lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Merge branch 'mbedtls-2.28-restricted' into backport_asymmetric_encrypt_buffer_protection

Browse Source 
Signed-off-by: tom-daubney-arm <74920390+tom-daubney-arm@users.noreply.github.com>
This commit is contained in:
tom-daubney-arm
2024-02-28 15:43:48 +00:00
committed by GitHub
parent 2b614f9dad 6b01954e09
commit 24d60ad716
4 changed files with 330 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
library/gcm.c
View File

@ -241,7 +241,7 @@ int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
uint64_t iv_bits;
GCM_VALIDATE_RET(ctx != NULL);
GCM_VALIDATE_RET(iv != NULL);
GCM_VALIDATE_RET(iv_len == 0 || iv != NULL);
GCM_VALIDATE_RET(add_len == 0 || add != NULL);
/* IV and AD are limited to 2^64 bits, so 2^61 bytes */
@ -433,7 +433,7 @@ int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
GCM_VALIDATE_RET(ctx != NULL);
GCM_VALIDATE_RET(iv != NULL);
GCM_VALIDATE_RET(iv_len == 0 || iv != NULL);
GCM_VALIDATE_RET(add_len == 0 || add != NULL);
GCM_VALIDATE_RET(length == 0 || input != NULL);
GCM_VALIDATE_RET(length == 0 || output != NULL);
@ -470,7 +470,7 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
int diff;
GCM_VALIDATE_RET(ctx != NULL);
GCM_VALIDATE_RET(iv != NULL);
GCM_VALIDATE_RET(iv_len == 0 || iv != NULL);
GCM_VALIDATE_RET(add_len == 0 || add != NULL);
GCM_VALIDATE_RET(tag != NULL);
GCM_VALIDATE_RET(length == 0 || input != NULL);

259
library/psa_crypto.c
View File

@ -2320,10 +2320,11 @@ exit:
}
psa_status_t psa_hash_update(psa_hash_operation_t *operation,
const uint8_t *input,
const uint8_t *input_external,
size_t input_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_INPUT_DECLARE(input_external, input);
if (operation->id == 0) {
status = PSA_ERROR_BAD_STATE;
@ -2336,6 +2337,7 @@ psa_status_t psa_hash_update(psa_hash_operation_t *operation,
return PSA_SUCCESS;
}
LOCAL_INPUT_ALLOC(input_external, input_length, input);
status = psa_driver_wrapper_hash_update(operation, input, input_length);
exit:
@ -2343,32 +2345,57 @@ exit:
psa_hash_abort(operation);
}
LOCAL_INPUT_FREE(input_external, input);
return status;
}
psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
uint8_t *hash,
size_t hash_size,
size_t *hash_length)
static psa_status_t psa_hash_finish_internal(psa_hash_operation_t *operation,
uint8_t *hash,
size_t hash_size,
size_t *hash_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
*hash_length = 0;
if (operation->id == 0) {
return PSA_ERROR_BAD_STATE;
}
psa_status_t status = psa_driver_wrapper_hash_finish(
status = psa_driver_wrapper_hash_finish(
operation, hash, hash_size, hash_length);
psa_hash_abort(operation);
return status;
}
psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
uint8_t *hash_external,
size_t hash_size,
size_t *hash_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_OUTPUT_DECLARE(hash_external, hash);
LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
status = psa_hash_finish_internal(operation, hash, hash_size, hash_length);
#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)
exit:
#endif
LOCAL_OUTPUT_FREE(hash_external, hash);
return status;
}
psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
const uint8_t *hash,
const uint8_t *hash_external,
size_t hash_length)
{
uint8_t actual_hash[PSA_HASH_MAX_SIZE];
size_t actual_hash_length;
psa_status_t status = psa_hash_finish(
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_INPUT_DECLARE(hash_external, hash);
status = psa_hash_finish_internal(
operation,
actual_hash, sizeof(actual_hash),
&actual_hash_length);
@ -2382,6 +2409,7 @@ psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
goto exit;
}
LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
if (mbedtls_psa_safer_memcmp(hash, actual_hash, actual_hash_length) != 0) {
status = PSA_ERROR_INVALID_SIGNATURE;
}
@ -2391,36 +2419,55 @@ exit:
if (status != PSA_SUCCESS) {
psa_hash_abort(operation);
}
LOCAL_INPUT_FREE(hash_external, hash);
return status;
}
psa_status_t psa_hash_compute(psa_algorithm_t alg,
const uint8_t *input, size_t input_length,
uint8_t *hash, size_t hash_size,
const uint8_t *input_external, size_t input_length,
uint8_t *hash_external, size_t hash_size,
size_t *hash_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_INPUT_DECLARE(input_external, input);
LOCAL_OUTPUT_DECLARE(hash_external, hash);
*hash_length = 0;
if (!PSA_ALG_IS_HASH(alg)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
return psa_driver_wrapper_hash_compute(alg, input, input_length,
hash, hash_size, hash_length);
LOCAL_INPUT_ALLOC(input_external, input_length, input);
LOCAL_OUTPUT_ALLOC(hash_external, hash_size, hash);
status = psa_driver_wrapper_hash_compute(alg, input, input_length,
hash, hash_size, hash_length);
#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)
exit:
#endif
LOCAL_INPUT_FREE(input_external, input);
LOCAL_OUTPUT_FREE(hash_external, hash);
return status;
}
psa_status_t psa_hash_compare(psa_algorithm_t alg,
const uint8_t *input, size_t input_length,
const uint8_t *hash, size_t hash_length)
const uint8_t *input_external, size_t input_length,
const uint8_t *hash_external, size_t hash_length)
{
uint8_t actual_hash[PSA_HASH_MAX_SIZE];
size_t actual_hash_length;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_INPUT_DECLARE(input_external, input);
LOCAL_INPUT_DECLARE(hash_external, hash);
if (!PSA_ALG_IS_HASH(alg)) {
return PSA_ERROR_INVALID_ARGUMENT;
status = PSA_ERROR_INVALID_ARGUMENT;
return status;
}
psa_status_t status = psa_driver_wrapper_hash_compute(
LOCAL_INPUT_ALLOC(input_external, input_length, input);
status = psa_driver_wrapper_hash_compute(
alg, input, input_length,
actual_hash, sizeof(actual_hash),
&actual_hash_length);
@ -2431,12 +2478,18 @@ psa_status_t psa_hash_compare(psa_algorithm_t alg,
status = PSA_ERROR_INVALID_SIGNATURE;
goto exit;
}
LOCAL_INPUT_ALLOC(hash_external, hash_length, hash);
if (mbedtls_psa_safer_memcmp(hash, actual_hash, actual_hash_length) != 0) {
status = PSA_ERROR_INVALID_SIGNATURE;
}
exit:
mbedtls_platform_zeroize(actual_hash, sizeof(actual_hash));
LOCAL_INPUT_FREE(input_external, input);
LOCAL_INPUT_FREE(hash_external, hash);
return status;
}
@ -2606,35 +2659,48 @@ psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
}
psa_status_t psa_mac_update(psa_mac_operation_t *operation,
const uint8_t *input,
const uint8_t *input_external,
size_t input_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_INPUT_DECLARE(input_external, input);
if (operation->id == 0) {
return PSA_ERROR_BAD_STATE;
status = PSA_ERROR_BAD_STATE;
return status;
}
/* Don't require hash implementations to behave correctly on a
* zero-length input, which may have an invalid pointer. */
if (input_length == 0) {
return PSA_SUCCESS;
status = PSA_SUCCESS;
return status;
}
psa_status_t status = psa_driver_wrapper_mac_update(operation,
input, input_length);
LOCAL_INPUT_ALLOC(input_external, input_length, input);
status = psa_driver_wrapper_mac_update(operation, input, input_length);
if (status != PSA_SUCCESS) {
psa_mac_abort(operation);
}
#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)
exit:
#endif
LOCAL_INPUT_FREE(input_external, input);
return status;
}
psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
uint8_t *mac,
uint8_t *mac_external,
size_t mac_size,
size_t *mac_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_OUTPUT_DECLARE(mac_external, mac);
LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
if (operation->id == 0) {
status = PSA_ERROR_BAD_STATE;
@ -2674,22 +2740,24 @@ exit:
operation->mac_size = 0;
}
if (mac_size > operation->mac_size) {
if ((mac != NULL) && (mac_size > operation->mac_size)) {
memset(&mac[operation->mac_size], '!',
mac_size - operation->mac_size);
}
abort_status = psa_mac_abort(operation);
LOCAL_OUTPUT_FREE(mac_external, mac);
return status == PSA_SUCCESS ? abort_status : status;
}
psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
const uint8_t *mac,
const uint8_t *mac_external,
size_t mac_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_INPUT_DECLARE(mac_external, mac);
if (operation->id == 0) {
status = PSA_ERROR_BAD_STATE;
@ -2706,11 +2774,13 @@ psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
goto exit;
}
LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
status = psa_driver_wrapper_mac_verify_finish(operation,
mac, mac_length);
exit:
abort_status = psa_mac_abort(operation);
LOCAL_INPUT_FREE(mac_external, mac);
return status == PSA_SUCCESS ? abort_status : status;
}
@ -2783,28 +2853,45 @@ exit:
psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
const uint8_t *input_external,
size_t input_length,
uint8_t *mac,
uint8_t *mac_external,
size_t mac_size,
size_t *mac_length)
{
return psa_mac_compute_internal(key, alg,
input, input_length,
mac, mac_size, mac_length, 1);
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_INPUT_DECLARE(input_external, input);
LOCAL_OUTPUT_DECLARE(mac_external, mac);
LOCAL_INPUT_ALLOC(input_external, input_length, input);
LOCAL_OUTPUT_ALLOC(mac_external, mac_size, mac);
status = psa_mac_compute_internal(key, alg,
input, input_length,
mac, mac_size, mac_length, 1);
#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)
exit:
#endif
LOCAL_INPUT_FREE(input_external, input);
LOCAL_OUTPUT_FREE(mac_external, mac);
return status;
}
psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
const uint8_t *input_external,
size_t input_length,
const uint8_t *mac,
const uint8_t *mac_external,
size_t mac_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
uint8_t actual_mac[PSA_MAC_MAX_SIZE];
size_t actual_mac_length;
LOCAL_INPUT_DECLARE(input_external, input);
LOCAL_INPUT_DECLARE(mac_external, mac);
LOCAL_INPUT_ALLOC(input_external, input_length, input);
status = psa_mac_compute_internal(key, alg,
input, input_length,
actual_mac, sizeof(actual_mac),
@ -2817,6 +2904,8 @@ psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
status = PSA_ERROR_INVALID_SIGNATURE;
goto exit;
}
LOCAL_INPUT_ALLOC(mac_external, mac_length, mac);
if (mbedtls_psa_safer_memcmp(mac, actual_mac, actual_mac_length) != 0) {
status = PSA_ERROR_INVALID_SIGNATURE;
goto exit;
@ -2824,6 +2913,8 @@ psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
exit:
mbedtls_platform_zeroize(actual_mac, sizeof(actual_mac));
LOCAL_INPUT_FREE(input_external, input);
LOCAL_INPUT_FREE(mac_external, mac);
return status;
}
@ -3897,19 +3988,24 @@ exit:
psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
const uint8_t *nonce,
const uint8_t *nonce_external,
size_t nonce_length,
const uint8_t *additional_data,
const uint8_t *additional_data_external,
size_t additional_data_length,
const uint8_t *plaintext,
const uint8_t *plaintext_external,
size_t plaintext_length,
uint8_t *ciphertext,
uint8_t *ciphertext_external,
size_t ciphertext_size,
size_t *ciphertext_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_slot_t *slot;
LOCAL_INPUT_DECLARE(nonce_external, nonce);
LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
LOCAL_INPUT_DECLARE(plaintext_external, plaintext);
LOCAL_OUTPUT_DECLARE(ciphertext_external, ciphertext);
*ciphertext_length = 0;
if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) {
@ -3926,6 +4022,11 @@ psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
.core = slot->attr
};
LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length, additional_data);
LOCAL_INPUT_ALLOC(plaintext_external, plaintext_length, plaintext);
LOCAL_OUTPUT_ALLOC(ciphertext_external, ciphertext_size, ciphertext);
status = psa_driver_wrapper_aead_encrypt(
&attributes, slot->key.data, slot->key.bytes,
alg,
@ -3938,6 +4039,15 @@ psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
memset(ciphertext, 0, ciphertext_size);
}
/* Exit label is only used for buffer copying, prevent unused warnings. */
#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)
exit:
#endif
LOCAL_INPUT_FREE(nonce_external, nonce);
LOCAL_INPUT_FREE(additional_data_external, additional_data);
LOCAL_INPUT_FREE(plaintext_external, plaintext);
LOCAL_OUTPUT_FREE(ciphertext_external, ciphertext);
psa_unlock_key_slot(slot);
return status;
@ -3945,19 +4055,24 @@ psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
const uint8_t *nonce,
const uint8_t *nonce_external,
size_t nonce_length,
const uint8_t *additional_data,
const uint8_t *additional_data_external,
size_t additional_data_length,
const uint8_t *ciphertext,
const uint8_t *ciphertext_external,
size_t ciphertext_length,
uint8_t *plaintext,
uint8_t *plaintext_external,
size_t plaintext_size,
size_t *plaintext_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_slot_t *slot;
LOCAL_INPUT_DECLARE(nonce_external, nonce);
LOCAL_INPUT_DECLARE(additional_data_external, additional_data);
LOCAL_INPUT_DECLARE(ciphertext_external, ciphertext);
LOCAL_OUTPUT_DECLARE(plaintext_external, plaintext);
*plaintext_length = 0;
if (!PSA_ALG_IS_AEAD(alg) || PSA_ALG_IS_WILDCARD(alg)) {
@ -3974,6 +4089,12 @@ psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
.core = slot->attr
};
LOCAL_INPUT_ALLOC(nonce_external, nonce_length, nonce);
LOCAL_INPUT_ALLOC(additional_data_external, additional_data_length,
additional_data);
LOCAL_INPUT_ALLOC(ciphertext_external, ciphertext_length, ciphertext);
LOCAL_OUTPUT_ALLOC(plaintext_external, plaintext_size, plaintext);
status = psa_driver_wrapper_aead_decrypt(
&attributes, slot->key.data, slot->key.bytes,
alg,
@ -3986,6 +4107,15 @@ psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
memset(plaintext, 0, plaintext_size);
}
/* Exit label is only used for buffer copying, prevent unused warnings. */
#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)
exit:
#endif
LOCAL_INPUT_FREE(nonce_external, nonce);
LOCAL_INPUT_FREE(additional_data_external, additional_data);
LOCAL_INPUT_FREE(ciphertext_external, ciphertext);
LOCAL_OUTPUT_FREE(plaintext_external, plaintext);
psa_unlock_key_slot(slot);
return status;
@ -4379,10 +4509,12 @@ static psa_status_t psa_key_derivation_tls12_prf_read(
psa_status_t psa_key_derivation_output_bytes(
psa_key_derivation_operation_t *operation,
uint8_t *output,
uint8_t *output_external,
size_t output_length)
{
psa_status_t status;
LOCAL_OUTPUT_DECLARE(output_external, output);
psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
if (operation->alg == 0) {
@ -4390,13 +4522,6 @@ psa_status_t psa_key_derivation_output_bytes(
return PSA_ERROR_BAD_STATE;
}
if (output_length > operation->capacity) {
operation->capacity = 0;
/* Go through the error path to wipe all confidential data now
* that the operation object is useless. */
status = PSA_ERROR_INSUFFICIENT_DATA;
goto exit;
}
if (output_length == 0 && operation->capacity == 0) {
/* Edge case: this is a finished operation, and 0 bytes
* were requested. The right error in this case could
@ -4406,6 +4531,15 @@ psa_status_t psa_key_derivation_output_bytes(
* output_length > 0. */
return PSA_ERROR_INSUFFICIENT_DATA;
}
LOCAL_OUTPUT_ALLOC(output_external, output_length, output);
if (output_length > operation->capacity) {
operation->capacity = 0;
/* Go through the error path to wipe all confidential data now
* that the operation object is useless. */
status = PSA_ERROR_INSUFFICIENT_DATA;
goto exit;
}
operation->capacity -= output_length;
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
@ -4427,7 +4561,10 @@ psa_status_t psa_key_derivation_output_bytes(
* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
{
(void) kdf_alg;
return PSA_ERROR_BAD_STATE;
status = PSA_ERROR_BAD_STATE;
LOCAL_OUTPUT_FREE(output_external, output);
return status;
}
exit:
@ -4439,8 +4576,12 @@ exit:
psa_algorithm_t alg = operation->alg;
psa_key_derivation_abort(operation);
operation->alg = alg;
memset(output, '!', output_length);
if (output != NULL) {
memset(output, '!', output_length);
}
}
LOCAL_OUTPUT_FREE(output_external, output);
return status;
}
@ -4991,12 +5132,22 @@ exit:
psa_status_t psa_key_derivation_input_bytes(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
const uint8_t *data,
const uint8_t *data_external,
size_t data_length)
{
return psa_key_derivation_input_internal(operation, step,
PSA_KEY_TYPE_NONE,
data, data_length);
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
LOCAL_INPUT_DECLARE(data_external, data);
LOCAL_INPUT_ALLOC(data_external, data_length, data);
status = psa_key_derivation_input_internal(operation, step,
PSA_KEY_TYPE_NONE,
data, data_length);
#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)
exit:
#endif
LOCAL_INPUT_FREE(data_external, data);
return status;
}
psa_status_t psa_key_derivation_input_key(