From 33c6968d0fe27cf57ca808fde0bfb2ad502bd6ed Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 15 Jul 2021 09:38:11 +0200 Subject: [PATCH 01/18] test: psa cipher: Add unexpected IV setting/generation negative tests Signed-off-by: Ronald Cron --- tests/suites/test_suite_psa_crypto.function | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 9ed1424233..eb9458fdee 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -2600,6 +2600,9 @@ void cipher_encrypt_alg_without_iv( int alg_arg, mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t key_type = key_type_arg; psa_algorithm_t alg = alg_arg; + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + uint8_t iv[1] = { 0x5a }; + size_t iv_length; unsigned char *output = NULL; size_t output_buffer_size = 0; size_t output_length = 0; @@ -2617,6 +2620,14 @@ void cipher_encrypt_alg_without_iv( int alg_arg, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, &key ) ); + PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); + TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ), + PSA_ERROR_BAD_STATE ); + PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) ); + TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ), + &iv_length ), + PSA_ERROR_BAD_STATE ); + PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, output, output_buffer_size, &output_length ) ); TEST_ASSERT( output_length <= From 6fbc0577860d9967b4485f8a9cff815e74835ee0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Jul 2021 14:43:26 +0200 Subject: [PATCH 02/18] test: psa driver wrapper: Add non regression test for psa_cipher_generate_iv() Add non regression test for invalid usage of the output buffer in psa_cipher_generate_iv(). The output buffer should not be used to pass the IV to the driver as a local attacker could be able to control the used IV. Signed-off-by: Ronald Cron --- .../test_suite_psa_crypto_driver_wrappers.function | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 6d78ad51a0..39de0ca219 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -923,10 +923,23 @@ void cipher_entry_points( int alg_arg, int key_type_arg, mbedtls_test_driver_cipher_hooks.hits = 0; mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; + /* Set the output buffer in a given state. */ + for( size_t i = 0; i < 16; i++ ) + output[i] = 0xa5; + status = psa_cipher_generate_iv( &operation, output, 16, &function_output_length ); /* When generating the IV fails, it should call abort too */ TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 2 ); TEST_EQUAL( status, mbedtls_test_driver_cipher_hooks.forced_status ); + /* + * Check that the output buffer is still in the same state. + * This will fail if the output buffer is used by the core to pass the IV + * it generated to the driver (and is not restored). + */ + for( size_t i = 0; i < 16; i++ ) + { + TEST_EQUAL( output[i], 0xa5 ); + } /* Failure should prevent further operations from executing on the driver */ mbedtls_test_driver_cipher_hooks.hits = 0; status = psa_cipher_update( &operation, From c423acbe0f7957d8ef1e6036c2429c9f79c6f05e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 5 Jul 2021 12:31:44 +0200 Subject: [PATCH 03/18] psa: cipher: Fix invalid output buffer usage in psa_cipher_generate_iv() Don't use the output buffer in psa_cipher_generate_iv() to pass the generated IV to the driver as local attacker could potentially control it. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 5aed671811..5d716305bd 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3379,8 +3379,8 @@ psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation, size_t *iv_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - *iv_length = 0; + uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; + size_t default_iv_length; if( operation->id == 0 ) { @@ -3394,28 +3394,38 @@ psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation, goto exit; } - if( iv_size < operation->default_iv_length ) + default_iv_length = operation->default_iv_length; + if( iv_size < default_iv_length ) { status = PSA_ERROR_BUFFER_TOO_SMALL; goto exit; } - status = psa_generate_random( iv, operation->default_iv_length ); + if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE ) + { + status = PSA_ERROR_GENERIC_ERROR; + goto exit; + } + + status = psa_generate_random( local_iv, default_iv_length ); if( status != PSA_SUCCESS ) goto exit; status = psa_driver_wrapper_cipher_set_iv( operation, - iv, - operation->default_iv_length ); + local_iv, default_iv_length ); exit: if( status == PSA_SUCCESS ) { + memcpy( iv, local_iv, default_iv_length ); + *iv_length = default_iv_length; operation->iv_set = 1; - *iv_length = operation->default_iv_length; } else + { + *iv_length = 0; psa_cipher_abort( operation ); + } return( status ); } From 1637707929b776b69b19d6998d6c242a181a473b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 8 Jul 2021 19:00:07 +0200 Subject: [PATCH 04/18] psa: cipher: Align APIs execution flow Align the execution of cipher one-shot APIs with that of cipher multi-part APIs: always exit through the exit-labelled section. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 5d716305bd..20f525bf43 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3566,20 +3566,21 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_slot_t *slot; + psa_key_slot_t *slot = NULL; psa_key_type_t key_type; size_t iv_length; - *output_length = 0; - if( ! PSA_ALG_IS_CIPHER( alg ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; + } status = psa_get_and_lock_key_slot_with_policy( key, &slot, PSA_KEY_USAGE_ENCRYPT, alg ); if( status != PSA_SUCCESS ) - return( status ); + goto exit; psa_key_attributes_t attributes = { .core = slot->attr @@ -3608,8 +3609,13 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, exit: unlock_status = psa_unlock_key_slot( slot ); + if( status == PSA_SUCCESS ) + status = unlock_status; - return( ( status == PSA_SUCCESS ) ? unlock_status : status ); + if( status != PSA_SUCCESS ) + *output_length = 0; + + return( status ); } psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key, @@ -3622,18 +3628,19 @@ psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key, { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_slot_t *slot; - - *output_length = 0; + psa_key_slot_t *slot = NULL; if( ! PSA_ALG_IS_CIPHER( alg ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); + { + status = PSA_ERROR_INVALID_ARGUMENT; + goto exit; + } status = psa_get_and_lock_key_slot_with_policy( key, &slot, PSA_KEY_USAGE_DECRYPT, alg ); if( status != PSA_SUCCESS ) - return( status ); + goto exit; psa_key_attributes_t attributes = { .core = slot->attr @@ -3652,8 +3659,13 @@ psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key, exit: unlock_status = psa_unlock_key_slot( slot ); + if( status == PSA_SUCCESS ) + status = unlock_status; - return( ( status == PSA_SUCCESS ) ? unlock_status : status ); + if( status != PSA_SUCCESS ) + *output_length = 0; + + return( status ); } From e25351ad5baeedf8adad49bb8f6206998a2c90a2 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Jul 2021 17:56:40 +0200 Subject: [PATCH 05/18] test: psa driver: Remove unnecessary IV generation Signed-off-by: Ronald Cron --- tests/src/drivers/test_driver_cipher.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c index 6aca1938cb..2fe77c8c78 100644 --- a/tests/src/drivers/test_driver_cipher.c +++ b/tests/src/drivers/test_driver_cipher.c @@ -68,8 +68,6 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS ) return( mbedtls_test_driver_cipher_hooks.forced_status ); - psa_generate_random( output, PSA_CIPHER_IV_LENGTH( attributes->core.type, alg ) ); - return( mbedtls_transparent_test_driver_cipher_encrypt( attributes, key_buffer, key_buffer_size, alg, input, input_length, From a83316991461337fd3b477aa4f42362b5101a0fc Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Jul 2021 09:19:35 +0200 Subject: [PATCH 06/18] psa: cipher: Add IV parameters to cipher_encrypt entry point Signed-off-by: Ronald Cron --- library/psa_crypto.c | 8 ++++--- library/psa_crypto_cipher.c | 32 +++++++++++++------------- library/psa_crypto_cipher.h | 20 ++++++++-------- library/psa_crypto_driver_wrappers.c | 8 +++++++ library/psa_crypto_driver_wrappers.h | 2 ++ tests/include/test/drivers/cipher.h | 2 ++ tests/src/drivers/test_driver_cipher.c | 7 +++++- 7 files changed, 49 insertions(+), 30 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 20f525bf43..028eafcaaa 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3604,15 +3604,17 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, status = psa_driver_wrapper_cipher_encrypt( &attributes, slot->key.data, slot->key.bytes, - alg, input, input_length, - output, output_size, output_length ); + alg, output, iv_length, input, input_length, + output + iv_length, output_size - iv_length, output_length ); exit: unlock_status = psa_unlock_key_slot( slot ); if( status == PSA_SUCCESS ) status = unlock_status; - if( status != PSA_SUCCESS ) + if( status == PSA_SUCCESS ) + *output_length += iv_length; + else *output_length = 0; return( status ); diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 713c3d17d1..22f5363844 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -472,6 +472,8 @@ static psa_status_t cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -480,38 +482,32 @@ static psa_status_t cipher_encrypt( const psa_key_attributes_t *attributes, { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT; - size_t olength, accumulated_length; + size_t update_output_length, finish_output_length; status = cipher_encrypt_setup( &operation, attributes, key_buffer, key_buffer_size, alg ); if( status != PSA_SUCCESS ) goto exit; - accumulated_length = 0; - if( operation.iv_length > 0 ) + if( iv_length > 0 ) { - status = cipher_set_iv( &operation, output, operation.iv_length ); + status = cipher_set_iv( &operation, iv, iv_length ); if( status != PSA_SUCCESS ) goto exit; - - accumulated_length = operation.iv_length; } status = cipher_update( &operation, input, input_length, - output + operation.iv_length, - output_size - operation.iv_length, - &olength ); + output, output_size, &update_output_length ); if( status != PSA_SUCCESS ) goto exit; - accumulated_length += olength; - - status = cipher_finish( &operation, output + accumulated_length, - output_size - accumulated_length, &olength ); + status = cipher_finish( &operation, output + update_output_length, + output_size - update_output_length, + &finish_output_length ); if( status != PSA_SUCCESS ) goto exit; - *output_length = accumulated_length + olength; + *output_length = update_output_length + finish_output_length; exit: if( status == PSA_SUCCESS ) @@ -627,6 +623,8 @@ psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -634,7 +632,7 @@ psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes, size_t *output_length ) { return( cipher_encrypt( attributes, key_buffer, key_buffer_size, - alg, input, input_length, + alg, iv, iv_length, input, input_length, output, output_size, output_length ) ); } @@ -713,6 +711,8 @@ psa_status_t mbedtls_transparent_test_driver_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -720,7 +720,7 @@ psa_status_t mbedtls_transparent_test_driver_cipher_encrypt( size_t *output_length ) { return( cipher_encrypt( attributes, key_buffer, key_buffer_size, - alg, input, input_length, + alg, iv, iv_length, input, input_length, output, output_size, output_length ) ); } diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h index 5971e8d3f0..76ff22acf7 100644 --- a/library/psa_crypto_cipher.h +++ b/library/psa_crypto_cipher.h @@ -213,16 +213,12 @@ psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation * \param[in] alg The cipher algorithm to compute * (\c PSA_ALG_XXX value such that * #PSA_ALG_IS_CIPHER(\p alg) is true). - * \param[in] input Buffer containing the message to encrypt. - * \param[in] input_length Size of the \p input buffer in bytes. + * \param[in] iv Buffer containing the IV for encryption. The + * IV has been generated by the core. + * \param[in] iv_length Size of the \p iv in bytes. + * \param[in] input Buffer containing the message to encrypt. + * \param[in] input_length Size of the \p input buffer in bytes. * \param[in,out] output Buffer where the output is to be written. - * The core has generated and written the IV - * at the beginning of this buffer before - * this function is called. The size of the IV - * is PSA_CIPHER_IV_LENGTH( key_type, alg ) where - * \c key_type is the type of the key identified - * by \p key and \p alg is the cipher algorithm - * to compute. * \param[in] output_size Size of the \p output buffer in bytes. * \param[out] output_length On success, the number of bytes that make up * the returned output. Initialized to zero @@ -235,7 +231,7 @@ psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation * \retval #PSA_ERROR_BUFFER_TOO_SMALL * The size of the \p output buffer is too small. * \retval #PSA_ERROR_INVALID_ARGUMENT - * The size of \p iv is not acceptable for the chosen algorithm, + * The size \p iv_length is not acceptable for the chosen algorithm, * or the chosen algorithm does not use an IV. * The total input size passed to this operation is not valid for * this particular algorithm. For example, the algorithm is a based @@ -249,6 +245,8 @@ psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -342,6 +340,8 @@ psa_status_t mbedtls_transparent_test_driver_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index f7240ceacc..5fba955477 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -740,6 +740,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -761,6 +763,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( key_buffer, key_buffer_size, alg, + iv, + iv_length, input, input_length, output, @@ -777,6 +781,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( key_buffer, key_buffer_size, alg, + iv, + iv_length, input, input_length, output, @@ -794,6 +800,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( key_buffer, key_buffer_size, alg, + iv, + iv_length, input, input_length, output, diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index 38a6ee82a7..9eb08bc9f8 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -102,6 +102,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, diff --git a/tests/include/test/drivers/cipher.h b/tests/include/test/drivers/cipher.h index 4fe559618f..c1aa616b52 100644 --- a/tests/include/test/drivers/cipher.h +++ b/tests/include/test/drivers/cipher.h @@ -57,6 +57,7 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, psa_algorithm_t alg, + const uint8_t *iv, size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length); @@ -102,6 +103,7 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, psa_algorithm_t alg, + const uint8_t *iv, size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length); diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c index 2fe77c8c78..9e0dc30c55 100644 --- a/tests/src/drivers/test_driver_cipher.c +++ b/tests/src/drivers/test_driver_cipher.c @@ -44,6 +44,8 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( const uint8_t *key_buffer, size_t key_buffer_size, psa_algorithm_t alg, + const uint8_t *iv, + size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, @@ -70,7 +72,7 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt( return( mbedtls_transparent_test_driver_cipher_encrypt( attributes, key_buffer, key_buffer_size, - alg, input, input_length, + alg, iv, iv_length, input, input_length, output, output_size, output_length ) ); } @@ -244,6 +246,7 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt( const psa_key_attributes_t *attributes, const uint8_t *key, size_t key_length, psa_algorithm_t alg, + const uint8_t *iv, size_t iv_length, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length) { @@ -251,6 +254,8 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt( (void) key; (void) key_length; (void) alg; + (void) iv; + (void) iv_length; (void) input; (void) input_length; (void) output; From 3563210c102ae64ce5eecd92d3d4ff78c86b5bd5 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Jul 2021 16:55:02 +0200 Subject: [PATCH 07/18] test: psa driver wrapper: Add cipher_encrypt negative testing Signed-off-by: Ronald Cron --- ..._suite_psa_crypto_driver_wrappers.function | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 39de0ca219..49764634c9 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -872,6 +872,26 @@ void cipher_entry_points( int alg_arg, int key_type_arg, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, &key ) ); + /* + * Test encrypt failure + * First test that if we don't force a driver error, encryption is + * successfull, then force driver error. + */ + status = psa_cipher_encrypt( + key, alg, input->x, input->len, + output, output_buffer_size, &function_output_length ); + TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 ); + TEST_EQUAL( status, PSA_SUCCESS ); + mbedtls_test_driver_cipher_hooks.hits = 0; + + mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; + status = psa_cipher_encrypt( + key, alg, input->x, input->len, + output, output_buffer_size, &function_output_length ); + TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 ); + TEST_EQUAL( status, PSA_ERROR_GENERIC_ERROR ); + mbedtls_test_driver_cipher_hooks.hits = 0; + /* Test setup call, encrypt */ mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; status = psa_cipher_encrypt_setup( &operation, key, alg ); From 732a6e250d6c4d41d97bde86b8f2643ccfcef9ea Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Jul 2021 18:20:46 +0200 Subject: [PATCH 08/18] test: psa driver wrapper: Add non regression test for psa_cipher_encrypt() Add non regression test for invalid usage of the output buffer in psa_cipher_encrypt(). The output buffer should not be used to pass the IV to the driver as a local attacker could be able to control the used IV. Signed-off-by: Ronald Cron --- .../test_suite_psa_crypto_driver_wrappers.function | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 49764634c9..74cc032420 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -885,11 +885,24 @@ void cipher_entry_points( int alg_arg, int key_type_arg, mbedtls_test_driver_cipher_hooks.hits = 0; mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR; + /* Set the output buffer in a given state. */ + for( size_t i = 0; i < output_buffer_size; i++ ) + output[i] = 0xa5; + status = psa_cipher_encrypt( key, alg, input->x, input->len, output, output_buffer_size, &function_output_length ); TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 ); TEST_EQUAL( status, PSA_ERROR_GENERIC_ERROR ); + /* + * Check that the output buffer is still in the same state. + * This will fail if the output buffer is used by the core to pass the IV + * it generated to the driver (and is not restored). + */ + for( size_t i = 0; i < output_buffer_size; i++ ) + { + TEST_EQUAL( output[i], 0xa5 ); + } mbedtls_test_driver_cipher_hooks.hits = 0; /* Test setup call, encrypt */ From 4c224fe3ccbe527a2b7d55a927f1f09511ff1b83 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 9 Jul 2021 18:44:58 +0200 Subject: [PATCH 09/18] psa: cipher: Fix invalid output buffer usage in psa_cipher_encrypt() Don't use the output buffer in psa_cipher_encrypt() to pass the generated IV to the driver as local attacker could potentially control it. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 028eafcaaa..3bf470b2f7 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3567,8 +3567,8 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; - psa_key_type_t key_type; - size_t iv_length; + uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; + size_t default_iv_length = 0; if( ! PSA_ALG_IS_CIPHER( alg ) ) { @@ -3586,26 +3586,31 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, .core = slot->attr }; - key_type = slot->attr.type; - iv_length = PSA_CIPHER_IV_LENGTH( key_type, alg ); - - if( iv_length > 0 ) + default_iv_length = PSA_CIPHER_IV_LENGTH( slot->attr.type, alg ); + if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE ) { - if( output_size < iv_length ) + status = PSA_ERROR_GENERIC_ERROR; + goto exit; + } + + if( default_iv_length > 0 ) + { + if( output_size < default_iv_length ) { status = PSA_ERROR_BUFFER_TOO_SMALL; goto exit; } - status = psa_generate_random( output, iv_length ); + status = psa_generate_random( local_iv, default_iv_length ); if( status != PSA_SUCCESS ) goto exit; } status = psa_driver_wrapper_cipher_encrypt( &attributes, slot->key.data, slot->key.bytes, - alg, output, iv_length, input, input_length, - output + iv_length, output_size - iv_length, output_length ); + alg, local_iv, default_iv_length, input, input_length, + output + default_iv_length, output_size - default_iv_length, + output_length ); exit: unlock_status = psa_unlock_key_slot( slot ); @@ -3613,7 +3618,11 @@ exit: status = unlock_status; if( status == PSA_SUCCESS ) - *output_length += iv_length; + { + if( default_iv_length > 0 ) + memcpy( output, local_iv, default_iv_length ); + *output_length += default_iv_length; + } else *output_length = 0; From e7a5e985aecac876dace3029093f82bee6efc646 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 2 Dec 2021 11:26:07 +0100 Subject: [PATCH 10/18] Add change log Signed-off-by: Ronald Cron --- ChangeLog.d/fix-cipher-iv.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/fix-cipher-iv.txt diff --git a/ChangeLog.d/fix-cipher-iv.txt b/ChangeLog.d/fix-cipher-iv.txt new file mode 100644 index 0000000000..e7af6414ac --- /dev/null +++ b/ChangeLog.d/fix-cipher-iv.txt @@ -0,0 +1,5 @@ +Security + * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back + from the output buffer. This fixes a potential policy bypass or decryption + oracle vulnerability if the output buffer is in memory that is shared with + an untrusted application. From 0f6c6bc0dcdecdbd4fe260c18401b40500330ee8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=90=B4=E6=95=AC=E8=BE=89?= <11137405@vivo.com> Date: Mon, 29 Nov 2021 10:46:35 +0800 Subject: [PATCH 11/18] [session] fix a session copy bug fix a possible double reference on 'ticket' when peer_cert/peer_cert_digest calloc failed. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 吴敬辉 <11137405@vivo.com> --- library/ssl_tls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8195af2f93..41e6647271 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -188,6 +188,10 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, mbedtls_ssl_session_free( dst ); memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) + dst->ticket = NULL; +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) From 0add7f96ac2b03da6d8fc615b78f7c3b39f3f019 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 8 Dec 2021 13:28:12 +0000 Subject: [PATCH 12/18] Add changelog entry for session copy bugfix Signed-off-by: David Horstmann --- ChangeLog.d/fix-session-copy-bug.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/fix-session-copy-bug.txt diff --git a/ChangeLog.d/fix-session-copy-bug.txt b/ChangeLog.d/fix-session-copy-bug.txt new file mode 100644 index 0000000000..46e3d8ef61 --- /dev/null +++ b/ChangeLog.d/fix-session-copy-bug.txt @@ -0,0 +1,6 @@ +Bugfix + * Fix a double-free that happened after mbedtls_ssl_set_session() or + mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED + (out of memory). After that, calling mbedtls_ssl_session_free() + and mbedtls_ssl_free() would cause an internal session buffer to + be free()'d twice. From 04e920410d03873684ee2b2a96e492787b4cd51c Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 13 Dec 2021 17:50:41 +0000 Subject: [PATCH 13/18] Add missing changelog for ARIA (#5051) Signed-off-by: Dave Rodgman --- ChangeLog.d/aria.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/aria.txt diff --git a/ChangeLog.d/aria.txt b/ChangeLog.d/aria.txt new file mode 100644 index 0000000000..280a7c9be1 --- /dev/null +++ b/ChangeLog.d/aria.txt @@ -0,0 +1,3 @@ +Features + * Add PSA API definition for ARIA. + From 2d2fb47e45b8b9dd8382bd05da15bb8765960d74 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 14 Dec 2021 11:18:42 +0100 Subject: [PATCH 14/18] Add change log for #4883 Signed-off-by: Ronald Cron --- ChangeLog.d/fix-sign_verify-message-usage.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/fix-sign_verify-message-usage.txt diff --git a/ChangeLog.d/fix-sign_verify-message-usage.txt b/ChangeLog.d/fix-sign_verify-message-usage.txt new file mode 100644 index 0000000000..dd326ee5cb --- /dev/null +++ b/ChangeLog.d/fix-sign_verify-message-usage.txt @@ -0,0 +1,5 @@ +Bugfix + * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC + operations psa_mac_compute() and psa_mac_sign_setup(). + * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC + operations psa_mac_verify() and psa_mac_verify_setup(). From 0798a827c8f5df6c406a7cd5d2dcf48d527c963d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 15 Dec 2021 11:48:21 +0000 Subject: [PATCH 15/18] Assemble changelog Signed-off-by: Dave Rodgman --- ChangeLog | 121 ++++++++++++++++++ ChangeLog.d/aria.txt | 3 - ChangeLog.d/base64-ranges.txt | 4 - ChangeLog.d/bugfix-for-gcm-long-iv-size.txt | 4 - ChangeLog.d/build-without-sha.txt | 3 - .../chacha20-poly1305-invalid-nonce.txt | 3 - ChangeLog.d/check-return.txt | 19 --- ChangeLog.d/constant_time_module.txt | 10 -- ChangeLog.d/do-not-use-obsolete-header.txt | 5 - ChangeLog.d/fix-cipher-iv.txt | 5 - ChangeLog.d/fix-cipher-output-size-macros.txt | 4 - .../fix-mbedtls_cipher_crypt-aes-ecb.txt | 2 - .../fix-needed-shared-libraries-linux.txt | 3 - ChangeLog.d/fix-pkcs12-null-password.txt | 5 - ChangeLog.d/fix-psa_gen_key-status.txt | 2 - ChangeLog.d/fix-session-copy-bug.txt | 6 - ChangeLog.d/fix-sign_verify-message-usage.txt | 5 - ChangeLog.d/fix_compilation_ssl_tests.txt | 3 - ChangeLog.d/issue4630.txt | 2 - ChangeLog.d/mac-zeroize.txt | 6 - ChangeLog.d/makefile-python-windows.txt | 4 - ChangeLog.d/muladdc-memory.txt | 5 - ChangeLog.d/no-strerror.txt | 3 - ChangeLog.d/psa_alg_rsa_pss.txt | 5 - ChangeLog.d/psa_cipher_update_ecp.txt | 2 - ChangeLog.d/psa_crypto_api_macros.txt | 11 -- ChangeLog.d/remove-greentea-support.txt | 3 - ChangeLog.d/remove_default_alllow_sha1.txt | 10 -- ChangeLog.d/semi-public-structure-fields.txt | 5 - ChangeLog.d/tls_ext_cid-config.txt | 3 - .../twos_complement_representation.txt | 3 - 31 files changed, 121 insertions(+), 148 deletions(-) delete mode 100644 ChangeLog.d/aria.txt delete mode 100644 ChangeLog.d/base64-ranges.txt delete mode 100644 ChangeLog.d/bugfix-for-gcm-long-iv-size.txt delete mode 100644 ChangeLog.d/build-without-sha.txt delete mode 100644 ChangeLog.d/chacha20-poly1305-invalid-nonce.txt delete mode 100644 ChangeLog.d/check-return.txt delete mode 100644 ChangeLog.d/constant_time_module.txt delete mode 100644 ChangeLog.d/do-not-use-obsolete-header.txt delete mode 100644 ChangeLog.d/fix-cipher-iv.txt delete mode 100644 ChangeLog.d/fix-cipher-output-size-macros.txt delete mode 100644 ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt delete mode 100644 ChangeLog.d/fix-needed-shared-libraries-linux.txt delete mode 100644 ChangeLog.d/fix-pkcs12-null-password.txt delete mode 100644 ChangeLog.d/fix-psa_gen_key-status.txt delete mode 100644 ChangeLog.d/fix-session-copy-bug.txt delete mode 100644 ChangeLog.d/fix-sign_verify-message-usage.txt delete mode 100644 ChangeLog.d/fix_compilation_ssl_tests.txt delete mode 100644 ChangeLog.d/issue4630.txt delete mode 100644 ChangeLog.d/mac-zeroize.txt delete mode 100644 ChangeLog.d/makefile-python-windows.txt delete mode 100644 ChangeLog.d/muladdc-memory.txt delete mode 100644 ChangeLog.d/no-strerror.txt delete mode 100644 ChangeLog.d/psa_alg_rsa_pss.txt delete mode 100644 ChangeLog.d/psa_cipher_update_ecp.txt delete mode 100644 ChangeLog.d/psa_crypto_api_macros.txt delete mode 100644 ChangeLog.d/remove-greentea-support.txt delete mode 100644 ChangeLog.d/remove_default_alllow_sha1.txt delete mode 100644 ChangeLog.d/semi-public-structure-fields.txt delete mode 100644 ChangeLog.d/tls_ext_cid-config.txt delete mode 100644 ChangeLog.d/twos_complement_representation.txt diff --git a/ChangeLog b/ChangeLog index 89572ca0b9..43d42a79f1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,126 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +API changes + * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a + different order. This only affects applications that define such + structures directly or serialize them. + +Requirement changes + * Sign-magnitude and one's complement representations for signed integers are + not supported. Two's complement is the only supported representation. + +Removals + * Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, + which allowed SHA-1 in the default TLS configuration for certificate + signing. It was intended to facilitate the transition in environments + with SHA-1 certificates. SHA-1 is considered a weak message digest and + its use constitutes a security risk. + * Remove the partial support for running unit tests via Greentea on Mbed OS, + which had been unmaintained since 2018. + +Features + * The identifier of the CID TLS extension can be configured by defining + MBEDTLS_TLS_EXT_CID at compile time. + * Warn if errors from certain functions are ignored. This is currently + supported on GCC-like compilers and on MSVC and can be configured through + the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled + (where supported) for critical functions where ignoring the return + value is almost always a bug. Enable the new configuration option + MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This + is currently implemented in the AES, DES and md modules, and will be + extended to other modules in the future. + * Add missing PSA macros declared by PSA Crypto API 1.0.0: + PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. + * Add new API mbedtls_ct_memcmp for constant time buffer comparison. + * Add PSA API definition for ARIA. + +Security + * Zeroize several intermediate variables used to calculate the expected + value when verifying a MAC or AEAD tag. This hardens the library in + case the value leaks through a memory disclosure vulnerability. For + example, a memory disclosure vulnerability could have allowed a + man-in-the-middle to inject fake ciphertext into a DTLS connection. + * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back + from the output buffer. This fixes a potential policy bypass or decryption + oracle vulnerability if the output buffer is in memory that is shared with + an untrusted application. + +Bugfix + * Stop using reserved identifiers as local variables. Fixes #4630. + * The GNU makefiles invoke python3 in preference to python except on Windows. + The check was accidentally not performed when cross-compiling for Windows + on Linux. Fix this. Fixes #4774. + * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or + PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. + * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935. + * Don't use the obsolete header path sys/fcntl.h in unit tests. + These header files cause compilation errors in musl. + Fixes #4969. + * Fix missing constraints on x86_64 and aarch64 assembly code + for bignum multiplication that broke some bignum operations with + (at least) Clang 12. + Fixes #4116, #4786, #4917, #4962. + * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled. + * Failures of alternative implementations of AES or DES single-block + functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT, + MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored. + This does not concern the implementation provided with Mbed TLS, + where this function cannot fail, or full-module replacements with + MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. + * Some failures of HMAC operations were ignored. These failures could only + happen with an alternative implementation of the underlying hash module. + * Fix the error returned by psa_generate_key() for a public key. Fixes #4551. + * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor + MBEDTLS_ERROR_STRERROR_DUMMY is enabled. + * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length. + This algorithm now accepts only the same salt length for verification + that it produces when signing, as documented. Use the new algorithm + PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946. + * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved + for algorithm values that fully encode the hashing step, as per the PSA + Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and + PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers + all algorithms that can be used with psa_{sign,verify}_hash(), including + these two. + * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries + not to list other shared libraries they need. + * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32. + * Fix #4884. + * Fix an uninitialized variable warning in test_suite_ssl.function with GCC + version 11. + * Fix the build when no SHA2 module is included. Fixes #4930. + * Fix the build when only the bignum module is included. Fixes #4929. + * Fix a potential invalid pointer dereference and infinite loop bugs in + pkcs12 functions when the password is empty. Fix the documentation to + better describe the inputs to these functions and their possible values. + Fixes #5136. + * Fix a double-free that happened after mbedtls_ssl_set_session() or + mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED + (out of memory). After that, calling mbedtls_ssl_session_free() + and mbedtls_ssl_free() would cause an internal session buffer to + be free()'d twice. + * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC + operations psa_mac_compute() and psa_mac_sign_setup(). + * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC + operations psa_mac_verify() and psa_mac_verify_setup(). + +Changes + * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be + disabled by default. + * Improve the performance of base64 constant-flow code. The result is still + slower than the original non-constant-flow implementation, but much faster + than the previous constant-flow implementation. Fixes #4814. + * Indicate in the error returned if the nonce length used with + ChaCha20-Poly1305 is invalid, and not just unsupported. + * The mbedcrypto library includes a new source code module constant_time.c, + containing various functions meant to resist timing side channel attacks. + This module does not have a separate configuration option, and functions + from this module will be included in the build as required. Currently + most of the interface of this module is private and may change at any + time. + = mbed TLS 2.27.0 branch released 2021-07-07 API changes diff --git a/ChangeLog.d/aria.txt b/ChangeLog.d/aria.txt deleted file mode 100644 index 280a7c9be1..0000000000 --- a/ChangeLog.d/aria.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Add PSA API definition for ARIA. - diff --git a/ChangeLog.d/base64-ranges.txt b/ChangeLog.d/base64-ranges.txt deleted file mode 100644 index e3f3862bfb..0000000000 --- a/ChangeLog.d/base64-ranges.txt +++ /dev/null @@ -1,4 +0,0 @@ -Changes - * Improve the performance of base64 constant-flow code. The result is still - slower than the original non-constant-flow implementation, but much faster - than the previous constant-flow implementation. Fixes #4814. diff --git a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt b/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt deleted file mode 100644 index c04c4aa182..0000000000 --- a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32. - * Fix #4884. - diff --git a/ChangeLog.d/build-without-sha.txt b/ChangeLog.d/build-without-sha.txt deleted file mode 100644 index 78ba27694a..0000000000 --- a/ChangeLog.d/build-without-sha.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix the build when no SHA2 module is included. Fixes #4930. - * Fix the build when only the bignum module is included. Fixes #4929. diff --git a/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt b/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt deleted file mode 100644 index ca3f9aceea..0000000000 --- a/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Indicate in the error returned if the nonce length used with - ChaCha20-Poly1305 is invalid, and not just unsupported. diff --git a/ChangeLog.d/check-return.txt b/ChangeLog.d/check-return.txt deleted file mode 100644 index 7d905da732..0000000000 --- a/ChangeLog.d/check-return.txt +++ /dev/null @@ -1,19 +0,0 @@ -Bugfix - * Failures of alternative implementations of AES or DES single-block - functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT, - MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored. - This does not concern the implementation provided with Mbed TLS, - where this function cannot fail, or full-module replacements with - MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. - * Some failures of HMAC operations were ignored. These failures could only - happen with an alternative implementation of the underlying hash module. - -Features - * Warn if errors from certain functions are ignored. This is currently - supported on GCC-like compilers and on MSVC and can be configured through - the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled - (where supported) for critical functions where ignoring the return - value is almost always a bug. Enable the new configuration option - MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This - is currently implemented in the AES, DES and md modules, and will be - extended to other modules in the future. diff --git a/ChangeLog.d/constant_time_module.txt b/ChangeLog.d/constant_time_module.txt deleted file mode 100644 index ebb0b7fb96..0000000000 --- a/ChangeLog.d/constant_time_module.txt +++ /dev/null @@ -1,10 +0,0 @@ -Changes - * The mbedcrypto library includes a new source code module constant_time.c, - containing various functions meant to resist timing side channel attacks. - This module does not have a separate configuration option, and functions - from this module will be included in the build as required. Currently - most of the interface of this module is private and may change at any - time. - -Features - * Add new API mbedtls_ct_memcmp for constant time buffer comparison. diff --git a/ChangeLog.d/do-not-use-obsolete-header.txt b/ChangeLog.d/do-not-use-obsolete-header.txt deleted file mode 100644 index 9a57ef16b2..0000000000 --- a/ChangeLog.d/do-not-use-obsolete-header.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Don't use the obsolete header path sys/fcntl.h in unit tests. - These header files cause compilation errors in musl. - Fixes #4969. - diff --git a/ChangeLog.d/fix-cipher-iv.txt b/ChangeLog.d/fix-cipher-iv.txt deleted file mode 100644 index e7af6414ac..0000000000 --- a/ChangeLog.d/fix-cipher-iv.txt +++ /dev/null @@ -1,5 +0,0 @@ -Security - * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back - from the output buffer. This fixes a potential policy bypass or decryption - oracle vulnerability if the output buffer is in memory that is shared with - an untrusted application. diff --git a/ChangeLog.d/fix-cipher-output-size-macros.txt b/ChangeLog.d/fix-cipher-output-size-macros.txt deleted file mode 100644 index 4a4b971c83..0000000000 --- a/ChangeLog.d/fix-cipher-output-size-macros.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or - PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. - diff --git a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt b/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt deleted file mode 100644 index 6dc47244fe..0000000000 --- a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled. diff --git a/ChangeLog.d/fix-needed-shared-libraries-linux.txt b/ChangeLog.d/fix-needed-shared-libraries-linux.txt deleted file mode 100644 index 74ad3bc753..0000000000 --- a/ChangeLog.d/fix-needed-shared-libraries-linux.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries - not to list other shared libraries they need. diff --git a/ChangeLog.d/fix-pkcs12-null-password.txt b/ChangeLog.d/fix-pkcs12-null-password.txt deleted file mode 100644 index fae8195535..0000000000 --- a/ChangeLog.d/fix-pkcs12-null-password.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix a potential invalid pointer dereference and infinite loop bugs in - pkcs12 functions when the password is empty. Fix the documentation to - better describe the inputs to these functions and their possible values. - Fixes #5136. diff --git a/ChangeLog.d/fix-psa_gen_key-status.txt b/ChangeLog.d/fix-psa_gen_key-status.txt deleted file mode 100644 index 78609882f9..0000000000 --- a/ChangeLog.d/fix-psa_gen_key-status.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix the error returned by psa_generate_key() for a public key. Fixes #4551. diff --git a/ChangeLog.d/fix-session-copy-bug.txt b/ChangeLog.d/fix-session-copy-bug.txt deleted file mode 100644 index 46e3d8ef61..0000000000 --- a/ChangeLog.d/fix-session-copy-bug.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * Fix a double-free that happened after mbedtls_ssl_set_session() or - mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED - (out of memory). After that, calling mbedtls_ssl_session_free() - and mbedtls_ssl_free() would cause an internal session buffer to - be free()'d twice. diff --git a/ChangeLog.d/fix-sign_verify-message-usage.txt b/ChangeLog.d/fix-sign_verify-message-usage.txt deleted file mode 100644 index dd326ee5cb..0000000000 --- a/ChangeLog.d/fix-sign_verify-message-usage.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC - operations psa_mac_compute() and psa_mac_sign_setup(). - * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC - operations psa_mac_verify() and psa_mac_verify_setup(). diff --git a/ChangeLog.d/fix_compilation_ssl_tests.txt b/ChangeLog.d/fix_compilation_ssl_tests.txt deleted file mode 100644 index 202e5c4392..0000000000 --- a/ChangeLog.d/fix_compilation_ssl_tests.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix an uninitialized variable warning in test_suite_ssl.function with GCC - version 11. diff --git a/ChangeLog.d/issue4630.txt b/ChangeLog.d/issue4630.txt deleted file mode 100644 index 0bc4b99e59..0000000000 --- a/ChangeLog.d/issue4630.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Stop using reserved identifiers as local variables. Fixes #4630. diff --git a/ChangeLog.d/mac-zeroize.txt b/ChangeLog.d/mac-zeroize.txt deleted file mode 100644 index a43e34f845..0000000000 --- a/ChangeLog.d/mac-zeroize.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * Zeroize several intermediate variables used to calculate the expected - value when verifying a MAC or AEAD tag. This hardens the library in - case the value leaks through a memory disclosure vulnerability. For - example, a memory disclosure vulnerability could have allowed a - man-in-the-middle to inject fake ciphertext into a DTLS connection. diff --git a/ChangeLog.d/makefile-python-windows.txt b/ChangeLog.d/makefile-python-windows.txt deleted file mode 100644 index 57ccc1a39a..0000000000 --- a/ChangeLog.d/makefile-python-windows.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * The GNU makefiles invoke python3 in preference to python except on Windows. - The check was accidentally not performed when cross-compiling for Windows - on Linux. Fix this. Fixes #4774. diff --git a/ChangeLog.d/muladdc-memory.txt b/ChangeLog.d/muladdc-memory.txt deleted file mode 100644 index 218be5a605..0000000000 --- a/ChangeLog.d/muladdc-memory.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix missing constraints on x86_64 and aarch64 assembly code - for bignum multiplication that broke some bignum operations with - (at least) Clang 12. - Fixes #4116, #4786, #4917, #4962. diff --git a/ChangeLog.d/no-strerror.txt b/ChangeLog.d/no-strerror.txt deleted file mode 100644 index 69743a8715..0000000000 --- a/ChangeLog.d/no-strerror.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor - MBEDTLS_ERROR_STRERROR_DUMMY is enabled. diff --git a/ChangeLog.d/psa_alg_rsa_pss.txt b/ChangeLog.d/psa_alg_rsa_pss.txt deleted file mode 100644 index 5c6048fe6c..0000000000 --- a/ChangeLog.d/psa_alg_rsa_pss.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length. - This algorithm now accepts only the same salt length for verification - that it produces when signing, as documented. Use the new algorithm - PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946. diff --git a/ChangeLog.d/psa_cipher_update_ecp.txt b/ChangeLog.d/psa_cipher_update_ecp.txt deleted file mode 100644 index 1c3fbc6b18..0000000000 --- a/ChangeLog.d/psa_cipher_update_ecp.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935. diff --git a/ChangeLog.d/psa_crypto_api_macros.txt b/ChangeLog.d/psa_crypto_api_macros.txt deleted file mode 100644 index ff53e33c2d..0000000000 --- a/ChangeLog.d/psa_crypto_api_macros.txt +++ /dev/null @@ -1,11 +0,0 @@ -Features - * Add missing PSA macros declared by PSA Crypto API 1.0.0: - PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. - -Bugfix - * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved - for algorithm values that fully encode the hashing step, as per the PSA - Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and - PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers - all algorithms that can be used with psa_{sign,verify}_hash(), including - these two. diff --git a/ChangeLog.d/remove-greentea-support.txt b/ChangeLog.d/remove-greentea-support.txt deleted file mode 100644 index af4df4baa1..0000000000 --- a/ChangeLog.d/remove-greentea-support.txt +++ /dev/null @@ -1,3 +0,0 @@ -Removals - * Remove the partial support for running unit tests via Greentea on Mbed OS, - which had been unmaintained since 2018. diff --git a/ChangeLog.d/remove_default_alllow_sha1.txt b/ChangeLog.d/remove_default_alllow_sha1.txt deleted file mode 100644 index 9ec10cf6bc..0000000000 --- a/ChangeLog.d/remove_default_alllow_sha1.txt +++ /dev/null @@ -1,10 +0,0 @@ -Removals - * Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, - which allowed SHA-1 in the default TLS configuration for certificate - signing. It was intended to facilitate the transition in environments - with SHA-1 certificates. SHA-1 is considered a weak message digest and - its use constitutes a security risk. - -Changes - * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be - disabled by default. diff --git a/ChangeLog.d/semi-public-structure-fields.txt b/ChangeLog.d/semi-public-structure-fields.txt deleted file mode 100644 index 802f8de2b7..0000000000 --- a/ChangeLog.d/semi-public-structure-fields.txt +++ /dev/null @@ -1,5 +0,0 @@ -API changes - * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a - different order. This only affects applications that define such - structures directly or serialize them. - diff --git a/ChangeLog.d/tls_ext_cid-config.txt b/ChangeLog.d/tls_ext_cid-config.txt deleted file mode 100644 index b7b1e72443..0000000000 --- a/ChangeLog.d/tls_ext_cid-config.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * The identifier of the CID TLS extension can be configured by defining - MBEDTLS_TLS_EXT_CID at compile time. diff --git a/ChangeLog.d/twos_complement_representation.txt b/ChangeLog.d/twos_complement_representation.txt deleted file mode 100644 index fa49859abc..0000000000 --- a/ChangeLog.d/twos_complement_representation.txt +++ /dev/null @@ -1,3 +0,0 @@ -Requirement changes - * Sign-magnitude and one's complement representations for signed integers are - not supported. Two's complement is the only supported representation. From f00d9a2340ddaf107a879ce14d9741c6d2b29175 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 15 Dec 2021 11:52:54 +0000 Subject: [PATCH 16/18] Minor Changelog updates & fixes Signed-off-by: Dave Rodgman --- ChangeLog | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index 43d42a79f1..021012a026 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,6 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS x.x.x branch released xxxx-xx-xx += mbed TLS 2.28.0 branch released 2021-12-17 API changes * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a @@ -33,7 +33,7 @@ Features extended to other modules in the future. * Add missing PSA macros declared by PSA Crypto API 1.0.0: PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. - * Add new API mbedtls_ct_memcmp for constant time buffer comparison. + * Add new API mbedtls_ct_memcmp for constant time buffer comparison. * Add PSA API definition for ARIA. Security @@ -46,6 +46,11 @@ Security from the output buffer. This fixes a potential policy bypass or decryption oracle vulnerability if the output buffer is in memory that is shared with an untrusted application. + * Fix a double-free that happened after mbedtls_ssl_set_session() or + mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED + (out of memory). After that, calling mbedtls_ssl_session_free() + and mbedtls_ssl_free() would cause an internal session buffer to + be free()'d twice. Bugfix * Stop using reserved identifiers as local variables. Fixes #4630. @@ -86,8 +91,8 @@ Bugfix these two. * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries not to list other shared libraries they need. - * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32. - * Fix #4884. + * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv + exceeds 2^32. Fixes #4884. * Fix an uninitialized variable warning in test_suite_ssl.function with GCC version 11. * Fix the build when no SHA2 module is included. Fixes #4930. @@ -96,11 +101,6 @@ Bugfix pkcs12 functions when the password is empty. Fix the documentation to better describe the inputs to these functions and their possible values. Fixes #5136. - * Fix a double-free that happened after mbedtls_ssl_set_session() or - mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED - (out of memory). After that, calling mbedtls_ssl_session_free() - and mbedtls_ssl_free() would cause an internal session buffer to - be free()'d twice. * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC operations psa_mac_compute() and psa_mac_sign_setup(). * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC @@ -114,12 +114,12 @@ Changes than the previous constant-flow implementation. Fixes #4814. * Indicate in the error returned if the nonce length used with ChaCha20-Poly1305 is invalid, and not just unsupported. - * The mbedcrypto library includes a new source code module constant_time.c, - containing various functions meant to resist timing side channel attacks. - This module does not have a separate configuration option, and functions - from this module will be included in the build as required. Currently - most of the interface of this module is private and may change at any - time. + * The mbedcrypto library includes a new source code module constant_time.c, + containing various functions meant to resist timing side channel attacks. + This module does not have a separate configuration option, and functions + from this module will be included in the build as required. Currently + most of the interface of this module is private and may change at any + time. = mbed TLS 2.27.0 branch released 2021-07-07 From 29c3aee6a75ec44e07097647d5b1c34c65b9add8 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 13 Dec 2021 18:47:16 +0000 Subject: [PATCH 17/18] Update branch information in BRANCHES.md Signed-off-by: Dave Rodgman --- BRANCHES.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/BRANCHES.md b/BRANCHES.md index d5144188ea..ee91f76bb8 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -48,8 +48,7 @@ The following branches are currently maintained: - [master](https://github.com/ARMmbed/mbedtls/tree/master) - [`development`](https://github.com/ARMmbed/mbedtls/) -- [`mbedtls-2.16`](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16) - maintained until at least the end of 2021, see - +- [`mbedtls-2.28`](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.28) + maintained until at least the end of 2024. Users are urged to always use the latest version of a maintained branch. From d41dab39c5f4c4fed56b346d56ece076c91016e1 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 15 Dec 2021 11:55:31 +0000 Subject: [PATCH 18/18] Bump version to 2.28.0 Executed ./scripts/bump_version.sh --version 2.28.0 --so-tls 14 Signed-off-by: Dave Rodgman --- doxygen/input/doc_mainpage.h | 2 +- doxygen/mbedtls.doxyfile | 2 +- include/mbedtls/version.h | 8 ++++---- library/CMakeLists.txt | 6 +++--- library/Makefile | 2 +- tests/suites/test_suite_version.data | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 4ff63ce69a..5a0f3ecaff 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -22,7 +22,7 @@ */ /** - * @mainpage mbed TLS v2.27.0 source code documentation + * @mainpage mbed TLS v2.28.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 186c1487ba..efd9ac6edf 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v2.27.0" +PROJECT_NAME = "mbed TLS v2.28.0" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 2740479f53..b1a92b2bcf 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -37,7 +37,7 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 2 -#define MBEDTLS_VERSION_MINOR 27 +#define MBEDTLS_VERSION_MINOR 28 #define MBEDTLS_VERSION_PATCH 0 /** @@ -45,9 +45,9 @@ * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x021B0000 -#define MBEDTLS_VERSION_STRING "2.27.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.27.0" +#define MBEDTLS_VERSION_NUMBER 0x021C0000 +#define MBEDTLS_VERSION_STRING "2.28.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.28.0" #if defined(MBEDTLS_VERSION_C) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 0cafd88817..0a600674db 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -203,15 +203,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) add_library(${mbedcrypto_target} SHARED ${src_crypto}) - set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.27.0 SOVERSION 7) + set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.0 SOVERSION 7) target_link_libraries(${mbedcrypto_target} PUBLIC ${libs}) add_library(${mbedx509_target} SHARED ${src_x509}) - set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.27.0 SOVERSION 1) + set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.0 SOVERSION 1) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target}) add_library(${mbedtls_target} SHARED ${src_tls}) - set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.27.0 SOVERSION 13) + set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.0 SOVERSION 14) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) endif(USE_SHARED_MBEDTLS_LIBRARY) diff --git a/library/Makefile b/library/Makefile index 71a1bb00b5..54b0651dc4 100644 --- a/library/Makefile +++ b/library/Makefile @@ -39,7 +39,7 @@ LOCAL_CFLAGS += -fPIC -fpic endif endif -SOEXT_TLS=so.13 +SOEXT_TLS=so.14 SOEXT_X509=so.1 SOEXT_CRYPTO=so.7 diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index 9d4ae17657..60bd1b9d40 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"2.27.0" +check_compiletime_version:"2.28.0" Check runtime library version -check_runtime_version:"2.27.0" +check_runtime_version:"2.28.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0