mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-12 12:40:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1103 from Mbed-TLS/mbedtls-3.5.0_mergeback

Browse Source 
Mbedtls 3.5.0 mergeback
This commit is contained in:
minosgalanakis 2023-10-05 17:33:21 +01:00 committed by GitHub
commit 8d487ad730
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
126 changed files with 2971 additions and 1447 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
3rdparty/everest/CMakeLists.txt vendored
View File

@ -1,9 +1,11 @@
add_library(everest set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
add_library(${everest_target}
library/everest.c library/everest.c
library/x25519.c library/x25519.c
library/Hacl_Curve25519_joined.c) library/Hacl_Curve25519_joined.c)
target_include_directories(everest target_include_directories(${everest_target}
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include> PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include> $<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
$<INSTALL_INTERFACE:include> $<INSTALL_INTERFACE:include>
@ -34,7 +36,7 @@ if(INSTALL_MBEDTLS_HEADERS)
endif(INSTALL_MBEDTLS_HEADERS) endif(INSTALL_MBEDTLS_HEADERS)
install(TARGETS everest install(TARGETS ${everest_target}
EXPORT MbedTLSTargets EXPORT MbedTLSTargets
DESTINATION ${CMAKE_INSTALL_LIBDIR} DESTINATION ${CMAKE_INSTALL_LIBDIR}
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ) PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)

8
3rdparty/p256-m/CMakeLists.txt vendored
View File

@ -1,8 +1,10 @@
add_library(p256m set(p256m_target ${MBEDTLS_TARGET_PREFIX}p256m)
add_library(${p256m_target}
p256-m_driver_entrypoints.c p256-m_driver_entrypoints.c
p256-m/p256-m.c) p256-m/p256-m.c)
target_include_directories(p256m target_include_directories(${p256m_target}
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}> PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
$<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m> $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include> $<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
@ -32,7 +34,7 @@ if(INSTALL_MBEDTLS_HEADERS)
endif(INSTALL_MBEDTLS_HEADERS) endif(INSTALL_MBEDTLS_HEADERS)
install(TARGETS p256m install(TARGETS ${p256m_target}
EXPORT MbedTLSTargets EXPORT MbedTLSTargets
DESTINATION ${CMAKE_INSTALL_LIBDIR} DESTINATION ${CMAKE_INSTALL_LIBDIR}
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ) PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)

2
BRANCHES.md
View File

@ -106,6 +106,6 @@ The following branches are currently maintained:
- [`development`](https://github.com/Mbed-TLS/mbedtls/) - [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28) - [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024, see maintained until at least the end of 2024, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3>. <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5>.
Users are urged to always use the latest version of a maintained branch. Users are urged to always use the latest version of a maintained branch.

2
CMakeLists.txt
View File

@ -377,7 +377,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
write_basic_package_version_file( write_basic_package_version_file(
"cmake/MbedTLSConfigVersion.cmake" "cmake/MbedTLSConfigVersion.cmake"
COMPATIBILITY SameMajorVersion COMPATIBILITY SameMajorVersion
VERSION 3.4.1) VERSION 3.5.0)
install( install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake" FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"

288
ChangeLog
View File

@ -1,5 +1,293 @@
Mbed TLS ChangeLog (Sorted per branch, date) Mbed TLS ChangeLog (Sorted per branch, date)
= Mbed TLS 3.5.0 branch released 2023-10-05
API changes
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
their was a flaw in the logic checking if the built-in implementation, in
that if failed to check if all the relevant curves were supported by the
accelerator. As a result, it was possible to declare no curves as
accelerated and still have the built-in implementation compiled out.
Starting with this release, it is necessary to declare which curves are
accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
considered not accelerated, and the built-in implementation of the curves
and any algorithm possible using them will be included in the build.
* Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
can be created using an ALT interface.
Requirement changes
* Officially require Python 3.8 now that earlier versions are out of support.
* Minimum required Windows version is now Windows Vista, or
Windows Server 2008.
New deprecations
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
the capabilities of the PSA side for either key.
* MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
maximum size of any supported block cipher) or the new name
MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
maximum size of a block cipher supported by the CMAC module).
* mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
mbedtls_pkcs12_pbe_ext() as they offer more security by checking
for overflow of the output buffer and reporting the actual length
of the output.
Features
* All modules that use hashes or HMAC can now take advantage of PSA Crypto
drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
been called. Previously (in 3.3), this was restricted to a few modules,
and only in builds where MBEDTLS_MD_C was disabled; in particular the
entropy module was not covered which meant an external RNG had to be
provided - these limitations are lifted in this version. A new set of
feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
to check for availability of hash algorithms, regardless of whether
they're provided by a built-in implementation, a driver or both. See
docs/driver-only-builds.md.
* When a PSA driver for ECDH is present, it is now possible to disable
MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
key exchanges based on ECDH(E) to work, this requires
MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
as PSA does not have an API for restartable ECDH yet.
* When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
if not required by another module) and still get support for ECC keys and
algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
for details.
* Add parsing of directoryName subtype for subjectAltName extension in
x509 certificates.
* Add support for server-side TLS version negotiation. If both TLS 1.2 and
TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
TLS 1.3 depending on the capabilities and preferences of TLS clients.
Fixes #6867.
* X.509 hostname verification now supports IPAddress Subject Alternate Names.
* Add support for reading and writing X25519 and X448
public and private keys in RFC 8410 format using the existing PK APIs.
* When parsing X.509 certificates, support the extensions
SignatureKeyIdentifier and AuthorityKeyIdentifier.
* Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
if no PAKE algorithms are requested
* Add support for the FFDH algorithm and DH key types in PSA, with
parameters from RFC 7919. This includes a built-in implementation based
on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
implementations of FFDH through the driver entry points.
* It is now possible to generate certificates with SubjectAltNames.
Currently supported subtypes: DnsName, UniformResourceIdentifier,
IP address, OtherName, and DirectoryName, as defined in RFC 5280.
See mbedtls_x509write_crt_set_subject_alternative_name for
more information.
* X.509 hostname verification now partially supports URI Subject Alternate
Names. Only exact matching, without any normalization procedures
described in 7.4 of RFC5280, will result in a positive URI verification.
* Add function mbedtls_oid_from_numeric_string() to parse an OID from a
string to a DER-encoded mbedtls_asn1_buf.
* Add SHA-3 family hash functions.
* Add support to restrict AES to 128-bit keys in order to save code size.
A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
used to enable this feature.
* AES performance improvements. Uplift varies by platform,
toolchain, optimisation flags and mode.
Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
On Aarch64, uplift is typically around 20 - 110%.
When compiling with gcc -Os on Aarch64, AES-XTS improves
by 4.5x.
* Add support for PBKDF2-HMAC through the PSA API.
* New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
or DH) were introduced in order to have finer accuracy in defining the
PSA capabilities for each key. These capabilities, named yyy above, can be
any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
- DERIVE is only available for ECC keys, not for RSA or DH ones.
- implementations are free to enable more than what it was strictly
requested. For example BASIC internally enables IMPORT and EXPORT
(useful for testing purposes), but this might change in the future.
* Add support for FFDH key exchange in TLS 1.3.
This is automatically enabled as soon as PSA_WANT_ALG_FFDH
and the ephemeral or psk-ephemeral key exchange mode are enabled.
By default, all groups are offered; the list of groups can be
configured using the existing API function mbedtls_ssl_conf_groups().
* Improve mbedtls_x509_time performance and reduce memory use.
* Reduce syscalls to time() during certificate verification.
* Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
setting the CMake variable of the same name at configuration time.
* Add getter (mbedtls_ssl_cache_get_timeout()) to access
`mbedtls_ssl_cache_context.timeout`.
* Add getter (mbedtls_ssl_get_hostname()) to access
`mbedtls_ssl_context.hostname`.
* Add getter (mbedtls_ssl_conf_get_endpoint()) to access
`mbedtls_ssl_config.endpoint`.
* Support for "opaque" (PSA-held) ECC keys in the PK module has been
extended: it is now possible to use mbedtls_pk_write_key_der(),
mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
allow it).
* The documentation of mbedtls_ecp_group now describes the optimized
representation of A for some curves. Fixes #8045.
* Add a possibility to generate CSR's with RCF822 and directoryName subtype
of subjectAltName extension in x509 certificates.
* Add support for PBKDF2-CMAC through the PSA API.
* New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
disables the plain C implementation and the run-time detection for the
CPU feature, which reduces code size and avoids the vulnerability of the
plain C implementation.
* Accept arbitrary AttributeType and AttributeValue in certificate
Distinguished Names using RFC 4514 syntax.
* Applications using ECC over secp256r1 through the PSA API can use a
new implementation with a much smaller footprint, but some minor
usage restrictions. See the documentation of the new configuration
option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
Security
* Fix a case where potentially sensitive information held in memory would not
be completely zeroized during TLS 1.2 handshake, in both server and client
configurations.
* In configurations with ARIA or Camellia but not AES, the value of
MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
suggest. This did not affect any library code, because this macro was
only used in relation with CMAC which does not support these ciphers.
This may affect application code that uses this macro.
* Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
review the size of the output buffer passed to this function, and note
that the output after decryption may include CBC padding. Consider moving
to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
which checks for overflow of the output buffer and reports the actual
length of the output.
* Improve padding calculations in CBC decryption, NIST key unwrapping and
RSA OAEP decryption. With the previous implementation, some compilers
(notably recent versions of Clang and IAR) could produce non-constant
time code, which could allow a padding oracle attack if the attacker
has access to precise timing measurements.
* Updates to constant-time C code so that compilers are less likely to use
conditional instructions, which can have an observable difference in
timing. (Clang has been seen to do this.) Also introduce assembly
implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
guaranteed not to use conditional instructions.
* Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
undefined. Mbed TLS itself was unaffected by this, but user code
which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
release containing this bug was Mbed TLS 3.4.0.
* Fix a buffer overread when parsing short TLS application data records in
null-cipher cipher suites. Credit to OSS-Fuzz.
* Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
In TLS 1.3, all configurations are affected except PSK-only ones, and
both clients and servers are affected.
In TLS 1.2, the affected configurations are those with
MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
and only servers are affected, not clients.
Credit to OSS-Fuzz.
Bugfix
* Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
than all built-in ones and RSA is disabled.
Resolves #6622.
* Add missing md.h includes to some of the external programs from
the programs directory. Without this, even though the configuration
was sufficient for a particular program to work, it would only print
a message that one of the required defines is missing.
* Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
in the ecdsa.h header file. There was a build warning when the
configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
Resolves #7407.
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
* Fix missing PSA initialization in sample programs when
MBEDTLS_USE_PSA_CRYPTO is enabled.
* Fix the J-PAKE driver interface for user and peer to accept any values
(previously accepted values were limited to "client" or "server").
* Fix clang and armclang compilation error when targeting certain Arm
M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
SecurCore SC000). Fixes #1077.
* Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
way to detect the crypto extensions required. A warning is still issued.
* Fixed an issue that caused compile errors when using CMake and the IAR
toolchain.
* Fix very high stack usage in SSL debug code. Reported by Maximilian
Gerhardt in #7804.
* Fix a compilation failure in the constant_time module when
building for arm64_32 (e.g., for watchos). Reported by Paulo
Coutinho in #7787.
* Fix crypt_and_hash decryption fail when used with a stream cipher
mode of operation due to the input not being multiple of block size.
Resolves #7417.
* Fix a bug in which mbedtls_x509_string_to_names() would return success
when given a invalid name string if it did not contain '=' or ','.
* Fix compilation warnings in aes.c, which prevented the
example TF-M configuration in configs/ from building cleanly:
tfm_mbedcrypto_config_profile_medium.h with
crypto_config_profile_medium.h.
* In TLS 1.3, fix handshake failure when a client in its ClientHello
proposes an handshake based on PSK only key exchange mode or at least
one of the key exchange modes using ephemeral keys to a server that
supports only the PSK key exchange mode.
* Fix CCM* with no tag being not supported in a build with CCM as the only
symmetric encryption algorithm and the PSA configuration enabled.
* Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
* Fix a compilation error on some platforms when including mbedtls/ssl.h
with all TLS support disabled. Fixes #6628.
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
using ECC key. The certificate was rejected by some crypto frameworks.
Fixes #2924.
* Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
is called with zero length and padlock is not enabled.
* Fix compile failure due to empty enum in cipher_wrap.c, when building
with a very minimal configuration. Fixes #7625.
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
signature can silently return an incorrect result in low memory conditions.
* Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
* Fix IAR compiler warnings.
* Fix an issue when parsing an otherName subject alternative name into a
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
copied to the struct. This meant that the struct had incomplete
information about the otherName SAN and contained uninitialized memory.
* Fix the detection of HardwareModuleName otherName SANs. These were being
detected by comparing the wrong field and the check was erroneously
inverted.
* Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
enabled, where some low-level modules required by requested PSA crypto
features were not getting automatically enabled. Fixes #7420.
* Fix undefined symbols in some builds using TLS 1.3 with a custom
configuration file.
* Fix log level for the got supported group message. Fixes #6765
* Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
error code on failure. Before, they returned 1 to indicate failure in
some cases involving a missing entry or a full cache.
* mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
* Fix the build with CMake when Everest or P256-m is enabled through
a user configuration file or the compiler command line. Fixes #8165.
Changes
* Enable Arm / Thumb bignum assembly for most Arm platforms when
compiling with gcc, clang or armclang and -O0.
* Enforce minimum RSA key size when generating a key
to avoid accidental misuse.
* Use heap memory to allocate DER encoded RSA private key.
This reduces stack usage significantly for RSA signature
operations when MBEDTLS_PSA_CRYPTO_C is defined.
* Update Windows code to use BCryptGenRandom and wcslen, and
ensure that conversions between size_t, ULONG, and int are
always done safely. Original contribution by Kevin Kane #635, #730
followed by Simon Butcher #1453.
* Users integrating their own PSA drivers should be aware that
the file library/psa_crypto_driver_wrappers.c has been renamed
to psa_crypto_driver_wrappers_no_static.c.
* When using CBC with the cipher module, the requirement to call
mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
this call accidentally applied a default padding mode chosen at compile
time.
= Mbed TLS 3.4.1 branch released 2023-08-04 = Mbed TLS 3.4.1 branch released 2023-08-04
Bugfix Bugfix

18
ChangeLog.d/Define-PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy.txt
View File

@ -1,18 +0,0 @@
New deprecations
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
the capabilities of the PSA side for either key.
Features
* New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
or DH) were introduced in order to have finer accuracy in defining the
PSA capabilities for each key. These capabilities, named yyy above, can be
any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
- DERIVE is only available for ECC keys, not for RSA or DH ones.
- implementations are free to enable more than what it was strictly
requested. For example BASIC internally enables IMPORT and EXPORT
(useful for testing purposes), but this might change in the future.

4
ChangeLog.d/MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
error code on failure. Before, they returned 1 to indicate failure in
some cases involving a missing entry or a full cache.

3
ChangeLog.d/X509Parse_SignatureKeyId_AuthorityKeyId.txt
View File

@ -1,3 +0,0 @@
Features
* When parsing X.509 certificates, support the extensions
SignatureKeyIdentifier and AuthorityKeyIdentifier.

4
ChangeLog.d/add-aes-128bit-only.txt
View File

@ -1,4 +0,0 @@
Features
* Add support to restrict AES to 128-bit keys in order to save code size.
A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
used to enable this feature.

6
ChangeLog.d/add-aes-hardware-only-option.txt
View File

@ -1,6 +0,0 @@
Features
* New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
disables the plain C implementation and the run-time detection for the
CPU feature, which reduces code size and avoids the vulnerability of the
plain C implementation.

3
ChangeLog.d/add-directoryname-san.txt
View File

@ -1,3 +0,0 @@
Features
* Add parsing of directoryName subtype for subjectAltName extension in
x509 certificates.

7
ChangeLog.d/add-getters-for-some-fields.txt
View File

@ -1,7 +0,0 @@
Features
* Add getter (mbedtls_ssl_cache_get_timeout()) to access
`mbedtls_ssl_cache_context.timeout`.
* Add getter (mbedtls_ssl_get_hostname()) to access
`mbedtls_ssl_context.hostname`.
* Add getter (mbedtls_ssl_conf_get_endpoint()) to access
`mbedtls_ssl_config.endpoint`.

5
ChangeLog.d/add-milliseconds-time-api.txt
View File

@ -1,5 +0,0 @@
API changes
* Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
can be created using an ALT interface.

5
ChangeLog.d/add-missing-md-includes.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Add missing md.h includes to some of the external programs from
the programs directory. Without this, even though the configuration
was sufficient for a particular program to work, it would only print
a message that one of the required defines is missing.

2
ChangeLog.d/add-pbkdf2-cmac.txt
View File

@ -1,2 +0,0 @@
Features
* Add support for PBKDF2-CMAC through the PSA API.

2
ChangeLog.d/add-pbkdf2-hmac.txt
View File

@ -1,2 +0,0 @@
Features
* Add support for PBKDF2-HMAC through the PSA API.

3
ChangeLog.d/add-psa_want_alg_some_pake.txt
View File

@ -1,3 +0,0 @@
Features
* Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
if no PAKE algorithms are requested

3
ChangeLog.d/add-rfc822-directoryname-csr-gen.txt
View File

@ -1,3 +0,0 @@
Features
* Add a possibility to generate CSR's with RCF822 and directoryName subtype
of subjectAltName extension in x509 certificates.

6
ChangeLog.d/add-subjectAltName-certs.txt
View File

@ -1,6 +0,0 @@
Features
* It is now possible to generate certificates with SubjectAltNames.
Currently supported subtypes: DnsName, UniformResourceIdentifier,
IP address, OtherName, and DirectoryName, as defined in RFC 5280.
See mbedtls_x509write_crt_set_subject_alternative_name for
more information.

7
ChangeLog.d/aes-perf.txt
View File

@ -1,7 +0,0 @@
Features
* AES performance improvements. Uplift varies by platform,
toolchain, optimisation flags and mode.
Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
On Aarch64, uplift is typically around 20 - 110%.
When compiling with gcc -Os on Aarch64, AES-XTS improves
by 4.5x.

7
ChangeLog.d/armclang-compile-fix.txt
View File

@ -1,7 +0,0 @@
Bugfix
* Fix clang and armclang compilation error when targeting certain Arm
M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
SecurCore SC000). Fixes #1077.
Changes
* Enable Arm / Thumb bignum assembly for most Arm platforms when
compiling with gcc, clang or armclang and -O0.

4
ChangeLog.d/basic-uri-verification.txt
View File

@ -1,4 +0,0 @@
Features
* X.509 hostname verification now partially supports URI Subject Alternate
Names. Only exact matching, without any normalization procedures
described in 7.4 of RFC5280, will result in a positive URI verification.

3
ChangeLog.d/bugfix_iar_typo.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fixed an issue that caused compile errors when using CMake and the IAR
toolchain.

3
ChangeLog.d/cmake-pass-through-config-defines.txt
View File

@ -1,3 +0,0 @@
Features
* Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
setting the CMake variable of the same name at configuration time.

4
ChangeLog.d/config_psa-include-order.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
enabled, where some low-level modules required by requested PSA crypto
features were not getting automatically enabled. Fixes #7420.

5
ChangeLog.d/driver-ffdh.txt
View File

@ -1,5 +0,0 @@
Features
* Add support for the FFDH algorithm and DH key types in PSA, with
parameters from RFC 7919. This includes a built-in implementation based
on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
implementations of FFDH through the driver entry points.

23
ChangeLog.d/driver-only-ecc.txt
View File

@ -1,23 +0,0 @@
Features
* When a PSA driver for ECDH is present, it is now possible to disable
MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
key exchanges based on ECDH(E) to work, this requires
MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
as PSA does not have an API for restartable ECDH yet.
* When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
if not required by another module) and still get support for ECC keys and
algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
for details.
API changes
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
their was a flaw in the logic checking if the built-in implementation, in
that if failed to check if all the relevant curves were supported by the
accelerator. As a result, it was possible to declare no curves as
accelerated and still have the built-in implementation compiled out.
Starting with this release, it is necessary to declare which curves are
accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
considered not accelerated, and the built-in implementation of the curves
and any algorithm possible using them will be included in the build.

11
ChangeLog.d/driver-only-hashes.txt
View File

@ -1,11 +0,0 @@
Features
* All modules that use hashes or HMAC can now take advantage of PSA Crypto
drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
been called. Previously (in 3.3), this was restricted to a few modules,
and only in builds where MBEDTLS_MD_C was disabled; in particular the
entropy module was not covered which meant an external RNG had to be
provided - these limitations are lifted in this version. A new set of
feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
to check for availability of hash algorithms, regardless of whether
they're provided by a built-in implementation, a driver or both. See
docs/driver-only-builds.md.

3
ChangeLog.d/ec_jpake_user_peer_2.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix the J-PAKE driver interface for user and peer to accept any values
(previously accepted values were limited to "client" or "server").

3
ChangeLog.d/enforce-min-RSA-key-size.txt
View File

@ -1,3 +0,0 @@
Changes
* Enforce minimum RSA key size when generating a key
to avoid accidental misuse.

3
ChangeLog.d/extend-distinguished-names.txt
View File

@ -1,3 +0,0 @@
Features
* Accept arbitrary AttributeType and AttributeValue in certificate
Distinguished Names using RFC 4514 syntax.

6
ChangeLog.d/extend-pk-opaque-ecc.txt
View File

@ -1,6 +0,0 @@
Features
* Support for "opaque" (PSA-held) ECC keys in the PK module has been
extended: it is now possible to use mbedtls_pk_write_key_der(),
mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
allow it).

6
ChangeLog.d/ffdh-tls-1-3.txt
View File

@ -1,6 +0,0 @@
Features
* Add support for FFDH key exchange in TLS 1.3.
This is automatically enabled as soon as PSA_WANT_ALG_FFDH
and the ephemeral or psk-ephemeral key exchange mode are enabled.
By default, all groups are offered; the list of groups can be
configured using the existing API function mbedtls_ssl_conf_groups().

3
ChangeLog.d/fix-a-few-unchecked-return.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
signature can silently return an incorrect result in low memory conditions.

3
ChangeLog.d/fix-aes-cbc-iv-corruption.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
is called with zero length and padlock is not enabled.

4
ChangeLog.d/fix-crypt_and_hash-decrypt-issue.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix crypt_and_hash decryption fail when used with a stream cipher
mode of operation due to the input not being multiple of block size.
Resolves #7417.

5
ChangeLog.d/fix-declaration-of-mbedtls_ecdsa_sign_det_restartable-function.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
in the ecdsa.h header file. There was a build warning when the
configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
Resolves #7407.

3
ChangeLog.d/fix-empty-enum.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix compile failure due to empty enum in cipher_wrap.c, when building
with a very minimal configuration. Fixes #7625.

5
ChangeLog.d/fix-hrr-in-psk-kem.txt
View File

@ -1,5 +0,0 @@
Bugfix
* In TLS 1.3, fix handshake failure when a client in its ClientHello
proposes an handshake based on PSK only key exchange mode or at least
one of the key exchange modes using ephemeral keys to a server that
supports only the PSK key exchange mode.

2
ChangeLog.d/fix-iar-compiler-warnings.txt
View File

@ -1,2 +0,0 @@
Bugfix
* Fix IAR compiler warnings.

4
ChangeLog.d/fix-ilp32.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix a compilation failure in the constant_time module when
building for arm64_32 (e.g., for watchos). Reported by Paulo
Coutinho in #7787.

2
ChangeLog.d/fix-log-level-msg.txt
View File

@ -1,2 +0,0 @@
Bugfix
* Fix log level for the got supported group message. Fixes #6765

3
ChangeLog.d/fix-string-to-names-retcode.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a bug in which mbedtls_x509_string_to_names() would return success
when given a invalid name string if it did not contain '=' or ','.

5
ChangeLog.d/fix-tfm-build.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix compilation warnings in aes.c, which prevented the
example TF-M configuration in configs/ from building cleanly:
tfm_mbedcrypto_config_profile_medium.h with
crypto_config_profile_medium.h.

4
ChangeLog.d/fix-tls-padbuf-zeroization.txt
View File

@ -1,4 +0,0 @@
Security
* Fix a case where potentially sensitive information held in memory would not
be completely zeroized during TLS 1.2 handshake, in both server and client
configurations.

4
ChangeLog.d/fix-unterminated-pragma-clang-attribute-push.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
way to detect the crypto extensions required. A warning is still issued.

3
ChangeLog.d/improve-doc-on-ecp-curve-optimized-representation.txt
View File

@ -1,3 +0,0 @@
Features
* The documentation of mbedtls_ecp_group now describes the optimized
representation of A for some curves. Fixes #8045.

8
ChangeLog.d/initialize-struct-get-other-name.txt
View File

@ -1,8 +0,0 @@
Bugfix
* Fix an issue when parsing an otherName subject alternative name into a
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
copied to the struct. This meant that the struct had incomplete
information about the otherName SAN and contained uninitialized memory.
* Fix the detection of HardwareModuleName otherName SANs. These were being
detected by comparing the wrong field and the check was erroneously
inverted.

2
ChangeLog.d/inject-entropy.txt
View File

@ -1,2 +0,0 @@
Bugfix
* Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.

3
ChangeLog.d/mbedtls_ecdsa_can_do-unconditional-define.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.

3
ChangeLog.d/mbedtls_x509_time.txt
View File

@ -1,3 +0,0 @@
Features
* Improve mbedtls_x509_time performance and reduce memory use.
* Reduce syscalls to time() during certificate verification.

3
ChangeLog.d/misc-from-psa-crypto.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix CCM* with no tag being not supported in a build with CCM as the only
symmetric encryption algorithm and the PSA configuration enabled.

3
ChangeLog.d/oid-parse-from-numeric-string.txt
View File

@ -1,3 +0,0 @@
Features
* Add function mbedtls_oid_from_numeric_string() to parse an OID from a
string to a DER-encoded mbedtls_asn1_buf.

5
ChangeLog.d/p256-m.txt
View File

@ -1,5 +0,0 @@
Features
* Applications using ECC over secp256r1 through the PSA API can use a
new implementation with a much smaller footprint, but some minor
usage restrictions. See the documentation of the new configuration
option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.

3
ChangeLog.d/programs_psa_fix.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix missing PSA initialization in sample programs when
MBEDTLS_USE_PSA_CRYPTO is enabled.

3
ChangeLog.d/psa_crypto_user_config_file.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
MBEDTLS_PSA_CRYPTO_CONFIG is disabled.

2
ChangeLog.d/python3.8.txt
View File

@ -1,2 +0,0 @@
Requirement changes
* Officially require Python 3.8 now that earlier versions are out of support.

5
ChangeLog.d/rename_psa_crypto_driver_wrappers.txt
View File

@ -1,5 +0,0 @@
Changes
* Users intergrating their own PSA drivers should be aware that
the file library/psa_crypto_driver_wrappers.c has been renamed
to psa_crypto_driver_wrappers_no_static.c.

3
ChangeLog.d/rfc8410.txt
View File

@ -1,3 +0,0 @@
Features
* Add support for reading and writing X25519 and X448
public and private keys in RFC 8410 format using the existing PK APIs.

3
ChangeLog.d/sha3.txt
View File

@ -1,3 +0,0 @@
Features
* Add SHA-3 family hash functions.

5
ChangeLog.d/some-max-size-macro-are-too-small-when-psa-ecc-is-accelerated.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
than all built-in ones and RSA is disabled.
Resolves #6622.

3
ChangeLog.d/ssl_debug_helpers-stack_usage.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix very high stack usage in SSL debug code. Reported by Maximilian
Gerhardt in #7804.

3
ChangeLog.d/ssl_premaster_secret-empty.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix a compilation error on some platforms when including mbedtls/ssl.h
with all TLS support disabled. Fixes #6628.

3
ChangeLog.d/tls13-custom-config.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix undefined symbols in some builds using TLS 1.3 with a custom
configuration file.

5
ChangeLog.d/tls13-server-version-negotiation.txt
View File

@ -1,5 +0,0 @@
Features
* Add support for server-side TLS version negotiation. If both TLS 1.2 and
TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
TLS 1.3 depending on the capabilities and preferences of TLS clients.
Fixes #6867.

9
ChangeLog.d/updated_windows_apis.txt
View File

@ -1,9 +0,0 @@
Requirement changes
* Minimum required Windows version is now Windows Vista, or
Windows Server 2008.
Changes
* Update Windows code to use BCryptGenRandom and wcslen, and
ensure that conversions between size_t, ULONG, and int are
always done safely. Original contribution by Kevin Kane #635, #730
followed by Simon Butcher #1453.

4
ChangeLog.d/use_heap_rsa_signature.txt
View File

@ -1,4 +0,0 @@
Changes
* Use heap memory to allocate DER encoded RSA private key.
This reduces stack usage significantly for RSA signature
operations when MBEDTLS_PSA_CRYPTO_C is defined.

2
ChangeLog.d/verify-ip-sans-properly.txt
View File

@ -1,2 +0,0 @@
Features
* X.509 hostname verification now supports IPAddress Subject Alternate Names.

4
ChangeLog.d/x509-ec-algorithm-identifier-fix.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
using ECC key. The certificate was rejected by some crypto frameworks.
Fixes #2924.

9
SECURITY.md
View File

@ -135,3 +135,12 @@ Guide](docs/architecture/alternative-implementations.md) for more information.
- Use cryptographic mechanisms that are not based on block ciphers. In - Use cryptographic mechanisms that are not based on block ciphers. In
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG. block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
#### Everest
The HACL* implementation of X25519 taken from the Everest project only protects
against remote timing attacks. (See their [Security
Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).)
The Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`
configuration option is defined. This option is off by default.

2
doxygen/input/doc_mainpage.h
View File

@ -22,7 +22,7 @@
*/ */
/** /**
* @mainpage Mbed TLS v3.4.1 API Documentation * @mainpage Mbed TLS v3.5.0 API Documentation
* *
* This documentation describes the internal structure of Mbed TLS. It was * This documentation describes the internal structure of Mbed TLS. It was
* automatically generated from specially formatted comment blocks in * automatically generated from specially formatted comment blocks in

2
doxygen/mbedtls.doxyfile
View File

@ -1,4 +1,4 @@
PROJECT_NAME = "Mbed TLS v3.4.1" PROJECT_NAME = "Mbed TLS v3.5.0"
OUTPUT_DIRECTORY = ../apidoc/ OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES OPTIMIZE_OUTPUT_FOR_C = YES

10
include/mbedtls/build_info.h
View File

@ -37,17 +37,17 @@
* Major, Minor, Patchlevel * Major, Minor, Patchlevel
*/ */
#define MBEDTLS_VERSION_MAJOR 3 #define MBEDTLS_VERSION_MAJOR 3
#define MBEDTLS_VERSION_MINOR 4 #define MBEDTLS_VERSION_MINOR 5
#define MBEDTLS_VERSION_PATCH 1 #define MBEDTLS_VERSION_PATCH 0
/** /**
* The single version number has the following structure: * The single version number has the following structure:
* MMNNPP00 * MMNNPP00
* Major version | Minor version | Patch version * Major version | Minor version | Patch version
*/ */
#define MBEDTLS_VERSION_NUMBER 0x03040100 #define MBEDTLS_VERSION_NUMBER 0x03050000
#define MBEDTLS_VERSION_STRING "3.4.1" #define MBEDTLS_VERSION_STRING "3.5.0"
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.4.1" #define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.0"
/* Macros for build-time platform detection */ /* Macros for build-time platform detection */

1
include/mbedtls/cipher.h
View File

@ -852,7 +852,6 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
* \brief This function sets the padding mode, for cipher modes * \brief This function sets the padding mode, for cipher modes
* that use padding. * that use padding.
* *
* The default passing mode is PKCS7 padding.
* *
* \param ctx The generic cipher context. This must be initialized and * \param ctx The generic cipher context. This must be initialized and
* bound to a cipher information structure. * bound to a cipher information structure.

27
include/mbedtls/cmac.h
View File

@ -5,6 +5,7 @@
* *
* The Cipher-based Message Authentication Code (CMAC) Mode for * The Cipher-based Message Authentication Code (CMAC) Mode for
* Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>. * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
* It is supported with AES and DES.
*/ */
/* /*
* Copyright The Mbed TLS Contributors * Copyright The Mbed TLS Contributors
@ -38,12 +39,30 @@ extern "C" {
#define MBEDTLS_AES_BLOCK_SIZE 16 #define MBEDTLS_AES_BLOCK_SIZE 16
#define MBEDTLS_DES3_BLOCK_SIZE 8 #define MBEDTLS_DES3_BLOCK_SIZE 8
/* We don't support Camellia or ARIA in this module */
#if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_AES_C)
#define MBEDTLS_CIPHER_BLKSIZE_MAX 16 /**< The longest block used by CMAC is that of AES. */ #define MBEDTLS_CMAC_MAX_BLOCK_SIZE 16 /**< The longest block used by CMAC is that of AES. */
#else #else
#define MBEDTLS_CIPHER_BLKSIZE_MAX 8 /**< The longest block used by CMAC is that of 3DES. */ #define MBEDTLS_CMAC_MAX_BLOCK_SIZE 8 /**< The longest block used by CMAC is that of 3DES. */
#endif #endif
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/** The longest block supported by the cipher module.
*
* \deprecated
* For the maximum block size of a cipher supported by the CMAC module,
* use #MBEDTLS_CMAC_MAX_BLOCK_SIZE.
* For the maximum block size of a cipher supported by the cipher module,
* use #MBEDTLS_MAX_BLOCK_LENGTH.
*/
/* Before Mbed TLS 3.5, this was the maximum block size supported by the CMAC
* module, so it didn't take Camellia or ARIA into account. Since the name
* of the macro doesn't even convey "CMAC", this was misleading. Now the size
* is sufficient for any cipher, but the name is defined in cmac.h for
* backward compatibility. */
#define MBEDTLS_CIPHER_BLKSIZE_MAX MBEDTLS_MAX_BLOCK_LENGTH
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#if !defined(MBEDTLS_CMAC_ALT) #if !defined(MBEDTLS_CMAC_ALT)
/** /**
@ -51,11 +70,11 @@ extern "C" {
*/ */
struct mbedtls_cmac_context_t { struct mbedtls_cmac_context_t {
/** The internal state of the CMAC algorithm. */ /** The internal state of the CMAC algorithm. */
unsigned char MBEDTLS_PRIVATE(state)[MBEDTLS_CIPHER_BLKSIZE_MAX]; unsigned char MBEDTLS_PRIVATE(state)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
/** Unprocessed data - either data that was not block aligned and is still /** Unprocessed data - either data that was not block aligned and is still
* pending processing, or the final block. */ * pending processing, or the final block. */
unsigned char MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CIPHER_BLKSIZE_MAX]; unsigned char MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
/** The length of data pending processing. */ /** The length of data pending processing. */
size_t MBEDTLS_PRIVATE(unprocessed_len); size_t MBEDTLS_PRIVATE(unprocessed_len);

8
include/mbedtls/config_adjust_legacy_crypto.h
View File

@ -184,4 +184,12 @@
#define MBEDTLS_PK_HAVE_ECC_KEYS #define MBEDTLS_PK_HAVE_ECC_KEYS
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */ #endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
/* Historically pkparse did not check the CBC padding when decrypting
* a key. This was a bug, which is now fixed. As a consequence, pkparse
* now needs PKCS7 padding support, but existing configurations might not
* enable it, so we enable it here. */
#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
#define MBEDTLS_CIPHER_PADDING_PKCS7
#endif
#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */ #endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */

91
include/mbedtls/pkcs12.h
View File

@ -52,10 +52,30 @@ extern "C" {
#if defined(MBEDTLS_ASN1_PARSE_C) #if defined(MBEDTLS_ASN1_PARSE_C)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/** /**
* \brief PKCS12 Password Based function (encryption / decryption) * \brief PKCS12 Password Based function (encryption / decryption)
* for cipher-based and mbedtls_md-based PBE's * for cipher-based and mbedtls_md-based PBE's
* *
* \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
* be enabled at compile time.
*
* \deprecated This function is deprecated and will be removed in a
* future version of the library.
* Please use mbedtls_pkcs12_pbe_ext() instead.
*
* \warning When decrypting:
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
* time, this function validates the CBC padding and returns
* #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
* invalid. Note that this can help active adversaries
* attempting to brute-forcing the password. Note also that
* there is no guarantee that an invalid password will be
* detected (the chances of a valid padding with a random
* password are about 1/255).
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
* time, this function does not validate the CBC padding.
*
* \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
* \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
* #MBEDTLS_PKCS12_PBE_DECRYPT * #MBEDTLS_PKCS12_PBE_DECRYPT
@ -64,17 +84,78 @@ extern "C" {
* \param pwd Latin1-encoded password used. This may only be \c NULL when * \param pwd Latin1-encoded password used. This may only be \c NULL when
* \p pwdlen is 0. No null terminator should be used. * \p pwdlen is 0. No null terminator should be used.
* \param pwdlen length of the password (may be 0) * \param pwdlen length of the password (may be 0)
* \param input the input data * \param data the input data
* \param len data length * \param len data length
* \param output the output buffer * \param output Output buffer.
* On success, it contains the encrypted or decrypted data,
* possibly followed by the CBC padding.
* On failure, the content is indeterminate.
* For decryption, there must be enough room for \p len
* bytes.
* For encryption, there must be enough room for
* \p len + 1 bytes, rounded up to the block size of
* the block cipher identified by \p pbe_params.
* *
* \return 0 if successful, or a MBEDTLS_ERR_XXX code * \return 0 if successful, or a MBEDTLS_ERR_XXX code
*/ */
int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode, int MBEDTLS_DEPRECATED mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
mbedtls_cipher_type_t cipher_type,
mbedtls_md_type_t md_type,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t len,
unsigned char *output);
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
/**
* \brief PKCS12 Password Based function (encryption / decryption)
* for cipher-based and mbedtls_md-based PBE's
*
*
* \warning When decrypting:
* - This function validates the CBC padding and returns
* #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
* invalid. Note that this can help active adversaries
* attempting to brute-forcing the password. Note also that
* there is no guarantee that an invalid password will be
* detected (the chances of a valid padding with a random
* password are about 1/255).
*
* \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
* \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
* #MBEDTLS_PKCS12_PBE_DECRYPT
* \param cipher_type the cipher used
* \param md_type the mbedtls_md used
* \param pwd Latin1-encoded password used. This may only be \c NULL when
* \p pwdlen is 0. No null terminator should be used.
* \param pwdlen length of the password (may be 0)
* \param data the input data
* \param len data length
* \param output Output buffer.
* On success, it contains the encrypted or decrypted data,
* possibly followed by the CBC padding.
* On failure, the content is indeterminate.
* For decryption, there must be enough room for \p len
* bytes.
* For encryption, there must be enough room for
* \p len + 1 bytes, rounded up to the block size of
* the block cipher identified by \p pbe_params.
* \param output_size size of output buffer.
* This must be big enough to accommodate for output plus
* padding data.
* \param output_len On success, length of actual data written to the output buffer.
*
* \return 0 if successful, or a MBEDTLS_ERR_XXX code
*/
int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
const unsigned char *pwd, size_t pwdlen, const unsigned char *pwd, size_t pwdlen,
const unsigned char *input, size_t len, const unsigned char *data, size_t len,
unsigned char *output); unsigned char *output, size_t output_size,
size_t *output_len);
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
#endif /* MBEDTLS_ASN1_PARSE_C */ #endif /* MBEDTLS_ASN1_PARSE_C */

79
include/mbedtls/pkcs5.h
View File

@ -25,6 +25,7 @@
#define MBEDTLS_PKCS5_H #define MBEDTLS_PKCS5_H
#include "mbedtls/build_info.h" #include "mbedtls/build_info.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/asn1.h" #include "mbedtls/asn1.h"
#include "mbedtls/md.h" #include "mbedtls/md.h"
@ -50,23 +51,95 @@ extern "C" {
#if defined(MBEDTLS_ASN1_PARSE_C) #if defined(MBEDTLS_ASN1_PARSE_C)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/** /**
* \brief PKCS#5 PBES2 function * \brief PKCS#5 PBES2 function
* *
* \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
* be enabled at compile time.
*
* \deprecated This function is deprecated and will be removed in a
* future version of the library.
* Please use mbedtls_pkcs5_pbes2_ext() instead.
*
* \warning When decrypting:
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
* time, this function validates the CBC padding and returns
* #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
* invalid. Note that this can help active adversaries
* attempting to brute-forcing the password. Note also that
* there is no guarantee that an invalid password will be
* detected (the chances of a valid padding with a random
* password are about 1/255).
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
* time, this function does not validate the CBC padding.
*
* \param pbe_params the ASN.1 algorithm parameters * \param pbe_params the ASN.1 algorithm parameters
* \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT * \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
* \param pwd password to use when generating key * \param pwd password to use when generating key
* \param pwdlen length of password * \param pwdlen length of password
* \param data data to process * \param data data to process
* \param datalen length of data * \param datalen length of data
* \param output output buffer * \param output Output buffer.
* On success, it contains the encrypted or decrypted data,
* possibly followed by the CBC padding.
* On failure, the content is indeterminate.
* For decryption, there must be enough room for \p datalen
* bytes.
* For encryption, there must be enough room for
* \p datalen + 1 bytes, rounded up to the block size of
* the block cipher identified by \p pbe_params.
* *
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails. * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
*/ */
int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode, int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen, const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t datalen, const unsigned char *data, size_t datalen,
unsigned char *output); unsigned char *output);
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
/**
* \brief PKCS#5 PBES2 function
*
* \warning When decrypting:
* - This function validates the CBC padding and returns
* #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
* invalid. Note that this can help active adversaries
* attempting to brute-forcing the password. Note also that
* there is no guarantee that an invalid password will be
* detected (the chances of a valid padding with a random
* password are about 1/255).
*
* \param pbe_params the ASN.1 algorithm parameters
* \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
* \param pwd password to use when generating key
* \param pwdlen length of password
* \param data data to process
* \param datalen length of data
* \param output Output buffer.
* On success, it contains the decrypted data.
* On failure, the content is indetermidate.
* For decryption, there must be enough room for \p datalen
* bytes.
* For encryption, there must be enough room for
* \p datalen + 1 bytes, rounded up to the block size of
* the block cipher identified by \p pbe_params.
* \param output_size size of output buffer.
* This must be big enough to accommodate for output plus
* padding data.
* \param output_len On success, length of actual data written to the output buffer.
*
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails.
*/
int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t datalen,
unsigned char *output, size_t output_size,
size_t *output_len);
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
#endif /* MBEDTLS_ASN1_PARSE_C */ #endif /* MBEDTLS_ASN1_PARSE_C */

25
library/CMakeLists.txt
View File

@ -268,17 +268,20 @@ if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
${mbedtls_static_target}) ${mbedtls_static_target})
endif() endif()
set(p256m_target "${MBEDTLS_TARGET_PREFIX}p256m")
set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
if(USE_STATIC_MBEDTLS_LIBRARY) if(USE_STATIC_MBEDTLS_LIBRARY)
add_library(${mbedcrypto_static_target} STATIC ${src_crypto}) add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto) set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
target_link_libraries(${mbedcrypto_static_target} PUBLIC ${libs}) target_link_libraries(${mbedcrypto_static_target} PUBLIC ${libs})
if(TARGET everest) if(TARGET ${everest_target})
target_link_libraries(${mbedcrypto_static_target} PUBLIC everest) target_link_libraries(${mbedcrypto_static_target} PUBLIC ${everest_target})
endif() endif()
if(TARGET p256m) if(TARGET ${p256m_target})
target_link_libraries(${mbedcrypto_static_target} PUBLIC p256m) target_link_libraries(${mbedcrypto_static_target} PUBLIC ${p256m_target})
endif() endif()
add_library(${mbedx509_static_target} STATIC ${src_x509}) add_library(${mbedx509_static_target} STATIC ${src_x509})
@ -293,23 +296,23 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR}) set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto}) add_library(${mbedcrypto_target} SHARED ${src_crypto})
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.4.1 SOVERSION 14) set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.5.0 SOVERSION 15)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs}) target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
if(TARGET everest) if(TARGET ${everest_target})
target_link_libraries(${mbedcrypto_target} PUBLIC everest) target_link_libraries(${mbedcrypto_target} PUBLIC ${everest_target})
endif() endif()
if(TARGET p256m) if(TARGET ${p256m_target})
target_link_libraries(${mbedcrypto_target} PUBLIC p256m) target_link_libraries(${mbedcrypto_target} PUBLIC ${p256m_target})
endif() endif()
add_library(${mbedx509_target} SHARED ${src_x509}) add_library(${mbedx509_target} SHARED ${src_x509})
set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.4.1 SOVERSION 5) set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.5.0 SOVERSION 6)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target}) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls}) add_library(${mbedtls_target} SHARED ${src_tls})
set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.4.1 SOVERSION 19) set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.5.0 SOVERSION 20)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY) endif(USE_SHARED_MBEDTLS_LIBRARY)

6
library/Makefile
View File

@ -51,9 +51,9 @@ LOCAL_CFLAGS += -fPIC -fpic
endif endif
endif endif
SOEXT_TLS?=so.19 SOEXT_TLS?=so.20
SOEXT_X509?=so.5 SOEXT_X509?=so.6
SOEXT_CRYPTO?=so.14 SOEXT_CRYPTO?=so.15
# Set AR_DASH= (empty string) to use an ar implementation that does not accept # Set AR_DASH= (empty string) to use an ar implementation that does not accept
# the - prefix for command line options (e.g. llvm-ar) # the - prefix for command line options (e.g. llvm-ar)

2
library/bignum.c
View File

@ -83,7 +83,7 @@ int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
* That is if X is negative (X_is_negative == 1), then X < Y is true and it * That is if X is negative (X_is_negative == 1), then X < Y is true and it
* is false if X is positive (X_is_negative == 0). * is false if X is positive (X_is_negative == 0).
*/ */
different_sign = mbedtls_ct_bool_xor(X_is_negative, Y_is_negative); // true if different sign different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
result = mbedtls_ct_bool_and(different_sign, X_is_negative); result = mbedtls_ct_bool_and(different_sign, X_is_negative);
/* /*

8
library/ccm.c
View File

@ -33,6 +33,7 @@
#include "mbedtls/ccm.h" #include "mbedtls/ccm.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/constant_time.h"
#include <string.h> #include <string.h>
@ -532,13 +533,8 @@ static int mbedtls_ccm_compare_tags(const unsigned char *tag1,
const unsigned char *tag2, const unsigned char *tag2,
size_t tag_len) size_t tag_len)
{ {
unsigned char i;
int diff;
/* Check tag in "constant-time" */ /* Check tag in "constant-time" */
for (diff = 0, i = 0; i < tag_len; i++) { int diff = mbedtls_ct_memcmp(tag1, tag2, tag_len);
diff |= tag1[i] ^ tag2[i];
}
if (diff != 0) { if (diff != 0) {
return MBEDTLS_ERR_CCM_AUTH_FAILED; return MBEDTLS_ERR_CCM_AUTH_FAILED;

6
library/chachapoly.c
View File

@ -25,6 +25,7 @@
#include "mbedtls/chachapoly.h" #include "mbedtls/chachapoly.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/constant_time.h"
#include <string.h> #include <string.h>
@ -310,7 +311,6 @@ int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char check_tag[16]; unsigned char check_tag[16];
size_t i;
int diff; int diff;
if ((ret = chachapoly_crypt_and_tag(ctx, if ((ret = chachapoly_crypt_and_tag(ctx,
@ -320,9 +320,7 @@ int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
} }
/* Check tag in "constant-time" */ /* Check tag in "constant-time" */
for (diff = 0, i = 0; i < sizeof(check_tag); i++) { diff = mbedtls_ct_memcmp(tag, check_tag, sizeof(check_tag));
diff |= tag[i] ^ check_tag[i];
}
if (diff != 0) { if (diff != 0) {
mbedtls_platform_zeroize(output, length); mbedtls_platform_zeroize(output, length);

87
library/cipher.c
View File

@ -30,6 +30,7 @@
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/constant_time.h" #include "mbedtls/constant_time.h"
#include "constant_time_internal.h"
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
@ -268,17 +269,6 @@ int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
ctx->cipher_info = cipher_info; ctx->cipher_info = cipher_info;
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
/*
* Ignore possible errors caused by a cipher mode that doesn't use padding
*/
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
(void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_PKCS7);
#else
(void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_NONE);
#endif
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
return 0; return 0;
} }
@ -848,7 +838,7 @@ static int get_pkcs_padding(unsigned char *input, size_t input_len,
size_t *data_len) size_t *data_len)
{ {
size_t i, pad_idx; size_t i, pad_idx;
unsigned char padding_len, bad = 0; unsigned char padding_len;
if (NULL == input || NULL == data_len) { if (NULL == input || NULL == data_len) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
@ -857,18 +847,19 @@ static int get_pkcs_padding(unsigned char *input, size_t input_len,
padding_len = input[input_len - 1]; padding_len = input[input_len - 1];
*data_len = input_len - padding_len; *data_len = input_len - padding_len;
/* Avoid logical || since it results in a branch */ mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
bad |= padding_len > input_len; bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
bad |= padding_len == 0;
/* The number of bytes checked must be independent of padding_len, /* The number of bytes checked must be independent of padding_len,
* so pick input_len, which is usually 8 or 16 (one block) */ * so pick input_len, which is usually 8 or 16 (one block) */
pad_idx = input_len - padding_len; pad_idx = input_len - padding_len;
for (i = 0; i < input_len; i++) { for (i = 0; i < input_len; i++) {
bad |= (input[i] ^ padding_len) * (i >= pad_idx); mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
} }
return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0); return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
} }
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
@ -891,24 +882,28 @@ static void add_one_and_zeros_padding(unsigned char *output,
static int get_one_and_zeros_padding(unsigned char *input, size_t input_len, static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
size_t *data_len) size_t *data_len)
{ {
size_t i;
unsigned char done = 0, prev_done, bad;
if (NULL == input || NULL == data_len) { if (NULL == input || NULL == data_len) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
} }
bad = 0x80; mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
*data_len = 0; *data_len = 0;
for (i = input_len; i > 0; i--) {
prev_done = done; for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
done |= (input[i - 1] != 0); mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
*data_len |= (i - 1) * (done != prev_done);
bad ^= input[i - 1] * (done != prev_done); mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
*data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
} }
return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0); return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
} }
#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ #endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
@ -932,7 +927,8 @@ static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
size_t *data_len) size_t *data_len)
{ {
size_t i, pad_idx; size_t i, pad_idx;
unsigned char padding_len, bad = 0; unsigned char padding_len;
mbedtls_ct_condition_t bad;
if (NULL == input || NULL == data_len) { if (NULL == input || NULL == data_len) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
@ -942,16 +938,19 @@ static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
*data_len = input_len - padding_len; *data_len = input_len - padding_len;
/* Avoid logical || since it results in a branch */ /* Avoid logical || since it results in a branch */
bad |= padding_len > input_len; bad = mbedtls_ct_uint_gt(padding_len, input_len);
bad |= padding_len == 0; bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
/* The number of bytes checked must be independent of padding_len */ /* The number of bytes checked must be independent of padding_len */
pad_idx = input_len - padding_len; pad_idx = input_len - padding_len;
for (i = 0; i < input_len - 1; i++) { for (i = 0; i < input_len - 1; i++) {
bad |= input[i] * (i >= pad_idx); mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
mbedtls_ct_condition_t nonzero_pad_byte;
nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
} }
return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0); return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
} }
#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ #endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
@ -962,18 +961,14 @@ static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
static void add_zeros_padding(unsigned char *output, static void add_zeros_padding(unsigned char *output,
size_t output_len, size_t data_len) size_t output_len, size_t data_len)
{ {
size_t i; memset(output + data_len, 0, output_len - data_len);
for (i = data_len; i < output_len; i++) {
output[i] = 0x00;
}
} }
static int get_zeros_padding(unsigned char *input, size_t input_len, static int get_zeros_padding(unsigned char *input, size_t input_len,
size_t *data_len) size_t *data_len)
{ {
size_t i; size_t i;
unsigned char done = 0, prev_done; mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
if (NULL == input || NULL == data_len) { if (NULL == input || NULL == data_len) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
@ -982,8 +977,8 @@ static int get_zeros_padding(unsigned char *input, size_t input_len,
*data_len = 0; *data_len = 0;
for (i = input_len; i > 0; i--) { for (i = input_len; i > 0; i--) {
prev_done = done; prev_done = done;
done |= (input[i-1] != 0); done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
*data_len |= i * (done != prev_done); *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
} }
return 0; return 0;
@ -1027,6 +1022,16 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
*olen = 0; *olen = 0;
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
/* CBC mode requires padding so we make sure a call to
* mbedtls_cipher_set_padding_mode has been done successfully. */
if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
if (ctx->get_padding == NULL) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
}
#endif
if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||

18
library/cmac.c
View File

@ -114,7 +114,7 @@ static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
unsigned char *K1, unsigned char *K2) unsigned char *K1, unsigned char *K2)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX]; unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
size_t olen, block_size; size_t olen, block_size;
mbedtls_platform_zeroize(L, sizeof(L)); mbedtls_platform_zeroize(L, sizeof(L));
@ -152,7 +152,7 @@ exit:
* We can't use the padding option from the cipher layer, as it only works for * We can't use the padding option from the cipher layer, as it only works for
* CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition. * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
*/ */
static void cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX], static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],
size_t padded_block_len, size_t padded_block_len,
const unsigned char *last_block, const unsigned char *last_block,
size_t last_block_len) size_t last_block_len)
@ -283,9 +283,9 @@ int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
{ {
mbedtls_cmac_context_t *cmac_ctx; mbedtls_cmac_context_t *cmac_ctx;
unsigned char *state, *last_block; unsigned char *state, *last_block;
unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX]; unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen, block_size; size_t olen, block_size;
@ -332,7 +332,7 @@ exit:
mbedtls_platform_zeroize(cmac_ctx->unprocessed_block, mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
sizeof(cmac_ctx->unprocessed_block)); sizeof(cmac_ctx->unprocessed_block));
mbedtls_platform_zeroize(state, MBEDTLS_CIPHER_BLKSIZE_MAX); mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE);
return ret; return ret;
} }
@ -750,8 +750,8 @@ static int cmac_test_subkeys(int verbose,
int i, ret = 0; int i, ret = 0;
mbedtls_cipher_context_t ctx; mbedtls_cipher_context_t ctx;
const mbedtls_cipher_info_t *cipher_info; const mbedtls_cipher_info_t *cipher_info;
unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX]; unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX]; unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
cipher_info = mbedtls_cipher_info_from_type(cipher_type); cipher_info = mbedtls_cipher_info_from_type(cipher_type);
if (cipher_info == NULL) { if (cipher_info == NULL) {
@ -845,7 +845,7 @@ static int cmac_test_wth_cipher(int verbose,
{ {
const mbedtls_cipher_info_t *cipher_info; const mbedtls_cipher_info_t *cipher_info;
int i, ret = 0; int i, ret = 0;
unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX]; unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
cipher_info = mbedtls_cipher_info_from_type(cipher_type); cipher_info = mbedtls_cipher_info_from_type(cipher_type);
if (cipher_info == NULL) { if (cipher_info == NULL) {

48
library/constant_time.c
View File

@ -22,6 +22,7 @@
* might be translated to branches by some compilers on some platforms. * might be translated to branches by some compilers on some platforms.
*/ */
#include <stdint.h>
#include <limits.h> #include <limits.h>
#include "common.h" #include "common.h"
@ -120,9 +121,56 @@ int mbedtls_ct_memcmp(const void *a,
diff |= x ^ y; diff |= x ^ y;
} }
#if (INT_MAX < INT32_MAX)
/* We don't support int smaller than 32-bits, but if someone tried to build
* with this configuration, there is a risk that, for differing data, the
* only bits set in diff are in the top 16-bits, and would be lost by a
* simple cast from uint32 to int.
* This would have significant security implications, so protect against it. */
#error "mbedtls_ct_memcmp() requires minimum 32-bit ints"
#else
/* The bit-twiddling ensures that when we cast uint32_t to int, we are casting
* a value that is in the range 0..INT_MAX - a value larger than this would
* result in implementation defined behaviour.
*
* This ensures that the value returned by the function is non-zero iff
* diff is non-zero.
*/
return (int) ((diff & 0xffff) | (diff >> 16));
#endif
}
#if defined(MBEDTLS_NIST_KW_C)
int mbedtls_ct_memcmp_partial(const void *a,
const void *b,
size_t n,
size_t skip_head,
size_t skip_tail)
{
unsigned int diff = 0;
volatile const unsigned char *A = (volatile const unsigned char *) a;
volatile const unsigned char *B = (volatile const unsigned char *) b;
size_t valid_end = n - skip_tail;
for (size_t i = 0; i < n; i++) {
unsigned char x = A[i], y = B[i];
unsigned int d = x ^ y;
mbedtls_ct_condition_t valid = mbedtls_ct_bool_and(mbedtls_ct_uint_ge(i, skip_head),
mbedtls_ct_uint_lt(i, valid_end));
diff |= mbedtls_ct_uint_if_else_0(valid, d);
}
/* Since we go byte-by-byte, the only bits set will be in the bottom 8 bits, so the
* cast from uint to int is safe. */
return (int) diff; return (int) diff;
} }
#endif
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset) void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset)

34
library/constant_time_impl.h
View File

@ -429,7 +429,6 @@ static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
return (unsigned char) (~(low_mask | high_mask)) & to; return (unsigned char) (~(low_mask | high_mask)) & to;
} }
/* ============================================================================ /* ============================================================================
* Everything below here is trivial wrapper functions * Everything below here is trivial wrapper functions
*/ */
@ -448,6 +447,14 @@ static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
return (unsigned) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0); return (unsigned) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
} }
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
mbedtls_ct_condition_t if1,
mbedtls_ct_condition_t if0)
{
return (mbedtls_ct_condition_t) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1,
(mbedtls_ct_uint_t) if0);
}
#if defined(MBEDTLS_BIGNUM_C) #if defined(MBEDTLS_BIGNUM_C)
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition, static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition,
@ -471,6 +478,12 @@ static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t conditio
return (unsigned) (condition & if1); return (unsigned) (condition & if1);
} }
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
mbedtls_ct_condition_t if1)
{
return (mbedtls_ct_condition_t) (condition & if1);
}
#if defined(MBEDTLS_BIGNUM_C) #if defined(MBEDTLS_BIGNUM_C)
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition, static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
@ -481,6 +494,23 @@ static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_conditio
#endif /* MBEDTLS_BIGNUM_C */ #endif /* MBEDTLS_BIGNUM_C */
static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0)
{
/* Coverting int -> uint -> int here is safe, because we require if1 and if0 to be
* in the range -32767..0, and we require 32-bit int and uint types.
*
* This means that (0 <= -if0 < INT_MAX), so negating if0 is safe, and similarly for
* converting back to int.
*/
return -((int) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) (-if1),
(mbedtls_ct_uint_t) (-if0)));
}
static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1)
{
return -((int) (condition & (-if1)));
}
static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x, static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
mbedtls_ct_uint_t y) mbedtls_ct_uint_t y)
{ {
@ -505,7 +535,7 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
return ~mbedtls_ct_uint_gt(x, y); return ~mbedtls_ct_uint_gt(x, y);
} }
static inline mbedtls_ct_condition_t mbedtls_ct_bool_xor(mbedtls_ct_condition_t x, static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
mbedtls_ct_condition_t y) mbedtls_ct_condition_t y)
{ {
return (mbedtls_ct_condition_t) (x ^ y); return (mbedtls_ct_condition_t) (x ^ y);

101
library/constant_time_internal.h
View File

@ -194,11 +194,11 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x, static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
mbedtls_ct_uint_t y); mbedtls_ct_uint_t y);
/** Boolean "xor" operation. /** Boolean not-equals operation.
* *
* Functionally equivalent to: * Functionally equivalent to:
* *
* \p x ^ \p y * \p x != \p y
* *
* \param x The first value to analyze. * \param x The first value to analyze.
* \param y The second value to analyze. * \param y The second value to analyze.
@ -206,10 +206,10 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
* \note This is more efficient than mbedtls_ct_uint_ne if both arguments are * \note This is more efficient than mbedtls_ct_uint_ne if both arguments are
* mbedtls_ct_condition_t. * mbedtls_ct_condition_t.
* *
* \return MBEDTLS_CT_TRUE if \p x ^ \p y, * \return MBEDTLS_CT_TRUE if \p x != \p y,
* otherwise MBEDTLS_CT_FALSE. * otherwise MBEDTLS_CT_FALSE.
*/ */
static inline mbedtls_ct_condition_t mbedtls_ct_bool_xor(mbedtls_ct_condition_t x, static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
mbedtls_ct_condition_t y); mbedtls_ct_condition_t y);
/** Boolean "and" operation. /** Boolean "and" operation.
@ -291,6 +291,22 @@ static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
unsigned if1, unsigned if1,
unsigned if0); unsigned if0);
/** Choose between two mbedtls_ct_condition_t values.
*
* Functionally equivalent to:
*
* condition ? if1 : if0.
*
* \param condition Condition to test.
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
* \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
*
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
*/
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
mbedtls_ct_condition_t if1,
mbedtls_ct_condition_t if0);
#if defined(MBEDTLS_BIGNUM_C) #if defined(MBEDTLS_BIGNUM_C)
/** Choose between two mbedtls_mpi_uint values. /** Choose between two mbedtls_mpi_uint values.
@ -327,6 +343,23 @@ static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t con
*/ */
static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1); static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1);
/** Choose between an mbedtls_ct_condition_t and 0.
*
* Functionally equivalent to:
*
* condition ? if1 : 0.
*
* Functionally equivalent to mbedtls_ct_bool_if(condition, if1, 0) but
* results in smaller code size.
*
* \param condition Condition to test.
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
*
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
*/
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
mbedtls_ct_condition_t if1);
/** Choose between a size_t value and 0. /** Choose between a size_t value and 0.
* *
* Functionally equivalent to: * Functionally equivalent to:
@ -378,6 +411,35 @@ static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
unsigned char c, unsigned char c,
unsigned char t); unsigned char t);
/** Choose between two error values. The values must be in the range [-32767..0].
*
* Functionally equivalent to:
*
* condition ? if1 : if0.
*
* \param condition Condition to test.
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
* \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
*
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
*/
static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0);
/** Choose between an error value and 0. The error value must be in the range [-32767..0].
*
* Functionally equivalent to:
*
* condition ? if1 : 0.
*
* Functionally equivalent to mbedtls_ct_error_if(condition, if1, 0) but
* results in smaller code size.
*
* \param condition Condition to test.
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
*
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
*/
static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1);
/* ============================================================================ /* ============================================================================
* Block memory operations * Block memory operations
@ -492,6 +554,37 @@ void mbedtls_ct_memcpy_offset(unsigned char *dest,
size_t n); size_t n);
*/ */
#if defined(MBEDTLS_NIST_KW_C)
/** Constant-time buffer comparison without branches.
*
* Similar to mbedtls_ct_memcmp, except that the result only depends on part of
* the input data - differences in the head or tail are ignored. Functionally equivalent to:
*
* memcmp(a + skip_head, b + skip_head, size - skip_head - skip_tail)
*
* Time taken depends on \p n, but not on \p skip_head or \p skip_tail .
*
* Behaviour is undefined if ( \p skip_head + \p skip_tail) > \p n.
*
* \param a Secret. Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
* \param b Secret. Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
* \param n The number of bytes to examine (total size of the buffers).
* \param skip_head Secret. The number of bytes to treat as non-significant at the start of the buffer.
* These bytes will still be read.
* \param skip_tail Secret. The number of bytes to treat as non-significant at the end of the buffer.
* These bytes will still be read.
*
* \return Zero if the contents of the two buffers are the same, otherwise non-zero.
*/
int mbedtls_ct_memcmp_partial(const void *a,
const void *b,
size_t n,
size_t skip_head,
size_t skip_tail);
#endif
/* Include the implementation of static inline functions above. */ /* Include the implementation of static inline functions above. */
#include "constant_time_impl.h" #include "constant_time_impl.h"

6
library/gcm.c
View File

@ -35,6 +35,7 @@
#include "mbedtls/platform.h" #include "mbedtls/platform.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/constant_time.h"
#include <string.h> #include <string.h>
@ -601,7 +602,6 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char check_tag[16]; unsigned char check_tag[16];
size_t i;
int diff; int diff;
if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length, if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length,
@ -611,9 +611,7 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
} }
/* Check tag in "constant-time" */ /* Check tag in "constant-time" */
for (diff = 0, i = 0; i < tag_len; i++) { diff = mbedtls_ct_memcmp(tag, check_tag, tag_len);
diff |= tag[i] ^ check_tag[i];
}
if (diff != 0) { if (diff != 0) {
mbedtls_platform_zeroize(output, length); mbedtls_platform_zeroize(output, length);

22
library/nist_kw.c
View File

@ -35,6 +35,7 @@
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/constant_time.h" #include "mbedtls/constant_time.h"
#include "constant_time_internal.h"
#include <stdint.h> #include <stdint.h>
#include <string.h> #include <string.h>
@ -333,9 +334,9 @@ int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
unsigned char *output, size_t *out_len, size_t out_size) unsigned char *output, size_t *out_len, size_t out_size)
{ {
int ret = 0; int ret = 0;
size_t i, olen; size_t olen;
unsigned char A[KW_SEMIBLOCK_LENGTH]; unsigned char A[KW_SEMIBLOCK_LENGTH];
unsigned char diff, bad_padding = 0; int diff;
*out_len = 0; *out_len = 0;
if (out_size < in_len - KW_SEMIBLOCK_LENGTH) { if (out_size < in_len - KW_SEMIBLOCK_LENGTH) {
@ -420,19 +421,15 @@ int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
* larger than 8, because of the type wrap around. * larger than 8, because of the type wrap around.
*/ */
padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen; padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
if (padlen > 7) { ret = mbedtls_ct_error_if(mbedtls_ct_uint_gt(padlen, 7),
MBEDTLS_ERR_CIPHER_AUTH_FAILED, ret);
padlen &= 7; padlen &= 7;
ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
}
/* Check padding in "constant-time" */ /* Check padding in "constant-time" */
for (diff = 0, i = 0; i < KW_SEMIBLOCK_LENGTH; i++) { const uint8_t zero[KW_SEMIBLOCK_LENGTH] = { 0 };
if (i >= KW_SEMIBLOCK_LENGTH - padlen) { diff = mbedtls_ct_memcmp_partial(
diff |= output[*out_len - KW_SEMIBLOCK_LENGTH + i]; &output[*out_len - KW_SEMIBLOCK_LENGTH], zero,
} else { KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH - padlen, 0);
bad_padding |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
}
}
if (diff != 0) { if (diff != 0) {
ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
@ -454,7 +451,6 @@ cleanup:
*out_len = 0; *out_len = 0;
} }
mbedtls_platform_zeroize(&bad_padding, sizeof(bad_padding));
mbedtls_platform_zeroize(&diff, sizeof(diff)); mbedtls_platform_zeroize(&diff, sizeof(diff));
mbedtls_platform_zeroize(A, sizeof(A)); mbedtls_platform_zeroize(A, sizeof(A));

9
library/pk_internal.h
View File

@ -117,5 +117,14 @@ static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_cont
#endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */ #endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_TEST_HOOKS)
MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
mbedtls_pk_context *pk,
unsigned char *key, size_t keylen,
const unsigned char *pwd, size_t pwdlen,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
#endif
#endif /* MBEDTLS_PK_INTERNAL_H */ #endif /* MBEDTLS_PK_INTERNAL_H */

70
library/pkcs12.c
View File

@ -129,18 +129,48 @@ static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_typ
#undef PKCS12_MAX_PWDLEN #undef PKCS12_MAX_PWDLEN
#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t len,
unsigned char *output, size_t output_size,
size_t *output_len);
#endif
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode, int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
const unsigned char *pwd, size_t pwdlen, const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t len, const unsigned char *data, size_t len,
unsigned char *output) unsigned char *output)
{
size_t output_len = 0;
/* We assume caller of the function is providing a big enough output buffer
* so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
* for the output size actually being correct.
*/
return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type,
pwd, pwdlen, data, len, output, SIZE_MAX,
&output_len);
}
#endif
int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t len,
unsigned char *output, size_t output_size,
size_t *output_len)
{ {
int ret, keylen = 0; int ret, keylen = 0;
unsigned char key[32]; unsigned char key[32];
unsigned char iv[16]; unsigned char iv[16];
const mbedtls_cipher_info_t *cipher_info; const mbedtls_cipher_info_t *cipher_info;
mbedtls_cipher_context_t cipher_ctx; mbedtls_cipher_context_t cipher_ctx;
size_t olen = 0; size_t finish_olen = 0;
unsigned int padlen = 0;
if (pwd == NULL && pwdlen != 0) { if (pwd == NULL && pwdlen != 0) {
return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA; return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
@ -153,6 +183,19 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8; keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
if (output_size < len) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
}
if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) {
padlen = cipher_info->block_size - (len % cipher_info->block_size);
if (output_size < (len + padlen)) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
}
if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen, if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
key, keylen, key, keylen,
iv, mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) { iv, mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
@ -171,6 +214,25 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
goto exit; goto exit;
} }
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
/* PKCS12 uses CBC with PKCS7 padding */
mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
/* For historical reasons, when decrypting, this function works when
* decrypting even when support for PKCS7 padding is disabled. In this
* case, it ignores the padding, and so will never report a
* password mismatch.
*/
if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
padding = MBEDTLS_PADDING_NONE;
}
#endif
if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
goto exit;
}
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
if ((ret = if ((ret =
mbedtls_cipher_set_iv(&cipher_ctx, iv, mbedtls_cipher_set_iv(&cipher_ctx, iv,
mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) { mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
@ -182,14 +244,16 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
} }
if ((ret = mbedtls_cipher_update(&cipher_ctx, data, len, if ((ret = mbedtls_cipher_update(&cipher_ctx, data, len,
output, &olen)) != 0) { output, output_len)) != 0) {
goto exit; goto exit;
} }
if ((ret = mbedtls_cipher_finish(&cipher_ctx, output + olen, &olen)) != 0) { if ((ret = mbedtls_cipher_finish(&cipher_ctx, output + (*output_len), &finish_olen)) != 0) {
ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH; ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
} }
*output_len += finish_olen;
exit: exit:
mbedtls_platform_zeroize(key, sizeof(key)); mbedtls_platform_zeroize(key, sizeof(key));
mbedtls_platform_zeroize(iv, sizeof(iv)); mbedtls_platform_zeroize(iv, sizeof(iv));

63
library/pkcs5.c
View File

@ -111,10 +111,36 @@ static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
return 0; return 0;
} }
#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t datalen,
unsigned char *output, size_t output_size,
size_t *output_len);
#endif
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode, int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen, const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t datalen, const unsigned char *data, size_t datalen,
unsigned char *output) unsigned char *output)
{
size_t output_len = 0;
/* We assume caller of the function is providing a big enough output buffer
* so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
* for the output size actually being correct.
*/
return mbedtls_pkcs5_pbes2_ext(pbe_params, mode, pwd, pwdlen, data,
datalen, output, SIZE_MAX, &output_len);
}
#endif
int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t datalen,
unsigned char *output, size_t output_size,
size_t *output_len)
{ {
int ret, iterations = 0, keylen = 0; int ret, iterations = 0, keylen = 0;
unsigned char *p, *end; unsigned char *p, *end;
@ -122,10 +148,10 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
mbedtls_asn1_buf salt; mbedtls_asn1_buf salt;
mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1; mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
unsigned char key[32], iv[32]; unsigned char key[32], iv[32];
size_t olen = 0;
const mbedtls_cipher_info_t *cipher_info; const mbedtls_cipher_info_t *cipher_info;
mbedtls_cipher_type_t cipher_alg; mbedtls_cipher_type_t cipher_alg;
mbedtls_cipher_context_t cipher_ctx; mbedtls_cipher_context_t cipher_ctx;
unsigned int padlen = 0;
p = pbe_params->p; p = pbe_params->p;
end = p + pbe_params->len; end = p + pbe_params->len;
@ -183,6 +209,19 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
return MBEDTLS_ERR_PKCS5_INVALID_FORMAT; return MBEDTLS_ERR_PKCS5_INVALID_FORMAT;
} }
if (mode == MBEDTLS_PKCS5_DECRYPT) {
if (output_size < datalen) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
}
if (mode == MBEDTLS_PKCS5_ENCRYPT) {
padlen = cipher_info->block_size - (datalen % cipher_info->block_size);
if (output_size < (datalen + padlen)) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
}
mbedtls_cipher_init(&cipher_ctx); mbedtls_cipher_init(&cipher_ctx);
memcpy(iv, enc_scheme_params.p, enc_scheme_params.len); memcpy(iv, enc_scheme_params.p, enc_scheme_params.len);
@ -202,8 +241,28 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
goto exit; goto exit;
} }
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
/* PKCS5 uses CBC with PKCS7 padding (which is the same as
* "PKCS5 padding" except that it's typically only called PKCS5
* with 64-bit-block ciphers).
*/
mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
/* For historical reasons, when decrypting, this function works when
* decrypting even when support for PKCS7 padding is disabled. In this
* case, it ignores the padding, and so will never report a
* password mismatch.
*/
if (mode == MBEDTLS_DECRYPT) {
padding = MBEDTLS_PADDING_NONE;
}
#endif
if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
goto exit;
}
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len, if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
data, datalen, output, &olen)) != 0) { data, datalen, output, output_len)) != 0) {
ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH; ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
} }

24
library/pkparse.c
View File

@ -1417,6 +1417,12 @@ static int pk_parse_key_pkcs8_unencrypted_der(
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG; return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
end = p + len;
if (end != (key + keylen)) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0; return 0;
} }
@ -1430,7 +1436,7 @@ static int pk_parse_key_pkcs8_unencrypted_der(
* *
*/ */
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
static int pk_parse_key_pkcs8_encrypted_der( MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
mbedtls_pk_context *pk, mbedtls_pk_context *pk,
unsigned char *key, size_t keylen, unsigned char *key, size_t keylen,
const unsigned char *pwd, size_t pwdlen, const unsigned char *pwd, size_t pwdlen,
@ -1445,6 +1451,7 @@ static int pk_parse_key_pkcs8_encrypted_der(
mbedtls_cipher_type_t cipher_alg; mbedtls_cipher_type_t cipher_alg;
mbedtls_md_type_t md_alg; mbedtls_md_type_t md_alg;
#endif #endif
size_t outlen = 0;
p = key; p = key;
end = p + keylen; end = p + keylen;
@ -1490,9 +1497,9 @@ static int pk_parse_key_pkcs8_encrypted_der(
*/ */
#if defined(MBEDTLS_PKCS12_C) #if defined(MBEDTLS_PKCS12_C)
if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) { if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) {
if ((ret = mbedtls_pkcs12_pbe(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT, if ((ret = mbedtls_pkcs12_pbe_ext(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
cipher_alg, md_alg, cipher_alg, md_alg,
pwd, pwdlen, p, len, buf)) != 0) { pwd, pwdlen, p, len, buf, len, &outlen)) != 0) {
if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) { if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) {
return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
} }
@ -1505,8 +1512,8 @@ static int pk_parse_key_pkcs8_encrypted_der(
#endif /* MBEDTLS_PKCS12_C */ #endif /* MBEDTLS_PKCS12_C */
#if defined(MBEDTLS_PKCS5_C) #if defined(MBEDTLS_PKCS5_C)
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) { if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) {
if ((ret = mbedtls_pkcs5_pbes2(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen, if ((ret = mbedtls_pkcs5_pbes2_ext(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
p, len, buf)) != 0) { p, len, buf, len, &outlen)) != 0) {
if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) { if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) {
return MBEDTLS_ERR_PK_PASSWORD_MISMATCH; return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
} }
@ -1524,8 +1531,7 @@ static int pk_parse_key_pkcs8_encrypted_der(
if (decrypted == 0) { if (decrypted == 0) {
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
} }
return pk_parse_key_pkcs8_unencrypted_der(pk, buf, outlen, f_rng, p_rng);
return pk_parse_key_pkcs8_unencrypted_der(pk, buf, len, f_rng, p_rng);
} }
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
@ -1644,7 +1650,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
key, NULL, 0, &len); key, NULL, 0, &len);
} }
if (ret == 0) { if (ret == 0) {
if ((ret = pk_parse_key_pkcs8_encrypted_der(pk, pem.buf, pem.buflen, if ((ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, pem.buf, pem.buflen,
pwd, pwdlen, f_rng, p_rng)) != 0) { pwd, pwdlen, f_rng, p_rng)) != 0) {
mbedtls_pk_free(pk); mbedtls_pk_free(pk);
} }
@ -1677,7 +1683,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
memcpy(key_copy, key, keylen); memcpy(key_copy, key, keylen);
ret = pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen, ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen,
pwd, pwdlen, f_rng, p_rng); pwd, pwdlen, f_rng, p_rng);
mbedtls_zeroize_and_free(key_copy, keylen); mbedtls_zeroize_and_free(key_copy, keylen);

29
library/rsa.c
View File

@ -158,12 +158,10 @@ static int mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char *input,
* - OUTPUT_TOO_LARGE if the padding is good but the decrypted * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
* plaintext does not fit in the output buffer. * plaintext does not fit in the output buffer.
* - 0 if the padding is correct. */ * - 0 if the padding is correct. */
ret = -(int) mbedtls_ct_uint_if( ret = mbedtls_ct_error_if(
bad, bad,
(unsigned) (-(MBEDTLS_ERR_RSA_INVALID_PADDING)), MBEDTLS_ERR_RSA_INVALID_PADDING,
mbedtls_ct_uint_if_else_0( mbedtls_ct_error_if_else_0(output_too_large, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE)
output_too_large,
(unsigned) (-(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE)))
); );
/* If the padding is bad or the plaintext is too large, zero the /* If the padding is bad or the plaintext is too large, zero the
@ -1541,7 +1539,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t ilen, i, pad_len; size_t ilen, i, pad_len;
unsigned char *p, bad, pad_done; unsigned char *p;
mbedtls_ct_condition_t bad, in_padding;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
unsigned int hlen; unsigned int hlen;
@ -1601,28 +1600,26 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
* Check contents, in "constant-time" * Check contents, in "constant-time"
*/ */
p = buf; p = buf;
bad = 0;
bad |= *p++; /* First byte must be 0 */ bad = mbedtls_ct_bool(*p++); /* First byte must be 0 */
p += hlen; /* Skip seed */ p += hlen; /* Skip seed */
/* Check lHash */ /* Check lHash */
for (i = 0; i < hlen; i++) { bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool(mbedtls_ct_memcmp(lhash, p, hlen)));
bad |= lhash[i] ^ *p++; p += hlen;
}
/* Get zero-padding len, but always read till end of buffer /* Get zero-padding len, but always read till end of buffer
* (minus one, for the 01 byte) */ * (minus one, for the 01 byte) */
pad_len = 0; pad_len = 0;
pad_done = 0; in_padding = MBEDTLS_CT_TRUE;
for (i = 0; i < ilen - 2 * hlen - 2; i++) { for (i = 0; i < ilen - 2 * hlen - 2; i++) {
pad_done |= p[i]; in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_uint_eq(p[i], 0));
pad_len += ((pad_done | (unsigned char) -pad_done) >> 7) ^ 1; pad_len += mbedtls_ct_uint_if_else_0(in_padding, 1);
} }
p += pad_len; p += pad_len;
bad |= *p++ ^ 0x01; bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(*p++, 0x01));
/* /*
* The only information "leaked" is whether the padding was correct or not * The only information "leaked" is whether the padding was correct or not
@ -1630,7 +1627,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
* the different error conditions. * the different error conditions.
*/ */
if (bad != 0) { if (bad != MBEDTLS_CT_FALSE) {
ret = MBEDTLS_ERR_RSA_INVALID_PADDING; ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto cleanup; goto cleanup;
} }

15
library/ssl_msg.c
View File

@ -1547,8 +1547,16 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) { if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
if (rec->data_len < transform->maclen) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Record too short for MAC:"
" %" MBEDTLS_PRINTF_SIZET " < %" MBEDTLS_PRINTF_SIZET,
rec->data_len, transform->maclen));
return MBEDTLS_ERR_SSL_INVALID_MAC;
}
/* The only supported stream cipher is "NULL", /* The only supported stream cipher is "NULL",
* so there's nothing to do here.*/ * so there's no encryption to do here.*/
} else } else
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */ #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
#if defined(MBEDTLS_GCM_C) || \ #if defined(MBEDTLS_GCM_C) || \
@ -2011,7 +2019,7 @@ hmac_failed_etm_enabled:
unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD] = { 0 }; unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD] = { 0 };
unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD] = { 0 }; unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD] = { 0 };
/* If the initial value of padlen was such that /* For CBC+MAC, If the initial value of padlen was such that
* data_len < maclen + padlen + 1, then padlen * data_len < maclen + padlen + 1, then padlen
* got reset to 1, and the initial check * got reset to 1, and the initial check
* data_len >= minlen + maclen + 1 * data_len >= minlen + maclen + 1
@ -2023,6 +2031,9 @@ hmac_failed_etm_enabled:
* subtracted either padlen + 1 (if the padding was correct) * subtracted either padlen + 1 (if the padding was correct)
* or 0 (if the padding was incorrect) since then, * or 0 (if the padding was incorrect) since then,
* hence data_len >= maclen in any case. * hence data_len >= maclen in any case.
*
* For stream ciphers, we checked above that
* data_len >= maclen.
*/ */
rec->data_len -= transform->maclen; rec->data_len -= transform->maclen;
ssl_extract_add_data_from_record(add_data, &add_data_len, rec, ssl_extract_add_data_from_record(add_data, &add_data_len, rec,

6
library/ssl_tls12_client.c
View File

@ -1727,7 +1727,7 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
unsigned char *end) unsigned char *end)
{ {
uint16_t tls_id; uint16_t tls_id;
uint8_t ecpoint_len; size_t ecpoint_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake; mbedtls_ssl_handshake_params *handshake = ssl->handshake;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE; psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
size_t ec_bits = 0; size_t ec_bits = 0;
@ -1779,7 +1779,7 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_DECODE_ERROR; return MBEDTLS_ERR_SSL_DECODE_ERROR;
} }
if (ecpoint_len > PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)) { if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
} }
@ -2059,7 +2059,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q, ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
ssl->handshake->xxdh_psa_peerkey, ssl->handshake->xxdh_psa_peerkey,
MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH); sizeof(ssl->handshake->xxdh_psa_peerkey));
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret); MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);

20
library/ssl_tls12_server.c
View File

@ -3718,22 +3718,32 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
psa_status_t status = PSA_ERROR_GENERIC_ERROR; psa_status_t status = PSA_ERROR_GENERIC_ERROR;
mbedtls_ssl_handshake_params *handshake = ssl->handshake; mbedtls_ssl_handshake_params *handshake = ssl->handshake;
MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key.")); MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
/* /*
* We must have at least two bytes (1 for length, at least 1 for data) * We must have at least two bytes (1 for length, at least 1 for data)
*/ */
if (buf_len < 2) { if (buf_len < 2) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length")); MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; buf_len));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
} }
if (data_len < 1 || data_len > buf_len) { if (data_len < 1 || data_len > buf_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length")); MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; " > %" MBEDTLS_PRINTF_SIZET,
data_len, buf_len));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
} }
/* Store peer's ECDH public key. */ /* Store peer's ECDH public key. */
if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
" > %" MBEDTLS_PRINTF_SIZET,
data_len,
sizeof(handshake->xxdh_psa_peerkey)));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
memcpy(handshake->xxdh_psa_peerkey, p, data_len); memcpy(handshake->xxdh_psa_peerkey, p, data_len);
handshake->xxdh_psa_peerkey_len = data_len; handshake->xxdh_psa_peerkey_len = data_len;

8
library/ssl_tls13_generic.c
View File

@ -1516,7 +1516,13 @@ int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
/* Check if key size is consistent with given buffer length. */ /* Check if key size is consistent with given buffer length. */
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len); MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len);
/* Store peer's ECDH public key. */ /* Store peer's ECDH/FFDH public key. */
if (peerkey_len > sizeof(handshake->xxdh_psa_peerkey)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %u > %" MBEDTLS_PRINTF_SIZET,
(unsigned) peerkey_len,
sizeof(handshake->xxdh_psa_peerkey)));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len); memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len);
handshake->xxdh_psa_peerkey_len = peerkey_len; handshake->xxdh_psa_peerkey_len = peerkey_len;

129
library/x509_create.c
View File

@ -185,51 +185,107 @@ static int parse_attribute_value_string(const char *s,
return 0; return 0;
} }
static int parse_attribute_value_der_encoded(const char *s, /** Parse a hexstring containing a DER-encoded string.
int len, *
* \param s A string of \p len bytes hexadecimal digits.
* \param len Number of bytes to read from \p s.
* \param data Output buffer of size \p data_size.
* On success, it contains the payload that's DER-encoded
* in the input (content without the tag and length).
* If the DER tag is a string tag, the payload is guaranteed
* not to contain null bytes.
* \param data_size Length of the \p data buffer.
* \param data_len On success, the length of the parsed string.
* It is guaranteed to be less than
* #MBEDTLS_X509_MAX_DN_NAME_SIZE.
* \param tag The ASN.1 tag that the payload in \p data is encoded in.
*
* \retval 0 on success.
* \retval #MBEDTLS_ERR_X509_INVALID_NAME if \p s does not contain
* a valid hexstring,
* or if the decoded hexstring is not valid DER,
* or if the payload does not fit in \p data,
* or if the payload is more than
* #MBEDTLS_X509_MAX_DN_NAME_SIZE bytes,
* of if \p *tag is an ASN.1 string tag and the payload
* contains a null byte.
* \retval #MBEDTLS_ERR_X509_ALLOC_FAILED on low memory.
*/
static int parse_attribute_value_hex_der_encoded(const char *s,
size_t len,
unsigned char *data, unsigned char *data,
size_t data_size,
size_t *data_len, size_t *data_len,
int *tag) int *tag)
{ {
const char *c = s; /* Step 1: preliminary length checks. */
const char *end = c + len; /* Each byte is encoded by exactly two hexadecimal digits. */
unsigned char asn1_der_buf[MBEDTLS_X509_MAX_DN_NAME_SIZE]; if (len % 2 != 0) {
unsigned char *asn1_der_end; /* Odd number of hex digits */
unsigned char *p;
unsigned char *d = data;
int n;
/* Converting from hexstring to raw binary so we can use asn1parse.c */
if ((len < 5) || (*c != '#')) {
return MBEDTLS_ERR_X509_INVALID_NAME; return MBEDTLS_ERR_X509_INVALID_NAME;
} }
c++; size_t const der_length = len / 2;
if ((*tag = hexpair_to_int(c)) == -1) { if (der_length > MBEDTLS_X509_MAX_DN_NAME_SIZE + 4) {
/* The payload would be more than MBEDTLS_X509_MAX_DN_NAME_SIZE
* (after subtracting the ASN.1 tag and length). Reject this early
* to avoid allocating a large intermediate buffer. */
return MBEDTLS_ERR_X509_INVALID_NAME; return MBEDTLS_ERR_X509_INVALID_NAME;
} }
c += 2; if (der_length < 1) {
p = asn1_der_buf; /* Avoid empty-buffer shenanigans. A valid DER encoding is never
for (p = asn1_der_buf; c < end; c += 2) { * empty. */
if ((c + 1 >= end) || (n = hexpair_to_int(c)) == -1) {
return MBEDTLS_ERR_X509_INVALID_NAME;
}
if (MBEDTLS_ASN1_IS_STRING_TAG(*tag) && n == 0) {
return MBEDTLS_ERR_X509_INVALID_NAME;
}
*(p++) = n;
}
asn1_der_end = p;
p = asn1_der_buf;
if (mbedtls_asn1_get_len(&p, asn1_der_end, data_len) != 0) {
return MBEDTLS_ERR_X509_INVALID_NAME; return MBEDTLS_ERR_X509_INVALID_NAME;
} }
while (p < asn1_der_end) { /* Step 2: Decode the hex string into an intermediate buffer. */
*(d++) = *(p++); unsigned char *der = mbedtls_calloc(1, der_length);
if (der == NULL) {
return MBEDTLS_ERR_X509_ALLOC_FAILED;
} }
/* Beyond this point, der needs to be freed on exit. */
for (size_t i = 0; i < der_length; i++) {
int c = hexpair_to_int(s + 2 * i);
if (c < 0) {
goto error;
}
der[i] = c;
}
/* Step 3: decode the DER. */
/* We've checked that der_length >= 1 above. */
*tag = der[0];
unsigned char *p = der + 1;
if (mbedtls_asn1_get_len(&p, der + der_length, data_len) != 0) {
goto error;
}
/* Now p points to the first byte of the payload inside der,
* and *data_len is the length of the payload. */
/* Step 4: payload validation */
if (*data_len > MBEDTLS_X509_MAX_DN_NAME_SIZE) {
goto error;
}
/* Strings must not contain null bytes. */
if (MBEDTLS_ASN1_IS_STRING_TAG(*tag)) {
for (size_t i = 0; i < *data_len; i++) {
if (p[i] == 0) {
goto error;
}
}
}
/* Step 5: output the payload. */
if (*data_len > data_size) {
goto error;
}
memcpy(data, p, *data_len);
mbedtls_free(der);
return 0; return 0;
error:
mbedtls_free(der);
return MBEDTLS_ERR_X509_INVALID_NAME;
} }
int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name) int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name)
@ -273,11 +329,14 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
mbedtls_free(oid.p); mbedtls_free(oid.p);
return MBEDTLS_ERR_X509_INVALID_NAME; return MBEDTLS_ERR_X509_INVALID_NAME;
} else if (*s == '#') { } else if (*s == '#') {
if ((parse_ret = /* We know that c >= s (loop invariant) and c != s (in this
parse_attribute_value_der_encoded(s, (int) (c - s), data, &data_len, * else branch), hence c - s - 1 >= 0. */
&tag)) != 0) { parse_ret = parse_attribute_value_hex_der_encoded(
s + 1, c - s - 1,
data, sizeof(data), &data_len, &tag);
if (parse_ret != 0) {
mbedtls_free(oid.p); mbedtls_free(oid.p);
return MBEDTLS_ERR_X509_INVALID_NAME; return parse_ret;
} }
} else { } else {
if (numericoid) { if (numericoid) {

Some files were not shown because too many files have changed in this diff Show More