diff --git a/BRANCHES.md b/BRANCHES.md index 9d5d779345..cf86a9d070 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -107,7 +107,7 @@ The following branches are currently maintained: - [`development`](https://github.com/Mbed-TLS/mbedtls/) - [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6) maintained until March 2027, see - . + . - [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28) maintained until the end of 2024, see . diff --git a/CMakeLists.txt b/CMakeLists.txt index 6aed3d3b1d..fc85ae7b83 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -40,12 +40,12 @@ cmake_policy(SET CMP0012 NEW) if(TEST_CPP) project("Mbed TLS" LANGUAGES C CXX - VERSION 3.6.1 + VERSION 3.6.2 ) else() project("Mbed TLS" LANGUAGES C - VERSION 3.6.1 + VERSION 3.6.2 ) endif() @@ -229,7 +229,15 @@ if(CMAKE_COMPILER_IS_GNU) set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") - set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3") + # Old GCC versions hit a performance problem with test_suite_pkwrite + # "Private keey write check EC" tests when building with Asan+UBSan + # and -O3: those tests take more than 100x time than normal, with + # test_suite_pkwrite taking >3h on the CI. Observed with GCC 5.4 on + # Ubuntu 16.04 x86_64 and GCC 6.5 on Ubuntu 18.04 x86_64. + # GCC 7.5 and above on Ubuntu 18.04 appear fine. + # To avoid the performance problem, we use -O2 here. It doesn't slow + # down much even with modern compiler versions. + set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O2") set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls") set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3") set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls") @@ -452,7 +460,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL) write_basic_package_version_file( "cmake/MbedTLSConfigVersion.cmake" COMPATIBILITY SameMajorVersion - VERSION 3.6.1) + VERSION 3.6.2) install( FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake" diff --git a/ChangeLog b/ChangeLog index 8eb43fe65c..a88c9c5694 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,16 @@ Mbed TLS ChangeLog (Sorted per branch, date) += Mbed TLS 3.6.2 branch released 2024-10-14 + +Security + * Fix a buffer underrun in mbedtls_pk_write_key_der() when + called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled, + and the output buffer is smaller than the actual output. + Fix a related buffer underrun in mbedtls_pk_write_key_pem() + when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled + and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key. + CVE-2024-49195 + = Mbed TLS 3.6.1 branch released 2024-08-30 API changes diff --git a/docs/architecture/psa-keystore-design.md b/docs/architecture/psa-keystore-design.md index cdd2cac3ab..be082a812a 100644 --- a/docs/architecture/psa-keystore-design.md +++ b/docs/architecture/psa-keystore-design.md @@ -67,7 +67,7 @@ Note that a slot must not be moved in memory while it is being read or written. There are three variants of the key store implementation, responding to different needs. * Hybrid key store ([static key slots](#static-key-store) with dynamic key data): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Key material is allocated on the heap. This is the historical implementation. It remains the default in the Mbed TLS 3.6 long-time support (LTS) branch when using a handwritten `mbedtls_config.h`, as is common on resource-constrained platforms, because the alternatives have tradeoffs (key size limit and larger RAM usage at rest for the static key store, larger code size and more risk due to code complexity for the dynamic key store). -* Fully [static key store](#static-key-store) (since Mbed TLS 3.6.2): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Each key slot contains the key representation directly, and the key representation must be no more than `MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE` bytes. This is intended for very constrained devices that do not have a heap. +* Fully [static key store](#static-key-store) (since Mbed TLS 3.6.3): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Each key slot contains the key representation directly, and the key representation must be no more than `MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE` bytes. This is intended for very constrained devices that do not have a heap. * [Dynamic key store](#dynamic-key-store) (since Mbed TLS 3.6.1): the key store is dynamically allocated as multiple slices on the heap, with a size that adjusts to the application's usage. Key material is allocated on the heap. Compared to the hybrid key store, the code size and RAM consumption are larger. This is intended for higher-end devices where applications are not expected to have a highly predicatable resource usage. This is the default implementation when using the default `mbedtls_config.h` file, as is common on platforms such as Linux, starting with Mbed TLS 3.6.1. #### Future improvement: merging the key store variants @@ -95,7 +95,7 @@ When creating a volatile key, the slice containing the slot and index of the slo The static key store is the historical implementation. The key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. This value is an upper bound for the total number of volatile keys plus loaded keys. -Since Mbed TLS 3.6.2, there are two variants for the static key store: a hybrid variant (default), and a fully-static variant enabled by the configuration option `MBEDTLS_PSA_STATIC_KEY_SLOTS`. The two variants have the same key store management: the only difference is in how the memory for key data is managed. With fully static key slots, the key data is directly inside the slot, and limited to `MBEDTLS_PSA_KEY_SLOT_BUFFER_SIZE` bytes. With the hybrid key store, the slot contains a pointer to the key data, which is allocated on the heap. +Since Mbed TLS 3.6.3, there are two variants for the static key store: a hybrid variant (default), and a fully-static variant enabled by the configuration option `MBEDTLS_PSA_STATIC_KEY_SLOTS`. The two variants have the same key store management: the only difference is in how the memory for key data is managed. With fully static key slots, the key data is directly inside the slot, and limited to `MBEDTLS_PSA_KEY_SLOT_BUFFER_SIZE` bytes. With the hybrid key store, the slot contains a pointer to the key data, which is allocated on the heap. #### Volatile key identifiers in the static key store diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 740bb19dee..d872818c37 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -10,7 +10,7 @@ */ /** - * @mainpage Mbed TLS v3.6.1 API Documentation + * @mainpage Mbed TLS v3.6.2 API Documentation * * This documentation describes the internal structure of Mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 2a8282073b..281f062897 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -1,4 +1,4 @@ -PROJECT_NAME = "Mbed TLS v3.6.1" +PROJECT_NAME = "Mbed TLS v3.6.2" OUTPUT_DIRECTORY = ../apidoc/ FULL_PATH_NAMES = NO OPTIMIZE_OUTPUT_FOR_C = YES diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 8242ec6828..d91d2964b6 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -26,16 +26,16 @@ */ #define MBEDTLS_VERSION_MAJOR 3 #define MBEDTLS_VERSION_MINOR 6 -#define MBEDTLS_VERSION_PATCH 1 +#define MBEDTLS_VERSION_PATCH 2 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x03060100 -#define MBEDTLS_VERSION_STRING "3.6.1" -#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.1" +#define MBEDTLS_VERSION_NUMBER 0x03060200 +#define MBEDTLS_VERSION_STRING "3.6.2" +#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.2" /* Macros for build-time platform detection */ diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index e4d8f0d026..db20aabe52 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -300,7 +300,7 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR}) add_library(${mbedcrypto_target} SHARED ${src_crypto}) - set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.6.1 SOVERSION 16) + set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.6.2 SOVERSION 16) target_link_libraries(${mbedcrypto_target} PUBLIC ${libs}) if(TARGET ${everest_target}) @@ -312,11 +312,11 @@ if(USE_SHARED_MBEDTLS_LIBRARY) endif() add_library(${mbedx509_target} SHARED ${src_x509}) - set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.6.1 SOVERSION 7) + set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.6.2 SOVERSION 7) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target}) add_library(${mbedtls_target} SHARED ${src_tls}) - set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.6.1 SOVERSION 21) + set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.6.2 SOVERSION 21) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) endif(USE_SHARED_MBEDTLS_LIBRARY) diff --git a/library/pkwrite.c b/library/pkwrite.c index 5e009c565e..2a698448be 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -65,17 +65,21 @@ static int pk_write_rsa_der(unsigned char **p, unsigned char *buf, #if defined(MBEDTLS_USE_PSA_CRYPTO) if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) { uint8_t tmp[PSA_EXPORT_KEY_PAIR_MAX_SIZE]; - size_t len = 0, tmp_len = 0; + size_t tmp_len = 0; if (psa_export_key(pk->priv_id, tmp, sizeof(tmp), &tmp_len) != PSA_SUCCESS) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } + /* Ensure there's enough space in the provided buffer before copying data into it. */ + if (tmp_len > (size_t) (*p - buf)) { + mbedtls_platform_zeroize(tmp, sizeof(tmp)); + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } *p -= tmp_len; memcpy(*p, tmp, tmp_len); - len += tmp_len; mbedtls_platform_zeroize(tmp, sizeof(tmp)); - return (int) len; + return (int) tmp_len; } #endif /* MBEDTLS_USE_PSA_CRYPTO */ return mbedtls_rsa_write_key(mbedtls_pk_rsa(*pk), buf, p); @@ -125,6 +129,10 @@ static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start, if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } + /* Ensure there's enough space in the provided buffer before copying data into it. */ + if (len > (size_t) (*p - start)) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } *p -= len; memcpy(*p, buf, len); return (int) len; diff --git a/tests/suites/test_suite_pkwrite.data b/tests/suites/test_suite_pkwrite.data index b1fb73bd24..30ccfbc75b 100644 --- a/tests/suites/test_suite_pkwrite.data +++ b/tests/suites/test_suite_pkwrite.data @@ -30,13 +30,16 @@ Public key write check EC 521 bits (DER) depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_SECP521R1 pk_write_pubkey_check:"../framework/data_files/ec_521_pub.der":TEST_DER -Public key write check EC Brainpool 512 bits -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_BP512R1 -pk_write_pubkey_check:"../framework/data_files/ec_bp512_pub.pem":TEST_PEM +## The pk_write_pubkey_check sometimes take ~3 hours to run with +## GCC+Asan on the CI in the full config. Comment out the slowest +## ones while we investigate and release 3.6.2. +# Public key write check EC Brainpool 512 bits +# depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_BP512R1 +# pk_write_pubkey_check:"../framework/data_files/ec_bp512_pub.pem":TEST_PEM -Public key write check EC Brainpool 512 bits (DER) -depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_BP512R1 -pk_write_pubkey_check:"../framework/data_files/ec_bp512_pub.der":TEST_DER +# Public key write check EC Brainpool 512 bits (DER) +# depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_ECP_HAVE_BP512R1 +# pk_write_pubkey_check:"../framework/data_files/ec_bp512_pub.der":TEST_DER Public key write check EC X25519 depends_on:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_PEM_PARSE_C:MBEDTLS_PEM_WRITE_C:MBEDTLS_ECP_HAVE_CURVE25519 diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function index 735c12547c..491bc489aa 100644 --- a/tests/suites/test_suite_pkwrite.function +++ b/tests/suites/test_suite_pkwrite.function @@ -2,6 +2,7 @@ #include "pk_internal.h" #include "mbedtls/pem.h" #include "mbedtls/oid.h" +#include "mbedtls/base64.h" #include "psa/crypto_sizes.h" typedef enum { @@ -73,6 +74,7 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der) unsigned char *check_buf = NULL; unsigned char *start_buf; size_t buf_len, check_buf_len; + int expected_result; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t opaque_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; @@ -109,6 +111,17 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der) start_buf = buf; buf_len = check_buf_len; + if (is_der) { + expected_result = MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } else { + expected_result = MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL; + } + /* Intentionally pass a wrong size for the provided output buffer and check + * that the writing functions fails as expected. */ + for (size_t i = 1; i < buf_len; i++) { + TEST_EQUAL(pk_write_any_key(&key, &start_buf, &i, is_public_key, + is_der), expected_result); + } TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key, is_der), 0); @@ -127,6 +140,12 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der) TEST_EQUAL(mbedtls_pk_setup_opaque(&key, opaque_id), 0); start_buf = buf; buf_len = check_buf_len; + /* Intentionally pass a wrong size for the provided output buffer and check + * that the writing functions fails as expected. */ + for (size_t i = 1; i < buf_len; i++) { + TEST_EQUAL(pk_write_any_key(&key, &start_buf, &i, is_public_key, + is_der), expected_result); + } TEST_EQUAL(pk_write_any_key(&key, &start_buf, &buf_len, is_public_key, is_der), 0); diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index 670e06ba59..cc71a4eef9 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compile time library version -check_compiletime_version:"3.6.1" +check_compiletime_version:"3.6.2" Check runtime library version -check_runtime_version:"3.6.1" +check_runtime_version:"3.6.2" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0