mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-27 06:35:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #986 from Mbed-TLS/merge-back-3.3.0-3

Browse Source 
Merge back 3.3.0 3
This commit is contained in:
Dave Rodgman 2022-12-14 19:18:05 +00:00 committed by GitHub
commit 01f6e61781
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
56 changed files with 348 additions and 303 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
BRANCHES.md
View File

@ -101,6 +101,6 @@ The following branches are currently maintained:
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0>.
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2>.
Users are urged to always use the latest version of a maintained branch.

2
CMakeLists.txt
View File

@ -350,7 +350,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
write_basic_package_version_file(
"cmake/MbedTLSConfigVersion.cmake"
COMPATIBILITY SameMajorVersion
VERSION 3.2.1)
VERSION 3.3.0)
install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"

206
ChangeLog
View File

@ -1,5 +1,209 @@
Mbed TLS ChangeLog (Sorted per branch, date)
= Mbed TLS 3.3.0 branch released 2022-12-14
Default behavior changes
* Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
of the IETF draft, and was marked experimental and disabled by default.
It is now no longer experimental, and implements the final version from
RFC 9146, which is not interoperable with the draft-05 version.
If you need to communicate with peers that use earlier versions of
Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
to 1, but then you won't be able to communicate with peers that use the
standard (non-draft) version.
If you need to interoperate with both classes of peers with the
same build of Mbed TLS, please let us know about your situation on the
mailing list or GitHub.
Requirement changes
* When building with PSA drivers using generate_driver_wrappers.py, or
when building the library from the development branch rather than
from a release, the Python module jsonschema is now necessary, in
addition to jinja2. The official list of required Python modules is
maintained in scripts/basic.requirements.txt and may change again
in the future.
New deprecations
* Deprecate mbedtls_asn1_free_named_data().
Use mbedtls_asn1_free_named_data_list()
or mbedtls_asn1_free_named_data_list_shallow().
Features
* Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
* make: enable building unversioned shared library, with e.g.:
"SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib"
resulting in library names like "libmbedtls.so" rather than
"libmbedcrypto.so.11".
* Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
are supported in this implementation.
* Some modules can now use PSA drivers for hashes, including with no
built-in implementation present, but only in some configurations.
- RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
- PEM parsing of encrypted files now uses MD-5 from PSA when (and only
when) MBEDTLS_MD5_C is disabled.
See the documentation of the corresponding macros in mbedtls_config.h for
details.
Note that some modules are not able to use hashes from PSA yet, including
the entropy module. As a consequence, for now the only way to build with
all hashes only provided by drivers (no built-in hash) is to use
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
* When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
properly negotiate/accept hashes based on their availability in PSA.
As a consequence, they now work in configurations where the built-in
implementations of (some) hashes are excluded and those hashes are only
provided by PSA drivers. (See previous entry for limitation on RSA-PSS
though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
* Add support for opaque keys as the private keys associated to certificates
for authentication in TLS 1.3.
* Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
Signature verification is production-ready, but generation is for testing
purposes only. This currently only supports one parameter set
(LMS_SHA256_M32_H10), meaning that each private key can be used to sign
1024 messages. As such, it is not intended for use in TLS, but instead
for verification of assets transmitted over an insecure channel,
particularly firmware images.
* Add the LM-OTS post-quantum-safe one-time signature scheme, which is
required for LMS. This can be used independently, but each key can only
be used to sign one message so is impractical for most circumstances.
* Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
The pre-shared keys can be provisioned externally or via the ticket
mechanism (session resumption).
The ticket mechanism is supported when the configuration option
MBEDTLS_SSL_SESSION_TICKETS is enabled.
New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
control the support for the three possible TLS 1.3 key exchange modes.
* cert_write: support for setting extended key usage attributes. A
corresponding new public API call has been added in the library,
mbedtls_x509write_crt_set_ext_key_usage().
* cert_write: support for writing certificate files in either PEM
or DER format.
* The PSA driver wrapper generator generate_driver_wrappers.py now
supports a subset of the driver description language, including
the following entry points: import_key, export_key, export_public_key,
get_builtin_key, copy_key.
* The new functions mbedtls_asn1_free_named_data_list() and
mbedtls_asn1_free_named_data_list_shallow() simplify the management
of memory in named data lists in X.509 structures.
* The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
Additional PSA key slots will be allocated in the process of such key
exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
MBEDTLS_USE_PSA_CRYPTO.
* Add support for DTLS Connection ID as defined by RFC 9146, controlled by
MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
mbedtls_ssl_set_cid().
* Add a driver dispatch layer for raw key agreement, enabling alternative
implementations of raw key agreement through the key_agreement driver
entry point. This entry point is specified in the proposed PSA driver
interface, but had not yet been implemented.
* Add an ad-hoc key derivation function handling EC J-PAKE to PMS
calculation that can be used to derive the session secret in TLS 1.2,
as described in draft-cragie-tls-ecjpake-01. This can be achieved by
using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.
Security
* Fix potential heap buffer overread and overwrite in DTLS if
MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
* An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) could recover an RSA private key after observing the victim
performing a single private-key operation if the window size used for the
exponentiation was 3 or smaller. Found and reported by Zili KOU,
Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
and Test in Europe 2023.
Bugfix
* Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
* Fix an issue with in-tree CMake builds in releases with GEN_FILES
turned off: if a shipped file was missing from the working directory,
it could be turned into a symbolic link to itself.
* Fix a long-standing build failure when building x86 PIC code with old
gcc (4.x). The code will be slower, but will compile. We do however
recommend upgrading to a more recent compiler instead. Fixes #1910.
* Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
Contributed by Kazuyuki Kimura to fix #2020.
* Use double quotes to include private header file psa_crypto_cipher.h.
Fixes 'file not found with <angled> include' error
when building with Xcode.
* Fix handling of broken symlinks when loading certificates using
mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
broken link is encountered, skip the broken link and continue parsing
other certificate files. Contributed by Eduardo Silva in #2602.
* Fix an interoperability failure between an Mbed TLS client with both
TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
advertised support for PSS in both TLS 1.2 and 1.3, but only
actually supported PSS in TLS 1.3.
* Fix a compilation error when using CMake with an IAR toolchain.
Fixes #5964.
* Fix a build error due to a missing prototype warning when
MBEDTLS_DEPRECATED_REMOVED is enabled.
* Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
uninitialized context.
* Fix a build issue on Windows using CMake where the source and build
directories could not be on different drives. Fixes #5751.
* Fix bugs and missing dependencies when building and testing
configurations with only one encryption type enabled in TLS 1.2.
* Provide the missing definition of mbedtls_setbuf() in some configurations
with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
* Fix compilation errors when trying to build with
PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
* Fix memory leak in ssl_parse_certificate_request() caused by
mbedtls_x509_get_name() not freeing allocated objects in case of error.
Change mbedtls_x509_get_name() to clean up allocated objects on error.
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
MBEDTLS_PK_PARSE_C. Fixes #6409.
* Fix ECDSA verification, where it was not always validating the
public key. This bug meant that it was possible to verify a
signature with an invalid public key, in some cases. Reported by
Guido Vranken using Cryptofuzz in #4420.
* Fix a possible null pointer dereference if a memory allocation fails
in TLS PRF code. Reported by Michael Madsen in #6516.
* Fix TLS 1.3 session resumption. Fixes #6488.
* Add a configuration check to exclude optional client authentication
in TLS 1.3 (where it is forbidden).
* Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
bytes when parsing certificates containing a binary RFC 4108
HardwareModuleName as a Subject Alternative Name extension. Hardware
serial numbers are now rendered in hex format. Fixes #6262.
* Fix bug in error reporting in dh_genprime.c where upon failure,
the error code returned by mbedtls_mpi_write_file() is overwritten
and therefore not printed.
* In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
with A > 0 created an unintended representation of the value 0 which was
not processed correctly by some bignum operations. Fix this. This had no
consequence on cryptography code, but might affect applications that call
bignum directly and use negative numbers.
* Fix a bug whereby the list of signature algorithms sent as part of
the TLS 1.2 server certificate request would get corrupted, meaning the
first algorithm would not get sent and an entry consisting of two random
bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian.
* Fix undefined behavior (typically harmless in practice) of
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
when both operands are 0 and the left operand is represented with 0 limbs.
* Fix undefined behavior (typically harmless in practice) when some bignum
functions receive the most negative value of mbedtls_mpi_sint. Credit
to OSS-Fuzz. Fixes #6597.
* Fix undefined behavior (typically harmless in practice) in PSA ECB
encryption and decryption.
* Move some SSL-specific code out of libmbedcrypto where it had been placed
accidentally.
* Fix a build error when compiling the bignum module for some Arm platforms.
Fixes #6089, #6124, #6217.
Changes
* Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.
* Calling AEAD tag-specific functions for non-AEAD algorithms (which
should not be done - they are documented for use only by AES-GCM and
ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
instead of success (0).
= Mbed TLS 3.2.1 branch released 2022-07-12
Bugfix
@ -249,7 +453,7 @@ Bugfix
make to break on a clean checkout. Fixes #5340.
* Work around an MSVC ARM64 compiler bug causing incorrect behaviour
in mbedtls_mpi_exp_mod(). Reported by Tautvydas Žilys in #5467.
* Removed the prompt to exit from all windows build programs that was causing
* Removed the prompt to exit from all windows build programs, which was causing
issues in CI/CD environments.
Changes

11
ChangeLog.d/LMS.txt
View File

@ -1,11 +0,0 @@
Features
* Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
Signature verification is production-ready, but generation is for testing
purposes only. This currently only supports one parameter set
(LMS_SHA256_M32_H10), meaning that each private key can be used to sign
1024 messages. As such, it is not intended for use in TLS, but instead
for verification of assets transmitted over an insecure channel,
particularly firmware images.
* Add the LM-OTS post-quantum-safe one-time signature scheme, which is
required for LMS. This can be used independently, but each key can only
be used to sign one message so is impractical for most circumstances.

8
ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt
View File

@ -1,8 +0,0 @@
Features
* Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
Bugfix
* Fix an interoperability failure between an Mbed TLS client with both
TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
advertised support for PSS in both TLS 1.2 and 1.3, but only
actually supported PSS in TLS 1.3.

4
ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix a long-standing build failure when building x86 PIC code with old
gcc (4.x). The code will be slower, but will compile. We do however
recommend upgrading to a more recent compiler instead. Fixes #1910.

6
ChangeLog.d/cert_write-set-extended-key-usages.txt
View File

@ -1,6 +0,0 @@
Features
* cert_write: support for setting extended key usage attributes. A
corresponding new public API call has been added in the library,
mbedtls_x509write_crt_set_ext_key_usage().
* cert_write: support for writing certificate files in either PEM
or DER format.

19
ChangeLog.d/driver-only-hashes.txt
View File

@ -1,19 +0,0 @@
Features
* Some modules can now use PSA drivers for hashes, including with no
built-in implementation present, but only in some configurations.
- RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
- PEM parsing of encrypted files now uses MD-5 from PSA when (and only
when) MBEDTLS_MD5_C is disabled.
See the documentation of the corresponding macros in mbedtls_config.h for
details.
Note that some modules are not able to use hashes from PSA yet, including
the entropy module. As a consequence, for now the only way to build with
all hashes only provided by drivers (no built-in hash) is to use
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
* When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
properly negotiate/accept hashes based on their availability in PSA.
As a consequence, they now work in configurations where the built-in
implementations of (some) hashes are excluded and those hashes are only
provided by PSA drivers. (See previous entry for limitation on RSA-PSS
though: that module only use hashes from PSA when MBEDTLS_MD_C is off).

17
ChangeLog.d/dtls-connection-id.txt
View File

@ -1,17 +0,0 @@
Features
* Add support for DTLS Connection ID as defined by RFC 9146, controlled by
MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
mbedtls_ssl_set_cid().
Default behavior changes
* Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
of the IETF draft, and was marked experimental and disabled by default.
It is now no longer experimental, and implements the final version from
RFC 9146, which is not interoperable with the draft-05 version.
If you need to communicate with peers that use earlier versions of
Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
to 1, but then you won't be able to communicate with peers that use the
standard (non-draft) version.
If you need to interoperate with both classes of peers with the
same build of Mbed TLS, please let us know about your situation on the
mailing list or GitHub.

5
ChangeLog.d/ecdsa-verify-fixes.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix ECDSA verification, where it was not always validating the
public key. This bug meant that it was possible to verify a
signature with an invalid public key, in some cases. Reported by
Guido Vranken using Cryptofuzz in #4420.

5
ChangeLog.d/ecjpake-in-tls.txt
View File

@ -1,5 +0,0 @@
Features
* The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
Additional PSA key slots will be allocated in the process of such key
exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
MBEDTLS_USE_PSA_CRYPTO.

5
ChangeLog.d/ecjpake_to_pms.txt
View File

@ -1,5 +0,0 @@
API changes
* Add an ad-hoc key derivation function handling ECJPAKE to PMS
calculation that can be used to derive the session secret in TLS 1.2,
as described in draft-cragie-tls-ecjpake-01. This can be achieved by
using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.

2
ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt
View File

@ -1,2 +0,0 @@
Changes
* Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.

2
ChangeLog.d/fix-aes-shallow-copying.txt
View File

@ -1,2 +0,0 @@
Bugfix
* Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.

4
ChangeLog.d/fix-ctr-drbg-may-free-invalid-aes-context.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
uninitialized context.

5
ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
View File

@ -1,5 +0,0 @@
Changes
* Calling AEAD tag-specific functions for non-AEAD algorithms (which
should not be done - they are documented for use only by AES-GCM and
ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
instead of success (0).

5
ChangeLog.d/fix-tls12server-sent-sigalgs.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix a bug whereby the list of signature algorithms sent as part of
the TLS 1.2 server certificate request would get corrupted, meaning the
first algorithm would not get sent and an entry consisting of two random
bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian.

3
ChangeLog.d/fix_aead_psa_driver_build.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix compilation errors when trying to build with
PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).

3
ChangeLog.d/fix_arm_compile_erorr.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a build error when compiling the bignum module for some Arm platforms.
Fixes #6089, #6124, #6217.

3
ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a build error due to a missing prototype warning when
MBEDTLS_DEPRECATED_REMOVED is enabled.

3
ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix bugs and missing dependencies when building and testing
configurations with only one encryption type enabled in TLS 1.2.

4
ChangeLog.d/fix_cmake_gen_files.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix an issue with in-tree CMake builds in releases with GEN_FILES
turned off: if a shipped file was missing from the working directory,
it could be turned into a symbolic link to itself.

3
ChangeLog.d/fix_cmake_using_iar_toolchain.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a compilation error when using CMake with an IAR toolchain.
Fixes #5964.

4
ChangeLog.d/fix_dh_genprime_error_reporting.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix bug in error reporting in dh_genprime.c where upon failure,
the error code returned by mbedtls_mpi_write_file() is overwritten
and therefore not printed.

3
ChangeLog.d/fix_hard_link_across_drives.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a build issue on Windows using CMake where the source and build
directories could not be on different drives. Fixes #5751.

4
ChangeLog.d/fix_psa_crypto_cipher_h_include.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Use double quotes to include private header file psa_crypto_cipher.h.
Fixes 'file not found with <angled> include' error
when building with Xcode.

4
ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix TLS 1.3 session resumption. Fixes #6488.
* Add a configuration check to exclude optional client authentication
in TLS 1.3 (where it is forbidden).

4
ChangeLog.d/fix_x509_get_name_mem_leak.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix memory leak in ssl_parse_certificate_request() caused by
mbedtls_x509_get_name() not freeing allocated objects in case of error.
Change mbedtls_x509_get_name() to clean up allocated objects on error.

5
ChangeLog.d/fix_x509_info_hwmodulename.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
bytes when parsing certificates containing a binary RFC 4108
HardwareModuleName as a Subject Alternative Name extension. Hardware
serial numbers are now rendered in hex format. Fixes #6262.

3
ChangeLog.d/fix_zeroization.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a possible null pointer dereference if a memory allocation fails
in TLS PRF code. Reported by Michael Madsen in #6516.

8
ChangeLog.d/mbedtls_asn1_type_free.txt
View File

@ -1,8 +0,0 @@
Features
* The new functions mbedtls_asn1_free_named_data_list() and
mbedtls_asn1_free_named_data_list_shallow() simplify the management
of memory in named data lists in X.509 structures.
New deprecations
* Deprecate mbedtls_asn1_free_named_data().
Use mbedtls_asn1_free_named_data_list()
or mbedtls_asn1_free_named_data_list_shallow().

3
ChangeLog.d/move-ssl-modules.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Move some SSL-specific code out of libmbedcrypto where it had been placed
accidentally.

4
ChangeLog.d/mpi-add-0-ub.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix undefined behavior (typically harmless in practice) of
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
when both operands are 0 and the left operand is represented with 0 limbs.

4
ChangeLog.d/mpi-most-negative-sint.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix undefined behavior (typically harmless in practice) when some bignum
functions receive the most negative value of mbedtls_mpi_sint. Credit
to OSS-Fuzz. Fixes #6597.

3
ChangeLog.d/muladdc_microblaze.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
Contributed by Kazuyuki Kimura to fix #2020.

6
ChangeLog.d/negative-zero-from-add.txt
View File

@ -1,6 +0,0 @@
Bugfix
* In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
with A > 0 created an unintended representation of the value 0 which was
not processed correctly by some bignum operations. Fix this. This had no
consequence on cryptography code, but might affect applications that call
bignum directly and use negative numbers.

5
ChangeLog.d/nonversioned-library-soname.txt
View File

@ -1,5 +0,0 @@
Features
* make: enable building unversioned shared library, with e.g.:
"SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib"
resulting in library names like "libmbedtls.so" rather than
"libmbedcrypto.so.11".

3
ChangeLog.d/platform-setbuf.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Provide the missing definition of mbedtls_setbuf() in some configurations
with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.

3
ChangeLog.d/psa-ecb-ub.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix undefined behavior (typically harmless in practice) in PSA ECB
encryption and decryption.

13
ChangeLog.d/psa_crypto_code_gen_1_1.txt
View File

@ -1,13 +0,0 @@
Features
* The PSA driver wrapper generator generate_driver_wrappers.py now
supports a subset of the driver description language, including
the following entry points: import_key, export_key, export_public_key,
get_builtin_key, copy_key.
Requirement changes
* When building with PSA drivers using generate_driver_wrappers.py, or
when building the library from the development branch rather than
from a release, the Python module jsonschema is now necessary, in
addition to jinja2. The official list of required Python modules is
maintained in scripts/basic.requirements.txt and may change again
in the future.

4
ChangeLog.d/psa_crypto_pake.txt
View File

@ -1,4 +0,0 @@
Features
* Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
are supported in this implementation.

5
ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt
View File

@ -1,5 +0,0 @@
Features
* Add a driver dispatch layer for raw key agreement, enabling alternative
implementations of raw key agreement through the key_agreement driver
entry point. This entry point is specified in the proposed PSA driver
interface, but had not yet been implemented.

5
ChangeLog.d/psa_rsa_needs_pk.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
MBEDTLS_PK_PARSE_C. Fixes #6409.

8
ChangeLog.d/tls13-misc.txt
View File

@ -1,8 +0,0 @@
Features
* Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
The pre-shared keys can be provisioned externally or via the ticket
mechanism (session resumption).
The ticket mechanism is supported when the configuration option
MBEDTLS_SSL_SESSION_TICKETS is enabled.
New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
control the support for the three possible TLS 1.3 key exchange modes.

3
ChangeLog.d/tls13_sig_alg_selection.txt
View File

@ -1,3 +0,0 @@
Features
* Add support for opaque keys as the private keys associated to certificates
for authentication in TLS 1.3.

5
ChangeLog.d/x509-broken-symlink-handling.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix handling of broken symlinks when loading certificates using
mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
broken link is encountered, skip the broken link and continue parsing
other certificate files. Contributed by Eduardo Silva in #2602.

2
doxygen/input/doc_mainpage.h
View File

@ -22,7 +22,7 @@
*/
/**
* @mainpage mbed TLS v3.2.1 source code documentation
* @mainpage mbed TLS v3.3.0 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in

2
doxygen/mbedtls.doxyfile
View File

@ -1,4 +1,4 @@
PROJECT_NAME = "mbed TLS v3.2.1"
PROJECT_NAME = "mbed TLS v3.3.0"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES

10
include/mbedtls/build_info.h
View File

@ -37,17 +37,17 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 3
#define MBEDTLS_VERSION_MINOR 2
#define MBEDTLS_VERSION_PATCH 1
#define MBEDTLS_VERSION_MINOR 3
#define MBEDTLS_VERSION_PATCH 0
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
#define MBEDTLS_VERSION_NUMBER 0x03020100
#define MBEDTLS_VERSION_STRING "3.2.1"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.2.1"
#define MBEDTLS_VERSION_NUMBER 0x03030000
#define MBEDTLS_VERSION_STRING "3.3.0"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.3.0"
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
#define _CRT_SECURE_NO_DEPRECATE 1

6
library/CMakeLists.txt
View File

@ -282,7 +282,7 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.2.1 SOVERSION 12)
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.3.0 SOVERSION 13)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
if(TARGET everest)
@ -290,11 +290,11 @@ if(USE_SHARED_MBEDTLS_LIBRARY)
endif()
add_library(${mbedx509_target} SHARED ${src_x509})
set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.2.1 SOVERSION 4)
set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.3.0 SOVERSION 4)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.2.1 SOVERSION 18)
set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.3.0 SOVERSION 19)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)

4
library/Makefile
View File

@ -47,9 +47,9 @@ LOCAL_CFLAGS += -fPIC -fpic
endif
endif
SOEXT_TLS?=so.18
SOEXT_TLS?=so.19
SOEXT_X509?=so.4
SOEXT_CRYPTO?=so.12
SOEXT_CRYPTO?=so.13
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
# the - prefix for command line options (e.g. llvm-ar)

138
library/bignum.c
View File

@ -1590,11 +1590,11 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
mbedtls_mpi *prec_RR )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t wbits, wsize, one = 1;
size_t window_bitsize;
size_t i, j, nblimbs;
size_t bufsize, nbits;
mbedtls_mpi_uint ei, mm, state;
mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos;
mbedtls_mpi RR, T, W[ (size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos;
int neg;
MPI_VALIDATE_RET( X != NULL );
@ -1623,21 +1623,59 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
i = mbedtls_mpi_bitlen( E );
wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
window_bitsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
wsize = MBEDTLS_MPI_WINDOW_SIZE;
if( window_bitsize > MBEDTLS_MPI_WINDOW_SIZE )
window_bitsize = MBEDTLS_MPI_WINDOW_SIZE;
#endif
const size_t w_table_used_size = (size_t) 1 << window_bitsize;
/*
* This function is not constant-trace: its memory accesses depend on the
* exponent value. To defend against timing attacks, callers (such as RSA
* and DHM) should use exponent blinding. However this is not enough if the
* adversary can find the exponent in a single trace, so this function
* takes extra precautions against adversaries who can observe memory
* access patterns.
*
* This function performs a series of multiplications by table elements and
* squarings, and we want the prevent the adversary from finding out which
* table element was used, and from distinguishing between multiplications
* and squarings. Firstly, when multiplying by an element of the window
* W[i], we do a constant-trace table lookup to obfuscate i. This leaves
* squarings as having a different memory access patterns from other
* multiplications. So secondly, we put the accumulator X in the table as
* well, and also do a constant-trace table lookup to multiply by X.
*
* This way, all multiplications take the form of a lookup-and-multiply.
* The number of lookup-and-multiply operations inside each iteration of
* the main loop still depends on the bits of the exponent, but since the
* other operations in the loop don't have an easily recognizable memory
* trace, an adversary is unlikely to be able to observe the exact
* patterns.
*
* An adversary may still be able to recover the exponent if they can
* observe both memory accesses and branches. However, branch prediction
* exploitation typically requires many traces of execution over the same
* data, which is defeated by randomized blinding.
*
* To achieve this, we make a copy of X and we use the table entry in each
* calculation from this point on.
*/
const size_t x_index = 0;
mbedtls_mpi_init( &W[x_index] );
mbedtls_mpi_copy( &W[x_index], X );
j = N->n + 1;
/* All W[i] and X must have at least N->n limbs for the mpi_montmul()
* and mpi_montred() calls later. Here we ensure that W[1] and X are
* large enough, and later we'll grow other W[i] to the same length.
* They must not be shrunk midway through this function!
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[x_index], j ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
@ -1686,28 +1724,36 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
mpi_montmul( &W[1], &RR, N, mm, &T );
/*
* X = R^2 * R^-1 mod N = R mod N
* W[x_index] = R^2 * R^-1 mod N = R mod N
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
mpi_montred( X, N, mm, &T );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[x_index], &RR ) );
mpi_montred( &W[x_index], N, mm, &T );
if( wsize > 1 )
if( window_bitsize > 1 )
{
/*
* W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
* W[i] = W[1] ^ i
*
* The first bit of the sliding window is always 1 and therefore we
* only need to store the second half of the table.
*
* (There are two special elements in the table: W[0] for the
* accumulator/result and W[1] for A in Montgomery form. Both of these
* are already set at this point.)
*/
j = one << ( wsize - 1 );
j = w_table_used_size / 2;
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) );
for( i = 0; i < wsize - 1; i++ )
for( i = 0; i < window_bitsize - 1; i++ )
mpi_montmul( &W[j], &W[j], N, mm, &T );
/*
* W[i] = W[i - 1] * W[1]
*/
for( i = j + 1; i < ( one << wsize ); i++ )
for( i = j + 1; i < w_table_used_size; i++ )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
@ -1719,7 +1765,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
nblimbs = E->n;
bufsize = 0;
nbits = 0;
wbits = 0;
size_t exponent_bits_in_window = 0;
state = 0;
while( 1 )
@ -1747,9 +1793,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
if( ei == 0 && state == 1 )
{
/*
* out of window, square X
* out of window, square W[x_index]
*/
mpi_montmul( X, X, N, mm, &T );
MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
continue;
}
@ -1759,25 +1806,30 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
state = 2;
nbits++;
wbits |= ( ei << ( wsize - nbits ) );
exponent_bits_in_window |= ( ei << ( window_bitsize - nbits ) );
if( nbits == wsize )
if( nbits == window_bitsize )
{
/*
* X = X^wsize R^-1 mod N
* W[x_index] = W[x_index]^window_bitsize R^-1 mod N
*/
for( i = 0; i < wsize; i++ )
mpi_montmul( X, X, N, mm, &T );
for( i = 0; i < window_bitsize; i++ )
{
MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size,
x_index ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
}
/*
* X = X * W[wbits] R^-1 mod N
* W[x_index] = W[x_index] * W[exponent_bits_in_window] R^-1 mod N
*/
MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) );
mpi_montmul( X, &WW, N, mm, &T );
MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size,
exponent_bits_in_window ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
state--;
nbits = 0;
wbits = 0;
exponent_bits_in_window = 0;
}
}
@ -1786,31 +1838,45 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
*/
for( i = 0; i < nbits; i++ )
{
mpi_montmul( X, X, N, mm, &T );
MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
wbits <<= 1;
exponent_bits_in_window <<= 1;
if( ( wbits & ( one << wsize ) ) != 0 )
mpi_montmul( X, &W[1], N, mm, &T );
if( ( exponent_bits_in_window & ( (size_t) 1 << window_bitsize ) ) != 0 )
{
MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, 1 ) );
mpi_montmul( &W[x_index], &WW, N, mm, &T );
}
}
/*
* X = A^E * R * R^-1 mod N = A^E mod N
* W[x_index] = A^E * R * R^-1 mod N = A^E mod N
*/
mpi_montred( X, N, mm, &T );
mpi_montred( &W[x_index], N, mm, &T );
if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
{
X->s = -1;
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) );
W[x_index].s = -1;
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &W[x_index], N, &W[x_index] ) );
}
/*
* Load the result in the output variable.
*/
mbedtls_mpi_copy( X, &W[x_index] );
cleanup:
for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ )
/* The first bit of the sliding window is always 1 and therefore the first
* half of the table was unused. */
for( i = w_table_used_size/2; i < w_table_used_size; i++ )
mbedtls_mpi_free( &W[i] );
mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos );
mbedtls_mpi_free( &W[x_index] );
mbedtls_mpi_free( &W[1] );
mbedtls_mpi_free( &T );
mbedtls_mpi_free( &Apos );
mbedtls_mpi_free( &WW );
if( prec_RR == NULL || prec_RR->p == NULL )

45
library/pkcs7.c
View File

@ -253,6 +253,24 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end,
return( 0 );
}
static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer )
{
mbedtls_x509_name *name_cur;
mbedtls_x509_name *name_prv;
if( signer == NULL )
return;
name_cur = signer->issuer.next;
while( name_cur != NULL )
{
name_prv = name_cur;
name_cur = name_cur->next;
mbedtls_free( name_prv );
}
signer->issuer.next = NULL;
}
/**
* SignerInfo ::= SEQUENCE {
* version Version;
@ -329,33 +347,16 @@ static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end,
ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
out:
if( asn1_ret != 0 )
if( asn1_ret != 0 || ret != 0 )
{
pkcs7_free_signer_info( signer );
ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,
asn1_ret );
else if( ret != 0 )
ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
}
return( ret );
}
static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer )
{
mbedtls_x509_name *name_cur;
mbedtls_x509_name *name_prv;
if( signer == NULL )
return;
name_cur = signer->issuer.next;
while( name_cur != NULL )
{
name_prv = name_cur;
name_cur = name_cur->next;
mbedtls_free( name_prv );
}
signer->issuer.next = NULL;
}
/**
* SignerInfos ::= SET of SignerInfo
* Return number of signers added to the signed data,
@ -387,7 +388,7 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end,
ret = pkcs7_get_signer_info( p, end_set, signers_set );
if( ret != 0 )
goto cleanup;
return( ret );
count++;
mbedtls_pkcs7_signer_info *prev = signers_set;

2
library/ssl_misc.h
View File

@ -1149,7 +1149,7 @@ struct mbedtls_ssl_transform
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
uint8_t in_cid_len;
uint8_t out_cid_len;
unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
unsigned char in_cid [ MBEDTLS_SSL_CID_IN_LEN_MAX ];
unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */

2
tests/suites/test_suite_pkcs7.data
View File

@ -68,7 +68,7 @@ pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-62139
pkcs7_get_signers_info_set error handling (4541044530479104)
depends_on:MBEDTLS_RIPEMD160_C
pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
pkcs7_parse:"data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO
PKCS7 Only Signed Data Parse Pass #15
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C

4
tests/suites/test_suite_version.data
View File

@ -1,8 +1,8 @@
Check compile time library version
check_compiletime_version:"3.2.1"
check_compiletime_version:"3.3.0"
Check runtime library version
check_runtime_version:"3.2.1"
check_runtime_version:"3.3.0"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0