mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-10 10:40:59 +03:00
Commit Graph

32172 Commits

Author SHA1 Message Date
bd6fb46ff6 Add a build with NV seed as the only entropy source
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-06 10:18:36 +02:00
582b6fbad3 We do support builds where NV seed is the only entropy source
We want to support builds where there are no platform entropy
sources (`MBEDTLS_NO_PLATFORM_ENTROPY` enabled), and no custom entropy
sources (`MBEDTLS_ENTROPY_HARDWARE_ALT` disabled), but
`mbedtls_entropy_init()` sets up a working entropy without needing to add
sources manually with `mbedtls_entropy_add_source()`
(`MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES` disabled) thanks to a nonvolatile seed
file injected outside the library's control (`MBEDTLS_ENTROPY_NV_SEED`
enabled).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-06 10:18:33 +02:00
84999d1a7b Fix mbedtls_base64_decode() accepting invalid inputs with 4n+1 digits
The last digit was ignored.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-05 16:15:41 +02:00
683a46e6c1 mbedtls_base64_decode: assert sloppy behavior with bad number of =
Add unit tests covering cases where the number of digits plus equal signs is
not a multiple of 4. These are invalid inputs, but they are currently
accepted as long as the number of equal signs is at most 2.

The tests assert the current behavior, not behavior that is desirable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-05 16:15:41 +02:00
715bbf3e0c mbedtls_base64_decode: test the reported output length
Reinforce the unit test for `mbedtls_base64_decode()` with valid inputs to
systematically call the function with a smaller output buffer and with an
empty output buffer. Assert the reported necessary output length in those
cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-05 16:15:41 +02:00
c7beb847c9 test_suite_lms: Added negative test for corrupted Merkle path
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-05 09:23:59 +01:00
b72573853a test_suite_lms: Added a test for importing invalid sized key
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-05 09:23:59 +01:00
f84bc3f592 Added changelog for check return of merkle leaf
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-05 09:23:59 +01:00
3444757ac4 Added changelog for lms enum casting
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-05 09:23:59 +01:00
3b392af70d Added changelog for lms overread
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-05 09:23:59 +01:00
41422e1fc0 Fix change log entry
Signed-off-by: Alvaro Segura <alvaro.segura@gmail.com>
2025-06-05 09:10:54 +02:00
673e1eb608 Fix build test programs in MSVC (due to a warning treated as error in winbase.h)
Signed-off-by: Alvaro Segura <alvaro.segura@gmail.com>
2025-06-05 09:09:14 +02:00
9b3051fb10 Built-in lms driver: always zeroize output-buffer in create_merkle_leaf_value
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-04 16:23:57 +01:00
ae449bfca5 Built-in lms driver: Check return values of Merkle node creation
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-04 15:54:49 +01:00
caaffc1e7e Built-in lms/lmots driver: Harden public key import against enum truncation
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-04 15:54:46 +01:00
548e2dbf65 Built-in lms driver: Added input guard
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-04 15:20:38 +01:00
3f82706cb7 Merge pull request #1349 from felixc-arm/pem-integer-underflow-3.6
[3.6] Fix Integer Underflow when Decoding PEM Keys
2025-06-04 14:36:35 +01:00
42323eacc9 Add changelog
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-06-04 10:06:26 +01:00
6165e71589 Add fix for PEM underflow
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-06-04 10:06:26 +01:00
9325883d9f Add test using underflow-causing PEM keyfile
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-06-04 10:06:17 +01:00
1592639c1f Merge pull request #10182 from gilles-peskine-arm/f_rng-documentation-3.6
3.6 only: document f_rng callbacks
2025-06-03 15:34:23 +00:00
0050f5f394 Update framework with additional operation initialization checks
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-03 12:39:32 +02:00
e51bde06da Fix possible UB in mbedtls_asn1_write_raw_buffer()
This is mostly unrelated to other commits in this PR, except for the
fact that one of the added X.509 tests revealed that with UBSan.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-06-03 11:23:19 +02:00
381900520f Fix psa_pake_operation_s member types
As the definition of psa_pake_operation_s has
been moved the "xyt_t" structure types can not
be used anymore (defined later).

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-06-03 10:09:00 +02:00
d3324fd095 Move PAKE size calculation macros, cipher suite and operation structs
In crypto_extra.h, move PAKE size calculation macros,
the definition of psa_pake_cipher_suite_s and
psa_pake_operation_s just after PAKE type and values
definitions.

This aligns with the order of crypto header inclusions
in crypto.h: crypto_types.h, then crypto_values.h,
then crypto_sizes.h, and then crypto_struct.h.

Take care of keeping them outside of the pake Doxygen
group as they used to be.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-06-03 10:06:22 +02:00
23a0d48d1c Merge pull request #10196 from ronald-cron-arm/move-crypto-struct-inclusion
[Backport 3.6] Move the inclusion of crypto_sizes.h and crypto_struct.h in crypto.h
2025-05-28 15:51:09 +00:00
d9c141749b Merge pull request #1345 from davidhorstmann-arm/pkcs7-side-channel-missing-credit-3.6
Add credit to the reporters of the PKCS7 issue
2025-05-28 11:49:35 +02:00
4960825a94 Add change log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-05-28 10:05:32 +02:00
3ea3635d2f Move the inclusion of crypto_sizes.h and crypto_struct.h in crypto.h
That way when API are declared, the types they use are defined.

This should resolve the issues related to psa_xyz_init functions
returning a structure described in #7087.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-05-28 10:02:12 +02:00
04fe95d95b Add ChangeLog entry
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-26 12:38:52 +02:00
12df5f3a16 Improve unit tests for mbedtls_asn1_store_named_data
Every time we check found->val.p we should also check found->val.len.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-26 10:55:59 +02:00
2df7ab7c0c Fix bug in mbedtls_asn1_store_named_data()
When passed a zero-length val, the function was freeing the buffer as
the documentation suggests:

 * \param val_len   The minimum length of the data buffer needed.
 *                  If this is 0, do not allocate a buffer for the associated
 *                  data.
 *                  If the OID was already present, enlarge, shrink or free
 *                  the existing buffer to fit \p val_len.

However it kept the previous length, leaving the val structure in the
corresponding item in the output list in an inconsistent state:

    p == NULL but len != 0

As a result, functions that would try using this item in the list
(including the same function!) afterwards would trip and dereference the
NULL pointer.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-26 10:42:14 +02:00
13f86e689e Add tests for bug in mbedtls_x509_string_to_names()
The commented out tests cause crashes (in different ways) until the bug
is fixed; the first two tests are passing already and are here mostly to
provide a reference point.

The bug report was using programs/x509/cert_write, but string_to_names()
is what it was really targeting, which is better for automated tests.
The strings used are a minor adaptation of those from the report.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-22 13:18:49 +02:00
077f8e6353 Restore standard initializers in _init tests
Partially undo "Use short initializers for multipart operation structures",
only in test functions that specifically aim to test initializers. In these
functions, do try with the short initializers, but alongside the standard
ones.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-22 10:26:06 +02:00
93dd99571b Use short initializers for multipart operation structures
When initializing a multipart or interruptible operation structure, use an
auxiliary function that doesn't initialize union members to all-bits-zero.
Context: on most compilers, initializing a union to `{0}` initializes it to
all bits zero; but on some compilers, the trailing part of members other
than the first is left uninitialized. This way, we can run the tests on any
platform and validate that the code would work correctly on platforms where
union initialization is short.

This commit makes a systematic replacement in `test_suite_psa_crypto.function`
and `test_suite_psa_crypto_driver_wrappers.function`, which gives good
enough coverage.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-22 10:26:06 +02:00
1e9267c993 Merge pull request #1340 from mpg/fix-string-to-names-uaf-3.6
[3.6] Fix string to names memory management
2025-05-21 14:48:43 +02:00
8ac3eb9833 Avoid a useless copy in cert_{req,write}
I'm just trying to have a shorter name to avoid repeating a long
expression. This is a job for a pointer, not copying a struct.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-21 11:17:39 +02:00
1173786544 Merge pull request #10185 from rojer/tls_consts_3.6
Mark TLS 1.2 algo suite definitions const
2025-05-20 06:55:12 +00:00
fb5e2e5e46 Mark ssl_tls12_preset_suiteb_sig_algs const
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-05-19 20:48:13 +01:00
e3aaf82a77 Mark ssl_tls12_preset_default_sig_algs const
To place in flash and save RAM on targets where this applies.

Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-05-19 20:48:08 +01:00
dad206d25c Merge pull request #10168 from gilles-peskine-arm/union-initialization-gcc15-basic-fix-3.6
Backport 3.6: Fix insufficient union initialization in contexts
2025-05-19 10:31:47 +00:00
8429619a92 Fix type in ChangeLog
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-19 12:29:11 +02:00
8a6fc08607 Add comment on apparent type mismatch
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-19 12:28:42 +02:00
35f2220e37 Remove redundant free loop
This version is incomplete. I failed to notice it when adding a more
complete version, making the existing one redundant.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-19 12:21:32 +02:00
addf8fc03e Fix ECDSA documentation: blinding is no longer optional
Since Mbed TLS 3.0, blinding is no longer optional in ECDSA.
`mbedtls_ecdsa_write_signature()` and
`mbedtls_ecdsa_write_signature_restartable()` error out if
`f_rng == NULL`. We forgot to update the function documentation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-16 15:00:09 +02:00
c0b357d8b4 ECDSA is a special flower
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-16 14:59:42 +02:00
ed10e2ab87 Note functions that store the RNG callback in a context
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-16 14:24:50 +02:00
060c70e3ab Reference mbedtls_f_rng_t in public documentation
In public functions that take `f_rng, p_rng` callbacks, link to the
documentation of the callback which is attached to the type name
`mbedtls_f_rng_t`.

Resolves #5868.

```
grep -l -w 'f_rng)' include | xargs perl -i -pe 's/\Qint (*f_rng)(void *, unsigned char *, size_t)\E/mbedtls_f_rng_t *f_rng/g'
```
and include `platform_util.h` where needed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-16 14:19:38 +02:00
1337d540ad Name and document the type of random generator callbacks
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-16 14:12:15 +02:00
ddbf8d030a Add credit to the reporters of the PKCS7 issue
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-05-14 15:45:00 +01:00