diff --git a/BRANCHES.md b/BRANCHES.md index d5144188ea..ee91f76bb8 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -48,8 +48,7 @@ The following branches are currently maintained: - [master](https://github.com/ARMmbed/mbedtls/tree/master) - [`development`](https://github.com/ARMmbed/mbedtls/) -- [`mbedtls-2.16`](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16) - maintained until at least the end of 2021, see - +- [`mbedtls-2.28`](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.28) + maintained until at least the end of 2024. Users are urged to always use the latest version of a maintained branch. diff --git a/ChangeLog b/ChangeLog index 89572ca0b9..021012a026 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,126 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.28.0 branch released 2021-12-17 + +API changes + * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a + different order. This only affects applications that define such + structures directly or serialize them. + +Requirement changes + * Sign-magnitude and one's complement representations for signed integers are + not supported. Two's complement is the only supported representation. + +Removals + * Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, + which allowed SHA-1 in the default TLS configuration for certificate + signing. It was intended to facilitate the transition in environments + with SHA-1 certificates. SHA-1 is considered a weak message digest and + its use constitutes a security risk. + * Remove the partial support for running unit tests via Greentea on Mbed OS, + which had been unmaintained since 2018. + +Features + * The identifier of the CID TLS extension can be configured by defining + MBEDTLS_TLS_EXT_CID at compile time. + * Warn if errors from certain functions are ignored. This is currently + supported on GCC-like compilers and on MSVC and can be configured through + the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled + (where supported) for critical functions where ignoring the return + value is almost always a bug. Enable the new configuration option + MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This + is currently implemented in the AES, DES and md modules, and will be + extended to other modules in the future. + * Add missing PSA macros declared by PSA Crypto API 1.0.0: + PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. + * Add new API mbedtls_ct_memcmp for constant time buffer comparison. + * Add PSA API definition for ARIA. + +Security + * Zeroize several intermediate variables used to calculate the expected + value when verifying a MAC or AEAD tag. This hardens the library in + case the value leaks through a memory disclosure vulnerability. For + example, a memory disclosure vulnerability could have allowed a + man-in-the-middle to inject fake ciphertext into a DTLS connection. + * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back + from the output buffer. This fixes a potential policy bypass or decryption + oracle vulnerability if the output buffer is in memory that is shared with + an untrusted application. + * Fix a double-free that happened after mbedtls_ssl_set_session() or + mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED + (out of memory). After that, calling mbedtls_ssl_session_free() + and mbedtls_ssl_free() would cause an internal session buffer to + be free()'d twice. + +Bugfix + * Stop using reserved identifiers as local variables. Fixes #4630. + * The GNU makefiles invoke python3 in preference to python except on Windows. + The check was accidentally not performed when cross-compiling for Windows + on Linux. Fix this. Fixes #4774. + * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or + PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. + * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935. + * Don't use the obsolete header path sys/fcntl.h in unit tests. + These header files cause compilation errors in musl. + Fixes #4969. + * Fix missing constraints on x86_64 and aarch64 assembly code + for bignum multiplication that broke some bignum operations with + (at least) Clang 12. + Fixes #4116, #4786, #4917, #4962. + * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled. + * Failures of alternative implementations of AES or DES single-block + functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT, + MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored. + This does not concern the implementation provided with Mbed TLS, + where this function cannot fail, or full-module replacements with + MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. + * Some failures of HMAC operations were ignored. These failures could only + happen with an alternative implementation of the underlying hash module. + * Fix the error returned by psa_generate_key() for a public key. Fixes #4551. + * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor + MBEDTLS_ERROR_STRERROR_DUMMY is enabled. + * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length. + This algorithm now accepts only the same salt length for verification + that it produces when signing, as documented. Use the new algorithm + PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946. + * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved + for algorithm values that fully encode the hashing step, as per the PSA + Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and + PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers + all algorithms that can be used with psa_{sign,verify}_hash(), including + these two. + * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries + not to list other shared libraries they need. + * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv + exceeds 2^32. Fixes #4884. + * Fix an uninitialized variable warning in test_suite_ssl.function with GCC + version 11. + * Fix the build when no SHA2 module is included. Fixes #4930. + * Fix the build when only the bignum module is included. Fixes #4929. + * Fix a potential invalid pointer dereference and infinite loop bugs in + pkcs12 functions when the password is empty. Fix the documentation to + better describe the inputs to these functions and their possible values. + Fixes #5136. + * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC + operations psa_mac_compute() and psa_mac_sign_setup(). + * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC + operations psa_mac_verify() and psa_mac_verify_setup(). + +Changes + * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be + disabled by default. + * Improve the performance of base64 constant-flow code. The result is still + slower than the original non-constant-flow implementation, but much faster + than the previous constant-flow implementation. Fixes #4814. + * Indicate in the error returned if the nonce length used with + ChaCha20-Poly1305 is invalid, and not just unsupported. + * The mbedcrypto library includes a new source code module constant_time.c, + containing various functions meant to resist timing side channel attacks. + This module does not have a separate configuration option, and functions + from this module will be included in the build as required. Currently + most of the interface of this module is private and may change at any + time. + = mbed TLS 2.27.0 branch released 2021-07-07 API changes diff --git a/ChangeLog.d/base64-ranges.txt b/ChangeLog.d/base64-ranges.txt deleted file mode 100644 index e3f3862bfb..0000000000 --- a/ChangeLog.d/base64-ranges.txt +++ /dev/null @@ -1,4 +0,0 @@ -Changes - * Improve the performance of base64 constant-flow code. The result is still - slower than the original non-constant-flow implementation, but much faster - than the previous constant-flow implementation. Fixes #4814. diff --git a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt b/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt deleted file mode 100644 index c04c4aa182..0000000000 --- a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32. - * Fix #4884. - diff --git a/ChangeLog.d/build-without-sha.txt b/ChangeLog.d/build-without-sha.txt deleted file mode 100644 index 78ba27694a..0000000000 --- a/ChangeLog.d/build-without-sha.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix the build when no SHA2 module is included. Fixes #4930. - * Fix the build when only the bignum module is included. Fixes #4929. diff --git a/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt b/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt deleted file mode 100644 index ca3f9aceea..0000000000 --- a/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Indicate in the error returned if the nonce length used with - ChaCha20-Poly1305 is invalid, and not just unsupported. diff --git a/ChangeLog.d/check-return.txt b/ChangeLog.d/check-return.txt deleted file mode 100644 index 7d905da732..0000000000 --- a/ChangeLog.d/check-return.txt +++ /dev/null @@ -1,19 +0,0 @@ -Bugfix - * Failures of alternative implementations of AES or DES single-block - functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT, - MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored. - This does not concern the implementation provided with Mbed TLS, - where this function cannot fail, or full-module replacements with - MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. - * Some failures of HMAC operations were ignored. These failures could only - happen with an alternative implementation of the underlying hash module. - -Features - * Warn if errors from certain functions are ignored. This is currently - supported on GCC-like compilers and on MSVC and can be configured through - the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled - (where supported) for critical functions where ignoring the return - value is almost always a bug. Enable the new configuration option - MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This - is currently implemented in the AES, DES and md modules, and will be - extended to other modules in the future. diff --git a/ChangeLog.d/constant_time_module.txt b/ChangeLog.d/constant_time_module.txt deleted file mode 100644 index ebb0b7fb96..0000000000 --- a/ChangeLog.d/constant_time_module.txt +++ /dev/null @@ -1,10 +0,0 @@ -Changes - * The mbedcrypto library includes a new source code module constant_time.c, - containing various functions meant to resist timing side channel attacks. - This module does not have a separate configuration option, and functions - from this module will be included in the build as required. Currently - most of the interface of this module is private and may change at any - time. - -Features - * Add new API mbedtls_ct_memcmp for constant time buffer comparison. diff --git a/ChangeLog.d/do-not-use-obsolete-header.txt b/ChangeLog.d/do-not-use-obsolete-header.txt deleted file mode 100644 index 9a57ef16b2..0000000000 --- a/ChangeLog.d/do-not-use-obsolete-header.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Don't use the obsolete header path sys/fcntl.h in unit tests. - These header files cause compilation errors in musl. - Fixes #4969. - diff --git a/ChangeLog.d/fix-cipher-output-size-macros.txt b/ChangeLog.d/fix-cipher-output-size-macros.txt deleted file mode 100644 index 4a4b971c83..0000000000 --- a/ChangeLog.d/fix-cipher-output-size-macros.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or - PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. - diff --git a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt b/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt deleted file mode 100644 index 6dc47244fe..0000000000 --- a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled. diff --git a/ChangeLog.d/fix-needed-shared-libraries-linux.txt b/ChangeLog.d/fix-needed-shared-libraries-linux.txt deleted file mode 100644 index 74ad3bc753..0000000000 --- a/ChangeLog.d/fix-needed-shared-libraries-linux.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries - not to list other shared libraries they need. diff --git a/ChangeLog.d/fix-pkcs12-null-password.txt b/ChangeLog.d/fix-pkcs12-null-password.txt deleted file mode 100644 index fae8195535..0000000000 --- a/ChangeLog.d/fix-pkcs12-null-password.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix a potential invalid pointer dereference and infinite loop bugs in - pkcs12 functions when the password is empty. Fix the documentation to - better describe the inputs to these functions and their possible values. - Fixes #5136. diff --git a/ChangeLog.d/fix-psa_gen_key-status.txt b/ChangeLog.d/fix-psa_gen_key-status.txt deleted file mode 100644 index 78609882f9..0000000000 --- a/ChangeLog.d/fix-psa_gen_key-status.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix the error returned by psa_generate_key() for a public key. Fixes #4551. diff --git a/ChangeLog.d/fix_compilation_ssl_tests.txt b/ChangeLog.d/fix_compilation_ssl_tests.txt deleted file mode 100644 index 202e5c4392..0000000000 --- a/ChangeLog.d/fix_compilation_ssl_tests.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix an uninitialized variable warning in test_suite_ssl.function with GCC - version 11. diff --git a/ChangeLog.d/issue4630.txt b/ChangeLog.d/issue4630.txt deleted file mode 100644 index 0bc4b99e59..0000000000 --- a/ChangeLog.d/issue4630.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Stop using reserved identifiers as local variables. Fixes #4630. diff --git a/ChangeLog.d/mac-zeroize.txt b/ChangeLog.d/mac-zeroize.txt deleted file mode 100644 index a43e34f845..0000000000 --- a/ChangeLog.d/mac-zeroize.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * Zeroize several intermediate variables used to calculate the expected - value when verifying a MAC or AEAD tag. This hardens the library in - case the value leaks through a memory disclosure vulnerability. For - example, a memory disclosure vulnerability could have allowed a - man-in-the-middle to inject fake ciphertext into a DTLS connection. diff --git a/ChangeLog.d/makefile-python-windows.txt b/ChangeLog.d/makefile-python-windows.txt deleted file mode 100644 index 57ccc1a39a..0000000000 --- a/ChangeLog.d/makefile-python-windows.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * The GNU makefiles invoke python3 in preference to python except on Windows. - The check was accidentally not performed when cross-compiling for Windows - on Linux. Fix this. Fixes #4774. diff --git a/ChangeLog.d/muladdc-memory.txt b/ChangeLog.d/muladdc-memory.txt deleted file mode 100644 index 218be5a605..0000000000 --- a/ChangeLog.d/muladdc-memory.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix missing constraints on x86_64 and aarch64 assembly code - for bignum multiplication that broke some bignum operations with - (at least) Clang 12. - Fixes #4116, #4786, #4917, #4962. diff --git a/ChangeLog.d/no-strerror.txt b/ChangeLog.d/no-strerror.txt deleted file mode 100644 index 69743a8715..0000000000 --- a/ChangeLog.d/no-strerror.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor - MBEDTLS_ERROR_STRERROR_DUMMY is enabled. diff --git a/ChangeLog.d/psa_alg_rsa_pss.txt b/ChangeLog.d/psa_alg_rsa_pss.txt deleted file mode 100644 index 5c6048fe6c..0000000000 --- a/ChangeLog.d/psa_alg_rsa_pss.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length. - This algorithm now accepts only the same salt length for verification - that it produces when signing, as documented. Use the new algorithm - PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946. diff --git a/ChangeLog.d/psa_cipher_update_ecp.txt b/ChangeLog.d/psa_cipher_update_ecp.txt deleted file mode 100644 index 1c3fbc6b18..0000000000 --- a/ChangeLog.d/psa_cipher_update_ecp.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935. diff --git a/ChangeLog.d/psa_crypto_api_macros.txt b/ChangeLog.d/psa_crypto_api_macros.txt deleted file mode 100644 index ff53e33c2d..0000000000 --- a/ChangeLog.d/psa_crypto_api_macros.txt +++ /dev/null @@ -1,11 +0,0 @@ -Features - * Add missing PSA macros declared by PSA Crypto API 1.0.0: - PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. - -Bugfix - * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved - for algorithm values that fully encode the hashing step, as per the PSA - Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and - PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers - all algorithms that can be used with psa_{sign,verify}_hash(), including - these two. diff --git a/ChangeLog.d/remove-greentea-support.txt b/ChangeLog.d/remove-greentea-support.txt deleted file mode 100644 index af4df4baa1..0000000000 --- a/ChangeLog.d/remove-greentea-support.txt +++ /dev/null @@ -1,3 +0,0 @@ -Removals - * Remove the partial support for running unit tests via Greentea on Mbed OS, - which had been unmaintained since 2018. diff --git a/ChangeLog.d/remove_default_alllow_sha1.txt b/ChangeLog.d/remove_default_alllow_sha1.txt deleted file mode 100644 index 9ec10cf6bc..0000000000 --- a/ChangeLog.d/remove_default_alllow_sha1.txt +++ /dev/null @@ -1,10 +0,0 @@ -Removals - * Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, - which allowed SHA-1 in the default TLS configuration for certificate - signing. It was intended to facilitate the transition in environments - with SHA-1 certificates. SHA-1 is considered a weak message digest and - its use constitutes a security risk. - -Changes - * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be - disabled by default. diff --git a/ChangeLog.d/semi-public-structure-fields.txt b/ChangeLog.d/semi-public-structure-fields.txt deleted file mode 100644 index 802f8de2b7..0000000000 --- a/ChangeLog.d/semi-public-structure-fields.txt +++ /dev/null @@ -1,5 +0,0 @@ -API changes - * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a - different order. This only affects applications that define such - structures directly or serialize them. - diff --git a/ChangeLog.d/tls_ext_cid-config.txt b/ChangeLog.d/tls_ext_cid-config.txt deleted file mode 100644 index b7b1e72443..0000000000 --- a/ChangeLog.d/tls_ext_cid-config.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * The identifier of the CID TLS extension can be configured by defining - MBEDTLS_TLS_EXT_CID at compile time. diff --git a/ChangeLog.d/twos_complement_representation.txt b/ChangeLog.d/twos_complement_representation.txt deleted file mode 100644 index fa49859abc..0000000000 --- a/ChangeLog.d/twos_complement_representation.txt +++ /dev/null @@ -1,3 +0,0 @@ -Requirement changes - * Sign-magnitude and one's complement representations for signed integers are - not supported. Two's complement is the only supported representation. diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 4ff63ce69a..5a0f3ecaff 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -22,7 +22,7 @@ */ /** - * @mainpage mbed TLS v2.27.0 source code documentation + * @mainpage mbed TLS v2.28.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 186c1487ba..efd9ac6edf 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v2.27.0" +PROJECT_NAME = "mbed TLS v2.28.0" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 2740479f53..b1a92b2bcf 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -37,7 +37,7 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 2 -#define MBEDTLS_VERSION_MINOR 27 +#define MBEDTLS_VERSION_MINOR 28 #define MBEDTLS_VERSION_PATCH 0 /** @@ -45,9 +45,9 @@ * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x021B0000 -#define MBEDTLS_VERSION_STRING "2.27.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.27.0" +#define MBEDTLS_VERSION_NUMBER 0x021C0000 +#define MBEDTLS_VERSION_STRING "2.28.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.28.0" #if defined(MBEDTLS_VERSION_C) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 0cafd88817..0a600674db 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -203,15 +203,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) add_library(${mbedcrypto_target} SHARED ${src_crypto}) - set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.27.0 SOVERSION 7) + set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.0 SOVERSION 7) target_link_libraries(${mbedcrypto_target} PUBLIC ${libs}) add_library(${mbedx509_target} SHARED ${src_x509}) - set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.27.0 SOVERSION 1) + set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.0 SOVERSION 1) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target}) add_library(${mbedtls_target} SHARED ${src_tls}) - set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.27.0 SOVERSION 13) + set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.0 SOVERSION 14) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) endif(USE_SHARED_MBEDTLS_LIBRARY) diff --git a/library/Makefile b/library/Makefile index 71a1bb00b5..54b0651dc4 100644 --- a/library/Makefile +++ b/library/Makefile @@ -39,7 +39,7 @@ LOCAL_CFLAGS += -fPIC -fpic endif endif -SOEXT_TLS=so.13 +SOEXT_TLS=so.14 SOEXT_X509=so.1 SOEXT_CRYPTO=so.7 diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a89430d4ea..e6dab33c77 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3396,8 +3396,8 @@ psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation, size_t *iv_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - *iv_length = 0; + uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; + size_t default_iv_length; if( operation->id == 0 ) { @@ -3411,28 +3411,38 @@ psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation, goto exit; } - if( iv_size < operation->default_iv_length ) + default_iv_length = operation->default_iv_length; + if( iv_size < default_iv_length ) { status = PSA_ERROR_BUFFER_TOO_SMALL; goto exit; } - status = psa_generate_random( iv, operation->default_iv_length ); + if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE ) + { + status = PSA_ERROR_GENERIC_ERROR; + goto exit; + } + + status = psa_generate_random( local_iv, default_iv_length ); if( status != PSA_SUCCESS ) goto exit; status = psa_driver_wrapper_cipher_set_iv( operation, - iv, - operation->default_iv_length ); + local_iv, default_iv_length ); exit: if( status == PSA_SUCCESS ) { + memcpy( iv, local_iv, default_iv_length ); + *iv_length = default_iv_length; operation->iv_set = 1; - *iv_length = operation->default_iv_length; } else + { + *iv_length = 0; psa_cipher_abort( operation ); + } return( status ); } @@ -3573,50 +3583,67 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_slot_t *slot; - psa_key_type_t key_type; - size_t iv_length; - - *output_length = 0; + psa_key_slot_t *slot = NULL; + uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; + size_t default_iv_length = 0; if( ! PSA_ALG_IS_CIPHER( alg ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; + } status = psa_get_and_lock_key_slot_with_policy( key, &slot, PSA_KEY_USAGE_ENCRYPT, alg ); if( status != PSA_SUCCESS ) - return( status ); + goto exit; psa_key_attributes_t attributes = { .core = slot->attr }; - key_type = slot->attr.type; - iv_length = PSA_CIPHER_IV_LENGTH( key_type, alg ); - - if( iv_length > 0 ) + default_iv_length = PSA_CIPHER_IV_LENGTH( slot->attr.type, alg ); + if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE ) { - if( output_size < iv_length ) + status = PSA_ERROR_GENERIC_ERROR; + goto exit; + } + + if( default_iv_length > 0 ) + { + if( output_size < default_iv_length ) { status = PSA_ERROR_BUFFER_TOO_SMALL; goto exit; } - status = psa_generate_random( output, iv_length ); + status = psa_generate_random( local_iv, default_iv_length ); if( status != PSA_SUCCESS ) goto exit; } status = psa_driver_wrapper_cipher_encrypt( &attributes, slot->key.data, slot->key.bytes, - alg, input, input_length, - output, output_size, output_length ); + alg, local_iv, default_iv_length, input, input_length, + output + default_iv_length, output_size - default_iv_length, + output_length ); exit: unlock_status = psa_unlock_key_slot( slot ); + if( status == PSA_SUCCESS ) + status = unlock_status; - return( ( status == PSA_SUCCESS ) ? unlock_status : status ); + if( status == PSA_SUCCESS ) + { + if( default_iv_length > 0 ) + memcpy( output, local_iv, default_iv_length ); + *output_length += default_iv_length; + } + else + *output_length = 0; + + return( status ); } psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key, @@ -3629,18 +3656,19 @@ psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key, { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_slot_t *slot; - - *output_length = 0; + psa_key_slot_t *slot = NULL; if( ! PSA_ALG_IS_CIPHER( alg ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; + } status = psa_get_and_lock_key_slot_with_policy( key, &slot, PSA_KEY_USAGE_DECRYPT, alg ); if( status != PSA_SUCCESS ) - return( status ); + goto exit; psa_key_attributes_t attributes = { .core = slot->attr @@ -3659,8 +3687,13 @@ psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key, exit: unlock_status = psa_unlock_key_slot( slot ); + if( status == PSA_SUCCESS ) + status = unlock_status; - return( ( status == PSA_SUCCESS ) ? unlock_status : status ); + if( status != PSA_SUCCESS ) + *output_length = 0; + + return( status ); } diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 6dfaae990e..1fb9172b76 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -444,20 +444,21 @@ psa_status_t mbedtls_psa_cipher_abort( return( PSA_SUCCESS ); } -psa_status_t mbedtls_psa_cipher_encrypt( - const psa_key_attributes_t *attributes, - const uint8_t *key_buffer, - size_t key_buffer_size, - psa_algorithm_t alg, - const uint8_t *input, - size_t input_length, - uint8_t *output, - size_t output_size, - size_t *output_length ) +psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, + size_t key_buffer_size, + psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, + const uint8_t *input, + size_t input_length, + uint8_t *output, + size_t output_size, + size_t *output_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT; - size_t olength, accumulated_length; + size_t update_output_length, finish_output_length; status = mbedtls_psa_cipher_encrypt_setup( &operation, attributes, key_buffer, key_buffer_size, @@ -465,33 +466,25 @@ psa_status_t mbedtls_psa_cipher_encrypt( if( status != PSA_SUCCESS ) goto exit; - accumulated_length = 0; - if( operation.iv_length > 0 ) + if( iv_length > 0 ) { - status = mbedtls_psa_cipher_set_iv( &operation, - output, operation.iv_length ); + status = mbedtls_psa_cipher_set_iv( &operation, iv, iv_length ); if( status != PSA_SUCCESS ) goto exit; - - accumulated_length = operation.iv_length; } status = mbedtls_psa_cipher_update( &operation, input, input_length, - output + operation.iv_length, - output_size - operation.iv_length, - &olength ); + output, output_size, &update_output_length ); if( status != PSA_SUCCESS ) goto exit; - accumulated_length += olength; - - status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length, - output_size - accumulated_length, - &olength ); + status = mbedtls_psa_cipher_finish( &operation, output + update_output_length, + output_size - update_output_length, + &finish_output_length ); if( status != PSA_SUCCESS ) goto exit; - *output_length = accumulated_length + olength; + *output_length = update_output_length + finish_output_length; exit: if( status == PSA_SUCCESS ) diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h index bb4657dcd1..fae98473c4 100644 --- a/library/psa_crypto_cipher.h +++ b/library/psa_crypto_cipher.h @@ -213,16 +213,12 @@ psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation * \param[in] alg The cipher algorithm to compute * (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_CIPHER(\p alg) is true). - * \param[in] input Buffer containing the message to encrypt. - * \param[in] input_length Size of the \p input buffer in bytes. + * \param[in] iv Buffer containing the IV for encryption. The + * IV has been generated by the core. + * \param[in] iv_length Size of the \p iv in bytes. + * \param[in] input Buffer containing the message to encrypt. + * \param[in] input_length Size of the \p input buffer in bytes. * \param[in,out] output Buffer where the output is to be written. - * The core has generated and written the IV - * at the beginning of this buffer before - * this function is called. The size of the IV - * is PSA_CIPHER_IV_LENGTH( key_type, alg ) where - * \c key_type is the type of the key identified - * by \p key and \p alg is the cipher algorithm - * to compute. * \param[in] output_size Size of the \p output buffer in bytes. * \param[out] output_length On success, the number of bytes that make up * the returned output. Initialized to zero @@ -235,7 +231,7 @@ psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. * \retval #PSA_ERROR_INVALID_ARGUMENT - * The size of \p iv is not acceptable for the chosen algorithm, + * The size \p iv_length is not acceptable for the chosen algorithm, * or the chosen algorithm does not use an IV. * The total input size passed to this operation is not valid for * this particular algorithm. For example, the algorithm is a based @@ -249,6 +245,8 @@ psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index cc826df1ec..16166fc5a5 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -778,6 +778,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -799,6 +801,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( key_buffer, key_buffer_size, alg, + iv, + iv_length, input, input_length, output, @@ -815,6 +819,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( key_buffer, key_buffer_size, alg, + iv, + iv_length, input, input_length, output, @@ -832,6 +838,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( key_buffer, key_buffer_size, alg, + iv, + iv_length, input, input_length, output, diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index 3ba96d9a58..7cb88a0b4e 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -108,6 +108,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f07b189c59..2e6469de83 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -188,6 +188,10 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, mbedtls_ssl_session_free( dst ); memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) + dst->ticket = NULL; +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) diff --git a/tests/include/test/drivers/cipher.h b/tests/include/test/drivers/cipher.h index 4fe559618f..c1aa616b52 100644 --- a/tests/include/test/drivers/cipher.h +++ b/tests/include/test/drivers/cipher.h @@ -57,6 +57,7 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, psa_algorithm_t alg, + const uint8_t *iv, size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length); @@ -102,6 +103,7 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, psa_algorithm_t alg, + const uint8_t *iv, size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length); diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c index 4f651b9377..30a8119aab 100644 --- a/tests/src/drivers/test_driver_cipher.c +++ b/tests/src/drivers/test_driver_cipher.c @@ -48,6 +48,8 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -72,19 +74,17 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_cipher_hooks.forced_status ); - psa_generate_random( output, PSA_CIPHER_IV_LENGTH( attributes->core.type, alg ) ); - #if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \ defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER) return( libtestdriver1_mbedtls_psa_cipher_encrypt( (const libtestdriver1_psa_key_attributes_t *)attributes, key_buffer, key_buffer_size, - alg, input, input_length, + alg, iv, iv_length, input, input_length, output, output_size, output_length ) ); #elif defined(MBEDTLS_PSA_BUILTIN_CIPHER) return( mbedtls_psa_cipher_encrypt( attributes, key_buffer, key_buffer_size, - alg, input, input_length, + alg, iv, iv_length, input, input_length, output, output_size, output_length ) ); #endif @@ -321,6 +321,7 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, psa_algorithm_t alg, + const uint8_t *iv, size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length) { @@ -328,6 +329,8 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt( (void) key; (void) key_length; (void) alg; + (void) iv; + (void) iv_length; (void) input; (void) input_length; (void) output; diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 9ed1424233..eb9458fdee 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -2600,6 +2600,9 @@ void cipher_encrypt_alg_without_iv( int alg_arg, mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; psa_algorithm_t alg = alg_arg; + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + uint8_t iv[1] = { 0x5a }; + size_t iv_length; unsigned char *output = NULL; size_t output_buffer_size = 0; size_t output_length = 0; @@ -2617,6 +2620,14 @@ void cipher_encrypt_alg_without_iv( int alg_arg, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, &key ) ); + PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); + TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ), + PSA_ERROR_BAD_STATE ); + PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); + TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ), + &iv_length ), + PSA_ERROR_BAD_STATE ); + PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, output, output_buffer_size, &output_length ) ); TEST_ASSERT( output_length <= diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index ddbb0185f6..38c154e022 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -872,6 +872,39 @@ void cipher_entry_points( int alg_arg, int key_type_arg, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, &key ) ); + /* + * Test encrypt failure + * First test that if we don't force a driver error, encryption is + * successfull, then force driver error. + */ + status = psa_cipher_encrypt( + key, alg, input->x, input->len, + output, output_buffer_size, &function_output_length ); + TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 ); + TEST_EQUAL( status, PSA_SUCCESS ); + mbedtls_test_driver_cipher_hooks.hits = 0; + + mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; + /* Set the output buffer in a given state. */ + for( size_t i = 0; i < output_buffer_size; i++ ) + output[i] = 0xa5; + + status = psa_cipher_encrypt( + key, alg, input->x, input->len, + output, output_buffer_size, &function_output_length ); + TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 ); + TEST_EQUAL( status, PSA_ERROR_GENERIC_ERROR ); + /* + * Check that the output buffer is still in the same state. + * This will fail if the output buffer is used by the core to pass the IV + * it generated to the driver (and is not restored). + */ + for( size_t i = 0; i < output_buffer_size; i++ ) + { + TEST_EQUAL( output[i], 0xa5 ); + } + mbedtls_test_driver_cipher_hooks.hits = 0; + /* Test setup call, encrypt */ mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; status = psa_cipher_encrypt_setup( &operation, key, alg ); @@ -923,10 +956,23 @@ void cipher_entry_points( int alg_arg, int key_type_arg, mbedtls_test_driver_cipher_hooks.hits = 0; mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; + /* Set the output buffer in a given state. */ + for( size_t i = 0; i < 16; i++ ) + output[i] = 0xa5; + status = psa_cipher_generate_iv( &operation, output, 16, &function_output_length ); /* When generating the IV fails, it should call abort too */ TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 2 ); TEST_EQUAL( status, mbedtls_test_driver_cipher_hooks.forced_status ); + /* + * Check that the output buffer is still in the same state. + * This will fail if the output buffer is used by the core to pass the IV + * it generated to the driver (and is not restored). + */ + for( size_t i = 0; i < 16; i++ ) + { + TEST_EQUAL( output[i], 0xa5 ); + } /* Failure should prevent further operations from executing on the driver */ mbedtls_test_driver_cipher_hooks.hits = 0; status = psa_cipher_update( &operation, diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index 9d4ae17657..60bd1b9d40 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"2.27.0" +check_compiletime_version:"2.28.0" Check runtime library version -check_runtime_version:"2.27.0" +check_runtime_version:"2.28.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0