Merge pull request #1325 from Mbed-TLS/pre-2.28.9-upstream-merge
Merge upstream/mbedtls2.28 into mbedtls2.28-restricted
diff --git a/3rdparty/everest/include/everest/kremlin/c_endianness.h b/3rdparty/everest/include/everest/kremlin/c_endianness.h
index 5cfde5d..1b0d0eb 100644
--- a/3rdparty/everest/include/everest/kremlin/c_endianness.h
+++ b/3rdparty/everest/include/everest/kremlin/c_endianness.h
@@ -7,6 +7,8 @@
#include <string.h>
#include <inttypes.h>
+#include "kremlin/internal/callconv.h"
+
/******************************************************************************/
/* Implementing C.fst (part 2: endian-ness macros) */
/******************************************************************************/
diff --git a/3rdparty/everest/include/everest/kremlin/internal/callconv.h b/3rdparty/everest/include/everest/kremlin/internal/callconv.h
index bf631ff..8ff8ca5 100644
--- a/3rdparty/everest/include/everest/kremlin/internal/callconv.h
+++ b/3rdparty/everest/include/everest/kremlin/internal/callconv.h
@@ -27,8 +27,10 @@
/* Since KreMLin emits the inline keyword unconditionally, we follow the
* guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this
* __inline__ to ensure the code compiles with -std=c90 and earlier. */
-#ifdef __GNUC__
+#if defined(__GNUC__)
# define inline __inline__
+#elif defined(_MSC_VER)
+# define inline __inline
#endif
/* GCC-specific attribute syntax; everyone else gets the standard C inline
diff --git a/3rdparty/everest/include/everest/vs2010/inttypes.h b/3rdparty/everest/include/everest/vs2010/inttypes.h
deleted file mode 100644
index 77003be..0000000
--- a/3rdparty/everest/include/everest/vs2010/inttypes.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Custom inttypes.h for VS2010 KreMLin requires these definitions,
- * but VS2010 doesn't provide them.
- *
- * Copyright 2016-2018 INRIA and Microsoft Corporation
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
- */
-
-#ifndef _INTTYPES_H_VS2010
-#define _INTTYPES_H_VS2010
-
-#include <stdint.h>
-
-#ifdef _MSC_VER
-#define inline __inline
-#endif
-
-/* VS2010 unsigned long == 8 bytes */
-
-#define PRIu64 "I64u"
-
-#endif
diff --git a/3rdparty/everest/include/everest/vs2010/stdbool.h b/3rdparty/everest/include/everest/vs2010/stdbool.h
deleted file mode 100644
index dcae6d8..0000000
--- a/3rdparty/everest/include/everest/vs2010/stdbool.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Custom stdbool.h for VS2010 KreMLin requires these definitions,
- * but VS2010 doesn't provide them.
- *
- * Copyright 2016-2018 INRIA and Microsoft Corporation
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
- */
-
-#ifndef _STDBOOL_H_VS2010
-#define _STDBOOL_H_VS2010
-
-typedef int bool;
-
-static bool true = 1;
-static bool false = 0;
-
-#endif
diff --git a/ChangeLog.d/fix-key-derive-bad-state-error.txt b/ChangeLog.d/fix-key-derive-bad-state-error.txt
new file mode 100644
index 0000000..0bccf77
--- /dev/null
+++ b/ChangeLog.d/fix-key-derive-bad-state-error.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix issue where psa_key_derivation_input_integer() is not detecting
+ bad state after an operation has been aborted.
diff --git a/ChangeLog.d/fix-msvc-version-guard-format-zu.txt b/ChangeLog.d/fix-msvc-version-guard-format-zu.txt
new file mode 100644
index 0000000..2713f6c
--- /dev/null
+++ b/ChangeLog.d/fix-msvc-version-guard-format-zu.txt
@@ -0,0 +1,9 @@
+Bugfix
+ * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
+ occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
+ with Visual Studio 2013 or MinGW.
+ Fixes #10017.
+ * Remove Everest Visual Studio 2010 compatibility headers, which could
+ shadow standard CRT headers inttypes.h and stdbool.h with incomplete
+ implementatios if placed on the include path, eg. when building Mbed TLS
+ with the .sln file shipped with the project.
diff --git a/SECURITY.md b/SECURITY.md
index 732335b..d6c8f43 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -135,3 +135,22 @@
- Use cryptographic mechanisms that are not based on block ciphers. In
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
+
+#### Formatting of X.509 certificates and certificate signing requests
+
+When parsing X.509 certificates and certificate signing requests (CSRs),
+Mbed TLS does not check that they are strictly compliant with X.509 and other
+relevant standards. In the case of signed certificates, the signing party is
+assumed to have performed this validation (and the certificate is trusted to
+be correctly formatted as long as the signature is correct).
+Similarly, CSRs are implicitly trusted by Mbed TLS to be standards-compliant.
+
+**Warning!** Mbed TLS must not be used to sign untrusted CSRs unless extra
+validation is performed separately to ensure that they are compliant to the
+relevant specifications. This makes Mbed TLS on its own unsuitable for use in
+a Certificate Authority (CA).
+
+However, Mbed TLS aims to protect against memory corruption and other
+undefined behavior when parsing certificates and CSRs. If a CSR or signed
+certificate causes undefined behavior when it is parsed by Mbed TLS, that
+is considered a security vulnerability.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 9590dd3..a67eb60 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2330,6 +2330,10 @@
* That is, the APIs enabled by this option are not covered by the usual
* promises of API stability.
*
+ * \warning In multithreaded applications, you must also enable
+ * #MBEDTLS_THREADING_C, unless only one thread ever calls PSA functions
+ * (`psa_xxx()`), including indirect calls through SSL/TLS, X.509 or PK.
+ *
* Requires: MBEDTLS_PSA_CRYPTO_C.
*
* Uncomment this to enable internal use of PSA Crypto and new associated APIs.
@@ -3429,6 +3433,14 @@
*
* Enable the Platform Security Architecture cryptography API.
*
+ * \note In multithreaded applications, you must enable #MBEDTLS_THREADING_C,
+ * unless only one thread ever calls `psa_xxx()` functions.
+ * That includes indirect calls, such as:
+ * - indirect calls from PK, X.509 or SSL functions when
+ * #MBEDTLS_USE_PSA_CRYPTO is enabled;
+ * - any other call to a function that requires calling psa_crypto_init()
+ * beforehand.
+ *
* Module: library/psa_crypto.c
*
* Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
@@ -3645,11 +3657,29 @@
/**
* \def MBEDTLS_THREADING_C
*
- * Enable the threading abstraction layer.
- * By default Mbed TLS assumes it is used in a non-threaded environment or that
- * contexts are not shared between threads. If you do intend to use contexts
+ * Traditionally, Mbed TLS assumes it is used in a non-threaded environment or
+ * that contexts are not shared between threads. If you do intend to use contexts
* between threads, you will need to enable this layer to prevent race
- * conditions. See also our Knowledge Base article about threading:
+ * conditions.
+ *
+ * The PSA subsystem has an implicit shared context. Therefore, you must
+ * enable this option if more than one thread may use any part of
+ * Mbed TLS that is implemented on top of the PSA subsystem.
+ *
+ * You must enable this option in multithreaded applications where more than
+ * one thread performs any of the following operations:
+ *
+ * - Any call to a PSA function (`psa_xxx()`).
+ * - Any call to a TLS, X.509 or PK function (`mbedtls_ssl_xxx()`,
+ * `mbedtls_x509_xxx()`, `mbedtls_pkcs7_xxx()`, `mbedtls_pk_xxx()`)
+ * if `MBEDTLS_USE_PSA_CRYPTO` is enabled (regardless of whether individual
+ * TLS, X.509 or PK contexts are shared between threads).
+ * - Any use of a cryptographic context if the same context is used in
+ * multiple threads.
+ * - Any call to a function where the documentation specifies that
+ * psa_crypto_init() must be called prior to that function.
+ *
+ * See also our Knowledge Base article about threading:
* https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
*
* Module: library/threading.c
diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h
index c29c40e..1da0726 100644
--- a/include/mbedtls/debug.h
+++ b/include/mbedtls/debug.h
@@ -108,16 +108,16 @@
*
* This module provides debugging functions.
*/
-#if (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800)
+#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900)
#include <inttypes.h>
#define MBEDTLS_PRINTF_SIZET PRIuPTR
#define MBEDTLS_PRINTF_LONGLONG "I64d"
#else \
- /* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */
+ /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
#define MBEDTLS_PRINTF_SIZET "zu"
#define MBEDTLS_PRINTF_LONGLONG "lld"
#endif \
- /* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */
+ /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
#ifdef __cplusplus
extern "C" {
diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h
index 1a12c9c..5f5202f 100644
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@@ -226,7 +226,7 @@
/**
* \brief Write at most 'len' characters. If no error occurs,
- * the actual amount read is returned.
+ * the actual amount written is returned.
*
* \param ctx Socket
* \param buf The buffer to read from
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 755465e..8b14611 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5262,6 +5262,12 @@
psa_status_t status;
psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
+ if (kdf_alg == PSA_ALG_NONE) {
+ /* This is a blank or aborted operation. */
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
status = psa_key_derivation_check_input_type(step, key_type);
if (status != PSA_SUCCESS) {
goto exit;
diff --git a/tests/suites/test_suite_debug.data b/tests/suites/test_suite_debug.data
index 0b88695..734c8e7 100644
--- a/tests/suites/test_suite_debug.data
+++ b/tests/suites/test_suite_debug.data
@@ -1,3 +1,9 @@
+printf "%" MBEDTLS_PRINTF_SIZET, 0
+printf_int_expr:PRINTF_SIZET:sizeof(size_t):0:"0"
+
+printf "%" MBEDTLS_PRINTF_LONGLONG, 0
+printf_int_expr:PRINTF_LONGLONG:sizeof(long long):0:"0"
+
Debug print msg (threshold 1, level 0)
debug_print_msg_threshold:1:0:"MyFile":999:"MyFile(0999)\: Text message, 2 == 2\n"
diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function
index 9ece280..15605c7 100644
--- a/tests/suites/test_suite_debug.function
+++ b/tests/suites/test_suite_debug.function
@@ -2,12 +2,28 @@
#include "mbedtls/debug.h"
#include "string.h"
+#if defined(_WIN32)
+# include <stdlib.h>
+# include <crtdbg.h>
+#endif
+
+typedef enum {
+ PRINTF_SIZET,
+ PRINTF_LONGLONG,
+} printf_format_indicator_t;
+
+const char *const printf_formats[] = {
+ [PRINTF_SIZET] = "%" MBEDTLS_PRINTF_SIZET,
+ [PRINTF_LONGLONG] = "%" MBEDTLS_PRINTF_LONGLONG,
+};
+
struct buffer_data {
char buf[2000];
char *ptr;
};
-void string_debug(void *data, int level, const char *file, int line, const char *str)
+#if defined(MBEDTLS_SSL_TLS_C)
+static void string_debug(void *data, int level, const char *file, int line, const char *str)
{
struct buffer_data *buffer = (struct buffer_data *) data;
char *p = buffer->ptr;
@@ -42,14 +58,77 @@
buffer->ptr = p;
}
+#endif /* MBEDTLS_SSL_TLS_C */
+
+#if defined(_WIN32)
+static void noop_invalid_parameter_handler(
+ const wchar_t *expression,
+ const wchar_t *function,
+ const wchar_t *file,
+ unsigned int line,
+ uintptr_t pReserved)
+{
+ (void) expression;
+ (void) function;
+ (void) file;
+ (void) line;
+ (void) pReserved;
+}
+#endif /* _WIN32 */
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_DEBUG_C:MBEDTLS_SSL_TLS_C
+ * depends_on:MBEDTLS_DEBUG_C
* END_DEPENDENCIES
*/
/* BEGIN_CASE */
+void printf_int_expr(int format_indicator, intmax_t sizeof_x, intmax_t x, char *result)
+{
+#if defined(_WIN32)
+ /* Windows treats any invalid format specifiers passsed to the CRT as fatal assertion failures.
+ Disable this behaviour temporarily, so the rest of the test cases can complete. */
+ _invalid_parameter_handler saved_handler =
+ _set_invalid_parameter_handler(noop_invalid_parameter_handler);
+
+ // Disable assertion pop-up window in Debug builds
+ int saved_report_mode = _CrtSetReportMode(_CRT_ASSERT, _CRTDBG_REPORT_MODE);
+ _CrtSetReportMode(_CRT_ASSERT, _CRTDBG_MODE_DEBUG);
+#endif
+
+ const char *format = printf_formats[format_indicator];
+ char *output = NULL;
+ const size_t n = strlen(result);
+
+ /* Nominal case: buffer just large enough */
+ TEST_CALLOC(output, n + 1);
+ if ((size_t) sizeof_x <= sizeof(int)) { // Any smaller integers would be promoted to an int due to calling a vararg function
+ TEST_EQUAL(n, mbedtls_snprintf(output, n + 1, format, (int) x));
+ } else if (sizeof_x == sizeof(long)) {
+ TEST_EQUAL(n, mbedtls_snprintf(output, n + 1, format, (long) x));
+ } else if (sizeof_x == sizeof(long long)) {
+ TEST_EQUAL(n, mbedtls_snprintf(output, n + 1, format, (long long) x));
+ } else {
+ TEST_FAIL(
+ "sizeof_x <= sizeof(int) || sizeof_x == sizeof(long) || sizeof_x == sizeof(long long)");
+ }
+ TEST_MEMORY_COMPARE(result, n + 1, output, n + 1);
+
+exit:
+ mbedtls_free(output);
+ output = NULL;
+
+#if defined(_WIN32)
+ // Restore default Windows behaviour
+ _set_invalid_parameter_handler(saved_handler);
+ _CrtSetReportMode(_CRT_ASSERT, saved_report_mode);
+ (void) saved_report_mode;
+#endif
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C */
void debug_print_msg_threshold(int threshold, int level, char *file,
int line, char *result_str)
{
@@ -80,7 +159,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C */
void mbedtls_debug_print_ret(char *file, int line, char *text, int value,
char *result_str)
{
@@ -109,7 +188,7 @@
}
/* END_CASE */
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C */
void mbedtls_debug_print_buf(char *file, int line, char *text,
data_t *data, char *result_str)
{
@@ -138,7 +217,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_debug_print_crt(char *crt_file, char *file, int line,
char *prefix, char *result_str)
{
@@ -172,7 +251,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_BIGNUM_C */
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_TLS_C:MBEDTLS_BIGNUM_C */
void mbedtls_debug_print_mpi(char *value, char *file, int line,
char *prefix, char *result_str)
{
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index c7e85aa..515fd37 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -3482,6 +3482,10 @@
depends_on:PSA_WANT_ALG_ECDH:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
derive_input:PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_HKDF(PSA_ALG_SHA_256)):PSA_KEY_DERIVATION_INPUT_SALT:PSA_KEY_TYPE_NONE:"":PSA_SUCCESS:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"c88f01f510d9ac3f70a292daa2316de544e9aab8afe84049c62a9c57862d1433":PSA_SUCCESS:0:UNUSED:"":UNUSED:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+PSA key derivation: reject calling input functions without calling setup
+depends_on:PSA_WANT_ALG_SHA_256
+derive_input:PSA_ALG_NONE:PSA_KEY_DERIVATION_INPUT_SEED:PSA_KEY_TYPE_NONE:"":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_SECRET:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ERROR_BAD_STATE:PSA_KEY_DERIVATION_INPUT_LABEL:PSA_KEY_TYPE_DERIVE:"61206c6162656c":PSA_ERROR_BAD_STATE:PSA_KEY_TYPE_NONE:PSA_ERROR_BAD_STATE
+
PSA key derivation over capacity: HKDF
depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256
derive_over_capacity:PSA_ALG_HKDF(PSA_ALG_SHA_256)
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 02b30d2..1685599 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -4524,7 +4524,9 @@
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
psa_set_key_algorithm(&attributes, alg);
- PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
+ if (alg != PSA_ALG_NONE) {
+ PSA_ASSERT(psa_key_derivation_setup(&operation, alg));
+ }
for (i = 0; i < ARRAY_LENGTH(steps); i++) {
mbedtls_test_set_step(i);