summaryrefslogtreecommitdiff
path: root/thirdparty/mbedtls/include
diff options
context:
space:
mode:
Diffstat (limited to 'thirdparty/mbedtls/include')
-rw-r--r--thirdparty/mbedtls/include/mbedtls/aes.h76
-rw-r--r--thirdparty/mbedtls/include/mbedtls/aesni.h46
-rw-r--r--thirdparty/mbedtls/include/mbedtls/arc4.h3
-rw-r--r--thirdparty/mbedtls/include/mbedtls/aria.h105
-rw-r--r--thirdparty/mbedtls/include/mbedtls/asn1write.h310
-rw-r--r--thirdparty/mbedtls/include/mbedtls/bignum.h807
-rw-r--r--thirdparty/mbedtls/include/mbedtls/blowfish.h143
-rw-r--r--thirdparty/mbedtls/include/mbedtls/bn_mul.h44
-rw-r--r--thirdparty/mbedtls/include/mbedtls/camellia.h219
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ccm.h115
-rw-r--r--thirdparty/mbedtls/include/mbedtls/chacha20.h56
-rw-r--r--thirdparty/mbedtls/include/mbedtls/chachapoly.h85
-rw-r--r--thirdparty/mbedtls/include/mbedtls/check_config.h15
-rw-r--r--thirdparty/mbedtls/include/mbedtls/cipher.h237
-rw-r--r--thirdparty/mbedtls/include/mbedtls/cmac.h1
-rw-r--r--thirdparty/mbedtls/include/mbedtls/config.h252
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ctr_drbg.h66
-rw-r--r--thirdparty/mbedtls/include/mbedtls/debug.h36
-rw-r--r--thirdparty/mbedtls/include/mbedtls/des.h6
-rw-r--r--thirdparty/mbedtls/include/mbedtls/dhm.h172
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ecdh.h288
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ecdsa.h326
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ecjpake.h145
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ecp.h590
-rw-r--r--thirdparty/mbedtls/include/mbedtls/entropy.h4
-rw-r--r--thirdparty/mbedtls/include/mbedtls/error.h13
-rw-r--r--thirdparty/mbedtls/include/mbedtls/gcm.h100
-rw-r--r--thirdparty/mbedtls/include/mbedtls/havege.h2
-rw-r--r--thirdparty/mbedtls/include/mbedtls/hkdf.h14
-rw-r--r--thirdparty/mbedtls/include/mbedtls/hmac_drbg.h32
-rw-r--r--thirdparty/mbedtls/include/mbedtls/md.h5
-rw-r--r--thirdparty/mbedtls/include/mbedtls/md2.h3
-rw-r--r--thirdparty/mbedtls/include/mbedtls/md4.h3
-rw-r--r--thirdparty/mbedtls/include/mbedtls/md5.h3
-rw-r--r--thirdparty/mbedtls/include/mbedtls/net_sockets.h2
-rw-r--r--thirdparty/mbedtls/include/mbedtls/oid.h3
-rw-r--r--thirdparty/mbedtls/include/mbedtls/padlock.h34
-rw-r--r--thirdparty/mbedtls/include/mbedtls/pem.h2
-rw-r--r--thirdparty/mbedtls/include/mbedtls/pk.h221
-rw-r--r--thirdparty/mbedtls/include/mbedtls/pk_internal.h23
-rw-r--r--thirdparty/mbedtls/include/mbedtls/pkcs11.h3
-rw-r--r--thirdparty/mbedtls/include/mbedtls/pkcs12.h4
-rw-r--r--thirdparty/mbedtls/include/mbedtls/pkcs5.h4
-rw-r--r--thirdparty/mbedtls/include/mbedtls/platform.h6
-rw-r--r--thirdparty/mbedtls/include/mbedtls/platform_util.h123
-rw-r--r--thirdparty/mbedtls/include/mbedtls/poly1305.h55
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ripemd160.h4
-rw-r--r--thirdparty/mbedtls/include/mbedtls/rsa.h596
-rw-r--r--thirdparty/mbedtls/include/mbedtls/sha1.h64
-rw-r--r--thirdparty/mbedtls/include/mbedtls/sha256.h91
-rw-r--r--thirdparty/mbedtls/include/mbedtls/sha512.h91
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ssl.h380
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ssl_cookie.h2
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ssl_internal.h74
-rw-r--r--thirdparty/mbedtls/include/mbedtls/ssl_ticket.h4
-rw-r--r--thirdparty/mbedtls/include/mbedtls/threading.h16
-rw-r--r--thirdparty/mbedtls/include/mbedtls/timing.h2
-rw-r--r--thirdparty/mbedtls/include/mbedtls/version.h8
-rw-r--r--thirdparty/mbedtls/include/mbedtls/x509_crt.h139
-rw-r--r--thirdparty/mbedtls/include/mbedtls/xtea.h4
60 files changed, 4449 insertions, 1828 deletions
diff --git a/thirdparty/mbedtls/include/mbedtls/aes.h b/thirdparty/mbedtls/include/mbedtls/aes.h
index f6603d5962..b42e564efc 100644
--- a/thirdparty/mbedtls/include/mbedtls/aes.h
+++ b/thirdparty/mbedtls/include/mbedtls/aes.h
@@ -60,7 +60,11 @@
/* Error codes in range 0x0021-0x0025 */
#define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021 /**< Invalid input data. */
+
+/* MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE is deprecated and should not be used. */
#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available. For example, an unsupported AES key size. */
+
+/* MBEDTLS_ERR_AES_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_AES_HW_ACCEL_FAILED -0x0025 /**< AES hardware accelerator failed. */
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
@@ -79,7 +83,7 @@ extern "C" {
/**
* \brief The AES context-type definition.
*/
-typedef struct
+typedef struct mbedtls_aes_context
{
int nr; /*!< The number of rounds. */
uint32_t *rk; /*!< AES round keys. */
@@ -98,7 +102,7 @@ mbedtls_aes_context;
/**
* \brief The AES XTS context-type definition.
*/
-typedef struct
+typedef struct mbedtls_aes_xts_context
{
mbedtls_aes_context crypt; /*!< The AES context to use for AES block
encryption or decryption. */
@@ -117,7 +121,7 @@ typedef struct
* It must be the first API called before using
* the context.
*
- * \param ctx The AES context to initialize.
+ * \param ctx The AES context to initialize. This must not be \c NULL.
*/
void mbedtls_aes_init( mbedtls_aes_context *ctx );
@@ -125,6 +129,8 @@ void mbedtls_aes_init( mbedtls_aes_context *ctx );
* \brief This function releases and clears the specified AES context.
*
* \param ctx The AES context to clear.
+ * If this is \c NULL, this function does nothing.
+ * Otherwise, the context must have been at least initialized.
*/
void mbedtls_aes_free( mbedtls_aes_context *ctx );
@@ -135,7 +141,7 @@ void mbedtls_aes_free( mbedtls_aes_context *ctx );
* It must be the first API called before using
* the context.
*
- * \param ctx The AES XTS context to initialize.
+ * \param ctx The AES XTS context to initialize. This must not be \c NULL.
*/
void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx );
@@ -143,6 +149,8 @@ void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx );
* \brief This function releases and clears the specified AES XTS context.
*
* \param ctx The AES XTS context to clear.
+ * If this is \c NULL, this function does nothing.
+ * Otherwise, the context must have been at least initialized.
*/
void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
#endif /* MBEDTLS_CIPHER_MODE_XTS */
@@ -151,7 +159,9 @@ void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
* \brief This function sets the encryption key.
*
* \param ctx The AES context to which the key should be bound.
+ * It must be initialized.
* \param key The encryption key.
+ * This must be a readable buffer of size \p keybits bits.
* \param keybits The size of data passed in bits. Valid options are:
* <ul><li>128 bits</li>
* <li>192 bits</li>
@@ -167,7 +177,9 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
* \brief This function sets the decryption key.
*
* \param ctx The AES context to which the key should be bound.
+ * It must be initialized.
* \param key The decryption key.
+ * This must be a readable buffer of size \p keybits bits.
* \param keybits The size of data passed. Valid options are:
* <ul><li>128 bits</li>
* <li>192 bits</li>
@@ -185,8 +197,10 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
* sets the encryption key.
*
* \param ctx The AES XTS context to which the key should be bound.
+ * It must be initialized.
* \param key The encryption key. This is comprised of the XTS key1
* concatenated with the XTS key2.
+ * This must be a readable buffer of size \p keybits bits.
* \param keybits The size of \p key passed in bits. Valid options are:
* <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
* <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
@@ -203,8 +217,10 @@ int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
* sets the decryption key.
*
* \param ctx The AES XTS context to which the key should be bound.
+ * It must be initialized.
* \param key The decryption key. This is comprised of the XTS key1
* concatenated with the XTS key2.
+ * This must be a readable buffer of size \p keybits bits.
* \param keybits The size of \p key passed in bits. Valid options are:
* <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
* <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
@@ -230,10 +246,13 @@ int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
* call to this API with the same context.
*
* \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
* \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
* #MBEDTLS_AES_DECRYPT.
- * \param input The 16-Byte buffer holding the input data.
- * \param output The 16-Byte buffer holding the output data.
+ * \param input The buffer holding the input data.
+ * It must be readable and at least \c 16 Bytes long.
+ * \param output The buffer where the output data will be written.
+ * It must be writeable and at least \c 16 Bytes long.
* \return \c 0 on success.
*/
@@ -256,8 +275,8 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
* mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
* before the first call to this API with the same context.
*
- * \note This function operates on aligned blocks, that is, the input size
- * must be a multiple of the AES block size of 16 Bytes.
+ * \note This function operates on full blocks, that is, the input size
+ * must be a multiple of the AES block size of \c 16 Bytes.
*
* \note Upon exit, the content of the IV is updated so that you can
* call the same function again on the next
@@ -268,13 +287,17 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
*
*
* \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
* \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
* #MBEDTLS_AES_DECRYPT.
* \param length The length of the input data in Bytes. This must be a
- * multiple of the block size (16 Bytes).
+ * multiple of the block size (\c 16 Bytes).
* \param iv Initialization vector (updated after use).
+ * It must be a readable and writeable buffer of \c 16 Bytes.
* \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
* \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
@@ -302,9 +325,10 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
* returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
*
* \param ctx The AES XTS context to use for AES XTS operations.
+ * It must be initialized and bound to a key.
* \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
* #MBEDTLS_AES_DECRYPT.
- * \param length The length of a data unit in bytes. This can be any
+ * \param length The length of a data unit in Bytes. This can be any
* length between 16 bytes and 2^24 bytes inclusive
* (between 1 and 2^20 block cipher blocks).
* \param data_unit The address of the data unit encoded as an array of 16
@@ -312,15 +336,15 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
* is typically the index of the block device sector that
* contains the data.
* \param input The buffer holding the input data (which is an entire
- * data unit). This function reads \p length bytes from \p
+ * data unit). This function reads \p length Bytes from \p
* input.
* \param output The buffer holding the output data (which is an entire
- * data unit). This function writes \p length bytes to \p
+ * data unit). This function writes \p length Bytes to \p
* output.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
- * smaller than an AES block in size (16 bytes) or if \p
+ * smaller than an AES block in size (16 Bytes) or if \p
* length is larger than 2^20 blocks (16 MiB).
*/
int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
@@ -356,13 +380,18 @@ int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
*
*
* \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
* \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
* #MBEDTLS_AES_DECRYPT.
- * \param length The length of the input data.
+ * \param length The length of the input data in Bytes.
* \param iv_off The offset in IV (updated after use).
+ * It must point to a valid \c size_t.
* \param iv The initialization vector (updated after use).
+ * It must be a readable and writeable buffer of \c 16 Bytes.
* \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
* \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
*
* \return \c 0 on success.
*/
@@ -397,12 +426,16 @@ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
*
*
* \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
* \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
* #MBEDTLS_AES_DECRYPT
* \param length The length of the input data.
* \param iv The initialization vector (updated after use).
+ * It must be a readable and writeable buffer of \c 16 Bytes.
* \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
* \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
*
* \return \c 0 on success.
*/
@@ -447,11 +480,16 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
* will compromise security.
*
* \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
* \param length The length of the input data.
* \param iv_off The offset in IV (updated after use).
+ * It must point to a valid \c size_t.
* \param iv The initialization vector (updated after use).
+ * It must be a readable and writeable buffer of \c 16 Bytes.
* \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
* \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
*
* \return \c 0 on success.
*/
@@ -523,15 +561,21 @@ int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
* securely discarded as soon as it's no longer needed.
*
* \param ctx The AES context to use for encryption or decryption.
+ * It must be initialized and bound to a key.
* \param length The length of the input data.
* \param nc_off The offset in the current \p stream_block, for
* resuming within the current cipher stream. The
* offset pointer should be 0 at the start of a stream.
+ * It must point to a valid \c size_t.
* \param nonce_counter The 128-bit nonce and counter.
+ * It must be a readable-writeable buffer of \c 16 Bytes.
* \param stream_block The saved stream block for resuming. This is
* overwritten by the function.
+ * It must be a readable-writeable buffer of \c 16 Bytes.
* \param input The buffer holding the input data.
+ * It must be readable and of size \p length Bytes.
* \param output The buffer holding the output data.
+ * It must be writeable and of size \p length Bytes.
*
* \return \c 0 on success.
*/
@@ -584,7 +628,7 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
* \brief Deprecated internal AES block encryption function
* without return value.
*
- * \deprecated Superseded by mbedtls_aes_encrypt_ext() in 2.5.0.
+ * \deprecated Superseded by mbedtls_internal_aes_encrypt()
*
* \param ctx The AES context to use for encryption.
* \param input Plaintext block.
@@ -598,7 +642,7 @@ MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
* \brief Deprecated internal AES block decryption function
* without return value.
*
- * \deprecated Superseded by mbedtls_aes_decrypt_ext() in 2.5.0.
+ * \deprecated Superseded by mbedtls_internal_aes_decrypt()
*
* \param ctx The AES context to use for decryption.
* \param input Ciphertext block.
diff --git a/thirdparty/mbedtls/include/mbedtls/aesni.h b/thirdparty/mbedtls/include/mbedtls/aesni.h
index 746baa0e17..0196f49b87 100644
--- a/thirdparty/mbedtls/include/mbedtls/aesni.h
+++ b/thirdparty/mbedtls/include/mbedtls/aesni.h
@@ -2,6 +2,9 @@
* \file aesni.h
*
* \brief AES-NI for hardware AES acceleration on some Intel processors
+ *
+ * \warning These functions are only for internal use by other library
+ * functions; you must not call them directly.
*/
/*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
@@ -42,7 +45,10 @@ extern "C" {
#endif
/**
- * \brief AES-NI features detection routine
+ * \brief Internal function to detect the AES-NI feature in CPUs.
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
*
* \param what The feature to detect
* (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
@@ -52,7 +58,10 @@ extern "C" {
int mbedtls_aesni_has_support( unsigned int what );
/**
- * \brief AES-NI AES-ECB block en(de)cryption
+ * \brief Internal AES-NI AES-ECB block encryption and decryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
*
* \param ctx AES context
* \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
@@ -62,12 +71,15 @@ int mbedtls_aesni_has_support( unsigned int what );
* \return 0 on success (cannot fail)
*/
int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16] );
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16] );
/**
- * \brief GCM multiplication: c = a * b in GF(2^128)
+ * \brief Internal GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
*
* \param c Result
* \param a First operand
@@ -77,21 +89,29 @@ int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
* elements of GF(2^128) as per the GCM spec.
*/
void mbedtls_aesni_gcm_mult( unsigned char c[16],
- const unsigned char a[16],
- const unsigned char b[16] );
+ const unsigned char a[16],
+ const unsigned char b[16] );
/**
- * \brief Compute decryption round keys from encryption round keys
+ * \brief Internal round key inversion. This function computes
+ * decryption round keys from the encryption round keys.
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
*
* \param invkey Round keys for the equivalent inverse cipher
* \param fwdkey Original round keys (for encryption)
* \param nr Number of rounds (that is, number of round keys minus one)
*/
void mbedtls_aesni_inverse_key( unsigned char *invkey,
- const unsigned char *fwdkey, int nr );
+ const unsigned char *fwdkey,
+ int nr );
/**
- * \brief Perform key expansion (for encryption)
+ * \brief Internal key expansion for encryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
*
* \param rk Destination buffer where the round keys are written
* \param key Encryption key
@@ -100,8 +120,8 @@ void mbedtls_aesni_inverse_key( unsigned char *invkey,
* \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
*/
int mbedtls_aesni_setkey_enc( unsigned char *rk,
- const unsigned char *key,
- size_t bits );
+ const unsigned char *key,
+ size_t bits );
#ifdef __cplusplus
}
diff --git a/thirdparty/mbedtls/include/mbedtls/arc4.h b/thirdparty/mbedtls/include/mbedtls/arc4.h
index f11fc5be0a..c43f4065f1 100644
--- a/thirdparty/mbedtls/include/mbedtls/arc4.h
+++ b/thirdparty/mbedtls/include/mbedtls/arc4.h
@@ -36,6 +36,7 @@
#include <stddef.h>
+/* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED -0x0019 /**< ARC4 hardware accelerator failed. */
#ifdef __cplusplus
@@ -53,7 +54,7 @@ extern "C" {
* security risk. We recommend considering stronger ciphers instead.
*
*/
-typedef struct
+typedef struct mbedtls_arc4_context
{
int x; /*!< permutation index */
int y; /*!< permutation index */
diff --git a/thirdparty/mbedtls/include/mbedtls/aria.h b/thirdparty/mbedtls/include/mbedtls/aria.h
index bae0621b23..1e8956ed13 100644
--- a/thirdparty/mbedtls/include/mbedtls/aria.h
+++ b/thirdparty/mbedtls/include/mbedtls/aria.h
@@ -39,6 +39,8 @@
#include <stddef.h>
#include <stdint.h>
+#include "platform_util.h"
+
#define MBEDTLS_ARIA_ENCRYPT 1 /**< ARIA encryption. */
#define MBEDTLS_ARIA_DECRYPT 0 /**< ARIA decryption. */
@@ -46,9 +48,18 @@
#define MBEDTLS_ARIA_MAX_ROUNDS 16 /**< Maxiumum number of rounds in ARIA. */
#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
-#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH -0x005C /**< Invalid key length. */
-#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x005C )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C /**< Bad input data. */
+
+#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
+ */
#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE -0x005A /**< Feature not available. For example, an unsupported ARIA key size. */
+
+/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED -0x0058 /**< ARIA hardware accelerator failed. */
#if !defined(MBEDTLS_ARIA_ALT)
@@ -62,7 +73,7 @@ extern "C" {
/**
* \brief The ARIA context-type definition.
*/
-typedef struct
+typedef struct mbedtls_aria_context
{
unsigned char nr; /*!< The number of rounds (12, 14 or 16) */
/*! The ARIA round keys. */
@@ -80,14 +91,16 @@ mbedtls_aria_context;
* It must be the first API called before using
* the context.
*
- * \param ctx The ARIA context to initialize.
+ * \param ctx The ARIA context to initialize. This must not be \c NULL.
*/
void mbedtls_aria_init( mbedtls_aria_context *ctx );
/**
* \brief This function releases and clears the specified ARIA context.
*
- * \param ctx The ARIA context to clear.
+ * \param ctx The ARIA context to clear. This may be \c NULL, in which
+ * case this function returns immediately. If it is not \c NULL,
+ * it must point to an initialized ARIA context.
*/
void mbedtls_aria_free( mbedtls_aria_context *ctx );
@@ -95,14 +108,16 @@ void mbedtls_aria_free( mbedtls_aria_context *ctx );
* \brief This function sets the encryption key.
*
* \param ctx The ARIA context to which the key should be bound.
- * \param key The encryption key.
- * \param keybits The size of data passed in bits. Valid options are:
+ * This must be initialized.
+ * \param key The encryption key. This must be a readable buffer
+ * of size \p keybits Bits.
+ * \param keybits The size of \p key in Bits. Valid options are:
* <ul><li>128 bits</li>
* <li>192 bits</li>
* <li>256 bits</li></ul>
*
- * \return \c 0 on success or #MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH
- * on failure.
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
const unsigned char *key,
@@ -112,13 +127,16 @@ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
* \brief This function sets the decryption key.
*
* \param ctx The ARIA context to which the key should be bound.
- * \param key The decryption key.
+ * This must be initialized.
+ * \param key The decryption key. This must be a readable buffer
+ * of size \p keybits Bits.
* \param keybits The size of data passed. Valid options are:
* <ul><li>128 bits</li>
* <li>192 bits</li>
* <li>256 bits</li></ul>
*
- * \return \c 0 on success, or #MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH on failure.
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
const unsigned char *key,
@@ -137,10 +155,12 @@ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
* call to this API with the same context.
*
* \param ctx The ARIA context to use for encryption or decryption.
+ * This must be initialized and bound to a key.
* \param input The 16-Byte buffer holding the input data.
* \param output The 16-Byte buffer holding the output data.
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
@@ -172,16 +192,21 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
*
*
* \param ctx The ARIA context to use for encryption or decryption.
- * \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or
- * #MBEDTLS_ARIA_DECRYPT.
+ * This must be initialized and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ * #MBEDTLS_ARIA_DECRYPT for decryption.
* \param length The length of the input data in Bytes. This must be a
* multiple of the block size (16 Bytes).
* \param iv Initialization vector (updated after use).
- * \param input The buffer holding the input data.
- * \param output The buffer holding the output data.
+ * This must be a readable buffer of size 16 Bytes.
+ * \param input The buffer holding the input data. This must
+ * be a readable buffer of length \p length Bytes.
+ * \param output The buffer holding the output data. This must
+ * be a writable buffer of length \p length Bytes.
*
- * \return \c 0 on success, or #MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
- * on failure.
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
int mode,
@@ -216,15 +241,22 @@ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
*
*
* \param ctx The ARIA context to use for encryption or decryption.
- * \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or
- * #MBEDTLS_ARIA_DECRYPT.
- * \param length The length of the input data.
+ * This must be initialized and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ * #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length The length of the input data \p input in Bytes.
* \param iv_off The offset in IV (updated after use).
+ * This must not be larger than 15.
* \param iv The initialization vector (updated after use).
- * \param input The buffer holding the input data.
- * \param output The buffer holding the output data.
+ * This must be a readable buffer of size 16 Bytes.
+ * \param input The buffer holding the input data. This must
+ * be a readable buffer of length \p length Bytes.
+ * \param output The buffer holding the output data. This must
+ * be a writable buffer of length \p length Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
int mode,
@@ -294,17 +326,24 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
* securely discarded as soon as it's no longer needed.
*
* \param ctx The ARIA context to use for encryption or decryption.
- * \param length The length of the input data.
- * \param nc_off The offset in the current \p stream_block, for
- * resuming within the current cipher stream. The
- * offset pointer should be 0 at the start of a stream.
- * \param nonce_counter The 128-bit nonce and counter.
- * \param stream_block The saved stream block for resuming. This is
- * overwritten by the function.
- * \param input The buffer holding the input data.
- * \param output The buffer holding the output data.
- *
- * \return \c 0 on success.
+ * This must be initialized and bound to a key.
+ * \param length The length of the input data \p input in Bytes.
+ * \param nc_off The offset in Bytes in the current \p stream_block,
+ * for resuming within the current cipher stream. The
+ * offset pointer should be \c 0 at the start of a
+ * stream. This must not be larger than \c 15 Bytes.
+ * \param nonce_counter The 128-bit nonce and counter. This must point to
+ * a read/write buffer of length \c 16 bytes.
+ * \param stream_block The saved stream block for resuming. This must
+ * point to a read/write buffer of length \c 16 bytes.
+ * This is overwritten by the function.
+ * \param input The buffer holding the input data. This must
+ * be a readable buffer of length \p length Bytes.
+ * \param output The buffer holding the output data. This must
+ * be a writable buffer of length \p length Bytes.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
size_t length,
diff --git a/thirdparty/mbedtls/include/mbedtls/asn1write.h b/thirdparty/mbedtls/include/mbedtls/asn1write.h
index f76fc807d0..76c1780b59 100644
--- a/thirdparty/mbedtls/include/mbedtls/asn1write.h
+++ b/thirdparty/mbedtls/include/mbedtls/asn1write.h
@@ -26,191 +26,272 @@
#include "asn1.h"
-#define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else \
- g += ret; } while( 0 )
+#define MBEDTLS_ASN1_CHK_ADD(g, f) \
+ do { \
+ if( ( ret = f ) < 0 ) \
+ return( ret ); \
+ else \
+ g += ret; \
+ } while( 0 )
#ifdef __cplusplus
extern "C" {
#endif
/**
- * \brief Write a length field in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write a length field in ASN.1 format.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param len the length to write
+ * \note This function works backwards in data buffer.
*
- * \return the length written or a negative error code
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param len The length value to write.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
-int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len );
-
+int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start,
+ size_t len );
/**
- * \brief Write a ASN.1 tag in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write an ASN.1 tag in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param tag the tag to write
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param tag The tag to write.
*
- * \return the length written or a negative error code
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start,
- unsigned char tag );
+ unsigned char tag );
/**
- * \brief Write raw buffer data
- * Note: function works backwards in data buffer
+ * \brief Write raw buffer data.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param buf data buffer to write
- * \param size length of the data buffer
+ * \note This function works backwards in data buffer.
*
- * \return the length written or a negative error code
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param buf The data buffer to write.
+ * \param size The length of the data buffer.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
- const unsigned char *buf, size_t size );
+ const unsigned char *buf, size_t size );
#if defined(MBEDTLS_BIGNUM_C)
/**
- * \brief Write a big number (MBEDTLS_ASN1_INTEGER) in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write a arbitrary-precision number (#MBEDTLS_ASN1_INTEGER)
+ * in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param X the MPI to write
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param X The MPI to write.
*
- * \return the length written or a negative error code
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
-int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedtls_mpi *X );
+int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start,
+ const mbedtls_mpi *X );
#endif /* MBEDTLS_BIGNUM_C */
/**
- * \brief Write a NULL tag (MBEDTLS_ASN1_NULL) with zero data in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write a NULL tag (#MBEDTLS_ASN1_NULL) with zero data
+ * in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
*
- * \return the length written or a negative error code
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
int mbedtls_asn1_write_null( unsigned char **p, unsigned char *start );
/**
- * \brief Write an OID tag (MBEDTLS_ASN1_OID) and data in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write an OID tag (#MBEDTLS_ASN1_OID) and data
+ * in ASN.1 format.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param oid the OID to write
- * \param oid_len length of the OID
+ * \note This function works backwards in data buffer.
*
- * \return the length written or a negative error code
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param oid The OID to write.
+ * \param oid_len The length of the OID.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
int mbedtls_asn1_write_oid( unsigned char **p, unsigned char *start,
- const char *oid, size_t oid_len );
+ const char *oid, size_t oid_len );
/**
- * \brief Write an AlgorithmIdentifier sequence in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write an AlgorithmIdentifier sequence in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param oid the OID of the algorithm
- * \param oid_len length of the OID
- * \param par_len length of parameters, which must be already written.
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param oid The OID of the algorithm to write.
+ * \param oid_len The length of the algorithm's OID.
+ * \param par_len The length of the parameters, which must be already written.
* If 0, NULL parameters are added
*
- * \return the length written or a negative error code
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
-int mbedtls_asn1_write_algorithm_identifier( unsigned char **p, unsigned char *start,
- const char *oid, size_t oid_len,
- size_t par_len );
+int mbedtls_asn1_write_algorithm_identifier( unsigned char **p,
+ unsigned char *start,
+ const char *oid, size_t oid_len,
+ size_t par_len );
/**
- * \brief Write a boolean tag (MBEDTLS_ASN1_BOOLEAN) and value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value
+ * in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param boolean 0 or 1
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param boolean The boolean value to write, either \c 0 or \c 1.
*
- * \return the length written or a negative error code
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
-int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start, int boolean );
+int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start,
+ int boolean );
/**
- * \brief Write an int tag (MBEDTLS_ASN1_INTEGER) and value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write an int tag (#MBEDTLS_ASN1_INTEGER) and value
+ * in ASN.1 format.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param val the integer value
+ * \note This function works backwards in data buffer.
*
- * \return the length written or a negative error code
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param val The integer value to write.
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val );
/**
- * \brief Write a printable string tag (MBEDTLS_ASN1_PRINTABLE_STRING) and
- * value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write a string in ASN.1 format using a specific
+ * string encoding tag.
+
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param tag The string encoding tag to write, e.g.
+ * #MBEDTLS_ASN1_UTF8_STRING.
+ * \param text The string to write.
+ * \param text_len The length of \p text in bytes (which might
+ * be strictly larger than the number of characters).
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_asn1_write_tagged_string( unsigned char **p, unsigned char *start,
+ int tag, const char *text,
+ size_t text_len );
+
+/**
+ * \brief Write a string in ASN.1 format using the PrintableString
+ * string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *
+ * \note This function works backwards in data buffer.
+ *
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param text The string to write.
+ * \param text_len The length of \p text in bytes (which might
+ * be strictly larger than the number of characters).
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
+ */
+int mbedtls_asn1_write_printable_string( unsigned char **p,
+ unsigned char *start,
+ const char *text, size_t text_len );
+
+/**
+ * \brief Write a UTF8 string in ASN.1 format using the UTF8String
+ * string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *
+ * \note This function works backwards in data buffer.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param text the text to write
- * \param text_len length of the text
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param text The string to write.
+ * \param text_len The length of \p text in bytes (which might
+ * be strictly larger than the number of characters).
*
- * \return the length written or a negative error code
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
*/
-int mbedtls_asn1_write_printable_string( unsigned char **p, unsigned char *start,
- const char *text, size_t text_len );
+int mbedtls_asn1_write_utf8_string( unsigned char **p, unsigned char *start,
+ const char *text, size_t text_len );
/**
- * \brief Write an IA5 string tag (MBEDTLS_ASN1_IA5_STRING) and
- * value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write a string in ASN.1 format using the IA5String
+ * string encoding tag (#MBEDTLS_ASN1_IA5_STRING).
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param text the text to write
- * \param text_len length of the text
+ * \note This function works backwards in data buffer.
*
- * \return the length written or a negative error code
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param text The string to write.
+ * \param text_len The length of \p text in bytes (which might
+ * be strictly larger than the number of characters).
+ *
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
*/
int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
- const char *text, size_t text_len );
+ const char *text, size_t text_len );
/**
- * \brief Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and
- * value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ * value in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param buf the bitstring
- * \param bits the total number of bits in the bitstring
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param buf The bitstring to write.
+ * \param bits The total number of bits in the bitstring.
*
- * \return the length written or a negative error code
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
*/
int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
- const unsigned char *buf, size_t bits );
+ const unsigned char *buf, size_t bits );
/**
- * \brief Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and
- * value in ASN.1 format
- * Note: function works backwards in data buffer
+ * \brief Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ * and value in ASN.1 format.
+ *
+ * \note This function works backwards in data buffer.
*
- * \param p reference to current position pointer
- * \param start start of the buffer (for bounds-checking)
- * \param buf data buffer to write
- * \param size length of the data buffer
+ * \param p The reference to the current position pointer.
+ * \param start The start of the buffer, for bounds-checking.
+ * \param buf The buffer holding the data to write.
+ * \param size The length of the data buffer \p buf.
*
- * \return the length written or a negative error code
+ * \return The number of bytes written to \p p on success.
+ * \return A negative error code on failure.
*/
int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
- const unsigned char *buf, size_t size );
+ const unsigned char *buf, size_t size );
/**
* \brief Create or find a specific named_data entry for writing in a
@@ -218,15 +299,16 @@ int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
* a new entry is added to the head of the list.
* Warning: Destructive behaviour for the val data!
*
- * \param list Pointer to the location of the head of the list to seek
- * through (will be updated in case of a new entry)
- * \param oid The OID to look for
- * \param oid_len Size of the OID
- * \param val Data to store (can be NULL if you want to fill it by hand)
- * \param val_len Minimum length of the data buffer needed
+ * \param list The pointer to the location of the head of the list to seek
+ * through (will be updated in case of a new entry).
+ * \param oid The OID to look for.
+ * \param oid_len The size of the OID.
+ * \param val The data to store (can be \c NULL if you want to fill
+ * it by hand).
+ * \param val_len The minimum length of the data buffer needed.
*
- * \return NULL if if there was a memory allocation error, or a pointer
- * to the new / existing entry.
+ * \return A pointer to the new / existing entry on success.
+ * \return \c NULL if if there was a memory allocation error.
*/
mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data **list,
const char *oid, size_t oid_len,
diff --git a/thirdparty/mbedtls/include/mbedtls/bignum.h b/thirdparty/mbedtls/include/mbedtls/bignum.h
index 31383b1eb5..141a8e9adf 100644
--- a/thirdparty/mbedtls/include/mbedtls/bignum.h
+++ b/thirdparty/mbedtls/include/mbedtls/bignum.h
@@ -177,7 +177,7 @@ extern "C" {
/**
* \brief MPI structure
*/
-typedef struct
+typedef struct mbedtls_mpi
{
int s; /*!< integer sign */
size_t n; /*!< total # of limbs */
@@ -186,96 +186,115 @@ typedef struct
mbedtls_mpi;
/**
- * \brief Initialize one MPI (make internal references valid)
- * This just makes it ready to be set or freed,
+ * \brief Initialize an MPI context.
+ *
+ * This makes the MPI ready to be set or freed,
* but does not define a value for the MPI.
*
- * \param X One MPI to initialize.
+ * \param X The MPI context to initialize. This must not be \c NULL.
*/
void mbedtls_mpi_init( mbedtls_mpi *X );
/**
- * \brief Unallocate one MPI
+ * \brief This function frees the components of an MPI context.
*
- * \param X One MPI to unallocate.
+ * \param X The MPI context to be cleared. This may be \c NULL,
+ * in which case this function is a no-op. If it is
+ * not \c NULL, it must point to an initialized MPI.
*/
void mbedtls_mpi_free( mbedtls_mpi *X );
/**
- * \brief Enlarge to the specified number of limbs
+ * \brief Enlarge an MPI to the specified number of limbs.
*
- * This function does nothing if the MPI is already large enough.
+ * \note This function does nothing if the MPI is
+ * already large enough.
*
- * \param X MPI to grow
- * \param nblimbs The target number of limbs
+ * \param X The MPI to grow. It must be initialized.
+ * \param nblimbs The target number of limbs.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs );
/**
- * \brief Resize down, keeping at least the specified number of limbs
+ * \brief This function resizes an MPI downwards, keeping at least the
+ * specified number of limbs.
*
* If \c X is smaller than \c nblimbs, it is resized up
* instead.
*
- * \param X MPI to shrink
- * \param nblimbs The minimum number of limbs to keep
+ * \param X The MPI to shrink. This must point to an initialized MPI.
+ * \param nblimbs The minimum number of limbs to keep.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
* (this can only happen when resizing up).
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs );
/**
- * \brief Copy the contents of Y into X
+ * \brief Make a copy of an MPI.
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param Y The source MPI. This must point to an initialized MPI.
*
- * \param X Destination MPI. It is enlarged if necessary.
- * \param Y Source MPI.
+ * \note The limb-buffer in the destination MPI is enlarged
+ * if necessary to hold the value in the source MPI.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y );
/**
- * \brief Swap the contents of X and Y
+ * \brief Swap the contents of two MPIs.
*
- * \param X First MPI value
- * \param Y Second MPI value
+ * \param X The first MPI. It must be initialized.
+ * \param Y The second MPI. It must be initialized.
*/
void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y );
/**
- * \brief Safe conditional assignement X = Y if assign is 1
+ * \brief Perform a safe conditional copy of MPI which doesn't
+ * reveal whether the condition was true or not.
*
- * \param X MPI to conditionally assign to
- * \param Y Value to be assigned
- * \param assign 1: perform the assignment, 0: keep X's original value
- *
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ * \param X The MPI to conditionally assign to. This must point
+ * to an initialized MPI.
+ * \param Y The MPI to be assigned from. This must point to an
+ * initialized MPI.
+ * \param assign The condition deciding whether to perform the
+ * assignment or not. Possible values:
+ * * \c 1: Perform the assignment `X = Y`.
+ * * \c 0: Keep the original value of \p X.
*
* \note This function is equivalent to
- * if( assign ) mbedtls_mpi_copy( X, Y );
+ * `if( assign ) mbedtls_mpi_copy( X, Y );`
* except that it avoids leaking any information about whether
* the assignment was done or not (the above code may leak
* information through branch prediction and/or memory access
* patterns analysis).
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign );
/**
- * \brief Safe conditional swap X <-> Y if swap is 1
+ * \brief Perform a safe conditional swap which doesn't
+ * reveal whether the condition was true or not.
*
- * \param X First mbedtls_mpi value
- * \param Y Second mbedtls_mpi value
- * \param assign 1: perform the swap, 0: keep X and Y's original values
- *
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ * \param X The first MPI. This must be initialized.
+ * \param Y The second MPI. This must be initialized.
+ * \param assign The condition deciding whether to perform
+ * the swap or not. Possible values:
+ * * \c 1: Swap the values of \p X and \p Y.
+ * * \c 0: Keep the original values of \p X and \p Y.
*
* \note This function is equivalent to
* if( assign ) mbedtls_mpi_swap( X, Y );
@@ -283,415 +302,512 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
* the assignment was done or not (the above code may leak
* information through branch prediction and/or memory access
* patterns analysis).
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
+ *
*/
int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char assign );
/**
- * \brief Set value from integer
+ * \brief Store integer value in MPI.
*
- * \param X MPI to set
- * \param z Value to use
+ * \param X The MPI to set. This must be initialized.
+ * \param z The value to use.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z );
/**
- * \brief Get a specific bit from X
+ * \brief Get a specific bit from an MPI.
*
- * \param X MPI to use
- * \param pos Zero-based index of the bit in X
+ * \param X The MPI to query. This must be initialized.
+ * \param pos Zero-based index of the bit to query.
*
- * \return Either a 0 or a 1
+ * \return \c 0 or \c 1 on success, depending on whether bit \c pos
+ * of \c X is unset or set.
+ * \return A negative error code on failure.
*/
int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos );
/**
- * \brief Set a bit of X to a specific value of 0 or 1
+ * \brief Modify a specific bit in an MPI.
*
- * \note Will grow X if necessary to set a bit to 1 in a not yet
- * existing limb. Will not grow if bit should be set to 0
+ * \note This function will grow the target MPI if necessary to set a
+ * bit to \c 1 in a not yet existing limb. It will not grow if
+ * the bit should be set to \c 0.
*
- * \param X MPI to use
- * \param pos Zero-based index of the bit in X
- * \param val The value to set the bit to (0 or 1)
+ * \param X The MPI to modify. This must be initialized.
+ * \param pos Zero-based index of the bit to modify.
+ * \param val The desired value of bit \c pos: \c 0 or \c 1.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_BAD_INPUT_DATA if val is not 0 or 1
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val );
/**
- * \brief Return the number of zero-bits before the least significant
- * '1' bit
+ * \brief Return the number of bits of value \c 0 before the
+ * least significant bit of value \c 1.
+ *
+ * \note This is the same as the zero-based index of
+ * the least significant bit of value \c 1.
*
- * Note: Thus also the zero-based index of the least significant '1' bit
+ * \param X The MPI to query.
*
- * \param X MPI to use
+ * \return The number of bits of value \c 0 before the least significant
+ * bit of value \c 1 in \p X.
*/
size_t mbedtls_mpi_lsb( const mbedtls_mpi *X );
/**
* \brief Return the number of bits up to and including the most
- * significant '1' bit'
+ * significant bit of value \c 1.
*
- * Note: Thus also the one-based index of the most significant '1' bit
+ * * \note This is same as the one-based index of the most
+ * significant bit of value \c 1.
*
- * \param X MPI to use
+ * \param X The MPI to query. This must point to an initialized MPI.
+ *
+ * \return The number of bits up to and including the most
+ * significant bit of value \c 1.
*/
size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X );
/**
- * \brief Return the total size in bytes
+ * \brief Return the total size of an MPI value in bytes.
+ *
+ * \param X The MPI to use. This must point to an initialized MPI.
*
- * \param X MPI to use
+ * \note The value returned by this function may be less than
+ * the number of bytes used to store \p X internally.
+ * This happens if and only if there are trailing bytes
+ * of value zero.
+ *
+ * \return The least number of bytes capable of storing
+ * the absolute value of \p X.
*/
size_t mbedtls_mpi_size( const mbedtls_mpi *X );
/**
- * \brief Import from an ASCII string
+ * \brief Import an MPI from an ASCII string.
*
- * \param X Destination MPI
- * \param radix Input numeric base
- * \param s Null-terminated string buffer
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param radix The numeric base of the input string.
+ * \param s Null-terminated string buffer.
*
- * \return 0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s );
/**
- * \brief Export into an ASCII string
+ * \brief Export an MPI to an ASCII string.
*
- * \param X Source MPI
- * \param radix Output numeric base
- * \param buf Buffer to write the string to
- * \param buflen Length of buf
- * \param olen Length of the string written, including final NUL byte
+ * \param X The source MPI. This must point to an initialized MPI.
+ * \param radix The numeric base of the output string.
+ * \param buf The buffer to write the string to. This must be writable
+ * buffer of length \p buflen Bytes.
+ * \param buflen The available size in Bytes of \p buf.
+ * \param olen The address at which to store the length of the string
+ * written, including the final \c NULL byte. This must
+ * not be \c NULL.
*
- * \return 0 if successful, or a MBEDTLS_ERR_MPI_XXX error code.
- * *olen is always updated to reflect the amount
- * of data that has (or would have) been written.
+ * \note You can call this function with `buflen == 0` to obtain the
+ * minimum required buffer size in `*olen`.
*
- * \note Call this function with buflen = 0 to obtain the
- * minimum required buffer size in *olen.
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the target buffer \p buf
+ * is too small to hold the value of \p X in the desired base.
+ * In this case, `*olen` is nonetheless updated to contain the
+ * size of \p buf required for a successful call.
+ * \return Another negative error code on different kinds of failure.
*/
int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
char *buf, size_t buflen, size_t *olen );
#if defined(MBEDTLS_FS_IO)
/**
- * \brief Read MPI from a line in an opened file
- *
- * \param X Destination MPI
- * \param radix Input numeric base
- * \param fin Input file handle
+ * \brief Read an MPI from a line in an opened file.
*
- * \return 0 if successful, MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if
- * the file read buffer is too small or a
- * MBEDTLS_ERR_MPI_XXX error code
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param radix The numeric base of the string representation used
+ * in the source line.
+ * \param fin The input file handle to use. This must not be \c NULL.
*
* \note On success, this function advances the file stream
* to the end of the current line or to EOF.
*
- * The function returns 0 on an empty line.
+ * The function returns \c 0 on an empty line.
*
* Leading whitespaces are ignored, as is a
- * '0x' prefix for radix 16.
+ * '0x' prefix for radix \c 16.
*
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the file read buffer
+ * is too small.
+ * \return Another negative error code on failure.
*/
int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin );
/**
- * \brief Write X into an opened file, or stdout if fout is NULL
+ * \brief Export an MPI into an opened file.
*
- * \param p Prefix, can be NULL
- * \param X Source MPI
- * \param radix Output numeric base
- * \param fout Output file handle (can be NULL)
+ * \param p A string prefix to emit prior to the MPI data.
+ * For example, this might be a label, or "0x" when
+ * printing in base \c 16. This may be \c NULL if no prefix
+ * is needed.
+ * \param X The source MPI. This must point to an initialized MPI.
+ * \param radix The numeric base to be used in the emitted string.
+ * \param fout The output file handle. This may be \c NULL, in which case
+ * the output is written to \c stdout.
*
- * \return 0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
- *
- * \note Set fout == NULL to print X on the console.
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
-int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout );
+int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X,
+ int radix, FILE *fout );
#endif /* MBEDTLS_FS_IO */
/**
- * \brief Import X from unsigned binary data, big endian
+ * \brief Import an MPI from unsigned big endian binary data.
*
- * \param X Destination MPI
- * \param buf Input buffer
- * \param buflen Input buffer size
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param buf The input buffer. This must be a readable buffer of length
+ * \p buflen Bytes.
+ * \param buflen The length of the input buffer \p p in Bytes.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen );
+int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf,
+ size_t buflen );
/**
- * \brief Export X into unsigned binary data, big endian.
- * Always fills the whole buffer, which will start with zeros
- * if the number is smaller.
+ * \brief Export an MPI into unsigned big endian binary data
+ * of fixed size.
*
- * \param X Source MPI
- * \param buf Output buffer
- * \param buflen Output buffer size
+ * \param X The source MPI. This must point to an initialized MPI.
+ * \param buf The output buffer. This must be a writable buffer of length
+ * \p buflen Bytes.
+ * \param buflen The size of the output buffer \p buf in Bytes.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if buf isn't large enough
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ * large enough to hold the value of \p X.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf, size_t buflen );
+int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf,
+ size_t buflen );
/**
- * \brief Left-shift: X <<= count
+ * \brief Perform a left-shift on an MPI: X <<= count
*
- * \param X MPI to shift
- * \param count Amount to shift
+ * \param X The MPI to shift. This must point to an initialized MPI.
+ * \param count The number of bits to shift by.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*/
int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count );
/**
- * \brief Right-shift: X >>= count
+ * \brief Perform a right-shift on an MPI: X >>= count
*
- * \param X MPI to shift
- * \param count Amount to shift
+ * \param X The MPI to shift. This must point to an initialized MPI.
+ * \param count The number of bits to shift by.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*/
int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count );
/**
- * \brief Compare unsigned values
+ * \brief Compare the absolute values of two MPIs.
*
- * \param X Left-hand MPI
- * \param Y Right-hand MPI
+ * \param X The left-hand MPI. This must point to an initialized MPI.
+ * \param Y The right-hand MPI. This must point to an initialized MPI.
*
- * \return 1 if |X| is greater than |Y|,
- * -1 if |X| is lesser than |Y| or
- * 0 if |X| is equal to |Y|
+ * \return \c 1 if `|X|` is greater than `|Y|`.
+ * \return \c -1 if `|X|` is lesser than `|Y|`.
+ * \return \c 0 if `|X|` is equal to `|Y|`.
*/
int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y );
/**
- * \brief Compare signed values
+ * \brief Compare two MPIs.
*
- * \param X Left-hand MPI
- * \param Y Right-hand MPI
+ * \param X The left-hand MPI. This must point to an initialized MPI.
+ * \param Y The right-hand MPI. This must point to an initialized MPI.
*
- * \return 1 if X is greater than Y,
- * -1 if X is lesser than Y or
- * 0 if X is equal to Y
+ * \return \c 1 if \p X is greater than \p Y.
+ * \return \c -1 if \p X is lesser than \p Y.
+ * \return \c 0 if \p X is equal to \p Y.
*/
int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y );
/**
- * \brief Compare signed values
+ * \brief Compare an MPI with an integer.
*
- * \param X Left-hand MPI
- * \param z The integer value to compare to
+ * \param X The left-hand MPI. This must point to an initialized MPI.
+ * \param z The integer value to compare \p X to.
*
- * \return 1 if X is greater than z,
- * -1 if X is lesser than z or
- * 0 if X is equal to z
+ * \return \c 1 if \p X is greater than \p z.
+ * \return \c -1 if \p X is lesser than \p z.
+ * \return \c 0 if \p X is equal to \p z.
*/
int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z );
/**
- * \brief Unsigned addition: X = |A| + |B|
+ * \brief Perform an unsigned addition of MPIs: X = |A| + |B|
*
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param B Right-hand MPI
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first summand. This must point to an initialized MPI.
+ * \param B The second summand. This must point to an initialized MPI.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B );
/**
- * \brief Unsigned subtraction: X = |A| - |B|
+ * \brief Perform an unsigned subtraction of MPIs: X = |A| - |B|
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The minuend. This must point to an initialized MPI.
+ * \param B The subtrahend. This must point to an initialized MPI.
*
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param B Right-hand MPI
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is greater than \p A.
+ * \return Another negative error code on different kinds of failure.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_NEGATIVE_VALUE if B is greater than A
*/
-int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B );
/**
- * \brief Signed addition: X = A + B
+ * \brief Perform a signed addition of MPIs: X = A + B
*
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param B Right-hand MPI
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first summand. This must point to an initialized MPI.
+ * \param B The second summand. This must point to an initialized MPI.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B );
/**
- * \brief Signed subtraction: X = A - B
+ * \brief Perform a signed subtraction of MPIs: X = A - B
*
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param B Right-hand MPI
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The minuend. This must point to an initialized MPI.
+ * \param B The subtrahend. This must point to an initialized MPI.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B );
/**
- * \brief Signed addition: X = A + b
+ * \brief Perform a signed addition of an MPI and an integer: X = A + b
*
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param b The integer value to add
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first summand. This must point to an initialized MPI.
+ * \param b The second summand.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+ mbedtls_mpi_sint b );
/**
- * \brief Signed subtraction: X = A - b
+ * \brief Perform a signed subtraction of an MPI and an integer:
+ * X = A - b
*
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param b The integer value to subtract
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The minuend. This must point to an initialized MPI.
+ * \param b The subtrahend.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+ mbedtls_mpi_sint b );
/**
- * \brief Baseline multiplication: X = A * B
+ * \brief Perform a multiplication of two MPIs: X = A * B
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first factor. This must point to an initialized MPI.
+ * \param B The second factor. This must point to an initialized MPI.
*
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param B Right-hand MPI
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
*/
-int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *B );
/**
- * \brief Baseline multiplication: X = A * b
+ * \brief Perform a multiplication of an MPI with an unsigned integer:
+ * X = A * b
*
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param b The unsigned integer value to multiply with
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The first factor. This must point to an initialized MPI.
+ * \param b The second factor.
*
- * \note b is unsigned
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
*/
-int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b );
+int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+ mbedtls_mpi_uint b );
/**
- * \brief Division by mbedtls_mpi: A = Q * B + R
+ * \brief Perform a division with remainder of two MPIs:
+ * A = Q * B + R
*
- * \param Q Destination MPI for the quotient
- * \param R Destination MPI for the rest value
- * \param A Left-hand MPI
- * \param B Right-hand MPI
+ * \param Q The destination MPI for the quotient.
+ * This may be \c NULL if the value of the
+ * quotient is not needed.
+ * \param R The destination MPI for the remainder value.
+ * This may be \c NULL if the value of the
+ * remainder is not needed.
+ * \param A The dividend. This must point to an initialized MPi.
+ * \param B The divisor. This must point to an initialized MPI.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if B == 0
- *
- * \note Either Q or R can be NULL.
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+ const mbedtls_mpi *B );
/**
- * \brief Division by int: A = Q * b + R
- *
- * \param Q Destination MPI for the quotient
- * \param R Destination MPI for the rest value
- * \param A Left-hand MPI
- * \param b Integer to divide by
+ * \brief Perform a division with remainder of an MPI by an integer:
+ * A = Q * b + R
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if b == 0
+ * \param Q The destination MPI for the quotient.
+ * This may be \c NULL if the value of the
+ * quotient is not needed.
+ * \param R The destination MPI for the remainder value.
+ * This may be \c NULL if the value of the
+ * remainder is not needed.
+ * \param A The dividend. This must point to an initialized MPi.
+ * \param b The divisor.
*
- * \note Either Q or R can be NULL.
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+ mbedtls_mpi_sint b );
/**
- * \brief Modulo: R = A mod B
+ * \brief Perform a modular reduction. R = A mod B
*
- * \param R Destination MPI for the rest value
- * \param A Left-hand MPI
- * \param B Right-hand MPI
+ * \param R The destination MPI for the residue value.
+ * This must point to an initialized MPI.
+ * \param A The MPI to compute the residue of.
+ * This must point to an initialized MPI.
+ * \param B The base of the modular reduction.
+ * This must point to an initialized MPI.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is negative.
+ * \return Another negative error code on different kinds of failure.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if B == 0,
- * MBEDTLS_ERR_MPI_NEGATIVE_VALUE if B < 0
*/
-int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A,
+ const mbedtls_mpi *B );
/**
- * \brief Modulo: r = A mod b
+ * \brief Perform a modular reduction with respect to an integer.
+ * r = A mod b
*
- * \param r Destination mbedtls_mpi_uint
- * \param A Left-hand MPI
- * \param b Integer to divide by
+ * \param r The address at which to store the residue.
+ * This must not be \c NULL.
+ * \param A The MPI to compute the residue of.
+ * This must point to an initialized MPi.
+ * \param b The integer base of the modular reduction.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if b == 0,
- * MBEDTLS_ERR_MPI_NEGATIVE_VALUE if b < 0
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p b is negative.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A,
+ mbedtls_mpi_sint b );
/**
- * \brief Sliding-window exponentiation: X = A^E mod N
- *
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param E Exponent MPI
- * \param N Modular MPI
- * \param _RR Speed-up MPI used for recalculations
+ * \brief Perform a sliding-window exponentiation: X = A^E mod N
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is negative or even or
- * if E is negative
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The base of the exponentiation.
+ * This must point to an initialized MPI.
+ * \param E The exponent MPI. This must point to an initialized MPI.
+ * \param N The base for the modular reduction. This must point to an
+ * initialized MPI.
+ * \param _RR A helper MPI depending solely on \p N which can be used to
+ * speed-up multiple modular exponentiations for the same value
+ * of \p N. This may be \c NULL. If it is not \c NULL, it must
+ * point to an initialized MPI. If it hasn't been used after
+ * the call to mbedtls_mpi_init(), this function will compute
+ * the helper value and store it in \p _RR for reuse on
+ * subsequent calls to this function. Otherwise, the function
+ * will assume that \p _RR holds the helper value set by a
+ * previous call to mbedtls_mpi_exp_mod(), and reuse it.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
+ * even, or if \c E is negative.
+ * \return Another negative error code on different kinds of failures.
*
- * \note _RR is used to avoid re-computing R*R mod N across
- * multiple calls, which speeds up things a bit. It can
- * be set to NULL if the extra performance is unneeded.
*/
-int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR );
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *E, const mbedtls_mpi *N,
+ mbedtls_mpi *_RR );
/**
- * \brief Fill an MPI X with size bytes of random
+ * \brief Fill an MPI with a number of random bytes.
*
- * \param X Destination MPI
- * \param size Size in bytes
- * \param f_rng RNG function
- * \param p_rng RNG parameter
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param size The number of random bytes to generate.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context argument.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on failure.
*
- * \note The bytes obtained from the PRNG are interpreted
+ * \note The bytes obtained from the RNG are interpreted
* as a big-endian representation of an MPI; this can
* be relevant in applications like deterministic ECDSA.
*/
@@ -700,61 +816,130 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
void *p_rng );
/**
- * \brief Greatest common divisor: G = gcd(A, B)
- *
- * \param G Destination MPI
- * \param A Left-hand MPI
- * \param B Right-hand MPI
- *
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
- */
-int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B );
-
-/**
- * \brief Modular inverse: X = A^-1 mod N
+ * \brief Compute the greatest common divisor: G = gcd(A, B)
*
- * \param X Destination MPI
- * \param A Left-hand MPI
- * \param N Right-hand MPI
+ * \param G The destination MPI. This must point to an initialized MPI.
+ * \param A The first operand. This must point to an initialized MPI.
+ * \param B The second operand. This must point to an initialized MPI.
*
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is <= 1,
- MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A has no inverse mod N.
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return Another negative error code on different kinds of failure.
*/
-int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N );
+int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A,
+ const mbedtls_mpi *B );
/**
- * \brief Miller-Rabin primality test
+ * \brief Compute the modular inverse: X = A^-1 mod N
*
- * \param X MPI to check
- * \param f_rng RNG function
- * \param p_rng RNG parameter
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param A The MPI to calculate the modular inverse of. This must point
+ * to an initialized MPI.
+ * \param N The base of the modular inversion. This must point to an
+ * initialized MPI.
*
- * \return 0 if successful (probably prime),
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if X is not prime
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than
+ * or equal to one.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse
+ * with respect to \p N.
*/
-int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng );
+int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+ const mbedtls_mpi *N );
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
/**
- * \brief Prime number generation
- *
- * \param X Destination MPI
- * \param nbits Required size of X in bits
- * ( 3 <= nbits <= MBEDTLS_MPI_MAX_BITS )
- * \param dh_flag If 1, then (X-1)/2 will be prime too
- * \param f_rng RNG function
- * \param p_rng RNG parameter
- *
- * \return 0 if successful (probably prime),
- * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- * MBEDTLS_ERR_MPI_BAD_INPUT_DATA if nbits is < 3
- */
-int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
+ * \brief Perform a Miller-Rabin primality test with error
+ * probability of 2<sup>-80</sup>.
+ *
+ * \deprecated Superseded by mbedtls_mpi_is_prime_ext() which allows
+ * specifying the number of Miller-Rabin rounds.
+ *
+ * \param X The MPI to check for primality.
+ * This must point to an initialized MPI.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ * This may be \c NULL if \p f_rng doesn't use a
+ * context parameter.
+ *
+ * \return \c 0 if successful, i.e. \p X is probably prime.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return Another negative error code on other kinds of failure.
+ */
+MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief Miller-Rabin primality test.
+ *
+ * \warning If \p X is potentially generated by an adversary, for example
+ * when validating cryptographic parameters that you didn't
+ * generate yourself and that are supposed to be prime, then
+ * \p rounds should be at least the half of the security
+ * strength of the cryptographic algorithm. On the other hand,
+ * if \p X is chosen uniformly or non-adversially (as is the
+ * case when mbedtls_mpi_gen_prime calls this function), then
+ * \p rounds can be much lower.
+ *
+ * \param X The MPI to check for primality.
+ * This must point to an initialized MPI.
+ * \param rounds The number of bases to perform the Miller-Rabin primality
+ * test for. The probability of returning 0 on a composite is
+ * at most 2<sup>-2*\p rounds</sup>.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ * This may be \c NULL if \p f_rng doesn't use
+ * a context parameter.
+ *
+ * \return \c 0 if successful, i.e. \p X is probably prime.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
+/**
+ * \brief Flags for mbedtls_mpi_gen_prime()
+ *
+ * Each of these flags is a constraint on the result X returned by
+ * mbedtls_mpi_gen_prime().
+ */
+typedef enum {
+ MBEDTLS_MPI_GEN_PRIME_FLAG_DH = 0x0001, /**< (X-1)/2 is prime too */
+ MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR = 0x0002, /**< lower error rate from 2<sup>-80</sup> to 2<sup>-128</sup> */
+} mbedtls_mpi_gen_prime_flag_t;
+
+/**
+ * \brief Generate a prime number.
+ *
+ * \param X The destination MPI to store the generated prime in.
+ * This must point to an initialized MPi.
+ * \param nbits The required size of the destination MPI in bits.
+ * This must be between \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ * \param flags A mask of flags of type #mbedtls_mpi_gen_prime_flag_t.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ * This may be \c NULL if \p f_rng doesn't use
+ * a context parameter.
+ *
+ * \return \c 0 if successful, in which case \p X holds a
+ * probably prime number.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if `nbits` is not between
+ * \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ */
+int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
diff --git a/thirdparty/mbedtls/include/mbedtls/blowfish.h b/thirdparty/mbedtls/include/mbedtls/blowfish.h
index 985faa43f0..f01573dcaf 100644
--- a/thirdparty/mbedtls/include/mbedtls/blowfish.h
+++ b/thirdparty/mbedtls/include/mbedtls/blowfish.h
@@ -33,6 +33,8 @@
#include <stddef.h>
#include <stdint.h>
+#include "platform_util.h"
+
#define MBEDTLS_BLOWFISH_ENCRYPT 1
#define MBEDTLS_BLOWFISH_DECRYPT 0
#define MBEDTLS_BLOWFISH_MAX_KEY_BITS 448
@@ -40,9 +42,16 @@
#define MBEDTLS_BLOWFISH_ROUNDS 16 /**< Rounds to use. When increasing this value, make sure to extend the initialisation vectors */
#define MBEDTLS_BLOWFISH_BLOCKSIZE 8 /* Blowfish uses 64 bit blocks */
-#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH -0x0016 /**< Invalid key length. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0016 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA -0x0016 /**< Bad input data. */
+
+#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
#define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED -0x0017 /**< Blowfish hardware accelerator failed. */
-#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018 /**< Invalid data input length. */
#ifdef __cplusplus
extern "C" {
@@ -55,7 +64,7 @@ extern "C" {
/**
* \brief Blowfish context structure
*/
-typedef struct
+typedef struct mbedtls_blowfish_context
{
uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2]; /*!< Blowfish round keys */
uint32_t S[4][256]; /*!< key dependent S-boxes */
@@ -67,40 +76,53 @@ mbedtls_blowfish_context;
#endif /* MBEDTLS_BLOWFISH_ALT */
/**
- * \brief Initialize Blowfish context
+ * \brief Initialize a Blowfish context.
*
- * \param ctx Blowfish context to be initialized
+ * \param ctx The Blowfish context to be initialized.
+ * This must not be \c NULL.
*/
void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx );
/**
- * \brief Clear Blowfish context
+ * \brief Clear a Blowfish context.
*
- * \param ctx Blowfish context to be cleared
+ * \param ctx The Blowfish context to be cleared.
+ * This may be \c NULL, in which case this function
+ * returns immediately. If it is not \c NULL, it must
+ * point to an initialized Blowfish context.
*/
void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx );
/**
- * \brief Blowfish key schedule
+ * \brief Perform a Blowfish key schedule operation.
*
- * \param ctx Blowfish context to be initialized
- * \param key encryption key
- * \param keybits must be between 32 and 448 bits
+ * \param ctx The Blowfish context to perform the key schedule on.
+ * \param key The encryption key. This must be a readable buffer of
+ * length \p keybits Bits.
+ * \param keybits The length of \p key in Bits. This must be between
+ * \c 32 and \c 448 and a multiple of \c 8.
*
- * \return 0 if successful, or MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx, const unsigned char *key,
unsigned int keybits );
/**
- * \brief Blowfish-ECB block encryption/decryption
+ * \brief Perform a Blowfish-ECB block encryption/decryption operation.
*
- * \param ctx Blowfish context
- * \param mode MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param input 8-byte input block
- * \param output 8-byte output block
+ * \param ctx The Blowfish context to use. This must be initialized
+ * and bound to a key.
+ * \param mode The mode of operation. Possible values are
+ * #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ * #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param input The input block. This must be a readable buffer
+ * of size \c 8 Bytes.
+ * \param output The output block. This must be a writable buffer
+ * of size \c 8 Bytes.
*
- * \return 0 if successful
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
int mode,
@@ -109,9 +131,7 @@ int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
#if defined(MBEDTLS_CIPHER_MODE_CBC)
/**
- * \brief Blowfish-CBC buffer encryption/decryption
- * Length should be a multiple of the block
- * size (8 bytes)
+ * \brief Perform a Blowfish-CBC buffer encryption/decryption operation.
*
* \note Upon exit, the content of the IV is updated so that you can
* call the function same function again on the following
@@ -121,15 +141,22 @@ int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
* IV, you should either save it manually or use the cipher
* module instead.
*
- * \param ctx Blowfish context
- * \param mode MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param length length of the input data
- * \param iv initialization vector (updated after use)
- * \param input buffer holding the input data
- * \param output buffer holding the output data
+ * \param ctx The Blowfish context to use. This must be initialized
+ * and bound to a key.
+ * \param mode The mode of operation. Possible values are
+ * #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ * #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length The length of the input data in Bytes. This must be
+ * multiple of \c 8.
+ * \param iv The initialization vector. This must be a read/write buffer
+ * of length \c 8 Bytes. It is updated by this function.
+ * \param input The input data. This must be a readable buffer of length
+ * \p length Bytes.
+ * \param output The output data. This must be a writable buffer of length
+ * \p length Bytes.
*
- * \return 0 if successful, or
- * MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
int mode,
@@ -141,7 +168,7 @@ int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
#if defined(MBEDTLS_CIPHER_MODE_CFB)
/**
- * \brief Blowfish CFB buffer encryption/decryption.
+ * \brief Perform a Blowfish CFB buffer encryption/decryption operation.
*
* \note Upon exit, the content of the IV is updated so that you can
* call the function same function again on the following
@@ -151,15 +178,25 @@ int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
* IV, you should either save it manually or use the cipher
* module instead.
*
- * \param ctx Blowfish context
- * \param mode MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param length length of the input data
- * \param iv_off offset in IV (updated after use)
- * \param iv initialization vector (updated after use)
- * \param input buffer holding the input data
- * \param output buffer holding the output data
+ * \param ctx The Blowfish context to use. This must be initialized
+ * and bound to a key.
+ * \param mode The mode of operation. Possible values are
+ * #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ * #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length The length of the input data in Bytes.
+ * \param iv_off The offset in the initialiation vector.
+ * The value pointed to must be smaller than \c 8 Bytes.
+ * It is updated by this function to support the aforementioned
+ * streaming usage.
+ * \param iv The initialization vector. This must be a read/write buffer
+ * of size \c 8 Bytes. It is updated after use.
+ * \param input The input data. This must be a readable buffer of length
+ * \p length Bytes.
+ * \param output The output data. This must be a writable buffer of length
+ * \p length Bytes.
*
- * \return 0 if successful
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
int mode,
@@ -172,7 +209,7 @@ int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
#if defined(MBEDTLS_CIPHER_MODE_CTR)
/**
- * \brief Blowfish-CTR buffer encryption/decryption
+ * \brief Perform a Blowfish-CTR buffer encryption/decryption operation.
*
* \warning You must never reuse a nonce value with the same key. Doing so
* would void the encryption for the two messages encrypted with
@@ -215,18 +252,24 @@ int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
* content must not be written to insecure storage and should be
* securely discarded as soon as it's no longer needed.
*
- * \param ctx Blowfish context
- * \param length The length of the data
+ * \param ctx The Blowfish context to use. This must be initialized
+ * and bound to a key.
+ * \param length The length of the input data in Bytes.
* \param nc_off The offset in the current stream_block (for resuming
- * within current cipher stream). The offset pointer to
- * should be 0 at the start of a stream.
- * \param nonce_counter The 64-bit nonce and counter.
- * \param stream_block The saved stream-block for resuming. Is overwritten
- * by the function.
- * \param input The input data stream
- * \param output The output data stream
- *
- * \return 0 if successful
+ * within current cipher stream). The offset pointer
+ * should be \c 0 at the start of a stream and must be
+ * smaller than \c 8. It is updated by this function.
+ * \param nonce_counter The 64-bit nonce and counter. This must point to a
+ * read/write buffer of length \c 8 Bytes.
+ * \param stream_block The saved stream-block for resuming. This must point to
+ * a read/write buffer of length \c 8 Bytes.
+ * \param input The input data. This must be a readable buffer of
+ * length \p length Bytes.
+ * \param output The output data. This must be a writable buffer of
+ * length \p length Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
size_t length,
diff --git a/thirdparty/mbedtls/include/mbedtls/bn_mul.h b/thirdparty/mbedtls/include/mbedtls/bn_mul.h
index b587317d95..2f7b72fe4c 100644
--- a/thirdparty/mbedtls/include/mbedtls/bn_mul.h
+++ b/thirdparty/mbedtls/include/mbedtls/bn_mul.h
@@ -170,19 +170,19 @@
#define MULADDC_INIT \
asm( \
- "xorq %%r8, %%r8 \n\t"
+ "xorq %%r8, %%r8\n"
#define MULADDC_CORE \
- "movq (%%rsi), %%rax \n\t" \
- "mulq %%rbx \n\t" \
- "addq $8, %%rsi \n\t" \
- "addq %%rcx, %%rax \n\t" \
- "movq %%r8, %%rcx \n\t" \
- "adcq $0, %%rdx \n\t" \
- "nop \n\t" \
- "addq %%rax, (%%rdi) \n\t" \
- "adcq %%rdx, %%rcx \n\t" \
- "addq $8, %%rdi \n\t"
+ "movq (%%rsi), %%rax\n" \
+ "mulq %%rbx\n" \
+ "addq $8, %%rsi\n" \
+ "addq %%rcx, %%rax\n" \
+ "movq %%r8, %%rcx\n" \
+ "adcq $0, %%rdx\n" \
+ "nop \n" \
+ "addq %%rax, (%%rdi)\n" \
+ "adcq %%rdx, %%rcx\n" \
+ "addq $8, %%rdi\n"
#define MULADDC_STOP \
: "+c" (c), "+D" (d), "+S" (s) \
@@ -565,9 +565,8 @@
#endif /* TriCore */
/*
- * gcc -O0 by default uses r7 for the frame pointer, so it complains about our
- * use of r7 below, unless -fomit-frame-pointer is passed. Unfortunately,
- * passing that option is not easy when building with yotta.
+ * Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
+ * our use of r7 below, unless -fomit-frame-pointer is passed.
*
* On the other hand, -fomit-frame-pointer is implied by any -Ox options with
* x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
@@ -637,6 +636,23 @@
"r6", "r7", "r8", "r9", "cc" \
);
+#elif defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
+
+#define MULADDC_INIT \
+ asm(
+
+#define MULADDC_CORE \
+ "ldr r0, [%0], #4 \n\t" \
+ "ldr r1, [%1] \n\t" \
+ "umaal r1, %2, %3, r0 \n\t" \
+ "str r1, [%1], #4 \n\t"
+
+#define MULADDC_STOP \
+ : "=r" (s), "=r" (d), "=r" (c) \
+ : "r" (b), "0" (s), "1" (d), "2" (c) \
+ : "r0", "r1", "memory" \
+ );
+
#else
#define MULADDC_INIT \
diff --git a/thirdparty/mbedtls/include/mbedtls/camellia.h b/thirdparty/mbedtls/include/mbedtls/camellia.h
index 7e4721af78..0f7c42c92d 100644
--- a/thirdparty/mbedtls/include/mbedtls/camellia.h
+++ b/thirdparty/mbedtls/include/mbedtls/camellia.h
@@ -33,11 +33,20 @@
#include <stddef.h>
#include <stdint.h>
+#include "platform_util.h"
+
#define MBEDTLS_CAMELLIA_ENCRYPT 1
#define MBEDTLS_CAMELLIA_DECRYPT 0
-#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH -0x0024 /**< Invalid key length. */
-#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026 /**< Invalid data input length. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0024 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA -0x0024 /**< Bad input data. */
+
+#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
#define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED -0x0027 /**< Camellia hardware accelerator failed. */
#ifdef __cplusplus
@@ -51,7 +60,7 @@ extern "C" {
/**
* \brief CAMELLIA context structure
*/
-typedef struct
+typedef struct mbedtls_camellia_context
{
int nr; /*!< number of rounds */
uint32_t rk[68]; /*!< CAMELLIA round keys */
@@ -63,52 +72,68 @@ mbedtls_camellia_context;
#endif /* MBEDTLS_CAMELLIA_ALT */
/**
- * \brief Initialize CAMELLIA context
+ * \brief Initialize a CAMELLIA context.
*
- * \param ctx CAMELLIA context to be initialized
+ * \param ctx The CAMELLIA context to be initialized.
+ * This must not be \c NULL.
*/
void mbedtls_camellia_init( mbedtls_camellia_context *ctx );
/**
- * \brief Clear CAMELLIA context
+ * \brief Clear a CAMELLIA context.
*
- * \param ctx CAMELLIA context to be cleared
+ * \param ctx The CAMELLIA context to be cleared. This may be \c NULL,
+ * in which case this function returns immediately. If it is not
+ * \c NULL, it must be initialized.
*/
void mbedtls_camellia_free( mbedtls_camellia_context *ctx );
/**
- * \brief CAMELLIA key schedule (encryption)
+ * \brief Perform a CAMELLIA key schedule operation for encryption.
*
- * \param ctx CAMELLIA context to be initialized
- * \param key encryption key
- * \param keybits must be 128, 192 or 256
+ * \param ctx The CAMELLIA context to use. This must be initialized.
+ * \param key The encryption key to use. This must be a readable buffer
+ * of size \p keybits Bits.
+ * \param keybits The length of \p key in Bits. This must be either \c 128,
+ * \c 192 or \c 256.
*
- * \return 0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
-int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key,
- unsigned int keybits );
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits );
/**
- * \brief CAMELLIA key schedule (decryption)
+ * \brief Perform a CAMELLIA key schedule operation for decryption.
*
- * \param ctx CAMELLIA context to be initialized
- * \param key decryption key
- * \param keybits must be 128, 192 or 256
+ * \param ctx The CAMELLIA context to use. This must be initialized.
+ * \param key The decryption key. This must be a readable buffer
+ * of size \p keybits Bits.
+ * \param keybits The length of \p key in Bits. This must be either \c 128,
+ * \c 192 or \c 256.
*
- * \return 0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
-int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key,
- unsigned int keybits );
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits );
/**
- * \brief CAMELLIA-ECB block encryption/decryption
- *
- * \param ctx CAMELLIA context
- * \param mode MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param input 16-byte input block
- * \param output 16-byte output block
- *
- * \return 0 if successful
+ * \brief Perform a CAMELLIA-ECB block encryption/decryption operation.
+ *
+ * \param ctx The CAMELLIA context to use. This must be initialized
+ * and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param input The input block. This must be a readable buffer
+ * of size \c 16 Bytes.
+ * \param output The output block. This must be a writable buffer
+ * of size \c 16 Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
int mode,
@@ -117,9 +142,7 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
#if defined(MBEDTLS_CIPHER_MODE_CBC)
/**
- * \brief CAMELLIA-CBC buffer encryption/decryption
- * Length should be a multiple of the block
- * size (16 bytes)
+ * \brief Perform a CAMELLIA-CBC buffer encryption/decryption operation.
*
* \note Upon exit, the content of the IV is updated so that you can
* call the function same function again on the following
@@ -129,15 +152,22 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
* IV, you should either save it manually or use the cipher
* module instead.
*
- * \param ctx CAMELLIA context
- * \param mode MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param length length of the input data
- * \param iv initialization vector (updated after use)
- * \param input buffer holding the input data
- * \param output buffer holding the output data
- *
- * \return 0 if successful, or
- * MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+ * \param ctx The CAMELLIA context to use. This must be initialized
+ * and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length The length in Bytes of the input data \p input.
+ * This must be a multiple of \c 16 Bytes.
+ * \param iv The initialization vector. This must be a read/write buffer
+ * of length \c 16 Bytes. It is updated to allow streaming
+ * use as explained above.
+ * \param input The buffer holding the input data. This must point to a
+ * readable buffer of length \p length Bytes.
+ * \param output The buffer holding the output data. This must point to a
+ * writable buffer of length \p length Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
int mode,
@@ -149,11 +179,14 @@ int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
#if defined(MBEDTLS_CIPHER_MODE_CFB)
/**
- * \brief CAMELLIA-CFB128 buffer encryption/decryption
+ * \brief Perform a CAMELLIA-CFB128 buffer encryption/decryption
+ * operation.
*
- * Note: Due to the nature of CFB you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and CAMELLIE_DECRYPT.
+ * \note Due to the nature of CFB mode, you should use the same
+ * key for both encryption and decryption. In particular, calls
+ * to this function should be preceded by a key-schedule via
+ * mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ * is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
*
* \note Upon exit, the content of the IV is updated so that you can
* call the function same function again on the following
@@ -163,16 +196,24 @@ int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
* IV, you should either save it manually or use the cipher
* module instead.
*
- * \param ctx CAMELLIA context
- * \param mode MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param length length of the input data
- * \param iv_off offset in IV (updated after use)
- * \param iv initialization vector (updated after use)
- * \param input buffer holding the input data
- * \param output buffer holding the output data
- *
- * \return 0 if successful, or
- * MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+ * \param ctx The CAMELLIA context to use. This must be initialized
+ * and bound to a key.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length The length of the input data \p input. Any value is allowed.
+ * \param iv_off The current offset in the IV. This must be smaller
+ * than \c 16 Bytes. It is updated after this call to allow
+ * the aforementioned streaming usage.
+ * \param iv The initialization vector. This must be a read/write buffer
+ * of length \c 16 Bytes. It is updated after this call to
+ * allow the aforementioned streaming usage.
+ * \param input The buffer holding the input data. This must be a readable
+ * buffer of size \p length Bytes.
+ * \param output The buffer to hold the output data. This must be a writable
+ * buffer of length \p length Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
int mode,
@@ -185,11 +226,13 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
#if defined(MBEDTLS_CIPHER_MODE_CTR)
/**
- * \brief CAMELLIA-CTR buffer encryption/decryption
+ * \brief Perform a CAMELLIA-CTR buffer encryption/decryption operation.
*
- * Note: Due to the nature of CTR you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and MBEDTLS_CAMELLIA_DECRYPT.
+ * *note Due to the nature of CTR mode, you should use the same
+ * key for both encryption and decryption. In particular, calls
+ * to this function should be preceded by a key-schedule via
+ * mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ * is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
*
* \warning You must never reuse a nonce value with the same key. Doing so
* would void the encryption for the two messages encrypted with
@@ -212,41 +255,49 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
* per-message nonce, handled by yourself, and the second one
* updated by this function internally.
*
- * For example, you might reserve the first 12 bytes for the
- * per-message nonce, and the last 4 bytes for internal use. In that
- * case, before calling this function on a new message you need to
- * set the first 12 bytes of \p nonce_counter to your chosen nonce
- * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
- * stream_block to be ignored). That way, you can encrypt at most
- * 2**96 messages of up to 2**32 blocks each with the same key.
+ * For example, you might reserve the first \c 12 Bytes for the
+ * per-message nonce, and the last \c 4 Bytes for internal use.
+ * In that case, before calling this function on a new message you
+ * need to set the first \c 12 Bytes of \p nonce_counter to your
+ * chosen nonce value, the last four to \c 0, and \p nc_off to \c 0
+ * (which will cause \p stream_block to be ignored). That way, you
+ * can encrypt at most \c 2**96 messages of up to \c 2**32 blocks
+ * each with the same key.
*
* The per-message nonce (or information sufficient to reconstruct
- * it) needs to be communicated with the ciphertext and must be unique.
- * The recommended way to ensure uniqueness is to use a message
- * counter. An alternative is to generate random nonces, but this
- * limits the number of messages that can be securely encrypted:
- * for example, with 96-bit random nonces, you should not encrypt
- * more than 2**32 messages with the same key.
+ * it) needs to be communicated with the ciphertext and must be
+ * unique. The recommended way to ensure uniqueness is to use a
+ * message counter. An alternative is to generate random nonces,
+ * but this limits the number of messages that can be securely
+ * encrypted: for example, with 96-bit random nonces, you should
+ * not encrypt more than 2**32 messages with the same key.
*
* Note that for both stategies, sizes are measured in blocks and
- * that a CAMELLIA block is 16 bytes.
+ * that a CAMELLIA block is \c 16 Bytes.
*
* \warning Upon return, \p stream_block contains sensitive data. Its
* content must not be written to insecure storage and should be
* securely discarded as soon as it's no longer needed.
*
- * \param ctx CAMELLIA context
- * \param length The length of the data
- * \param nc_off The offset in the current stream_block (for resuming
+ * \param ctx The CAMELLIA context to use. This must be initialized
+ * and bound to a key.
+ * \param length The length of the input data \p input in Bytes.
+ * Any value is allowed.
+ * \param nc_off The offset in the current \p stream_block (for resuming
* within current cipher stream). The offset pointer to
- * should be 0 at the start of a stream.
- * \param nonce_counter The 128-bit nonce and counter.
- * \param stream_block The saved stream-block for resuming. Is overwritten
- * by the function.
- * \param input The input data stream
- * \param output The output data stream
- *
- * \return 0 if successful
+ * should be \c 0 at the start of a stream. It is updated
+ * at the end of this call.
+ * \param nonce_counter The 128-bit nonce and counter. This must be a read/write
+ * buffer of length \c 16 Bytes.
+ * \param stream_block The saved stream-block for resuming. This must be a
+ * read/write buffer of length \c 16 Bytes.
+ * \param input The input data stream. This must be a readable buffer of
+ * size \p length Bytes.
+ * \param output The output data stream. This must be a writable buffer
+ * of size \p length Bytes.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
size_t length,
diff --git a/thirdparty/mbedtls/include/mbedtls/ccm.h b/thirdparty/mbedtls/include/mbedtls/ccm.h
index 5d727e7cca..3f6b8f6709 100644
--- a/thirdparty/mbedtls/include/mbedtls/ccm.h
+++ b/thirdparty/mbedtls/include/mbedtls/ccm.h
@@ -53,8 +53,9 @@
#define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /**< Bad input parameters to the function. */
#define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F /**< Authenticated decryption failed. */
-#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
+/* MBEDTLS_ERR_CCM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
#ifdef __cplusplus
extern "C" {
@@ -68,7 +69,8 @@ extern "C" {
* \brief The CCM context-type definition. The CCM context is passed
* to the APIs called.
*/
-typedef struct {
+typedef struct mbedtls_ccm_context
+{
mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */
}
mbedtls_ccm_context;
@@ -82,7 +84,7 @@ mbedtls_ccm_context;
* to make references valid, and prepare the context
* for mbedtls_ccm_setkey() or mbedtls_ccm_free().
*
- * \param ctx The CCM context to initialize.
+ * \param ctx The CCM context to initialize. This must not be \c NULL.
*/
void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
@@ -90,9 +92,10 @@ void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
* \brief This function initializes the CCM context set in the
* \p ctx parameter and sets the encryption key.
*
- * \param ctx The CCM context to initialize.
+ * \param ctx The CCM context to initialize. This must be an initialized
+ * context.
* \param cipher The 128-bit block cipher to use.
- * \param key The encryption key.
+ * \param key The encryption key. This must not be \c NULL.
* \param keybits The key size in bits. This must be acceptable by the cipher.
*
* \return \c 0 on success.
@@ -107,7 +110,8 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
* \brief This function releases and clears the specified CCM context
* and underlying cipher sub-context.
*
- * \param ctx The CCM context to clear.
+ * \param ctx The CCM context to clear. If this is \c NULL, the function
+ * has no effect. Otherwise, this must be initialized.
*/
void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
@@ -120,19 +124,27 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
* \p tag = \p output + \p length, and make sure that the
* output buffer is at least \p length + \p tag_len wide.
*
- * \param ctx The CCM context to use for encryption.
+ * \param ctx The CCM context to use for encryption. This must be
+ * initialized and bound to a key.
* \param length The length of the input data in Bytes.
- * \param iv Initialization vector (nonce).
+ * \param iv The initialization vector (nonce). This must be a readable
+ * buffer of at least \p iv_len Bytes.
* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
* or 13. The length L of the message length field is
* 15 - \p iv_len.
- * \param add The additional data field.
+ * \param add The additional data field. If \p add_len is greater than
+ * zero, \p add must be a readable buffer of at least that
+ * length.
* \param add_len The length of additional data in Bytes.
- * Must be less than 2^16 - 2^8.
- * \param input The buffer holding the input data.
- * \param output The buffer holding the output data.
- * Must be at least \p length Bytes wide.
- * \param tag The buffer holding the authentication field.
+ * This must be less than `2^16 - 2^8`.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, \p input must be a readable buffer of at least
+ * that length.
+ * \param output The buffer holding the output data. If \p length is greater
+ * than zero, \p output must be a writable buffer of at least
+ * that length.
+ * \param tag The buffer holding the authentication field. This must be a
+ * readable buffer of at least \p tag_len Bytes.
* \param tag_len The length of the authentication field to generate in Bytes:
* 4, 6, 8, 10, 12, 14 or 16.
*
@@ -158,23 +170,30 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
* the tag length has to be encoded into the \p iv passed to
* this function.
*
- * \param ctx The CCM context to use for encryption.
+ * \param ctx The CCM context to use for encryption. This must be
+ * initialized and bound to a key.
* \param length The length of the input data in Bytes.
- * \param iv Initialization vector (nonce).
+ * \param iv The initialization vector (nonce). This must be a readable
+ * buffer of at least \p iv_len Bytes.
* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
* or 13. The length L of the message length field is
* 15 - \p iv_len.
- * \param add The additional data field.
+ * \param add The additional data field. This must be a readable buffer of
+ * at least \p add_len Bytes.
* \param add_len The length of additional data in Bytes.
- * Must be less than 2^16 - 2^8.
- * \param input The buffer holding the input data.
- * \param output The buffer holding the output data.
- * Must be at least \p length Bytes wide.
- * \param tag The buffer holding the authentication field.
+ * This must be less than 2^16 - 2^8.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, \p input must be a readable buffer of at least
+ * that length.
+ * \param output The buffer holding the output data. If \p length is greater
+ * than zero, \p output must be a writable buffer of at least
+ * that length.
+ * \param tag The buffer holding the authentication field. This must be a
+ * readable buffer of at least \p tag_len Bytes.
* \param tag_len The length of the authentication field to generate in Bytes:
* 0, 4, 6, 8, 10, 12, 14 or 16.
*
- * \warning Passing 0 as \p tag_len means that the message is no
+ * \warning Passing \c 0 as \p tag_len means that the message is no
* longer authenticated.
*
* \return \c 0 on success.
@@ -190,20 +209,27 @@ int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
* \brief This function performs a CCM authenticated decryption of a
* buffer.
*
- * \param ctx The CCM context to use for decryption.
+ * \param ctx The CCM context to use for decryption. This must be
+ * initialized and bound to a key.
* \param length The length of the input data in Bytes.
- * \param iv Initialization vector (nonce).
+ * \param iv The initialization vector (nonce). This must be a readable
+ * buffer of at least \p iv_len Bytes.
* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
* or 13. The length L of the message length field is
* 15 - \p iv_len.
- * \param add The additional data field.
+ * \param add The additional data field. This must be a readable buffer
+ * of at least that \p add_len Bytes..
* \param add_len The length of additional data in Bytes.
- * Must be less than 2^16 - 2^8.
- * \param input The buffer holding the input data.
- * \param output The buffer holding the output data.
- * Must be at least \p length Bytes wide.
- * \param tag The buffer holding the authentication field.
- * \param tag_len The length of the authentication field in Bytes.
+ * This must be less than 2^16 - 2^8.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, \p input must be a readable buffer of at least
+ * that length.
+ * \param output The buffer holding the output data. If \p length is greater
+ * than zero, \p output must be a writable buffer of at least
+ * that length.
+ * \param tag The buffer holding the authentication field. This must be a
+ * readable buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the authentication field to generate in Bytes:
* 4, 6, 8, 10, 12, 14 or 16.
*
* \return \c 0 on success. This indicates that the message is authentic.
@@ -225,23 +251,30 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
* this function as \p tag_len. (\p tag needs to be adjusted
* accordingly.)
*
- * \param ctx The CCM context to use for decryption.
+ * \param ctx The CCM context to use for decryption. This must be
+ * initialized and bound to a key.
* \param length The length of the input data in Bytes.
- * \param iv Initialization vector (nonce).
+ * \param iv The initialization vector (nonce). This must be a readable
+ * buffer of at least \p iv_len Bytes.
* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
* or 13. The length L of the message length field is
* 15 - \p iv_len.
- * \param add The additional data field.
+ * \param add The additional data field. This must be a readable buffer of
+ * at least that \p add_len Bytes.
* \param add_len The length of additional data in Bytes.
- * Must be less than 2^16 - 2^8.
- * \param input The buffer holding the input data.
- * \param output The buffer holding the output data.
- * Must be at least \p length Bytes wide.
- * \param tag The buffer holding the authentication field.
+ * This must be less than 2^16 - 2^8.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, \p input must be a readable buffer of at least
+ * that length.
+ * \param output The buffer holding the output data. If \p length is greater
+ * than zero, \p output must be a writable buffer of at least
+ * that length.
+ * \param tag The buffer holding the authentication field. This must be a
+ * readable buffer of at least \p tag_len Bytes.
* \param tag_len The length of the authentication field in Bytes.
* 0, 4, 6, 8, 10, 12, 14 or 16.
*
- * \warning Passing 0 as \p tag_len means that the message is no
+ * \warning Passing \c 0 as \p tag_len means that the message is nos
* longer authenticated.
*
* \return \c 0 on success.
diff --git a/thirdparty/mbedtls/include/mbedtls/chacha20.h b/thirdparty/mbedtls/include/mbedtls/chacha20.h
index 47bd7d38b9..2ae5e6e5f4 100644
--- a/thirdparty/mbedtls/include/mbedtls/chacha20.h
+++ b/thirdparty/mbedtls/include/mbedtls/chacha20.h
@@ -43,7 +43,13 @@
#include <stddef.h>
#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA -0x0051 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
#define MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE -0x0053 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
#define MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED -0x0055 /**< Chacha20 hardware accelerator failed. */
#ifdef __cplusplus
@@ -52,7 +58,7 @@ extern "C" {
#if !defined(MBEDTLS_CHACHA20_ALT)
-typedef struct
+typedef struct mbedtls_chacha20_context
{
uint32_t state[16]; /*! The state (before round operations). */
uint8_t keystream8[64]; /*! Leftover keystream bytes. */
@@ -77,13 +83,18 @@ mbedtls_chacha20_context;
* \c mbedtls_chacha20_free().
*
* \param ctx The ChaCha20 context to initialize.
+ * This must not be \c NULL.
*/
void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx );
/**
- * \brief This function releases and clears the specified ChaCha20 context.
+ * \brief This function releases and clears the specified
+ * ChaCha20 context.
+ *
+ * \param ctx The ChaCha20 context to clear. This may be \c NULL,
+ * in which case this function is a no-op. If it is not
+ * \c NULL, it must point to an initialized context.
*
- * \param ctx The ChaCha20 context to clear.
*/
void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx );
@@ -96,7 +107,9 @@ void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx );
* \c mbedtls_chacha_update().
*
* \param ctx The ChaCha20 context to which the key should be bound.
- * \param key The encryption/decryption key. Must be 32 bytes in length.
+ * It must be initialized.
+ * \param key The encryption/decryption key. This must be \c 32 Bytes
+ * in length.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL.
@@ -115,8 +128,9 @@ int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
* messages encrypted with the same nonce and key.
*
* \param ctx The ChaCha20 context to which the nonce should be bound.
- * \param nonce The nonce. Must be 12 bytes in size.
- * \param counter The initial counter value. This is usually 0.
+ * It must be initialized and bound to a key.
+ * \param nonce The nonce. This must be \c 12 Bytes in size.
+ * \param counter The initial counter value. This is usually \c 0.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is
@@ -144,16 +158,16 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
* key and nonce.
*
* \param ctx The ChaCha20 context to use for encryption or decryption.
- * \param size The length of the input data in bytes.
+ * It must be initialized and bound to a key and nonce.
+ * \param size The length of the input data in Bytes.
* \param input The buffer holding the input data.
- * This pointer can be NULL if size == 0.
+ * This pointer can be \c NULL if `size == 0`.
* \param output The buffer holding the output data.
- * Must be able to hold \p size bytes.
- * This pointer can be NULL if size == 0.
+ * This must be able to hold \p size Bytes.
+ * This pointer can be \c NULL if `size == 0`.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if the ctx, input, or
- * output pointers are NULL.
+ * \return A negative error code on failure.
*/
int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
size_t size,
@@ -174,19 +188,19 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
* \note The \p input and \p output pointers must either be equal or
* point to non-overlapping buffers.
*
- * \param key The encryption/decryption key. Must be 32 bytes in length.
- * \param nonce The nonce. Must be 12 bytes in size.
- * \param counter The initial counter value. This is usually 0.
- * \param size The length of the input data in bytes.
+ * \param key The encryption/decryption key.
+ * This must be \c 32 Bytes in length.
+ * \param nonce The nonce. This must be \c 12 Bytes in size.
+ * \param counter The initial counter value. This is usually \c 0.
+ * \param size The length of the input data in Bytes.
* \param input The buffer holding the input data.
- * This pointer can be NULL if size == 0.
+ * This pointer can be \c NULL if `size == 0`.
* \param output The buffer holding the output data.
- * Must be able to hold \p size bytes.
- * This pointer can be NULL if size == 0.
+ * This must be able to hold \p size Bytes.
+ * This pointer can be \c NULL if `size == 0`.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if key, nonce, input,
- * or output is NULL.
+ * \return A negative error code on failure.
*/
int mbedtls_chacha20_crypt( const unsigned char key[32],
const unsigned char nonce[12],
diff --git a/thirdparty/mbedtls/include/mbedtls/chachapoly.h b/thirdparty/mbedtls/include/mbedtls/chachapoly.h
index 42b2b230c5..49e615d278 100644
--- a/thirdparty/mbedtls/include/mbedtls/chachapoly.h
+++ b/thirdparty/mbedtls/include/mbedtls/chachapoly.h
@@ -60,7 +60,7 @@ mbedtls_chachapoly_mode_t;
#include "chacha20.h"
-typedef struct
+typedef struct mbedtls_chachapoly_context
{
mbedtls_chacha20_context chacha20_ctx; /**< The ChaCha20 context. */
mbedtls_poly1305_context poly1305_ctx; /**< The Poly1305 context. */
@@ -115,27 +115,29 @@ mbedtls_chachapoly_context;
* all previous outputs of \c mbedtls_chachapoly_update(),
* otherwise you can now safely use the plaintext.
*
- * \param ctx The ChachaPoly context to initialize.
+ * \param ctx The ChachaPoly context to initialize. Must not be \c NULL.
*/
void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );
/**
- * \brief This function releases and clears the specified ChaCha20-Poly1305 context.
+ * \brief This function releases and clears the specified
+ * ChaCha20-Poly1305 context.
*
- * \param ctx The ChachaPoly context to clear.
+ * \param ctx The ChachaPoly context to clear. This may be \c NULL, in which
+ * case this function is a no-op.
*/
void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );
/**
- * \brief This function sets the ChaCha20-Poly1305 symmetric encryption key.
+ * \brief This function sets the ChaCha20-Poly1305
+ * symmetric encryption key.
*
* \param ctx The ChaCha20-Poly1305 context to which the key should be
- * bound.
- * \param key The 256-bit (32 bytes) key.
+ * bound. This must be initialized.
+ * \param key The \c 256 Bit (\c 32 Bytes) key.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if \p ctx or \p key are NULL.
+ * \return A negative error code on failure.
*/
int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
const unsigned char key[32] );
@@ -155,14 +157,15 @@ int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
* \warning Decryption with the piecewise API is discouraged, see the
* warning on \c mbedtls_chachapoly_init().
*
- * \param ctx The ChaCha20-Poly1305 context.
- * \param nonce The nonce/IV to use for the message. Must be 12 bytes.
+ * \param ctx The ChaCha20-Poly1305 context. This must be initialized
+ * and bound to a key.
+ * \param nonce The nonce/IV to use for the message.
+ * This must be a redable buffer of length \c 12 Bytes.
* \param mode The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
* #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if \p ctx or \p mac are NULL.
+ * \return A negative error code on failure.
*/
int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
const unsigned char nonce[12],
@@ -193,11 +196,12 @@ int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
* \warning Decryption with the piecewise API is discouraged, see the
* warning on \c mbedtls_chachapoly_init().
*
- * \param ctx The ChaCha20-Poly1305 context to use.
- * \param aad_len The length (in bytes) of the AAD. The length has no
+ * \param ctx The ChaCha20-Poly1305 context. This must be initialized
+ * and bound to a key.
+ * \param aad_len The length in Bytes of the AAD. The length has no
* restrictions.
* \param aad Buffer containing the AAD.
- * This pointer can be NULL if aad_len == 0.
+ * This pointer can be \c NULL if `aad_len == 0`.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
@@ -227,20 +231,19 @@ int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
* \warning Decryption with the piecewise API is discouraged, see the
* warning on \c mbedtls_chachapoly_init().
*
- * \param ctx The ChaCha20-Poly1305 context to use.
+ * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
* \param len The length (in bytes) of the data to encrypt or decrypt.
* \param input The buffer containing the data to encrypt or decrypt.
- * This pointer can be NULL if len == 0.
- * \param output The buffer to where the encrypted or decrypted data is written.
- * Must be able to hold \p len bytes.
- * This pointer can be NULL if len == 0.
+ * This pointer can be \c NULL if `len == 0`.
+ * \param output The buffer to where the encrypted or decrypted data is
+ * written. This must be able to hold \p len bytes.
+ * This pointer can be \c NULL if `len == 0`.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if \p ctx, \p input, or \p output are NULL.
* \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
* if the operation has not been started or has been
* finished.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
size_t len,
@@ -251,18 +254,17 @@ int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
* \brief This function finished the ChaCha20-Poly1305 operation and
* generates the MAC (authentication tag).
*
- * \param ctx The ChaCha20-Poly1305 context to use.
+ * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
* \param mac The buffer to where the 128-bit (16 bytes) MAC is written.
*
* \warning Decryption with the piecewise API is discouraged, see the
* warning on \c mbedtls_chachapoly_init().
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if \p ctx or \p mac are NULL.
* \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
* if the operation has not been started or has been
* finished.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
unsigned char mac[16] );
@@ -280,20 +282,21 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
* and key.
*
* \param ctx The ChaCha20-Poly1305 context to use (holds the key).
+ * This must be initialized.
* \param length The length (in bytes) of the data to encrypt or decrypt.
* \param nonce The 96-bit (12 bytes) nonce/IV to use.
- * \param aad The buffer containing the additional authenticated data (AAD).
- * This pointer can be NULL if aad_len == 0.
+ * \param aad The buffer containing the additional authenticated
+ * data (AAD). This pointer can be \c NULL if `aad_len == 0`.
* \param aad_len The length (in bytes) of the AAD data to process.
* \param input The buffer containing the data to encrypt or decrypt.
- * This pointer can be NULL if ilen == 0.
- * \param output The buffer to where the encrypted or decrypted data is written.
- * This pointer can be NULL if ilen == 0.
- * \param tag The buffer to where the computed 128-bit (16 bytes) MAC is written.
+ * This pointer can be \c NULL if `ilen == 0`.
+ * \param output The buffer to where the encrypted or decrypted data
+ * is written. This pointer can be \c NULL if `ilen == 0`.
+ * \param tag The buffer to where the computed 128-bit (16 bytes) MAC
+ * is written. This must not be \c NULL.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if one or more of the required parameters are NULL.
+ * \return A negative error code on failure.
*/
int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
size_t length,
@@ -312,22 +315,22 @@ int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
* \c mbedtls_chachapoly_setkey().
*
* \param ctx The ChaCha20-Poly1305 context to use (holds the key).
- * \param length The length (in bytes) of the data to decrypt.
- * \param nonce The 96-bit (12 bytes) nonce/IV to use.
+ * \param length The length (in Bytes) of the data to decrypt.
+ * \param nonce The \c 96 Bit (\c 12 bytes) nonce/IV to use.
* \param aad The buffer containing the additional authenticated data (AAD).
- * This pointer can be NULL if aad_len == 0.
+ * This pointer can be \c NULL if `aad_len == 0`.
* \param aad_len The length (in bytes) of the AAD data to process.
* \param tag The buffer holding the authentication tag.
+ * This must be a readable buffer of length \c 16 Bytes.
* \param input The buffer containing the data to decrypt.
- * This pointer can be NULL if ilen == 0.
+ * This pointer can be \c NULL if `ilen == 0`.
* \param output The buffer to where the decrypted data is written.
- * This pointer can be NULL if ilen == 0.
+ * This pointer can be \c NULL if `ilen == 0`.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if one or more of the required parameters are NULL.
* \return #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
* if the data was not authentic.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
size_t length,
diff --git a/thirdparty/mbedtls/include/mbedtls/check_config.h b/thirdparty/mbedtls/include/mbedtls/check_config.h
index 9e6bb8a46a..b86e5807e0 100644
--- a/thirdparty/mbedtls/include/mbedtls/check_config.h
+++ b/thirdparty/mbedtls/include/mbedtls/check_config.h
@@ -108,6 +108,17 @@
#error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_ECP_RESTARTABLE) && \
+ ( defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
+ defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT) || \
+ defined(MBEDTLS_ECDSA_SIGN_ALT) || \
+ defined(MBEDTLS_ECDSA_VERIFY_ALT) || \
+ defined(MBEDTLS_ECDSA_GENKEY_ALT) || \
+ defined(MBEDTLS_ECP_INTERNAL_ALT) || \
+ defined(MBEDTLS_ECP_ALT) )
+#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation"
+#endif
+
#if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
#error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
#endif
@@ -127,6 +138,10 @@
#error "MBEDTLS_ECP_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
+#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
+#endif
+
#if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) && \
!defined(MBEDTLS_SHA256_C))
#error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
diff --git a/thirdparty/mbedtls/include/mbedtls/cipher.h b/thirdparty/mbedtls/include/mbedtls/cipher.h
index ea0ce983f1..922b6c32c6 100644
--- a/thirdparty/mbedtls/include/mbedtls/cipher.h
+++ b/thirdparty/mbedtls/include/mbedtls/cipher.h
@@ -36,6 +36,7 @@
#endif
#include <stddef.h>
+#include "mbedtls/platform_util.h"
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
#define MBEDTLS_CIPHER_MODE_AEAD
@@ -45,7 +46,8 @@
#define MBEDTLS_CIPHER_MODE_WITH_PADDING
#endif
-#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
+ defined(MBEDTLS_CHACHA20_C)
#define MBEDTLS_CIPHER_MODE_STREAM
#endif
@@ -61,6 +63,8 @@
#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED -0x6280 /**< Decryption of block requires a full block. */
#define MBEDTLS_ERR_CIPHER_AUTH_FAILED -0x6300 /**< Authentication failed (for AEAD modes). */
#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT -0x6380 /**< The context is invalid. For example, because it was freed. */
+
+/* MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED -0x6400 /**< Cipher hardware accelerator failed. */
#define MBEDTLS_CIPHER_VARIABLE_IV_LEN 0x01 /**< Cipher accepts IVs of variable length. */
@@ -235,7 +239,8 @@ typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
* Cipher information. Allows calling cipher functions
* in a generic way.
*/
-typedef struct {
+typedef struct mbedtls_cipher_info_t
+{
/** Full cipher identifier. For example,
* MBEDTLS_CIPHER_AES_256_CBC.
*/
@@ -276,7 +281,8 @@ typedef struct {
/**
* Generic cipher context.
*/
-typedef struct {
+typedef struct mbedtls_cipher_context_t
+{
/** Information about the associated cipher. */
const mbedtls_cipher_info_t *cipher_info;
@@ -331,11 +337,12 @@ const int *mbedtls_cipher_list( void );
* \brief This function retrieves the cipher-information
* structure associated with the given cipher name.
*
- * \param cipher_name Name of the cipher to search for.
+ * \param cipher_name Name of the cipher to search for. This must not be
+ * \c NULL.
*
* \return The cipher information structure associated with the
* given \p cipher_name.
- * \return NULL if the associated cipher information is not found.
+ * \return \c NULL if the associated cipher information is not found.
*/
const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name );
@@ -347,7 +354,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher
*
* \return The cipher information structure associated with the
* given \p cipher_type.
- * \return NULL if the associated cipher information is not found.
+ * \return \c NULL if the associated cipher information is not found.
*/
const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type );
@@ -363,7 +370,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher
*
* \return The cipher information structure associated with the
* given \p cipher_id.
- * \return NULL if the associated cipher information is not found.
+ * \return \c NULL if the associated cipher information is not found.
*/
const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
int key_bitlen,
@@ -371,6 +378,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_ciph
/**
* \brief This function initializes a \p cipher_context as NONE.
+ *
+ * \param ctx The context to be initialized. This must not be \c NULL.
*/
void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx );
@@ -378,6 +387,10 @@ void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx );
* \brief This function frees and clears the cipher-specific
* context of \p ctx. Freeing \p ctx itself remains the
* responsibility of the caller.
+ *
+ * \param ctx The context to be freed. If this is \c NULL, the
+ * function has no effect, otherwise this must point to an
+ * initialized context.
*/
void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
@@ -387,7 +400,7 @@ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
* structure with the appropriate values. It also clears
* the structure.
*
- * \param ctx The context to initialize. May not be NULL.
+ * \param ctx The context to initialize. This must be initialized.
* \param cipher_info The cipher to use.
*
* \return \c 0 on success.
@@ -400,19 +413,22 @@ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
* In future versions, the caller will be required to call
* mbedtls_cipher_init() on the structure first.
*/
-int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info );
+int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
+ const mbedtls_cipher_info_t *cipher_info );
/**
* \brief This function returns the block size of the given cipher.
*
- * \param ctx The context of the cipher. Must be initialized.
+ * \param ctx The context of the cipher. This must be initialized.
*
- * \return The size of the blocks of the cipher.
- * \return 0 if \p ctx has not been initialized.
+ * \return The block size of the underlying cipher.
+ * \return \c 0 if \p ctx has not been initialized.
*/
-static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_context_t *ctx )
+static inline unsigned int mbedtls_cipher_get_block_size(
+ const mbedtls_cipher_context_t *ctx )
{
- if( NULL == ctx || NULL == ctx->cipher_info )
+ MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+ if( ctx->cipher_info == NULL )
return 0;
return ctx->cipher_info->block_size;
@@ -422,14 +438,16 @@ static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_c
* \brief This function returns the mode of operation for
* the cipher. For example, MBEDTLS_MODE_CBC.
*
- * \param ctx The context of the cipher. Must be initialized.
+ * \param ctx The context of the cipher. This must be initialized.
*
* \return The mode of operation.
* \return #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
*/
-static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtls_cipher_context_t *ctx )
+static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
+ const mbedtls_cipher_context_t *ctx )
{
- if( NULL == ctx || NULL == ctx->cipher_info )
+ MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, MBEDTLS_MODE_NONE );
+ if( ctx->cipher_info == NULL )
return MBEDTLS_MODE_NONE;
return ctx->cipher_info->mode;
@@ -439,15 +457,17 @@ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtl
* \brief This function returns the size of the IV or nonce
* of the cipher, in Bytes.
*
- * \param ctx The context of the cipher. Must be initialized.
+ * \param ctx The context of the cipher. This must be initialized.
*
* \return The recommended IV size if no IV has been set.
* \return \c 0 for ciphers not using an IV or a nonce.
* \return The actual size if an IV has been set.
*/
-static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ctx )
+static inline int mbedtls_cipher_get_iv_size(
+ const mbedtls_cipher_context_t *ctx )
{
- if( NULL == ctx || NULL == ctx->cipher_info )
+ MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+ if( ctx->cipher_info == NULL )
return 0;
if( ctx->iv_size != 0 )
@@ -459,14 +479,17 @@ static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ct
/**
* \brief This function returns the type of the given cipher.
*
- * \param ctx The context of the cipher. Must be initialized.
+ * \param ctx The context of the cipher. This must be initialized.
*
* \return The type of the cipher.
* \return #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
*/
-static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_cipher_context_t *ctx )
+static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
+ const mbedtls_cipher_context_t *ctx )
{
- if( NULL == ctx || NULL == ctx->cipher_info )
+ MBEDTLS_INTERNAL_VALIDATE_RET(
+ ctx != NULL, MBEDTLS_CIPHER_NONE );
+ if( ctx->cipher_info == NULL )
return MBEDTLS_CIPHER_NONE;
return ctx->cipher_info->type;
@@ -476,14 +499,16 @@ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_ciphe
* \brief This function returns the name of the given cipher
* as a string.
*
- * \param ctx The context of the cipher. Must be initialized.
+ * \param ctx The context of the cipher. This must be initialized.
*
* \return The name of the cipher.
* \return NULL if \p ctx has not been not initialized.
*/
-static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_t *ctx )
+static inline const char *mbedtls_cipher_get_name(
+ const mbedtls_cipher_context_t *ctx )
{
- if( NULL == ctx || NULL == ctx->cipher_info )
+ MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+ if( ctx->cipher_info == NULL )
return 0;
return ctx->cipher_info->name;
@@ -492,15 +517,18 @@ static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_
/**
* \brief This function returns the key length of the cipher.
*
- * \param ctx The context of the cipher. Must be initialized.
+ * \param ctx The context of the cipher. This must be initialized.
*
* \return The key length of the cipher in bits.
* \return #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
* initialized.
*/
-static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t *ctx )
+static inline int mbedtls_cipher_get_key_bitlen(
+ const mbedtls_cipher_context_t *ctx )
{
- if( NULL == ctx || NULL == ctx->cipher_info )
+ MBEDTLS_INTERNAL_VALIDATE_RET(
+ ctx != NULL, MBEDTLS_KEY_LENGTH_NONE );
+ if( ctx->cipher_info == NULL )
return MBEDTLS_KEY_LENGTH_NONE;
return (int) ctx->cipher_info->key_bitlen;
@@ -509,14 +537,17 @@ static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t
/**
* \brief This function returns the operation of the given cipher.
*
- * \param ctx The context of the cipher. Must be initialized.
+ * \param ctx The context of the cipher. This must be initialized.
*
* \return The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
* \return #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
*/
-static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_cipher_context_t *ctx )
+static inline mbedtls_operation_t mbedtls_cipher_get_operation(
+ const mbedtls_cipher_context_t *ctx )
{
- if( NULL == ctx || NULL == ctx->cipher_info )
+ MBEDTLS_INTERNAL_VALIDATE_RET(
+ ctx != NULL, MBEDTLS_OPERATION_NONE );
+ if( ctx->cipher_info == NULL )
return MBEDTLS_OPERATION_NONE;
return ctx->operation;
@@ -525,11 +556,11 @@ static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_ci
/**
* \brief This function sets the key to use with the given context.
*
- * \param ctx The generic cipher context. May not be NULL. Must have
- * been initialized using mbedtls_cipher_info_from_type()
- * or mbedtls_cipher_info_from_string().
- * \param key The key to use.
- * \param key_bitlen The key length to use, in bits.
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a cipher information structure.
+ * \param key The key to use. This must be a readable buffer of at
+ * least \p key_bitlen Bits.
+ * \param key_bitlen The key length to use, in Bits.
* \param operation The operation that the key will be used for:
* #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
*
@@ -538,8 +569,10 @@ static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_ci
* parameter-verification failure.
* \return A cipher-specific error code on failure.
*/
-int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key,
- int key_bitlen, const mbedtls_operation_t operation );
+int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
+ const unsigned char *key,
+ int key_bitlen,
+ const mbedtls_operation_t operation );
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
/**
@@ -548,7 +581,8 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *k
*
* The default passing mode is PKCS7 padding.
*
- * \param ctx The generic cipher context.
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a cipher information structure.
* \param mode The padding mode.
*
* \return \c 0 on success.
@@ -557,7 +591,8 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *k
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
* does not support padding.
*/
-int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode );
+int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
+ mbedtls_cipher_padding_t mode );
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
/**
@@ -567,8 +602,10 @@ int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_ciph
* \note Some ciphers do not use IVs nor nonce. For these
* ciphers, this function has no effect.
*
- * \param ctx The generic cipher context.
- * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a cipher information structure.
+ * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
+ * must be a readable buffer of at least \p iv_len Bytes.
* \param iv_len The IV length for ciphers with variable-size IV.
* This parameter is discarded by ciphers with fixed-size IV.
*
@@ -577,12 +614,13 @@ int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_ciph
* parameter-verification failure.
*/
int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
- const unsigned char *iv, size_t iv_len );
+ const unsigned char *iv,
+ size_t iv_len );
/**
* \brief This function resets the cipher state.
*
- * \param ctx The generic cipher context.
+ * \param ctx The generic cipher context. This must be initialized.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -594,11 +632,13 @@ int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
/**
* \brief This function adds additional data for AEAD ciphers.
* Currently supported with GCM and ChaCha20+Poly1305.
- * Must be called exactly once, after mbedtls_cipher_reset().
+ * This must be called exactly once, after
+ * mbedtls_cipher_reset().
*
- * \param ctx The generic cipher context.
- * \param ad The additional data to use.
- * \param ad_len the Length of \p ad.
+ * \param ctx The generic cipher context. This must be initialized.
+ * \param ad The additional data to use. This must be a readable
+ * buffer of at least \p ad_len Bytes.
+ * \param ad_len the Length of \p ad Bytes.
*
* \return \c 0 on success.
* \return A specific error code on failure.
@@ -622,14 +662,17 @@ int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
* mbedtls_cipher_finish(), must have \p ilen as a
* multiple of the block size of the cipher.
*
- * \param ctx The generic cipher context.
- * \param input The buffer holding the input data.
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a key.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes.
* \param ilen The length of the input data.
- * \param output The buffer for the output data. Must be able to hold at
- * least \p ilen + block_size. Must not be the same buffer
- * as input.
+ * \param output The buffer for the output data. This must be able to
+ * hold at least `ilen + block_size`. This must not be the
+ * same buffer as \p input.
* \param olen The length of the output data, to be updated with the
- * actual number of Bytes written.
+ * actual number of Bytes written. This must not be
+ * \c NULL.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -647,9 +690,12 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
* contained in it is padded to the size of
* the last block, and written to the \p output buffer.
*
- * \param ctx The generic cipher context.
- * \param output The buffer to write data to. Needs block_size available.
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a key.
+ * \param output The buffer to write data to. This needs to be a writable
+ * buffer of at least \p block_size Bytes.
* \param olen The length of the data written to the \p output buffer.
+ * This may not be \c NULL.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -667,10 +713,14 @@ int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
/**
* \brief This function writes a tag for AEAD ciphers.
* Currently supported with GCM and ChaCha20+Poly1305.
- * Must be called after mbedtls_cipher_finish().
- *
- * \param ctx The generic cipher context.
- * \param tag The buffer to write the tag to.
+ * This must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx The generic cipher context. This must be initialized,
+ * bound to a key, and have just completed a cipher
+ * operation through mbedtls_cipher_finish() the tag for
+ * which should be written.
+ * \param tag The buffer to write the tag to. This must be a writable
+ * buffer of at least \p tag_len Bytes.
* \param tag_len The length of the tag to write.
*
* \return \c 0 on success.
@@ -682,10 +732,11 @@ int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
/**
* \brief This function checks the tag for AEAD ciphers.
* Currently supported with GCM and ChaCha20+Poly1305.
- * Must be called after mbedtls_cipher_finish().
+ * This must be called after mbedtls_cipher_finish().
*
- * \param ctx The generic cipher context.
- * \param tag The buffer holding the tag.
+ * \param ctx The generic cipher context. This must be initialized.
+ * \param tag The buffer holding the tag. This must be a readable
+ * buffer of at least \p tag_len Bytes.
* \param tag_len The length of the tag to check.
*
* \return \c 0 on success.
@@ -699,18 +750,22 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
* \brief The generic all-in-one encryption/decryption function,
* for all ciphers except AEAD constructs.
*
- * \param ctx The generic cipher context.
+ * \param ctx The generic cipher context. This must be initialized.
* \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * This must be a readable buffer of at least \p iv_len
+ * Bytes.
* \param iv_len The IV length for ciphers with variable-size IV.
* This parameter is discarded by ciphers with fixed-size
* IV.
- * \param input The buffer holding the input data.
- * \param ilen The length of the input data.
- * \param output The buffer for the output data. Must be able to hold at
- * least \p ilen + block_size. Must not be the same buffer
- * as input.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ * \param output The buffer for the output data. This must be able to
+ * hold at least `ilen + block_size`. This must not be the
+ * same buffer as \p input.
* \param olen The length of the output data, to be updated with the
- * actual number of Bytes written.
+ * actual number of Bytes written. This must not be
+ * \c NULL.
*
* \note Some ciphers do not use IVs nor nonce. For these
* ciphers, use \p iv = NULL and \p iv_len = 0.
@@ -733,19 +788,26 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
/**
* \brief The generic autenticated encryption (AEAD) function.
*
- * \param ctx The generic cipher context.
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a key.
* \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * This must be a readable buffer of at least \p iv_len
+ * Bytes.
* \param iv_len The IV length for ciphers with variable-size IV.
* This parameter is discarded by ciphers with fixed-size IV.
- * \param ad The additional data to authenticate.
+ * \param ad The additional data to authenticate. This must be a
+ * readable buffer of at least \p ad_len Bytes.
* \param ad_len The length of \p ad.
- * \param input The buffer holding the input data.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes.
* \param ilen The length of the input data.
- * \param output The buffer for the output data.
- * Must be able to hold at least \p ilen.
+ * \param output The buffer for the output data. This must be able to
+ * hold at least \p ilen Bytes.
* \param olen The length of the output data, to be updated with the
- * actual number of Bytes written.
- * \param tag The buffer for the authentication tag.
+ * actual number of Bytes written. This must not be
+ * \c NULL.
+ * \param tag The buffer for the authentication tag. This must be a
+ * writable buffer of at least \p tag_len Bytes.
* \param tag_len The desired length of the authentication tag.
*
* \return \c 0 on success.
@@ -767,19 +829,26 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
* is zeroed out to prevent the unauthentic plaintext being
* used, making this interface safer.
*
- * \param ctx The generic cipher context.
+ * \param ctx The generic cipher context. This must be initialized and
+ * and bound to a key.
* \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * This must be a readable buffer of at least \p iv_len
+ * Bytes.
* \param iv_len The IV length for ciphers with variable-size IV.
* This parameter is discarded by ciphers with fixed-size IV.
- * \param ad The additional data to be authenticated.
+ * \param ad The additional data to be authenticated. This must be a
+ * readable buffer of at least \p ad_len Bytes.
* \param ad_len The length of \p ad.
- * \param input The buffer holding the input data.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes.
* \param ilen The length of the input data.
* \param output The buffer for the output data.
- * Must be able to hold at least \p ilen.
+ * This must be able to hold at least \p ilen Bytes.
* \param olen The length of the output data, to be updated with the
- * actual number of Bytes written.
- * \param tag The buffer holding the authentication tag.
+ * actual number of Bytes written. This must not be
+ * \c NULL.
+ * \param tag The buffer holding the authentication tag. This must be
+ * a readable buffer of at least \p tag_len Bytes.
* \param tag_len The length of the authentication tag.
*
* \return \c 0 on success.
diff --git a/thirdparty/mbedtls/include/mbedtls/cmac.h b/thirdparty/mbedtls/include/mbedtls/cmac.h
index a4fd552565..c196793531 100644
--- a/thirdparty/mbedtls/include/mbedtls/cmac.h
+++ b/thirdparty/mbedtls/include/mbedtls/cmac.h
@@ -34,6 +34,7 @@
extern "C" {
#endif
+/* MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A /**< CMAC hardware accelerator failed. */
#define MBEDTLS_AES_BLOCK_SIZE 16
diff --git a/thirdparty/mbedtls/include/mbedtls/config.h b/thirdparty/mbedtls/include/mbedtls/config.h
index 6daa8d103b..51d66291a5 100644
--- a/thirdparty/mbedtls/include/mbedtls/config.h
+++ b/thirdparty/mbedtls/include/mbedtls/config.h
@@ -137,12 +137,21 @@
/**
* \def MBEDTLS_HAVE_TIME_DATE
*
- * System has time.h and time(), gmtime() and the clock is correct.
+ * System has time.h, time(), and an implementation for
+ * mbedtls_platform_gmtime_r() (see below).
* The time needs to be correct (not necesarily very accurate, but at least
* the date should be correct). This is used to verify the validity period of
* X.509 certificates.
*
* Comment if your system does not have a correct clock.
+ *
+ * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
+ * behaves similarly to the gmtime_r() function from the C standard. Refer to
+ * the documentation for mbedtls_platform_gmtime_r() for more information.
+ *
+ * \note It is possible to configure an implementation for
+ * mbedtls_platform_gmtime_r() at compile-time by using the macro
+ * MBEDTLS_PLATFORM_GMTIME_R_ALT.
*/
#define MBEDTLS_HAVE_TIME_DATE
@@ -247,6 +256,48 @@
*/
//#define MBEDTLS_DEPRECATED_REMOVED
+/**
+ * \def MBEDTLS_CHECK_PARAMS
+ *
+ * This configuration option controls whether the library validates more of
+ * the parameters passed to it.
+ *
+ * When this flag is not defined, the library only attempts to validate an
+ * input parameter if: (1) they may come from the outside world (such as the
+ * network, the filesystem, etc.) or (2) not validating them could result in
+ * internal memory errors such as overflowing a buffer controlled by the
+ * library. On the other hand, it doesn't attempt to validate parameters whose
+ * values are fully controlled by the application (such as pointers).
+ *
+ * When this flag is defined, the library additionally attempts to validate
+ * parameters that are fully controlled by the application, and should always
+ * be valid if the application code is fully correct and trusted.
+ *
+ * For example, when a function accepts as input a pointer to a buffer that may
+ * contain untrusted data, and its documentation mentions that this pointer
+ * must not be NULL:
+ * - the pointer is checked to be non-NULL only if this option is enabled
+ * - the content of the buffer is always validated
+ *
+ * When this flag is defined, if a library function receives a parameter that
+ * is invalid, it will:
+ * - invoke the macro MBEDTLS_PARAM_FAILED() which by default expands to a
+ * call to the function mbedtls_param_failed()
+ * - immediately return (with a specific error code unless the function
+ * returns void and can't communicate an error).
+ *
+ * When defining this flag, you also need to:
+ * - either provide a definition of the function mbedtls_param_failed() in
+ * your application (see platform_util.h for its prototype) as the library
+ * calls that function, but does not provide a default definition for it,
+ * - or provide a different definition of the macro MBEDTLS_PARAM_FAILED()
+ * below if the above mechanism is not flexible enough to suit your needs.
+ * See the documentation of this macro later in this file.
+ *
+ * Uncomment to enable validation of application-controlled parameters.
+ */
+//#define MBEDTLS_CHECK_PARAMS
+
/* \} name SECTION: System support */
/**
@@ -405,11 +456,11 @@
* unsigned char mbedtls_internal_ecp_grp_capable(
* const mbedtls_ecp_group *grp )
* int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
- * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
+ * void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
* The mbedtls_internal_ecp_grp_capable function should return 1 if the
* replacement functions implement arithmetic for the given group and 0
* otherwise.
- * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
+ * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
* called before and after each point operation and provide an opportunity to
* implement optimized set up and tear down instructions.
*
@@ -669,6 +720,30 @@
#define MBEDTLS_ECP_NIST_OPTIM
/**
+ * \def MBEDTLS_ECP_RESTARTABLE
+ *
+ * Enable "non-blocking" ECC operations that can return early and be resumed.
+ *
+ * This allows various functions to pause by returning
+ * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in
+ * order to further progress and eventually complete their operation. This is
+ * controlled through mbedtls_ecp_set_max_ops() which limits the maximum
+ * number of ECC operations a function may perform before pausing; see
+ * mbedtls_ecp_set_max_ops() for more information.
+ *
+ * This is useful in non-threaded environments if you want to avoid blocking
+ * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
+ *
+ * Uncomment this macro to enable restartable ECC computations.
+ *
+ * \note This option only works with the default software implementation of
+ * elliptic curve functionality. It is incompatible with
+ * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT and MBEDTLS_ECDSA_XXX_ALT.
+ */
+//#define MBEDTLS_ECP_RESTARTABLE
+
+/**
* \def MBEDTLS_ECDSA_DETERMINISTIC
*
* Enable deterministic ECDSA (RFC 6979).
@@ -1279,7 +1354,7 @@
/**
* \def MBEDTLS_SSL_RENEGOTIATION
*
- * Disable support for TLS renegotiation.
+ * Enable support for TLS renegotiation.
*
* The two main uses of renegotiation are (1) refresh keys on long-lived
* connections and (2) client authentication after the initial handshake.
@@ -2018,14 +2093,16 @@
/**
* \def MBEDTLS_CTR_DRBG_C
*
- * Enable the CTR_DRBG AES-256-based random generator.
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
*
* Module: library/ctr_drbg.c
* Caller:
*
* Requires: MBEDTLS_AES_C
*
- * This module provides the CTR_DRBG AES-256 random number generator.
+ * This module provides the CTR_DRBG AES random number generator.
*/
#define MBEDTLS_CTR_DRBG_C
@@ -2389,6 +2466,22 @@
#define MBEDTLS_OID_C
/**
+ * \def MBEDTLS_PADLOCK_C
+ *
+ * Enable VIA Padlock support on x86.
+ *
+ * Module: library/padlock.c
+ * Caller: library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This modules adds support for the VIA PadLock on x86.
+ */
+// -- GODOT start --
+// #define MBEDTLS_PADLOCK_C
+// -- GODOT end --
+
+/**
* \def MBEDTLS_PEM_PARSE_C
*
* Enable PEM decoding / parsing.
@@ -2896,6 +2989,7 @@
//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
+//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY /**< Use 128-bit key for CTR_DRBG - may reduce security (see ctr_drbg.h) */
/* HMAC_DRBG options */
//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
@@ -2946,6 +3040,36 @@
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
+/**
+ * \brief This macro is invoked by the library when an invalid parameter
+ * is detected that is only checked with MBEDTLS_CHECK_PARAMS
+ * (see the documentation of that option for context).
+ *
+ * When you leave this undefined here, a default definition is
+ * provided that invokes the function mbedtls_param_failed(),
+ * which is declared in platform_util.h for the benefit of the
+ * library, but that you need to define in your application.
+ *
+ * When you define this here, this replaces the default
+ * definition in platform_util.h (which no longer declares the
+ * function mbedtls_param_failed()) and it is your responsibility
+ * to make sure this macro expands to something suitable (in
+ * particular, that all the necessary declarations are visible
+ * from within the library - you can ensure that by providing
+ * them in this file next to the macro definition).
+ *
+ * Note that you may define this macro to expand to nothing, in
+ * which case you don't have to worry about declarations or
+ * definitions. However, you will then be notified about invalid
+ * parameters only in non-void functions, and void function will
+ * just silently return early on invalid parameters, which
+ * partially negates the benefits of enabling
+ * #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged.
+ *
+ * \param cond The expression that should evaluate to true, but doesn't.
+ */
+//#define MBEDTLS_PARAM_FAILED( cond ) assert( cond )
+
/* SSL Cache options */
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
@@ -2954,31 +3078,65 @@
/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
*
- * Maximum fragment length in bytes.
+ * Maximum length (in bytes) of incoming and outgoing plaintext fragments.
+ *
+ * This determines the size of both the incoming and outgoing TLS I/O buffers
+ * in such a way that both are capable of holding the specified amount of
+ * plaintext data, regardless of the protection mechanism used.
*
- * Determines the size of both the incoming and outgoing TLS I/O buffers.
+ * To configure incoming and outgoing I/O buffers separately, use
+ * #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN,
+ * which overwrite the value set by this option.
*
- * Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN
- * will override this length by setting maximum incoming and/or outgoing
- * fragment length, respectively.
+ * \note When using a value less than the default of 16KB on the client, it is
+ * recommended to use the Maximum Fragment Length (MFL) extension to
+ * inform the server about this limitation. On the server, there
+ * is no supported, standardized way of informing the client about
+ * restriction on the maximum size of incoming messages, and unless
+ * the limitation has been communicated by other means, it is recommended
+ * to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ * while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of both
+ * incoming and outgoing I/O buffers.
*/
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
/** \def MBEDTLS_SSL_IN_CONTENT_LEN
*
- * Maximum incoming fragment length in bytes.
+ * Maximum length (in bytes) of incoming plaintext fragments.
+ *
+ * This determines the size of the incoming TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option is undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ * recommended to use the Maximum Fragment Length (MFL) extension to
+ * inform the server about this limitation. On the server, there
+ * is no supported, standardized way of informing the client about
+ * restriction on the maximum size of incoming messages, and unless
+ * the limitation has been communicated by other means, it is recommended
+ * to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ * while keeping the default value of 16KB for the incoming buffer.
*
- * Uncomment to set the size of the inward TLS buffer independently of the
- * outward buffer.
+ * Uncomment to set the maximum plaintext size of the incoming I/O buffer
+ * independently of the outgoing I/O buffer.
*/
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
*
- * Maximum outgoing fragment length in bytes.
+ * Maximum length (in bytes) of outgoing plaintext fragments.
*
- * Uncomment to set the size of the outward TLS buffer independently of the
- * inward buffer.
+ * This determines the size of the outgoing TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
*
* It is possible to save RAM by setting a smaller outward buffer, while keeping
* the default inward 16384 byte buffer to conform to the TLS specification.
@@ -2988,14 +3146,28 @@
* The specific size requirement depends on the configured ciphers and any
* certificate data which is sent during the handshake.
*
- * For absolute minimum RAM usage, it's best to enable
- * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
- * reduces both incoming and outgoing buffer sizes. However this is only
- * guaranteed if the other end of the connection also supports the TLS
- * max_fragment_len extension. Otherwise the connection may fail.
+ * Uncomment to set the maximum plaintext size of the outgoing I/O buffer
+ * independently of the incoming I/O buffer.
*/
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
+/** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING
+ *
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ *
+ * This should be at least 9/8 * MBEDTLSSL_IN_CONTENT_LEN
+ * to account for a reassembled handshake message of maximum size,
+ * together with its reassembly bitmap.
+ *
+ * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default)
+ * should be sufficient for all practical situations as it allows
+ * to reassembly a large handshake message (such as a certificate)
+ * while buffering multiple smaller handshake messages.
+ *
+ */
+//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
+
//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
@@ -3069,25 +3241,33 @@
*/
//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
-/* \} name SECTION: Customisation configuration options */
-
-/* Target and application specific configurations */
-//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
+/**
+ * Uncomment the macro to let Mbed TLS use your alternate implementation of
+ * mbedtls_platform_gmtime_r(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * gmtime() is not a thread-safe function as defined in the C standard. The
+ * library will try to use safer implementations of this function, such as
+ * gmtime_r() when available. However, if Mbed TLS cannot identify the target
+ * system, the implementation of mbedtls_platform_gmtime_r() will default to
+ * using the standard gmtime(). In this case, calls from the library to
+ * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex
+ * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the
+ * library are also guarded with this mutex to avoid race conditions. However,
+ * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will
+ * unconditionally use the implementation for mbedtls_platform_gmtime_r()
+ * supplied at compile time.
+ */
+//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
-#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
-#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
-#endif
+/* \} name SECTION: Customisation configuration options */
-/*
+/* Target and application specific configurations
+ *
* Allow user to override any previous default.
*
- * Use two macro names for that, as:
- * - with yotta the prefix YOTTA_CFG_ is forced
- * - without yotta is looks weird to have a YOTTA prefix.
*/
-#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
-#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
-#elif defined(MBEDTLS_USER_CONFIG_FILE)
+#if defined(MBEDTLS_USER_CONFIG_FILE)
#include MBEDTLS_USER_CONFIG_FILE
#endif
diff --git a/thirdparty/mbedtls/include/mbedtls/ctr_drbg.h b/thirdparty/mbedtls/include/mbedtls/ctr_drbg.h
index 3835d7299b..10f9389d9f 100644
--- a/thirdparty/mbedtls/include/mbedtls/ctr_drbg.h
+++ b/thirdparty/mbedtls/include/mbedtls/ctr_drbg.h
@@ -8,8 +8,11 @@
* Recommendation for Random Number Generation Using Deterministic Random
* Bit Generators</em>.
*
- * The Mbed TLS implementation of CTR_DRBG uses AES-256 as the underlying
- * block cipher.
+ * The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
+ * as the underlying block cipher.
+ *
+ * \warning Using 128-bit keys for CTR_DRBG limits the security of generated
+ * keys and operations that use random values generated to 128-bit security.
*/
/*
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
@@ -45,7 +48,13 @@
#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR -0x003A /**< Read or write error in file. */
#define MBEDTLS_CTR_DRBG_BLOCKSIZE 16 /**< The block size used by the cipher. */
-#define MBEDTLS_CTR_DRBG_KEYSIZE 32 /**< The key size used by the cipher. */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+#define MBEDTLS_CTR_DRBG_KEYSIZE 16 /**< The key size used by the cipher (compile-time choice: 128 bits). */
+#else
+#define MBEDTLS_CTR_DRBG_KEYSIZE 32 /**< The key size used by the cipher (compile-time choice: 256 bits). */
+#endif
+
#define MBEDTLS_CTR_DRBG_KEYBITS ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) /**< The key size for the DRBG operation, in bits. */
#define MBEDTLS_CTR_DRBG_SEEDLEN ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) /**< The seed length, calculated as (counter + AES key). */
@@ -108,7 +117,7 @@ extern "C" {
/**
* \brief The CTR_DRBG context structure.
*/
-typedef struct
+typedef struct mbedtls_ctr_drbg_context
{
unsigned char counter[16]; /*!< The counter (V). */
int reseed_counter; /*!< The reseed counter. */
@@ -230,18 +239,20 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
/**
* \brief This function updates the state of the CTR_DRBG context.
*
- * \note If \p add_len is greater than
- * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
- * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
- * The remaining Bytes are silently discarded.
- *
* \param ctx The CTR_DRBG context.
* \param additional The data to update the state with.
- * \param add_len Length of \p additional data.
- *
+ * \param add_len Length of \p additional in bytes. This must be at
+ * most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
+ * \p add_len is more than
+ * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return An error from the underlying AES cipher on failure.
*/
-void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
- const unsigned char *additional, size_t add_len );
+int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t add_len );
/**
* \brief This function updates a CTR_DRBG instance with additional
@@ -281,6 +292,35 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
int mbedtls_ctr_drbg_random( void *p_rng,
unsigned char *output, size_t output_len );
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief This function updates the state of the CTR_DRBG context.
+ *
+ * \deprecated Superseded by mbedtls_ctr_drbg_update_ret()
+ * in 2.16.0.
+ *
+ * \note If \p add_len is greater than
+ * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
+ * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
+ * The remaining Bytes are silently discarded.
+ *
+ * \param ctx The CTR_DRBG context.
+ * \param additional The data to update the state with.
+ * \param add_len Length of \p additional data.
+ */
+MBEDTLS_DEPRECATED void mbedtls_ctr_drbg_update(
+ mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t add_len );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
#if defined(MBEDTLS_FS_IO)
/**
* \brief This function writes a seed file.
diff --git a/thirdparty/mbedtls/include/mbedtls/debug.h b/thirdparty/mbedtls/include/mbedtls/debug.h
index ef8db67ff1..736444bb76 100644
--- a/thirdparty/mbedtls/include/mbedtls/debug.h
+++ b/thirdparty/mbedtls/include/mbedtls/debug.h
@@ -65,6 +65,11 @@
mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
#endif
+#if defined(MBEDTLS_ECDH_C)
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr ) \
+ mbedtls_debug_printf_ecdh( ssl, level, __FILE__, __LINE__, ecdh, attr )
+#endif
+
#else /* MBEDTLS_DEBUG_C */
#define MBEDTLS_SSL_DEBUG_MSG( level, args ) do { } while( 0 )
@@ -73,6 +78,7 @@
#define MBEDTLS_SSL_DEBUG_MPI( level, text, X ) do { } while( 0 )
#define MBEDTLS_SSL_DEBUG_ECP( level, text, X ) do { } while( 0 )
#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt ) do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr ) do { } while( 0 )
#endif /* MBEDTLS_DEBUG_C */
@@ -221,6 +227,36 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
const char *text, const mbedtls_x509_crt *crt );
#endif
+#if defined(MBEDTLS_ECDH_C)
+typedef enum
+{
+ MBEDTLS_DEBUG_ECDH_Q,
+ MBEDTLS_DEBUG_ECDH_QP,
+ MBEDTLS_DEBUG_ECDH_Z,
+} mbedtls_debug_ecdh_attr;
+
+/**
+ * \brief Print a field of the ECDH structure in the SSL context to the debug
+ * output. This function is always used through the
+ * MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
+ * and line number parameters.
+ *
+ * \param ssl SSL context
+ * \param level error level of the debug message
+ * \param file file the error has occurred in
+ * \param line line number the error has occurred in
+ * \param ecdh the ECDH context
+ * \param attr the identifier of the attribute being output
+ *
+ * \attention This function is intended for INTERNAL usage within the
+ * library only.
+ */
+void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
+ const char *file, int line,
+ const mbedtls_ecdh_context *ecdh,
+ mbedtls_debug_ecdh_attr attr );
+#endif
+
#ifdef __cplusplus
}
#endif
diff --git a/thirdparty/mbedtls/include/mbedtls/des.h b/thirdparty/mbedtls/include/mbedtls/des.h
index 6eb7d03bae..d62042d14e 100644
--- a/thirdparty/mbedtls/include/mbedtls/des.h
+++ b/thirdparty/mbedtls/include/mbedtls/des.h
@@ -42,6 +42,8 @@
#define MBEDTLS_DES_DECRYPT 0
#define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH -0x0032 /**< The data input has an invalid length. */
+
+/* MBEDTLS_ERR_DES_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_DES_HW_ACCEL_FAILED -0x0033 /**< DES hardware accelerator failed. */
#define MBEDTLS_DES_KEY_SIZE 8
@@ -61,7 +63,7 @@ extern "C" {
* security risk. We recommend considering stronger ciphers
* instead.
*/
-typedef struct
+typedef struct mbedtls_des_context
{
uint32_t sk[32]; /*!< DES subkeys */
}
@@ -70,7 +72,7 @@ mbedtls_des_context;
/**
* \brief Triple-DES context structure
*/
-typedef struct
+typedef struct mbedtls_des3_context
{
uint32_t sk[96]; /*!< 3DES subkeys */
}
diff --git a/thirdparty/mbedtls/include/mbedtls/dhm.h b/thirdparty/mbedtls/include/mbedtls/dhm.h
index 75317a8e6d..a5452c199a 100644
--- a/thirdparty/mbedtls/include/mbedtls/dhm.h
+++ b/thirdparty/mbedtls/include/mbedtls/dhm.h
@@ -84,7 +84,10 @@
#define MBEDTLS_ERR_DHM_INVALID_FORMAT -0x3380 /**< The ASN.1 data is not formatted correctly. */
#define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400 /**< Allocation of memory failed. */
#define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read or write of file failed. */
+
+/* MBEDTLS_ERR_DHM_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED -0x3500 /**< DHM hardware accelerator failed. */
+
#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED -0x3580 /**< Setting the modulus and generator failed. */
#ifdef __cplusplus
@@ -96,7 +99,7 @@ extern "C" {
/**
* \brief The DHM context structure.
*/
-typedef struct
+typedef struct mbedtls_dhm_context
{
size_t len; /*!< The size of \p P in Bytes. */
mbedtls_mpi P; /*!< The prime modulus. */
@@ -124,9 +127,15 @@ mbedtls_dhm_context;
void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
/**
- * \brief This function parses the ServerKeyExchange parameters.
+ * \brief This function parses the DHM parameters in a
+ * TLS ServerKeyExchange handshake message
+ * (DHM modulus, generator, and public key).
*
- * \param ctx The DHM context.
+ * \note In a TLS handshake, this is the how the client
+ * sets up its DHM context from the server's public
+ * DHM key material.
+ *
+ * \param ctx The DHM context to use. This must be initialized.
* \param p On input, *p must be the start of the input buffer.
* On output, *p is updated to point to the end of the data
* that has been read. On success, this is the first byte
@@ -140,31 +149,37 @@ void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
* \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
*/
int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
- unsigned char **p,
- const unsigned char *end );
+ unsigned char **p,
+ const unsigned char *end );
/**
- * \brief This function sets up and writes the ServerKeyExchange
- * parameters.
- *
- * \note The destination buffer must be large enough to hold
- * the reduced binary presentation of the modulus, the generator
- * and the public key, each wrapped with a 2-byte length field.
- * It is the responsibility of the caller to ensure that enough
- * space is available. Refer to \c mbedtls_mpi_size to computing
- * the byte-size of an MPI.
+ * \brief This function generates a DHM key pair and exports its
+ * public part together with the DHM parameters in the format
+ * used in a TLS ServerKeyExchange handshake message.
*
- * \note This function assumes that \c ctx->P and \c ctx->G
- * have already been properly set. For that, use
+ * \note This function assumes that the DHM parameters \c ctx->P
+ * and \c ctx->G have already been properly set. For that, use
* mbedtls_dhm_set_group() below in conjunction with
* mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
*
- * \param ctx The DHM context.
+ * \note In a TLS handshake, this is the how the server generates
+ * and exports its DHM key material.
+ *
+ * \param ctx The DHM context to use. This must be initialized
+ * and have the DHM parameters set. It may or may not
+ * already have imported the peer's public key.
* \param x_size The private key size in Bytes.
- * \param olen The number of characters written.
- * \param output The destination buffer.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param olen The address at which to store the number of Bytes
+ * written on success. This must not be \c NULL.
+ * \param output The destination buffer. This must be a writable buffer of
+ * sufficient size to hold the reduced binary presentation of
+ * the modulus, the generator and the public key, each wrapped
+ * with a 2-byte length field. It is the responsibility of the
+ * caller to ensure that enough space is available. Refer to
+ * mbedtls_mpi_size() to computing the byte-size of an MPI.
+ * \param f_rng The RNG function. Must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
@@ -177,12 +192,14 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
/**
* \brief This function sets the prime modulus and generator.
*
- * \note This function can be used to set \p P, \p G
+ * \note This function can be used to set \c ctx->P, \c ctx->G
* in preparation for mbedtls_dhm_make_params().
*
- * \param ctx The DHM context.
- * \param P The MPI holding the DHM prime modulus.
- * \param G The MPI holding the DHM generator.
+ * \param ctx The DHM context to configure. This must be initialized.
+ * \param P The MPI holding the DHM prime modulus. This must be
+ * an initialized MPI.
+ * \param G The MPI holding the DHM generator. This must be an
+ * initialized MPI.
*
* \return \c 0 if successful.
* \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
@@ -192,11 +209,17 @@ int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
const mbedtls_mpi *G );
/**
- * \brief This function imports the public value of the peer, G^Y.
+ * \brief This function imports the raw public value of the peer.
+ *
+ * \note In a TLS handshake, this is the how the server imports
+ * the Client's public DHM key.
*
- * \param ctx The DHM context.
- * \param input The input buffer containing the G^Y value of the peer.
- * \param ilen The size of the input buffer.
+ * \param ctx The DHM context to use. This must be initialized and have
+ * its DHM parameters set, e.g. via mbedtls_dhm_set_group().
+ * It may or may not already have generated its own private key.
+ * \param input The input buffer containing the \c G^Y value of the peer.
+ * This must be a readable buffer of size \p ilen Bytes.
+ * \param ilen The size of the input buffer \p input in Bytes.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
@@ -205,21 +228,25 @@ int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
const unsigned char *input, size_t ilen );
/**
- * \brief This function creates its own private key, \c X, and
- * exports \c G^X.
+ * \brief This function creates a DHM key pair and exports
+ * the raw public key in big-endian format.
*
* \note The destination buffer is always fully written
* so as to contain a big-endian representation of G^X mod P.
- * If it is larger than ctx->len, it is padded accordingly
+ * If it is larger than \c ctx->len, it is padded accordingly
* with zero-bytes at the beginning.
*
- * \param ctx The DHM context.
+ * \param ctx The DHM context to use. This must be initialized and
+ * have the DHM parameters set. It may or may not already
+ * have imported the peer's public key.
* \param x_size The private key size in Bytes.
- * \param output The destination buffer.
- * \param olen The length of the destination buffer. Must be at least
- * equal to ctx->len (the size of \c P).
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param output The destination buffer. This must be a writable buffer of
+ * size \p olen Bytes.
+ * \param olen The length of the destination buffer. This must be at least
+ * equal to `ctx->len` (the size of \c P).
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng doesn't need a context argument.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
@@ -230,22 +257,27 @@ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
void *p_rng );
/**
- * \brief This function derives and exports the shared secret
- * \c (G^Y)^X mod \c P.
+ * \brief This function derives and exports the shared secret
+ * \c (G^Y)^X mod \c P.
*
- * \note If \p f_rng is not NULL, it is used to blind the input as
- * a countermeasure against timing attacks. Blinding is used
- * only if our private key \c X is re-used, and not used
- * otherwise. We recommend always passing a non-NULL
- * \p f_rng argument.
+ * \note If \p f_rng is not \c NULL, it is used to blind the input as
+ * a countermeasure against timing attacks. Blinding is used
+ * only if our private key \c X is re-used, and not used
+ * otherwise. We recommend always passing a non-NULL
+ * \p f_rng argument.
*
- * \param ctx The DHM context.
- * \param output The destination buffer.
- * \param output_size The size of the destination buffer. Must be at least
- * the size of ctx->len (the size of \c P).
+ * \param ctx The DHM context to use. This must be initialized
+ * and have its own private key generated and the peer's
+ * public key imported.
+ * \param output The buffer to write the generated shared key to. This
+ * must be a writable buffer of size \p output_size Bytes.
+ * \param output_size The size of the destination buffer. This must be at
+ * least the size of \c ctx->len (the size of \c P).
* \param olen On exit, holds the actual number of Bytes written.
- * \param f_rng The RNG function, for blinding purposes.
- * \param p_rng The RNG context.
+ * \param f_rng The RNG function, for blinding purposes. This may
+ * b \c NULL if blinding isn't needed.
+ * \param p_rng The RNG context. This may be \c NULL if \p f_rng
+ * doesn't need a context argument.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_DHM_XXX error code on failure.
@@ -256,9 +288,12 @@ int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
void *p_rng );
/**
- * \brief This function frees and clears the components of a DHM context.
+ * \brief This function frees and clears the components
+ * of a DHM context.
*
- * \param ctx The DHM context to free and clear.
+ * \param ctx The DHM context to free and clear. This may be \c NULL,
+ * in which case this function is a no-op. If it is not \c NULL,
+ * it must point to an initialized DHM context.
*/
void mbedtls_dhm_free( mbedtls_dhm_context *ctx );
@@ -267,17 +302,19 @@ void mbedtls_dhm_free( mbedtls_dhm_context *ctx );
/**
* \brief This function parses DHM parameters in PEM or DER format.
*
- * \param dhm The DHM context to initialize.
- * \param dhmin The input buffer.
- * \param dhminlen The size of the buffer, including the terminating null
- * Byte for PEM data.
+ * \param dhm The DHM context to import the DHM parameters into.
+ * This must be initialized.
+ * \param dhmin The input buffer. This must be a readable buffer of
+ * length \p dhminlen Bytes.
+ * \param dhminlen The size of the input buffer \p dhmin, including the
+ * terminating \c NULL Byte for PEM data.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error code
- * error code on failure.
+ * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error
+ * code on failure.
*/
int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
- size_t dhminlen );
+ size_t dhminlen );
#if defined(MBEDTLS_FS_IO)
/** \ingroup x509_module */
@@ -285,11 +322,13 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
* \brief This function loads and parses DHM parameters from a file.
*
* \param dhm The DHM context to load the parameters to.
+ * This must be initialized.
* \param path The filename to read the DHM parameters from.
+ * This must not be \c NULL.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error code
- * error code on failure.
+ * \return An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX
+ * error code on failure.
*/
int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path );
#endif /* MBEDTLS_FS_IO */
@@ -350,15 +389,6 @@ int mbedtls_dhm_self_test( int verbose );
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED __attribute__((deprecated))
-MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_constant_t;
-#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) \
- ( (mbedtls_deprecated_constant_t) ( VAL ) )
-#else
-#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
-#endif /* ! MBEDTLS_DEPRECATED_WARNING */
-
/**
* \warning The origin of the primes in RFC 5114 is not documented and
* their use therefore constitutes a security risk!
diff --git a/thirdparty/mbedtls/include/mbedtls/ecdh.h b/thirdparty/mbedtls/include/mbedtls/ecdh.h
index 5fdf55a88a..05b2b03970 100644
--- a/thirdparty/mbedtls/include/mbedtls/ecdh.h
+++ b/thirdparty/mbedtls/include/mbedtls/ecdh.h
@@ -36,6 +36,18 @@
#include "ecp.h"
+/*
+ * Use a backward compatible ECDH context.
+ *
+ * This flag is always enabled for now and future versions might add a
+ * configuration option that conditionally undefines this flag.
+ * The configuration option in question may have a different name.
+ *
+ * Features undefining this flag, must have a warning in their description in
+ * config.h stating that the feature breaks backward compatibility.
+ */
+#define MBEDTLS_ECDH_LEGACY_CONTEXT
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -49,11 +61,49 @@ typedef enum
MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
} mbedtls_ecdh_side;
+#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+/**
+ * Defines the ECDH implementation used.
+ *
+ * Later versions of the library may add new variants, therefore users should
+ * not make any assumptions about them.
+ */
+typedef enum
+{
+ MBEDTLS_ECDH_VARIANT_NONE = 0, /*!< Implementation not defined. */
+ MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
+} mbedtls_ecdh_variant;
+
+/**
+ * The context used by the default ECDH implementation.
+ *
+ * Later versions might change the structure of this context, therefore users
+ * should not make any assumptions about the structure of
+ * mbedtls_ecdh_context_mbed.
+ */
+typedef struct mbedtls_ecdh_context_mbed
+{
+ mbedtls_ecp_group grp; /*!< The elliptic curve used. */
+ mbedtls_mpi d; /*!< The private key. */
+ mbedtls_ecp_point Q; /*!< The public key. */
+ mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */
+ mbedtls_mpi z; /*!< The shared secret. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif
+} mbedtls_ecdh_context_mbed;
+#endif
+
/**
+ *
+ * \warning Performing multiple operations concurrently on the same
+ * ECDSA context is not supported; objects of this type
+ * should not be shared between multiple threads.
* \brief The ECDH context structure.
*/
-typedef struct
+typedef struct mbedtls_ecdh_context
{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
mbedtls_ecp_group grp; /*!< The elliptic curve used. */
mbedtls_mpi d; /*!< The private key. */
mbedtls_ecp_point Q; /*!< The public key. */
@@ -63,6 +113,29 @@ typedef struct
mbedtls_ecp_point Vi; /*!< The blinding value. */
mbedtls_ecp_point Vf; /*!< The unblinding value. */
mbedtls_mpi _d; /*!< The previous \p d. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ int restart_enabled; /*!< The flag for restartable mode. */
+ mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#else
+ uint8_t point_format; /*!< The format of point export in TLS messages
+ as defined in RFC 4492. */
+ mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */
+ mbedtls_ecdh_variant var; /*!< The ECDH implementation/structure used. */
+ union
+ {
+ mbedtls_ecdh_context_mbed mbed_ecdh;
+ } ctx; /*!< Implementation-specific context. The
+ context in use is specified by the \c var
+ field. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ uint8_t restart_enabled; /*!< The flag for restartable mode. Functions of
+ an alternative implementation not supporting
+ restartable mode must return
+ MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
+ if this flag is set. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
}
mbedtls_ecdh_context;
@@ -76,16 +149,20 @@ mbedtls_ecdh_context;
*
* \see ecp.h
*
- * \param grp The ECP group.
+ * \param grp The ECP group to use. This must be initialized and have
+ * domain parameters loaded, for example through
+ * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
* \param d The destination MPI (private key).
+ * This must be initialized.
* \param Q The destination point (public key).
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * This must be initialized.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL in case \p f_rng doesn't need a context argument.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX or
+ * \return Another \c MBEDTLS_ERR_ECP_XXX or
* \c MBEDTLS_MPI_XXX error code on failure.
- *
*/
int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
int (*f_rng)(void *, unsigned char *, size_t),
@@ -104,15 +181,25 @@ int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp
* countermeasures against side-channel attacks.
* For more information, see mbedtls_ecp_mul().
*
- * \param grp The ECP group.
+ * \param grp The ECP group to use. This must be initialized and have
+ * domain parameters loaded, for example through
+ * mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
* \param z The destination MPI (shared secret).
+ * This must be initialized.
* \param Q The public key from another party.
+ * This must be initialized.
* \param d Our secret exponent (private key).
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * This must be initialized.
+ * \param f_rng The RNG function. This may be \c NULL if randomization
+ * of intermediate results during the ECP computations is
+ * not needed (discouraged). See the documentation of
+ * mbedtls_ecp_mul() for more.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't need a
+ * context argument.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX or
+ * \return Another \c MBEDTLS_ERR_ECP_XXX or
* \c MBEDTLS_MPI_XXX error code on failure.
*/
int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
@@ -123,39 +210,62 @@ int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
/**
* \brief This function initializes an ECDH context.
*
- * \param ctx The ECDH context to initialize.
+ * \param ctx The ECDH context to initialize. This must not be \c NULL.
*/
void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx );
/**
+ * \brief This function sets up the ECDH context with the information
+ * given.
+ *
+ * This function should be called after mbedtls_ecdh_init() but
+ * before mbedtls_ecdh_make_params(). There is no need to call
+ * this function before mbedtls_ecdh_read_params().
+ *
+ * This is the first function used by a TLS server for ECDHE
+ * ciphersuites.
+ *
+ * \param ctx The ECDH context to set up. This must be initialized.
+ * \param grp_id The group id of the group to set up the context for.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx,
+ mbedtls_ecp_group_id grp_id );
+
+/**
* \brief This function frees a context.
*
- * \param ctx The context to free.
+ * \param ctx The context to free. This may be \c NULL, in which
+ * case this function does nothing. If it is not \c NULL,
+ * it must point to an initialized ECDH context.
*/
void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );
/**
- * \brief This function generates a public key and a TLS
- * ServerKeyExchange payload.
- *
- * This is the first function used by a TLS server for ECDHE
- * ciphersuites.
+ * \brief This function generates an EC key pair and exports its
+ * in the format used in a TLS ServerKeyExchange handshake
+ * message.
*
- * \note This function assumes that the ECP group (grp) of the
- * \p ctx context has already been properly set,
- * for example, using mbedtls_ecp_group_load().
+ * This is the second function used by a TLS server for ECDHE
+ * ciphersuites. (It is called after mbedtls_ecdh_setup().)
*
* \see ecp.h
*
- * \param ctx The ECDH context.
- * \param olen The number of characters written.
- * \param buf The destination buffer.
- * \param blen The length of the destination buffer.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param ctx The ECDH context to use. This must be initialized
+ * and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param olen The address at which to store the number of Bytes written.
+ * \param buf The destination buffer. This must be a writable buffer of
+ * length \p blen Bytes.
+ * \param blen The length of the destination buffer \p buf in Bytes.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL in case \p f_rng doesn't need a context argument.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
*/
int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
@@ -163,24 +273,32 @@ int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
void *p_rng );
/**
- * \brief This function parses and processes a TLS ServerKeyExhange
- * payload.
+ * \brief This function parses the ECDHE parameters in a
+ * TLS ServerKeyExchange handshake message.
*
- * This is the first function used by a TLS client for ECDHE
- * ciphersuites.
+ * \note In a TLS handshake, this is the how the client
+ * sets up its ECDHE context from the server's public
+ * ECDHE key material.
*
* \see ecp.h
*
- * \param ctx The ECDH context.
- * \param buf The pointer to the start of the input buffer.
- * \param end The address for one Byte past the end of the buffer.
+ * \param ctx The ECDHE context to use. This must be initialized.
+ * \param buf On input, \c *buf must be the start of the input buffer.
+ * On output, \c *buf is updated to point to the end of the
+ * data that has been read. On success, this is the first byte
+ * past the end of the ServerKeyExchange parameters.
+ * On error, this is the point at which an error has been
+ * detected, which is usually not useful except to debug
+ * failures.
+ * \param end The end of the input buffer.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
*
*/
int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
- const unsigned char **buf, const unsigned char *end );
+ const unsigned char **buf,
+ const unsigned char *end );
/**
* \brief This function sets up an ECDH context from an EC key.
@@ -191,36 +309,45 @@ int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
*
* \see ecp.h
*
- * \param ctx The ECDH context to set up.
- * \param key The EC key to use.
- * \param side Defines the source of the key: 1: Our key, or
- * 0: The key of the peer.
+ * \param ctx The ECDH context to set up. This must be initialized.
+ * \param key The EC key to use. This must be initialized.
+ * \param side Defines the source of the key. Possible values are:
+ * - #MBEDTLS_ECDH_OURS: The key is ours.
+ * - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
*
*/
-int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key,
- mbedtls_ecdh_side side );
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
+ const mbedtls_ecp_keypair *key,
+ mbedtls_ecdh_side side );
/**
- * \brief This function generates a public key and a TLS
- * ClientKeyExchange payload.
+ * \brief This function generates a public key and exports it
+ * as a TLS ClientKeyExchange payload.
*
* This is the second function used by a TLS client for ECDH(E)
* ciphersuites.
*
* \see ecp.h
*
- * \param ctx The ECDH context.
- * \param olen The number of Bytes written.
- * \param buf The destination buffer.
- * \param blen The size of the destination buffer.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param ctx The ECDH context to use. This must be initialized
+ * and bound to a group, the latter usually by
+ * mbedtls_ecdh_read_params().
+ * \param olen The address at which to store the number of Bytes written.
+ * This must not be \c NULL.
+ * \param buf The destination buffer. This must be a writable buffer
+ * of length \p blen Bytes.
+ * \param blen The size of the destination buffer \p buf in Bytes.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL in case \p f_rng doesn't need a context argument.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
*/
int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
@@ -228,23 +355,26 @@ int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
void *p_rng );
/**
- * \brief This function parses and processes a TLS ClientKeyExchange
- * payload.
+ * \brief This function parses and processes the ECDHE payload of a
+ * TLS ClientKeyExchange message.
*
- * This is the second function used by a TLS server for ECDH(E)
- * ciphersuites.
+ * This is the third function used by a TLS server for ECDH(E)
+ * ciphersuites. (It is called after mbedtls_ecdh_setup() and
+ * mbedtls_ecdh_make_params().)
*
* \see ecp.h
*
- * \param ctx The ECDH context.
- * \param buf The start of the input buffer.
- * \param blen The length of the input buffer.
+ * \param ctx The ECDH context to use. This must be initialized
+ * and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param buf The pointer to the ClientKeyExchange payload. This must
+ * be a readable buffer of length \p blen Bytes.
+ * \param blen The length of the input buffer \p buf in Bytes.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
*/
int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
- const unsigned char *buf, size_t blen );
+ const unsigned char *buf, size_t blen );
/**
* \brief This function derives and exports the shared secret.
@@ -257,22 +387,46 @@ int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
* For more information, see mbedtls_ecp_mul().
*
* \see ecp.h
- *
- * \param ctx The ECDH context.
- * \param olen The number of Bytes written.
- * \param buf The destination buffer.
- * \param blen The length of the destination buffer.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+
+ * \param ctx The ECDH context to use. This must be initialized
+ * and have its own private key generated and the peer's
+ * public key imported.
+ * \param olen The address at which to store the total number of
+ * Bytes written on success. This must not be \c NULL.
+ * \param buf The buffer to write the generated shared key to. This
+ * must be a writable buffer of size \p blen Bytes.
+ * \param blen The length of the destination buffer \p buf in Bytes.
+ * \param f_rng The RNG function, for blinding purposes. This may
+ * b \c NULL if blinding isn't needed.
+ * \param p_rng The RNG context. This may be \c NULL if \p f_rng
+ * doesn't need a context argument.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
*/
int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief This function enables restartable EC computations for this
+ * context. (Default: disabled.)
+ *
+ * \see \c mbedtls_ecp_set_max_ops()
+ *
+ * \note It is not possible to safely disable restartable
+ * computations once enabled, except by free-ing the context,
+ * which cancels possible in-progress operations.
+ *
+ * \param ctx The ECDH context to use. This must be initialized.
+ */
+void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
#ifdef __cplusplus
}
#endif
diff --git a/thirdparty/mbedtls/include/mbedtls/ecdsa.h b/thirdparty/mbedtls/include/mbedtls/ecdsa.h
index ce1a03d791..40fdab3729 100644
--- a/thirdparty/mbedtls/include/mbedtls/ecdsa.h
+++ b/thirdparty/mbedtls/include/mbedtls/ecdsa.h
@@ -55,20 +55,71 @@
/** The maximal size of an ECDSA signature in Bytes. */
#define MBEDTLS_ECDSA_MAX_LEN ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
+#ifdef __cplusplus
+extern "C" {
+#endif
+
/**
* \brief The ECDSA context structure.
+ *
+ * \warning Performing multiple operations concurrently on the same
+ * ECDSA context is not supported; objects of this type
+ * should not be shared between multiple threads.
*/
typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
-#ifdef __cplusplus
-extern "C" {
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief Internal restart context for ecdsa_verify()
+ *
+ * \note Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
+
+/**
+ * \brief Internal restart context for ecdsa_sign()
+ *
+ * \note Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief Internal restart context for ecdsa_sign_det()
+ *
+ * \note Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
+#endif
+
+/**
+ * \brief General context for resuming ECDSA operations
+ */
+typedef struct
+{
+ mbedtls_ecp_restart_ctx ecp; /*!< base context for ECP restart and
+ shared administrative info */
+ mbedtls_ecdsa_restart_ver_ctx *ver; /*!< ecdsa_verify() sub-context */
+ mbedtls_ecdsa_restart_sig_ctx *sig; /*!< ecdsa_sign() sub-context */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+ mbedtls_ecdsa_restart_det_ctx *det; /*!< ecdsa_sign_det() sub-context */
#endif
+} mbedtls_ecdsa_restart_ctx;
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_ecdsa_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
/**
* \brief This function computes the ECDSA signature of a
* previously-hashed message.
*
- * \note The deterministic version is usually preferred.
+ * \note The deterministic version implemented in
+ * mbedtls_ecdsa_sign_det() is usually preferred.
*
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated
@@ -78,14 +129,22 @@ extern "C" {
*
* \see ecp.h
*
- * \param grp The ECP group.
- * \param r The first output integer.
- * \param s The second output integer.
- * \param d The private signing key.
- * \param buf The message hash.
- * \param blen The length of \p buf.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized.
+ * \param buf The content to be signed. This is usually the hash of
+ * the original data to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX
@@ -112,21 +171,29 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
*
* \see ecp.h
*
- * \param grp The ECP group.
- * \param r The first output integer.
- * \param s The second output integer.
- * \param d The private signing key.
- * \param buf The message hash.
- * \param blen The length of \p buf.
- * \param md_alg The MD algorithm used to hash the message.
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized
+ * and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf The hashed content to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param md_alg The hash algorithm used to hash the original data.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
* error code on failure.
*/
-int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- mbedtls_md_type_t md_alg );
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+ mbedtls_mpi *s, const mbedtls_mpi *d,
+ const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg );
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
/**
@@ -141,12 +208,19 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi
*
* \see ecp.h
*
- * \param grp The ECP group.
- * \param buf The message hash.
- * \param blen The length of \p buf.
- * \param Q The public key to use for verification.
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param buf The hashed content that was signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param Q The public key to use for verification. This must be
+ * initialized and setup.
* \param r The first integer of the signature.
+ * This must be initialized.
* \param s The second integer of the signature.
+ * This must be initialized.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature
@@ -155,8 +229,9 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi
* error code on failure for any other reason.
*/
int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
- const unsigned char *buf, size_t blen,
- const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s);
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
+ const mbedtls_mpi *s);
/**
* \brief This function computes the ECDSA signature and writes it
@@ -173,11 +248,6 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
* of the Digital Signature Algorithm (DSA) and Elliptic
* Curve Digital Signature Algorithm (ECDSA)</em>.
*
- * \note The \p sig buffer must be at least twice as large as the
- * size of the curve used, plus 9. For example, 73 Bytes if
- * a 256-bit curve is used. A buffer length of
- * #MBEDTLS_ECDSA_MAX_LEN is always safe.
- *
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated as
* defined in <em>Standards for Efficient Cryptography Group
@@ -186,25 +256,84 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
*
* \see ecp.h
*
- * \param ctx The ECDSA context.
+ * \param ctx The ECDSA context to use. This must be initialized
+ * and have a group and private key bound to it, for example
+ * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
* \param md_alg The message digest that was used to hash the message.
- * \param hash The message hash.
- * \param hlen The length of the hash.
- * \param sig The buffer that holds the signature.
- * \param slen The length of the signature written.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param hash The message hash to be signed. This must be a readable
+ * buffer of length \p blen Bytes.
+ * \param hlen The length of the hash \p hash in Bytes.
+ * \param sig The buffer to which to write the signature. This must be a
+ * writable buffer of length at least twice as large as the
+ * size of the curve used, plus 9. For example, 73 Bytes if
+ * a 256-bit curve is used. A buffer length of
+ * #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen The address at which to store the actual length of
+ * the signature written. Must not be \c NULL.
+ * \param f_rng The RNG function. This must not be \c NULL if
+ * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ * it is unused and may be set to \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't use a context.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
* \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
-int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
+ mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hlen,
unsigned char *sig, size_t *slen,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
+/**
+ * \brief This function computes the ECDSA signature and writes it
+ * to a buffer, in a restartable way.
+ *
+ * \see \c mbedtls_ecdsa_write_signature()
+ *
+ * \note This function is like \c mbedtls_ecdsa_write_signature()
+ * but it can return early and restart according to the limit
+ * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx The ECDSA context to use. This must be initialized
+ * and have a group and private key bound to it, for example
+ * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg The message digest that was used to hash the message.
+ * \param hash The message hash to be signed. This must be a readable
+ * buffer of length \p blen Bytes.
+ * \param hlen The length of the hash \p hash in Bytes.
+ * \param sig The buffer to which to write the signature. This must be a
+ * writable buffer of length at least twice as large as the
+ * size of the curve used, plus 9. For example, 73 Bytes if
+ * a 256-bit curve is used. A buffer length of
+ * #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen The address at which to store the actual length of
+ * the signature written. Must not be \c NULL.
+ * \param f_rng The RNG function. This must not be \c NULL if
+ * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ * it is unused and may be set to \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ * \param rs_ctx The restart context to use. This may be \c NULL to disable
+ * restarting. If it is not \c NULL, it must point to an
+ * initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ * \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hlen,
+ unsigned char *sig, size_t *slen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_ecdsa_restart_ctx *rs_ctx );
+
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
@@ -225,11 +354,6 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
* \warning It is not thread-safe to use the same context in
* multiple threads.
*
- * \note The \p sig buffer must be at least twice as large as the
- * size of the curve used, plus 9. For example, 73 Bytes if a
- * 256-bit curve is used. A buffer length of
- * #MBEDTLS_ECDSA_MAX_LEN is always safe.
- *
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated as
* defined in <em>Standards for Efficient Cryptography Group
@@ -241,12 +365,20 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
* \deprecated Superseded by mbedtls_ecdsa_write_signature() in
* Mbed TLS version 2.0 and later.
*
- * \param ctx The ECDSA context.
- * \param hash The message hash.
- * \param hlen The length of the hash.
- * \param sig The buffer that holds the signature.
- * \param slen The length of the signature written.
- * \param md_alg The MD algorithm used to hash the message.
+ * \param ctx The ECDSA context to use. This must be initialized
+ * and have a group and private key bound to it, for example
+ * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param hash The message hash to be signed. This must be a readable
+ * buffer of length \p blen Bytes.
+ * \param hlen The length of the hash \p hash in Bytes.
+ * \param sig The buffer to which to write the signature. This must be a
+ * writable buffer of length at least twice as large as the
+ * size of the curve used, plus 9. For example, 73 Bytes if
+ * a 256-bit curve is used. A buffer length of
+ * #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen The address at which to store the actual length of
+ * the signature written. Must not be \c NULL.
+ * \param md_alg The message digest that was used to hash the message.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
@@ -271,11 +403,14 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
*
* \see ecp.h
*
- * \param ctx The ECDSA context.
- * \param hash The message hash.
- * \param hlen The size of the hash.
- * \param sig The signature to read and verify.
- * \param slen The size of \p sig.
+ * \param ctx The ECDSA context to use. This must be initialized
+ * and have a group and public key bound to it.
+ * \param hash The message hash that was signed. This must be a readable
+ * buffer of length \p size Bytes.
+ * \param hlen The size of the hash \p hash.
+ * \param sig The signature to read and verify. This must be a readable
+ * buffer of length \p slen Bytes.
+ * \param slen The size of \p sig in Bytes.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
@@ -289,15 +424,53 @@ int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
const unsigned char *sig, size_t slen );
/**
+ * \brief This function reads and verifies an ECDSA signature,
+ * in a restartable way.
+ *
+ * \see \c mbedtls_ecdsa_read_signature()
+ *
+ * \note This function is like \c mbedtls_ecdsa_read_signature()
+ * but it can return early and restart according to the limit
+ * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx The ECDSA context to use. This must be initialized
+ * and have a group and public key bound to it.
+ * \param hash The message hash that was signed. This must be a readable
+ * buffer of length \p size Bytes.
+ * \param hlen The size of the hash \p hash.
+ * \param sig The signature to read and verify. This must be a readable
+ * buffer of length \p slen Bytes.
+ * \param slen The size of \p sig in Bytes.
+ * \param rs_ctx The restart context to use. This may be \c NULL to disable
+ * restarting. If it is not \c NULL, it must point to an
+ * initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ * signature in \p sig, but its length is less than \p siglen.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ * error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
+ const unsigned char *hash, size_t hlen,
+ const unsigned char *sig, size_t slen,
+ mbedtls_ecdsa_restart_ctx *rs_ctx );
+
+/**
* \brief This function generates an ECDSA keypair on the given curve.
*
* \see ecp.h
*
* \param ctx The ECDSA context to store the keypair in.
+ * This must be initialized.
* \param gid The elliptic curve to use. One of the various
* \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context argument.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
@@ -306,32 +479,59 @@ int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
- * \brief This function sets an ECDSA context from an EC key pair.
+ * \brief This function sets up an ECDSA context from an EC key pair.
*
* \see ecp.h
*
- * \param ctx The ECDSA context to set.
- * \param key The EC key to use.
+ * \param ctx The ECDSA context to setup. This must be initialized.
+ * \param key The EC key to use. This must be initialized and hold
+ * a private-public key pair or a public key. In the former
+ * case, the ECDSA context may be used for signature creation
+ * and verification after this call. In the latter case, it
+ * may be used for signature verification.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX code on failure.
*/
-int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key );
+int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx,
+ const mbedtls_ecp_keypair *key );
/**
* \brief This function initializes an ECDSA context.
*
* \param ctx The ECDSA context to initialize.
+ * This must not be \c NULL.
*/
void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
/**
* \brief This function frees an ECDSA context.
*
- * \param ctx The ECDSA context to free.
+ * \param ctx The ECDSA context to free. This may be \c NULL,
+ * in which case this function does nothing. If it
+ * is not \c NULL, it must be initialized.
*/
void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Initialize a restart context.
+ *
+ * \param ctx The restart context to initialize.
+ * This must not be \c NULL.
+ */
+void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx );
+
+/**
+ * \brief Free the components of a restart context.
+ *
+ * \param ctx The restart context to free. This may be \c NULL,
+ * in which case this function does nothing. If it
+ * is not \c NULL, it must be initialized.
+ */
+void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
#ifdef __cplusplus
}
#endif
diff --git a/thirdparty/mbedtls/include/mbedtls/ecjpake.h b/thirdparty/mbedtls/include/mbedtls/ecjpake.h
index cc2b316f5e..b967af8385 100644
--- a/thirdparty/mbedtls/include/mbedtls/ecjpake.h
+++ b/thirdparty/mbedtls/include/mbedtls/ecjpake.h
@@ -68,7 +68,7 @@ typedef enum {
* convetion from the Thread v1.0 spec. Correspondance is indicated in the
* description as a pair C: client name, S: server name
*/
-typedef struct
+typedef struct mbedtls_ecjpake_context
{
const mbedtls_md_info_t *md_info; /**< Hash to use */
mbedtls_ecp_group grp; /**< Elliptic curve */
@@ -92,28 +92,33 @@ typedef struct
#endif /* MBEDTLS_ECJPAKE_ALT */
/**
- * \brief Initialize a context
- * (just makes it ready for setup() or free()).
+ * \brief Initialize an ECJPAKE context.
*
- * \param ctx context to initialize
+ * \param ctx The ECJPAKE context to initialize.
+ * This must not be \c NULL.
*/
void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx );
/**
- * \brief Set up a context for use
+ * \brief Set up an ECJPAKE context for use.
*
* \note Currently the only values for hash/curve allowed by the
- * standard are MBEDTLS_MD_SHA256/MBEDTLS_ECP_DP_SECP256R1.
+ * standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
*
- * \param ctx context to set up
- * \param role Our role: client or server
- * \param hash hash function to use (MBEDTLS_MD_XXX)
- * \param curve elliptic curve identifier (MBEDTLS_ECP_DP_XXX)
- * \param secret pre-shared secret (passphrase)
- * \param len length of the shared secret
+ * \param ctx The ECJPAKE context to set up. This must be initialized.
+ * \param role The role of the caller. This must be either
+ * #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
+ * \param hash The identifier of the hash function to use,
+ * for example #MBEDTLS_MD_SHA256.
+ * \param curve The identifier of the elliptic curve to use,
+ * for example #MBEDTLS_ECP_DP_SECP256R1.
+ * \param secret The pre-shared secret (passphrase). This must be
+ * a readable buffer of length \p len Bytes. It need
+ * only be valid for the duration of this call.
+ * \param len The length of the pre-shared secret \p secret.
*
- * \return 0 if successfull,
- * a negative error code otherwise
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
mbedtls_ecjpake_role role,
@@ -123,29 +128,34 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
size_t len );
/**
- * \brief Check if a context is ready for use
+ * \brief Check if an ECJPAKE context is ready for use.
*
- * \param ctx Context to check
+ * \param ctx The ECJPAKE context to check. This must be
+ * initialized.
*
- * \return 0 if the context is ready for use,
- * MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise
+ * \return \c 0 if the context is ready for use.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
*/
int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx );
/**
* \brief Generate and write the first round message
* (TLS: contents of the Client/ServerHello extension,
- * excluding extension type and length bytes)
+ * excluding extension type and length bytes).
*
- * \param ctx Context to use
- * \param buf Buffer to write the contents to
- * \param len Buffer size
- * \param olen Will be updated with the number of bytes written
- * \param f_rng RNG function
- * \param p_rng RNG parameter
+ * \param ctx The ECJPAKE context to use. This must be
+ * initialized and set up.
+ * \param buf The buffer to write the contents to. This must be a
+ * writable buffer of length \p len Bytes.
+ * \param len The length of \p buf in Bytes.
+ * \param olen The address at which to store the total number
+ * of Bytes written to \p buf. This must not be \c NULL.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This
+ * may be \c NULL if \p f_rng doesn't use a context.
*
- * \return 0 if successfull,
- * a negative error code otherwise
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
unsigned char *buf, size_t len, size_t *olen,
@@ -155,14 +165,16 @@ int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
/**
* \brief Read and process the first round message
* (TLS: contents of the Client/ServerHello extension,
- * excluding extension type and length bytes)
+ * excluding extension type and length bytes).
*
- * \param ctx Context to use
- * \param buf Pointer to extension contents
- * \param len Extension length
+ * \param ctx The ECJPAKE context to use. This must be initialized
+ * and set up.
+ * \param buf The buffer holding the first round message. This must
+ * be a readable buffer of length \p len Bytes.
+ * \param len The length in Bytes of \p buf.
*
- * \return 0 if successfull,
- * a negative error code otherwise
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
const unsigned char *buf,
@@ -170,17 +182,21 @@ int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
/**
* \brief Generate and write the second round message
- * (TLS: contents of the Client/ServerKeyExchange)
+ * (TLS: contents of the Client/ServerKeyExchange).
*
- * \param ctx Context to use
- * \param buf Buffer to write the contents to
- * \param len Buffer size
- * \param olen Will be updated with the number of bytes written
- * \param f_rng RNG function
- * \param p_rng RNG parameter
+ * \param ctx The ECJPAKE context to use. This must be initialized,
+ * set up, and already have performed round one.
+ * \param buf The buffer to write the round two contents to.
+ * This must be a writable buffer of length \p len Bytes.
+ * \param len The size of \p buf in Bytes.
+ * \param olen The address at which to store the total number of Bytes
+ * written to \p buf. This must not be \c NULL.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This
+ * may be \c NULL if \p f_rng doesn't use a context.
*
- * \return 0 if successfull,
- * a negative error code otherwise
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
unsigned char *buf, size_t len, size_t *olen,
@@ -189,14 +205,16 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
/**
* \brief Read and process the second round message
- * (TLS: contents of the Client/ServerKeyExchange)
+ * (TLS: contents of the Client/ServerKeyExchange).
*
- * \param ctx Context to use
- * \param buf Pointer to the message
- * \param len Message length
+ * \param ctx The ECJPAKE context to use. This must be initialized
+ * and set up and already have performed round one.
+ * \param buf The buffer holding the second round message. This must
+ * be a readable buffer of length \p len Bytes.
+ * \param len The length in Bytes of \p buf.
*
- * \return 0 if successfull,
- * a negative error code otherwise
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
const unsigned char *buf,
@@ -204,17 +222,21 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
/**
* \brief Derive the shared secret
- * (TLS: Pre-Master Secret)
+ * (TLS: Pre-Master Secret).
*
- * \param ctx Context to use
- * \param buf Buffer to write the contents to
- * \param len Buffer size
- * \param olen Will be updated with the number of bytes written
- * \param f_rng RNG function
- * \param p_rng RNG parameter
+ * \param ctx The ECJPAKE context to use. This must be initialized,
+ * set up and have performed both round one and two.
+ * \param buf The buffer to write the derived secret to. This must
+ * be a writable buffer of length \p len Bytes.
+ * \param len The length of \p buf in Bytes.
+ * \param olen The address at which to store the total number of Bytes
+ * written to \p buf. This must not be \c NULL.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This
+ * may be \c NULL if \p f_rng doesn't use a context.
*
- * \return 0 if successfull,
- * a negative error code otherwise
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
*/
int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
unsigned char *buf, size_t len, size_t *olen,
@@ -222,14 +244,15 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
void *p_rng );
/**
- * \brief Free a context's content
+ * \brief This clears an ECJPAKE context and frees any
+ * embedded data structure.
*
- * \param ctx context to free
+ * \param ctx The ECJPAKE context to free. This may be \c NULL,
+ * in which case this function does nothing. If it is not
+ * \c NULL, it must point to an initialized ECJPAKE context.
*/
void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx );
-
-
#if defined(MBEDTLS_SELF_TEST)
/**
diff --git a/thirdparty/mbedtls/include/mbedtls/ecp.h b/thirdparty/mbedtls/include/mbedtls/ecp.h
index 3a407986dd..de3a343cb6 100644
--- a/thirdparty/mbedtls/include/mbedtls/ecp.h
+++ b/thirdparty/mbedtls/include/mbedtls/ecp.h
@@ -49,8 +49,12 @@
#define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00 /**< Generation of random value, such as ephemeral key, failed. */
#define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80 /**< Invalid private or public key. */
#define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00 /**< The buffer contains a valid signature followed by more data. */
+
+/* MBEDTLS_ERR_ECP_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED -0x4B80 /**< The ECP hardware accelerator failed. */
+#define MBEDTLS_ERR_ECP_IN_PROGRESS -0x4B00 /**< Operation in progress, call again with the same parameters to continue. */
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -92,7 +96,7 @@ typedef enum
/**
* Curve information, for use by other modules.
*/
-typedef struct
+typedef struct mbedtls_ecp_curve_info
{
mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */
uint16_t tls_id; /*!< The TLS NamedCurve identifier. */
@@ -111,7 +115,7 @@ typedef struct
* Otherwise, \p X and \p Y are its standard (affine)
* coordinates.
*/
-typedef struct
+typedef struct mbedtls_ecp_point
{
mbedtls_mpi X; /*!< The X coordinate of the ECP point. */
mbedtls_mpi Y; /*!< The Y coordinate of the ECP point. */
@@ -155,8 +159,12 @@ mbedtls_ecp_point;
* additions or subtractions. Therefore, it is only an approximative modular
* reduction. It must return 0 on success and non-zero on failure.
*
+ * \note Alternative implementations must keep the group IDs distinct. If
+ * two group structures have the same ID, then they must be
+ * identical.
+ *
*/
-typedef struct
+typedef struct mbedtls_ecp_group
{
mbedtls_ecp_group_id id; /*!< An internal group identifier. */
mbedtls_mpi P; /*!< The prime modulus of the base field. */
@@ -181,6 +189,70 @@ typedef struct
}
mbedtls_ecp_group;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief Internal restart context for multiplication
+ *
+ * \note Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;
+
+/**
+ * \brief Internal restart context for ecp_muladd()
+ *
+ * \note Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
+
+/**
+ * \brief General context for resuming ECC operations
+ */
+typedef struct
+{
+ unsigned ops_done; /*!< current ops count */
+ unsigned depth; /*!< call depth (0 = top-level) */
+ mbedtls_ecp_restart_mul_ctx *rsm; /*!< ecp_mul_comb() sub-context */
+ mbedtls_ecp_restart_muladd_ctx *ma; /*!< ecp_muladd() sub-context */
+} mbedtls_ecp_restart_ctx;
+
+/*
+ * Operation counts for restartable functions
+ */
+#define MBEDTLS_ECP_OPS_CHK 3 /*!< basic ops count for ecp_check_pubkey() */
+#define MBEDTLS_ECP_OPS_DBL 8 /*!< basic ops count for ecp_double_jac() */
+#define MBEDTLS_ECP_OPS_ADD 11 /*!< basic ops count for see ecp_add_mixed() */
+#define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv() */
+
+/**
+ * \brief Internal; for restartable functions in other modules.
+ * Check and update basic ops budget.
+ *
+ * \param grp Group structure
+ * \param rs_ctx Restart context
+ * \param ops Number of basic ops to do
+ *
+ * \return \c 0 if doing \p ops basic ops is still allowed,
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.
+ */
+int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
+ mbedtls_ecp_restart_ctx *rs_ctx,
+ unsigned ops );
+
+/* Utility macro for checking and updating ops budget */
+#define MBEDTLS_ECP_BUDGET( ops ) \
+ MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, rs_ctx, \
+ (unsigned) (ops) ) );
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define MBEDTLS_ECP_BUDGET( ops ) /* no-op; for compatibility */
+
+/* We want to declare restartable versions of existing functions anyway */
+typedef void mbedtls_ecp_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
/**
* \name SECTION: Module settings
*
@@ -251,7 +323,7 @@ mbedtls_ecp_group;
* \note Members are deliberately in the same order as in the
* ::mbedtls_ecdsa_context structure.
*/
-typedef struct
+typedef struct mbedtls_ecp_keypair
{
mbedtls_ecp_group grp; /*!< Elliptic curve and base point */
mbedtls_mpi d; /*!< our secret value */
@@ -270,6 +342,75 @@ mbedtls_ecp_keypair;
*/
#define MBEDTLS_ECP_TLS_NAMED_CURVE 3 /**< The named_curve of ECCurveType. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Set the maximum number of basic operations done in a row.
+ *
+ * If more operations are needed to complete a computation,
+ * #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the
+ * function performing the computation. It is then the
+ * caller's responsibility to either call again with the same
+ * parameters until it returns 0 or an error code; or to free
+ * the restart context if the operation is to be aborted.
+ *
+ * It is strictly required that all input parameters and the
+ * restart context be the same on successive calls for the
+ * same operation, but output parameters need not be the
+ * same; they must not be used until the function finally
+ * returns 0.
+ *
+ * This only applies to functions whose documentation
+ * mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the
+ * SSL module). For functions that accept a "restart context"
+ * argument, passing NULL disables restart and makes the
+ * function equivalent to the function with the same name
+ * with \c _restartable removed. For functions in the ECDH
+ * module, restart is disabled unless the function accepts
+ * an "ECDH context" argument and
+ * mbedtls_ecdh_enable_restart() was previously called on
+ * that context. For function in the SSL module, restart is
+ * only enabled for specific sides and key exchanges
+ * (currently only for clients and ECDHE-ECDSA).
+ *
+ * \param max_ops Maximum number of basic operations done in a row.
+ * Default: 0 (unlimited).
+ * Lower (non-zero) values mean ECC functions will block for
+ * a lesser maximum amount of time.
+ *
+ * \note A "basic operation" is defined as a rough equivalent of a
+ * multiplication in GF(p) for the NIST P-256 curve.
+ * As an indication, with default settings, a scalar
+ * multiplication (full run of \c mbedtls_ecp_mul()) is:
+ * - about 3300 basic operations for P-256
+ * - about 9400 basic operations for P-384
+ *
+ * \note Very low values are not always respected: sometimes
+ * functions need to block for a minimum number of
+ * operations, and will do so even if max_ops is set to a
+ * lower value. That minimum depends on the curve size, and
+ * can be made lower by decreasing the value of
+ * \c MBEDTLS_ECP_WINDOW_SIZE. As an indication, here is the
+ * lowest effective value for various curves and values of
+ * that parameter (w for short):
+ * w=6 w=5 w=4 w=3 w=2
+ * P-256 208 208 160 136 124
+ * P-384 682 416 320 272 248
+ * P-521 1364 832 640 544 496
+ *
+ * \note This setting is currently ignored by Curve25519.
+ */
+void mbedtls_ecp_set_max_ops( unsigned max_ops );
+
+/**
+ * \brief Check if restart is enabled (max_ops != 0)
+ *
+ * \return \c 0 if \c max_ops == 0 (restart disabled)
+ * \return \c 1 otherwise (restart enabled)
+ */
+int mbedtls_ecp_restart_is_enabled( void );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
/**
* \brief This function retrieves the information defined in
* mbedtls_ecp_curve_info() for all supported curves in order
@@ -356,25 +497,51 @@ void mbedtls_ecp_point_free( mbedtls_ecp_point *pt );
/**
* \brief This function frees the components of an ECP group.
- * \param grp The group to free.
+ *
+ * \param grp The group to free. This may be \c NULL, in which
+ * case this function returns immediately. If it is not
+ * \c NULL, it must point to an initialized ECP group.
*/
void mbedtls_ecp_group_free( mbedtls_ecp_group *grp );
/**
* \brief This function frees the components of a key pair.
- * \param key The key pair to free.
+ *
+ * \param key The key pair to free. This may be \c NULL, in which
+ * case this function returns immediately. If it is not
+ * \c NULL, it must point to an initialized ECP key pair.
*/
void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Initialize a restart context.
+ *
+ * \param ctx The restart context to initialize. This must
+ * not be \c NULL.
+ */
+void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx );
+
+/**
+ * \brief Free the components of a restart context.
+ *
+ * \param ctx The restart context to free. This may be \c NULL, in which
+ * case this function returns immediately. If it is not
+ * \c NULL, it must point to an initialized restart context.
+ */
+void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
/**
* \brief This function copies the contents of point \p Q into
* point \p P.
*
- * \param P The destination point.
- * \param Q The source point.
+ * \param P The destination point. This must be initialized.
+ * \param Q The source point. This must be initialized.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code for other kinds of failure.
*/
int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q );
@@ -382,31 +549,35 @@ int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q );
* \brief This function copies the contents of group \p src into
* group \p dst.
*
- * \param dst The destination group.
- * \param src The source group.
+ * \param dst The destination group. This must be initialized.
+ * \param src The source group. This must be initialized.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code on other kinds of failure.
*/
-int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src );
+int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst,
+ const mbedtls_ecp_group *src );
/**
- * \brief This function sets a point to zero.
+ * \brief This function sets a point to the point at infinity.
*
- * \param pt The point to set.
+ * \param pt The point to set. This must be initialized.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt );
/**
- * \brief This function checks if a point is zero.
+ * \brief This function checks if a point is the point at infinity.
*
- * \param pt The point to test.
+ * \param pt The point to test. This must be initialized.
*
* \return \c 1 if the point is zero.
* \return \c 0 if the point is non-zero.
+ * \return A negative error code on failure.
*/
int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt );
@@ -416,8 +587,8 @@ int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt );
* \note This assumes that the points are normalized. Otherwise,
* they may compare as "not equal" even if they are.
*
- * \param P The first point to compare.
- * \param Q The second point to compare.
+ * \param P The first point to compare. This must be initialized.
+ * \param Q The second point to compare. This must be initialized.
*
* \return \c 0 if the points are equal.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
@@ -429,7 +600,7 @@ int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
* \brief This function imports a non-zero point from two ASCII
* strings.
*
- * \param P The destination point.
+ * \param P The destination point. This must be initialized.
* \param radix The numeric base of the input.
* \param x The first affine coordinate, as a null-terminated string.
* \param y The second affine coordinate, as a null-terminated string.
@@ -444,15 +615,21 @@ int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
* \brief This function exports a point into unsigned binary data.
*
* \param grp The group to which the point should belong.
- * \param P The point to export.
- * \param format The point format. Should be an \c MBEDTLS_ECP_PF_XXX macro.
- * \param olen The length of the output.
- * \param buf The output buffer.
- * \param buflen The length of the output buffer.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param P The point to export. This must be initialized.
+ * \param format The point format. This must be either
+ * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen The address at which to store the length of
+ * the output in Bytes. This must not be \c NULL.
+ * \param buf The output buffer. This must be a writable buffer
+ * of length \p buflen Bytes.
+ * \param buflen The length of the output buffer \p buf in Bytes.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA
- * or #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL on failure.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
+ * is too small to hold the point.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
int format, size_t *olen,
@@ -466,108 +643,158 @@ int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_
* for that.
*
* \param grp The group to which the point should belong.
- * \param P The point to import.
- * \param buf The input buffer.
- * \param ilen The length of the input.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param P The destination context to import the point to.
+ * This must be initialized.
+ * \param buf The input buffer. This must be a readable buffer
+ * of length \p ilen Bytes.
+ * \param ilen The length of the input buffer \p buf in Bytes.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
* \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
* is not implemented.
- *
*/
-int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
- const unsigned char *buf, size_t ilen );
+int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *P,
+ const unsigned char *buf, size_t ilen );
/**
* \brief This function imports a point from a TLS ECPoint record.
*
- * \note On function return, \p buf is updated to point to immediately
+ * \note On function return, \p *buf is updated to point immediately
* after the ECPoint record.
*
- * \param grp The ECP group used.
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
* \param pt The destination point.
* \param buf The address of the pointer to the start of the input buffer.
* \param len The length of the buffer.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization failure.
+ * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization
+ * failure.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
*/
-int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
- const unsigned char **buf, size_t len );
+int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *pt,
+ const unsigned char **buf, size_t len );
/**
- * \brief This function exports a point as a TLS ECPoint record.
- *
- * \param grp The ECP group used.
- * \param pt The point format to export to. The point format is an
- * \c MBEDTLS_ECP_PF_XXX constant.
- * \param format The export format.
- * \param olen The length of the data written.
- * \param buf The buffer to write to.
- * \param blen The length of the buffer.
+ * \brief This function exports a point as a TLS ECPoint record
+ * defined in RFC 4492, Section 5.4.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param pt The point to be exported. This must be initialized.
+ * \param format The point format to use. This must be either
+ * #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen The address at which to store the length in Bytes
+ * of the data written.
+ * \param buf The target buffer. This must be a writable buffer of
+ * length \p blen Bytes.
+ * \param blen The length of the target buffer \p buf in Bytes.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA or
- * #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL on failure.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer
+ * is too small to hold the exported point.
+ * \return Another negative error code on other kinds of failure.
*/
-int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
- int format, size_t *olen,
- unsigned char *buf, size_t blen );
+int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *pt,
+ int format, size_t *olen,
+ unsigned char *buf, size_t blen );
/**
- * \brief This function sets a group using standardized domain parameters.
+ * \brief This function sets up an ECP group context
+ * from a standardized set of domain parameters.
*
* \note The index should be a value of the NamedCurve enum,
* as defined in <em>RFC-4492: Elliptic Curve Cryptography
* (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
* usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
*
- * \param grp The destination group.
+ * \param grp The group context to setup. This must be initialized.
* \param id The identifier of the domain parameter set to load.
*
- * \return \c 0 on success,
- * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization failure.
- * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for unkownn groups.
-
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't
+ * correspond to a known group.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id );
/**
- * \brief This function sets a group from a TLS ECParameters record.
+ * \brief This function sets up an ECP group context from a TLS
+ * ECParameters record as defined in RFC 4492, Section 5.4.
*
- * \note \p buf is updated to point right after the ECParameters record
- * on exit.
+ * \note The read pointer \p buf is updated to point right after
+ * the ECParameters record on exit.
*
- * \param grp The destination group.
+ * \param grp The group context to setup. This must be initialized.
* \param buf The address of the pointer to the start of the input buffer.
- * \param len The length of the buffer.
+ * \param len The length of the input buffer \c *buf in Bytes.
*
* \return \c 0 on success.
- * \return An \c MBEDTLS_ERR_MPI_XXX error code on initialization failure.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ * recognized.
+ * \return Another negative error code on other kinds of failure.
*/
-int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, const unsigned char **buf, size_t len );
+int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,
+ const unsigned char **buf, size_t len );
/**
- * \brief This function writes the TLS ECParameters record for a group.
+ * \brief This function extracts an elliptic curve group ID from a
+ * TLS ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \note The read pointer \p buf is updated to point right after
+ * the ECParameters record on exit.
+ *
+ * \param grp The address at which to store the group id.
+ * This must not be \c NULL.
+ * \param buf The address of the pointer to the start of the input buffer.
+ * \param len The length of the input buffer \c *buf in Bytes.
*
- * \param grp The ECP group used.
- * \param olen The number of Bytes written.
- * \param buf The buffer to write to.
- * \param blen The length of the buffer.
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ * recognized.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,
+ const unsigned char **buf,
+ size_t len );
+/**
+ * \brief This function exports an elliptic curve as a TLS
+ * ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \param grp The ECP group to be exported.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param olen The address at which to store the number of Bytes written.
+ * This must not be \c NULL.
+ * \param buf The buffer to write to. This must be a writable buffer
+ * of length \p blen Bytes.
+ * \param blen The length of the output buffer \p buf in Bytes.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL on failure.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output
+ * buffer is too small to hold the exported group.
+ * \return Another negative error code on other kinds of failure.
*/
-int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
- unsigned char *buf, size_t blen );
+int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,
+ size_t *olen,
+ unsigned char *buf, size_t blen );
/**
- * \brief This function performs multiplication of a point by
- * an integer: \p R = \p m * \p P.
+ * \brief This function performs a scalar multiplication of a point
+ * by an integer: \p R = \p m * \p P.
*
* It is not thread-safe to use same group in multiple threads.
*
@@ -581,23 +808,63 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
* targeting these results. We recommend always providing
* a non-NULL \p f_rng. The overhead is negligible.
*
- * \param grp The ECP group.
- * \param R The destination point.
- * \param m The integer by which to multiply.
- * \param P The point to multiply.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param R The point in which to store the result of the calculation.
+ * This must be initialized.
+ * \param m The integer by which to multiply. This must be initialized.
+ * \param P The point to multiply. This must be initialized.
+ * \param f_rng The RNG function. This may be \c NULL if randomization
+ * of intermediate results isn't desired (discouraged).
+ * \param p_rng The RNG context to be passed to \p p_rng.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
* key, or \p P is not a valid public key.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_mpi *m, const mbedtls_ecp_point *P,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
+ * \brief This function performs multiplication of a point by
+ * an integer: \p R = \p m * \p P in a restartable way.
+ *
+ * \see mbedtls_ecp_mul()
+ *
+ * \note This function does the same as \c mbedtls_ecp_mul(), but
+ * it can return early and restart according to the limit set
+ * with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param R The point in which to store the result of the calculation.
+ * This must be initialized.
+ * \param m The integer by which to multiply. This must be initialized.
+ * \param P The point to multiply. This must be initialized.
+ * \param f_rng The RNG function. This may be \c NULL if randomization
+ * of intermediate results isn't desired (discouraged).
+ * \param p_rng The RNG context to be passed to \p p_rng.
+ * \param rs_ctx The restart context (NULL disables restart).
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ * key, or \p P is not a valid public key.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_ecp_restart_ctx *rs_ctx );
+
+/**
* \brief This function performs multiplication and addition of two
* points by integers: \p R = \p m * \p P + \p n * \p Q
*
@@ -606,24 +873,71 @@ int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
* \note In contrast to mbedtls_ecp_mul(), this function does not
* guarantee a constant execution flow and timing.
*
- * \param grp The ECP group.
- * \param R The destination point.
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param R The point in which to store the result of the calculation.
+ * This must be initialized.
* \param m The integer by which to multiply \p P.
- * \param P The point to multiply by \p m.
+ * This must be initialized.
+ * \param P The point to multiply by \p m. This must be initialized.
* \param n The integer by which to multiply \p Q.
+ * This must be initialized.
* \param Q The point to be multiplied by \p n.
+ * This must be initialized.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
* valid private keys, or \p P or \p Q are not valid public
* keys.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_mpi *m, const mbedtls_ecp_point *P,
const mbedtls_mpi *n, const mbedtls_ecp_point *Q );
/**
+ * \brief This function performs multiplication and addition of two
+ * points by integers: \p R = \p m * \p P + \p n * \p Q in a
+ * restartable way.
+ *
+ * \see \c mbedtls_ecp_muladd()
+ *
+ * \note This function works the same as \c mbedtls_ecp_muladd(),
+ * but it can return early and restart according to the limit
+ * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param R The point in which to store the result of the calculation.
+ * This must be initialized.
+ * \param m The integer by which to multiply \p P.
+ * This must be initialized.
+ * \param P The point to multiply by \p m. This must be initialized.
+ * \param n The integer by which to multiply \p Q.
+ * This must be initialized.
+ * \param Q The point to be multiplied by \p n.
+ * This must be initialized.
+ * \param rs_ctx The restart context (NULL disables restart).
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ * valid private keys, or \p P or \p Q are not valid public
+ * keys.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_muladd_restartable(
+ mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+ const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+ const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+ mbedtls_ecp_restart_ctx *rs_ctx );
+
+/**
* \brief This function checks that a point is a valid public key
* on this curve.
*
@@ -640,30 +954,60 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
*
- * \param grp The curve the point should lie on.
- * \param pt The point to check.
+ * \param grp The ECP group the point should belong to.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param pt The point to check. This must be initialized.
*
* \return \c 0 if the point is a valid public key.
- * \return #MBEDTLS_ERR_ECP_INVALID_KEY on failure.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not
+ * a valid public key for the given curve.
+ * \return Another negative error code on other kinds of failure.
*/
-int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt );
+int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
+ const mbedtls_ecp_point *pt );
/**
- * \brief This function checks that an \p mbedtls_mpi is a valid private
- * key for this curve.
+ * \brief This function checks that an \p mbedtls_mpi is a
+ * valid private key for this curve.
*
* \note This function uses bare components rather than an
* ::mbedtls_ecp_keypair structure to ease use with other
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
*
- * \param grp The group used.
- * \param d The integer to check.
+ * \param grp The ECP group the private key should belong to.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param d The integer to check. This must be initialized.
*
* \return \c 0 if the point is a valid private key.
- * \return #MBEDTLS_ERR_ECP_INVALID_KEY on failure.
+ * \return #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid
+ * private key for the given curve.
+ * \return Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,
+ const mbedtls_mpi *d );
+
+/**
+ * \brief This function generates a private key.
+ *
+ * \param grp The ECP group to generate a private key for.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param d The destination MPI (secret part). This must be initialized.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return \c 0 on success.
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ * on failure.
*/
-int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d );
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief This function generates a keypair with a configurable base
@@ -674,22 +1018,29 @@ int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
*
- * \param grp The ECP group.
- * \param G The chosen base point.
+ * \param grp The ECP group to generate a key pair for.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param G The base point to use. This must be initialized
+ * and belong to \p grp. It replaces the default base
+ * point \c grp->G used by mbedtls_ecp_gen_keypair().
* \param d The destination MPI (secret part).
+ * This must be initialized.
* \param Q The destination point (public part).
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * This must be initialized.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng doesn't need a context argument.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* on failure.
*/
int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
- const mbedtls_ecp_point *G,
- mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng );
+ const mbedtls_ecp_point *G,
+ mbedtls_mpi *d, mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief This function generates an ECP keypair.
@@ -699,34 +1050,42 @@ int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
* structures, such as ::mbedtls_ecdh_context or
* ::mbedtls_ecdsa_context.
*
- * \param grp The ECP group.
+ * \param grp The ECP group to generate a key pair for.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
* \param d The destination MPI (secret part).
+ * This must be initialized.
* \param Q The destination point (public part).
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * This must be initialized.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng doesn't need a context argument.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* on failure.
*/
-int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng );
+int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d,
+ mbedtls_ecp_point *Q,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief This function generates an ECP key.
*
* \param grp_id The ECP group identifier.
- * \param key The destination key.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param key The destination key. This must be initialized.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng doesn't need a context argument.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
* on failure.
*/
int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
/**
* \brief This function checks that the keypair objects
@@ -734,16 +1093,19 @@ int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
* same public point, and that the private key in
* \p prv is consistent with the public key.
*
- * \param pub The keypair structure holding the public key.
- * If it contains a private key, that part is ignored.
+ * \param pub The keypair structure holding the public key. This
+ * must be initialized. If it contains a private key, that
+ * part is ignored.
* \param prv The keypair structure holding the full keypair.
+ * This must be initialized.
*
* \return \c 0 on success, meaning that the keys are valid and match.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
* \return An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
* error code on calculation failure.
*/
-int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv );
+int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub,
+ const mbedtls_ecp_keypair *prv );
#if defined(MBEDTLS_SELF_TEST)
diff --git a/thirdparty/mbedtls/include/mbedtls/entropy.h b/thirdparty/mbedtls/include/mbedtls/entropy.h
index a5cb05a584..ca06dc3c58 100644
--- a/thirdparty/mbedtls/include/mbedtls/entropy.h
+++ b/thirdparty/mbedtls/include/mbedtls/entropy.h
@@ -107,7 +107,7 @@ typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, s
/**
* \brief Entropy source state
*/
-typedef struct
+typedef struct mbedtls_entropy_source_state
{
mbedtls_entropy_f_source_ptr f_source; /**< The entropy source callback */
void * p_source; /**< The callback data pointer */
@@ -120,7 +120,7 @@ mbedtls_entropy_source_state;
/**
* \brief Entropy context structure
*/
-typedef struct
+typedef struct mbedtls_entropy_context
{
int accumulator_started;
#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
diff --git a/thirdparty/mbedtls/include/mbedtls/error.h b/thirdparty/mbedtls/include/mbedtls/error.h
index 6b82d4fbbe..647a11a566 100644
--- a/thirdparty/mbedtls/include/mbedtls/error.h
+++ b/thirdparty/mbedtls/include/mbedtls/error.h
@@ -74,12 +74,13 @@
* MD4 1 0x002D-0x002D
* MD5 1 0x002F-0x002F
* RIPEMD160 1 0x0031-0x0031
- * SHA1 1 0x0035-0x0035
- * SHA256 1 0x0037-0x0037
- * SHA512 1 0x0039-0x0039
+ * SHA1 1 0x0035-0x0035 0x0073-0x0073
+ * SHA256 1 0x0037-0x0037 0x0074-0x0074
+ * SHA512 1 0x0039-0x0039 0x0075-0x0075
* CHACHA20 3 0x0051-0x0055
* POLY1305 3 0x0057-0x005B
* CHACHAPOLY 2 0x0054-0x0056
+ * PLATFORM 1 0x0070-0x0072
*
* High-level module nr (3 bits - 0x0...-0x7...)
* Name ID Nr of Errors
@@ -90,12 +91,12 @@
* DHM 3 11
* PK 3 15 (Started from top)
* RSA 4 11
- * ECP 4 9 (Started from top)
+ * ECP 4 10 (Started from top)
* MD 5 5
* HKDF 5 1 (Started from top)
* CIPHER 6 8
- * SSL 6 22 (Started from top)
- * SSL 7 31
+ * SSL 6 23 (Started from top)
+ * SSL 7 32
*
* Module dependent error code (5 bits 0x.00.-0x.F8.)
*/
diff --git a/thirdparty/mbedtls/include/mbedtls/gcm.h b/thirdparty/mbedtls/include/mbedtls/gcm.h
index 87535ab957..fccabb0d97 100644
--- a/thirdparty/mbedtls/include/mbedtls/gcm.h
+++ b/thirdparty/mbedtls/include/mbedtls/gcm.h
@@ -41,7 +41,10 @@
#define MBEDTLS_GCM_DECRYPT 0
#define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012 /**< Authenticated decryption failed. */
+
+/* MBEDTLS_ERR_GCM_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED -0x0013 /**< GCM hardware accelerator failed. */
+
#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 /**< Bad input parameters to function. */
#ifdef __cplusplus
@@ -53,7 +56,8 @@ extern "C" {
/**
* \brief The GCM context structure.
*/
-typedef struct {
+typedef struct mbedtls_gcm_context
+{
mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */
uint64_t HL[16]; /*!< Precalculated HTable low. */
uint64_t HH[16]; /*!< Precalculated HTable high. */
@@ -81,7 +85,7 @@ mbedtls_gcm_context;
* cipher, nor set the key. For this purpose, use
* mbedtls_gcm_setkey().
*
- * \param ctx The GCM context to initialize.
+ * \param ctx The GCM context to initialize. This must not be \c NULL.
*/
void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
@@ -89,9 +93,10 @@ void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
* \brief This function associates a GCM context with a
* cipher algorithm and a key.
*
- * \param ctx The GCM context to initialize.
+ * \param ctx The GCM context. This must be initialized.
* \param cipher The 128-bit block cipher to use.
- * \param key The encryption key.
+ * \param key The encryption key. This must be a readable buffer of at
+ * least \p keybits bits.
* \param keybits The key size in bits. Valid options are:
* <ul><li>128 bits</li>
* <li>192 bits</li>
@@ -118,7 +123,8 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
* authentic. You should use this function to perform encryption
* only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
*
- * \param ctx The GCM context to use for encryption or decryption.
+ * \param ctx The GCM context to use for encryption or decryption. This
+ * must be initialized.
* \param mode The operation to perform:
* - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
* The ciphertext is written to \p output and the
@@ -132,22 +138,28 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
* calling this function in decryption mode.
* \param length The length of the input data, which is equal to the length
* of the output data.
- * \param iv The initialization vector.
+ * \param iv The initialization vector. This must be a readable buffer of
+ * at least \p iv_len Bytes.
* \param iv_len The length of the IV.
- * \param add The buffer holding the additional data.
+ * \param add The buffer holding the additional data. This must be of at
+ * least that size in Bytes.
* \param add_len The length of the additional data.
- * \param input The buffer holding the input data. Its size is \b length.
- * \param output The buffer for holding the output data. It must have room
- * for \b length bytes.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, this must be a readable buffer of at least that
+ * size in Bytes.
+ * \param output The buffer for holding the output data. If \p length is greater
+ * than zero, this must be a writable buffer of at least that
+ * size in Bytes.
* \param tag_len The length of the tag to generate.
- * \param tag The buffer for holding the tag.
+ * \param tag The buffer for holding the tag. This must be a readable
+ * buffer of at least \p tag_len Bytes.
*
* \return \c 0 if the encryption or decryption was performed
* successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
* this does not indicate that the data is authentic.
- * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths are not valid.
- * \return #MBEDTLS_ERR_GCM_HW_ACCEL_FAILED or a cipher-specific
- * error code if the encryption or decryption failed.
+ * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ * not valid or a cipher-specific error code if the encryption
+ * or decryption failed.
*/
int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
int mode,
@@ -169,24 +181,30 @@ int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
* input buffer. If the buffers overlap, the output buffer
* must trail at least 8 Bytes behind the input buffer.
*
- * \param ctx The GCM context.
+ * \param ctx The GCM context. This must be initialized.
* \param length The length of the ciphertext to decrypt, which is also
* the length of the decrypted plaintext.
- * \param iv The initialization vector.
+ * \param iv The initialization vector. This must be a readable buffer
+ * of at least \p iv_len Bytes.
* \param iv_len The length of the IV.
- * \param add The buffer holding the additional data.
+ * \param add The buffer holding the additional data. This must be of at
+ * least that size in Bytes.
* \param add_len The length of the additional data.
- * \param tag The buffer holding the tag to verify.
+ * \param tag The buffer holding the tag to verify. This must be a
+ * readable buffer of at least \p tag_len Bytes.
* \param tag_len The length of the tag to verify.
- * \param input The buffer holding the ciphertext. Its size is \b length.
- * \param output The buffer for holding the decrypted plaintext. It must
- * have room for \b length bytes.
+ * \param input The buffer holding the ciphertext. If \p length is greater
+ * than zero, this must be a readable buffer of at least that
+ * size.
+ * \param output The buffer for holding the decrypted plaintext. If \p length
+ * is greater than zero, this must be a writable buffer of at
+ * least that size.
*
* \return \c 0 if successful and authenticated.
* \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
- * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths are not valid.
- * \return #MBEDTLS_ERR_GCM_HW_ACCEL_FAILED or a cipher-specific
- * error code if the decryption failed.
+ * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ * not valid or a cipher-specific error code if the decryption
+ * failed.
*/
int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
size_t length,
@@ -203,15 +221,16 @@ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
* \brief This function starts a GCM encryption or decryption
* operation.
*
- * \param ctx The GCM context.
+ * \param ctx The GCM context. This must be initialized.
* \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or
* #MBEDTLS_GCM_DECRYPT.
- * \param iv The initialization vector.
+ * \param iv The initialization vector. This must be a readable buffer of
+ * at least \p iv_len Bytes.
* \param iv_len The length of the IV.
- * \param add The buffer holding the additional data, or NULL
- * if \p add_len is 0.
- * \param add_len The length of the additional data. If 0,
- * \p add is NULL.
+ * \param add The buffer holding the additional data, or \c NULL
+ * if \p add_len is \c 0.
+ * \param add_len The length of the additional data. If \c 0,
+ * \p add may be \c NULL.
*
* \return \c 0 on success.
*/
@@ -234,11 +253,15 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
* input buffer. If the buffers overlap, the output buffer
* must trail at least 8 Bytes behind the input buffer.
*
- * \param ctx The GCM context.
+ * \param ctx The GCM context. This must be initialized.
* \param length The length of the input data. This must be a multiple of
* 16 except in the last call before mbedtls_gcm_finish().
- * \param input The buffer holding the input data.
- * \param output The buffer for holding the output data.
+ * \param input The buffer holding the input data. If \p length is greater
+ * than zero, this must be a readable buffer of at least that
+ * size in Bytes.
+ * \param output The buffer for holding the output data. If \p length is
+ * greater than zero, this must be a writable buffer of at
+ * least that size in Bytes.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
@@ -255,9 +278,11 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
* It wraps up the GCM stream, and generates the
* tag. The tag can have a maximum length of 16 Bytes.
*
- * \param ctx The GCM context.
- * \param tag The buffer for holding the tag.
- * \param tag_len The length of the tag to generate. Must be at least four.
+ * \param ctx The GCM context. This must be initialized.
+ * \param tag The buffer for holding the tag. This must be a readable
+ * buffer of at least \p tag_len Bytes.
+ * \param tag_len The length of the tag to generate. This must be at least
+ * four.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
@@ -270,7 +295,8 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
* \brief This function clears a GCM context and the underlying
* cipher sub-context.
*
- * \param ctx The GCM context to clear.
+ * \param ctx The GCM context to clear. If this is \c NULL, the call has
+ * no effect. Otherwise, this must be initialized.
*/
void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
diff --git a/thirdparty/mbedtls/include/mbedtls/havege.h b/thirdparty/mbedtls/include/mbedtls/havege.h
index d4cb3ed38d..57e8c40943 100644
--- a/thirdparty/mbedtls/include/mbedtls/havege.h
+++ b/thirdparty/mbedtls/include/mbedtls/havege.h
@@ -35,7 +35,7 @@ extern "C" {
/**
* \brief HAVEGE state structure
*/
-typedef struct
+typedef struct mbedtls_havege_state
{
int PT1, PT2, offset[2];
int pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
diff --git a/thirdparty/mbedtls/include/mbedtls/hkdf.h b/thirdparty/mbedtls/include/mbedtls/hkdf.h
index 6833e7272e..e6ed7cde97 100644
--- a/thirdparty/mbedtls/include/mbedtls/hkdf.h
+++ b/thirdparty/mbedtls/include/mbedtls/hkdf.h
@@ -73,6 +73,11 @@ int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
* \brief Take the input keying material \p ikm and extract from it a
* fixed-length pseudorandom key \p prk.
*
+ * \warning This function should only be used if the security of it has been
+ * studied and established in that particular context (eg. TLS 1.3
+ * key schedule). For standard HKDF security guarantees use
+ * \c mbedtls_hkdf instead.
+ *
* \param md A hash function; md.size denotes the length of the
* hash function output in bytes.
* \param salt An optional salt value (a non-secret random value);
@@ -97,10 +102,15 @@ int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
* \brief Expand the supplied \p prk into several additional pseudorandom
* keys, which is the output of the HKDF.
*
+ * \warning This function should only be used if the security of it has been
+ * studied and established in that particular context (eg. TLS 1.3
+ * key schedule). For standard HKDF security guarantees use
+ * \c mbedtls_hkdf instead.
+ *
* \param md A hash function; md.size denotes the length of the hash
* function output in bytes.
- * \param prk A pseudorandom key of at least md.size bytes. \p prk is usually,
- * the output from the HKDF extract step.
+ * \param prk A pseudorandom key of at least md.size bytes. \p prk is
+ * usually the output from the HKDF extract step.
* \param prk_len The length in bytes of \p prk.
* \param info An optional context and application specific information
* string. This can be a zero-length string.
diff --git a/thirdparty/mbedtls/include/mbedtls/hmac_drbg.h b/thirdparty/mbedtls/include/mbedtls/hmac_drbg.h
index 2608de8595..146367b9de 100644
--- a/thirdparty/mbedtls/include/mbedtls/hmac_drbg.h
+++ b/thirdparty/mbedtls/include/mbedtls/hmac_drbg.h
@@ -74,7 +74,7 @@ extern "C" {
/**
* HMAC_DRBG context.
*/
-typedef struct
+typedef struct mbedtls_hmac_drbg_context
{
/* Working state: the key K is not stored explicitely,
* but is implied by the HMAC context */
@@ -195,10 +195,13 @@ void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
* \param additional Additional data to update state with, or NULL
* \param add_len Length of additional data, or 0
*
+ * \return \c 0 on success, or an error from the underlying
+ * hash calculation.
+ *
* \note Additional data is optional, pass NULL and 0 as second
* third argument if no additional data is being used.
*/
-void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
+int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
const unsigned char *additional, size_t add_len );
/**
@@ -257,6 +260,31 @@ int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len
*/
void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief HMAC_DRBG update state
+ *
+ * \deprecated Superseded by mbedtls_hmac_drbg_update_ret()
+ * in 2.16.0.
+ *
+ * \param ctx HMAC_DRBG context
+ * \param additional Additional data to update state with, or NULL
+ * \param add_len Length of additional data, or 0
+ *
+ * \note Additional data is optional, pass NULL and 0 as second
+ * third argument if no additional data is being used.
+ */
+MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
+ mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional, size_t add_len );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
#if defined(MBEDTLS_FS_IO)
/**
* \brief Write a seed file
diff --git a/thirdparty/mbedtls/include/mbedtls/md.h b/thirdparty/mbedtls/include/mbedtls/md.h
index 6b6f5c53dd..8bcf766a6c 100644
--- a/thirdparty/mbedtls/include/mbedtls/md.h
+++ b/thirdparty/mbedtls/include/mbedtls/md.h
@@ -39,6 +39,8 @@
#define MBEDTLS_ERR_MD_BAD_INPUT_DATA -0x5100 /**< Bad input parameters to function. */
#define MBEDTLS_ERR_MD_ALLOC_FAILED -0x5180 /**< Failed to allocate memory. */
#define MBEDTLS_ERR_MD_FILE_IO_ERROR -0x5200 /**< Opening or reading of file failed. */
+
+/* MBEDTLS_ERR_MD_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_MD_HW_ACCEL_FAILED -0x5280 /**< MD hardware accelerator failed. */
#ifdef __cplusplus
@@ -80,7 +82,8 @@ typedef struct mbedtls_md_info_t mbedtls_md_info_t;
/**
* The generic message-digest context.
*/
-typedef struct {
+typedef struct mbedtls_md_context_t
+{
/** Information about the associated message digest. */
const mbedtls_md_info_t *md_info;
diff --git a/thirdparty/mbedtls/include/mbedtls/md2.h b/thirdparty/mbedtls/include/mbedtls/md2.h
index 08e75b247b..f9bd98f804 100644
--- a/thirdparty/mbedtls/include/mbedtls/md2.h
+++ b/thirdparty/mbedtls/include/mbedtls/md2.h
@@ -37,6 +37,7 @@
#include <stddef.h>
+/* MBEDTLS_ERR_MD2_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED -0x002B /**< MD2 hardware accelerator failed */
#ifdef __cplusplus
@@ -55,7 +56,7 @@ extern "C" {
* stronger message digests instead.
*
*/
-typedef struct
+typedef struct mbedtls_md2_context
{
unsigned char cksum[16]; /*!< checksum of the data block */
unsigned char state[48]; /*!< intermediate digest state */
diff --git a/thirdparty/mbedtls/include/mbedtls/md4.h b/thirdparty/mbedtls/include/mbedtls/md4.h
index 8ee4e5cabf..dc3c048949 100644
--- a/thirdparty/mbedtls/include/mbedtls/md4.h
+++ b/thirdparty/mbedtls/include/mbedtls/md4.h
@@ -38,6 +38,7 @@
#include <stddef.h>
#include <stdint.h>
+/* MBEDTLS_ERR_MD4_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED -0x002D /**< MD4 hardware accelerator failed */
#ifdef __cplusplus
@@ -56,7 +57,7 @@ extern "C" {
* stronger message digests instead.
*
*/
-typedef struct
+typedef struct mbedtls_md4_context
{
uint32_t total[2]; /*!< number of bytes processed */
uint32_t state[4]; /*!< intermediate digest state */
diff --git a/thirdparty/mbedtls/include/mbedtls/md5.h b/thirdparty/mbedtls/include/mbedtls/md5.h
index 43ead4b747..6c3354fd30 100644
--- a/thirdparty/mbedtls/include/mbedtls/md5.h
+++ b/thirdparty/mbedtls/include/mbedtls/md5.h
@@ -37,6 +37,7 @@
#include <stddef.h>
#include <stdint.h>
+/* MBEDTLS_ERR_MD5_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED -0x002F /**< MD5 hardware accelerator failed */
#ifdef __cplusplus
@@ -55,7 +56,7 @@ extern "C" {
* stronger message digests instead.
*
*/
-typedef struct
+typedef struct mbedtls_md5_context
{
uint32_t total[2]; /*!< number of bytes processed */
uint32_t state[4]; /*!< intermediate digest state */
diff --git a/thirdparty/mbedtls/include/mbedtls/net_sockets.h b/thirdparty/mbedtls/include/mbedtls/net_sockets.h
index 9f07eeb4d3..4c7ef00fe6 100644
--- a/thirdparty/mbedtls/include/mbedtls/net_sockets.h
+++ b/thirdparty/mbedtls/include/mbedtls/net_sockets.h
@@ -84,7 +84,7 @@ extern "C" {
* (eg two file descriptors for combined IPv4 + IPv6 support, or additional
* structures for hand-made UDP demultiplexing).
*/
-typedef struct
+typedef struct mbedtls_net_context
{
int fd; /**< The underlying file descriptor */
}
diff --git a/thirdparty/mbedtls/include/mbedtls/oid.h b/thirdparty/mbedtls/include/mbedtls/oid.h
index f82554844c..6fbd018aaa 100644
--- a/thirdparty/mbedtls/include/mbedtls/oid.h
+++ b/thirdparty/mbedtls/include/mbedtls/oid.h
@@ -403,7 +403,8 @@ extern "C" {
/**
* \brief Base OID descriptor structure
*/
-typedef struct {
+typedef struct mbedtls_oid_descriptor_t
+{
const char *asn1; /*!< OID ASN.1 representation */
size_t asn1_len; /*!< length of asn1 */
const char *name; /*!< official name (e.g. from RFC) */
diff --git a/thirdparty/mbedtls/include/mbedtls/padlock.h b/thirdparty/mbedtls/include/mbedtls/padlock.h
index 677936ebf8..7a5d083a95 100644
--- a/thirdparty/mbedtls/include/mbedtls/padlock.h
+++ b/thirdparty/mbedtls/include/mbedtls/padlock.h
@@ -3,6 +3,9 @@
*
* \brief VIA PadLock ACE for HW encryption/decryption supported by some
* processors
+ *
+ * \warning These functions are only for internal use by other library
+ * functions; you must not call them directly.
*/
/*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
@@ -57,7 +60,10 @@ extern "C" {
#endif
/**
- * \brief PadLock detection routine
+ * \brief Internal PadLock detection routine
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
*
* \param feature The feature to detect
*
@@ -66,7 +72,10 @@ extern "C" {
int mbedtls_padlock_has_support( int feature );
/**
- * \brief PadLock AES-ECB block en(de)cryption
+ * \brief Internal PadLock AES-ECB block en(de)cryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
*
* \param ctx AES context
* \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
@@ -76,12 +85,15 @@ int mbedtls_padlock_has_support( int feature );
* \return 0 if success, 1 if operation failed
*/
int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
- int mode,
- const unsigned char input[16],
- unsigned char output[16] );
+ int mode,
+ const unsigned char input[16],
+ unsigned char output[16] );
/**
- * \brief PadLock AES-CBC buffer en(de)cryption
+ * \brief Internal PadLock AES-CBC buffer en(de)cryption
+ *
+ * \note This function is only for internal use by other library
+ * functions; you must not call it directly.
*
* \param ctx AES context
* \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
@@ -93,11 +105,11 @@ int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
* \return 0 if success, 1 if operation failed
*/
int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx,
- int mode,
- size_t length,
- unsigned char iv[16],
- const unsigned char *input,
- unsigned char *output );
+ int mode,
+ size_t length,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output );
#ifdef __cplusplus
}
diff --git a/thirdparty/mbedtls/include/mbedtls/pem.h b/thirdparty/mbedtls/include/mbedtls/pem.h
index 2cf4c0a709..fa82f7bdbd 100644
--- a/thirdparty/mbedtls/include/mbedtls/pem.h
+++ b/thirdparty/mbedtls/include/mbedtls/pem.h
@@ -51,7 +51,7 @@ extern "C" {
/**
* \brief PEM context structure
*/
-typedef struct
+typedef struct mbedtls_pem_context
{
unsigned char *buf; /*!< buffer for decoded data */
size_t buflen; /*!< length of the buffer */
diff --git a/thirdparty/mbedtls/include/mbedtls/pk.h b/thirdparty/mbedtls/include/mbedtls/pk.h
index ee06b2fd20..91950f9407 100644
--- a/thirdparty/mbedtls/include/mbedtls/pk.h
+++ b/thirdparty/mbedtls/include/mbedtls/pk.h
@@ -64,6 +64,8 @@
#define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00 /**< Elliptic curve is unsupported (only NIST curves are supported). */
#define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980 /**< Unavailable feature, e.g. RSA disabled for RSA key. */
#define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH -0x3900 /**< The buffer contains a valid signature followed by more data. */
+
+/* MBEDTLS_ERR_PK_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_PK_HW_ACCEL_FAILED -0x3880 /**< PK hardware accelerator failed. */
#ifdef __cplusplus
@@ -87,7 +89,7 @@ typedef enum {
* \brief Options for RSASSA-PSS signature verification.
* See \c mbedtls_rsa_rsassa_pss_verify_ext()
*/
-typedef struct
+typedef struct mbedtls_pk_rsassa_pss_options
{
mbedtls_md_type_t mgf1_hash_id;
int expected_salt_len;
@@ -107,7 +109,7 @@ typedef enum
/**
* \brief Item to send to the debug module
*/
-typedef struct
+typedef struct mbedtls_pk_debug_item
{
mbedtls_pk_debug_type type;
const char *name;
@@ -125,12 +127,26 @@ typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
/**
* \brief Public key container
*/
-typedef struct
+typedef struct mbedtls_pk_context
{
- const mbedtls_pk_info_t * pk_info; /**< Public key informations */
+ const mbedtls_pk_info_t * pk_info; /**< Public key information */
void * pk_ctx; /**< Underlying public key context */
} mbedtls_pk_context;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Context for resuming operations
+ */
+typedef struct
+{
+ const mbedtls_pk_info_t * pk_info; /**< Public key information */
+ void * rs_ctx; /**< Underlying restart context */
+} mbedtls_pk_restart_ctx;
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_pk_restart_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
#if defined(MBEDTLS_RSA_C)
/**
* Quick access to an RSA context inside a PK context.
@@ -181,20 +197,45 @@ typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)( void *ctx );
const mbedtls_pk_info_t *mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type );
/**
- * \brief Initialize a mbedtls_pk_context (as NONE)
+ * \brief Initialize a #mbedtls_pk_context (as NONE).
+ *
+ * \param ctx The context to initialize.
+ * This must not be \c NULL.
*/
void mbedtls_pk_init( mbedtls_pk_context *ctx );
/**
- * \brief Free a mbedtls_pk_context
+ * \brief Free the components of a #mbedtls_pk_context.
+ *
+ * \param ctx The context to clear. It must have been initialized.
+ * If this is \c NULL, this function does nothing.
*/
void mbedtls_pk_free( mbedtls_pk_context *ctx );
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Initialize a restart context
+ *
+ * \param ctx The context to initialize.
+ * This must not be \c NULL.
+ */
+void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx );
+
+/**
+ * \brief Free the components of a restart context
+ *
+ * \param ctx The context to clear. It must have been initialized.
+ * If this is \c NULL, this function does nothing.
+ */
+void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
/**
* \brief Initialize a PK context with the information given
* and allocates the type-specific PK subcontext.
*
- * \param ctx Context to initialize. Must be empty (type NONE).
+ * \param ctx Context to initialize. It must not have been set
+ * up yet (type #MBEDTLS_PK_NONE).
* \param info Information to use
*
* \return 0 on success,
@@ -210,7 +251,8 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
/**
* \brief Initialize an RSA-alt context
*
- * \param ctx Context to initialize. Must be empty (type NONE).
+ * \param ctx Context to initialize. It must not have been set
+ * up yet (type #MBEDTLS_PK_NONE).
* \param key RSA key pointer
* \param decrypt_func Decryption function
* \param sign_func Signing function
@@ -230,7 +272,7 @@ int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
/**
* \brief Get the size in bits of the underlying key
*
- * \param ctx Context to use
+ * \param ctx The context to query. It must have been initialized.
*
* \return Key size in bits, or 0 on error
*/
@@ -238,7 +280,8 @@ size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx );
/**
* \brief Get the length in bytes of the underlying key
- * \param ctx Context to use
+ *
+ * \param ctx The context to query. It must have been initialized.
*
* \return Key length in bytes, or 0 on error
*/
@@ -250,18 +293,21 @@ static inline size_t mbedtls_pk_get_len( const mbedtls_pk_context *ctx )
/**
* \brief Tell if a context can do the operation given by type
*
- * \param ctx Context to test
- * \param type Target type
+ * \param ctx The context to query. It must have been initialized.
+ * \param type The desired type.
*
- * \return 0 if context can't do the operations,
- * 1 otherwise.
+ * \return 1 if the context can do operations on the given type.
+ * \return 0 if the context cannot do the operations on the given
+ * type. This is always the case for a context that has
+ * been initialized but not set up, or that has been
+ * cleared with mbedtls_pk_free().
*/
int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
/**
* \brief Verify signature (including padding if relevant).
*
- * \param ctx PK context to use
+ * \param ctx The PK context to use. It must have been set up.
* \param md_alg Hash algorithm used (see notes)
* \param hash Hash of the message to sign
* \param hash_len Hash length or 0 (see notes)
@@ -287,12 +333,38 @@ int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
const unsigned char *sig, size_t sig_len );
/**
+ * \brief Restartable version of \c mbedtls_pk_verify()
+ *
+ * \note Performs the same job as \c mbedtls_pk_verify(), but can
+ * return early and restart according to the limit set with
+ * \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ * operations. For RSA, same as \c mbedtls_pk_verify().
+ *
+ * \param ctx The PK context to use. It must have been set up.
+ * \param md_alg Hash algorithm used (see notes)
+ * \param hash Hash of the message to sign
+ * \param hash_len Hash length or 0 (see notes)
+ * \param sig Signature to verify
+ * \param sig_len Signature length
+ * \param rs_ctx Restart context (NULL to disable restart)
+ *
+ * \return See \c mbedtls_pk_verify(), or
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ mbedtls_pk_restart_ctx *rs_ctx );
+
+/**
* \brief Verify signature, with options.
* (Includes verification of the padding depending on type.)
*
* \param type Signature type (inc. possible padding type) to verify
* \param options Pointer to type-specific options, or NULL
- * \param ctx PK context to use
+ * \param ctx The PK context to use. It must have been set up.
* \param md_alg Hash algorithm used (see notes)
* \param hash Hash of the message to sign
* \param hash_len Hash length or 0 (see notes)
@@ -323,7 +395,8 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
/**
* \brief Make signature, including padding if relevant.
*
- * \param ctx PK context to use - must hold a private key
+ * \param ctx The PK context to use. It must have been set up
+ * with a private key.
* \param md_alg Hash algorithm used (see notes)
* \param hash Hash of the message to sign
* \param hash_len Hash length or 0 (see notes)
@@ -350,9 +423,40 @@ int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
+ * \brief Restartable version of \c mbedtls_pk_sign()
+ *
+ * \note Performs the same job as \c mbedtls_pk_sign(), but can
+ * return early and restart according to the limit set with
+ * \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ * operations. For RSA, same as \c mbedtls_pk_sign().
+ *
+ * \param ctx The PK context to use. It must have been set up
+ * with a private key.
+ * \param md_alg Hash algorithm used (see notes)
+ * \param hash Hash of the message to sign
+ * \param hash_len Hash length or 0 (see notes)
+ * \param sig Place to write the signature
+ * \param sig_len Number of bytes written
+ * \param f_rng RNG function
+ * \param p_rng RNG parameter
+ * \param rs_ctx Restart context (NULL to disable restart)
+ *
+ * \return See \c mbedtls_pk_sign(), or
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ mbedtls_pk_restart_ctx *rs_ctx );
+
+/**
* \brief Decrypt message (including padding if relevant).
*
- * \param ctx PK context to use - must hold a private key
+ * \param ctx The PK context to use. It must have been set up
+ * with a private key.
* \param input Input to decrypt
* \param ilen Input size
* \param output Decrypted output
@@ -373,7 +477,7 @@ int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
/**
* \brief Encrypt message (including padding if relevant).
*
- * \param ctx PK context to use
+ * \param ctx The PK context to use. It must have been set up.
* \param input Message to encrypt
* \param ilen Message size
* \param output Encrypted output
@@ -404,7 +508,7 @@ int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_conte
/**
* \brief Export debug information
*
- * \param ctx Context to use
+ * \param ctx The PK context to use. It must have been initialized.
* \param items Place to write debug items
*
* \return 0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
@@ -414,7 +518,7 @@ int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *item
/**
* \brief Access the type name
*
- * \param ctx Context to use
+ * \param ctx The PK context to use. It must have been initialized.
*
* \return Type name on success, or "invalid PK"
*/
@@ -423,9 +527,10 @@ const char * mbedtls_pk_get_name( const mbedtls_pk_context *ctx );
/**
* \brief Get the key type
*
- * \param ctx Context to use
+ * \param ctx The PK context to use. It must have been initialized.
*
- * \return Type on success, or MBEDTLS_PK_NONE
+ * \return Type on success.
+ * \return #MBEDTLS_PK_NONE for a context that has not been set up.
*/
mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
@@ -434,12 +539,22 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
/**
* \brief Parse a private key in PEM or DER format
*
- * \param ctx key to be initialized
- * \param key input buffer
- * \param keylen size of the buffer
- * (including the terminating null byte for PEM data)
- * \param pwd password for decryption (optional)
- * \param pwdlen size of the password
+ * \param ctx The PK context to fill. It must have been initialized
+ * but not set up.
+ * \param key Input buffer to parse.
+ * The buffer must contain the input exactly, with no
+ * extra trailing material. For PEM, the buffer must
+ * contain a null-terminated string.
+ * \param keylen Size of \b key in bytes.
+ * For PEM data, this includes the terminating null byte,
+ * so \p keylen must be equal to `strlen(key) + 1`.
+ * \param pwd Optional password for decryption.
+ * Pass \c NULL if expecting a non-encrypted key.
+ * Pass a string of \p pwdlen bytes if expecting an encrypted
+ * key; a non-encrypted key will also be accepted.
+ * The empty password is not supported.
+ * \param pwdlen Size of the password in bytes.
+ * Ignored if \p pwd is \c NULL.
*
* \note On entry, ctx must be empty, either freshly initialised
* with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -457,10 +572,15 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *ctx,
/**
* \brief Parse a public key in PEM or DER format
*
- * \param ctx key to be initialized
- * \param key input buffer
- * \param keylen size of the buffer
- * (including the terminating null byte for PEM data)
+ * \param ctx The PK context to fill. It must have been initialized
+ * but not set up.
+ * \param key Input buffer to parse.
+ * The buffer must contain the input exactly, with no
+ * extra trailing material. For PEM, the buffer must
+ * contain a null-terminated string.
+ * \param keylen Size of \b key in bytes.
+ * For PEM data, this includes the terminating null byte,
+ * so \p keylen must be equal to `strlen(key) + 1`.
*
* \note On entry, ctx must be empty, either freshly initialised
* with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -478,9 +598,14 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
/**
* \brief Load and parse a private key
*
- * \param ctx key to be initialized
+ * \param ctx The PK context to fill. It must have been initialized
+ * but not set up.
* \param path filename to read the private key from
- * \param password password to decrypt the file (can be NULL)
+ * \param password Optional password to decrypt the file.
+ * Pass \c NULL if expecting a non-encrypted key.
+ * Pass a null-terminated string if expecting an encrypted
+ * key; a non-encrypted key will also be accepted.
+ * The empty password is not supported.
*
* \note On entry, ctx must be empty, either freshly initialised
* with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -497,7 +622,8 @@ int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
/**
* \brief Load and parse a public key
*
- * \param ctx key to be initialized
+ * \param ctx The PK context to fill. It must have been initialized
+ * but not set up.
* \param path filename to read the public key from
*
* \note On entry, ctx must be empty, either freshly initialised
@@ -520,7 +646,7 @@ int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
* return value to determine where you should start
* using the buffer
*
- * \param ctx private to write away
+ * \param ctx PK context which must contain a valid private key.
* \param buf buffer to write to
* \param size size of the buffer
*
@@ -535,7 +661,7 @@ int mbedtls_pk_write_key_der( mbedtls_pk_context *ctx, unsigned char *buf, size_
* return value to determine where you should start
* using the buffer
*
- * \param ctx public key to write away
+ * \param ctx PK context which must contain a valid public or private key.
* \param buf buffer to write to
* \param size size of the buffer
*
@@ -548,9 +674,10 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *ctx, unsigned char *buf, si
/**
* \brief Write a public key to a PEM string
*
- * \param ctx public key to write away
- * \param buf buffer to write to
- * \param size size of the buffer
+ * \param ctx PK context which must contain a valid public or private key.
+ * \param buf Buffer to write to. The output includes a
+ * terminating null byte.
+ * \param size Size of the buffer in bytes.
*
* \return 0 if successful, or a specific error code
*/
@@ -559,9 +686,10 @@ int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *ctx, unsigned char *buf, si
/**
* \brief Write a private key to a PKCS#1 or SEC1 PEM string
*
- * \param ctx private to write away
- * \param buf buffer to write to
- * \param size size of the buffer
+ * \param ctx PK context which must contain a valid private key.
+ * \param buf Buffer to write to. The output includes a
+ * terminating null byte.
+ * \param size Size of the buffer in bytes.
*
* \return 0 if successful, or a specific error code
*/
@@ -580,7 +708,8 @@ int mbedtls_pk_write_key_pem( mbedtls_pk_context *ctx, unsigned char *buf, size_
*
* \param p the position in the ASN.1 data
* \param end end of the buffer
- * \param pk the key to fill
+ * \param pk The PK context to fill. It must have been initialized
+ * but not set up.
*
* \return 0 if successful, or a specific PK error code
*/
@@ -595,7 +724,7 @@ int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
*
* \param p reference to current position pointer
* \param start start of the buffer (for bounds-checking)
- * \param key public key to write away
+ * \param key PK context which must contain a valid public or private key.
*
* \return the length written or a negative error code
*/
diff --git a/thirdparty/mbedtls/include/mbedtls/pk_internal.h b/thirdparty/mbedtls/include/mbedtls/pk_internal.h
index 3dae0fc5b2..48b7a5f7bf 100644
--- a/thirdparty/mbedtls/include/mbedtls/pk_internal.h
+++ b/thirdparty/mbedtls/include/mbedtls/pk_internal.h
@@ -59,6 +59,21 @@ struct mbedtls_pk_info_t
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /** Verify signature (restartable) */
+ int (*verify_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ const unsigned char *sig, size_t sig_len,
+ void *rs_ctx );
+
+ /** Make signature (restartable) */
+ int (*sign_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng, void *rs_ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
/** Decrypt message */
int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, size_t osize,
@@ -80,6 +95,14 @@ struct mbedtls_pk_info_t
/** Free the given context */
void (*ctx_free_func)( void *ctx );
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+ /** Allocate the restart context */
+ void * (*rs_alloc_func)( void );
+
+ /** Free the restart context */
+ void (*rs_free_func)( void *rs_ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
/** Interface with the debug module */
void (*debug_func)( const void *ctx, mbedtls_pk_debug_item *items );
diff --git a/thirdparty/mbedtls/include/mbedtls/pkcs11.h b/thirdparty/mbedtls/include/mbedtls/pkcs11.h
index bf65c55a79..02427ddc1e 100644
--- a/thirdparty/mbedtls/include/mbedtls/pkcs11.h
+++ b/thirdparty/mbedtls/include/mbedtls/pkcs11.h
@@ -50,7 +50,8 @@ extern "C" {
/**
* Context for PKCS #11 private keys.
*/
-typedef struct {
+typedef struct mbedtls_pkcs11_context
+{
pkcs11h_certificate_t pkcs11h_cert;
int len;
} mbedtls_pkcs11_context;
diff --git a/thirdparty/mbedtls/include/mbedtls/pkcs12.h b/thirdparty/mbedtls/include/mbedtls/pkcs12.h
index a621ef5b15..69f04177c8 100644
--- a/thirdparty/mbedtls/include/mbedtls/pkcs12.h
+++ b/thirdparty/mbedtls/include/mbedtls/pkcs12.h
@@ -46,6 +46,8 @@
extern "C" {
#endif
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
/**
* \brief PKCS12 Password Based function (encryption / decryption)
* for pbeWithSHAAnd128BitRC4
@@ -87,6 +89,8 @@ int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *input, size_t len,
unsigned char *output );
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
/**
* \brief The PKCS#12 derivation function uses a password and a salt
* to produce pseudo-random bits for a particular "purpose".
diff --git a/thirdparty/mbedtls/include/mbedtls/pkcs5.h b/thirdparty/mbedtls/include/mbedtls/pkcs5.h
index 9a3c9fddcc..d4bb36dfae 100644
--- a/thirdparty/mbedtls/include/mbedtls/pkcs5.h
+++ b/thirdparty/mbedtls/include/mbedtls/pkcs5.h
@@ -44,6 +44,8 @@
extern "C" {
#endif
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
/**
* \brief PKCS#5 PBES2 function
*
@@ -62,6 +64,8 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *data, size_t datalen,
unsigned char *output );
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
/**
* \brief PKCS#5 PBKDF2 using HMAC
*
diff --git a/thirdparty/mbedtls/include/mbedtls/platform.h b/thirdparty/mbedtls/include/mbedtls/platform.h
index 624cc642ac..89fe8a7b19 100644
--- a/thirdparty/mbedtls/include/mbedtls/platform.h
+++ b/thirdparty/mbedtls/include/mbedtls/platform.h
@@ -43,6 +43,9 @@
#include "platform_time.h"
#endif
+#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED -0x0070 /**< Hardware accelerator failed */
+#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072 /**< The requested feature is not supported by the platform */
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -315,7 +318,8 @@ int mbedtls_platform_set_nv_seed(
* \note This structure may be used to assist platform-specific
* setup or teardown operations.
*/
-typedef struct {
+typedef struct mbedtls_platform_context
+{
char dummy; /**< A placeholder member, as empty structs are not portable. */
}
mbedtls_platform_context;
diff --git a/thirdparty/mbedtls/include/mbedtls/platform_util.h b/thirdparty/mbedtls/include/mbedtls/platform_util.h
index 84f0732eeb..b0e72ad149 100644
--- a/thirdparty/mbedtls/include/mbedtls/platform_util.h
+++ b/thirdparty/mbedtls/include/mbedtls/platform_util.h
@@ -25,12 +25,104 @@
#ifndef MBEDTLS_PLATFORM_UTIL_H
#define MBEDTLS_PLATFORM_UTIL_H
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
#include <stddef.h>
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "mbedtls/platform_time.h"
+#include <time.h>
+#endif /* MBEDTLS_HAVE_TIME_DATE */
#ifdef __cplusplus
extern "C" {
#endif
+#if defined(MBEDTLS_CHECK_PARAMS)
+
+#if defined(MBEDTLS_PARAM_FAILED)
+/** An alternative definition of MBEDTLS_PARAM_FAILED has been set in config.h.
+ *
+ * This flag can be used to check whether it is safe to assume that
+ * MBEDTLS_PARAM_FAILED() will expand to a call to mbedtls_param_failed().
+ */
+#define MBEDTLS_PARAM_FAILED_ALT
+#else /* MBEDTLS_PARAM_FAILED */
+#define MBEDTLS_PARAM_FAILED( cond ) \
+ mbedtls_param_failed( #cond, __FILE__, __LINE__ )
+
+/**
+ * \brief User supplied callback function for parameter validation failure.
+ * See #MBEDTLS_CHECK_PARAMS for context.
+ *
+ * This function will be called unless an alternative treatement
+ * is defined through the #MBEDTLS_PARAM_FAILED macro.
+ *
+ * This function can return, and the operation will be aborted, or
+ * alternatively, through use of setjmp()/longjmp() can resume
+ * execution in the application code.
+ *
+ * \param failure_condition The assertion that didn't hold.
+ * \param file The file where the assertion failed.
+ * \param line The line in the file where the assertion failed.
+ */
+void mbedtls_param_failed( const char *failure_condition,
+ const char *file,
+ int line );
+#endif /* MBEDTLS_PARAM_FAILED */
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) \
+ do { \
+ if( !(cond) ) \
+ { \
+ MBEDTLS_PARAM_FAILED( cond ); \
+ return( ret ); \
+ } \
+ } while( 0 )
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE( cond ) \
+ do { \
+ if( !(cond) ) \
+ { \
+ MBEDTLS_PARAM_FAILED( cond ); \
+ return; \
+ } \
+ } while( 0 )
+
+#else /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal macros meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 )
+#define MBEDTLS_INTERNAL_VALIDATE( cond ) do { } while( 0 )
+
+#endif /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal helper macros for deprecating API constants. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+/* Deliberately don't (yet) export MBEDTLS_DEPRECATED here
+ * to avoid conflict with other headers which define and use
+ * it, too. We might want to move all these definitions here at
+ * some point for uniformity. */
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_string_constant_t;
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) \
+ ( (mbedtls_deprecated_string_constant_t) ( VAL ) )
+MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) \
+ ( (mbedtls_deprecated_numeric_constant_t) ( VAL ) )
+#undef MBEDTLS_DEPRECATED
+#else /* MBEDTLS_DEPRECATED_WARNING */
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) VAL
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
/**
* \brief Securely zeroize a buffer
*
@@ -55,6 +147,37 @@ extern "C" {
*/
void mbedtls_platform_zeroize( void *buf, size_t len );
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/**
+ * \brief Platform-specific implementation of gmtime_r()
+ *
+ * The function is a thread-safe abstraction that behaves
+ * similarly to the gmtime_r() function from Unix/POSIX.
+ *
+ * Mbed TLS will try to identify the underlying platform and
+ * make use of an appropriate underlying implementation (e.g.
+ * gmtime_r() for POSIX and gmtime_s() for Windows). If this is
+ * not possible, then gmtime() will be used. In this case, calls
+ * from the library to gmtime() will be guarded by the mutex
+ * mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is
+ * enabled. It is recommended that calls from outside the library
+ * are also guarded by this mutex.
+ *
+ * If MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, then Mbed TLS will
+ * unconditionally use the alternative implementation for
+ * mbedtls_platform_gmtime_r() supplied by the user at compile time.
+ *
+ * \param tt Pointer to an object containing time (in seconds) since the
+ * epoch to be converted
+ * \param tm_buf Pointer to an object where the results will be stored
+ *
+ * \return Pointer to an object of type struct tm on success, otherwise
+ * NULL
+ */
+struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
+ struct tm *tm_buf );
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
#ifdef __cplusplus
}
#endif
diff --git a/thirdparty/mbedtls/include/mbedtls/poly1305.h b/thirdparty/mbedtls/include/mbedtls/poly1305.h
index 54b50abc25..05866a2da6 100644
--- a/thirdparty/mbedtls/include/mbedtls/poly1305.h
+++ b/thirdparty/mbedtls/include/mbedtls/poly1305.h
@@ -43,7 +43,13 @@
#include <stddef.h>
#define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA -0x0057 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
#define MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE -0x0059 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
#define MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED -0x005B /**< Poly1305 hardware accelerator failed. */
#ifdef __cplusplus
@@ -52,7 +58,7 @@ extern "C" {
#if !defined(MBEDTLS_POLY1305_ALT)
-typedef struct
+typedef struct mbedtls_poly1305_context
{
uint32_t r[4]; /** The value for 'r' (low 128 bits of the key). */
uint32_t s[4]; /** The value for 's' (high 128 bits of the key). */
@@ -78,14 +84,18 @@ mbedtls_poly1305_context;
* \c mbedtls_poly1305_finish(), then finally
* \c mbedtls_poly1305_free().
*
- * \param ctx The Poly1305 context to initialize.
+ * \param ctx The Poly1305 context to initialize. This must
+ * not be \c NULL.
*/
void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx );
/**
- * \brief This function releases and clears the specified Poly1305 context.
+ * \brief This function releases and clears the specified
+ * Poly1305 context.
*
- * \param ctx The Poly1305 context to clear.
+ * \param ctx The Poly1305 context to clear. This may be \c NULL, in which
+ * case this function is a no-op. If it is not \c NULL, it must
+ * point to an initialized Poly1305 context.
*/
void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx );
@@ -96,11 +106,11 @@ void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx );
* invocation of Poly1305.
*
* \param ctx The Poly1305 context to which the key should be bound.
- * \param key The buffer containing the 256-bit key.
+ * This must be initialized.
+ * \param key The buffer containing the \c 32 Byte (\c 256 Bit) key.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if ctx or key are NULL.
+ * \return A negative error code on failure.
*/
int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
const unsigned char key[32] );
@@ -114,13 +124,14 @@ int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
* It can be called repeatedly to process a stream of data.
*
* \param ctx The Poly1305 context to use for the Poly1305 operation.
- * \param ilen The length of the input data (in bytes). Any value is accepted.
+ * This must be initialized and bound to a key.
+ * \param ilen The length of the input data in Bytes.
+ * Any value is accepted.
* \param input The buffer holding the input data.
- * This pointer can be NULL if ilen == 0.
+ * This pointer can be \c NULL if `ilen == 0`.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if ctx or input are NULL.
+ * \return A negative error code on failure.
*/
int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
const unsigned char *input,
@@ -131,12 +142,12 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
* Authentication Code (MAC).
*
* \param ctx The Poly1305 context to use for the Poly1305 operation.
- * \param mac The buffer to where the MAC is written. Must be big enough
- * to hold the 16-byte MAC.
+ * This must be initialized and bound to a key.
+ * \param mac The buffer to where the MAC is written. This must
+ * be a writable buffer of length \c 16 Bytes.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if ctx or mac are NULL.
+ * \return A negative error code on failure.
*/
int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
unsigned char mac[16] );
@@ -148,16 +159,16 @@ int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
* \warning The key must be unique and unpredictable for each
* invocation of Poly1305.
*
- * \param key The buffer containing the 256-bit key.
- * \param ilen The length of the input data (in bytes). Any value is accepted.
+ * \param key The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ * \param ilen The length of the input data in Bytes.
+ * Any value is accepted.
* \param input The buffer holding the input data.
- * This pointer can be NULL if ilen == 0.
- * \param mac The buffer to where the MAC is written. Must be big enough
- * to hold the 16-byte MAC.
+ * This pointer can be \c NULL if `ilen == 0`.
+ * \param mac The buffer to where the MAC is written. This must be
+ * a writable buffer of length \c 16 Bytes.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
- * if key, input, or mac are NULL.
+ * \return A negative error code on failure.
*/
int mbedtls_poly1305_mac( const unsigned char key[32],
const unsigned char *input,
diff --git a/thirdparty/mbedtls/include/mbedtls/ripemd160.h b/thirdparty/mbedtls/include/mbedtls/ripemd160.h
index a0dac0c360..c74b7d2c6c 100644
--- a/thirdparty/mbedtls/include/mbedtls/ripemd160.h
+++ b/thirdparty/mbedtls/include/mbedtls/ripemd160.h
@@ -33,6 +33,8 @@
#include <stddef.h>
#include <stdint.h>
+/* MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
#define MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED -0x0031 /**< RIPEMD160 hardware accelerator failed */
#ifdef __cplusplus
@@ -46,7 +48,7 @@ extern "C" {
/**
* \brief RIPEMD-160 context structure
*/
-typedef struct
+typedef struct mbedtls_ripemd160_context
{
uint32_t total[2]; /*!< number of bytes processed */
uint32_t state[5]; /*!< intermediate digest state */
diff --git a/thirdparty/mbedtls/include/mbedtls/rsa.h b/thirdparty/mbedtls/include/mbedtls/rsa.h
index 19eb2ee74c..ed65a34452 100644
--- a/thirdparty/mbedtls/include/mbedtls/rsa.h
+++ b/thirdparty/mbedtls/include/mbedtls/rsa.h
@@ -55,7 +55,12 @@
#define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
#define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
+
+/* MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is deprecated and should not be used.
+ */
#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
+
+/* MBEDTLS_ERR_RSA_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED -0x4580 /**< RSA hardware accelerator failed. */
/*
@@ -92,7 +97,7 @@ extern "C" {
* is deprecated. All manipulation should instead be done through
* the public interface functions.
*/
-typedef struct
+typedef struct mbedtls_rsa_context
{
int ver; /*!< Always 0.*/
size_t len; /*!< The size of \p N in Bytes. */
@@ -153,15 +158,16 @@ mbedtls_rsa_context;
* making signatures, but can be overriden for verifying them.
* If set to #MBEDTLS_MD_NONE, it is always overriden.
*
- * \param ctx The RSA context to initialize.
- * \param padding Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
- * #MBEDTLS_RSA_PKCS_V21.
- * \param hash_id The hash identifier of #mbedtls_md_type_t type, if
- * \p padding is #MBEDTLS_RSA_PKCS_V21.
+ * \param ctx The RSA context to initialize. This must not be \c NULL.
+ * \param padding The padding mode to use. This must be either
+ * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id The hash identifier of ::mbedtls_md_type_t type, if
+ * \p padding is #MBEDTLS_RSA_PKCS_V21. It is unused
+ * otherwise.
*/
void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
int padding,
- int hash_id);
+ int hash_id );
/**
* \brief This function imports a set of core parameters into an
@@ -183,11 +189,11 @@ void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
* for the lifetime of the RSA context being set up.
*
* \param ctx The initialized RSA context to store the parameters in.
- * \param N The RSA modulus, or NULL.
- * \param P The first prime factor of \p N, or NULL.
- * \param Q The second prime factor of \p N, or NULL.
- * \param D The private exponent, or NULL.
- * \param E The public exponent, or NULL.
+ * \param N The RSA modulus. This may be \c NULL.
+ * \param P The first prime factor of \p N. This may be \c NULL.
+ * \param Q The second prime factor of \p N. This may be \c NULL.
+ * \param D The private exponent. This may be \c NULL.
+ * \param E The public exponent. This may be \c NULL.
*
* \return \c 0 on success.
* \return A non-zero error code on failure.
@@ -217,16 +223,16 @@ int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
* for the lifetime of the RSA context being set up.
*
* \param ctx The initialized RSA context to store the parameters in.
- * \param N The RSA modulus, or NULL.
- * \param N_len The Byte length of \p N, ignored if \p N == NULL.
- * \param P The first prime factor of \p N, or NULL.
- * \param P_len The Byte length of \p P, ignored if \p P == NULL.
- * \param Q The second prime factor of \p N, or NULL.
- * \param Q_len The Byte length of \p Q, ignored if \p Q == NULL.
- * \param D The private exponent, or NULL.
- * \param D_len The Byte length of \p D, ignored if \p D == NULL.
- * \param E The public exponent, or NULL.
- * \param E_len The Byte length of \p E, ignored if \p E == NULL.
+ * \param N The RSA modulus. This may be \c NULL.
+ * \param N_len The Byte length of \p N; it is ignored if \p N == NULL.
+ * \param P The first prime factor of \p N. This may be \c NULL.
+ * \param P_len The Byte length of \p P; it ns ignored if \p P == NULL.
+ * \param Q The second prime factor of \p N. This may be \c NULL.
+ * \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL.
+ * \param D The private exponent. This may be \c NULL.
+ * \param D_len The Byte length of \p D; it is ignored if \p D == NULL.
+ * \param E The public exponent. This may be \c NULL.
+ * \param E_len The Byte length of \p E; it is ignored if \p E == NULL.
*
* \return \c 0 on success.
* \return A non-zero error code on failure.
@@ -281,7 +287,7 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
* zero Bytes.
*
* Possible reasons for returning
- * #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
+ * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
* <li>An alternative RSA implementation is in use, which
* stores the key externally, and either cannot or should
* not export it into RAM.</li>
@@ -294,14 +300,19 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
* the RSA context stays intact and remains usable.
*
* \param ctx The initialized RSA context.
- * \param N The MPI to hold the RSA modulus, or NULL.
- * \param P The MPI to hold the first prime factor of \p N, or NULL.
- * \param Q The MPI to hold the second prime factor of \p N, or NULL.
- * \param D The MPI to hold the private exponent, or NULL.
- * \param E The MPI to hold the public exponent, or NULL.
+ * \param N The MPI to hold the RSA modulus.
+ * This may be \c NULL if this field need not be exported.
+ * \param P The MPI to hold the first prime factor of \p N.
+ * This may be \c NULL if this field need not be exported.
+ * \param Q The MPI to hold the second prime factor of \p N.
+ * This may be \c NULL if this field need not be exported.
+ * \param D The MPI to hold the private exponent.
+ * This may be \c NULL if this field need not be exported.
+ * \param E The MPI to hold the public exponent.
+ * This may be \c NULL if this field need not be exported.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
+ * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
* requested parameters cannot be done due to missing
* functionality or because of security policies.
* \return A non-zero return code on any other failure.
@@ -321,7 +332,7 @@ int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
* zero Bytes.
*
* Possible reasons for returning
- * #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
+ * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
* <li>An alternative RSA implementation is in use, which
* stores the key externally, and either cannot or should
* not export it into RAM.</li>
@@ -336,21 +347,24 @@ int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
* buffer pointers are NULL.
*
* \param ctx The initialized RSA context.
- * \param N The Byte array to store the RSA modulus, or NULL.
+ * \param N The Byte array to store the RSA modulus,
+ * or \c NULL if this field need not be exported.
* \param N_len The size of the buffer for the modulus.
- * \param P The Byte array to hold the first prime factor of \p N, or
- * NULL.
+ * \param P The Byte array to hold the first prime factor of \p N,
+ * or \c NULL if this field need not be exported.
* \param P_len The size of the buffer for the first prime factor.
- * \param Q The Byte array to hold the second prime factor of \p N, or
- * NULL.
+ * \param Q The Byte array to hold the second prime factor of \p N,
+ * or \c NULL if this field need not be exported.
* \param Q_len The size of the buffer for the second prime factor.
- * \param D The Byte array to hold the private exponent, or NULL.
+ * \param D The Byte array to hold the private exponent,
+ * or \c NULL if this field need not be exported.
* \param D_len The size of the buffer for the private exponent.
- * \param E The Byte array to hold the public exponent, or NULL.
+ * \param E The Byte array to hold the public exponent,
+ * or \c NULL if this field need not be exported.
* \param E_len The size of the buffer for the public exponent.
*
* \return \c 0 on success.
- * \return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
+ * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
* requested parameters cannot be done due to missing
* functionality or because of security policies.
* \return A non-zero return code on any other failure.
@@ -370,9 +384,12 @@ int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
* mbedtls_rsa_deduce_opt().
*
* \param ctx The initialized RSA context.
- * \param DP The MPI to hold D modulo P-1, or NULL.
- * \param DQ The MPI to hold D modulo Q-1, or NULL.
- * \param QP The MPI to hold modular inverse of Q modulo P, or NULL.
+ * \param DP The MPI to hold \c D modulo `P-1`,
+ * or \c NULL if it need not be exported.
+ * \param DQ The MPI to hold \c D modulo `Q-1`,
+ * or \c NULL if it need not be exported.
+ * \param QP The MPI to hold modular inverse of \c Q modulo \c P,
+ * or \c NULL if it need not be exported.
*
* \return \c 0 on success.
* \return A non-zero error code on failure.
@@ -385,13 +402,13 @@ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
* \brief This function sets padding for an already initialized RSA
* context. See mbedtls_rsa_init() for details.
*
- * \param ctx The RSA context to be set.
- * \param padding Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
- * #MBEDTLS_RSA_PKCS_V21.
+ * \param ctx The initialized RSA context to be configured.
+ * \param padding The padding mode to use. This must be either
+ * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
* \param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier.
*/
void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
- int hash_id);
+ int hash_id );
/**
* \brief This function retrieves the length of RSA modulus in Bytes.
@@ -409,11 +426,14 @@ size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx );
* \note mbedtls_rsa_init() must be called before this function,
* to set up the RSA context.
*
- * \param ctx The RSA context used to hold the key.
- * \param f_rng The RNG function.
- * \param p_rng The RNG context.
+ * \param ctx The initialized RSA context used to hold the key.
+ * \param f_rng The RNG function to be used for key generation.
+ * This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng.
+ * This may be \c NULL if \p f_rng doesn't need a context.
* \param nbits The size of the public key in bits.
- * \param exponent The public exponent. For example, 65537.
+ * \param exponent The public exponent to use. For example, \c 65537.
+ * This must be odd and greater than \c 1.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -431,7 +451,7 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
* enough information is present to perform an RSA public key
* operation using mbedtls_rsa_public().
*
- * \param ctx The RSA context to check.
+ * \param ctx The initialized RSA context to check.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -470,7 +490,7 @@ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
* parameters, which goes beyond what is effectively checkable
* by the library.</li></ul>
*
- * \param ctx The RSA context to check.
+ * \param ctx The initialized RSA context to check.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -482,8 +502,8 @@ int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
*
* It checks each of the contexts, and makes sure they match.
*
- * \param pub The RSA context holding the public key.
- * \param prv The RSA context holding the private key.
+ * \param pub The initialized RSA context holding the public key.
+ * \param prv The initialized RSA context holding the private key.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -494,18 +514,19 @@ int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
/**
* \brief This function performs an RSA public key operation.
*
+ * \param ctx The initialized RSA context to use.
+ * \param input The input buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ *
* \note This function does not handle message padding.
*
* \note Make sure to set \p input[0] = 0 or ensure that
* input is smaller than \p N.
*
- * \note The input and output buffers must be large
- * enough. For example, 128 Bytes if RSA-1024 is used.
- *
- * \param ctx The RSA context.
- * \param input The input buffer.
- * \param output The output buffer.
- *
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
*/
@@ -516,9 +537,6 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
/**
* \brief This function performs an RSA private key operation.
*
- * \note The input and output buffers must be large
- * enough. For example, 128 Bytes if RSA-1024 is used.
- *
* \note Blinding is used if and only if a PRNG is provided.
*
* \note If blinding is used, both the base of exponentation
@@ -530,11 +548,18 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
* Future versions of the library may enforce the presence
* of a PRNG.
*
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Needed for blinding.
- * \param p_rng The RNG context.
- * \param input The input buffer.
- * \param output The output buffer.
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function, used for blinding. It is discouraged
+ * and deprecated to pass \c NULL here, in which case
+ * blinding will be omitted.
+ * \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL
+ * if \p f_rng is \c NULL or if \p f_rng doesn't need a context.
+ * \param input The input buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -553,9 +578,6 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
* It is the generic wrapper for performing a PKCS#1 encryption
* operation using the \p mode from the context.
*
- * \note The input and output buffers must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
* are likely to remove the \p mode argument and have it
@@ -563,16 +585,26 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Needed for padding, PKCS#1 v2.1
- * encoding, and #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param ilen The length of the plaintext.
- * \param input The buffer holding the data to encrypt.
- * \param output The buffer used to hold the ciphertext.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG to use. It is mandatory for PKCS#1 v2.1 padding
+ * encoding, and for PKCS#1 v1.5 padding encoding when used
+ * with \p mode set to #MBEDTLS_RSA_PUBLIC. For PKCS#1 v1.5
+ * padding encoding and \p mode set to #MBEDTLS_RSA_PRIVATE,
+ * it is used for blinding and should be provided in this
+ * case; see mbedtls_rsa_private() for more.
+ * \param p_rng The RNG context to be passed to \p f_rng. May be
+ * \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't
+ * need a context argument.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen The length of the plaintext in Bytes.
+ * \param input The input data to encrypt. This must be a readable
+ * buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -588,9 +620,6 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
* \brief This function performs a PKCS#1 v1.5 encryption operation
* (RSAES-PKCS1-v1_5-ENCRYPT).
*
- * \note The output buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
* are likely to remove the \p mode argument and have it
@@ -598,16 +627,24 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Needed for padding and
- * #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param ilen The length of the plaintext.
- * \param input The buffer holding the data to encrypt.
- * \param output The buffer used to hold the ciphertext.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function to use. It is needed for padding generation
+ * if \p mode is #MBEDTLS_RSA_PUBLIC. If \p mode is
+ * #MBEDTLS_RSA_PRIVATE (discouraged), it is used for
+ * blinding and should be provided; see mbedtls_rsa_private().
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng is \c NULL or if \p f_rng
+ * doesn't need a context argument.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen The length of the plaintext in Bytes.
+ * \param input The input data to encrypt. This must be a readable
+ * buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -633,18 +670,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Needed for padding and PKCS#1 v2.1
- * encoding and #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initnialized RSA context to use.
+ * \param f_rng The RNG function to use. This is needed for padding
+ * generation and must be provided.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may
+ * be \c NULL if \p f_rng doesn't need a context argument.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
* \param label The buffer holding the custom label to use.
- * \param label_len The length of the label.
- * \param ilen The length of the plaintext.
- * \param input The buffer holding the data to encrypt.
- * \param output The buffer used to hold the ciphertext.
+ * This must be a readable buffer of length \p label_len
+ * Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len The length of the label in Bytes.
+ * \param ilen The length of the plaintext buffer \p input in Bytes.
+ * \param input The input data to encrypt. This must be a readable
+ * buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output The output buffer. This must be a writable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -672,9 +716,6 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
* hold the decryption of the particular ciphertext provided,
* the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
*
- * \note The input buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
* are likely to remove the \p mode argument and have it
@@ -682,16 +723,25 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param olen The length of the plaintext.
- * \param input The buffer holding the encrypted data.
- * \param output The buffer used to hold the plaintext.
- * \param output_max_len The maximum length of the output buffer.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ * this is used for blinding and should be provided; see
+ * mbedtls_rsa_private() for more. If \p mode is
+ * #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen The address at which to store the length of
+ * the plaintext. This must not be \c NULL.
+ * \param input The ciphertext buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The buffer used to hold the plaintext. This must
+ * be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -715,9 +765,6 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
* hold the decryption of the particular ciphertext provided,
* the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
*
- * \note The input buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
* are likely to remove the \p mode argument and have it
@@ -725,16 +772,25 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param olen The length of the plaintext.
- * \param input The buffer holding the encrypted data.
- * \param output The buffer to hold the plaintext.
- * \param output_max_len The maximum length of the output buffer.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ * this is used for blinding and should be provided; see
+ * mbedtls_rsa_private() for more. If \p mode is
+ * #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen The address at which to store the length of
+ * the plaintext. This must not be \c NULL.
+ * \param input The ciphertext buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The buffer used to hold the plaintext. This must
+ * be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -760,9 +816,6 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
* ciphertext provided, the function returns
* #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
*
- * \note The input buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
* are likely to remove the \p mode argument and have it
@@ -770,18 +823,29 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ * this is used for blinding and should be provided; see
+ * mbedtls_rsa_private() for more. If \p mode is
+ * #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
* \param label The buffer holding the custom label to use.
- * \param label_len The length of the label.
- * \param olen The length of the plaintext.
- * \param input The buffer holding the encrypted data.
- * \param output The buffer to hold the plaintext.
- * \param output_max_len The maximum length of the output buffer.
+ * This must be a readable buffer of length \p label_len
+ * Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len The length of the label in Bytes.
+ * \param olen The address at which to store the length of
+ * the plaintext. This must not be \c NULL.
+ * \param input The ciphertext buffer. This must be a readable buffer
+ * of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
+ * \param output The buffer used to hold the plaintext. This must
+ * be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -817,18 +881,30 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Needed for PKCS#1 v2.1 encoding and for
- * #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function to use. If the padding mode is PKCS#1 v2.1,
+ * this must be provided. If the padding mode is PKCS#1 v1.5 and
+ * \p mode is #MBEDTLS_RSA_PRIVATE, it is used for blinding
+ * and should be provided; see mbedtls_rsa_private() for more
+ * more. It is ignored otherwise.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash The buffer holding the message digest.
- * \param sig The buffer to hold the ciphertext.
+ * \param hashlen The length of the message digest.
+ * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest or raw data.
+ * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ * buffer of length \p hashlen Bytes. If \p md_alg is not
+ * #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ * the size of the hash corresponding to \p md_alg.
+ * \param sig The buffer to hold the signature. This must be a writable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 if the signing operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -846,9 +922,6 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
* \brief This function performs a PKCS#1 v1.5 signature
* operation (RSASSA-PKCS1-v1_5-SIGN).
*
- * \note The \p sig buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
* are likely to remove the \p mode argument and have it
@@ -856,17 +929,29 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ * this is used for blinding and should be provided; see
+ * mbedtls_rsa_private() for more. If \p mode is
+ * #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash The buffer holding the message digest.
- * \param sig The buffer to hold the ciphertext.
+ * \param hashlen The length of the message digest.
+ * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest or raw data.
+ * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ * buffer of length \p hashlen Bytes. If \p md_alg is not
+ * #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ * the size of the hash corresponding to \p md_alg.
+ * \param sig The buffer to hold the signature. This must be a writable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 if the signing operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -884,9 +969,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
* \brief This function performs a PKCS#1 v2.1 PSS signature
* operation (RSASSA-PSS-SIGN).
*
- * \note The \p sig buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \note The \p hash_id in the RSA context is the one used for the
* encoding. \p md_alg in the function call is the type of hash
* that is encoded. According to <em>RFC-3447: Public-Key
@@ -894,6 +976,16 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
* Specifications</em> it is advised to keep both hashes the
* same.
*
+ * \note This function always uses the maximum possible salt size,
+ * up to the length of the payload hash. This choice of salt
+ * size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1
+ * v2.2) §9.1.1 step 3. Furthermore this function enforces a
+ * minimum salt size which is the hash size minus 2 bytes. If
+ * this minimum size is too large given the key size (the salt
+ * size, plus the hash size, plus 2 bytes must be no more than
+ * the key size in bytes), this function returns
+ * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
+ *
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
* are likely to remove the \p mode argument and have it
@@ -901,18 +993,26 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA context.
- * \param f_rng The RNG function. Needed for PKCS#1 v2.1 encoding and for
- * #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. It must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng doesn't need a context argument.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash The buffer holding the message digest.
- * \param sig The buffer to hold the ciphertext.
+ * \param hashlen The length of the message digest.
+ * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest or raw data.
+ * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ * buffer of length \p hashlen Bytes. If \p md_alg is not
+ * #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ * the size of the hash corresponding to \p md_alg.
+ * \param sig The buffer to hold the signature. This must be a writable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 if the signing operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -933,9 +1033,6 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
* This is the generic wrapper for performing a PKCS#1
* verification using the mode from the context.
*
- * \note The \p sig buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \note For PKCS#1 v2.1 encoding, see comments on
* mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
* \p hash_id.
@@ -947,17 +1044,28 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA public key context.
- * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA public key context to use.
+ * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ * this is used for blinding and should be provided; see
+ * mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash The buffer holding the message digest.
- * \param sig The buffer holding the ciphertext.
+ * \param hashlen The length of the message digest.
+ * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest or raw data.
+ * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ * buffer of length \p hashlen Bytes. If \p md_alg is not
+ * #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ * the size of the hash corresponding to \p md_alg.
+ * \param sig The buffer holding the signature. This must be a readable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 if the verify operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -975,9 +1083,6 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
* \brief This function performs a PKCS#1 v1.5 verification
* operation (RSASSA-PKCS1-v1_5-VERIFY).
*
- * \note The \p sig buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
* are likely to remove the \p mode argument and have it
@@ -985,17 +1090,28 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA public key context.
- * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA public key context to use.
+ * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ * this is used for blinding and should be provided; see
+ * mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash The buffer holding the message digest.
- * \param sig The buffer holding the ciphertext.
+ * \param hashlen The length of the message digest.
+ * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest or raw data.
+ * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ * buffer of length \p hashlen Bytes. If \p md_alg is not
+ * #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ * the size of the hash corresponding to \p md_alg.
+ * \param sig The buffer holding the signature. This must be a readable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 if the verify operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -1016,9 +1132,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
* The hash function for the MGF mask generating function
* is that specified in the RSA context.
*
- * \note The \p sig buffer must be as large as the size
- * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
* \note The \p hash_id in the RSA context is the one used for the
* verification. \p md_alg in the function call is the type of
* hash that is verified. According to <em>RFC-3447: Public-Key
@@ -1034,17 +1147,28 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
*
* \note Alternative implementations of RSA need not support
* mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \param ctx The RSA public key context.
- * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx The initialized RSA public key context to use.
+ * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ * this is used for blinding and should be provided; see
+ * mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash The buffer holding the message digest.
- * \param sig The buffer holding the ciphertext.
+ * \param hashlen The length of the message digest.
+ * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest or raw data.
+ * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ * buffer of length \p hashlen Bytes. If \p md_alg is not
+ * #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ * the size of the hash corresponding to \p md_alg.
+ * \param sig The buffer holding the signature. This must be a readable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 if the verify operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -1070,19 +1194,29 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
*
* \note The \p hash_id in the RSA context is ignored.
*
- * \param ctx The RSA public key context.
- * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng The RNG context.
- * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ctx The initialized RSA public key context to use.
+ * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ * this is used for blinding and should be provided; see
+ * mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode The mode of operation. This must be either
+ * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen The length of the message digest. Only used if \p md_alg is
- * #MBEDTLS_MD_NONE.
- * \param hash The buffer holding the message digest.
- * \param mgf1_hash_id The message digest used for mask generation.
- * \param expected_salt_len The length of the salt used in padding. Use
- * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
- * \param sig The buffer holding the ciphertext.
+ * \param hashlen The length of the message digest.
+ * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest or raw data.
+ * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ * buffer of length \p hashlen Bytes. If \p md_alg is not
+ * #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ * the size of the hash corresponding to \p md_alg.
+ * \param mgf1_hash_id The message digest used for mask generation.
+ * \param expected_salt_len The length of the salt used in padding. Use
+ * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+ * \param sig The buffer holding the signature. This must be a readable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus.
*
* \return \c 0 if the verify operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@@ -1101,8 +1235,8 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
/**
* \brief This function copies the components of an RSA context.
*
- * \param dst The destination context.
- * \param src The source context.
+ * \param dst The destination context. This must be initialized.
+ * \param src The source context. This must be initialized.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
@@ -1112,7 +1246,9 @@ int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
/**
* \brief This function frees the components of an RSA key.
*
- * \param ctx The RSA Context to free.
+ * \param ctx The RSA context to free. May be \c NULL, in which case
+ * this function is a no-op. If it is not \c NULL, it must
+ * point to an initialized RSA context.
*/
void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
diff --git a/thirdparty/mbedtls/include/mbedtls/sha1.h b/thirdparty/mbedtls/include/mbedtls/sha1.h
index 65a124c94b..38ea10b137 100644
--- a/thirdparty/mbedtls/include/mbedtls/sha1.h
+++ b/thirdparty/mbedtls/include/mbedtls/sha1.h
@@ -40,7 +40,9 @@
#include <stddef.h>
#include <stdint.h>
+/* MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED -0x0035 /**< SHA-1 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA1_BAD_INPUT_DATA -0x0073 /**< SHA-1 input data was malformed. */
#ifdef __cplusplus
extern "C" {
@@ -58,7 +60,7 @@ extern "C" {
* stronger message digests instead.
*
*/
-typedef struct
+typedef struct mbedtls_sha1_context
{
uint32_t total[2]; /*!< The number of Bytes processed. */
uint32_t state[5]; /*!< The intermediate digest state. */
@@ -78,6 +80,7 @@ mbedtls_sha1_context;
* stronger message digests instead.
*
* \param ctx The SHA-1 context to initialize.
+ * This must not be \c NULL.
*
*/
void mbedtls_sha1_init( mbedtls_sha1_context *ctx );
@@ -89,7 +92,10 @@ void mbedtls_sha1_init( mbedtls_sha1_context *ctx );
* constitutes a security risk. We recommend considering
* stronger message digests instead.
*
- * \param ctx The SHA-1 context to clear.
+ * \param ctx The SHA-1 context to clear. This may be \c NULL,
+ * in which case this function does nothing. If it is
+ * not \c NULL, it must point to an initialized
+ * SHA-1 context.
*
*/
void mbedtls_sha1_free( mbedtls_sha1_context *ctx );
@@ -101,8 +107,8 @@ void mbedtls_sha1_free( mbedtls_sha1_context *ctx );
* constitutes a security risk. We recommend considering
* stronger message digests instead.
*
- * \param dst The SHA-1 context to clone to.
- * \param src The SHA-1 context to clone from.
+ * \param dst The SHA-1 context to clone to. This must be initialized.
+ * \param src The SHA-1 context to clone from. This must be initialized.
*
*/
void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
@@ -115,9 +121,10 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
* constitutes a security risk. We recommend considering
* stronger message digests instead.
*
- * \param ctx The SHA-1 context to initialize.
+ * \param ctx The SHA-1 context to initialize. This must be initialized.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*
*/
int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx );
@@ -130,11 +137,14 @@ int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx );
* constitutes a security risk. We recommend considering
* stronger message digests instead.
*
- * \param ctx The SHA-1 context.
+ * \param ctx The SHA-1 context. This must be initialized
+ * and have a hash operation started.
* \param input The buffer holding the input data.
- * \param ilen The length of the input data.
+ * This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data \p input in Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
const unsigned char *input,
@@ -148,10 +158,13 @@ int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
* constitutes a security risk. We recommend considering
* stronger message digests instead.
*
- * \param ctx The SHA-1 context.
- * \param output The SHA-1 checksum result.
+ * \param ctx The SHA-1 context to use. This must be initialized and
+ * have a hash operation started.
+ * \param output The SHA-1 checksum result. This must be a writable
+ * buffer of length \c 20 Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
unsigned char output[20] );
@@ -163,10 +176,12 @@ int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
* constitutes a security risk. We recommend considering
* stronger message digests instead.
*
- * \param ctx The SHA-1 context.
- * \param data The data block being processed.
+ * \param ctx The SHA-1 context to use. This must be initialized.
+ * \param data The data block being processed. This must be a
+ * readable buffer of length \c 64 Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*
*/
int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
@@ -187,7 +202,7 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
*
* \deprecated Superseded by mbedtls_sha1_starts_ret() in 2.7.0.
*
- * \param ctx The SHA-1 context to initialize.
+ * \param ctx The SHA-1 context to initialize. This must be initialized.
*
*/
MBEDTLS_DEPRECATED void mbedtls_sha1_starts( mbedtls_sha1_context *ctx );
@@ -202,9 +217,11 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_starts( mbedtls_sha1_context *ctx );
*
* \deprecated Superseded by mbedtls_sha1_update_ret() in 2.7.0.
*
- * \param ctx The SHA-1 context.
+ * \param ctx The SHA-1 context. This must be initialized and
+ * have a hash operation started.
* \param input The buffer holding the input data.
- * \param ilen The length of the input data.
+ * This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data \p input in Bytes.
*
*/
MBEDTLS_DEPRECATED void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
@@ -221,9 +238,10 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
*
* \deprecated Superseded by mbedtls_sha1_finish_ret() in 2.7.0.
*
- * \param ctx The SHA-1 context.
+ * \param ctx The SHA-1 context. This must be initialized and
+ * have a hash operation started.
* \param output The SHA-1 checksum result.
- *
+ * This must be a writable buffer of length \c 20 Bytes.
*/
MBEDTLS_DEPRECATED void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
unsigned char output[20] );
@@ -237,8 +255,9 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
*
* \deprecated Superseded by mbedtls_internal_sha1_process() in 2.7.0.
*
- * \param ctx The SHA-1 context.
+ * \param ctx The SHA-1 context. This must be initialized.
* \param data The data block being processed.
+ * This must be a readable buffer of length \c 64 bytes.
*
*/
MBEDTLS_DEPRECATED void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
@@ -261,10 +280,13 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
* stronger message digests instead.
*
* \param input The buffer holding the input data.
- * \param ilen The length of the input data.
+ * This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data \p input in Bytes.
* \param output The SHA-1 checksum result.
+ * This must be a writable buffer of length \c 20 Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*
*/
int mbedtls_sha1_ret( const unsigned char *input,
@@ -293,8 +315,10 @@ int mbedtls_sha1_ret( const unsigned char *input,
* \deprecated Superseded by mbedtls_sha1_ret() in 2.7.0
*
* \param input The buffer holding the input data.
- * \param ilen The length of the input data.
- * \param output The SHA-1 checksum result.
+ * This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data \p input in Bytes.
+ * \param output The SHA-1 checksum result. This must be a writable
+ * buffer of size \c 20 Bytes.
*
*/
MBEDTLS_DEPRECATED void mbedtls_sha1( const unsigned char *input,
diff --git a/thirdparty/mbedtls/include/mbedtls/sha256.h b/thirdparty/mbedtls/include/mbedtls/sha256.h
index adf31a82ed..0e42f0abba 100644
--- a/thirdparty/mbedtls/include/mbedtls/sha256.h
+++ b/thirdparty/mbedtls/include/mbedtls/sha256.h
@@ -36,7 +36,9 @@
#include <stddef.h>
#include <stdint.h>
+/* MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED -0x0037 /**< SHA-256 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA256_BAD_INPUT_DATA -0x0074 /**< SHA-256 input data was malformed. */
#ifdef __cplusplus
extern "C" {
@@ -53,7 +55,7 @@ extern "C" {
* checksum calculations. The choice between these two is
* made in the call to mbedtls_sha256_starts_ret().
*/
-typedef struct
+typedef struct mbedtls_sha256_context
{
uint32_t total[2]; /*!< The number of Bytes processed. */
uint32_t state[8]; /*!< The intermediate digest state. */
@@ -70,22 +72,24 @@ mbedtls_sha256_context;
/**
* \brief This function initializes a SHA-256 context.
*
- * \param ctx The SHA-256 context to initialize.
+ * \param ctx The SHA-256 context to initialize. This must not be \c NULL.
*/
void mbedtls_sha256_init( mbedtls_sha256_context *ctx );
/**
* \brief This function clears a SHA-256 context.
*
- * \param ctx The SHA-256 context to clear.
+ * \param ctx The SHA-256 context to clear. This may be \c NULL, in which
+ * case this function returns immediately. If it is not \c NULL,
+ * it must point to an initialized SHA-256 context.
*/
void mbedtls_sha256_free( mbedtls_sha256_context *ctx );
/**
* \brief This function clones the state of a SHA-256 context.
*
- * \param dst The destination context.
- * \param src The context to clone.
+ * \param dst The destination context. This must be initialized.
+ * \param src The context to clone. This must be initialized.
*/
void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
const mbedtls_sha256_context *src );
@@ -94,11 +98,12 @@ void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
* \brief This function starts a SHA-224 or SHA-256 checksum
* calculation.
*
- * \param ctx The context to initialize.
- * \param is224 Determines which function to use:
- * 0: Use SHA-256, or 1: Use SHA-224.
+ * \param ctx The context to use. This must be initialized.
+ * \param is224 This determines which function to use. This must be
+ * either \c 0 for SHA-256, or \c 1 for SHA-224.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 );
@@ -106,11 +111,14 @@ int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 );
* \brief This function feeds an input buffer into an ongoing
* SHA-256 checksum calculation.
*
- * \param ctx The SHA-256 context.
- * \param input The buffer holding the data.
- * \param ilen The length of the input data.
+ * \param ctx The SHA-256 context. This must be initialized
+ * and have a hash operation started.
+ * \param input The buffer holding the data. This must be a readable
+ * buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
const unsigned char *input,
@@ -120,10 +128,13 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
* \brief This function finishes the SHA-256 operation, and writes
* the result to the output buffer.
*
- * \param ctx The SHA-256 context.
+ * \param ctx The SHA-256 context. This must be initialized
+ * and have a hash operation started.
* \param output The SHA-224 or SHA-256 checksum result.
+ * This must be a writable buffer of length \c 32 Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
unsigned char output[32] );
@@ -133,10 +144,12 @@ int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
* the ongoing SHA-256 computation. This function is for
* internal use only.
*
- * \param ctx The SHA-256 context.
- * \param data The buffer holding one block of data.
+ * \param ctx The SHA-256 context. This must be initialized.
+ * \param data The buffer holding one block of data. This must
+ * be a readable buffer of length \c 64 Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
const unsigned char data[64] );
@@ -151,12 +164,11 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
* \brief This function starts a SHA-224 or SHA-256 checksum
* calculation.
*
- *
* \deprecated Superseded by mbedtls_sha256_starts_ret() in 2.7.0.
*
- * \param ctx The context to initialize.
- * \param is224 Determines which function to use:
- * 0: Use SHA-256, or 1: Use SHA-224.
+ * \param ctx The context to use. This must be initialized.
+ * \param is224 Determines which function to use. This must be
+ * either \c 0 for SHA-256, or \c 1 for SHA-224.
*/
MBEDTLS_DEPRECATED void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
int is224 );
@@ -167,9 +179,11 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
*
* \deprecated Superseded by mbedtls_sha256_update_ret() in 2.7.0.
*
- * \param ctx The SHA-256 context to initialize.
- * \param input The buffer holding the data.
- * \param ilen The length of the input data.
+ * \param ctx The SHA-256 context to use. This must be
+ * initialized and have a hash operation started.
+ * \param input The buffer holding the data. This must be a readable
+ * buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
*/
MBEDTLS_DEPRECATED void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
const unsigned char *input,
@@ -181,8 +195,10 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
*
* \deprecated Superseded by mbedtls_sha256_finish_ret() in 2.7.0.
*
- * \param ctx The SHA-256 context.
- * \param output The SHA-224 or SHA-256 checksum result.
+ * \param ctx The SHA-256 context. This must be initialized and
+ * have a hash operation started.
+ * \param output The SHA-224 or SHA-256 checksum result. This must be
+ * a writable buffer of length \c 32 Bytes.
*/
MBEDTLS_DEPRECATED void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
unsigned char output[32] );
@@ -194,8 +210,9 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
*
* \deprecated Superseded by mbedtls_internal_sha256_process() in 2.7.0.
*
- * \param ctx The SHA-256 context.
- * \param data The buffer holding one block of data.
+ * \param ctx The SHA-256 context. This must be initialized.
+ * \param data The buffer holding one block of data. This must be
+ * a readable buffer of size \c 64 Bytes.
*/
MBEDTLS_DEPRECATED void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
const unsigned char data[64] );
@@ -213,11 +230,13 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
* The SHA-256 result is calculated as
* output = SHA-256(input buffer).
*
- * \param input The buffer holding the input data.
- * \param ilen The length of the input data.
- * \param output The SHA-224 or SHA-256 checksum result.
- * \param is224 Determines which function to use:
- * 0: Use SHA-256, or 1: Use SHA-224.
+ * \param input The buffer holding the data. This must be a readable
+ * buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ * \param output The SHA-224 or SHA-256 checksum result. This must
+ * be a writable buffer of length \c 32 Bytes.
+ * \param is224 Determines which function to use. This must be
+ * either \c 0 for SHA-256, or \c 1 for SHA-224.
*/
int mbedtls_sha256_ret( const unsigned char *input,
size_t ilen,
@@ -243,11 +262,13 @@ int mbedtls_sha256_ret( const unsigned char *input,
*
* \deprecated Superseded by mbedtls_sha256_ret() in 2.7.0.
*
- * \param input The buffer holding the data.
- * \param ilen The length of the input data.
- * \param output The SHA-224 or SHA-256 checksum result.
- * \param is224 Determines which function to use:
- * 0: Use SHA-256, or 1: Use SHA-224.
+ * \param input The buffer holding the data. This must be a readable
+ * buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ * \param output The SHA-224 or SHA-256 checksum result. This must be
+ * a writable buffer of length \c 32 Bytes.
+ * \param is224 Determines which function to use. This must be either
+ * \c 0 for SHA-256, or \c 1 for SHA-224.
*/
MBEDTLS_DEPRECATED void mbedtls_sha256( const unsigned char *input,
size_t ilen,
diff --git a/thirdparty/mbedtls/include/mbedtls/sha512.h b/thirdparty/mbedtls/include/mbedtls/sha512.h
index 5bb83f43bd..7b26cf5cc3 100644
--- a/thirdparty/mbedtls/include/mbedtls/sha512.h
+++ b/thirdparty/mbedtls/include/mbedtls/sha512.h
@@ -35,7 +35,9 @@
#include <stddef.h>
#include <stdint.h>
+/* MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED -0x0039 /**< SHA-512 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA512_BAD_INPUT_DATA -0x0075 /**< SHA-512 input data was malformed. */
#ifdef __cplusplus
extern "C" {
@@ -52,7 +54,7 @@ extern "C" {
* checksum calculations. The choice between these two is
* made in the call to mbedtls_sha512_starts_ret().
*/
-typedef struct
+typedef struct mbedtls_sha512_context
{
uint64_t total[2]; /*!< The number of Bytes processed. */
uint64_t state[8]; /*!< The intermediate digest state. */
@@ -69,22 +71,26 @@ mbedtls_sha512_context;
/**
* \brief This function initializes a SHA-512 context.
*
- * \param ctx The SHA-512 context to initialize.
+ * \param ctx The SHA-512 context to initialize. This must
+ * not be \c NULL.
*/
void mbedtls_sha512_init( mbedtls_sha512_context *ctx );
/**
* \brief This function clears a SHA-512 context.
*
- * \param ctx The SHA-512 context to clear.
+ * \param ctx The SHA-512 context to clear. This may be \c NULL,
+ * in which case this function does nothing. If it
+ * is not \c NULL, it must point to an initialized
+ * SHA-512 context.
*/
void mbedtls_sha512_free( mbedtls_sha512_context *ctx );
/**
* \brief This function clones the state of a SHA-512 context.
*
- * \param dst The destination context.
- * \param src The context to clone.
+ * \param dst The destination context. This must be initialized.
+ * \param src The context to clone. This must be initialized.
*/
void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
const mbedtls_sha512_context *src );
@@ -93,11 +99,12 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
* \brief This function starts a SHA-384 or SHA-512 checksum
* calculation.
*
- * \param ctx The SHA-512 context to initialize.
- * \param is384 Determines which function to use:
- * 0: Use SHA-512, or 1: Use SHA-384.
+ * \param ctx The SHA-512 context to use. This must be initialized.
+ * \param is384 Determines which function to use. This must be
+ * either \c for SHA-512, or \c 1 for SHA-384.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 );
@@ -105,11 +112,14 @@ int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 );
* \brief This function feeds an input buffer into an ongoing
* SHA-512 checksum calculation.
*
- * \param ctx The SHA-512 context.
- * \param input The buffer holding the input data.
- * \param ilen The length of the input data.
+ * \param ctx The SHA-512 context. This must be initialized
+ * and have a hash operation started.
+ * \param input The buffer holding the input data. This must
+ * be a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
const unsigned char *input,
@@ -120,10 +130,13 @@ int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
* the result to the output buffer. This function is for
* internal use only.
*
- * \param ctx The SHA-512 context.
+ * \param ctx The SHA-512 context. This must be initialized
+ * and have a hash operation started.
* \param output The SHA-384 or SHA-512 checksum result.
+ * This must be a writable buffer of length \c 64 Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
unsigned char output[64] );
@@ -132,10 +145,12 @@ int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
* \brief This function processes a single data block within
* the ongoing SHA-512 computation.
*
- * \param ctx The SHA-512 context.
- * \param data The buffer holding one block of data.
+ * \param ctx The SHA-512 context. This must be initialized.
+ * \param data The buffer holding one block of data. This
+ * must be a readable buffer of length \c 128 Bytes.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
const unsigned char data[128] );
@@ -151,9 +166,9 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
*
* \deprecated Superseded by mbedtls_sha512_starts_ret() in 2.7.0
*
- * \param ctx The SHA-512 context to initialize.
- * \param is384 Determines which function to use:
- * 0: Use SHA-512, or 1: Use SHA-384.
+ * \param ctx The SHA-512 context to use. This must be initialized.
+ * \param is384 Determines which function to use. This must be either
+ * \c 0 for SHA-512 or \c 1 for SHA-384.
*/
MBEDTLS_DEPRECATED void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
int is384 );
@@ -164,9 +179,11 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
*
* \deprecated Superseded by mbedtls_sha512_update_ret() in 2.7.0.
*
- * \param ctx The SHA-512 context.
- * \param input The buffer holding the data.
- * \param ilen The length of the input data.
+ * \param ctx The SHA-512 context. This must be initialized
+ * and have a hash operation started.
+ * \param input The buffer holding the data. This must be a readable
+ * buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
*/
MBEDTLS_DEPRECATED void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
const unsigned char *input,
@@ -178,8 +195,10 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
*
* \deprecated Superseded by mbedtls_sha512_finish_ret() in 2.7.0.
*
- * \param ctx The SHA-512 context.
- * \param output The SHA-384 or SHA-512 checksum result.
+ * \param ctx The SHA-512 context. This must be initialized
+ * and have a hash operation started.
+ * \param output The SHA-384 or SHA-512 checksum result. This must
+ * be a writable buffer of size \c 64 Bytes.
*/
MBEDTLS_DEPRECATED void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
unsigned char output[64] );
@@ -191,8 +210,9 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
*
* \deprecated Superseded by mbedtls_internal_sha512_process() in 2.7.0.
*
- * \param ctx The SHA-512 context.
- * \param data The buffer holding one block of data.
+ * \param ctx The SHA-512 context. This must be initialized.
+ * \param data The buffer holding one block of data. This must be
+ * a readable buffer of length \c 128 Bytes.
*/
MBEDTLS_DEPRECATED void mbedtls_sha512_process(
mbedtls_sha512_context *ctx,
@@ -211,13 +231,16 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_process(
* The SHA-512 result is calculated as
* output = SHA-512(input buffer).
*
- * \param input The buffer holding the input data.
- * \param ilen The length of the input data.
+ * \param input The buffer holding the input data. This must be
+ * a readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
* \param output The SHA-384 or SHA-512 checksum result.
- * \param is384 Determines which function to use:
- * 0: Use SHA-512, or 1: Use SHA-384.
+ * This must be a writable buffer of length \c 64 Bytes.
+ * \param is384 Determines which function to use. This must be either
+ * \c 0 for SHA-512, or \c 1 for SHA-384.
*
* \return \c 0 on success.
+ * \return A negative error code on failure.
*/
int mbedtls_sha512_ret( const unsigned char *input,
size_t ilen,
@@ -242,11 +265,13 @@ int mbedtls_sha512_ret( const unsigned char *input,
*
* \deprecated Superseded by mbedtls_sha512_ret() in 2.7.0
*
- * \param input The buffer holding the data.
- * \param ilen The length of the input data.
- * \param output The SHA-384 or SHA-512 checksum result.
- * \param is384 Determines which function to use:
- * 0: Use SHA-512, or 1: Use SHA-384.
+ * \param input The buffer holding the data. This must be a
+ * readable buffer of length \p ilen Bytes.
+ * \param ilen The length of the input data in Bytes.
+ * \param output The SHA-384 or SHA-512 checksum result. This must
+ * be a writable buffer of length \c 64 Bytes.
+ * \param is384 Determines which function to use. This must be either
+ * \c 0 for SHA-512, or \c 1 for SHA-384.
*/
MBEDTLS_DEPRECATED void mbedtls_sha512( const unsigned char *input,
size_t ilen,
diff --git a/thirdparty/mbedtls/include/mbedtls/ssl.h b/thirdparty/mbedtls/include/mbedtls/ssl.h
index 2d511a8ea1..8106bb4ab0 100644
--- a/thirdparty/mbedtls/include/mbedtls/ssl.h
+++ b/thirdparty/mbedtls/include/mbedtls/ssl.h
@@ -121,6 +121,8 @@
#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH -0x6600 /**< Couldn't set the hash for verifying CertificateVerify */
#define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING -0x6580 /**< Internal-only message signaling that further message-processing should be done */
#define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS -0x6500 /**< The asynchronous operation is not completed yet. */
+#define MBEDTLS_ERR_SSL_EARLY_MESSAGE -0x6480 /**< Internal-only message signaling that a message arrived early. */
+#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000 /**< A cryptographic operation is in progress. Try again later. */
/*
* Various constants
@@ -242,6 +244,14 @@
#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
#endif
+/*
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ */
+#if !defined(MBEDTLS_SSL_DTLS_MAX_BUFFERING)
+#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
+#endif
+
/* \} name SECTION: Module settings */
/*
@@ -1022,14 +1032,14 @@ struct mbedtls_ssl_context
int renego_records_seen; /*!< Records since renego request, or with DTLS,
number of retransmissions of request if
renego_max_records is < 0 */
-#endif
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
int major_ver; /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */
int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
unsigned badmac_seen; /*!< records with a bad MAC received */
-#endif
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
@@ -1085,11 +1095,11 @@ struct mbedtls_ssl_context
uint16_t in_epoch; /*!< DTLS epoch for incoming records */
size_t next_record_offset; /*!< offset of the next record in datagram
(equal to in_left if none) */
-#endif
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
uint64_t in_window_top; /*!< last validated record seq_num */
uint64_t in_window; /*!< bitmask for replay detection */
-#endif
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
size_t in_hslen; /*!< current handshake message length,
including the handshake header */
@@ -1098,6 +1108,11 @@ struct mbedtls_ssl_context
int keep_current_message; /*!< drop or reuse current message
on next call to record layer? */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ uint8_t disable_datagram_packing; /*!< Disable packing multiple records
+ * within a single datagram. */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
/*
* Record layer (outgoing data)
*/
@@ -1112,12 +1127,18 @@ struct mbedtls_ssl_context
size_t out_msglen; /*!< record header: message length */
size_t out_left; /*!< amount of data not yet written */
+ unsigned char cur_out_ctr[8]; /*!< Outgoing record sequence number. */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ uint16_t mtu; /*!< path mtu, used to fragment outgoing messages */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
#if defined(MBEDTLS_ZLIB_SUPPORT)
unsigned char *compress_buf; /*!< zlib data buffer */
-#endif
+#endif /* MBEDTLS_ZLIB_SUPPORT */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
signed char split_done; /*!< current record already splitted? */
-#endif
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
/*
* PKI layer
@@ -1130,11 +1151,11 @@ struct mbedtls_ssl_context
#if defined(MBEDTLS_X509_CRT_PARSE_C)
char *hostname; /*!< expected peer CN for verification
(and SNI if available) */
-#endif
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_ALPN)
const char *alpn_chosen; /*!< negotiated protocol */
-#endif
+#endif /* MBEDTLS_SSL_ALPN */
/*
* Information for DTLS hello verify
@@ -1142,7 +1163,7 @@ struct mbedtls_ssl_context
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
unsigned char *cli_id; /*!< transport-level ID of the client */
size_t cli_id_len; /*!< length of cli_id */
-#endif
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
/*
* Secure renegotiation
@@ -1154,7 +1175,7 @@ struct mbedtls_ssl_context
size_t verify_data_len; /*!< length of verify data stored */
char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */
char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */
-#endif
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
};
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
@@ -1374,6 +1395,52 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
mbedtls_ssl_recv_t *f_recv,
mbedtls_ssl_recv_timeout_t *f_recv_timeout );
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/**
+ * \brief Set the Maximum Tranport Unit (MTU).
+ * Special value: 0 means unset (no limit).
+ * This represents the maximum size of a datagram payload
+ * handled by the transport layer (usually UDP) as determined
+ * by the network link and stack. In practice, this controls
+ * the maximum size datagram the DTLS layer will pass to the
+ * \c f_send() callback set using \c mbedtls_ssl_set_bio().
+ *
+ * \note The limit on datagram size is converted to a limit on
+ * record payload by subtracting the current overhead of
+ * encapsulation and encryption/authentication if any.
+ *
+ * \note This can be called at any point during the connection, for
+ * example when a Path Maximum Transfer Unit (PMTU)
+ * estimate becomes available from other sources,
+ * such as lower (or higher) protocol layers.
+ *
+ * \note This setting only controls the size of the packets we send,
+ * and does not restrict the size of the datagrams we're
+ * willing to receive. Client-side, you can request the
+ * server to use smaller records with \c
+ * mbedtls_ssl_conf_max_frag_len().
+ *
+ * \note If both a MTU and a maximum fragment length have been
+ * configured (or negotiated with the peer), the resulting
+ * lower limit on record payload (see first note) is used.
+ *
+ * \note This can only be used to decrease the maximum size
+ * of datagrams (hence records, see first note) sent. It
+ * cannot be used to increase the maximum size of records over
+ * the limit set by #MBEDTLS_SSL_OUT_CONTENT_LEN.
+ *
+ * \note Values lower than the current record layer expansion will
+ * result in an error when trying to send data.
+ *
+ * \note Using record compression together with a non-zero MTU value
+ * will result in an error when trying to send data.
+ *
+ * \param ssl SSL context
+ * \param mtu Value of the path MTU in bytes
+ */
+void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
/**
* \brief Set the timeout period for mbedtls_ssl_read()
* (Default: no timeout.)
@@ -1757,6 +1824,38 @@ void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limi
#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/**
+ * \brief Allow or disallow packing of multiple handshake records
+ * within a single datagram.
+ *
+ * \param ssl The SSL context to configure.
+ * \param allow_packing This determines whether datagram packing may
+ * be used or not. A value of \c 0 means that every
+ * record will be sent in a separate datagram; a
+ * value of \c 1 means that, if space permits,
+ * multiple handshake messages (including CCS) belonging to
+ * a single flight may be packed within a single datagram.
+ *
+ * \note This is enabled by default and should only be disabled
+ * for test purposes, or if datagram packing causes
+ * interoperability issues with peers that don't support it.
+ *
+ * \note Allowing datagram packing reduces the network load since
+ * there's less overhead if multiple messages share the same
+ * datagram. Also, it increases the handshake efficiency
+ * since messages belonging to a single datagram will not
+ * be reordered in transit, and so future message buffering
+ * or flight retransmission (if no buffering is used) as
+ * means to deal with reordering are needed less frequently.
+ *
+ * \note Application records are not affected by this option and
+ * are currently always sent in separate datagrams.
+ *
+ */
+void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
+ unsigned allow_packing );
+
/**
* \brief Set retransmit timeout values for the DTLS handshake.
* (DTLS only, no effect on TLS.)
@@ -1945,6 +2044,14 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
* whether it matches those preferences - the server can then
* decide what it wants to do with it.
*
+ * \note The provided \p pk_key needs to match the public key in the
+ * first certificate in \p own_cert, or all handshakes using
+ * that certificate will fail. It is your responsibility
+ * to ensure that; this function will not perform any check.
+ * You may use mbedtls_pk_check_pair() in order to perform
+ * this check yourself, but be aware that this function can
+ * be computationally expensive on some key types.
+ *
* \param conf SSL configuration
* \param own_cert own public certificate chain
* \param pk_key own private key
@@ -2433,6 +2540,18 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
* (Client: set maximum fragment length to emit *and*
* negotiate with the server during handshake)
*
+ * \note With TLS, this currently only affects ApplicationData (sent
+ * with \c mbedtls_ssl_read()), not handshake messages.
+ * With DTLS, this affects both ApplicationData and handshake.
+ *
+ * \note This sets the maximum length for a record's payload,
+ * excluding record overhead that will be added to it, see
+ * \c mbedtls_ssl_get_record_expansion().
+ *
+ * \note For DTLS, it is also possible to set a limit for the total
+ * size of daragrams passed to the transport layer, including
+ * record overhead, see \c mbedtls_ssl_set_mtu().
+ *
* \param conf SSL configuration
* \param mfl_code Code for maximum fragment length (allowed values:
* MBEDTLS_SSL_MAX_FRAG_LEN_512, MBEDTLS_SSL_MAX_FRAG_LEN_1024,
@@ -2663,13 +2782,14 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
/**
* \brief Return the result of the certificate verification
*
- * \param ssl SSL context
+ * \param ssl The SSL context to use.
*
- * \return 0 if successful,
- * -1 if result is not available (eg because the handshake was
- * aborted too early), or
- * a combination of BADCERT_xxx and BADCRL_xxx flags, see
- * x509.h
+ * \return \c 0 if the certificate verification was successful.
+ * \return \c -1u if the result is not available. This may happen
+ * e.g. if the handshake aborts early, or a verification
+ * callback returned a fatal error.
+ * \return A bitwise combination of \c MBEDTLS_X509_BADCERT_XXX
+ * and \c MBEDTLS_X509_BADCRL_XXX failure flags; see x509.h.
*/
uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
@@ -2695,6 +2815,9 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl );
* \brief Return the (maximum) number of bytes added by the record
* layer: header + encryption/MAC overhead (inc. padding)
*
+ * \note This function is not available (always returns an error)
+ * when record compression is enabled.
+ *
* \param ssl SSL context
*
* \return Current maximum record expansion in bytes, or
@@ -2709,6 +2832,23 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
* This is the value negotiated with peer if any,
* or the locally configured value.
*
+ * \sa mbedtls_ssl_conf_max_frag_len()
+ * \sa mbedtls_ssl_get_max_record_payload()
+ *
+ * \param ssl SSL context
+ *
+ * \return Current maximum fragment length.
+ */
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+/**
+ * \brief Return the current maximum outgoing record payload in bytes.
+ * This takes into account the config.h setting \c
+ * MBEDTLS_SSL_OUT_CONTENT_LEN, the configured and negotiated
+ * max fragment length extension if used, and for DTLS the
+ * path MTU as configured and current record expansion.
+ *
* \note With DTLS, \c mbedtls_ssl_write() will return an error if
* called with a larger length value.
* With TLS, \c mbedtls_ssl_write() will fragment the input if
@@ -2716,12 +2856,19 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
* to the caller to call \c mbedtls_ssl_write() again in
* order to send the remaining bytes if any.
*
+ * \note This function is not available (always returns an error)
+ * when record compression is enabled.
+ *
+ * \sa mbedtls_ssl_set_mtu()
+ * \sa mbedtls_ssl_get_max_frag_len()
+ * \sa mbedtls_ssl_get_record_expansion()
+ *
* \param ssl SSL context
*
- * \return Current maximum fragment length.
+ * \return Current maximum payload for an outgoing record,
+ * or a negative error code.
*/
-size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
@@ -2776,35 +2923,50 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session
*
* \param ssl SSL context
*
- * \return 0 if successful, or
- * MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or
- * MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED (see below), or
- * a specific SSL error code.
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ * if the handshake is incomplete and waiting for data to
+ * be available for reading from or writing to the underlying
+ * transport - in this case you must call this function again
+ * when the underlying transport is ready for the operation.
+ * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ * operation is in progress (see
+ * mbedtls_ssl_conf_async_private_cb()) - in this case you
+ * must call this function again when the operation is ready.
+ * \return #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ * operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ * in this case you must call this function again to complete
+ * the handshake when you're done attending other tasks.
+ * \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
+ * and the client did not demonstrate reachability yet - in
+ * this case you must stop using the context (see below).
+ * \return Another SSL error code - in this case you must stop using
+ * the context (see below).
+ *
+ * \warning If this function returns something other than
+ * \c 0,
+ * #MBEDTLS_ERR_SSL_WANT_READ,
+ * #MBEDTLS_ERR_SSL_WANT_WRITE,
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * you must stop using the SSL context for reading or writing,
+ * and either free it or call \c mbedtls_ssl_session_reset()
+ * on it before re-using it for a new connection; the current
+ * connection must be closed.
*
- * If this function returns MBEDTLS_ERR_SSL_WANT_READ, the
- * handshake is unfinished and no further data is available
- * from the underlying transport. In this case, you must call
- * the function again at some later stage.
+ * \note If DTLS is in use, then you may choose to handle
+ * #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
+ * purposes, as it is an expected return value rather than an
+ * actual error, but you still need to reset/free the context.
*
* \note Remarks regarding event-driven DTLS:
- * If the function returns MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ * If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
* from the underlying transport layer is currently being processed,
* and it is safe to idle until the timer or the underlying transport
* signal a new event. This is not true for a successful handshake,
* in which case the datagram of the underlying transport that is
* currently being processed might or might not contain further
* DTLS records.
- *
- * \note If this function returns something other than 0 or
- * MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
- * the SSL context for reading or writing, and either free it or
- * call \c mbedtls_ssl_session_reset() on it before re-using it
- * for a new connection; the current connection must be closed.
- *
- * \note If DTLS is in use, then you may choose to handle
- * MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
- * purposes, as it is an expected return value rather than an
- * actual error, but you still need to reset/free the context.
*/
int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl );
@@ -2812,20 +2974,21 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl );
* \brief Perform a single step of the SSL handshake
*
* \note The state of the context (ssl->state) will be at
- * the next state after execution of this function. Do not
+ * the next state after this function returns \c 0. Do not
* call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
*
- * \note If this function returns something other than 0 or
- * MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
- * the SSL context for reading or writing, and either free it or
- * call \c mbedtls_ssl_session_reset() on it before re-using it
- * for a new connection; the current connection must be closed.
- *
* \param ssl SSL context
*
- * \return 0 if successful, or
- * MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or
- * a specific SSL error code.
+ * \return See mbedtls_ssl_handshake().
+ *
+ * \warning If this function returns something other than \c 0,
+ * #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ * the SSL context for reading or writing, and either free it
+ * or call \c mbedtls_ssl_session_reset() on it before
+ * re-using it for a new connection; the current connection
+ * must be closed.
*/
int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl );
@@ -2840,13 +3003,18 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl );
* \param ssl SSL context
*
* \return 0 if successful, or any mbedtls_ssl_handshake() return
- * value.
+ * value except #MBEDTLS_ERR_SSL_CLIENT_RECONNECT that can't
+ * happen during a renegotiation.
+ *
+ * \warning If this function returns something other than \c 0,
+ * #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ * the SSL context for reading or writing, and either free it
+ * or call \c mbedtls_ssl_session_reset() on it before
+ * re-using it for a new connection; the current connection
+ * must be closed.
*
- * \note If this function returns something other than 0 or
- * MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
- * the SSL context for reading or writing, and either free it or
- * call \c mbedtls_ssl_session_reset() on it before re-using it
- * for a new connection; the current connection must be closed.
*/
int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_RENEGOTIATION */
@@ -2858,42 +3026,56 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
* \param buf buffer that will hold the data
* \param len maximum number of bytes to read
*
- * \return One of the following:
- * - 0 if the read end of the underlying transport was closed,
- * - the (positive) number of bytes read, or
- * - a negative error code on failure.
- *
- * If MBEDTLS_ERR_SSL_WANT_READ is returned, no application data
- * is available from the underlying transport. In this case,
- * the function needs to be called again at some later stage.
- *
- * If MBEDTLS_ERR_SSL_WANT_WRITE is returned, a write is pending
- * but the underlying transport isn't available for writing. In this
- * case, the function needs to be called again at some later stage.
+ * \return The (positive) number of bytes read if successful.
+ * \return \c 0 if the read end of the underlying transport was closed
+ * - in this case you must stop using the context (see below).
+ * \return #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ * if the handshake is incomplete and waiting for data to
+ * be available for reading from or writing to the underlying
+ * transport - in this case you must call this function again
+ * when the underlying transport is ready for the operation.
+ * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ * operation is in progress (see
+ * mbedtls_ssl_conf_async_private_cb()) - in this case you
+ * must call this function again when the operation is ready.
+ * \return #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ * operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ * in this case you must call this function again to complete
+ * the handshake when you're done attending other tasks.
+ * \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
+ * side of a DTLS connection and the client is initiating a
+ * new connection using the same source port. See below.
+ * \return Another SSL error code - in this case you must stop using
+ * the context (see below).
+ *
+ * \warning If this function returns something other than
+ * a positive value,
+ * #MBEDTLS_ERR_SSL_WANT_READ,
+ * #MBEDTLS_ERR_SSL_WANT_WRITE,
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
+ * you must stop using the SSL context for reading or writing,
+ * and either free it or call \c mbedtls_ssl_session_reset()
+ * on it before re-using it for a new connection; the current
+ * connection must be closed.
*
- * When this function return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ * \note When this function returns #MBEDTLS_ERR_SSL_CLIENT_RECONNECT
* (which can only happen server-side), it means that a client
* is initiating a new connection using the same source port.
* You can either treat that as a connection close and wait
* for the client to resend a ClientHello, or directly
* continue with \c mbedtls_ssl_handshake() with the same
- * context (as it has beeen reset internally). Either way, you
- * should make sure this is seen by the application as a new
+ * context (as it has been reset internally). Either way, you
+ * must make sure this is seen by the application as a new
* connection: application state, if any, should be reset, and
* most importantly the identity of the client must be checked
* again. WARNING: not validating the identity of the client
* again, or not transmitting the new identity to the
* application layer, would allow authentication bypass!
*
- * \note If this function returns something other than a positive value
- * or MBEDTLS_ERR_SSL_WANT_READ/WRITE or MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
- * you must stop using the SSL context for reading or writing,
- * and either free it or call \c mbedtls_ssl_session_reset() on it
- * before re-using it for a new connection; the current connection
- * must be closed.
- *
* \note Remarks regarding event-driven DTLS:
- * - If the function returns MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ * - If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
* from the underlying transport layer is currently being processed,
* and it is safe to idle until the timer or the underlying transport
* signal a new event.
@@ -2922,21 +3104,39 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
* \param buf buffer holding the data
* \param len how many bytes must be written
*
- * \return the number of bytes actually written (may be less than len),
- * or MBEDTLS_ERR_SSL_WANT_WRITE or MBEDTLS_ERR_SSL_WANT_READ,
- * or another negative error code.
- *
- * \note If this function returns something other than 0, a positive
- * value or MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop
- * using the SSL context for reading or writing, and either
- * free it or call \c mbedtls_ssl_session_reset() on it before
- * re-using it for a new connection; the current connection
- * must be closed.
+ * \return The (non-negative) number of bytes actually written if
+ * successful (may be less than \p len).
+ * \return #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ * if the handshake is incomplete and waiting for data to
+ * be available for reading from or writing to the underlying
+ * transport - in this case you must call this function again
+ * when the underlying transport is ready for the operation.
+ * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ * operation is in progress (see
+ * mbedtls_ssl_conf_async_private_cb()) - in this case you
+ * must call this function again when the operation is ready.
+ * \return #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ * operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ * in this case you must call this function again to complete
+ * the handshake when you're done attending other tasks.
+ * \return Another SSL error code - in this case you must stop using
+ * the context (see below).
+ *
+ * \warning If this function returns something other than
+ * a non-negative value,
+ * #MBEDTLS_ERR_SSL_WANT_READ,
+ * #MBEDTLS_ERR_SSL_WANT_WRITE,
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ * you must stop using the SSL context for reading or writing,
+ * and either free it or call \c mbedtls_ssl_session_reset()
+ * on it before re-using it for a new connection; the current
+ * connection must be closed.
*
- * \note When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ,
+ * \note When this function returns #MBEDTLS_ERR_SSL_WANT_WRITE/READ,
* it must be called later with the *same* arguments,
* until it returns a value greater that or equal to 0. When
- * the function returns MBEDTLS_ERR_SSL_WANT_WRITE there may be
+ * the function returns #MBEDTLS_ERR_SSL_WANT_WRITE there may be
* some partial data in the output buffer, however this is not
* yet sent.
*
diff --git a/thirdparty/mbedtls/include/mbedtls/ssl_cookie.h b/thirdparty/mbedtls/include/mbedtls/ssl_cookie.h
index 80b65bbbb9..6a0ad4fa96 100644
--- a/thirdparty/mbedtls/include/mbedtls/ssl_cookie.h
+++ b/thirdparty/mbedtls/include/mbedtls/ssl_cookie.h
@@ -50,7 +50,7 @@ extern "C" {
/**
* \brief Context for the default cookie functions.
*/
-typedef struct
+typedef struct mbedtls_ssl_cookie_ctx
{
mbedtls_md_context_t hmac_ctx; /*!< context for the HMAC portion */
#if !defined(MBEDTLS_HAVE_TIME)
diff --git a/thirdparty/mbedtls/include/mbedtls/ssl_internal.h b/thirdparty/mbedtls/include/mbedtls/ssl_internal.h
index d214703d77..97abb9f90b 100644
--- a/thirdparty/mbedtls/include/mbedtls/ssl_internal.h
+++ b/thirdparty/mbedtls/include/mbedtls/ssl_internal.h
@@ -93,6 +93,14 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+/* Shorthand for restartable ECC */
+#if defined(MBEDTLS_ECP_RESTARTABLE) && \
+ defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_SSL__ECP_RESTARTABLE
+#endif
+
#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
@@ -155,6 +163,9 @@
#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
+/* The maximum number of buffered handshake messages. */
+#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
+
/* Maximum length we can advertise as our max content length for
RFC 6066 max_fragment_length extension negotiation purposes
(the lesser of both sizes, if they are unequal.)
@@ -284,7 +295,18 @@ struct mbedtls_ssl_handshake_params
mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ int ecrs_enabled; /*!< Handshake supports EC restart? */
+ mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
+ enum { /* this complements ssl->state with info on intra-state operations */
+ ssl_ecrs_none = 0, /*!< nothing going on (yet) */
+ ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
+ ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
+ ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
+ ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
+ } ecrs_state; /*!< current (or last) operation */
+ size_t ecrs_n; /*!< place for saving a length */
+#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
@@ -294,18 +316,45 @@ struct mbedtls_ssl_handshake_params
unsigned char verify_cookie_len; /*!< Cli: cookie length
Srv: flag for sending a cookie */
- unsigned char *hs_msg; /*!< Reassembled handshake message */
-
uint32_t retransmit_timeout; /*!< Current value of timeout */
unsigned char retransmit_state; /*!< Retransmission state */
- mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
- mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
+ mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
+ mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
+ unsigned char *cur_msg_p; /*!< Position in current message */
unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
flight being received */
mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
resending messages */
unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
for resending messages */
+
+ struct
+ {
+ size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
+ * buffers used for message buffering. */
+
+ uint8_t seen_ccs; /*!< Indicates if a CCS message has
+ * been seen in the current flight. */
+
+ struct mbedtls_ssl_hs_buffer
+ {
+ unsigned is_valid : 1;
+ unsigned is_fragmented : 1;
+ unsigned is_complete : 1;
+ unsigned char *data;
+ size_t data_len;
+ } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
+
+ struct
+ {
+ unsigned char *data;
+ size_t len;
+ unsigned epoch;
+ } future_record;
+
+ } buffering;
+
+ uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
/*
@@ -364,6 +413,8 @@ struct mbedtls_ssl_handshake_params
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
};
+typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
+
/*
* This structure contains a full set of runtime transform parameters
* either in negotiation or active.
@@ -478,7 +529,6 @@ int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
-int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
@@ -490,7 +540,10 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
* of the logic of (D)TLS from the implementation
* of the secure transport.
*
- * \param ssl SSL context to use
+ * \param ssl The SSL context to use.
+ * \param update_hs_digest This indicates if the handshake digest
+ * should be automatically updated in case
+ * a handshake message is found.
*
* \return 0 or non-zero error code.
*
@@ -556,10 +609,12 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
* following the above definition.
*
*/
-int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
+ unsigned update_hs_digest );
int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
-int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
@@ -668,6 +723,7 @@ static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
#endif
/* Visible for testing purposes only */
diff --git a/thirdparty/mbedtls/include/mbedtls/ssl_ticket.h b/thirdparty/mbedtls/include/mbedtls/ssl_ticket.h
index 93ad46ac9c..b2686df09f 100644
--- a/thirdparty/mbedtls/include/mbedtls/ssl_ticket.h
+++ b/thirdparty/mbedtls/include/mbedtls/ssl_ticket.h
@@ -44,7 +44,7 @@ extern "C" {
/**
* \brief Information for session ticket protection
*/
-typedef struct
+typedef struct mbedtls_ssl_ticket_key
{
unsigned char name[4]; /*!< random key identifier */
uint32_t generation_time; /*!< key generation timestamp (seconds) */
@@ -55,7 +55,7 @@ mbedtls_ssl_ticket_key;
/**
* \brief Context for session ticket handling functions
*/
-typedef struct
+typedef struct mbedtls_ssl_ticket_context
{
mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys */
unsigned char active; /*!< index of the currently active key */
diff --git a/thirdparty/mbedtls/include/mbedtls/threading.h b/thirdparty/mbedtls/include/mbedtls/threading.h
index c25daa5cdf..92e6e6b987 100644
--- a/thirdparty/mbedtls/include/mbedtls/threading.h
+++ b/thirdparty/mbedtls/include/mbedtls/threading.h
@@ -36,13 +36,16 @@
extern "C" {
#endif
+/* MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
#define MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE -0x001A /**< The selected feature is not available. */
+
#define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA -0x001C /**< Bad input parameters to function. */
#define MBEDTLS_ERR_THREADING_MUTEX_ERROR -0x001E /**< Locking / unlocking / free failed with error code. */
#if defined(MBEDTLS_THREADING_PTHREAD)
#include <pthread.h>
-typedef struct
+typedef struct mbedtls_threading_mutex_t
{
pthread_mutex_t mutex;
char is_valid;
@@ -99,6 +102,17 @@ extern int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t *mutex );
#if defined(MBEDTLS_FS_IO)
extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
#endif
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+/* This mutex may or may not be used in the default definition of
+ * mbedtls_platform_gmtime_r(), but in order to determine that,
+ * we need to check POSIX features, hence modify _POSIX_C_SOURCE.
+ * With the current approach, this declaration is orphaned, lacking
+ * an accompanying definition, in case mbedtls_platform_gmtime_r()
+ * doesn't need it, but that's not a problem. */
+extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
#endif /* MBEDTLS_THREADING_C */
#ifdef __cplusplus
diff --git a/thirdparty/mbedtls/include/mbedtls/timing.h b/thirdparty/mbedtls/include/mbedtls/timing.h
index bbcb90688a..a965fe0d35 100644
--- a/thirdparty/mbedtls/include/mbedtls/timing.h
+++ b/thirdparty/mbedtls/include/mbedtls/timing.h
@@ -51,7 +51,7 @@ struct mbedtls_timing_hr_time
/**
* \brief Context for mbedtls_timing_set/get_delay()
*/
-typedef struct
+typedef struct mbedtls_timing_delay_context
{
struct mbedtls_timing_hr_time timer;
uint32_t int_ms;
diff --git a/thirdparty/mbedtls/include/mbedtls/version.h b/thirdparty/mbedtls/include/mbedtls/version.h
index eaf25d908c..56e7398a2a 100644
--- a/thirdparty/mbedtls/include/mbedtls/version.h
+++ b/thirdparty/mbedtls/include/mbedtls/version.h
@@ -39,7 +39,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 2
-#define MBEDTLS_VERSION_MINOR 12
+#define MBEDTLS_VERSION_MINOR 16
#define MBEDTLS_VERSION_PATCH 0
/**
@@ -47,9 +47,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x020C0000
-#define MBEDTLS_VERSION_STRING "2.12.0"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.12.0"
+#define MBEDTLS_VERSION_NUMBER 0x02100000
+#define MBEDTLS_VERSION_STRING "2.16.0"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.0"
#if defined(MBEDTLS_VERSION_C)
diff --git a/thirdparty/mbedtls/include/mbedtls/x509_crt.h b/thirdparty/mbedtls/include/mbedtls/x509_crt.h
index ac23cffe84..3dd5922486 100644
--- a/thirdparty/mbedtls/include/mbedtls/x509_crt.h
+++ b/thirdparty/mbedtls/include/mbedtls/x509_crt.h
@@ -105,7 +105,7 @@ mbedtls_x509_crt;
*
* All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
*/
-typedef struct
+typedef struct mbedtls_x509_crt_profile
{
uint32_t allowed_mds; /**< MDs for signatures */
uint32_t allowed_pks; /**< PK algs for signatures */
@@ -143,6 +143,63 @@ typedef struct mbedtls_x509write_cert
}
mbedtls_x509write_cert;
+/**
+ * Item in a verification chain: cert and flags for it
+ */
+typedef struct {
+ mbedtls_x509_crt *crt;
+ uint32_t flags;
+} mbedtls_x509_crt_verify_chain_item;
+
+/**
+ * Max size of verification chain: end-entity + intermediates + trusted root
+ */
+#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
+
+/**
+ * Verification chain as built by \c mbedtls_crt_verify_chain()
+ */
+typedef struct
+{
+ mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
+ unsigned len;
+} mbedtls_x509_crt_verify_chain;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief Context for resuming X.509 verify operations
+ */
+typedef struct
+{
+ /* for check_signature() */
+ mbedtls_pk_restart_ctx pk;
+
+ /* for find_parent_in() */
+ mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
+ mbedtls_x509_crt *fallback_parent;
+ int fallback_signature_is_good;
+
+ /* for find_parent() */
+ int parent_is_trusted; /* -1 if find_parent is not in progress */
+
+ /* for verify_chain() */
+ enum {
+ x509_crt_rs_none,
+ x509_crt_rs_find_parent,
+ } in_progress; /* none if no operation is in progress */
+ int self_cnt;
+ mbedtls_x509_crt_verify_chain ver_chain;
+
+} mbedtls_x509_crt_restart_ctx;
+
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_x509_crt_restart_ctx;
+
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
* Default security profile. Should provide a good balance between security
@@ -175,19 +232,34 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *bu
size_t buflen );
/**
- * \brief Parse one or more certificates and add them
- * to the chained list. Parses permissively. If some
- * certificates can be parsed, the result is the number
- * of failed certificates it encountered. If none complete
- * correctly, the first error is returned.
+ * \brief Parse one DER-encoded or one or more concatenated PEM-encoded
+ * certificates and add them to the chained list.
*
- * \param chain points to the start of the chain
- * \param buf buffer holding the certificate data in PEM or DER format
- * \param buflen size of the buffer
- * (including the terminating null byte for PEM data)
+ * For CRTs in PEM encoding, the function parses permissively:
+ * if at least one certificate can be parsed, the function
+ * returns the number of certificates for which parsing failed
+ * (hence \c 0 if all certificates were parsed successfully).
+ * If no certificate could be parsed, the function returns
+ * the first (negative) error encountered during parsing.
+ *
+ * PEM encoded certificates may be interleaved by other data
+ * such as human readable descriptions of their content, as
+ * long as the certificates are enclosed in the PEM specific
+ * '-----{BEGIN/END} CERTIFICATE-----' delimiters.
+ *
+ * \param chain The chain to which to add the parsed certificates.
+ * \param buf The buffer holding the certificate data in PEM or DER format.
+ * For certificates in PEM encoding, this may be a concatenation
+ * of multiple certificates; for DER encoding, the buffer must
+ * comprise exactly one certificate.
+ * \param buflen The size of \p buf, including the terminating \c NULL byte
+ * in case of PEM encoded data.
+ *
+ * \return \c 0 if all certificates were parsed successfully.
+ * \return The (positive) number of certificates that couldn't
+ * be parsed if parsing was partly successful (see above).
+ * \return A negative X509 or PEM error code otherwise.
*
- * \return 0 if all certificates parsed successfully, a positive number
- * if partly successful or a specific X509 or PEM error code
*/
int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
@@ -353,6 +425,37 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
+/**
+ * \brief Restartable version of \c mbedtls_crt_verify_with_profile()
+ *
+ * \note Performs the same job as \c mbedtls_crt_verify_with_profile()
+ * but can return early and restart according to the limit
+ * set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param crt a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl the list of CRLs for trusted CAs
+ * \param profile security profile for verification
+ * \param cn expected Common Name (can be set to
+ * NULL if the CN must not be verified)
+ * \param flags result of the verification
+ * \param f_vrfy verification function
+ * \param p_vrfy verification parameter
+ * \param rs_ctx restart context (NULL to disable restart)
+ *
+ * \return See \c mbedtls_crt_verify_with_profile(), or
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
+ mbedtls_x509_crt *trust_ca,
+ mbedtls_x509_crl *ca_crl,
+ const mbedtls_x509_crt_profile *profile,
+ const char *cn, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+ void *p_vrfy,
+ mbedtls_x509_crt_restart_ctx *rs_ctx );
+
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
/**
* \brief Check usage of certificate against keyUsage extension.
@@ -424,6 +527,18 @@ void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
* \param crt Certificate chain to free
*/
void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx );
+
+/**
+ * \brief Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/* \} name */
diff --git a/thirdparty/mbedtls/include/mbedtls/xtea.h b/thirdparty/mbedtls/include/mbedtls/xtea.h
index 8df708a3a5..6430c1318a 100644
--- a/thirdparty/mbedtls/include/mbedtls/xtea.h
+++ b/thirdparty/mbedtls/include/mbedtls/xtea.h
@@ -37,6 +37,8 @@
#define MBEDTLS_XTEA_DECRYPT 0
#define MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH -0x0028 /**< The data input has an invalid length. */
+
+/* MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED -0x0029 /**< XTEA hardware accelerator failed. */
#ifdef __cplusplus
@@ -50,7 +52,7 @@ extern "C" {
/**
* \brief XTEA context structure
*/
-typedef struct
+typedef struct mbedtls_xtea_context
{
uint32_t k[4]; /*!< key */
}