Merge remote-tracking branch 'restricted/pr/490' into development
diff --git a/.github/issue_template.md b/.github/issue_template.md
index 5e9d83d..7c31353 100644
--- a/.github/issue_template.md
+++ b/.github/issue_template.md
@@ -38,4 +38,4 @@
## Question
-**Please first check for answers in the [Mbed TLS knowledge Base](https://tls.mbed.org/kb), and preferably file an issue in the [Mbed TLS support forum](https://tls.mbed.org/discussions)**
+**Please first check for answers in the [Mbed TLS knowledge Base](https://tls.mbed.org/kb), and preferably file an issue in the [Mbed TLS support forum](https://forums.mbed.com/c/mbed-tls)**
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 2018d35..4dbe76e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,9 @@
cmake_minimum_required(VERSION 2.6)
-project("mbed TLS" C)
+if(TEST_CPP)
+ project("mbed TLS" C CXX)
+else()
+ project("mbed TLS" C)
+endif()
option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF)
option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF)
@@ -8,8 +12,13 @@
option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
+string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
+string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${CMAKE_C_COMPILER_ID}")
+string(REGEX MATCH "IAR" CMAKE_COMPILER_IS_IAR "${CMAKE_C_COMPILER_ID}")
+string(REGEX MATCH "MSVC" CMAKE_COMPILER_IS_MSVC "${CMAKE_C_COMPILER_ID}")
+
# the test suites currently have compile errors with MSVC
-if(MSVC)
+if(CMAKE_COMPILER_IS_MSVC)
option(ENABLE_TESTING "Build mbed TLS tests." OFF)
else()
option(ENABLE_TESTING "Build mbed TLS tests." ON)
@@ -56,9 +65,37 @@
CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
FORCE)
+# Create a symbolic link from ${base_name} in the binary directory
+# to the corresponding path in the source directory.
+function(link_to_source base_name)
+ # Get OS dependent path to use in `execute_process`
+ file(TO_NATIVE_PATH "${CMAKE_CURRENT_BINARY_DIR}/${base_name}" link)
+ file(TO_NATIVE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}" target)
+
+ if (NOT EXISTS ${link})
+ if (CMAKE_HOST_UNIX)
+ set(command ln -s ${target} ${link})
+ else()
+ if (IS_DIRECTORY ${target})
+ set(command cmd.exe /c mklink /j ${link} ${target})
+ else()
+ set(command cmd.exe /c mklink /h ${link} ${target})
+ endif()
+ endif()
+
+ execute_process(COMMAND ${command}
+ RESULT_VARIABLE result
+ ERROR_VARIABLE output)
+
+ if (NOT ${result} EQUAL 0)
+ message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}")
+ endif()
+ endif()
+endfunction(link_to_source)
+
string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
-if(CMAKE_COMPILER_IS_GNUCC)
+if(CMAKE_COMPILER_IS_GNU)
# some warnings we want are not available with old GCC versions
# note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
@@ -77,30 +114,34 @@
set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
set(CMAKE_C_FLAGS_CHECK "-Werror -Os")
set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
-endif(CMAKE_COMPILER_IS_GNUCC)
+endif(CMAKE_COMPILER_IS_GNU)
if(CMAKE_COMPILER_IS_CLANG)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow")
set(CMAKE_C_FLAGS_RELEASE "-O2")
set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
- set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O3")
- set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
+ set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
+ set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
set(CMAKE_C_FLAGS_MEMSAN "-Werror -fsanitize=memory -O3")
set(CMAKE_C_FLAGS_MEMSANDBG "-Werror -fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
set(CMAKE_C_FLAGS_CHECK "-Werror -Os")
endif(CMAKE_COMPILER_IS_CLANG)
-if(MSVC)
+if(CMAKE_COMPILER_IS_IAR)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts --warnings_are_errors -Ohz")
+endif(CMAKE_COMPILER_IS_IAR)
+
+if(CMAKE_COMPILER_IS_MSVC)
# Strictest warnings, and treat as errors
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /W3")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX")
-endif(MSVC)
+endif(CMAKE_COMPILER_IS_MSVC)
if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
- if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG)
+ if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
set(CMAKE_SHARED_LINKER_FLAGS "--coverage")
- endif(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG)
+ endif(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
endif(CMAKE_BUILD_TYPE STREQUAL "Coverage")
if(LIB_INSTALL_DIR)
@@ -164,3 +205,12 @@
)
endif(UNIX)
endif()
+
+# Make scripts needed for testing available in an out-of-source build.
+if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
+ link_to_source(scripts)
+ # Copy (don't link) DartConfiguration.tcl, needed for memcheck, to
+ # keep things simple with the sed commands in the memcheck target.
+ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/DartConfiguration.tcl
+ ${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY)
+endif()
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 3c6dc74..3433ed0 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -26,38 +26,70 @@
1. For quick merging, the contribution should be short, and concentrated on a single feature or topic. The larger the contribution is, the longer it would take to review it and merge it.
1. Mbed TLS is released under the Apache license, and as such, all the added files should include the Apache license header.
-Backports
----------
-Mbed TLS maintains some legacy branches, which are released as LTS versions. Mbed TLS should follow backwards compatibility rules, to fit with existing users. As such, backporting to these branches should be handled according to the following rules:
-
-1. If the contribution is a new feature or enhancement, no backporting is needed.
-1. Bug fixes should be backported to the legacy branches containing these bugs.
-1. Changes in the API do not require backporting. If a bug fix introduced a new API, such as new error codes, the bug fix should be implemented differently in the legacy branch.
+API/ABI Compatibility
+---------------------
+The project aims to minimise the impact on users upgrading to newer versions of the library and it should not be necessary for a user to make any changes to their own code to work with a newer version of the library. Unless the user has made an active decision to use newer features, a newer generation of the library or a change has been necessary due to a security issue or other significant software defect, no modifications to their own code should be necessary. To achieve this, API compatibility is maintained between different versions of Mbed TLS on the main development branch and in LTS (Long Term Support) branches.
-It would be highly appreciated if a contribution would be backported to a legacy branch in addition to the [development branch](https://github.com/ARMmbed/mbedtls/tree/development).
-At the moment, the legacy branches are:
-
-1. [mbedtls-1.3](https://github.com/ARMmbed/mbedtls/tree/mbedtls-1.3)
+To minimise such disruption to users, where a change to the interface is required, all changes to the ABI or API, even on the main development branch where new features are added, need to be justifiable by either being a significant enhancement, new feature or bug fix which is best resolved by an interface change.
+
+Where changes to an existing interface are necessary, functions in the public interface which need to be changed, are marked as 'deprecated'. This is done with the preprocessor symbols `MBEDTLS_DEPRECATED_WARNING` and `MBEDTLS_DEPRECATED_REMOVED`. Then, a new function with a new name but similar if not identical behaviour to the original function containing the necessary changes should be created alongside the existing deprecated function.
+
+When a build is made with the deprecation preprocessor symbols defined, a compiler warning will be generated to warn a user that the function will be removed at some point in the future, notifying users that they should change from the older deprecated function to the newer function at their own convenience.
+
+Therefore, no changes are permitted to the definition of functions in the public interface which will change the API. Instead the interface can only be changed by its extension. As described above, if a function needs to be changed, a new function needs to be created alongside it, with a new name, and whatever change is necessary, such as a new parameter or the addition of a return value.
+
+Periodically, the library will remove deprecated functions from the library which will be a breaking change in the API, but such changes will be made only in a planned, structured way that gives sufficient notice to users of the library.
+
+Long Term Support Branches
+--------------------------
+Mbed TLS maintains several LTS (Long Term Support) branches, which are maintained continuously for a given period. The LTS branches are provided to allow users of the library to have a maintained, stable version of the library which contains only security fixes and fixes for other defects, without encountering additional features or API extensions which may introduce issues or change the code size or RAM usage, which can be significant considerations on some platforms. To allow users to take advantage of the LTS branches, these branches maintain backwards compatibility for both the public API and ABI.
+
+When backporting to these branches please observe the following rules:
+
+ 1. Any change to the library which changes the API or ABI cannot be backported.
+
+ 2. All bug fixes that correct a defect that is also present in an LTS branch must be backported to that LTS branch. If a bug fix introduces a change to the API such as a new function, the fix should be reworked to avoid the API change. API changes without very strong justification are unlikely to be accepted.
+
+ 3. If a contribution is a new feature or enhancement, no backporting is required. Exceptions to this may be addtional test cases or quality improvements such as changes to build or test scripts.
+
+It would be highly appreciated if contributions are backported to LTS branches in addition to the [development branch](https://github.com/ARMmbed/mbedtls/tree/development) by contributors.
+
+Currently maintained LTS branches are:
+
1. [mbedtls-2.1](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.1)
+2. [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7)
+
+
Tests
-----
-As mentioned, tests that show the correctness of the feature or bug fix should be added to the pull request, if no such tests exist.
-Mbed TLS includes an elaborate test suite in `tests/` that initially requires Perl to generate the tests files (e.g. `test_suite_mpi.c`). These files are generated from a `function file` (e.g. `suites/test_suite_mpi.function`) and a `data file` (e.g. `suites/test_suite_mpi.data`). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function.
+As mentioned, tests that show the correctness of the feature or bug fix should be added to the pull request, if no such tests exist.
+
+Mbed TLS includes a comprehensive set of test suites in the `tests/` directory that are dynamically generated to produce the actual test source files (e.g. `test_suite_mpi.c`). These files are generated from a `function file` (e.g. `suites/test_suite_mpi.function`) and a `data file` (e.g. `suites/test_suite_mpi.data`). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function.
+
+[A Knowledge Base article describing how to add additional tests is available on the Mbed TLS website](https://tls.mbed.org/kb/development/test_suites).
+
+A test script `tests/scripts/basic-build-test.sh` is available to show test coverage of the library. New code contributions should provide a similar level of code coverage to that which already exists for the library.
Sample applications, if needed, should be modified as well.
Continuous Integration Tests
----------------------------
-Once a PR has been made, the Continuous Integration (CI) tests are triggered and run. You should follow the result of the CI tests, and fix failures.
+Once a PR has been made, the Continuous Integration (CI) tests are triggered and run. You should follow the result of the CI tests, and fix failures.
+
It is advised to enable the [githooks scripts](https://github.com/ARMmbed/mbedtls/tree/development/tests/git-scripts) prior to pushing your changes, for catching some of the issues as early as possible.
Documentation
-------------
-Mbed TLS should be well documented. If documentation is needed, speak out!
+Mbed TLS is well documented, but if you think documentation is needed, speak out!
1. All interfaces should be documented through Doxygen. New APIs should introduce Doxygen documentation.
-1. Complex parts in the code should include comments.
-1. If needed, a Readme file is advised.
-1. If a [Knowledge Base (KB)](https://tls.mbed.org/kb) article should be added, write this as a comment in the PR description.
-1. A [ChangeLog](https://github.com/ARMmbed/mbedtls/blob/development/ChangeLog) entry should be added for this contribution.
+
+2. Complex parts in the code should include comments.
+
+3. If needed, a Readme file is advised.
+
+4. If a [Knowledge Base (KB)](https://tls.mbed.org/kb) article should be added, write this as a comment in the PR description.
+
+5. A [ChangeLog](https://github.com/ARMmbed/mbedtls/blob/development/ChangeLog) entry should be added for this contribution.
+
diff --git a/ChangeLog b/ChangeLog
index e4a05c7..c997b2c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,106 @@
Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
Eyal Ronen and Adi Shamir.
+Features
+ * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
+ authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
+ by Daniel King (#485).
+ * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
+ * Add platform support for the Haiku OS. (https://www.haiku-os.org).
+ Contributed by Augustin Cavalier.
+ * Make the receive and transmit buffers independent sizes, for situations
+ where the outgoing buffer can be fixed at a smaller size than the incoming
+ buffer, which can save some RAM. If buffer lengths are kept equal, there
+ is no functional difference. Contributed by Angus Gratton, and also
+ independently contributed again by Paul Sokolovsky.
+ * Add support for key wrapping modes based on AES as defined by
+ NIST SP 800-38F algorithms KW and KWP and by RFC's 3394 and 5649.
+
+Bugfix
+ * Fix the key_app_writer example which was writing a leading zero byte which
+ was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257.
+ * Fix compilation error on C++, because of a variable named new.
+ Found and fixed by Hirotaka Niisato in #1783.
+ * Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
+ contributed by tabascoeye in pull request #1600.
+ * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
+ return value. Found by @davidwu2000. #839
+ * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
+ Philippe Antoine. Fixes #1623.
+ * Remove unused headers included in x509.c. Found by Chris Hanson and fixed
+ by Brendan Shanks. Part of a fix for #992.
+ * Fix compilation error when MBEDTLS_ARC4_C is disabled and
+ MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
+ * Fix the inline assembly for the MPI multiply helper function for i386 and
+ i386 with SSE2. Found by László Langó. Fixes #1550
+ * Fix namespacing in header files. Remove the `mbedtls` namespacing in
+ the `#include` in the header files. Resolves #857
+ * Fix compiler warning of 'use before initialisation' in
+ mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid
+ Drozd. #1098
+ * Fix decryption for zero length messages (which contain all padding) when a
+ CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
+ such a message was wrongly reported as an invalid record and therefore lead
+ to the connection being terminated. Seen most often with OpenSSL using
+ TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix
+ contributed by Espressif Systems. Fixes #1632
+ * Fail when receiving a TLS alert message with an invalid length, or invalid
+ zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
+ * Fix ssl_client2 example to send application data with 0-length content
+ when the request_size argument is set to 0 as stated in the documentation.
+ Fixes #1833.
+ * Change the default behaviour of mbedtls_hkdf_extract() to return an error
+ when calling with a NULL salt and non-zero salt_len. Contributed by
+ Brian J Murray
+ * Correct the documentation for `mbedtls_ssl_get_session()`.
+ This API has deep copy of the session, and the peer
+ certificate is not lost. Fixes #926.
+ * Fix build using -std=c99. Fixed by Nick Wilson.
+
+Changes
+ * Change the shebang line in Perl scripts to look up perl in the PATH.
+ Contributed by fbrosson.
+ * Allow overriding the time on Windows via the platform-time abstraction.
+ Fixed by Nick Wilson.
+ * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
+
+= mbed TLS 2.11.0 branch released 2018-06-18
+
+Features
+ * Add additional block mode, OFB (Output Feedback), to the AES module and
+ cipher abstraction module.
+ * Implement the HMAC-based extract-and-expand key derivation function
+ (HKDF) per RFC 5869. Contributed by Thomas Fossati.
+ * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
+ * Add support for the XTS block cipher mode with AES (AES-XTS).
+ Contributed by Aorimn in pull request #414.
+ * In TLS servers, support offloading private key operations to an external
+ cryptoprocessor. Private key operations can be asynchronous to allow
+ non-blocking operation of the TLS server stack.
+
+Bugfix
+ * Fix the cert_write example to handle certificates signed with elliptic
+ curves as well as RSA. Fixes #777 found by dbedev.
+ * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
+ used by user applications. Found and fixed by Fabio Alessandrelli.
+ * Fix compilation warnings with IAR toolchain, on 32 bit platform.
+ Reported by rahmanih in #683
+ * Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
+ * Added length checks to some TLS parsing functions. Found and fixed by
+ Philippe Antoine from Catena cyber. #1663.
+
+Changes
+ * Changed CMake defaults for IAR to treat all compiler warnings as errors.
+ * Changed the Clang parameters used in the CMake build files to work for
+ versions later than 3.6. Versions of Clang earlier than this may no longer
+ work. Fixes #1072
+
+= mbed TLS 2.10.0 branch released 2018-06-06
+
+Features
+ * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
+ (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
+
API Changes
* Extend the platform module with a util component that contains
functionality shared by multiple Mbed TLS modules. At this stage
@@ -46,6 +146,15 @@
Therefore, mbedtls_platform_zeroize() is moved to the platform module to
facilitate testing and maintenance.
+Bugfix
+ * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
+ build to fail. Found by zv-io. Fixes #1651.
+
+Changes
+ * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
+ * Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by
+ TrinityTonic. #1359.
+
= mbed TLS 2.9.0 branch released 2018-04-30
Security
diff --git a/README.md b/README.md
index a2c3c6f..6345848 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@
Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the Mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue.
-In case you find that you need to do something else as well, please let us know what, so we can add it to the [Mbed TLS knowledge base](https://tls.mbed.org/kb).
+In case you find that you need to do something else as well, please let us know what, so we can add it to the [Mbed TLS Knowledge Base](https://tls.mbed.org/kb).
### CMake
@@ -192,7 +192,7 @@
Porting Mbed TLS
----------------
-Mbed TLS can be ported to many different architectures, OS's and platforms. Before starting a port, you may find the following knowledge base articles useful:
+Mbed TLS can be ported to many different architectures, OS's and platforms. Before starting a port, you may find the following Knowledge Base articles useful:
- [Porting Mbed TLS to a new environment or OS](https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS)
- [What external dependencies does Mbed TLS rely on?](https://tls.mbed.org/kb/development/what-external-dependencies-does-mbedtls-rely-on)
@@ -211,7 +211,7 @@
### Making a Contribution
-1. [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://tls.mbed.org/discussions) around a feature idea or a bug.
+1. [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://forums.mbed.com/c/mbed-tls) around a feature idea or a bug.
2. Fork the [Mbed TLS repository on GitHub](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the "development" branch as a basis.
3. Write a test which shows that the bug was fixed or that the feature works as expected.
4. Send a pull request and bug us until it gets merged and published. Contributions may need some modifications, so work with us to get your change accepted. We will include your name in the ChangeLog :)
diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index a783e6b..c9b58dd 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -81,7 +81,7 @@
* both ends of the connection! (See comments in "mbedtls/ssl.h".)
* The optimal size here depends on the typical size of records.
*/
-#define MBEDTLS_SSL_MAX_CONTENT_LEN 512
+#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
#include "mbedtls/check_config.h"
diff --git a/configs/config-no-entropy.h b/configs/config-no-entropy.h
index b4a0930..7d34ad5 100644
--- a/configs/config-no-entropy.h
+++ b/configs/config-no-entropy.h
@@ -82,6 +82,7 @@
#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_CRL_PARSE_C
+//#define MBEDTLS_CMAC_C
/* Miscellaneous options */
#define MBEDTLS_AES_ROM_TABLES
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index e27c221..ed78eb4 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -24,7 +24,7 @@
*/
/**
- * @mainpage mbed TLS v2.9.0 source code documentation
+ * @mainpage mbed TLS v2.11.0 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 510fa85..fdeab7a 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
-PROJECT_NAME = "mbed TLS v2.9.0"
+PROJECT_NAME = "mbed TLS v2.11.0"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt
index 985a353..1b581a5 100644
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@@ -9,3 +9,8 @@
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
endif(INSTALL_MBEDTLS_HEADERS)
+
+# Make config.h available in an out-of-source build. ssl-opt.sh requires it.
+if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
+ link_to_source(mbedtls)
+endif()
diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index 4686884..f6603d5 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -13,6 +13,11 @@
* <em>ISO/IEC 18033-2:2006: Information technology -- Security
* techniques -- Encryption algorithms -- Part 2: Asymmetric
* ciphers</em>.
+ *
+ * The AES-XTS block mode is standardized by NIST SP 800-38E
+ * <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf>
+ * and described in detail by IEEE P1619
+ * <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
*/
/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
@@ -89,6 +94,19 @@
}
mbedtls_aes_context;
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief The AES XTS context-type definition.
+ */
+typedef struct
+{
+ mbedtls_aes_context crypt; /*!< The AES context to use for AES block
+ encryption or decryption. */
+ mbedtls_aes_context tweak; /*!< The AES context used for tweak
+ computation. */
+} mbedtls_aes_xts_context;
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
#else /* MBEDTLS_AES_ALT */
#include "aes_alt.h"
#endif /* MBEDTLS_AES_ALT */
@@ -110,6 +128,25 @@
*/
void mbedtls_aes_free( mbedtls_aes_context *ctx );
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief This function initializes the specified AES XTS context.
+ *
+ * It must be the first API called before using
+ * the context.
+ *
+ * \param ctx The AES XTS context to initialize.
+ */
+void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx );
+
+/**
+ * \brief This function releases and clears the specified AES XTS context.
+ *
+ * \param ctx The AES XTS context to clear.
+ */
+void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
/**
* \brief This function sets the encryption key.
*
@@ -142,6 +179,44 @@
int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
unsigned int keybits );
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief This function prepares an XTS context for encryption and
+ * sets the encryption key.
+ *
+ * \param ctx The AES XTS context to which the key should be bound.
+ * \param key The encryption key. This is comprised of the XTS key1
+ * concatenated with the XTS key2.
+ * \param keybits The size of \p key passed in bits. Valid options are:
+ * <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ * <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits );
+
+/**
+ * \brief This function prepares an XTS context for decryption and
+ * sets the decryption key.
+ *
+ * \param ctx The AES XTS context to which the key should be bound.
+ * \param key The decryption key. This is comprised of the XTS key1
+ * concatenated with the XTS key2.
+ * \param keybits The size of \p key passed in bits. Valid options are:
+ * <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ * <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
/**
* \brief This function performs an AES single-block encryption or
* decryption operation.
@@ -213,6 +288,49 @@
unsigned char *output );
#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief This function performs an AES-XTS encryption or decryption
+ * operation for an entire XTS data unit.
+ *
+ * AES-XTS encrypts or decrypts blocks based on their location as
+ * defined by a data unit number. The data unit number must be
+ * provided by \p data_unit.
+ *
+ * NIST SP 800-38E limits the maximum size of a data unit to 2^20
+ * AES blocks. If the data unit is larger than this, this function
+ * returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
+ *
+ * \param ctx The AES XTS context to use for AES XTS operations.
+ * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
+ * #MBEDTLS_AES_DECRYPT.
+ * \param length The length of a data unit in bytes. This can be any
+ * length between 16 bytes and 2^24 bytes inclusive
+ * (between 1 and 2^20 block cipher blocks).
+ * \param data_unit The address of the data unit encoded as an array of 16
+ * bytes in little-endian format. For disk encryption, this
+ * is typically the index of the block device sector that
+ * contains the data.
+ * \param input The buffer holding the input data (which is an entire
+ * data unit). This function reads \p length bytes from \p
+ * input.
+ * \param output The buffer holding the output data (which is an entire
+ * data unit). This function writes \p length bytes to \p
+ * output.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
+ * smaller than an AES block in size (16 bytes) or if \p
+ * length is larger than 2^20 blocks (16 MiB).
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
+ int mode,
+ size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input,
+ unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
#if defined(MBEDTLS_CIPHER_MODE_CFB)
/**
* \brief This function performs an AES-CFB128 encryption or decryption
@@ -296,6 +414,56 @@
unsigned char *output );
#endif /*MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/**
+ * \brief This function performs an AES-OFB (Output Feedback Mode)
+ * encryption or decryption operation.
+ *
+ * For OFB, you must set up the context with
+ * mbedtls_aes_setkey_enc(), regardless of whether you are
+ * performing an encryption or decryption operation. This is
+ * because OFB mode uses the same key schedule for encryption and
+ * decryption.
+ *
+ * The OFB operation is identical for encryption or decryption,
+ * therefore no operation mode needs to be specified.
+ *
+ * \note Upon exit, the content of iv, the Initialisation Vector, is
+ * updated so that you can call the same function again on the next
+ * block(s) of data and get the same result as if it was encrypted
+ * in one call. This allows a "streaming" usage, by initialising
+ * iv_off to 0 before the first call, and preserving its value
+ * between calls.
+ *
+ * For non-streaming use, the iv should be initialised on each call
+ * to a unique value, and iv_off set to 0 on each call.
+ *
+ * If you need to retain the contents of the initialisation vector,
+ * you must either save it manually or use the cipher module
+ * instead.
+ *
+ * \warning For the OFB mode, the initialisation vector must be unique
+ * every encryption operation. Reuse of an initialisation vector
+ * will compromise security.
+ *
+ * \param ctx The AES context to use for encryption or decryption.
+ * \param length The length of the input data.
+ * \param iv_off The offset in IV (updated after use).
+ * \param iv The initialization vector (updated after use).
+ * \param input The buffer holding the input data.
+ * \param output The buffer holding the output data.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output );
+
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
#if defined(MBEDTLS_CIPHER_MODE_CTR)
/**
* \brief This function performs an AES-CTR encryption or decryption
@@ -310,7 +478,49 @@
* must use the context initialized with mbedtls_aes_setkey_enc()
* for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
*
- * \warning You must keep the maximum use of your counter in mind.
+ * \warning You must never reuse a nonce value with the same key. Doing so
+ * would void the encryption for the two messages encrypted with
+ * the same nonce and key.
+ *
+ * There are two common strategies for managing nonces with CTR:
+ *
+ * 1. You can handle everything as a single message processed over
+ * successive calls to this function. In that case, you want to
+ * set \p nonce_counter and \p nc_off to 0 for the first call, and
+ * then preserve the values of \p nonce_counter, \p nc_off and \p
+ * stream_block across calls to this function as they will be
+ * updated by this function.
+ *
+ * With this strategy, you must not encrypt more than 2**128
+ * blocks of data with the same key.
+ *
+ * 2. You can encrypt separate messages by dividing the \p
+ * nonce_counter buffer in two areas: the first one used for a
+ * per-message nonce, handled by yourself, and the second one
+ * updated by this function internally.
+ *
+ * For example, you might reserve the first 12 bytes for the
+ * per-message nonce, and the last 4 bytes for internal use. In that
+ * case, before calling this function on a new message you need to
+ * set the first 12 bytes of \p nonce_counter to your chosen nonce
+ * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ * stream_block to be ignored). That way, you can encrypt at most
+ * 2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ * The per-message nonce (or information sufficient to reconstruct
+ * it) needs to be communicated with the ciphertext and must be unique.
+ * The recommended way to ensure uniqueness is to use a message
+ * counter. An alternative is to generate random nonces, but this
+ * limits the number of messages that can be securely encrypted:
+ * for example, with 96-bit random nonces, you should not encrypt
+ * more than 2**32 messages with the same key.
+ *
+ * Note that for both stategies, sizes are measured in blocks and
+ * that an AES block is 16 bytes.
+ *
+ * \warning Upon return, \p stream_block contains sensitive data. Its
+ * content must not be written to insecure storage and should be
+ * securely discarded as soon as it's no longer needed.
*
* \param ctx The AES context to use for encryption or decryption.
* \param length The length of the input data.
diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h
new file mode 100644
index 0000000..bae0621
--- /dev/null
+++ b/include/mbedtls/aria.h
@@ -0,0 +1,331 @@
+/**
+ * \file aria.h
+ *
+ * \brief ARIA block cipher
+ *
+ * The ARIA algorithm is a symmetric block cipher that can encrypt and
+ * decrypt information. It is defined by the Korean Agency for
+ * Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
+ * Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
+ * and also described by the IETF in <em>RFC 5794</em>.
+ */
+/* Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ARIA_H
+#define MBEDTLS_ARIA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ARIA_ENCRYPT 1 /**< ARIA encryption. */
+#define MBEDTLS_ARIA_DECRYPT 0 /**< ARIA decryption. */
+
+#define MBEDTLS_ARIA_BLOCKSIZE 16 /**< ARIA block size in bytes. */
+#define MBEDTLS_ARIA_MAX_ROUNDS 16 /**< Maxiumum number of rounds in ARIA. */
+#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
+
+#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH -0x005C /**< Invalid key length. */
+#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
+#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE -0x005A /**< Feature not available. For example, an unsupported ARIA key size. */
+#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED -0x0058 /**< ARIA hardware accelerator failed. */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief The ARIA context-type definition.
+ */
+typedef struct
+{
+ unsigned char nr; /*!< The number of rounds (12, 14 or 16) */
+ /*! The ARIA round keys. */
+ uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
+}
+mbedtls_aria_context;
+
+#else /* MBEDTLS_ARIA_ALT */
+#include "aria_alt.h"
+#endif /* MBEDTLS_ARIA_ALT */
+
+/**
+ * \brief This function initializes the specified ARIA context.
+ *
+ * It must be the first API called before using
+ * the context.
+ *
+ * \param ctx The ARIA context to initialize.
+ */
+void mbedtls_aria_init( mbedtls_aria_context *ctx );
+
+/**
+ * \brief This function releases and clears the specified ARIA context.
+ *
+ * \param ctx The ARIA context to clear.
+ */
+void mbedtls_aria_free( mbedtls_aria_context *ctx );
+
+/**
+ * \brief This function sets the encryption key.
+ *
+ * \param ctx The ARIA context to which the key should be bound.
+ * \param key The encryption key.
+ * \param keybits The size of data passed in bits. Valid options are:
+ * <ul><li>128 bits</li>
+ * <li>192 bits</li>
+ * <li>256 bits</li></ul>
+ *
+ * \return \c 0 on success or #MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH
+ * on failure.
+ */
+int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits );
+
+/**
+ * \brief This function sets the decryption key.
+ *
+ * \param ctx The ARIA context to which the key should be bound.
+ * \param key The decryption key.
+ * \param keybits The size of data passed. Valid options are:
+ * <ul><li>128 bits</li>
+ * <li>192 bits</li>
+ * <li>256 bits</li></ul>
+ *
+ * \return \c 0 on success, or #MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits );
+
+/**
+ * \brief This function performs an ARIA single-block encryption or
+ * decryption operation.
+ *
+ * It performs encryption or decryption (depending on whether
+ * the key was set for encryption on decryption) on the input
+ * data buffer defined in the \p input parameter.
+ *
+ * mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
+ * mbedtls_aria_setkey_dec() must be called before the first
+ * call to this API with the same context.
+ *
+ * \param ctx The ARIA context to use for encryption or decryption.
+ * \param input The 16-Byte buffer holding the input data.
+ * \param output The 16-Byte buffer holding the output data.
+
+ * \return \c 0 on success.
+ */
+int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
+ const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief This function performs an ARIA-CBC encryption or decryption operation
+ * on full blocks.
+ *
+ * It performs the operation defined in the \p mode
+ * parameter (encrypt/decrypt), on the input data buffer defined in
+ * the \p input parameter.
+ *
+ * It can be called as many times as needed, until all the input
+ * data is processed. mbedtls_aria_init(), and either
+ * mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
+ * before the first call to this API with the same context.
+ *
+ * \note This function operates on aligned blocks, that is, the input size
+ * must be a multiple of the ARIA block size of 16 Bytes.
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the same function again on the next
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If you need to retain the contents of the IV, you should
+ * either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx The ARIA context to use for encryption or decryption.
+ * \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or
+ * #MBEDTLS_ARIA_DECRYPT.
+ * \param length The length of the input data in Bytes. This must be a
+ * multiple of the block size (16 Bytes).
+ * \param iv Initialization vector (updated after use).
+ * \param input The buffer holding the input data.
+ * \param output The buffer holding the output data.
+ *
+ * \return \c 0 on success, or #MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
+ * on failure.
+ */
+int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an ARIA-CFB128 encryption or decryption
+ * operation.
+ *
+ * It performs the operation defined in the \p mode
+ * parameter (encrypt or decrypt), on the input data buffer
+ * defined in the \p input parameter.
+ *
+ * For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
+ * regardless of whether you are performing an encryption or decryption
+ * operation, that is, regardless of the \p mode parameter. This is
+ * because CFB mode uses the same key schedule for encryption and
+ * decryption.
+ *
+ * \note Upon exit, the content of the IV is updated so that you can
+ * call the same function again on the next
+ * block(s) of data and get the same result as if it was
+ * encrypted in one call. This allows a "streaming" usage.
+ * If you need to retain the contents of the
+ * IV, you must either save it manually or use the cipher
+ * module instead.
+ *
+ *
+ * \param ctx The ARIA context to use for encryption or decryption.
+ * \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or
+ * #MBEDTLS_ARIA_DECRYPT.
+ * \param length The length of the input data.
+ * \param iv_off The offset in IV (updated after use).
+ * \param iv The initialization vector (updated after use).
+ * \param input The buffer holding the input data.
+ * \param output The buffer holding the output data.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief This function performs an ARIA-CTR encryption or decryption
+ * operation.
+ *
+ * This function performs the operation defined in the \p mode
+ * parameter (encrypt/decrypt), on the input data buffer
+ * defined in the \p input parameter.
+ *
+ * Due to the nature of CTR, you must use the same key schedule
+ * for both encryption and decryption operations. Therefore, you
+ * must use the context initialized with mbedtls_aria_setkey_enc()
+ * for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
+ *
+ * \warning You must never reuse a nonce value with the same key. Doing so
+ * would void the encryption for the two messages encrypted with
+ * the same nonce and key.
+ *
+ * There are two common strategies for managing nonces with CTR:
+ *
+ * 1. You can handle everything as a single message processed over
+ * successive calls to this function. In that case, you want to
+ * set \p nonce_counter and \p nc_off to 0 for the first call, and
+ * then preserve the values of \p nonce_counter, \p nc_off and \p
+ * stream_block across calls to this function as they will be
+ * updated by this function.
+ *
+ * With this strategy, you must not encrypt more than 2**128
+ * blocks of data with the same key.
+ *
+ * 2. You can encrypt separate messages by dividing the \p
+ * nonce_counter buffer in two areas: the first one used for a
+ * per-message nonce, handled by yourself, and the second one
+ * updated by this function internally.
+ *
+ * For example, you might reserve the first 12 bytes for the
+ * per-message nonce, and the last 4 bytes for internal use. In that
+ * case, before calling this function on a new message you need to
+ * set the first 12 bytes of \p nonce_counter to your chosen nonce
+ * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ * stream_block to be ignored). That way, you can encrypt at most
+ * 2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ * The per-message nonce (or information sufficient to reconstruct
+ * it) needs to be communicated with the ciphertext and must be unique.
+ * The recommended way to ensure uniqueness is to use a message
+ * counter. An alternative is to generate random nonces, but this
+ * limits the number of messages that can be securely encrypted:
+ * for example, with 96-bit random nonces, you should not encrypt
+ * more than 2**32 messages with the same key.
+ *
+ * Note that for both stategies, sizes are measured in blocks and
+ * that an ARIA block is 16 bytes.
+ *
+ * \warning Upon return, \p stream_block contains sensitive data. Its
+ * content must not be written to insecure storage and should be
+ * securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx The ARIA context to use for encryption or decryption.
+ * \param length The length of the input data.
+ * \param nc_off The offset in the current \p stream_block, for
+ * resuming within the current cipher stream. The
+ * offset pointer should be 0 at the start of a stream.
+ * \param nonce_counter The 128-bit nonce and counter.
+ * \param stream_block The saved stream block for resuming. This is
+ * overwritten by the function.
+ * \param input The buffer holding the input data.
+ * \param output The buffer holding the output data.
+ *
+ * \return \c 0 on success.
+ */
+int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief Checkup routine.
+ *
+ * \return \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_aria_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aria.h */
diff --git a/include/mbedtls/blowfish.h b/include/mbedtls/blowfish.h
index 22479be..985faa4 100644
--- a/include/mbedtls/blowfish.h
+++ b/include/mbedtls/blowfish.h
@@ -174,7 +174,46 @@
/**
* \brief Blowfish-CTR buffer encryption/decryption
*
- * Warning: You have to keep the maximum use of your counter in mind!
+ * \warning You must never reuse a nonce value with the same key. Doing so
+ * would void the encryption for the two messages encrypted with
+ * the same nonce and key.
+ *
+ * There are two common strategies for managing nonces with CTR:
+ *
+ * 1. You can handle everything as a single message processed over
+ * successive calls to this function. In that case, you want to
+ * set \p nonce_counter and \p nc_off to 0 for the first call, and
+ * then preserve the values of \p nonce_counter, \p nc_off and \p
+ * stream_block across calls to this function as they will be
+ * updated by this function.
+ *
+ * With this strategy, you must not encrypt more than 2**64
+ * blocks of data with the same key.
+ *
+ * 2. You can encrypt separate messages by dividing the \p
+ * nonce_counter buffer in two areas: the first one used for a
+ * per-message nonce, handled by yourself, and the second one
+ * updated by this function internally.
+ *
+ * For example, you might reserve the first 4 bytes for the
+ * per-message nonce, and the last 4 bytes for internal use. In that
+ * case, before calling this function on a new message you need to
+ * set the first 4 bytes of \p nonce_counter to your chosen nonce
+ * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ * stream_block to be ignored). That way, you can encrypt at most
+ * 2**32 messages of up to 2**32 blocks each with the same key.
+ *
+ * The per-message nonce (or information sufficient to reconstruct
+ * it) needs to be communicated with the ciphertext and must be unique.
+ * The recommended way to ensure uniqueness is to use a message
+ * counter.
+ *
+ * Note that for both stategies, sizes are measured in blocks and
+ * that a Blowfish block is 8 bytes.
+ *
+ * \warning Upon return, \p stream_block contains sensitive data. Its
+ * content must not be written to insecure storage and should be
+ * securely discarded as soon as it's no longer needed.
*
* \param ctx Blowfish context
* \param length The length of the data
diff --git a/include/mbedtls/bn_mul.h b/include/mbedtls/bn_mul.h
index 354c1cc..b587317 100644
--- a/include/mbedtls/bn_mul.h
+++ b/include/mbedtls/bn_mul.h
@@ -49,7 +49,14 @@
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
#if defined(__GNUC__) && \
( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
-#if defined(__i386__)
+
+/*
+ * Disable use of the i386 assembly code below if option -O0, to disable all
+ * compiler optimisations, is passed, detected with __OPTIMIZE__
+ * This is done as the number of registers used in the assembly code doesn't
+ * work with the -O0 option.
+ */
+#if defined(__i386__) && defined(__OPTIMIZE__)
#define MULADDC_INIT \
asm( \
@@ -142,7 +149,7 @@
"movl %%esi, %3 \n\t" \
: "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
: "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
- : "eax", "ecx", "edx", "esi", "edi" \
+ : "eax", "ebx", "ecx", "edx", "esi", "edi" \
);
#else
@@ -154,7 +161,7 @@
"movl %%esi, %3 \n\t" \
: "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
: "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
- : "eax", "ecx", "edx", "esi", "edi" \
+ : "eax", "ebx", "ecx", "edx", "esi", "edi" \
);
#endif /* SSE2 */
#endif /* i386 */
@@ -521,7 +528,7 @@
"swi r3, %2 \n\t" \
: "=m" (c), "=m" (d), "=m" (s) \
: "m" (s), "m" (d), "m" (c), "m" (b) \
- : "r3", "r4" "r5", "r6", "r7", "r8", \
+ : "r3", "r4", "r5", "r6", "r7", "r8", \
"r9", "r10", "r11", "r12", "r13" \
);
diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h
index f0466bf..7e4721a 100644
--- a/include/mbedtls/camellia.h
+++ b/include/mbedtls/camellia.h
@@ -187,12 +187,54 @@
/**
* \brief CAMELLIA-CTR buffer encryption/decryption
*
- * Warning: You have to keep the maximum use of your counter in mind!
- *
* Note: Due to the nature of CTR you should use the same key schedule for
* both encryption and decryption. So a context initialized with
* mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and MBEDTLS_CAMELLIA_DECRYPT.
*
+ * \warning You must never reuse a nonce value with the same key. Doing so
+ * would void the encryption for the two messages encrypted with
+ * the same nonce and key.
+ *
+ * There are two common strategies for managing nonces with CTR:
+ *
+ * 1. You can handle everything as a single message processed over
+ * successive calls to this function. In that case, you want to
+ * set \p nonce_counter and \p nc_off to 0 for the first call, and
+ * then preserve the values of \p nonce_counter, \p nc_off and \p
+ * stream_block across calls to this function as they will be
+ * updated by this function.
+ *
+ * With this strategy, you must not encrypt more than 2**128
+ * blocks of data with the same key.
+ *
+ * 2. You can encrypt separate messages by dividing the \p
+ * nonce_counter buffer in two areas: the first one used for a
+ * per-message nonce, handled by yourself, and the second one
+ * updated by this function internally.
+ *
+ * For example, you might reserve the first 12 bytes for the
+ * per-message nonce, and the last 4 bytes for internal use. In that
+ * case, before calling this function on a new message you need to
+ * set the first 12 bytes of \p nonce_counter to your chosen nonce
+ * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ * stream_block to be ignored). That way, you can encrypt at most
+ * 2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ * The per-message nonce (or information sufficient to reconstruct
+ * it) needs to be communicated with the ciphertext and must be unique.
+ * The recommended way to ensure uniqueness is to use a message
+ * counter. An alternative is to generate random nonces, but this
+ * limits the number of messages that can be securely encrypted:
+ * for example, with 96-bit random nonces, you should not encrypt
+ * more than 2**32 messages with the same key.
+ *
+ * Note that for both stategies, sizes are measured in blocks and
+ * that a CAMELLIA block is 16 bytes.
+ *
+ * \warning Upon return, \p stream_block contains sensitive data. Its
+ * content must not be written to insecure storage and should be
+ * securely discarded as soon as it's no longer needed.
+ *
* \param ctx CAMELLIA context
* \param length The length of the data
* \param nc_off The offset in the current stream_block (for resuming
diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h
index 8585ce5..5d727e7 100644
--- a/include/mbedtls/ccm.h
+++ b/include/mbedtls/ccm.h
@@ -14,6 +14,18 @@
* <li>Nonce - A unique value that is assigned to the payload and the
* associated data.</li></ul>
*
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ *
+ * Definition of CCM*:
+ * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks
+ * Integer representation is fixed most-significant-octet-first order and
+ * the representation of octets is most-significant-bit-first order. This is
+ * consistent with RFC 3610.
*/
/*
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
@@ -102,7 +114,6 @@
/**
* \brief This function encrypts a buffer using CCM.
*
- *
* \note The tag is written to a separate buffer. To concatenate
* the \p tag with the \p output, as done in <em>RFC-3610:
* Counter with CBC-MAC (CCM)</em>, use
@@ -112,15 +123,17 @@
* \param ctx The CCM context to use for encryption.
* \param length The length of the input data in Bytes.
* \param iv Initialization vector (nonce).
- * \param iv_len The length of the IV in Bytes: 7, 8, 9, 10, 11, 12, or 13.
+ * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ * or 13. The length L of the message length field is
+ * 15 - \p iv_len.
* \param add The additional data field.
* \param add_len The length of additional data in Bytes.
* Must be less than 2^16 - 2^8.
* \param input The buffer holding the input data.
* \param output The buffer holding the output data.
* Must be at least \p length Bytes wide.
- * \param tag The buffer holding the tag.
- * \param tag_len The length of the tag to generate in Bytes:
+ * \param tag The buffer holding the authentication field.
+ * \param tag_len The length of the authentication field to generate in Bytes:
* 4, 6, 8, 10, 12, 14 or 16.
*
* \return \c 0 on success.
@@ -133,21 +146,64 @@
unsigned char *tag, size_t tag_len );
/**
- * \brief This function performs a CCM authenticated decryption of a
- * buffer.
+ * \brief This function encrypts a buffer using CCM*.
*
- * \param ctx The CCM context to use for decryption.
+ * \note The tag is written to a separate buffer. To concatenate
+ * the \p tag with the \p output, as done in <em>RFC-3610:
+ * Counter with CBC-MAC (CCM)</em>, use
+ * \p tag = \p output + \p length, and make sure that the
+ * output buffer is at least \p length + \p tag_len wide.
+ *
+ * \note When using this function in a variable tag length context,
+ * the tag length has to be encoded into the \p iv passed to
+ * this function.
+ *
+ * \param ctx The CCM context to use for encryption.
* \param length The length of the input data in Bytes.
- * \param iv Initialization vector.
- * \param iv_len The length of the IV in Bytes: 7, 8, 9, 10, 11, 12, or 13.
+ * \param iv Initialization vector (nonce).
+ * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ * or 13. The length L of the message length field is
+ * 15 - \p iv_len.
* \param add The additional data field.
* \param add_len The length of additional data in Bytes.
* Must be less than 2^16 - 2^8.
* \param input The buffer holding the input data.
* \param output The buffer holding the output data.
* Must be at least \p length Bytes wide.
- * \param tag The buffer holding the tag.
- * \param tag_len The length of the tag in Bytes.
+ * \param tag The buffer holding the authentication field.
+ * \param tag_len The length of the authentication field to generate in Bytes:
+ * 0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning Passing 0 as \p tag_len means that the message is no
+ * longer authenticated.
+ *
+ * \return \c 0 on success.
+ * \return A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief This function performs a CCM authenticated decryption of a
+ * buffer.
+ *
+ * \param ctx The CCM context to use for decryption.
+ * \param length The length of the input data in Bytes.
+ * \param iv Initialization vector (nonce).
+ * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ * or 13. The length L of the message length field is
+ * 15 - \p iv_len.
+ * \param add The additional data field.
+ * \param add_len The length of additional data in Bytes.
+ * Must be less than 2^16 - 2^8.
+ * \param input The buffer holding the input data.
+ * \param output The buffer holding the output data.
+ * Must be at least \p length Bytes wide.
+ * \param tag The buffer holding the authentication field.
+ * \param tag_len The length of the authentication field in Bytes.
* 4, 6, 8, 10, 12, 14 or 16.
*
* \return \c 0 on success. This indicates that the message is authentic.
@@ -160,6 +216,43 @@
const unsigned char *input, unsigned char *output,
const unsigned char *tag, size_t tag_len );
+/**
+ * \brief This function performs a CCM* authenticated decryption of a
+ * buffer.
+ *
+ * \note When using this function in a variable tag length context,
+ * the tag length has to be decoded from \p iv and passed to
+ * this function as \p tag_len. (\p tag needs to be adjusted
+ * accordingly.)
+ *
+ * \param ctx The CCM context to use for decryption.
+ * \param length The length of the input data in Bytes.
+ * \param iv Initialization vector (nonce).
+ * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ * or 13. The length L of the message length field is
+ * 15 - \p iv_len.
+ * \param add The additional data field.
+ * \param add_len The length of additional data in Bytes.
+ * Must be less than 2^16 - 2^8.
+ * \param input The buffer holding the input data.
+ * \param output The buffer holding the output data.
+ * Must be at least \p length Bytes wide.
+ * \param tag The buffer holding the authentication field.
+ * \param tag_len The length of the authentication field in Bytes.
+ * 0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning Passing 0 as \p tag_len means that the message is no
+ * longer authenticated.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len );
#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
/**
diff --git a/include/mbedtls/chacha20.h b/include/mbedtls/chacha20.h
new file mode 100644
index 0000000..47bd7d3
--- /dev/null
+++ b/include/mbedtls/chacha20.h
@@ -0,0 +1,212 @@
+/**
+ * \file chacha20.h
+ *
+ * \brief This file contains ChaCha20 definitions and functions.
+ *
+ * ChaCha20 is a stream cipher that can encrypt and decrypt
+ * information. ChaCha was created by Daniel Bernstein as a variant of
+ * its Salsa cipher https://cr.yp.to/chacha/chacha-20080128.pdf
+ * ChaCha20 is the variant with 20 rounds, that was also standardized
+ * in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CHACHA20_H
+#define MBEDTLS_CHACHA20_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA -0x0051 /**< Invalid input parameter(s). */
+#define MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE -0x0053 /**< Feature not available. For example, s part of the API is not implemented. */
+#define MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED -0x0055 /**< Chacha20 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+typedef struct
+{
+ uint32_t state[16]; /*! The state (before round operations). */
+ uint8_t keystream8[64]; /*! Leftover keystream bytes. */
+ size_t keystream_bytes_used; /*! Number of keystream bytes already used. */
+}
+mbedtls_chacha20_context;
+
+#else /* MBEDTLS_CHACHA20_ALT */
+#include "chacha20_alt.h"
+#endif /* MBEDTLS_CHACHA20_ALT */
+
+/**
+ * \brief This function initializes the specified ChaCha20 context.
+ *
+ * It must be the first API called before using
+ * the context.
+ *
+ * It is usually followed by calls to
+ * \c mbedtls_chacha20_setkey() and
+ * \c mbedtls_chacha20_starts(), then one or more calls to
+ * to \c mbedtls_chacha20_update(), and finally to
+ * \c mbedtls_chacha20_free().
+ *
+ * \param ctx The ChaCha20 context to initialize.
+ */
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief This function releases and clears the specified ChaCha20 context.
+ *
+ * \param ctx The ChaCha20 context to clear.
+ */
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief This function sets the encryption/decryption key.
+ *
+ * \note After using this function, you must also call
+ * \c mbedtls_chacha20_starts() to set a nonce before you
+ * start encrypting/decrypting data with
+ * \c mbedtls_chacha_update().
+ *
+ * \param ctx The ChaCha20 context to which the key should be bound.
+ * \param key The encryption/decryption key. Must be 32 bytes in length.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL.
+ */
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+ const unsigned char key[32] );
+
+/**
+ * \brief This function sets the nonce and initial counter value.
+ *
+ * \note A ChaCha20 context can be re-used with the same key by
+ * calling this function to change the nonce.
+ *
+ * \warning You must never use the same nonce twice with the same key.
+ * This would void any confidentiality guarantees for the
+ * messages encrypted with the same nonce and key.
+ *
+ * \param ctx The ChaCha20 context to which the nonce should be bound.
+ * \param nonce The nonce. Must be 12 bytes in size.
+ * \param counter The initial counter value. This is usually 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is
+ * NULL.
+ */
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+ const unsigned char nonce[12],
+ uint32_t counter );
+
+/**
+ * \brief This function encrypts or decrypts data.
+ *
+ * Since ChaCha20 is a stream cipher, the same operation is
+ * used for encrypting and decrypting data.
+ *
+ * \note The \p input and \p output pointers must either be equal or
+ * point to non-overlapping buffers.
+ *
+ * \note \c mbedtls_chacha20_setkey() and
+ * \c mbedtls_chacha20_starts() must be called at least once
+ * to setup the context before this function can be called.
+ *
+ * \note This function can be called multiple times in a row in
+ * order to encrypt of decrypt data piecewise with the same
+ * key and nonce.
+ *
+ * \param ctx The ChaCha20 context to use for encryption or decryption.
+ * \param size The length of the input data in bytes.
+ * \param input The buffer holding the input data.
+ * This pointer can be NULL if size == 0.
+ * \param output The buffer holding the output data.
+ * Must be able to hold \p size bytes.
+ * This pointer can be NULL if size == 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if the ctx, input, or
+ * output pointers are NULL.
+ */
+int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
+ size_t size,
+ const unsigned char *input,
+ unsigned char *output );
+
+/**
+ * \brief This function encrypts or decrypts data with ChaCha20 and
+ * the given key and nonce.
+ *
+ * Since ChaCha20 is a stream cipher, the same operation is
+ * used for encrypting and decrypting data.
+ *
+ * \warning You must never use the same (key, nonce) pair more than
+ * once. This would void any confidentiality guarantees for
+ * the messages encrypted with the same nonce and key.
+ *
+ * \note The \p input and \p output pointers must either be equal or
+ * point to non-overlapping buffers.
+ *
+ * \param key The encryption/decryption key. Must be 32 bytes in length.
+ * \param nonce The nonce. Must be 12 bytes in size.
+ * \param counter The initial counter value. This is usually 0.
+ * \param size The length of the input data in bytes.
+ * \param input The buffer holding the input data.
+ * This pointer can be NULL if size == 0.
+ * \param output The buffer holding the output data.
+ * Must be able to hold \p size bytes.
+ * This pointer can be NULL if size == 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if key, nonce, input,
+ * or output is NULL.
+ */
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+ const unsigned char nonce[12],
+ uint32_t counter,
+ size_t size,
+ const unsigned char* input,
+ unsigned char* output );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief The ChaCha20 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_chacha20_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHA20_H */
diff --git a/include/mbedtls/chachapoly.h b/include/mbedtls/chachapoly.h
new file mode 100644
index 0000000..42b2b23
--- /dev/null
+++ b/include/mbedtls/chachapoly.h
@@ -0,0 +1,355 @@
+/**
+ * \file chachapoly.h
+ *
+ * \brief This file contains the AEAD-ChaCha20-Poly1305 definitions and
+ * functions.
+ *
+ * ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
+ * with Associated Data (AEAD) that can be used to encrypt and
+ * authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
+ * Bernstein and was standardized in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CHACHAPOLY_H
+#define MBEDTLS_CHACHAPOLY_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/* for shared error codes */
+#include "poly1305.h"
+
+#define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE -0x0054 /**< The requested operation is not permitted in the current state. */
+#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED -0x0056 /**< Authenticated decryption failed: data was not authentic. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum
+{
+ MBEDTLS_CHACHAPOLY_ENCRYPT, /**< The mode value for performing encryption. */
+ MBEDTLS_CHACHAPOLY_DECRYPT /**< The mode value for performing decryption. */
+}
+mbedtls_chachapoly_mode_t;
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+#include "chacha20.h"
+
+typedef struct
+{
+ mbedtls_chacha20_context chacha20_ctx; /**< The ChaCha20 context. */
+ mbedtls_poly1305_context poly1305_ctx; /**< The Poly1305 context. */
+ uint64_t aad_len; /**< The length (bytes) of the Additional Authenticated Data. */
+ uint64_t ciphertext_len; /**< The length (bytes) of the ciphertext. */
+ int state; /**< The current state of the context. */
+ mbedtls_chachapoly_mode_t mode; /**< Cipher mode (encrypt or decrypt). */
+}
+mbedtls_chachapoly_context;
+
+#else /* !MBEDTLS_CHACHAPOLY_ALT */
+#include "chachapoly_alt.h"
+#endif /* !MBEDTLS_CHACHAPOLY_ALT */
+
+/**
+ * \brief This function initializes the specified ChaCha20-Poly1305 context.
+ *
+ * It must be the first API called before using
+ * the context. It must be followed by a call to
+ * \c mbedtls_chachapoly_setkey() before any operation can be
+ * done, and to \c mbedtls_chachapoly_free() once all
+ * operations with that context have been finished.
+ *
+ * In order to encrypt or decrypt full messages at once, for
+ * each message you should make a single call to
+ * \c mbedtls_chachapoly_crypt_and_tag() or
+ * \c mbedtls_chachapoly_auth_decrypt().
+ *
+ * In order to encrypt messages piecewise, for each
+ * message you should make a call to
+ * \c mbedtls_chachapoly_starts(), then 0 or more calls to
+ * \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
+ * \c mbedtls_chachapoly_update(), then one call to
+ * \c mbedtls_chachapoly_finish().
+ *
+ * \warning Decryption with the piecewise API is discouraged! Always
+ * use \c mbedtls_chachapoly_auth_decrypt() when possible!
+ *
+ * If however this is not possible because the data is too
+ * large to fit in memory, you need to:
+ *
+ * - call \c mbedtls_chachapoly_starts() and (if needed)
+ * \c mbedtls_chachapoly_update_aad() as above,
+ * - call \c mbedtls_chachapoly_update() multiple times and
+ * ensure its output (the plaintext) is NOT used in any other
+ * way than placing it in temporary storage at this point,
+ * - call \c mbedtls_chachapoly_finish() to compute the
+ * authentication tag and compared it in constant time to the
+ * tag received with the ciphertext.
+ *
+ * If the tags are not equal, you must immediately discard
+ * all previous outputs of \c mbedtls_chachapoly_update(),
+ * otherwise you can now safely use the plaintext.
+ *
+ * \param ctx The ChachaPoly context to initialize.
+ */
+void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );
+
+/**
+ * \brief This function releases and clears the specified ChaCha20-Poly1305 context.
+ *
+ * \param ctx The ChachaPoly context to clear.
+ */
+void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );
+
+/**
+ * \brief This function sets the ChaCha20-Poly1305 symmetric encryption key.
+ *
+ * \param ctx The ChaCha20-Poly1305 context to which the key should be
+ * bound.
+ * \param key The 256-bit (32 bytes) key.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if \p ctx or \p key are NULL.
+ */
+int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
+ const unsigned char key[32] );
+
+/**
+ * \brief This function starts a ChaCha20-Poly1305 encryption or
+ * decryption operation.
+ *
+ * \warning You must never use the same nonce twice with the same key.
+ * This would void any confidentiality and authenticity
+ * guarantees for the messages encrypted with the same nonce
+ * and key.
+ *
+ * \note If the context is being used for AAD only (no data to
+ * encrypt or decrypt) then \p mode can be set to any value.
+ *
+ * \warning Decryption with the piecewise API is discouraged, see the
+ * warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ * \param nonce The nonce/IV to use for the message. Must be 12 bytes.
+ * \param mode The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
+ * #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if \p ctx or \p mac are NULL.
+ */
+int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
+ const unsigned char nonce[12],
+ mbedtls_chachapoly_mode_t mode );
+
+/**
+ * \brief This function feeds additional data to be authenticated
+ * into an ongoing ChaCha20-Poly1305 operation.
+ *
+ * The Additional Authenticated Data (AAD), also called
+ * Associated Data (AD) is only authenticated but not
+ * encrypted nor included in the encrypted output. It is
+ * usually transmitted separately from the ciphertext or
+ * computed locally by each party.
+ *
+ * \note This function is called before data is encrypted/decrypted.
+ * I.e. call this function to process the AAD before calling
+ * \c mbedtls_chachapoly_update().
+ *
+ * You may call this function multiple times to process
+ * an arbitrary amount of AAD. It is permitted to call
+ * this function 0 times, if no AAD is used.
+ *
+ * This function cannot be called any more if data has
+ * been processed by \c mbedtls_chachapoly_update(),
+ * or if the context has been finished.
+ *
+ * \warning Decryption with the piecewise API is discouraged, see the
+ * warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx The ChaCha20-Poly1305 context to use.
+ * \param aad_len The length (in bytes) of the AAD. The length has no
+ * restrictions.
+ * \param aad Buffer containing the AAD.
+ * This pointer can be NULL if aad_len == 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if \p ctx or \p aad are NULL.
+ * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ * if the operations has not been started or has been
+ * finished, or if the AAD has been finished.
+ */
+int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
+ const unsigned char *aad,
+ size_t aad_len );
+
+/**
+ * \brief Thus function feeds data to be encrypted or decrypted
+ * into an on-going ChaCha20-Poly1305
+ * operation.
+ *
+ * The direction (encryption or decryption) depends on the
+ * mode that was given when calling
+ * \c mbedtls_chachapoly_starts().
+ *
+ * You may call this function multiple times to process
+ * an arbitrary amount of data. It is permitted to call
+ * this function 0 times, if no data is to be encrypted
+ * or decrypted.
+ *
+ * \warning Decryption with the piecewise API is discouraged, see the
+ * warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx The ChaCha20-Poly1305 context to use.
+ * \param len The length (in bytes) of the data to encrypt or decrypt.
+ * \param input The buffer containing the data to encrypt or decrypt.
+ * This pointer can be NULL if len == 0.
+ * \param output The buffer to where the encrypted or decrypted data is written.
+ * Must be able to hold \p len bytes.
+ * This pointer can be NULL if len == 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if \p ctx, \p input, or \p output are NULL.
+ * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ * if the operation has not been started or has been
+ * finished.
+ */
+int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
+ size_t len,
+ const unsigned char *input,
+ unsigned char *output );
+
+/**
+ * \brief This function finished the ChaCha20-Poly1305 operation and
+ * generates the MAC (authentication tag).
+ *
+ * \param ctx The ChaCha20-Poly1305 context to use.
+ * \param mac The buffer to where the 128-bit (16 bytes) MAC is written.
+ *
+ * \warning Decryption with the piecewise API is discouraged, see the
+ * warning on \c mbedtls_chachapoly_init().
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if \p ctx or \p mac are NULL.
+ * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ * if the operation has not been started or has been
+ * finished.
+ */
+int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
+ unsigned char mac[16] );
+
+/**
+ * \brief This function performs a complete ChaCha20-Poly1305
+ * authenticated encryption with the previously-set key.
+ *
+ * \note Before using this function, you must set the key with
+ * \c mbedtls_chachapoly_setkey().
+ *
+ * \warning You must never use the same nonce twice with the same key.
+ * This would void any confidentiality and authenticity
+ * guarantees for the messages encrypted with the same nonce
+ * and key.
+ *
+ * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
+ * \param length The length (in bytes) of the data to encrypt or decrypt.
+ * \param nonce The 96-bit (12 bytes) nonce/IV to use.
+ * \param aad The buffer containing the additional authenticated data (AAD).
+ * This pointer can be NULL if aad_len == 0.
+ * \param aad_len The length (in bytes) of the AAD data to process.
+ * \param input The buffer containing the data to encrypt or decrypt.
+ * This pointer can be NULL if ilen == 0.
+ * \param output The buffer to where the encrypted or decrypted data is written.
+ * This pointer can be NULL if ilen == 0.
+ * \param tag The buffer to where the computed 128-bit (16 bytes) MAC is written.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if one or more of the required parameters are NULL.
+ */
+int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char tag[16] );
+
+/**
+ * \brief This function performs a complete ChaCha20-Poly1305
+ * authenticated decryption with the previously-set key.
+ *
+ * \note Before using this function, you must set the key with
+ * \c mbedtls_chachapoly_setkey().
+ *
+ * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
+ * \param length The length (in bytes) of the data to decrypt.
+ * \param nonce The 96-bit (12 bytes) nonce/IV to use.
+ * \param aad The buffer containing the additional authenticated data (AAD).
+ * This pointer can be NULL if aad_len == 0.
+ * \param aad_len The length (in bytes) of the AAD data to process.
+ * \param tag The buffer holding the authentication tag.
+ * \param input The buffer containing the data to decrypt.
+ * This pointer can be NULL if ilen == 0.
+ * \param output The buffer to where the decrypted data is written.
+ * This pointer can be NULL if ilen == 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if one or more of the required parameters are NULL.
+ * \return #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+ * if the data was not authentic.
+ */
+int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char tag[16],
+ const unsigned char *input,
+ unsigned char *output );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief The ChaCha20-Poly1305 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_chachapoly_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHAPOLY_H */
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index be80332..9e6bb8a 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -4,7 +4,7 @@
* \brief Consistency checks for configuration options
*/
/*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -87,6 +87,11 @@
#error "MBEDTLS_CMAC_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_NIST_KW_C) && \
+ ( !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CIPHER_C) )
+#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
+#endif
+
#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
#endif
@@ -191,6 +196,10 @@
#error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_HKDF_C defined, but not all prerequisites"
+#endif
+
#if defined(MBEDTLS_HMAC_DRBG_C) && !defined(MBEDTLS_MD_C)
#error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites"
#endif
diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index 3ee2ab7..ea0ce98 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -37,7 +37,7 @@
#include <stddef.h>
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
#define MBEDTLS_CIPHER_MODE_AEAD
#endif
@@ -45,7 +45,7 @@
#define MBEDTLS_CIPHER_MODE_WITH_PADDING
#endif
-#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
#define MBEDTLS_CIPHER_MODE_STREAM
#endif
@@ -86,6 +86,8 @@
MBEDTLS_CIPHER_ID_CAMELLIA, /**< The Camellia cipher. */
MBEDTLS_CIPHER_ID_BLOWFISH, /**< The Blowfish cipher. */
MBEDTLS_CIPHER_ID_ARC4, /**< The RC4 cipher. */
+ MBEDTLS_CIPHER_ID_ARIA, /**< The Aria cipher. */
+ MBEDTLS_CIPHER_ID_CHACHA20, /**< The ChaCha20 cipher. */
} mbedtls_cipher_id_t;
/**
@@ -145,6 +147,31 @@
MBEDTLS_CIPHER_CAMELLIA_128_CCM, /**< Camellia cipher with 128-bit CCM mode. */
MBEDTLS_CIPHER_CAMELLIA_192_CCM, /**< Camellia cipher with 192-bit CCM mode. */
MBEDTLS_CIPHER_CAMELLIA_256_CCM, /**< Camellia cipher with 256-bit CCM mode. */
+ MBEDTLS_CIPHER_ARIA_128_ECB, /**< Aria cipher with 128-bit key and ECB mode. */
+ MBEDTLS_CIPHER_ARIA_192_ECB, /**< Aria cipher with 192-bit key and ECB mode. */
+ MBEDTLS_CIPHER_ARIA_256_ECB, /**< Aria cipher with 256-bit key and ECB mode. */
+ MBEDTLS_CIPHER_ARIA_128_CBC, /**< Aria cipher with 128-bit key and CBC mode. */
+ MBEDTLS_CIPHER_ARIA_192_CBC, /**< Aria cipher with 192-bit key and CBC mode. */
+ MBEDTLS_CIPHER_ARIA_256_CBC, /**< Aria cipher with 256-bit key and CBC mode. */
+ MBEDTLS_CIPHER_ARIA_128_CFB128, /**< Aria cipher with 128-bit key and CFB-128 mode. */
+ MBEDTLS_CIPHER_ARIA_192_CFB128, /**< Aria cipher with 192-bit key and CFB-128 mode. */
+ MBEDTLS_CIPHER_ARIA_256_CFB128, /**< Aria cipher with 256-bit key and CFB-128 mode. */
+ MBEDTLS_CIPHER_ARIA_128_CTR, /**< Aria cipher with 128-bit key and CTR mode. */
+ MBEDTLS_CIPHER_ARIA_192_CTR, /**< Aria cipher with 192-bit key and CTR mode. */
+ MBEDTLS_CIPHER_ARIA_256_CTR, /**< Aria cipher with 256-bit key and CTR mode. */
+ MBEDTLS_CIPHER_ARIA_128_GCM, /**< Aria cipher with 128-bit key and GCM mode. */
+ MBEDTLS_CIPHER_ARIA_192_GCM, /**< Aria cipher with 192-bit key and GCM mode. */
+ MBEDTLS_CIPHER_ARIA_256_GCM, /**< Aria cipher with 256-bit key and GCM mode. */
+ MBEDTLS_CIPHER_ARIA_128_CCM, /**< Aria cipher with 128-bit key and CCM mode. */
+ MBEDTLS_CIPHER_ARIA_192_CCM, /**< Aria cipher with 192-bit key and CCM mode. */
+ MBEDTLS_CIPHER_ARIA_256_CCM, /**< Aria cipher with 256-bit key and CCM mode. */
+ MBEDTLS_CIPHER_AES_128_OFB, /**< AES 128-bit cipher in OFB mode. */
+ MBEDTLS_CIPHER_AES_192_OFB, /**< AES 192-bit cipher in OFB mode. */
+ MBEDTLS_CIPHER_AES_256_OFB, /**< AES 256-bit cipher in OFB mode. */
+ MBEDTLS_CIPHER_AES_128_XTS, /**< AES 128-bit cipher in XTS block mode. */
+ MBEDTLS_CIPHER_AES_256_XTS, /**< AES 256-bit cipher in XTS block mode. */
+ MBEDTLS_CIPHER_CHACHA20, /**< ChaCha20 stream cipher. */
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, /**< ChaCha20-Poly1305 AEAD cipher. */
} mbedtls_cipher_type_t;
/** Supported cipher modes. */
@@ -153,11 +180,13 @@
MBEDTLS_MODE_ECB, /**< The ECB cipher mode. */
MBEDTLS_MODE_CBC, /**< The CBC cipher mode. */
MBEDTLS_MODE_CFB, /**< The CFB cipher mode. */
- MBEDTLS_MODE_OFB, /**< The OFB cipher mode - unsupported. */
+ MBEDTLS_MODE_OFB, /**< The OFB cipher mode. */
MBEDTLS_MODE_CTR, /**< The CTR cipher mode. */
MBEDTLS_MODE_GCM, /**< The GCM cipher mode. */
MBEDTLS_MODE_STREAM, /**< The stream cipher mode. */
MBEDTLS_MODE_CCM, /**< The CCM cipher mode. */
+ MBEDTLS_MODE_XTS, /**< The XTS cipher mode. */
+ MBEDTLS_MODE_CHACHAPOLY, /**< The ChaCha-Poly cipher mode. */
} mbedtls_cipher_mode_t;
/** Supported cipher padding types. */
@@ -273,7 +302,8 @@
/** Number of Bytes that have not been processed yet. */
size_t unprocessed_len;
- /** Current IV or NONCE_COUNTER for CTR-mode. */
+ /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number
+ * for XTS-mode. */
unsigned char iv[MBEDTLS_MAX_IV_LENGTH];
/** IV size in Bytes, for ciphers with variable-length IVs. */
@@ -560,11 +590,11 @@
*/
int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
/**
* \brief This function adds additional data for AEAD ciphers.
- * Only supported with GCM. Must be called
- * exactly once, after mbedtls_cipher_reset().
+ * Currently supported with GCM and ChaCha20+Poly1305.
+ * Must be called exactly once, after mbedtls_cipher_reset().
*
* \param ctx The generic cipher context.
* \param ad The additional data to use.
@@ -575,7 +605,7 @@
*/
int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
const unsigned char *ad, size_t ad_len );
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
/**
* \brief The generic cipher update function. It encrypts or
@@ -633,10 +663,10 @@
int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
unsigned char *output, size_t *olen );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
/**
* \brief This function writes a tag for AEAD ciphers.
- * Only supported with GCM.
+ * Currently supported with GCM and ChaCha20+Poly1305.
* Must be called after mbedtls_cipher_finish().
*
* \param ctx The generic cipher context.
@@ -651,7 +681,7 @@
/**
* \brief This function checks the tag for AEAD ciphers.
- * Only supported with GCM.
+ * Currently supported with GCM and ChaCha20+Poly1305.
* Must be called after mbedtls_cipher_finish().
*
* \param ctx The generic cipher context.
@@ -663,7 +693,7 @@
*/
int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
const unsigned char *tag, size_t tag_len );
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
/**
* \brief The generic all-in-one encryption/decryption function,
diff --git a/include/mbedtls/cipher_internal.h b/include/mbedtls/cipher_internal.h
index 969ff9c..c6def0b 100644
--- a/include/mbedtls/cipher_internal.h
+++ b/include/mbedtls/cipher_internal.h
@@ -64,6 +64,14 @@
unsigned char *output );
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ /** Encrypt using OFB (Full length) */
+ int (*ofb_func)( void *ctx, size_t length, size_t *iv_off,
+ unsigned char *iv,
+ const unsigned char *input,
+ unsigned char *output );
+#endif
+
#if defined(MBEDTLS_CIPHER_MODE_CTR)
/** Encrypt using CTR */
int (*ctr_func)( void *ctx, size_t length, size_t *nc_off,
@@ -71,6 +79,13 @@
const unsigned char *input, unsigned char *output );
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ /** Encrypt or decrypt using XTS. */
+ int (*xts_func)( void *ctx, mbedtls_operation_t mode, size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input, unsigned char *output );
+#endif
+
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
/** Encrypt using STREAM */
int (*stream_func)( void *ctx, size_t length,
diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h
index 913c05f..a4fd552 100644
--- a/include/mbedtls/cmac.h
+++ b/include/mbedtls/cmac.h
@@ -28,7 +28,7 @@
#ifndef MBEDTLS_CMAC_H
#define MBEDTLS_CMAC_H
-#include "mbedtls/cipher.h"
+#include "cipher.h"
#ifdef __cplusplus
extern "C" {
diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h
index 600a0f1..213b691 100644
--- a/include/mbedtls/compat-1.3.h
+++ b/include/mbedtls/compat-1.3.h
@@ -1378,7 +1378,8 @@
#define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
#define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
#define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
-#define SSL_BUFFER_LEN MBEDTLS_SSL_BUFFER_LEN
+#define SSL_BUFFER_LEN ( ( ( MBEDTLS_SSL_IN_BUFFER_LEN ) < ( MBEDTLS_SSL_OUT_BUFFER_LEN ) ) \
+ ? ( MBEDTLS_SSL_IN_BUFFER_LEN ) : ( MBEDTLS_SSL_OUT_BUFFER_LEN ) )
#define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
#define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
#define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 7c9acb2..70820be 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -8,7 +8,7 @@
* memory footprint.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -48,10 +48,14 @@
* Requires support for asm() in compiler.
*
* Used in:
+ * library/aria.c
* library/timing.c
- * library/padlock.c
* include/mbedtls/bn_mul.h
*
+ * Required by:
+ * MBEDTLS_AESNI_C
+ * MBEDTLS_PADLOCK_C
+ *
* Comment to disable the use of assembly code.
*/
#define MBEDTLS_HAVE_ASM
@@ -85,6 +89,28 @@
//#define MBEDTLS_NO_UDBL_DIVISION
/**
+ * \def MBEDTLS_NO_64BIT_MULTIPLICATION
+ *
+ * The platform lacks support for 32x32 -> 64-bit multiplication.
+ *
+ * Used in:
+ * library/poly1305.c
+ *
+ * Some parts of the library may use multiplication of two unsigned 32-bit
+ * operands with a 64-bit result in order to speed up computations. On some
+ * platforms, this is not available in hardware and has to be implemented in
+ * software, usually in a library provided by the toolchain.
+ *
+ * Sometimes it is not desirable to have to link to that library. This option
+ * removes the dependency of that library on platforms that lack a hardware
+ * 64-bit multiplier by embedding a software implementation in Mbed TLS.
+ *
+ * Note that depending on the compiler, this may decrease performance compared
+ * to using the library function provided by the toolchain.
+ */
+//#define MBEDTLS_NO_64BIT_MULTIPLICATION
+
+/**
* \def MBEDTLS_HAVE_SSE2
*
* CPU supports SSE2 instruction set.
@@ -271,23 +297,29 @@
*/
//#define MBEDTLS_AES_ALT
//#define MBEDTLS_ARC4_ALT
+//#define MBEDTLS_ARIA_ALT
//#define MBEDTLS_BLOWFISH_ALT
//#define MBEDTLS_CAMELLIA_ALT
//#define MBEDTLS_CCM_ALT
+//#define MBEDTLS_CHACHA20_ALT
+//#define MBEDTLS_CHACHAPOLY_ALT
//#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT
//#define MBEDTLS_DHM_ALT
//#define MBEDTLS_ECJPAKE_ALT
//#define MBEDTLS_GCM_ALT
+//#define MBEDTLS_NIST_KW_ALT
//#define MBEDTLS_MD2_ALT
//#define MBEDTLS_MD4_ALT
//#define MBEDTLS_MD5_ALT
+//#define MBEDTLS_POLY1305_ALT
//#define MBEDTLS_RIPEMD160_ALT
//#define MBEDTLS_RSA_ALT
//#define MBEDTLS_SHA1_ALT
//#define MBEDTLS_SHA256_ALT
//#define MBEDTLS_SHA512_ALT
//#define MBEDTLS_XTEA_ALT
+
/*
* When replacing the elliptic curve module, pleace consider, that it is
* implemented with two .c files:
@@ -510,6 +542,20 @@
#define MBEDTLS_CIPHER_MODE_CTR
/**
+ * \def MBEDTLS_CIPHER_MODE_OFB
+ *
+ * Enable Output Feedback mode (OFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_OFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_XTS
+ *
+ * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
+ */
+#define MBEDTLS_CIPHER_MODE_XTS
+
+/**
* \def MBEDTLS_CIPHER_NULL_CIPHER
*
* Enable NULL cipher.
@@ -1129,6 +1175,17 @@
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
/**
+ * \def MBEDTLS_SSL_ASYNC_PRIVATE
+ *
+ * Enable asynchronous external private key operations in SSL. This allows
+ * you to configure an SSL connection to call an external cryptographic
+ * module to perform private key operations instead of performing the
+ * operation inside the library.
+ *
+ */
+//#define MBEDTLS_SSL_ASYNC_PRIVATE
+
+/**
* \def MBEDTLS_SSL_DEBUG_ALL
*
* Enable the debug messages in SSL module for all issues.
@@ -1617,7 +1674,7 @@
* Enable the AES block cipher.
*
* Module: library/aes.c
- * Caller: library/ssl_tls.c
+ * Caller: library/cipher.c
* library/pem.c
* library/ctr_drbg.c
*
@@ -1692,7 +1749,7 @@
* Enable the ARCFOUR stream cipher.
*
* Module: library/arc4.c
- * Caller: library/ssl_tls.c
+ * Caller: library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -1786,7 +1843,7 @@
* Enable the Camellia block cipher.
*
* Module: library/camellia.c
- * Caller: library/ssl_tls.c
+ * Caller: library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -1836,6 +1893,58 @@
#define MBEDTLS_CAMELLIA_C
/**
+ * \def MBEDTLS_ARIA_C
+ *
+ * Enable the ARIA block cipher.
+ *
+ * Module: library/aria.c
+ * Caller: library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *
+ * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
+ */
+//#define MBEDTLS_ARIA_C
+
+/**
* \def MBEDTLS_CCM_C
*
* Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
@@ -1862,6 +1971,26 @@
#define MBEDTLS_CERTS_C
/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 stream cipher.
+ *
+ * Module: library/chacha20.c
+ */
+#define MBEDTLS_CHACHA20_C
+
+/**
+ * \def MBEDTLS_CHACHAPOLY_C
+ *
+ * Enable the ChaCha20-Poly1305 AEAD algorithm.
+ *
+ * Module: library/chachapoly.c
+ *
+ * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
+ */
+#define MBEDTLS_CHACHAPOLY_C
+
+/**
* \def MBEDTLS_CIPHER_C
*
* Enable the generic cipher layer.
@@ -1921,7 +2050,7 @@
*
* Module: library/des.c
* Caller: library/pem.c
- * library/ssl_tls.c
+ * library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -2092,6 +2221,21 @@
//#define MBEDTLS_HAVEGE_C
/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module: library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+#define MBEDTLS_HKDF_C
+
+/**
* \def MBEDTLS_HMAC_DRBG_C
*
* Enable the HMAC_DRBG random generator.
@@ -2106,6 +2250,19 @@
#define MBEDTLS_HMAC_DRBG_C
/**
+ * \def MBEDTLS_NIST_KW_C
+ *
+ * Enable the Key Wrapping mode for 128-bit block ciphers,
+ * as defined in NIST SP 800-38F. Only KW and KWP modes
+ * are supported. At the moment, only AES is approved by NIST.
+ *
+ * Module: library/nist_kw.c
+ *
+ * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
+ */
+//#define MBEDTLS_NIST_KW_C
+
+/**
* \def MBEDTLS_MD_C
*
* Enable the generic message digest layer.
@@ -2389,6 +2546,16 @@
#define MBEDTLS_PLATFORM_C
/**
+ * \def MBEDTLS_POLY1305_C
+ *
+ * Enable the Poly1305 MAC algorithm.
+ *
+ * Module: library/poly1305.c
+ * Caller: library/chachapoly.c
+ */
+#define MBEDTLS_POLY1305_C
+
+/**
* \def MBEDTLS_RIPEMD160_C
*
* Enable the RIPEMD-160 hash algorithm.
@@ -2798,7 +2965,51 @@
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
/* SSL options */
-//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
+
+/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
+ *
+ * Maximum fragment length in bytes.
+ *
+ * Determines the size of both the incoming and outgoing TLS I/O buffers.
+ *
+ * Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN
+ * will override this length by setting maximum incoming and/or outgoing
+ * fragment length, respectively.
+ */
+//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
+
+/** \def MBEDTLS_SSL_IN_CONTENT_LEN
+ *
+ * Maximum incoming fragment length in bytes.
+ *
+ * Uncomment to set the size of the inward TLS buffer independently of the
+ * outward buffer.
+ */
+//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
+
+/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
+ *
+ * Maximum outgoing fragment length in bytes.
+ *
+ * Uncomment to set the size of the outward TLS buffer independently of the
+ * inward buffer.
+ *
+ * It is possible to save RAM by setting a smaller outward buffer, while keeping
+ * the default inward 16384 byte buffer to conform to the TLS specification.
+ *
+ * The minimum required outward buffer size is determined by the handshake
+ * protocol's usage. Handshaking will fail if the outward buffer is too small.
+ * The specific size requirement depends on the configured ciphers and any
+ * certificate data which is sent during the handshake.
+ *
+ * For absolute minimum RAM usage, it's best to enable
+ * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
+ * reduces both incoming and outgoing buffer sizes. However this is only
+ * guaranteed if the other end of the connection also supports the TLS
+ * max_fragment_len extension. Otherwise the connection may fail.
+ */
+//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
+
//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
@@ -2875,7 +3086,7 @@
/* \} name SECTION: Customisation configuration options */
/* Target and application specific configurations */
-//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h"
+//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h
index dcbc047..3835d72 100644
--- a/include/mbedtls/ctr_drbg.h
+++ b/include/mbedtls/ctr_drbg.h
@@ -36,7 +36,7 @@
#include "aes.h"
#if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "threading.h"
#endif
#define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED -0x0034 /**< The entropy source failed. */
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index 786d02e..6b82d4f 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -4,7 +4,7 @@
* \brief Error to string translation
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -62,7 +62,8 @@
* DES 2 0x0032-0x0032 0x0033-0x0033
* CTR_DBRG 4 0x0034-0x003A
* ENTROPY 3 0x003C-0x0040 0x003D-0x003F
- * NET 11 0x0042-0x0052 0x0043-0x0045
+ * NET 13 0x0042-0x0052 0x0043-0x0049
+ * ARIA 4 0x0058-0x005E
* ASN1 7 0x0060-0x006C
* CMAC 1 0x007A-0x007A
* PBKDF2 1 0x007C-0x007C
@@ -76,6 +77,9 @@
* SHA1 1 0x0035-0x0035
* SHA256 1 0x0037-0x0037
* SHA512 1 0x0039-0x0039
+ * CHACHA20 3 0x0051-0x0055
+ * POLY1305 3 0x0057-0x005B
+ * CHACHAPOLY 2 0x0054-0x0056
*
* High-level module nr (3 bits - 0x0...-0x7...)
* Name ID Nr of Errors
@@ -88,8 +92,9 @@
* RSA 4 11
* ECP 4 9 (Started from top)
* MD 5 5
+ * HKDF 5 1 (Started from top)
* CIPHER 6 8
- * SSL 6 17 (Started from top)
+ * SSL 6 22 (Started from top)
* SSL 7 31
*
* Module dependent error code (5 bits 0x.00.-0x.F8.)
diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h
index bec5577..87535ab 100644
--- a/include/mbedtls/gcm.h
+++ b/include/mbedtls/gcm.h
@@ -113,21 +113,41 @@
* the same as input buffer. If the buffers overlap, the output
* buffer must trail at least 8 Bytes behind the input buffer.
*
+ * \warning When this function performs a decryption, it outputs the
+ * authentication tag and does not verify that the data is
+ * authentic. You should use this function to perform encryption
+ * only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
+ *
* \param ctx The GCM context to use for encryption or decryption.
- * \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or
- * #MBEDTLS_GCM_DECRYPT.
- * \param length The length of the input data. This must be a multiple of
- * 16 except in the last call before mbedtls_gcm_finish().
+ * \param mode The operation to perform:
+ * - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
+ * The ciphertext is written to \p output and the
+ * authentication tag is written to \p tag.
+ * - #MBEDTLS_GCM_DECRYPT to perform decryption.
+ * The plaintext is written to \p output and the
+ * authentication tag is written to \p tag.
+ * Note that this mode is not recommended, because it does
+ * not verify the authenticity of the data. For this reason,
+ * you should use mbedtls_gcm_auth_decrypt() instead of
+ * calling this function in decryption mode.
+ * \param length The length of the input data, which is equal to the length
+ * of the output data.
* \param iv The initialization vector.
* \param iv_len The length of the IV.
* \param add The buffer holding the additional data.
* \param add_len The length of the additional data.
- * \param input The buffer holding the input data.
- * \param output The buffer for holding the output data.
+ * \param input The buffer holding the input data. Its size is \b length.
+ * \param output The buffer for holding the output data. It must have room
+ * for \b length bytes.
* \param tag_len The length of the tag to generate.
* \param tag The buffer for holding the tag.
*
- * \return \c 0 on success.
+ * \return \c 0 if the encryption or decryption was performed
+ * successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
+ * this does not indicate that the data is authentic.
+ * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths are not valid.
+ * \return #MBEDTLS_ERR_GCM_HW_ACCEL_FAILED or a cipher-specific
+ * error code if the encryption or decryption failed.
*/
int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
int mode,
@@ -150,19 +170,23 @@
* must trail at least 8 Bytes behind the input buffer.
*
* \param ctx The GCM context.
- * \param length The length of the input data. This must be a multiple
- * of 16 except in the last call before mbedtls_gcm_finish().
+ * \param length The length of the ciphertext to decrypt, which is also
+ * the length of the decrypted plaintext.
* \param iv The initialization vector.
* \param iv_len The length of the IV.
* \param add The buffer holding the additional data.
* \param add_len The length of the additional data.
- * \param tag The buffer holding the tag.
- * \param tag_len The length of the tag.
- * \param input The buffer holding the input data.
- * \param output The buffer for holding the output data.
+ * \param tag The buffer holding the tag to verify.
+ * \param tag_len The length of the tag to verify.
+ * \param input The buffer holding the ciphertext. Its size is \b length.
+ * \param output The buffer for holding the decrypted plaintext. It must
+ * have room for \b length bytes.
*
- * \return 0 if successful and authenticated.
- * \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
+ * \return \c 0 if successful and authenticated.
+ * \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
+ * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths are not valid.
+ * \return #MBEDTLS_ERR_GCM_HW_ACCEL_FAILED or a cipher-specific
+ * error code if the decryption failed.
*/
int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
size_t length,
diff --git a/include/mbedtls/hkdf.h b/include/mbedtls/hkdf.h
new file mode 100644
index 0000000..6833e72
--- /dev/null
+++ b/include/mbedtls/hkdf.h
@@ -0,0 +1,125 @@
+/**
+ * \file hkdf.h
+ *
+ * \brief This file contains the HKDF interface.
+ *
+ * The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is
+ * specified by RFC 5869.
+ */
+/*
+ * Copyright (C) 2016-2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_HKDF_H
+#define MBEDTLS_HKDF_H
+
+#include "md.h"
+
+/**
+ * \name HKDF Error codes
+ * \{
+ */
+#define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA -0x5F80 /**< Bad input parameters to function. */
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief This is the HMAC-based Extract-and-Expand Key Derivation Function
+ * (HKDF).
+ *
+ * \param md A hash function; md.size denotes the length of the hash
+ * function output in bytes.
+ * \param salt An optional salt value (a non-secret random value);
+ * if the salt is not provided, a string of all zeros of
+ * md.size length is used as the salt.
+ * \param salt_len The length in bytes of the optional \p salt.
+ * \param ikm The input keying material.
+ * \param ikm_len The length in bytes of \p ikm.
+ * \param info An optional context and application specific information
+ * string. This can be a zero-length string.
+ * \param info_len The length of \p info in bytes.
+ * \param okm The output keying material of \p okm_len bytes.
+ * \param okm_len The length of the output keying material in bytes. This
+ * must be less than or equal to 255 * md.size bytes.
+ *
+ * \return 0 on success.
+ * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ * \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ * MD layer.
+ */
+int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
+ size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len );
+
+/**
+ * \brief Take the input keying material \p ikm and extract from it a
+ * fixed-length pseudorandom key \p prk.
+ *
+ * \param md A hash function; md.size denotes the length of the
+ * hash function output in bytes.
+ * \param salt An optional salt value (a non-secret random value);
+ * if the salt is not provided, a string of all zeros
+ * of md.size length is used as the salt.
+ * \param salt_len The length in bytes of the optional \p salt.
+ * \param ikm The input keying material.
+ * \param ikm_len The length in bytes of \p ikm.
+ * \param[out] prk A pseudorandom key of at least md.size bytes.
+ *
+ * \return 0 on success.
+ * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ * \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ * MD layer.
+ */
+int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk );
+
+/**
+ * \brief Expand the supplied \p prk into several additional pseudorandom
+ * keys, which is the output of the HKDF.
+ *
+ * \param md A hash function; md.size denotes the length of the hash
+ * function output in bytes.
+ * \param prk A pseudorandom key of at least md.size bytes. \p prk is usually,
+ * the output from the HKDF extract step.
+ * \param prk_len The length in bytes of \p prk.
+ * \param info An optional context and application specific information
+ * string. This can be a zero-length string.
+ * \param info_len The length of \p info in bytes.
+ * \param okm The output keying material of \p okm_len bytes.
+ * \param okm_len The length of the output keying material in bytes. This
+ * must be less than or equal to 255 * md.size bytes.
+ *
+ * \return 0 on success.
+ * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ * \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ * MD layer.
+ */
+int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
+ size_t prk_len, const unsigned char *info,
+ size_t info_len, unsigned char *okm, size_t okm_len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hkdf.h */
diff --git a/include/mbedtls/hmac_drbg.h b/include/mbedtls/hmac_drbg.h
index e0821cf..2608de8 100644
--- a/include/mbedtls/hmac_drbg.h
+++ b/include/mbedtls/hmac_drbg.h
@@ -27,7 +27,7 @@
#include "md.h"
#if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
+#include "threading.h"
#endif
/*
diff --git a/include/mbedtls/net.h b/include/mbedtls/net.h
index 28ae821..6c13b53 100644
--- a/include/mbedtls/net.h
+++ b/include/mbedtls/net.h
@@ -1,7 +1,7 @@
/**
* \file net.h
*
- * \brief Deprecated header file that includes mbedtls/net_sockets.h
+ * \brief Deprecated header file that includes net_sockets.h
*
* \deprecated Superseded by mbedtls/net_sockets.h
*/
@@ -25,7 +25,7 @@
*/
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#include "mbedtls/net_sockets.h"
+#include "net_sockets.h"
#if defined(MBEDTLS_DEPRECATED_WARNING)
#warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
#endif /* MBEDTLS_DEPRECATED_WARNING */
diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h
index 0f9b31e..9f07eeb 100644
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@@ -1,7 +1,23 @@
/**
* \file net_sockets.h
*
- * \brief Network communication functions
+ * \brief Network sockets abstraction layer to integrate Mbed TLS into a
+ * BSD-style sockets API.
+ *
+ * The network sockets module provides an example integration of the
+ * Mbed TLS library into a BSD sockets implementation. The module is
+ * intended to be an example of how Mbed TLS can be integrated into a
+ * networking stack, as well as to be Mbed TLS's network integration
+ * for its supported platforms.
+ *
+ * The module is intended only to be used with the Mbed TLS library and
+ * is not intended to be used by third party application software
+ * directly.
+ *
+ * The supported platforms are as follows:
+ * * Microsoft Windows and Windows CE
+ * * POSIX/Unix platforms including Linux, OS X
+ *
*/
/*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
diff --git a/include/mbedtls/nist_kw.h b/include/mbedtls/nist_kw.h
new file mode 100644
index 0000000..5a0f656
--- /dev/null
+++ b/include/mbedtls/nist_kw.h
@@ -0,0 +1,178 @@
+/**
+ * \file nist_kw.h
+ *
+ * \brief This file provides an API for key wrapping (KW) and key wrapping with
+ * padding (KWP) as defined in NIST SP 800-38F.
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *
+ * Key wrapping specifies a deterministic authenticated-encryption mode
+ * of operation, according to <em>NIST SP 800-38F: Recommendation for
+ * Block Cipher Modes of Operation: Methods for Key Wrapping</em>. Its
+ * purpose is to protect cryptographic keys.
+ *
+ * Its equivalent is RFC 3394 for KW, and RFC 5649 for KWP.
+ * https://tools.ietf.org/html/rfc3394
+ * https://tools.ietf.org/html/rfc5649
+ *
+ */
+/*
+ * Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_NIST_KW_H
+#define MBEDTLS_NIST_KW_H
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum
+{
+ MBEDTLS_KW_MODE_KW = 0,
+ MBEDTLS_KW_MODE_KWP = 1
+} mbedtls_nist_kw_mode_t;
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The key wrapping context-type definition. The key wrapping context is passed
+ * to the APIs called.
+ *
+ * \note The definition of this type may change in future library versions.
+ * Don't make any assumptions on this context!
+ */
+typedef struct {
+ mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */
+} mbedtls_nist_kw_context;
+
+#else /* MBEDTLS_NIST_key wrapping_ALT */
+#include "nist_kw_alt.h"
+#endif /* MBEDTLS_NIST_KW_ALT */
+
+/**
+ * \brief This function initializes the specified key wrapping context
+ * to make references valid and prepare the context
+ * for mbedtls_nist_kw_setkey() or mbedtls_nist_kw_free().
+ *
+ * \param ctx The key wrapping context to initialize.
+ *
+ */
+void mbedtls_nist_kw_init( mbedtls_nist_kw_context *ctx );
+
+/**
+ * \brief This function initializes the key wrapping context set in the
+ * \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx The key wrapping context.
+ * \param cipher The 128-bit block cipher to use. Only AES is supported.
+ * \param key The Key Encryption Key (KEK).
+ * \param keybits The KEK size in bits. This must be acceptable by the cipher.
+ * \param is_wrap Specify whether the operation within the context is wrapping or unwrapping
+ *
+ * \return \c 0 on success.
+ * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for any invalid input.
+ * \return \c MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE for 128-bit block ciphers
+ * which are not supported.
+ * \return cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits,
+ const int is_wrap );
+
+/**
+ * \brief This function releases and clears the specified key wrapping context
+ * and underlying cipher sub-context.
+ *
+ * \param ctx The key wrapping context to clear.
+ */
+void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx );
+
+/**
+ * \brief This function encrypts a buffer using key wrapping.
+ *
+ * \param ctx The key wrapping context to use for encryption.
+ * \param mode The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input The buffer holding the input data.
+ * \param in_len The length of the input data in Bytes.
+ * The input uses units of 8 Bytes called semiblocks.
+ * <ul><li>For KW mode: a multiple of 8 bytes between 16 and 2^57-8 inclusive. </li>
+ * <li>For KWP mode: any length between 1 and 2^32-1 inclusive.</li></ul>
+ * \param[out] output The buffer holding the output data.
+ * <ul><li>For KW mode: Must be at least 8 bytes larger than \p in_len.</li>
+ * <li>For KWP mode: Must be at least 8 bytes larger rounded up to a multiple of
+ * 8 bytes for KWP (15 bytes at most).</li></ul>
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return \c 0 on success.
+ * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t* out_len, size_t out_size );
+
+/**
+ * \brief This function decrypts a buffer using key wrapping.
+ *
+ * \param ctx The key wrapping context to use for decryption.
+ * \param mode The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input The buffer holding the input data.
+ * \param in_len The length of the input data in Bytes.
+ * The input uses units of 8 Bytes called semiblocks.
+ * The input must be a multiple of semiblocks.
+ * <ul><li>For KW mode: a multiple of 8 bytes between 24 and 2^57 inclusive. </li>
+ * <li>For KWP mode: a multiple of 8 bytes between 16 and 2^32 inclusive.</li></ul>
+ * \param[out] output The buffer holding the output data.
+ * The output buffer's minimal length is 8 bytes shorter than \p in_len.
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ * For KWP mode, the length could be up to 15 bytes shorter than \p in_len,
+ * depending on how much padding was added to the data.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return \c 0 on success.
+ * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return \c MBEDTLS_ERR_CIPHER_AUTH_FAILED for verification failure of the ciphertext.
+ * \return cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t* out_len, size_t out_size);
+
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief The key wrapping checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_nist_kw_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_NIST_KW_H */
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
index 408645e..f825548 100644
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@@ -97,6 +97,8 @@
/* ISO arc for standard certificate and CRL extensions */
#define MBEDTLS_OID_ID_CE MBEDTLS_OID_ISO_CCITT_DS "\x1D" /**< id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} */
+#define MBEDTLS_OID_NIST_ALG MBEDTLS_OID_GOV "\x03\x04" /** { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) */
+
/**
* Private Internet Extensions
* { iso(1) identified-organization(3) dod(6) internet(1)
@@ -219,12 +221,12 @@
#define MBEDTLS_OID_DIGEST_ALG_MD4 MBEDTLS_OID_RSA_COMPANY "\x02\x04" /**< id-mbedtls_md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 } */
#define MBEDTLS_OID_DIGEST_ALG_MD5 MBEDTLS_OID_RSA_COMPANY "\x02\x05" /**< id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
#define MBEDTLS_OID_DIGEST_ALG_SHA1 MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_SHA1 /**< id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA224 MBEDTLS_OID_GOV "\x03\x04\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA256 MBEDTLS_OID_GOV "\x03\x04\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA224 MBEDTLS_OID_NIST_ALG "\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA256 MBEDTLS_OID_NIST_ALG "\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA384 MBEDTLS_OID_GOV "\x03\x04\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA384 MBEDTLS_OID_NIST_ALG "\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA512 MBEDTLS_OID_GOV "\x03\x04\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA512 MBEDTLS_OID_NIST_ALG "\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
#define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
@@ -241,8 +243,21 @@
*/
#define MBEDTLS_OID_DES_CBC MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
#define MBEDTLS_OID_DES_EDE3_CBC MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
+#define MBEDTLS_OID_AES MBEDTLS_OID_NIST_ALG "\x01" /** aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } */
/*
+ * Key Wrapping algorithms
+ */
+/*
+ * RFC 5649
+ */
+#define MBEDTLS_OID_AES128_KW MBEDTLS_OID_AES "\x05" /** id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 } */
+#define MBEDTLS_OID_AES128_KWP MBEDTLS_OID_AES "\x08" /** id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 } */
+#define MBEDTLS_OID_AES192_KW MBEDTLS_OID_AES "\x19" /** id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 } */
+#define MBEDTLS_OID_AES192_KWP MBEDTLS_OID_AES "\x1c" /** id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 } */
+#define MBEDTLS_OID_AES256_KW MBEDTLS_OID_AES "\x2d" /** id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 } */
+#define MBEDTLS_OID_AES256_KWP MBEDTLS_OID_AES "\x30" /** id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } */
+/*
* PKCS#5 OIDs
*/
#define MBEDTLS_OID_PKCS5_PBKDF2 MBEDTLS_OID_PKCS5 "\x0c" /**< id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12} */
diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h
index bba7709..624cc64 100644
--- a/include/mbedtls/platform.h
+++ b/include/mbedtls/platform.h
@@ -40,7 +40,7 @@
#endif
#if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
+#include "platform_time.h"
#endif
#ifdef __cplusplus
@@ -121,8 +121,8 @@
#else
/* For size_t */
#include <stddef.h>
-extern void * (*mbedtls_calloc)( size_t n, size_t size );
-extern void (*mbedtls_free)( void *ptr );
+extern void *mbedtls_calloc( size_t n, size_t size );
+extern void mbedtls_free( void *ptr );
/**
* \brief This function dynamically sets the memory-management
diff --git a/include/mbedtls/poly1305.h b/include/mbedtls/poly1305.h
new file mode 100644
index 0000000..54b50ab
--- /dev/null
+++ b/include/mbedtls/poly1305.h
@@ -0,0 +1,181 @@
+/**
+ * \file poly1305.h
+ *
+ * \brief This file contains Poly1305 definitions and functions.
+ *
+ * Poly1305 is a one-time message authenticator that can be used to
+ * authenticate messages. Poly1305-AES was created by Daniel
+ * Bernstein https://cr.yp.to/mac/poly1305-20050329.pdf The generic
+ * Poly1305 algorithm (not tied to AES) was also standardized in RFC
+ * 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_POLY1305_H
+#define MBEDTLS_POLY1305_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA -0x0057 /**< Invalid input parameter(s). */
+#define MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE -0x0059 /**< Feature not available. For example, s part of the API is not implemented. */
+#define MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED -0x005B /**< Poly1305 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+typedef struct
+{
+ uint32_t r[4]; /** The value for 'r' (low 128 bits of the key). */
+ uint32_t s[4]; /** The value for 's' (high 128 bits of the key). */
+ uint32_t acc[5]; /** The accumulator number. */
+ uint8_t queue[16]; /** The current partial block of data. */
+ size_t queue_len; /** The number of bytes stored in 'queue'. */
+}
+mbedtls_poly1305_context;
+
+#else /* MBEDTLS_POLY1305_ALT */
+#include "poly1305_alt.h"
+#endif /* MBEDTLS_POLY1305_ALT */
+
+/**
+ * \brief This function initializes the specified Poly1305 context.
+ *
+ * It must be the first API called before using
+ * the context.
+ *
+ * It is usually followed by a call to
+ * \c mbedtls_poly1305_starts(), then one or more calls to
+ * \c mbedtls_poly1305_update(), then one call to
+ * \c mbedtls_poly1305_finish(), then finally
+ * \c mbedtls_poly1305_free().
+ *
+ * \param ctx The Poly1305 context to initialize.
+ */
+void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx );
+
+/**
+ * \brief This function releases and clears the specified Poly1305 context.
+ *
+ * \param ctx The Poly1305 context to clear.
+ */
+void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx );
+
+/**
+ * \brief This function sets the one-time authentication key.
+ *
+ * \warning The key must be unique and unpredictable for each
+ * invocation of Poly1305.
+ *
+ * \param ctx The Poly1305 context to which the key should be bound.
+ * \param key The buffer containing the 256-bit key.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if ctx or key are NULL.
+ */
+int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
+ const unsigned char key[32] );
+
+/**
+ * \brief This functions feeds an input buffer into an ongoing
+ * Poly1305 computation.
+ *
+ * It is called between \c mbedtls_cipher_poly1305_starts() and
+ * \c mbedtls_cipher_poly1305_finish().
+ * It can be called repeatedly to process a stream of data.
+ *
+ * \param ctx The Poly1305 context to use for the Poly1305 operation.
+ * \param ilen The length of the input data (in bytes). Any value is accepted.
+ * \param input The buffer holding the input data.
+ * This pointer can be NULL if ilen == 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if ctx or input are NULL.
+ */
+int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
+ const unsigned char *input,
+ size_t ilen );
+
+/**
+ * \brief This function generates the Poly1305 Message
+ * Authentication Code (MAC).
+ *
+ * \param ctx The Poly1305 context to use for the Poly1305 operation.
+ * \param mac The buffer to where the MAC is written. Must be big enough
+ * to hold the 16-byte MAC.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if ctx or mac are NULL.
+ */
+int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
+ unsigned char mac[16] );
+
+/**
+ * \brief This function calculates the Poly1305 MAC of the input
+ * buffer with the provided key.
+ *
+ * \warning The key must be unique and unpredictable for each
+ * invocation of Poly1305.
+ *
+ * \param key The buffer containing the 256-bit key.
+ * \param ilen The length of the input data (in bytes). Any value is accepted.
+ * \param input The buffer holding the input data.
+ * This pointer can be NULL if ilen == 0.
+ * \param mac The buffer to where the MAC is written. Must be big enough
+ * to hold the 16-byte MAC.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ * if key, input, or mac are NULL.
+ */
+int mbedtls_poly1305_mac( const unsigned char key[32],
+ const unsigned char *input,
+ size_t ilen,
+ unsigned char mac[16] );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief The Poly1305 checkup routine.
+ *
+ * \return \c 0 on success.
+ * \return \c 1 on failure.
+ */
+int mbedtls_poly1305_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_POLY1305_H */
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index f91066d..2d511a8 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -62,7 +62,7 @@
#endif
#if defined(MBEDTLS_HAVE_TIME)
-#include "mbedtls/platform_time.h"
+#include "platform_time.h"
#endif
/*
@@ -120,6 +120,7 @@
#define MBEDTLS_ERR_SSL_NON_FATAL -0x6680 /**< The alert message received indicates a non-fatal error. */
#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH -0x6600 /**< Couldn't set the hash for verifying CertificateVerify */
#define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING -0x6580 /**< Internal-only message signaling that further message-processing should be done */
+#define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS -0x6500 /**< The asynchronous operation is not completed yet. */
/*
* Various constants
@@ -219,7 +220,7 @@
#endif
/*
- * Maxium fragment length in bytes,
+ * Maximum fragment length in bytes,
* determines the size of each of the two internal I/O buffers.
*
* Note: the RFC defines the default size of SSL / TLS messages. If you
@@ -233,6 +234,14 @@
#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
#endif
+#if !defined(MBEDTLS_SSL_IN_CONTENT_LEN)
+#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
+#if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
+#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
/* \} name SECTION: Module settings */
/*
@@ -536,7 +545,6 @@
*/
typedef int mbedtls_ssl_get_timer_t( void * ctx );
-
/* Defined below */
typedef struct mbedtls_ssl_session mbedtls_ssl_session;
typedef struct mbedtls_ssl_context mbedtls_ssl_context;
@@ -553,6 +561,218 @@
typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
#endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief Callback type: start external signature operation.
+ *
+ * This callback is called during an SSL handshake to start
+ * a signature decryption operation using an
+ * external processor. The parameter \p cert contains
+ * the public key; it is up to the callback function to
+ * determine how to access the associated private key.
+ *
+ * This function typically sends or enqueues a request, and
+ * does not wait for the operation to complete. This allows
+ * the handshake step to be non-blocking.
+ *
+ * The parameters \p ssl and \p cert are guaranteed to remain
+ * valid throughout the handshake. On the other hand, this
+ * function must save the contents of \p hash if the value
+ * is needed for later processing, because the \p hash buffer
+ * is no longer valid after this function returns.
+ *
+ * This function may call mbedtls_ssl_set_async_operation_data()
+ * to store an operation context for later retrieval
+ * by the resume or cancel callback.
+ *
+ * \note For RSA signatures, this function must produce output
+ * that is consistent with PKCS#1 v1.5 in the same way as
+ * mbedtls_rsa_pkcs1_sign(). Before the private key operation,
+ * apply the padding steps described in RFC 8017, section 9.2
+ * "EMSA-PKCS1-v1_5" as follows.
+ * - If \p md_alg is #MBEDTLS_MD_NONE, apply the PKCS#1 v1.5
+ * encoding, treating \p hash as the DigestInfo to be
+ * padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ * from step 3, with `T = hash` and `tLen = hash_len`.
+ * - If `md_alg != MBEDTLS_MD_NONE`, apply the PKCS#1 v1.5
+ * encoding, treating \p hash as the hash to be encoded and
+ * padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ * from step 2, with `digestAlgorithm` obtained by calling
+ * mbedtls_oid_get_oid_by_md() on \p md_alg.
+ *
+ * \note For ECDSA signatures, the output format is the DER encoding
+ * `Ecdsa-Sig-Value` defined in
+ * [RFC 4492 section 5.4](https://tools.ietf.org/html/rfc4492#section-5.4).
+ *
+ * \param ssl The SSL connection instance. It should not be
+ * modified other than via
+ * mbedtls_ssl_set_async_operation_data().
+ * \param cert Certificate containing the public key.
+ * In simple cases, this is one of the pointers passed to
+ * mbedtls_ssl_conf_own_cert() when configuring the SSL
+ * connection. However, if other callbacks are used, this
+ * property may not hold. For example, if an SNI callback
+ * is registered with mbedtls_ssl_conf_sni(), then
+ * this callback determines what certificate is used.
+ * \param md_alg Hash algorithm.
+ * \param hash Buffer containing the hash. This buffer is
+ * no longer valid when the function returns.
+ * \param hash_len Size of the \c hash buffer in bytes.
+ *
+ * \return 0 if the operation was started successfully and the SSL
+ * stack should call the resume callback immediately.
+ * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ * was started successfully and the SSL stack should return
+ * immediately without calling the resume callback yet.
+ * \return #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ * processor does not support this key. The SSL stack will
+ * use the private key object instead.
+ * \return Any other error indicates a fatal failure and is
+ * propagated up the call chain. The callback should
+ * use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ * use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ * directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_sign_t( mbedtls_ssl_context *ssl,
+ mbedtls_x509_crt *cert,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash,
+ size_t hash_len );
+
+/**
+ * \brief Callback type: start external decryption operation.
+ *
+ * This callback is called during an SSL handshake to start
+ * an RSA decryption operation using an
+ * external processor. The parameter \p cert contains
+ * the public key; it is up to the callback function to
+ * determine how to access the associated private key.
+ *
+ * This function typically sends or enqueues a request, and
+ * does not wait for the operation to complete. This allows
+ * the handshake step to be non-blocking.
+ *
+ * The parameters \p ssl and \p cert are guaranteed to remain
+ * valid throughout the handshake. On the other hand, this
+ * function must save the contents of \p input if the value
+ * is needed for later processing, because the \p input buffer
+ * is no longer valid after this function returns.
+ *
+ * This function may call mbedtls_ssl_set_async_operation_data()
+ * to store an operation context for later retrieval
+ * by the resume or cancel callback.
+ *
+ * \warning RSA decryption as used in TLS is subject to a potential
+ * timing side channel attack first discovered by Bleichenbacher
+ * in 1998. This attack can be remotely exploitable
+ * in practice. To avoid this attack, you must ensure that
+ * if the callback performs an RSA decryption, the time it
+ * takes to execute and return the result does not depend
+ * on whether the RSA decryption succeeded or reported
+ * invalid padding.
+ *
+ * \param ssl The SSL connection instance. It should not be
+ * modified other than via
+ * mbedtls_ssl_set_async_operation_data().
+ * \param cert Certificate containing the public key.
+ * In simple cases, this is one of the pointers passed to
+ * mbedtls_ssl_conf_own_cert() when configuring the SSL
+ * connection. However, if other callbacks are used, this
+ * property may not hold. For example, if an SNI callback
+ * is registered with mbedtls_ssl_conf_sni(), then
+ * this callback determines what certificate is used.
+ * \param input Buffer containing the input ciphertext. This buffer
+ * is no longer valid when the function returns.
+ * \param input_len Size of the \p input buffer in bytes.
+ *
+ * \return 0 if the operation was started successfully and the SSL
+ * stack should call the resume callback immediately.
+ * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ * was started successfully and the SSL stack should return
+ * immediately without calling the resume callback yet.
+ * \return #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ * processor does not support this key. The SSL stack will
+ * use the private key object instead.
+ * \return Any other error indicates a fatal failure and is
+ * propagated up the call chain. The callback should
+ * use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ * use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ * directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_decrypt_t( mbedtls_ssl_context *ssl,
+ mbedtls_x509_crt *cert,
+ const unsigned char *input,
+ size_t input_len );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief Callback type: resume external operation.
+ *
+ * This callback is called during an SSL handshake to resume
+ * an external operation started by the
+ * ::mbedtls_ssl_async_sign_t or
+ * ::mbedtls_ssl_async_decrypt_t callback.
+ *
+ * This function typically checks the status of a pending
+ * request or causes the request queue to make progress, and
+ * does not wait for the operation to complete. This allows
+ * the handshake step to be non-blocking.
+ *
+ * This function may call mbedtls_ssl_get_async_operation_data()
+ * to retrieve an operation context set by the start callback.
+ * It may call mbedtls_ssl_set_async_operation_data() to modify
+ * this context.
+ *
+ * Note that when this function returns a status other than
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, it must free any
+ * resources associated with the operation.
+ *
+ * \param ssl The SSL connection instance. It should not be
+ * modified other than via
+ * mbedtls_ssl_set_async_operation_data().
+ * \param output Buffer containing the output (signature or decrypted
+ * data) on success.
+ * \param output_len On success, number of bytes written to \p output.
+ * \param output_size Size of the \p output buffer in bytes.
+ *
+ * \return 0 if output of the operation is available in the
+ * \p output buffer.
+ * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ * is still in progress. Subsequent requests for progress
+ * on the SSL connection will call the resume callback
+ * again.
+ * \return Any other error means that the operation is aborted.
+ * The SSL handshake is aborted. The callback should
+ * use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ * use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ * directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_resume_t( mbedtls_ssl_context *ssl,
+ unsigned char *output,
+ size_t *output_len,
+ size_t output_size );
+
+/**
+ * \brief Callback type: cancel external operation.
+ *
+ * This callback is called if an SSL connection is closed
+ * while an asynchronous operation is in progress. Note that
+ * this callback is not called if the
+ * ::mbedtls_ssl_async_resume_t callback has run and has
+ * returned a value other than
+ * #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, since in that case
+ * the asynchronous operation has already completed.
+ *
+ * This function may call mbedtls_ssl_get_async_operation_data()
+ * to retrieve an operation context set by the start callback.
+ *
+ * \param ssl The SSL connection instance. It should not be
+ * modified.
+ */
+typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
/*
* This structure is used for storing current session data.
*/
@@ -669,6 +889,16 @@
mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_ssl_async_sign_t *f_async_sign_start; /*!< start asynchronous signature operation */
+ mbedtls_ssl_async_decrypt_t *f_async_decrypt_start; /*!< start asynchronous decryption operation */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+ mbedtls_ssl_async_resume_t *f_async_resume; /*!< resume asynchronous operation */
+ mbedtls_ssl_async_cancel_t *f_async_cancel; /*!< cancel asynchronous operation */
+ void *p_async_config_data; /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
const int *sig_hashes; /*!< allowed signature hashes */
#endif
@@ -947,14 +1177,6 @@
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
/**
- * \brief Returns the list of ciphersuites supported by the SSL/TLS module.
- *
- * \return a statically allocated array of ciphersuites, the last
- * entry is 0.
- */
-const int *mbedtls_ssl_list_ciphersuites( void );
-
-/**
* \brief Return the name of the ciphersuite associated with the
* given ID
*
@@ -1315,6 +1537,85 @@
void *p_export_keys );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+/**
+ * \brief Configure asynchronous private key operation callbacks.
+ *
+ * \param conf SSL configuration context
+ * \param f_async_sign Callback to start a signature operation. See
+ * the description of ::mbedtls_ssl_async_sign_t
+ * for more information. This may be \c NULL if the
+ * external processor does not support any signature
+ * operation; in this case the private key object
+ * associated with the certificate will be used.
+ * \param f_async_decrypt Callback to start a decryption operation. See
+ * the description of ::mbedtls_ssl_async_decrypt_t
+ * for more information. This may be \c NULL if the
+ * external processor does not support any decryption
+ * operation; in this case the private key object
+ * associated with the certificate will be used.
+ * \param f_async_resume Callback to resume an asynchronous operation. See
+ * the description of ::mbedtls_ssl_async_resume_t
+ * for more information. This may not be \c NULL unless
+ * \p f_async_sign and \p f_async_decrypt are both
+ * \c NULL.
+ * \param f_async_cancel Callback to cancel an asynchronous operation. See
+ * the description of ::mbedtls_ssl_async_cancel_t
+ * for more information. This may be \c NULL if
+ * no cleanup is needed.
+ * \param config_data A pointer to configuration data which can be
+ * retrieved with
+ * mbedtls_ssl_conf_get_async_config_data(). The
+ * library stores this value without dereferencing it.
+ */
+void mbedtls_ssl_conf_async_private_cb( mbedtls_ssl_config *conf,
+ mbedtls_ssl_async_sign_t *f_async_sign,
+ mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+ mbedtls_ssl_async_resume_t *f_async_resume,
+ mbedtls_ssl_async_cancel_t *f_async_cancel,
+ void *config_data );
+
+/**
+ * \brief Retrieve the configuration data set by
+ * mbedtls_ssl_conf_async_private_cb().
+ *
+ * \param conf SSL configuration context
+ * \return The configuration data set by
+ * mbedtls_ssl_conf_async_private_cb().
+ */
+void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf );
+
+/**
+ * \brief Retrieve the asynchronous operation user context.
+ *
+ * \note This function may only be called while a handshake
+ * is in progress.
+ *
+ * \param ssl The SSL context to access.
+ *
+ * \return The asynchronous operation user context that was last
+ * set during the current handshake. If
+ * mbedtls_ssl_set_async_operation_data() has not yet been
+ * called during the current handshake, this function returns
+ * \c NULL.
+ */
+void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief Retrieve the asynchronous operation user context.
+ *
+ * \note This function may only be called while a handshake
+ * is in progress.
+ *
+ * \param ssl The SSL context to access.
+ * \param ctx The new value of the asynchronous operation user context.
+ * Call mbedtls_ssl_get_async_operation_data() later during the
+ * same handshake to retrieve this value.
+ */
+void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
+ void *ctx );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
/**
* \brief Callback type: generate a cookie
*
@@ -2125,7 +2426,8 @@
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/**
* \brief Set the maximum fragment length to emit and/or negotiate
- * (Default: MBEDTLS_SSL_MAX_CONTENT_LEN, usually 2^14 bytes)
+ * (Default: the smaller of MBEDTLS_SSL_IN_CONTENT_LEN and
+ * MBEDTLS_SSL_OUT_CONTENT_LEN, usually 2^14 bytes)
* (Server: set maximum fragment length to emit,
* usually negotiated by the client during handshake
* (Client: set maximum fragment length to emit *and*
@@ -2444,7 +2746,6 @@
* \brief Save session in order to resume it later (client-side only)
* Session data is copied to presented session structure.
*
- * \warning Currently, peer certificate is lost in the operation.
*
* \param ssl SSL context
* \param session session context
@@ -2452,7 +2753,18 @@
* \return 0 if successful,
* MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
* MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
- * arguments are otherwise invalid
+ * arguments are otherwise invalid.
+ *
+ * \note Only the server certificate is copied, and not the full chain,
+ * so you should not attempt to validate the certificate again
+ * by calling \c mbedtls_x509_crt_verify() on it.
+ * Instead, you should use the results from the verification
+ * in the original handshake by calling \c mbedtls_ssl_get_verify_result()
+ * after loading the session again into a new SSL context
+ * using \c mbedtls_ssl_set_session().
+ *
+ * \note Once the session object is not needed anymore, you should
+ * free it by calling \c mbedtls_ssl_session_free().
*
* \sa mbedtls_ssl_set_session()
*/
@@ -2614,17 +2926,19 @@
* or MBEDTLS_ERR_SSL_WANT_WRITE or MBEDTLS_ERR_SSL_WANT_READ,
* or another negative error code.
*
- * \note If this function returns something other than a positive value
- * or MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
- * the SSL context for reading or writing, and either free it or
- * call \c mbedtls_ssl_session_reset() on it before re-using it
- * for a new connection; the current connection must be closed.
+ * \note If this function returns something other than 0, a positive
+ * value or MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop
+ * using the SSL context for reading or writing, and either
+ * free it or call \c mbedtls_ssl_session_reset() on it before
+ * re-using it for a new connection; the current connection
+ * must be closed.
*
* \note When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ,
* it must be called later with the *same* arguments,
- * until it returns a positive value. When the function returns
- * MBEDTLS_ERR_SSL_WANT_WRITE there may be some partial
- * data in the output buffer, however this is not yet sent.
+ * until it returns a value greater that or equal to 0. When
+ * the function returns MBEDTLS_ERR_SSL_WANT_WRITE there may be
+ * some partial data in the output buffer, however this is not
+ * yet sent.
*
* \note If the requested length is greater than the maximum
* fragment length (either the built-in limit or the one set
@@ -2633,6 +2947,9 @@
* - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned.
* \c mbedtls_ssl_get_max_frag_len() may be used to query the
* active maximum fragment length.
+ *
+ * \note Attempting to write 0 bytes will result in an empty TLS
+ * application record being sent.
*/
int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len );
@@ -2725,6 +3042,9 @@
* \brief Free referenced items in an SSL session including the
* peer certificate and clear memory
*
+ * \note A session object can be freed even if the SSL context
+ * that was used to retrieve the session is still in use.
+ *
* \param session SSL session
*/
void mbedtls_ssl_session_free( mbedtls_ssl_session *session );
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index 1d2aabc..cda8b48 100644
--- a/include/mbedtls/ssl_ciphersuites.h
+++ b/include/mbedtls/ssl_ciphersuites.h
@@ -169,6 +169,45 @@
#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 0xC03A /**< Weak! No SSL3! */
#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 0xC03B /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 /**< TLS 1.2 */
+
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC074 /**< Not in SSL3! */
@@ -232,6 +271,15 @@
#define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 0xC0FF /**< experimental */
+/* RFC 7905 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE /**< TLS 1.2 */
+
/* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
* Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
*/
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 60b431a..d214703 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -143,32 +143,73 @@
#define MBEDTLS_SSL_PADDING_ADD 0
#endif
-#define MBEDTLS_SSL_PAYLOAD_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \
- + MBEDTLS_SSL_COMPRESSION_ADD \
- + MBEDTLS_MAX_IV_LENGTH \
- + MBEDTLS_SSL_MAC_ADD \
- + MBEDTLS_SSL_PADDING_ADD \
- )
+#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
+ MBEDTLS_MAX_IV_LENGTH + \
+ MBEDTLS_SSL_MAC_ADD + \
+ MBEDTLS_SSL_PADDING_ADD \
+ )
+
+#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+ ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
+
+#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+ ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
+
+/* Maximum length we can advertise as our max content length for
+ RFC 6066 max_fragment_length extension negotiation purposes
+ (the lesser of both sizes, if they are unequal.)
+ */
+#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
+ (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
+ ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
+ : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
+ )
/*
* Check that we obey the standard's message size bounds
*/
#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
-#error Bad configuration - record content too large.
+#error "Bad configuration - record content too large."
#endif
-#if MBEDTLS_SSL_PAYLOAD_LEN > 16384 + 2048
-#error Bad configuration - protected record payload too large.
+#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
#endif
+#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
+#endif
+
+#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - incoming protected record payload too large."
+#endif
+
+#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - outgoing protected record payload too large."
+#endif
+
+/* Calculate buffer sizes */
+
/* Note: Even though the TLS record header is only 5 bytes
long, we're internally using 8 bytes to store the
implicit sequence number. */
#define MBEDTLS_SSL_HEADER_LEN 13
-#define MBEDTLS_SSL_BUFFER_LEN \
- ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_PAYLOAD_LEN ) )
+#define MBEDTLS_SSL_IN_BUFFER_LEN \
+ ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
+
+#define MBEDTLS_SSL_OUT_BUFFER_LEN \
+ ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
+
+#ifdef MBEDTLS_ZLIB_SUPPORT
+/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
+#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
+ ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
+ ? MBEDTLS_SSL_IN_BUFFER_LEN \
+ : MBEDTLS_SSL_OUT_BUFFER_LEN \
+ )
+#endif
/*
* TLS extension flags (for extensions with outgoing ServerHello content
@@ -243,6 +284,7 @@
mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
@@ -307,6 +349,19 @@
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
int extended_ms; /*!< use Extended Master Secret? */
#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ /** Asynchronous operation context. This field is meant for use by the
+ * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
+ * mbedtls_ssl_config::f_async_decrypt_start,
+ * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
+ * The library does not use it internally. */
+ void *user_async_ctx;
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
};
/*
@@ -410,9 +465,9 @@
* \brief Free referenced items in an SSL handshake context and clear
* memory
*
- * \param handshake SSL handshake context
+ * \param ssl SSL context
*/
-void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake );
+void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
@@ -630,7 +685,13 @@
volatile unsigned char diff = 0;
for( i = 0; i < n; i++ )
- diff |= A[i] ^ B[i];
+ {
+ /* Read volatile data in order before computing diff.
+ * This avoids IAR compiler warning:
+ * 'the order of volatile accesses is undefined ..' */
+ unsigned char x = A[i], y = B[i];
+ diff |= x ^ y;
+ }
return( diff );
}
@@ -646,9 +707,9 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
- unsigned char *output,
- unsigned char *data, size_t data_len,
- mbedtls_md_type_t md_alg );
+ unsigned char *hash, size_t *hashlen,
+ unsigned char *data, size_t data_len,
+ mbedtls_md_type_t md_alg );
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
MBEDTLS_SSL_PROTO_TLS1_2 */
diff --git a/include/mbedtls/threading.h b/include/mbedtls/threading.h
index aeea5d0..c25daa5 100644
--- a/include/mbedtls/threading.h
+++ b/include/mbedtls/threading.h
@@ -99,9 +99,6 @@
#if defined(MBEDTLS_FS_IO)
extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
#endif
-#if defined(MBEDTLS_HAVE_TIME_DATE)
-extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
-#endif
#endif /* MBEDTLS_THREADING_C */
#ifdef __cplusplus
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index aa52ce2..c8050b9 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -39,7 +39,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 2
-#define MBEDTLS_VERSION_MINOR 9
+#define MBEDTLS_VERSION_MINOR 11
#define MBEDTLS_VERSION_PATCH 0
/**
@@ -47,9 +47,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x02090000
-#define MBEDTLS_VERSION_STRING "2.9.0"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.9.0"
+#define MBEDTLS_VERSION_NUMBER 0x020B0000
+#define MBEDTLS_VERSION_STRING "2.11.0"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.11.0"
#if defined(MBEDTLS_VERSION_C)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 6177ca2..70fff52 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -6,6 +6,7 @@
aes.c
aesni.c
arc4.c
+ aria.c
asn1parse.c
asn1write.c
base64.c
@@ -13,6 +14,8 @@
blowfish.c
camellia.c
ccm.c
+ chacha20.c
+ chachapoly.c
cipher.c
cipher_wrap.c
cmac.c
@@ -29,6 +32,7 @@
error.c
gcm.c
havege.c
+ hkdf.c
hmac_drbg.c
md.c
md2.c
@@ -36,6 +40,7 @@
md5.c
md_wrap.c
memory_buffer_alloc.c
+ nist_kw.c
oid.c
padlock.c
pem.c
@@ -47,6 +52,7 @@
pkwrite.c
platform.c
platform_util.c
+ poly1305.c
ripemd160.c
rsa.c
rsa_internal.c
@@ -96,6 +102,17 @@
set(libs ${libs} ws2_32)
endif(WIN32)
+if(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+ SET(CMAKE_C_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+ SET(CMAKE_CXX_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+ SET(CMAKE_C_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
+ SET(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
+endif()
+
+if(HAIKU)
+ set(libs ${libs} network)
+endif(HAIKU)
+
if(USE_PKCS11_HELPER_LIBRARY)
set(libs ${libs} pkcs11-helper)
endif(USE_PKCS11_HELPER_LIBRARY)
@@ -142,15 +159,15 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedcrypto SHARED ${src_crypto})
- set_target_properties(mbedcrypto PROPERTIES VERSION 2.9.0 SOVERSION 2)
+ set_target_properties(mbedcrypto PROPERTIES VERSION 2.11.0 SOVERSION 3)
target_link_libraries(mbedcrypto ${libs})
add_library(mbedx509 SHARED ${src_x509})
- set_target_properties(mbedx509 PROPERTIES VERSION 2.9.0 SOVERSION 0)
+ set_target_properties(mbedx509 PROPERTIES VERSION 2.11.0 SOVERSION 0)
target_link_libraries(mbedx509 ${libs} mbedcrypto)
add_library(mbedtls SHARED ${src_tls})
- set_target_properties(mbedtls PROPERTIES VERSION 2.9.0 SOVERSION 10)
+ set_target_properties(mbedtls PROPERTIES VERSION 2.11.0 SOVERSION 11)
target_link_libraries(mbedtls ${libs} mbedx509)
install(TARGETS mbedtls mbedx509 mbedcrypto
diff --git a/library/Makefile b/library/Makefile
index b155c72..ac88d4c 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -21,6 +21,10 @@
# if were running on Windows build for Windows
ifdef WINDOWS
WINDOWS_BUILD=1
+else ifeq ($(shell uname -s),Darwin)
+ifeq ($(AR),ar)
+APPLE_BUILD ?= 1
+endif
endif
# To compile as a shared library:
@@ -31,42 +35,56 @@
endif
endif
-SOEXT_TLS=so.10
+SOEXT_TLS=so.11
SOEXT_X509=so.0
-SOEXT_CRYPTO=so.2
-
-# Set DLEXT=dylib to compile as a shared library for Mac OS X
-DLEXT ?= so
+SOEXT_CRYPTO=so.3
# Set AR_DASH= (empty string) to use an ar implentation that does not accept
# the - prefix for command line options (e.g. llvm-ar)
AR_DASH ?= -
-# Windows shared library extension:
+ARFLAGS = $(AR_DASH)src
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
+ARFLAGS = $(AR_DASH)Src
+RLFLAGS = -no_warning_for_no_symbols -c
+RL ?= ranlib
+endif
+endif
+
+DLEXT ?= so
ifdef WINDOWS_BUILD
-DLEXT=dll
+# Windows shared library extension:
+DLEXT = dll
+else ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
+# Mac OS X shared library extension:
+DLEXT = dylib
+endif
endif
OBJS_CRYPTO= aes.o aesni.o arc4.o \
- asn1parse.o asn1write.o base64.o \
- bignum.o blowfish.o camellia.o \
- ccm.o cipher.o cipher_wrap.o \
+ aria.o asn1parse.o asn1write.o \
+ base64.o bignum.o blowfish.o \
+ camellia.o ccm.o chacha20.o \
+ chachapoly.o cipher.o cipher_wrap.o \
cmac.o ctr_drbg.o des.o \
dhm.o ecdh.o ecdsa.o \
ecjpake.o ecp.o \
ecp_curves.o entropy.o entropy_poll.o \
error.o gcm.o havege.o \
+ hkdf.o \
hmac_drbg.o md.o md2.o \
md4.o md5.o md_wrap.o \
- memory_buffer_alloc.o oid.o \
- padlock.o pem.o pk.o \
- pk_wrap.o pkcs12.o pkcs5.o \
- pkparse.o pkwrite.o platform.o \
- platform_util.o ripemd160.o rsa_internal.o \
- rsa.o sha1.o sha256.o \
- sha512.o threading.o timing.o \
- version.o version_features.o \
- xtea.o
+ memory_buffer_alloc.o nist_kw.o \
+ oid.o padlock.o pem.o \
+ pk.o pk_wrap.o pkcs12.o \
+ pkcs5.o pkparse.o pkwrite.o \
+ platform.o platform_util.o poly1305.o \
+ ripemd160.o rsa_internal.o rsa.o \
+ sha1.o sha256.o sha512.o \
+ threading.o timing.o version.o \
+ version_features.o xtea.o
OBJS_X509= certs.o pkcs11.o x509.o \
x509_create.o x509_crl.o x509_crt.o \
@@ -95,9 +113,13 @@
# tls
libmbedtls.a: $(OBJS_TLS)
echo " AR $@"
- $(AR) $(AR_DASH)rc $@ $(OBJS_TLS)
+ $(AR) $(ARFLAGS) $@ $(OBJS_TLS)
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
echo " RL $@"
- $(AR) $(AR_DASH)s $@
+ $(RL) $(RLFLAGS) $@
+endif
+endif
libmbedtls.$(SOEXT_TLS): $(OBJS_TLS) libmbedx509.so
echo " LD $@"
@@ -118,9 +140,13 @@
# x509
libmbedx509.a: $(OBJS_X509)
echo " AR $@"
- $(AR) $(AR_DASH)rc $@ $(OBJS_X509)
+ $(AR) $(ARFLAGS) $@ $(OBJS_X509)
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
echo " RL $@"
- $(AR) $(AR_DASH)s $@
+ $(RL) $(RLFLAGS) $@
+endif
+endif
libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so
echo " LD $@"
@@ -141,9 +167,13 @@
# crypto
libmbedcrypto.a: $(OBJS_CRYPTO)
echo " AR $@"
- $(AR) $(AR_DASH)rc $@ $(OBJS_CRYPTO)
+ $(AR) $(ARFLAGS) $@ $(OBJS_CRYPTO)
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
echo " RL $@"
- $(AR) $(AR_DASH)s $@
+ $(RL) $(RLFLAGS) $@
+endif
+endif
libmbedcrypto.$(SOEXT_CRYPTO): $(OBJS_CRYPTO)
echo " LD $@"
diff --git a/library/aes.c b/library/aes.c
index fea9b53..5c939bb 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -521,6 +521,20 @@
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
}
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
+{
+ mbedtls_aes_init( &ctx->crypt );
+ mbedtls_aes_init( &ctx->tweak );
+}
+
+void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
+{
+ mbedtls_aes_free( &ctx->crypt );
+ mbedtls_aes_free( &ctx->tweak );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
/*
* AES key schedule (encryption)
*/
@@ -702,6 +716,78 @@
return( ret );
}
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
+ unsigned int keybits,
+ const unsigned char **key1,
+ unsigned int *key1bits,
+ const unsigned char **key2,
+ unsigned int *key2bits )
+{
+ const unsigned int half_keybits = keybits / 2;
+ const unsigned int half_keybytes = half_keybits / 8;
+
+ switch( keybits )
+ {
+ case 256: break;
+ case 512: break;
+ default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+ }
+
+ *key1bits = half_keybits;
+ *key2bits = half_keybits;
+ *key1 = &key[0];
+ *key2 = &key[half_keybytes];
+
+ return 0;
+}
+
+int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret;
+ const unsigned char *key1, *key2;
+ unsigned int key1bits, key2bits;
+
+ ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
+ &key2, &key2bits );
+ if( ret != 0 )
+ return( ret );
+
+ /* Set the tweak key. Always set tweak key for the encryption mode. */
+ ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
+ if( ret != 0 )
+ return( ret );
+
+ /* Set crypt key for encryption. */
+ return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
+}
+
+int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
+ const unsigned char *key,
+ unsigned int keybits)
+{
+ int ret;
+ const unsigned char *key1, *key2;
+ unsigned int key1bits, key2bits;
+
+ ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
+ &key2, &key2bits );
+ if( ret != 0 )
+ return( ret );
+
+ /* Set the tweak key. Always set tweak key for encryption. */
+ ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
+ if( ret != 0 )
+ return( ret );
+
+ /* Set crypt key for decryption. */
+ return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
@@ -983,6 +1069,165 @@
}
#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+
+/* Endianess with 64 bits values */
+#ifndef GET_UINT64_LE
+#define GET_UINT64_LE(n,b,i) \
+{ \
+ (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
+ | ( (uint64_t) (b)[(i) + 6] << 48 ) \
+ | ( (uint64_t) (b)[(i) + 5] << 40 ) \
+ | ( (uint64_t) (b)[(i) + 4] << 32 ) \
+ | ( (uint64_t) (b)[(i) + 3] << 24 ) \
+ | ( (uint64_t) (b)[(i) + 2] << 16 ) \
+ | ( (uint64_t) (b)[(i) + 1] << 8 ) \
+ | ( (uint64_t) (b)[(i) ] ); \
+}
+#endif
+
+#ifndef PUT_UINT64_LE
+#define PUT_UINT64_LE(n,b,i) \
+{ \
+ (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
+ (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
+ (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
+ (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
+ (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
+ (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
+ (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
+ (b)[(i) ] = (unsigned char) ( (n) ); \
+}
+#endif
+
+typedef unsigned char mbedtls_be128[16];
+
+/*
+ * GF(2^128) multiplication function
+ *
+ * This function multiplies a field element by x in the polynomial field
+ * representation. It uses 64-bit word operations to gain speed but compensates
+ * for machine endianess and hence works correctly on both big and little
+ * endian machines.
+ */
+static void mbedtls_gf128mul_x_ble( unsigned char r[16],
+ const unsigned char x[16] )
+{
+ uint64_t a, b, ra, rb;
+
+ GET_UINT64_LE( a, x, 0 );
+ GET_UINT64_LE( b, x, 8 );
+
+ ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
+ rb = ( a >> 63 ) | ( b << 1 );
+
+ PUT_UINT64_LE( ra, r, 0 );
+ PUT_UINT64_LE( rb, r, 8 );
+}
+
+/*
+ * AES-XTS buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
+ int mode,
+ size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input,
+ unsigned char *output )
+{
+ int ret;
+ size_t blocks = length / 16;
+ size_t leftover = length % 16;
+ unsigned char tweak[16];
+ unsigned char prev_tweak[16];
+ unsigned char tmp[16];
+
+ /* Sectors must be at least 16 bytes. */
+ if( length < 16 )
+ return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+
+ /* NIST SP 80-38E disallows data units larger than 2**20 blocks. */
+ if( length > ( 1 << 20 ) * 16 )
+ return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+
+ /* Compute the tweak. */
+ ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
+ data_unit, tweak );
+ if( ret != 0 )
+ return( ret );
+
+ while( blocks-- )
+ {
+ size_t i;
+
+ if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
+ {
+ /* We are on the last block in a decrypt operation that has
+ * leftover bytes, so we need to use the next tweak for this block,
+ * and this tweak for the lefover bytes. Save the current tweak for
+ * the leftovers and then update the current tweak for use on this,
+ * the last full block. */
+ memcpy( prev_tweak, tweak, sizeof( tweak ) );
+ mbedtls_gf128mul_x_ble( tweak, tweak );
+ }
+
+ for( i = 0; i < 16; i++ )
+ tmp[i] = input[i] ^ tweak[i];
+
+ ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
+ if( ret != 0 )
+ return( ret );
+
+ for( i = 0; i < 16; i++ )
+ output[i] = tmp[i] ^ tweak[i];
+
+ /* Update the tweak for the next block. */
+ mbedtls_gf128mul_x_ble( tweak, tweak );
+
+ output += 16;
+ input += 16;
+ }
+
+ if( leftover )
+ {
+ /* If we are on the leftover bytes in a decrypt operation, we need to
+ * use the previous tweak for these bytes (as saved in prev_tweak). */
+ unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
+
+ /* We are now on the final part of the data unit, which doesn't divide
+ * evenly by 16. It's time for ciphertext stealing. */
+ size_t i;
+ unsigned char *prev_output = output - 16;
+
+ /* Copy ciphertext bytes from the previous block to our output for each
+ * byte of cyphertext we won't steal. At the same time, copy the
+ * remainder of the input for this final round (since the loop bounds
+ * are the same). */
+ for( i = 0; i < leftover; i++ )
+ {
+ output[i] = prev_output[i];
+ tmp[i] = input[i] ^ t[i];
+ }
+
+ /* Copy ciphertext bytes from the previous block for input in this
+ * round. */
+ for( ; i < 16; i++ )
+ tmp[i] = prev_output[i] ^ t[i];
+
+ ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
+ if( ret != 0 )
+ return ret;
+
+ /* Write the result back to the previous block, overriding the previous
+ * output we copied. */
+ for( i = 0; i < 16; i++ )
+ prev_output[i] = tmp[i] ^ t[i];
+ }
+
+ return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
#if defined(MBEDTLS_CIPHER_MODE_CFB)
/*
* AES-CFB128 buffer encryption/decryption
@@ -1061,7 +1306,41 @@
return( 0 );
}
-#endif /*MBEDTLS_CIPHER_MODE_CFB */
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB (Output Feedback Mode) buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[16],
+ const unsigned char *input,
+ unsigned char *output )
+{
+ int ret = 0;
+ size_t n = *iv_off;
+
+ while( length-- )
+ {
+ if( n == 0 )
+ {
+ ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+ if( ret != 0 )
+ goto exit;
+ }
+ *output++ = *input++ ^ iv[n];
+
+ n = ( n + 1 ) & 0x0F;
+ }
+
+ *iv_off = n;
+
+exit:
+ return( ret );
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
#if defined(MBEDTLS_CIPHER_MODE_CTR)
/*
@@ -1218,6 +1497,72 @@
};
#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB test vectors from:
+ *
+ * https://csrc.nist.gov/publications/detail/sp/800-38a/final
+ */
+static const unsigned char aes_test_ofb_key[3][32] =
+{
+ { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+ 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+ { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+ 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+ 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+ { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+ 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+ 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+ 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char aes_test_ofb_iv[16] =
+{
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_ofb_pt[64] =
+{
+ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+ 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+ 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+ 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+ 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+ 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+ 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+ 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_ofb_ct[3][64] =
+{
+ { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+ 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+ 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
+ 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
+ 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
+ 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
+ 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
+ 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
+ { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+ 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+ 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
+ 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
+ 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
+ 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
+ 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
+ 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
+ { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+ 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+ 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
+ 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
+ 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
+ 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
+ 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
+ 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
#if defined(MBEDTLS_CIPHER_MODE_CTR)
/*
* AES-CTR test vectors from:
@@ -1281,6 +1626,74 @@
{ 16, 32, 36 };
#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/*
+ * AES-XTS test vectors from:
+ *
+ * IEEE P1619/D16 Annex B
+ * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
+ * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
+ */
+static const unsigned char aes_test_xts_key[][32] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+ { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
+ 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+};
+
+static const unsigned char aes_test_xts_pt32[][32] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+ { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+};
+
+static const unsigned char aes_test_xts_ct32[][32] =
+{
+ { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
+ 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
+ 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
+ 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
+ { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
+ 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
+ 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
+ 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
+ { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
+ 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
+ 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
+ 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
+};
+
+static const unsigned char aes_test_xts_data_unit[][16] =
+{
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+};
+
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
/*
* Checkup routine
*/
@@ -1297,11 +1710,14 @@
#if defined(MBEDTLS_CIPHER_MODE_CBC)
unsigned char prv[16];
#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_OFB)
size_t offset;
#endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
int len;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
unsigned char nonce_counter[16];
unsigned char stream_block[16];
#endif
@@ -1509,6 +1925,69 @@
mbedtls_printf( "\n" );
#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ /*
+ * OFB mode
+ */
+ for( i = 0; i < 6; i++ )
+ {
+ u = i >> 1;
+ keybits = 128 + u * 64;
+ mode = i & 1;
+
+ if( verbose != 0 )
+ mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
+ ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+ memcpy( iv, aes_test_ofb_iv, 16 );
+ memcpy( key, aes_test_ofb_key[u], keybits / 8 );
+
+ offset = 0;
+ ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+ /*
+ * AES-192 is an optional feature that may be unavailable when
+ * there is an alternative underlying implementation i.e. when
+ * MBEDTLS_AES_ALT is defined.
+ */
+ if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
+ {
+ mbedtls_printf( "skipped\n" );
+ continue;
+ }
+ else if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ if( mode == MBEDTLS_AES_DECRYPT )
+ {
+ memcpy( buf, aes_test_ofb_ct[u], 64 );
+ aes_tests = aes_test_ofb_pt;
+ }
+ else
+ {
+ memcpy( buf, aes_test_ofb_pt, 64 );
+ aes_tests = aes_test_ofb_ct[u];
+ }
+
+ ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
+ if( ret != 0 )
+ goto exit;
+
+ if( memcmp( buf, aes_tests, 64 ) != 0 )
+ {
+ ret = 1;
+ goto exit;
+ }
+
+ if( verbose != 0 )
+ mbedtls_printf( "passed\n" );
+ }
+
+ if( verbose != 0 )
+ mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
#if defined(MBEDTLS_CIPHER_MODE_CTR)
/*
* CTR mode
@@ -1561,6 +2040,73 @@
mbedtls_printf( "\n" );
#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ {
+ static const int num_tests =
+ sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
+ mbedtls_aes_xts_context ctx_xts;
+
+ /*
+ * XTS mode
+ */
+ mbedtls_aes_xts_init( &ctx_xts );
+
+ for( i = 0; i < num_tests << 1; i++ )
+ {
+ const unsigned char *data_unit;
+ u = i >> 1;
+ mode = i & 1;
+
+ if( verbose != 0 )
+ mbedtls_printf( " AES-XTS-128 (%s): ",
+ ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+ memset( key, 0, sizeof( key ) );
+ memcpy( key, aes_test_xts_key[u], 32 );
+ data_unit = aes_test_xts_data_unit[u];
+
+ len = sizeof( *aes_test_xts_ct32 );
+
+ if( mode == MBEDTLS_AES_DECRYPT )
+ {
+ ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
+ if( ret != 0)
+ goto exit;
+ memcpy( buf, aes_test_xts_ct32[u], len );
+ aes_tests = aes_test_xts_pt32[u];
+ }
+ else
+ {
+ ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
+ if( ret != 0)
+ goto exit;
+ memcpy( buf, aes_test_xts_pt32[u], len );
+ aes_tests = aes_test_xts_ct32[u];
+ }
+
+
+ ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
+ buf, buf );
+ if( ret != 0 )
+ goto exit;
+
+ if( memcmp( buf, aes_tests, len ) != 0 )
+ {
+ ret = 1;
+ goto exit;
+ }
+
+ if( verbose != 0 )
+ mbedtls_printf( "passed\n" );
+ }
+
+ if( verbose != 0 )
+ mbedtls_printf( "\n" );
+
+ mbedtls_aes_xts_free( &ctx_xts );
+ }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
ret = 0;
exit:
diff --git a/library/aria.c b/library/aria.c
new file mode 100644
index 0000000..e9bcd6d
--- /dev/null
+++ b/library/aria.c
@@ -0,0 +1,1028 @@
+/*
+ * ARIA implementation
+ *
+ * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * This implementation is based on the following standards:
+ * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
+ * [2] https://tools.ietf.org/html/rfc5794
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+
+#include "mbedtls/aria.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+
+#include "mbedtls/platform_util.h"
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+ !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE( n, b, i ) \
+{ \
+ (n) = ( (uint32_t) (b)[(i) ] ) \
+ | ( (uint32_t) (b)[(i) + 1] << 8 ) \
+ | ( (uint32_t) (b)[(i) + 2] << 16 ) \
+ | ( (uint32_t) (b)[(i) + 3] << 24 ); \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE( n, b, i ) \
+{ \
+ (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
+ (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
+ (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
+ (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
+}
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
+ *
+ * This is submatrix P1 in [1] Appendix B.1
+ *
+ * Common compilers fail to translate this to minimal number of instructions,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev16 available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+ ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+ __ARM_ARCH >= 6
+static inline uint32_t aria_p1( uint32_t x )
+{
+ uint32_t r;
+ __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
+ return( r );
+}
+#define ARIA_P1 aria_p1
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+ ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p1( uint32_t x )
+{
+ uint32_t r;
+ __asm( "rev16 r, x" );
+ return( r );
+}
+#define ARIA_P1 aria_p1
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+ defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+/* I couldn't find an Intel equivalent of rev16, so two instructions */
+#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P1)
+#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
+ *
+ * This is submatrix P2 in [1] Appendix B.1
+ *
+ * Common compilers will translate this to a single instruction.
+ */
+#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
+
+/*
+ * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
+ *
+ * This is submatrix P3 in [1] Appendix B.1
+ *
+ * Some compilers fail to translate this to a single instruction,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+ ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+ __ARM_ARCH >= 6
+static inline uint32_t aria_p3( uint32_t x )
+{
+ uint32_t r;
+ __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
+ return( r );
+}
+#define ARIA_P3 aria_p3
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+ ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p3( uint32_t x )
+{
+ uint32_t r;
+ __asm( "rev r, x" );
+ return( r );
+}
+#define ARIA_P3 aria_p3
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+ defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+static inline uint32_t aria_p3( uint32_t x )
+{
+ __asm( "bswap %0" : "=r" (x) : "0" (x) );
+ return( x );
+}
+#define ARIA_P3 aria_p3
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P3)
+#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
+#endif
+
+/*
+ * ARIA Affine Transform
+ * (a, b, c, d) = state in/out
+ *
+ * If we denote the first byte of input by 0, ..., the last byte by f,
+ * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
+ *
+ * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
+ * rearrangements on adjacent pairs, output is:
+ *
+ * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
+ * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
+ * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
+ * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
+ * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
+ * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
+ * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
+ * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
+ *
+ * Note: another presentation of the A transform can be found as the first
+ * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
+ * The implementation below uses only P1 and P2 as they are sufficient.
+ */
+static inline void aria_a( uint32_t *a, uint32_t *b,
+ uint32_t *c, uint32_t *d )
+{
+ uint32_t ta, tb, tc;
+ ta = *b; // 4567
+ *b = *a; // 0123
+ *a = ARIA_P2( ta ); // 6745
+ tb = ARIA_P2( *d ); // efcd
+ *d = ARIA_P1( *c ); // 98ba
+ *c = ARIA_P1( tb ); // fedc
+ ta ^= *d; // 4567+98ba
+ tc = ARIA_P2( *b ); // 2301
+ ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
+ tb ^= ARIA_P2( *d ); // ba98+efcd
+ tc ^= ARIA_P1( *a ); // 2301+7654
+ *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
+ tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
+ *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
+ ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
+ *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
+ tc = ARIA_P2( tc ); // 0123+5476
+ *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
+}
+
+/*
+ * ARIA Substitution Layer SL1 / SL2
+ * (a, b, c, d) = state in/out
+ * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
+ *
+ * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
+ * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
+ */
+static inline void aria_sl( uint32_t *a, uint32_t *b,
+ uint32_t *c, uint32_t *d,
+ const uint8_t sa[256], const uint8_t sb[256],
+ const uint8_t sc[256], const uint8_t sd[256] )
+{
+ *a = ( (uint32_t) sa[ *a & 0xFF] ) ^
+ (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
+ (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
+ (((uint32_t) sd[ *a >> 24 ]) << 24);
+ *b = ( (uint32_t) sa[ *b & 0xFF] ) ^
+ (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
+ (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
+ (((uint32_t) sd[ *b >> 24 ]) << 24);
+ *c = ( (uint32_t) sa[ *c & 0xFF] ) ^
+ (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
+ (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
+ (((uint32_t) sd[ *c >> 24 ]) << 24);
+ *d = ( (uint32_t) sa[ *d & 0xFF] ) ^
+ (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
+ (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
+ (((uint32_t) sd[ *d >> 24 ]) << 24);
+}
+
+/*
+ * S-Boxes
+ */
+static const uint8_t aria_sb1[256] =
+{
+ 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
+ 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+ 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
+ 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+ 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
+ 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+ 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
+ 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+ 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
+ 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+ 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
+ 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+ 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
+ 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+ 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
+ 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+ 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
+ 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+ 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
+ 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+ 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
+ 0xB0, 0x54, 0xBB, 0x16
+};
+
+static const uint8_t aria_sb2[256] =
+{
+ 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
+ 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
+ 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
+ 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
+ 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
+ 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
+ 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
+ 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
+ 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
+ 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
+ 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
+ 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
+ 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
+ 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
+ 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
+ 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
+ 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
+ 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
+ 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
+ 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
+ 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
+ 0xAF, 0xBA, 0xB5, 0x81
+};
+
+static const uint8_t aria_is1[256] =
+{
+ 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
+ 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+ 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
+ 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+ 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
+ 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+ 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
+ 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+ 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
+ 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+ 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
+ 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+ 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
+ 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+ 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
+ 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+ 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
+ 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+ 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
+ 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+ 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
+ 0x55, 0x21, 0x0C, 0x7D
+};
+
+static const uint8_t aria_is2[256] =
+{
+ 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
+ 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
+ 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
+ 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
+ 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
+ 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
+ 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
+ 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
+ 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
+ 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
+ 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
+ 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
+ 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
+ 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
+ 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
+ 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
+ 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
+ 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
+ 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
+ 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
+ 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
+ 0x03, 0xA2, 0xAC, 0x60
+};
+
+/*
+ * Helper for key schedule: r = FO( p, k ) ^ x
+ */
+static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
+ const uint32_t k[4], const uint32_t x[4] )
+{
+ uint32_t a, b, c, d;
+
+ a = p[0] ^ k[0];
+ b = p[1] ^ k[1];
+ c = p[2] ^ k[2];
+ d = p[3] ^ k[3];
+
+ aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
+ aria_a( &a, &b, &c, &d );
+
+ r[0] = a ^ x[0];
+ r[1] = b ^ x[1];
+ r[2] = c ^ x[2];
+ r[3] = d ^ x[3];
+}
+
+/*
+ * Helper for key schedule: r = FE( p, k ) ^ x
+ */
+static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
+ const uint32_t k[4], const uint32_t x[4] )
+{
+ uint32_t a, b, c, d;
+
+ a = p[0] ^ k[0];
+ b = p[1] ^ k[1];
+ c = p[2] ^ k[2];
+ d = p[3] ^ k[3];
+
+ aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
+ aria_a( &a, &b, &c, &d );
+
+ r[0] = a ^ x[0];
+ r[1] = b ^ x[1];
+ r[2] = c ^ x[2];
+ r[3] = d ^ x[3];
+}
+
+/*
+ * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
+ *
+ * We chose to store bytes into 32-bit words in little-endian format (see
+ * GET/PUT_UINT32_LE) so we need to reverse bytes here.
+ */
+static void aria_rot128( uint32_t r[4], const uint32_t a[4],
+ const uint32_t b[4], uint8_t n )
+{
+ uint8_t i, j;
+ uint32_t t, u;
+
+ const uint8_t n1 = n % 32; // bit offset
+ const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
+
+ j = ( n / 32 ) % 4; // initial word offset
+ t = ARIA_P3( b[j] ); // big endian
+ for( i = 0; i < 4; i++ )
+ {
+ j = ( j + 1 ) % 4; // get next word, big endian
+ u = ARIA_P3( b[j] );
+ t <<= n1; // rotate
+ t |= u >> n2;
+ t = ARIA_P3( t ); // back to little endian
+ r[i] = a[i] ^ t; // store
+ t = u; // move to next word
+ }
+}
+
+/*
+ * Set encryption key
+ */
+int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
+ const unsigned char *key, unsigned int keybits )
+{
+ /* round constant masks */
+ const uint32_t rc[3][4] =
+ {
+ { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
+ { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
+ { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
+ };
+
+ int i;
+ uint32_t w[4][4], *w2;
+
+ if( keybits != 128 && keybits != 192 && keybits != 256 )
+ return( MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH );
+
+ /* Copy key to W0 (and potential remainder to W1) */
+ GET_UINT32_LE( w[0][0], key, 0 );
+ GET_UINT32_LE( w[0][1], key, 4 );
+ GET_UINT32_LE( w[0][2], key, 8 );
+ GET_UINT32_LE( w[0][3], key, 12 );
+
+ memset( w[1], 0, 16 );
+ if( keybits >= 192 )
+ {
+ GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
+ GET_UINT32_LE( w[1][1], key, 20 );
+ }
+ if( keybits == 256 )
+ {
+ GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
+ GET_UINT32_LE( w[1][3], key, 28 );
+ }
+
+ i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
+ ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
+
+ aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
+ i = i < 2 ? i + 1 : 0;
+ aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
+ i = i < 2 ? i + 1 : 0;
+ aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
+
+ for( i = 0; i < 4; i++ ) // create round keys
+ {
+ w2 = w[(i + 1) & 3];
+ aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
+ aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
+ aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
+ aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
+ }
+ aria_rot128( ctx->rk[16], w[0], w[1], 19 );
+
+ /* w holds enough info to reconstruct the round keys */
+ mbedtls_platform_zeroize( w, sizeof( w ) );
+
+ return( 0 );
+}
+
+/*
+ * Set decryption key
+ */
+int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
+ const unsigned char *key, unsigned int keybits )
+{
+ int i, j, k, ret;
+
+ ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
+ if( ret != 0 )
+ return( ret );
+
+ /* flip the order of round keys */
+ for( i = 0, j = ctx->nr; i < j; i++, j-- )
+ {
+ for( k = 0; k < 4; k++ )
+ {
+ uint32_t t = ctx->rk[i][k];
+ ctx->rk[i][k] = ctx->rk[j][k];
+ ctx->rk[j][k] = t;
+ }
+ }
+
+ /* apply affine transform to middle keys */
+ for( i = 1; i < ctx->nr; i++ )
+ {
+ aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
+ &ctx->rk[i][2], &ctx->rk[i][3] );
+ }
+
+ return( 0 );
+}
+
+/*
+ * Encrypt a block
+ */
+int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
+ const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
+{
+ int i;
+
+ uint32_t a, b, c, d;
+
+ GET_UINT32_LE( a, input, 0 );
+ GET_UINT32_LE( b, input, 4 );
+ GET_UINT32_LE( c, input, 8 );
+ GET_UINT32_LE( d, input, 12 );
+
+ i = 0;
+ while( 1 )
+ {
+ a ^= ctx->rk[i][0];
+ b ^= ctx->rk[i][1];
+ c ^= ctx->rk[i][2];
+ d ^= ctx->rk[i][3];
+ i++;
+
+ aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
+ aria_a( &a, &b, &c, &d );
+
+ a ^= ctx->rk[i][0];
+ b ^= ctx->rk[i][1];
+ c ^= ctx->rk[i][2];
+ d ^= ctx->rk[i][3];
+ i++;
+
+ aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
+ if( i >= ctx->nr )
+ break;
+ aria_a( &a, &b, &c, &d );
+ }
+
+ /* final key mixing */
+ a ^= ctx->rk[i][0];
+ b ^= ctx->rk[i][1];
+ c ^= ctx->rk[i][2];
+ d ^= ctx->rk[i][3];
+
+ PUT_UINT32_LE( a, output, 0 );
+ PUT_UINT32_LE( b, output, 4 );
+ PUT_UINT32_LE( c, output, 8 );
+ PUT_UINT32_LE( d, output, 12 );
+
+ return( 0 );
+}
+
+/* Initialize context */
+void mbedtls_aria_init( mbedtls_aria_context *ctx )
+{
+ memset( ctx, 0, sizeof( mbedtls_aria_context ) );
+}
+
+/* Clear context */
+void mbedtls_aria_free( mbedtls_aria_context *ctx )
+{
+ if( ctx == NULL )
+ return;
+
+ mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * ARIA-CBC buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output )
+{
+ int i;
+ unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
+
+ if( length % MBEDTLS_ARIA_BLOCKSIZE )
+ return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
+
+ if( mode == MBEDTLS_ARIA_DECRYPT )
+ {
+ while( length > 0 )
+ {
+ memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
+ mbedtls_aria_crypt_ecb( ctx, input, output );
+
+ for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
+ output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+ memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
+
+ input += MBEDTLS_ARIA_BLOCKSIZE;
+ output += MBEDTLS_ARIA_BLOCKSIZE;
+ length -= MBEDTLS_ARIA_BLOCKSIZE;
+ }
+ }
+ else
+ {
+ while( length > 0 )
+ {
+ for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
+ output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+ mbedtls_aria_crypt_ecb( ctx, output, output );
+ memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
+
+ input += MBEDTLS_ARIA_BLOCKSIZE;
+ output += MBEDTLS_ARIA_BLOCKSIZE;
+ length -= MBEDTLS_ARIA_BLOCKSIZE;
+ }
+ }
+
+ return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * ARIA-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
+ int mode,
+ size_t length,
+ size_t *iv_off,
+ unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output )
+{
+ unsigned char c;
+ size_t n = *iv_off;
+
+ if( mode == MBEDTLS_ARIA_DECRYPT )
+ {
+ while( length-- )
+ {
+ if( n == 0 )
+ mbedtls_aria_crypt_ecb( ctx, iv, iv );
+
+ c = *input++;
+ *output++ = c ^ iv[n];
+ iv[n] = c;
+
+ n = ( n + 1 ) & 0x0F;
+ }
+ }
+ else
+ {
+ while( length-- )
+ {
+ if( n == 0 )
+ mbedtls_aria_crypt_ecb( ctx, iv, iv );
+
+ iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+ n = ( n + 1 ) & 0x0F;
+ }
+ }
+
+ *iv_off = n;
+
+ return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * ARIA-CTR buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
+ size_t length,
+ size_t *nc_off,
+ unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+ unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+ const unsigned char *input,
+ unsigned char *output )
+{
+ int c, i;
+ size_t n = *nc_off;
+
+ while( length-- )
+ {
+ if( n == 0 ) {
+ mbedtls_aria_crypt_ecb( ctx, nonce_counter,
+ stream_block );
+
+ for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
+ if( ++nonce_counter[i - 1] != 0 )
+ break;
+ }
+ c = *input++;
+ *output++ = (unsigned char)( c ^ stream_block[n] );
+
+ n = ( n + 1 ) & 0x0F;
+ }
+
+ *nc_off = n;
+
+ return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_ARIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Basic ARIA ECB test vectors from RFC 5794
+ */
+static const uint8_t aria_test1_ecb_key[32] = // test key
+{
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
+ 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
+};
+
+static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
+{
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
+};
+
+static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
+{
+ { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
+ 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
+ { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
+ 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
+ { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
+ 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
+};
+
+/*
+ * Mode tests from "Test Vectors for ARIA" Version 1.0
+ * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
+ */
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_CTR))
+static const uint8_t aria_test2_key[32] =
+{
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
+};
+
+static const uint8_t aria_test2_pt[48] =
+{
+ 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
+ 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
+ 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
+};
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
+static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
+{
+ 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
+ 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
+};
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
+{
+ { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
+ 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
+ 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
+ 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
+ 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
+ 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
+ { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
+ 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
+ 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
+ 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
+ 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
+ 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
+ { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
+ 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
+ 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
+ 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
+ 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
+ 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
+{
+ { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
+ 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
+ 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
+ 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
+ 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
+ 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
+ { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
+ 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
+ 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
+ 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
+ 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
+ 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
+ { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
+ 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
+ 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
+ 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
+ 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
+ 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
+{
+ { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
+ 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
+ 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
+ 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
+ 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
+ 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
+ { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
+ 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
+ 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
+ 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
+ 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
+ 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
+ { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
+ 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
+ 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
+ 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
+ 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
+ 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#define ARIA_SELF_TEST_IF_FAIL \
+ { \
+ if( verbose ) \
+ printf( "failed\n" ); \
+ return( 1 ); \
+ } else { \
+ if( verbose ) \
+ printf( "passed\n" ); \
+ }
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aria_self_test( int verbose )
+{
+ int i;
+ uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
+ mbedtls_aria_context ctx;
+
+#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
+ size_t j;
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
+ defined(MBEDTLS_CIPHER_MODE_CFB) || \
+ defined(MBEDTLS_CIPHER_MODE_CTR))
+ uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
+#endif
+
+ /*
+ * Test set 1
+ */
+ for( i = 0; i < 3; i++ )
+ {
+ /* test ECB encryption */
+ if( verbose )
+ printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
+ mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
+ mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
+ if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
+ ARIA_SELF_TEST_IF_FAIL;
+
+ /* test ECB decryption */
+ if( verbose )
+ printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
+ mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
+ mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
+ if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
+ ARIA_SELF_TEST_IF_FAIL;
+ }
+ if( verbose )
+ printf( "\n" );
+
+ /*
+ * Test set 2
+ */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ for( i = 0; i < 3; i++ )
+ {
+ /* Test CBC encryption */
+ if( verbose )
+ printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
+ mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+ memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+ memset( buf, 0x55, sizeof( buf ) );
+ mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
+ aria_test2_pt, buf );
+ if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
+ ARIA_SELF_TEST_IF_FAIL;
+
+ /* Test CBC decryption */
+ if( verbose )
+ printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
+ mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
+ memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+ memset( buf, 0xAA, sizeof( buf ) );
+ mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
+ aria_test2_cbc_ct[i], buf );
+ if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+ ARIA_SELF_TEST_IF_FAIL;
+ }
+ if( verbose )
+ printf( "\n" );
+
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ for( i = 0; i < 3; i++ )
+ {
+ /* Test CFB encryption */
+ if( verbose )
+ printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
+ mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+ memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+ memset( buf, 0x55, sizeof( buf ) );
+ j = 0;
+ mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
+ aria_test2_pt, buf );
+ if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
+ ARIA_SELF_TEST_IF_FAIL;
+
+ /* Test CFB decryption */
+ if( verbose )
+ printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
+ mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+ memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+ memset( buf, 0xAA, sizeof( buf ) );
+ j = 0;
+ mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
+ iv, aria_test2_cfb_ct[i], buf );
+ if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+ ARIA_SELF_TEST_IF_FAIL;
+ }
+ if( verbose )
+ printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ for( i = 0; i < 3; i++ )
+ {
+ /* Test CTR encryption */
+ if( verbose )
+ printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
+ mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+ memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
+ memset( buf, 0x55, sizeof( buf ) );
+ j = 0;
+ mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
+ aria_test2_pt, buf );
+ if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
+ ARIA_SELF_TEST_IF_FAIL;
+
+ /* Test CTR decryption */
+ if( verbose )
+ printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
+ mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+ memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
+ memset( buf, 0xAA, sizeof( buf ) );
+ j = 0;
+ mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
+ aria_test2_ctr_ct[i], buf );
+ if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+ ARIA_SELF_TEST_IF_FAIL;
+ }
+ if( verbose )
+ printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+ return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARIA_C */
diff --git a/library/asn1write.c b/library/asn1write.c
index c01c836..72acdf3 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -83,7 +83,9 @@
return( 4 );
}
+#if SIZE_MAX > 0xFFFFFFFF
if( len <= 0xFFFFFFFF )
+#endif
{
if( *p - start < 5 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
@@ -96,7 +98,9 @@
return( 5 );
}
+#if SIZE_MAX > 0xFFFFFFFF
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+#endif
}
int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start, unsigned char tag )
diff --git a/library/ccm.c b/library/ccm.c
index cf65209..804eaf8 100644
--- a/library/ccm.c
+++ b/library/ccm.c
@@ -152,8 +152,10 @@
* Check length requirements: SP800-38C A.1
* Additional requirement: a < 2^16 - 2^8 to simplify the code.
* 'length' checked later (when writing it to the first block)
+ *
+ * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
*/
- if( tag_len < 4 || tag_len > 16 || tag_len % 2 != 0 )
+ if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
/* Also implies q is within bounds */
@@ -302,7 +304,7 @@
/*
* Authenticated encryption
*/
-int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
@@ -312,10 +314,23 @@
add, add_len, input, output, tag, tag_len ) );
}
+int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ unsigned char *tag, size_t tag_len )
+{
+ if( tag_len == 0 )
+ return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+ return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add,
+ add_len, input, output, tag, tag_len ) );
+}
+
/*
* Authenticated decryption
*/
-int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
@@ -346,6 +361,18 @@
return( 0 );
}
+int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *add, size_t add_len,
+ const unsigned char *input, unsigned char *output,
+ const unsigned char *tag, size_t tag_len )
+{
+ if( tag_len == 0 )
+ return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+ return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add,
+ add_len, input, output, tag, tag_len ) );
+}
#endif /* !MBEDTLS_CCM_ALT */
#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
diff --git a/library/chacha20.c b/library/chacha20.c
new file mode 100644
index 0000000..d14a51e
--- /dev/null
+++ b/library/chacha20.c
@@ -0,0 +1,570 @@
+/**
+ * \file chacha20.c
+ *
+ * \brief ChaCha20 cipher.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ *
+ * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+#include "mbedtls/chacha20.h"
+#include "mbedtls/platform_util.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+ !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define BYTES_TO_U32_LE( data, offset ) \
+ ( (uint32_t) data[offset] \
+ | (uint32_t) ( (uint32_t) data[( offset ) + 1] << 8 ) \
+ | (uint32_t) ( (uint32_t) data[( offset ) + 2] << 16 ) \
+ | (uint32_t) ( (uint32_t) data[( offset ) + 3] << 24 ) \
+ )
+
+#define ROTL32( value, amount ) \
+ ( (uint32_t) ( value << amount ) | ( value >> ( 32 - amount ) ) )
+
+#define CHACHA20_CTR_INDEX ( 12U )
+
+#define CHACHA20_BLOCK_SIZE_BYTES ( 4U * 16U )
+
+/**
+ * \brief ChaCha20 quarter round operation.
+ *
+ * The quarter round is defined as follows (from RFC 7539):
+ * 1. a += b; d ^= a; d <<<= 16;
+ * 2. c += d; b ^= c; b <<<= 12;
+ * 3. a += b; d ^= a; d <<<= 8;
+ * 4. c += d; b ^= c; b <<<= 7;
+ *
+ * \param state ChaCha20 state to modify.
+ * \param a The index of 'a' in the state.
+ * \param b The index of 'b' in the state.
+ * \param c The index of 'c' in the state.
+ * \param d The index of 'd' in the state.
+ */
+static inline void chacha20_quarter_round( uint32_t state[16],
+ size_t a,
+ size_t b,
+ size_t c,
+ size_t d )
+{
+ /* a += b; d ^= a; d <<<= 16; */
+ state[a] += state[b];
+ state[d] ^= state[a];
+ state[d] = ROTL32( state[d], 16 );
+
+ /* c += d; b ^= c; b <<<= 12 */
+ state[c] += state[d];
+ state[b] ^= state[c];
+ state[b] = ROTL32( state[b], 12 );
+
+ /* a += b; d ^= a; d <<<= 8; */
+ state[a] += state[b];
+ state[d] ^= state[a];
+ state[d] = ROTL32( state[d], 8 );
+
+ /* c += d; b ^= c; b <<<= 7; */
+ state[c] += state[d];
+ state[b] ^= state[c];
+ state[b] = ROTL32( state[b], 7 );
+}
+
+/**
+ * \brief Perform the ChaCha20 inner block operation.
+ *
+ * This function performs two rounds: the column round and the
+ * diagonal round.
+ *
+ * \param state The ChaCha20 state to update.
+ */
+static void chacha20_inner_block( uint32_t state[16] )
+{
+ chacha20_quarter_round( state, 0, 4, 8, 12 );
+ chacha20_quarter_round( state, 1, 5, 9, 13 );
+ chacha20_quarter_round( state, 2, 6, 10, 14 );
+ chacha20_quarter_round( state, 3, 7, 11, 15 );
+
+ chacha20_quarter_round( state, 0, 5, 10, 15 );
+ chacha20_quarter_round( state, 1, 6, 11, 12 );
+ chacha20_quarter_round( state, 2, 7, 8, 13 );
+ chacha20_quarter_round( state, 3, 4, 9, 14 );
+}
+
+/**
+ * \brief Generates a keystream block.
+ *
+ * \param initial_state The initial ChaCha20 state (key, nonce, counter).
+ * \param keystream Generated keystream bytes are written to this buffer.
+ */
+static void chacha20_block( const uint32_t initial_state[16],
+ unsigned char keystream[64] )
+{
+ uint32_t working_state[16];
+ size_t i;
+
+ memcpy( working_state,
+ initial_state,
+ CHACHA20_BLOCK_SIZE_BYTES );
+
+ for( i = 0U; i < 10U; i++ )
+ chacha20_inner_block( working_state );
+
+ working_state[ 0] += initial_state[ 0];
+ working_state[ 1] += initial_state[ 1];
+ working_state[ 2] += initial_state[ 2];
+ working_state[ 3] += initial_state[ 3];
+ working_state[ 4] += initial_state[ 4];
+ working_state[ 5] += initial_state[ 5];
+ working_state[ 6] += initial_state[ 6];
+ working_state[ 7] += initial_state[ 7];
+ working_state[ 8] += initial_state[ 8];
+ working_state[ 9] += initial_state[ 9];
+ working_state[10] += initial_state[10];
+ working_state[11] += initial_state[11];
+ working_state[12] += initial_state[12];
+ working_state[13] += initial_state[13];
+ working_state[14] += initial_state[14];
+ working_state[15] += initial_state[15];
+
+ for( i = 0U; i < 16; i++ )
+ {
+ size_t offset = i * 4U;
+
+ keystream[offset ] = (unsigned char)( working_state[i] );
+ keystream[offset + 1U] = (unsigned char)( working_state[i] >> 8 );
+ keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 );
+ keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 );
+ }
+
+ mbedtls_platform_zeroize( working_state, sizeof( working_state ) );
+}
+
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx )
+{
+ if( ctx != NULL )
+ {
+ mbedtls_platform_zeroize( ctx->state, sizeof( ctx->state ) );
+ mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+ /* Initially, there's no keystream bytes available */
+ ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+ }
+}
+
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx )
+{
+ if( ctx != NULL )
+ {
+ mbedtls_platform_zeroize( ctx, sizeof( mbedtls_chacha20_context ) );
+ }
+}
+
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+ const unsigned char key[32] )
+{
+ if( ( ctx == NULL ) || ( key == NULL ) )
+ {
+ return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ }
+
+ /* ChaCha20 constants - the string "expand 32-byte k" */
+ ctx->state[0] = 0x61707865;
+ ctx->state[1] = 0x3320646e;
+ ctx->state[2] = 0x79622d32;
+ ctx->state[3] = 0x6b206574;
+
+ /* Set key */
+ ctx->state[4] = BYTES_TO_U32_LE( key, 0 );
+ ctx->state[5] = BYTES_TO_U32_LE( key, 4 );
+ ctx->state[6] = BYTES_TO_U32_LE( key, 8 );
+ ctx->state[7] = BYTES_TO_U32_LE( key, 12 );
+ ctx->state[8] = BYTES_TO_U32_LE( key, 16 );
+ ctx->state[9] = BYTES_TO_U32_LE( key, 20 );
+ ctx->state[10] = BYTES_TO_U32_LE( key, 24 );
+ ctx->state[11] = BYTES_TO_U32_LE( key, 28 );
+
+ return( 0 );
+}
+
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+ const unsigned char nonce[12],
+ uint32_t counter )
+{
+ if( ( ctx == NULL ) || ( nonce == NULL ) )
+ {
+ return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ }
+
+ /* Counter */
+ ctx->state[12] = counter;
+
+ /* Nonce */
+ ctx->state[13] = BYTES_TO_U32_LE( nonce, 0 );
+ ctx->state[14] = BYTES_TO_U32_LE( nonce, 4 );
+ ctx->state[15] = BYTES_TO_U32_LE( nonce, 8 );
+
+ mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+ /* Initially, there's no keystream bytes available */
+ ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+
+ return( 0 );
+}
+
+int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
+ size_t size,
+ const unsigned char *input,
+ unsigned char *output )
+{
+ size_t offset = 0U;
+ size_t i;
+
+ if( ctx == NULL )
+ {
+ return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ }
+ else if( ( size > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) )
+ {
+ /* input and output pointers are allowed to be NULL only if size == 0 */
+ return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ }
+
+ /* Use leftover keystream bytes, if available */
+ while( size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES )
+ {
+ output[offset] = input[offset]
+ ^ ctx->keystream8[ctx->keystream_bytes_used];
+
+ ctx->keystream_bytes_used++;
+ offset++;
+ size--;
+ }
+
+ /* Process full blocks */
+ while( size >= CHACHA20_BLOCK_SIZE_BYTES )
+ {
+ /* Generate new keystream block and increment counter */
+ chacha20_block( ctx->state, ctx->keystream8 );
+ ctx->state[CHACHA20_CTR_INDEX]++;
+
+ for( i = 0U; i < 64U; i += 8U )
+ {
+ output[offset + i ] = input[offset + i ] ^ ctx->keystream8[i ];
+ output[offset + i+1] = input[offset + i+1] ^ ctx->keystream8[i+1];
+ output[offset + i+2] = input[offset + i+2] ^ ctx->keystream8[i+2];
+ output[offset + i+3] = input[offset + i+3] ^ ctx->keystream8[i+3];
+ output[offset + i+4] = input[offset + i+4] ^ ctx->keystream8[i+4];
+ output[offset + i+5] = input[offset + i+5] ^ ctx->keystream8[i+5];
+ output[offset + i+6] = input[offset + i+6] ^ ctx->keystream8[i+6];
+ output[offset + i+7] = input[offset + i+7] ^ ctx->keystream8[i+7];
+ }
+
+ offset += CHACHA20_BLOCK_SIZE_BYTES;
+ size -= CHACHA20_BLOCK_SIZE_BYTES;
+ }
+
+ /* Last (partial) block */
+ if( size > 0U )
+ {
+ /* Generate new keystream block and increment counter */
+ chacha20_block( ctx->state, ctx->keystream8 );
+ ctx->state[CHACHA20_CTR_INDEX]++;
+
+ for( i = 0U; i < size; i++)
+ {
+ output[offset + i] = input[offset + i] ^ ctx->keystream8[i];
+ }
+
+ ctx->keystream_bytes_used = size;
+
+ }
+
+ return( 0 );
+}
+
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+ const unsigned char nonce[12],
+ uint32_t counter,
+ size_t data_len,
+ const unsigned char* input,
+ unsigned char* output )
+{
+ mbedtls_chacha20_context ctx;
+ int ret;
+
+ mbedtls_chacha20_init( &ctx );
+
+ ret = mbedtls_chacha20_setkey( &ctx, key );
+ if( ret != 0 )
+ goto cleanup;
+
+ ret = mbedtls_chacha20_starts( &ctx, nonce, counter );
+ if( ret != 0 )
+ goto cleanup;
+
+ ret = mbedtls_chacha20_update( &ctx, data_len, input, output );
+
+cleanup:
+ mbedtls_chacha20_free( &ctx );
+ return( ret );
+}
+
+#endif /* !MBEDTLS_CHACHA20_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+ }
+};
+
+static const unsigned char test_nonces[2][12] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x02
+ }
+};
+
+static const uint32_t test_counters[2] =
+{
+ 0U,
+ 1U
+};
+
+static const unsigned char test_input[2][375] =
+{
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ },
+ {
+ 0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
+ 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
+ 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
+ 0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
+ 0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
+ 0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
+ 0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
+ 0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
+ 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
+ 0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
+ 0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
+ 0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
+ 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+ 0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
+ 0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
+ 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+ 0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
+ 0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
+ 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+ 0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
+ 0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
+ 0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
+ 0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
+ 0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
+ 0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
+ 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
+ 0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
+ 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+ 0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
+ 0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
+ 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+ 0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
+ 0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
+ 0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
+ 0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
+ 0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
+ 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
+ 0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
+ 0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
+ 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
+ 0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
+ 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
+ 0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
+ 0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
+ 0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
+ 0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f
+ }
+};
+
+static const unsigned char test_output[2][375] =
+{
+ {
+ 0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
+ 0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28,
+ 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a,
+ 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7,
+ 0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d,
+ 0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37,
+ 0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c,
+ 0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86
+ },
+ {
+ 0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde,
+ 0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70,
+ 0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd,
+ 0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec,
+ 0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15,
+ 0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05,
+ 0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f,
+ 0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d,
+ 0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa,
+ 0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e,
+ 0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7,
+ 0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50,
+ 0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05,
+ 0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c,
+ 0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05,
+ 0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a,
+ 0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0,
+ 0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66,
+ 0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4,
+ 0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d,
+ 0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91,
+ 0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28,
+ 0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87,
+ 0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b,
+ 0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2,
+ 0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f,
+ 0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76,
+ 0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c,
+ 0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b,
+ 0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84,
+ 0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd,
+ 0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b,
+ 0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe,
+ 0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0,
+ 0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80,
+ 0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f,
+ 0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3,
+ 0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62,
+ 0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91,
+ 0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6,
+ 0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64,
+ 0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85,
+ 0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41,
+ 0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab,
+ 0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba,
+ 0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd,
+ 0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21
+ }
+};
+
+static const size_t test_lengths[2] =
+{
+ 64U,
+ 375U
+};
+
+#define ASSERT( cond, args ) \
+ do \
+ { \
+ if( ! ( cond ) ) \
+ { \
+ if( verbose != 0 ) \
+ mbedtls_printf args; \
+ \
+ return( -1 ); \
+ } \
+ } \
+ while( 0 )
+
+int mbedtls_chacha20_self_test( int verbose )
+{
+ unsigned char output[381];
+ unsigned i;
+ int ret;
+
+ for( i = 0U; i < 2U; i++ )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( " ChaCha20 test %u ", i );
+
+ ret = mbedtls_chacha20_crypt( test_keys[i],
+ test_nonces[i],
+ test_counters[i],
+ test_lengths[i],
+ test_input[i],
+ output );
+
+ ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
+
+ ASSERT( 0 == memcmp( output, test_output[i], test_lengths[i] ),
+ ( "failed (output)\n" ) );
+
+ if( verbose != 0 )
+ mbedtls_printf( "passed\n" );
+ }
+
+ if( verbose != 0 )
+ mbedtls_printf( "\n" );
+
+ return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_CHACHA20_C */
diff --git a/library/chachapoly.c b/library/chachapoly.c
new file mode 100644
index 0000000..860f877
--- /dev/null
+++ b/library/chachapoly.c
@@ -0,0 +1,547 @@
+/**
+ * \file chachapoly.c
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+#define CHACHAPOLY_STATE_INIT ( 0 )
+#define CHACHAPOLY_STATE_AAD ( 1 )
+#define CHACHAPOLY_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
+#define CHACHAPOLY_STATE_FINISHED ( 3 )
+
+/**
+ * \brief Adds nul bytes to pad the AAD for Poly1305.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_aad( mbedtls_chachapoly_context *ctx )
+{
+ uint32_t partial_block_len = (uint32_t) ( ctx->aad_len % 16U );
+ unsigned char zeroes[15];
+
+ if( partial_block_len == 0U )
+ return( 0 );
+
+ memset( zeroes, 0, sizeof( zeroes ) );
+
+ return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
+ zeroes,
+ 16U - partial_block_len ) );
+}
+
+/**
+ * \brief Adds nul bytes to pad the ciphertext for Poly1305.
+ *
+ * \param ctx The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx )
+{
+ uint32_t partial_block_len = (uint32_t) ( ctx->ciphertext_len % 16U );
+ unsigned char zeroes[15];
+
+ if( partial_block_len == 0U )
+ return( 0 );
+
+ memset( zeroes, 0, sizeof( zeroes ) );
+ return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
+ zeroes,
+ 16U - partial_block_len ) );
+}
+
+void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx )
+{
+ if( ctx != NULL )
+ {
+ mbedtls_chacha20_init( &ctx->chacha20_ctx );
+ mbedtls_poly1305_init( &ctx->poly1305_ctx );
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = CHACHAPOLY_STATE_INIT;
+ ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
+ }
+}
+
+void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx )
+{
+ if( ctx != NULL )
+ {
+ mbedtls_chacha20_free( &ctx->chacha20_ctx );
+ mbedtls_poly1305_free( &ctx->poly1305_ctx );
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = CHACHAPOLY_STATE_INIT;
+ ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
+ }
+}
+
+int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
+ const unsigned char key[32] )
+{
+ int ret;
+
+ if( ( ctx == NULL ) || ( key == NULL ) )
+ {
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+
+ ret = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
+
+ return( ret );
+}
+
+int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
+ const unsigned char nonce[12],
+ mbedtls_chachapoly_mode_t mode )
+{
+ int ret;
+ unsigned char poly1305_key[64];
+
+ if( ( ctx == NULL ) || ( nonce == NULL ) )
+ {
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+
+ /* Set counter = 0, will be update to 1 when generating Poly1305 key */
+ ret = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U );
+ if( ret != 0 )
+ goto cleanup;
+
+ /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
+ * counter = 0. This is the same as encrypting a buffer of zeroes.
+ * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
+ * The other 256 bits are discarded.
+ */
+ memset( poly1305_key, 0, sizeof( poly1305_key ) );
+ ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ),
+ poly1305_key, poly1305_key );
+ if( ret != 0 )
+ goto cleanup;
+
+ ret = mbedtls_poly1305_starts( &ctx->poly1305_ctx, poly1305_key );
+
+ if( ret == 0 )
+ {
+ ctx->aad_len = 0U;
+ ctx->ciphertext_len = 0U;
+ ctx->state = CHACHAPOLY_STATE_AAD;
+ ctx->mode = mode;
+ }
+
+cleanup:
+ mbedtls_platform_zeroize( poly1305_key, 64U );
+ return( ret );
+}
+
+int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
+ const unsigned char *aad,
+ size_t aad_len )
+{
+ if( ctx == NULL )
+ {
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+ else if( ( aad_len > 0U ) && ( aad == NULL ) )
+ {
+ /* aad pointer is allowed to be NULL if aad_len == 0 */
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+ else if( ctx->state != CHACHAPOLY_STATE_AAD )
+ {
+ return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+ }
+
+ ctx->aad_len += aad_len;
+
+ return( mbedtls_poly1305_update( &ctx->poly1305_ctx, aad, aad_len ) );
+}
+
+int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
+ size_t len,
+ const unsigned char *input,
+ unsigned char *output )
+{
+ int ret;
+
+ if( ctx == NULL )
+ {
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+ else if( ( len > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) )
+ {
+ /* input and output pointers are allowed to be NULL if len == 0 */
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+ else if( ( ctx->state != CHACHAPOLY_STATE_AAD ) &&
+ ( ctx->state != CHACHAPOLY_STATE_CIPHERTEXT ) )
+ {
+ return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+ }
+
+ if( ctx->state == CHACHAPOLY_STATE_AAD )
+ {
+ ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
+
+ ret = chachapoly_pad_aad( ctx );
+ if( ret != 0 )
+ return( ret );
+ }
+
+ ctx->ciphertext_len += len;
+
+ if( ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT )
+ {
+ ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, output, len );
+ if( ret != 0 )
+ return( ret );
+ }
+ else /* DECRYPT */
+ {
+ ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, input, len );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+ if( ret != 0 )
+ return( ret );
+ }
+
+ return( 0 );
+}
+
+int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
+ unsigned char mac[16] )
+{
+ int ret;
+ unsigned char len_block[16];
+
+ if( ( ctx == NULL ) || ( mac == NULL ) )
+ {
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+ else if( ctx->state == CHACHAPOLY_STATE_INIT )
+ {
+ return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+ }
+
+ if( ctx->state == CHACHAPOLY_STATE_AAD )
+ {
+ ret = chachapoly_pad_aad( ctx );
+ if( ret != 0 )
+ return( ret );
+ }
+ else if( ctx->state == CHACHAPOLY_STATE_CIPHERTEXT )
+ {
+ ret = chachapoly_pad_ciphertext( ctx );
+ if( ret != 0 )
+ return( ret );
+ }
+
+ ctx->state = CHACHAPOLY_STATE_FINISHED;
+
+ /* The lengths of the AAD and ciphertext are processed by
+ * Poly1305 as the final 128-bit block, encoded as little-endian integers.
+ */
+ len_block[ 0] = (unsigned char)( ctx->aad_len );
+ len_block[ 1] = (unsigned char)( ctx->aad_len >> 8 );
+ len_block[ 2] = (unsigned char)( ctx->aad_len >> 16 );
+ len_block[ 3] = (unsigned char)( ctx->aad_len >> 24 );
+ len_block[ 4] = (unsigned char)( ctx->aad_len >> 32 );
+ len_block[ 5] = (unsigned char)( ctx->aad_len >> 40 );
+ len_block[ 6] = (unsigned char)( ctx->aad_len >> 48 );
+ len_block[ 7] = (unsigned char)( ctx->aad_len >> 56 );
+ len_block[ 8] = (unsigned char)( ctx->ciphertext_len );
+ len_block[ 9] = (unsigned char)( ctx->ciphertext_len >> 8 );
+ len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 );
+ len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 );
+ len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 );
+ len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 );
+ len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 );
+ len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 );
+
+ ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, len_block, 16U );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac );
+
+ return( ret );
+}
+
+static int chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
+ mbedtls_chachapoly_mode_t mode,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char tag[16] )
+{
+ int ret;
+
+ ret = mbedtls_chachapoly_starts( ctx, nonce, mode );
+ if( ret != 0 )
+ goto cleanup;
+
+ ret = mbedtls_chachapoly_update_aad( ctx, aad, aad_len );
+ if( ret != 0 )
+ goto cleanup;
+
+ ret = mbedtls_chachapoly_update( ctx, length, input, output );
+ if( ret != 0 )
+ goto cleanup;
+
+ ret = mbedtls_chachapoly_finish( ctx, tag );
+
+cleanup:
+ return( ret );
+}
+
+int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char *input,
+ unsigned char *output,
+ unsigned char tag[16] )
+{
+ return( chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
+ length, nonce, aad, aad_len,
+ input, output, tag ) );
+}
+
+int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
+ size_t length,
+ const unsigned char nonce[12],
+ const unsigned char *aad,
+ size_t aad_len,
+ const unsigned char tag[16],
+ const unsigned char *input,
+ unsigned char *output )
+{
+ int ret;
+ unsigned char check_tag[16];
+ size_t i;
+ int diff;
+
+ if( tag == NULL )
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+ if( ( ret = chachapoly_crypt_and_tag( ctx,
+ MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
+ aad, aad_len, input, output, check_tag ) ) != 0 )
+ {
+ return( ret );
+ }
+
+ /* Check tag in "constant-time" */
+ for( diff = 0, i = 0; i < sizeof( check_tag ); i++ )
+ diff |= tag[i] ^ check_tag[i];
+
+ if( diff != 0 )
+ {
+ mbedtls_platform_zeroize( output, length );
+ return( MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED );
+ }
+
+ return( 0 );
+}
+
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_key[1][32] =
+{
+ {
+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+ }
+};
+
+static const unsigned char test_nonce[1][12] =
+{
+ {
+ 0x07, 0x00, 0x00, 0x00, /* 32-bit common part */
+ 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */
+ }
+};
+
+static const unsigned char test_aad[1][12] =
+{
+ {
+ 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
+ 0xc4, 0xc5, 0xc6, 0xc7
+ }
+};
+
+static const size_t test_aad_len[1] =
+{
+ 12U
+};
+
+static const unsigned char test_input[1][114] =
+{
+ {
+ 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
+ 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
+ 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
+ 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
+ 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+ 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
+ 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
+ 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
+ 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
+ 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
+ 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+ 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+ 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
+ 0x74, 0x2e
+ }
+};
+
+static const unsigned char test_output[1][114] =
+{
+ {
+ 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
+ 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
+ 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+ 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
+ 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
+ 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+ 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
+ 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
+ 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+ 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
+ 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
+ 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+ 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+ 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
+ 0x61, 0x16
+ }
+};
+
+static const size_t test_input_len[1] =
+{
+ 114U
+};
+
+static const unsigned char test_mac[1][16] =
+{
+ {
+ 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
+ 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
+ }
+};
+
+#define ASSERT( cond, args ) \
+ do \
+ { \
+ if( ! ( cond ) ) \
+ { \
+ if( verbose != 0 ) \
+ mbedtls_printf args; \
+ \
+ return( -1 ); \
+ } \
+ } \
+ while( 0 )
+
+int mbedtls_chachapoly_self_test( int verbose )
+{
+ mbedtls_chachapoly_context ctx;
+ unsigned i;
+ int ret;
+ unsigned char output[200];
+ unsigned char mac[16];
+
+ for( i = 0U; i < 1U; i++ )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( " ChaCha20-Poly1305 test %u ", i );
+
+ mbedtls_chachapoly_init( &ctx );
+
+ ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
+ ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) );
+
+ ret = mbedtls_chachapoly_encrypt_and_tag( &ctx,
+ test_input_len[i],
+ test_nonce[i],
+ test_aad[i],
+ test_aad_len[i],
+ test_input[i],
+ output,
+ mac );
+
+ ASSERT( 0 == ret, ( "crypt_and_tag() error code: %i\n", ret ) );
+
+ ASSERT( 0 == memcmp( output, test_output[i], test_input_len[i] ),
+ ( "failure (wrong output)\n" ) );
+
+ ASSERT( 0 == memcmp( mac, test_mac[i], 16U ),
+ ( "failure (wrong MAC)\n" ) );
+
+ mbedtls_chachapoly_free( &ctx );
+
+ if( verbose != 0 )
+ mbedtls_printf( "passed\n" );
+ }
+
+ if( verbose != 0 )
+ mbedtls_printf( "\n" );
+
+ return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CHACHAPOLY_C */
diff --git a/library/cipher.c b/library/cipher.c
index a5cd61c..7ae6c4a 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -38,6 +38,10 @@
#include <stdlib.h>
#include <string.h>
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
#if defined(MBEDTLS_GCM_C)
#include "mbedtls/gcm.h"
#endif
@@ -46,6 +50,10 @@
#include "mbedtls/ccm.h"
#endif
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
#if defined(MBEDTLS_CMAC_C)
#include "mbedtls/cmac.h"
#endif
@@ -57,9 +65,25 @@
#define mbedtls_free free
#endif
-#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
-#define MBEDTLS_CIPHER_MODE_STREAM
-#endif
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/* Compare the contents of two buffers in constant time.
+ * Returns 0 if the contents are bitwise identical, otherwise returns
+ * a non-zero value.
+ * This is currently only used by GCM and ChaCha20+Poly1305.
+ */
+static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len )
+{
+ const unsigned char *p1 = (const unsigned char*) v1;
+ const unsigned char *p2 = (const unsigned char*) v2;
+ size_t i;
+ unsigned char diff;
+
+ for( diff = 0, i = 0; i < len; i++ )
+ diff |= p1[i] ^ p2[i];
+
+ return (int)diff;
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
static int supported_init = 0;
@@ -191,10 +215,11 @@
ctx->operation = operation;
/*
- * For CFB and CTR mode always use the encryption key schedule
+ * For OFB, CFB and CTR mode always use the encryption key schedule
*/
if( MBEDTLS_ENCRYPT == operation ||
MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+ MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
{
return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
@@ -231,6 +256,18 @@
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
}
+#if defined(MBEDTLS_CHACHA20_C)
+ if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
+ {
+ if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
+ iv,
+ 0U ) ) /* Initial counter value */
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+ }
+#endif
+
memcpy( ctx->iv, iv, actual_iv_size );
ctx->iv_size = actual_iv_size;
@@ -247,22 +284,45 @@
return( 0 );
}
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
const unsigned char *ad, size_t ad_len )
{
if( NULL == ctx || NULL == ctx->cipher_info )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+#if defined(MBEDTLS_GCM_C)
if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
{
return mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
ctx->iv, ctx->iv_size, ad, ad_len );
}
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ int result;
+ mbedtls_chachapoly_mode_t mode;
+
+ mode = ( ctx->operation == MBEDTLS_ENCRYPT )
+ ? MBEDTLS_CHACHAPOLY_ENCRYPT
+ : MBEDTLS_CHACHAPOLY_DECRYPT;
+
+ result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+ ctx->iv,
+ mode );
+ if ( result != 0 )
+ return( result );
+
+ return mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+ ad, ad_len );
+ }
+#endif
return( 0 );
}
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
size_t ilen, unsigned char *output, size_t *olen )
@@ -303,6 +363,15 @@
}
#endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
+ {
+ *olen = ilen;
+ return mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+ ilen, input, output );
+ }
+#endif
+
if ( 0 == block_size )
{
return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
@@ -424,6 +493,21 @@
}
#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
+ {
+ if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
+ ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
+ {
+ return( ret );
+ }
+
+ *olen = ilen;
+
+ return( 0 );
+ }
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
#if defined(MBEDTLS_CIPHER_MODE_CTR)
if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
{
@@ -440,6 +524,27 @@
}
#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
+ {
+ if( ctx->unprocessed_len > 0 ) {
+ /* We can only process an entire data unit at a time. */
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+ }
+
+ ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
+ ctx->operation, ilen, ctx->iv, input, output );
+ if( ret != 0 )
+ {
+ return( ret );
+ }
+
+ *olen = ilen;
+
+ return( 0 );
+ }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
{
@@ -639,13 +744,21 @@
*olen = 0;
if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+ MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
+ MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
{
return( 0 );
}
+ if ( ( MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type ) ||
+ ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
+ {
+ return( 0 );
+ }
+
if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
{
if( ctx->unprocessed_len != 0 )
@@ -757,7 +870,7 @@
}
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
unsigned char *tag, size_t tag_len )
{
@@ -767,8 +880,22 @@
if( MBEDTLS_ENCRYPT != ctx->operation )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+#if defined(MBEDTLS_GCM_C)
if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
return mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len );
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ /* Don't allow truncated MAC for Poly1305 */
+ if ( tag_len != 16U )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ return mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+ tag );
+ }
+#endif
return( 0 );
}
@@ -776,6 +903,7 @@
int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
const unsigned char *tag, size_t tag_len )
{
+ unsigned char check_tag[16];
int ret;
if( NULL == ctx || NULL == ctx->cipher_info ||
@@ -784,12 +912,9 @@
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
}
+#if defined(MBEDTLS_GCM_C)
if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
{
- unsigned char check_tag[16];
- size_t i;
- int diff;
-
if( tag_len > sizeof( check_tag ) )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
@@ -800,18 +925,38 @@
}
/* Check the tag in "constant-time" */
- for( diff = 0, i = 0; i < tag_len; i++ )
- diff |= tag[i] ^ check_tag[i];
-
- if( diff != 0 )
+ if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
return( 0 );
}
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ /* Don't allow truncated MAC for Poly1305 */
+ if ( tag_len != sizeof( check_tag ) )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ ret = mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+ check_tag );
+ if ( ret != 0 )
+ {
+ return( ret );
+ }
+
+ /* Check the tag in "constant-time" */
+ if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
+ return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+
+ return( 0 );
+ }
+#endif /* MBEDTLS_CHACHAPOLY_C */
return( 0 );
}
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
/*
* Packet-oriented wrapper for non-AEAD modes
@@ -870,6 +1015,21 @@
tag, tag_len ) );
}
#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ /* ChachaPoly has fixed length nonce and MAC (tag) */
+ if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+ ( tag_len != 16U ) )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ *olen = ilen;
+ return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
+ ilen, iv, ad, ad_len, input, output, tag ) );
+ }
+#endif /* MBEDTLS_CHACHAPOLY_C */
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
@@ -916,6 +1076,28 @@
return( ret );
}
#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+ {
+ int ret;
+
+ /* ChachaPoly has fixed length nonce and MAC (tag) */
+ if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+ ( tag_len != 16U ) )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ *olen = ilen;
+ ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
+ iv, ad, ad_len, tag, input, output );
+
+ if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+ return( ret );
+ }
+#endif /* MBEDTLS_CHACHAPOLY_C */
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c
index dc76af8..893490a 100644
--- a/library/cipher_wrap.c
+++ b/library/cipher_wrap.c
@@ -33,6 +33,10 @@
#include "mbedtls/cipher_internal.h"
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
#if defined(MBEDTLS_AES_C)
#include "mbedtls/aes.h"
#endif
@@ -45,6 +49,10 @@
#include "mbedtls/camellia.h"
#endif
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
#if defined(MBEDTLS_DES_C)
#include "mbedtls/des.h"
#endif
@@ -53,6 +61,10 @@
#include "mbedtls/blowfish.h"
#endif
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
#if defined(MBEDTLS_GCM_C)
#include "mbedtls/gcm.h"
#endif
@@ -138,6 +150,15 @@
}
#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static int aes_crypt_ofb_wrap( void *ctx, size_t length, size_t *iv_off,
+ unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+ return mbedtls_aes_crypt_ofb( (mbedtls_aes_context *) ctx, length, iv_off,
+ iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
#if defined(MBEDTLS_CIPHER_MODE_CTR)
static int aes_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
unsigned char *nonce_counter, unsigned char *stream_block,
@@ -148,6 +169,33 @@
}
#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int aes_crypt_xts_wrap( void *ctx, mbedtls_operation_t operation,
+ size_t length,
+ const unsigned char data_unit[16],
+ const unsigned char *input,
+ unsigned char *output )
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+ int mode;
+
+ switch( operation )
+ {
+ case MBEDTLS_ENCRYPT:
+ mode = MBEDTLS_AES_ENCRYPT;
+ break;
+ case MBEDTLS_DECRYPT:
+ mode = MBEDTLS_AES_DECRYPT;
+ break;
+ default:
+ return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ }
+
+ return mbedtls_aes_crypt_xts( xts_ctx, mode, length,
+ data_unit, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
static int aes_setkey_dec_wrap( void *ctx, const unsigned char *key,
unsigned int key_bitlen )
{
@@ -187,9 +235,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
aes_crypt_cfb128_wrap,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ aes_crypt_ofb_wrap,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
aes_crypt_ctr_wrap,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -302,6 +356,41 @@
};
#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static const mbedtls_cipher_info_t aes_128_ofb_info = {
+ MBEDTLS_CIPHER_AES_128_OFB,
+ MBEDTLS_MODE_OFB,
+ 128,
+ "AES-128-OFB",
+ 16,
+ 0,
+ 16,
+ &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ofb_info = {
+ MBEDTLS_CIPHER_AES_192_OFB,
+ MBEDTLS_MODE_OFB,
+ 192,
+ "AES-192-OFB",
+ 16,
+ 0,
+ 16,
+ &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ofb_info = {
+ MBEDTLS_CIPHER_AES_256_OFB,
+ MBEDTLS_MODE_OFB,
+ 256,
+ "AES-256-OFB",
+ 16,
+ 0,
+ 16,
+ &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
#if defined(MBEDTLS_CIPHER_MODE_CTR)
static const mbedtls_cipher_info_t aes_128_ctr_info = {
MBEDTLS_CIPHER_AES_128_CTR,
@@ -337,6 +426,92 @@
};
#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int xts_aes_setkey_enc_wrap( void *ctx, const unsigned char *key,
+ unsigned int key_bitlen )
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+ return( mbedtls_aes_xts_setkey_enc( xts_ctx, key, key_bitlen ) );
+}
+
+static int xts_aes_setkey_dec_wrap( void *ctx, const unsigned char *key,
+ unsigned int key_bitlen )
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+ return( mbedtls_aes_xts_setkey_dec( xts_ctx, key, key_bitlen ) );
+}
+
+static void *xts_aes_ctx_alloc( void )
+{
+ mbedtls_aes_xts_context *xts_ctx = mbedtls_calloc( 1, sizeof( *xts_ctx ) );
+
+ if( xts_ctx != NULL )
+ mbedtls_aes_xts_init( xts_ctx );
+
+ return( xts_ctx );
+}
+
+static void xts_aes_ctx_free( void *ctx )
+{
+ mbedtls_aes_xts_context *xts_ctx = ctx;
+
+ if( xts_ctx == NULL )
+ return;
+
+ mbedtls_aes_xts_free( xts_ctx );
+ mbedtls_free( xts_ctx );
+}
+
+static const mbedtls_cipher_base_t xts_aes_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ aes_crypt_xts_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ xts_aes_setkey_enc_wrap,
+ xts_aes_setkey_dec_wrap,
+ xts_aes_ctx_alloc,
+ xts_aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_xts_info = {
+ MBEDTLS_CIPHER_AES_128_XTS,
+ MBEDTLS_MODE_XTS,
+ 256,
+ "AES-128-XTS",
+ 16,
+ 0,
+ 16,
+ &xts_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_xts_info = {
+ MBEDTLS_CIPHER_AES_256_XTS,
+ MBEDTLS_MODE_XTS,
+ 512,
+ "AES-256-XTS",
+ 16,
+ 0,
+ 16,
+ &xts_aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
#if defined(MBEDTLS_GCM_C)
static int gcm_aes_setkey_wrap( void *ctx, const unsigned char *key,
unsigned int key_bitlen )
@@ -354,9 +529,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -417,9 +598,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -544,9 +731,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
camellia_crypt_cfb128_wrap,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
camellia_crypt_ctr_wrap,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -711,9 +904,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -774,9 +973,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -822,6 +1027,382 @@
#endif /* MBEDTLS_CAMELLIA_C */
+#if defined(MBEDTLS_ARIA_C)
+
+static int aria_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+ const unsigned char *input, unsigned char *output )
+{
+ (void) operation;
+ return mbedtls_aria_crypt_ecb( (mbedtls_aria_context *) ctx, input,
+ output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aria_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+ size_t length, unsigned char *iv,
+ const unsigned char *input, unsigned char *output )
+{
+ return mbedtls_aria_crypt_cbc( (mbedtls_aria_context *) ctx, operation, length, iv,
+ input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aria_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+ size_t length, size_t *iv_off, unsigned char *iv,
+ const unsigned char *input, unsigned char *output )
+{
+ return mbedtls_aria_crypt_cfb128( (mbedtls_aria_context *) ctx, operation, length,
+ iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aria_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+ unsigned char *nonce_counter, unsigned char *stream_block,
+ const unsigned char *input, unsigned char *output )
+{
+ return mbedtls_aria_crypt_ctr( (mbedtls_aria_context *) ctx, length, nc_off,
+ nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int aria_setkey_dec_wrap( void *ctx, const unsigned char *key,
+ unsigned int key_bitlen )
+{
+ return mbedtls_aria_setkey_dec( (mbedtls_aria_context *) ctx, key, key_bitlen );
+}
+
+static int aria_setkey_enc_wrap( void *ctx, const unsigned char *key,
+ unsigned int key_bitlen )
+{
+ return mbedtls_aria_setkey_enc( (mbedtls_aria_context *) ctx, key, key_bitlen );
+}
+
+static void * aria_ctx_alloc( void )
+{
+ mbedtls_aria_context *ctx;
+ ctx = mbedtls_calloc( 1, sizeof( mbedtls_aria_context ) );
+
+ if( ctx == NULL )
+ return( NULL );
+
+ mbedtls_aria_init( ctx );
+
+ return( ctx );
+}
+
+static void aria_ctx_free( void *ctx )
+{
+ mbedtls_aria_free( (mbedtls_aria_context *) ctx );
+ mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t aria_info = {
+ MBEDTLS_CIPHER_ID_ARIA,
+ aria_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ aria_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ aria_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ aria_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ aria_setkey_enc_wrap,
+ aria_setkey_dec_wrap,
+ aria_ctx_alloc,
+ aria_ctx_free
+};
+
+static const mbedtls_cipher_info_t aria_128_ecb_info = {
+ MBEDTLS_CIPHER_ARIA_128_ECB,
+ MBEDTLS_MODE_ECB,
+ 128,
+ "ARIA-128-ECB",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ecb_info = {
+ MBEDTLS_CIPHER_ARIA_192_ECB,
+ MBEDTLS_MODE_ECB,
+ 192,
+ "ARIA-192-ECB",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ecb_info = {
+ MBEDTLS_CIPHER_ARIA_256_ECB,
+ MBEDTLS_MODE_ECB,
+ 256,
+ "ARIA-256-ECB",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aria_128_cbc_info = {
+ MBEDTLS_CIPHER_ARIA_128_CBC,
+ MBEDTLS_MODE_CBC,
+ 128,
+ "ARIA-128-CBC",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_cbc_info = {
+ MBEDTLS_CIPHER_ARIA_192_CBC,
+ MBEDTLS_MODE_CBC,
+ 192,
+ "ARIA-192-CBC",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_cbc_info = {
+ MBEDTLS_CIPHER_ARIA_256_CBC,
+ MBEDTLS_MODE_CBC,
+ 256,
+ "ARIA-256-CBC",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aria_128_cfb128_info = {
+ MBEDTLS_CIPHER_ARIA_128_CFB128,
+ MBEDTLS_MODE_CFB,
+ 128,
+ "ARIA-128-CFB128",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_cfb128_info = {
+ MBEDTLS_CIPHER_ARIA_192_CFB128,
+ MBEDTLS_MODE_CFB,
+ 192,
+ "ARIA-192-CFB128",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_cfb128_info = {
+ MBEDTLS_CIPHER_ARIA_256_CFB128,
+ MBEDTLS_MODE_CFB,
+ 256,
+ "ARIA-256-CFB128",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aria_128_ctr_info = {
+ MBEDTLS_CIPHER_ARIA_128_CTR,
+ MBEDTLS_MODE_CTR,
+ 128,
+ "ARIA-128-CTR",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ctr_info = {
+ MBEDTLS_CIPHER_ARIA_192_CTR,
+ MBEDTLS_MODE_CTR,
+ 192,
+ "ARIA-192-CTR",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ctr_info = {
+ MBEDTLS_CIPHER_ARIA_256_CTR,
+ MBEDTLS_MODE_CTR,
+ 256,
+ "ARIA-256-CTR",
+ 16,
+ 0,
+ 16,
+ &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_aria_setkey_wrap( void *ctx, const unsigned char *key,
+ unsigned int key_bitlen )
+{
+ return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+ key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_aria_info = {
+ MBEDTLS_CIPHER_ID_ARIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ gcm_aria_setkey_wrap,
+ gcm_aria_setkey_wrap,
+ gcm_ctx_alloc,
+ gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_gcm_info = {
+ MBEDTLS_CIPHER_ARIA_128_GCM,
+ MBEDTLS_MODE_GCM,
+ 128,
+ "ARIA-128-GCM",
+ 12,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ 16,
+ &gcm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_gcm_info = {
+ MBEDTLS_CIPHER_ARIA_192_GCM,
+ MBEDTLS_MODE_GCM,
+ 192,
+ "ARIA-192-GCM",
+ 12,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ 16,
+ &gcm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_gcm_info = {
+ MBEDTLS_CIPHER_ARIA_256_GCM,
+ MBEDTLS_MODE_GCM,
+ 256,
+ "ARIA-256-GCM",
+ 12,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ 16,
+ &gcm_aria_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_aria_setkey_wrap( void *ctx, const unsigned char *key,
+ unsigned int key_bitlen )
+{
+ return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+ key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_aria_info = {
+ MBEDTLS_CIPHER_ID_ARIA,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ ccm_aria_setkey_wrap,
+ ccm_aria_setkey_wrap,
+ ccm_ctx_alloc,
+ ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_ccm_info = {
+ MBEDTLS_CIPHER_ARIA_128_CCM,
+ MBEDTLS_MODE_CCM,
+ 128,
+ "ARIA-128-CCM",
+ 12,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ 16,
+ &ccm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ccm_info = {
+ MBEDTLS_CIPHER_ARIA_192_CCM,
+ MBEDTLS_MODE_CCM,
+ 192,
+ "ARIA-192-CCM",
+ 12,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ 16,
+ &ccm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ccm_info = {
+ MBEDTLS_CIPHER_ARIA_256_CCM,
+ MBEDTLS_MODE_CCM,
+ 256,
+ "ARIA-256-CCM",
+ 12,
+ MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+ 16,
+ &ccm_aria_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_ARIA_C */
+
#if defined(MBEDTLS_DES_C)
static int des_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
@@ -950,9 +1531,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -995,9 +1582,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -1040,9 +1633,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -1149,9 +1748,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
blowfish_crypt_cfb64_wrap,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
blowfish_crypt_ctr_wrap,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
NULL,
#endif
@@ -1259,9 +1864,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
arc4_crypt_stream_wrap,
#endif
@@ -1283,6 +1894,162 @@
};
#endif /* MBEDTLS_ARC4_C */
+#if defined(MBEDTLS_CHACHA20_C)
+
+static int chacha20_setkey_wrap( void *ctx, const unsigned char *key,
+ unsigned int key_bitlen )
+{
+ if( key_bitlen != 256U )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ if ( 0 != mbedtls_chacha20_setkey( (mbedtls_chacha20_context*)ctx, key ) )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ return( 0 );
+}
+
+static int chacha20_stream_wrap( void *ctx, size_t length,
+ const unsigned char *input,
+ unsigned char *output )
+{
+ int ret;
+
+ ret = mbedtls_chacha20_update( ctx, length, input, output );
+ if( ret == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ return( ret );
+}
+
+static void * chacha20_ctx_alloc( void )
+{
+ mbedtls_chacha20_context *ctx;
+ ctx = mbedtls_calloc( 1, sizeof( mbedtls_chacha20_context ) );
+
+ if( ctx == NULL )
+ return( NULL );
+
+ mbedtls_chacha20_init( ctx );
+
+ return( ctx );
+}
+
+static void chacha20_ctx_free( void *ctx )
+{
+ mbedtls_chacha20_free( (mbedtls_chacha20_context *) ctx );
+ mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t chacha20_base_info = {
+ MBEDTLS_CIPHER_ID_CHACHA20,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ chacha20_stream_wrap,
+#endif
+ chacha20_setkey_wrap,
+ chacha20_setkey_wrap,
+ chacha20_ctx_alloc,
+ chacha20_ctx_free
+};
+static const mbedtls_cipher_info_t chacha20_info = {
+ MBEDTLS_CIPHER_CHACHA20,
+ MBEDTLS_MODE_STREAM,
+ 256,
+ "CHACHA20",
+ 12,
+ 0,
+ 1,
+ &chacha20_base_info
+};
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+static int chachapoly_setkey_wrap( void *ctx,
+ const unsigned char *key,
+ unsigned int key_bitlen )
+{
+ if( key_bitlen != 256U )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ if ( 0 != mbedtls_chachapoly_setkey( (mbedtls_chachapoly_context*)ctx, key ) )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ return( 0 );
+}
+
+static void * chachapoly_ctx_alloc( void )
+{
+ mbedtls_chachapoly_context *ctx;
+ ctx = mbedtls_calloc( 1, sizeof( mbedtls_chachapoly_context ) );
+
+ if( ctx == NULL )
+ return( NULL );
+
+ mbedtls_chachapoly_init( ctx );
+
+ return( ctx );
+}
+
+static void chachapoly_ctx_free( void *ctx )
+{
+ mbedtls_chachapoly_free( (mbedtls_chachapoly_context *) ctx );
+ mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t chachapoly_base_info = {
+ MBEDTLS_CIPHER_ID_CHACHA20,
+ NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ chachapoly_setkey_wrap,
+ chachapoly_setkey_wrap,
+ chachapoly_ctx_alloc,
+ chachapoly_ctx_free
+};
+static const mbedtls_cipher_info_t chachapoly_info = {
+ MBEDTLS_CIPHER_CHACHA20_POLY1305,
+ MBEDTLS_MODE_CHACHAPOLY,
+ 256,
+ "CHACHA20-POLY1305",
+ 12,
+ 0,
+ 1,
+ &chachapoly_base_info
+};
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
static int null_crypt_stream( void *ctx, size_t length,
const unsigned char *input,
@@ -1322,9 +2089,15 @@
#if defined(MBEDTLS_CIPHER_MODE_CFB)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
NULL,
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
null_crypt_stream,
#endif
@@ -1362,11 +2135,20 @@
{ MBEDTLS_CIPHER_AES_192_CFB128, &aes_192_cfb128_info },
{ MBEDTLS_CIPHER_AES_256_CFB128, &aes_256_cfb128_info },
#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ { MBEDTLS_CIPHER_AES_128_OFB, &aes_128_ofb_info },
+ { MBEDTLS_CIPHER_AES_192_OFB, &aes_192_ofb_info },
+ { MBEDTLS_CIPHER_AES_256_OFB, &aes_256_ofb_info },
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
{ MBEDTLS_CIPHER_AES_128_CTR, &aes_128_ctr_info },
{ MBEDTLS_CIPHER_AES_192_CTR, &aes_192_ctr_info },
{ MBEDTLS_CIPHER_AES_256_CTR, &aes_256_ctr_info },
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ { MBEDTLS_CIPHER_AES_128_XTS, &aes_128_xts_info },
+ { MBEDTLS_CIPHER_AES_256_XTS, &aes_256_xts_info },
+#endif
#if defined(MBEDTLS_GCM_C)
{ MBEDTLS_CIPHER_AES_128_GCM, &aes_128_gcm_info },
{ MBEDTLS_CIPHER_AES_192_GCM, &aes_192_gcm_info },
@@ -1427,6 +2209,37 @@
#endif
#endif /* MBEDTLS_CAMELLIA_C */
+#if defined(MBEDTLS_ARIA_C)
+ { MBEDTLS_CIPHER_ARIA_128_ECB, &aria_128_ecb_info },
+ { MBEDTLS_CIPHER_ARIA_192_ECB, &aria_192_ecb_info },
+ { MBEDTLS_CIPHER_ARIA_256_ECB, &aria_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ { MBEDTLS_CIPHER_ARIA_128_CBC, &aria_128_cbc_info },
+ { MBEDTLS_CIPHER_ARIA_192_CBC, &aria_192_cbc_info },
+ { MBEDTLS_CIPHER_ARIA_256_CBC, &aria_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ { MBEDTLS_CIPHER_ARIA_128_CFB128, &aria_128_cfb128_info },
+ { MBEDTLS_CIPHER_ARIA_192_CFB128, &aria_192_cfb128_info },
+ { MBEDTLS_CIPHER_ARIA_256_CFB128, &aria_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ { MBEDTLS_CIPHER_ARIA_128_CTR, &aria_128_ctr_info },
+ { MBEDTLS_CIPHER_ARIA_192_CTR, &aria_192_ctr_info },
+ { MBEDTLS_CIPHER_ARIA_256_CTR, &aria_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+ { MBEDTLS_CIPHER_ARIA_128_GCM, &aria_128_gcm_info },
+ { MBEDTLS_CIPHER_ARIA_192_GCM, &aria_192_gcm_info },
+ { MBEDTLS_CIPHER_ARIA_256_GCM, &aria_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+ { MBEDTLS_CIPHER_ARIA_128_CCM, &aria_128_ccm_info },
+ { MBEDTLS_CIPHER_ARIA_192_CCM, &aria_192_ccm_info },
+ { MBEDTLS_CIPHER_ARIA_256_CCM, &aria_256_ccm_info },
+#endif
+#endif /* MBEDTLS_ARIA_C */
+
#if defined(MBEDTLS_DES_C)
{ MBEDTLS_CIPHER_DES_ECB, &des_ecb_info },
{ MBEDTLS_CIPHER_DES_EDE_ECB, &des_ede_ecb_info },
@@ -1438,6 +2251,14 @@
#endif
#endif /* MBEDTLS_DES_C */
+#if defined(MBEDTLS_CHACHA20_C)
+ { MBEDTLS_CIPHER_CHACHA20, &chacha20_info },
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ { MBEDTLS_CIPHER_CHACHA20_POLY1305, &chachapoly_info },
+#endif
+
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
{ MBEDTLS_CIPHER_NULL, &null_cipher_info },
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
diff --git a/library/cmac.c b/library/cmac.c
index 4d7a1f1..5d101e1 100644
--- a/library/cmac.c
+++ b/library/cmac.c
@@ -828,6 +828,7 @@
mbedtls_cipher_free( &ctx );
}
+ ret = 0;
goto exit;
cleanup:
@@ -883,6 +884,7 @@
if( verbose != 0 )
mbedtls_printf( "passed\n" );
}
+ ret = 0;
exit:
return( ret );
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index 67900c4..040aa11 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -19,19 +19,25 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
+#if defined(__linux__)
+/* Ensure that syscall() is available even when compiling with -std=c99 */
+#define _GNU_SOURCE
+#endif
+
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
+#include <string.h>
+
#if defined(MBEDTLS_ENTROPY_C)
#include "mbedtls/entropy.h"
#include "mbedtls/entropy_poll.h"
#if defined(MBEDTLS_TIMING_C)
-#include <string.h>
#include "mbedtls/timing.h"
#endif
#if defined(MBEDTLS_HAVEGE_C)
@@ -44,7 +50,8 @@
#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
- !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__)
+ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+ !defined(__HAIKU__)
#error "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
#endif
diff --git a/library/error.c b/library/error.c
index be06dd2..774244b 100644
--- a/library/error.c
+++ b/library/error.c
@@ -49,6 +49,10 @@
#include "mbedtls/arc4.h"
#endif
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
#if defined(MBEDTLS_BASE64_C)
#include "mbedtls/base64.h"
#endif
@@ -69,6 +73,14 @@
#include "mbedtls/ccm.h"
#endif
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
#if defined(MBEDTLS_CIPHER_C)
#include "mbedtls/cipher.h"
#endif
@@ -101,6 +113,10 @@
#include "mbedtls/gcm.h"
#endif
+#if defined(MBEDTLS_HKDF_C)
+#include "mbedtls/hkdf.h"
+#endif
+
#if defined(MBEDTLS_HMAC_DRBG_C)
#include "mbedtls/hmac_drbg.h"
#endif
@@ -149,6 +165,10 @@
#include "mbedtls/pkcs5.h"
#endif
+#if defined(MBEDTLS_POLY1305_C)
+#include "mbedtls/poly1305.h"
+#endif
+
#if defined(MBEDTLS_RIPEMD160_C)
#include "mbedtls/ripemd160.h"
#endif
@@ -493,6 +513,8 @@
mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
if( use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) )
mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done" );
+ if( use_ret == -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) )
+ mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
#endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
@@ -585,6 +607,17 @@
mbedtls_snprintf( buf, buflen, "ARC4 - ARC4 hardware accelerator failed" );
#endif /* MBEDTLS_ARC4_C */
+#if defined(MBEDTLS_ARIA_C)
+ if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH) )
+ mbedtls_snprintf( buf, buflen, "ARIA - Invalid key length" );
+ if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH) )
+ mbedtls_snprintf( buf, buflen, "ARIA - Invalid data input length" );
+ if( use_ret == -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE) )
+ mbedtls_snprintf( buf, buflen, "ARIA - Feature not available. For example, an unsupported ARIA key size" );
+ if( use_ret == -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "ARIA - ARIA hardware accelerator failed" );
+#endif /* MBEDTLS_ARIA_C */
+
#if defined(MBEDTLS_ASN1_PARSE_C)
if( use_ret == -(MBEDTLS_ERR_ASN1_OUT_OF_DATA) )
mbedtls_snprintf( buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure" );
@@ -655,6 +688,22 @@
mbedtls_snprintf( buf, buflen, "CCM - CCM hardware accelerator failed" );
#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHA20_C)
+ if( use_ret == -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) )
+ mbedtls_snprintf( buf, buflen, "CHACHA20 - Invalid input parameter(s)" );
+ if( use_ret == -(MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE) )
+ mbedtls_snprintf( buf, buflen, "CHACHA20 - Feature not available. For example, s part of the API is not implemented" );
+ if( use_ret == -(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "CHACHA20 - Chacha20 hardware accelerator failed" );
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE) )
+ mbedtls_snprintf( buf, buflen, "CHACHAPOLY - The requested operation is not permitted in the current state" );
+ if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) )
+ mbedtls_snprintf( buf, buflen, "CHACHAPOLY - Authenticated decryption failed: data was not authentic" );
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
#if defined(MBEDTLS_CMAC_C)
if( use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED) )
mbedtls_snprintf( buf, buflen, "CMAC - CMAC hardware accelerator failed" );
@@ -700,6 +749,11 @@
mbedtls_snprintf( buf, buflen, "GCM - Bad input parameters to function" );
#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_HKDF_C)
+ if( use_ret == -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA) )
+ mbedtls_snprintf( buf, buflen, "HKDF - Bad input parameters to function" );
+#endif /* MBEDTLS_HKDF_C */
+
#if defined(MBEDTLS_HMAC_DRBG_C)
if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG) )
mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Too many random requested in single call" );
@@ -767,6 +821,15 @@
mbedtls_snprintf( buf, buflen, "PADLOCK - Input data should be aligned" );
#endif /* MBEDTLS_PADLOCK_C */
+#if defined(MBEDTLS_POLY1305_C)
+ if( use_ret == -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA) )
+ mbedtls_snprintf( buf, buflen, "POLY1305 - Invalid input parameter(s)" );
+ if( use_ret == -(MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE) )
+ mbedtls_snprintf( buf, buflen, "POLY1305 - Feature not available. For example, s part of the API is not implemented" );
+ if( use_ret == -(MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "POLY1305 - Poly1305 hardware accelerator failed" );
+#endif /* MBEDTLS_POLY1305_C */
+
#if defined(MBEDTLS_RIPEMD160_C)
if( use_ret == -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED) )
mbedtls_snprintf( buf, buflen, "RIPEMD160 - RIPEMD160 hardware accelerator failed" );
diff --git a/library/hkdf.c b/library/hkdf.c
new file mode 100644
index 0000000..82d8a42
--- /dev/null
+++ b/library/hkdf.c
@@ -0,0 +1,192 @@
+/*
+ * HKDF implementation -- RFC 5869
+ *
+ * Copyright (C) 2016-2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HKDF_C)
+
+#include <string.h>
+#include "mbedtls/hkdf.h"
+#include "mbedtls/platform_util.h"
+
+int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
+ size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len )
+{
+ int ret;
+ unsigned char prk[MBEDTLS_MD_MAX_SIZE];
+
+ ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, prk );
+
+ if( ret == 0 )
+ {
+ ret = mbedtls_hkdf_expand( md, prk, mbedtls_md_get_size( md ),
+ info, info_len, okm, okm_len );
+ }
+
+ mbedtls_platform_zeroize( prk, sizeof( prk ) );
+
+ return( ret );
+}
+
+int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *ikm, size_t ikm_len,
+ unsigned char *prk )
+{
+ unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
+
+ if( salt == NULL )
+ {
+ size_t hash_len;
+
+ if( salt_len != 0 )
+ {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ hash_len = mbedtls_md_get_size( md );
+
+ if( hash_len == 0 )
+ {
+ return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+ }
+
+ salt = null_salt;
+ salt_len = hash_len;
+ }
+
+ return( mbedtls_md_hmac( md, salt, salt_len, ikm, ikm_len, prk ) );
+}
+
+int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
+ size_t prk_len, const unsigned char *info,
+ size_t info_len, unsigned char *okm, size_t okm_len )
+{
+ size_t hash_len;
+ size_t where = 0;
+ size_t n;
+ size_t t_len = 0;
+ size_t i;
+ int ret = 0;
+ mbedtls_md_context_t ctx;
+ unsigned char t[MBEDTLS_MD_MAX_SIZE];
+
+ if( okm == NULL )
+ {
+ return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+ }
+
+ hash_len = mbedtls_md_get_size( md );
+
+ if( prk_len < hash_len || hash_len == 0 )
+ {
+ return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+ }
+
+ if( info == NULL )
+ {
+ info = (const unsigned char *) "";
+ info_len = 0;
+ }
+
+ n = okm_len / hash_len;
+
+ if( (okm_len % hash_len) != 0 )
+ {
+ n++;
+ }
+
+ /*
+ * Per RFC 5869 Section 2.3, okm_len must not exceed
+ * 255 times the hash length
+ */
+ if( n > 255 )
+ {
+ return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+ }
+
+ mbedtls_md_init( &ctx );
+
+ if( (ret = mbedtls_md_setup( &ctx, md, 1) ) != 0 )
+ {
+ goto exit;
+ }
+
+ /*
+ * Compute T = T(1) | T(2) | T(3) | ... | T(N)
+ * Where T(N) is defined in RFC 5869 Section 2.3
+ */
+ for( i = 1; i <= n; i++ )
+ {
+ size_t num_to_copy;
+ unsigned char c = i & 0xff;
+
+ ret = mbedtls_md_hmac_starts( &ctx, prk, prk_len );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_update( &ctx, t, t_len );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_update( &ctx, info, info_len );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ /* The constant concatenated to the end of each T(n) is a single octet.
+ * */
+ ret = mbedtls_md_hmac_update( &ctx, &c, 1 );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ ret = mbedtls_md_hmac_finish( &ctx, t );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ num_to_copy = i != n ? hash_len : okm_len - where;
+ memcpy( okm + where, t, num_to_copy );
+ where += hash_len;
+ t_len = hash_len;
+ }
+
+exit:
+ mbedtls_md_free( &ctx );
+ mbedtls_platform_zeroize( t, sizeof( t ) );
+
+ return( ret );
+}
+
+#endif /* MBEDTLS_HKDF_C */
diff --git a/library/memory_buffer_alloc.c b/library/memory_buffer_alloc.c
index ceaeda1..51ea7c4 100644
--- a/library/memory_buffer_alloc.c
+++ b/library/memory_buffer_alloc.c
@@ -518,7 +518,9 @@
heap.alloc_count, heap.free_count );
if( heap.first->next == NULL )
+ {
mbedtls_fprintf( stderr, "All memory de-allocated in stack buffer\n" );
+ }
else
{
mbedtls_fprintf( stderr, "Memory currently allocated:\n" );
diff --git a/library/net_sockets.c b/library/net_sockets.c
index 7b4a423..816b130 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -19,6 +19,11 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
+/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
+ * be set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 200112L
+
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
@@ -28,7 +33,8 @@
#if defined(MBEDTLS_NET_C)
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
- !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__)
+ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+ !defined(__HAIKU__)
#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
#endif
@@ -47,11 +53,12 @@
#define IS_EINTR( ret ) ( ( ret ) == WSAEINTR )
-#ifdef _WIN32_WINNT
+#if !defined(_WIN32_WINNT) || (_WIN32_WINNT < 0x0501)
#undef _WIN32_WINNT
-#endif
/* Enables getaddrinfo() & Co */
#define _WIN32_WINNT 0x0501
+#endif
+
#include <ws2tcpip.h>
#include <winsock2.h>
diff --git a/library/nist_kw.c b/library/nist_kw.c
new file mode 100644
index 0000000..176af9f
--- /dev/null
+++ b/library/nist_kw.c
@@ -0,0 +1,755 @@
+/*
+ * Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
+ * only
+ *
+ * Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * Definition of Key Wrapping:
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ * RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm"
+ * RFC 5649 "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm"
+ *
+ * Note: RFC 3394 defines different methodology for intermediate operations for
+ * the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/platform_util.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+
+#define KW_SEMIBLOCK_LENGTH 8
+#define MIN_SEMIBLOCKS_COUNT 3
+
+/* constant-time buffer comparison */
+static inline unsigned char mbedtls_nist_kw_safer_memcmp( const void *a, const void *b, size_t n )
+{
+ size_t i;
+ volatile const unsigned char *A = (volatile const unsigned char *) a;
+ volatile const unsigned char *B = (volatile const unsigned char *) b;
+ volatile unsigned char diff = 0;
+
+ for( i = 0; i < n; i++ )
+ {
+ /* Read volatile data in order before computing diff.
+ * This avoids IAR compiler warning:
+ * 'the order of volatile accesses is undefined ..' */
+ unsigned char x = A[i], y = B[i];
+ diff |= x ^ y;
+ }
+
+ return( diff );
+}
+
+/*! The 64-bit default integrity check value (ICV) for KW mode. */
+static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
+/*! The 32-bit default integrity check value (ICV) for KWP mode. */
+static const unsigned char NIST_KW_ICV2[] = {0xA6, 0x59, 0x59, 0xA6};
+
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i) \
+do { \
+ (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
+ | ( (uint32_t) (b)[(i) + 1] << 16 ) \
+ | ( (uint32_t) (b)[(i) + 2] << 8 ) \
+ | ( (uint32_t) (b)[(i) + 3] ); \
+} while( 0 )
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i) \
+do { \
+ (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
+ (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
+ (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
+ (b)[(i) + 3] = (unsigned char) ( (n) ); \
+} while( 0 )
+#endif
+
+/*
+ * Initialize context
+ */
+void mbedtls_nist_kw_init( mbedtls_nist_kw_context *ctx )
+{
+ memset( ctx, 0, sizeof( mbedtls_nist_kw_context ) );
+}
+
+int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
+ mbedtls_cipher_id_t cipher,
+ const unsigned char *key,
+ unsigned int keybits,
+ const int is_wrap )
+{
+ int ret;
+ const mbedtls_cipher_info_t *cipher_info;
+
+ cipher_info = mbedtls_cipher_info_from_values( cipher,
+ keybits,
+ MBEDTLS_MODE_ECB );
+ if( cipher_info == NULL )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ if( cipher_info->block_size != 16 )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ /*
+ * SP 800-38F currently defines AES cipher as the only block cipher allowed:
+ * "For KW and KWP, the underlying block cipher shall be approved, and the
+ * block size shall be 128 bits. Currently, the AES block cipher, with key
+ * lengths of 128, 192, or 256 bits, is the only block cipher that fits
+ * this profile."
+ * Currently we don't support other 128 bit block ciphers for key wrapping,
+ * such as Camellia and Aria.
+ */
+ if( cipher != MBEDTLS_CIPHER_ID_AES )
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+
+ mbedtls_cipher_free( &ctx->cipher_ctx );
+
+ if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+ return( ret );
+
+ if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+ is_wrap ? MBEDTLS_ENCRYPT :
+ MBEDTLS_DECRYPT )
+ ) != 0 )
+ {
+ return( ret );
+ }
+
+ return( 0 );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx )
+{
+ mbedtls_cipher_free( &ctx->cipher_ctx );
+ mbedtls_platform_zeroize( ctx, sizeof( mbedtls_nist_kw_context ) );
+}
+
+/*
+ * Helper function for Xoring the uint64_t "t" with the encrypted A.
+ * Defined in NIST SP 800-38F section 6.1
+ */
+static void calc_a_xor_t( unsigned char A[KW_SEMIBLOCK_LENGTH], uint64_t t )
+{
+ size_t i = 0;
+ for( i = 0; i < sizeof( t ); i++ )
+ {
+ A[i] ^= ( t >> ( ( sizeof( t ) - 1 - i ) * 8 ) ) & 0xff;
+ }
+}
+
+/*
+ * KW-AE as defined in SP 800-38F section 6.2
+ * KWP-AE as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx,
+ mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t *out_len, size_t out_size )
+{
+ int ret = 0;
+ size_t semiblocks = 0;
+ size_t s;
+ size_t olen, padlen = 0;
+ uint64_t t = 0;
+ unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
+ unsigned char *A = output;
+
+ *out_len = 0;
+ /*
+ * Generate the String to work on
+ */
+ if( mode == MBEDTLS_KW_MODE_KW )
+ {
+ if( out_size < in_len + KW_SEMIBLOCK_LENGTH )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ /*
+ * According to SP 800-38F Table 1, the plaintext length for KW
+ * must be between 2 to 2^54-1 semiblocks inclusive.
+ */
+ if( in_len < 16 ||
+#if SIZE_MAX > 0x1FFFFFFFFFFFFF8
+ in_len > 0x1FFFFFFFFFFFFF8 ||
+#endif
+ in_len % KW_SEMIBLOCK_LENGTH != 0 )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ memcpy( output, NIST_KW_ICV1, KW_SEMIBLOCK_LENGTH );
+ memmove( output + KW_SEMIBLOCK_LENGTH, input, in_len );
+ }
+ else
+ {
+ if( in_len % 8 != 0 )
+ {
+ padlen = ( 8 - ( in_len % 8 ) );
+ }
+
+ if( out_size < in_len + KW_SEMIBLOCK_LENGTH + padlen )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ /*
+ * According to SP 800-38F Table 1, the plaintext length for KWP
+ * must be between 1 and 2^32-1 octets inclusive.
+ */
+ if( in_len < 1
+#if SIZE_MAX > 0xFFFFFFFF
+ || in_len > 0xFFFFFFFF
+#endif
+ )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ memcpy( output, NIST_KW_ICV2, KW_SEMIBLOCK_LENGTH / 2 );
+ PUT_UINT32_BE( ( in_len & 0xffffffff ), output,
+ KW_SEMIBLOCK_LENGTH / 2 );
+
+ memcpy( output + KW_SEMIBLOCK_LENGTH, input, in_len );
+ memset( output + KW_SEMIBLOCK_LENGTH + in_len, 0, padlen );
+ }
+ semiblocks = ( ( in_len + padlen ) / KW_SEMIBLOCK_LENGTH ) + 1;
+
+ s = 6 * ( semiblocks - 1 );
+
+ if( mode == MBEDTLS_KW_MODE_KWP
+ && in_len <= KW_SEMIBLOCK_LENGTH )
+ {
+ memcpy( inbuff, output, 16 );
+ ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+ inbuff, 16, output, &olen );
+ if( ret != 0 )
+ goto cleanup;
+ }
+ else
+ {
+ /*
+ * Do the wrapping function W, as defined in RFC 3394 section 2.2.1
+ */
+ if( semiblocks < MIN_SEMIBLOCKS_COUNT )
+ {
+ ret = MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+ /* Calculate intermediate values */
+ for( t = 1; t <= s; t++ )
+ {
+ memcpy( inbuff, A, KW_SEMIBLOCK_LENGTH );
+ memcpy( inbuff + KW_SEMIBLOCK_LENGTH, R2, KW_SEMIBLOCK_LENGTH );
+
+ ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+ inbuff, 16, outbuff, &olen );
+ if( ret != 0 )
+ goto cleanup;
+
+ memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+ calc_a_xor_t( A, t );
+
+ memcpy( R2, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+ R2 += KW_SEMIBLOCK_LENGTH;
+ if( R2 >= output + ( semiblocks * KW_SEMIBLOCK_LENGTH ) )
+ R2 = output + KW_SEMIBLOCK_LENGTH;
+ }
+ }
+
+ *out_len = semiblocks * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+
+ if( ret != 0)
+ {
+ memset( output, 0, semiblocks * KW_SEMIBLOCK_LENGTH );
+ }
+ mbedtls_platform_zeroize( inbuff, KW_SEMIBLOCK_LENGTH * 2 );
+ mbedtls_platform_zeroize( outbuff, KW_SEMIBLOCK_LENGTH * 2 );
+ mbedtls_cipher_finish( &ctx->cipher_ctx, NULL, &olen );
+ return( ret );
+}
+
+/*
+ * W-1 function as defined in RFC 3394 section 2.2.2
+ * This function assumes the following:
+ * 1. Output buffer is at least of size ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH.
+ * 2. The input buffer is of size semiblocks * KW_SEMIBLOCK_LENGTH.
+ * 3. Minimal number of semiblocks is 3.
+ * 4. A is a buffer to hold the first semiblock of the input buffer.
+ */
+static int unwrap( mbedtls_nist_kw_context *ctx,
+ const unsigned char *input, size_t semiblocks,
+ unsigned char A[KW_SEMIBLOCK_LENGTH],
+ unsigned char *output, size_t* out_len )
+{
+ int ret = 0;
+ const size_t s = 6 * ( semiblocks - 1 );
+ size_t olen;
+ uint64_t t = 0;
+ unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+ unsigned char *R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
+ *out_len = 0;
+
+ if( semiblocks < MIN_SEMIBLOCKS_COUNT )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ memcpy( A, input, KW_SEMIBLOCK_LENGTH );
+ memmove( output, input + KW_SEMIBLOCK_LENGTH, ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH );
+
+ /* Calculate intermediate values */
+ for( t = s; t >= 1; t-- )
+ {
+ calc_a_xor_t( A, t );
+
+ memcpy( inbuff, A, KW_SEMIBLOCK_LENGTH );
+ memcpy( inbuff + KW_SEMIBLOCK_LENGTH, R, KW_SEMIBLOCK_LENGTH );
+
+ ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+ inbuff, 16, outbuff, &olen );
+ if( ret != 0 )
+ goto cleanup;
+
+ memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+
+ /* Set R as LSB64 of outbuff */
+ memcpy( R, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+
+ if( R == output )
+ R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
+ else
+ R -= KW_SEMIBLOCK_LENGTH;
+ }
+
+ *out_len = ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+ if( ret != 0)
+ memset( output, 0, ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH );
+ mbedtls_platform_zeroize( inbuff, sizeof( inbuff ) );
+ mbedtls_platform_zeroize( outbuff, sizeof( outbuff ) );
+
+ return( ret );
+}
+
+/*
+ * KW-AD as defined in SP 800-38F section 6.2
+ * KWP-AD as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx,
+ mbedtls_nist_kw_mode_t mode,
+ const unsigned char *input, size_t in_len,
+ unsigned char *output, size_t *out_len, size_t out_size )
+{
+ int ret = 0;
+ size_t i, olen;
+ unsigned char A[KW_SEMIBLOCK_LENGTH];
+ unsigned char diff, bad_padding = 0;
+
+ *out_len = 0;
+ if( out_size < in_len - KW_SEMIBLOCK_LENGTH )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ if( mode == MBEDTLS_KW_MODE_KW )
+ {
+ /*
+ * According to SP 800-38F Table 1, the ciphertext length for KW
+ * must be between 3 to 2^54 semiblocks inclusive.
+ */
+ if( in_len < 24 ||
+#if SIZE_MAX > 0x200000000000000
+ in_len > 0x200000000000000 ||
+#endif
+ in_len % KW_SEMIBLOCK_LENGTH != 0 )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ ret = unwrap( ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+ A, output, out_len );
+ if( ret != 0 )
+ goto cleanup;
+
+ /* Check ICV in "constant-time" */
+ diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH );
+
+ if( diff != 0 )
+ {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ goto cleanup;
+ }
+
+ }
+ else if( mode == MBEDTLS_KW_MODE_KWP )
+ {
+ size_t padlen = 0;
+ uint32_t Plen;
+ /*
+ * According to SP 800-38F Table 1, the ciphertext length for KWP
+ * must be between 2 to 2^29 semiblocks inclusive.
+ */
+ if( in_len < KW_SEMIBLOCK_LENGTH * 2 ||
+#if SIZE_MAX > 0x100000000
+ in_len > 0x100000000 ||
+#endif
+ in_len % KW_SEMIBLOCK_LENGTH != 0 )
+ {
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+ }
+
+ if( in_len == KW_SEMIBLOCK_LENGTH * 2 )
+ {
+ unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+ ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+ input, 16, outbuff, &olen );
+ if( ret != 0 )
+ goto cleanup;
+
+ memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+ memcpy( output, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+ mbedtls_platform_zeroize( outbuff, sizeof( outbuff ) );
+ *out_len = KW_SEMIBLOCK_LENGTH;
+ }
+ else
+ {
+ /* in_len >= KW_SEMIBLOCK_LENGTH * 3 */
+ ret = unwrap( ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+ A, output, out_len );
+ if( ret != 0 )
+ goto cleanup;
+ }
+
+ /* Check ICV in "constant-time" */
+ diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 );
+
+ if( diff != 0 )
+ {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ GET_UINT32_BE( Plen, A, KW_SEMIBLOCK_LENGTH / 2 );
+
+ /*
+ * Plen is the length of the plaintext, when the input is valid.
+ * If Plen is larger than the plaintext and padding, padlen will be
+ * larger than 8, because of the type wrap around.
+ */
+ padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
+ if ( padlen > 7 )
+ {
+ padlen &= 7;
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ /* Check padding in "constant-time" */
+ for( diff = 0, i = 0; i < KW_SEMIBLOCK_LENGTH; i++ )
+ {
+ if( i >= KW_SEMIBLOCK_LENGTH - padlen )
+ diff |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+ else
+ bad_padding |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+ }
+
+ if( diff != 0 )
+ {
+ ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+ }
+
+ if( ret != 0 )
+ {
+ goto cleanup;
+ }
+ memset( output + Plen, 0, padlen );
+ *out_len = Plen;
+ }
+ else
+ {
+ ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+ goto cleanup;
+ }
+
+cleanup:
+ if( ret != 0 )
+ {
+ memset( output, 0, *out_len );
+ *out_len = 0;
+ }
+
+ mbedtls_platform_zeroize( &bad_padding, sizeof( bad_padding) );
+ mbedtls_platform_zeroize( &diff, sizeof( diff ) );
+ mbedtls_platform_zeroize( A, sizeof( A ) );
+ mbedtls_cipher_finish( &ctx->cipher_ctx, NULL, &olen );
+ return( ret );
+}
+
+#endif /* !MBEDTLS_NIST_KW_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+
+#define KW_TESTS 3
+
+/*
+ * Test vectors taken from NIST
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#KW
+ */
+static const unsigned int key_len[KW_TESTS] = { 16, 24, 32 };
+
+static const unsigned char kw_key[KW_TESTS][32] = {
+ { 0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2,
+ 0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, 0xa6 },
+ { 0x2d, 0x85, 0x26, 0x08, 0x1d, 0x02, 0xfb, 0x5b,
+ 0x85, 0xf6, 0x9a, 0xc2, 0x86, 0xec, 0xd5, 0x7d,
+ 0x40, 0xdf, 0x5d, 0xf3, 0x49, 0x47, 0x44, 0xd3 },
+ { 0x11, 0x2a, 0xd4, 0x1b, 0x48, 0x56, 0xc7, 0x25,
+ 0x4a, 0x98, 0x48, 0xd3, 0x0f, 0xdd, 0x78, 0x33,
+ 0x5b, 0x03, 0x9a, 0x48, 0xa8, 0x96, 0x2c, 0x4d,
+ 0x1c, 0xb7, 0x8e, 0xab, 0xd5, 0xda, 0xd7, 0x88 }
+};
+
+static const unsigned char kw_msg[KW_TESTS][40] = {
+ { 0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea,
+ 0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, 0x3f },
+ { 0x95, 0xc1, 0x1b, 0xf5, 0x35, 0x3a, 0xfe, 0xdb,
+ 0x98, 0xfd, 0xd6, 0xc8, 0xca, 0x6f, 0xdb, 0x6d,
+ 0xa5, 0x4b, 0x74, 0xb4, 0x99, 0x0f, 0xdc, 0x45,
+ 0xc0, 0x9d, 0x15, 0x8f, 0x51, 0xce, 0x62, 0x9d,
+ 0xe2, 0xaf, 0x26, 0xe3, 0x25, 0x0e, 0x6b, 0x4c },
+ { 0x1b, 0x20, 0xbf, 0x19, 0x90, 0xb0, 0x65, 0xd7,
+ 0x98, 0xe1, 0xb3, 0x22, 0x64, 0xad, 0x50, 0xa8,
+ 0x74, 0x74, 0x92, 0xba, 0x09, 0xa0, 0x4d, 0xd1 }
+};
+
+static const size_t kw_msg_len[KW_TESTS] = { 16, 40, 24 };
+static const size_t kw_out_len[KW_TESTS] = { 24, 48, 32 };
+static const unsigned char kw_res[KW_TESTS][48] = {
+ { 0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d,
+ 0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, 0xa3,
+ 0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb },
+ { 0x44, 0x3c, 0x6f, 0x15, 0x09, 0x83, 0x71, 0x91,
+ 0x3e, 0x5c, 0x81, 0x4c, 0xa1, 0xa0, 0x42, 0xec,
+ 0x68, 0x2f, 0x7b, 0x13, 0x6d, 0x24, 0x3a, 0x4d,
+ 0x6c, 0x42, 0x6f, 0xc6, 0x97, 0x15, 0x63, 0xe8,
+ 0xa1, 0x4a, 0x55, 0x8e, 0x09, 0x64, 0x16, 0x19,
+ 0xbf, 0x03, 0xfc, 0xaf, 0x90, 0xb1, 0xfc, 0x2d },
+ { 0xba, 0x8a, 0x25, 0x9a, 0x47, 0x1b, 0x78, 0x7d,
+ 0xd5, 0xd5, 0x40, 0xec, 0x25, 0xd4, 0x3d, 0x87,
+ 0x20, 0x0f, 0xda, 0xdc, 0x6d, 0x1f, 0x05, 0xd9,
+ 0x16, 0x58, 0x4f, 0xa9, 0xf6, 0xcb, 0xf5, 0x12 }
+};
+
+static const unsigned char kwp_key[KW_TESTS][32] = {
+ { 0x78, 0x65, 0xe2, 0x0f, 0x3c, 0x21, 0x65, 0x9a,
+ 0xb4, 0x69, 0x0b, 0x62, 0x9c, 0xdf, 0x3c, 0xc4 },
+ { 0xf5, 0xf8, 0x96, 0xa3, 0xbd, 0x2f, 0x4a, 0x98,
+ 0x23, 0xef, 0x16, 0x2b, 0x00, 0xb8, 0x05, 0xd7,
+ 0xde, 0x1e, 0xa4, 0x66, 0x26, 0x96, 0xa2, 0x58 },
+ { 0x95, 0xda, 0x27, 0x00, 0xca, 0x6f, 0xd9, 0xa5,
+ 0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, 0x6f,
+ 0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae,
+ 0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, 0x22, 0x5a }
+};
+
+static const unsigned char kwp_msg[KW_TESTS][31] = {
+ { 0xbd, 0x68, 0x43, 0xd4, 0x20, 0x37, 0x8d, 0xc8,
+ 0x96 },
+ { 0x6c, 0xcd, 0xd5, 0x85, 0x18, 0x40, 0x97, 0xeb,
+ 0xd5, 0xc3, 0xaf, 0x3e, 0x47, 0xd0, 0x2c, 0x19,
+ 0x14, 0x7b, 0x4d, 0x99, 0x5f, 0x96, 0x43, 0x66,
+ 0x91, 0x56, 0x75, 0x8c, 0x13, 0x16, 0x8f },
+ { 0xd1 }
+};
+static const size_t kwp_msg_len[KW_TESTS] = { 9, 31, 1 };
+
+static const unsigned char kwp_res[KW_TESTS][48] = {
+ { 0x41, 0xec, 0xa9, 0x56, 0xd4, 0xaa, 0x04, 0x7e,
+ 0xb5, 0xcf, 0x4e, 0xfe, 0x65, 0x96, 0x61, 0xe7,
+ 0x4d, 0xb6, 0xf8, 0xc5, 0x64, 0xe2, 0x35, 0x00 },
+ { 0x4e, 0x9b, 0xc2, 0xbc, 0xbc, 0x6c, 0x1e, 0x13,
+ 0xd3, 0x35, 0xbc, 0xc0, 0xf7, 0x73, 0x6a, 0x88,
+ 0xfa, 0x87, 0x53, 0x66, 0x15, 0xbb, 0x8e, 0x63,
+ 0x8b, 0xcc, 0x81, 0x66, 0x84, 0x68, 0x17, 0x90,
+ 0x67, 0xcf, 0xa9, 0x8a, 0x9d, 0x0e, 0x33, 0x26 },
+ { 0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd,
+ 0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, 0xc4 }
+};
+static const size_t kwp_out_len[KW_TESTS] = { 24, 40, 16 };
+
+int mbedtls_nist_kw_self_test( int verbose )
+{
+ mbedtls_nist_kw_context ctx;
+ unsigned char out[48];
+ size_t olen;
+ int i;
+ int ret = 0;
+ mbedtls_nist_kw_init( &ctx );
+
+ for( i = 0; i < KW_TESTS; i++ )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( " KW-AES-%u ", (unsigned int) key_len[i] * 8 );
+
+ ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+ kw_key[i], key_len[i] * 8, 1 );
+ if( ret != 0 )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( " KW: setup failed " );
+
+ goto end;
+ }
+
+ ret = mbedtls_nist_kw_wrap( &ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
+ kw_msg_len[i], out, &olen, sizeof( out ) );
+ if( ret != 0 || kw_out_len[i] != olen ||
+ memcmp( out, kw_res[i], kw_out_len[i] ) != 0 )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( "failed. ");
+
+ ret = 1;
+ goto end;
+ }
+
+ if( ( ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+ kw_key[i], key_len[i] * 8, 0 ) )
+ != 0 )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( " KW: setup failed ");
+
+ goto end;
+ }
+
+ ret = mbedtls_nist_kw_unwrap( &ctx, MBEDTLS_KW_MODE_KW,
+ out, olen, out, &olen, sizeof( out ) );
+
+ if( ret != 0 || olen != kw_msg_len[i] ||
+ memcmp( out, kw_msg[i], kw_msg_len[i] ) != 0 )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( "failed\n" );
+
+ ret = 1;
+ goto end;
+ }
+
+ if( verbose != 0 )
+ mbedtls_printf( " passed\n" );
+ }
+
+ for( i = 0; i < KW_TESTS; i++ )
+ {
+ olen = sizeof( out );
+ if( verbose != 0 )
+ mbedtls_printf( " KWP-AES-%u ", (unsigned int) key_len[i] * 8 );
+
+ ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
+ key_len[i] * 8, 1 );
+ if( ret != 0 )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( " KWP: setup failed " );
+
+ goto end;
+ }
+ ret = mbedtls_nist_kw_wrap( &ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
+ kwp_msg_len[i], out, &olen, sizeof( out ) );
+
+ if( ret != 0 || kwp_out_len[i] != olen ||
+ memcmp( out, kwp_res[i], kwp_out_len[i] ) != 0 )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( "failed. ");
+
+ ret = 1;
+ goto end;
+ }
+
+ if( ( ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+ kwp_key[i], key_len[i] * 8, 0 ) )
+ != 0 )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( " KWP: setup failed ");
+
+ goto end;
+ }
+
+ ret = mbedtls_nist_kw_unwrap( &ctx, MBEDTLS_KW_MODE_KWP, out,
+ olen, out, &olen, sizeof( out ) );
+
+ if( ret != 0 || olen != kwp_msg_len[i] ||
+ memcmp( out, kwp_msg[i], kwp_msg_len[i] ) != 0 )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( "failed. ");
+
+ ret = 1;
+ goto end;
+ }
+
+ if( verbose != 0 )
+ mbedtls_printf( " passed\n" );
+ }
+end:
+ mbedtls_nist_kw_free( &ctx );
+
+ if( verbose != 0 )
+ mbedtls_printf( "\n" );
+
+ return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_NIST_KW_C */
diff --git a/library/pkcs5.c b/library/pkcs5.c
index 440a174..f04f0ab 100644
--- a/library/pkcs5.c
+++ b/library/pkcs5.c
@@ -249,8 +249,10 @@
memset( counter, 0, 4 );
counter[3] = 1;
+#if UINT_MAX > 0xFFFFFFFF
if( iteration_count > 0xFFFFFFFF )
return( MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA );
+#endif
while( key_length )
{
diff --git a/library/pkparse.c b/library/pkparse.c
index ccb7f54..d6ac987 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -1261,7 +1261,6 @@
return( ret );
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
#else
- ((void) ret);
((void) pwd);
((void) pwdlen);
#endif /* MBEDTLS_PEM_PARSE_C */
diff --git a/library/platform.c b/library/platform.c
index 9e99287..b24b2fa 100644
--- a/library/platform.c
+++ b/library/platform.c
@@ -51,14 +51,24 @@
#define MBEDTLS_PLATFORM_STD_FREE platform_free_uninit
#endif /* !MBEDTLS_PLATFORM_STD_FREE */
-void * (*mbedtls_calloc)( size_t, size_t ) = MBEDTLS_PLATFORM_STD_CALLOC;
-void (*mbedtls_free)( void * ) = MBEDTLS_PLATFORM_STD_FREE;
+static void * (*mbedtls_calloc_func)( size_t, size_t ) = MBEDTLS_PLATFORM_STD_CALLOC;
+static void (*mbedtls_free_func)( void * ) = MBEDTLS_PLATFORM_STD_FREE;
+
+void * mbedtls_calloc( size_t nmemb, size_t size )
+{
+ return (*mbedtls_calloc_func)( nmemb, size );
+}
+
+void mbedtls_free( void * ptr )
+{
+ (*mbedtls_free_func)( ptr );
+}
int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
void (*free_func)( void * ) )
{
- mbedtls_calloc = calloc_func;
- mbedtls_free = free_func;
+ mbedtls_calloc_func = calloc_func;
+ mbedtls_free_func = free_func;
return( 0 );
}
#endif /* MBEDTLS_PLATFORM_MEMORY */
diff --git a/library/poly1305.c b/library/poly1305.c
new file mode 100644
index 0000000..e22d3af
--- /dev/null
+++ b/library/poly1305.c
@@ -0,0 +1,563 @@
+/**
+ * \file poly1305.c
+ *
+ * \brief Poly1305 authentication algorithm.
+ *
+ * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+
+#include "mbedtls/poly1305.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+ !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define POLY1305_BLOCK_SIZE_BYTES ( 16U )
+
+#define BYTES_TO_U32_LE( data, offset ) \
+ ( (uint32_t) data[offset] \
+ | (uint32_t) ( (uint32_t) data[( offset ) + 1] << 8 ) \
+ | (uint32_t) ( (uint32_t) data[( offset ) + 2] << 16 ) \
+ | (uint32_t) ( (uint32_t) data[( offset ) + 3] << 24 ) \
+ )
+
+/*
+ * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
+ * However we provided an alternative for platforms without such a multiplier.
+ */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+static uint64_t mul64( uint32_t a, uint32_t b )
+{
+ /* a = al + 2**16 ah, b = bl + 2**16 bh */
+ const uint16_t al = (uint16_t) a;
+ const uint16_t bl = (uint16_t) b;
+ const uint16_t ah = a >> 16;
+ const uint16_t bh = b >> 16;
+
+ /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */
+ const uint32_t lo = (uint32_t) al * bl;
+ const uint64_t me = (uint64_t)( (uint32_t) ah * bl ) + (uint32_t) al * bh;
+ const uint32_t hi = (uint32_t) ah * bh;
+
+ return( lo + ( me << 16 ) + ( (uint64_t) hi << 32 ) );
+}
+#else
+static inline uint64_t mul64( uint32_t a, uint32_t b )
+{
+ return( (uint64_t) a * b );
+}
+#endif
+
+
+/**
+ * \brief Process blocks with Poly1305.
+ *
+ * \param ctx The Poly1305 context.
+ * \param nblocks Number of blocks to process. Note that this
+ * function only processes full blocks.
+ * \param input Buffer containing the input block(s).
+ * \param needs_padding Set to 0 if the padding bit has already been
+ * applied to the input data before calling this
+ * function. Otherwise, set this parameter to 1.
+ */
+static void poly1305_process( mbedtls_poly1305_context *ctx,
+ size_t nblocks,
+ const unsigned char *input,
+ uint32_t needs_padding )
+{
+ uint64_t d0, d1, d2, d3;
+ uint32_t acc0, acc1, acc2, acc3, acc4;
+ uint32_t r0, r1, r2, r3;
+ uint32_t rs1, rs2, rs3;
+ size_t offset = 0U;
+ size_t i;
+
+ r0 = ctx->r[0];
+ r1 = ctx->r[1];
+ r2 = ctx->r[2];
+ r3 = ctx->r[3];
+
+ rs1 = r1 + ( r1 >> 2U );
+ rs2 = r2 + ( r2 >> 2U );
+ rs3 = r3 + ( r3 >> 2U );
+
+ acc0 = ctx->acc[0];
+ acc1 = ctx->acc[1];
+ acc2 = ctx->acc[2];
+ acc3 = ctx->acc[3];
+ acc4 = ctx->acc[4];
+
+ /* Process full blocks */
+ for( i = 0U; i < nblocks; i++ )
+ {
+ /* The input block is treated as a 128-bit little-endian integer */
+ d0 = BYTES_TO_U32_LE( input, offset + 0 );
+ d1 = BYTES_TO_U32_LE( input, offset + 4 );
+ d2 = BYTES_TO_U32_LE( input, offset + 8 );
+ d3 = BYTES_TO_U32_LE( input, offset + 12 );
+
+ /* Compute: acc += (padded) block as a 130-bit integer */
+ d0 += (uint64_t) acc0;
+ d1 += (uint64_t) acc1 + ( d0 >> 32U );
+ d2 += (uint64_t) acc2 + ( d1 >> 32U );
+ d3 += (uint64_t) acc3 + ( d2 >> 32U );
+ acc0 = (uint32_t) d0;
+ acc1 = (uint32_t) d1;
+ acc2 = (uint32_t) d2;
+ acc3 = (uint32_t) d3;
+ acc4 += (uint32_t) ( d3 >> 32U ) + needs_padding;
+
+ /* Compute: acc *= r */
+ d0 = mul64( acc0, r0 ) +
+ mul64( acc1, rs3 ) +
+ mul64( acc2, rs2 ) +
+ mul64( acc3, rs1 );
+ d1 = mul64( acc0, r1 ) +
+ mul64( acc1, r0 ) +
+ mul64( acc2, rs3 ) +
+ mul64( acc3, rs2 ) +
+ mul64( acc4, rs1 );
+ d2 = mul64( acc0, r2 ) +
+ mul64( acc1, r1 ) +
+ mul64( acc2, r0 ) +
+ mul64( acc3, rs3 ) +
+ mul64( acc4, rs2 );
+ d3 = mul64( acc0, r3 ) +
+ mul64( acc1, r2 ) +
+ mul64( acc2, r1 ) +
+ mul64( acc3, r0 ) +
+ mul64( acc4, rs3 );
+ acc4 *= r0;
+
+ /* Compute: acc %= (2^130 - 5) (partial remainder) */
+ d1 += ( d0 >> 32 );
+ d2 += ( d1 >> 32 );
+ d3 += ( d2 >> 32 );
+ acc0 = (uint32_t) d0;
+ acc1 = (uint32_t) d1;
+ acc2 = (uint32_t) d2;
+ acc3 = (uint32_t) d3;
+ acc4 = (uint32_t) ( d3 >> 32 ) + acc4;
+
+ d0 = (uint64_t) acc0 + ( acc4 >> 2 ) + ( acc4 & 0xFFFFFFFCU );
+ acc4 &= 3U;
+ acc0 = (uint32_t) d0;
+ d0 = (uint64_t) acc1 + ( d0 >> 32U );
+ acc1 = (uint32_t) d0;
+ d0 = (uint64_t) acc2 + ( d0 >> 32U );
+ acc2 = (uint32_t) d0;
+ d0 = (uint64_t) acc3 + ( d0 >> 32U );
+ acc3 = (uint32_t) d0;
+ d0 = (uint64_t) acc4 + ( d0 >> 32U );
+ acc4 = (uint32_t) d0;
+
+ offset += POLY1305_BLOCK_SIZE_BYTES;
+ }
+
+ ctx->acc[0] = acc0;
+ ctx->acc[1] = acc1;
+ ctx->acc[2] = acc2;
+ ctx->acc[3] = acc3;
+ ctx->acc[4] = acc4;
+}
+
+/**
+ * \brief Compute the Poly1305 MAC
+ *
+ * \param ctx The Poly1305 context.
+ * \param mac The buffer to where the MAC is written. Must be
+ * big enough to contain the 16-byte MAC.
+ */
+static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx,
+ unsigned char mac[16] )
+{
+ uint64_t d;
+ uint32_t g0, g1, g2, g3, g4;
+ uint32_t acc0, acc1, acc2, acc3, acc4;
+ uint32_t mask;
+ uint32_t mask_inv;
+
+ acc0 = ctx->acc[0];
+ acc1 = ctx->acc[1];
+ acc2 = ctx->acc[2];
+ acc3 = ctx->acc[3];
+ acc4 = ctx->acc[4];
+
+ /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
+ * We do this by calculating acc - (2^130 - 5), then checking if
+ * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
+ */
+
+ /* Calculate acc + -(2^130 - 5) */
+ d = ( (uint64_t) acc0 + 5U );
+ g0 = (uint32_t) d;
+ d = ( (uint64_t) acc1 + ( d >> 32 ) );
+ g1 = (uint32_t) d;
+ d = ( (uint64_t) acc2 + ( d >> 32 ) );
+ g2 = (uint32_t) d;
+ d = ( (uint64_t) acc3 + ( d >> 32 ) );
+ g3 = (uint32_t) d;
+ g4 = acc4 + (uint32_t) ( d >> 32U );
+
+ /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
+ mask = (uint32_t) 0U - ( g4 >> 2U );
+ mask_inv = ~mask;
+
+ /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
+ acc0 = ( acc0 & mask_inv ) | ( g0 & mask );
+ acc1 = ( acc1 & mask_inv ) | ( g1 & mask );
+ acc2 = ( acc2 & mask_inv ) | ( g2 & mask );
+ acc3 = ( acc3 & mask_inv ) | ( g3 & mask );
+
+ /* Add 's' */
+ d = (uint64_t) acc0 + ctx->s[0];
+ acc0 = (uint32_t) d;
+ d = (uint64_t) acc1 + ctx->s[1] + ( d >> 32U );
+ acc1 = (uint32_t) d;
+ d = (uint64_t) acc2 + ctx->s[2] + ( d >> 32U );
+ acc2 = (uint32_t) d;
+ acc3 += ctx->s[3] + (uint32_t) ( d >> 32U );
+
+ /* Compute MAC (128 least significant bits of the accumulator) */
+ mac[ 0] = (unsigned char)( acc0 );
+ mac[ 1] = (unsigned char)( acc0 >> 8 );
+ mac[ 2] = (unsigned char)( acc0 >> 16 );
+ mac[ 3] = (unsigned char)( acc0 >> 24 );
+ mac[ 4] = (unsigned char)( acc1 );
+ mac[ 5] = (unsigned char)( acc1 >> 8 );
+ mac[ 6] = (unsigned char)( acc1 >> 16 );
+ mac[ 7] = (unsigned char)( acc1 >> 24 );
+ mac[ 8] = (unsigned char)( acc2 );
+ mac[ 9] = (unsigned char)( acc2 >> 8 );
+ mac[10] = (unsigned char)( acc2 >> 16 );
+ mac[11] = (unsigned char)( acc2 >> 24 );
+ mac[12] = (unsigned char)( acc3 );
+ mac[13] = (unsigned char)( acc3 >> 8 );
+ mac[14] = (unsigned char)( acc3 >> 16 );
+ mac[15] = (unsigned char)( acc3 >> 24 );
+}
+
+void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
+{
+ if( ctx != NULL )
+ {
+ mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
+ }
+}
+
+void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx )
+{
+ if( ctx != NULL )
+ {
+ mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
+ }
+}
+
+int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
+ const unsigned char key[32] )
+{
+ if( ctx == NULL || key == NULL )
+ {
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+
+ /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
+ ctx->r[0] = BYTES_TO_U32_LE( key, 0 ) & 0x0FFFFFFFU;
+ ctx->r[1] = BYTES_TO_U32_LE( key, 4 ) & 0x0FFFFFFCU;
+ ctx->r[2] = BYTES_TO_U32_LE( key, 8 ) & 0x0FFFFFFCU;
+ ctx->r[3] = BYTES_TO_U32_LE( key, 12 ) & 0x0FFFFFFCU;
+
+ ctx->s[0] = BYTES_TO_U32_LE( key, 16 );
+ ctx->s[1] = BYTES_TO_U32_LE( key, 20 );
+ ctx->s[2] = BYTES_TO_U32_LE( key, 24 );
+ ctx->s[3] = BYTES_TO_U32_LE( key, 28 );
+
+ /* Initial accumulator state */
+ ctx->acc[0] = 0U;
+ ctx->acc[1] = 0U;
+ ctx->acc[2] = 0U;
+ ctx->acc[3] = 0U;
+ ctx->acc[4] = 0U;
+
+ /* Queue initially empty */
+ mbedtls_platform_zeroize( ctx->queue, sizeof( ctx->queue ) );
+ ctx->queue_len = 0U;
+
+ return( 0 );
+}
+
+int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
+ const unsigned char *input,
+ size_t ilen )
+{
+ size_t offset = 0U;
+ size_t remaining = ilen;
+ size_t queue_free_len;
+ size_t nblocks;
+
+ if( ctx == NULL )
+ {
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+ else if( ( ilen > 0U ) && ( input == NULL ) )
+ {
+ /* input pointer is allowed to be NULL only if ilen == 0 */
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+
+ if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) )
+ {
+ queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
+
+ if( ilen < queue_free_len )
+ {
+ /* Not enough data to complete the block.
+ * Store this data with the other leftovers.
+ */
+ memcpy( &ctx->queue[ctx->queue_len],
+ input,
+ ilen );
+
+ ctx->queue_len += ilen;
+
+ remaining = 0U;
+ }
+ else
+ {
+ /* Enough data to produce a complete block */
+ memcpy( &ctx->queue[ctx->queue_len],
+ input,
+ queue_free_len );
+
+ ctx->queue_len = 0U;
+
+ poly1305_process( ctx, 1U, ctx->queue, 1U ); /* add padding bit */
+
+ offset += queue_free_len;
+ remaining -= queue_free_len;
+ }
+ }
+
+ if( remaining >= POLY1305_BLOCK_SIZE_BYTES )
+ {
+ nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
+
+ poly1305_process( ctx, nblocks, &input[offset], 1U );
+
+ offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
+ remaining %= POLY1305_BLOCK_SIZE_BYTES;
+ }
+
+ if( remaining > 0U )
+ {
+ /* Store partial block */
+ ctx->queue_len = remaining;
+ memcpy( ctx->queue, &input[offset], remaining );
+ }
+
+ return( 0 );
+}
+
+int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
+ unsigned char mac[16] )
+{
+ if( ( ctx == NULL ) || ( mac == NULL ) )
+ {
+ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ }
+
+ /* Process any leftover data */
+ if( ctx->queue_len > 0U )
+ {
+ /* Add padding bit */
+ ctx->queue[ctx->queue_len] = 1U;
+ ctx->queue_len++;
+
+ /* Pad with zeroes */
+ memset( &ctx->queue[ctx->queue_len],
+ 0,
+ POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
+
+ poly1305_process( ctx, 1U, /* Process 1 block */
+ ctx->queue, 0U ); /* Already padded above */
+ }
+
+ poly1305_compute_mac( ctx, mac );
+
+ return( 0 );
+}
+
+int mbedtls_poly1305_mac( const unsigned char key[32],
+ const unsigned char *input,
+ size_t ilen,
+ unsigned char mac[16] )
+{
+ mbedtls_poly1305_context ctx;
+ int ret;
+
+ mbedtls_poly1305_init( &ctx );
+
+ ret = mbedtls_poly1305_starts( &ctx, key );
+ if( ret != 0 )
+ goto cleanup;
+
+ ret = mbedtls_poly1305_update( &ctx, input, ilen );
+ if( ret != 0 )
+ goto cleanup;
+
+ ret = mbedtls_poly1305_finish( &ctx, mac );
+
+cleanup:
+ mbedtls_poly1305_free( &ctx );
+ return( ret );
+}
+
+#endif /* MBEDTLS_POLY1305_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+ {
+ 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
+ 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
+ 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
+ 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
+ },
+ {
+ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
+ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
+ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
+ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
+ }
+};
+
+static const unsigned char test_data[2][127] =
+{
+ {
+ 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
+ 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
+ 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
+ 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
+ 0x75, 0x70
+ },
+ {
+ 0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
+ 0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
+ 0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+ 0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
+ 0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
+ 0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
+ 0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
+ 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
+ 0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
+ 0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
+ 0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
+ 0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
+ 0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
+ 0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
+ 0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
+ 0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
+ }
+};
+
+static const size_t test_data_len[2] =
+{
+ 34U,
+ 127U
+};
+
+static const unsigned char test_mac[2][16] =
+{
+ {
+ 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
+ 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
+ },
+ {
+ 0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
+ 0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
+ }
+};
+
+#define ASSERT( cond, args ) \
+ do \
+ { \
+ if( ! ( cond ) ) \
+ { \
+ if( verbose != 0 ) \
+ mbedtls_printf args; \
+ \
+ return( -1 ); \
+ } \
+ } \
+ while( 0 )
+
+int mbedtls_poly1305_self_test( int verbose )
+{
+ unsigned char mac[16];
+ unsigned i;
+ int ret;
+
+ for( i = 0U; i < 2U; i++ )
+ {
+ if( verbose != 0 )
+ mbedtls_printf( " Poly1305 test %u ", i );
+
+ ret = mbedtls_poly1305_mac( test_keys[i],
+ test_data[i],
+ test_data_len[i],
+ mac );
+ ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
+
+ ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );
+
+ if( verbose != 0 )
+ mbedtls_printf( "passed\n" );
+ }
+
+ if( verbose != 0 )
+ mbedtls_printf( "\n" );
+
+ return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_POLY1305_C */
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 95e6163..59cdc7a 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -47,7 +47,7 @@
* 1. By key exchange:
* Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
* 2. By key length and cipher:
- * AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES
+ * ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128 > 3DES
* 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
* 4. By hash function used when relevant
* 5. By key exchange/auth again: EC > non-EC
@@ -57,6 +57,11 @@
#if defined(MBEDTLS_SSL_CIPHERSUITES)
MBEDTLS_SSL_CIPHERSUITES,
#else
+ /* Chacha-Poly ephemeral suites */
+ MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+
/* All AES-256 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
@@ -81,6 +86,14 @@
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ /* All ARIA-256 ephemeral suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+
/* All AES-128 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
@@ -105,12 +118,22 @@
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ /* All ARIA-128 ephemeral suites */
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+
/* All remaining >= 128-bit ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
/* The PSK ephemeral suites */
+ MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
@@ -121,6 +144,9 @@
MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
+ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
@@ -132,6 +158,9 @@
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
+ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
@@ -161,6 +190,14 @@
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+ /* All ARIA-256 suites */
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+ MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+
/* All AES-128 suites */
MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
@@ -183,27 +220,41 @@
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+ /* All ARIA-128 suites */
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+ MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+
/* All remaining >= 128-bit suites */
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
/* The RSA PSK suites */
+ MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
/* The PSK suites */
+ MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384,
@@ -211,6 +262,8 @@
MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
+ MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+ MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_PSK_WITH_AES_128_CCM,
@@ -219,6 +272,8 @@
MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
+ MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+ MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
@@ -266,6 +321,75 @@
static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
{
+#if defined(MBEDTLS_CHACHAPOLY_C) && \
+ defined(MBEDTLS_SHA256_C) && \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+ { MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+ { MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+ { MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+ { MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256",
+ MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#endif /* MBEDTLS_CHACHAPOLY_C &&
+ MBEDTLS_SHA256_C &&
+ MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
#if defined(MBEDTLS_AES_C)
#if defined(MBEDTLS_SHA1_C)
@@ -1688,6 +1812,365 @@
#endif /* MBEDTLS_DES_C */
#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+#if defined(MBEDTLS_ARIA_C)
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-RSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-RSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-RSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-RSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+ "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+ "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+ "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+ "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+ "TLS-PSK-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384,MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+ "TLS-PSK-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+ "TLS-PSK-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+ "TLS-PSK-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+ "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+ { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
+ MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+ "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+ { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
+ MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+ 0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#endif /* MBEDTLS_ARIA_C */
+
+
{ 0, "",
MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE,
0, 0, 0, 0, 0 }
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 7455e99..ba59c48 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -57,7 +57,7 @@
size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t hostname_len;
*olen = 0;
@@ -127,7 +127,7 @@
size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
@@ -171,7 +171,7 @@
size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t sig_alg_len = 0;
const int *md;
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
@@ -256,7 +256,7 @@
size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
unsigned char *elliptic_curve_list = p + 6;
size_t elliptic_curve_len = 0;
const mbedtls_ecp_curve_info *info;
@@ -329,7 +329,7 @@
size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
@@ -362,7 +362,7 @@
{
int ret;
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t kkpp_len;
*olen = 0;
@@ -439,7 +439,7 @@
size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
@@ -472,7 +472,7 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
@@ -504,7 +504,7 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
@@ -538,7 +538,7 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
@@ -572,7 +572,7 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t tlen = ssl->session_negotiate->ticket_len;
*olen = 0;
@@ -616,7 +616,7 @@
unsigned char *buf, size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t alpnlen = 0;
const char **cur;
@@ -1247,14 +1247,14 @@
size_t list_size;
const unsigned char *p;
- list_size = buf[0];
- if( list_size + 1 != len )
+ if( len == 0 || (size_t)( buf[0] + 1 ) != len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
+ list_size = buf[0];
p = buf + 1;
while( list_size > 0 )
@@ -2117,7 +2117,7 @@
size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
unsigned char *p = ssl->handshake->premaster + pms_offset;
- if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
@@ -2160,7 +2160,7 @@
if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
p, ssl->handshake->pmslen,
ssl->out_msg + offset + len_bytes, olen,
- MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
+ MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
@@ -2544,10 +2544,9 @@
defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( md_alg != MBEDTLS_MD_NONE )
{
- /* Info from md_alg will be used instead */
- hashlen = 0;
- ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params,
- params_len, md_alg );
+ ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
+ params, params_len,
+ md_alg );
if( ret != 0 )
return( ret );
}
@@ -2559,8 +2558,7 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
- MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
- (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
+ MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
if( ssl->session_negotiate->peer_cert == NULL )
{
@@ -2711,7 +2709,7 @@
* therefore the buffer length at this point must be greater than that
* regardless of the actual code path.
*/
- if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
+ if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
@@ -2928,7 +2926,7 @@
i = 4;
n = ssl->conf->psk_identity_len;
- if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
"SSL buffer too short" ) );
@@ -2964,7 +2962,7 @@
*/
n = ssl->handshake->dhm_ctx.len;
- if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
" or SSL buffer too short" ) );
@@ -2993,7 +2991,7 @@
* ClientECDiffieHellmanPublic public;
*/
ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
- &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
+ &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
@@ -3034,7 +3032,7 @@
i = 4;
ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
- ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
+ ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 09b7a3f..52087ae 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -91,6 +91,13 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
+ if( len < 2 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
if( servername_list_size + 2 != len )
{
@@ -101,7 +108,7 @@
}
p = buf + 2;
- while( servername_list_size > 0 )
+ while( servername_list_size > 2 )
{
hostname_len = ( ( p[1] << 8 ) | p[2] );
if( hostname_len + 3 > servername_list_size )
@@ -205,6 +212,12 @@
mbedtls_md_type_t md_cur;
mbedtls_pk_type_t sig_cur;
+ if ( len < 2 ) {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
if( sig_alg_list_size + 2 != len ||
sig_alg_list_size % 2 != 0 )
@@ -273,6 +286,12 @@
const unsigned char *p;
const mbedtls_ecp_curve_info *curve_info, **curves;
+ if ( len < 2 ) {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
if( list_size + 2 != len ||
list_size % 2 != 0 )
@@ -332,14 +351,14 @@
size_t list_size;
const unsigned char *p;
- list_size = buf[0];
- if( list_size + 1 != len )
+ if( len == 0 || (size_t)( buf[0] + 1 ) != len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
+ list_size = buf[0];
p = buf + 1;
while( list_size > 0 )
@@ -709,7 +728,7 @@
MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
cur->cert );
- if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
+ if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
continue;
@@ -733,7 +752,7 @@
#if defined(MBEDTLS_ECDSA_C)
if( pk_alg == MBEDTLS_PK_ECDSA &&
- ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
+ ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
continue;
@@ -1303,7 +1322,7 @@
else
#endif
{
- if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
@@ -1656,10 +1675,16 @@
while( ext_len != 0 )
{
- unsigned int ext_id = ( ( ext[0] << 8 )
- | ( ext[1] ) );
- unsigned int ext_size = ( ( ext[2] << 8 )
- | ( ext[3] ) );
+ unsigned int ext_id;
+ unsigned int ext_size;
+ if ( ext_len < 4 ) {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
+ ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) );
+ ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) );
if( ext_size + 4 > ext_len )
{
@@ -2235,7 +2260,7 @@
{
int ret;
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t kkpp_len;
*olen = 0;
@@ -2342,7 +2367,7 @@
cookie_len_byte = p++;
if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
- &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
+ &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
ssl->cli_id, ssl->cli_id_len ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
@@ -2638,7 +2663,7 @@
size_t dn_size, total_dn_size; /* excluding length bytes */
size_t ct_len, sa_len; /* including length bytes */
unsigned char *buf, *p;
- const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
const mbedtls_x509_crt *crt;
int authmode;
@@ -2828,54 +2853,56 @@
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
-static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
+ size_t *signature_len )
{
- int ret;
- size_t n = 0;
+ /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+ * signature length which will be added in ssl_write_server_key_exchange
+ * after the call to ssl_prepare_server_key_exchange.
+ * ssl_write_server_key_exchange also takes care of incrementing
+ * ssl->out_msglen. */
+ unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
+ size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
+ - sig_start );
+ int ret = ssl->conf->f_async_resume( ssl,
+ sig_start, signature_len, sig_max_len );
+ if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+ {
+ ssl->handshake->async_in_progress = 0;
+ mbedtls_ssl_set_async_operation_data( ssl, NULL );
+ }
+ MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
+ return( ret );
+}
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+
+/* Prepare the ServerKeyExchange message, up to and including
+ * calculating the signature if any, but excluding formatting the
+ * signature and sending the message. */
+static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
+ size_t *signature_len )
+{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->transform_negotiate->ciphersuite_info;
-
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
- unsigned char *p = ssl->out_msg + 4;
- size_t len;
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
- unsigned char *dig_signed = p;
- size_t dig_signed_len = 0;
+ unsigned char *dig_signed = NULL;
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
+ (void) ciphersuite_info; /* unused in some configurations */
+#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+ (void) signature_len;
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+ ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
/*
*
- * Part 1: Extract static ECDH parameters and abort
- * if ServerKeyExchange not needed.
- *
- */
-
- /* For suites involving ECDH, extract DH parameters
- * from certificate at this point. */
-#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
- if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
- {
- ssl_get_ecdh_params_from_cert( ssl );
- }
-#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
-
- /* Key exchanges not involving ephemeral keys don't use
- * ServerKeyExchange, so end here. */
-#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
- if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
- ssl->state++;
- return( 0 );
- }
-#endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
-
- /*
- *
- * Part 2: Provide key exchange parameters for chosen ciphersuite.
+ * Part 1: Provide key exchange parameters for chosen ciphersuite.
*
*/
@@ -2885,18 +2912,21 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
{
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+ int ret;
+ size_t len = 0;
- ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
- p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng );
+ ret = mbedtls_ecjpake_write_round_two(
+ &ssl->handshake->ecjpake_ctx,
+ ssl->out_msg + ssl->out_msglen,
+ MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
+ ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
return( ret );
}
- p += len;
- n += len;
+ ssl->out_msglen += len;
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@@ -2910,10 +2940,8 @@
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
{
- *(p++) = 0x00;
- *(p++) = 0x00;
-
- n += 2;
+ ssl->out_msg[ssl->out_msglen++] = 0x00;
+ ssl->out_msg[ssl->out_msglen++] = 0x00;
}
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
@@ -2924,6 +2952,9 @@
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
{
+ int ret;
+ size_t len = 0;
+
if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
@@ -2947,21 +2978,21 @@
return( ret );
}
- if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
- (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
- p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+ if( ( ret = mbedtls_dhm_make_params(
+ &ssl->handshake->dhm_ctx,
+ (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+ ssl->out_msg + ssl->out_msglen, &len,
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
return( ret );
}
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
- dig_signed = p;
- dig_signed_len = len;
+ dig_signed = ssl->out_msg + ssl->out_msglen;
#endif
- p += len;
- n += len;
+ ssl->out_msglen += len;
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
@@ -2986,6 +3017,8 @@
*/
const mbedtls_ecp_curve_info **curve = NULL;
const mbedtls_ecp_group_id *gid;
+ int ret;
+ size_t len = 0;
/* Match our preference list against the offered curves */
for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
@@ -3009,21 +3042,21 @@
return( ret );
}
- if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
- p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
- ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+ if( ( ret = mbedtls_ecdh_make_params(
+ &ssl->handshake->ecdh_ctx, &len,
+ ssl->out_msg + ssl->out_msglen,
+ MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
return( ret );
}
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
- dig_signed = p;
- dig_signed_len = len;
+ dig_signed = ssl->out_msg + ssl->out_msglen;
#endif
- p += len;
- n += len;
+ ssl->out_msglen += len;
MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
}
@@ -3031,19 +3064,20 @@
/*
*
- * Part 3: For key exchanges involving the server signing the
+ * Part 2: For key exchanges involving the server signing the
* exchange parameters, compute and add the signature here.
*
*/
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
{
- size_t signature_len = 0;
- unsigned int hashlen = 0;
- unsigned char hash[64];
+ size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
+ size_t hashlen = 0;
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+ int ret;
/*
- * 3.1: Choose hash algorithm:
+ * 2.1: Choose hash algorithm:
* A: For TLS 1.2, obey signature-hash-algorithm extension
* to choose appropriate hash.
* B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
@@ -3090,7 +3124,7 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
/*
- * 3.2: Compute the hash to be signed
+ * 2.2: Compute the hash to be signed
*/
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
@@ -3110,9 +3144,7 @@
defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( md_alg != MBEDTLS_MD_NONE )
{
- /* Info from md_alg will be used instead */
- hashlen = 0;
- ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash,
+ ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
dig_signed,
dig_signed_len,
md_alg );
@@ -3127,18 +3159,11 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
- MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
- (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
+ MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
/*
- * 3.3: Compute and add the signature
+ * 2.3: Compute and add the signature
*/
- if( mbedtls_ssl_own_key( ssl ) == NULL )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
- return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
- }
-
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
@@ -3158,33 +3183,150 @@
*
*/
- *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg );
- *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg );
-
- n += 2;
+ ssl->out_msg[ssl->out_msglen++] =
+ mbedtls_ssl_hash_from_md_alg( md_alg );
+ ssl->out_msg[ssl->out_msglen++] =
+ mbedtls_ssl_sig_from_pk_alg( sig_alg );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
- if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
- p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( ssl->conf->f_async_sign_start != NULL )
+ {
+ ret = ssl->conf->f_async_sign_start( ssl,
+ mbedtls_ssl_own_cert( ssl ),
+ md_alg, hash, hashlen );
+ switch( ret )
+ {
+ case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+ /* act as if f_async_sign was null */
+ break;
+ case 0:
+ ssl->handshake->async_in_progress = 1;
+ return( ssl_resume_server_key_exchange( ssl, signature_len ) );
+ case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+ ssl->handshake->async_in_progress = 1;
+ return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+ default:
+ MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
+ return( ret );
+ }
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+ if( mbedtls_ssl_own_key( ssl ) == NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
+ return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+ }
+
+ /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+ * signature length which will be added in ssl_write_server_key_exchange
+ * after the call to ssl_prepare_server_key_exchange.
+ * ssl_write_server_key_exchange also takes care of incrementing
+ * ssl->out_msglen. */
+ if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
+ md_alg, hash, hashlen,
+ ssl->out_msg + ssl->out_msglen + 2,
+ signature_len,
+ ssl->conf->f_rng,
+ ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
return( ret );
}
-
- *(p++) = (unsigned char)( signature_len >> 8 );
- *(p++) = (unsigned char)( signature_len );
- n += 2;
-
- MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
-
- n += signature_len;
}
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
- /* Done with actual work; add header and send. */
+ return( 0 );
+}
- ssl->out_msglen = 4 + n;
+/* Prepare the ServerKeyExchange message and send it. For ciphersuites
+ * that do not include a ServerKeyExchange message, do nothing. Either
+ * way, if successful, move on to the next step in the SSL state
+ * machine. */
+static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
+{
+ int ret;
+ size_t signature_len = 0;
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+ /* Extract static ECDH parameters and abort if ServerKeyExchange
+ * is not needed. */
+ if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
+ {
+ /* For suites involving ECDH, extract DH parameters
+ * from certificate at this point. */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+ if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
+ {
+ ssl_get_ecdh_params_from_cert( ssl );
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+
+ /* Key exchanges not involving ephemeral keys don't use
+ * ServerKeyExchange, so end here. */
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
+ ssl->state++;
+ return( 0 );
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ /* If we have already prepared the message and there is an ongoing
+ * signature operation, resume signing. */
+ if( ssl->handshake->async_in_progress != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
+ ret = ssl_resume_server_key_exchange( ssl, &signature_len );
+ }
+ else
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+ defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+ {
+ /* ServerKeyExchange is needed. Prepare the message. */
+ ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
+ }
+
+ if( ret != 0 )
+ {
+ /* If we're starting to write a new message, set ssl->out_msglen
+ * to 0. But if we're resuming after an asynchronous message,
+ * out_msglen is the amount of data written so far and mst be
+ * preserved. */
+ if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
+ else
+ ssl->out_msglen = 0;
+ return( ret );
+ }
+
+ /* If there is a signature, write its length.
+ * ssl_prepare_server_key_exchange already wrote the signature
+ * itself at its proper place in the output buffer. */
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+ if( signature_len != 0 )
+ {
+ ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
+ ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len );
+
+ MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
+ ssl->out_msg + ssl->out_msglen,
+ signature_len );
+
+ /* Skip over the already-written signature */
+ ssl->out_msglen += signature_len;
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+ /* Add header and send. */
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
@@ -3197,7 +3339,6 @@
}
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
-
return( 0 );
}
@@ -3272,33 +3413,59 @@
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
- const unsigned char *p,
- const unsigned char *end,
- size_t pms_offset )
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
+ unsigned char *peer_pms,
+ size_t *peer_pmslen,
+ size_t peer_pmssize )
+{
+ int ret = ssl->conf->f_async_resume( ssl,
+ peer_pms, peer_pmslen, peer_pmssize );
+ if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+ {
+ ssl->handshake->async_in_progress = 0;
+ mbedtls_ssl_set_async_operation_data( ssl, NULL );
+ }
+ MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
+ return( ret );
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
+ const unsigned char *p,
+ const unsigned char *end,
+ unsigned char *peer_pms,
+ size_t *peer_pmslen,
+ size_t peer_pmssize )
{
int ret;
- size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
- unsigned char *pms = ssl->handshake->premaster + pms_offset;
- unsigned char ver[2];
- unsigned char fake_pms[48], peer_pms[48];
- unsigned char mask;
- size_t i, peer_pmslen;
- unsigned int diff;
+ mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
+ mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
+ size_t len = mbedtls_pk_get_len( public_key );
- if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ /* If we have already started decoding the message and there is an ongoing
+ * decryption operation, resume signing. */
+ if( ssl->handshake->async_in_progress != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
- return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
+ return( ssl_resume_decrypt_pms( ssl,
+ peer_pms, peer_pmslen, peer_pmssize ) );
}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
/*
- * Decrypt the premaster using own private RSA key
+ * Prepare to decrypt the premaster using own private RSA key
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
{
+ if ( p + 2 > end ) {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+ }
if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
*p++ != ( ( len ) & 0xFF ) )
{
@@ -3314,30 +3481,120 @@
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
}
+ /*
+ * Decrypt the premaster secret
+ */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( ssl->conf->f_async_decrypt_start != NULL )
+ {
+ ret = ssl->conf->f_async_decrypt_start( ssl,
+ mbedtls_ssl_own_cert( ssl ),
+ p, len );
+ switch( ret )
+ {
+ case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+ /* act as if f_async_decrypt_start was null */
+ break;
+ case 0:
+ ssl->handshake->async_in_progress = 1;
+ return( ssl_resume_decrypt_pms( ssl,
+ peer_pms,
+ peer_pmslen,
+ peer_pmssize ) );
+ case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+ ssl->handshake->async_in_progress = 1;
+ return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+ default:
+ MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
+ return( ret );
+ }
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+ if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
+ return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+ }
+
+ ret = mbedtls_pk_decrypt( private_key, p, len,
+ peer_pms, peer_pmslen, peer_pmssize,
+ ssl->conf->f_rng, ssl->conf->p_rng );
+ return( ret );
+}
+
+static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
+ const unsigned char *p,
+ const unsigned char *end,
+ size_t pms_offset )
+{
+ int ret;
+ unsigned char *pms = ssl->handshake->premaster + pms_offset;
+ unsigned char ver[2];
+ unsigned char fake_pms[48], peer_pms[48];
+ unsigned char mask;
+ size_t i, peer_pmslen;
+ unsigned int diff;
+
+ /* In case of a failure in decryption, the decryption may write less than
+ * 2 bytes of output, but we always read the first two bytes. It doesn't
+ * matter in the end because diff will be nonzero in that case due to
+ * peer_pmslen being less than 48, and we only care whether diff is 0.
+ * But do initialize peer_pms for robustness anyway. This also makes
+ * memory analyzers happy (don't access uninitialized memory, even
+ * if it's an unsigned char). */
+ peer_pms[0] = peer_pms[1] = ~0;
+
+ ret = ssl_decrypt_encrypted_pms( ssl, p, end,
+ peer_pms,
+ &peer_pmslen,
+ sizeof( peer_pms ) );
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+ return( ret );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
- ssl->handshake->max_minor_ver,
- ssl->conf->transport, ver );
+ ssl->handshake->max_minor_ver,
+ ssl->conf->transport, ver );
+
+ /* Avoid data-dependent branches while checking for invalid
+ * padding, to protect against timing-based Bleichenbacher-type
+ * attacks. */
+ diff = (unsigned int) ret;
+ diff |= peer_pmslen ^ 48;
+ diff |= peer_pms[0] ^ ver[0];
+ diff |= peer_pms[1] ^ ver[1];
+
+ /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
+ /* MSVC has a warning about unary minus on unsigned, but this is
+ * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+ mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
/*
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
* must not cause the connection to end immediately; instead, send a
* bad_record_mac later in the handshake.
- * Also, avoid data-dependant branches here to protect against
- * timing-based variants.
+ * To protect against timing-based variants of the attack, we must
+ * not have any branch that depends on whether the decryption was
+ * successful. In particular, always generate the fake premaster secret,
+ * regardless of whether it will ultimately influence the output or not.
*/
ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
if( ret != 0 )
+ {
+ /* It's ok to abort on an RNG failure, since this does not reveal
+ * anything about the RSA decryption. */
return( ret );
-
- ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
- peer_pms, &peer_pmslen,
- sizeof( peer_pms ),
- ssl->conf->f_rng, ssl->conf->p_rng );
-
- diff = (unsigned int) ret;
- diff |= peer_pmslen ^ 48;
- diff |= peer_pms[0] ^ ver[0];
- diff |= peer_pms[1] ^ ver[1];
+ }
#if defined(MBEDTLS_SSL_DEBUG_ALL)
if( diff != 0 )
@@ -3352,18 +3609,8 @@
}
ssl->handshake->pmslen = 48;
- /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
- /* MSVC has a warning about unary minus on unsigned, but this is
- * well-defined and precisely what we want to do here */
-#if defined(_MSC_VER)
-#pragma warning( push )
-#pragma warning( disable : 4146 )
-#endif
- mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
-#if defined(_MSC_VER)
-#pragma warning( pop )
-#endif
-
+ /* Set pms to either the true or the fake PMS, without
+ * data-dependent branches. */
for( i = 0; i < ssl->handshake->pmslen; i++ )
pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
@@ -3445,6 +3692,20 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
+ ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
+ if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
+ ( ssl->handshake->async_in_progress != 0 ) )
+ {
+ /* We've already read a record and there is an asynchronous
+ * operation in progress to decrypt it. So skip reading the
+ * record. */
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
+ }
+ else
+#endif
if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
@@ -3557,6 +3818,19 @@
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
{
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if ( ssl->handshake->async_in_progress != 0 )
+ {
+ /* There is an asynchronous operation in progress to
+ * decrypt the encrypted premaster secret, so skip
+ * directly to resuming this operation. */
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
+ /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
+ * won't actually use it, but maintain p anyway for robustness. */
+ p += ssl->conf->psk_identity_len + 2;
+ }
+ else
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
@@ -3926,7 +4200,7 @@
if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
ssl->session_negotiate,
ssl->out_msg + 10,
- ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
+ ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
&tlen, &lifetime ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d66c9cf..91f96c8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -141,14 +141,24 @@
* } MaxFragmentLength;
* and we add 0 -> extension unused
*/
-static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
+static unsigned int ssl_mfl_code_to_length( int mfl )
{
- MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
- 512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */
- 1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
- 2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
- 4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
-};
+ switch( mfl )
+ {
+ case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
+ return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
+ case MBEDTLS_SSL_MAX_FRAG_LEN_512:
+ return 512;
+ case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
+ return 1024;
+ case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
+ return 2048;
+ case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
+ return 4096;
+ default:
+ return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
+ }
+}
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_CLI_C)
@@ -688,18 +698,32 @@
transform->keylen = cipher_info->key_bitlen / 8;
if( cipher_info->mode == MBEDTLS_MODE_GCM ||
- cipher_info->mode == MBEDTLS_MODE_CCM )
+ cipher_info->mode == MBEDTLS_MODE_CCM ||
+ cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
{
+ size_t taglen, explicit_ivlen;
+
transform->maclen = 0;
mac_key_len = 0;
+ /* All modes haves 96-bit IVs;
+ * GCM and CCM has 4 implicit and 8 explicit bytes
+ * ChachaPoly has all 12 bytes implicit
+ */
transform->ivlen = 12;
- transform->fixed_ivlen = 4;
+ if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+ transform->fixed_ivlen = 12;
+ else
+ transform->fixed_ivlen = 4;
- /* Minimum length is expicit IV + tag */
- transform->minlen = transform->ivlen - transform->fixed_ivlen
- + ( transform->ciphersuite_info->flags &
- MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
+ /* All modes have 128-bit tags, except CCM_8 (ciphersuite flag) */
+ taglen = transform->ciphersuite_info->flags &
+ MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+
+
+ /* Minimum length of encrypted record */
+ explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
+ transform->minlen = explicit_ivlen + taglen;
}
else
{
@@ -956,11 +980,11 @@
if( ssl->compress_buf == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
- ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
+ ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
if( ssl->compress_buf == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
- MBEDTLS_SSL_BUFFER_LEN ) );
+ MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
}
}
@@ -1151,6 +1175,9 @@
* other_secret already set by the ClientKeyExchange message,
* and is 48 bytes long
*/
+ if( end - p < 2 )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
*p++ = 0;
*p++ = 48;
p += 48;
@@ -1272,7 +1299,7 @@
#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
( defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) )
+ ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) )
#define SSL_SOME_MODES_USE_MAC
#endif
@@ -1318,11 +1345,11 @@
MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
ssl->out_msg, ssl->out_msglen );
- if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
(unsigned) ssl->out_msglen,
- MBEDTLS_SSL_MAX_CONTENT_LEN ) );
+ MBEDTLS_SSL_OUT_CONTENT_LEN ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -1415,17 +1442,26 @@
}
else
#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+#if defined(MBEDTLS_GCM_C) || \
+ defined(MBEDTLS_CCM_C) || \
+ defined(MBEDTLS_CHACHAPOLY_C)
if( mode == MBEDTLS_MODE_GCM ||
- mode == MBEDTLS_MODE_CCM )
+ mode == MBEDTLS_MODE_CCM ||
+ mode == MBEDTLS_MODE_CHACHAPOLY )
{
int ret;
size_t enc_msglen, olen;
unsigned char *enc_msg;
unsigned char add_data[13];
- unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
+ unsigned char iv[12];
+ mbedtls_ssl_transform *transform = ssl->transform_out;
+ unsigned char taglen = transform->ciphersuite_info->flags &
MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+ size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
+ /*
+ * Prepare additional authenticated data
+ */
memcpy( add_data, ssl->out_ctr, 8 );
add_data[8] = ssl->out_msgtype;
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
@@ -1433,44 +1469,57 @@
add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
add_data[12] = ssl->out_msglen & 0xFF;
- MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
- add_data, 13 );
+ MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
/*
* Generate IV
*/
- if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
+ if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+ {
+ /* GCM and CCM: fixed || explicit (=seqnum) */
+ memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+ memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 );
+ memcpy( ssl->out_iv, ssl->out_ctr, 8 );
+
+ }
+ else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
+ {
+ /* ChachaPoly: fixed XOR sequence number */
+ unsigned char i;
+
+ memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+
+ for( i = 0; i < 8; i++ )
+ iv[i+4] ^= ssl->out_ctr[i];
+ }
+ else
{
/* Reminder if we ever add an AEAD mode with a different size */
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
- memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
- ssl->out_ctr, 8 );
- memcpy( ssl->out_iv, ssl->out_ctr, 8 );
-
- MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
- ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
+ MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
+ iv, transform->ivlen );
+ MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
+ ssl->out_iv, explicit_ivlen );
/*
- * Fix pointer positions and message length with added IV
+ * Fix message length with added IV
*/
enc_msg = ssl->out_msg;
enc_msglen = ssl->out_msglen;
- ssl->out_msglen += ssl->transform_out->ivlen -
- ssl->transform_out->fixed_ivlen;
+ ssl->out_msglen += explicit_ivlen;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
- "including %d bytes of padding",
- ssl->out_msglen, 0 ) );
+ "including 0 bytes of padding",
+ ssl->out_msglen ) );
/*
* Encrypt and authenticate
*/
- if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
- ssl->transform_out->iv_enc,
- ssl->transform_out->ivlen,
+ if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
+ iv, transform->ivlen,
add_data, 13,
enc_msg, enc_msglen,
enc_msg, &olen,
@@ -1494,7 +1543,7 @@
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) )
+ ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
if( mode == MBEDTLS_MODE_CBC )
{
int ret;
@@ -1610,7 +1659,7 @@
}
else
#endif /* MBEDTLS_CIPHER_MODE_CBC &&
- ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */
+ ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -1630,7 +1679,6 @@
static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
{
- size_t i;
mbedtls_cipher_mode_t mode;
int auth_done = 0;
#if defined(SSL_SOME_MODES_USE_MAC)
@@ -1680,20 +1728,27 @@
}
else
#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+#if defined(MBEDTLS_GCM_C) || \
+ defined(MBEDTLS_CCM_C) || \
+ defined(MBEDTLS_CHACHAPOLY_C)
if( mode == MBEDTLS_MODE_GCM ||
- mode == MBEDTLS_MODE_CCM )
+ mode == MBEDTLS_MODE_CCM ||
+ mode == MBEDTLS_MODE_CHACHAPOLY )
{
int ret;
size_t dec_msglen, olen;
unsigned char *dec_msg;
unsigned char *dec_msg_result;
unsigned char add_data[13];
- unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
+ unsigned char iv[12];
+ mbedtls_ssl_transform *transform = ssl->transform_in;
+ unsigned char taglen = transform->ciphersuite_info->flags &
MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
- size_t explicit_iv_len = ssl->transform_in->ivlen -
- ssl->transform_in->fixed_ivlen;
+ size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
+ /*
+ * Compute and update sizes
+ */
if( ssl->in_msglen < explicit_iv_len + taglen )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
@@ -1707,6 +1762,9 @@
dec_msg_result = ssl->in_msg;
ssl->in_msglen = dec_msglen;
+ /*
+ * Prepare additional authenticated data
+ */
memcpy( add_data, ssl->in_ctr, 8 );
add_data[8] = ssl->in_msgtype;
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
@@ -1714,23 +1772,43 @@
add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
add_data[12] = ssl->in_msglen & 0xFF;
- MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
- add_data, 13 );
+ MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
- memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
- ssl->in_iv,
- ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
+ /*
+ * Prepare IV
+ */
+ if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+ {
+ /* GCM and CCM: fixed || explicit (transmitted) */
+ memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
+ memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 );
- MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
- ssl->transform_in->ivlen );
+ }
+ else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
+ {
+ /* ChachaPoly: fixed XOR sequence number */
+ unsigned char i;
+
+ memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
+
+ for( i = 0; i < 8; i++ )
+ iv[i+4] ^= ssl->in_ctr[i];
+ }
+ else
+ {
+ /* Reminder if we ever add an AEAD mode with a different size */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
/*
* Decrypt and authenticate
*/
if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
- ssl->transform_in->iv_dec,
- ssl->transform_in->ivlen,
+ iv, transform->ivlen,
add_data, 13,
dec_msg, dec_msglen,
dec_msg_result, &olen,
@@ -1754,7 +1832,7 @@
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) )
+ ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
if( mode == MBEDTLS_MODE_CBC )
{
/*
@@ -1848,6 +1926,7 @@
*/
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
{
+ unsigned char i;
dec_msglen -= ssl->transform_in->ivlen;
ssl->in_msglen -= ssl->transform_in->ivlen;
@@ -1921,27 +2000,28 @@
* and fake check up to 256 bytes of padding
*/
size_t pad_count = 0, real_count = 1;
- size_t padding_idx = ssl->in_msglen - padlen - 1;
+ size_t padding_idx = ssl->in_msglen - padlen;
+ size_t i;
/*
* Padding is guaranteed to be incorrect if:
- * 1. padlen >= ssl->in_msglen
+ * 1. padlen > ssl->in_msglen
*
- * 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
+ * 2. padding_idx > MBEDTLS_SSL_IN_CONTENT_LEN +
* ssl->transform_in->maclen
*
* In both cases we reset padding_idx to a safe value (0) to
* prevent out-of-buffer reads.
*/
- correct &= ( ssl->in_msglen >= padlen + 1 );
- correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
+ correct &= ( padlen <= ssl->in_msglen );
+ correct &= ( padding_idx <= MBEDTLS_SSL_IN_CONTENT_LEN +
ssl->transform_in->maclen );
padding_idx *= correct;
- for( i = 1; i <= 256; i++ )
+ for( i = 0; i < 256; i++ )
{
- real_count &= ( i <= padlen );
+ real_count &= ( i < padlen );
pad_count += real_count *
( ssl->in_msg[padding_idx + i] == padlen - 1 );
}
@@ -1966,7 +2046,7 @@
}
else
#endif /* MBEDTLS_CIPHER_MODE_CBC &&
- ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */
+ ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -2140,6 +2220,16 @@
if( ssl->in_msglen == 0 )
{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
+ && ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+ {
+ /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
ssl->nb_zero++;
/*
@@ -2164,6 +2254,7 @@
else
#endif
{
+ unsigned char i;
for( i = 8; i > ssl_ep_len( ssl ); i-- )
if( ++ssl->in_ctr[i - 1] != 0 )
break;
@@ -2213,7 +2304,7 @@
ssl->transform_out->ctx_deflate.next_in = msg_pre;
ssl->transform_out->ctx_deflate.avail_in = len_pre;
ssl->transform_out->ctx_deflate.next_out = msg_post;
- ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - bytes_written;
+ ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
if( ret != Z_OK )
@@ -2222,7 +2313,7 @@
return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
}
- ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
+ ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
ssl->transform_out->ctx_deflate.avail_out - bytes_written;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
@@ -2260,7 +2351,7 @@
ssl->transform_in->ctx_inflate.next_in = msg_pre;
ssl->transform_in->ctx_inflate.avail_in = len_pre;
ssl->transform_in->ctx_inflate.next_out = msg_post;
- ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_BUFFER_LEN -
+ ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
header_bytes;
ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
@@ -2270,7 +2361,7 @@
return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
}
- ssl->in_msglen = MBEDTLS_SSL_BUFFER_LEN -
+ ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
ssl->transform_in->ctx_inflate.avail_out - header_bytes;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
@@ -2345,7 +2436,7 @@
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
- if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
+ if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -2431,7 +2522,7 @@
}
else
{
- len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
+ len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
timeout = ssl->handshake->retransmit_timeout;
@@ -2885,12 +2976,12 @@
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
/* Make room for the additional DTLS fields */
- if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 )
+ if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
"size %u, maximum %u",
(unsigned) ( ssl->in_hslen - 4 ),
- (unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) );
+ (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -3103,7 +3194,7 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
msg_len ) );
- if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ if( ssl->in_hslen > MBEDTLS_SSL_IN_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
@@ -3207,7 +3298,7 @@
ssl->next_record_offset = new_remain - ssl->in_hdr;
ssl->in_left = ssl->next_record_offset + remain_len;
- if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
+ if( ssl->in_left > MBEDTLS_SSL_IN_BUFFER_LEN -
(size_t)( ssl->in_hdr - ssl->in_buf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
@@ -3583,7 +3674,7 @@
ssl->conf->p_cookie,
ssl->cli_id, ssl->cli_id_len,
ssl->in_buf, ssl->in_left,
- ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
+ ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
@@ -3680,7 +3771,7 @@
}
/* Check length against the size of our buffer */
- if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
+ if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
- (size_t)( ssl->in_msg - ssl->in_buf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
@@ -3774,7 +3865,7 @@
if( ssl->transform_in == NULL )
{
if( ssl->in_msglen < 1 ||
- ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -3790,7 +3881,7 @@
#if defined(MBEDTLS_SSL_PROTO_SSL3)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
- ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
+ ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -3803,7 +3894,7 @@
*/
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
ssl->in_msglen > ssl->transform_in->minlen +
- MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
+ MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -3851,7 +3942,7 @@
MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
ssl->in_msg, ssl->in_msglen );
- if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -4183,6 +4274,16 @@
if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
{
+ if( ssl->in_msglen != 2 )
+ {
+ /* Note: Standard allows for more than one 2 byte alert
+ to be packed in a single message, but Mbed TLS doesn't
+ currently support this. */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
+ ssl->in_msglen ) );
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+ }
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
ssl->in_msg[0], ssl->in_msg[1] ) );
@@ -4412,10 +4513,10 @@
while( crt != NULL )
{
n = crt->raw.len;
- if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
+ if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
- i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
+ i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
}
@@ -4615,6 +4716,12 @@
while( i < ssl->in_hslen )
{
+ if ( i + 3 > ssl->in_hslen ) {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+ }
if( ssl->in_msg[i] != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
@@ -5289,7 +5396,7 @@
/*
* Free our handshake params
*/
- mbedtls_ssl_handshake_free( ssl->handshake );
+ mbedtls_ssl_handshake_free( ssl );
mbedtls_free( ssl->handshake );
ssl->handshake = NULL;
@@ -5644,7 +5751,7 @@
if( ssl->session_negotiate )
mbedtls_ssl_session_free( ssl->session_negotiate );
if( ssl->handshake )
- mbedtls_ssl_handshake_free( ssl->handshake );
+ mbedtls_ssl_handshake_free( ssl );
/*
* Either the pointers are now NULL or cleared properly and can be freed.
@@ -5749,17 +5856,23 @@
const mbedtls_ssl_config *conf )
{
int ret;
- const size_t len = MBEDTLS_SSL_BUFFER_LEN;
ssl->conf = conf;
/*
* Prepare base structures
*/
- if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL ||
- ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
+ ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
+ if( ssl->in_buf == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ }
+
+ ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
+ if( ssl->out_buf == NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
mbedtls_free( ssl->in_buf );
ssl->in_buf = NULL;
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
@@ -5860,9 +5973,9 @@
ssl->transform_in = NULL;
ssl->transform_out = NULL;
- memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
+ memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
if( partial == 0 )
- memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
+ memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_reset != NULL )
@@ -6082,27 +6195,27 @@
mbedtls_x509_crt *cert,
mbedtls_pk_context *key )
{
- mbedtls_ssl_key_cert *new;
+ mbedtls_ssl_key_cert *new_cert;
- new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
- if( new == NULL )
+ new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
+ if( new_cert == NULL )
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
- new->cert = cert;
- new->key = key;
- new->next = NULL;
+ new_cert->cert = cert;
+ new_cert->key = key;
+ new_cert->next = NULL;
/* Update head is the list was null, else add to the end */
if( *head == NULL )
{
- *head = new;
+ *head = new_cert;
}
else
{
mbedtls_ssl_key_cert *cur = *head;
while( cur->next != NULL )
cur = cur->next;
- cur->next = new;
+ cur->next = new_cert;
}
return( 0 );
@@ -6187,7 +6300,7 @@
/* Identity len will be encoded on two bytes */
if( ( psk_identity_len >> 16 ) != 0 ||
- psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -6488,7 +6601,7 @@
int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
{
if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
- mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
+ ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
{
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -6567,6 +6680,43 @@
}
#endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+void mbedtls_ssl_conf_async_private_cb(
+ mbedtls_ssl_config *conf,
+ mbedtls_ssl_async_sign_t *f_async_sign,
+ mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+ mbedtls_ssl_async_resume_t *f_async_resume,
+ mbedtls_ssl_async_cancel_t *f_async_cancel,
+ void *async_config_data )
+{
+ conf->f_async_sign_start = f_async_sign;
+ conf->f_async_decrypt_start = f_async_decrypt;
+ conf->f_async_resume = f_async_resume;
+ conf->f_async_cancel = f_async_cancel;
+ conf->p_async_config_data = async_config_data;
+}
+
+void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
+{
+ return( conf->p_async_config_data );
+}
+
+void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
+{
+ if( ssl->handshake == NULL )
+ return( NULL );
+ else
+ return( ssl->handshake->user_async_ctx );
+}
+
+void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
+ void *ctx )
+{
+ if( ssl->handshake != NULL )
+ ssl->handshake->user_async_ctx = ctx;
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
/*
* SSL get accessors
*/
@@ -6729,15 +6879,15 @@
/*
* Assume mfl_code is correct since it was checked when set
*/
- max_len = mfl_code_to_length[ssl->conf->mfl_code];
+ max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
/*
* Check if a smaller max length was negotiated
*/
if( ssl->session_out != NULL &&
- mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
+ ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
{
- max_len = mfl_code_to_length[ssl->session_out->mfl_code];
+ max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
}
return max_len;
@@ -7281,8 +7431,16 @@
}
/*
- * Send application data to be encrypted by the SSL layer,
- * taking care of max fragment length and buffer size
+ * Send application data to be encrypted by the SSL layer, taking care of max
+ * fragment length and buffer size.
+ *
+ * According to RFC 5246 Section 6.2.1:
+ *
+ * Zero-length fragments of Application data MAY be sent as they are
+ * potentially useful as a traffic analysis countermeasure.
+ *
+ * Therefore, it is possible that the input message length is 0 and the
+ * corresponding return code is 0 on success.
*/
static int ssl_write_real( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len )
@@ -7291,7 +7449,7 @@
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
#else
- size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
+ size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
if( len > max_len )
{
@@ -7310,6 +7468,12 @@
if( ssl->out_left != 0 )
{
+ /*
+ * The user has previously tried to send the data and
+ * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
+ * written. In this case, we expect the high-level write function
+ * (e.g. mbedtls_ssl_write()) to be called with the same parameters
+ */
if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
@@ -7318,6 +7482,11 @@
}
else
{
+ /*
+ * The user is trying to send a message the first time, so we need to
+ * copy the data into the internal buffers and setup the data structure
+ * to keep track of partial writes
+ */
ssl->out_msglen = len;
ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
memcpy( ssl->out_msg, buf, len );
@@ -7474,11 +7643,21 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
+void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
{
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
if( handshake == NULL )
return;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
+ {
+ ssl->conf->f_async_cancel( ssl );
+ handshake->async_in_progress = 0;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
mbedtls_md5_free( &handshake->fin_md5 );
@@ -7583,20 +7762,20 @@
if( ssl->out_buf != NULL )
{
- mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
+ mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
mbedtls_free( ssl->out_buf );
}
if( ssl->in_buf != NULL )
{
- mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
+ mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
mbedtls_free( ssl->in_buf );
}
#if defined(MBEDTLS_ZLIB_SUPPORT)
if( ssl->compress_buf != NULL )
{
- mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
+ mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
mbedtls_free( ssl->compress_buf );
}
#endif
@@ -7609,7 +7788,7 @@
if( ssl->handshake )
{
- mbedtls_ssl_handshake_free( ssl->handshake );
+ mbedtls_ssl_handshake_free( ssl );
mbedtls_ssl_transform_free( ssl->transform_negotiate );
mbedtls_ssl_session_free( ssl->session_negotiate );
@@ -8376,13 +8555,14 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
- unsigned char *output,
- unsigned char *data, size_t data_len,
- mbedtls_md_type_t md_alg )
+ unsigned char *hash, size_t *hashlen,
+ unsigned char *data, size_t data_len,
+ mbedtls_md_type_t md_alg )
{
int ret = 0;
mbedtls_md_context_t ctx;
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+ *hashlen = mbedtls_md_get_size( md_info );
mbedtls_md_init( &ctx );
@@ -8413,7 +8593,7 @@
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
goto exit;
}
- if( ( ret = mbedtls_md_finish( &ctx, output ) ) != 0 )
+ if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
goto exit;
diff --git a/library/threading.c b/library/threading.c
index f1c3724..7a32e67 100644
--- a/library/threading.c
+++ b/library/threading.c
@@ -114,9 +114,6 @@
#if defined(MBEDTLS_FS_IO)
mbedtls_mutex_init( &mbedtls_threading_readdir_mutex );
#endif
-#if defined(MBEDTLS_HAVE_TIME_DATE)
- mbedtls_mutex_init( &mbedtls_threading_gmtime_mutex );
-#endif
}
/*
@@ -127,9 +124,6 @@
#if defined(MBEDTLS_FS_IO)
mbedtls_mutex_free( &mbedtls_threading_readdir_mutex );
#endif
-#if defined(MBEDTLS_HAVE_TIME_DATE)
- mbedtls_mutex_free( &mbedtls_threading_gmtime_mutex );
-#endif
}
#endif /* MBEDTLS_THREADING_ALT */
@@ -142,8 +136,5 @@
#if defined(MBEDTLS_FS_IO)
mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
#endif
-#if defined(MBEDTLS_HAVE_TIME_DATE)
-mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
-#endif
#endif /* MBEDTLS_THREADING_C */
diff --git a/library/timing.c b/library/timing.c
index 6a30e51..3e8139f 100644
--- a/library/timing.c
+++ b/library/timing.c
@@ -39,7 +39,8 @@
#if !defined(MBEDTLS_TIMING_ALT)
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
- !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__)
+ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+ !defined(__HAIKU__)
#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in config.h"
#endif
diff --git a/library/version_features.c b/library/version_features.c
index a452caf..777b603 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -39,6 +39,9 @@
#if defined(MBEDTLS_NO_UDBL_DIVISION)
"MBEDTLS_NO_UDBL_DIVISION",
#endif /* MBEDTLS_NO_UDBL_DIVISION */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+ "MBEDTLS_NO_64BIT_MULTIPLICATION",
+#endif /* MBEDTLS_NO_64BIT_MULTIPLICATION */
#if defined(MBEDTLS_HAVE_SSE2)
"MBEDTLS_HAVE_SSE2",
#endif /* MBEDTLS_HAVE_SSE2 */
@@ -90,6 +93,9 @@
#if defined(MBEDTLS_ARC4_ALT)
"MBEDTLS_ARC4_ALT",
#endif /* MBEDTLS_ARC4_ALT */
+#if defined(MBEDTLS_ARIA_ALT)
+ "MBEDTLS_ARIA_ALT",
+#endif /* MBEDTLS_ARIA_ALT */
#if defined(MBEDTLS_BLOWFISH_ALT)
"MBEDTLS_BLOWFISH_ALT",
#endif /* MBEDTLS_BLOWFISH_ALT */
@@ -99,6 +105,12 @@
#if defined(MBEDTLS_CCM_ALT)
"MBEDTLS_CCM_ALT",
#endif /* MBEDTLS_CCM_ALT */
+#if defined(MBEDTLS_CHACHA20_ALT)
+ "MBEDTLS_CHACHA20_ALT",
+#endif /* MBEDTLS_CHACHA20_ALT */
+#if defined(MBEDTLS_CHACHAPOLY_ALT)
+ "MBEDTLS_CHACHAPOLY_ALT",
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
#if defined(MBEDTLS_CMAC_ALT)
"MBEDTLS_CMAC_ALT",
#endif /* MBEDTLS_CMAC_ALT */
@@ -114,6 +126,9 @@
#if defined(MBEDTLS_GCM_ALT)
"MBEDTLS_GCM_ALT",
#endif /* MBEDTLS_GCM_ALT */
+#if defined(MBEDTLS_NIST_KW_ALT)
+ "MBEDTLS_NIST_KW_ALT",
+#endif /* MBEDTLS_NIST_KW_ALT */
#if defined(MBEDTLS_MD2_ALT)
"MBEDTLS_MD2_ALT",
#endif /* MBEDTLS_MD2_ALT */
@@ -123,6 +138,9 @@
#if defined(MBEDTLS_MD5_ALT)
"MBEDTLS_MD5_ALT",
#endif /* MBEDTLS_MD5_ALT */
+#if defined(MBEDTLS_POLY1305_ALT)
+ "MBEDTLS_POLY1305_ALT",
+#endif /* MBEDTLS_POLY1305_ALT */
#if defined(MBEDTLS_RIPEMD160_ALT)
"MBEDTLS_RIPEMD160_ALT",
#endif /* MBEDTLS_RIPEMD160_ALT */
@@ -252,6 +270,12 @@
#if defined(MBEDTLS_CIPHER_MODE_CTR)
"MBEDTLS_CIPHER_MODE_CTR",
#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ "MBEDTLS_CIPHER_MODE_OFB",
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ "MBEDTLS_CIPHER_MODE_XTS",
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
"MBEDTLS_CIPHER_NULL_CIPHER",
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
@@ -402,6 +426,9 @@
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
"MBEDTLS_SSL_ALL_ALERT_MESSAGES",
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ "MBEDTLS_SSL_ASYNC_PRIVATE",
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#if defined(MBEDTLS_SSL_DEBUG_ALL)
"MBEDTLS_SSL_DEBUG_ALL",
#endif /* MBEDTLS_SSL_DEBUG_ALL */
@@ -531,12 +558,21 @@
#if defined(MBEDTLS_CAMELLIA_C)
"MBEDTLS_CAMELLIA_C",
#endif /* MBEDTLS_CAMELLIA_C */
+#if defined(MBEDTLS_ARIA_C)
+ "MBEDTLS_ARIA_C",
+#endif /* MBEDTLS_ARIA_C */
#if defined(MBEDTLS_CCM_C)
"MBEDTLS_CCM_C",
#endif /* MBEDTLS_CCM_C */
#if defined(MBEDTLS_CERTS_C)
"MBEDTLS_CERTS_C",
#endif /* MBEDTLS_CERTS_C */
+#if defined(MBEDTLS_CHACHA20_C)
+ "MBEDTLS_CHACHA20_C",
+#endif /* MBEDTLS_CHACHA20_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ "MBEDTLS_CHACHAPOLY_C",
+#endif /* MBEDTLS_CHACHAPOLY_C */
#if defined(MBEDTLS_CIPHER_C)
"MBEDTLS_CIPHER_C",
#endif /* MBEDTLS_CIPHER_C */
@@ -579,9 +615,15 @@
#if defined(MBEDTLS_HAVEGE_C)
"MBEDTLS_HAVEGE_C",
#endif /* MBEDTLS_HAVEGE_C */
+#if defined(MBEDTLS_HKDF_C)
+ "MBEDTLS_HKDF_C",
+#endif /* MBEDTLS_HKDF_C */
#if defined(MBEDTLS_HMAC_DRBG_C)
"MBEDTLS_HMAC_DRBG_C",
#endif /* MBEDTLS_HMAC_DRBG_C */
+#if defined(MBEDTLS_NIST_KW_C)
+ "MBEDTLS_NIST_KW_C",
+#endif /* MBEDTLS_NIST_KW_C */
#if defined(MBEDTLS_MD_C)
"MBEDTLS_MD_C",
#endif /* MBEDTLS_MD_C */
@@ -633,6 +675,9 @@
#if defined(MBEDTLS_PLATFORM_C)
"MBEDTLS_PLATFORM_C",
#endif /* MBEDTLS_PLATFORM_C */
+#if defined(MBEDTLS_POLY1305_C)
+ "MBEDTLS_POLY1305_C",
+#endif /* MBEDTLS_POLY1305_C */
#if defined(MBEDTLS_RIPEMD160_C)
"MBEDTLS_RIPEMD160_C",
#endif /* MBEDTLS_RIPEMD160_C */
diff --git a/library/x509.c b/library/x509.c
index 371d6da..2e6795f 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -29,6 +29,10 @@
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
*/
+/* Ensure gmtime_r is available even with -std=c99; must be included before
+ * config.h, which pulls in glibc's features.h. Harmless on other platforms. */
+#define _POSIX_C_SOURCE 200112L
+
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
@@ -59,26 +63,13 @@
#define mbedtls_snprintf snprintf
#endif
-
#if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h"
#endif
-
-#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-#include <windows.h>
-#else
+#if defined(MBEDTLS_HAVE_TIME_DATE)
#include <time.h>
#endif
-#if defined(MBEDTLS_FS_IO)
-#include <stdio.h>
-#if !defined(_WIN32)
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <dirent.h>
-#endif
-#endif
-
#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
#define CHECK_RANGE(min, max, val) if( val < min || val > max ){ return( ret ); }
@@ -903,36 +894,18 @@
* Set the time structure to the current time.
* Return 0 on success, non-zero on failure.
*/
-#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
static int x509_get_current_time( mbedtls_x509_time *now )
{
- SYSTEMTIME st;
-
- GetSystemTime( &st );
-
- now->year = st.wYear;
- now->mon = st.wMonth;
- now->day = st.wDay;
- now->hour = st.wHour;
- now->min = st.wMinute;
- now->sec = st.wSecond;
-
- return( 0 );
-}
-#else
-static int x509_get_current_time( mbedtls_x509_time *now )
-{
- struct tm *lt;
+ struct tm *lt, tm_buf;
mbedtls_time_t tt;
int ret = 0;
-#if defined(MBEDTLS_THREADING_C)
- if( mbedtls_mutex_lock( &mbedtls_threading_gmtime_mutex ) != 0 )
- return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
-#endif
-
tt = mbedtls_time( NULL );
- lt = gmtime( &tt );
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+ lt = gmtime_s( &tm_buf, &tt ) == 0 ? &tm_buf : NULL;
+#else
+ lt = gmtime_r( &tt, &tm_buf );
+#endif
if( lt == NULL )
ret = -1;
@@ -946,14 +919,8 @@
now->sec = lt->tm_sec;
}
-#if defined(MBEDTLS_THREADING_C)
- if( mbedtls_mutex_unlock( &mbedtls_threading_gmtime_mutex ) != 0 )
- return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
-#endif
-
return( ret );
}
-#endif /* _WIN32 && !EFIX64 && !EFI32 */
/*
* Return 0 if before <= after, 1 otherwise
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 3e8e8fb..f844257 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -274,34 +274,25 @@
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
#if defined(MBEDTLS_PEM_PARSE_C)
- mbedtls_pem_init( &pem );
-
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if( buf[buflen - 1] != '\0' )
- ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- else
+ if( buf[buflen - 1] == '\0' )
+ {
+ mbedtls_pem_init( &pem );
ret = mbedtls_pem_read_buffer( &pem,
"-----BEGIN CERTIFICATE REQUEST-----",
"-----END CERTIFICATE REQUEST-----",
buf, NULL, 0, &use_len );
- if( ret == 0 )
- {
- /*
- * Was PEM encoded, parse the result
- */
- if( ( ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen ) ) != 0 )
- return( ret );
+ if( ret == 0 )
+ /*
+ * Was PEM encoded, parse the result
+ */
+ ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen );
mbedtls_pem_free( &pem );
- return( 0 );
+ if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+ return( ret );
}
- else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
- {
- mbedtls_pem_free( &pem );
- return( ret );
- }
- else
#endif /* MBEDTLS_PEM_PARSE_C */
return( mbedtls_x509_csr_parse_der( csr, buf, buflen ) );
}
diff --git a/programs/.gitignore b/programs/.gitignore
index ddfa1a4..0241896 100644
--- a/programs/.gitignore
+++ b/programs/.gitignore
@@ -45,6 +45,7 @@
test/benchmark
test/ecp-bench
test/selftest
+test/cpp_dummy_build
test/ssl_cert_test
test/udp_proxy
test/zeroize
diff --git a/programs/Makefile b/programs/Makefile
index 080e82d..b6d1fa2 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -4,9 +4,11 @@
CFLAGS ?= -O2
WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement
+WARNING_CXXFLAGS ?= -Wall -W
LDFLAGS ?=
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64
+LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I../include -D_FILE_OFFSET_BITS=64
LOCAL_LDFLAGS = -L../library \
-lmbedtls$(SHARED_SUFFIX) \
-lmbedx509$(SHARED_SUFFIX) \
@@ -77,6 +79,10 @@
APPS += ssl/ssl_pthread_server$(EXEXT)
endif
+ifdef TEST_CPP
+APPS += test/cpp_dummy_build$(EXEXT)
+endif
+
.SILENT:
.PHONY: all clean list
@@ -242,6 +248,10 @@
echo " CC test/benchmark.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/benchmark.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test/cpp_dummy_build$(EXEXT): test/cpp_dummy_build.cpp $(DEP)
+ echo " CXX test/cpp_dummy_build.cpp"
+ $(CXX) $(LOCAL_CXXFLAGS) $(CXXFLAGS) test/cpp_dummy_build.cpp $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test/selftest$(EXEXT): test/selftest.c $(DEP)
echo " CC test/selftest.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/selftest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
diff --git a/programs/aes/aescrypt2.c b/programs/aes/aescrypt2.c
index 4acf38d..69c4060 100644
--- a/programs/aes/aescrypt2.c
+++ b/programs/aes/aescrypt2.c
@@ -19,6 +19,11 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
+/* Enable definition of fileno() even when compiling with -std=c99. Must be
+ * set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 1
+
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
@@ -29,9 +34,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#include "mbedtls/aes.h"
#include "mbedtls/md.h"
@@ -71,7 +79,8 @@
#else
int main( int argc, char *argv[] )
{
- int ret = 1;
+ int ret = 0;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
unsigned int i, n;
int mode, lastn;
@@ -429,7 +438,7 @@
}
}
- ret = 0;
+ exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
if( fin )
@@ -452,6 +461,6 @@
mbedtls_aes_free( &aes_ctx );
mbedtls_md_free( &sha_ctx );
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_AES_C && MBEDTLS_SHA256_C && MBEDTLS_FS_IO */
diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index 0e272eb..bc95eb9 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -20,6 +20,11 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
+/* Enable definition of fileno() even when compiling with -std=c99. Must be
+ * set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 1
+
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
@@ -30,9 +35,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_MD_C) && \
defined(MBEDTLS_FS_IO)
@@ -74,6 +82,7 @@
int main( int argc, char *argv[] )
{
int ret = 1, i, n;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
int mode;
size_t keylen, ilen, olen;
FILE *fkey, *fin = NULL, *fout = NULL;
@@ -526,7 +535,7 @@
}
}
- ret = 0;
+ exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
if( fin )
@@ -549,6 +558,6 @@
mbedtls_cipher_free( &cipher_ctx );
mbedtls_md_free( &md_ctx );
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_CIPHER_C && MBEDTLS_MD_C && MBEDTLS_FS_IO */
diff --git a/programs/hash/generic_sum.c b/programs/hash/generic_sum.c
index d1e81d4..bbe8d92 100644
--- a/programs/hash/generic_sum.c
+++ b/programs/hash/generic_sum.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_MD_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/md.h"
@@ -169,7 +172,8 @@
int main( int argc, char *argv[] )
{
- int ret, i;
+ int ret = 1, i;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
@@ -196,7 +200,7 @@
fflush( stdout ); getchar();
#endif
- return( 1 );
+ return( exit_code );
}
/*
@@ -206,12 +210,12 @@
if( md_info == NULL )
{
mbedtls_fprintf( stderr, "Message Digest '%s' not found\n", argv[1] );
- return( 1 );
+ return( exit_code );
}
if( mbedtls_md_setup( &md_ctx, md_info, 0 ) )
{
mbedtls_fprintf( stderr, "Failed to initialize context.\n" );
- return( 1 );
+ return( exit_code );
}
ret = 0;
@@ -224,9 +228,12 @@
for( i = 2; i < argc; i++ )
ret |= generic_print( md_info, argv[i] );
+ if ( ret == 0 )
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_md_free( &md_ctx );
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_MD_C && MBEDTLS_FS_IO */
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index 0978408..3dadf48 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#define mbedtls_time_t time_t
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define mbedtls_time_t time_t
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
@@ -71,7 +74,8 @@
{
FILE *f;
- int ret;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
size_t n, buflen;
mbedtls_net_context server_fd;
@@ -115,7 +119,6 @@
if( ( f = fopen( "rsa_pub.txt", "rb" ) ) == NULL )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not open rsa_pub.txt\n" \
" ! Please run rsa_genkey first\n\n" );
goto exit;
@@ -191,7 +194,6 @@
if( dhm.len < 64 || dhm.len > 512 )
{
- ret = 1;
mbedtls_printf( " failed\n ! Invalid DHM modulus size\n\n" );
goto exit;
}
@@ -207,7 +209,6 @@
if( ( n = (size_t) ( end - p ) ) != rsa.len )
{
- ret = 1;
mbedtls_printf( " failed\n ! Invalid RSA signature size\n\n" );
goto exit;
}
@@ -286,6 +287,8 @@
buf[16] = '\0';
mbedtls_printf( "\n . Plaintext is \"%s\"\n\n", (char *) buf );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_net_free( &server_fd );
@@ -301,7 +304,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_SHA256_C &&
diff --git a/programs/pkey/dh_genprime.c b/programs/pkey/dh_genprime.c
index 84a94a1..dbe9153 100644
--- a/programs/pkey/dh_genprime.c
+++ b/programs/pkey/dh_genprime.c
@@ -30,9 +30,11 @@
#else
#include <stdio.h>
#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_time_t time_t
-#endif
+#define mbedtls_printf printf
+#define mbedtls_time_t time_t
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_CTR_DRBG_C) || \
@@ -69,6 +71,7 @@
int main( int argc, char **argv )
{
int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_mpi G, P, Q;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
@@ -86,7 +89,7 @@
{
usage:
mbedtls_printf( USAGE );
- return( 1 );
+ return( exit_code );
}
for( i = 1; i < argc; i++ )
@@ -164,7 +167,6 @@
if( ( fout = fopen( "dh_prime.txt", "wb+" ) ) == NULL )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not create dh_prime.txt\n\n" );
goto exit;
}
@@ -180,6 +182,8 @@
mbedtls_printf( " ok\n\n" );
fclose( fout );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_mpi_free( &G ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
@@ -191,7 +195,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_FS_IO &&
MBEDTLS_CTR_DRBG_C && MBEDTLS_GENPRIME */
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index 4304231..c4e2c39 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#define mbedtls_time_t time_t
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define mbedtls_time_t time_t
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_AES_C) && defined(MBEDTLS_DHM_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_NET_C) && \
@@ -71,7 +74,8 @@
{
FILE *f;
- int ret;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
size_t n, buflen;
mbedtls_net_context listen_fd, client_fd;
@@ -121,7 +125,6 @@
if( ( f = fopen( "rsa_priv.txt", "rb" ) ) == NULL )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not open rsa_priv.txt\n" \
" ! Please run rsa_genkey first\n\n" );
goto exit;
@@ -164,7 +167,6 @@
if( ( f = fopen( "dh_prime.txt", "rb" ) ) == NULL )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not open dh_prime.txt\n" \
" ! Please run dh_genprime first\n\n" );
goto exit;
@@ -304,6 +306,8 @@
mbedtls_printf( "\n\n" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
@@ -323,7 +327,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_SHA256_C &&
diff --git a/programs/pkey/ecdh_curve25519.c b/programs/pkey/ecdh_curve25519.c
index e7ead9a..5db0408 100644
--- a/programs/pkey/ecdh_curve25519.c
+++ b/programs/pkey/ecdh_curve25519.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_ECDH_C) || \
!defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
@@ -51,7 +54,8 @@
int main( int argc, char *argv[] )
{
- int ret;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_ecdh_context ctx_cli, ctx_srv;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
@@ -218,6 +222,7 @@
mbedtls_printf( " ok\n" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
@@ -231,7 +236,7 @@
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
- return( ret != 0 );
+ return( exit_code );
}
#endif /* MBEDTLS_ECDH_C && MBEDTLS_ECP_DP_CURVE25519_ENABLED &&
MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c
index b474060..c653df9 100644
--- a/programs/pkey/ecdsa.c
+++ b/programs/pkey/ecdsa.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_ECDSA_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
@@ -98,7 +101,8 @@
int main( int argc, char *argv[] )
{
- int ret;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_ecdsa_context ctx_sign, ctx_verify;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
@@ -115,7 +119,6 @@
memset( sig, 0, sizeof( sig ) );
memset( message, 0x25, sizeof( message ) );
- ret = 1;
if( argc != 1 )
{
@@ -213,8 +216,6 @@
goto exit;
}
- ret = 0;
-
/*
* Verify signature
*/
@@ -231,6 +232,8 @@
mbedtls_printf( " ok\n" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
#if defined(_WIN32)
@@ -243,7 +246,7 @@
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
ECPARAMS */
diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c
index a7f5c90..f01bf5f 100644
--- a/programs/pkey/gen_key.c
+++ b/programs/pkey/gen_key.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_FS_IO) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
@@ -186,7 +189,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_pk_context key;
char buf[1024];
int i;
@@ -214,7 +218,6 @@
if( argc == 0 )
{
usage:
- ret = 1;
mbedtls_printf( USAGE );
#if defined(MBEDTLS_ECP_C)
mbedtls_printf( " available ec_curve values:\n" );
@@ -222,7 +225,7 @@
mbedtls_printf( " %s (default)\n", curve_info->name );
while( ( ++curve_info )->name != NULL )
mbedtls_printf( " %s\n", curve_info->name );
-#endif
+#endif /* MBEDTLS_ECP_C */
goto exit;
}
@@ -411,9 +414,11 @@
mbedtls_printf( " ok\n" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
- if( ret != 0 && ret != 1)
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror( ret, buf, sizeof( buf ) );
@@ -436,7 +441,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_PK_WRITE_C && MBEDTLS_PEM_WRITE_C && MBEDTLS_FS_IO &&
* MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c
index f1b548d..027b95f 100644
--- a/programs/pkey/key_app.c
+++ b/programs/pkey/key_app.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && \
defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_FS_IO)
@@ -83,7 +86,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
char buf[1024];
int i;
char *p, *q;
@@ -105,7 +109,7 @@
{
usage:
mbedtls_printf( USAGE );
- goto exit;
+ goto cleanup;
}
opt.mode = DFL_MODE;
@@ -155,13 +159,13 @@
if( ( f = fopen( opt.password_file, "rb" ) ) == NULL )
{
mbedtls_printf( " failed\n ! fopen returned NULL\n" );
- goto exit;
+ goto cleanup;
}
if( fgets( buf, sizeof(buf), f ) == NULL )
{
fclose( f );
mbedtls_printf( "Error: fgets() failed to retrieve password\n" );
- goto exit;
+ goto cleanup;
}
fclose( f );
@@ -182,7 +186,7 @@
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%04x\n", -ret );
- goto exit;
+ goto cleanup;
}
mbedtls_printf( " ok\n" );
@@ -200,17 +204,17 @@
( ret = mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP ) ) != 0 )
{
mbedtls_printf( " failed\n ! could not export RSA parameters\n\n" );
- goto exit;
+ goto cleanup;
}
- mbedtls_mpi_write_file( "N: ", &N, 16, NULL );
- mbedtls_mpi_write_file( "E: ", &E, 16, NULL );
- mbedtls_mpi_write_file( "D: ", &D, 16, NULL );
- mbedtls_mpi_write_file( "P: ", &P, 16, NULL );
- mbedtls_mpi_write_file( "Q: ", &Q, 16, NULL );
- mbedtls_mpi_write_file( "DP: ", &DP, 16, NULL );
- mbedtls_mpi_write_file( "DQ: ", &DQ, 16, NULL );
- mbedtls_mpi_write_file( "QP: ", &QP, 16, NULL );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "N: ", &N, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "E: ", &E, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "D: ", &D, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "P: ", &P, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q: ", &Q, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "DP: ", &DP, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "DQ: ", &DQ, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "QP: ", &QP, 16, NULL ) );
}
else
#endif
@@ -218,16 +222,16 @@
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY )
{
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec( pk );
- mbedtls_mpi_write_file( "Q(X): ", &ecp->Q.X, 16, NULL );
- mbedtls_mpi_write_file( "Q(Y): ", &ecp->Q.Y, 16, NULL );
- mbedtls_mpi_write_file( "Q(Z): ", &ecp->Q.Z, 16, NULL );
- mbedtls_mpi_write_file( "D : ", &ecp->d , 16, NULL );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(X): ", &ecp->Q.X, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Y): ", &ecp->Q.Y, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Z): ", &ecp->Q.Z, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "D : ", &ecp->d , 16, NULL ) );
}
else
#endif
{
mbedtls_printf("Do not know how to print key information for this type\n" );
- goto exit;
+ goto cleanup;
}
}
else if( opt.mode == MODE_PUBLIC )
@@ -243,7 +247,7 @@
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_public_keyfile returned -0x%04x\n", -ret );
- goto exit;
+ goto cleanup;
}
mbedtls_printf( " ok\n" );
@@ -258,10 +262,10 @@
NULL, &E ) ) != 0 )
{
mbedtls_printf( " failed\n ! could not export RSA parameters\n\n" );
- goto exit;
+ goto cleanup;
}
- mbedtls_mpi_write_file( "N: ", &N, 16, NULL );
- mbedtls_mpi_write_file( "E: ", &E, 16, NULL );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "N: ", &N, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "E: ", &E, 16, NULL ) );
}
else
#endif
@@ -269,26 +273,28 @@
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY )
{
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec( pk );
- mbedtls_mpi_write_file( "Q(X): ", &ecp->Q.X, 16, NULL );
- mbedtls_mpi_write_file( "Q(Y): ", &ecp->Q.Y, 16, NULL );
- mbedtls_mpi_write_file( "Q(Z): ", &ecp->Q.Z, 16, NULL );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(X): ", &ecp->Q.X, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Y): ", &ecp->Q.Y, 16, NULL ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Z): ", &ecp->Q.Z, 16, NULL ) );
}
else
#endif
{
mbedtls_printf("Do not know how to print key information for this type\n" );
- goto exit;
+ goto cleanup;
}
}
else
goto usage;
-exit:
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
+cleanup:
#if defined(MBEDTLS_ERROR_C)
- if( ret != 0 )
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
- mbedtls_strerror( ret, buf, sizeof(buf) );
+ mbedtls_strerror( ret, buf, sizeof( buf ) );
mbedtls_printf( " ! Last error was: %s\n", buf );
}
#endif
@@ -303,6 +309,6 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO */
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index 52b0f8e..13602c2 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/error.h"
@@ -128,7 +131,7 @@
return( ret );
len = ret;
- c = output_buf + sizeof(output_buf) - len - 1;
+ c = output_buf + sizeof(output_buf) - len;
}
if( ( f = fopen( output_file, "w" ) ) == NULL )
@@ -189,7 +192,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
char buf[1024];
int i;
char *p, *q;
@@ -210,7 +214,6 @@
if( argc == 0 )
{
usage:
- ret = 1;
mbedtls_printf( USAGE );
goto exit;
}
@@ -403,9 +406,11 @@
write_private_key( &key, opt.output_file );
}
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
- if( ret != 0 && ret != 1)
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror( ret, buf, sizeof( buf ) );
@@ -426,6 +431,6 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_PK_WRITE_C && MBEDTLS_FS_IO */
diff --git a/programs/pkey/mpi_demo.c b/programs/pkey/mpi_demo.c
index afe8957..365bdc4 100644
--- a/programs/pkey/mpi_demo.c
+++ b/programs/pkey/mpi_demo.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/bignum.h"
@@ -47,7 +50,8 @@
#else
int main( void )
{
- int ret;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_mpi E, P, Q, N, H, D, X, Y, Z;
mbedtls_mpi_init( &E ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &N );
@@ -88,15 +92,16 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( " Z (decrypted) = Y^D mod N = ", &Z, 10, NULL ) );
mbedtls_printf( "\n" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
cleanup:
mbedtls_mpi_free( &E ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &N );
mbedtls_mpi_free( &H ); mbedtls_mpi_free( &D ); mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y );
mbedtls_mpi_free( &Z );
- if( ret != 0 )
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
mbedtls_printf( "\nAn error occurred.\n" );
- ret = 1;
}
#if defined(_WIN32)
@@ -104,6 +109,6 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_FS_IO */
diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c
index 32fbc75..00bd71e 100644
--- a/programs/pkey/pk_decrypt.c
+++ b/programs/pkey/pk_decrypt.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_PK_PARSE_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_ENTROPY_C) && \
@@ -59,7 +62,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int ret, c;
+ int ret = 1, c;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i, olen = 0;
mbedtls_pk_context pk;
mbedtls_entropy_context entropy;
@@ -71,7 +75,6 @@
mbedtls_ctr_drbg_init( &ctr_drbg );
memset(result, 0, sizeof( result ) );
- ret = 1;
if( argc != 2 )
{
@@ -110,8 +113,6 @@
/*
* Extract the RSA encrypted value from the text file
*/
- ret = 1;
-
if( ( f = fopen( "result-enc.txt", "rb" ) ) == NULL )
{
mbedtls_printf( "\n ! Could not open %s\n\n", "result-enc.txt" );
@@ -143,14 +144,14 @@
mbedtls_printf( "The decrypted result is: '%s'\n\n", result );
- ret = 0;
+ exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
#if defined(MBEDTLS_ERROR_C)
- if( ret != 0 )
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
mbedtls_strerror( ret, (char *) buf, sizeof(buf) );
mbedtls_printf( " ! Last error was: %s\n", buf );
@@ -162,7 +163,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
diff --git a/programs/pkey/pk_encrypt.c b/programs/pkey/pk_encrypt.c
index 7ca9d5a..400619c 100644
--- a/programs/pkey/pk_encrypt.c
+++ b/programs/pkey/pk_encrypt.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_PK_PARSE_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO) && \
@@ -59,7 +62,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int ret;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i, olen = 0;
mbedtls_pk_context pk;
mbedtls_entropy_context entropy;
@@ -68,7 +72,6 @@
unsigned char buf[512];
const char *pers = "mbedtls_pk_encrypt";
- ret = 1;
mbedtls_ctr_drbg_init( &ctr_drbg );
if( argc != 3 )
@@ -132,7 +135,6 @@
*/
if( ( f = fopen( "result-enc.txt", "wb+" ) ) == NULL )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not create %s\n\n", "result-enc.txt" );
goto exit;
}
@@ -145,12 +147,14 @@
mbedtls_printf( "\n . Done (created \"%s\")\n\n", "result-enc.txt" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
#if defined(MBEDTLS_ERROR_C)
- if( ret != 0 )
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
mbedtls_strerror( ret, (char *) buf, sizeof(buf) );
mbedtls_printf( " ! Last error was: %s\n", buf );
@@ -162,7 +166,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_PK_PARSE_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */
diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c
index 55df95e..7ec4675 100644
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -30,9 +30,11 @@
#else
#include <stdio.h>
#include <stdlib.h>
-#define mbedtls_snprintf snprintf
-#define mbedtls_printf printf
-#endif
+#define mbedtls_snprintf snprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
@@ -61,6 +63,7 @@
{
FILE *f;
int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_pk_context pk;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
@@ -134,14 +137,12 @@
if( ( f = fopen( filename, "wb+" ) ) == NULL )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not create %s\n\n", filename );
goto exit;
}
if( fwrite( buf, 1, olen, f ) != olen )
{
- ret = 1;
mbedtls_printf( "failed\n ! fwrite failed\n\n" );
fclose( f );
goto exit;
@@ -151,13 +152,15 @@
mbedtls_printf( "\n . Done (created \"%s\")\n\n", filename );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_pk_free( &pk );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
#if defined(MBEDTLS_ERROR_C)
- if( ret != 0 )
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
mbedtls_strerror( ret, (char *) buf, sizeof(buf) );
mbedtls_printf( " ! Last error was: %s\n", buf );
@@ -169,7 +172,7 @@
fflush( stdout ); getchar();
#endif
- return( ret ? EXIT_FAILURE : EXIT_SUCCESS );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_SHA256_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c
index d35d17f..3c7709f 100644
--- a/programs/pkey/pk_verify.c
+++ b/programs/pkey/pk_verify.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_snprintf snprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_snprintf snprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_PK_PARSE_C) || \
@@ -56,6 +59,7 @@
{
FILE *f;
int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_pk_context pk;
unsigned char hash[32];
@@ -87,7 +91,6 @@
/*
* Extract the signature from the file
*/
- ret = 1;
mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[2] );
if( ( f = fopen( filename, "rb" ) ) == NULL )
@@ -125,13 +128,13 @@
mbedtls_printf( "\n . OK (the signature is valid)\n\n" );
- ret = 0;
+ exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_pk_free( &pk );
#if defined(MBEDTLS_ERROR_C)
- if( ret != 0 )
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
mbedtls_strerror( ret, (char *) buf, sizeof(buf) );
mbedtls_printf( " ! Last error was: %s\n", buf );
@@ -143,7 +146,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_SHA256_C &&
MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO */
diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c
index 2da3fbf..0a252d2 100644
--- a/programs/pkey/rsa_decrypt.c
+++ b/programs/pkey/rsa_decrypt.c
@@ -30,11 +30,11 @@
#else
#include <stdio.h>
#include <stdlib.h>
-#define mbedtls_printf printf
-#define mbedtls_exit exit
+#define mbedtls_printf printf
+#define mbedtls_exit exit
#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_RSA_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_ENTROPY_C) && \
@@ -61,7 +61,9 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int return_val, exit_val, c;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
+ int c;
size_t i;
mbedtls_rsa_context rsa;
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
@@ -73,7 +75,6 @@
((void) argv);
memset(result, 0, sizeof( result ) );
- exit_val = MBEDTLS_EXIT_SUCCESS;
if( argc != 1 )
{
@@ -83,7 +84,7 @@
mbedtls_printf( "\n" );
#endif
- mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+ mbedtls_exit( exit_code );
}
mbedtls_printf( "\n . Seeding the random number generator..." );
@@ -96,14 +97,13 @@
mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP );
mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
- return_val = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
+ ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
&entropy, (const unsigned char *) pers,
strlen( pers ) );
- if( return_val != 0 )
+ if( ret != 0 )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n",
- return_val );
+ ret );
goto exit;
}
@@ -112,40 +112,38 @@
if( ( f = fopen( "rsa_priv.txt", "rb" ) ) == NULL )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! Could not open rsa_priv.txt\n" \
" ! Please run rsa_genkey first\n\n" );
goto exit;
}
- if( ( return_val = mbedtls_mpi_read_file( &N , 16, f ) ) != 0 ||
- ( return_val = mbedtls_mpi_read_file( &E , 16, f ) ) != 0 ||
- ( return_val = mbedtls_mpi_read_file( &D , 16, f ) ) != 0 ||
- ( return_val = mbedtls_mpi_read_file( &P , 16, f ) ) != 0 ||
- ( return_val = mbedtls_mpi_read_file( &Q , 16, f ) ) != 0 ||
- ( return_val = mbedtls_mpi_read_file( &DP , 16, f ) ) != 0 ||
- ( return_val = mbedtls_mpi_read_file( &DQ , 16, f ) ) != 0 ||
- ( return_val = mbedtls_mpi_read_file( &QP , 16, f ) ) != 0 )
+ if( ( ret = mbedtls_mpi_read_file( &N , 16, f ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_file( &E , 16, f ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_file( &D , 16, f ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_file( &P , 16, f ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_file( &Q , 16, f ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_file( &DP , 16, f ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_file( &DQ , 16, f ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_file( &QP , 16, f ) ) != 0 )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! mbedtls_mpi_read_file returned %d\n\n",
- return_val );
+ ret );
fclose( f );
goto exit;
}
fclose( f );
- if( ( return_val = mbedtls_rsa_import( &rsa, &N, &P, &Q, &D, &E ) ) != 0 )
+ if( ( ret = mbedtls_rsa_import( &rsa, &N, &P, &Q, &D, &E ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_rsa_import returned %d\n\n",
- return_val );
+ ret );
goto exit;
}
- if( ( return_val = mbedtls_rsa_complete( &rsa ) ) != 0 )
+ if( ( ret = mbedtls_rsa_complete( &rsa ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_rsa_complete returned %d\n\n",
- return_val );
+ ret );
goto exit;
}
@@ -154,7 +152,6 @@
*/
if( ( f = fopen( "result-enc.txt", "rb" ) ) == NULL )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( "\n ! Could not open %s\n\n", "result-enc.txt" );
goto exit;
}
@@ -169,7 +166,6 @@
if( i != rsa.len )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( "\n ! Invalid RSA signature format\n\n" );
goto exit;
}
@@ -180,14 +176,13 @@
mbedtls_printf( "\n . Decrypting the encrypted data" );
fflush( stdout );
- return_val = mbedtls_rsa_pkcs1_decrypt( &rsa, mbedtls_ctr_drbg_random,
+ ret = mbedtls_rsa_pkcs1_decrypt( &rsa, mbedtls_ctr_drbg_random,
&ctr_drbg, MBEDTLS_RSA_PRIVATE, &i,
buf, result, 1024 );
- if( return_val != 0 )
+ if( ret != 0 )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_decrypt returned %d\n\n",
- return_val );
+ ret );
goto exit;
}
@@ -195,6 +190,8 @@
mbedtls_printf( "The decrypted result is: '%s'\n\n", result );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
@@ -208,6 +205,6 @@
fflush( stdout ); getchar();
#endif
- return( exit_val );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_FS_IO */
diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c
index 81c27d8..411657a 100644
--- a/programs/pkey/rsa_encrypt.c
+++ b/programs/pkey/rsa_encrypt.c
@@ -30,12 +30,12 @@
#else
#include <stdio.h>
#include <stdlib.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_exit exit
-#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
-#endif
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define mbedtls_exit exit
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_RSA_C) && \
defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO) && \
@@ -61,7 +61,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int return_val, exit_val;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
mbedtls_entropy_context entropy;
@@ -71,8 +72,6 @@
const char *pers = "rsa_encrypt";
mbedtls_mpi N, E;
- exit_val = MBEDTLS_EXIT_SUCCESS;
-
if( argc != 2 )
{
mbedtls_printf( "usage: rsa_encrypt <string of max 100 characters>\n" );
@@ -81,7 +80,7 @@
mbedtls_printf( "\n" );
#endif
- mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+ mbedtls_exit( exit_code );
}
mbedtls_printf( "\n . Seeding the random number generator..." );
@@ -92,14 +91,13 @@
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );
- return_val = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
- &entropy, (const unsigned char *) pers,
- strlen( pers ) );
- if( return_val != 0 )
+ ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
+ &entropy, (const unsigned char *) pers,
+ strlen( pers ) );
+ if( ret != 0 )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n",
- return_val );
+ ret );
goto exit;
}
@@ -108,35 +106,30 @@
if( ( f = fopen( "rsa_pub.txt", "rb" ) ) == NULL )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! Could not open rsa_pub.txt\n" \
" ! Please run rsa_genkey first\n\n" );
goto exit;
}
- if( ( return_val = mbedtls_mpi_read_file( &N, 16, f ) ) != 0 ||
- ( return_val = mbedtls_mpi_read_file( &E, 16, f ) ) != 0 )
+ if( ( ret = mbedtls_mpi_read_file( &N, 16, f ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_file( &E, 16, f ) ) != 0 )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! mbedtls_mpi_read_file returned %d\n\n",
- return_val );
+ ret );
fclose( f );
goto exit;
}
fclose( f );
- if( ( return_val = mbedtls_rsa_import( &rsa, &N, NULL,
- NULL, NULL, &E ) ) != 0 )
+ if( ( ret = mbedtls_rsa_import( &rsa, &N, NULL, NULL, NULL, &E ) ) != 0 )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! mbedtls_rsa_import returned %d\n\n",
- return_val );
+ ret );
goto exit;
}
if( strlen( argv[1] ) > 100 )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " Input data larger than 100 characters.\n\n" );
goto exit;
}
@@ -149,14 +142,13 @@
mbedtls_printf( "\n . Generating the RSA encrypted value" );
fflush( stdout );
- return_val = mbedtls_rsa_pkcs1_encrypt( &rsa, mbedtls_ctr_drbg_random,
- &ctr_drbg, MBEDTLS_RSA_PUBLIC,
- strlen( argv[1] ), input, buf );
- if( return_val != 0 )
+ ret = mbedtls_rsa_pkcs1_encrypt( &rsa, mbedtls_ctr_drbg_random,
+ &ctr_drbg, MBEDTLS_RSA_PUBLIC,
+ strlen( argv[1] ), input, buf );
+ if( ret != 0 )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_encrypt returned %d\n\n",
- return_val );
+ ret );
goto exit;
}
@@ -165,7 +157,6 @@
*/
if( ( f = fopen( "result-enc.txt", "wb+" ) ) == NULL )
{
- exit_val = MBEDTLS_EXIT_FAILURE;
mbedtls_printf( " failed\n ! Could not create %s\n\n", "result-enc.txt" );
goto exit;
}
@@ -178,6 +169,8 @@
mbedtls_printf( "\n . Done (created \"%s\")\n\n", "result-enc.txt" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E );
mbedtls_ctr_drbg_free( &ctr_drbg );
@@ -189,7 +182,7 @@
fflush( stdout ); getchar();
#endif
- return( exit_val );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */
diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c
index 9399217..3359e14 100644
--- a/programs/pkey/rsa_genkey.c
+++ b/programs/pkey/rsa_genkey.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) && \
@@ -61,7 +64,8 @@
#else
int main( void )
{
- int ret;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_rsa_context rsa;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
@@ -105,14 +109,12 @@
( ret = mbedtls_rsa_export_crt( &rsa, &DP, &DQ, &QP ) ) != 0 )
{
mbedtls_printf( " failed\n ! could not export RSA parameters\n\n" );
- ret = 1;
goto exit;
}
if( ( fpub = fopen( "rsa_pub.txt", "wb+" ) ) == NULL )
{
mbedtls_printf( " failed\n ! could not open rsa_pub.txt for writing\n\n" );
- ret = 1;
goto exit;
}
@@ -129,7 +131,6 @@
if( ( fpriv = fopen( "rsa_priv.txt", "wb+" ) ) == NULL )
{
mbedtls_printf( " failed\n ! could not open rsa_priv.txt for writing\n" );
- ret = 1;
goto exit;
}
@@ -160,6 +161,8 @@
*/
mbedtls_printf( " ok\n\n" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
if( fpub != NULL )
@@ -180,7 +183,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_RSA_C &&
MBEDTLS_GENPRIME && MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index 89018cb..b16fe5d 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -29,10 +29,13 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_snprintf snprintf
-#endif
+#include <stdlib.h>
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define mbedtls_snprintf snprintf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
@@ -55,7 +58,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int ret;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
unsigned char hash[32];
@@ -69,8 +73,6 @@
mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP );
mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
- ret = 1;
-
if( argc != 2 )
{
mbedtls_printf( "usage: rsa_sign <filename>\n" );
@@ -87,7 +89,6 @@
if( ( f = fopen( "rsa_priv.txt", "rb" ) ) == NULL )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not open rsa_priv.txt\n" \
" ! Please run rsa_genkey first\n\n" );
goto exit;
@@ -159,7 +160,6 @@
if( ( f = fopen( filename, "wb+" ) ) == NULL )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not create %s\n\n", argv[1] );
goto exit;
}
@@ -172,6 +172,8 @@
mbedtls_printf( "\n . Done (created \"%s\")\n\n", filename );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_rsa_free( &rsa );
@@ -184,7 +186,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_SHA256_C &&
MBEDTLS_FS_IO */
diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c
index 7b6f14d..b0b0f7e 100644
--- a/programs/pkey/rsa_sign_pss.c
+++ b/programs/pkey/rsa_sign_pss.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_snprintf snprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_snprintf snprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
@@ -61,6 +64,7 @@
{
FILE *f;
int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_pk_context pk;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
@@ -101,7 +105,6 @@
if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not read key from '%s'\n", argv[1] );
mbedtls_printf( " ! mbedtls_pk_parse_public_keyfile returned %d\n\n", ret );
goto exit;
@@ -109,7 +112,6 @@
if( !mbedtls_pk_can_do( &pk, MBEDTLS_PK_RSA ) )
{
- ret = 1;
mbedtls_printf( " failed\n ! Key is not an RSA key\n" );
goto exit;
}
@@ -145,7 +147,6 @@
if( ( f = fopen( filename, "wb+" ) ) == NULL )
{
- ret = 1;
mbedtls_printf( " failed\n ! Could not create %s\n\n", filename );
goto exit;
}
@@ -161,6 +162,8 @@
mbedtls_printf( "\n . Done (created \"%s\")\n\n", filename );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_pk_free( &pk );
mbedtls_ctr_drbg_free( &ctr_drbg );
@@ -171,7 +174,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_RSA_C &&
MBEDTLS_SHA256_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index 1f827aa..6f88345 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#define mbedtls_snprintf snprintf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define mbedtls_snprintf snprintf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
@@ -54,7 +57,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int ret, c;
+ int ret = 1, c;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
unsigned char hash[32];
@@ -62,7 +66,6 @@
char filename[512];
mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
- ret = 1;
if( argc != 2 )
{
@@ -100,7 +103,6 @@
/*
* Extract the RSA signature from the text file
*/
- ret = 1;
mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] );
if( ( f = fopen( filename, "rb" ) ) == NULL )
@@ -146,7 +148,7 @@
mbedtls_printf( "\n . OK (the signature is valid)\n\n" );
- ret = 0;
+ exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
@@ -157,7 +159,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_SHA256_C &&
MBEDTLS_FS_IO */
diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c
index 31b720f..7c9c68f 100644
--- a/programs/pkey/rsa_verify_pss.c
+++ b/programs/pkey/rsa_verify_pss.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_snprintf snprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_snprintf snprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_SHA256_C) || \
@@ -60,6 +63,7 @@
{
FILE *f;
int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_pk_context pk;
unsigned char hash[32];
@@ -91,7 +95,6 @@
if( !mbedtls_pk_can_do( &pk, MBEDTLS_PK_RSA ) )
{
- ret = 1;
mbedtls_printf( " failed\n ! Key is not an RSA key\n" );
goto exit;
}
@@ -101,7 +104,6 @@
/*
* Extract the RSA signature from the file
*/
- ret = 1;
mbedtls_snprintf( filename, 512, "%s.sig", argv[2] );
if( ( f = fopen( filename, "rb" ) ) == NULL )
@@ -139,7 +141,7 @@
mbedtls_printf( "\n . OK (the signature is valid)\n\n" );
- ret = 0;
+ exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
mbedtls_pk_free( &pk );
@@ -149,7 +151,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_SHA256_C &&
MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO */
diff --git a/programs/random/gen_entropy.c b/programs/random/gen_entropy.c
index 792d381..a1eb386 100644
--- a/programs/random/gen_entropy.c
+++ b/programs/random/gen_entropy.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/entropy.h"
@@ -49,20 +52,21 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int i, k, ret;
+ int i, k, ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_entropy_context entropy;
unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
if( argc < 2 )
{
mbedtls_fprintf( stderr, "usage: %s <output filename>\n", argv[0] );
- return( 1 );
+ return( exit_code );
}
if( ( f = fopen( argv[1], "wb+" ) ) == NULL )
{
mbedtls_printf( "failed to open '%s' for writing.\n", argv[1] );
- return( 1 );
+ return( exit_code );
}
mbedtls_entropy_init( &entropy );
@@ -72,7 +76,8 @@
ret = mbedtls_entropy_func( &entropy, buf, sizeof( buf ) );
if( ret != 0 )
{
- mbedtls_printf("failed!\n");
+ mbedtls_printf( " failed\n ! mbedtls_entropy_func returned -%04X\n",
+ ret );
goto cleanup;
}
@@ -83,7 +88,7 @@
fflush( stdout );
}
- ret = 0;
+ exit_code = MBEDTLS_EXIT_SUCCESS;
cleanup:
mbedtls_printf( "\n" );
@@ -91,6 +96,6 @@
fclose( f );
mbedtls_entropy_free( &entropy );
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_ENTROPY_C */
diff --git a/programs/random/gen_random_ctr_drbg.c b/programs/random/gen_random_ctr_drbg.c
index c76f99d..5ade946 100644
--- a/programs/random/gen_random_ctr_drbg.c
+++ b/programs/random/gen_random_ctr_drbg.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_CTR_DRBG_C) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_FS_IO)
@@ -52,7 +55,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int i, k, ret;
+ int i, k, ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
unsigned char buf[1024];
@@ -62,13 +66,13 @@
if( argc < 2 )
{
mbedtls_fprintf( stderr, "usage: %s <output filename>\n", argv[0] );
- return( 1 );
+ return( exit_code );
}
if( ( f = fopen( argv[1], "wb+" ) ) == NULL )
{
mbedtls_printf( "failed to open '%s' for writing.\n", argv[1] );
- return( 1 );
+ return( exit_code );
}
mbedtls_entropy_init( &entropy );
@@ -116,7 +120,7 @@
fflush( stdout );
}
- ret = 0;
+ exit_code = MBEDTLS_EXIT_SUCCESS;
cleanup:
mbedtls_printf("\n");
@@ -125,6 +129,6 @@
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_CTR_DRBG_C && MBEDTLS_ENTROPY_C */
diff --git a/programs/random/gen_random_havege.c b/programs/random/gen_random_havege.c
index 6c31462..3fb3f01 100644
--- a/programs/random/gen_random_havege.c
+++ b/programs/random/gen_random_havege.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_HAVEGE_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/havege.h"
@@ -51,20 +54,21 @@
{
FILE *f;
time_t t;
- int i, k, ret = 0;
+ int i, k, ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_havege_state hs;
unsigned char buf[1024];
if( argc < 2 )
{
mbedtls_fprintf( stderr, "usage: %s <output filename>\n", argv[0] );
- return( 1 );
+ return( exit_code );
}
if( ( f = fopen( argv[1], "wb+" ) ) == NULL )
{
mbedtls_printf( "failed to open '%s' for writing.\n", argv[1] );
- return( 1 );
+ return( exit_code );
}
mbedtls_havege_init( &hs );
@@ -73,11 +77,10 @@
for( i = 0, k = 768; i < k; i++ )
{
- if( mbedtls_havege_random( &hs, buf, sizeof( buf ) ) != 0 )
+ if( ( ret = mbedtls_havege_random( &hs, buf, sizeof( buf ) ) ) != 0 )
{
- mbedtls_printf( "Failed to get random from source.\n" );
-
- ret = 1;
+ mbedtls_printf( " failed\n ! mbedtls_havege_random returned -0x%04X",
+ -ret );
goto exit;
}
@@ -93,9 +96,11 @@
mbedtls_printf(" \n ");
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_havege_free( &hs );
fclose( f );
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_HAVEGE_C */
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 01cee13..bf7c013 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -30,11 +30,13 @@
#else
#include <stdio.h>
#include <stdlib.h>
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#define mbedtls_time time
+#define mbedtls_time_t time_t
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
@@ -80,7 +82,8 @@
int main( void )
{
- int ret, len;
+ int ret = 1, len;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context server_fd;
uint32_t flags;
unsigned char buf[1024];
@@ -281,10 +284,12 @@
mbedtls_ssl_close_notify( &ssl );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
#ifdef MBEDTLS_ERROR_C
- if( ret != 0 )
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
char error_buf[100];
mbedtls_strerror( ret, error_buf, 100 );
@@ -305,7 +310,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 5d8969d..0dd9e3f 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -246,8 +246,12 @@
" server_addr=%%s default: given by name\n" \
" server_port=%%d default: 4433\n" \
" request_page=%%s default: \".\"\n" \
- " request_size=%%d default: about 34 (basic request)\n" \
- " (minimum: 0, max: " MAX_REQUEST_SIZE_STR " )\n" \
+ " request_size=%%d default: about 34 (basic request)\n" \
+ " (minimum: 0, max: " MAX_REQUEST_SIZE_STR ")\n" \
+ " If 0, in the first exchange only an empty\n" \
+ " application data message is sent followed by\n" \
+ " a second non-empty message before attempting\n" \
+ " to read a response from the server\n" \
" debug_level=%%d default: 0 (disabled)\n" \
" nbio=%%d default: 0 (blocking I/O)\n" \
" options: 1 (non-blocking), 2 (added delays)\n" \
@@ -1663,10 +1667,13 @@
if( opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM )
{
- for( written = 0, frags = 0; written < len; written += ret, frags++ )
+ written = 0;
+ frags = 0;
+
+ do
{
while( ( ret = mbedtls_ssl_write( &ssl, buf + written,
- len - written ) ) <= 0 )
+ len - written ) ) < 0 )
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
@@ -1686,7 +1693,11 @@
#endif
}
}
+
+ frags++;
+ written += ret;
}
+ while( written < len );
}
else /* Not stream, so datagram */
{
@@ -1730,6 +1741,13 @@
mbedtls_printf( " %d bytes written in %d fragments\n\n%s\n",
written, frags, (char *) buf );
+ /* Send a non-empty request if request_size == 0 */
+ if ( len == 0 )
+ {
+ opt.request_size = DFL_REQUEST_SIZE;
+ goto send_request;
+ }
+
/*
* 7. Read the HTTP response
*/
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 7624896..1c3a806 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -29,10 +29,13 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#define mbedtls_time_t time_t
-#endif
+#include <stdlib.h>
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define mbedtls_time_t time_t
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_CERTS_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_SSL_TLS_C) || \
@@ -95,7 +98,8 @@
int main( void )
{
- int ret, len, cnt = 0, pid;
+ int ret = 1, len, cnt = 0, pid;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context listen_fd, client_fd;
unsigned char buf[1024];
const char *pers = "ssl_fork_server";
@@ -392,6 +396,8 @@
goto exit;
}
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_net_free( &client_fd );
mbedtls_net_free( &listen_fd );
@@ -408,7 +414,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_CERTS_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C &&
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 04b847a..d3b569c 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -19,6 +19,11 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
+/* Enable definition of gethostname() even when compiling with -std=c99. Must
+ * be set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 200112L
+
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
@@ -30,11 +35,13 @@
#else
#include <stdio.h>
#include <stdlib.h>
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#define mbedtls_time time
+#define mbedtls_time_t time_t
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
@@ -346,7 +353,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0, len;
+ int ret = 1, len;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context server_fd;
unsigned char buf[1024];
#if defined(MBEDTLS_BASE64_C)
@@ -499,8 +507,8 @@
mbedtls_test_cas_pem_len );
#else
{
- ret = 1;
mbedtls_printf("MBEDTLS_CERTS_C and/or MBEDTLS_PEM_PARSE_C not defined.");
+ goto exit;
}
#endif
if( ret < 0 )
@@ -529,8 +537,8 @@
mbedtls_test_cli_crt_len );
#else
{
- ret = -1;
mbedtls_printf("MBEDTLS_CERTS_C not defined.");
+ goto exit;
}
#endif
if( ret != 0 )
@@ -549,8 +557,8 @@
mbedtls_test_cli_key_len, NULL, 0 );
#else
{
- ret = -1;
mbedtls_printf("MBEDTLS_CERTS_C or MBEDTLS_PEM_PARSE_C not defined.");
+ goto exit;
}
#endif
if( ret != 0 )
@@ -819,6 +827,8 @@
mbedtls_ssl_close_notify( &ssl );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_net_free( &server_fd );
@@ -835,7 +845,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C **
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 6bfb210..7654a64 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -97,6 +97,10 @@
#include <windows.h>
#endif
+/* Size of memory to be allocated for the heap, when using the library's memory
+ * management and MBEDTLS_MEMORY_BUFFER_ALLOC_C is enabled. */
+#define MEMORY_HEAP_SIZE 120000
+
#define DFL_SERVER_ADDR NULL
#define DFL_SERVER_PORT "4433"
#define DFL_DEBUG_LEVEL 0
@@ -109,6 +113,10 @@
#define DFL_KEY_FILE ""
#define DFL_CRT_FILE2 ""
#define DFL_KEY_FILE2 ""
+#define DFL_ASYNC_OPERATIONS "-"
+#define DFL_ASYNC_PRIVATE_DELAY1 ( -1 )
+#define DFL_ASYNC_PRIVATE_DELAY2 ( -1 )
+#define DFL_ASYNC_PRIVATE_ERROR ( 0 )
#define DFL_PSK ""
#define DFL_PSK_IDENTITY "Client_identity"
#define DFL_ECJPAKE_PW NULL
@@ -196,6 +204,18 @@
#define USAGE_IO ""
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#define USAGE_SSL_ASYNC \
+ " async_operations=%%c... d=decrypt, s=sign (default: -=off)\n" \
+ " async_private_delay1=%%d Asynchronous delay for key_file or preloaded key\n" \
+ " async_private_delay2=%%d Asynchronous delay for key_file2 and sni\n" \
+ " default: -1 (not asynchronous)\n" \
+ " async_private_error=%%d Async callback error injection (default=0=none,\n" \
+ " 1=start, 2=cancel, 3=resume, negative=first time only)"
+#else
+#define USAGE_SSL_ASYNC ""
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
#define USAGE_PSK \
" psk=%%s default: \"\" (in hex, without 0x)\n" \
@@ -346,6 +366,7 @@
" cert_req_ca_list=%%d default: 1 (send ca list)\n" \
" options: 1 (send ca list), 0 (don't send)\n" \
USAGE_IO \
+ USAGE_SSL_ASYNC \
USAGE_SNI \
"\n" \
USAGE_PSK \
@@ -410,6 +431,10 @@
const char *key_file; /* the file with the server key */
const char *crt_file2; /* the file with the 2nd server certificate */
const char *key_file2; /* the file with the 2nd server key */
+ const char *async_operations; /* supported SSL asynchronous operations */
+ int async_private_delay1; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */
+ int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */
+ int async_private_error; /* inject error in async private callback */
const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */
char *psk_list; /* list of PSK id/key pairs for callback */
@@ -841,6 +866,244 @@
};
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+/** Return true if \p ret is a status code indicating that there is an
+ * operation in progress on an SSL connection, and false if it indicates
+ * success or a fatal error.
+ *
+ * The possible operations in progress are:
+ *
+ * - A read, when the SSL input buffer does not contain a full message.
+ * - A write, when the SSL output buffer contains some data that has not
+ * been sent over the network yet.
+ * - An asynchronous callback that has not completed yet. */
+static int mbedtls_status_is_ssl_in_progress( int ret )
+{
+ return( ret == MBEDTLS_ERR_SSL_WANT_READ ||
+ ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
+ ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+}
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+typedef struct
+{
+ mbedtls_x509_crt *cert; /*!< Certificate corresponding to the key */
+ mbedtls_pk_context *pk; /*!< Private key */
+ unsigned delay; /*!< Number of resume steps to go through */
+ unsigned pk_owned : 1; /*!< Whether to free the pk object on exit */
+} ssl_async_key_slot_t;
+
+typedef enum {
+ SSL_ASYNC_INJECT_ERROR_NONE = 0, /*!< Let the callbacks succeed */
+ SSL_ASYNC_INJECT_ERROR_START, /*!< Inject error during start */
+ SSL_ASYNC_INJECT_ERROR_CANCEL, /*!< Close the connection after async start */
+ SSL_ASYNC_INJECT_ERROR_RESUME, /*!< Inject error during resume */
+#define SSL_ASYNC_INJECT_ERROR_MAX SSL_ASYNC_INJECT_ERROR_RESUME
+} ssl_async_inject_error_t;
+
+typedef struct
+{
+ ssl_async_key_slot_t slots[4]; /* key, key2, sni1, sni2 */
+ size_t slots_used;
+ ssl_async_inject_error_t inject_error;
+ int (*f_rng)(void *, unsigned char *, size_t);
+ void *p_rng;
+} ssl_async_key_context_t;
+
+int ssl_async_set_key( ssl_async_key_context_t *ctx,
+ mbedtls_x509_crt *cert,
+ mbedtls_pk_context *pk,
+ int pk_take_ownership,
+ unsigned delay )
+{
+ if( ctx->slots_used >= sizeof( ctx->slots ) / sizeof( *ctx->slots ) )
+ return( -1 );
+ ctx->slots[ctx->slots_used].cert = cert;
+ ctx->slots[ctx->slots_used].pk = pk;
+ ctx->slots[ctx->slots_used].delay = delay;
+ ctx->slots[ctx->slots_used].pk_owned = pk_take_ownership;
+ ++ctx->slots_used;
+ return( 0 );
+}
+
+#define SSL_ASYNC_INPUT_MAX_SIZE 512
+
+typedef enum
+{
+ ASYNC_OP_SIGN,
+ ASYNC_OP_DECRYPT,
+} ssl_async_operation_type_t;
+/* Note that the enum above and the array below need to be kept in sync!
+ * `ssl_async_operation_names[op]` is the name of op for each value `op`
+ * of type `ssl_async_operation_type_t`. */
+static const char *const ssl_async_operation_names[] =
+{
+ "sign",
+ "decrypt",
+};
+
+typedef struct
+{
+ unsigned slot;
+ ssl_async_operation_type_t operation_type;
+ mbedtls_md_type_t md_alg;
+ unsigned char input[SSL_ASYNC_INPUT_MAX_SIZE];
+ size_t input_len;
+ unsigned remaining_delay;
+} ssl_async_operation_context_t;
+
+static int ssl_async_start( mbedtls_ssl_context *ssl,
+ mbedtls_x509_crt *cert,
+ ssl_async_operation_type_t op_type,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *input,
+ size_t input_len )
+{
+ ssl_async_key_context_t *config_data =
+ mbedtls_ssl_conf_get_async_config_data( ssl->conf );
+ unsigned slot;
+ ssl_async_operation_context_t *ctx = NULL;
+ const char *op_name = ssl_async_operation_names[op_type];
+
+ {
+ char dn[100];
+ if( mbedtls_x509_dn_gets( dn, sizeof( dn ), &cert->subject ) > 0 )
+ mbedtls_printf( "Async %s callback: looking for DN=%s\n",
+ op_name, dn );
+ }
+
+ /* Look for a private key that matches the public key in cert.
+ * Since this test code has the private key inside Mbed TLS,
+ * we call mbedtls_pk_check_pair to match a private key with the
+ * public key. */
+ for( slot = 0; slot < config_data->slots_used; slot++ )
+ {
+ if( mbedtls_pk_check_pair( &cert->pk,
+ config_data->slots[slot].pk ) == 0 )
+ break;
+ }
+ if( slot == config_data->slots_used )
+ {
+ mbedtls_printf( "Async %s callback: no key matches this certificate.\n",
+ op_name );
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH );
+ }
+ mbedtls_printf( "Async %s callback: using key slot %u, delay=%u.\n",
+ op_name, slot, config_data->slots[slot].delay );
+
+ if( config_data->inject_error == SSL_ASYNC_INJECT_ERROR_START )
+ {
+ mbedtls_printf( "Async %s callback: injected error\n", op_name );
+ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+ }
+
+ if( input_len > SSL_ASYNC_INPUT_MAX_SIZE )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ ctx = mbedtls_calloc( 1, sizeof( *ctx ) );
+ if( ctx == NULL )
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ ctx->slot = slot;
+ ctx->operation_type = op_type;
+ ctx->md_alg = md_alg;
+ memcpy( ctx->input, input, input_len );
+ ctx->input_len = input_len;
+ ctx->remaining_delay = config_data->slots[slot].delay;
+ mbedtls_ssl_set_async_operation_data( ssl, ctx );
+
+ if( ctx->remaining_delay == 0 )
+ return( 0 );
+ else
+ return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+}
+
+static int ssl_async_sign( mbedtls_ssl_context *ssl,
+ mbedtls_x509_crt *cert,
+ mbedtls_md_type_t md_alg,
+ const unsigned char *hash,
+ size_t hash_len )
+{
+ return( ssl_async_start( ssl, cert,
+ ASYNC_OP_SIGN, md_alg,
+ hash, hash_len ) );
+}
+
+static int ssl_async_decrypt( mbedtls_ssl_context *ssl,
+ mbedtls_x509_crt *cert,
+ const unsigned char *input,
+ size_t input_len )
+{
+ return( ssl_async_start( ssl, cert,
+ ASYNC_OP_DECRYPT, MBEDTLS_MD_NONE,
+ input, input_len ) );
+}
+
+static int ssl_async_resume( mbedtls_ssl_context *ssl,
+ unsigned char *output,
+ size_t *output_len,
+ size_t output_size )
+{
+ ssl_async_operation_context_t *ctx = mbedtls_ssl_get_async_operation_data( ssl );
+ ssl_async_key_context_t *config_data =
+ mbedtls_ssl_conf_get_async_config_data( ssl->conf );
+ ssl_async_key_slot_t *key_slot = &config_data->slots[ctx->slot];
+ int ret;
+ const char *op_name;
+
+ if( ctx->remaining_delay > 0 )
+ {
+ --ctx->remaining_delay;
+ mbedtls_printf( "Async resume (slot %u): call %u more times.\n",
+ ctx->slot, ctx->remaining_delay );
+ return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+ }
+
+ switch( ctx->operation_type )
+ {
+ case ASYNC_OP_DECRYPT:
+ ret = mbedtls_pk_decrypt( key_slot->pk,
+ ctx->input, ctx->input_len,
+ output, output_len, output_size,
+ config_data->f_rng, config_data->p_rng );
+ break;
+ case ASYNC_OP_SIGN:
+ ret = mbedtls_pk_sign( key_slot->pk,
+ ctx->md_alg,
+ ctx->input, ctx->input_len,
+ output, output_len,
+ config_data->f_rng, config_data->p_rng );
+ break;
+ default:
+ mbedtls_printf( "Async resume (slot %u): unknown operation type %ld. This shouldn't happen.\n",
+ ctx->slot, (long) ctx->operation_type );
+ mbedtls_free( ctx );
+ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+ break;
+ }
+
+ op_name = ssl_async_operation_names[ctx->operation_type];
+
+ if( config_data->inject_error == SSL_ASYNC_INJECT_ERROR_RESUME )
+ {
+ mbedtls_printf( "Async resume callback: %s done but injected error\n",
+ op_name );
+ mbedtls_free( ctx );
+ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+ }
+
+ mbedtls_printf( "Async resume (slot %u): %s done, status=%d.\n",
+ ctx->slot, op_name, ret );
+ mbedtls_free( ctx );
+ return( ret );
+}
+
+static void ssl_async_cancel( mbedtls_ssl_context *ssl )
+{
+ ssl_async_operation_context_t *ctx = mbedtls_ssl_get_async_operation_data( ssl );
+ mbedtls_printf( "Async cancel callback.\n" );
+ mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
/*
* Wait for an event from the underlying transport or the timer
* (Used in event-driven IO mode).
@@ -929,7 +1192,10 @@
mbedtls_x509_crt srvcert2;
mbedtls_pk_context pkey2;
int key_cert_init = 0, key_cert_init2 = 0;
-#endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ ssl_async_key_context_t ssl_async_keys;
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
mbedtls_dhm_context dhm;
#endif
@@ -950,7 +1216,7 @@
const char *alpn_list[ALPN_LIST_SIZE];
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
- unsigned char alloc_buf[100000];
+ unsigned char alloc_buf[MEMORY_HEAP_SIZE];
#endif
int i;
@@ -975,6 +1241,9 @@
mbedtls_pk_init( &pkey );
mbedtls_x509_crt_init( &srvcert2 );
mbedtls_pk_init( &pkey2 );
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ memset( &ssl_async_keys, 0, sizeof( ssl_async_keys ) );
+#endif
#endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
mbedtls_dhm_init( &dhm );
@@ -1032,6 +1301,10 @@
opt.key_file = DFL_KEY_FILE;
opt.crt_file2 = DFL_CRT_FILE2;
opt.key_file2 = DFL_KEY_FILE2;
+ opt.async_operations = DFL_ASYNC_OPERATIONS;
+ opt.async_private_delay1 = DFL_ASYNC_PRIVATE_DELAY1;
+ opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2;
+ opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR;
opt.psk = DFL_PSK;
opt.psk_identity = DFL_PSK_IDENTITY;
opt.psk_list = DFL_PSK_LIST;
@@ -1124,6 +1397,25 @@
opt.key_file2 = q;
else if( strcmp( p, "dhm_file" ) == 0 )
opt.dhm_file = q;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ else if( strcmp( p, "async_operations" ) == 0 )
+ opt.async_operations = q;
+ else if( strcmp( p, "async_private_delay1" ) == 0 )
+ opt.async_private_delay1 = atoi( q );
+ else if( strcmp( p, "async_private_delay2" ) == 0 )
+ opt.async_private_delay2 = atoi( q );
+ else if( strcmp( p, "async_private_error" ) == 0 )
+ {
+ int n = atoi( q );
+ if( n < -SSL_ASYNC_INJECT_ERROR_MAX ||
+ n > SSL_ASYNC_INJECT_ERROR_MAX )
+ {
+ ret = 2;
+ goto usage;
+ }
+ opt.async_private_error = n;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
else if( strcmp( p, "psk" ) == 0 )
opt.psk = q;
else if( strcmp( p, "psk_identity" ) == 0 )
@@ -2018,22 +2310,109 @@
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
}
if( key_cert_init )
- if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
+ {
+ mbedtls_pk_context *pk = &pkey;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( opt.async_private_delay1 >= 0 )
+ {
+ ret = ssl_async_set_key( &ssl_async_keys, &srvcert, pk, 0,
+ opt.async_private_delay1 );
+ if( ret < 0 )
+ {
+ mbedtls_printf( " Test error: ssl_async_set_key failed (%d)\n",
+ ret );
+ goto exit;
+ }
+ pk = NULL;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+ if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, pk ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
+ }
if( key_cert_init2 )
- if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert2, &pkey2 ) ) != 0 )
+ {
+ mbedtls_pk_context *pk = &pkey2;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( opt.async_private_delay2 >= 0 )
+ {
+ ret = ssl_async_set_key( &ssl_async_keys, &srvcert2, pk, 0,
+ opt.async_private_delay2 );
+ if( ret < 0 )
+ {
+ mbedtls_printf( " Test error: ssl_async_set_key failed (%d)\n",
+ ret );
+ goto exit;
+ }
+ pk = NULL;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+ if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert2, pk ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
goto exit;
}
-#endif
+ }
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( opt.async_operations[0] != '-' )
+ {
+ mbedtls_ssl_async_sign_t *sign = NULL;
+ mbedtls_ssl_async_decrypt_t *decrypt = NULL;
+ const char *r;
+ for( r = opt.async_operations; *r; r++ )
+ {
+ switch( *r )
+ {
+ case 'd':
+ decrypt = ssl_async_decrypt;
+ break;
+ case 's':
+ sign = ssl_async_sign;
+ break;
+ }
+ }
+ ssl_async_keys.inject_error = ( opt.async_private_error < 0 ?
+ - opt.async_private_error :
+ opt.async_private_error );
+ ssl_async_keys.f_rng = mbedtls_ctr_drbg_random;
+ ssl_async_keys.p_rng = &ctr_drbg;
+ mbedtls_ssl_conf_async_private_cb( &conf,
+ sign,
+ decrypt,
+ ssl_async_resume,
+ ssl_async_cancel,
+ &ssl_async_keys );
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(SNI_OPTION)
if( opt.sni != NULL )
+ {
mbedtls_ssl_conf_sni( &conf, sni_callback, sni_info );
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( opt.async_private_delay2 >= 0 )
+ {
+ sni_entry *cur;
+ for( cur = sni_info; cur != NULL; cur = cur->next )
+ {
+ ret = ssl_async_set_key( &ssl_async_keys,
+ cur->cert, cur->key, 1,
+ opt.async_private_delay2 );
+ if( ret < 0 )
+ {
+ mbedtls_printf( " Test error: ssl_async_set_key failed (%d)\n",
+ ret );
+ goto exit;
+ }
+ cur->key = NULL;
+ }
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+ }
#endif
#if defined(MBEDTLS_ECP_C)
@@ -2205,8 +2584,16 @@
while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
{
- if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS &&
+ ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL )
+ {
+ mbedtls_printf( " cancelling on injected error\n" );
+ break;
+ }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+ if( ! mbedtls_status_is_ssl_in_progress( ret ) )
break;
/* For event-driven IO, wait for socket to become available */
@@ -2244,6 +2631,11 @@
}
#endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ if( opt.async_private_error < 0 )
+ /* Injected error only the first time round, to test reset */
+ ssl_async_keys.inject_error = SSL_ASYNC_INJECT_ERROR_NONE;
+#endif
goto reset;
}
else /* ret == 0 */
@@ -2324,8 +2716,7 @@
memset( buf, 0, sizeof( buf ) );
ret = mbedtls_ssl_read( &ssl, buf, len );
- if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
- ret == MBEDTLS_ERR_SSL_WANT_WRITE )
+ if( mbedtls_status_is_ssl_in_progress( ret ) )
{
if( opt.event == 1 /* level triggered IO */ )
{
@@ -2425,7 +2816,7 @@
len = sizeof( buf ) - 1;
memset( buf, 0, sizeof( buf ) );
- while( 1 )
+ do
{
/* Without the call to `mbedtls_ssl_check_pending`, it might
* happen that the client sends application data in the same
@@ -2455,10 +2846,8 @@
* it can happen that the subsequent call to `mbedtls_ssl_read`
* returns `MBEDTLS_ERR_SSL_WANT_READ`, because the pending messages
* might be discarded (e.g. because they are retransmissions). */
- if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
- break;
}
+ while( mbedtls_status_is_ssl_in_progress( ret ) );
if( ret <= 0 )
{
@@ -2493,8 +2882,7 @@
while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 )
{
- if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ if( ! mbedtls_status_is_ssl_in_progress( ret ) )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_renegotiate returned %d\n\n", ret );
goto reset;
@@ -2537,8 +2925,7 @@
goto reset;
}
- if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ if( ! mbedtls_status_is_ssl_in_progress( ret ) )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret );
goto reset;
@@ -2562,8 +2949,7 @@
{
ret = mbedtls_ssl_write( &ssl, buf, len );
- if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
- ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ if( ! mbedtls_status_is_ssl_in_progress( ret ) )
break;
/* For event-driven IO, wait for socket to become available */
@@ -2641,6 +3027,17 @@
mbedtls_x509_crt_free( &srvcert2 );
mbedtls_pk_free( &pkey2 );
#endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+ for( i = 0; (size_t) i < ssl_async_keys.slots_used; i++ )
+ {
+ if( ssl_async_keys.slots[i].pk_owned )
+ {
+ mbedtls_pk_free( ssl_async_keys.slots[i].pk );
+ mbedtls_free( ssl_async_keys.slots[i].pk );
+ ssl_async_keys.slots[i].pk = NULL;
+ }
+ }
+#endif
#if defined(SNI_OPTION)
sni_free( sni_info );
#endif
diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt
index 0c5ce27..9ca0cb2 100644
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@@ -16,6 +16,11 @@
add_executable(benchmark benchmark.c)
target_link_libraries(benchmark ${libs})
+if(TEST_CPP)
+ add_executable(cpp_dummy_build cpp_dummy_build.cpp)
+ target_link_libraries(cpp_dummy_build ${libs})
+endif()
+
add_executable(ssl_cert_test ssl_cert_test.c)
target_link_libraries(ssl_cert_test ${libs})
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index cecf3e3..5277ceb 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -54,21 +54,29 @@
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
+
#include "mbedtls/arc4.h"
#include "mbedtls/des.h"
#include "mbedtls/aes.h"
+#include "mbedtls/aria.h"
#include "mbedtls/blowfish.h"
#include "mbedtls/camellia.h"
+#include "mbedtls/chacha20.h"
#include "mbedtls/gcm.h"
#include "mbedtls/ccm.h"
+#include "mbedtls/chachapoly.h"
#include "mbedtls/cmac.h"
+#include "mbedtls/poly1305.h"
+
#include "mbedtls/havege.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
+
#include "mbedtls/rsa.h"
#include "mbedtls/dhm.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/ecdh.h"
+
#include "mbedtls/error.h"
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
@@ -93,8 +101,9 @@
#define OPTIONS \
"md4, md5, ripemd160, sha1, sha256, sha512,\n" \
- "arc4, des3, des, camellia, blowfish,\n" \
- "aes_cbc, aes_gcm, aes_ccm, aes_cmac, des3_cmac,\n" \
+ "arc4, des3, des, camellia, blowfish, chacha20,\n" \
+ "aes_cbc, aes_gcm, aes_ccm, aes_ctx, chachapoly,\n" \
+ "aes_cmac, des3_cmac, poly1305\n" \
"havege, ctr_drbg, hmac_drbg\n" \
"rsa, dhm, ecdsa, ecdh.\n"
@@ -110,25 +119,34 @@
#define TIME_AND_TSC( TITLE, CODE ) \
do { \
unsigned long ii, jj, tsc; \
+ int ret = 0; \
\
mbedtls_printf( HEADER_FORMAT, TITLE ); \
fflush( stdout ); \
\
mbedtls_set_alarm( 1 ); \
- for( ii = 1; ! mbedtls_timing_alarmed; ii++ ) \
+ for( ii = 1; ret == 0 && ! mbedtls_timing_alarmed; ii++ ) \
{ \
- CODE; \
+ ret = CODE; \
} \
\
tsc = mbedtls_timing_hardclock(); \
- for( jj = 0; jj < 1024; jj++ ) \
+ for( jj = 0; ret == 0 && jj < 1024; jj++ ) \
{ \
- CODE; \
+ ret = CODE; \
} \
\
- mbedtls_printf( "%9lu KiB/s, %9lu cycles/byte\n", \
- ii * BUFSIZE / 1024, \
- ( mbedtls_timing_hardclock() - tsc ) / ( jj * BUFSIZE ) ); \
+ if( ret != 0 ) \
+ { \
+ PRINT_ERROR; \
+ } \
+ else \
+ { \
+ mbedtls_printf( "%9lu KiB/s, %9lu cycles/byte\n", \
+ ii * BUFSIZE / 1024, \
+ ( mbedtls_timing_hardclock() - tsc ) \
+ / ( jj * BUFSIZE ) ); \
+ } \
} while( 0 )
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_MEMORY_DEBUG)
@@ -228,8 +246,10 @@
typedef struct {
char md4, md5, ripemd160, sha1, sha256, sha512,
arc4, des3, des,
- aes_cbc, aes_gcm, aes_ccm, aes_cmac, des3_cmac,
- camellia, blowfish,
+ aes_cbc, aes_gcm, aes_ccm, aes_xts, chachapoly,
+ aes_cmac, des3_cmac,
+ aria, camellia, blowfish, chacha20,
+ poly1305,
havege, ctr_drbg, hmac_drbg,
rsa, dhm, ecdsa, ecdh;
} todo_list;
@@ -274,18 +294,28 @@
todo.des = 1;
else if( strcmp( argv[i], "aes_cbc" ) == 0 )
todo.aes_cbc = 1;
+ else if( strcmp( argv[i], "aes_xts" ) == 0 )
+ todo.aes_xts = 1;
else if( strcmp( argv[i], "aes_gcm" ) == 0 )
todo.aes_gcm = 1;
else if( strcmp( argv[i], "aes_ccm" ) == 0 )
todo.aes_ccm = 1;
+ else if( strcmp( argv[i], "chachapoly" ) == 0 )
+ todo.chachapoly = 1;
else if( strcmp( argv[i], "aes_cmac" ) == 0 )
todo.aes_cmac = 1;
else if( strcmp( argv[i], "des3_cmac" ) == 0 )
todo.des3_cmac = 1;
+ else if( strcmp( argv[i], "aria" ) == 0 )
+ todo.aria = 1;
else if( strcmp( argv[i], "camellia" ) == 0 )
todo.camellia = 1;
else if( strcmp( argv[i], "blowfish" ) == 0 )
todo.blowfish = 1;
+ else if( strcmp( argv[i], "chacha20" ) == 0 )
+ todo.chacha20 = 1;
+ else if( strcmp( argv[i], "poly1305" ) == 0 )
+ todo.poly1305 = 1;
else if( strcmp( argv[i], "havege" ) == 0 )
todo.havege = 1;
else if( strcmp( argv[i], "ctr_drbg" ) == 0 )
@@ -419,6 +449,29 @@
mbedtls_aes_free( &aes );
}
#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ if( todo.aes_xts )
+ {
+ int keysize;
+ mbedtls_aes_xts_context ctx;
+
+ mbedtls_aes_xts_init( &ctx );
+ for( keysize = 128; keysize <= 256; keysize += 128 )
+ {
+ mbedtls_snprintf( title, sizeof( title ), "AES-XTS-%d", keysize );
+
+ memset( buf, 0, sizeof( buf ) );
+ memset( tmp, 0, sizeof( tmp ) );
+ mbedtls_aes_xts_setkey_enc( &ctx, tmp, keysize * 2 );
+
+ TIME_AND_TSC( title,
+ mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_ENCRYPT, BUFSIZE,
+ tmp, buf, buf ) );
+
+ mbedtls_aes_xts_free( &ctx );
+ }
+ }
+#endif
#if defined(MBEDTLS_GCM_C)
if( todo.aes_gcm )
{
@@ -465,6 +518,26 @@
}
}
#endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ if( todo.chachapoly )
+ {
+ mbedtls_chachapoly_context chachapoly;
+
+ mbedtls_chachapoly_init( &chachapoly );
+ memset( buf, 0, sizeof( buf ) );
+ memset( tmp, 0, sizeof( tmp ) );
+
+ mbedtls_snprintf( title, sizeof( title ), "ChaCha20-Poly1305" );
+
+ mbedtls_chachapoly_setkey( &chachapoly, tmp );
+
+ TIME_AND_TSC( title,
+ mbedtls_chachapoly_encrypt_and_tag( &chachapoly,
+ BUFSIZE, tmp, NULL, 0, buf, buf, tmp ) );
+
+ mbedtls_chachapoly_free( &chachapoly );
+ }
+#endif
#if defined(MBEDTLS_CMAC_C)
if( todo.aes_cmac )
{
@@ -498,6 +571,28 @@
#endif /* MBEDTLS_CMAC_C */
#endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_ARIA_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
+ if( todo.aria )
+ {
+ int keysize;
+ mbedtls_aria_context aria;
+ mbedtls_aria_init( &aria );
+ for( keysize = 128; keysize <= 256; keysize += 64 )
+ {
+ mbedtls_snprintf( title, sizeof( title ), "ARIA-CBC-%d", keysize );
+
+ memset( buf, 0, sizeof( buf ) );
+ memset( tmp, 0, sizeof( tmp ) );
+ mbedtls_aria_setkey_enc( &aria, tmp, keysize );
+
+ TIME_AND_TSC( title,
+ mbedtls_aria_crypt_cbc( &aria, MBEDTLS_ARIA_ENCRYPT,
+ BUFSIZE, tmp, buf, buf ) );
+ }
+ mbedtls_aria_free( &aria );
+ }
+#endif
+
#if defined(MBEDTLS_CAMELLIA_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
if( todo.camellia )
{
@@ -520,6 +615,20 @@
}
#endif
+#if defined(MBEDTLS_CHACHA20_C)
+ if ( todo.chacha20 )
+ {
+ TIME_AND_TSC( "ChaCha20", mbedtls_chacha20_crypt( buf, buf, 0U, BUFSIZE, buf, buf ) );
+ }
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+ if ( todo.poly1305 )
+ {
+ TIME_AND_TSC( "Poly1305", mbedtls_poly1305_mac( buf, buf, BUFSIZE, buf ) );
+ }
+#endif
+
#if defined(MBEDTLS_BLOWFISH_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
if( todo.blowfish )
{
@@ -564,15 +673,13 @@
if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
mbedtls_exit(1);
TIME_AND_TSC( "CTR_DRBG (NOPR)",
- if( mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
- mbedtls_exit(1) );
+ mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) );
if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
mbedtls_exit(1);
mbedtls_ctr_drbg_set_prediction_resistance( &ctr_drbg, MBEDTLS_CTR_DRBG_PR_ON );
TIME_AND_TSC( "CTR_DRBG (PR)",
- if( mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
- mbedtls_exit(1) );
+ mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) );
mbedtls_ctr_drbg_free( &ctr_drbg );
}
#endif
@@ -592,8 +699,7 @@
if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
mbedtls_exit(1);
TIME_AND_TSC( "HMAC_DRBG SHA-1 (NOPR)",
- if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
- mbedtls_exit(1) );
+ mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
@@ -601,8 +707,7 @@
mbedtls_hmac_drbg_set_prediction_resistance( &hmac_drbg,
MBEDTLS_HMAC_DRBG_PR_ON );
TIME_AND_TSC( "HMAC_DRBG SHA-1 (PR)",
- if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
- mbedtls_exit(1) );
+ mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
#endif
@@ -613,8 +718,7 @@
if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
mbedtls_exit(1);
TIME_AND_TSC( "HMAC_DRBG SHA-256 (NOPR)",
- if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
- mbedtls_exit(1) );
+ mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
@@ -622,8 +726,7 @@
mbedtls_hmac_drbg_set_prediction_resistance( &hmac_drbg,
MBEDTLS_HMAC_DRBG_PR_ON );
TIME_AND_TSC( "HMAC_DRBG SHA-256 (PR)",
- if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
- mbedtls_exit(1) );
+ mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
#endif
}
diff --git a/programs/test/cpp_dummy_build.cpp b/programs/test/cpp_dummy_build.cpp
new file mode 100644
index 0000000..c652884
--- /dev/null
+++ b/programs/test/cpp_dummy_build.cpp
@@ -0,0 +1,119 @@
+/*
+ * This program is a dummy C++ program to ensure Mbed TLS library header files
+ * can be included and built with a C++ compiler.
+ *
+ * Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/aes.h"
+#include "mbedtls/aesni.h"
+#include "mbedtls/arc4.h"
+#include "mbedtls/aria.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/blowfish.h"
+#include "mbedtls/bn_mul.h"
+#include "mbedtls/camellia.h"
+#include "mbedtls/ccm.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/chacha20.h"
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/check_config.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/cipher_internal.h"
+#include "mbedtls/cmac.h"
+#include "mbedtls/compat-1.3.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/des.h"
+#include "mbedtls/dhm.h"
+#include "mbedtls/ecdh.h"
+#include "mbedtls/ecdsa.h"
+#include "mbedtls/ecjpake.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/ecp_internal.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+#include "mbedtls/error.h"
+#include "mbedtls/gcm.h"
+#include "mbedtls/havege.h"
+#include "mbedtls/hkdf.h"
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/md.h"
+#include "mbedtls/md2.h"
+#include "mbedtls/md4.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/md_internal.h"
+#include "mbedtls/net.h"
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/padlock.h"
+#include "mbedtls/pem.h"
+#include "mbedtls/pk.h"
+#include "mbedtls/pk_internal.h"
+#include "mbedtls/pkcs11.h"
+#include "mbedtls/pkcs12.h"
+#include "mbedtls/pkcs5.h"
+#include "mbedtls/platform_time.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/poly1305.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/rsa_internal.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_cache.h"
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/ssl_cookie.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/ssl_ticket.h"
+#include "mbedtls/threading.h"
+#include "mbedtls/timing.h"
+#include "mbedtls/version.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/xtea.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#endif
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+#endif
+
+int main()
+{
+ mbedtls_platform_context *ctx = NULL;
+ mbedtls_platform_setup(ctx);
+ mbedtls_printf("CPP Build test\n");
+ mbedtls_platform_teardown(ctx);
+}
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index 72a3734..f923a43 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -44,6 +44,10 @@
#include "mbedtls/des.h"
#include "mbedtls/aes.h"
#include "mbedtls/camellia.h"
+#include "mbedtls/aria.h"
+#include "mbedtls/chacha20.h"
+#include "mbedtls/poly1305.h"
+#include "mbedtls/chachapoly.h"
#include "mbedtls/base64.h"
#include "mbedtls/bignum.h"
#include "mbedtls/rsa.h"
@@ -53,6 +57,7 @@
#include "mbedtls/ecp.h"
#include "mbedtls/ecjpake.h"
#include "mbedtls/timing.h"
+#include "mbedtls/nist_kw.h"
#include <string.h>
@@ -204,9 +209,21 @@
#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)
{"ccm", mbedtls_ccm_self_test},
#endif
+#if defined(MBEDTLS_NIST_KW_C) && defined(MBEDTLS_AES_C)
+ {"nist_kw", mbedtls_nist_kw_self_test},
+#endif
#if defined(MBEDTLS_CMAC_C)
{"cmac", mbedtls_cmac_self_test},
#endif
+#if defined(MBEDTLS_CHACHA20_C)
+ {"chacha20", mbedtls_chacha20_self_test},
+#endif
+#if defined(MBEDTLS_POLY1305_C)
+ {"poly1305", mbedtls_poly1305_self_test},
+#endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ {"chacha20-poly1305", mbedtls_chachapoly_self_test},
+#endif
#if defined(MBEDTLS_BASE64_C)
{"base64", mbedtls_base64_self_test},
#endif
@@ -225,6 +242,9 @@
#if defined(MBEDTLS_CAMELLIA_C)
{"camellia", mbedtls_camellia_self_test},
#endif
+#if defined(MBEDTLS_ARIA_C)
+ {"aria", mbedtls_aria_self_test},
+#endif
#if defined(MBEDTLS_CTR_DRBG_C)
{"ctr_drbg", mbedtls_ctr_drbg_self_test},
#endif
diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index 9cfcd2d..fd3526f 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@@ -29,9 +29,12 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_snprintf snprintf
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_snprintf snprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_X509_CRT_PARSE_C) && \
defined(MBEDTLS_FS_IO) && defined(MBEDTLS_X509_CRL_PARSE_C)
@@ -80,7 +83,8 @@
int main( void )
{
- int ret, i;
+ int ret = 1, i;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_x509_crt cacert;
mbedtls_x509_crl crl;
char buf[10240];
@@ -210,7 +214,6 @@
if( ! mbedtls_pk_can_do( &clicert.pk, MBEDTLS_PK_RSA ) )
{
mbedtls_printf( " failed\n ! certificate's key is not RSA\n\n" );
- ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
goto exit;
}
@@ -241,6 +244,8 @@
mbedtls_pk_free( &pk );
}
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_x509_crt_free( &cacert );
mbedtls_x509_crl_free( &crl );
@@ -250,7 +255,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_RSA_C && MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_FS_IO &&
MBEDTLS_X509_CRL_PARSE_C */
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index 5797f3d..55e0f24 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -37,10 +37,12 @@
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_printf printf
-#endif
+#define mbedtls_time time
+#define mbedtls_time_t time_t
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_NET_C)
int main( void )
@@ -600,7 +602,8 @@
int main( int argc, char *argv[] )
{
- int ret;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context listen_fd, client_fd, server_fd;
@@ -781,10 +784,12 @@
}
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
#ifdef MBEDTLS_ERROR_C
- if( ret != 0 )
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
char error_buf[100];
mbedtls_strerror( ret, error_buf, 100 );
@@ -802,7 +807,7 @@
fflush( stdout ); getchar();
#endif
- return( ret != 0 );
+ return( exit_code );
}
#endif /* MBEDTLS_NET_C */
diff --git a/programs/test/zeroize.c b/programs/test/zeroize.c
index 252438b..29cc0ac 100644
--- a/programs/test/zeroize.c
+++ b/programs/test/zeroize.c
@@ -66,7 +66,7 @@
char buf[BUFFER_LEN];
char *p = buf;
char *end = p + BUFFER_LEN;
- char c;
+ int c;
if( argc != 2 )
{
@@ -83,7 +83,7 @@
}
while( ( c = fgetc( fp ) ) != EOF && p < end - 1 )
- *p++ = c;
+ *p++ = (char)c;
*p = '\0';
if( p - buf != 0 )
diff --git a/programs/util/pem2der.c b/programs/util/pem2der.c
index ad2c6ac..73a9fb5 100644
--- a/programs/util/pem2der.c
+++ b/programs/util/pem2der.c
@@ -29,10 +29,13 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_free free
-#define mbedtls_calloc calloc
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_free free
+#define mbedtls_calloc calloc
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if defined(MBEDTLS_BASE64_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/error.h"
@@ -178,7 +181,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
unsigned char *pem_buffer = NULL;
unsigned char der_buffer[4096];
char buf[1024];
@@ -273,6 +277,8 @@
mbedtls_printf( " ok\n" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
free( pem_buffer );
@@ -281,6 +287,6 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BASE64_C && MBEDTLS_FS_IO */
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index c893ca8..c57ecca 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -30,11 +30,13 @@
#else
#include <stdio.h>
#include <stdlib.h>
-#define mbedtls_time time
-#define mbedtls_time_t time_t
-#define mbedtls_fprintf fprintf
-#define mbedtls_printf printf
-#endif
+#define mbedtls_time time
+#define mbedtls_time_t time_t
+#define mbedtls_fprintf fprintf
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
@@ -145,7 +147,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_net_context server_fd;
unsigned char buf[1024];
mbedtls_entropy_context entropy;
@@ -180,7 +183,6 @@
{
usage:
mbedtls_printf( USAGE );
- ret = 2;
goto exit;
}
@@ -252,19 +254,23 @@
if( strlen( opt.ca_path ) )
{
- ret = mbedtls_x509_crt_parse_path( &cacert, opt.ca_path );
+ if( ( ret = mbedtls_x509_crt_parse_path( &cacert, opt.ca_path ) ) < 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_path returned -0x%x\n\n", -ret );
+ goto exit;
+ }
+
verify = 1;
}
else if( strlen( opt.ca_file ) )
{
- ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file );
- verify = 1;
- }
+ if( ( ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file ) ) < 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned -0x%x\n\n", -ret );
+ goto exit;
+ }
- if( ret < 0 )
- {
- mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
- goto exit;
+ verify = 1;
}
mbedtls_printf( " ok (%d skipped)\n", ret );
@@ -332,8 +338,6 @@
cur = cur->next;
}
- ret = 0;
-
/*
* 1.3 Verify the certificate
*/
@@ -470,6 +474,8 @@
else
goto usage;
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_net_free( &server_fd );
@@ -485,10 +491,7 @@
fflush( stdout ); getchar();
#endif
- if( ret < 0 )
- ret = 1;
-
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index 30df216..a32ac50 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_SHA256_C) || \
@@ -133,7 +136,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_pk_context key;
char buf[1024];
int i;
@@ -156,7 +160,6 @@
{
usage:
mbedtls_printf( USAGE );
- ret = 1;
goto exit;
}
@@ -317,9 +320,11 @@
mbedtls_printf( " ok\n" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
- if( ret != 0 && ret != 1)
+ if( exit_code != MBEDTLS_EXIT_SUCCESS )
{
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror( ret, buf, sizeof( buf ) );
@@ -339,7 +344,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_PEM_WRITE_C */
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 9cc582d..09a91e0 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_X509_CRT_WRITE_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
@@ -211,7 +214,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
mbedtls_x509_crt issuer_crt;
mbedtls_pk_context loaded_issuer_key, loaded_subject_key;
mbedtls_pk_context *issuer_key = &loaded_issuer_key,
@@ -248,7 +252,6 @@
{
usage:
mbedtls_printf( USAGE );
- ret = 1;
goto exit;
}
@@ -607,15 +610,10 @@
//
if( strlen( opt.issuer_crt ) )
{
- if( !mbedtls_pk_can_do( &issuer_crt.pk, MBEDTLS_PK_RSA ) ||
- mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->N,
- &mbedtls_pk_rsa( *issuer_key )->N ) != 0 ||
- mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,
- &mbedtls_pk_rsa( *issuer_key )->E ) != 0 )
+ if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key ) != 0 )
{
mbedtls_printf( " failed\n ! issuer_key does not match "
"issuer certificate\n\n" );
- ret = -1;
goto exit;
}
}
@@ -788,6 +786,8 @@
mbedtls_printf( " ok\n" );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_x509write_crt_free( &crt );
mbedtls_pk_free( &loaded_subject_key );
@@ -801,7 +801,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_X509_CRT_WRITE_C && MBEDTLS_X509_CRT_PARSE_C &&
MBEDTLS_FS_IO && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
diff --git a/programs/x509/crl_app.c b/programs/x509/crl_app.c
index 210d19e..f831683 100644
--- a/programs/x509/crl_app.c
+++ b/programs/x509/crl_app.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_X509_CRL_PARSE_C) || !defined(MBEDTLS_FS_IO)
@@ -67,7 +70,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
unsigned char buf[100000];
mbedtls_x509_crl crl;
int i;
@@ -131,6 +135,8 @@
mbedtls_printf( "%s\n", buf );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_x509_crl_free( &crl );
@@ -139,7 +145,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_X509_CRL_PARSE_C &&
MBEDTLS_FS_IO */
diff --git a/programs/x509/req_app.c b/programs/x509/req_app.c
index 8410a53..0f20c85 100644
--- a/programs/x509/req_app.c
+++ b/programs/x509/req_app.c
@@ -29,8 +29,11 @@
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#define mbedtls_printf printf
-#endif
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_X509_CSR_PARSE_C) || !defined(MBEDTLS_FS_IO)
@@ -67,7 +70,8 @@
int main( int argc, char *argv[] )
{
- int ret = 0;
+ int ret = 1;
+ int exit_code = MBEDTLS_EXIT_FAILURE;
unsigned char buf[100000];
mbedtls_x509_csr csr;
int i;
@@ -131,6 +135,8 @@
mbedtls_printf( "%s\n", buf );
+ exit_code = MBEDTLS_EXIT_SUCCESS;
+
exit:
mbedtls_x509_csr_free( &csr );
@@ -139,7 +145,7 @@
fflush( stdout ); getchar();
#endif
- return( ret );
+ return( exit_code );
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_X509_CSR_PARSE_C &&
MBEDTLS_FS_IO */
diff --git a/scripts/config.pl b/scripts/config.pl
index 5bf2785..3d2884c 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
#
# This file is part of mbed TLS (https://tls.mbed.org)
#
@@ -95,6 +95,7 @@
MBEDTLS_ZLIB_SUPPORT
MBEDTLS_PKCS11_C
MBEDTLS_NO_UDBL_DIVISION
+MBEDTLS_NO_64BIT_MULTIPLICATION
_ALT\s*$
);
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index ac0fbff..ac171ed4a 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# Generate error.c
#
@@ -29,10 +29,10 @@
my $error_format_file = $data_dir.'/error.fmt';
-my @low_level_modules = qw( AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH
- CAMELLIA CCM CMAC CTR_DRBG DES
- ENTROPY GCM HMAC_DRBG MD2 MD4 MD5
- NET OID PADLOCK PBKDF2 RIPEMD160
+my @low_level_modules = qw( AES ARC4 ARIA ASN1 BASE64 BIGNUM BLOWFISH
+ CAMELLIA CCM CHACHA20 CHACHAPOLY CMAC CTR_DRBG DES
+ ENTROPY GCM HKDF HMAC_DRBG MD2 MD4 MD5
+ NET OID PADLOCK PBKDF2 POLY1305 RIPEMD160
SHA1 SHA256 SHA512 THREADING XTEA );
my @high_level_modules = qw( CIPHER DHM ECP MD
PEM PK PKCS12 PKCS5
diff --git a/scripts/generate_features.pl b/scripts/generate_features.pl
index 2aa695c..1bd82ca 100755
--- a/scripts/generate_features.pl
+++ b/scripts/generate_features.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
#
use strict;
diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl
index 8d36653..811c71f 100755
--- a/scripts/generate_visualc_files.pl
+++ b/scripts/generate_visualc_files.pl
@@ -1,8 +1,7 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
-# Generate files for MS Visual Studio:
-# - for VS6: main project (library) file, individual app files, workspace
-# - for VS2010: main file, individual apps, solution file
+# Generate main file, individual apps and solution files for MS Visual Studio
+# 2010
#
# Must be run from mbedTLS root or scripts directory.
# Takes no argument.
@@ -171,12 +170,22 @@
content_to_file( $out, $vsx_sln_file );
}
+sub del_vsx_files {
+ unlink glob "'$vsx_dir/*.$vsx_ext'";
+ unlink $vsx_main_file;
+ unlink $vsx_sln_file;
+}
+
sub main {
if( ! check_dirs() ) {
chdir '..' or die;
check_dirs or die "Must but run from mbedTLS root or scripts dir\n";
}
+ # Remove old files to ensure that, for example, project files from deleted
+ # apps are not kept
+ del_vsx_files();
+
my @app_list = get_app_list();
my @headers = <$header_dir/*.h>;
my @sources = <$source_dir/*.c>;
diff --git a/scripts/massif_max.pl b/scripts/massif_max.pl
index d1ce4ca..4e3342a 100755
--- a/scripts/massif_max.pl
+++ b/scripts/massif_max.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# Parse a massif.out.xxx file and output peak total memory usage
diff --git a/scripts/output_env.sh b/scripts/output_env.sh
index e9ad8c5..c809d46 100755
--- a/scripts/output_env.sh
+++ b/scripts/output_env.sh
@@ -83,6 +83,11 @@
echo
fi
+if [ -n "${OPENSSL_NEXT+set}" ]; then
+ print_version "$OPENSSL_NEXT" "version" "openssl next version not found!"
+ echo
+fi
+
: ${GNUTLS_CLI:=gnutls-cli}
print_version "$GNUTLS_CLI" "--version" "gnuTLS client not found!" "head -n 1"
echo
diff --git a/scripts/rename.pl b/scripts/rename.pl
index c29519e..fb42809 100755
--- a/scripts/rename.pl
+++ b/scripts/rename.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
#
# This file is part of mbed TLS (https://tls.mbed.org)
#
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 16e19a9..52632f8 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -15,6 +15,11 @@
message(FATAL_ERROR "Cannot build test suites without Perl")
endif()
+# Enable definition of various functions used throughout the testsuite
+# (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless
+# on non-POSIX platforms.
+add_definitions("-D_POSIX_C_SOURCE=200809L")
+
function(add_test_suite suite_name)
if(ARGV1)
set(data_name ${ARGV1})
@@ -48,17 +53,23 @@
add_test_suite(aes aes.cbc)
add_test_suite(aes aes.cfb)
add_test_suite(aes aes.rest)
+add_test_suite(aes aes.xts)
add_test_suite(arc4)
+add_test_suite(aria)
add_test_suite(asn1write)
add_test_suite(base64)
add_test_suite(blowfish)
add_test_suite(camellia)
add_test_suite(ccm)
+add_test_suite(chacha20)
+add_test_suite(chachapoly)
add_test_suite(cipher cipher.aes)
add_test_suite(cipher cipher.arc4)
add_test_suite(cipher cipher.blowfish)
add_test_suite(cipher cipher.camellia)
add_test_suite(cipher cipher.ccm)
+add_test_suite(cipher cipher.chacha20)
+add_test_suite(cipher cipher.chachapoly)
add_test_suite(cipher cipher.des)
add_test_suite(cipher cipher.gcm)
add_test_suite(cipher cipher.null)
@@ -81,6 +92,7 @@
add_test_suite(gcm gcm.aes192_de)
add_test_suite(gcm gcm.aes256_de)
add_test_suite(gcm gcm.camellia)
+add_test_suite(hkdf)
add_test_suite(hmac_drbg hmac_drbg.misc)
add_test_suite(hmac_drbg hmac_drbg.no_reseed)
add_test_suite(hmac_drbg hmac_drbg.nopr)
@@ -89,6 +101,7 @@
add_test_suite(mdx)
add_test_suite(memory_buffer_alloc)
add_test_suite(mpi)
+add_test_suite(nist_kw)
add_test_suite(pem)
add_test_suite(pkcs1_v15)
add_test_suite(pkcs1_v21)
@@ -96,6 +109,7 @@
add_test_suite(pk)
add_test_suite(pkparse)
add_test_suite(pkwrite)
+add_test_suite(poly1305)
add_test_suite(shax)
add_test_suite(ssl)
add_test_suite(timing)
@@ -105,26 +119,11 @@
add_test_suite(x509parse)
add_test_suite(x509write)
-# Make data_files available in an out-of-source build
+# Make scripts and data files needed for testing available in an
+# out-of-source build.
if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
- # Get OS dependent path to use in `execute_process`
- file(TO_NATIVE_PATH "${CMAKE_CURRENT_BINARY_DIR}/data_files" link)
- file(TO_NATIVE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/data_files" target)
-
- if (NOT EXISTS ${link})
- if (CMAKE_HOST_UNIX)
- set(command ln -s ${target} ${link})
- else()
- set(command cmd.exe /c mklink /j ${link} ${target})
- endif()
-
- execute_process(COMMAND ${command}
- RESULT_VARIABLE result
- ERROR_VARIABLE output)
-
- if (NOT ${result} EQUAL 0)
- message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}")
- endif()
- endif()
+ link_to_source(compat.sh)
+ link_to_source(data_files)
+ link_to_source(scripts)
+ link_to_source(ssl-opt.sh)
endif()
-
diff --git a/tests/Makefile b/tests/Makefile
index d85617f..3632554 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -12,6 +12,11 @@
-lmbedx509$(SHARED_SUFFIX) \
-lmbedcrypto$(SHARED_SUFFIX)
+# Enable definition of various functions used throughout the testsuite
+# (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless
+# on non-POSIX platforms.
+LOCAL_CFLAGS += -D_POSIX_C_SOURCE=200809L
+
ifndef SHARED
DEP=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
else
@@ -46,13 +51,18 @@
endif
APPS = test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \
- test_suite_aes.cfb$(EXEXT) test_suite_aes.rest$(EXEXT) \
- test_suite_arc4$(EXEXT) test_suite_asn1write$(EXEXT) \
+ test_suite_aes.cfb$(EXEXT) test_suite_aes.ofb$(EXEXT) \
+ test_suite_aes.xts$(EXEXT) \
+ test_suite_aes.rest$(EXEXT) test_suite_arc4$(EXEXT) \
+ test_suite_aria$(EXEXT) test_suite_asn1write$(EXEXT) \
test_suite_base64$(EXEXT) test_suite_blowfish$(EXEXT) \
test_suite_camellia$(EXEXT) test_suite_ccm$(EXEXT) \
+ test_suite_chacha20$(EXEXT) test_suite_chachapoly$(EXEXT) \
test_suite_cmac$(EXEXT) \
+ test_suite_cipher.chachapoly$(EXEXT) \
test_suite_cipher.aes$(EXEXT) \
test_suite_cipher.arc4$(EXEXT) test_suite_cipher.ccm$(EXEXT) \
+ test_suite_cipher.chacha20$(EXEXT) \
test_suite_cipher.gcm$(EXEXT) \
test_suite_cipher.blowfish$(EXEXT) \
test_suite_cipher.camellia$(EXEXT) \
@@ -70,6 +80,7 @@
test_suite_gcm.aes192_en$(EXEXT) \
test_suite_gcm.aes256_en$(EXEXT) \
test_suite_gcm.camellia$(EXEXT) \
+ test_suite_hkdf$(EXEXT) \
test_suite_hmac_drbg.misc$(EXEXT) \
test_suite_hmac_drbg.no_reseed$(EXEXT) \
test_suite_hmac_drbg.nopr$(EXEXT) \
@@ -77,10 +88,12 @@
test_suite_md$(EXEXT) test_suite_mdx$(EXEXT) \
test_suite_memory_buffer_alloc$(EXEXT) \
test_suite_mpi$(EXEXT) \
+ test_suite_nist_kw$(EXEXT) \
test_suite_pem$(EXEXT) test_suite_pkcs1_v15$(EXEXT) \
test_suite_pkcs1_v21$(EXEXT) test_suite_pkcs5$(EXEXT) \
test_suite_pkparse$(EXEXT) test_suite_pkwrite$(EXEXT) \
test_suite_pk$(EXEXT) \
+ test_suite_poly1305$(EXEXT) \
test_suite_rsa$(EXEXT) test_suite_shax$(EXEXT) \
test_suite_ssl$(EXEXT) test_suite_timing$(EXEXT) \
test_suite_x509parse$(EXEXT) test_suite_x509write$(EXEXT) \
@@ -109,10 +122,18 @@
echo " Gen $@"
perl scripts/generate_code.pl suites test_suite_aes test_suite_aes.cfb
+test_suite_aes.ofb.c : suites/test_suite_aes.function suites/test_suite_aes.ofb.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
+ echo " Gen $@"
+ perl scripts/generate_code.pl suites test_suite_aes test_suite_aes.ofb
+
test_suite_aes.rest.c : suites/test_suite_aes.function suites/test_suite_aes.rest.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
echo " Gen $@"
perl scripts/generate_code.pl suites test_suite_aes test_suite_aes.rest
+test_suite_aes.xts.c : suites/test_suite_aes.function suites/test_suite_aes.xts.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
+ echo " Gen $@"
+ perl scripts/generate_code.pl suites test_suite_aes test_suite_aes.xts
+
test_suite_cipher.aes.c : suites/test_suite_cipher.function suites/test_suite_cipher.aes.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
echo " Gen $@"
perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.aes
@@ -125,6 +146,14 @@
echo " Gen $@"
perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.ccm
+test_suite_cipher.chacha20.c : suites/test_suite_cipher.function suites/test_suite_cipher.chacha20.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
+ echo " Gen $@"
+ perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.chacha20
+
+test_suite_cipher.chachapoly.c : suites/test_suite_cipher.function suites/test_suite_cipher.chachapoly.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
+ echo " Gen $@"
+ perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.chachapoly
+
test_suite_cipher.gcm.c : suites/test_suite_cipher.function suites/test_suite_cipher.gcm.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
echo " Gen $@"
perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.gcm
@@ -177,6 +206,10 @@
echo " Gen $@"
perl scripts/generate_code.pl suites test_suite_gcm test_suite_gcm.camellia
+test_suite_hkdf.c : suites/test_suite_hkdf.function suites/test_suite_hkdf.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
+ echo " Gen $@"
+ perl scripts/generate_code.pl suites test_suite_hkdf test_suite_hkdf
+
test_suite_hmac_drbg.misc.c : suites/test_suite_hmac_drbg.function suites/test_suite_hmac_drbg.misc.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
echo " Gen $@"
perl scripts/generate_code.pl suites test_suite_hmac_drbg test_suite_hmac_drbg.misc
@@ -209,10 +242,18 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test_suite_aes.ofb$(EXEXT): test_suite_aes.ofb.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test_suite_aes.rest$(EXEXT): test_suite_aes.rest.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test_suite_aes.xts$(EXEXT): test_suite_aes.xts.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test_suite_arc4$(EXEXT): test_suite_arc4.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@@ -237,6 +278,14 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test_suite_chacha20$(EXEXT): test_suite_chacha20.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
+test_suite_chachapoly$(EXEXT): test_suite_chachapoly.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test_suite_cmac$(EXEXT): test_suite_cmac.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@@ -253,6 +302,14 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test_suite_cipher.chacha20$(EXEXT): test_suite_cipher.chacha20.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
+test_suite_cipher.chachapoly$(EXEXT): test_suite_cipher.chachapoly.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test_suite_cipher.gcm$(EXEXT): test_suite_cipher.gcm.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@@ -341,6 +398,10 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test_suite_hkdf$(EXEXT): test_suite_hkdf.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test_suite_hmac_drbg.misc$(EXEXT): test_suite_hmac_drbg.misc.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@@ -373,6 +434,10 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test_suite_nist_kw$(EXEXT): test_suite_nist_kw.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test_suite_pem$(EXEXT): test_suite_pem.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@@ -401,6 +466,10 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test_suite_poly1305$(EXEXT): test_suite_poly1305.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
test_suite_rsa$(EXEXT): test_suite_rsa.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@@ -437,6 +506,10 @@
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+test_suite_aria$(EXEXT): test_suite_aria.c $(DEP)
+ echo " CC $<"
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
clean:
ifndef WINDOWS
rm -f $(APPS) *.c
diff --git a/tests/compat.sh b/tests/compat.sh
index a2b2d5b..bf65e5e 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -42,6 +42,9 @@
PEER_GNUTLS=""
else
PEER_GNUTLS=" GnuTLS"
+ if [ $MINOR -lt 4 ]; then
+ GNUTLS_MINOR_LT_FOUR='x'
+ fi
fi
fi
else
@@ -53,7 +56,13 @@
VERIFIES="NO YES"
TYPES="ECDSA RSA PSK"
FILTER=""
-EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR' # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
+# exclude:
+# - NULL: excluded from our default config
+# - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions
+# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
+# - ARIA: not in default config.h + requires OpenSSL >= 1.1.1
+# - ChachaPoly: requires OpenSSL >= 1.1.0
+EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
VERBOSE=""
MEMCHECK=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
@@ -226,6 +235,9 @@
G_CIPHERS=""
}
+# Ciphersuites that can be used with all peers.
+# Since we currently have three possible peers, each ciphersuite should appear
+# three times: in each peer's list (with the name that this peer uses).
add_common_ciphersuites()
{
case $TYPE in
@@ -422,6 +434,16 @@
esac
}
+# Ciphersuites usable only with Mbed TLS and OpenSSL
+# Each ciphersuite should appear two times, once with its OpenSSL name, once
+# with its Mbed TLS name.
+#
+# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
+# so RSA-PSK ciphersuites need to go in other sections, see
+# https://github.com/ARMmbed/mbedtls/issues/1419
+#
+# ChachaPoly suites are here rather than in "common", as they were added in
+# GnuTLS in 3.5.0 and the CI only has 3.4.x so far.
add_openssl_ciphersuites()
{
case $TYPE in
@@ -451,12 +473,18 @@
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \
+ TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \
+ TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \
+ TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
"
O_CIPHERS="$O_CIPHERS \
ECDH-ECDSA-AES128-SHA256 \
ECDH-ECDSA-AES256-SHA384 \
ECDH-ECDSA-AES128-GCM-SHA256 \
ECDH-ECDSA-AES256-GCM-SHA384 \
+ ECDHE-ECDSA-ARIA256-GCM-SHA384 \
+ ECDHE-ECDSA-ARIA128-GCM-SHA256 \
+ ECDHE-ECDSA-CHACHA20-POLY1305 \
"
fi
;;
@@ -470,13 +498,60 @@
DES-CBC-SHA \
EDH-RSA-DES-CBC-SHA \
"
+ if [ `minor_ver "$MODE"` -ge 3 ]
+ then
+ M_CIPHERS="$M_CIPHERS \
+ TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \
+ TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \
+ TLS-RSA-WITH-ARIA-256-GCM-SHA384 \
+ TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \
+ TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \
+ TLS-RSA-WITH-ARIA-128-GCM-SHA256 \
+ TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
+ TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
+ "
+ O_CIPHERS="$O_CIPHERS \
+ ECDHE-ARIA256-GCM-SHA384 \
+ DHE-RSA-ARIA256-GCM-SHA384 \
+ ARIA256-GCM-SHA384 \
+ ECDHE-ARIA128-GCM-SHA256 \
+ DHE-RSA-ARIA128-GCM-SHA256 \
+ ARIA128-GCM-SHA256 \
+ DHE-RSA-CHACHA20-POLY1305 \
+ ECDHE-RSA-CHACHA20-POLY1305 \
+ "
+ fi
;;
"PSK")
+ if [ `minor_ver "$MODE"` -ge 3 ]
+ then
+ M_CIPHERS="$M_CIPHERS \
+ TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \
+ TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \
+ TLS-PSK-WITH-ARIA-256-GCM-SHA384 \
+ TLS-PSK-WITH-ARIA-128-GCM-SHA256 \
+ TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \
+ TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
+ TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
+ "
+ O_CIPHERS="$O_CIPHERS \
+ DHE-PSK-ARIA256-GCM-SHA384 \
+ DHE-PSK-ARIA128-GCM-SHA256 \
+ PSK-ARIA256-GCM-SHA384 \
+ PSK-ARIA128-GCM-SHA256 \
+ DHE-PSK-CHACHA20-POLY1305 \
+ ECDHE-PSK-CHACHA20-POLY1305 \
+ PSK-CHACHA20-POLY1305 \
+ "
+ fi
;;
esac
}
+# Ciphersuites usable only with Mbed TLS and GnuTLS
+# Each ciphersuite should appear two times, once with its GnuTLS name, once
+# with its Mbed TLS name.
add_gnutls_ciphersuites()
{
case $TYPE in
@@ -489,12 +564,20 @@
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
+ TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
+ TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
+ TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
+ TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256 \
+ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384 \
+ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD \
+ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD \
+ +ECDHE-ECDSA:+AES-128-CCM:+AEAD \
+ +ECDHE-ECDSA:+AES-256-CCM:+AEAD \
+ +ECDHE-ECDSA:+AES-128-CCM-8:+AEAD \
+ +ECDHE-ECDSA:+AES-256-CCM-8:+AEAD \
"
fi
;;
@@ -524,6 +607,14 @@
TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
+ TLS-RSA-WITH-AES-128-CCM \
+ TLS-RSA-WITH-AES-256-CCM \
+ TLS-DHE-RSA-WITH-AES-128-CCM \
+ TLS-DHE-RSA-WITH-AES-256-CCM \
+ TLS-RSA-WITH-AES-128-CCM-8 \
+ TLS-RSA-WITH-AES-256-CCM-8 \
+ TLS-DHE-RSA-WITH-AES-128-CCM-8 \
+ TLS-DHE-RSA-WITH-AES-256-CCM-8 \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256 \
@@ -538,6 +629,14 @@
+DHE-RSA:+CAMELLIA-256-GCM:+AEAD \
+RSA:+CAMELLIA-128-GCM:+AEAD \
+RSA:+CAMELLIA-256-GCM:+AEAD \
+ +RSA:+AES-128-CCM:+AEAD \
+ +RSA:+AES-256-CCM:+AEAD \
+ +RSA:+AES-128-CCM-8:+AEAD \
+ +RSA:+AES-256-CCM-8:+AEAD \
+ +DHE-RSA:+AES-128-CCM:+AEAD \
+ +DHE-RSA:+AES-256-CCM:+AEAD \
+ +DHE-RSA:+AES-128-CCM-8:+AEAD \
+ +DHE-RSA:+AES-256-CCM-8:+AEAD \
"
fi
;;
@@ -609,6 +708,14 @@
TLS-PSK-WITH-AES-256-GCM-SHA384 \
TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \
TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \
+ TLS-PSK-WITH-AES-128-CCM \
+ TLS-PSK-WITH-AES-256-CCM \
+ TLS-DHE-PSK-WITH-AES-128-CCM \
+ TLS-DHE-PSK-WITH-AES-256-CCM \
+ TLS-PSK-WITH-AES-128-CCM-8 \
+ TLS-PSK-WITH-AES-256-CCM-8 \
+ TLS-DHE-PSK-WITH-AES-128-CCM-8 \
+ TLS-DHE-PSK-WITH-AES-256-CCM-8 \
TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
@@ -639,6 +746,14 @@
+PSK:+AES-256-GCM:+AEAD \
+DHE-PSK:+AES-128-GCM:+AEAD \
+DHE-PSK:+AES-256-GCM:+AEAD \
+ +PSK:+AES-128-CCM:+AEAD \
+ +PSK:+AES-256-CCM:+AEAD \
+ +DHE-PSK:+AES-128-CCM:+AEAD \
+ +DHE-PSK:+AES-256-CCM:+AEAD \
+ +PSK:+AES-128-CCM-8:+AEAD \
+ +PSK:+AES-256-CCM-8:+AEAD \
+ +DHE-PSK:+AES-128-CCM-8:+AEAD \
+ +DHE-PSK:+AES-256-CCM-8:+AEAD \
+RSA-PSK:+CAMELLIA-128-GCM:+AEAD \
+RSA-PSK:+CAMELLIA-256-GCM:+AEAD \
+PSK:+CAMELLIA-128-GCM:+AEAD \
@@ -661,6 +776,9 @@
esac
}
+# Ciphersuites usable only with Mbed TLS (not currently supported by another
+# peer usable in this script). This provide only very rudimentaty testing, as
+# this is not interop testing, but it's better than nothing.
add_mbedtls_ciphersuites()
{
case $TYPE in
@@ -678,26 +796,26 @@
M_CIPHERS="$M_CIPHERS \
TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
- TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
- TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
- TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
- TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
+ TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \
+ TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \
+ TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \
+ TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 \
+ TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 \
+ TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 \
"
fi
;;
"RSA")
- if [ "$MODE" = "tls1_2" ];
+ if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
- TLS-RSA-WITH-AES-128-CCM \
- TLS-RSA-WITH-AES-256-CCM \
- TLS-DHE-RSA-WITH-AES-128-CCM \
- TLS-DHE-RSA-WITH-AES-256-CCM \
- TLS-RSA-WITH-AES-128-CCM-8 \
- TLS-RSA-WITH-AES-256-CCM-8 \
- TLS-DHE-RSA-WITH-AES-128-CCM-8 \
- TLS-DHE-RSA-WITH-AES-256-CCM-8 \
+ TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \
+ TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \
+ TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \
+ TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \
+ TLS-RSA-WITH-ARIA-256-CBC-SHA384 \
+ TLS-RSA-WITH-ARIA-128-CBC-SHA256 \
"
fi
;;
@@ -715,17 +833,20 @@
TLS-RSA-PSK-WITH-NULL-SHA \
"
fi
- if [ "$MODE" = "tls1_2" ];
+ if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
- TLS-PSK-WITH-AES-128-CCM \
- TLS-PSK-WITH-AES-256-CCM \
- TLS-DHE-PSK-WITH-AES-128-CCM \
- TLS-DHE-PSK-WITH-AES-256-CCM \
- TLS-PSK-WITH-AES-128-CCM-8 \
- TLS-PSK-WITH-AES-256-CCM-8 \
- TLS-DHE-PSK-WITH-AES-128-CCM-8 \
- TLS-DHE-PSK-WITH-AES-256-CCM-8 \
+ TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \
+ TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \
+ TLS-PSK-WITH-ARIA-256-CBC-SHA384 \
+ TLS-PSK-WITH-ARIA-128-CBC-SHA256 \
+ TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \
+ TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \
+ TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384 \
+ TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \
+ TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \
+ TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \
+ TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \
"
fi
;;
@@ -761,10 +882,17 @@
exit 1;
esac
+ # GnuTLS < 3.4 will choke if we try to allow CCM-8
+ if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then
+ G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:"
+ else
+ G_PRIO_CCM=""
+ fi
+
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem"
G_SERVER_ARGS="-p $PORT --http $G_MODE"
- G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
+ G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
# with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
if is_dtls "$MODE"; then
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 6eb2502..d7d5a8c 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -35,6 +35,7 @@
# * GNU Make
# * CMake
# * GCC and Clang (recent enough for using ASan with gcc and MemSan with clang, or valgrind)
+# * G++
# * arm-gcc and mingw-gcc
# * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
# * Yotta build dependencies, unless invoked with --no-yotta
@@ -100,6 +101,7 @@
# Default commands, can be overriden by the environment
: ${OPENSSL:="openssl"}
: ${OPENSSL_LEGACY:="$OPENSSL"}
+: ${OPENSSL_NEXT:="$OPENSSL"}
: ${GNUTLS_CLI:="gnutls-cli"}
: ${GNUTLS_SERV:="gnutls-serv"}
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
@@ -144,15 +146,26 @@
--gnutls-legacy-serv=<GnuTLS_serv_path> GnuTLS server executable to use for legacy tests.
--openssl=<OpenSSL_path> OpenSSL executable to use for most tests.
--openssl-legacy=<OpenSSL_path> OpenSSL executable to use for legacy tests e.g. SSLv3.
+ --openssl-next=<OpenSSL_path> OpenSSL executable to use for recent things like ARIA
EOF
}
# remove built files as well as the cmake cache/config
cleanup()
{
+ if [ -n "${MBEDTLS_ROOT_DIR+set}" ]; then
+ cd "$MBEDTLS_ROOT_DIR"
+ fi
+
command make clean
- find . -name yotta -prune -o -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} \+
+ # Remove CMake artefacts
+ find . -name .git -prune -o -name yotta -prune -o \
+ -iname CMakeFiles -exec rm -rf {} \+ -o \
+ \( -iname cmake_install.cmake -o \
+ -iname CTestTestfile.cmake -o \
+ -iname CMakeCache.txt \) -exec rm {} \+
+ # Recover files overwritten by in-tree CMake builds
rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile
git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile
git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile
@@ -208,13 +221,21 @@
check_tools()
{
for TOOL in "$@"; do
- if ! `hash "$TOOL" >/dev/null 2>&1`; then
+ if ! `type "$TOOL" >/dev/null 2>&1`; then
err_msg "$TOOL not found!"
exit 1
fi
done
}
+check_headers_in_cpp () {
+ ls include/mbedtls >headers.txt
+ <programs/test/cpp_dummy_build.cpp sed -n 's/"$//; s!^#include "mbedtls/!!p' |
+ sort |
+ diff headers.txt -
+ rm headers.txt
+}
+
while [ $# -gt 0 ]; do
case "$1" in
--armcc) RUN_ARMCC=1;;
@@ -235,6 +256,7 @@
--no-yotta) YOTTA=0;;
--openssl) shift; OPENSSL="$1";;
--openssl-legacy) shift; OPENSSL_LEGACY="$1";;
+ --openssl-next) shift; OPENSSL_NEXT="$1";;
--out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";;
--random-seed) unset SEED;;
--release-test|-r) SEED=1;;
@@ -326,6 +348,7 @@
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo "${start_red}FAILED: $failure_count${end_color}$failure_summary"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+ exit 1
elif [ -z "${1-}" ]; then
echo "SUCCESS :)"
fi
@@ -344,12 +367,19 @@
fi
}
+# to be used instead of ! for commands run with
+# record_status or if_build_succeeded
+not() {
+ ! "$@"
+}
+
msg "info: $0 configuration"
echo "MEMORY: $MEMORY"
echo "FORCE: $FORCE"
echo "SEED: ${SEED-"UNSET"}"
echo "OPENSSL: $OPENSSL"
echo "OPENSSL_LEGACY: $OPENSSL_LEGACY"
+echo "OPENSSL_NEXT: $OPENSSL_NEXT"
echo "GNUTLS_CLI: $GNUTLS_CLI"
echo "GNUTLS_SERV: $GNUTLS_SERV"
echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
@@ -374,7 +404,8 @@
fi
# Make sure the tools we need are available.
-check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$GNUTLS_CLI" "$GNUTLS_SERV" \
+check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \
+ "$GNUTLS_CLI" "$GNUTLS_SERV" \
"$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV" "doxygen" "dot" \
"arm-none-eabi-gcc" "i686-w64-mingw32-gcc" "gdb"
if [ $RUN_ARMCC -ne 0 ]; then
@@ -505,6 +536,28 @@
msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
tests/compat.sh -t RSA
+msg "build: small SSL_OUT_CONTENT_LEN (ASan build)"
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384
+scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
+CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+make
+
+msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests"
+if_build_succeeded tests/ssl-opt.sh -f "Max fragment\|Large packet"
+
+msg "build: small SSL_IN_CONTENT_LEN (ASan build)"
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 4096
+scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 16384
+CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+make
+
+msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests"
+if_build_succeeded tests/ssl-opt.sh -f "Max fragment"
+
msg "build: cmake, full config, clang" # ~ 50s
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"
@@ -516,12 +569,33 @@
msg "test: main suites (full config)" # ~ 5s
make test
-msg "test: ssl-opt.sh default (full config)" # ~ 1s
-if_build_succeeded tests/ssl-opt.sh -f Default
+msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
+if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min
if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
+msg "test: compat.sh ARIA + ChachaPoly"
+if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
+
+msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl full
+scripts/config.pl set MBEDTLS_DEPRECATED_WARNING
+# Build with -O -Wextra to catch a maximum of issues.
+make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' lib programs
+make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
+
+msg "build: make, full config + DEPRECATED_REMOVED, clang -O" # ~ 30s
+# No cleanup, just tweak the configuration and rebuild
+make clean
+scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
+scripts/config.pl set MBEDTLS_DEPRECATED_REMOVED
+# Build with -O -Wextra to catch a maximum of issues.
+make CC=clang CFLAGS='-O -Werror -Wall -Wextra' lib programs
+make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
+
msg "test/build: curves.pl (gcc)" # ~ 4 min
cleanup
record_status tests/scripts/curves.pl
@@ -542,6 +616,12 @@
cleanup
make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os'
+msg "test: verify header list in cpp_dummy_build.cpp"
+record_status check_headers_in_cpp
+
+msg "build: Unix make, incremental g++"
+make TEST_CPP=1
+
# Full configuration build, without platform support, file IO and net sockets.
# This should catch missing mbedtls_printf definitions, and by disabling file
# IO, it should catch missing '#include <stdio.h>'
@@ -598,6 +678,7 @@
scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' lib
+# Run max fragment length tests with MFL disabled
msg "build: default config except MFL extension (ASan build)" # ~ 30s
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"
@@ -608,6 +689,18 @@
msg "test: ssl-opt.sh, MFL-related tests"
if_build_succeeded tests/ssl-opt.sh -f "Max fragment length"
+msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)"
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384
+scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
+CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+make
+
+msg "test: MFL tests (disabled MFL extension case) & large packet tests"
+if_build_succeeded tests/ssl-opt.sh -f "Max fragment length\|Large buffer"
+
msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"
@@ -658,15 +751,30 @@
fi
if uname -a | grep -F x86_64 >/dev/null; then
- msg "build: i386, make, gcc" # ~ 30s
+ # Build once with -O0, to compile out the i386 specific inline assembly
+ msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s
cleanup
- make CC=gcc CFLAGS='-Werror -Wall -Wextra -m32'
+ cp "$CONFIG_H" "$CONFIG_BAK"
+ scripts/config.pl full
+ make CC=gcc CFLAGS='-O0 -Werror -Wall -Wextra -m32 -fsanitize=address'
- msg "test: i386, make, gcc"
+ msg "test: i386, make, gcc -O0 (ASan build)"
+ make test
+
+ # Build again with -O1, to compile in the i386 specific inline assembly
+ msg "build: i386, make, gcc -O1 (ASan build)" # ~ 30s
+ cleanup
+ cp "$CONFIG_H" "$CONFIG_BAK"
+ scripts/config.pl full
+ make CC=gcc CFLAGS='-O1 -Werror -Wall -Wextra -m32 -fsanitize=address'
+
+ msg "test: i386, make, gcc -O1 (ASan build)"
make test
msg "build: 64-bit ILP32, make, gcc" # ~ 30s
cleanup
+ cp "$CONFIG_H" "$CONFIG_BAK"
+ scripts/config.pl full
make CC=gcc CFLAGS='-Werror -Wall -Wextra -mx32'
msg "test: 64-bit ILP32, make, gcc"
@@ -695,6 +803,31 @@
msg "test: gcc, force 64-bit bignum limbs"
make test
+
+msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl full
+scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION
+make CFLAGS='-Werror -O1'
+
+msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
+make test
+
+
+msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl full
+scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+scripts/config.pl set MBEDTLS_NO_64BIT_MULTIPLICATION
+make CFLAGS='-Werror -O1'
+
+msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
+make test
+
+
msg "build: arm-none-eabi-gcc, make" # ~ 10s
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"
@@ -730,7 +863,27 @@
scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION
make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
echo "Checking that software 64-bit division is not required"
-! grep __aeabi_uldiv library/*.o
+if_build_succeeded not grep __aeabi_uldiv library/*.o
+
+msg "build: arm-none-eabi-gcc MBEDTLS_NO_64BIT_MULTIPLICATION, make" # ~ 10s
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl full
+scripts/config.pl unset MBEDTLS_NET_C
+scripts/config.pl unset MBEDTLS_TIMING_C
+scripts/config.pl unset MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
+# following things are not in the default config
+scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
+scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
+scripts/config.pl unset MBEDTLS_THREADING_C
+scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
+scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+scripts/config.pl set MBEDTLS_NO_64BIT_MULTIPLICATION
+make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -O1 -march=armv6-m -mthumb' lib
+echo "Checking that software 64-bit multiplication is not required"
+if_build_succeeded not grep __aeabi_lmul library/*.o
msg "build: ARM Compiler 5, make"
cleanup
@@ -863,15 +1016,37 @@
msg "test: cmake 'out-of-source' build"
make test
+# Test an SSL option that requires an auxiliary script in test/scripts/.
+# Also ensure that there are no error messages such as
+# "No such file or directory", which would indicate that some required
+# file is missing (ssl-opt.sh tolerates the absence of some files so
+# may exit with status 0 but emit errors).
+if_build_succeeded ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' 2>ssl-opt.err
+if [ -s ssl-opt.err ]; then
+ cat ssl-opt.err >&2
+ record_status [ ! -s ssl-opt.err ]
+ rm ssl-opt.err
+fi
cd "$MBEDTLS_ROOT_DIR"
rm -rf "$OUT_OF_SOURCE_DIR"
+unset MBEDTLS_ROOT_DIR
+# Test that the function mbedtls_platform_zeroize() is not optimized away by
+# different combinations of compilers and optimization flags by using an
+# auxiliary GDB script. Unfortunately, GDB does not return error values to the
+# system in all cases that the script fails, so we must manually search the
+# output to check whether the pass string is present and no failure strings
+# were printed.
for optimization_flag in -O2 -O3 -Ofast -Os; do
for compiler in clang gcc; do
msg "test: $compiler $optimization_flag, mbedtls_platform_zeroize()"
cleanup
- CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag" make programs
- gdb -x tests/scripts/test_zeroize.gdb -nw -batch -nx
+ make programs CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag"
+ if_build_succeeded gdb -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log
+ if_build_succeeded [ -s test_zeroize.log ]
+ if_build_succeeded grep "The buffer was correctly zeroized" test_zeroize.log
+ if_build_succeeded not grep -i "error" test_zeroize.log
+ rm -f test_zeroize.log
done
done
diff --git a/tests/scripts/check-doxy-blocks.pl b/tests/scripts/check-doxy-blocks.pl
index b0fd696..4967699 100755
--- a/tests/scripts/check-doxy-blocks.pl
+++ b/tests/scripts/check-doxy-blocks.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# Detect comment blocks that are likely meant to be doxygen blocks but aren't.
#
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index 0400bc7..4976bac 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -1,6 +1,12 @@
-#!/bin/sh
+#! /usr/bin/env sh
-# check if generated files are up-to-date
+# This file is part of mbed TLS (https://tls.mbed.org)
+#
+# Copyright (c) 2018, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# Check if generated files are up-to-date.
set -eu
@@ -11,14 +17,53 @@
check()
{
- FILE=$1
- SCRIPT=$2
+ SCRIPT=$1
+ TO_CHECK=$2
+ PATTERN=""
+ FILES=""
- cp $FILE $FILE.bak
+ if [ -d $TO_CHECK ]; then
+ for FILE in $TO_CHECK/*; do
+ FILES="$FILE $FILES"
+ done
+ else
+ FILES=$TO_CHECK
+ fi
+
+ for FILE in $FILES; do
+ cp $FILE $FILE.bak
+ done
+
$SCRIPT
- diff $FILE $FILE.bak
- mv $FILE.bak $FILE
+
+ # Compare the script output to the old files and remove backups
+ for FILE in $FILES; do
+ if ! diff $FILE $FILE.bak >/dev/null 2>&1; then
+ echo "'$FILE' was either modified or deleted by '$SCRIPT'"
+ exit 1
+ fi
+ mv $FILE.bak $FILE
+
+ if [ -d $TO_CHECK ]; then
+ # Create a grep regular expression that we can check against the
+ # directory contents to test whether new files have been created
+ if [ -z $PATTERN ]; then
+ PATTERN="$(basename $FILE)"
+ else
+ PATTERN="$PATTERN\|$(basename $FILE)"
+ fi
+ fi
+ done
+
+ if [ -d $TO_CHECK ]; then
+ # Check if there are any new files
+ if ls -1 $TO_CHECK | grep -v "$PATTERN" >/dev/null 2>&1; then
+ echo "Files were created by '$SCRIPT'"
+ exit 1
+ fi
+ fi
}
-check library/error.c scripts/generate_errors.pl
-check library/version_features.c scripts/generate_features.pl
+check scripts/generate_errors.pl library/error.c
+check scripts/generate_features.pl library/version_features.c
+check scripts/generate_visualc_files.pl visualc/VS2010
diff --git a/tests/scripts/curves.pl b/tests/scripts/curves.pl
index 0041814..ddc90c5 100755
--- a/tests/scripts/curves.pl
+++ b/tests/scripts/curves.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# curves.pl
#
diff --git a/tests/scripts/depends-hashes.pl b/tests/scripts/depends-hashes.pl
index 29dcfb0..f57e7ed 100755
--- a/tests/scripts/depends-hashes.pl
+++ b/tests/scripts/depends-hashes.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# depends-hashes.pl
#
diff --git a/tests/scripts/depends-pkalgs.pl b/tests/scripts/depends-pkalgs.pl
index 14c92b2..97a43e8 100755
--- a/tests/scripts/depends-pkalgs.pl
+++ b/tests/scripts/depends-pkalgs.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# depends-pkalgs.pl
#
diff --git a/tests/scripts/gen_ctr_drbg.pl b/tests/scripts/gen_ctr_drbg.pl
index ee13024..3c074be 100755
--- a/tests/scripts/gen_ctr_drbg.pl
+++ b/tests/scripts/gen_ctr_drbg.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
#
# Based on NIST CTR_DRBG.rsp validation file
# Only uses AES-256-CTR cases that use a Derivation function
diff --git a/tests/scripts/gen_gcm_decrypt.pl b/tests/scripts/gen_gcm_decrypt.pl
index 6decac2..03809cb 100755
--- a/tests/scripts/gen_gcm_decrypt.pl
+++ b/tests/scripts/gen_gcm_decrypt.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
#
# Based on NIST gcmDecryptxxx.rsp validation files
# Only first 3 of every set used for compile time saving
diff --git a/tests/scripts/gen_gcm_encrypt.pl b/tests/scripts/gen_gcm_encrypt.pl
index 8adbbce..29ec677 100755
--- a/tests/scripts/gen_gcm_encrypt.pl
+++ b/tests/scripts/gen_gcm_encrypt.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
#
# Based on NIST gcmEncryptIntIVxxx.rsp validation files
# Only first 3 of every set used for compile time saving
diff --git a/tests/scripts/gen_pkcs1_v21_sign_verify.pl b/tests/scripts/gen_pkcs1_v21_sign_verify.pl
index 678e2f9..110cb4b 100755
--- a/tests/scripts/gen_pkcs1_v21_sign_verify.pl
+++ b/tests/scripts/gen_pkcs1_v21_sign_verify.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
#
use strict;
diff --git a/tests/scripts/key-exchanges.pl b/tests/scripts/key-exchanges.pl
index d167c67..3bf7ae3 100755
--- a/tests/scripts/key-exchanges.pl
+++ b/tests/scripts/key-exchanges.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# key-exchanges.pl
#
diff --git a/tests/scripts/list-enum-consts.pl b/tests/scripts/list-enum-consts.pl
index 633e3fd..21c25b3 100755
--- a/tests/scripts/list-enum-consts.pl
+++ b/tests/scripts/list-enum-consts.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
use warnings;
use strict;
diff --git a/tests/scripts/recursion.pl b/tests/scripts/recursion.pl
index 3ad42b1..431e592 100755
--- a/tests/scripts/recursion.pl
+++ b/tests/scripts/recursion.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# Find functions making recursive calls to themselves.
# (Multiple recursion where a() calls b() which calls a() not covered.)
diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl
index 7e2974b..6279358 100755
--- a/tests/scripts/run-test-suites.pl
+++ b/tests/scripts/run-test-suites.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# run-test-suites.pl
#
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index b07329c..80d5f38 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# test-ref-configs.pl
#
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index c4a10a2..a1c7d04 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -21,6 +21,11 @@
set -u
+if cd $( dirname $0 ); then :; else
+ echo "cd $( dirname $0 ) failed" >&2
+ exit 1
+fi
+
# default values, can be overriden by the environment
: ${P_SRV:=../programs/ssl/ssl_server2}
: ${P_CLI:=../programs/ssl/ssl_client2}
@@ -178,6 +183,25 @@
fi
}
+# Calculate the input & output maximum content lengths set in the config
+MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
+MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
+MAX_OUT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
+
+if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
+ MAX_CONTENT_LEN="$MAX_IN_LEN"
+fi
+if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
+ MAX_CONTENT_LEN="$MAX_OUT_LEN"
+fi
+
+# skip the next test if the SSL output buffer is less than 16KB
+requires_full_size_output_buffer() {
+ if [ "$MAX_OUT_LEN" -ne 16384 ]; then
+ SKIP_NEXT="YES"
+ fi
+}
+
# skip the next test if valgrind is in use
not_with_valgrind() {
if [ "$MEMCHECK" -gt 0 ]; then
@@ -308,7 +332,7 @@
done
}
else
- echo "Warning: lsof not available, wait_server_start = sleep $START_DELAY"
+ echo "Warning: lsof not available, wait_server_start = sleep"
wait_server_start() {
sleep "$START_DELAY"
}
@@ -626,11 +650,6 @@
# MAIN
#
-if cd $( dirname $0 ); then :; else
- echo "cd $( dirname $0 ) failed" >&2
- exit 1
-fi
-
get_options "$@"
# sanity checks, avoid an avalanche of errors
@@ -723,7 +742,7 @@
"$P_CLI" \
0 \
-s "Protocol is TLSv1.2" \
- -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
+ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
-s "client hello v3, signature_algorithm ext: 6" \
-s "ECDHE curve: secp521r1" \
-S "error" \
@@ -734,20 +753,14 @@
"$P_CLI dtls=1" \
0 \
-s "Protocol is DTLSv1.2" \
- -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
+ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
# Test current time in ServerHello
requires_config_enabled MBEDTLS_HAVE_TIME
-run_test "Default, ServerHello contains gmt_unix_time" \
+run_test "ServerHello contains gmt_unix_time" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3" \
0 \
- -s "Protocol is TLSv1.2" \
- -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
- -s "client hello v3, signature_algorithm ext: 6" \
- -s "ECDHE curve: secp521r1" \
- -S "error" \
- -C "error" \
-f "check_server_hello_time" \
-F "check_server_hello_time"
@@ -1157,6 +1170,38 @@
-s "received FALLBACK_SCSV" \
-S "inapropriate fallback"
+# Test sending and receiving empty application data records
+
+run_test "Encrypt then MAC: empty application data record" \
+ "$P_SRV auth_mode=none debug_level=4 etm=1" \
+ "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
+ 0 \
+ -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
+ -s "dumping 'input payload after decrypt' (0 bytes)" \
+ -c "0 bytes written in 1 fragments"
+
+run_test "Default, no Encrypt then MAC: empty application data record" \
+ "$P_SRV auth_mode=none debug_level=4 etm=0" \
+ "$P_CLI auth_mode=none etm=0 request_size=0" \
+ 0 \
+ -s "dumping 'input payload after decrypt' (0 bytes)" \
+ -c "0 bytes written in 1 fragments"
+
+run_test "Encrypt then MAC, DTLS: empty application data record" \
+ "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
+ "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
+ 0 \
+ -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
+ -s "dumping 'input payload after decrypt' (0 bytes)" \
+ -c "0 bytes written in 1 fragments"
+
+run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
+ "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
+ "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
+ 0 \
+ -s "dumping 'input payload after decrypt' (0 bytes)" \
+ -c "0 bytes written in 1 fragments"
+
## ClientHello generated with
## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
## then manually twiddling the ciphersuite list.
@@ -1416,28 +1461,22 @@
# Tests for Max Fragment Length extension
-MAX_CONTENT_LEN_EXPECT='16384'
-MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
-
-if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
- printf "The ${CONFIG_H} file contains a value for the configuration of\n"
- printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
- printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
- printf "\n"
- printf "The tests assume this value and if it changes, the tests in this\n"
- printf "script should also be adjusted.\n"
- printf "\n"
-
+if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then
+ printf "${CONFIG_H} defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n"
exit 1
fi
+if [ $MAX_CONTENT_LEN -ne 16384 ]; then
+ printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
+fi
+
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: enabled, default" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3" \
0 \
- -c "Maximum fragment length is 16384" \
- -s "Maximum fragment length is 16384" \
+ -c "Maximum fragment length is $MAX_CONTENT_LEN" \
+ -s "Maximum fragment length is $MAX_CONTENT_LEN" \
-C "client hello, adding max_fragment_length extension" \
-S "found max fragment length extension" \
-S "server hello, max_fragment_length extension" \
@@ -1446,46 +1485,50 @@
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: enabled, default, larger message" \
"$P_SRV debug_level=3" \
- "$P_CLI debug_level=3 request_size=16385" \
+ "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
0 \
- -c "Maximum fragment length is 16384" \
- -s "Maximum fragment length is 16384" \
+ -c "Maximum fragment length is $MAX_CONTENT_LEN" \
+ -s "Maximum fragment length is $MAX_CONTENT_LEN" \
-C "client hello, adding max_fragment_length extension" \
-S "found max fragment length extension" \
-S "server hello, max_fragment_length extension" \
-C "found max_fragment_length extension" \
- -c "16385 bytes written in 2 fragments" \
- -s "16384 bytes read" \
+ -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
+ -s "$MAX_CONTENT_LEN bytes read" \
-s "1 bytes read"
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length, DTLS: enabled, default, larger message" \
"$P_SRV debug_level=3 dtls=1" \
- "$P_CLI debug_level=3 dtls=1 request_size=16385" \
+ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
1 \
- -c "Maximum fragment length is 16384" \
- -s "Maximum fragment length is 16384" \
+ -c "Maximum fragment length is $MAX_CONTENT_LEN" \
+ -s "Maximum fragment length is $MAX_CONTENT_LEN" \
-C "client hello, adding max_fragment_length extension" \
-S "found max fragment length extension" \
-S "server hello, max_fragment_length extension" \
-C "found max_fragment_length extension" \
-c "fragment larger than.*maximum "
+# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
+# (session fragment length will be 16384 regardless of mbedtls
+# content length configuration.)
+
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: disabled, larger message" \
"$P_SRV debug_level=3" \
- "$P_CLI debug_level=3 request_size=16385" \
+ "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
0 \
-C "Maximum fragment length is 16384" \
-S "Maximum fragment length is 16384" \
- -c "16385 bytes written in 2 fragments" \
- -s "16384 bytes read" \
+ -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
+ -s "$MAX_CONTENT_LEN bytes read" \
-s "1 bytes read"
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length DTLS: disabled, larger message" \
"$P_SRV debug_level=3 dtls=1" \
- "$P_CLI debug_level=3 dtls=1 request_size=16385" \
+ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
1 \
-C "Maximum fragment length is 16384" \
-S "Maximum fragment length is 16384" \
@@ -1508,7 +1551,7 @@
"$P_SRV debug_level=3 max_frag_len=4096" \
"$P_CLI debug_level=3" \
0 \
- -c "Maximum fragment length is 16384" \
+ -c "Maximum fragment length is $MAX_CONTENT_LEN" \
-s "Maximum fragment length is 4096" \
-C "client hello, adding max_fragment_length extension" \
-S "found max fragment length extension" \
@@ -2376,6 +2419,7 @@
exit 1
fi
+requires_full_size_output_buffer
run_test "Authentication: server max_int chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
key_file=data_files/dir-maxpath/09.key" \
@@ -2383,6 +2427,7 @@
0 \
-C "X509 - A fatal error occured"
+requires_full_size_output_buffer
run_test "Authentication: server max_int+1 chain, client default" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@@ -2390,6 +2435,7 @@
1 \
-c "X509 - A fatal error occured"
+requires_full_size_output_buffer
run_test "Authentication: server max_int+1 chain, client optional" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@@ -2398,6 +2444,7 @@
1 \
-c "X509 - A fatal error occured"
+requires_full_size_output_buffer
run_test "Authentication: server max_int+1 chain, client none" \
"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
key_file=data_files/dir-maxpath/10.key" \
@@ -2406,6 +2453,7 @@
0 \
-C "X509 - A fatal error occured"
+requires_full_size_output_buffer
run_test "Authentication: client max_int+1 chain, server default" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -2413,6 +2461,7 @@
0 \
-S "X509 - A fatal error occured"
+requires_full_size_output_buffer
run_test "Authentication: client max_int+1 chain, server optional" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -2420,6 +2469,7 @@
1 \
-s "X509 - A fatal error occured"
+requires_full_size_output_buffer
run_test "Authentication: client max_int+1 chain, server required" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -2427,6 +2477,7 @@
1 \
-s "X509 - A fatal error occured"
+requires_full_size_output_buffer
run_test "Authentication: client max_int chain, server required" \
"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
"$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
@@ -2652,6 +2703,142 @@
-S "! The certificate is not correctly signed by the trusted CA" \
-s "The certificate has been revoked (is on a CRL)"
+# Tests for SNI and DTLS
+
+run_test "SNI: DTLS, no SNI callback" \
+ "$P_SRV debug_level=3 dtls=1 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key" \
+ "$P_CLI server_name=localhost dtls=1" \
+ 0 \
+ -S "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
+
+run_test "SNI: DTLS, matching cert 1" \
+ "$P_SRV debug_level=3 dtls=1 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ "$P_CLI server_name=localhost dtls=1" \
+ 0 \
+ -s "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
+
+run_test "SNI: DTLS, matching cert 2" \
+ "$P_SRV debug_level=3 dtls=1 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ "$P_CLI server_name=polarssl.example dtls=1" \
+ 0 \
+ -s "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
+
+run_test "SNI: DTLS, no matching cert" \
+ "$P_SRV debug_level=3 dtls=1 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ "$P_CLI server_name=nonesuch.example dtls=1" \
+ 1 \
+ -s "parse ServerName extension" \
+ -s "ssl_sni_wrapper() returned" \
+ -s "mbedtls_ssl_handshake returned" \
+ -c "mbedtls_ssl_handshake returned" \
+ -c "SSL - A fatal alert message was received from our peer"
+
+run_test "SNI: DTLS, client auth no override: optional" \
+ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
+ "$P_CLI debug_level=3 server_name=localhost dtls=1" \
+ 0 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify"
+
+run_test "SNI: DTLS, client auth override: none -> optional" \
+ "$P_SRV debug_level=3 auth_mode=none dtls=1 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
+ "$P_CLI debug_level=3 server_name=localhost dtls=1" \
+ 0 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify"
+
+run_test "SNI: DTLS, client auth override: optional -> none" \
+ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
+ "$P_CLI debug_level=3 server_name=localhost dtls=1" \
+ 0 \
+ -s "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got no certificate request" \
+ -c "skip write certificate" \
+ -c "skip write certificate verify" \
+ -s "skip parse certificate verify"
+
+run_test "SNI: DTLS, CA no override" \
+ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ ca_file=data_files/test-ca.crt \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
+ "$P_CLI debug_level=3 server_name=localhost dtls=1 \
+ crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ 1 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify" \
+ -s "x509_verify_cert() returned" \
+ -s "! The certificate is not correctly signed by the trusted CA" \
+ -S "The certificate has been revoked (is on a CRL)"
+
+run_test "SNI: DTLS, CA override" \
+ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ ca_file=data_files/test-ca.crt \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
+ "$P_CLI debug_level=3 server_name=localhost dtls=1 \
+ crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ 0 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify" \
+ -S "x509_verify_cert() returned" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
+ -S "The certificate has been revoked (is on a CRL)"
+
+run_test "SNI: DTLS, CA override with CRL" \
+ "$P_SRV debug_level=3 auth_mode=optional \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
+ ca_file=data_files/test-ca.crt \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
+ "$P_CLI debug_level=3 server_name=localhost dtls=1 \
+ crt_file=data_files/server6.crt key_file=data_files/server6.key" \
+ 1 \
+ -S "skip write certificate request" \
+ -C "skip parse certificate request" \
+ -c "got a certificate request" \
+ -C "skip write certificate" \
+ -C "skip write certificate verify" \
+ -S "skip parse certificate verify" \
+ -s "x509_verify_cert() returned" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
+ -s "The certificate has been revoked (is on a CRL)"
+
# Tests for non-blocking I/O: exercise a variety of handshake flows
run_test "Non-blocking I/O: basic handshake" \
@@ -3834,14 +4021,19 @@
# Test for large packets
+# How many fragments do we expect to write $1 bytes?
+fragments_for_write() {
+ echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
+}
+
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large packet SSLv3 BlockCipher" \
"$P_SRV min_version=ssl3" \
"$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large packet SSLv3 StreamCipher" \
@@ -3849,23 +4041,23 @@
"$P_CLI request_size=16384 force_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.0 BlockCipher" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.0 BlockCipher, without EtM" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \
@@ -3873,8 +4065,8 @@
"$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
@@ -3882,21 +4074,21 @@
"$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.0 StreamCipher" \
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI request_size=16384 force_version=tls1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.0 StreamCipher, without EtM" \
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI request_size=16384 force_version=tls1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \
@@ -3904,7 +4096,7 @@
"$P_CLI request_size=16384 force_version=tls1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
@@ -3912,23 +4104,23 @@
"$P_CLI request_size=16384 force_version=tls1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.1 BlockCipher" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1_1 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.1 BlockCipher, without EtM" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \
@@ -3936,7 +4128,7 @@
"$P_CLI request_size=16384 force_version=tls1_1 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
@@ -3944,23 +4136,23 @@
"$P_CLI request_size=16384 force_version=tls1_1 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.1 StreamCipher" \
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI request_size=16384 force_version=tls1_1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.1 StreamCipher, without EtM" \
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI request_size=16384 force_version=tls1_1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \
@@ -3968,7 +4160,7 @@
"$P_CLI request_size=16384 force_version=tls1_1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
@@ -3976,31 +4168,31 @@
"$P_CLI request_size=16384 force_version=tls1_1 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.2 BlockCipher" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.2 BlockCipher, without EtM" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \
@@ -4008,7 +4200,7 @@
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
@@ -4016,23 +4208,23 @@
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.2 StreamCipher" \
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.2 StreamCipher, without EtM" \
"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \
@@ -4040,7 +4232,7 @@
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
0 \
- -s "Read from client: 16384 bytes read"
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
@@ -4048,24 +4240,372 @@
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.2 AEAD" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
run_test "Large packet TLS 1.2 AEAD shorter tag" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls1_2 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
0 \
- -c "16384 bytes written in 1 fragments" \
- -s "Read from client: 16384 bytes read"
+ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+ -s "Read from client: $MAX_CONTENT_LEN bytes read"
+
+# Tests of asynchronous private key support in SSL
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: sign, delay=0" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=0 async_private_delay2=0" \
+ "$P_CLI" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: sign, delay=1" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): call 0 more times." \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: sign, delay=2" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=2 async_private_delay2=2" \
+ "$P_CLI" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -U "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): call 1 more times." \
+ -s "Async resume (slot [0-9]): call 0 more times." \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
+# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+run_test "SSL async private: sign, RSA, TLS 1.1" \
+ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
+ async_operations=s async_private_delay1=0 async_private_delay2=0" \
+ "$P_CLI force_version=tls1_1" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: sign, SNI" \
+ "$P_SRV debug_level=3 \
+ async_operations=s async_private_delay1=0 async_private_delay2=0 \
+ crt_file=data_files/server5.crt key_file=data_files/server5.key \
+ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+ "$P_CLI server_name=polarssl.example" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): sign done, status=0" \
+ -s "parse ServerName extension" \
+ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
+ -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: decrypt, delay=0" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=0 async_private_delay2=0" \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: decrypt, delay=1" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): call 0 more times." \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: decrypt RSA-PSK, delay=0" \
+ "$P_SRV psk=abc123 \
+ async_operations=d async_private_delay1=0 async_private_delay2=0" \
+ "$P_CLI psk=abc123 \
+ force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: decrypt RSA-PSK, delay=1" \
+ "$P_SRV psk=abc123 \
+ async_operations=d async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI psk=abc123 \
+ force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): call 0 more times." \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: sign callback not present" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI; [ \$? -eq 1 ] &&
+ $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -S "Async sign callback" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "The own private key or pre-shared key is not set, but needed" \
+ -s "Async resume (slot [0-9]): decrypt done, status=0" \
+ -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: decrypt callback not present" \
+ "$P_SRV debug_level=1 \
+ async_operations=s async_private_delay1=1 async_private_delay2=1" \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
+ [ \$? -eq 1 ] && $P_CLI" \
+ 0 \
+ -S "Async decrypt callback" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "got no RSA private key" \
+ -s "Async resume (slot [0-9]): sign done, status=0" \
+ -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 from slot 0
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: slot 0 used with key1" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async sign callback: using key slot 0," \
+ -s "Async resume (slot 0): call 0 more times." \
+ -s "Async resume (slot 0): sign done, status=0"
+
+# key1: ECDSA, key2: RSA; use key2 from slot 0
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: slot 0 used with key2" \
+ "$P_SRV \
+ async_operations=s async_private_delay2=1 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async sign callback: using key slot 0," \
+ -s "Async resume (slot 0): call 0 more times." \
+ -s "Async resume (slot 0): sign done, status=0"
+
+# key1: ECDSA, key2: RSA; use key2 from slot 1
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: slot 1 used with key2" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async sign callback: using key slot 1," \
+ -s "Async resume (slot 1): call 0 more times." \
+ -s "Async resume (slot 1): sign done, status=0"
+
+# key1: ECDSA, key2: RSA; use key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: fall back to transparent key" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async sign callback: no key matches this certificate."
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: sign, error in start" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=1" \
+ "$P_CLI" \
+ 1 \
+ -s "Async sign callback: injected error" \
+ -S "Async resume" \
+ -S "Async cancel" \
+ -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: sign, cancel after start" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=2" \
+ "$P_CLI" \
+ 1 \
+ -s "Async sign callback: using key slot " \
+ -S "Async resume" \
+ -s "Async cancel"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: sign, error in resume" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=3" \
+ "$P_CLI" \
+ 1 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume callback: sign done but injected error" \
+ -S "Async cancel" \
+ -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: decrypt, error in start" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=1" \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 1 \
+ -s "Async decrypt callback: injected error" \
+ -S "Async resume" \
+ -S "Async cancel" \
+ -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: decrypt, cancel after start" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=2" \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 1 \
+ -s "Async decrypt callback: using key slot " \
+ -S "Async resume" \
+ -s "Async cancel"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: decrypt, error in resume" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=3" \
+ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 1 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume callback: decrypt done but injected error" \
+ -S "Async cancel" \
+ -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: cancel after start then operate correctly" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=-2" \
+ "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
+ 0 \
+ -s "Async cancel" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "Async resume" \
+ -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: error in resume then operate correctly" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ async_private_error=-3" \
+ "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
+ 0 \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "Async resume" \
+ -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: cancel after start then fall back to transparent key" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_error=-2 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
+ [ \$? -eq 1 ] &&
+ $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async sign callback: using key slot 0" \
+ -S "Async resume" \
+ -s "Async cancel" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "Async sign callback: no key matches this certificate." \
+ -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test "SSL async private: sign, error in resume then fall back to transparent key" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_error=-3 \
+ key_file=data_files/server5.key crt_file=data_files/server5.crt \
+ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
+ [ \$? -eq 1 ] &&
+ $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+ 0 \
+ -s "Async resume" \
+ -s "! mbedtls_ssl_handshake returned" \
+ -s "Async sign callback: no key matches this certificate." \
+ -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test "SSL async private: renegotiation: client-initiated; sign" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ exchanges=2 renegotiation=1" \
+ "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test "SSL async private: renegotiation: server-initiated; sign" \
+ "$P_SRV \
+ async_operations=s async_private_delay1=1 async_private_delay2=1 \
+ exchanges=2 renegotiation=1 renegotiate=1" \
+ "$P_CLI exchanges=2 renegotiation=1" \
+ 0 \
+ -s "Async sign callback: using key slot " \
+ -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test "SSL async private: renegotiation: client-initiated; decrypt" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1 \
+ exchanges=2 renegotiation=1" \
+ "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
+ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test "SSL async private: renegotiation: server-initiated; decrypt" \
+ "$P_SRV \
+ async_operations=d async_private_delay1=1 async_private_delay2=1 \
+ exchanges=2 renegotiation=1 renegotiate=1" \
+ "$P_CLI exchanges=2 renegotiation=1 \
+ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+ 0 \
+ -s "Async decrypt callback: using key slot " \
+ -s "Async resume (slot [0-9]): decrypt done, status=0"
# Tests for DTLS HelloVerifyRequest
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index f82694a..8f04885 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -36,6 +36,7 @@
#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
#include <unistd.h>
+#include <strings.h>
#endif
/*----------------------------------------------------------------------------*/
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index bf65bda..b6e3104 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -226,12 +226,23 @@
return( cnt );
}
+#if defined(__GNUC__)
+/* At high optimization levels (e.g. gcc -O3), this function may be
+ * inlined in run_test_snprintf. This can trigger a spurious warning about
+ * potential misuse of snprintf from gcc -Wformat-truncation (observed with
+ * gcc 7.2). This warning makes tests in run_test_snprintf redundant on gcc
+ * only. They are still valid for other compilers. Avoid this warning by
+ * forbidding inlining of this function by gcc. */
+__attribute__((__noinline__))
+#endif
static int test_snprintf( size_t n, const char ref_buf[10], int ref_ret )
{
int ret;
char buf[10] = "xxxxxxxxx";
const char ref[10] = "xxxxxxxxx";
+ if( n >= sizeof( buf ) )
+ return( -1 );
ret = mbedtls_snprintf( buf, n, "%s", "123" );
if( ret < 0 || (size_t) ret >= n )
ret = -1;
diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function
index c5f0eaa..e346dc7 100644
--- a/tests/suites/test_suite_aes.function
+++ b/tests/suites/test_suite_aes.function
@@ -151,6 +151,130 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_encrypt_xts( char *hex_key_string, char *hex_data_unit_string,
+ char *hex_src_string, char *hex_dst_string )
+{
+ enum { AES_BLOCK_SIZE = 16 };
+ unsigned char *data_unit = NULL;
+ unsigned char *key = NULL;
+ unsigned char *src = NULL;
+ unsigned char *dst = NULL;
+ unsigned char *output = NULL;
+ mbedtls_aes_xts_context ctx;
+ size_t key_len, src_len, dst_len, data_unit_len;
+
+ mbedtls_aes_xts_init( &ctx );
+
+ data_unit = unhexify_alloc( hex_data_unit_string, &data_unit_len );
+ TEST_ASSERT( data_unit_len == AES_BLOCK_SIZE );
+
+ key = unhexify_alloc( hex_key_string, &key_len );
+ TEST_ASSERT( key_len % 2 == 0 );
+
+ src = unhexify_alloc( hex_src_string, &src_len );
+ dst = unhexify_alloc( hex_dst_string, &dst_len );
+ TEST_ASSERT( src_len == dst_len );
+
+ output = zero_alloc( dst_len );
+
+ TEST_ASSERT( mbedtls_aes_xts_setkey_enc( &ctx, key, key_len * 8 ) == 0 );
+ TEST_ASSERT( mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_ENCRYPT, src_len,
+ data_unit, src, output ) == 0 );
+
+ TEST_ASSERT( memcmp( output, dst, dst_len ) == 0 );
+
+exit:
+ mbedtls_aes_xts_free( &ctx );
+ mbedtls_free( data_unit );
+ mbedtls_free( key );
+ mbedtls_free( src );
+ mbedtls_free( dst );
+ mbedtls_free( output );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_decrypt_xts( char *hex_key_string, char *hex_data_unit_string,
+ char *hex_dst_string, char *hex_src_string )
+{
+ enum { AES_BLOCK_SIZE = 16 };
+ unsigned char *data_unit = NULL;
+ unsigned char *key = NULL;
+ unsigned char *src = NULL;
+ unsigned char *dst = NULL;
+ unsigned char *output = NULL;
+ mbedtls_aes_xts_context ctx;
+ size_t key_len, src_len, dst_len, data_unit_len;
+
+ mbedtls_aes_xts_init( &ctx );
+
+ data_unit = unhexify_alloc( hex_data_unit_string, &data_unit_len );
+ TEST_ASSERT( data_unit_len == AES_BLOCK_SIZE );
+
+ key = unhexify_alloc( hex_key_string, &key_len );
+ TEST_ASSERT( key_len % 2 == 0 );
+
+ src = unhexify_alloc( hex_src_string, &src_len );
+ dst = unhexify_alloc( hex_dst_string, &dst_len );
+ TEST_ASSERT( src_len == dst_len );
+
+ output = zero_alloc( dst_len );
+
+ TEST_ASSERT( mbedtls_aes_xts_setkey_dec( &ctx, key, key_len * 8 ) == 0 );
+ TEST_ASSERT( mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_DECRYPT, src_len,
+ data_unit, src, output ) == 0 );
+
+ TEST_ASSERT( memcmp( output, dst, dst_len ) == 0 );
+
+exit:
+ mbedtls_aes_xts_free( &ctx );
+ mbedtls_free( data_unit );
+ mbedtls_free( key );
+ mbedtls_free( src );
+ mbedtls_free( dst );
+ mbedtls_free( output );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_crypt_xts_size( int size, int retval )
+{
+ mbedtls_aes_xts_context ctx;
+ const unsigned char *src = NULL;
+ unsigned char *output = NULL;
+ unsigned char data_unit[16];
+ size_t length = size;
+
+ mbedtls_aes_xts_init( &ctx );
+ memset( data_unit, 0x00, sizeof( data_unit ) );
+
+
+ /* Note that this function will most likely crash on failure, as NULL
+ * parameters will be used. In the passing case, the length check in
+ * mbedtls_aes_crypt_xts() will prevent any accesses to parameters by
+ * exiting the function early. */
+ TEST_ASSERT( mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_ENCRYPT, length, data_unit, src, output ) == retval );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_crypt_xts_keysize( int size, int retval )
+{
+ mbedtls_aes_xts_context ctx;
+ const unsigned char *key = NULL;
+ size_t key_len = size;
+
+ mbedtls_aes_xts_init( &ctx );
+
+ TEST_ASSERT( mbedtls_aes_xts_setkey_enc( &ctx, key, key_len * 8 ) == retval );
+ TEST_ASSERT( mbedtls_aes_xts_setkey_dec( &ctx, key, key_len * 8 ) == retval );
+exit:
+ mbedtls_aes_xts_free( &ctx );
+}
+/* END_CASE */
+
+
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
void aes_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
char *hex_src_string, char *hex_dst_string )
@@ -289,6 +413,63 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_OFB */
+void aes_encrypt_ofb( int fragment_size, char *hex_key_string,
+ char *hex_iv_string, char *hex_src_string,
+ char *hex_dst_string )
+{
+ unsigned char key_str[32];
+ unsigned char iv_str[16];
+ unsigned char src_str[64];
+ unsigned char dst_str[64];
+ unsigned char output[32];
+ mbedtls_aes_context ctx;
+ size_t iv_offset = 0;
+ int in_buffer_len;
+ unsigned char* src_str_next;
+ int key_len;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( iv_str, 0x00, sizeof( iv_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ mbedtls_aes_init( &ctx );
+
+ TEST_ASSERT( strlen( hex_key_string ) <= ( 32 * 2 ) );
+ TEST_ASSERT( strlen( hex_iv_string ) <= ( 16 * 2 ) );
+ TEST_ASSERT( strlen( hex_src_string ) <= ( 64 * 2 ) );
+ TEST_ASSERT( strlen( hex_dst_string ) <= ( 64 * 2 ) );
+
+ key_len = unhexify( key_str, hex_key_string );
+ unhexify( iv_str, hex_iv_string );
+ in_buffer_len = unhexify( src_str, hex_src_string );
+
+ TEST_ASSERT( mbedtls_aes_setkey_enc( &ctx, key_str, key_len * 8 ) == 0 );
+ src_str_next = src_str;
+
+ while( in_buffer_len > 0 )
+ {
+ TEST_ASSERT( mbedtls_aes_crypt_ofb( &ctx, fragment_size, &iv_offset,
+ iv_str, src_str_next, output ) == 0 );
+
+ hexify( dst_str, output, fragment_size );
+ TEST_ASSERT( strncmp( (char *) dst_str, hex_dst_string,
+ ( 2 * fragment_size ) ) == 0 );
+
+ in_buffer_len -= fragment_size;
+ hex_dst_string += ( fragment_size * 2 );
+ src_str_next += fragment_size;
+
+ if( in_buffer_len < fragment_size )
+ fragment_size = in_buffer_len;
+ }
+
+exit:
+ mbedtls_aes_free( &ctx );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void aes_selftest()
{
diff --git a/tests/suites/test_suite_aes.ofb.data b/tests/suites/test_suite_aes.ofb.data
new file mode 100644
index 0000000..4b9d80e
--- /dev/null
+++ b/tests/suites/test_suite_aes.ofb.data
@@ -0,0 +1,35 @@
+# NIST Special Publication 800-38A
+# Recommendation for Block Cipher Modes of Operation
+# Test Vectors - Appendix F, Section F.4
+OFB-AES128.Encrypt - Single block
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"2b7e151628aed2a6abf7158809cf4f3c":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172a":"3b3fd92eb72dad20333449f8e83cfb4a"
+
+OFB-AES128.Encrypt - Partial blocks - 7 bytes
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:5:"2b7e151628aed2a6abf7158809cf4f3c":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"3b3fd92eb72dad20333449f8e83cfb4a7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e"
+
+OFB-AES128.Encrypt - Test NIST SP800-38A - F.4.1
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"2b7e151628aed2a6abf7158809cf4f3c":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"3b3fd92eb72dad20333449f8e83cfb4a7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e"
+
+OFB-AES128.Decrypt - Test NIST SP800-38A - F.4.2
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"2b7e151628aed2a6abf7158809cf4f3c":"000102030405060708090a0b0c0d0e0f":"3b3fd92eb72dad20333449f8e83cfb4a7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"
+
+OFB-AES192.Encrypt - Test NIST SP800-38A - F.4.3
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"cdc80d6fddf18cab34c25909c99a4174fcc28b8d4c63837c09e81700c11004018d9a9aeac0f6596f559c6d4daf59a5f26d9f200857ca6c3e9cac524bd9acc92a"
+
+OFB-AES192.Decrypt - Test NIST SP800-38A - F.4.4
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":"000102030405060708090a0b0c0d0e0f":"cdc80d6fddf18cab34c25909c99a4174fcc28b8d4c63837c09e81700c11004018d9a9aeac0f6596f559c6d4daf59a5f26d9f200857ca6c3e9cac524bd9acc92a":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"
+
+OFB-AES256.Encrypt - Test NIST SP800-38A - F.4.5
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"dc7e84bfda79164b7ecd8486985d38604febdc6740d20b3ac88f6ad82a4fb08d71ab47a086e86eedf39d1c5bba97c4080126141d67f37be8538f5a8be740e484"
+
+OFB-AES256.Decrypt - Test NIST SP800-38A - F.4.6
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4":"000102030405060708090a0b0c0d0e0f":"dc7e84bfda79164b7ecd8486985d38604febdc6740d20b3ac88f6ad82a4fb08d71ab47a086e86eedf39d1c5bba97c4080126141d67f37be8538f5a8be740e484":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"
+
diff --git a/tests/suites/test_suite_aes.xts.data b/tests/suites/test_suite_aes.xts.data
new file mode 100644
index 0000000..647819e
--- /dev/null
+++ b/tests/suites/test_suite_aes.xts.data
@@ -0,0 +1,158 @@
+#
+# Tests for expected errors (negative tests)
+#
+AES-128-XTS Encrypt Fail Sector Too Small (by 16 bytes)
+aes_crypt_xts_size:0:MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+
+AES-128-XTS Encrypt Fail Sector Too Small (by 1 byte)
+aes_crypt_xts_size:15:MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+
+AES-128-XTS Encrypt Fail Sector Too Large (by 1 byte)
+aes_crypt_xts_size:16777217:MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+
+AES-128-XTS Encrypt Fail Sector Too Large (by 1 block)
+aes_crypt_xts_size:16777232:MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+
+AES-0-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:0:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+AES-4-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:1:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+AES-64-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:16:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+AES-192-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:48:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+AES-384-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:96:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+#
+# IEEE P1619/D16 Annex B Test Vectors
+# http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
+#
+# 128-bit keys with 32 byte sector
+#
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 1
+aes_encrypt_xts:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"0000000000000000000000000000000000000000000000000000000000000000":"917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 2
+aes_encrypt_xts:"1111111111111111111111111111111122222222222222222222222222222222":"33333333330000000000000000000000":"4444444444444444444444444444444444444444444444444444444444444444":"c454185e6a16936e39334038acef838bfb186fff7480adc4289382ecd6d394f0"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 3
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f022222222222222222222222222222222":"33333333330000000000000000000000":"4444444444444444444444444444444444444444444444444444444444444444":"af85336b597afc1a900b2eb21ec949d292df4c047e0b21532186a5971a227a89"
+
+#
+# 128-bit keys with 512 byte sector
+#
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 4
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"00000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 5
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"01000000000000000000000000000000":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568":"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 6
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"02000000000000000000000000000000":"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd":"fa762a3680b76007928ed4a4f49a9456031b704782e65e16cecb54ed7d017b5e18abd67b338e81078f21edb7868d901ebe9c731a7c18b5e6dec1d6a72e078ac9a4262f860beefa14f4e821018272e411a951502b6e79066e84252c3346f3aa62344351a291d4bedc7a07618bdea2af63145cc7a4b8d4070691ae890cd65733e7946e9021a1dffc4c59f159425ee6d50ca9b135fa6162cea18a939838dc000fb386fad086acce5ac07cb2ece7fd580b00cfa5e98589631dc25e8e2a3daf2ffdec26531659912c9d8f7a15e5865ea8fb5816d6207052bd7128cd743c12c8118791a4736811935eb982a532349e31dd401e0b660a568cb1a4711f552f55ded59f1f15bf7196b3ca12a91e488ef59d64f3a02bf45239499ac6176ae321c4a211ec545365971c5d3f4f09d4eb139bfdf2073d33180b21002b65cc9865e76cb24cd92c874c24c18350399a936ab3637079295d76c417776b94efce3a0ef7206b15110519655c956cbd8b2489405ee2b09a6b6eebe0c53790a12a8998378b33a5b71159625f4ba49d2a2fdba59fbf0897bc7aabd8d707dc140a80f0f309f835d3da54ab584e501dfa0ee977fec543f74186a802b9a37adb3e8291eca04d66520d229e60401e7282bef486ae059aa70696e0e305d777140a7a883ecdcb69b9ff938e8a4231864c69ca2c2043bed007ff3e605e014bcf518138dc3a25c5e236171a2d01d6"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 7
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"fd000000000000000000000000000000":"8e41b78c390b5af9d758bb214a67e9f6bf7727b09ac6124084c37611398fa45daad94868600ed391fb1acd4857a95b466e62ef9f4b377244d1c152e7b30d731aad30c716d214b707aed99eb5b5e580b3e887cf7497465651d4b60e6042051da3693c3b78c14489543be8b6ad0ba629565bba202313ba7b0d0c94a3252b676f46cc02ce0f8a7d34c0ed229129673c1f61aed579d08a9203a25aac3a77e9db60267996db38df637356d9dcd1632e369939f2a29d89345c66e05066f1a3677aef18dea4113faeb629e46721a66d0a7e785d3e29af2594eb67dfa982affe0aac058f6e15864269b135418261fc3afb089472cf68c45dd7f231c6249ba0255e1e033833fc4d00a3fe02132d7bc3873614b8aee34273581ea0325c81f0270affa13641d052d36f0757d484014354d02d6883ca15c24d8c3956b1bd027bcf41f151fd8023c5340e5606f37e90fdb87c86fb4fa634b3718a30bace06a66eaf8f63c4aa3b637826a87fe8cfa44282e92cb1615af3a28e53bc74c7cba1a0977be9065d0c1a5dec6c54ae38d37f37aa35283e048e5530a85c4e7a29d7b92ec0c3169cdf2a805c7604bce60049b9fb7b8eaac10f51ae23794ceba68bb58112e293b9b692ca721b37c662f8574ed4dba6f88e170881c82cddc1034a0ca7e284bf0962b6b26292d836fa9f73c1ac770eef0f2d3a1eaf61d3e03555fd424eedd67e18a18094f888":"d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 8
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"fe000000000000000000000000000000":"d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637":"72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 9
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"ff000000000000000000000000000000":"72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a":"3260ae8dad1f4a32c5cafe3ab0eb95549d461a67ceb9e5aa2d3afb62dece0553193ba50c75be251e08d1d08f1088576c7efdfaaf3f459559571e12511753b07af073f35da06af0ce0bbf6b8f5ccc5cea500ec1b211bd51f63b606bf6528796ca12173ba39b8935ee44ccce646f90a45bf9ccc567f0ace13dc2d53ebeedc81f58b2e41179dddf0d5a5c42f5d8506c1a5d2f8f59f3ea873cbcd0eec19acbf325423bd3dcb8c2b1bf1d1eaed0eba7f0698e4314fbeb2f1566d1b9253008cbccf45a2b0d9c5c9c21474f4076e02be26050b99dee4fd68a4cf890e496e4fcae7b70f94ea5a9062da0daeba1993d2ccd1dd3c244b8428801495a58b216547e7e847c46d1d756377b6242d2e5fb83bf752b54e0df71e889f3a2bb0f4c10805bf3c590376e3c24e22ff57f7fa965577375325cea5d920db94b9c336b455f6e894c01866fe9fbb8c8d3f70a2957285f6dfb5dcd8cbf54782f8fe7766d4723819913ac773421e3a31095866bad22c86a6036b2518b2059b4229d18c8c2ccbdf906c6cc6e82464ee57bddb0bebcb1dc645325bfb3e665ef7251082c88ebb1cf203bd779fdd38675713c8daadd17e1cabee432b09787b6ddf3304e38b731b45df5df51b78fcfb3d32466028d0ba36555e7e11ab0ee0666061d1645d962444bc47a38188930a84b4d561395c73c087021927ca638b7afc8a8679ccb84c26555440ec7f10445cd"
+
+#
+# 256-bit keys with 512 byte sector
+#
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 10
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ff000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"1c3b3a102f770386e4836c99e370cf9bea00803f5e482357a4ae12d414a3e63b5d31e276f8fe4a8d66b317f9ac683f44680a86ac35adfc3345befecb4bb188fd5776926c49a3095eb108fd1098baec70aaa66999a72a82f27d848b21d4a741b0c5cd4d5fff9dac89aeba122961d03a757123e9870f8acf1000020887891429ca2a3e7a7d7df7b10355165c8b9a6d0a7de8b062c4500dc4cd120c0f7418dae3d0b5781c34803fa75421c790dfe1de1834f280d7667b327f6c8cd7557e12ac3a0f93ec05c52e0493ef31a12d3d9260f79a289d6a379bc70c50841473d1a8cc81ec583e9645e07b8d9670655ba5bbcfecc6dc3966380ad8fecb17b6ba02469a020a84e18e8f84252070c13e9f1f289be54fbc481457778f616015e1327a02b140f1505eb309326d68378f8374595c849d84f4c333ec4423885143cb47bd71c5edae9be69a2ffeceb1bec9de244fbe15992b11b77c040f12bd8f6a975a44a0f90c29a9abc3d4d893927284c58754cce294529f8614dcd2aba991925fedc4ae74ffac6e333b93eb4aff0479da9a410e4450e0dd7ae4c6e2910900575da401fc07059f645e8b7e9bfdef33943054ff84011493c27b3429eaedb4ed5376441a77ed43851ad77f16f541dfd269d50d6a5f14fb0aab1cbb4c1550be97f7ab4066193c4caa773dad38014bd2092fa755c824bb5e54c4f36ffda9fcea70b9c6e693e148c151"
+
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 11
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffff0000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"77a31251618a15e6b92d1d66dffe7b50b50bad552305ba0217a610688eff7e11e1d0225438e093242d6db274fde801d4cae06f2092c728b2478559df58e837c2469ee4a4fa794e4bbc7f39bc026e3cb72c33b0888f25b4acf56a2a9804f1ce6d3d6e1dc6ca181d4b546179d55544aa7760c40d06741539c7e3cd9d2f6650b2013fd0eeb8c2b8e3d8d240ccae2d4c98320a7442e1c8d75a42d6e6cfa4c2eca1798d158c7aecdf82490f24bb9b38e108bcda12c3faf9a21141c3613b58367f922aaa26cd22f23d708dae699ad7cb40a8ad0b6e2784973dcb605684c08b8d6998c69aac049921871ebb65301a4619ca80ecb485a31d744223ce8ddc2394828d6a80470c092f5ba413c3378fa6054255c6f9df4495862bbb3287681f931b687c888abf844dfc8fc28331e579928cd12bd2390ae123cf03818d14dedde5c0c24c8ab018bfca75ca096f2d531f3d1619e785f1ada437cab92e980558b3dce1474afb75bfedbf8ff54cb2618e0244c9ac0d3c66fb51598cd2db11f9be39791abe447c63094f7c453b7ff87cb5bb36b7c79efb0872d17058b83b15ab0866ad8a58656c5a7e20dbdf308b2461d97c0ec0024a2715055249cf3b478ddd4740de654f75ca686e0d7345c69ed50cdc2a8b332b1f8824108ac937eb050585608ee734097fc09054fbff89eeaeea791f4a7ab1f9868294a4f9e27b42af8100cb9d59cef9645803"
+
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 12
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffff00000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"e387aaa58ba483afa7e8eb469778317ecf4cf573aa9d4eac23f2cdf914e4e200a8b490e42ee646802dc6ee2b471b278195d60918ececb44bf79966f83faba0499298ebc699c0c8634715a320bb4f075d622e74c8c932004f25b41e361025b5a87815391f6108fc4afa6a05d9303c6ba68a128a55705d415985832fdeaae6c8e19110e84d1b1f199a2692119edc96132658f09da7c623efcec712537a3d94c0bf5d7e352ec94ae5797fdb377dc1551150721adf15bd26a8efc2fcaad56881fa9e62462c28f30ae1ceaca93c345cf243b73f542e2074a705bd2643bb9f7cc79bb6e7091ea6e232df0f9ad0d6cf502327876d82207abf2115cdacf6d5a48f6c1879a65b115f0f8b3cb3c59d15dd8c769bc014795a1837f3901b5845eb491adfefe097b1fa30a12fc1f65ba22905031539971a10f2f36c321bb51331cdefb39e3964c7ef079994f5b69b2edd83a71ef549971ee93f44eac3938fcdd61d01fa71799da3a8091c4c48aa9ed263ff0749df95d44fef6a0bb578ec69456aa5408ae32c7af08ad7ba8921287e3bbee31b767be06a0e705c864a769137df28292283ea81a2480241b44d9921cdbec1bc28dc1fda114bd8e5217ac9d8ebafa720e9da4f9ace231cc949e5b96fe76ffc21063fddc83a6b8679c00d35e09576a875305bed5f36ed242c8900dd1fa965bc950dfce09b132263a1eef52dd6888c309f5a7d712826"
+
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 13
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffffff000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"bf53d2dade78e822a4d949a9bc6766b01b06a8ef70d26748c6a7fc36d80ae4c5520f7c4ab0ac8544424fa405162fef5a6b7f229498063618d39f0003cb5fb8d1c86b643497da1ff945c8d3bedeca4f479702a7a735f043ddb1d6aaade3c4a0ac7ca7f3fa5279bef56f82cd7a2f38672e824814e10700300a055e1630b8f1cb0e919f5e942010a416e2bf48cb46993d3cb6a51c19bacf864785a00bc2ecff15d350875b246ed53e68be6f55bd7e05cfc2b2ed6432198a6444b6d8c247fab941f569768b5c429366f1d3f00f0345b96123d56204c01c63b22ce78baf116e525ed90fdea39fa469494d3866c31e05f295ff21fea8d4e6e13d67e47ce722e9698a1c1048d68ebcde76b86fcf976eab8aa9790268b7068e017a8b9b749409514f1053027fd16c3786ea1bac5f15cb79711ee2abe82f5cf8b13ae73030ef5b9e4457e75d1304f988d62dd6fc4b94ed38ba831da4b7634971b6cd8ec325d9c61c00f1df73627ed3745a5e8489f3a95c69639c32cd6e1d537a85f75cc844726e8a72fc0077ad22000f1d5078f6b866318c668f1ad03d5a5fced5219f2eabbd0aa5c0f460d183f04404a0d6f469558e81fab24a167905ab4c7878502ad3e38fdbe62a41556cec37325759533ce8f25f367c87bb5578d667ae93f9e2fd99bcbc5f2fbba88cf6516139420fcff3b7361d86322c4bd84c82f335abb152c4a93411373aaa8220"
+
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 14
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffffffff0000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"64497e5a831e4a932c09be3e5393376daa599548b816031d224bbf50a818ed2350eae7e96087c8a0db51ad290bd00c1ac1620857635bf246c176ab463be30b808da548081ac847b158e1264be25bb0910bbc92647108089415d45fab1b3d2604e8a8eff1ae4020cfa39936b66827b23f371b92200be90251e6d73c5f86de5fd4a950781933d79a28272b782a2ec313efdfcc0628f43d744c2dc2ff3dcb66999b50c7ca895b0c64791eeaa5f29499fb1c026f84ce5b5c72ba1083cddb5ce45434631665c333b60b11593fb253c5179a2c8db813782a004856a1653011e93fb6d876c18366dd8683f53412c0c180f9c848592d593f8609ca736317d356e13e2bff3a9f59cd9aeb19cd482593d8c46128bb32423b37a9adfb482b99453fbe25a41bf6feb4aa0bef5ed24bf73c762978025482c13115e4015aac992e5613a3b5c2f685b84795cb6e9b2656d8c88157e52c42f978d8634c43d06fea928f2822e465aa6576e9bf419384506cc3ce3c54ac1a6f67dc66f3b30191e698380bc999b05abce19dc0c6dcc2dd001ec535ba18deb2df1a101023108318c75dc98611a09dc48a0acdec676fabdf222f07e026f059b672b56e5cbc8e1d21bbd867dd927212054681d70ea737134cdfce93b6f82ae22423274e58a0821cc5502e2d0ab4585e94de6975be5e0b4efce51cd3e70c25a1fbbbd609d273ad5b0d59631c531f6a0a57b9"
+
+#
+# 128-bit keys with sector size not evenly divisible by 16 bytes
+#
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 15
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f10":"6c1625db4671522d3d7599601de7ca09ed"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 16
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f1011":"d069444b7a7e0cab09e24447d24deb1fedbf"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 17
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f101112":"e5df1351c0544ba1350b3363cd8ef4beedbf9d"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 18
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f10111213":"9d84c813f719aa2c7be3f66171c7c5c2edbf9dac"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 19
+aes_encrypt_xts:"e0e1e2e3e4e5e6e7e8e9eaebecedeeefc0c1c2c3c4c5c6c7c8c9cacbcccdcecf":"21436587a90000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"38b45812ef43a05bd957e545907e223b954ab4aaf088303ad910eadf14b42be68b2461149d8c8ba85f992be970bc621f1b06573f63e867bf5875acafa04e42ccbd7bd3c2a0fb1fff791ec5ec36c66ae4ac1e806d81fbf709dbe29e471fad38549c8e66f5345d7c1eb94f405d1ec785cc6f6a68f6254dd8339f9d84057e01a17741990482999516b5611a38f41bb6478e6f173f320805dd71b1932fc333cb9ee39936beea9ad96fa10fb4112b901734ddad40bc1878995f8e11aee7d141a2f5d48b7a4e1e7f0b2c04830e69a4fd1378411c2f287edf48c6c4e5c247a19680f7fe41cefbd49b582106e3616cbbe4dfb2344b2ae9519391f3e0fb4922254b1d6d2d19c6d4d537b3a26f3bcc51588b32f3eca0829b6a5ac72578fb814fb43cf80d64a233e3f997a3f02683342f2b33d25b492536b93becb2f5e1a8b82f5b883342729e8ae09d16938841a21a97fb543eea3bbff59f13c1a18449e398701c1ad51648346cbc04c27bb2da3b93a1372ccae548fb53bee476f9e9c91773b1bb19828394d55d3e1a20ed69113a860b6829ffa847224604435070221b257e8dff783615d2cae4803a93aa4334ab482a0afac9c0aeda70b45a481df5dec5df8cc0f423c77a5fd46cd312021d4b438862419a791be03bb4d97c0e59578542531ba466a83baf92cefc151b5cc1611a167893819b63fb8a6b18e86de60290fa72b797b0ce59f3"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 1
+aes_decrypt_xts:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"0000000000000000000000000000000000000000000000000000000000000000":"917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 2
+aes_decrypt_xts:"1111111111111111111111111111111122222222222222222222222222222222":"33333333330000000000000000000000":"4444444444444444444444444444444444444444444444444444444444444444":"c454185e6a16936e39334038acef838bfb186fff7480adc4289382ecd6d394f0"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 3
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"00000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 4
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"00000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 5
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"01000000000000000000000000000000":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568":"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 6
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"02000000000000000000000000000000":"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd":"fa762a3680b76007928ed4a4f49a9456031b704782e65e16cecb54ed7d017b5e18abd67b338e81078f21edb7868d901ebe9c731a7c18b5e6dec1d6a72e078ac9a4262f860beefa14f4e821018272e411a951502b6e79066e84252c3346f3aa62344351a291d4bedc7a07618bdea2af63145cc7a4b8d4070691ae890cd65733e7946e9021a1dffc4c59f159425ee6d50ca9b135fa6162cea18a939838dc000fb386fad086acce5ac07cb2ece7fd580b00cfa5e98589631dc25e8e2a3daf2ffdec26531659912c9d8f7a15e5865ea8fb5816d6207052bd7128cd743c12c8118791a4736811935eb982a532349e31dd401e0b660a568cb1a4711f552f55ded59f1f15bf7196b3ca12a91e488ef59d64f3a02bf45239499ac6176ae321c4a211ec545365971c5d3f4f09d4eb139bfdf2073d33180b21002b65cc9865e76cb24cd92c874c24c18350399a936ab3637079295d76c417776b94efce3a0ef7206b15110519655c956cbd8b2489405ee2b09a6b6eebe0c53790a12a8998378b33a5b71159625f4ba49d2a2fdba59fbf0897bc7aabd8d707dc140a80f0f309f835d3da54ab584e501dfa0ee977fec543f74186a802b9a37adb3e8291eca04d66520d229e60401e7282bef486ae059aa70696e0e305d777140a7a883ecdcb69b9ff938e8a4231864c69ca2c2043bed007ff3e605e014bcf518138dc3a25c5e236171a2d01d6"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 7
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"fd000000000000000000000000000000":"8e41b78c390b5af9d758bb214a67e9f6bf7727b09ac6124084c37611398fa45daad94868600ed391fb1acd4857a95b466e62ef9f4b377244d1c152e7b30d731aad30c716d214b707aed99eb5b5e580b3e887cf7497465651d4b60e6042051da3693c3b78c14489543be8b6ad0ba629565bba202313ba7b0d0c94a3252b676f46cc02ce0f8a7d34c0ed229129673c1f61aed579d08a9203a25aac3a77e9db60267996db38df637356d9dcd1632e369939f2a29d89345c66e05066f1a3677aef18dea4113faeb629e46721a66d0a7e785d3e29af2594eb67dfa982affe0aac058f6e15864269b135418261fc3afb089472cf68c45dd7f231c6249ba0255e1e033833fc4d00a3fe02132d7bc3873614b8aee34273581ea0325c81f0270affa13641d052d36f0757d484014354d02d6883ca15c24d8c3956b1bd027bcf41f151fd8023c5340e5606f37e90fdb87c86fb4fa634b3718a30bace06a66eaf8f63c4aa3b637826a87fe8cfa44282e92cb1615af3a28e53bc74c7cba1a0977be9065d0c1a5dec6c54ae38d37f37aa35283e048e5530a85c4e7a29d7b92ec0c3169cdf2a805c7604bce60049b9fb7b8eaac10f51ae23794ceba68bb58112e293b9b692ca721b37c662f8574ed4dba6f88e170881c82cddc1034a0ca7e284bf0962b6b26292d836fa9f73c1ac770eef0f2d3a1eaf61d3e03555fd424eedd67e18a18094f888":"d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 8
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"fe000000000000000000000000000000":"d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637":"72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 9
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"ff000000000000000000000000000000":"72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a":"3260ae8dad1f4a32c5cafe3ab0eb95549d461a67ceb9e5aa2d3afb62dece0553193ba50c75be251e08d1d08f1088576c7efdfaaf3f459559571e12511753b07af073f35da06af0ce0bbf6b8f5ccc5cea500ec1b211bd51f63b606bf6528796ca12173ba39b8935ee44ccce646f90a45bf9ccc567f0ace13dc2d53ebeedc81f58b2e41179dddf0d5a5c42f5d8506c1a5d2f8f59f3ea873cbcd0eec19acbf325423bd3dcb8c2b1bf1d1eaed0eba7f0698e4314fbeb2f1566d1b9253008cbccf45a2b0d9c5c9c21474f4076e02be26050b99dee4fd68a4cf890e496e4fcae7b70f94ea5a9062da0daeba1993d2ccd1dd3c244b8428801495a58b216547e7e847c46d1d756377b6242d2e5fb83bf752b54e0df71e889f3a2bb0f4c10805bf3c590376e3c24e22ff57f7fa965577375325cea5d920db94b9c336b455f6e894c01866fe9fbb8c8d3f70a2957285f6dfb5dcd8cbf54782f8fe7766d4723819913ac773421e3a31095866bad22c86a6036b2518b2059b4229d18c8c2ccbdf906c6cc6e82464ee57bddb0bebcb1dc645325bfb3e665ef7251082c88ebb1cf203bd779fdd38675713c8daadd17e1cabee432b09787b6ddf3304e38b731b45df5df51b78fcfb3d32466028d0ba36555e7e11ab0ee0666061d1645d962444bc47a38188930a84b4d561395c73c087021927ca638b7afc8a8679ccb84c26555440ec7f10445cd"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 10
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ff000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"1c3b3a102f770386e4836c99e370cf9bea00803f5e482357a4ae12d414a3e63b5d31e276f8fe4a8d66b317f9ac683f44680a86ac35adfc3345befecb4bb188fd5776926c49a3095eb108fd1098baec70aaa66999a72a82f27d848b21d4a741b0c5cd4d5fff9dac89aeba122961d03a757123e9870f8acf1000020887891429ca2a3e7a7d7df7b10355165c8b9a6d0a7de8b062c4500dc4cd120c0f7418dae3d0b5781c34803fa75421c790dfe1de1834f280d7667b327f6c8cd7557e12ac3a0f93ec05c52e0493ef31a12d3d9260f79a289d6a379bc70c50841473d1a8cc81ec583e9645e07b8d9670655ba5bbcfecc6dc3966380ad8fecb17b6ba02469a020a84e18e8f84252070c13e9f1f289be54fbc481457778f616015e1327a02b140f1505eb309326d68378f8374595c849d84f4c333ec4423885143cb47bd71c5edae9be69a2ffeceb1bec9de244fbe15992b11b77c040f12bd8f6a975a44a0f90c29a9abc3d4d893927284c58754cce294529f8614dcd2aba991925fedc4ae74ffac6e333b93eb4aff0479da9a410e4450e0dd7ae4c6e2910900575da401fc07059f645e8b7e9bfdef33943054ff84011493c27b3429eaedb4ed5376441a77ed43851ad77f16f541dfd269d50d6a5f14fb0aab1cbb4c1550be97f7ab4066193c4caa773dad38014bd2092fa755c824bb5e54c4f36ffda9fcea70b9c6e693e148c151"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 11
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffff0000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"77a31251618a15e6b92d1d66dffe7b50b50bad552305ba0217a610688eff7e11e1d0225438e093242d6db274fde801d4cae06f2092c728b2478559df58e837c2469ee4a4fa794e4bbc7f39bc026e3cb72c33b0888f25b4acf56a2a9804f1ce6d3d6e1dc6ca181d4b546179d55544aa7760c40d06741539c7e3cd9d2f6650b2013fd0eeb8c2b8e3d8d240ccae2d4c98320a7442e1c8d75a42d6e6cfa4c2eca1798d158c7aecdf82490f24bb9b38e108bcda12c3faf9a21141c3613b58367f922aaa26cd22f23d708dae699ad7cb40a8ad0b6e2784973dcb605684c08b8d6998c69aac049921871ebb65301a4619ca80ecb485a31d744223ce8ddc2394828d6a80470c092f5ba413c3378fa6054255c6f9df4495862bbb3287681f931b687c888abf844dfc8fc28331e579928cd12bd2390ae123cf03818d14dedde5c0c24c8ab018bfca75ca096f2d531f3d1619e785f1ada437cab92e980558b3dce1474afb75bfedbf8ff54cb2618e0244c9ac0d3c66fb51598cd2db11f9be39791abe447c63094f7c453b7ff87cb5bb36b7c79efb0872d17058b83b15ab0866ad8a58656c5a7e20dbdf308b2461d97c0ec0024a2715055249cf3b478ddd4740de654f75ca686e0d7345c69ed50cdc2a8b332b1f8824108ac937eb050585608ee734097fc09054fbff89eeaeea791f4a7ab1f9868294a4f9e27b42af8100cb9d59cef9645803"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 12
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffff00000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"e387aaa58ba483afa7e8eb469778317ecf4cf573aa9d4eac23f2cdf914e4e200a8b490e42ee646802dc6ee2b471b278195d60918ececb44bf79966f83faba0499298ebc699c0c8634715a320bb4f075d622e74c8c932004f25b41e361025b5a87815391f6108fc4afa6a05d9303c6ba68a128a55705d415985832fdeaae6c8e19110e84d1b1f199a2692119edc96132658f09da7c623efcec712537a3d94c0bf5d7e352ec94ae5797fdb377dc1551150721adf15bd26a8efc2fcaad56881fa9e62462c28f30ae1ceaca93c345cf243b73f542e2074a705bd2643bb9f7cc79bb6e7091ea6e232df0f9ad0d6cf502327876d82207abf2115cdacf6d5a48f6c1879a65b115f0f8b3cb3c59d15dd8c769bc014795a1837f3901b5845eb491adfefe097b1fa30a12fc1f65ba22905031539971a10f2f36c321bb51331cdefb39e3964c7ef079994f5b69b2edd83a71ef549971ee93f44eac3938fcdd61d01fa71799da3a8091c4c48aa9ed263ff0749df95d44fef6a0bb578ec69456aa5408ae32c7af08ad7ba8921287e3bbee31b767be06a0e705c864a769137df28292283ea81a2480241b44d9921cdbec1bc28dc1fda114bd8e5217ac9d8ebafa720e9da4f9ace231cc949e5b96fe76ffc21063fddc83a6b8679c00d35e09576a875305bed5f36ed242c8900dd1fa965bc950dfce09b132263a1eef52dd6888c309f5a7d712826"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 13
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffffff000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"bf53d2dade78e822a4d949a9bc6766b01b06a8ef70d26748c6a7fc36d80ae4c5520f7c4ab0ac8544424fa405162fef5a6b7f229498063618d39f0003cb5fb8d1c86b643497da1ff945c8d3bedeca4f479702a7a735f043ddb1d6aaade3c4a0ac7ca7f3fa5279bef56f82cd7a2f38672e824814e10700300a055e1630b8f1cb0e919f5e942010a416e2bf48cb46993d3cb6a51c19bacf864785a00bc2ecff15d350875b246ed53e68be6f55bd7e05cfc2b2ed6432198a6444b6d8c247fab941f569768b5c429366f1d3f00f0345b96123d56204c01c63b22ce78baf116e525ed90fdea39fa469494d3866c31e05f295ff21fea8d4e6e13d67e47ce722e9698a1c1048d68ebcde76b86fcf976eab8aa9790268b7068e017a8b9b749409514f1053027fd16c3786ea1bac5f15cb79711ee2abe82f5cf8b13ae73030ef5b9e4457e75d1304f988d62dd6fc4b94ed38ba831da4b7634971b6cd8ec325d9c61c00f1df73627ed3745a5e8489f3a95c69639c32cd6e1d537a85f75cc844726e8a72fc0077ad22000f1d5078f6b866318c668f1ad03d5a5fced5219f2eabbd0aa5c0f460d183f04404a0d6f469558e81fab24a167905ab4c7878502ad3e38fdbe62a41556cec37325759533ce8f25f367c87bb5578d667ae93f9e2fd99bcbc5f2fbba88cf6516139420fcff3b7361d86322c4bd84c82f335abb152c4a93411373aaa8220"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 14
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffffffff0000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"64497e5a831e4a932c09be3e5393376daa599548b816031d224bbf50a818ed2350eae7e96087c8a0db51ad290bd00c1ac1620857635bf246c176ab463be30b808da548081ac847b158e1264be25bb0910bbc92647108089415d45fab1b3d2604e8a8eff1ae4020cfa39936b66827b23f371b92200be90251e6d73c5f86de5fd4a950781933d79a28272b782a2ec313efdfcc0628f43d744c2dc2ff3dcb66999b50c7ca895b0c64791eeaa5f29499fb1c026f84ce5b5c72ba1083cddb5ce45434631665c333b60b11593fb253c5179a2c8db813782a004856a1653011e93fb6d876c18366dd8683f53412c0c180f9c848592d593f8609ca736317d356e13e2bff3a9f59cd9aeb19cd482593d8c46128bb32423b37a9adfb482b99453fbe25a41bf6feb4aa0bef5ed24bf73c762978025482c13115e4015aac992e5613a3b5c2f685b84795cb6e9b2656d8c88157e52c42f978d8634c43d06fea928f2822e465aa6576e9bf419384506cc3ce3c54ac1a6f67dc66f3b30191e698380bc999b05abce19dc0c6dcc2dd001ec535ba18deb2df1a101023108318c75dc98611a09dc48a0acdec676fabdf222f07e026f059b672b56e5cbc8e1d21bbd867dd927212054681d70ea737134cdfce93b6f82ae22423274e58a0821cc5502e2d0ab4585e94de6975be5e0b4efce51cd3e70c25a1fbbbd609d273ad5b0d59631c531f6a0a57b9"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 15
+aes_decrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f10":"6c1625db4671522d3d7599601de7ca09ed"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 16
+aes_decrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f1011":"d069444b7a7e0cab09e24447d24deb1fedbf"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 17
+aes_decrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f101112":"e5df1351c0544ba1350b3363cd8ef4beedbf9d"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 18
+aes_decrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f10111213":"9d84c813f719aa2c7be3f66171c7c5c2edbf9dac"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 19
+aes_decrypt_xts:"e0e1e2e3e4e5e6e7e8e9eaebecedeeefc0c1c2c3c4c5c6c7c8c9cacbcccdcecf":"21436587a90000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"38b45812ef43a05bd957e545907e223b954ab4aaf088303ad910eadf14b42be68b2461149d8c8ba85f992be970bc621f1b06573f63e867bf5875acafa04e42ccbd7bd3c2a0fb1fff791ec5ec36c66ae4ac1e806d81fbf709dbe29e471fad38549c8e66f5345d7c1eb94f405d1ec785cc6f6a68f6254dd8339f9d84057e01a17741990482999516b5611a38f41bb6478e6f173f320805dd71b1932fc333cb9ee39936beea9ad96fa10fb4112b901734ddad40bc1878995f8e11aee7d141a2f5d48b7a4e1e7f0b2c04830e69a4fd1378411c2f287edf48c6c4e5c247a19680f7fe41cefbd49b582106e3616cbbe4dfb2344b2ae9519391f3e0fb4922254b1d6d2d19c6d4d537b3a26f3bcc51588b32f3eca0829b6a5ac72578fb814fb43cf80d64a233e3f997a3f02683342f2b33d25b492536b93becb2f5e1a8b82f5b883342729e8ae09d16938841a21a97fb543eea3bbff59f13c1a18449e398701c1ad51648346cbc04c27bb2da3b93a1372ccae548fb53bee476f9e9c91773b1bb19828394d55d3e1a20ed69113a860b6829ffa847224604435070221b257e8dff783615d2cae4803a93aa4334ab482a0afac9c0aeda70b45a481df5dec5df8cc0f423c77a5fd46cd312021d4b438862419a791be03bb4d97c0e59578542531ba466a83baf92cefc151b5cc1611a167893819b63fb8a6b18e86de60290fa72b797b0ce59f3"
diff --git a/tests/suites/test_suite_aria.data b/tests/suites/test_suite_aria.data
new file mode 100644
index 0000000..8cb2d2a
--- /dev/null
+++ b/tests/suites/test_suite_aria.data
@@ -0,0 +1,98 @@
+ARIA-128-ECB Encrypt - RFC 5794
+aria_encrypt_ecb:"000102030405060708090a0b0c0d0e0f":"00112233445566778899aabbccddeeff":"d718fbd6ab644c739da95f3be6451778":0
+
+ARIA-128-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f":"d718fbd6ab644c739da95f3be6451778":"00112233445566778899aabbccddeeff":0
+
+ARIA-192-ECB Encrypt - RFC 5794
+aria_encrypt_ecb:"000102030405060708090a0b0c0d0e0f1011121314151617":"00112233445566778899aabbccddeeff":"26449c1805dbe7aa25a468ce263a9e79":0
+
+ARIA-192-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f1011121314151617":"26449c1805dbe7aa25a468ce263a9e79":"00112233445566778899aabbccddeeff":0
+
+ARIA-256-ECB_Encrypt - RFC 5794
+aria_encrypt_ecb:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"00112233445566778899aabbccddeeff":"f92bd7c79fb72e2f2b8f80c1972d24fc":0
+
+ARIA-256-ECB_Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"f92bd7c79fb72e2f2b8f80c1972d24fc":"00112233445566778899aabbccddeeff":0
+
+ARIA-128-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f":"d718fbd6ab644c739da95f3be6451778":"00112233445566778899aabbccddeeff":0
+
+ARIA-192-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f1011121314151617":"26449c1805dbe7aa25a468ce263a9e79":"00112233445566778899aabbccddeeff":0
+
+ARIA-256-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"f92bd7c79fb72e2f2b8f80c1972d24fc":"00112233445566778899aabbccddeeff":0
+
+ARIA-128-ECB Encrypt - Official Test Vectors 1.0
+aria_encrypt_ecb:"00112233445566778899aabbccddeeff":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"c6ecd08e22c30abdb215cf74e2075e6e29ccaac63448708d331b2f816c51b17d9e133d1528dbf0af5787c7f3a3f5c2bf6b6f345907a3055612ce072ff54de7d788424da6e8ccfe8172b391be499354165665ba7864917000a6eeb2ecb4a698edfc7887e7f556377614ab0a282293e6d884dbb84206cdb16ed1754e77a1f243fd086953f752cc1e46c7c794ae85537dcaec8dd721f55c93b6edfe2adea43873e8":0
+
+ARIA-128-ECB Decrypt - Official Test Vectors 1.0
+aria_decrypt_ecb:"00112233445566778899aabbccddeeff":"c6ecd08e22c30abdb215cf74e2075e6e29ccaac63448708d331b2f816c51b17d9e133d1528dbf0af5787c7f3a3f5c2bf6b6f345907a3055612ce072ff54de7d788424da6e8ccfe8172b391be499354165665ba7864917000a6eeb2ecb4a698edfc7887e7f556377614ab0a282293e6d884dbb84206cdb16ed1754e77a1f243fd086953f752cc1e46c7c794ae85537dcaec8dd721f55c93b6edfe2adea43873e8":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-192-ECB Encrypt - Official Test Vectors 1.0
+aria_encrypt_ecb:"00112233445566778899aabbccddeeff0011223344556677":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"8d1470625f59ebacb0e55b534b3e462b5f23d33bff78f46c3c15911f4a21809aaccad80b4bda915aa9dae6bcebe06a6c83f77fd5391acfe61de2f646b5d447edbfd5bb49b12fbb9145b227895a757b2af1f7188734863d7b8b6ede5a5b2f06a0a233c8523d2db778fb31b0e311f32700152f33861e9d040c83b5eb40cd88ea49975709dc629365a189f78a3ec40345fc6a5a307a8f9a4413091e007eca5645a0":0
+
+ARIA-192-ECB Decrypt - Official Test Vectors 1.0
+aria_decrypt_ecb:"00112233445566778899aabbccddeeff0011223344556677":"8d1470625f59ebacb0e55b534b3e462b5f23d33bff78f46c3c15911f4a21809aaccad80b4bda915aa9dae6bcebe06a6c83f77fd5391acfe61de2f646b5d447edbfd5bb49b12fbb9145b227895a757b2af1f7188734863d7b8b6ede5a5b2f06a0a233c8523d2db778fb31b0e311f32700152f33861e9d040c83b5eb40cd88ea49975709dc629365a189f78a3ec40345fc6a5a307a8f9a4413091e007eca5645a0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-256-ECB Encrypt - Official Test Vectors 1.0
+aria_encrypt_ecb:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"58a875e6044ad7fffa4f58420f7f442d8e191016f28e79aefc01e204773280d7018e5f7a938ec30711719953bae86542cd7ebc752474c1a5f6eaaace2a7e29462ee7dfa5afdb84177ead95ccd4b4bb6e1ed17b9534cff0a5fc2941429cfee2ee49c7adbeb7e9d1b0d2a8531d942079596a27ed79f5b1dd13ecd604b07a48885a3afa0627a0e4e60a3c703af292f1baa77b702f16c54aa74bc727ea95c7468b00":0
+
+ARIA-256-ECB Decrypt - Official Test Vectors 1.0
+aria_decrypt_ecb:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"58a875e6044ad7fffa4f58420f7f442d8e191016f28e79aefc01e204773280d7018e5f7a938ec30711719953bae86542cd7ebc752474c1a5f6eaaace2a7e29462ee7dfa5afdb84177ead95ccd4b4bb6e1ed17b9534cff0a5fc2941429cfee2ee49c7adbeb7e9d1b0d2a8531d942079596a27ed79f5b1dd13ecd604b07a48885a3afa0627a0e4e60a3c703af292f1baa77b702f16c54aa74bc727ea95c7468b00":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-128-CBC Encrypt - Official Test Vectors 1.0
+aria_encrypt_cbc:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"49d61860b14909109cef0d22a9268134fadf9fb23151e9645fba75018bdb1538b53334634bbf7d4cd4b5377033060c155fe3948ca75de1031e1d85619e0ad61eb419a866b3c2dbfd10a4ed18b22149f75897f0b8668b0c1c542c687778835fb7cd46e45f85eaa7072437dd9fa6793d6f8d4ccefc4eb1ac641ac1bd30b18c6d64c49bca137eb21c2e04da62712ca2b4f540c57112c38791852cfac7a5d19ed83a":0
+
+ARIA-128-CBC Decrypt - Official Test Vectors 1.0
+aria_decrypt_cbc:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"49d61860b14909109cef0d22a9268134fadf9fb23151e9645fba75018bdb1538b53334634bbf7d4cd4b5377033060c155fe3948ca75de1031e1d85619e0ad61eb419a866b3c2dbfd10a4ed18b22149f75897f0b8668b0c1c542c687778835fb7cd46e45f85eaa7072437dd9fa6793d6f8d4ccefc4eb1ac641ac1bd30b18c6d64c49bca137eb21c2e04da62712ca2b4f540c57112c38791852cfac7a5d19ed83a":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-192-CBC Encrypt - Official Test Vectors 1.0
+aria_encrypt_cbc:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"afe6cf23974b533c672a826264ea785f4e4f7f780dc7f3f1e0962b80902386d514e9c3e77259de92dd1102ffab086c1ea52a71260db5920a83295c25320e421147ca45d532f327b856ea947cd2196ae2e040826548b4c891b0ed0ca6e714dbc4631998d548110d666b3d54c2a091955c6f05beb4f62309368696c9791fc4c551564a2637f194346ec45fbca6c72a5b4612e208d531d6c34cc5c64eac6bd0cf8c":0
+
+ARIA-192-CBC Decrypt - Official Test Vectors 1.0
+aria_decrypt_cbc:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"afe6cf23974b533c672a826264ea785f4e4f7f780dc7f3f1e0962b80902386d514e9c3e77259de92dd1102ffab086c1ea52a71260db5920a83295c25320e421147ca45d532f327b856ea947cd2196ae2e040826548b4c891b0ed0ca6e714dbc4631998d548110d666b3d54c2a091955c6f05beb4f62309368696c9791fc4c551564a2637f194346ec45fbca6c72a5b4612e208d531d6c34cc5c64eac6bd0cf8c":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-256-CBC Encrypt - Official Test Vectors 1.0
+aria_encrypt_cbc:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"523a8a806ae621f155fdd28dbc34e1ab7b9b42432ad8b2efb96e23b13f0a6e52f36185d50ad002c5f601bee5493f118b243ee2e313642bffc3902e7b2efd9a12fa682edd2d23c8b9c5f043c18b17c1ec4b5867918270fbec1027c19ed6af833da5d620994668ca22f599791d292dd6273b2959082aafb7a996167cce1eec5f0cfd15f610d87e2dda9ba68ce1260ca54b222491418374294e7909b1e8551cd8de":0
+
+ARIA-256-CBC Decrypt - Official Test Vectors 1.0
+aria_decrypt_cbc:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"523a8a806ae621f155fdd28dbc34e1ab7b9b42432ad8b2efb96e23b13f0a6e52f36185d50ad002c5f601bee5493f118b243ee2e313642bffc3902e7b2efd9a12fa682edd2d23c8b9c5f043c18b17c1ec4b5867918270fbec1027c19ed6af833da5d620994668ca22f599791d292dd6273b2959082aafb7a996167cce1eec5f0cfd15f610d87e2dda9ba68ce1260ca54b222491418374294e7909b1e8551cd8de":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-128-CTR Encrypt - Official Test Vectors 1.0
+aria_encrypt_ctr:"00112233445566778899aabbccddeeff":"00000000000000000000000000000000":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"ac5d7de805a0bf1c57c854501af60fa11497e2a34519dea1569e91e5b5ccae2ff3bfa1bf975f4571f48be191613546c3911163c085f871f0e7ae5f2a085b81851c2a3ddf20ecb8fa51901aec8ee4ba32a35dab67bb72cd9140ad188a967ac0fbbdfa94ea6cce47dcf8525ab5a814cfeb2bb60ee2b126e2d9d847c1a9e96f9019e3e6a7fe40d3829afb73db1cc245646addb62d9b907baaafbe46a73dbc131d3d":0
+
+ARIA-192-CTR Encrypt - Official Test Vectors 1.0
+aria_encrypt_ctr:"00112233445566778899aabbccddeeff0011223344556677":"00000000000000000000000000000000":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"08625ca8fe569c19ba7af3760a6ed1cef4d199263e999dde14082dbba7560b79a4c6b456b8707dce751f9854f18893dfdb3f4e5afa539733e6f1e70b98ba37891f8f81e95df8efc26c7ce043504cb18958b865e4e316cd2aa1c97f31bf23dc046ef326b95a692a191ba0f2a41c5fe9ae070f236ff7078e703b42666caafbdd20bad74ac4c20c0f46c7ca24c151716575c947da16c90cfe1bf217a41cfebe7531":0
+
+ARIA-192-CTR Decrypt - Official Test Vectors 1.0
+aria_decrypt_ctr:"00112233445566778899aabbccddeeff0011223344556677":"00000000000000000000000000000000":"08625ca8fe569c19ba7af3760a6ed1cef4d199263e999dde14082dbba7560b79a4c6b456b8707dce751f9854f18893dfdb3f4e5afa539733e6f1e70b98ba37891f8f81e95df8efc26c7ce043504cb18958b865e4e316cd2aa1c97f31bf23dc046ef326b95a692a191ba0f2a41c5fe9ae070f236ff7078e703b42666caafbdd20bad74ac4c20c0f46c7ca24c151716575c947da16c90cfe1bf217a41cfebe7531":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-256-CTR Encrypt - Official Test Vectors 1.0
+aria_encrypt_ctr:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"00000000000000000000000000000000":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd":0
+
+ARIA-256-CTR Decrypt - Official Test Vectors 1.0
+aria_decrypt_ctr:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"00000000000000000000000000000000":"30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-128-CFB128 Encrypt - Official Test Vectors 1.0
+aria_encrypt_cfb128:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"3720e53ba7d615383406b09f0a05a200c07c21e6370f413a5d132500a68285017c61b434c7b7ca9685a51071861e4d4bb873b599b479e2d573dddeafba89f812ac6a9e44d554078eb3be94839db4b33da3f59c063123a7ef6f20e10579fa4fd239100ca73b52d4fcafeadee73f139f78f9b7614c2b3b9dbe010f87db06a89a9435f79ce8121431371f4e87b984e0230c22a6dacb32fc42dcc6accef33285bf11":0
+
+ARIA-128-CFB128 Decrypt - Official Test Vectors 1.0
+aria_decrypt_cfb128:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"3720e53ba7d615383406b09f0a05a200c07c21e6370f413a5d132500a68285017c61b434c7b7ca9685a51071861e4d4bb873b599b479e2d573dddeafba89f812ac6a9e44d554078eb3be94839db4b33da3f59c063123a7ef6f20e10579fa4fd239100ca73b52d4fcafeadee73f139f78f9b7614c2b3b9dbe010f87db06a89a9435f79ce8121431371f4e87b984e0230c22a6dacb32fc42dcc6accef33285bf11":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-192-CFB128 Encrypt - Official Test Vectors 1.0
+aria_encrypt_cfb128:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"4171f7192bf4495494d2736129640f5c4d87a9a213664c9448477c6ecc2013598d9766952dd8c3868f17e36ef66fd84bfa45d1593d2d6ee3ea2115047d710d4fb66187caa3a315b3c8ea2d313962edcfe5a3e2028d5ba9a09fd5c65c19d3440e477f0cab0628ec6902c73ee02f1afee9f80115be7b9df82d1e28228e28581a20560e195cbb9e2b327bf56fd2d0ae5502e42c13e9b4015d4da42dc859252e7da4":0
+
+ARIA-192-CFB128 Decrypt - Official Test Vectors 1.0
+aria_decrypt_cfb128:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"4171f7192bf4495494d2736129640f5c4d87a9a213664c9448477c6ecc2013598d9766952dd8c3868f17e36ef66fd84bfa45d1593d2d6ee3ea2115047d710d4fb66187caa3a315b3c8ea2d313962edcfe5a3e2028d5ba9a09fd5c65c19d3440e477f0cab0628ec6902c73ee02f1afee9f80115be7b9df82d1e28228e28581a20560e195cbb9e2b327bf56fd2d0ae5502e42c13e9b4015d4da42dc859252e7da4":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-256-CFB128 Encrypt - Official Test Vectors 1.0
+aria_encrypt_cfb128:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"26834705b0f2c0e2588d4a7f09009635f28bb93d8c31f870ec1e0bdb082b66fa402dd9c202be300c4517d196b14d4ce11dce97f7aaba54341b0d872cc9b63753a3e8556a14be6f7b3e27e3cfc39caf80f2a355aa50dc83c09c7b11828694f8e4aa726c528976b53f2c877f4991a3a8d28adb63bd751846ffb2350265e179d4990753ae8485ff9b4133ddad5875b84a90cbcfa62a045d726df71b6bda0eeca0be":0
+
+ARIA-256-CFB128 Decrypt - Official Test Vectors 1.0
+aria_decrypt_cfb128:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"26834705b0f2c0e2588d4a7f09009635f28bb93d8c31f870ec1e0bdb082b66fa402dd9c202be300c4517d196b14d4ce11dce97f7aaba54341b0d872cc9b63753a3e8556a14be6f7b3e27e3cfc39caf80f2a355aa50dc83c09c7b11828694f8e4aa726c528976b53f2c877f4991a3a8d28adb63bd751846ffb2350265e179d4990753ae8485ff9b4133ddad5875b84a90cbcfa62a045d726df71b6bda0eeca0be":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA Selftest
+aria_selftest:
diff --git a/tests/suites/test_suite_aria.function b/tests/suites/test_suite_aria.function
new file mode 100644
index 0000000..4e39078
--- /dev/null
+++ b/tests/suites/test_suite_aria.function
@@ -0,0 +1,338 @@
+/* BEGIN_HEADER */
+#include "mbedtls/aria.h"
+
+/* Maxium size of data used by test vectors
+ * WARNING: to be adapted if and when adding larger test cases */
+#define ARIA_MAX_DATASIZE 160
+
+/* Maximum sizes of hexified things */
+#define ARIA_MAX_KEY_STR ( 2 * MBEDTLS_ARIA_MAX_KEYSIZE + 1 )
+#define ARIA_BLOCK_STR ( 2 * MBEDTLS_ARIA_BLOCKSIZE + 1 )
+#define ARIA_MAX_DATA_STR ( 2 * ARIA_MAX_DATASIZE + 1 )
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_ARIA_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void aria_encrypt_ecb( char *hex_key_string, char *hex_src_string,
+ char *hex_dst_string, int setkey_result )
+{
+ unsigned char key_str[ARIA_MAX_KEY_STR];
+ unsigned char src_str[ARIA_MAX_DATA_STR];
+ unsigned char dst_str[ARIA_MAX_DATA_STR];
+ unsigned char output[ARIA_MAX_DATASIZE];
+ mbedtls_aria_context ctx;
+ int key_len, data_len, i;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ mbedtls_aria_init( &ctx );
+
+ key_len = unhexify( key_str, hex_key_string );
+ data_len = unhexify( src_str, hex_src_string );
+
+ TEST_ASSERT( mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 )
+ == setkey_result );
+ if( setkey_result == 0 )
+ {
+ for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE )
+ {
+ TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, src_str + i, output + i )
+ == 0 );
+ }
+ hexify( dst_str, output, data_len );
+
+ TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+ }
+
+exit:
+ mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void aria_decrypt_ecb( char *hex_key_string, char *hex_src_string,
+ char *hex_dst_string, int setkey_result )
+{
+ unsigned char key_str[ARIA_MAX_KEY_STR];
+ unsigned char src_str[ARIA_MAX_DATA_STR];
+ unsigned char dst_str[ARIA_MAX_DATA_STR];
+ unsigned char output[ARIA_MAX_DATASIZE];
+ mbedtls_aria_context ctx;
+ int key_len, data_len, i;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ mbedtls_aria_init( &ctx );
+
+ key_len = unhexify( key_str, hex_key_string );
+ data_len = unhexify( src_str, hex_src_string );
+
+ TEST_ASSERT( mbedtls_aria_setkey_dec( &ctx, key_str, key_len * 8 )
+ == setkey_result );
+ if( setkey_result == 0 )
+ {
+ for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE )
+ {
+ TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, src_str + i, output + i )
+ == 0 );
+ }
+ hexify( dst_str, output, data_len );
+
+ TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+ }
+
+exit:
+ mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
+void aria_encrypt_cbc( char *hex_key_string, char *hex_iv_string,
+ char *hex_src_string, char *hex_dst_string,
+ int cbc_result )
+{
+ unsigned char key_str[ARIA_MAX_KEY_STR];
+ unsigned char iv_str[ARIA_BLOCK_STR];
+ unsigned char src_str[ARIA_MAX_DATA_STR];
+ unsigned char dst_str[ARIA_MAX_DATA_STR];
+ unsigned char output[ARIA_MAX_DATASIZE];
+ mbedtls_aria_context ctx;
+ int key_len, data_len;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( iv_str, 0x00, sizeof( iv_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ mbedtls_aria_init( &ctx );
+
+ key_len = unhexify( key_str, hex_key_string );
+ unhexify( iv_str, hex_iv_string );
+ data_len = unhexify( src_str, hex_src_string );
+
+ mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+ TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, data_len,
+ iv_str, src_str, output )
+ == cbc_result );
+ if( cbc_result == 0 )
+ {
+ hexify( dst_str, output, data_len );
+
+ TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+ }
+
+exit:
+ mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
+void aria_decrypt_cbc( char *hex_key_string, char *hex_iv_string,
+ char *hex_src_string, char *hex_dst_string,
+ int cbc_result )
+{
+ unsigned char key_str[ARIA_MAX_KEY_STR];
+ unsigned char iv_str[ARIA_BLOCK_STR];
+ unsigned char src_str[ARIA_MAX_DATA_STR];
+ unsigned char dst_str[ARIA_MAX_DATA_STR];
+ unsigned char output[ARIA_MAX_DATASIZE];
+ mbedtls_aria_context ctx;
+ int key_len, data_len;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( iv_str, 0x00, sizeof( iv_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ mbedtls_aria_init( &ctx );
+
+ key_len = unhexify( key_str, hex_key_string );
+ unhexify( iv_str, hex_iv_string );
+ data_len = unhexify( src_str, hex_src_string );
+
+ mbedtls_aria_setkey_dec( &ctx, key_str, key_len * 8 );
+ TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, data_len,
+ iv_str, src_str, output )
+ == cbc_result );
+ if( cbc_result == 0 )
+ {
+ hexify( dst_str, output, data_len );
+
+ TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+ }
+
+exit:
+ mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
+void aria_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
+ char *hex_src_string, char *hex_dst_string,
+ int result )
+{
+ unsigned char key_str[ARIA_MAX_KEY_STR];
+ unsigned char iv_str[ARIA_BLOCK_STR];
+ unsigned char src_str[ARIA_MAX_DATA_STR];
+ unsigned char dst_str[ARIA_MAX_DATA_STR];
+ unsigned char output[ARIA_MAX_DATASIZE];
+ mbedtls_aria_context ctx;
+ size_t iv_offset = 0;
+ int key_len, data_len;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( iv_str, 0x00, sizeof( iv_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ mbedtls_aria_init( &ctx );
+
+ key_len = unhexify( key_str, hex_key_string );
+ unhexify( iv_str, hex_iv_string );
+ data_len = unhexify( src_str, hex_src_string );
+
+ mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+ TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT,
+ data_len, &iv_offset, iv_str,
+ src_str, output )
+ == result );
+ hexify( dst_str, output, data_len );
+
+ TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+
+exit:
+ mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
+void aria_decrypt_cfb128( char *hex_key_string, char *hex_iv_string,
+ char *hex_src_string, char *hex_dst_string,
+ int result )
+{
+ unsigned char key_str[ARIA_MAX_KEY_STR];
+ unsigned char iv_str[ARIA_BLOCK_STR];
+ unsigned char src_str[ARIA_MAX_DATA_STR];
+ unsigned char dst_str[ARIA_MAX_DATA_STR];
+ unsigned char output[ARIA_MAX_DATASIZE];
+ mbedtls_aria_context ctx;
+ size_t iv_offset = 0;
+ int key_len, data_len;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( iv_str, 0x00, sizeof( iv_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ mbedtls_aria_init( &ctx );
+
+ key_len = unhexify( key_str, hex_key_string );
+ unhexify( iv_str, hex_iv_string );
+ data_len = unhexify( src_str, hex_src_string );
+
+ mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+ TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT,
+ data_len, &iv_offset, iv_str,
+ src_str, output )
+ == result );
+ hexify( dst_str, output, data_len );
+
+ TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+
+exit:
+ mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */
+void aria_encrypt_ctr( char *hex_key_string, char *hex_iv_string,
+ char *hex_src_string, char *hex_dst_string,
+ int result )
+{
+ unsigned char key_str[ARIA_MAX_KEY_STR];
+ unsigned char iv_str[ARIA_BLOCK_STR];
+ unsigned char src_str[ARIA_MAX_DATA_STR];
+ unsigned char dst_str[ARIA_MAX_DATA_STR];
+ unsigned char output[ARIA_MAX_DATASIZE];
+ unsigned char blk[MBEDTLS_ARIA_BLOCKSIZE];
+ mbedtls_aria_context ctx;
+ size_t iv_offset = 0;
+ int key_len, data_len;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( iv_str, 0x00, sizeof( iv_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ mbedtls_aria_init( &ctx );
+
+ key_len = unhexify( key_str, hex_key_string );
+ unhexify( iv_str, hex_iv_string );
+ data_len = unhexify( src_str, hex_src_string );
+
+ mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+ TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, &iv_offset, iv_str,
+ blk, src_str, output )
+ == result );
+ hexify( dst_str, output, data_len );
+
+ TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+
+exit:
+ mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */
+void aria_decrypt_ctr( char *hex_key_string, char *hex_iv_string,
+ char *hex_src_string, char *hex_dst_string,
+ int result )
+{
+ unsigned char key_str[ARIA_MAX_KEY_STR];
+ unsigned char iv_str[ARIA_BLOCK_STR];
+ unsigned char src_str[ARIA_MAX_DATA_STR];
+ unsigned char dst_str[ARIA_MAX_DATA_STR];
+ unsigned char output[ARIA_MAX_DATASIZE];
+ unsigned char blk[MBEDTLS_ARIA_BLOCKSIZE];
+ mbedtls_aria_context ctx;
+ size_t iv_offset = 0;
+ int key_len, data_len;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( iv_str, 0x00, sizeof( iv_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+ mbedtls_aria_init( &ctx );
+
+ key_len = unhexify( key_str, hex_key_string );
+ unhexify( iv_str, hex_iv_string );
+ data_len = unhexify( src_str, hex_src_string );
+
+ mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+ TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, &iv_offset, iv_str,
+ blk, src_str, output )
+ == result );
+ hexify( dst_str, output, data_len );
+
+ TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+
+exit:
+ mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void aria_selftest()
+{
+ TEST_ASSERT( mbedtls_aria_self_test( 1 ) == 0 );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_ccm.data b/tests/suites/test_suite_ccm.data
index 90ba42d..cad40d5 100644
--- a/tests/suites/test_suite_ccm.data
+++ b/tests/suites/test_suite_ccm.data
@@ -41,6 +41,39 @@
CCM lengths #8 msg too long for this IV length (2^16, q = 2)
ccm_lengths:65536:13:5:8:MBEDTLS_ERR_CCM_BAD_INPUT
+CCM lengths #9 tag length 0
+ccm_lengths:5:10:5:0:MBEDTLS_ERR_CCM_BAD_INPUT
+
+CCM* fixed tag lengths #1 all OK
+ccm_star_lengths:5:10:5:8:0
+
+CCM* fixed tag lengths #2 all OK - tag length 0
+ccm_star_lengths:5:10:5:0:0
+
+CCM* encrypt and tag #1
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"":"ACDE480000000001":"00000005":2:"08D0842143010000000048DEAC020500000055CF000051525354":"223BC1EC841AB553":0
+
+CCM* encrypt and tag #2
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"61626364":"ACDE480000000001":"00000005":4:"69DC842143020000000048DEAC010000000048DEAC0405000000":"D43E022B":0
+
+CCM* encrypt and tag #3
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"CE":"ACDE480000000001":"00000005":6:"2BDC842143020000000048DEACFFFF010000000048DEAC060500000001":"D84FDE529061F9C6F1":0
+
+CCM* auth decrypt tag #1
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"223BC1EC841AB553":"ACDE480000000001":"00000005":2:"08D0842143010000000048DEAC020500000055CF000051525354":"":0
+
+CCM* auth decrypt tag #2
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"D43E022B":"ACDE480000000001":"00000005":4:"69DC842143020000000048DEAC010000000048DEAC0405000000":"61626364":0
+
+CCM* auth decrypt tag #3
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"D84FDE529061F9C6F1":"ACDE480000000001":"00000005":6:"2BDC842143020000000048DEACFFFF010000000048DEAC060500000001":"CE":0
+
CCM encrypt and tag RFC 3610 #1
depends_on:MBEDTLS_AES_C
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"00000003020100A0A1A2A3A4A5":"0001020304050607":"588C979A61C663D2F066D0C2C0F989806D5F6B61DAC38417E8D12CFDF926E0"
diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function
index 2f5c77c..58c8569 100644
--- a/tests/suites/test_suite_ccm.function
+++ b/tests/suites/test_suite_ccm.function
@@ -74,6 +74,47 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+void ccm_star_lengths( int msg_len, int iv_len, int add_len, int tag_len,
+ int res )
+{
+ mbedtls_ccm_context ctx;
+ unsigned char key[16];
+ unsigned char msg[10];
+ unsigned char iv[14];
+ unsigned char add[10];
+ unsigned char out[10];
+ unsigned char tag[18];
+ int decrypt_ret;
+
+ mbedtls_ccm_init( &ctx );
+
+ memset( key, 0, sizeof( key ) );
+ memset( msg, 0, sizeof( msg ) );
+ memset( iv, 0, sizeof( iv ) );
+ memset( add, 0, sizeof( add ) );
+ memset( out, 0, sizeof( out ) );
+ memset( tag, 0, sizeof( tag ) );
+
+ TEST_ASSERT( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+ key, 8 * sizeof( key ) ) == 0 );
+
+ TEST_ASSERT( mbedtls_ccm_star_encrypt_and_tag( &ctx, msg_len, iv, iv_len,
+ add, add_len, msg, out, tag, tag_len ) == res );
+
+ decrypt_ret = mbedtls_ccm_star_auth_decrypt( &ctx, msg_len, iv, iv_len, add,
+ add_len, msg, out, tag, tag_len );
+
+ if( res == 0 && tag_len != 0 )
+ TEST_ASSERT( decrypt_ret == MBEDTLS_ERR_CCM_AUTH_FAILED );
+ else
+ TEST_ASSERT( decrypt_ret == res );
+
+exit:
+ mbedtls_ccm_free( &ctx );
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void mbedtls_ccm_encrypt_and_tag( int cipher_id,
char *key_hex, char *msg_hex,
@@ -187,3 +228,140 @@
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_ccm_star_encrypt_and_tag( int cipher_id,
+ char *key_hex, char *msg_hex,
+ char *source_address_hex, char *frame_counter_hex,
+ int sec_level, char *add_hex,
+ char *result_hex, int output_ret )
+{
+ unsigned char key[32];
+ unsigned char msg[50];
+ unsigned char iv[13];
+ unsigned char add[32];
+ unsigned char result[50];
+ unsigned char source_address[8];
+ unsigned char frame_counter[4];
+ mbedtls_ccm_context ctx;
+ size_t i, key_len, msg_len, iv_len, add_len, result_len, source_address_len, frame_counter_len, tag_len;
+ int ret;
+
+ mbedtls_ccm_init( &ctx );
+
+ memset( key, 0x00, sizeof( key ) );
+ memset( msg, 0x00, sizeof( msg ) );
+ memset( iv, 0x00, sizeof( iv ) );
+ memset( add, 0x00, sizeof( add ) );
+ memset( result, 0x00, sizeof( result ) );
+ memset( source_address, 0x00, sizeof( source_address ) );
+ memset( frame_counter, 0x00, sizeof( frame_counter ) );
+
+ key_len = unhexify( key, key_hex );
+ msg_len = unhexify( msg, msg_hex );
+ add_len = unhexify( add, add_hex );
+ result_len = unhexify( result, result_hex );
+ source_address_len = unhexify( source_address, source_address_hex );
+ frame_counter_len = unhexify( frame_counter, frame_counter_hex );
+
+ if( sec_level % 4 == 0)
+ tag_len = 0;
+ else
+ tag_len = 1 << ( sec_level % 4 + 1);
+
+ for( i = 0; i < source_address_len; i++ )
+ iv[i] = source_address[i];
+
+ for( i = 0; i < frame_counter_len; i++ )
+ iv[source_address_len + i] = frame_counter[i];
+
+ iv[source_address_len + frame_counter_len] = sec_level;
+ iv_len = sizeof( iv );
+
+ TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key, key_len * 8 ) == 0 );
+
+ ret = mbedtls_ccm_star_encrypt_and_tag( &ctx, msg_len, iv, iv_len,
+ add, add_len, msg, msg, msg + msg_len, tag_len );
+
+ TEST_ASSERT( ret == output_ret );
+
+ TEST_ASSERT( memcmp( msg, result, result_len ) == 0 );
+
+ /* Check we didn't write past the end */
+ TEST_ASSERT( msg[result_len] == 0 && msg[result_len + 1] == 0 );
+
+exit:
+ mbedtls_ccm_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_ccm_star_auth_decrypt( int cipher_id,
+ char *key_hex, char *msg_hex,
+ char *source_address_hex, char *frame_counter_hex,
+ int sec_level, char *add_hex,
+ char *result_hex, int output_ret )
+{
+ unsigned char key[32];
+ unsigned char msg[50];
+ unsigned char iv[13];
+ unsigned char add[32];
+ unsigned char tag[16];
+ unsigned char result[50];
+ unsigned char source_address[8];
+ unsigned char frame_counter[4];
+ mbedtls_ccm_context ctx;
+ size_t i, key_len, msg_len, iv_len, add_len, tag_len, result_len, source_address_len, frame_counter_len;
+ int ret;
+
+ mbedtls_ccm_init( &ctx );
+
+ memset( key, 0x00, sizeof( key ) );
+ memset( msg, 0x00, sizeof( msg ) );
+ memset( iv, 0x00, sizeof( iv ) );
+ memset( add, 0x00, sizeof( add ) );
+ memset( result, 0x00, sizeof( result ) );
+ memset( source_address, 0x00, sizeof( source_address ) );
+ memset( frame_counter, 0x00, sizeof( frame_counter ) );
+ memset( tag, 0x00, sizeof( tag ) );
+
+ key_len = unhexify( key, key_hex );
+ msg_len = unhexify( msg, msg_hex );
+ add_len = unhexify( add, add_hex );
+ result_len = unhexify( result, result_hex );
+ source_address_len = unhexify( source_address, source_address_hex );
+ frame_counter_len = unhexify( frame_counter, frame_counter_hex );
+
+ if( sec_level % 4 == 0)
+ tag_len = 0;
+ else
+ tag_len = 1 << ( sec_level % 4 + 1);
+
+ for( i = 0; i < source_address_len; i++ )
+ iv[i] = source_address[i];
+
+ for( i = 0; i < frame_counter_len; i++ )
+ iv[source_address_len + i] = frame_counter[i];
+
+ iv[source_address_len + frame_counter_len] = sec_level;
+ iv_len = sizeof( iv );
+
+ msg_len -= tag_len;
+ memcpy( tag, msg + msg_len, tag_len );
+
+ TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key, key_len * 8 ) == 0 );
+
+ ret = mbedtls_ccm_star_auth_decrypt( &ctx, msg_len, iv, iv_len,
+ add, add_len, msg, msg, msg + msg_len, tag_len );
+
+ TEST_ASSERT( ret == output_ret );
+
+ TEST_ASSERT( memcmp( msg, result, result_len ) == 0 );
+
+ /* Check we didn't write past the end (where the original tag is) */
+ TEST_ASSERT( memcmp( msg + msg_len, tag, tag_len ) == 0 );
+
+exit:
+ mbedtls_ccm_free( &ctx );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_chacha20.data b/tests/suites/test_suite_chacha20.data
new file mode 100644
index 0000000..3f9033e
--- /dev/null
+++ b/tests/suites/test_suite_chacha20.data
@@ -0,0 +1,29 @@
+ChaCha20 RFC 7539 Example and Test Vector (Encrypt)
+chacha20_crypt:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"000000000000004a00000000":1:"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d"
+
+ChaCha20 RFC 7539 Example and Test Vector (Decrypt)
+chacha20_crypt:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"000000000000004a00000000":1:"6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e"
+
+ChaCha20 RFC 7539 Test Vector #1 (Encrypt)
+chacha20_crypt:"0000000000000000000000000000000000000000000000000000000000000000":"000000000000000000000000":0:"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":"76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586"
+
+ChaCha20 RFC 7539 Test Vector #1 (Decrypt)
+chacha20_crypt:"0000000000000000000000000000000000000000000000000000000000000000":"000000000000000000000000":0:"76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+
+ChaCha20 RFC 7539 Test Vector #2 (Encrypt)
+chacha20_crypt:"0000000000000000000000000000000000000000000000000000000000000001":"000000000000000000000002":1:"416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f":"a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221"
+
+ChaCha20 RFC 7539 Test Vector #2 (Decrypt)
+chacha20_crypt:"0000000000000000000000000000000000000000000000000000000000000001":"000000000000000000000002":1:"a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221":"416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f"
+
+ChaCha20 RFC 7539 Test Vector #3 (Encrypt)
+chacha20_crypt:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000000000000000002":42:"2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e":"62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1"
+
+ChaCha20 RFC 7539 Test Vector #3 (Decrypt)
+chacha20_crypt:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000000000000000002":42:"62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1":"2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e"
+
+ChaCha20 Paremeter Validation
+chacha20_bad_params:
+
+ChaCha20 Selftest
+chacha20_self_test:
diff --git a/tests/suites/test_suite_chacha20.function b/tests/suites/test_suite_chacha20.function
new file mode 100644
index 0000000..669d91e
--- /dev/null
+++ b/tests/suites/test_suite_chacha20.function
@@ -0,0 +1,140 @@
+/* BEGIN_HEADER */
+#include "mbedtls/chacha20.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_CHACHA20_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void chacha20_crypt( char *hex_key_string,
+ char *hex_nonce_string,
+ int counter,
+ char *hex_src_string,
+ char *hex_dst_string )
+{
+ unsigned char key_str[32]; /* size set by the standard */
+ unsigned char nonce_str[12]; /* size set by the standard */
+ unsigned char src_str[375]; /* max size of binary input */
+ unsigned char dst_str[751]; /* hex expansion of the above */
+ unsigned char output[751];
+ size_t key_len;
+ size_t nonce_len;
+ size_t src_len;
+ size_t dst_len;
+ mbedtls_chacha20_context ctx;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( nonce_str, 0x00, sizeof( nonce_str ) );
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( dst_str, 0x00, sizeof( dst_str ) );
+ memset( output, 0x00, sizeof( output ) );
+
+ key_len = unhexify( key_str, hex_key_string );
+ nonce_len = unhexify( nonce_str, hex_nonce_string );
+ src_len = unhexify( src_str, hex_src_string );
+ dst_len = unhexify( dst_str, hex_dst_string );
+
+ TEST_ASSERT( src_len == dst_len );
+ TEST_ASSERT( key_len == 32U );
+ TEST_ASSERT( nonce_len == 12U );
+
+ /*
+ * Test the integrated API
+ */
+ TEST_ASSERT( mbedtls_chacha20_crypt( key_str, nonce_str, counter, src_len, src_str, output ) == 0 );
+
+ hexify( dst_str, output, src_len );
+ TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0 );
+
+ /*
+ * Test the streaming API
+ */
+ mbedtls_chacha20_init( &ctx );
+
+ TEST_ASSERT( mbedtls_chacha20_setkey( &ctx, key_str ) == 0 );
+
+ TEST_ASSERT( mbedtls_chacha20_starts( &ctx, nonce_str, counter ) == 0 );
+
+ memset( output, 0x00, sizeof( output ) );
+ TEST_ASSERT( mbedtls_chacha20_update( &ctx, src_len, src_str, output ) == 0 );
+
+ hexify( dst_str, output, src_len );
+ TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0 );
+
+ /*
+ * Test the streaming API again, piecewise
+ */
+
+ /* Don't free/init the context nor set the key again,
+ * in order to test that starts() does the right thing. */
+ TEST_ASSERT( mbedtls_chacha20_starts( &ctx, nonce_str, counter ) == 0 );
+
+ memset( output, 0x00, sizeof( output ) );
+ TEST_ASSERT( mbedtls_chacha20_update( &ctx, 1, src_str, output ) == 0 );
+ TEST_ASSERT( mbedtls_chacha20_update( &ctx, src_len - 1, src_str + 1, output + 1 ) == 0 );
+
+ hexify( dst_str, output, src_len );
+ TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0 );
+
+ mbedtls_chacha20_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void chacha20_bad_params()
+{
+ unsigned char key[32];
+ unsigned char nonce[12];
+ unsigned char src[1];
+ unsigned char dst[1];
+ uint32_t counter = 0;
+ size_t len = sizeof( src );
+ mbedtls_chacha20_context ctx;
+
+ mbedtls_chacha20_init( NULL );
+ mbedtls_chacha20_free( NULL );
+
+ mbedtls_chacha20_init( &ctx );
+
+ TEST_ASSERT( mbedtls_chacha20_setkey( NULL, key )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chacha20_setkey( &ctx, NULL )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_chacha20_starts( NULL, nonce, counter )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chacha20_starts( &ctx, NULL, counter )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_chacha20_update( NULL, 0, src, dst )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chacha20_update( &ctx, len, NULL, dst )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chacha20_update( &ctx, len, src, NULL )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chacha20_update( &ctx, 0, NULL, NULL )
+ == 0 );
+
+ mbedtls_chacha20_free( &ctx );
+
+ TEST_ASSERT( mbedtls_chacha20_crypt( NULL, nonce, counter, 0, src, dst )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chacha20_crypt( key, NULL, counter, 0, src, dst )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chacha20_crypt( key, nonce, counter, len, NULL, dst )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chacha20_crypt( key, nonce, counter, len, src, NULL )
+ == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chacha20_crypt( key, nonce, counter, 0, NULL, NULL )
+ == 0 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void chacha20_self_test()
+{
+ TEST_ASSERT( mbedtls_chacha20_self_test( 1 ) == 0 );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_chachapoly.data b/tests/suites/test_suite_chachapoly.data
new file mode 100644
index 0000000..34cb568
--- /dev/null
+++ b/tests/suites/test_suite_chachapoly.data
@@ -0,0 +1,27 @@
+ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Encrypt)
+mbedtls_chachapoly_enc:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600691"
+
+ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Decrypt)
+mbedtls_chachapoly_dec:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"1ae10b594f09e26a7e902ecbd0600691":0
+
+ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Decrypt, not authentic)
+mbedtls_chachapoly_dec:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"1ae10b594f09e26a7e902ecbd0600690":MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+
+ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Encrypt)
+mbedtls_chachapoly_enc:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"eead9d67890cbb22392336fea1851f38"
+
+ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Decrypt)
+mbedtls_chachapoly_dec:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"eead9d67890cbb22392336fea1851f38":0
+
+ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Decrypt, not authentic)
+mbedtls_chachapoly_dec:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"fead9d67890cbb22392336fea1851f38":MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+
+ChaCha20-Poly1305 State Flow
+chachapoly_state:
+
+ChaCha20-Poly1305 Parameter Validation
+chachapoly_bad_params:
+
+ChaCha20-Poly1305 Selftest
+depends_on:MBEDTLS_SELF_TEST
+chachapoly_selftest:
diff --git a/tests/suites/test_suite_chachapoly.function b/tests/suites/test_suite_chachapoly.function
new file mode 100644
index 0000000..95dfd8a
--- /dev/null
+++ b/tests/suites/test_suite_chachapoly.function
@@ -0,0 +1,347 @@
+/* BEGIN_HEADER */
+#include "mbedtls/chachapoly.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_CHACHAPOLY_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void mbedtls_chachapoly_enc( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string )
+{
+ unsigned char key_str[32]; /* size set by the standard */
+ unsigned char nonce_str[12]; /* size set by the standard */
+ unsigned char aad_str[12]; /* max size of test data so far */
+ unsigned char input_str[265]; /* max size of binary input/output so far */
+ unsigned char output_str[265];
+ unsigned char output[265];
+ unsigned char mac_str[16]; /* size set by the standard */
+ unsigned char mac[16]; /* size set by the standard */
+ size_t input_len;
+ size_t output_len;
+ size_t aad_len;
+ size_t key_len;
+ size_t nonce_len;
+ size_t mac_len;
+ mbedtls_chachapoly_context ctx;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( nonce_str, 0x00, sizeof( nonce_str ) );
+ memset( aad_str, 0x00, sizeof( aad_str ) );
+ memset( input_str, 0x00, sizeof( input_str ) );
+ memset( output_str, 0x00, sizeof( output_str ) );
+ memset( mac_str, 0x00, sizeof( mac_str ) );
+
+ aad_len = unhexify( aad_str, hex_aad_string );
+ input_len = unhexify( input_str, hex_input_string );
+ output_len = unhexify( output_str, hex_output_string );
+ key_len = unhexify( key_str, hex_key_string );
+ nonce_len = unhexify( nonce_str, hex_nonce_string );
+ mac_len = unhexify( mac_str, hex_mac_string );
+
+ TEST_ASSERT( key_len == 32 );
+ TEST_ASSERT( nonce_len == 12 );
+ TEST_ASSERT( mac_len == 16 );
+
+ mbedtls_chachapoly_init( &ctx );
+
+ TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key_str ) == 0 );
+
+ TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
+ input_len, nonce_str,
+ aad_str, aad_len,
+ input_str, output, mac ) == 0 );
+
+ TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
+ TEST_ASSERT( memcmp( mac_str, mac, 16U ) == 0 );
+
+exit:
+ mbedtls_chachapoly_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_chachapoly_dec( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string, int ret_exp )
+{
+ unsigned char key_str[32]; /* size set by the standard */
+ unsigned char nonce_str[12]; /* size set by the standard */
+ unsigned char aad_str[12]; /* max size of test data so far */
+ unsigned char input_str[265]; /* max size of binary input/output so far */
+ unsigned char output_str[265];
+ unsigned char output[265];
+ unsigned char mac_str[16]; /* size set by the standard */
+ size_t input_len;
+ size_t output_len;
+ size_t aad_len;
+ size_t key_len;
+ size_t nonce_len;
+ size_t mac_len;
+ int ret;
+ mbedtls_chachapoly_context ctx;
+
+ memset( key_str, 0x00, sizeof( key_str ) );
+ memset( nonce_str, 0x00, sizeof( nonce_str ) );
+ memset( aad_str, 0x00, sizeof( aad_str ) );
+ memset( input_str, 0x00, sizeof( input_str ) );
+ memset( output_str, 0x00, sizeof( output_str ) );
+ memset( mac_str, 0x00, sizeof( mac_str ) );
+
+ aad_len = unhexify( aad_str, hex_aad_string );
+ input_len = unhexify( input_str, hex_input_string );
+ output_len = unhexify( output_str, hex_output_string );
+ key_len = unhexify( key_str, hex_key_string );
+ nonce_len = unhexify( nonce_str, hex_nonce_string );
+ mac_len = unhexify( mac_str, hex_mac_string );
+
+ TEST_ASSERT( key_len == 32 );
+ TEST_ASSERT( nonce_len == 12 );
+ TEST_ASSERT( mac_len == 16 );
+
+ mbedtls_chachapoly_init( &ctx );
+
+ TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key_str ) == 0 );
+
+ ret = mbedtls_chachapoly_auth_decrypt( &ctx,
+ input_len, nonce_str,
+ aad_str, aad_len,
+ mac_str, input_str, output );
+
+ TEST_ASSERT( ret == ret_exp );
+ if( ret_exp == 0 )
+ {
+ TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
+ }
+
+exit:
+ mbedtls_chachapoly_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void chachapoly_bad_params()
+{
+ unsigned char key[32];
+ unsigned char nonce[12];
+ unsigned char aad[1];
+ unsigned char input[1];
+ unsigned char output[1];
+ unsigned char mac[16];
+ size_t input_len = sizeof( input );
+ size_t aad_len = sizeof( aad );
+ mbedtls_chachapoly_context ctx;
+
+ memset( key, 0x00, sizeof( key ) );
+ memset( nonce, 0x00, sizeof( nonce ) );
+ memset( aad, 0x00, sizeof( aad ) );
+ memset( input, 0x00, sizeof( input ) );
+ memset( output, 0x00, sizeof( output ) );
+ memset( mac, 0x00, sizeof( mac ) );
+
+ mbedtls_chachapoly_init( NULL );
+ mbedtls_chachapoly_free( NULL );
+
+ mbedtls_chachapoly_init( &ctx );
+
+ TEST_ASSERT( mbedtls_chachapoly_setkey( NULL, key )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, NULL )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( NULL,
+ 0, nonce,
+ aad, 0,
+ input, output, mac )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
+ 0, NULL,
+ aad, 0,
+ input, output, mac )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
+ 0, nonce,
+ NULL, aad_len,
+ input, output, mac )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
+ input_len, nonce,
+ aad, 0,
+ NULL, output, mac )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
+ input_len, nonce,
+ aad, 0,
+ input, NULL, mac )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
+ 0, nonce,
+ aad, 0,
+ input, output, NULL )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( NULL,
+ 0, nonce,
+ aad, 0,
+ mac, input, output )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx,
+ 0, NULL,
+ aad, 0,
+ mac, input, output )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx,
+ 0, nonce,
+ NULL, aad_len,
+ mac, input, output )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx,
+ 0, nonce,
+ aad, 0,
+ NULL, input, output )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx,
+ input_len, nonce,
+ aad, 0,
+ mac, NULL, output )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx,
+ input_len, nonce,
+ aad, 0,
+ mac, input, NULL )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
+ 0, nonce,
+ aad, aad_len,
+ NULL, NULL, mac )
+ == 0 );
+ TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx,
+ 0, nonce,
+ aad, aad_len,
+ mac, NULL, NULL )
+ == 0 );
+
+ TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
+ input_len, nonce,
+ NULL, 0,
+ input, output, mac )
+ == 0 );
+ TEST_ASSERT( mbedtls_chachapoly_auth_decrypt( &ctx,
+ input_len, nonce,
+ NULL, 0,
+ mac, input, output )
+ == 0 );
+
+ TEST_ASSERT( mbedtls_chachapoly_starts( NULL, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, NULL, MBEDTLS_CHACHAPOLY_ENCRYPT )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_chachapoly_update_aad( NULL, aad, aad_len )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, NULL, aad_len )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_chachapoly_update( NULL, input_len, input, output )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, NULL, output )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, NULL )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_chachapoly_finish( NULL, mac )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, NULL )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+exit:
+ mbedtls_chachapoly_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void chachapoly_state()
+{
+ unsigned char key[32];
+ unsigned char nonce[12];
+ unsigned char aad[1];
+ unsigned char input[1];
+ unsigned char output[1];
+ unsigned char mac[16];
+ size_t input_len = sizeof( input );
+ size_t aad_len = sizeof( aad );
+ mbedtls_chachapoly_context ctx;
+
+ memset( key, 0x00, sizeof( key ) );
+ memset( nonce, 0x00, sizeof( nonce ) );
+ memset( aad, 0x00, sizeof( aad ) );
+ memset( input, 0x00, sizeof( input ) );
+ memset( output, 0x00, sizeof( output ) );
+ memset( mac, 0x00, sizeof( mac ) );
+
+ /* Initial state: finish, update, update_aad forbidden */
+ mbedtls_chachapoly_init( &ctx );
+
+ TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
+ == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+ TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+ == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+ TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+ == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+ /* Still initial state: finish, update, update_aad forbidden */
+ TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key )
+ == 0 );
+
+ TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
+ == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+ TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+ == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+ TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+ == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+ /* Starts -> finish OK */
+ TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
+ == 0 );
+ TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
+ == 0 );
+
+ /* After finish: update, update_aad forbidden */
+ TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+ == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+ TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+ == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+ /* Starts -> update* OK */
+ TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
+ == 0 );
+ TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+ == 0 );
+ TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+ == 0 );
+
+ /* After update: update_aad forbidden */
+ TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+ == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+ /* Starts -> update_aad* -> finish OK */
+ TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
+ == 0 );
+ TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+ == 0 );
+ TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+ == 0 );
+ TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
+ == 0 );
+
+exit:
+ mbedtls_chachapoly_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void chachapoly_selftest()
+{
+ TEST_ASSERT( mbedtls_chachapoly_self_test( 1 ) == 0 );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_cipher.aes.data b/tests/suites/test_suite_cipher.aes.data
index e8e9a15..baab358 100644
--- a/tests/suites/test_suite_cipher.aes.data
+++ b/tests/suites/test_suite_cipher.aes.data
@@ -414,7 +414,7 @@
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CFB
enc_dec_buf:MBEDTLS_CIPHER_AES_128_CFB128:"AES-128-CFB128":128:32:-1
-AES-128 CFB - Encrypt and decrypt 32 bytes
+AES-128 CFB - Encrypt and decrypt 33 bytes
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CFB
enc_dec_buf:MBEDTLS_CIPHER_AES_128_CFB128:"AES-128-CFB128":128:33:-1
@@ -474,6 +474,382 @@
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CFB
enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CFB128:128:16:16:-1:16:16:16:16
+AES-128 OFB - Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:0:-1
+
+AES-128 OFB - Encrypt and decrypt 1 byte
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:1:-1
+
+AES-128 OFB - Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:2:-1
+
+AES-128 OFB - Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:7:-1
+
+AES-128 OFB - Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:8:-1
+
+AES-128 OFB - Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:9:-1
+
+AES-128 OFB - Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:15:-1
+
+AES-128 OFB - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:16:-1
+
+AES-128 OFB - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:17:-1
+
+AES-128 OFB - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:31:-1
+
+AES-128 OFB - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:32:-1
+
+AES-128 OFB - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:33:-1
+
+AES-128 OFB - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:47:-1
+
+AES-128 OFB - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:48:-1
+
+AES-128 OFB - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:49:-1
+
+AES-128 OFB - Encrypt and decrypt 0 bytes in multiple parts
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:0:0:-1:0:0:0:0
+
+AES-128 OFB - Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:1:0:-1:1:0:1:0
+
+AES-128 OFB - Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:0:1:-1:0:1:0:1
+
+AES-128 OFB - Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:16:0:-1:16:0:16:0
+
+AES-128 OFB - Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:0:16:-1:0:16:0:16
+
+AES-128 OFB - Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:1:15:-1:1:15:1:15
+
+AES-128 OFB - Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:15:1:-1:15:1:15:1
+
+AES-128 OFB - Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:15:7:-1:15:7:15:7
+
+AES-128 OFB - Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:16:6:-1:16:6:16:6
+
+AES-128 OFB - Encrypt and decrypt 23 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:17:6:-1:17:6:17:6
+
+AES-128 OFB - Encrypt and decrypt 32 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:16:16:-1:16:16:16:16
+
+AES-192 OFB - Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:0:-1
+
+AES-192 OFB - Encrypt and decrypt 1 byte
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:1:-1
+
+AES-192 OFB - Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:2:-1
+
+AES-192 OFB - Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:7:-1
+
+AES-192 OFB - Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:8:-1
+
+AES-192 OFB - Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:9:-1
+
+AES-192 OFB - Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:15:-1
+
+AES-192 OFB - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:16:-1
+
+AES-192 OFB - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:17:-1
+
+AES-192 OFB - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:31:-1
+
+AES-192 OFB - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:32:-1
+
+AES-192 OFB - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:33:-1
+
+AES-192 OFB - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:47:-1
+
+AES-192 OFB - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:48:-1
+
+AES-192 OFB - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:49:-1
+
+AES-192 OFB - Encrypt and decrypt 0 bytes in multiple parts
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:0:0:-1:0:0:0:0
+
+AES-192 OFB - Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:1:0:-1:1:0:1:0
+
+AES-192 OFB - Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:0:1:-1:0:1:0:1
+
+AES-192 OFB - Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:16:0:-1:16:0:16:0
+
+AES-192 OFB - Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:0:16:-1:0:16:0:16
+
+AES-192 OFB - Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:1:15:-1:1:15:1:15
+
+AES-192 OFB - Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:15:1:-1:15:1:15:1
+
+AES-192 OFB - Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:15:7:-1:15:7:15:7
+
+AES-192 OFB - Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:16:6:-1:16:6:16:6
+
+AES-192 OFB - Encrypt and decrypt 23 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:17:6:-1:17:6:17:6
+
+AES-192 OFB - Encrypt and decrypt 32 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:16:16:-1:16:16:16:16
+
+AES-256 OFB - Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:0:-1
+
+AES-256 OFB - Encrypt and decrypt 1 byte
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:1:-1
+
+AES-256 OFB - Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:2:-1
+
+AES-256 OFB - Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:7:-1
+
+AES-256 OFB - Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:8:-1
+
+AES-256 OFB - Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:9:-1
+
+AES-256 OFB - Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:15:-1
+
+AES-256 OFB - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:16:-1
+
+AES-256 OFB - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:17:-1
+
+AES-256 OFB - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:31:-1
+
+AES-256 OFB - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:32:-1
+
+AES-256 OFB - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:33:-1
+
+AES-256 OFB - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:47:-1
+
+AES-256 OFB - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:48:-1
+
+AES-256 OFB - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:49:-1
+
+AES-256 OFB - Encrypt and decrypt 0 bytes in multiple parts
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:0:0:-1:0:0:0:0
+
+AES-256 OFB - Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:1:0:-1:1:0:1:0
+
+AES-256 OFB - Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:0:1:-1:0:1:0:1
+
+AES-256 OFB - Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:16:0:-1:16:0:16:0
+
+AES-256 OFB - Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:0:16:-1:0:16:0:16
+
+AES-256 OFB - Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:1:15:-1:1:15:1:15
+
+AES-256 OFB - Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:15:1:-1:15:1:15:1
+
+AES-256 OFB - Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:15:7:-1:15:7:15:7
+
+AES-256 OFB - Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:16:6:-1:16:6:16:6
+
+AES-256 OFB - Encrypt and decrypt 23 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:17:6:-1:17:6:17:6
+
+AES-256 OFB - Encrypt and decrypt 32 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:16:16:-1:16:16:16:16
+
+AES-128 XTS - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:16:-1
+
+AES-128 XTS - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:17:-1
+
+AES-128 XTS - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:31:-1
+
+AES-128 XTS - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:32:-1
+
+AES-128 XTS - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:33:-1
+
+AES-128 XTS - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:47:-1
+
+AES-128 XTS - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:48:-1
+
+AES-128 XTS - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:49:-1
+
+AES-256 XTS - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:16:-1
+
+AES-256 XTS - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:17:-1
+
+AES-256 XTS - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:31:-1
+
+AES-256 XTS - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:32:-1
+
+AES-256 XTS - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:33:-1
+
+AES-256 XTS - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:47:-1
+
+AES-256 XTS - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:48:-1
+
+AES-256 XTS - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:49:-1
+
AES-128 CTR - Encrypt and decrypt 0 bytes
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
enc_dec_buf:MBEDTLS_CIPHER_AES_128_CTR:"AES-128-CTR":128:0:-1
@@ -518,7 +894,7 @@
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
enc_dec_buf:MBEDTLS_CIPHER_AES_128_CTR:"AES-128-CTR":128:32:-1
-AES-128 CTR - Encrypt and decrypt 32 bytes
+AES-128 CTR - Encrypt and decrypt 33 bytes
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
enc_dec_buf:MBEDTLS_CIPHER_AES_128_CTR:"AES-128-CTR":128:33:-1
@@ -814,6 +1190,18 @@
depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CFB
decrypt_test_vec:MBEDTLS_CIPHER_AES_256_CFB128:-1:"ffffffffff800000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"be66cfea2fecd6bf0ec7b4352c99bcaa":"00000000000000000000000000000000":"":"":0:0
+AES Decrypt test vector #7
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+decrypt_test_vec:MBEDTLS_CIPHER_AES_128_OFB:-1:"2B7E151628AED2A6ABF7158809CF4F3C":"000102030405060708090A0B0C0D0E0F":"3B3FD92EB72DAD20333449F8E83CFB4A7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e":"6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E5130C81C46A35CE411E5FBC1191A0A52EFF69F2445DF4F9B17AD2B417BE66C3710":"":"":0:0:
+
+AES Decrypt test vector #8
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+decrypt_test_vec:MBEDTLS_CIPHER_AES_192_OFB:-1:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"000102030405060708090A0B0C0D0E0F":"CDC80D6FDDF18CAB34C25909C99A4174fcc28b8d4c63837c09e81700c11004018d9a9aeac0f6596f559c6d4daf59a5f26d9f200857ca6c3e9cac524bd9acc92a":"6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E5130C81C46A35CE411E5FBC1191A0A52EFF69F2445DF4F9B17AD2B417BE66C3710":"":"":0:0:
+
+AES Decrypt test vector #9
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+decrypt_test_vec:MBEDTLS_CIPHER_AES_256_OFB:-1:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"000102030405060708090A0B0C0D0E0F":"DC7E84BFDA79164B7ECD8486985D38604febdc6740d20b3ac88f6ad82a4fb08d71ab47a086e86eedf39d1c5bba97c4080126141d67f37be8538f5a8be740e484":"6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E5130C81C46A35CE411E5FBC1191A0A52EFF69F2445DF4F9B17AD2B417BE66C3710":"":"":0:0:
+
AES-128-ECB Encrypt NIST KAT #1
depends_on:MBEDTLS_AES_C
test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_ENCRYPT:"00000000000000000000000000000000":"f34481ec3cc627bacd5dc3fb08f273e6":"0336763e966d92595a567cc9ce537f5e":0
diff --git a/tests/suites/test_suite_cipher.chacha20.data b/tests/suites/test_suite_cipher.chacha20.data
new file mode 100644
index 0000000..c67e582
--- /dev/null
+++ b/tests/suites/test_suite_cipher.chacha20.data
@@ -0,0 +1,115 @@
+Decrypt empty buffer
+depends_on:MBEDTLS_CHACHA20_C
+dec_empty_buf:
+
+Chacha20 RFC 7539 Test Vector #1
+depends_on:MBEDTLS_CHACHA20_C
+decrypt_test_vec:MBEDTLS_CIPHER_CHACHA20:-1:"0000000000000000000000000000000000000000000000000000000000000000":"000000000000000000000000":"76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":"":"":0:0
+
+ChaCha20 Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:0:-1
+
+ChaCha20 Encrypt and decrypt 1 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:1:-1
+
+ChaCha20 Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:2:-1
+
+ChaCha20 Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:7:-1
+
+ChaCha20 Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:8:-1
+
+ChaCha20 Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:9:-1
+
+ChaCha20 Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:15:-1
+
+ChaCha20 Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:16:-1
+
+ChaCha20 Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:17:-1
+
+ChaCha20 Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:31:-1
+
+ChaCha20 Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:32:-1
+
+ChaCha20 Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:33:-1
+
+ChaCha20 Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:47:-1
+
+ChaCha20 Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:48:-1
+
+ChaCha20 Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:49:-1
+
+ChaCha20 Encrypt and decrypt 0 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:0:0:-1:0:0:0:0
+
+ChaCha20 Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:1:0:-1:1:0:1:0
+
+ChaCha20 Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:0:1:-1:0:1:0:1
+
+ChaCha20 Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:16:0:-1:16:0:16:0
+
+ChaCha20 Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:0:16:-1:0:16:0:16
+
+ChaCha20 Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:1:15:-1:1:15:1:15
+
+ChaCha20 Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:15:1:-1:15:1:15:1
+
+ChaCha20 Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:15:7:-1:15:7:15:7
+
+ChaCha20 Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:7:15:-1:7:15:7:15
+
+ChaCha20 Encrypt and decrypt 22 bytes in multiple parts 3
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:16:6:-1:16:6:16:6
+
+ChaCha20 Encrypt and decrypt 22 bytes in multiple parts 4
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:6:16:-1:6:16:6:16
+
+ChaCha20 Encrypt and decrypt 32 bytes in multiple parts
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:16:16:-1:16:16:16:16
diff --git a/tests/suites/test_suite_cipher.chachapoly.data b/tests/suites/test_suite_cipher.chachapoly.data
new file mode 100644
index 0000000..1760dc0
--- /dev/null
+++ b/tests/suites/test_suite_cipher.chachapoly.data
@@ -0,0 +1,123 @@
+Decrypt empty buffer
+depends_on:MBEDTLS_CHACHAPOLY_C:
+dec_empty_buf:
+
+ChaCha20+Poly1305 Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:0:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 1 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:1:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:2:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:7:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:8:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:9:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:15:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:16:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:17:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:31:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:32:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:33:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:47:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:48:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:49:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 0 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:0:0:-1:0:0:0:0
+
+ChaCha20+Poly1305 Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:1:0:-1:1:0:1:0
+
+ChaCha20+Poly1305 Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:0:1:-1:0:1:0:1
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:16:0:-1:16:0:16:0
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:0:16:-1:0:16:0:16
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:1:15:-1:1:15:1:15
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:15:1:-1:15:1:15:1
+
+ChaCha20+Poly1305 Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:15:7:-1:15:7:15:7
+
+ChaCha20+Poly1305 Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:7:15:-1:7:15:7:15
+
+ChaCha20+Poly1305 Encrypt and decrypt 22 bytes in multiple parts 3
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:16:6:-1:16:6:16:6
+
+ChaCha20+Poly1305 Encrypt and decrypt 22 bytes in multiple parts 4
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:6:16:-1:6:16:6:16
+
+ChaCha20+Poly1305 Encrypt and decrypt 32 bytes in multiple parts
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:16:16:-1:16:16:16:16
+
+ChaCha20+Poly1305 RFC 7539 Test Vector #1
+depends_on:MBEDTLS_CHACHAPOLY_C
+auth_crypt_tv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"eead9d67890cbb22392336fea1851f38":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d"
+
+ChaCha20+Poly1305 RFC 7539 Test Vector #1 Unauthentic (1st bit flipped)
+depends_on:MBEDTLS_CHACHAPOLY_C
+auth_crypt_tv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"6ead9d67890cbb22392336fea1851f38":"FAIL"
+
+Chacha20+Poly1305 RFC 7539 Test Vector #1 (streaming)
+depends_on:MBEDTLS_CHACHAPOLY_C
+decrypt_test_vec:MBEDTLS_CIPHER_CHACHA20_POLY1305:-1:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"f33388860000000000004e91":"eead9d67890cbb22392336fea1851f38":0:0
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 8f1109e..52526a8 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -60,7 +60,7 @@
TEST_ASSERT( mbedtls_cipher_reset( NULL ) == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
TEST_ASSERT( mbedtls_cipher_reset( &ctx ) == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( mbedtls_cipher_update_ad( NULL, buf, 0 )
== MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
TEST_ASSERT( mbedtls_cipher_update_ad( &ctx, buf, 0 )
@@ -77,7 +77,7 @@
TEST_ASSERT( mbedtls_cipher_finish( &ctx, buf, &olen )
== MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( mbedtls_cipher_write_tag( NULL, buf, olen )
== MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
TEST_ASSERT( mbedtls_cipher_write_tag( &ctx, buf, olen )
@@ -134,7 +134,7 @@
int length_val, int pad_mode )
{
size_t length = length_val, outlen, total_len, i, block_size;
- unsigned char key[32];
+ unsigned char key[64];
unsigned char iv[16];
unsigned char ad[13];
unsigned char tag[16];
@@ -195,7 +195,7 @@
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) );
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, ad, sizeof( ad ) - i ) );
TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, ad, sizeof( ad ) - i ) );
#endif
@@ -215,7 +215,7 @@
TEST_ASSERT( 0 == mbedtls_cipher_finish( &ctx_enc, encbuf + outlen, &outlen ) );
total_len += outlen;
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( 0 == mbedtls_cipher_write_tag( &ctx_enc, tag, sizeof( tag ) ) );
#endif
@@ -236,7 +236,7 @@
TEST_ASSERT( 0 == mbedtls_cipher_finish( &ctx_dec, decbuf + outlen, &outlen ) );
total_len += outlen;
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( 0 == mbedtls_cipher_check_tag( &ctx_dec, tag, sizeof( tag ) ) );
#endif
@@ -292,7 +292,7 @@
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv, 16 ) );
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, NULL, 0 ) );
#endif
@@ -340,7 +340,7 @@
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
#endif
@@ -416,7 +416,7 @@
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) );
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, NULL, 0 ) );
#endif
@@ -479,16 +479,16 @@
{
unsigned char key[50];
unsigned char iv[50];
- unsigned char cipher[200];
- unsigned char clear[200];
+ unsigned char cipher[265]; /* max length of test data so far */
+ unsigned char clear[265];
+ unsigned char output[265];
unsigned char ad[200];
unsigned char tag[20];
size_t key_len, iv_len, cipher_len, clear_len;
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
size_t ad_len, tag_len;
#endif
mbedtls_cipher_context_t ctx;
- unsigned char output[200];
size_t outlen, total_len;
mbedtls_cipher_init( &ctx );
@@ -505,7 +505,7 @@
iv_len = unhexify( iv, hex_iv );
cipher_len = unhexify( cipher, hex_cipher );
clear_len = unhexify( clear, hex_clear );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
ad_len = unhexify( ad, hex_ad );
tag_len = unhexify( tag, hex_tag );
#else
@@ -525,7 +525,7 @@
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv, iv_len ) );
TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, ad, ad_len ) );
#endif
@@ -536,7 +536,7 @@
TEST_ASSERT( finish_result == mbedtls_cipher_finish( &ctx, output + outlen,
&outlen ) );
total_len += outlen;
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
TEST_ASSERT( tag_result == mbedtls_cipher_check_tag( &ctx, tag, tag_len ) );
#endif
@@ -560,14 +560,14 @@
int ret;
unsigned char key[50];
unsigned char iv[50];
- unsigned char cipher[200];
- unsigned char clear[200];
+ unsigned char cipher[265]; /* max size of test data so far */
+ unsigned char clear[265];
+ unsigned char output[267]; /* above + 2 (overwrite check) */
unsigned char ad[200];
unsigned char tag[20];
unsigned char my_tag[20];
size_t key_len, iv_len, cipher_len, clear_len, ad_len, tag_len;
mbedtls_cipher_context_t ctx;
- unsigned char output[200];
size_t outlen;
mbedtls_cipher_init( &ctx );
diff --git a/tests/suites/test_suite_dhm.data b/tests/suites/test_suite_dhm.data
index e351ebd..734fd97 100644
--- a/tests/suites/test_suite_dhm.data
+++ b/tests/suites/test_suite_dhm.data
@@ -19,10 +19,10 @@
Diffie-Hellman zero modulus
dhm_do_dhm:10:"0":10:"5":MBEDTLS_ERR_DHM_BAD_INPUT_DATA
-Diffie-Hallman load parameters from file
+Diffie-Hellman load parameters from file
dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128
-Diffie-Hallman load parameters from file
+Diffie-Hellman load parameters from file
dhm_file:"data_files/dh.optlen.pem":"b3126aeaf47153c7d67f403030b292b5bd5a6c9eae1c137af34087fce2a36a578d70c5c560ad2bdb924c4a4dbee20a1671be7103ce87defa76908936803dbeca60c33e1289c1a03ac2c6c4e49405e5902fa0596a1cbaa895cc402d5213ed4a5f1f5ba8b5e1ed3da951a4c475afeb0ca660b7368c38c8e809f382d96ae19e60dc984e61cb42b5dfd723322acf327f9e413cda6400c15c5b2ea1fa34405d83982fba40e6d852da3d91019bf23511314254dc211a90833e5b1798ee52a78198c555644729ad92f060367c74ded37704adfc273a4a33fec821bd2ebd3bc051730e97a4dd14d2b766062592f5eec09d16bb50efebf2cc00dd3e0e3418e60ec84870f7":"800abfe7dc667aa17bcd7c04614bc221a65482ccc04b604602b0e131908a938ea11b48dc515dab7abcbb1e0c7fd66511edc0d86551b7632496e03df94357e1c4ea07a7ce1e381a2fcafdff5f5bf00df828806020e875c00926e4d011f88477a1b01927d73813cad4847c6396b9244621be2b00b63c659253318413443cd244215cd7fd4cbe796e82c6cf70f89cc0c528fb8e344809b31876e7ef739d5160d095c9684188b0c8755c7a468d47f56d6db9ea012924ecb0556fb71312a8d7c93bb2898ea08ee54eeb594548285f06a973cbbe2a0cb02e90f323fe045521f34c68354a6d3e95dbfff1eb64692edc0a44f3d3e408d0e479a541e779a6054259e2d854":256
Diffie-Hellman selftest
diff --git a/tests/suites/test_suite_hkdf.data b/tests/suites/test_suite_hkdf.data
new file mode 100644
index 0000000..1583736
--- /dev/null
+++ b/tests/suites/test_suite_hkdf.data
@@ -0,0 +1,98 @@
+HKDF extract fails with hash_len of 0
+test_hkdf_extract_ret:0:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF expand fails with NULL okm
+test_hkdf_expand_ret:32:32:0:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF expand fails with hash_len of 0
+test_hkdf_expand_ret:0:32:32:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF expand fails with prk_len < hash_len
+test_hkdf_expand_ret:32:16:32:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF expand fails with okm_len / hash_len > 255
+test_hkdf_expand_ret:32:32:8192:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF RFC5869 Test Vector #1
+depends_on:MBEDTLS_SHA256_C
+test_hkdf:6:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
+
+HKDF RFC5869 Test Vector #2
+depends_on:MBEDTLS_SHA256_C
+test_hkdf:6:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87"
+
+HKDF RFC5869 Test Vector #3
+depends_on:MBEDTLS_SHA256_C
+test_hkdf:6:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"":"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8"
+
+HKDF RFC5869 Test Vector #4
+depends_on:MBEDTLS_SHA1_C
+test_hkdf:4:"0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896"
+
+HKDF RFC5869 Test Vector #5
+depends_on:MBEDTLS_SHA1_C
+test_hkdf:4:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4"
+
+HKDF RFC5869 Test Vector #6
+depends_on:MBEDTLS_SHA1_C
+test_hkdf:4:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"":"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918"
+
+HKDF RFC5869 Test Vector #7
+depends_on:MBEDTLS_SHA1_C
+test_hkdf:4:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"":"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48"
+
+HKDF RFC5869 Test Vector #1 Extract
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_extract:6:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
+
+HKDF RFC5869 Test Vector #2 Extract
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_extract:6:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244"
+
+HKDF RFC5869 Test Vector #3 Extract
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_extract:6:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04"
+
+HKDF RFC5869 Test Vector #4 Extract
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_extract:4:"0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243"
+
+HKDF RFC5869 Test Vector #5 Extract
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_extract:4:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"8adae09a2a307059478d309b26c4115a224cfaf6"
+
+HKDF RFC5869 Test Vector #6 Extract
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_extract:4:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01"
+
+HKDF RFC5869 Test Vector #7 Extract
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_extract:4:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"2adccada18779e7c2077ad2eb19d3f3e731385dd"
+
+HKDF RFC5869 Test Vector #1 Expand
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_expand:6:"f0f1f2f3f4f5f6f7f8f9":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
+
+HKDF RFC5869 Test Vector #2 Expand
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_expand:6:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244":"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87"
+
+HKDF RFC5869 Test Vector #3 Expand
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_expand:6:"":"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04":"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8"
+
+HKDF RFC5869 Test Vector #4 Expand
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_expand:4:"f0f1f2f3f4f5f6f7f8f9":"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243":"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896"
+
+HKDF RFC5869 Test Vector #5 Expand
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_expand:4:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"8adae09a2a307059478d309b26c4115a224cfaf6":"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4"
+
+HKDF RFC5869 Test Vector #6 Expand
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_expand:4:"":"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01":"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918"
+
+HKDF RFC5869 Test Vector #7 Expand
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_expand:4:"":"2adccada18779e7c2077ad2eb19d3f3e731385dd":"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48"
diff --git a/tests/suites/test_suite_hkdf.function b/tests/suites/test_suite_hkdf.function
new file mode 100644
index 0000000..c85a51a
--- /dev/null
+++ b/tests/suites/test_suite_hkdf.function
@@ -0,0 +1,170 @@
+/* BEGIN_HEADER */
+#include "mbedtls/hkdf.h"
+#include "mbedtls/md_internal.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_HKDF_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void test_hkdf( int md_alg, char *hex_ikm_string, char *hex_salt_string,
+ char *hex_info_string, char *hex_okm_string )
+{
+ int ret;
+ size_t ikm_len, salt_len, info_len, okm_len;
+ unsigned char ikm[1024] = { '\0' };
+ unsigned char salt[1024] = { '\0' };
+ unsigned char info[1024] = { '\0' };
+ unsigned char expected_okm[1024] = { '\0' };
+ unsigned char okm[1024] = { '\0' };
+ unsigned char okm_string[1000] = { '\0' };
+
+ const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
+ TEST_ASSERT( md != NULL );
+
+ ikm_len = unhexify( ikm, hex_ikm_string );
+ salt_len = unhexify( salt, hex_salt_string );
+ info_len = unhexify( info, hex_info_string );
+ okm_len = unhexify( expected_okm, hex_okm_string );
+
+ ret = mbedtls_hkdf( md, salt, salt_len, ikm, ikm_len, info, info_len, okm,
+ okm_len);
+ TEST_ASSERT( ret == 0 );
+
+ // Run hexify on it so that it looks nicer if the assertion fails
+ hexify( okm_string, okm, okm_len );
+ TEST_ASSERT( !strcmp( (char *)okm_string, hex_okm_string ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void test_hkdf_extract( int md_alg, char *hex_ikm_string,
+ char *hex_salt_string, char *hex_prk_string )
+{
+ int ret;
+ unsigned char *ikm = NULL;
+ unsigned char *salt = NULL;
+ unsigned char *prk = NULL;
+ unsigned char *output_prk = NULL;
+ size_t ikm_len, salt_len, prk_len, output_prk_len;
+
+ const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
+ TEST_ASSERT( md != NULL );
+
+ output_prk_len = mbedtls_md_get_size( md );
+ output_prk = mbedtls_calloc( 1, output_prk_len );
+
+ ikm = unhexify_alloc( hex_ikm_string, &ikm_len );
+ salt = unhexify_alloc( hex_salt_string, &salt_len );
+ prk = unhexify_alloc( hex_prk_string, &prk_len );
+ TEST_ASSERT( prk_len == output_prk_len );
+
+ ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, output_prk );
+ TEST_ASSERT( ret == 0 );
+
+ TEST_ASSERT( !memcmp( output_prk, prk, prk_len ) );
+
+exit:
+ mbedtls_free(ikm);
+ mbedtls_free(salt);
+ mbedtls_free(prk);
+ mbedtls_free(output_prk);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void test_hkdf_expand( int md_alg, char *hex_info_string,
+ char *hex_prk_string, char *hex_okm_string )
+{
+ enum { OKM_LEN = 1024 };
+ int ret;
+ unsigned char *info = NULL;
+ unsigned char *prk = NULL;
+ unsigned char *okm = NULL;
+ unsigned char *output_okm = NULL;
+ size_t info_len, prk_len, okm_len;
+
+ const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
+ TEST_ASSERT( md != NULL );
+
+ output_okm = mbedtls_calloc( OKM_LEN, 1 );
+
+ prk = unhexify_alloc( hex_prk_string, &prk_len );
+ info = unhexify_alloc( hex_info_string, &info_len );
+ okm = unhexify_alloc( hex_okm_string, &okm_len );
+ TEST_ASSERT( prk_len == mbedtls_md_get_size( md ) );
+ TEST_ASSERT( okm_len < OKM_LEN );
+
+ ret = mbedtls_hkdf_expand( md, prk, prk_len, info, info_len,
+ output_okm, OKM_LEN );
+ TEST_ASSERT( ret == 0 );
+ TEST_ASSERT( !memcmp( output_okm, okm, okm_len ) );
+
+exit:
+ mbedtls_free(info);
+ mbedtls_free(prk);
+ mbedtls_free(okm);
+ mbedtls_free(output_okm);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void test_hkdf_extract_ret( int hash_len, int ret )
+{
+ int output_ret;
+ unsigned char *salt = NULL;
+ unsigned char *ikm = NULL;
+ unsigned char *prk = NULL;
+ size_t salt_len, ikm_len;
+ struct mbedtls_md_info_t fake_md_info;
+
+ memset( &fake_md_info, 0, sizeof( fake_md_info ) );
+ fake_md_info.type = MBEDTLS_MD_NONE;
+ fake_md_info.size = hash_len;
+
+ prk = mbedtls_calloc( MBEDTLS_MD_MAX_SIZE, 1 );
+ salt_len = 0;
+ ikm_len = 0;
+
+ output_ret = mbedtls_hkdf_extract( &fake_md_info, salt, salt_len,
+ ikm, ikm_len, prk );
+ TEST_ASSERT( output_ret == ret );
+
+exit:
+ mbedtls_free(prk);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void test_hkdf_expand_ret( int hash_len, int prk_len, int okm_len, int ret )
+{
+ int output_ret;
+ unsigned char *info = NULL;
+ unsigned char *prk = NULL;
+ unsigned char *okm = NULL;
+ size_t info_len;
+ struct mbedtls_md_info_t fake_md_info;
+
+ memset( &fake_md_info, 0, sizeof( fake_md_info ) );
+ fake_md_info.type = MBEDTLS_MD_NONE;
+ fake_md_info.size = hash_len;
+
+ info_len = 0;
+
+ if (prk_len > 0)
+ prk = mbedtls_calloc( prk_len, 1 );
+
+ if (okm_len > 0)
+ okm = mbedtls_calloc( okm_len, 1 );
+
+ output_ret = mbedtls_hkdf_expand( &fake_md_info, prk, prk_len,
+ info, info_len, okm, okm_len );
+ TEST_ASSERT( output_ret == ret );
+
+exit:
+ mbedtls_free(prk);
+ mbedtls_free(okm);
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_nist_kw.data b/tests/suites/test_suite_nist_kw.data
new file mode 100644
index 0000000..eee4574
--- /dev/null
+++ b/tests/suites/test_suite_nist_kw.data
@@ -0,0 +1,462 @@
+NIST KW self test
+mbedtls_nist_kw_self_test:
+
+NIST KW mix contexts and modes
+mbedtls_nist_kw_mix_contexts:
+
+NIST KW init #1 wrapping AES-128: OK
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_AES:128:1:0
+
+NIST KW init #2 unwrapping AES-128: OK
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_AES:128:1:0
+
+NIST KW init #3 CAMELLIA-256: unsupported cipher
+depends_on:MBEDTLS_CAMELLIA_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_CAMELLIA:256:0:MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+
+NIST KW init #4 AES-224: bad key size
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_AES:224:1:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW init #5 BLOWFISH-128: bad cipher
+depends_on:MBEDTLS_BLOWFISH_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_BLOWFISH:128:0:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #1 KW plaintext OK (2 to 2^54 - 1 semiblocks)
+nist_kw_plaintext_lengths:16:24:MBEDTLS_KW_MODE_KW:0
+
+NIST KW lengths #2 KWP plaintext OK (1 to 2^32 - 1 octets)
+nist_kw_plaintext_lengths:5:16:MBEDTLS_KW_MODE_KWP:0
+
+NIST KW lengths #3 KW ciphertext OK (3 to 2^54 semiblocks)
+nist_kw_ciphertext_lengths:32:24:MBEDTLS_KW_MODE_KW:0
+
+NIST KW lengths #4 KWP ciphertext OK (2 to 2^29 semiblocks)
+nist_kw_ciphertext_lengths:24:16:MBEDTLS_KW_MODE_KWP:0
+
+NIST KW lengths #5 KW plaintext too short (2 to 2^54 - 1 semiblocks)
+nist_kw_plaintext_lengths:5:13:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #6 KWP plaintext too short (1 to 2^32 - 1 octets)
+nist_kw_plaintext_lengths:0:8:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #8 KW ciphertext too short (3 to 2^54 semiblocks)
+nist_kw_ciphertext_lengths:16:8:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #9 KWP ciphertext too short (2 to 2^29 semiblocks)
+nist_kw_ciphertext_lengths:8:8:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #10 KW plaintext not a multiple of semiblocks.
+nist_kw_plaintext_lengths:21:29:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #11 KW ciphertext not a multiple of semiblocks.
+nist_kw_ciphertext_lengths:34:26:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #12 KWP ciphertext not a multiple of semiblocks.
+nist_kw_ciphertext_lengths:30:22:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #13 KW wrapping output buffer too short
+nist_kw_plaintext_lengths:16:16:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #14 KWP wrapping output buffer too short
+nist_kw_plaintext_lengths:5:10:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #15 KW unwrapping output buffer too short
+nist_kw_ciphertext_lengths:32:16:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #16 KWP unwrapping output buffer too short
+nist_kw_ciphertext_lengths:24:12:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 128 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"095e293f31e317ba6861114b95c90792":"64349d506ae85ecd84459c7a5c423f55":"97de4425572274bd7fb2d6688d5afd4454d992348d42a643"
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 256 count 11
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"ca8f6c56a9c9300549e9eae75a4604b8":"1542b8662136245162c64d45af1a982302f69f1d01a1a6bc29ef8facafbeaea0":"4d340c10bbbddf5b2014ded264bffce49901bd22adaee074b0f25a2d19c134eb3c7f38c5d0444766"
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 192 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"b4902b13ea73f17829b4e334fb359ec4":"2073399c7794c8b73dd782dc250dab31c80a8cba33477ab2":"37eda4eec3096135f5193c37bdeaf498b71e3a205c5638682fe746f236566b11"
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 320 count 14
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"579448a3d638f093742ae6b24d729849":"464d3162469899955d8bc8bfc0a22555bce609b2415bedf17a942abfe96ad4e124d4a832fbcff49f":"dadd1440a06946eabddf18e784b7719d36caa33cb626aa03aca057585584ea07a8714ecb90ceb232d6b0760845105fbb"
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"98311985c4661d7e811ee56070e6fecf":"18840c96813864ef3093b48cdde6ac5d78248b96d4a2cd1f15f0b56f98213dbf87e1ccad04e0d4f1954c233ea3e48fdad8f2b1156e54e19e3b5f4a66d2e9149032b876c51249165fe8c28e112a685b2d228a8ac308017574274af36a4ea3877bcc9850bafe8fc0e0a712faca0dea98396f9143bc5819fe4933a806e9b965133e3c695a45f0fbd6961798c400d7477287df64798b651e0d3009c13f7a2246c28f983509b9e5339919f2cdffcdfc550693cba9491c00334c4a62d878c4d0ca57b1104bc0174968ea8e3730b9e68db49678b23cd508ebe3e12e94b0ad3791023a8ef95473f0b32f906738f34e94e45a4480ad768072e1853adb63996b9ac27a1dade70804b82290a2274c6dcc3ccd40a8b38a56a5eb03f59075de015e8f9096f53549f6374e02da947fb849287a447f757cc340b6bded71d480988b6d2fcd984fba841470519830304667fef0a577b4cf84f76aef9deb84dde36abfbd76673c17113dbea7a3e24bf9b57a8fd17173a1ef91497b732b3fa8889bed58a503a0d3e20bc27ec4dbf5d13a93cbad05495e3df15e1fe34a3a6d6f648ea4aa60b2f114f30944ae593675dac2db188f90a3c483fb82cec0f0d295544d798b62cdcb51c6c036af1a341d78babf87b92609c1d866e311a46abccc8ba8c6a41420359bb061d7e752c0ed25990eef57c9f9e190572203f8c473edf8cfc8c26d34e37240f45ded97":"625aea9122b7b57b9f36446f9053acc42c6435a7f69d91b41547026f833291d488e477c7ccba698c143633a304f463d6af4a3e72c189234fcfc360013e65b07b7f7a36c529d3fdbbdbd6224bf100c14bc5354893b44790f54c739a2b1f5bda82d70fb600ed9b0606dbddea52e508b492b72d8779856274aaaaddc0a3edb6cfc788b603101bedfcc3f44baa62336bd950c2e349d5daf04f2e23ec2628893d214e277569c565e5e6aa8b72ffa14118a3b57f814b4deb179980b5eeefa4fd93f1751850466e929be537801babc2120f3ff1ffe5fea813ec7788eaf43f5ef657e5af48395c3ad11aaf741549090b58670695f7c95c68e00576ca18ef0313f2b4b757219fc8db3dc2db28721d6f912547ebfebcd96935c3100aa4e4df9955acae1b4e2c10df1166d46c4285ab631c6d2ce58ad3ae99c07c019dcd15958694055281ccd6f803af290431f188cc4c429e84a4c30fd9c63968dfd0951c417efb71921c207de172a9546bdd3e2bb35b45e140892c649f88c31a438f864e801a69f8010aa3d77a26601a7a89067c81b0f7e70d8e82f21f88c7d0bb0c8ca0db875d6c3f8c6f6d709bbb31c7da2e31f3571daa2c5ab13bfc16624cf35abd526e84269fb45bbd2fcd8c383d6fbb700bc4b5205b3ef8c4323dc0d9e0370e56a3d1e5e76aa4de082e4c2a0afd092845bd5dab52a45943181461b76e3984b95f48bea80a94944241d04b5634c86274e7"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 128 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"13df8fa68a6e096b9b5bbaebb64ace2e6a05485b5cb7e43f":"3ee9367f631fb375ba47241966ad4ab8":"d0309b1291a06c595fcaa6dcf97817dbd7b7ad2cf48ddec2"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 256 count 11
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"17c25023ac76a8af777a6f71c0c0f97931554b0a15a79222":"15227ef52412346e83a18c54a75374f69a24de6a07cfba9082596eeb5d758bb0":"0f8e2fe4f3a28c1fcebf20fef2bfd3489deb284e03d057337496285f4ffe62f074bafa0a0a6e44e4"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 192 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"49d1c4ec51f2695ad7e47554efd24170ab03f628eba7d5fb":"8bf961097a6fa75694cf0ea47cfda23928fc433d5fc762e6":"dc72c58faca0dd662e5fefd05cd714987cc2470219db77baf779fca865f31529"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 320 count 14
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e06ebf0145b178ea45687abe366fdec559877dbc9300a653":"f0104e9546628d801c4f7e875f1ca4f385e915b0c7bd52ed158b6b42d7301f1df6dd5bfc80d0318a":"5b4b1d4ef349fcf5eb7d720d84b2e79fbabf3db18277ada0752b9883c21f0e24281854420e6751af8fbcc4b98be0c1d7"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"932ed6ee1db1c4cf7fd81efce5609641cb5f3409563089dc":"da8dd9c1dc8cbf95b0fa280747c1007ecb086b7c944b0db4dfa3bdf6ed0c9725901cb838c2e30131250188c22bd92b068aa0871ce58a0c22307671612fc4884a655329851d54afd48a9d3a7f97976850d6fd842034548aee67df1272b06f155eb21966858731c3c35d4bb94a1ea351ef5a8c4779c077d648ec1c4f27cfaa48f47541a8f36831e35a961b076307bea928e1856e448d7695a0f7fbcd8c82800d12f530c2086f3b67bc5081d384010b47d327120def5c92f815aaae31d32893cdd18a71ba4e208445ff3a2f68a0a46689458b0f2d6d9cd3726284e56b4c020b97a82d4463f74098cfd7bd7a5f12157a0bc812266b8f2c215933cb67518f900602f0825538e05765318b6d31150007e410b92d5d957e119c5d94aadba193cf6da230387b1c5e6448515f9789a8867571ea82ad34dc5b912d6cd243bd4fc2f19d132bd8f1f5cef00a141e30ec4d3f7a546a215d5b0c7e70c3b0ec4fc34b66c4170bf403ef910dd3897caef33405827a55f943904c4e1b1aee4cc3ffd0ad27e316c164e2b5bbcf73df60d8859201b6602be01ba638aff468f3136120c117ca848ae161ecafade668e2d04b227437d4b91c6fc40ebd9490f211bcd21fd7005d200ef584f37aa2c4c769174551cec0d7f2936ae78f6c389382212703d0e7c82aef1a736056ed9c45e71439731537a2edb8a63741825c678a11c42e5b2281b43e203b0523":"76b6772984932bb6314d1eab8f625e044920f9494789e9a0ac2affd9a209cabb72ee83331a30472934e02ef28697d541a071eff9eb5c7dd49862f11384d46e8f4c2ddb084e76ef382117a285993e4a9f89e1e0ba6612f63b3c8a54784f940d7e6baf12cb67d27038e91d1ad4feceb5bc44daf7444f76fd140ec7a94869b4f99b9fcf6dd68e78c6a0a4794d55a1c91756ceb9d28b43d9c72b26fafc25c71e63dc175b29282d4a70813b833c35354983f29796909a9ba515cc5c37c58e95aa6f35b850500ea933b27a5922188c2da64680362602d71d169f853af0564b53bc613c15772ed82f89c2f8625670179a83536972332509e7ae4e0726271c5381501d3d88a3cc34a56d80e3e553b9b595e358615e92f361d695837734cdaddd7068c441b310aa511407b53806f1fed984a73862ea2ded1ee67d14feb5d8661ed94a62f5768829d6feea30db392bf24f0ea103fd2a60acf1fcd4bb2465641712113375bc2c8d73650795689f9061608b65e0e608f9948f5efcc0fba62c50b8cd97f67df2b0eec4f5a0cd354e982ae6a62070f4127b6556714bb2267d558112638f10c78be201ba165e57ac9cab6f3e35a762b7fe83b3c7c050b77174a4bf14eb2cac4d6d58a94f0c02727ad020a6a05d9ed145151d4f1ed41d5a6d06c50c0e1d5c24d09100d4f06c50d06a332a95845f4192ef577dc484e7acb91f0b2a57c1f8bef97c23294c59099eea13b3"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 128 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e823c6ef53b110eeb3f178871cf436887cca9df061d1f26409ec3b410033d967":"f90c279e9e6423804a6505e8effd924c":"0abb50b222af66058646156d106df7c85c28b708395eb9dd"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 256 count 11
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e5cca71056548467bc9c2849aba67cfe0fd74c44d514535d2314022a3f3e6ec8":"326b6da4dce95c94226b63c2d38c4e005c566191b00028b59cc788e0af5261cc":"2a4f331f451589fd103d9a9cbbeae5d5f5be7acf15aa6e21c45e09362263cf34b0ccab7c8a28dfed"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 192 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"6a077f95496aba1bb80831280e7563f3a187e6d014342028349f766b791108ce":"a77b3ddac0e78c9176b7445f9ec349b2d85aa2f57e6cb362":"7c065be0a2173e0f14a3418779e7f3eb6eb7fbb7a3c20fd6c08b37d408bd9423"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 320 count 14
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"752b21422647f1006de116360e88e2f6601eeb5aafd27cba56c20193fc1b941a":"a5948c20bc611187d688cb03caa04fb17774aa4f99ae3da5d821bcccfae950d72ca74b3a870008aa":"d71109224edc4233db8819aaca4db9c61ab5aad2806d0e985f1830acd8adde23ce75046b2057e0a23dec7a053bac6c4c"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"931bf2c55eac657ae56fc0a9505a6ea7cc9af5162d844ccf01f19debfad09cbe":"aa8074a195abd88930825b947cbf3cca9810eb829d2e7a09f9e9cb1f8271986d00c5be478150fbbe990de8c61af879495274a60d83f98cfecb2473a35d86fba6ce839d259ede318a362e7abc1f8a18168606d5e680f456f1ca19942e67e5aee382536df7c28204b7842b99023336b735a861cf28363e7773d7b0bcf32b5fab14cb524249863fd7ce49a7a7882b53728f7ecd020393852494df09d9a69189ea713e730e002252af18864b948a642d7c0fb17b0cd5671f14ae340fb0e83b4bda920445927b8de8a82ac93158edbbd57fddcc1d908688770a07c27d2bdb7151d986e85cdf1606b0c1c959542e75090d8fdce9c2a9c162e6fd988746c9bc916ff3f20f054690173d143212b74c5a8961cd46663958744ca1334f6c1dfc13fa83c0a9cc229a1030c6c84d01751ffef54d0f9edb2a4851a187d02f097a5c716f8fbae29eae76738239516ed08c14f24f9378451e9e696742a4bcdd9e0ecba49fd05eb93698afaa1b0d5558521c7b4e77b15ca2612619bbd78f670a1562a9a0a0215fe64211115e60476525444b351a4f8ff5551dd198655423f3fcfb5967c4f77e25d3911504de1d034176d3ccecaeb31bd29677c7569c858ea24d7017ce0b31f1911f4fa14b2afa429c06115bc285ea8b90bbedbcc63f5f0829dddcb17e8f9d21bd71501679e514147e1957ccf986e7e96a0e63ded70a9d017162658a901f55b1001d":"6b75fa8070291ef7c89f5cc2060c56270f5077a6df65a8095cc76b717167e67af70dcce96de4aa32293c17d0812f666e1f42e7e662cef7a3148486d2be7f314631ed6606f326e9781c3ed6be1735bef8cd5d3ac7d2b45c4419ea61462baccc0ff87b83b9b6cc85278c0b20bc15e6baa0a15eedd9e99df82c8e61476529c98aebbc9d40d417f9af26e6da5d115acdd6007d83206c616a39fbe21c6331cc45af11c578532a7cac50aaba21f3cf317534564c2ee093ef127484aea62c7a90327fe9bbe8e45627974306d8cc7452e96033f0c8c30ba2d7fb644796a49c9b502d3db7d4995f920fe21962fd2b634c15be0d82e9cf0ae3fd2b6d45524e1003ab9788ee56cff3e2e62c5784061a5ff586b5907098b8ab54bb70fbc6cb066b071fedce10e013014d82162e3cc6f9be3b4067555907a4df55012a9b1001888c55dd94b4f8528bb29e7985ecb8a7958fc8559831db05002479b1f39e5de3659f3a6e8289d9b8ff4eaa3f864b1ea101d84b4c6138aa6ffb95dea4f825d23f5d368727ca0a8cacb74f7bfd70fccbc951db99f2f4a580425c31a8552fa27397cf8b7f420f13fdcddca553a5f31d8645615b98a88795fb4472bc7cd6e8e54707d7be1f3dd7d4871725f6bc0e65762f1e42e22c411fee6dfd8139068798c7ae9781c8e5bcf4732a83f9142edce36e1ee6e20142adf46c5abaea0ca78f61e16b6875927d4141f6b215da1f48748bd33c"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 8 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"d060e5faa705b6c600ecfcd5252bbfba":"3d":"28ccc6da03cd79b78c7207946fcee402"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"663ee3d40628059fe01a9766d5c1c31f":"1c6ccd67438f20de":"c2717ed6e51bb4314388cd26464f4d18"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"7865e20f3c21659ab4690b629cdf3cc4":"bd6843d420378dc896":"41eca956d4aa047eb5cf4efe659661e74db6f8c564e23500"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 248 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"02a92285d0baa874ac94f6648988d44f":"6ac78aff505805e3145fac44eaeb6ac92945ca12d9bc0b6fee8b1e5b983f37":"18b251cf54d2a51ac903af2fd008f6aa2b1bf491fa2e0458dba272866821e98ad037eae4af654811"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"6b8ba9cc9b31068ba175abfcc60c1338":"8af887c58dfbc38ee0423eefcc0e032dcc79dd116638ca65ad75dca2a2459f13934dbe61a62cb26d8bbddbabf9bf52bbe137ef1d3e30eacf0fe456ec808d6798dc29fe54fa1f784aa3c11cf39405009581d3f1d596843813a6685e503fac8535e0c06ecca8561b6a1f22c578eefb691912be2e1667946101ae8c3501e6c66eb17e14f2608c9ce6fbab4a1597ed49ccb3930b1060f98c97d8dc4ce81e35279c4d30d1bf86c9b919a3ce4f0109e77929e58c4c3aeb5de1ec5e0afa38ae896df9121c72c255141f2f5c9a51be5072547cf8a3b067404e62f9615a02479cf8c202e7feb2e258314e0ebe62878a5c4ecd4e9df7dab2e1fa9a7b532c2169acedb7998d5cd8a7118848ce7ee9fb2f68e28c2b279ddc064db70ad73c6dbe10c5e1c56a709c1407f93a727cce1075103a4009ae2f7731b7d71756eee119b828ef4ed61eff164935532a94fa8fe62dc2e22cf20f168ae65f4b6785286c253f365f29453a479dc2824b8bdabd962da3b76ae9c8a720155e158fe389c8cc7fa6ad522c951b5c236bf964b5b1bfb098a39835759b95404b72b17f7dbcda936177ae059269f41ecdac81a49f5bbfd2e801392a043ef06873550a67fcbc039f0b5d30ce490baa979dbbaf9e53d45d7e2dff26b2f7e6628ded694217a39f454b288e7906b79faf4a407a7d207646f93096a157f0d1dca05a7f92e318fc1ff62ce2de7f129b187053":"aea19443d7f8ad7d4501c1ecadc6b5e3f1c23c29eca608905f9cabdd46e34a55e1f7ac8308e75c903675982bda99173a2ba57d2ccf2e01a02589f89dfd4b3c7fd229ec91c9d0c46ea5dee3c048cd4611bfeadc9bf26daa1e02cb72e222cf3dab120dd1e8c2dd9bd58bbefa5d14526abd1e8d2170a6ba8283c243ec2fd5ef07030b1ef5f69f9620e4b17a3639341005887b9ffc793533594703e5dcae67bd0ce7a3c98ca65815a4d067f27e6e66d6636cebb789732566a52ac3970e14c37310dc2fcee0e739a16291029fd2b4d534e30445474b26711a8b3e1ee3cc88b09e8b1745b6cc0f067624ecb232db750b01fe5457fdea77b251b10fe95d3eeedb083bdf109c41dba26cc9654f787bf95735ff07070b175cea8b62302e6087b91a0415474605691099f1a9e2b626c4b3bb7aeb8ead9922bc3617cb427c669b88be5f98aea7edb8b0063bec80af4c081f89778d7c7242ddae88e8d3aff1f80e575e1aab4a5d115bc27636fd14d19bc59433f697635ecd870d17e7f5b004dee4001cddc34ab6e377eeb3fb08e9476970765105d93e4558fe3d4fc6fe053aab9c6cf032f1116e70c2d65f7c8cdeb6ad63ac4291f93d467ebbb29ead265c05ac684d20a6bef09b71830f717e08bcb4f9d3773bec928f66eeb64dc451e958e357ebbfef5a342df28707ac4b8e3e8c854e8d691cb92e87c0d57558e44cd754424865c229c9e1abb28e003b6819400b"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 8 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"959b4595778d7b860e08fcb5e24b11f118fd5d67089f2ea4":"65":"1cf986a0fb2208977c37a4c3830eba72"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"02dfb6662e0c1b95d34aaba7eb6c1fdd41c52b89213d5b18":"27361c34c2601fe6":"089f835f3210734aa1a2282c6ff30ef9"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"9464f1af6aabad076661328bcfd15777da16a288a2660009":"431527c3a644c106bb":"d9b257b400d808a0b0386af3be9154fc7f2fb2d7edc06201"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 248 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"df419ca84650ef28a1c5d1cb47917e4480a3aca4bd29dd5e":"3d84df372bc0b854c058441e952738ec79474b673c94e32dc78d23745fb5e7":"497e966414475938204c3b3d606d5160461c54dfdfe903b6624208d7cfc90bb403f384bfd54d1ed2"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"a85b4359ebd240012ec749459bc928eaa52c84e887ababb9":"9db71e2a2d40f6fcc1b8311167ae13fb101bdf7b5c4e078373c0c3cb3f3a3ca39a91a6985d3fdd48d93f2b5a09b2a69350da2846ce6a37d018dda95ddac93a92fda7b7c3bb6518dd78f367f70e34e0bf19dbba46fd13d3f3e0a1776350f27138c64b177aa39c54dc06184b320016b6305c2dea19fa6da634cd613d5a4f71bc045f555a1ccee39b8f1ab90840b5bae555932e08719bf38f72bc1057875e8c077a70629f46be91281b977ed6f2a71171a7cbaf8e0566e55da6220a85a7655758de3b372144ef76d0337d3133004c0db096b2c41f524f95706247a331d08a6ff72b425395fee8e1ad308ccfe5b0525c40803e529db72063731fe1644891bdc0d5961397006e1f5d6521ad4e5aee3544da101fd3cf6bcf879220a612b7016e5eefe7369f136086e8f5109ae83e8687519f2008406d20992b64ba1d27b436ea5db1fd734340f3b2279e026a96e3f9c5c7b99553e35ada9e1d7d708a73774718f9b7073c0889a298f212d47ff5960e04743070338f99b11687396da2120b8f132535c0911b04505c0e6c32590c82bf59486fadfbdc0f16a224b2f52082eb66201f041d64b34809e5e91cda89d80d78fe1e15862bcf84f65a301ae68d097c9be09f3411c11cf83225733dbc9306ad2630eb7994a0d112ba83dc542966414137fd008fbb7995f649edf844fe5ee86b94acade1a04f42dae21928b9b0cdde8cc66095772d":"72880f9f173f0ef4d99e3ae71f6f3b94f66a08aaa22be1d206faf431718c1a29bd0a574b1a28b69f0e64d56d3e43617dc73506a939b7de9005ef0ee3f02b9265e91a32aaec58b7ab990f39774f6769c9be9ced3339f6bf0159055abe237c4c755613a6c03271abea3bc89527f284a3e1557ae26b3910b779a77a128e773d11d7d641479d02f4888c989cbb8d928da0136b965531730a3c0c32404351f4c2390d996dff58985ed1d4f4021a5d6ccedf4555066a826a04055cdf8c9c44bdae26619390b3e22b064f86b28382094a3e299d55ab335ade601699e85f19d6f6f12407caf84ad47f03d75198691f1a9b2aa9ed95e508d8551b19601418922f3289fc1efc3abb1ebc2f4886dfe325cddfe25dd908e5aef8ad197ce2703e692b9c46a12201fa71ebc2e323ff8926ecc059ffeeacc0446d3f28496f17f1b4ad6504e4e24188862e25f3dfc36adc7f79920d88e6c53269cc4e5dbbebbba1a2347154683c840d178476ae11d6ce574c26b8b895957b8623807e8831b87b5639aeb415adf1bbef394046deb3bbe91a5c17f2f67131ae5f696352a488e3bed40df025e0a0846e0037847350fe8ae3cf73141d0ec550d82b89c05bbff7337bfe846411d3f0bd012e4de2fe5b83c7210214c0404b40e08abdd3f4bc441f9b6e1efdaa4ac13b85d139f670a6060a1ba8d2528bcd19f241d9ee5077d20c120f2b484c67c9c598b1b209824c3b8aec2b7b"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 8 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"0070492ff3aaa190496c72bb0affdb6fac7fa9cb32e6e91a46ea34863422f807":"39":"643a9706af6bd06410b70ee38f546bc2"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"c6e882f5b8e361e43bb3e54d5a7b8c690f485bcbec2dd2183c7e623f6b02c5fc":"99ae80eec64630ed":"de0680b34f7374539ad9b75f08f4d8e6"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"70da43aac823c6dd37d1109f5b18feb4503c973288989745e2cc1cc21d9570c6":"edf17d966ed896aee3":"d67b5b2ad15c645450e23b5e7b6d682f8ae20e716d470db7"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 248 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"e941febe4b683c02dce56194a86b72d4c569e1fc84bc7a6f24c3ae2b39bf5440":"c168cf12acb6679c24d424baa62ed56559caee163a4efa946478ad43d7dbd6":"4ad9979caa72fddff0876c0295a57fcf74e5980fec2cf622191ec6b5aebb75e0adebb12d0862ffae"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"20f31cded60b8ed8d9d3fd1e1fa6244e76c7cb7628bfd28a5d63ce8aa2c9494d":"f07225202842c8dede42215301e44b9bb7e625d3812f74f9b6ddbcd024ebd1f33e2cbf280b9004941f3cbf86c880a2357f88f92a6dcf8dad9da7dddcd00f3635efdff0af4382024e93c2af66b991e565eacca6b886f07178c9b4adad6f0d6ada5ff6aa7cd0712519a947a8089cea5e1e3e40ffe1806010b0149f9ffc7c4dd3c31b3d08d5ae1997c52369393d58611dff9bec501c1ab35e6ed3e7f9445a34e211010a8236686f154e0a5ae3433d6a844eb3884961aa6592216d93952b46bb58a4195aa80966ad0ccd4a7e23823912556a90d5ee9c3bb952ecbb9d895dabd3b11ab4f2e3a6c2582de50403289230ef4dc46e7c0d870a3f0cba9d643a0349503c1b162ddb6350e699589eb47bd563999f55a1adb6b78b52f006901b0427ea7d3394bb0adae4637b4f1ad5d5425e2c8ff3083506d7ad7ba4c7405a778b0a3a11760c96900a5256956cc9710091d073a19f46a985d004651fe2b6448ed761bf9bc81619cf273a6783d868d090753bf01318be21afd88d9f3a961a69f93e9d9fb822c80acc7b48cf14a08b5b7ef15c66975721b7cde9761a145b679155472a44dea8fedc0f86ae7ebf6283ecfde5f2444b51569e6723a7a19e28cdf8dec6791ccc14af95abad018f741575b343cb1a20a2a9adf4248f99728069a1e2e78ad8966c41c9918fb7019ef56c153a183a6247d22d9956564bb03075cbfd1b43d96818b28484":"a5b63618fc0c4512960f00a1f226d9837a90480baea75265453b9553b12a58c72153080842d7f8710f317f88fbbbf97caf879ab4bf416ba767ee9aeb34357f4a2d0e8b9571054d98e28804a70bc4d74807f2bfd95ee955bfdbb6f4d6969a0c3c3b541a514647d5cd8c9740ac3496095c3f145c50c97ec98b935158fbdf89705d5330015e48ece89188b8c1bcb2ad6825d865b375a9b9056b743dac720feeac033c9f757f6fe73dd7c4a747661b64cf490a0dd43b547cd791a5d78dac97efcd355f7ebac248fa2a33e4fad640dc34e0d40b0d36588aa32f0864c9446739a6b44ff84666d723bd7d646c5172cda932fec34ddaaba342b02a9604087ef042a2be4774194b5d32cb3fb112438fbf2801050b5424635fa2d3d3fb10332965c73e6669e65195310a3a30602640e9809179cdfc50de585aa1c0072423c626815d281a06eac3b6ffa137716318e288e3f9970e415ef0451bdc557968febf9eb6772c1f77cb8e95701246d9c567048142bb25e340351b87d7391822d9ee7fe51378bc0d08135f9f39cf44b348b87937939dc61f430dfe308cada632722e23aed5a0699e039cf0563ab8025163744b136a13ce3c62c748c89f5e17540f105e7c6ec9ba13515b504342f9e6dc7d65b9a633d8c0b5c9fa858dbb9b3a594406d478a81bb9abfa289730408c1e303c663a61d5caca00f615065312580042862397b9aa8c80ca812887664c439c8c68"
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 128 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e63c2cb1a2c1282d473b66753494a591":"084532f86949dfb7be2cdf09d2b7505418e7bca5185661e1":"a26e8ee007ab90f599a1bc31cdabd5fe":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 256 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"83da6e02404d5abfd47d15da591840e2":"3f4cbf3a98029243da87a756b3c52553f91366f4ff4b103b2c73e68aa8ca81f01ebda35d718741ac":"67dfd627346ebd217849a5ba5bca6e9ce07a7747bed1ba119ec01503202a075a":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 192 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e5c2fc20f9263da4f15b817874dd987d":"0538fdca42f1fd72afadbe689fa8a396996d734e4f082c8c4ef41ef11dc6246e":"35a261169f240dffe4701ce41f6dff986764afa6e84f63c9":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 320 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"3f5501341f617cae30dd0afbfa247c09":"72fcc9e5942344d11c3b23503b170e39cd635da3a83aa9ffb196cfb1d6eeae6dc5f5683238da6e9b49edbf95819bbbdf":"e2a34da9ea2ad66e130251f8a7798b87d7bd7601abc5ae8f7305b024ddb4b3e00351484165e16d25":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"adf44a10a05e64f2df87db52f3ae18d3":"a940cfea67b90c81b4ccd793f186dd7c6a3c0ff5a6feb5bbef99eaae2b14a979f1acee92b5e4cd750f40571804d380f470e1f5201a389476f97bf29f6699053f468bf102975895f4c1a679a46cf627b22c8d956679ce53775702899afa223c87621f859dccb876d317f2a486d0a4d4ad6ab7e2d9ebf7a956c394ffcff423377e21b274f8ca3a379273dc8de738c97bfd318871330abfe2539a49d4f03d0eef65856c01ebd426f2e76fab90466acbed8c4c9dc09898929d80244eed4fd51e7eff567c2b340e928f298ec00cc8839e1ce9ccdff40a7edd04e01440f2288c384c673de8a758ba50f6f910b8002e0786d2eb633da0ef7eff025f37b45f7c9b918863a56e2da1f3fcd12b990f959051289a1113054c38c135336f19672c86a51200763678cc4ef50ed290d96fec4afaa53af165aa7ebc11d787ab1c535a0abd00b477b914855759477df2afd516a85a66f8b91fb5f5e98232e601e249b3faa856bc6b26f1945f48542601bb4ff1c0dc46f44ae023c0a33ec9faa7467b1cdf1c08df7d00b800ef28e2f77f1e6941db9ce8e71fcf82a14cc8983614e2ce3cb4b3e976a8dec76e4309492ca68486d119cd566b9692d1a513ff30675737d1777a3a1a95b6588685b5a64d890cb8f79578fae8f1d22b83747bf876da582e56e5267ee8e734e0fa9271f5455c40fd599082c0acb442927643aeefffa5bca0a88c38671db14899adbb4819dd1e2d":"a2b43c25c5f530a6a29c5314319bee95e0ad5a630aa8dd614b3751205118e35117c31de7d1ac41f9d782ae8456ef0387cff49eecfbcedf2d9c0b18182f5e043e3202c527be77e6f0404a9746ea1b18978a916cd47d40093813a3b0ba1cb22280fd7f00a7fb4f8def6a0cc1ef848a45106fc389e0ea00652151b1e61dff2cf2be83fccfbccd4fdce86f19859ac927a3dd08645cf072c3525624b3845a532e5a37d99db5cc943a0a9d42be4bc81134f314fd9e22ebd386e7a896bc2d56c933326edb18120c072579989c5bbb1991993a698f2a19387612b25a303e699d12003072fbea6e45569444107ff9a17675f5454440a6c3cc02c1ba513e26502b74a0cb6d397ff6d7d11877100fbfb5370fd882892ba09635fa3fa78d5344fa00008f488395f04a7185ec7819dbf3b165ee52b35bb4ebd10354f2d85514b2fdc1f825a4a2968ba44b3ff2812d1acc13c24ac49c22343b6080f2a7e7efafe86c6435195cb742c35d8178fe20ede0ca08278db49faeca90f95b9b17fc1ffb9d7b1d064f2266d32bbb6f3e28f3b17deeb9faa64f7c127c90241579399294eaf1dac93346943a3cadfd84d7cae1aec66877e892cfa31b5ae35eaf7c35faa6f4cd9212ef7cb2cf9df5748ed8194c380c3298734e1ccb87d0feaf49be1d275142f8421727b5a6c3415fb30ca44ab598597d136bd6d12435ae6ec3db72f6b85462878d833dfe5e6f":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 128 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"5d4899ee66beff1bda1fc717a1ad4c50":"bb7fd0bce778bd775e4e88d904d26a7134364c53a6c493a0":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 256 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"84bc6ce7ee4fd9db512536669d0686da":"c383db930ffd02c0073ac2cc79ec289e6866bdcc6a135a3b776aa42f14ee04f9cca06ed6c0b22901":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 192 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"266b009e911bb55f9aa0661539a6fdd5":"db9c94e7236ec56982d7ddeb9427c24580bc1fb96db98ab19340e03670045b7a":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 320 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"51c2e3d090a74bfa10db090b63ae53aa":"598a16c226e6c848a78ca30fa514edc9467f704b529c02c5522d1890b4dc21588ed6c3b070ed952adc733d865eb9d468":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 4
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"6a7814a80acae9d03eda69cad200ffe5":"e1ebfaad7f6d46cd03c50ce4e9543ff01150e9a9a69c4bc8198fc08601ed71203e39375d600f69fd762b196bf50a7dee2be55574196005c8ad53234d789a9fa6f2f0eb7d7b53c7e39a7c70e9ef93c58bcd45c0f592fbcda19b5ea9a118bc2a0d49c8cf367d4c90823eafab86165db3aaa22eee9323de7d23b7729f7f088be9db421fc8256c20e5874bd0c8348c4a6e50436fc94136e568d0aa4c29d7b65136bb378ef010db091085c9c0802466d565eace2c0bd91648fa82f8045c57cc25c46bd8c9e4060ceb00e092f7beeaece1d4f8a2a01b5b1dc9de3c7d2ada7a44d4600085b7e76929198b9823b5ae0f74c652fb8793cae7c16cf062f39136789b213d1d500d560bda89bfc0df0e6bcb07fb4a48914e1af9058b73751aa4d98ef0363e48f9d1ed42230eca1b7b24631cbad80b2d4bfbc00ad1ab797c1c459214be8f64470b4d267ab576fc1d3c86a42610b8282437dc071336c325e606c2d36de1b24595f4888cfb2ddffb46557c964a4ac53ccc1d214d44ac84b8322c93db03bdf2a04b303de4f8482b8e7ee25030aa5ad8a8bfc5dd683726a0286486356f5a965599313a2c39034774ebf646fa7ccbda35316c54d443c6da466d9c95d716016326603c3989bd7545e3506333ab3e2ad7b45b225bc43ecb37e4c301b389e06b95f09b1a10beb5fd5320234fd6d488d5691ae2e078630f9f57dd0870cd617c30bd67ac8dbf4b3a8cf61067f7":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 128 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"26045402548ee6196fc0a60208ffde21137ddb1c6c5d2ba0":"fcd55c2c60ff6de19ec3e6b13490c2821f0c565abf10be2d":"94b8276743184d086962ce6c4e63bd53":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 256 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"b3a0aa60fb14b658e1eb1c1a5a8e1f60307c9b9faa2f1587":"fdeda2a10e51da1817af2ba4c9f200414aec67545f5e71c608e85d14da8c5567bf51dec4ff2d8c05":"65986b3a6a3658a66cb5beb302540bb032b36c76d040b24fe278a1473ad4c32f":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 192 count 6
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"f0ee8ab6f804a2629e163b58c1a9e9039b53ac60493df11d":"3593dda0daead2dcf850f8670b7d0692332f57068213a772a8244d058e5634d7":"401df0c06aa4c58a71b9438e11a11a239f577b6037adf350":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 320 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"579e58b2bf9c34c31e8c644faef6b698131624063fb2d795":"b39acd09d9bf9daaa89304f76402065cc3d863e12df8a966f037146db9619e7be5ccbf50206773c5eca35e36492ef4b7":"9c1f66267c2083a42f3da4e754a073c1ff151681e2bc070e6e4682065fd109088a096e72024fdcb0":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"366af2c7a1d7a1ee5a7c239fd526024472f674ab039bba25":"36fb77bd3890aa0a4a4d6f65d671156683c48214a327e5b2b0916c0031f9f4f2c643ca721aa22e84853096bcedd7ef57ab2ae05628099bdbb55111358a06c1e99233b94a568a3f59b06d8a64332acf888cb5bd1fe8ed344937137eff629bee3ad57c73344df80b303994889bbfcd0ec08b13b687ec909cc847f383d3ba91d108c84254af4ab4c22df19897fef44b62d88b0c1b269163de9a2db56a26c4dbd0481026d27e5003153eec761f21c02f4d04898dd3ed961ab158e572aaf3b828a30eedf62a8a7b0911eff27db48ce1b7bb79b14ba43d7ecc1f87c82664c99ea857746c99a993db5807f0fb06114c00428b85ddeb9cfb698d282b1d70eb7c17d4d12575e58103ef1ed37c558d7c312f0fb1d72cbadb84561a41e4745492c8b1eea557efb9f1e9664ee995aa82e7f2a1c86dabed0b2fecd9e938c796dbf2f9b4dc269545ece94e354ca3436e4c6936b51cea7abcd2e49fa263f79757c4b5a8d18c2c6a26435fbbaf3fc759bb323ffb962bdd445dc7e5c84f9d98812e7eae254d19a06ea378b1b262daf22b634dc30aaf9d911cfff0905e5e2cfdd7dde4dbca75729bf33ef6d27d5993f19c9a3e60fccf5fa201963cea0e7caec99d79f83435d11e3a90905103c302851c8d33cef77b39c104ad4d8f45abdb111780c46784e6fd6a78e57862350a671ecbf01dd936b8dae4ce4a91d86efad8b04724d7c17a89b1d43d8abd650f88e17f5df1":"40bc409ed0ba1966e733be4b2ff9d23691e6a9f44b0abebe971a47b4ebd51bb13bcf70bc1359f6b5e670be2e6b008ce9d219abd61ad20edd97aff7458b81e6114ea6d9c85a03400477b1a32f09ac5cd1a963731246011ef4908bacdbfae5e5921cba143b9395d17386e924db6ce40361740c6ae5acfdc979d45c8af70b443878adbb04bad439c9937a30bbecfc50b7005782bd01e3a87538220ca149286855129bd189f9bdb55ed1f7ab786f99c289032123c814e683db2f10970db79d2ef87f5a8a2cbbf7b9e2c447cb22d2a9d0f8c2b093a4d8aee57f0b05c2ac4f4ef780bad406b847d3c9d175f659105795236b072e96738043cbb8499292ad45acf7e576d8decdb635aeda6611da6c00a1badc11962dfa0643a83b865099de79416c86448280aad32f6797ef2fd879ba46abf36c9da45da4d0c936f6e25240cf30ffc79647720bf10ee18743f1ee3397dc0ed967445bb7b0df8eff0887d3f84abf20f0b2036837dd0308ed4a01f9d6447a9eccc9c471e75bd32f7d760216c326901ecd8590afcc2e697311e29f9d704dbeec409cc8c7fecc12fcf70cf9f718c12579fd17cef1e6bb44f89ad418005c2629a96275965f08c54a53e31cabcd4fb17021889bdcd4851ad33bb0d5438e55ba3b759dbf3c50fe20e6f3b8f1989f560818db1f2079b91b1e2d8bb22a7523c3137e9a30ab970f6019eca225e4b42bbe061f3b7b43":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 128 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"9200a0f688d86c0b6bfd9abeff66341684a373fe3f9a3057":"5c685c8596e374710fe327bafc45cd09190215fdcc03d010":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 256 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"95c9e644559919cace6f93f545dbfe48b130808ed66d0964":"7b8d1307e992221f6ffdcc7909d972d5f02e92187139cfd77f79345cb998bbdbabedb3ac00a6cdc4":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 192 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"ffdbcbd0abc94c7f15e5b6e8a7190f1ed4f01be11f4f7ccb":"e9ad95c8e9185a001509c50ae0098d45f7032575c7b8fd90a561716d2e5804fb":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 320 count 9
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"253a5cbe79a291c0af1a3d7460e7f284bd672cd026753fc4":"f71014ba711602df5cff2b93e86253775ea308bf83fde65fbc9a9a7852f87357330450072aaa3d6ef8dffbee20d2de7c":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"ff8666e4e538a6cf0a2a002b63716b06ec5f187785c2fc1b":"f5bfda19b535cf39e240d5b42db06f385fb002be273e46d9e5ceed6be4b5f636031bd0622ea0b3abd0087a7280844ce7260594201214e601ada0f686da6e9b45fedbe36c7d13db025746fa6bba2e540a417a29cdde32f9a7ff56325233bf60929bfd49f80e21acc23f3abf572d81e96b556f6f4f20a7e00c1cacd6fad07df30d40de593c99f73dbd61bf9d9d5269a56006ae85d588324f7e140d9775403af631e695f7856b1bcaa377aa7f4f12c68096a974ef703435102d7110f4eeaca787744c942be1186d132bff2b39f160157617bcead75ae59288880fc0e7db9877d854f553e90e1c917a99b8f357082c50bf3b71cd30d016f164ccb85bff50212bab13cca8dcfff0be984daead905ab13054eb12908a73f37ed42c5638a5a410ba182a2bee2caa84e76af2a715ddd24e837988ec475e506faa130f0241e08d92567a69c9645fc2be3945d65a77387cfa307562c9b6c7055f98956c547ccc109da9277292f47cf43e3cbc0d2e91c916e4fbd70df4a980e9430f5c1c8cfbd6c83f0f756c436bc07e86d5c75aec7e4c039349f71fbb959db709427a33869c523c3486be0095c1fd61ac912cafb9065b94916afd9166d73678ffbcc396a037ebe75e44cd824b2196903950b528f537c8baa70530251bfd8a6f37b202453993534c06aada0d1dbf760879d0898026997f1baf63e343e94ae076da7d41ea325dd23ff2a9cbee74baca05a538543d":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 128 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e594f0067cedb74e883e7746d29ba725c884c25375323f367cf49d17ad0f567b":"3b51ae2b0e3ddeed94efd7bfdc22630187e1f7624d15ed78":"587e3f6c75644bb5c3db9c74714f5556":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 256 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"049c7bcba03e04395c2a22e6a9215cdae0f762b077b1244b443147f5695799fa":"776b1e91e935d1f80a537902186d6b00dfc6afc12000f1bde913df5d67407061db8227fcd08953d4":"e617831c7db8038fda4c59403775c3d435136a566f3509c273e1da1ef9f50aea":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 192 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e86b9c1f74cc87ab8ca6a2fa1723fef173077e684345b90dacd3d485f587d320":"c97e8c25d498430300982cdcef592e34176e33e45cd59b19f7605f52e3c7b997":"261313cbea4b246e53affe1f84bd4c900c9b1d1842d79337":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 320 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"5b7f48b8ce77007481667e9900f3077a0c9407a70082b0de29bbfbd716a07149":"3ed16c7e4fed98d76092936e94fa5696c787ab63cb764e930fd37f917be4e7e60c90f327f0865d279e6c449b96301ed7":"4e0e6c45137efbf858ce896c815268a10d9869ef5668a90739b7eff99617691fe63b911afa53feca":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"9e92fc974e09541e6cdf1415575511436ac04a56db186bc0e60f0fac9bd58c6a":"201010a2a33fac1d20230bf5254204801de29e66cc44eb391b8e77284b3dbcfa3fabbdd4d9423d96af64ee0dde35786d79b7433021da27d6be753f91d2c1d63b40e9dc265b4a27cb2a61018a60ba5e29813c012b6acbf7d7d101ce227e45b5bc8a16c604c83a99ef35aaaa44fcd2033cddb6122db2dfb944d4b5c16dce911c5f4a1d8db46785534e7a090e31fd2192be64fe5b72efaa8b7965552bab4a20c8eac9a9e7b35e77df0277a90b0b1167e14a8be8d0bc37757354eff920ef93ad65c5a49b04bd553883efe9376811986002d4270d25c5749ee1454270a191084fdca53ae693f5a31b13929fbfd68b331a4fdd2259031f812ecf50d042a55fab302375057cb5b36735bcd2d75f745fd4a92580ecfd0fec44313ba9ca8cb1893f7a329638c17608c170de0ef68123c2233fea878fb1b49ec7478d9cf70591101bfd2d6b0328a27f7c497061b79289b6db4e46199c5db8121e9e1adcc8d64c85c27e329883775073d5f61b0bc470169ce8837b61fc23bbbe7e07d265b32cda5a94acea4bb2e52af17e13818a7ea424ca7fae7677caf405f04e37c2cad0c77eadfb4ead593f79ecbd8292e47b7838d775af9d9e252c6ceb147ccc2aadb01f8541871e5080109f9d94afc9103579bc9dbfcff8791d5eaa68521806590eeea74f411731b920a91c4f4542a60e6ffccb1285dd30e74292d5f37f33d4cb74742ac98c7a0475e069828dcd7d8301fc":"4b6f2257197b0692e6026d531bbe2f222a6764fe1cf277b0320a6bdf9efea0a3f304e94fd22372712f751aa377264b1600f3c1e7e0ada846082ab4885a5c9a51b1b25a593a269a7ca1b62a28f1a11b80fde57f0b9c0fc0e38e8edea8a294e18b4b1e0e24a5ae0e9d9fa0d8cf02378e592b322ff04c5a487332b5f58ad3fe9a0c20a205f6872c9e2d0c52c5b29c5c2f008444a3e8400b4822d39f646f9ed390c352615c4cca8cc0099ac1ec23ad7ef581ed33f9fd4a8a58eb240fc79bfc2df7c1606cc52fb97493fa59a0dc8dc01fdd9fc9fb51a2f1e9fd6a89cba67f001d105c456d99c3b1fd68dc9d01b1b8e0e4c2ed4eed63c0110ea6ee96b54eebcd56c5446dda210a9e143366014e72d5e4bf78bacc230641789ae7caa0e37682190d8007aad0a0983e7c970a6feb1112ee5920f628ba03493cc3b340aa9452e6698f818e6e409cd0a7f660094df05646ea0e6c6aa94e933f4fa4feae6207eb473f9d80e335d6020138f1fcd085a336bdea158823cd47079a89ac18bc8541918ccb6bbbe1aab5ba7d9c6b5fc9ba17cae707a556c2bf7d1f991f9a8ebe0f9aa6e395defecbb508cbbf68db8da443ce8fc40149c3c84314986615ca5685e5e2162ebc617929a7e402a6262a28e646d7f503253c30ff2e37ed6580676a9978aa2f5b4fe82e1c2fb83754fa855ee54a61e64a16b64a680732b14671ff55b3f2a6415233206188":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 128 count 4
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"08c936b25b567a0aa679c29f201bf8b190327df0c2563e39cee061f149f4d91b":"e227eb8ae9d239ccd8928adec39c28810ca9b3dc1f366444":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 256 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"605b22935f1eee56ba884bc7a869febc159ac306b66fb9767a7cc6ab7068dffa":"6607f5a64c8f9fd96dc6f9f735b06a193762cdbacfc367e410926c1bfe6dd715490adbad5b9697a6":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 192 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"81c93da5baa5157bf700fd38d7d67662670778b690cfbca9fe11e06268b35605":"875e1ca385586f83d1e23e44ca201006df04e1854e41b933fd607a7383ae1a39":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 320 count 4
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"c42c53da9bd5393e63818ecc1336ec6dfcf1d633e51ebb51c68fb0997c979e7a":"52f7b481f72bc2d41edade5388d38c2ff75765939576e49bab400040a14ff488848bef57d1502c06a3faad471f5c3178":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"7b51259246dd7252f6a7215fb11fbeabfabafb0f8856afae525af8feb81d3490":"c625853da9fdb8665264c30539a258ba61da8bbd214f3f493e292f686dce73c003aea5c4070ea94b19e486019b18a2f3f1d836b85414bab14eb99baa283cafffabc8498cf1151489a6a6a0d01e7041633c94f9cc6cc3dfcd661c9c4a0bf77d9be168eec29cb0efef33c74d2dad18ae2ac2b5efb519f4c1f12eaa7a7d7959e7a6dec681e4d1878b20054b7925d2da0b2f8730604445ff3fca3a06285a4a2d86648f10a2bc3cd422646f70224ec9025e7ce701c8b521c0392fd7d2ac883f2a37bb7e4d53a92a620e65e090b91dbcdd616a13b3948eb1b5a6b1bde80f03dad61aba3223fd91ca3df68b0749fd049813a7ab0268445793b16677bc1af00f877097cb14798777ac817d0df82507aec246f755ddf95b19bb56ef9f2e730bcf2863648d8b164656df37977d54eaf05063b0ee8ba61c2a2ba7dda8fae337d5f6ba965d9e643b4534ed9f4eea7b2b26680fff50260e245fa0d63139b40e2f152da3a976589e957be22cb0885cd582aa9468b08f08a22b486767a6b99c1778ecbd763ebfe2bd83c6191f4e8a84972e4920452b2b2dd28be5d7bda05dc3422419793ca8c26defd3b42b2cc99bbad98e7461f034abf137d7b3166c94e20bdba091653c6a17ccc4faf86a7ba6d2abc0ecada9103e73d9ee4659b6e991a1a209d2ebd96c24759c69ad13a03431ddc05abc20dc8581b1e526f4d98f6352ca4c77f5479db234125fa585ba275fbcbdbf":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 8 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"20501013aa1578ab32704a4287029098":"382179a39d75756f57763486d038b50f":"14":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"a099fff482dbaeb53aad84f81b916da0":"b831c7137facaed059cbf268767e230f":"0d24299443bcc444":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"4d49e260348172c38a79eb925b189b12":"54755a93ff5173aec60d1eaa8fd7d4090f00f638c2831aa9":"2bbe64479da7c45976":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 248 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"6a5a5ac4ccedf055d7562ac58ee7819c":"46904a5583e8a22f4b2f5aa8d071f5cbfc938130f1b33f2e6401aee7cccdef2159a89c9b682cfaf4":"33ac6837955300e569b29958985cdbd434c18208779a949d20b110b0b719e1":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"1dd51f0d3a0a784174ba81b2c9f89005":"e1bde6d2df3b8e48ca127f97b56b5dc2672b3736cc3157c7b80a0316ef1efbdbbce19fea23da831836ccd2e002b2c1dfad206b5cec358446b8434d7f4c39e65b0e0b50897642ffc34bfb3cb3e233aa9c1058ff0d4fd48e98bc8cc3d214c06d514dd97db2278093a308f91f4ae92626d85771fb1447b36a3467fff02ac7e81ddbd0fdbcd02d1acd4f053c989ef3dcc2c01e23bc2f6090f3e8c0ba5f0082341200b1c37b99daa9cb6fec78bce3429aec5badb9fd28fdbdbdc5d53570675a9e39535b4594095658ef950ecd79a162223b60d2eb91765e022dc6e1bbdd86f1bcc280ed9df350da08a801fa16a1bf2701947acfb08f19fdfcaa1d76f466a5de2458a78fb82f6af3e1be68f405a4289f25896f4c9830005c9e895c86e67eceab0ad544856071b8d9585835b5e85a07ab01515f7ab54f98dffb4ca49a15068eefc6a01f7f52fd1adbe3631c59f6f43f79d2b4f2a691e2b30bb1d43a848dc3ee39c7f2e50f0c9deb7ab51e33bf40903ac255bb1510fd61676a6c13c3c776b8aacc6cefb95e24973ebb11192e2692dd0c6a085b58f86e11cc28ee2194988c123e3666da7339c0a4ac6afbacc83f1f100fbb39efff7cc605c9213828224a17c476395aeb9bb0a3150fb8889a8c2a494c8c526203f261642bfa69a94b86de9e6d3d932fe20fffe4bd76d502c0d437a3e1d0d8727b7a8dc0e361967109e93566326b6c517663731c4c9bdd0295d8":"1a4eed4bf5b8d2e2a58f1f1277f164cc32cdadaed848f76fe634034082ff9aa1711870bf3936d01a2aa48de30de5143b9148cf56f4490f9d480dda0b672e8e17a012cd26cec3c68837bd5b2f9beb13e0110f21c6c36343e09e027f39557d1596d4ca406e3e7aa113e9bb8623106bae25f0ea23d46bc29970ba2596f83fe4f73a6f978a4d949fa7c271570a2ae5d2b50792d5ab5c43d455f359fb83c35ca3da37cd73cd66b6adce94d78ecdeabf667daa47ea70799af299e1d898ccf3fca6c42c6fff8cf2ec992f596fed4a0cdb502a00f9b5689302931d15cba691e2f8079a0411332438b714ace5234b91e4aebee8f8dda0e1968c2016fed350430a65d8d206c9436f40b79ce03083b8dc207d6960be1ce97007ed22a388ebb7b3d8f7d2b7d9f8f49731fbcb21e21db0cdd15674c795d5af2b2cd727f83e634e8c47157ed0c6873a5c9419e683f16f4a7827b444967812f9d1adb9201b89a0e66bbcf0591465f5d7036a21cdda0e10099feb819dfc37fdd3105120044dab716882d3971f312e3f4459006fd5a1eab08ff63edf6718f47ddaa37f7f40c9c372995f3aec97bc45e287b64fc8cf5559ab04a4d4d3ed482f5d61d3abd99cc87ee406da3ab9c9cd22ba3b8d191b26754aa94a2412f39e332d77fe72210adb0cbb5c96adebdbde036f1f1aaafad74a7ac2594f81efa734054e2e16dc931d49b970b81756862705fcd4":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 8 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"30be7ff51227f0eef786cb7be2482510":"7f61a0a8b2fe7803f2947d233ec3a255":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 64 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"9ad15907cd05d77b844816b1dd806c92":"7aa0e5d322363afbdd71b531e50d4935":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 72 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"2005cbe9cc66a35cafdff1af119ae6ce":"60f9c736ec3619efdcc7cccc6b90ae5cdb8bb9eceea5dd96":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 248 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"2c3b49efbf60ed01a3ef27ee24ac90b0":"5fa5a87bec09a3e05864656f8966cd38e1c4af48a06b1dab4ec9cca35dd0f92b54015fe5332bdef9":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"4b4c43c9de4fb4a2a7a7adafeabe2dbd":"6e4d08b8124f7d3e23303fac1a842014f95e3d71c438f8f1990307842796dc5e404ad81802e35c183fe000390a12c81ee684c5cf26c1d90e414cfffe6931b0f352936fcf0b31429eb5c7612cc359a15371390e518cf5c6a6bff1bb0348d14e2c39b98c9f30672ed2af1d96296df8b5567db25b9510a2083461810e119735490058ed1b46b7fdfa885041d8749f90a072b43ba49f2f51fbcda0dbf3cf99fca1d8f46330e5f6fe079d6679cfa26214c8831b782aaa023a2e0ea91050d277dab876aa6865f2bb3fc1a4a77db52f6179d5e5325993280948b6b7002b572829641d35ed3d735d8423e5b24673c4570ca25064fc2c2ad4840632536bcfaf2a7a814f3eaed92b4d501bc51c1719a0d8d8f420b66db845682bb41c88038cfedf13417143a3a701b521a9bf0bb639875a728c3b5ce6ca7e7a45bc75285c193902e6b5e7a4c6e720493d3937bf485e587bff894f70fd6165a1d0129cc673a992e0a4f5489d228a066b1df60002ec0521924f8d672cd1452fec927e58e75807b2a390256f920743fa4d0fc8f59f2469a595ef65095ca0c80adfc843e9e69b6d4a3f824af47b2bfbf2a7a6c1b650378f096f6f0bfabc752c8f279d4f45d56d09dce97962c119de3a64d83b93ea55066f24d4238a229ae86e6a7857af1d8aba823370a72fe358046049a84a70213ef31d9e77a722def8e21480e79b71299438070946bd459a7251707446c911e381":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 8 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"716da5cce5877d8f305b5478d671f6c73eb1bff4de15df07":"dbd5247ad2445575cafb00ee7707c218":"bf":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"b94bc10b85a8c2f74a66fa723a25ea1b398a4f627efe1ce0":"18eef64a022b2c7db27648cbb5f1d5e6":"19c0f2f78606fae7":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"f61cde8e515d59a8ca95efb1a98ed4216c4a9649151babf2":"83fce85e9bfc6ed784b052472e5780fee662f17a91faf1a9":"1c6883862ede37b31b":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 248 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"1c883af75147bae6f34205cd656ad30ec97e617456591ce6":"f24f6747711cf72fab0422026c6d548ccdba786d77ab900ac3fb8f39f116d38e92c82d5fd9a045dd":"bdd793f086d8733f69055bd79bbc448be857286e918fd4c54be4acf4eca5e4":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"1b38d4b366f844e71a8db6be2b77a05a9e81720d2d3f31ee":"62ddc158ecb048250bde439dc7aad34dbe7667d330a349026266c24cee9742953b623d1e247e501641b45b60cfbab665e68040ce06ebce478d9d77f5f344943a1edb14f0d9f165ecfe407031707961fedcd016559228bff5761cd6542944a5d86f9acf4e0a4114682c2312b8d4e8285d3efe1a7c1526642c73c332a9e484377a1c86714e3cb687781928c8a5fe28b4aa74e79f53ecd00793e00041b39b172e5fedef3d4164dcc6b2d2e47994e73f2ab048a4adb8cd94fcd7767314ae40f8cdbef2b26d25f74277a2f88f1de56342a0ec97fde4df2d052e6ebc62622f65725d845f670a647808666c7325725a3428e26fefe725c2badb8a8b8f04e30456bd1fd39fd0f7c782b7a2bc9d8c53922a54c5f103551271af6d7243133b96cd1c108811e4beb9a56472c1f9823a1e88832c5505e07cb93b9041f4b8d69cd27403680a18bb3848c269babbc52aaf568ee8245f4f72e177257103dd4bdffeee9b48e0660d6c2f4dfdce52462d0ed5cc5114dc0aa5a35601c9a644a1fdd3c57c3153e65a108eb94eea3bc9979a67a2f569eb7398a4bd24547c15faa361bb2950a379a1cad1737f56e7c210652aaea7581f39f07ee09a101fde8c34c3cfc404f2b8f682735fc4c721eceb4bd2295d8a74ee3cb858329509eba9049e7e791e04d8452b50c6e6225b94a8cc10ec1d262588fd2f05eee08113414e770c83caa84d310559286c393799117c177089a2":"b1c88d3e5648218ee085abcfcaf7f362f33e4d6de363cb84182af9f18a31475f0e14ae8eff76ca67455726392a110ca262b90d040abf49beb036db096be053d493787a67e983b63945277044acf648172c75b38d7f81dcd58e3bbcecb963dc95863877784ac04eba83481152c30b1ca9e9b78fe537deee6c95933e1b5fb414cfaf7ca1dbbae8b114f0538f4cbf433ef214b776faec9ce1d29f680f4c88ff7b9ba0e964898dd253f5f82ec9f25663ece9dbff5e284f63b0e0fd07fb13b41aa8359f1ba1666bcb26e65d28b1f899952beb28b8f902f048e31efb6ab4817cafc6d84c7f4676b50936715667a67df7ca965b3ab2a5fc472375b1446c810242eb1cb78b9ac496ed4715e0f89a4e1ae0e2724edd59c954f54196ab55ac1947528fa14e716b7707aeb023bd0a2242da7ac97f3feb7795d9be05cd5b1cc33095599ab4c4d8d583c9e2a4d4ed12b836722370569737fae2d6fa60c8a5b8a80fd71129fe29395746eb746528a8845c5a9d50e7bc4372e7f3f9c6333feec791529a6ae1bc0f620feb604f56969e4ea3445810c72dd0772856feb58f09796f461f7ab1b454c303c810eec7526aeb397520b6114f57a4d906e974e8d4a910afafbb0f030b18887b951052d18578022cb7e33408578cdca34f32012f62d3dd35cb74e9d0fecac52231c5cf5a34d470d3b5413644c4e2af1f1613093a3b0550f8df26d033a35b9b":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 8 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"df8f5124b1e03228f2b96f0df31924bac1d3b5d094da22e6":"230bb26c1ea9d5c8fcf7c122ea994f41":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 64 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"94c8dae772a43b5e00468e0947699b239dfe30ab5f90e2f6":"239c6bceee3583fe7825011e02f01cc0":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 72 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"d81b7162dc6e9e18bea6e258bddb53a1c9f22a4a7177d9dd":"4f3a2b7b229a665776f9cfa42e0c2a615a81f69cc0f0f465":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 248 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"688833d56cf1a0f492bf1f7e35c2fa6299a2b1b5ca2a2823":"4b7c17d7a7189e7955c03abb0ca95fc0c780953787972097ae596d46fe2a8cd75995e6309780ae5f":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"4b0faa630930b0ff8e624aeb4ddfa018a858cfa653132675":"1640db081e87ef7797a9f17509f5bc67d40beaef096131748f413cac3d2500462b61140b31bc3965958af51351903549e4a71db589a6bc67d72ec33b8605a25a539a2043704389e3e0781152dffa9b64d6ec186ed144847434345e6dccefbe26626eebc4c22e3957b2145c46fa11d7819d4195cb43a9db8d2de507c023607548b56a07628ce4c706939fde1bdef8364b2b8fb7db30fc5c8e99f29876130d9f71a8486d99f2c7fc09f646918d4c60e53c7b9f9a8a1e9a023d70448f6b79c3f35cc6b9ace0535147f7f27be66d918895b9106cc83eda1aacdc2bfb7daa75b2867ae63109ecbf9423526511c64c4261e395d9b5a68dd2503ada57cf1b8a18336b8d63d248ec4dedb6e30662336546c86ef83b53504bc3bedd85a027b6b9f0323bd9380d9ba696b77072d98f96b77f9b3ad9e219715122b2dd033529eaf7ecced8be6d1e6467b8e4a61105be9b7a7ce208b6dd6bd34481f80b3bf534fb87904d45986931a088480a8040047c681dc4e8ec1c625a5449d9ab28709d04989c4b1a4ef0f1e379d37fe6f0641b9e705207e9a0652463cd5da71cd50321116d4ff1cbae08063df336482eadc0d117bf119e01f2577afe182e7fa477ec53b754e347a2c742960b9bd355f969e6ae1df2210e75bb44c598b683dd4c8692f4cd1b92125ac9ed10ec4cef6289d3f815cb894e74dff0bb72d51c43cb420d74a31c681c10ad7f9258d77f1f186c926a":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 8 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"da862b25a629d328cf9fac7be0d6ead1cb2404e9bab87a2381a46eb1a81187c5":"5e01a2b9b8413f303a3578d2cc255fda":"d4":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"362586d516d38e4d58b50a441443e75064cf6d6cdb6420862932ba7b0480b0fd":"ea7ee0f5af3a271a9777838ed13c61af":"f1b92d0db744bfee":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 72 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"0e6d542f960c7e61ca190d7fd719fda157030a0a013164613a8c522b52ae685d":"b5cae8a82095abb3478ab167dbc0201d2f4dfc5f81bbe44e":"a957eb4ea02e68ba8b":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 248 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"0445b86d13b7b76c0089a63dec70c32fded9607af63714b7c3cc724f49c1c6e2":"7f63167976e71e43b7b135c8cd12148f826f56e73f6fb6e7f6cefa23c34302ff374d44dd66b6bb01":"7af8c3b32e61f8b5c027383a273927b8fd09b75692bd0b713ec8ecec0bdd2c":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"08f5c088acec18e6cf1f03a8f85d772e327e7fb07f8c2939eb554e84c42ab93d":"dff30fd43647d4be54cf2dfd6187e2ddffb55267313f980fb09c833a9c2bfa558a95861711f0acb2a5c7e731ba22f24a9c4dfdd9e9b0216e9088f817a175b9835b0e17615687a20f68c067205626494cd04fbabc0b3eea7c0a4cd6236bc8b3e52e721dfc357fb8a3722bfcc4c690d8f63dbb864bb6e3a15805aea7270f8eb748deebaa2d066fcda11c2e67221f9a91d2c29a6c79ffae76aa80a2590b4f9e35f623fbf2f8ceb2a205493077556a186e25e5bd52dcff7bcc6909b37a66c1d1431be1b363bb40da25386eaaf5fcabc7be6422a04434a21d1d3105328e7c56770b9f59b03395e4138f5f06fc7e6b80dab87b08caa7bfffc45a095c15263efd3f06c651ded6f58074efc20620d704997fc84721a0a8e9e5b9f5cd330bbb156b31d9d1b1c260e4a24535f30404dc5b2dd6b35d916a1391b25a7d8790be09d85483ed1522074a2785812005bda10dd55acb245b3bd3d9bb777dd23f9b02538ba1a114ba53386d7ca4d9524b2f8a18e0ffb21580b560540bb2146f08f04974b90eb324547d56222df95f44bc6e5f183bef283e4816fb1b2933f9c7c6726a245a495e304d8318d0008c51b0be8090f8f668fbc3f31e073be4b9e97468f4dd8c798e9d682868df493db8a85738b58cfd005190f365849072577772672c6f82555c65046eb34e86fe61103327a063bacbbe33cea7eaa3d1de45471b7269e1b6b38608626e323447a3d5fe0599a6":"8b68f66a3d2f59d419851b94d9a6f2f0e667f8125e11d463a6bc2cea46b12dcc40ce8018b204972c735fdd6d2d05b628f4905c6690f5ac5b1b51e12f3af2dc3ae9b9dab616f0a2a66a1ac197592fd5b15900547f32f54110b58d51a0340aa80e9eeb7b2e0eb97e80aa22ba918f2fe1c678c730ed5c3d8d24774f17d8ab6e01a06243d36e764df1dbb8af1faadbc55281f0242abd7a162c984fd0b05ab8b0bcaedffb2962024f009a8d7c9e71281c09f52ec0707ee3bbeb1ecb918be6ae3e9c1fabbcd3512af928db3ba6c109ff9e9839a616b2a53f092160a48222b84d53cd52490515ef93e1ebb33897263492ab8ec6fad2e633276ae367f76d7f926309478c0205d4f22506a451795dc98f5410d8f5d3e049cbedf381620861e7b4ae08f2d8a71abc1f230248cb636a2d7b4e7717ab2b7b5f2dc6e5b5a18e8043254208b50fd6f8929eaf974c48551233661ad67321b64d69245d536d9a8ca2a6a10966dddb9d2ce36641c9281c460ae524b077867258f638e6ac872cb5f5c6fb216b1ae60a9d0c5ea0dbcd060f255da26111175af4e9935df59ddade6a2a70cddff8cae6a98e4f3843c2dd59d09053b07b648a46f5de0eb21ebb192828279a386ea3eedf2cdc355d73d51111e8c1d522e059752bc56226a4225bcab713bfaaaec78167d7cfd33e913b26fda93ca7524aa8a8b17977c88ff9bc23ea810b4de59eac18d1523b":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 8 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"5fc3ef43eef256993fb00e6ccc90f60319f10a3bc9fe5ca4ec876c165e2a7720":"f3d922a948969acca293bc3daa027e48":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 64 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"398444df32841be9e699c64faa92630c834564b8384876dceb471c4056fc8299":"30032c9a3ed00d29512d8c725fa86a4b":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"64b69233fe392c0bcda28a931cc3527b1a8f29235c1adf6256556c685cb89b9f":"6b5fd75ad16eda04a8b29f1bc0411ae28befbad9e474f2d8":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 248 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"8c35fb77766d04f48d5b52275c5c5f31f568078419e5c2335918965fbe53cedd":"bacccb1714dbaa4908c2654aa8dbb1ddbddd8ab819429b026619fb1c0fa75a8247372b2feeab1e1d":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"1726706350c11e6883955f24ea11ab247ce3b2ab54d05e67ad9770b5564483dd":"b006f26a67d0e1e2cbeb5c23b6b300adc1526d1f17bbe964fe8237ae244878158e6b04cb488786b5258ac973c3a2eafd7fcf3a7ca6c825155659fbc53d112bc78b3a770cf059fdd5e68f2b4bfa36de3721231102e5041c947fba3d906bff39592ec3901a398da23035f1190e99b58659330cc2e856ee87ad4197dcc7d16e1f062275bced1ed5cd82163ae3e58da7368dc2aadac855385bd4fa0b8baadef608d0a5c27172d12b88c70b136eeccf37f36364361a990dc50815743cab1636e661bff04ca8345520c30b935a060b450526b1d6ac09170e5b0a327b88f42327b85c9a621d2ca745963c2815a2bfcf509d50b6058ed6e67f369b5608d2aa885238b67d1b8e0d83f9464aa473bf109350fcc02e360c2619236cbfbf895b607895530d8d3d2e41450750dad05b1c37ef15db7fb4707597ac252e8e58d4c1ab2713b427643d198164c908b5d8ff36e9700157284009c7b283633d8b27b378bb65eff8aa59b5fe5e6437a1d53a99c106c2c4d033d3d23950e313a10eb31d68524ae9f8e4f56437acf66db3e8f77407a15bbff4b393e5559908993146d93c673d2aeb7d4cb8fc8d0169de7ed6e2bbe6ce9958a0f5d201419e7acb17e47da827ba380d6b3ad3b5a8c2101c5fb501110c727169065f23297947f538ab3ec165d61edc1f6a9e1735e9b7fc06d4d3406cf8f9c6a68b196cf262324a986705fbc802cdd2e6b4ebcf68e6bb9e793ae644":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+KW AES-128 wrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F":"00112233445566778899AABBCCDDEEFF":"1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5"
+
+KW AES-192 wrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F1011121314151617":"00112233445566778899AABBCCDDEEFF":"96778B25AE6CA435F92B5B97C050AED2468AB8A17AD84E5D"
+
+KW AES-256 wrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"00112233445566778899AABBCCDDEEFF":"64E8C3F9CE0F5BA263E9777905818A2A93C8191E7D6E8AE7"
+
+KW AES-128 unwrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F":"1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5":"00112233445566778899AABBCCDDEEFF":0
+
+KW AES-192 unwrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F1011121314151617":"031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2":"00112233445566778899AABBCCDDEEFF0001020304050607":0
+
+KW AES-256 unwrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1":"00112233445566778899AABBCCDDEEFF0001020304050607":0
+
+KWP AES-192 wrap rfc 5649
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8":"c37b7e6492584340bed12207808941155068f738":"138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a"
+
+KWP AES-192 wrap rfc 5649
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8":"466f7250617369":"afbeb0f07dfbf5419200f2ccb50bb24f"
diff --git a/tests/suites/test_suite_nist_kw.function b/tests/suites/test_suite_nist_kw.function
new file mode 100644
index 0000000..eb67c03
--- /dev/null
+++ b/tests/suites/test_suite_nist_kw.function
@@ -0,0 +1,343 @@
+/* BEGIN_HEADER */
+#include "mbedtls/nist_kw.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_NIST_KW_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_AES_C */
+void mbedtls_nist_kw_self_test( )
+{
+ TEST_ASSERT( mbedtls_nist_kw_self_test( 1 ) == 0 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+void mbedtls_nist_kw_mix_contexts( )
+{
+ mbedtls_nist_kw_context ctx1, ctx2;
+ unsigned char key[16];
+ unsigned char plaintext[32];
+ unsigned char ciphertext1[40];
+ unsigned char ciphertext2[40];
+ size_t output_len, i;
+
+ memset( plaintext, 0, sizeof( plaintext ) );
+ memset( ciphertext1, 0, sizeof( ciphertext1 ) );
+ memset( ciphertext2, 0, sizeof( ciphertext2 ) );
+ memset( key, 0, sizeof( key ) );
+
+ /*
+ * 1. Check wrap and unwrap with two seperate contexts
+ */
+ mbedtls_nist_kw_init( &ctx1 );
+ mbedtls_nist_kw_init( &ctx2 );
+
+ TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx1,
+ MBEDTLS_CIPHER_ID_AES,
+ key, sizeof( key ) * 8,
+ 1 ) == 0 );
+
+ TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx1, MBEDTLS_KW_MODE_KW,
+ plaintext, sizeof( plaintext ),
+ ciphertext1, &output_len,
+ sizeof( ciphertext1 ) ) == 0 );
+ TEST_ASSERT( output_len == sizeof( ciphertext1 ) );
+
+ TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx2,
+ MBEDTLS_CIPHER_ID_AES,
+ key, sizeof( key ) * 8,
+ 0 ) == 0 );
+
+ TEST_ASSERT( mbedtls_nist_kw_unwrap( &ctx2, MBEDTLS_KW_MODE_KW,
+ ciphertext1, output_len,
+ plaintext, &output_len,
+ sizeof( plaintext ) ) == 0 );
+
+ TEST_ASSERT( output_len == sizeof( plaintext ) );
+ for( i = 0; i < sizeof( plaintext ); i++ )
+ {
+ TEST_ASSERT( plaintext[i] == 0 );
+ }
+ mbedtls_nist_kw_free( &ctx1 );
+ mbedtls_nist_kw_free( &ctx2 );
+
+ /*
+ * 2. Check wrapping with two modes, on same context
+ */
+ mbedtls_nist_kw_init( &ctx1 );
+ mbedtls_nist_kw_init( &ctx2 );
+ output_len = sizeof( ciphertext1 );
+
+ TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx1,
+ MBEDTLS_CIPHER_ID_AES,
+ key, sizeof( key ) * 8,
+ 1 ) == 0 );
+
+ TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx1, MBEDTLS_KW_MODE_KW,
+ plaintext, sizeof( plaintext ),
+ ciphertext1, &output_len,
+ sizeof( ciphertext1 ) ) == 0 );
+ TEST_ASSERT( output_len == sizeof( ciphertext1 ) );
+
+ TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx1, MBEDTLS_KW_MODE_KWP,
+ plaintext, sizeof( plaintext ),
+ ciphertext2, &output_len,
+ sizeof( ciphertext2 ) ) == 0 );
+
+ TEST_ASSERT( output_len == sizeof( ciphertext2 ) );
+
+ TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx2,
+ MBEDTLS_CIPHER_ID_AES,
+ key, sizeof( key ) * 8,
+ 0 ) == 0 );
+
+ TEST_ASSERT( mbedtls_nist_kw_unwrap( &ctx2, MBEDTLS_KW_MODE_KW,
+ ciphertext1, sizeof( ciphertext1 ),
+ plaintext, &output_len,
+ sizeof( plaintext ) ) == 0 );
+
+ TEST_ASSERT( output_len == sizeof( plaintext ) );
+
+ for( i = 0; i < sizeof( plaintext ); i++ )
+ {
+ TEST_ASSERT( plaintext[i] == 0 );
+ }
+
+ TEST_ASSERT( mbedtls_nist_kw_unwrap( &ctx2, MBEDTLS_KW_MODE_KWP,
+ ciphertext2, sizeof( ciphertext2 ),
+ plaintext, &output_len,
+ sizeof( plaintext ) ) == 0 );
+
+ TEST_ASSERT( output_len == sizeof( plaintext ) );
+
+ for( i = 0; i < sizeof( plaintext ); i++ )
+ {
+ TEST_ASSERT( plaintext[i] == 0 );
+ }
+
+exit:
+ mbedtls_nist_kw_free( &ctx1 );
+ mbedtls_nist_kw_free( &ctx2 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_nist_kw_setkey( int cipher_id, int key_size,
+ int is_wrap, int result )
+{
+ mbedtls_nist_kw_context ctx;
+ unsigned char key[32];
+ int ret;
+
+ mbedtls_nist_kw_init( &ctx );
+
+ memset( key, 0x2A, sizeof( key ) );
+ TEST_ASSERT( (unsigned) key_size <= 8 * sizeof( key ) );
+
+ ret = mbedtls_nist_kw_setkey( &ctx, cipher_id, key, key_size, is_wrap );
+ TEST_ASSERT( ret == result );
+
+exit:
+ mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+void nist_kw_plaintext_lengths( int in_len, int out_len, int mode, int res )
+{
+ mbedtls_nist_kw_context ctx;
+ unsigned char key[16];
+ unsigned char *plaintext = NULL;
+ unsigned char *ciphertext = NULL;
+ size_t output_len = out_len;
+
+ mbedtls_nist_kw_init( &ctx );
+
+ memset( key, 0, sizeof( key ) );
+
+ if (in_len == 0)
+ {
+ /* mbedtls_calloc can return NULL for zero-length buffers. Make sure we
+ * always have a plaintext buffer, even if the length is 0. */
+ plaintext = mbedtls_calloc( 1, 1 );
+ }
+ else
+ {
+ plaintext = mbedtls_calloc( 1, in_len );
+ }
+ TEST_ASSERT( plaintext != NULL );
+ ciphertext = mbedtls_calloc( 1, output_len );
+ TEST_ASSERT( ciphertext != NULL );
+
+ memset( plaintext, 0, in_len );
+ memset( ciphertext, 0, output_len );
+
+
+ TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+ key, 8 * sizeof( key ), 1 ) == 0 );
+
+ TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx, mode, plaintext, in_len,
+ ciphertext, &output_len,
+ output_len ) == res );
+ if( res == 0 )
+ {
+ if( mode == MBEDTLS_KW_MODE_KWP )
+ TEST_ASSERT( output_len == (size_t) in_len + 8 -
+ ( in_len % 8 ) + 8 );
+ else
+ TEST_ASSERT( output_len == (size_t) in_len + 8 );
+ }
+ else
+ {
+ TEST_ASSERT( output_len == 0 );
+ }
+
+exit:
+ mbedtls_free( ciphertext );
+ mbedtls_free( plaintext );
+ mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+void nist_kw_ciphertext_lengths( int in_len, int out_len, int mode, int res )
+{
+ mbedtls_nist_kw_context ctx;
+ unsigned char key[16];
+ unsigned char *plaintext = NULL;
+ unsigned char *ciphertext = NULL;
+ int unwrap_ret;
+ size_t output_len = out_len;
+
+ mbedtls_nist_kw_init( &ctx );
+
+ memset( key, 0, sizeof( key ) );
+
+ plaintext = mbedtls_calloc( 1, output_len );
+ TEST_ASSERT( plaintext != NULL );
+ ciphertext = mbedtls_calloc( 1, in_len );
+ TEST_ASSERT( ciphertext != NULL );
+
+ memset( plaintext, 0, output_len );
+ memset( ciphertext, 0, in_len );
+
+
+ TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+ key, 8 * sizeof( key ), 0 ) == 0 );
+ unwrap_ret = mbedtls_nist_kw_unwrap( &ctx, mode, ciphertext, in_len,
+ plaintext, &output_len,
+ output_len );
+
+ if( res == 0 )
+ TEST_ASSERT( unwrap_ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+ else
+ TEST_ASSERT( unwrap_ret == res );
+
+ TEST_ASSERT( output_len == 0 );
+
+exit:
+ mbedtls_free( ciphertext );
+ mbedtls_free( plaintext );
+ mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_nist_kw_wrap( int cipher_id, int mode,
+ char *key_hex, char *msg_hex,
+ char *result_hex )
+{
+ unsigned char key[32];
+ unsigned char msg[512];
+ unsigned char result[528];
+ unsigned char expected_result[528];
+ mbedtls_nist_kw_context ctx;
+ size_t key_len, msg_len, output_len, result_len, i, padlen;
+
+ mbedtls_nist_kw_init( &ctx );
+
+ memset( key, 0x00, sizeof( key ) );
+ memset( msg, 0x00, sizeof( msg ) );
+ memset( result, '+', sizeof( result ) );
+
+ key_len = unhexify( key, key_hex );
+ msg_len = unhexify( msg, msg_hex );
+ result_len = unhexify( expected_result, result_hex );
+ output_len = sizeof( result );
+
+ TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx, cipher_id, key, key_len * 8, 1 )
+ == 0 );
+
+ /* Test with input == output */
+ TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx, mode, msg, msg_len,
+ result, &output_len, sizeof( result ) ) == 0 );
+
+ TEST_ASSERT( output_len == result_len );
+
+ TEST_ASSERT( memcmp( expected_result, result, result_len ) == 0 );
+
+ padlen = ( msg_len % 8 != 0 ) ? 8 - (msg_len % 8 ) : 0;
+ /* Check that the function didn't write beyond the end of the buffer. */
+ for( i = msg_len + 8 + padlen; i < sizeof( result ); i++ )
+ {
+ TEST_ASSERT( result[i] == '+' );
+ }
+
+exit:
+ mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_nist_kw_unwrap( int cipher_id, int mode,
+ char *key_hex, char *msg_hex,
+ char *result_hex, int expected_ret )
+{
+ unsigned char key[32];
+ unsigned char msg[528];
+ unsigned char result[528];
+ unsigned char expected_result[528];
+ mbedtls_nist_kw_context ctx;
+ size_t key_len, msg_len, output_len, result_len, i;
+
+ mbedtls_nist_kw_init( &ctx );
+
+ memset( key, 0x00, sizeof( key ) );
+ memset( msg, 0x00, sizeof( msg ) );
+ memset( result, '+', sizeof( result ) );
+ memset( expected_result, 0x00, sizeof( expected_result ) );
+
+ key_len = unhexify( key, key_hex );
+ msg_len = unhexify( msg, msg_hex );
+ result_len = unhexify( expected_result, result_hex );
+ output_len = sizeof( result );
+
+ TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx, cipher_id, key, key_len * 8, 0 )
+ == 0 );
+
+ /* Test with input == output */
+ TEST_ASSERT( mbedtls_nist_kw_unwrap( &ctx, mode, msg, msg_len,
+ result, &output_len, sizeof( result ) ) == expected_ret );
+ if( expected_ret == 0 )
+ {
+ TEST_ASSERT( output_len == result_len );
+ TEST_ASSERT( memcmp( expected_result, result, result_len ) == 0 );
+ }
+ else
+ {
+ TEST_ASSERT( output_len == 0 );
+ }
+
+ /* Check that the function didn't write beyond the end of the buffer. */
+ for( i = msg_len - 8; i < sizeof( result ); i++ )
+ {
+ TEST_ASSERT( result[i] == '+' );
+ }
+
+exit:
+ mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_poly1305.data b/tests/suites/test_suite_poly1305.data
new file mode 100644
index 0000000..13912e9
--- /dev/null
+++ b/tests/suites/test_suite_poly1305.data
@@ -0,0 +1,42 @@
+Poly1305 RFC 7539 Example And Test Vector
+mbedtls_poly1305:"85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b":"a8061dc1305136c6c22b8baf0c0127a9":"43727970746f6772617068696320466f72756d2052657365617263682047726f7570"
+
+Poly1305 RFC 7539 Test Vector #1
+mbedtls_poly1305:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+
+Poly1305 RFC 7539 Test Vector #2
+mbedtls_poly1305:"0000000000000000000000000000000036e5f6b5c5e06070f0efca96227a863e":"36e5f6b5c5e06070f0efca96227a863e":"416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f"
+
+Poly1305 RFC 7539 Test Vector #3
+mbedtls_poly1305:"36e5f6b5c5e06070f0efca96227a863e00000000000000000000000000000000":"f3477e7cd95417af89a6b8794c310cf0":"416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f"
+
+Poly1305 RFC 7539 Test Vector #4
+mbedtls_poly1305:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"4541669a7eaaee61e708dc7cbcc5eb62":"2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e"
+
+Poly1305 RFC 7539 Test Vector #5
+mbedtls_poly1305:"0200000000000000000000000000000000000000000000000000000000000000":"03000000000000000000000000000000":"ffffffffffffffffffffffffffffffff"
+
+Poly1305 RFC 7539 Test Vector #6
+mbedtls_poly1305:"02000000000000000000000000000000ffffffffffffffffffffffffffffffff":"03000000000000000000000000000000":"02000000000000000000000000000000"
+
+Poly1305 RFC 7539 Test Vector #7
+mbedtls_poly1305:"0100000000000000000000000000000000000000000000000000000000000000":"05000000000000000000000000000000":"fffffffffffffffffffffffffffffffff0ffffffffffffffffffffffffffffff11000000000000000000000000000000"
+
+Poly1305 RFC 7539 Test Vector #8
+mbedtls_poly1305:"0100000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"fffffffffffffffffffffffffffffffffbfefefefefefefefefefefefefefefe01010101010101010101010101010101"
+
+Poly1305 RFC 7539 Test Vector #9
+mbedtls_poly1305:"0200000000000000000000000000000000000000000000000000000000000000":"faffffffffffffffffffffffffffffff":"fdffffffffffffffffffffffffffffff"
+
+Poly1305 RFC 7539 Test Vector #10
+mbedtls_poly1305:"0100000000000000040000000000000000000000000000000000000000000000":"14000000000000005500000000000000":"e33594d7505e43b900000000000000003394d7505e4379cd01000000000000000000000000000000000000000000000001000000000000000000000000000000"
+
+Poly1305 RFC 7539 Test Vector #11
+mbedtls_poly1305:"0100000000000000040000000000000000000000000000000000000000000000":"13000000000000000000000000000000":"e33594d7505e43b900000000000000003394d7505e4379cd010000000000000000000000000000000000000000000000"
+
+Poly1305 Parameter validation
+poly1305_bad_params:
+
+Poly1305 Selftest
+depends_on:MBEDTLS_SELF_TEST
+poly1305_selftest:
diff --git a/tests/suites/test_suite_poly1305.function b/tests/suites/test_suite_poly1305.function
new file mode 100644
index 0000000..62d2ad9
--- /dev/null
+++ b/tests/suites/test_suite_poly1305.function
@@ -0,0 +1,140 @@
+/* BEGIN_HEADER */
+#include "mbedtls/poly1305.h"
+#include <stddef.h>
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_POLY1305_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void mbedtls_poly1305( char *hex_key_string, char *hex_mac_string, char *hex_src_string )
+{
+ unsigned char src_str[375]; /* max size of binary input */
+ unsigned char key[32]; /* size set by the standard */
+ unsigned char mac[16]; /* size set by the standard */
+ unsigned char mac_str[33]; /* hex expansion of the above */
+ size_t src_len;
+ mbedtls_poly1305_context ctx;
+
+ memset( src_str, 0x00, sizeof( src_str ) );
+ memset( mac_str, 0x00, sizeof( mac_str ) );
+ memset( key, 0x00, sizeof( key ) );
+ memset( mac, 0x00, sizeof( mac ) );
+
+ src_len = unhexify( src_str, hex_src_string );
+ unhexify( key, hex_key_string );
+
+ /*
+ * Test the integrated API
+ */
+ TEST_ASSERT( mbedtls_poly1305_mac( key, src_str, src_len, mac ) == 0 );
+
+ hexify( mac_str, mac, 16 );
+ TEST_ASSERT( strcmp( (char *) mac_str, hex_mac_string ) == 0 );
+
+ /*
+ * Test the streaming API
+ */
+ mbedtls_poly1305_init( &ctx );
+
+ TEST_ASSERT( mbedtls_poly1305_starts( &ctx, key ) == 0 );
+
+ TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str, src_len ) == 0 );
+
+ TEST_ASSERT( mbedtls_poly1305_finish( &ctx, mac ) == 0 );
+
+ hexify( mac_str, mac, 16 );
+ TEST_ASSERT( strcmp( (char *) mac_str, hex_mac_string ) == 0 );
+
+ /*
+ * Test the streaming API again, piecewise
+ */
+
+ /* Don't free/init the context, in order to test that starts() does the
+ * right thing. */
+ if( src_len >= 1 )
+ {
+ TEST_ASSERT( mbedtls_poly1305_starts( &ctx, key ) == 0 );
+
+ TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str, 1 ) == 0 );
+ TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str + 1, src_len - 1 ) == 0 );
+
+ TEST_ASSERT( mbedtls_poly1305_finish( &ctx, mac ) == 0 );
+
+ hexify( mac_str, mac, 16 );
+ TEST_ASSERT( strcmp( (char *) mac_str, hex_mac_string ) == 0 );
+ }
+
+ /*
+ * Again with more pieces
+ */
+ if( src_len >= 2 )
+ {
+ TEST_ASSERT( mbedtls_poly1305_starts( &ctx, key ) == 0 );
+
+ TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str, 1 ) == 0 );
+ TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str + 1, 1 ) == 0 );
+ TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str + 2, src_len - 2 ) == 0 );
+
+ TEST_ASSERT( mbedtls_poly1305_finish( &ctx, mac ) == 0 );
+
+ hexify( mac_str, mac, 16 );
+ TEST_ASSERT( strcmp( (char *) mac_str, hex_mac_string ) == 0 );
+ }
+
+ mbedtls_poly1305_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void poly1305_bad_params()
+{
+ unsigned char src[1];
+ unsigned char key[32];
+ unsigned char mac[16];
+ size_t src_len = sizeof( src );
+ mbedtls_poly1305_context ctx;
+
+ mbedtls_poly1305_init( NULL );
+ mbedtls_poly1305_free( NULL );
+
+ mbedtls_poly1305_init( &ctx );
+
+ TEST_ASSERT( mbedtls_poly1305_starts( NULL, key )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_poly1305_starts( &ctx, NULL )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_poly1305_update( NULL, src, 0 )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_poly1305_update( &ctx, NULL, src_len )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_poly1305_update( &ctx, NULL, 0 )
+ == 0 );
+
+ TEST_ASSERT( mbedtls_poly1305_finish( NULL, mac )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_poly1305_finish( &ctx, NULL )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+
+ TEST_ASSERT( mbedtls_poly1305_mac( NULL, src, 0, mac )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_poly1305_mac( key, NULL, src_len, mac )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_poly1305_mac( key, src, 0, NULL )
+ == MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_poly1305_mac( key, NULL, 0, mac )
+ == 0 );
+
+ mbedtls_poly1305_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void poly1305_selftest()
+{
+ TEST_ASSERT( mbedtls_poly1305_self_test( 1 ) == 0 );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 0aca470..7631791 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compiletime library version
-check_compiletime_version:"2.9.0"
+check_compiletime_version:"2.11.0"
Check runtime library version
-check_runtime_version:"2.9.0"
+check_runtime_version:"2.11.0"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj
index 802cce7..73c92bd 100644
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@@ -149,6 +149,7 @@
<ClInclude Include="..\..\include\mbedtls\aes.h" />
<ClInclude Include="..\..\include\mbedtls\aesni.h" />
<ClInclude Include="..\..\include\mbedtls\arc4.h" />
+ <ClInclude Include="..\..\include\mbedtls\aria.h" />
<ClInclude Include="..\..\include\mbedtls\asn1.h" />
<ClInclude Include="..\..\include\mbedtls\asn1write.h" />
<ClInclude Include="..\..\include\mbedtls\base64.h" />
@@ -158,6 +159,8 @@
<ClInclude Include="..\..\include\mbedtls\camellia.h" />
<ClInclude Include="..\..\include\mbedtls\ccm.h" />
<ClInclude Include="..\..\include\mbedtls\certs.h" />
+ <ClInclude Include="..\..\include\mbedtls\chacha20.h" />
+ <ClInclude Include="..\..\include\mbedtls\chachapoly.h" />
<ClInclude Include="..\..\include\mbedtls\check_config.h" />
<ClInclude Include="..\..\include\mbedtls\cipher.h" />
<ClInclude Include="..\..\include\mbedtls\cipher_internal.h" />
@@ -178,6 +181,7 @@
<ClInclude Include="..\..\include\mbedtls\error.h" />
<ClInclude Include="..\..\include\mbedtls\gcm.h" />
<ClInclude Include="..\..\include\mbedtls\havege.h" />
+ <ClInclude Include="..\..\include\mbedtls\hkdf.h" />
<ClInclude Include="..\..\include\mbedtls\hmac_drbg.h" />
<ClInclude Include="..\..\include\mbedtls\md.h" />
<ClInclude Include="..\..\include\mbedtls\md2.h" />
@@ -187,6 +191,7 @@
<ClInclude Include="..\..\include\mbedtls\memory_buffer_alloc.h" />
<ClInclude Include="..\..\include\mbedtls\net.h" />
<ClInclude Include="..\..\include\mbedtls\net_sockets.h" />
+ <ClInclude Include="..\..\include\mbedtls\nist_kw.h" />
<ClInclude Include="..\..\include\mbedtls\oid.h" />
<ClInclude Include="..\..\include\mbedtls\padlock.h" />
<ClInclude Include="..\..\include\mbedtls\pem.h" />
@@ -198,6 +203,7 @@
<ClInclude Include="..\..\include\mbedtls\platform.h" />
<ClInclude Include="..\..\include\mbedtls\platform_time.h" />
<ClInclude Include="..\..\include\mbedtls\platform_util.h" />
+ <ClInclude Include="..\..\include\mbedtls\poly1305.h" />
<ClInclude Include="..\..\include\mbedtls\ripemd160.h" />
<ClInclude Include="..\..\include\mbedtls\rsa.h" />
<ClInclude Include="..\..\include\mbedtls\rsa_internal.h" />
@@ -223,6 +229,7 @@
<ClCompile Include="..\..\library\aes.c" />
<ClCompile Include="..\..\library\aesni.c" />
<ClCompile Include="..\..\library\arc4.c" />
+ <ClCompile Include="..\..\library\aria.c" />
<ClCompile Include="..\..\library\asn1parse.c" />
<ClCompile Include="..\..\library\asn1write.c" />
<ClCompile Include="..\..\library\base64.c" />
@@ -231,6 +238,8 @@
<ClCompile Include="..\..\library\camellia.c" />
<ClCompile Include="..\..\library\ccm.c" />
<ClCompile Include="..\..\library\certs.c" />
+ <ClCompile Include="..\..\library\chacha20.c" />
+ <ClCompile Include="..\..\library\chachapoly.c" />
<ClCompile Include="..\..\library\cipher.c" />
<ClCompile Include="..\..\library\cipher_wrap.c" />
<ClCompile Include="..\..\library\cmac.c" />
@@ -248,6 +257,7 @@
<ClCompile Include="..\..\library\error.c" />
<ClCompile Include="..\..\library\gcm.c" />
<ClCompile Include="..\..\library\havege.c" />
+ <ClCompile Include="..\..\library\hkdf.c" />
<ClCompile Include="..\..\library\hmac_drbg.c" />
<ClCompile Include="..\..\library\md.c" />
<ClCompile Include="..\..\library\md2.c" />
@@ -256,6 +266,7 @@
<ClCompile Include="..\..\library\md_wrap.c" />
<ClCompile Include="..\..\library\memory_buffer_alloc.c" />
<ClCompile Include="..\..\library\net_sockets.c" />
+ <ClCompile Include="..\..\library\nist_kw.c" />
<ClCompile Include="..\..\library\oid.c" />
<ClCompile Include="..\..\library\padlock.c" />
<ClCompile Include="..\..\library\pem.c" />
@@ -268,6 +279,7 @@
<ClCompile Include="..\..\library\pkwrite.c" />
<ClCompile Include="..\..\library\platform.c" />
<ClCompile Include="..\..\library\platform_util.c" />
+ <ClCompile Include="..\..\library\poly1305.c" />
<ClCompile Include="..\..\library\ripemd160.c" />
<ClCompile Include="..\..\library\rsa.c" />
<ClCompile Include="..\..\library\rsa_internal.c" />
diff --git a/visualc/VS2010/md5sum.vcxproj b/visualc/VS2010/md5sum.vcxproj
deleted file mode 100644
index 6f20e57..0000000
--- a/visualc/VS2010/md5sum.vcxproj
+++ /dev/null
@@ -1,170 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
- <ItemGroup Label="ProjectConfigurations">
- <ProjectConfiguration Include="Debug|Win32">
- <Configuration>Debug</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Debug|x64">
- <Configuration>Debug</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|Win32">
- <Configuration>Release</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|x64">
- <Configuration>Release</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- </ItemGroup>
- <ItemGroup>
- <ClCompile Include="..\..\programs\hash\md5sum.c" />
- </ItemGroup>
- <ItemGroup>
- <ProjectReference Include="mbedTLS.vcxproj">
- <Project>{46cf2d25-6a36-4189-b59c-e4815388e554}</Project>
- <LinkLibraryDependencies>true</LinkLibraryDependencies>
- </ProjectReference>
- </ItemGroup>
- <PropertyGroup Label="Globals">
- <ProjectGuid>{80FE1ECF-6992-A275-7973-E2976718D128}</ProjectGuid>
- <Keyword>Win32Proj</Keyword>
- <RootNamespace>md5sum</RootNamespace>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- <PlatformToolset>Windows7.1SDK</PlatformToolset>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
- <ImportGroup Label="ExtensionSettings">
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <PropertyGroup Label="UserMacros" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <LinkIncremental>true</LinkIncremental>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <LinkIncremental>true</LinkIncremental>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <LinkIncremental>false</LinkIncremental>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <LinkIncremental>false</LinkIncremental>
- </PropertyGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <ClCompile>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <ShowProgress>NotSet</ShowProgress>
- <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
- <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
- </Link>
- <ProjectReference>
- <LinkLibraryDependencies>false</LinkLibraryDependencies>
- </ProjectReference>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <ClCompile>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <ShowProgress>NotSet</ShowProgress>
- <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
- <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
- </Link>
- <ProjectReference>
- <LinkLibraryDependencies>false</LinkLibraryDependencies>
- </ProjectReference>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
- <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
- <AdditionalDependencies>%(AdditionalDependencies);</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
- <ImportGroup Label="ExtensionTargets">
- </ImportGroup>
-</Project>
diff --git a/visualc/VS2010/sha1sum.vcxproj b/visualc/VS2010/sha1sum.vcxproj
deleted file mode 100644
index 2c3674b..0000000
--- a/visualc/VS2010/sha1sum.vcxproj
+++ /dev/null
@@ -1,170 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
- <ItemGroup Label="ProjectConfigurations">
- <ProjectConfiguration Include="Debug|Win32">
- <Configuration>Debug</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Debug|x64">
- <Configuration>Debug</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|Win32">
- <Configuration>Release</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|x64">
- <Configuration>Release</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- </ItemGroup>
- <ItemGroup>
- <ClCompile Include="..\..\programs\hash\sha1sum.c" />
- </ItemGroup>
- <ItemGroup>
- <ProjectReference Include="mbedTLS.vcxproj">
- <Project>{46cf2d25-6a36-4189-b59c-e4815388e554}</Project>
- <LinkLibraryDependencies>true</LinkLibraryDependencies>
- </ProjectReference>
- </ItemGroup>
- <PropertyGroup Label="Globals">
- <ProjectGuid>{E91D12D7-01C0-357F-CAB1-8478B096743C}</ProjectGuid>
- <Keyword>Win32Proj</Keyword>
- <RootNamespace>sha1sum</RootNamespace>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- <PlatformToolset>Windows7.1SDK</PlatformToolset>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
- <ImportGroup Label="ExtensionSettings">
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <PropertyGroup Label="UserMacros" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <LinkIncremental>true</LinkIncremental>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <LinkIncremental>true</LinkIncremental>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <LinkIncremental>false</LinkIncremental>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <LinkIncremental>false</LinkIncremental>
- </PropertyGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <ClCompile>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <ShowProgress>NotSet</ShowProgress>
- <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
- <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
- </Link>
- <ProjectReference>
- <LinkLibraryDependencies>false</LinkLibraryDependencies>
- </ProjectReference>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <ClCompile>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <ShowProgress>NotSet</ShowProgress>
- <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
- <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
- </Link>
- <ProjectReference>
- <LinkLibraryDependencies>false</LinkLibraryDependencies>
- </ProjectReference>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
- <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
- <AdditionalDependencies>%(AdditionalDependencies);</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
- <ImportGroup Label="ExtensionTargets">
- </ImportGroup>
-</Project>
diff --git a/visualc/VS2010/sha2sum.vcxproj b/visualc/VS2010/sha2sum.vcxproj
deleted file mode 100644
index b1afb67..0000000
--- a/visualc/VS2010/sha2sum.vcxproj
+++ /dev/null
@@ -1,170 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
- <ItemGroup Label="ProjectConfigurations">
- <ProjectConfiguration Include="Debug|Win32">
- <Configuration>Debug</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Debug|x64">
- <Configuration>Debug</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|Win32">
- <Configuration>Release</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
- <ProjectConfiguration Include="Release|x64">
- <Configuration>Release</Configuration>
- <Platform>x64</Platform>
- </ProjectConfiguration>
- </ItemGroup>
- <ItemGroup>
- <ClCompile Include="..\..\programs\hash\sha2sum.c" />
- </ItemGroup>
- <ItemGroup>
- <ProjectReference Include="mbedTLS.vcxproj">
- <Project>{46cf2d25-6a36-4189-b59c-e4815388e554}</Project>
- <LinkLibraryDependencies>true</LinkLibraryDependencies>
- </ProjectReference>
- </ItemGroup>
- <PropertyGroup Label="Globals">
- <ProjectGuid>{8C5CF095-A0A4-54FB-0D48-8DF2B7FE4CA5}</ProjectGuid>
- <Keyword>Win32Proj</Keyword>
- <RootNamespace>sha2sum</RootNamespace>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>Unicode</CharacterSet>
- <PlatformToolset>Windows7.1SDK</PlatformToolset>
- </PropertyGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
- <ImportGroup Label="ExtensionSettings">
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
- <PropertyGroup Label="UserMacros" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <LinkIncremental>true</LinkIncremental>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <LinkIncremental>true</LinkIncremental>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <LinkIncremental>false</LinkIncremental>
- </PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <LinkIncremental>false</LinkIncremental>
- </PropertyGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <ClCompile>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <ShowProgress>NotSet</ShowProgress>
- <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
- <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
- </Link>
- <ProjectReference>
- <LinkLibraryDependencies>false</LinkLibraryDependencies>
- </ProjectReference>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
- <ClCompile>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <WarningLevel>Level3</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <ShowProgress>NotSet</ShowProgress>
- <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
- <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
- </Link>
- <ProjectReference>
- <LinkLibraryDependencies>false</LinkLibraryDependencies>
- </ProjectReference>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
- <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
- <ClCompile>
- <WarningLevel>Level3</WarningLevel>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
- </ClCompile>
- <Link>
- <SubSystem>Console</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
- <AdditionalDependencies>%(AdditionalDependencies);</AdditionalDependencies>
- </Link>
- </ItemDefinitionGroup>
- <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
- <ImportGroup Label="ExtensionTargets">
- </ImportGroup>
-</Project>