Merge pull request #10675 from 0xc0170/update-mbedtls-2.18.0-rc1

Update mbedtls 2.18.0 rc1

Author: 0xc0170

components/TARGET_PSA/services/crypto/COMPONENT_SPE/psa_crypto_partition.c

@@ -1453,7 +1453,7 @@ static void psa_entropy_operation(void)
         }
 
         case PSA_IPC_CALL: {
-#if (defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO))
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
             unsigned char *seed = NULL;
             uint32_t bytes_read;
             size_t seed_size = msg.in_size[0];
@@ -1479,7 +1479,7 @@ static void psa_entropy_operation(void)
             mbedtls_free(seed);
 #else
             status = PSA_ERROR_NOT_SUPPORTED;
-#endif /* MBEDTLS_ENTROPY_NV_SEED && MBEDTLS_PSA_HAS_ITS_IO*/
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
             break;
         }
 

features/mbedtls/VERSION.txt

@@ -1 +1 @@
-mbedtls-2.17.0
+mbedtls-2.18.0-rc2

features/mbedtls/importer/Makefile

@@ -27,8 +27,8 @@
 #
 
 # Set the mbed TLS release to import (this can/should be edited before import)
-MBED_TLS_RELEASE ?= mbedtls-2.17.0
-MBED_TLS_REPO_URL ?= [email protected]:ARMmbed/mbedtls.git
+MBED_TLS_RELEASE ?= mbedtls-2.18.0-rc2
+MBED_TLS_REPO_URL ?= [email protected]:ARMmbed/mbedtls-restricted.git
 
 # Translate between mbed TLS namespace and mbed namespace
 TARGET_PREFIX:=../
@@ -41,6 +41,67 @@ MBED_TLS_DIR:=TARGET_IGNORE/mbedtls
 MBED_TLS_API:=$(MBED_TLS_DIR)/include/mbedtls
 MBED_TLS_GIT_CFG=$(MBED_TLS_DIR)/.git/config
 
+CRYPTO_SRC := \
+	$(TARGET_SRC)/aes.c \
+	$(TARGET_SRC)/aesni.c \
+	$(TARGET_SRC)/arc4.c \
+	$(TARGET_SRC)/aria.c \
+	$(TARGET_SRC)/asn1parse.c \
+	$(TARGET_SRC)/asn1write.c \
+	$(TARGET_SRC)/base64.c \
+	$(TARGET_SRC)/bignum.c \
+	$(TARGET_SRC)/blowfish.c \
+	$(TARGET_SRC)/camellia.c \
+	$(TARGET_SRC)/ccm.c \
+	$(TARGET_SRC)/chacha20.c \
+	$(TARGET_SRC)/chachapoly.c \
+	$(TARGET_SRC)/cipher.c \
+	$(TARGET_SRC)/cipher_wrap.c \
+	$(TARGET_SRC)/cmac.c \
+	$(TARGET_SRC)/ctr_drbg.c \
+	$(TARGET_SRC)/des.c \
+	$(TARGET_SRC)/dhm.c \
+	$(TARGET_SRC)/ecdh.c \
+	$(TARGET_SRC)/ecdsa.c \
+	$(TARGET_SRC)/ecjpake.c \
+	$(TARGET_SRC)/ecp.c \
+	$(TARGET_SRC)/ecp_curves.c \
+	$(TARGET_SRC)/entropy.c \
+	$(TARGET_SRC)/entropy_poll.c \
+	$(TARGET_SRC)/gcm.c \
+	$(TARGET_SRC)/havege.c \
+	$(TARGET_SRC)/hkdf.c \
+	$(TARGET_SRC)/hmac_drbg.c \
+	$(TARGET_SRC)/md.c \
+	$(TARGET_SRC)/md2.c \
+	$(TARGET_SRC)/md4.c \
+	$(TARGET_SRC)/md5.c \
+	$(TARGET_SRC)/md_wrap.c \
+	$(TARGET_SRC)/memory_buffer_alloc.c \
+	$(TARGET_SRC)/nist_kw.c \
+	$(TARGET_SRC)/oid.c \
+	$(TARGET_SRC)/padlock.c \
+	$(TARGET_SRC)/pem.c \
+	$(TARGET_SRC)/pk.c \
+	$(TARGET_SRC)/pk_wrap.c \
+	$(TARGET_SRC)/pkcs12.c \
+	$(TARGET_SRC)/pkcs5.c \
+	$(TARGET_SRC)/pkparse.c \
+	$(TARGET_SRC)/pkwrite.c \
+	$(TARGET_SRC)/platform.c \
+	$(TARGET_SRC)/platform_util.c \
+	$(TARGET_SRC)/poly1305.c \
+	$(TARGET_SRC)/ripemd160.c \
+	$(TARGET_SRC)/rsa_internal.c \
+	$(TARGET_SRC)/rsa.c \
+	$(TARGET_SRC)/sha1.c \
+	$(TARGET_SRC)/sha256.c \
+	$(TARGET_SRC)/sha512.c \
+	$(TARGET_SRC)/threading.c \
+	$(TARGET_SRC)/timing.c \
+	$(TARGET_SRC)/xtea.c \
+	# end
+
 .PHONY: all deploy deploy-tests rsync mbedtls clean update
 
 all: mbedtls
@@ -53,6 +114,9 @@ rsync:
 	rm -rf $(TARGET_SRC)
 	rsync -a --exclude='*.txt' $(MBED_TLS_DIR)/library/ $(TARGET_SRC)
 	#
+	# Remove files that duplicate Mbed Crypto
+	rm -rf $(CRYPTO_SRC)
+	#
 	# Copying mbed TLS headers to mbed includes...
 	rm -rf $(TARGET_INC)
 	mkdir -p $(TARGET_INC)
@@ -86,14 +150,16 @@ update: $(MBED_TLS_GIT_CFG)  $(MBED_TLS_HA_GIT_CFG)
 	# Updating to the specified mbed TLS library version
 	# (If it is not an initial checkout we will start with the repository
 	# being in a detached head state)
-	git -C $(MBED_TLS_DIR) checkout development
-	git -C $(MBED_TLS_DIR) pull --rebase origin development
+	git -C $(MBED_TLS_DIR) fetch
 	#
 	# Checking out the required release
 	git -C $(MBED_TLS_DIR) checkout $(MBED_TLS_RELEASE)
 	#
+	# Update and checkout git submodules
+	git -C $(MBED_TLS_DIR) submodule update --init --recursive
+	#
 	# Updating checked out version tag
-	echo $(MBED_TLS_RELEASE) > $(TARGET_PREFIX)VERSION.txt
+	git -C $(MBED_TLS_DIR) describe --tags --abbrev=12 --dirty --always > $(TARGET_PREFIX)VERSION.txt
 
 $(MBED_TLS_GIT_CFG):
 	rm -rf $(MBED_TLS_DIR)

features/mbedtls/inc/mbedtls/asn1write.h

@@ -33,11 +33,12 @@
 #include "asn1.h"
 
 #define MBEDTLS_ASN1_CHK_ADD(g, f)                      \
-    do {                                                \
-        if( ( ret = f ) < 0 )                           \
+    do                                                  \
+    {                                                   \
+        if( ( ret = (f) ) < 0 )                         \
             return( ret );                              \
         else                                            \
-            g += ret;                                   \
+            (g) += ret;                                 \
     } while( 0 )
 
 #ifdef __cplusplus

features/mbedtls/inc/mbedtls/bignum.h

@@ -46,7 +46,12 @@
 #define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE                    -0x000E  /**< The input arguments are not acceptable. */
 #define MBEDTLS_ERR_MPI_ALLOC_FAILED                      -0x0010  /**< Memory allocation failed. */
 
-#define MBEDTLS_MPI_CHK(f) do { if( ( ret = f ) != 0 ) goto cleanup; } while( 0 )
+#define MBEDTLS_MPI_CHK(f)       \
+    do                           \
+    {                            \
+        if( ( ret = (f) ) != 0 ) \
+            goto cleanup;        \
+    } while( 0 )
 
 /*
  * Maximum size MPIs are allowed to grow to in number of limbs.
@@ -490,8 +495,24 @@ int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf,
                              size_t buflen );
 
 /**
- * \brief          Export an MPI into unsigned big endian binary data
- *                 of fixed size.
+ * \brief          Import X from unsigned binary data, little endian
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param buf      The input buffer. This must be a readable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The length of the input buffer \p p in Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_read_binary_le( mbedtls_mpi *X,
+                                const unsigned char *buf, size_t buflen );
+
+/**
+ * \brief          Export X into unsigned binary data, big endian.
+ *                 Always fills the whole buffer, which will start with zeros
+ *                 if the number is smaller.
  *
  * \param X        The source MPI. This must point to an initialized MPI.
  * \param buf      The output buffer. This must be a writable buffer of length
@@ -506,6 +527,24 @@ int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf,
 int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf,
                               size_t buflen );
 
+/**
+ * \brief          Export X into unsigned binary data, little endian.
+ *                 Always fills the whole buffer, which will end with zeros
+ *                 if the number is smaller.
+ *
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param buf      The output buffer. This must be a writable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The size of the output buffer \p buf in Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ *                 large enough to hold the value of \p X.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_write_binary_le( const mbedtls_mpi *X,
+                                 unsigned char *buf, size_t buflen );
+
 /**
  * \brief          Perform a left-shift on an MPI: X <<= count
  *

features/mbedtls/inc/mbedtls/check_config.h

@@ -125,6 +125,11 @@
 #error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative or PSA-based ECP implementation"
 #endif
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)           && \
+    ! defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+#error "MBEDTLS_ECP_RESTARTABLE defined, but not MBEDTLS_ECDH_LEGACY_CONTEXT"
+#endif
+
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
 #error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
 #endif
@@ -525,26 +530,25 @@
 #error "MBEDTLS_PSA_CRYPTO_SPM defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) && defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C)
-#error "Only one of MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C or MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C can be defined"
-#endif
-
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) &&            \
-    !( defined(MBEDTLS_PSA_CRYPTO_C) &&                 \
-       ( defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) ||  \
-         defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C) ) )
+    ! defined(MBEDTLS_PSA_CRYPTO_C)
 #error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) &&            \
-    !( defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) &&           \
-       defined(MBEDTLS_FS_IO) )
-#error "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C defined, but not all prerequisites"
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) &&      \
+    !( defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \
+       defined(MBEDTLS_ENTROPY_NV_SEED) )
+#error "MBEDTLS_PSA_INJECT_ENTROPY defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) &&              \
+    !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+#error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with actual entropy sources"
 #endif
 
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C) &&             \
-    ! defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-#error "MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C defined, but not all prerequisites"
+#if defined(MBEDTLS_PSA_ITS_FILE_C) && \
+    !defined(MBEDTLS_FS_IO)
+#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
 #endif
 
 #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \

features/mbedtls/inc/mbedtls/cipher.h

@@ -176,6 +176,12 @@ typedef enum {
     MBEDTLS_CIPHER_AES_256_XTS,          /**< AES 256-bit cipher in XTS block mode. */
     MBEDTLS_CIPHER_CHACHA20,             /**< ChaCha20 stream cipher. */
     MBEDTLS_CIPHER_CHACHA20_POLY1305,    /**< ChaCha20-Poly1305 AEAD cipher. */
+    MBEDTLS_CIPHER_AES_128_KW,           /**< AES cipher with 128-bit NIST KW mode. */
+    MBEDTLS_CIPHER_AES_192_KW,           /**< AES cipher with 192-bit NIST KW mode. */
+    MBEDTLS_CIPHER_AES_256_KW,           /**< AES cipher with 256-bit NIST KW mode. */
+    MBEDTLS_CIPHER_AES_128_KWP,          /**< AES cipher with 128-bit NIST KWP mode. */
+    MBEDTLS_CIPHER_AES_192_KWP,          /**< AES cipher with 192-bit NIST KWP mode. */
+    MBEDTLS_CIPHER_AES_256_KWP,          /**< AES cipher with 256-bit NIST KWP mode. */
 } mbedtls_cipher_type_t;
 
 /** Supported cipher modes. */
@@ -191,6 +197,8 @@ typedef enum {
     MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode.         */
     MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode.         */
     MBEDTLS_MODE_CHACHAPOLY,             /**< The ChaCha-Poly cipher mode. */
+    MBEDTLS_MODE_KW,                     /**< The SP800-38F KW mode */
+    MBEDTLS_MODE_KWP,                    /**< The SP800-38F KWP mode */
 } mbedtls_cipher_mode_t;
 
 /** Supported cipher padding types. */