Merge pull request #10064 from davidhorstmann-arm/update-3.0-migration-guide-3.6
[Backport 3.6] Update the 3.0 migration guide
diff --git a/ChangeLog.d/fix-key-derive-bad-state-error.txt b/ChangeLog.d/fix-key-derive-bad-state-error.txt
new file mode 100644
index 0000000..0bccf77
--- /dev/null
+++ b/ChangeLog.d/fix-key-derive-bad-state-error.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix issue where psa_key_derivation_input_integer() is not detecting
+ bad state after an operation has been aborted.
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index ebc9276..e16f31a 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1807,6 +1807,11 @@
* running handshake hash) only use PSA crypto if
* #MBEDTLS_USE_PSA_CRYPTO is enabled.
*
+ * \note In multithreaded applications, you must also enable
+ * #MBEDTLS_THREADING_C, even if individual TLS contexts are not
+ * shared between threads, unless only one thread ever calls
+ * TLS functions.
+ *
* Uncomment this macro to enable the support for TLS 1.3.
*/
#define MBEDTLS_SSL_PROTO_TLS1_3
@@ -2125,6 +2130,10 @@
* before calling any function from the SSL/TLS, X.509 or PK modules, except
* for the various mbedtls_xxx_init() functions which can be called at any time.
*
+ * \warning In multithreaded applications, you must also enable
+ * #MBEDTLS_THREADING_C, unless only one thread ever calls PSA functions
+ * (`psa_xxx()`), including indirect calls through SSL/TLS, X.509 or PK.
+ *
* \note An important and desirable effect of this option is that it allows
* PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling
* this option is what allows use of drivers for ECDSA, ECDH and EC J-PAKE in
@@ -3211,7 +3220,18 @@
/**
* \def MBEDTLS_PSA_CRYPTO_C
*
- * Enable the Platform Security Architecture cryptography API.
+ * Enable the Platform Security Architecture (PSA) cryptography API.
+ *
+ * \note In multithreaded applications, you must enable #MBEDTLS_THREADING_C,
+ * unless only one thread ever calls `psa_xxx()` functions.
+ * That includes indirect calls, such as:
+ * - performing a TLS handshake if support for TLS 1.3 is enabled;
+ * - using a TLS 1.3 connection;
+ * - indirect calls from PK, X.509 or SSL functions when
+ * #MBEDTLS_USE_PSA_CRYPTO is enabled;
+ * - indirect calls to calculate a hash when #MBEDTLS_MD_C is disabled;
+ * - any other call to a function that requires calling psa_crypto_init()
+ * beforehand.
*
* Module: library/psa_crypto.c
*
@@ -3631,10 +3651,38 @@
* \def MBEDTLS_THREADING_C
*
* Enable the threading abstraction layer.
- * By default Mbed TLS assumes it is used in a non-threaded environment or that
- * contexts are not shared between threads. If you do intend to use contexts
+ *
+ * Traditionally, Mbed TLS assumes it is used in a non-threaded environment or
+ * that contexts are not shared between threads. If you do intend to use contexts
* between threads, you will need to enable this layer to prevent race
- * conditions. See also our Knowledge Base article about threading:
+ * conditions.
+ *
+ * The PSA subsystem has an implicit shared context. Therefore, you must
+ * enable this option if more than one thread may use any part of
+ * Mbed TLS that is implemented on top of the PSA subsystem.
+ *
+ * You must enable this option in multithreaded applications where more than
+ * one thread performs any of the following operations:
+ *
+ * - Any call to a PSA function (`psa_xxx()`).
+ * - Any call to a TLS, X.509 or PK function (`mbedtls_ssl_xxx()`,
+ * `mbedtls_x509_xxx()`, `mbedtls_pkcs7_xxx()`, `mbedtls_pk_xxx()`)
+ * if `MBEDTLS_USE_PSA_CRYPTO` is enabled (regardless of whether individual
+ * TLS, X.509 or PK contexts are shared between threads).
+ * - A TLS 1.3 connection, regardless of the compile-time configuration.
+ * - Any library feature that calculates a hash, if `MBEDTLS_MD_C` is disabled.
+ * As an exception, algorithm-specific low-level modules do not require
+ * threading protection unless the contexts are shared between threads.
+ * - Any library feature that performs symmetric encryption or decryption,
+ * if `MBEDTLS_CIPHER_C` is disabled.
+ * As an exception, algorithm-specific low-level modules do not require
+ * threading protection unless the contexts are shared between threads.
+ * - Any use of a cryptographic context if the same context is used in
+ * multiple threads.
+ * - Any call to a function where the documentation specifies that
+ * psa_crypto_init() must be called prior to that function.
+ *
+ * See also our Knowledge Base article about threading:
* https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
*
* Module: library/threading.c
diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h
index 85c1197..8e69bc0 100644
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@@ -229,7 +229,7 @@
/**
* \brief Write at most 'len' characters. If no error occurs,
- * the actual amount read is returned.
+ * the actual amount written is returned.
*
* \param ctx Socket
* \param buf The buffer to read from
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index b576f95..3ec92cc 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -7488,6 +7488,12 @@
psa_status_t status;
psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+ if (kdf_alg == PSA_ALG_NONE) {
+ /* This is a blank or aborted operation. */
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
status = psa_key_derivation_check_input_type(step, key_type);
if (status != PSA_SUCCESS) {
goto exit;
@@ -7546,6 +7552,12 @@
psa_status_t status;
psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+ if (kdf_alg == PSA_ALG_NONE) {
+ /* This is a blank or aborted operation. */
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
#if defined(PSA_HAVE_SOFT_PBKDF2)
if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
status = psa_pbkdf2_set_input_cost(
@@ -7559,6 +7571,7 @@
status = PSA_ERROR_INVALID_ARGUMENT;
}
+exit:
if (status != PSA_SUCCESS) {
psa_key_derivation_abort(operation);
}
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index 8c53fdc..038d912 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -5567,11 +5567,11 @@
PSA key derivation: PBKDF2-HMAC-SHA256, salt and password before cost
depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
-derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
PSA key derivation: PBKDF2-HMAC-SHA256, password before cost
depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
-derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+derive_input:PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
PSA key derivation: PBKDF2-HMAC-SHA256, password bad key type
depends_on:PSA_WANT_ALG_PBKDF2_HMAC:PSA_WANT_ALG_SHA_256
@@ -5643,11 +5643,11 @@
PSA key derivation: PBKDF2-AES-CMAC-PRF-128, salt and password before cost
depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES
-derive_input:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+derive_input:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
PSA key derivation: PBKDF2-AES-CMAC-PRF-128, password before cost
depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES
-derive_input:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_INVALID_ARGUMENT:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+derive_input:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_PASSWORD:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
PSA key derivation: PBKDF2-AES-CMAC-PRF-128, password bad key type
depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES
@@ -5697,6 +5697,10 @@
depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES
derive_input_invalid_cost:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_VENDOR_PBKDF2_MAX_ITERATIONS+1ULL
+PSA key derivation: reject calling input functions without calling setup
+depends_on:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_NONE:PSA_KEY_DERIVATION_INPUT_COST:INPUT_INTEGER:"01":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"73616c74":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_PASSWORD:PSA_KEY_TYPE_NONE:"706173737764":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
PSA key derivation over capacity: HKDF
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_over_capacity:PSA_ALG_HKDF(PSA_ALG_SHA_256)
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 94bf28b..da6c1c4 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -8839,7 +8839,9 @@
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
psa_set_key_algorithm(&attributes, alg);
- PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
+ if (alg != PSA_ALG_NONE) {
+ PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
+ }
for (i = 0; i < ARRAY_LENGTH(steps); i++) {
mbedtls_test_set_step(i);