yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-02-02 18:20:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #873 from ARMmbed/mbedtls-2.28.0_merge_into_release

Browse source 
Mbedtls 2.28.0 merge into release
This commit is contained in:
Dave Rodgman 2021-12-17 11:22:26 +00:00 committed by GitHub
parent c97cc18fb8 8b3f26a5ac
commit 53c268e6a9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
44 changed files with 304 additions and 213 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
BRANCHES.md
View file

@ -48,8 +48,7 @@ The following branches are currently maintained:
- [master](https://github.com/ARMmbed/mbedtls/tree/master)
- [`development`](https://github.com/ARMmbed/mbedtls/)
- [`mbedtls-2.16`](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16)
maintained until at least the end of 2021, see
<https://tls.mbed.org/tech-updates/blog/announcing-lts-branch-mbedtls-2.16>
- [`mbedtls-2.28`](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024.
Users are urged to always use the latest version of a maintained branch.

121
ChangeLog
View file

@ -1,5 +1,126 @@
mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.28.0 branch released 2021-12-17
API changes
* Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
different order. This only affects applications that define such
structures directly or serialize them.
Requirement changes
* Sign-magnitude and one's complement representations for signed integers are
not supported. Two's complement is the only supported representation.
Removals
* Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
which allowed SHA-1 in the default TLS configuration for certificate
signing. It was intended to facilitate the transition in environments
with SHA-1 certificates. SHA-1 is considered a weak message digest and
its use constitutes a security risk.
* Remove the partial support for running unit tests via Greentea on Mbed OS,
which had been unmaintained since 2018.
Features
* The identifier of the CID TLS extension can be configured by defining
MBEDTLS_TLS_EXT_CID at compile time.
* Warn if errors from certain functions are ignored. This is currently
supported on GCC-like compilers and on MSVC and can be configured through
the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
(where supported) for critical functions where ignoring the return
value is almost always a bug. Enable the new configuration option
MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
is currently implemented in the AES, DES and md modules, and will be
extended to other modules in the future.
* Add missing PSA macros declared by PSA Crypto API 1.0.0:
PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
* Add new API mbedtls_ct_memcmp for constant time buffer comparison.
* Add PSA API definition for ARIA.
Security
* Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection.
* In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
from the output buffer. This fixes a potential policy bypass or decryption
oracle vulnerability if the output buffer is in memory that is shared with
an untrusted application.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice.
Bugfix
* Stop using reserved identifiers as local variables. Fixes #4630.
* The GNU makefiles invoke python3 in preference to python except on Windows.
The check was accidentally not performed when cross-compiling for Windows
on Linux. Fix this. Fixes #4774.
* Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
* Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
* Don't use the obsolete header path sys/fcntl.h in unit tests.
These header files cause compilation errors in musl.
Fixes #4969.
* Fix missing constraints on x86_64 and aarch64 assembly code
for bignum multiplication that broke some bignum operations with
(at least) Clang 12.
Fixes #4116, #4786, #4917, #4962.
* Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
* Failures of alternative implementations of AES or DES single-block
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
This does not concern the implementation provided with Mbed TLS,
where this function cannot fail, or full-module replacements with
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
* Some failures of HMAC operations were ignored. These failures could only
happen with an alternative implementation of the underlying hash module.
* Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
* Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
* Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
This algorithm now accepts only the same salt length for verification
that it produces when signing, as documented. Use the new algorithm
PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
* The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
for algorithm values that fully encode the hashing step, as per the PSA
Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
all algorithms that can be used with psa_{sign,verify}_hash(), including
these two.
* Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
not to list other shared libraries they need.
* Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32. Fixes #4884.
* Fix an uninitialized variable warning in test_suite_ssl.function with GCC
version 11.
* Fix the build when no SHA2 module is included. Fixes #4930.
* Fix the build when only the bignum module is included. Fixes #4929.
* Fix a potential invalid pointer dereference and infinite loop bugs in
pkcs12 functions when the password is empty. Fix the documentation to
better describe the inputs to these functions and their possible values.
Fixes #5136.
* The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
operations psa_mac_compute() and psa_mac_sign_setup().
* The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
operations psa_mac_verify() and psa_mac_verify_setup().
Changes
* Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
disabled by default.
* Improve the performance of base64 constant-flow code. The result is still
slower than the original non-constant-flow implementation, but much faster
than the previous constant-flow implementation. Fixes #4814.
* Indicate in the error returned if the nonce length used with
ChaCha20-Poly1305 is invalid, and not just unsupported.
* The mbedcrypto library includes a new source code module constant_time.c,
containing various functions meant to resist timing side channel attacks.
This module does not have a separate configuration option, and functions
from this module will be included in the build as required. Currently
most of the interface of this module is private and may change at any
time.
= mbed TLS 2.27.0 branch released 2021-07-07
API changes

4
ChangeLog.d/base64-ranges.txt
View file

@ -1,4 +0,0 @@
Changes
* Improve the performance of base64 constant-flow code. The result is still
slower than the original non-constant-flow implementation, but much faster
than the previous constant-flow implementation. Fixes #4814.

4
ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
View file

@ -1,4 +0,0 @@
Bugfix
* Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
* Fix #4884.

3
ChangeLog.d/build-without-sha.txt
View file

@ -1,3 +0,0 @@
Bugfix
* Fix the build when no SHA2 module is included. Fixes #4930.
* Fix the build when only the bignum module is included. Fixes #4929.

3
ChangeLog.d/chacha20-poly1305-invalid-nonce.txt
View file

@ -1,3 +0,0 @@
Changes
* Indicate in the error returned if the nonce length used with
ChaCha20-Poly1305 is invalid, and not just unsupported.

19
ChangeLog.d/check-return.txt
View file

@ -1,19 +0,0 @@
Bugfix
* Failures of alternative implementations of AES or DES single-block
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
This does not concern the implementation provided with Mbed TLS,
where this function cannot fail, or full-module replacements with
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
* Some failures of HMAC operations were ignored. These failures could only
happen with an alternative implementation of the underlying hash module.
Features
* Warn if errors from certain functions are ignored. This is currently
supported on GCC-like compilers and on MSVC and can be configured through
the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
(where supported) for critical functions where ignoring the return
value is almost always a bug. Enable the new configuration option
MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
is currently implemented in the AES, DES and md modules, and will be
extended to other modules in the future.

10
ChangeLog.d/constant_time_module.txt
View file

@ -1,10 +0,0 @@
Changes
* The mbedcrypto library includes a new source code module constant_time.c,
containing various functions meant to resist timing side channel attacks.
This module does not have a separate configuration option, and functions
from this module will be included in the build as required. Currently
most of the interface of this module is private and may change at any
time.
Features
* Add new API mbedtls_ct_memcmp for constant time buffer comparison.

5
ChangeLog.d/do-not-use-obsolete-header.txt
View file

@ -1,5 +0,0 @@
Bugfix
* Don't use the obsolete header path sys/fcntl.h in unit tests.
These header files cause compilation errors in musl.
Fixes #4969.

4
ChangeLog.d/fix-cipher-output-size-macros.txt
View file

@ -1,4 +0,0 @@
Bugfix
* Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.

2
ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt
View file

@ -1,2 +0,0 @@
Bugfix
* Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.

3
ChangeLog.d/fix-needed-shared-libraries-linux.txt
View file

@ -1,3 +0,0 @@
Bugfix
* Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
not to list other shared libraries they need.

5
ChangeLog.d/fix-pkcs12-null-password.txt
View file

@ -1,5 +0,0 @@
Bugfix
* Fix a potential invalid pointer dereference and infinite loop bugs in
pkcs12 functions when the password is empty. Fix the documentation to
better describe the inputs to these functions and their possible values.
Fixes #5136.

2
ChangeLog.d/fix-psa_gen_key-status.txt
View file

@ -1,2 +0,0 @@
Bugfix
* Fix the error returned by psa_generate_key() for a public key. Fixes #4551.

3
ChangeLog.d/fix_compilation_ssl_tests.txt
View file

@ -1,3 +0,0 @@
Bugfix
* Fix an uninitialized variable warning in test_suite_ssl.function with GCC
version 11.

2
ChangeLog.d/issue4630.txt
View file

@ -1,2 +0,0 @@
Bugfix
* Stop using reserved identifiers as local variables. Fixes #4630.

6
ChangeLog.d/mac-zeroize.txt
View file

@ -1,6 +0,0 @@
Security
* Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection.

4
ChangeLog.d/makefile-python-windows.txt
View file

@ -1,4 +0,0 @@
Bugfix
* The GNU makefiles invoke python3 in preference to python except on Windows.
The check was accidentally not performed when cross-compiling for Windows
on Linux. Fix this. Fixes #4774.

5
ChangeLog.d/muladdc-memory.txt
View file

@ -1,5 +0,0 @@
Bugfix
* Fix missing constraints on x86_64 and aarch64 assembly code
for bignum multiplication that broke some bignum operations with
(at least) Clang 12.
Fixes #4116, #4786, #4917, #4962.

3
ChangeLog.d/no-strerror.txt
View file

@ -1,3 +0,0 @@
Bugfix
* Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
MBEDTLS_ERROR_STRERROR_DUMMY is enabled.

5
ChangeLog.d/psa_alg_rsa_pss.txt
View file

@ -1,5 +0,0 @@
Bugfix
* Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
This algorithm now accepts only the same salt length for verification
that it produces when signing, as documented. Use the new algorithm
PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.

2
ChangeLog.d/psa_cipher_update_ecp.txt
View file

@ -1,2 +0,0 @@
Bugfix
* Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.

11
ChangeLog.d/psa_crypto_api_macros.txt
View file

@ -1,11 +0,0 @@
Features
* Add missing PSA macros declared by PSA Crypto API 1.0.0:
PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
Bugfix
* The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
for algorithm values that fully encode the hashing step, as per the PSA
Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
all algorithms that can be used with psa_{sign,verify}_hash(), including
these two.

3
ChangeLog.d/remove-greentea-support.txt
View file

@ -1,3 +0,0 @@
Removals
* Remove the partial support for running unit tests via Greentea on Mbed OS,
which had been unmaintained since 2018.

10
ChangeLog.d/remove_default_alllow_sha1.txt
View file

@ -1,10 +0,0 @@
Removals
* Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
which allowed SHA-1 in the default TLS configuration for certificate
signing. It was intended to facilitate the transition in environments
with SHA-1 certificates. SHA-1 is considered a weak message digest and
its use constitutes a security risk.
Changes
* Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
disabled by default.

5
ChangeLog.d/semi-public-structure-fields.txt
View file

@ -1,5 +0,0 @@
API changes
* Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
different order. This only affects applications that define such
structures directly or serialize them.

3
ChangeLog.d/tls_ext_cid-config.txt
View file

@ -1,3 +0,0 @@
Features
* The identifier of the CID TLS extension can be configured by defining
MBEDTLS_TLS_EXT_CID at compile time.

3
ChangeLog.d/twos_complement_representation.txt
View file

@ -1,3 +0,0 @@
Requirement changes
* Sign-magnitude and one's complement representations for signed integers are
not supported. Two's complement is the only supported representation.

2
doxygen/input/doc_mainpage.h
View file

@ -22,7 +22,7 @@
*/
/**
* @mainpage mbed TLS v2.27.0 source code documentation
* @mainpage mbed TLS v2.28.0 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in

2
doxygen/mbedtls.doxyfile
View file

@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
PROJECT_NAME = "mbed TLS v2.27.0"
PROJECT_NAME = "mbed TLS v2.28.0"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or

8
include/mbedtls/version.h
View file

@ -37,7 +37,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 27
#define MBEDTLS_VERSION_MINOR 28
#define MBEDTLS_VERSION_PATCH 0
/**
@ -45,9 +45,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
#define MBEDTLS_VERSION_NUMBER 0x021B0000
#define MBEDTLS_VERSION_STRING "2.27.0"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.27.0"
#define MBEDTLS_VERSION_NUMBER 0x021C0000
#define MBEDTLS_VERSION_STRING "2.28.0"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.28.0"
#if defined(MBEDTLS_VERSION_C)

6
library/CMakeLists.txt
View file

@ -203,15 +203,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(${mbedcrypto_target} SHARED ${src_crypto})
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.27.0 SOVERSION 7)
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.0 SOVERSION 7)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
add_library(${mbedx509_target} SHARED ${src_x509})
set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.27.0 SOVERSION 1)
set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.0 SOVERSION 1)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.27.0 SOVERSION 13)
set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.0 SOVERSION 14)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)

2
library/Makefile
View file

@ -39,7 +39,7 @@ LOCAL_CFLAGS += -fPIC -fpic
endif
endif
SOEXT_TLS=so.13
SOEXT_TLS=so.14
SOEXT_X509=so.1
SOEXT_CRYPTO=so.7

91
library/psa_crypto.c
View file

@ -3396,8 +3396,8 @@ psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation,
size_t *iv_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
*iv_length = 0;
uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
size_t default_iv_length;
if( operation->id == 0 )
{
@ -3411,28 +3411,38 @@ psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation,
goto exit;
}
if( iv_size < operation->default_iv_length )
default_iv_length = operation->default_iv_length;
if( iv_size < default_iv_length )
{
status = PSA_ERROR_BUFFER_TOO_SMALL;
goto exit;
}
status = psa_generate_random( iv, operation->default_iv_length );
if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE )
{
status = PSA_ERROR_GENERIC_ERROR;
goto exit;
}
status = psa_generate_random( local_iv, default_iv_length );
if( status != PSA_SUCCESS )
goto exit;
status = psa_driver_wrapper_cipher_set_iv( operation,
iv,
operation->default_iv_length );
local_iv, default_iv_length );
exit:
if( status == PSA_SUCCESS )
{
memcpy( iv, local_iv, default_iv_length );
*iv_length = default_iv_length;
operation->iv_set = 1;
*iv_length = operation->default_iv_length;
}
else
{
*iv_length = 0;
psa_cipher_abort( operation );
}
return( status );
}
@ -3573,50 +3583,67 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key,
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_slot_t *slot;
psa_key_type_t key_type;
size_t iv_length;
*output_length = 0;
psa_key_slot_t *slot = NULL;
uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
size_t default_iv_length = 0;
if( ! PSA_ALG_IS_CIPHER( alg ) )
return( PSA_ERROR_INVALID_ARGUMENT );
{
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_get_and_lock_key_slot_with_policy( key, &slot,
PSA_KEY_USAGE_ENCRYPT,
alg );
if( status != PSA_SUCCESS )
return( status );
goto exit;
psa_key_attributes_t attributes = {
.core = slot->attr
};
key_type = slot->attr.type;
iv_length = PSA_CIPHER_IV_LENGTH( key_type, alg );
if( iv_length > 0 )
default_iv_length = PSA_CIPHER_IV_LENGTH( slot->attr.type, alg );
if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE )
{
if( output_size < iv_length )
status = PSA_ERROR_GENERIC_ERROR;
goto exit;
}
if( default_iv_length > 0 )
{
if( output_size < default_iv_length )
{
status = PSA_ERROR_BUFFER_TOO_SMALL;
goto exit;
}
status = psa_generate_random( output, iv_length );
status = psa_generate_random( local_iv, default_iv_length );
if( status != PSA_SUCCESS )
goto exit;
}
status = psa_driver_wrapper_cipher_encrypt(
&attributes, slot->key.data, slot->key.bytes,
alg, input, input_length,
output, output_size, output_length );
alg, local_iv, default_iv_length, input, input_length,
output + default_iv_length, output_size - default_iv_length,
output_length );
exit:
unlock_status = psa_unlock_key_slot( slot );
if( status == PSA_SUCCESS )
status = unlock_status;
return( ( status == PSA_SUCCESS ) ? unlock_status : status );
if( status == PSA_SUCCESS )
{
if( default_iv_length > 0 )
memcpy( output, local_iv, default_iv_length );
*output_length += default_iv_length;
}
else
*output_length = 0;
return( status );
}
psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key,
@ -3629,18 +3656,19 @@ psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key,
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_slot_t *slot;
*output_length = 0;
psa_key_slot_t *slot = NULL;
if( ! PSA_ALG_IS_CIPHER( alg ) )
return( PSA_ERROR_INVALID_ARGUMENT );
{
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_get_and_lock_key_slot_with_policy( key, &slot,
PSA_KEY_USAGE_DECRYPT,
alg );
if( status != PSA_SUCCESS )
return( status );
goto exit;
psa_key_attributes_t attributes = {
.core = slot->attr
@ -3659,8 +3687,13 @@ psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key,
exit:
unlock_status = psa_unlock_key_slot( slot );
if( status == PSA_SUCCESS )
status = unlock_status;
return( ( status == PSA_SUCCESS ) ? unlock_status : status );
if( status != PSA_SUCCESS )
*output_length = 0;
return( status );
}

45
library/psa_crypto_cipher.c
View file

@ -444,20 +444,21 @@ psa_status_t mbedtls_psa_cipher_abort(
return( PSA_SUCCESS );
}
psa_status_t mbedtls_psa_cipher_encrypt(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
uint8_t *output,
size_t output_size,
size_t *output_length )
psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes,
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
const uint8_t *iv,
size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,
size_t output_size,
size_t *output_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
size_t olength, accumulated_length;
size_t update_output_length, finish_output_length;
status = mbedtls_psa_cipher_encrypt_setup( &operation, attributes,
key_buffer, key_buffer_size,
@ -465,33 +466,25 @@ psa_status_t mbedtls_psa_cipher_encrypt(
if( status != PSA_SUCCESS )
goto exit;
accumulated_length = 0;
if( operation.iv_length > 0 )
if( iv_length > 0 )
{
status = mbedtls_psa_cipher_set_iv( &operation,
output, operation.iv_length );
status = mbedtls_psa_cipher_set_iv( &operation, iv, iv_length );
if( status != PSA_SUCCESS )
goto exit;
accumulated_length = operation.iv_length;
}
status = mbedtls_psa_cipher_update( &operation, input, input_length,
output + operation.iv_length,
output_size - operation.iv_length,
&olength );
output, output_size, &update_output_length );
if( status != PSA_SUCCESS )
goto exit;
accumulated_length += olength;
status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length,
output_size - accumulated_length,
&olength );
status = mbedtls_psa_cipher_finish( &operation, output + update_output_length,
output_size - update_output_length,
&finish_output_length );
if( status != PSA_SUCCESS )
goto exit;
*output_length = accumulated_length + olength;
*output_length = update_output_length + finish_output_length;
exit:
if( status == PSA_SUCCESS )

18
library/psa_crypto_cipher.h
View file

@ -213,16 +213,12 @@ psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation
* \param[in] alg The cipher algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_CIPHER(\p alg) is true).
* \param[in] input Buffer containing the message to encrypt.
* \param[in] input_length Size of the \p input buffer in bytes.
* \param[in] iv Buffer containing the IV for encryption. The
* IV has been generated by the core.
* \param[in] iv_length Size of the \p iv in bytes.
* \param[in] input Buffer containing the message to encrypt.
* \param[in] input_length Size of the \p input buffer in bytes.
* \param[in,out] output Buffer where the output is to be written.
* The core has generated and written the IV
* at the beginning of this buffer before
* this function is called. The size of the IV
* is PSA_CIPHER_IV_LENGTH( key_type, alg ) where
* \c key_type is the type of the key identified
* by \p key and \p alg is the cipher algorithm
* to compute.
* \param[in] output_size Size of the \p output buffer in bytes.
* \param[out] output_length On success, the number of bytes that make up
* the returned output. Initialized to zero
@ -235,7 +231,7 @@ psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The size of \p iv is not acceptable for the chosen algorithm,
* The size \p iv_length is not acceptable for the chosen algorithm,
* or the chosen algorithm does not use an IV.
* The total input size passed to this operation is not valid for
* this particular algorithm. For example, the algorithm is a based
@ -249,6 +245,8 @@ psa_status_t mbedtls_psa_cipher_encrypt( const psa_key_attributes_t *attributes,
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
const uint8_t *iv,
size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,

8
library/psa_crypto_driver_wrappers.c
View file

@ -778,6 +778,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
const uint8_t *iv,
size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,
@ -799,6 +801,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
key_buffer,
key_buffer_size,
alg,
iv,
iv_length,
input,
input_length,
output,
@ -815,6 +819,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
key_buffer,
key_buffer_size,
alg,
iv,
iv_length,
input,
input_length,
output,
@ -832,6 +838,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
key_buffer,
key_buffer_size,
alg,
iv,
iv_length,
input,
input_length,
output,

2
library/psa_crypto_driver_wrappers.h
View file

@ -108,6 +108,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
const uint8_t *iv,
size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,

4
library/ssl_tls.c
View file

@ -188,6 +188,10 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
mbedtls_ssl_session_free( dst );
memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
dst->ticket = NULL;
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)

2
tests/include/test/drivers/cipher.h
View file

@ -57,6 +57,7 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt(
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
psa_algorithm_t alg,
const uint8_t *iv, size_t iv_length,
const uint8_t *input, size_t input_length,
uint8_t *output, size_t output_size, size_t *output_length);
@ -102,6 +103,7 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt(
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
psa_algorithm_t alg,
const uint8_t *iv, size_t iv_length,
const uint8_t *input, size_t input_length,
uint8_t *output, size_t output_size, size_t *output_length);

11
tests/src/drivers/test_driver_cipher.c
View file

@ -48,6 +48,8 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt(
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
const uint8_t *iv,
size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,
@ -72,19 +74,17 @@ psa_status_t mbedtls_test_transparent_cipher_encrypt(
if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS )
return( mbedtls_test_driver_cipher_hooks.forced_status );
psa_generate_random( output, PSA_CIPHER_IV_LENGTH( attributes->core.type, alg ) );
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
return( libtestdriver1_mbedtls_psa_cipher_encrypt(
(const libtestdriver1_psa_key_attributes_t *)attributes,
key_buffer, key_buffer_size,
alg, input, input_length,
alg, iv, iv_length, input, input_length,
output, output_size, output_length ) );
#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER)
return( mbedtls_psa_cipher_encrypt(
attributes, key_buffer, key_buffer_size,
alg, input, input_length,
alg, iv, iv_length, input, input_length,
output, output_size, output_length ) );
#endif
@ -321,6 +321,7 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt(
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
psa_algorithm_t alg,
const uint8_t *iv, size_t iv_length,
const uint8_t *input, size_t input_length,
uint8_t *output, size_t output_size, size_t *output_length)
{
@ -328,6 +329,8 @@ psa_status_t mbedtls_test_opaque_cipher_encrypt(
(void) key;
(void) key_length;
(void) alg;
(void) iv;
(void) iv_length;
(void) input;
(void) input_length;
(void) output;

11
tests/suites/test_suite_psa_crypto.function
View file

@ -2600,6 +2600,9 @@ void cipher_encrypt_alg_without_iv( int alg_arg,
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_type_t key_type = key_type_arg;
psa_algorithm_t alg = alg_arg;
psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
uint8_t iv[1] = { 0x5a };
size_t iv_length;
unsigned char *output = NULL;
size_t output_buffer_size = 0;
size_t output_length = 0;
@ -2617,6 +2620,14 @@ void cipher_encrypt_alg_without_iv( int alg_arg,
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&key ) );
PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ),
PSA_ERROR_BAD_STATE );
PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ),
&iv_length ),
PSA_ERROR_BAD_STATE );
PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, output,
output_buffer_size, &output_length ) );
TEST_ASSERT( output_length <=

46
tests/suites/test_suite_psa_crypto_driver_wrappers.function
View file

@ -872,6 +872,39 @@ void cipher_entry_points( int alg_arg, int key_type_arg,
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&key ) );
/*
* Test encrypt failure
* First test that if we don't force a driver error, encryption is
* successfull, then force driver error.
*/
status = psa_cipher_encrypt(
key, alg, input->x, input->len,
output, output_buffer_size, &function_output_length );
TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 );
TEST_EQUAL( status, PSA_SUCCESS );
mbedtls_test_driver_cipher_hooks.hits = 0;
mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR;
/* Set the output buffer in a given state. */
for( size_t i = 0; i < output_buffer_size; i++ )
output[i] = 0xa5;
status = psa_cipher_encrypt(
key, alg, input->x, input->len,
output, output_buffer_size, &function_output_length );
TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 );
TEST_EQUAL( status, PSA_ERROR_GENERIC_ERROR );
/*
* Check that the output buffer is still in the same state.
* This will fail if the output buffer is used by the core to pass the IV
* it generated to the driver (and is not restored).
*/
for( size_t i = 0; i < output_buffer_size; i++ )
{
TEST_EQUAL( output[i], 0xa5 );
}
mbedtls_test_driver_cipher_hooks.hits = 0;
/* Test setup call, encrypt */
mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR;
status = psa_cipher_encrypt_setup( &operation, key, alg );
@ -923,10 +956,23 @@ void cipher_entry_points( int alg_arg, int key_type_arg,
mbedtls_test_driver_cipher_hooks.hits = 0;
mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR;
/* Set the output buffer in a given state. */
for( size_t i = 0; i < 16; i++ )
output[i] = 0xa5;
status = psa_cipher_generate_iv( &operation, output, 16, &function_output_length );
/* When generating the IV fails, it should call abort too */
TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 2 );
TEST_EQUAL( status, mbedtls_test_driver_cipher_hooks.forced_status );
/*
* Check that the output buffer is still in the same state.
* This will fail if the output buffer is used by the core to pass the IV
* it generated to the driver (and is not restored).
*/
for( size_t i = 0; i < 16; i++ )
{
TEST_EQUAL( output[i], 0xa5 );
}
/* Failure should prevent further operations from executing on the driver */
mbedtls_test_driver_cipher_hooks.hits = 0;
status = psa_cipher_update( &operation,

4
tests/suites/test_suite_version.data
View file

@ -1,8 +1,8 @@
Check compiletime library version
check_compiletime_version:"2.27.0"
check_compiletime_version:"2.28.0"
Check runtime library version
check_runtime_version:"2.27.0"
check_runtime_version:"2.28.0"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0