Merge pull request #5348 from davidhorstmann-arm/fix-ssl-debug-header-typo
Fix typo in python script method name
diff --git a/CMakeLists.txt b/CMakeLists.txt
index eae3b60..479487f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -344,7 +344,7 @@
write_basic_package_version_file(
"cmake/MbedTLSConfigVersion.cmake"
COMPATIBILITY SameMajorVersion
- VERSION 3.0.0)
+ VERSION 3.1.0)
install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
diff --git a/ChangeLog b/ChangeLog
index ebf8a36..71ba44d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,184 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 3.1.0 branch released 2021-12-17
+
+API changes
+ * New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
+ Alternative GCM implementations are expected to verify
+ the length of the provided output buffers and to return the
+ MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
+ * You can configure groups for a TLS key exchange with the new function
+ mbedtls_ssl_conf_groups(). It extends mbedtls_ssl_conf_curves().
+ * Declare a number of structure fields as public: the fields of
+ mbedtls_ecp_curve_info, the fields describing the result of ASN.1 and
+ X.509 parsing, and finally the field fd of mbedtls_net_context on
+ POSIX/Unix-like platforms.
+
+Requirement changes
+ * Sign-magnitude and one's complement representations for signed integers are
+ not supported. Two's complement is the only supported representation.
+
+New deprecations
+ * Deprecate mbedtls_ssl_conf_curves() in favor of the more generic
+ mbedtls_ssl_conf_groups().
+
+Removals
+ * Remove the partial support for running unit tests via Greentea on Mbed OS,
+ which had been unmaintained since 2018.
+
+Features
+ * Enable support for Curve448 via the PSA API. Contributed by
+ Archana Madhavan in #4626. Fixes #3399 and #4249.
+ * The identifier of the CID TLS extension can be configured by defining
+ MBEDTLS_TLS_EXT_CID at compile time.
+ * Implement the PSA multipart AEAD interface, currently supporting
+ ChaChaPoly and GCM.
+ * Warn if errors from certain functions are ignored. This is currently
+ supported on GCC-like compilers and on MSVC and can be configured through
+ the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
+ (where supported) for critical functions where ignoring the return
+ value is almost always a bug. Enable the new configuration option
+ MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
+ is currently implemented in the AES, DES and md modules, and will be
+ extended to other modules in the future.
+ * Add missing PSA macros declared by PSA Crypto API 1.0.0:
+ PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
+ * Add support for CCM*-no-tag cipher to the PSA.
+ Currently only 13-byte long IV's are supported.
+ For decryption a minimum of 16-byte long input is expected.
+ These restrictions may be subject to change.
+ * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
+ * Add functions to get the IV and block size from cipher_info structs.
+ * Add functions to check if a cipher supports variable IV or key size.
+ * Add the internal implementation of and support for CCM to the PSA multipart
+ AEAD interface.
+ * Mbed TLS provides a minimum viable implementation of the TLS 1.3
+ protocol. See docs/architecture/tls13-support.md for the definition of
+ the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3
+ configuration option controls the enablement of the support. The APIs
+ mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow
+ to select the 1.3 version of the protocol to establish a TLS connection.
+ * Add PSA API definition for ARIA.
+
+Security
+ * Zeroize several intermediate variables used to calculate the expected
+ value when verifying a MAC or AEAD tag. This hardens the library in
+ case the value leaks through a memory disclosure vulnerability. For
+ example, a memory disclosure vulnerability could have allowed a
+ man-in-the-middle to inject fake ciphertext into a DTLS connection.
+ * In psa_aead_generate_nonce(), do not read back from the output buffer.
+ This fixes a potential policy bypass or decryption oracle vulnerability
+ if the output buffer is in memory that is shared with an untrusted
+ application.
+ * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
+ from the output buffer. This fixes a potential policy bypass or decryption
+ oracle vulnerability if the output buffer is in memory that is shared with
+ an untrusted application.
+ * Fix a double-free that happened after mbedtls_ssl_set_session() or
+ mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
+ (out of memory). After that, calling mbedtls_ssl_session_free()
+ and mbedtls_ssl_free() would cause an internal session buffer to
+ be free()'d twice.
+
+Bugfix
+ * Stop using reserved identifiers as local variables. Fixes #4630.
+ * The GNU makefiles invoke python3 in preference to python except on Windows.
+ The check was accidentally not performed when cross-compiling for Windows
+ on Linux. Fix this. Fixes #4774.
+ * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
+ PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
+ * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
+ * Don't use the obsolete header path sys/fcntl.h in unit tests.
+ These header files cause compilation errors in musl.
+ Fixes #4969.
+ * Fix missing constraints on x86_64 and aarch64 assembly code
+ for bignum multiplication that broke some bignum operations with
+ (at least) Clang 12.
+ Fixes #4116, #4786, #4917, #4962.
+ * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
+ * Failures of alternative implementations of AES or DES single-block
+ functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
+ MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
+ This does not concern the implementation provided with Mbed TLS,
+ where this function cannot fail, or full-module replacements with
+ MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
+ * Some failures of HMAC operations were ignored. These failures could only
+ happen with an alternative implementation of the underlying hash module.
+ * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
+ * Fix compile-time or run-time errors in PSA
+ AEAD functions when ChachaPoly is disabled. Fixes #5065.
+ * Remove PSA'a AEAD finish/verify output buffer limitation for GCM.
+ The requirement of minimum 15 bytes for output buffer in
+ psa_aead_finish() and psa_aead_verify() does not apply to the built-in
+ implementation of GCM.
+ * Move GCM's update output buffer length verification from PSA AEAD to
+ the built-in implementation of the GCM.
+ The requirement for output buffer size to be equal or greater then
+ input buffer size is valid only for the built-in implementation of GCM.
+ Alternative GCM implementations can process whole blocks only.
+ * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
+ MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
+ * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
+ This algorithm now accepts only the same salt length for verification
+ that it produces when signing, as documented. Use the new algorithm
+ PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
+ * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
+ for algorithm values that fully encode the hashing step, as per the PSA
+ Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
+ PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
+ all algorithms that can be used with psa_{sign,verify}_hash(), including
+ these two.
+ * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
+ not to list other shared libraries they need.
+ * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
+ exceeds 2^32. Fixes #4884.
+ * Fix an uninitialized variable warning in test_suite_ssl.function with GCC
+ version 11.
+ * Fix the build when no SHA2 module is included. Fixes #4930.
+ * Fix the build when only the bignum module is included. Fixes #4929.
+ * Fix a potential invalid pointer dereference and infinite loop bugs in
+ pkcs12 functions when the password is empty. Fix the documentation to
+ better describe the inputs to these functions and their possible values.
+ Fixes #5136.
+ * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
+ operations psa_mac_compute() and psa_mac_sign_setup().
+ * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
+ operations psa_mac_verify() and psa_mac_verify_setup().
+
+Changes
+ * Explicitly mark the fields mbedtls_ssl_session.exported and
+ mbedtls_ssl_config.respect_cli_pref as private. This was an
+ oversight during the run-up to the release of Mbed TLS 3.0.
+ The fields were never intended to be public.
+ * Implement multi-part CCM API.
+ The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
+ mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish()
+ were introduced in mbedTLS 3.0 release, however their implementation was
+ postponed until now.
+ Implemented functions support chunked data input for both CCM and CCM*
+ algorithms.
+ * Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the
+ code size by about 80B on an M0 build. This option only gated an ability
+ to set a callback, but was deemed unnecessary as it was yet another define
+ to remember when writing tests, or test configurations. Fixes #4653.
+ * Improve the performance of base64 constant-flow code. The result is still
+ slower than the original non-constant-flow implementation, but much faster
+ than the previous constant-flow implementation. Fixes #4814.
+ * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
+ For CCM* encryption/decryption without authentication, input
+ length will be ignored.
+ * Indicate in the error returned if the nonce length used with
+ ChaCha20-Poly1305 is invalid, and not just unsupported.
+ * The mbedcrypto library includes a new source code module constant_time.c,
+ containing various functions meant to resist timing side channel attacks.
+ This module does not have a separate configuration option, and functions
+ from this module will be included in the build as required. Currently
+ most of the interface of this module is private and may change at any
+ time.
+ * The generated configuration-independent files are now automatically
+ generated by the CMake build system on Unix-like systems. This is not
+ yet supported when cross-compiling.
+
= Mbed TLS 3.0.0 branch released 2021-07-07
API changes
diff --git a/ChangeLog.d/add_psa_m_aead.txt b/ChangeLog.d/add_psa_m_aead.txt
deleted file mode 100644
index fa4e7ac..0000000
--- a/ChangeLog.d/add_psa_m_aead.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Implement the PSA multipart AEAD interface, currently supporting
- ChaChaPoly and GCM.
diff --git a/ChangeLog.d/add_psa_m_aead_ccm.txt b/ChangeLog.d/add_psa_m_aead_ccm.txt
deleted file mode 100644
index d7588ee..0000000
--- a/ChangeLog.d/add_psa_m_aead_ccm.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add the internal implementation of and support for CCM to the PSA multipart
- AEAD interface.
diff --git a/ChangeLog.d/additional_cipher_info_getters.txt b/ChangeLog.d/additional_cipher_info_getters.txt
deleted file mode 100644
index 5cb1ad6..0000000
--- a/ChangeLog.d/additional_cipher_info_getters.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Add functions to get the IV and block size from cipher_info structs.
- * Add functions to check if a cipher supports variable IV or key size.
diff --git a/ChangeLog.d/base64-ranges.txt b/ChangeLog.d/base64-ranges.txt
deleted file mode 100644
index e3f3862..0000000
--- a/ChangeLog.d/base64-ranges.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Changes
- * Improve the performance of base64 constant-flow code. The result is still
- slower than the original non-constant-flow implementation, but much faster
- than the previous constant-flow implementation. Fixes #4814.
diff --git a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt b/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
deleted file mode 100644
index c04c4aa..0000000
--- a/ChangeLog.d/bugfix-for-gcm-long-iv-size.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Fix a bug in mbedtls_gcm_starts() when bits of iv are longer than 2^32.
- * Fix #4884.
-
diff --git a/ChangeLog.d/build-without-sha.txt b/ChangeLog.d/build-without-sha.txt
deleted file mode 100644
index 78ba276..0000000
--- a/ChangeLog.d/build-without-sha.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix the build when no SHA2 module is included. Fixes #4930.
- * Fix the build when only the bignum module is included. Fixes #4929.
diff --git a/ChangeLog.d/ccm_star_no_tag.txt b/ChangeLog.d/ccm_star_no_tag.txt
deleted file mode 100644
index dbd25d1..0000000
--- a/ChangeLog.d/ccm_star_no_tag.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Changes
- * Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
- For CCM* encryption/decryption without authentication, input
- length will be ignored.
-
-Features
- * Add support for CCM*-no-tag cipher to the PSA.
- Currently only 13-byte long IV's are supported.
- For decryption a minimum of 16-byte long input is expected.
- These restrictions may be subject to change.
diff --git a/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt b/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt
deleted file mode 100644
index ca3f9ac..0000000
--- a/ChangeLog.d/chacha20-poly1305-invalid-nonce.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Indicate in the error returned if the nonce length used with
- ChaCha20-Poly1305 is invalid, and not just unsupported.
diff --git a/ChangeLog.d/check-return.txt b/ChangeLog.d/check-return.txt
deleted file mode 100644
index 7d905da..0000000
--- a/ChangeLog.d/check-return.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-Bugfix
- * Failures of alternative implementations of AES or DES single-block
- functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
- MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
- This does not concern the implementation provided with Mbed TLS,
- where this function cannot fail, or full-module replacements with
- MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
- * Some failures of HMAC operations were ignored. These failures could only
- happen with an alternative implementation of the underlying hash module.
-
-Features
- * Warn if errors from certain functions are ignored. This is currently
- supported on GCC-like compilers and on MSVC and can be configured through
- the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
- (where supported) for critical functions where ignoring the return
- value is almost always a bug. Enable the new configuration option
- MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
- is currently implemented in the AES, DES and md modules, and will be
- extended to other modules in the future.
diff --git a/ChangeLog.d/chunked_ccm.txt b/ChangeLog.d/chunked_ccm.txt
deleted file mode 100644
index 67faecc..0000000
--- a/ChangeLog.d/chunked_ccm.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Changes
- * Implement multi-part CCM API.
- The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
- mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish()
- were introduced in mbedTLS 3.0 release, however their implementation was
- postponed until now.
- Implemented functions support chunked data input for both CCM and CCM*
- algorithms.
diff --git a/ChangeLog.d/constant_time_module.txt b/ChangeLog.d/constant_time_module.txt
deleted file mode 100644
index ebb0b7f..0000000
--- a/ChangeLog.d/constant_time_module.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Changes
- * The mbedcrypto library includes a new source code module constant_time.c,
- containing various functions meant to resist timing side channel attacks.
- This module does not have a separate configuration option, and functions
- from this module will be included in the build as required. Currently
- most of the interface of this module is private and may change at any
- time.
-
-Features
- * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
diff --git a/ChangeLog.d/do-not-use-obsolete-header.txt b/ChangeLog.d/do-not-use-obsolete-header.txt
deleted file mode 100644
index 9a57ef1..0000000
--- a/ChangeLog.d/do-not-use-obsolete-header.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Don't use the obsolete header path sys/fcntl.h in unit tests.
- These header files cause compilation errors in musl.
- Fixes #4969.
-
diff --git a/ChangeLog.d/fix-cipher-output-size-macros.txt b/ChangeLog.d/fix-cipher-output-size-macros.txt
deleted file mode 100644
index 4a4b971..0000000
--- a/ChangeLog.d/fix-cipher-output-size-macros.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
- PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
-
diff --git a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt b/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt
deleted file mode 100644
index 6dc4724..0000000
--- a/ChangeLog.d/fix-mbedtls_cipher_crypt-aes-ecb.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
diff --git a/ChangeLog.d/fix-needed-shared-libraries-linux.txt b/ChangeLog.d/fix-needed-shared-libraries-linux.txt
deleted file mode 100644
index 74ad3bc..0000000
--- a/ChangeLog.d/fix-needed-shared-libraries-linux.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
- not to list other shared libraries they need.
diff --git a/ChangeLog.d/fix-pkcs12-null-password.txt b/ChangeLog.d/fix-pkcs12-null-password.txt
deleted file mode 100644
index fae8195..0000000
--- a/ChangeLog.d/fix-pkcs12-null-password.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix a potential invalid pointer dereference and infinite loop bugs in
- pkcs12 functions when the password is empty. Fix the documentation to
- better describe the inputs to these functions and their possible values.
- Fixes #5136.
diff --git a/ChangeLog.d/fix-psa_gen_key-status.txt b/ChangeLog.d/fix-psa_gen_key-status.txt
deleted file mode 100644
index 7860988..0000000
--- a/ChangeLog.d/fix-psa_gen_key-status.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
diff --git a/ChangeLog.d/fix_compilation_ssl_tests.txt b/ChangeLog.d/fix_compilation_ssl_tests.txt
deleted file mode 100644
index 202e5c4..0000000
--- a/ChangeLog.d/fix_compilation_ssl_tests.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix an uninitialized variable warning in test_suite_ssl.function with GCC
- version 11.
diff --git a/ChangeLog.d/issue4630.txt b/ChangeLog.d/issue4630.txt
deleted file mode 100644
index 0bc4b99..0000000
--- a/ChangeLog.d/issue4630.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Stop using reserved identifiers as local variables. Fixes #4630.
diff --git a/ChangeLog.d/issue5065.txt b/ChangeLog.d/issue5065.txt
deleted file mode 100644
index 943ee47..0000000
--- a/ChangeLog.d/issue5065.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix compile-time or run-time errors in PSA
- AEAD functions when ChachaPoly is disabled. Fixes #5065.
diff --git a/ChangeLog.d/mac-zeroize.txt b/ChangeLog.d/mac-zeroize.txt
deleted file mode 100644
index a43e34f..0000000
--- a/ChangeLog.d/mac-zeroize.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Security
- * Zeroize several intermediate variables used to calculate the expected
- value when verifying a MAC or AEAD tag. This hardens the library in
- case the value leaks through a memory disclosure vulnerability. For
- example, a memory disclosure vulnerability could have allowed a
- man-in-the-middle to inject fake ciphertext into a DTLS connection.
diff --git a/ChangeLog.d/makefile-python-windows.txt b/ChangeLog.d/makefile-python-windows.txt
deleted file mode 100644
index 57ccc1a..0000000
--- a/ChangeLog.d/makefile-python-windows.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bugfix
- * The GNU makefiles invoke python3 in preference to python except on Windows.
- The check was accidentally not performed when cross-compiling for Windows
- on Linux. Fix this. Fixes #4774.
diff --git a/ChangeLog.d/muladdc-memory.txt b/ChangeLog.d/muladdc-memory.txt
deleted file mode 100644
index 218be5a..0000000
--- a/ChangeLog.d/muladdc-memory.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix missing constraints on x86_64 and aarch64 assembly code
- for bignum multiplication that broke some bignum operations with
- (at least) Clang 12.
- Fixes #4116, #4786, #4917, #4962.
diff --git a/ChangeLog.d/no-strerror.txt b/ChangeLog.d/no-strerror.txt
deleted file mode 100644
index 69743a8..0000000
--- a/ChangeLog.d/no-strerror.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
- MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
diff --git a/ChangeLog.d/psa_alg_rsa_pss.txt b/ChangeLog.d/psa_alg_rsa_pss.txt
deleted file mode 100644
index 5c6048f..0000000
--- a/ChangeLog.d/psa_alg_rsa_pss.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
- This algorithm now accepts only the same salt length for verification
- that it produces when signing, as documented. Use the new algorithm
- PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
diff --git a/ChangeLog.d/psa_cipher_update_ecp.txt b/ChangeLog.d/psa_cipher_update_ecp.txt
deleted file mode 100644
index 1c3fbc6..0000000
--- a/ChangeLog.d/psa_cipher_update_ecp.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bugfix
- * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
diff --git a/ChangeLog.d/psa_crypto_api_macros.txt b/ChangeLog.d/psa_crypto_api_macros.txt
deleted file mode 100644
index ff53e33..0000000
--- a/ChangeLog.d/psa_crypto_api_macros.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Features
- * Add missing PSA macros declared by PSA Crypto API 1.0.0:
- PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
-
-Bugfix
- * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
- for algorithm values that fully encode the hashing step, as per the PSA
- Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
- PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
- all algorithms that can be used with psa_{sign,verify}_hash(), including
- these two.
diff --git a/ChangeLog.d/psa_curve448_key_support.txt b/ChangeLog.d/psa_curve448_key_support.txt
deleted file mode 100644
index d1870ed..0000000
--- a/ChangeLog.d/psa_curve448_key_support.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * Enable support for Curve448 via the PSA API. Contributed by
- Archana Madhavan in #4626. Fixes #3399 and #4249.
diff --git a/ChangeLog.d/psa_gcm_buffer_limitation.txt b/ChangeLog.d/psa_gcm_buffer_limitation.txt
deleted file mode 100644
index 0c07e24..0000000
--- a/ChangeLog.d/psa_gcm_buffer_limitation.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-Bugfix
- * Remove PSA'a AEAD finish/verify output buffer limitation for GCM.
- The requirement of minimum 15 bytes for output buffer in
- psa_aead_finish() and psa_aead_verify() does not apply to the built-in
- implementation of GCM.
- * Move GCM's update output buffer length verification from PSA AEAD to
- the built-in implementation of the GCM.
- The requirement for output buffer size to be equal or greater then
- input buffer size is valid only for the built-in implementation of GCM.
- Alternative GCM implementations can process whole blocks only.
-
-API changes
- * New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
- Alternative GCM implementations are expected to verify
- the length of the provided output buffers and to return the
- MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
diff --git a/ChangeLog.d/remove-greentea-support.txt b/ChangeLog.d/remove-greentea-support.txt
deleted file mode 100644
index af4df4b..0000000
--- a/ChangeLog.d/remove-greentea-support.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Removals
- * Remove the partial support for running unit tests via Greentea on Mbed OS,
- which had been unmaintained since 2018.
diff --git a/ChangeLog.d/remove-ssl-export-keys.txt b/ChangeLog.d/remove-ssl-export-keys.txt
deleted file mode 100644
index 1a4b31d..0000000
--- a/ChangeLog.d/remove-ssl-export-keys.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the
- code size by about 80B on an M0 build. This option only gated an ability
- to set a callback, but was deemed unnecessary as it was yet another define
- to remember when writing tests, or test configurations. Fixes #4653.
diff --git a/ChangeLog.d/session_export_private.txt b/ChangeLog.d/session_export_private.txt
deleted file mode 100644
index 5475824..0000000
--- a/ChangeLog.d/session_export_private.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Changes
- * Explicitly mark the fields mbedtls_ssl_session.exported and
- mbedtls_ssl_config.respect_cli_pref as private. This was an
- oversight during the run-up to the release of Mbed TLS 3.0.
- The fields were never intended to be public.
diff --git a/ChangeLog.d/tls13-mvp.txt b/ChangeLog.d/tls13-mvp.txt
deleted file mode 100644
index 2dd48cc..0000000
--- a/ChangeLog.d/tls13-mvp.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Features
- * Mbed TLS provides a minimum viable implementation of the TLS 1.3
- protocol. See docs/architecture/tls13-support.md for the definition of
- the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3
- configuration option controls the enablement of the support. The APIs
- mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow
- to select the 1.3 version of the protocol to establish a TLS connection.
diff --git a/ChangeLog.d/tls_ext_cid-config.txt b/ChangeLog.d/tls_ext_cid-config.txt
deleted file mode 100644
index b7b1e72..0000000
--- a/ChangeLog.d/tls_ext_cid-config.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Features
- * The identifier of the CID TLS extension can be configured by defining
- MBEDTLS_TLS_EXT_CID at compile time.
diff --git a/ChangeLog.d/twos_complement_representation.txt b/ChangeLog.d/twos_complement_representation.txt
deleted file mode 100644
index fa49859..0000000
--- a/ChangeLog.d/twos_complement_representation.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Requirement changes
- * Sign-magnitude and one's complement representations for signed integers are
- not supported. Two's complement is the only supported representation.
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index 4ff18a3..1c2be1a 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -22,7 +22,7 @@
*/
/**
- * @mainpage mbed TLS v3.0.0 source code documentation
+ * @mainpage mbed TLS v3.1.0 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 7a214c9..ea7afca 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
-PROJECT_NAME = "mbed TLS v3.0.0"
+PROJECT_NAME = "mbed TLS v3.1.0"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index 23f85ba..cef6566 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -37,7 +37,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 3
-#define MBEDTLS_VERSION_MINOR 0
+#define MBEDTLS_VERSION_MINOR 1
#define MBEDTLS_VERSION_PATCH 0
/**
@@ -45,9 +45,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x03000000
-#define MBEDTLS_VERSION_STRING "3.0.0"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.0.0"
+#define MBEDTLS_VERSION_NUMBER 0x03010000
+#define MBEDTLS_VERSION_STRING "3.1.0"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 3.1.0"
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
#define _CRT_SECURE_NO_DEPRECATE 1
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index add0784..1884db9 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -245,7 +245,7 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(${mbedcrypto_target} SHARED ${src_crypto})
- set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.0.0 SOVERSION 10)
+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.1.0 SOVERSION 11)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
if(TARGET everest)
@@ -253,11 +253,11 @@
endif()
add_library(${mbedx509_target} SHARED ${src_x509})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.0.0 SOVERSION 4)
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.1.0 SOVERSION 4)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.0.0 SOVERSION 16)
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.1.0 SOVERSION 17)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)
diff --git a/library/Makefile b/library/Makefile
index b936c23..0b5a43a 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -47,9 +47,9 @@
endif
endif
-SOEXT_TLS=so.16
+SOEXT_TLS=so.17
SOEXT_X509=so.4
-SOEXT_CRYPTO=so.10
+SOEXT_CRYPTO=so.11
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
# the - prefix for command line options (e.g. llvm-ar)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f257651..829ed45 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3362,8 +3362,8 @@
size_t *iv_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-
- *iv_length = 0;
+ uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
+ size_t default_iv_length;
if( operation->id == 0 )
{
@@ -3377,28 +3377,38 @@
goto exit;
}
- if( iv_size < operation->default_iv_length )
+ default_iv_length = operation->default_iv_length;
+ if( iv_size < default_iv_length )
{
status = PSA_ERROR_BUFFER_TOO_SMALL;
goto exit;
}
- status = psa_generate_random( iv, operation->default_iv_length );
+ if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE )
+ {
+ status = PSA_ERROR_GENERIC_ERROR;
+ goto exit;
+ }
+
+ status = psa_generate_random( local_iv, default_iv_length );
if( status != PSA_SUCCESS )
goto exit;
status = psa_driver_wrapper_cipher_set_iv( operation,
- iv,
- operation->default_iv_length );
+ local_iv, default_iv_length );
exit:
if( status == PSA_SUCCESS )
{
+ memcpy( iv, local_iv, default_iv_length );
+ *iv_length = default_iv_length;
operation->iv_set = 1;
- *iv_length = operation->default_iv_length;
}
else
+ {
+ *iv_length = 0;
psa_cipher_abort( operation );
+ }
return( status );
}
@@ -3539,50 +3549,67 @@
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
- psa_key_type_t key_type;
- size_t iv_length;
-
- *output_length = 0;
+ psa_key_slot_t *slot = NULL;
+ uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE];
+ size_t default_iv_length = 0;
if( ! PSA_ALG_IS_CIPHER( alg ) )
- return( PSA_ERROR_INVALID_ARGUMENT );
+ {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
status = psa_get_and_lock_key_slot_with_policy( key, &slot,
PSA_KEY_USAGE_ENCRYPT,
alg );
if( status != PSA_SUCCESS )
- return( status );
+ goto exit;
psa_key_attributes_t attributes = {
.core = slot->attr
};
- key_type = slot->attr.type;
- iv_length = PSA_CIPHER_IV_LENGTH( key_type, alg );
-
- if( iv_length > 0 )
+ default_iv_length = PSA_CIPHER_IV_LENGTH( slot->attr.type, alg );
+ if( default_iv_length > PSA_CIPHER_IV_MAX_SIZE )
{
- if( output_size < iv_length )
+ status = PSA_ERROR_GENERIC_ERROR;
+ goto exit;
+ }
+
+ if( default_iv_length > 0 )
+ {
+ if( output_size < default_iv_length )
{
status = PSA_ERROR_BUFFER_TOO_SMALL;
goto exit;
}
- status = psa_generate_random( output, iv_length );
+ status = psa_generate_random( local_iv, default_iv_length );
if( status != PSA_SUCCESS )
goto exit;
}
status = psa_driver_wrapper_cipher_encrypt(
&attributes, slot->key.data, slot->key.bytes,
- alg, input, input_length,
- output, output_size, output_length );
+ alg, local_iv, default_iv_length, input, input_length,
+ output + default_iv_length, output_size - default_iv_length,
+ output_length );
exit:
unlock_status = psa_unlock_key_slot( slot );
+ if( status == PSA_SUCCESS )
+ status = unlock_status;
- return( ( status == PSA_SUCCESS ) ? unlock_status : status );
+ if( status == PSA_SUCCESS )
+ {
+ if( default_iv_length > 0 )
+ memcpy( output, local_iv, default_iv_length );
+ *output_length += default_iv_length;
+ }
+ else
+ *output_length = 0;
+
+ return( status );
}
psa_status_t psa_cipher_decrypt( mbedtls_svc_key_id_t key,
@@ -3595,18 +3622,19 @@
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
- psa_key_slot_t *slot;
-
- *output_length = 0;
+ psa_key_slot_t *slot = NULL;
if( ! PSA_ALG_IS_CIPHER( alg ) )
- return( PSA_ERROR_INVALID_ARGUMENT );
+ {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
status = psa_get_and_lock_key_slot_with_policy( key, &slot,
PSA_KEY_USAGE_DECRYPT,
alg );
if( status != PSA_SUCCESS )
- return( status );
+ goto exit;
psa_key_attributes_t attributes = {
.core = slot->attr
@@ -3630,8 +3658,13 @@
exit:
unlock_status = psa_unlock_key_slot( slot );
+ if( status == PSA_SUCCESS )
+ status = unlock_status;
- return( ( status == PSA_SUCCESS ) ? unlock_status : status );
+ if( status != PSA_SUCCESS )
+ *output_length = 0;
+
+ return( status );
}
@@ -3885,6 +3918,7 @@
size_t *nonce_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ uint8_t local_nonce[PSA_AEAD_NONCE_MAX_SIZE];
size_t required_nonce_size;
*nonce_length = 0;
@@ -3918,15 +3952,18 @@
goto exit;
}
- status = psa_generate_random( nonce, required_nonce_size );
+ status = psa_generate_random( local_nonce, required_nonce_size );
if( status != PSA_SUCCESS )
goto exit;
- status = psa_aead_set_nonce( operation, nonce, required_nonce_size );
+ status = psa_aead_set_nonce( operation, local_nonce, required_nonce_size );
exit:
if( status == PSA_SUCCESS )
+ {
+ memcpy( nonce, local_nonce, required_nonce_size );
*nonce_length = required_nonce_size;
+ }
else
psa_aead_abort( operation );
diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c
index 09bd28c..ae30e5f 100644
--- a/library/psa_crypto_cipher.c
+++ b/library/psa_crypto_cipher.c
@@ -449,6 +449,8 @@
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,
@@ -457,7 +459,7 @@
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_psa_cipher_operation_t operation = MBEDTLS_PSA_CIPHER_OPERATION_INIT;
- size_t olength, accumulated_length;
+ size_t update_output_length, finish_output_length;
status = mbedtls_psa_cipher_encrypt_setup( &operation, attributes,
key_buffer, key_buffer_size,
@@ -465,33 +467,27 @@
if( status != PSA_SUCCESS )
goto exit;
- accumulated_length = 0;
- if( operation.iv_length > 0 )
+ if( iv_length > 0 )
{
- status = mbedtls_psa_cipher_set_iv( &operation,
- output, operation.iv_length );
+ status = mbedtls_psa_cipher_set_iv( &operation, iv, iv_length );
if( status != PSA_SUCCESS )
goto exit;
-
- accumulated_length = operation.iv_length;
}
status = mbedtls_psa_cipher_update( &operation, input, input_length,
- output + operation.iv_length,
- output_size - operation.iv_length,
- &olength );
+ output, output_size,
+ &update_output_length );
if( status != PSA_SUCCESS )
goto exit;
- accumulated_length += olength;
-
- status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length,
- output_size - accumulated_length,
- &olength );
+ status = mbedtls_psa_cipher_finish( &operation,
+ output + update_output_length,
+ output_size - update_output_length,
+ &finish_output_length );
if( status != PSA_SUCCESS )
goto exit;
- *output_length = accumulated_length + olength;
+ *output_length = update_output_length + finish_output_length;
exit:
if( status == PSA_SUCCESS )
diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h
index bb4657d..fae9847 100644
--- a/library/psa_crypto_cipher.h
+++ b/library/psa_crypto_cipher.h
@@ -213,16 +213,12 @@
* \param[in] alg The cipher algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_CIPHER(\p alg) is true).
- * \param[in] input Buffer containing the message to encrypt.
- * \param[in] input_length Size of the \p input buffer in bytes.
+ * \param[in] iv Buffer containing the IV for encryption. The
+ * IV has been generated by the core.
+ * \param[in] iv_length Size of the \p iv in bytes.
+ * \param[in] input Buffer containing the message to encrypt.
+ * \param[in] input_length Size of the \p input buffer in bytes.
* \param[in,out] output Buffer where the output is to be written.
- * The core has generated and written the IV
- * at the beginning of this buffer before
- * this function is called. The size of the IV
- * is PSA_CIPHER_IV_LENGTH( key_type, alg ) where
- * \c key_type is the type of the key identified
- * by \p key and \p alg is the cipher algorithm
- * to compute.
* \param[in] output_size Size of the \p output buffer in bytes.
* \param[out] output_length On success, the number of bytes that make up
* the returned output. Initialized to zero
@@ -235,7 +231,7 @@
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * The size of \p iv is not acceptable for the chosen algorithm,
+ * The size \p iv_length is not acceptable for the chosen algorithm,
* or the chosen algorithm does not use an IV.
* The total input size passed to this operation is not valid for
* this particular algorithm. For example, the algorithm is a based
@@ -249,6 +245,8 @@
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,
diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c
index 9679715..8d86478 100644
--- a/library/psa_crypto_driver_wrappers.c
+++ b/library/psa_crypto_driver_wrappers.c
@@ -873,6 +873,8 @@
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,
@@ -894,6 +896,8 @@
key_buffer,
key_buffer_size,
alg,
+ iv,
+ iv_length,
input,
input_length,
output,
@@ -910,6 +914,8 @@
key_buffer,
key_buffer_size,
alg,
+ iv,
+ iv_length,
input,
input_length,
output,
@@ -927,6 +933,8 @@
key_buffer,
key_buffer_size,
alg,
+ iv,
+ iv_length,
input,
input_length,
output,
@@ -941,6 +949,8 @@
(void)key_buffer;
(void)key_buffer_size;
(void)alg;
+ (void)iv;
+ (void)iv_length;
(void)input;
(void)input_length;
(void)output;
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
index 6026b82..e09e4ed 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
@@ -119,6 +119,8 @@
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,
diff --git a/tests/include/test/drivers/cipher.h b/tests/include/test/drivers/cipher.h
index 142f3b7..33a5e66 100644
--- a/tests/include/test/drivers/cipher.h
+++ b/tests/include/test/drivers/cipher.h
@@ -53,6 +53,7 @@
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
psa_algorithm_t alg,
+ const uint8_t *iv, size_t iv_length,
const uint8_t *input, size_t input_length,
uint8_t *output, size_t output_size, size_t *output_length);
@@ -98,6 +99,7 @@
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
psa_algorithm_t alg,
+ const uint8_t *iv, size_t iv_length,
const uint8_t *input, size_t input_length,
uint8_t *output, size_t output_size, size_t *output_length);
diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c
index 3d1efb8..3536408 100644
--- a/tests/src/drivers/test_driver_cipher.c
+++ b/tests/src/drivers/test_driver_cipher.c
@@ -44,6 +44,8 @@
const uint8_t *key_buffer,
size_t key_buffer_size,
psa_algorithm_t alg,
+ const uint8_t *iv,
+ size_t iv_length,
const uint8_t *input,
size_t input_length,
uint8_t *output,
@@ -68,19 +70,17 @@
if( mbedtls_test_driver_cipher_hooks.forced_status != PSA_SUCCESS )
return( mbedtls_test_driver_cipher_hooks.forced_status );
- psa_generate_random( output, PSA_CIPHER_IV_LENGTH( attributes->core.type, alg ) );
-
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1) && \
defined(LIBTESTDRIVER1_MBEDTLS_PSA_BUILTIN_CIPHER)
return( libtestdriver1_mbedtls_psa_cipher_encrypt(
(const libtestdriver1_psa_key_attributes_t *)attributes,
key_buffer, key_buffer_size,
- alg, input, input_length,
+ alg, iv, iv_length, input, input_length,
output, output_size, output_length ) );
#elif defined(MBEDTLS_PSA_BUILTIN_CIPHER)
return( mbedtls_psa_cipher_encrypt(
attributes, key_buffer, key_buffer_size,
- alg, input, input_length,
+ alg, iv, iv_length, input, input_length,
output, output_size, output_length ) );
#endif
@@ -314,6 +314,7 @@
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
psa_algorithm_t alg,
+ const uint8_t *iv, size_t iv_length,
const uint8_t *input, size_t input_length,
uint8_t *output, size_t output_size, size_t *output_length)
{
@@ -321,6 +322,8 @@
(void) key;
(void) key_length;
(void) alg;
+ (void) iv;
+ (void) iv_length;
(void) input;
(void) input_length;
(void) output;
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index b6222b9..638a85c 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -2907,6 +2907,9 @@
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_type_t key_type = key_type_arg;
psa_algorithm_t alg = alg_arg;
+ psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
+ uint8_t iv[1] = { 0x5a };
+ size_t iv_length;
unsigned char *output = NULL;
size_t output_buffer_size = 0;
size_t output_length = 0;
@@ -2924,6 +2927,14 @@
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&key ) );
+ PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
+ TEST_EQUAL( psa_cipher_set_iv( &operation, iv, sizeof( iv ) ),
+ PSA_ERROR_BAD_STATE );
+ PSA_ASSERT( psa_cipher_encrypt_setup( &operation, key, alg ) );
+ TEST_EQUAL( psa_cipher_generate_iv( &operation, iv, sizeof( iv ),
+ &iv_length ),
+ PSA_ERROR_BAD_STATE );
+
PSA_ASSERT( psa_cipher_encrypt( key, alg, input->x, input->len, output,
output_buffer_size, &output_length ) );
TEST_ASSERT( output_length <=
diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
index 8b7f413..64adba9 100644
--- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function
+++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function
@@ -872,6 +872,39 @@
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&key ) );
+ /*
+ * Test encrypt failure
+ * First test that if we don't force a driver error, encryption is
+ * successfull, then force driver error.
+ */
+ status = psa_cipher_encrypt(
+ key, alg, input->x, input->len,
+ output, output_buffer_size, &function_output_length );
+ TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 );
+ TEST_EQUAL( status, PSA_SUCCESS );
+ mbedtls_test_driver_cipher_hooks.hits = 0;
+
+ mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR;
+ /* Set the output buffer in a given state. */
+ for( size_t i = 0; i < output_buffer_size; i++ )
+ output[i] = 0xa5;
+
+ status = psa_cipher_encrypt(
+ key, alg, input->x, input->len,
+ output, output_buffer_size, &function_output_length );
+ TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 1 );
+ TEST_EQUAL( status, PSA_ERROR_GENERIC_ERROR );
+ /*
+ * Check that the output buffer is still in the same state.
+ * This will fail if the output buffer is used by the core to pass the IV
+ * it generated to the driver (and is not restored).
+ */
+ for( size_t i = 0; i < output_buffer_size; i++ )
+ {
+ TEST_EQUAL( output[i], 0xa5 );
+ }
+ mbedtls_test_driver_cipher_hooks.hits = 0;
+
/* Test setup call, encrypt */
mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR;
status = psa_cipher_encrypt_setup( &operation, key, alg );
@@ -923,10 +956,23 @@
mbedtls_test_driver_cipher_hooks.hits = 0;
mbedtls_test_driver_cipher_hooks.forced_status = PSA_ERROR_GENERIC_ERROR;
+ /* Set the output buffer in a given state. */
+ for( size_t i = 0; i < 16; i++ )
+ output[i] = 0xa5;
+
status = psa_cipher_generate_iv( &operation, output, 16, &function_output_length );
/* When generating the IV fails, it should call abort too */
TEST_EQUAL( mbedtls_test_driver_cipher_hooks.hits, 2 );
TEST_EQUAL( status, mbedtls_test_driver_cipher_hooks.forced_status );
+ /*
+ * Check that the output buffer is still in the same state.
+ * This will fail if the output buffer is used by the core to pass the IV
+ * it generated to the driver (and is not restored).
+ */
+ for( size_t i = 0; i < 16; i++ )
+ {
+ TEST_EQUAL( output[i], 0xa5 );
+ }
/* Failure should prevent further operations from executing on the driver */
mbedtls_test_driver_cipher_hooks.hits = 0;
status = psa_cipher_update( &operation,
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 0b5e426..0ce4a2e 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compiletime library version
-check_compiletime_version:"3.0.0"
+check_compiletime_version:"3.1.0"
Check runtime library version
-check_runtime_version:"3.0.0"
+check_runtime_version:"3.1.0"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0