &c2, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+
+ /* Zero the unused bytes at the start of buf */
+ memset(buf, 0, (size_t) (c2 - buf));
+
+ return (int) len;
+}
+
+int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf,
+ size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret;
+ unsigned char *sig;
+
+ if ((sig = mbedtls_calloc(1, MBEDTLS_PK_SIGNATURE_MAX_SIZE)) == NULL) {
+ return MBEDTLS_ERR_X509_ALLOC_FAILED;
+ }
+
+ ret = x509write_csr_der_internal(ctx, buf, size,
+ sig, MBEDTLS_PK_SIGNATURE_MAX_SIZE,
+ f_rng, p_rng);
+
+ mbedtls_free(sig);
+
+ return ret;
+}
+
+#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
+#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t olen = 0;
+
+ if ((ret = mbedtls_x509write_csr_der(ctx, buf, size,
+ f_rng, p_rng)) < 0) {
+ return ret;
+ }
+
+ if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_CSR, PEM_END_CSR,
+ buf + size - ret,
+ ret, buf, size, &olen)) != 0) {
+ return ret;
+ }
+
+ return 0;
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CSR_WRITE_C */