Import mbedtls-3.6.2
Imports Mbed TLS 3.6.2 from https://github.com/Mbed-TLS/mbedtls.git
tags mbedtls-3.6.2, v3.6.2
Files that are not needed are removed:
cd lib/libmbedtls
rm -rf mbedtls
cp -R path/to/mbedtls-3.6.2/mbedtls .
cd mbedtls
rm CMakeLists.txt DartConfiguration.tcl Makefile
rm .gitignore .travis.yml .pylintrc .globalrc .mypy.ini BRANCHES.md
rm include/.gitignore include/CMakeLists.txt library/.gitignore
rm library/CMakeLists.txt library/Makefile
rm -r cmake
rm -rf .git .github doxygen configs programs scripts tests visualc
rm -rf 3rdparty ChangeLog.d docs pkgconfig .gitmodules .readthedocs.yaml
rm library/mps_*
cd ..
git add mbedtls
This is a complete overwrite of previous code so earlier changes in the
previous branch import/mbedtls-3.6.0 will be added on top of this
commit.
Signed-off-by: Sungbae Yoo <sungbaey@nvidia.com>
diff --git a/lib/libmbedtls/mbedtls/library/psa_crypto.c b/lib/libmbedtls/mbedtls/library/psa_crypto.c
index 969c695..c4f41db 100644
--- a/lib/libmbedtls/mbedtls/library/psa_crypto.c
+++ b/lib/libmbedtls/mbedtls/library/psa_crypto.c
@@ -1210,15 +1210,15 @@
case PSA_SLOT_PENDING_DELETION:
/* In this state psa_wipe_key_slot() must only be called if the
* caller is the last reader. */
- if (slot->registered_readers != 1) {
- MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 1);
+ if (slot->var.occupied.registered_readers != 1) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 1);
status = PSA_ERROR_CORRUPTION_DETECTED;
}
break;
case PSA_SLOT_FILLING:
/* In this state registered_readers must be 0. */
- if (slot->registered_readers != 0) {
- MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->registered_readers == 0);
+ if (slot->var.occupied.registered_readers != 0) {
+ MBEDTLS_TEST_HOOK_TEST_ASSERT(slot->var.occupied.registered_readers == 0);
status = PSA_ERROR_CORRUPTION_DETECTED;
}
break;
@@ -1232,6 +1232,11 @@
status = PSA_ERROR_CORRUPTION_DETECTED;
}
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ size_t slice_index = slot->slice_index;
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
+
/* Multipart operations may still be using the key. This is safe
* because all multipart operation objects are independent from
* the key slot: if they need to access the key after the setup
@@ -1242,6 +1247,17 @@
* zeroize because the metadata is not particularly sensitive.
* This memset also sets the slot's state to PSA_SLOT_EMPTY. */
memset(slot, 0, sizeof(*slot));
+
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
+ /* If the slot is already corrupted, something went deeply wrong,
+ * like a thread still using the slot or a stray pointer leading
+ * to the slot's memory being used for another object. Let the slot
+ * leak rather than make the corruption worse. */
+ if (status == PSA_SUCCESS) {
+ status = psa_free_key_slot(slice_index, slot);
+ }
+#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
+
return status;
}
@@ -1753,8 +1769,6 @@
psa_se_drv_table_entry_t **p_drv)
{
psa_status_t status;
- psa_key_id_t volatile_key_id;
- psa_key_slot_t *slot;
(void) method;
*p_drv = NULL;
@@ -1764,11 +1778,16 @@
return status;
}
+ int key_is_volatile = PSA_KEY_LIFETIME_IS_VOLATILE(attributes->lifetime);
+ psa_key_id_t volatile_key_id;
+
#if defined(MBEDTLS_THREADING_C)
PSA_THREADING_CHK_RET(mbedtls_mutex_lock(
&mbedtls_threading_key_slot_mutex));
#endif
- status = psa_reserve_free_key_slot(&volatile_key_id, p_slot);
+ status = psa_reserve_free_key_slot(
+ key_is_volatile ? &volatile_key_id : NULL,
+ p_slot);
#if defined(MBEDTLS_THREADING_C)
PSA_THREADING_CHK_RET(mbedtls_mutex_unlock(
&mbedtls_threading_key_slot_mutex));
@@ -1776,7 +1795,7 @@
if (status != PSA_SUCCESS) {
return status;
}
- slot = *p_slot;
+ psa_key_slot_t *slot = *p_slot;
/* We're storing the declared bit-size of the key. It's up to each
* creation mechanism to verify that this information is correct.
@@ -1787,7 +1806,7 @@
* definition. */
slot->attr = *attributes;
- if (PSA_KEY_LIFETIME_IS_VOLATILE(slot->attr.lifetime)) {
+ if (key_is_volatile) {
#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
slot->attr.id = volatile_key_id;
#else
@@ -1835,6 +1854,9 @@
status = psa_copy_key_material_into_slot(
slot, (uint8_t *) (&slot_number), sizeof(slot_number));
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
}
if (*p_drv == NULL && method == PSA_KEY_CREATION_REGISTER) {
@@ -2146,6 +2168,14 @@
return PSA_ERROR_NOT_SUPPORTED;
}
+ /* Not usable with volatile keys, even with an appropriate location,
+ * due to the API design.
+ * https://github.com/Mbed-TLS/mbedtls/issues/9253
+ */
+ if (PSA_KEY_LIFETIME_IS_VOLATILE(psa_get_key_lifetime(attributes))) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
status = psa_start_key_creation(PSA_KEY_CREATION_REGISTER, attributes,
&slot, &driver);
if (status != PSA_SUCCESS) {
@@ -4628,11 +4658,7 @@
goto exit;
}
- if (alg == PSA_ALG_CCM_STAR_NO_TAG &&
- input_length < PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type)) {
- status = PSA_ERROR_INVALID_ARGUMENT;
- goto exit;
- } else if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) {
+ if (input_length < PSA_CIPHER_IV_LENGTH(slot->attr.type, alg)) {
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
@@ -5194,6 +5220,12 @@
goto exit;
}
+ /* No input to add (zero length), nothing to do. */
+ if (input_length == 0) {
+ status = PSA_SUCCESS;
+ goto exit;
+ }
+
if (operation->lengths_set) {
if (operation->ad_remaining < input_length) {
status = PSA_ERROR_INVALID_ARGUMENT;
@@ -6407,27 +6439,28 @@
return status;
}
-static const psa_key_production_parameters_t default_production_parameters =
- PSA_KEY_PRODUCTION_PARAMETERS_INIT;
+static const psa_custom_key_parameters_t default_custom_production =
+ PSA_CUSTOM_KEY_PARAMETERS_INIT;
-int psa_key_production_parameters_are_default(
- const psa_key_production_parameters_t *params,
- size_t params_data_length)
+int psa_custom_key_parameters_are_default(
+ const psa_custom_key_parameters_t *custom,
+ size_t custom_data_length)
{
- if (params->flags != 0) {
+ if (custom->flags != 0) {
return 0;
}
- if (params_data_length != 0) {
+ if (custom_data_length != 0) {
return 0;
}
return 1;
}
-psa_status_t psa_key_derivation_output_key_ext(
+psa_status_t psa_key_derivation_output_key_custom(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
- const psa_key_production_parameters_t *params,
- size_t params_data_length,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data,
+ size_t custom_data_length,
mbedtls_svc_key_id_t *key)
{
psa_status_t status;
@@ -6442,7 +6475,8 @@
return PSA_ERROR_INVALID_ARGUMENT;
}
- if (!psa_key_production_parameters_are_default(params, params_data_length)) {
+ (void) custom_data; /* We only accept 0-length data */
+ if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
@@ -6477,14 +6511,29 @@
return status;
}
+psa_status_t psa_key_derivation_output_key_ext(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ return psa_key_derivation_output_key_custom(
+ attributes, operation,
+ (const psa_custom_key_parameters_t *) params,
+ params->data, params_data_length,
+ key);
+}
+
psa_status_t psa_key_derivation_output_key(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
mbedtls_svc_key_id_t *key)
{
- return psa_key_derivation_output_key_ext(attributes, operation,
- &default_production_parameters, 0,
- key);
+ return psa_key_derivation_output_key_custom(attributes, operation,
+ &default_custom_production,
+ NULL, 0,
+ key);
}
@@ -7858,15 +7907,18 @@
psa_status_t psa_generate_key_internal(
const psa_key_attributes_t *attributes,
- const psa_key_production_parameters_t *params, size_t params_data_length,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data,
+ size_t custom_data_length,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_type_t type = attributes->type;
/* Only used for RSA */
- (void) params;
- (void) params_data_length;
+ (void) custom;
+ (void) custom_data;
+ (void) custom_data_length;
if (key_type_is_raw_bytes(type)) {
status = psa_generate_random_internal(key_buffer, key_buffer_size);
@@ -7884,7 +7936,7 @@
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
return mbedtls_psa_rsa_generate_key(attributes,
- params, params_data_length,
+ custom_data, custom_data_length,
key_buffer,
key_buffer_size,
key_buffer_length);
@@ -7916,10 +7968,11 @@
return PSA_SUCCESS;
}
-psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
- const psa_key_production_parameters_t *params,
- size_t params_data_length,
- mbedtls_svc_key_id_t *key)
+psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes,
+ const psa_custom_key_parameters_t *custom,
+ const uint8_t *custom_data,
+ size_t custom_data_length,
+ mbedtls_svc_key_id_t *key)
{
psa_status_t status;
psa_key_slot_t *slot = NULL;
@@ -7941,12 +7994,12 @@
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
- if (params->flags != 0) {
+ if (custom->flags != 0) {
return PSA_ERROR_INVALID_ARGUMENT;
}
} else
#endif
- if (!psa_key_production_parameters_are_default(params, params_data_length)) {
+ if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
@@ -7987,7 +8040,8 @@
}
status = psa_driver_wrapper_generate_key(attributes,
- params, params_data_length,
+ custom,
+ custom_data, custom_data_length,
slot->key.data, slot->key.bytes,
&slot->key.bytes);
if (status != PSA_SUCCESS) {
@@ -8005,12 +8059,25 @@
return status;
}
+psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
+ const psa_key_production_parameters_t *params,
+ size_t params_data_length,
+ mbedtls_svc_key_id_t *key)
+{
+ return psa_generate_key_custom(
+ attributes,
+ (const psa_custom_key_parameters_t *) params,
+ params->data, params_data_length,
+ key);
+}
+
psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
mbedtls_svc_key_id_t *key)
{
- return psa_generate_key_ext(attributes,
- &default_production_parameters, 0,
- key);
+ return psa_generate_key_custom(attributes,
+ &default_custom_production,
+ NULL, 0,
+ key);
}
/****************************************************************/