diff --git a/BRANCHES.md b/BRANCHES.md index 6240023dc..c7a6082ec 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -101,6 +101,6 @@ The following branches are currently maintained: - [`development`](https://github.com/Mbed-TLS/mbedtls/) - [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28) maintained until at least the end of 2024, see - . + . Users are urged to always use the latest version of a maintained branch. diff --git a/CMakeLists.txt b/CMakeLists.txt index f72de6420..64c105809 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -350,7 +350,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL) write_basic_package_version_file( "cmake/MbedTLSConfigVersion.cmake" COMPATIBILITY SameMajorVersion - VERSION 3.2.1) + VERSION 3.3.0) install( FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake" diff --git a/ChangeLog b/ChangeLog index cb277dc71..1404d3647 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,209 @@ Mbed TLS ChangeLog (Sorted per branch, date) += Mbed TLS 3.3.0 branch released 2022-12-14 + +Default behavior changes + * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05 + of the IETF draft, and was marked experimental and disabled by default. + It is now no longer experimental, and implements the final version from + RFC 9146, which is not interoperable with the draft-05 version. + If you need to communicate with peers that use earlier versions of + Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT + to 1, but then you won't be able to communicate with peers that use the + standard (non-draft) version. + If you need to interoperate with both classes of peers with the + same build of Mbed TLS, please let us know about your situation on the + mailing list or GitHub. + +Requirement changes + * When building with PSA drivers using generate_driver_wrappers.py, or + when building the library from the development branch rather than + from a release, the Python module jsonschema is now necessary, in + addition to jinja2. The official list of required Python modules is + maintained in scripts/basic.requirements.txt and may change again + in the future. + +New deprecations + * Deprecate mbedtls_asn1_free_named_data(). + Use mbedtls_asn1_free_named_data_list() + or mbedtls_asn1_free_named_data_list_shallow(). + +Features + * Support rsa_pss_rsae_* signature algorithms in TLS 1.2. + * make: enable building unversioned shared library, with e.g.: + "SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib" + resulting in library names like "libmbedtls.so" rather than + "libmbedcrypto.so.11". + * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API. + Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm + are supported in this implementation. + * Some modules can now use PSA drivers for hashes, including with no + built-in implementation present, but only in some configurations. + - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use + hashes from PSA when (and only when) MBEDTLS_MD_C is disabled. + - PEM parsing of encrypted files now uses MD-5 from PSA when (and only + when) MBEDTLS_MD5_C is disabled. + See the documentation of the corresponding macros in mbedtls_config.h for + details. + Note that some modules are not able to use hashes from PSA yet, including + the entropy module. As a consequence, for now the only way to build with + all hashes only provided by drivers (no built-in hash) is to use + MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. + * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now + properly negotiate/accept hashes based on their availability in PSA. + As a consequence, they now work in configurations where the built-in + implementations of (some) hashes are excluded and those hashes are only + provided by PSA drivers. (See previous entry for limitation on RSA-PSS + though: that module only use hashes from PSA when MBEDTLS_MD_C is off). + * Add support for opaque keys as the private keys associated to certificates + for authentication in TLS 1.3. + * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme. + Signature verification is production-ready, but generation is for testing + purposes only. This currently only supports one parameter set + (LMS_SHA256_M32_H10), meaning that each private key can be used to sign + 1024 messages. As such, it is not intended for use in TLS, but instead + for verification of assets transmitted over an insecure channel, + particularly firmware images. + * Add the LM-OTS post-quantum-safe one-time signature scheme, which is + required for LMS. This can be used independently, but each key can only + be used to sign one message so is impractical for most circumstances. + * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys. + The pre-shared keys can be provisioned externally or via the ticket + mechanism (session resumption). + The ticket mechanism is supported when the configuration option + MBEDTLS_SSL_SESSION_TICKETS is enabled. + New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED + control the support for the three possible TLS 1.3 key exchange modes. + * cert_write: support for setting extended key usage attributes. A + corresponding new public API call has been added in the library, + mbedtls_x509write_crt_set_ext_key_usage(). + * cert_write: support for writing certificate files in either PEM + or DER format. + * The PSA driver wrapper generator generate_driver_wrappers.py now + supports a subset of the driver description language, including + the following entry points: import_key, export_key, export_public_key, + get_builtin_key, copy_key. + * The new functions mbedtls_asn1_free_named_data_list() and + mbedtls_asn1_free_named_data_list_shallow() simplify the management + of memory in named data lists in X.509 structures. + * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API. + Additional PSA key slots will be allocated in the process of such key + exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and + MBEDTLS_USE_PSA_CRYPTO. + * Add support for DTLS Connection ID as defined by RFC 9146, controlled by + MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with + mbedtls_ssl_set_cid(). + * Add a driver dispatch layer for raw key agreement, enabling alternative + implementations of raw key agreement through the key_agreement driver + entry point. This entry point is specified in the proposed PSA driver + interface, but had not yet been implemented. + * Add an ad-hoc key derivation function handling EC J-PAKE to PMS + calculation that can be used to derive the session secret in TLS 1.2, + as described in draft-cragie-tls-ecjpake-01. This can be achieved by + using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm. + +Security + * Fix potential heap buffer overread and overwrite in DTLS if + MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and + MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. + * An adversary with access to precise enough information about memory + accesses (typically, an untrusted operating system attacking a secure + enclave) could recover an RSA private key after observing the victim + performing a single private-key operation if the window size used for the + exponentiation was 3 or smaller. Found and reported by Zili KOU, + Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks + and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation + and Test in Europe 2023. + +Bugfix + * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147. + * Fix an issue with in-tree CMake builds in releases with GEN_FILES + turned off: if a shipped file was missing from the working directory, + it could be turned into a symbolic link to itself. + * Fix a long-standing build failure when building x86 PIC code with old + gcc (4.x). The code will be slower, but will compile. We do however + recommend upgrading to a more recent compiler instead. Fixes #1910. + * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined. + Contributed by Kazuyuki Kimura to fix #2020. + * Use double quotes to include private header file psa_crypto_cipher.h. + Fixes 'file not found with include' error + when building with Xcode. + * Fix handling of broken symlinks when loading certificates using + mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a + broken link is encountered, skip the broken link and continue parsing + other certificate files. Contributed by Eduardo Silva in #2602. + * Fix an interoperability failure between an Mbed TLS client with both + TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports + rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS + advertised support for PSS in both TLS 1.2 and 1.3, but only + actually supported PSS in TLS 1.3. + * Fix a compilation error when using CMake with an IAR toolchain. + Fixes #5964. + * Fix a build error due to a missing prototype warning when + MBEDTLS_DEPRECATED_REMOVED is enabled. + * Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When + MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an + uninitialized context. + * Fix a build issue on Windows using CMake where the source and build + directories could not be on different drives. Fixes #5751. + * Fix bugs and missing dependencies when building and testing + configurations with only one encryption type enabled in TLS 1.2. + * Provide the missing definition of mbedtls_setbuf() in some configurations + with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196. + * Fix compilation errors when trying to build with + PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305). + * Fix memory leak in ssl_parse_certificate_request() caused by + mbedtls_x509_get_name() not freeing allocated objects in case of error. + Change mbedtls_x509_get_name() to clean up allocated objects on error. + * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not + MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408. + * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not + MBEDTLS_PK_PARSE_C. Fixes #6409. + * Fix ECDSA verification, where it was not always validating the + public key. This bug meant that it was possible to verify a + signature with an invalid public key, in some cases. Reported by + Guido Vranken using Cryptofuzz in #4420. + * Fix a possible null pointer dereference if a memory allocation fails + in TLS PRF code. Reported by Michael Madsen in #6516. + * Fix TLS 1.3 session resumption. Fixes #6488. + * Add a configuration check to exclude optional client authentication + in TLS 1.3 (where it is forbidden). + * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable + bytes when parsing certificates containing a binary RFC 4108 + HardwareModuleName as a Subject Alternative Name extension. Hardware + serial numbers are now rendered in hex format. Fixes #6262. + * Fix bug in error reporting in dh_genprime.c where upon failure, + the error code returned by mbedtls_mpi_write_file() is overwritten + and therefore not printed. + * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A) + with A > 0 created an unintended representation of the value 0 which was + not processed correctly by some bignum operations. Fix this. This had no + consequence on cryptography code, but might affect applications that call + bignum directly and use negative numbers. + * Fix a bug whereby the list of signature algorithms sent as part of + the TLS 1.2 server certificate request would get corrupted, meaning the + first algorithm would not get sent and an entry consisting of two random + bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian. + * Fix undefined behavior (typically harmless in practice) of + mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() + when both operands are 0 and the left operand is represented with 0 limbs. + * Fix undefined behavior (typically harmless in practice) when some bignum + functions receive the most negative value of mbedtls_mpi_sint. Credit + to OSS-Fuzz. Fixes #6597. + * Fix undefined behavior (typically harmless in practice) in PSA ECB + encryption and decryption. + * Move some SSL-specific code out of libmbedcrypto where it had been placed + accidentally. + * Fix a build error when compiling the bignum module for some Arm platforms. + Fixes #6089, #6124, #6217. + +Changes + * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config. + * Calling AEAD tag-specific functions for non-AEAD algorithms (which + should not be done - they are documented for use only by AES-GCM and + ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE + instead of success (0). + = Mbed TLS 3.2.1 branch released 2022-07-12 Bugfix @@ -249,7 +453,7 @@ Bugfix make to break on a clean checkout. Fixes #5340. * Work around an MSVC ARM64 compiler bug causing incorrect behaviour in mbedtls_mpi_exp_mod(). Reported by Tautvydas Žilys in #5467. - * Removed the prompt to exit from all windows build programs that was causing + * Removed the prompt to exit from all windows build programs, which was causing issues in CI/CD environments. Changes diff --git a/ChangeLog.d/LMS.txt b/ChangeLog.d/LMS.txt deleted file mode 100644 index 785bfcf84..000000000 --- a/ChangeLog.d/LMS.txt +++ /dev/null @@ -1,11 +0,0 @@ -Features - * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme. - Signature verification is production-ready, but generation is for testing - purposes only. This currently only supports one parameter set - (LMS_SHA256_M32_H10), meaning that each private key can be used to sign - 1024 messages. As such, it is not intended for use in TLS, but instead - for verification of assets transmitted over an insecure channel, - particularly firmware images. - * Add the LM-OTS post-quantum-safe one-time signature scheme, which is - required for LMS. This can be used independently, but each key can only - be used to sign one message so is impractical for most circumstances. diff --git a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt deleted file mode 100644 index 0d409688e..000000000 --- a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt +++ /dev/null @@ -1,8 +0,0 @@ -Features - * Support rsa_pss_rsae_* signature algorithms in TLS 1.2. -Bugfix - * Fix an interoperability failure between an Mbed TLS client with both - TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports - rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS - advertised support for PSS in both TLS 1.2 and 1.3, but only - actually supported PSS in TLS 1.3. diff --git a/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt b/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt deleted file mode 100644 index 1d59c2277..000000000 --- a/ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix a long-standing build failure when building x86 PIC code with old - gcc (4.x). The code will be slower, but will compile. We do however - recommend upgrading to a more recent compiler instead. Fixes #1910. diff --git a/ChangeLog.d/cert_write-set-extended-key-usages.txt b/ChangeLog.d/cert_write-set-extended-key-usages.txt deleted file mode 100644 index 18b7b040d..000000000 --- a/ChangeLog.d/cert_write-set-extended-key-usages.txt +++ /dev/null @@ -1,6 +0,0 @@ -Features - * cert_write: support for setting extended key usage attributes. A - corresponding new public API call has been added in the library, - mbedtls_x509write_crt_set_ext_key_usage(). - * cert_write: support for writing certificate files in either PEM - or DER format. diff --git a/ChangeLog.d/driver-only-hashes.txt b/ChangeLog.d/driver-only-hashes.txt deleted file mode 100644 index 6ccd199ba..000000000 --- a/ChangeLog.d/driver-only-hashes.txt +++ /dev/null @@ -1,19 +0,0 @@ -Features - * Some modules can now use PSA drivers for hashes, including with no - built-in implementation present, but only in some configurations. - - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use - hashes from PSA when (and only when) MBEDTLS_MD_C is disabled. - - PEM parsing of encrypted files now uses MD-5 from PSA when (and only - when) MBEDTLS_MD5_C is disabled. - See the documentation of the corresponding macros in mbedtls_config.h for - details. - Note that some modules are not able to use hashes from PSA yet, including - the entropy module. As a consequence, for now the only way to build with - all hashes only provided by drivers (no built-in hash) is to use - MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. - * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now - properly negotiate/accept hashes based on their availability in PSA. - As a consequence, they now work in configurations where the built-in - implementations of (some) hashes are excluded and those hashes are only - provided by PSA drivers. (See previous entry for limitation on RSA-PSS - though: that module only use hashes from PSA when MBEDTLS_MD_C is off). diff --git a/ChangeLog.d/dtls-connection-id.txt b/ChangeLog.d/dtls-connection-id.txt deleted file mode 100644 index 840f837d8..000000000 --- a/ChangeLog.d/dtls-connection-id.txt +++ /dev/null @@ -1,17 +0,0 @@ -Features - * Add support for DTLS Connection ID as defined by RFC 9146, controlled by - MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with - mbedtls_ssl_set_cid(). - -Default behavior changes - * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05 - of the IETF draft, and was marked experimental and disabled by default. - It is now no longer experimental, and implements the final version from - RFC 9146, which is not interoperable with the draft-05 version. - If you need to communicate with peers that use earlier versions of - Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT - to 1, but then you won't be able to communicate with peers that use the - standard (non-draft) version. - If you need to interoperate with both classes of peers with the - same build of Mbed TLS, please let us know about your situation on the - mailing list or GitHub. diff --git a/ChangeLog.d/ecdsa-verify-fixes.txt b/ChangeLog.d/ecdsa-verify-fixes.txt deleted file mode 100644 index b41b0461a..000000000 --- a/ChangeLog.d/ecdsa-verify-fixes.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix ECDSA verification, where it was not always validating the - public key. This bug meant that it was possible to verify a - signature with an invalid public key, in some cases. Reported by - Guido Vranken using Cryptofuzz in #4420. diff --git a/ChangeLog.d/ecjpake-in-tls.txt b/ChangeLog.d/ecjpake-in-tls.txt deleted file mode 100644 index b84caab86..000000000 --- a/ChangeLog.d/ecjpake-in-tls.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API. - Additional PSA key slots will be allocated in the process of such key - exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and - MBEDTLS_USE_PSA_CRYPTO. diff --git a/ChangeLog.d/ecjpake_to_pms.txt b/ChangeLog.d/ecjpake_to_pms.txt deleted file mode 100644 index 4dd2075de..000000000 --- a/ChangeLog.d/ecjpake_to_pms.txt +++ /dev/null @@ -1,5 +0,0 @@ -API changes - * Add an ad-hoc key derivation function handling ECJPAKE to PMS - calculation that can be used to derive the session secret in TLS 1.2, - as described in draft-cragie-tls-ecjpake-01. This can be achieved by - using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm. diff --git a/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt b/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt deleted file mode 100644 index 99b2ec4ee..000000000 --- a/ChangeLog.d/extend-query_compile_time_config-to-psa_want.txt +++ /dev/null @@ -1,2 +0,0 @@ -Changes - * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config. diff --git a/ChangeLog.d/fix-aes-shallow-copying.txt b/ChangeLog.d/fix-aes-shallow-copying.txt deleted file mode 100644 index 0c119d628..000000000 --- a/ChangeLog.d/fix-aes-shallow-copying.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147. diff --git a/ChangeLog.d/fix-ctr-drbg-may-free-invalid-aes-context.txt b/ChangeLog.d/fix-ctr-drbg-may-free-invalid-aes-context.txt deleted file mode 100644 index fe62c28ed..000000000 --- a/ChangeLog.d/fix-ctr-drbg-may-free-invalid-aes-context.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When - MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an - uninitialized context. diff --git a/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt deleted file mode 100644 index 1f9e0aa35..000000000 --- a/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt +++ /dev/null @@ -1,5 +0,0 @@ -Changes - * Calling AEAD tag-specific functions for non-AEAD algorithms (which - should not be done - they are documented for use only by AES-GCM and - ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE - instead of success (0). diff --git a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt b/ChangeLog.d/fix-tls12server-sent-sigalgs.txt deleted file mode 100644 index b74c6ec20..000000000 --- a/ChangeLog.d/fix-tls12server-sent-sigalgs.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix a bug whereby the list of signature algorithms sent as part of - the TLS 1.2 server certificate request would get corrupted, meaning the - first algorithm would not get sent and an entry consisting of two random - bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian. diff --git a/ChangeLog.d/fix_aead_psa_driver_build.txt b/ChangeLog.d/fix_aead_psa_driver_build.txt deleted file mode 100644 index a6d11d38d..000000000 --- a/ChangeLog.d/fix_aead_psa_driver_build.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix compilation errors when trying to build with - PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305). diff --git a/ChangeLog.d/fix_arm_compile_erorr.txt b/ChangeLog.d/fix_arm_compile_erorr.txt deleted file mode 100644 index 28c1d45e2..000000000 --- a/ChangeLog.d/fix_arm_compile_erorr.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a build error when compiling the bignum module for some Arm platforms. - Fixes #6089, #6124, #6217. diff --git a/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt b/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt deleted file mode 100644 index f0fa00046..000000000 --- a/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a build error due to a missing prototype warning when - MBEDTLS_DEPRECATED_REMOVED is enabled. diff --git a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt deleted file mode 100644 index c7d269142..000000000 --- a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix bugs and missing dependencies when building and testing - configurations with only one encryption type enabled in TLS 1.2. diff --git a/ChangeLog.d/fix_cmake_gen_files.txt b/ChangeLog.d/fix_cmake_gen_files.txt deleted file mode 100644 index cdec6e8a6..000000000 --- a/ChangeLog.d/fix_cmake_gen_files.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix an issue with in-tree CMake builds in releases with GEN_FILES - turned off: if a shipped file was missing from the working directory, - it could be turned into a symbolic link to itself. diff --git a/ChangeLog.d/fix_cmake_using_iar_toolchain.txt b/ChangeLog.d/fix_cmake_using_iar_toolchain.txt deleted file mode 100644 index 9ec6e0d6b..000000000 --- a/ChangeLog.d/fix_cmake_using_iar_toolchain.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a compilation error when using CMake with an IAR toolchain. - Fixes #5964. diff --git a/ChangeLog.d/fix_dh_genprime_error_reporting.txt b/ChangeLog.d/fix_dh_genprime_error_reporting.txt deleted file mode 100644 index 1c98947f3..000000000 --- a/ChangeLog.d/fix_dh_genprime_error_reporting.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix bug in error reporting in dh_genprime.c where upon failure, - the error code returned by mbedtls_mpi_write_file() is overwritten - and therefore not printed. diff --git a/ChangeLog.d/fix_hard_link_across_drives.txt b/ChangeLog.d/fix_hard_link_across_drives.txt deleted file mode 100644 index 46d05c0cf..000000000 --- a/ChangeLog.d/fix_hard_link_across_drives.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a build issue on Windows using CMake where the source and build - directories could not be on different drives. Fixes #5751. diff --git a/ChangeLog.d/fix_psa_crypto_cipher_h_include.txt b/ChangeLog.d/fix_psa_crypto_cipher_h_include.txt deleted file mode 100644 index bf2e65dd4..000000000 --- a/ChangeLog.d/fix_psa_crypto_cipher_h_include.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Use double quotes to include private header file psa_crypto_cipher.h. - Fixes 'file not found with include' error - when building with Xcode. diff --git a/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt b/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt deleted file mode 100644 index 9f5c6499d..000000000 --- a/ChangeLog.d/fix_tls13_session_resumption_fail_when_hostname_is_not_localhost.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix TLS 1.3 session resumption. Fixes #6488. - * Add a configuration check to exclude optional client authentication - in TLS 1.3 (where it is forbidden). diff --git a/ChangeLog.d/fix_x509_get_name_mem_leak.txt b/ChangeLog.d/fix_x509_get_name_mem_leak.txt deleted file mode 100644 index 358d1afa7..000000000 --- a/ChangeLog.d/fix_x509_get_name_mem_leak.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix memory leak in ssl_parse_certificate_request() caused by - mbedtls_x509_get_name() not freeing allocated objects in case of error. - Change mbedtls_x509_get_name() to clean up allocated objects on error. diff --git a/ChangeLog.d/fix_x509_info_hwmodulename.txt b/ChangeLog.d/fix_x509_info_hwmodulename.txt deleted file mode 100644 index 8b227cec3..000000000 --- a/ChangeLog.d/fix_x509_info_hwmodulename.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable - bytes when parsing certificates containing a binary RFC 4108 - HardwareModuleName as a Subject Alternative Name extension. Hardware - serial numbers are now rendered in hex format. Fixes #6262. diff --git a/ChangeLog.d/fix_zeroization.txt b/ChangeLog.d/fix_zeroization.txt deleted file mode 100644 index 8b00dcc98..000000000 --- a/ChangeLog.d/fix_zeroization.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a possible null pointer dereference if a memory allocation fails - in TLS PRF code. Reported by Michael Madsen in #6516. diff --git a/ChangeLog.d/mbedtls_asn1_type_free.txt b/ChangeLog.d/mbedtls_asn1_type_free.txt deleted file mode 100644 index 3459bbe2d..000000000 --- a/ChangeLog.d/mbedtls_asn1_type_free.txt +++ /dev/null @@ -1,8 +0,0 @@ -Features - * The new functions mbedtls_asn1_free_named_data_list() and - mbedtls_asn1_free_named_data_list_shallow() simplify the management - of memory in named data lists in X.509 structures. -New deprecations - * Deprecate mbedtls_asn1_free_named_data(). - Use mbedtls_asn1_free_named_data_list() - or mbedtls_asn1_free_named_data_list_shallow(). diff --git a/ChangeLog.d/move-ssl-modules.txt b/ChangeLog.d/move-ssl-modules.txt deleted file mode 100644 index f00e5ad83..000000000 --- a/ChangeLog.d/move-ssl-modules.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Move some SSL-specific code out of libmbedcrypto where it had been placed - accidentally. diff --git a/ChangeLog.d/mpi-add-0-ub.txt b/ChangeLog.d/mpi-add-0-ub.txt deleted file mode 100644 index 9f131a430..000000000 --- a/ChangeLog.d/mpi-add-0-ub.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix undefined behavior (typically harmless in practice) of - mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() - when both operands are 0 and the left operand is represented with 0 limbs. diff --git a/ChangeLog.d/mpi-most-negative-sint.txt b/ChangeLog.d/mpi-most-negative-sint.txt deleted file mode 100644 index 5e775c482..000000000 --- a/ChangeLog.d/mpi-most-negative-sint.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix undefined behavior (typically harmless in practice) when some bignum - functions receive the most negative value of mbedtls_mpi_sint. Credit - to OSS-Fuzz. Fixes #6597. diff --git a/ChangeLog.d/muladdc_microblaze.txt b/ChangeLog.d/muladdc_microblaze.txt deleted file mode 100644 index 70fdff020..000000000 --- a/ChangeLog.d/muladdc_microblaze.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined. - Contributed by Kazuyuki Kimura to fix #2020. diff --git a/ChangeLog.d/negative-zero-from-add.txt b/ChangeLog.d/negative-zero-from-add.txt deleted file mode 100644 index 107d858d3..000000000 --- a/ChangeLog.d/negative-zero-from-add.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A) - with A > 0 created an unintended representation of the value 0 which was - not processed correctly by some bignum operations. Fix this. This had no - consequence on cryptography code, but might affect applications that call - bignum directly and use negative numbers. diff --git a/ChangeLog.d/nonversioned-library-soname.txt b/ChangeLog.d/nonversioned-library-soname.txt deleted file mode 100644 index 8d83a2d6d..000000000 --- a/ChangeLog.d/nonversioned-library-soname.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * make: enable building unversioned shared library, with e.g.: - "SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib" - resulting in library names like "libmbedtls.so" rather than - "libmbedcrypto.so.11". diff --git a/ChangeLog.d/platform-setbuf.txt b/ChangeLog.d/platform-setbuf.txt deleted file mode 100644 index 844f70cf2..000000000 --- a/ChangeLog.d/platform-setbuf.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Provide the missing definition of mbedtls_setbuf() in some configurations - with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196. diff --git a/ChangeLog.d/psa-ecb-ub.txt b/ChangeLog.d/psa-ecb-ub.txt deleted file mode 100644 index 9d725ac70..000000000 --- a/ChangeLog.d/psa-ecb-ub.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix undefined behavior (typically harmless in practice) in PSA ECB - encryption and decryption. diff --git a/ChangeLog.d/psa_crypto_code_gen_1_1.txt b/ChangeLog.d/psa_crypto_code_gen_1_1.txt deleted file mode 100644 index e10a81c9a..000000000 --- a/ChangeLog.d/psa_crypto_code_gen_1_1.txt +++ /dev/null @@ -1,13 +0,0 @@ -Features - * The PSA driver wrapper generator generate_driver_wrappers.py now - supports a subset of the driver description language, including - the following entry points: import_key, export_key, export_public_key, - get_builtin_key, copy_key. - -Requirement changes - * When building with PSA drivers using generate_driver_wrappers.py, or - when building the library from the development branch rather than - from a release, the Python module jsonschema is now necessary, in - addition to jinja2. The official list of required Python modules is - maintained in scripts/basic.requirements.txt and may change again - in the future. diff --git a/ChangeLog.d/psa_crypto_pake.txt b/ChangeLog.d/psa_crypto_pake.txt deleted file mode 100644 index e0ae04638..000000000 --- a/ChangeLog.d/psa_crypto_pake.txt +++ /dev/null @@ -1,4 +0,0 @@ -Features - * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API. - Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm - are supported in this implementation. diff --git a/ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt b/ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt deleted file mode 100644 index b9c78a645..000000000 --- a/ChangeLog.d/psa_driver_wrapper_for_raw_key_agreement.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * Add a driver dispatch layer for raw key agreement, enabling alternative - implementations of raw key agreement through the key_agreement driver - entry point. This entry point is specified in the proposed PSA driver - interface, but had not yet been implemented. diff --git a/ChangeLog.d/psa_rsa_needs_pk.txt b/ChangeLog.d/psa_rsa_needs_pk.txt deleted file mode 100644 index 995963d7e..000000000 --- a/ChangeLog.d/psa_rsa_needs_pk.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not - MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408. - * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not - MBEDTLS_PK_PARSE_C. Fixes #6409. diff --git a/ChangeLog.d/tls13-misc.txt b/ChangeLog.d/tls13-misc.txt deleted file mode 100644 index 673317328..000000000 --- a/ChangeLog.d/tls13-misc.txt +++ /dev/null @@ -1,8 +0,0 @@ -Features - * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys. - The pre-shared keys can be provisioned externally or via the ticket - mechanism (session resumption). - The ticket mechanism is supported when the configuration option - MBEDTLS_SSL_SESSION_TICKETS is enabled. - New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED - control the support for the three possible TLS 1.3 key exchange modes. diff --git a/ChangeLog.d/tls13_sig_alg_selection.txt b/ChangeLog.d/tls13_sig_alg_selection.txt deleted file mode 100644 index 8857750b4..000000000 --- a/ChangeLog.d/tls13_sig_alg_selection.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Add support for opaque keys as the private keys associated to certificates - for authentication in TLS 1.3. diff --git a/ChangeLog.d/x509-broken-symlink-handling.txt b/ChangeLog.d/x509-broken-symlink-handling.txt deleted file mode 100644 index 52288dc08..000000000 --- a/ChangeLog.d/x509-broken-symlink-handling.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix handling of broken symlinks when loading certificates using - mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a - broken link is encountered, skip the broken link and continue parsing - other certificate files. Contributed by Eduardo Silva in #2602. diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index c05042b87..7c6464fa9 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -22,7 +22,7 @@ */ /** - * @mainpage mbed TLS v3.2.1 source code documentation + * @mainpage mbed TLS v3.3.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index f722d2817..0c744daaa 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -1,4 +1,4 @@ -PROJECT_NAME = "mbed TLS v3.2.1" +PROJECT_NAME = "mbed TLS v3.3.0" OUTPUT_DIRECTORY = ../apidoc/ FULL_PATH_NAMES = NO OPTIMIZE_OUTPUT_FOR_C = YES diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 362ce2fd5..049a120ef 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -37,17 +37,17 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 3 -#define MBEDTLS_VERSION_MINOR 2 -#define MBEDTLS_VERSION_PATCH 1 +#define MBEDTLS_VERSION_MINOR 3 +#define MBEDTLS_VERSION_PATCH 0 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x03020100 -#define MBEDTLS_VERSION_STRING "3.2.1" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.2.1" +#define MBEDTLS_VERSION_NUMBER 0x03030000 +#define MBEDTLS_VERSION_STRING "3.3.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.3.0" #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) #define _CRT_SECURE_NO_DEPRECATE 1 diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 8106dab59..c9714bbfb 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -282,7 +282,7 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR}) add_library(${mbedcrypto_target} SHARED ${src_crypto}) - set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.2.1 SOVERSION 12) + set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.3.0 SOVERSION 13) target_link_libraries(${mbedcrypto_target} PUBLIC ${libs}) if(TARGET everest) @@ -290,11 +290,11 @@ if(USE_SHARED_MBEDTLS_LIBRARY) endif() add_library(${mbedx509_target} SHARED ${src_x509}) - set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.2.1 SOVERSION 4) + set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.3.0 SOVERSION 4) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target}) add_library(${mbedtls_target} SHARED ${src_tls}) - set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.2.1 SOVERSION 18) + set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.3.0 SOVERSION 19) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) endif(USE_SHARED_MBEDTLS_LIBRARY) diff --git a/library/Makefile b/library/Makefile index 5073517ce..dd16d0615 100644 --- a/library/Makefile +++ b/library/Makefile @@ -47,9 +47,9 @@ LOCAL_CFLAGS += -fPIC -fpic endif endif -SOEXT_TLS?=so.18 +SOEXT_TLS?=so.19 SOEXT_X509?=so.4 -SOEXT_CRYPTO?=so.12 +SOEXT_CRYPTO?=so.13 # Set AR_DASH= (empty string) to use an ar implementation that does not accept # the - prefix for command line options (e.g. llvm-ar) diff --git a/library/bignum.c b/library/bignum.c index a68957a53..65708c9f3 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1590,11 +1590,11 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi *prec_RR ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t wbits, wsize, one = 1; + size_t window_bitsize; size_t i, j, nblimbs; size_t bufsize, nbits; mbedtls_mpi_uint ei, mm, state; - mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos; + mbedtls_mpi RR, T, W[ (size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos; int neg; MPI_VALIDATE_RET( X != NULL ); @@ -1623,21 +1623,59 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, i = mbedtls_mpi_bitlen( E ); - wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 : + window_bitsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 : ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1; #if( MBEDTLS_MPI_WINDOW_SIZE < 6 ) - if( wsize > MBEDTLS_MPI_WINDOW_SIZE ) - wsize = MBEDTLS_MPI_WINDOW_SIZE; + if( window_bitsize > MBEDTLS_MPI_WINDOW_SIZE ) + window_bitsize = MBEDTLS_MPI_WINDOW_SIZE; #endif + const size_t w_table_used_size = (size_t) 1 << window_bitsize; + + /* + * This function is not constant-trace: its memory accesses depend on the + * exponent value. To defend against timing attacks, callers (such as RSA + * and DHM) should use exponent blinding. However this is not enough if the + * adversary can find the exponent in a single trace, so this function + * takes extra precautions against adversaries who can observe memory + * access patterns. + * + * This function performs a series of multiplications by table elements and + * squarings, and we want the prevent the adversary from finding out which + * table element was used, and from distinguishing between multiplications + * and squarings. Firstly, when multiplying by an element of the window + * W[i], we do a constant-trace table lookup to obfuscate i. This leaves + * squarings as having a different memory access patterns from other + * multiplications. So secondly, we put the accumulator X in the table as + * well, and also do a constant-trace table lookup to multiply by X. + * + * This way, all multiplications take the form of a lookup-and-multiply. + * The number of lookup-and-multiply operations inside each iteration of + * the main loop still depends on the bits of the exponent, but since the + * other operations in the loop don't have an easily recognizable memory + * trace, an adversary is unlikely to be able to observe the exact + * patterns. + * + * An adversary may still be able to recover the exponent if they can + * observe both memory accesses and branches. However, branch prediction + * exploitation typically requires many traces of execution over the same + * data, which is defeated by randomized blinding. + * + * To achieve this, we make a copy of X and we use the table entry in each + * calculation from this point on. + */ + const size_t x_index = 0; + mbedtls_mpi_init( &W[x_index] ); + mbedtls_mpi_copy( &W[x_index], X ); + j = N->n + 1; /* All W[i] and X must have at least N->n limbs for the mpi_montmul() * and mpi_montred() calls later. Here we ensure that W[1] and X are * large enough, and later we'll grow other W[i] to the same length. * They must not be shrunk midway through this function! */ - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[x_index], j ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) ); @@ -1686,28 +1724,36 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, mpi_montmul( &W[1], &RR, N, mm, &T ); /* - * X = R^2 * R^-1 mod N = R mod N + * W[x_index] = R^2 * R^-1 mod N = R mod N */ - MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) ); - mpi_montred( X, N, mm, &T ); + MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[x_index], &RR ) ); + mpi_montred( &W[x_index], N, mm, &T ); - if( wsize > 1 ) + + if( window_bitsize > 1 ) { /* - * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1) + * W[i] = W[1] ^ i + * + * The first bit of the sliding window is always 1 and therefore we + * only need to store the second half of the table. + * + * (There are two special elements in the table: W[0] for the + * accumulator/result and W[1] for A in Montgomery form. Both of these + * are already set at this point.) */ - j = one << ( wsize - 1 ); + j = w_table_used_size / 2; MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) ); - for( i = 0; i < wsize - 1; i++ ) + for( i = 0; i < window_bitsize - 1; i++ ) mpi_montmul( &W[j], &W[j], N, mm, &T ); /* * W[i] = W[i - 1] * W[1] */ - for( i = j + 1; i < ( one << wsize ); i++ ) + for( i = j + 1; i < w_table_used_size; i++ ) { MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) ); @@ -1719,7 +1765,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, nblimbs = E->n; bufsize = 0; nbits = 0; - wbits = 0; + size_t exponent_bits_in_window = 0; state = 0; while( 1 ) @@ -1747,9 +1793,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, if( ei == 0 && state == 1 ) { /* - * out of window, square X + * out of window, square W[x_index] */ - mpi_montmul( X, X, N, mm, &T ); + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); continue; } @@ -1759,25 +1806,30 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, state = 2; nbits++; - wbits |= ( ei << ( wsize - nbits ) ); + exponent_bits_in_window |= ( ei << ( window_bitsize - nbits ) ); - if( nbits == wsize ) + if( nbits == window_bitsize ) { /* - * X = X^wsize R^-1 mod N + * W[x_index] = W[x_index]^window_bitsize R^-1 mod N */ - for( i = 0; i < wsize; i++ ) - mpi_montmul( X, X, N, mm, &T ); + for( i = 0; i < window_bitsize; i++ ) + { + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, + x_index ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); + } /* - * X = X * W[wbits] R^-1 mod N + * W[x_index] = W[x_index] * W[exponent_bits_in_window] R^-1 mod N */ - MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) ); - mpi_montmul( X, &WW, N, mm, &T ); + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, + exponent_bits_in_window ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); state--; nbits = 0; - wbits = 0; + exponent_bits_in_window = 0; } } @@ -1786,31 +1838,45 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, */ for( i = 0; i < nbits; i++ ) { - mpi_montmul( X, X, N, mm, &T ); + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, x_index ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); - wbits <<= 1; + exponent_bits_in_window <<= 1; - if( ( wbits & ( one << wsize ) ) != 0 ) - mpi_montmul( X, &W[1], N, mm, &T ); + if( ( exponent_bits_in_window & ( (size_t) 1 << window_bitsize ) ) != 0 ) + { + MBEDTLS_MPI_CHK( mpi_select( &WW, W, w_table_used_size, 1 ) ); + mpi_montmul( &W[x_index], &WW, N, mm, &T ); + } } /* - * X = A^E * R * R^-1 mod N = A^E mod N + * W[x_index] = A^E * R * R^-1 mod N = A^E mod N */ - mpi_montred( X, N, mm, &T ); + mpi_montred( &W[x_index], N, mm, &T ); if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 ) { - X->s = -1; - MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) ); + W[x_index].s = -1; + MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &W[x_index], N, &W[x_index] ) ); } + /* + * Load the result in the output variable. + */ + mbedtls_mpi_copy( X, &W[x_index] ); + cleanup: - for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ ) + /* The first bit of the sliding window is always 1 and therefore the first + * half of the table was unused. */ + for( i = w_table_used_size/2; i < w_table_used_size; i++ ) mbedtls_mpi_free( &W[i] ); - mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos ); + mbedtls_mpi_free( &W[x_index] ); + mbedtls_mpi_free( &W[1] ); + mbedtls_mpi_free( &T ); + mbedtls_mpi_free( &Apos ); mbedtls_mpi_free( &WW ); if( prec_RR == NULL || prec_RR->p == NULL ) diff --git a/library/pkcs7.c b/library/pkcs7.c index 5b22afac9..9100980f6 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -253,6 +253,24 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end, return( 0 ); } +static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer ) +{ + mbedtls_x509_name *name_cur; + mbedtls_x509_name *name_prv; + + if( signer == NULL ) + return; + + name_cur = signer->issuer.next; + while( name_cur != NULL ) + { + name_prv = name_cur; + name_cur = name_cur->next; + mbedtls_free( name_prv ); + } + signer->issuer.next = NULL; +} + /** * SignerInfo ::= SEQUENCE { * version Version; @@ -329,33 +347,16 @@ static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end, ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO; out: - if( asn1_ret != 0 ) + if( asn1_ret != 0 || ret != 0 ) + { + pkcs7_free_signer_info( signer ); ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, asn1_ret ); - else if( ret != 0 ) - ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO; + } return( ret ); } -static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer ) -{ - mbedtls_x509_name *name_cur; - mbedtls_x509_name *name_prv; - - if( signer == NULL ) - return; - - name_cur = signer->issuer.next; - while( name_cur != NULL ) - { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_free( name_prv ); - } - signer->issuer.next = NULL; -} - /** * SignerInfos ::= SET of SignerInfo * Return number of signers added to the signed data, @@ -387,7 +388,7 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, ret = pkcs7_get_signer_info( p, end_set, signers_set ); if( ret != 0 ) - goto cleanup; + return( ret ); count++; mbedtls_pkcs7_signer_info *prev = signers_set; diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 89a251746..82549642f 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1149,7 +1149,7 @@ struct mbedtls_ssl_transform #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) uint8_t in_cid_len; uint8_t out_cid_len; - unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; + unsigned char in_cid [ MBEDTLS_SSL_CID_IN_LEN_MAX ]; unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index f3cbb628f..571d5adf4 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -68,7 +68,7 @@ pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-62139 pkcs7_get_signers_info_set error handling (4541044530479104) depends_on:MBEDTLS_RIPEMD160_C -pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +pkcs7_parse:"data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Only Signed Data Parse Pass #15 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index f131029d5..ea6fc62f9 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compile time library version -check_compiletime_version:"3.2.1" +check_compiletime_version:"3.3.0" Check runtime library version -check_runtime_version:"3.2.1" +check_runtime_version:"3.3.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0