Merge branch 'development' into development-restricted
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index 8a953b9..da2e66b 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -1,7 +1,15 @@
/**
* \file dhm.h
*
- * \brief Diffie-Hellman-Merkle key exchange
+ * \brief Diffie-Hellman-Merkle key exchange.
+ *
+ * <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for
+ * Internet Key Exchange (IKE)</em> defines a number of standardized
+ * Diffie-Hellman groups for IKE.
+ *
+ * <em>RFC-5114: Additional Diffie-Hellman Groups for Use with IETF
+ * Standards</em> defines a number of standardized Diffie-Hellman
+ * groups that can be used.
*
* \warning The security of the DHM key exchange relies on the proper choice
* of prime modulus - optimally, it should be a safe prime. The usage
@@ -30,7 +38,7 @@
*
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -45,9 +53,9 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*
- * This file is part of mbed TLS (https://tls.mbed.org)
- *
+ * This file is part of Mbed TLS (https://tls.mbed.org)
*/
+
#ifndef MBEDTLS_DHM_H
#define MBEDTLS_DHM_H
@@ -62,7 +70,7 @@
/*
* DHM Error codes
*/
-#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA -0x3080 /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA -0x3080 /**< Bad input parameters. */
#define MBEDTLS_ERR_DHM_READ_PARAMS_FAILED -0x3100 /**< Reading of the DHM parameters failed. */
#define MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED -0x3180 /**< Making of the DHM parameters failed. */
#define MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED -0x3200 /**< Reading of the public values failed. */
@@ -70,7 +78,7 @@
#define MBEDTLS_ERR_DHM_CALC_SECRET_FAILED -0x3300 /**< Calculation of the DHM secret failed. */
#define MBEDTLS_ERR_DHM_INVALID_FORMAT -0x3380 /**< The ASN.1 data is not formatted correctly. */
#define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400 /**< Allocation of memory failed. */
-#define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read/write of file failed. */
+#define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read or write of file failed. */
#define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED -0x3500 /**< DHM hardware accelerator failed. */
#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED -0x3580 /**< Setting the modulus and generator failed. */
@@ -79,35 +87,35 @@
#endif
/**
- * \brief DHM context structure
+ * \brief The DHM context structure.
*/
typedef struct
{
- size_t len; /*!< size(P) in chars */
- mbedtls_mpi P; /*!< prime modulus */
- mbedtls_mpi G; /*!< generator */
- mbedtls_mpi X; /*!< secret value */
- mbedtls_mpi GX; /*!< self = G^X mod P */
- mbedtls_mpi GY; /*!< peer = G^Y mod P */
- mbedtls_mpi K; /*!< key = GY^X mod P */
- mbedtls_mpi RP; /*!< cached R^2 mod P */
- mbedtls_mpi Vi; /*!< blinding value */
- mbedtls_mpi Vf; /*!< un-blinding value */
- mbedtls_mpi pX; /*!< previous X */
+ size_t len; /*!< The size of \p P in Bytes. */
+ mbedtls_mpi P; /*!< The prime modulus. */
+ mbedtls_mpi G; /*!< The generator. */
+ mbedtls_mpi X; /*!< Our secret value. */
+ mbedtls_mpi GX; /*!< Our public key = \c G^X mod \c P. */
+ mbedtls_mpi GY; /*!< The public key of the peer = \c G^Y mod \c P. */
+ mbedtls_mpi K; /*!< The shared secret = \c G^(XY) mod \c P. */
+ mbedtls_mpi RP; /*!< The cached value = \c R^2 mod \c P. */
+ mbedtls_mpi Vi; /*!< The blinding value. */
+ mbedtls_mpi Vf; /*!< The unblinding value. */
+ mbedtls_mpi pX; /*!< The previous \c X. */
}
mbedtls_dhm_context;
/**
- * \brief Initialize DHM context
+ * \brief This function initializes the DHM context.
*
- * \param ctx DHM context to be initialized
+ * \param ctx The DHM context to initialize.
*/
void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
/**
- * \brief Parse the ServerKeyExchange parameters
+ * \brief This function parses the ServerKeyExchange parameters.
*
- * \param ctx DHM context
+ * \param ctx The DHM context.
* \param p On input, *p must be the start of the input buffer.
* On output, *p is updated to point to the end of the data
* that has been read. On success, this is the first byte
@@ -115,23 +123,25 @@
* On error, this is the point at which an error has been
* detected, which is usually not useful except to debug
* failures.
- * \param end end of buffer
+ * \param end The end of the input buffer.
*
- * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ * on failure.
*/
int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
unsigned char **p,
const unsigned char *end );
/**
- * \brief Setup and write the ServerKeyExchange parameters
+ * \brief This function sets up and writes the ServerKeyExchange
+ * parameters.
*
- * \param ctx DHM context
- * \param x_size private value size in bytes
- * \param output destination buffer
- * \param olen number of chars written
- * \param f_rng RNG function
- * \param p_rng RNG parameter
+ * \param ctx The DHM context.
+ * \param x_size The private value size in Bytes.
+ * \param olen The number of characters written.
+ * \param output The destination buffer.
+ * \param f_rng The RNG function.
+ * \param p_rng The RNG parameter.
*
* \note The destination buffer must be large enough to hold
* the reduced binary presentation of the modulus, the generator
@@ -140,12 +150,13 @@
* space is available. Refer to \c mbedtls_mpi_size to computing
* the byte-size of an MPI.
*
- * \note This function assumes that ctx->P and ctx->G
+ * \note This function assumes that \c ctx->P and \c ctx->G
* have already been properly set. For that, use
- * \c mbedtls_dhm_set_group below in conjunction with
- * \c mbedtls_mpi_read_binary and \c mbedtls_mpi_read_string.
+ * mbedtls_dhm_set_group() below in conjunction with
+ * mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
*
- * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ * on failure.
*/
int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
unsigned char *output, size_t *olen,
@@ -155,48 +166,52 @@
/**
* \brief Set prime modulus and generator
*
- * \param ctx DHM context
- * \param P MPI holding DHM prime modulus
- * \param G MPI holding DHM generator
+ * \param ctx The DHM context.
+ * \param P The MPI holding DHM prime modulus.
+ * \param G The MPI holding DHM generator.
*
* \note This function can be used to set P, G
* in preparation for \c mbedtls_dhm_make_params.
*
- * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code
+ * \return \c 0 if successful, or an \c MBEDTLS_ERR_DHM_XXX error code
+ * on failure.
*/
int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
const mbedtls_mpi *P,
const mbedtls_mpi *G );
/**
- * \brief Import the peer's public value G^Y
+ * \brief This function imports the public value G^Y of the peer.
*
- * \param ctx DHM context
- * \param input input buffer
- * \param ilen size of buffer
+ * \param ctx The DHM context.
+ * \param input The input buffer.
+ * \param ilen The size of the input buffer.
*
- * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ * on failure.
*/
int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
const unsigned char *input, size_t ilen );
/**
- * \brief Create own private value X and export G^X
+ * \brief This function creates its own private value \c X and
+ * exports \c G^X.
*
- * \param ctx DHM context
- * \param x_size private value size in bytes
- * \param output destination buffer
- * \param olen size of the destination buffer;
- * must be at least equal to the size of P, ctx->len
- * \param f_rng RNG function
- * \param p_rng RNG parameter
+ * \param ctx The DHM context.
+ * \param x_size The private value size in Bytes.
+ * \param output The destination buffer.
+ * \param olen The length of the destination buffer. Must be at least
+ equal to ctx->len (the size of \c P).
+ * \param f_rng The RNG function.
+ * \param p_rng The RNG parameter.
*
* \note The destination buffer will always be fully written
* so as to contain a big-endian presentation of G^X mod P.
* If it is larger than ctx->len, it will accordingly be
* padded with zero-bytes in the beginning.
*
- * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ * on failure.
*/
int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
unsigned char *output, size_t olen,
@@ -204,23 +219,25 @@
void *p_rng );
/**
- * \brief Derive and export the shared secret (G^Y)^X mod P
+ * \brief This function derives and exports the shared secret
+ * \c (G^Y)^X mod \c P.
*
- * \param ctx DHM context
- * \param output destination buffer
- * \param output_size size of the destination buffer, must be at
- * at least the size of ctx->len
- * \param olen on exit, holds the actual number of bytes written
- * \param f_rng RNG function, for blinding purposes
- * \param p_rng RNG parameter
+ * \param ctx The DHM context.
+ * \param output The destination buffer.
+ * \param output_size The size of the destination buffer. Must be at least
+ * the size of ctx->len.
+ * \param olen On exit, holds the actual number of Bytes written.
+ * \param f_rng The RNG function, for blinding purposes.
+ * \param p_rng The RNG parameter.
*
- * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ * on failure.
*
- * \note If non-NULL, f_rng is used to blind the input as
- * countermeasure against timing attacks. Blinding is
- * automatically used if and only if our secret value X is
- * re-used and costs nothing otherwise, so it is recommended
- * to always pass a non-NULL f_rng argument.
+ * \note If non-NULL, \p f_rng is used to blind the input as
+ * a countermeasure against timing attacks. Blinding is used
+ * only if our secret value \p X is re-used and omitted
+ * otherwise. Therefore, we recommend always passing a
+ * non-NULL \p f_rng argument.
*/
int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
unsigned char *output, size_t output_size, size_t *olen,
@@ -228,23 +245,24 @@
void *p_rng );
/**
- * \brief Free and clear the components of a DHM key
+ * \brief This function frees and clears the components of a DHM key.
*
- * \param ctx DHM context to free and clear
+ * \param ctx The DHM context to free and clear.
*/
void mbedtls_dhm_free( mbedtls_dhm_context *ctx );
#if defined(MBEDTLS_ASN1_PARSE_C)
/** \ingroup x509_module */
/**
- * \brief Parse DHM parameters in PEM or DER format
+ * \brief This function parses DHM parameters in PEM or DER format.
*
- * \param dhm DHM context to be initialized
- * \param dhmin input buffer
- * \param dhminlen size of the buffer
- * (including the terminating null byte for PEM data)
+ * \param dhm The DHM context to initialize.
+ * \param dhmin The input buffer.
+ * \param dhminlen The size of the buffer, including the terminating null
+ * Byte for PEM data.
*
- * \return 0 if successful, or a specific DHM or PEM error code
+ * \return \c 0 on success, or a specific DHM or PEM error code
+ * on failure.
*/
int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
size_t dhminlen );
@@ -252,12 +270,13 @@
#if defined(MBEDTLS_FS_IO)
/** \ingroup x509_module */
/**
- * \brief Load and parse DHM parameters
+ * \brief This function loads and parses DHM parameters from a file.
*
- * \param dhm DHM context to be initialized
- * \param path filename to read the DHM Parameters from
+ * \param dhm The DHM context to load the parameters to.
+ * \param path The filename to read the DHM parameters from.
*
- * \return 0 if successful, or a specific DHM or PEM error code
+ * \return \c 0 on success, or a specific DHM or PEM error code
+ * on failure.
*/
int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path );
#endif /* MBEDTLS_FS_IO */
@@ -276,9 +295,9 @@
#endif
/**
- * \brief Checkup routine
+ * \brief The DMH checkup routine.
*
- * \return 0 if successful, or 1 if the test failed
+ * \return \c 0 on success, or \c 1 on failure.
*/
int mbedtls_dhm_self_test( int verbose );
@@ -293,16 +312,16 @@
* when configuring the Diffie-Hellman parameters by hand
* through \c mbedtls_ssl_conf_dh_param.
*
- * Included are:
- * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
- * RFC 3526 3. 2048-bit MODP Group
- * RFC 3526 4. 3072-bit MODP Group
- * RFC 3526 5. 4096-bit MODP Group
- * RFC 7919 A.1 ffdhe2048
- * RFC 7919 A.2 ffdhe3072
- * RFC 7919 A.3 ffdhe4096
- * RFC 7919 A.4 ffdhe6144
- * RFC 7919 A.5 ffdhe8192
+ * The following lists the source of the above groups in the standards:
+ * - RFC 5114 section 2.2: 2048-bit MODP Group with 224-bit Prime Order Subgroup
+ * - RFC 3526 section 3: 2048-bit MODP Group
+ * - RFC 3526 section 4: 3072-bit MODP Group
+ * - RFC 3526 section 5: 4096-bit MODP Group
+ * - RFC 7919 section A.1: ffdhe2048
+ * - RFC 7919 section A.2: ffdhe3072
+ * - RFC 7919 section A.3: ffdhe4096
+ * - RFC 7919 section A.4: ffdhe6144
+ * - RFC 7919 section A.5: ffdhe8192
*
* The constants with suffix "_p" denote the chosen prime moduli, while
* the constants with suffix "_g" denote the chosen generator
@@ -347,6 +366,12 @@
* replacement.
*/
+/**
+ * The hexadecimal presentation of the prime underlying the
+ * 2048-bit MODP Group with 224-bit Prime Order Subgroup, as defined
+ * in <em>RFC-5114: Additional Diffie-Hellman Groups for Use with
+ * IETF Standards</em>.
+ */
#define MBEDTLS_DHM_RFC5114_MODP_P \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" \
@@ -361,6 +386,11 @@
"C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" \
"CF9DE5384E71B81C0AC4DFFE0C10E64F" )
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group with 224-bit Prime Order Subgroup, as defined in <em>RFC-5114:
+ * Additional Diffie-Hellman Groups for Use with IETF Standards</em>.
+ */
#define MBEDTLS_DHM_RFC5114_MODP_2048_G \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" \
@@ -376,13 +406,16 @@
"81BC087F2A7065B384B890D3191F2BFA" )
/**
+ * The hexadecimal presentation of the prime underlying the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ *
* \deprecated The hex-encoded primes from RFC 3625 are deprecated and
* superseded by the corresponding macros providing them as
* binary constants. Their hex-encoded constants are likely
* to be removed in a future version of the library.
*
*/
-
#define MBEDTLS_DHM_RFC3526_MODP_2048_P \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
@@ -397,9 +430,19 @@
"DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
"15728E5A8AACAA68FFFFFFFFFFFFFFFF" )
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
#define MBEDTLS_DHM_RFC3526_MODP_2048_G \
MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+/**
+ * The hexadecimal presentation of the prime underlying the 3072-bit MODP
+ * Group, as defined in <em>RFC-3072: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
#define MBEDTLS_DHM_RFC3526_MODP_3072_P \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
@@ -419,9 +462,19 @@
"BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \
"43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" )
+/**
+ * The hexadecimal presentation of the chosen generator of the 3072-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
#define MBEDTLS_DHM_RFC3526_MODP_3072_G \
MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+/**
+ * The hexadecimal presentation of the prime underlying the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
#define MBEDTLS_DHM_RFC3526_MODP_4096_P \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
@@ -447,6 +500,11 @@
"93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \
"FFFFFFFFFFFFFFFF" )
+/**
+ * The hexadecimal presentation of the chosen generator of the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
#define MBEDTLS_DHM_RFC3526_MODP_4096_G \
MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )