Stowage/godot
2
0
Fork 0
mirror of https://github.com/godotengine/godot.git synced 2025-10-19 07:53:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

mbedTLS: Update to version 3.6.3

Browse source
This commit is contained in:
Fabio Alessandrelli 2025-03-24 19:11:37 +01:00
parent bf1c2583f4
commit 0b0655aee4
46 changed files with 917 additions and 683 deletions
Download patch file Download diff file Expand all files Collapse all files

5
thirdparty/README.md vendored
View file

@ -605,7 +605,7 @@ File extracted from upstream source:
## mbedtls
- Upstream: https://github.com/Mbed-TLS/mbedtls
- Version: 3.6.2 (107ea89daaefb9867ea9121002fbbdf926780e98, 2024)
- Version: 3.6.3 (22098d41c6620ce07cf8a0134d37302355e1e5ef, 2025)
- License: Apache 2.0
File extracted from upstream release tarball:
@ -616,7 +616,7 @@ File extracted from upstream release tarball:
- From `library/` to `thirdparty/mbedtls/library/`:
- All `.c` and `.h` files
- Except `bignum_mod.c`, `block_cipher.c`, `ecp_curves_new.c`, `lmots.c`,
`lms.c`
`lms.c`, `bignum_core_invasive.h`
- The `LICENSE` file (edited to keep only the Apache 2.0 variant)
- Added 2 files `godot_core_mbedtls_platform.c` and `godot_core_mbedtls_config.h`
providing configuration for light bundling with core
@ -626,7 +626,6 @@ File extracted from upstream release tarball:
Patches:
- `0001-msvc-2019-psa-redeclaration.patch` (GH-90535)
- `0002-pr-9981-defragment-incoming-tls-handshake-messages.patch` (GH-103247)
## meshoptimizer

8
thirdparty/mbedtls/include/mbedtls/build_info.h vendored
View file

@ -26,16 +26,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 3
#define MBEDTLS_VERSION_MINOR 6
#define MBEDTLS_VERSION_PATCH 2
#define MBEDTLS_VERSION_PATCH 3
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
#define MBEDTLS_VERSION_NUMBER 0x03060200
#define MBEDTLS_VERSION_STRING "3.6.2"
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.2"
#define MBEDTLS_VERSION_NUMBER 0x03060300
#define MBEDTLS_VERSION_STRING "3.6.3"
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.3"
/* Macros for build-time platform detection */

8
thirdparty/mbedtls/include/mbedtls/check_config.h vendored
View file

@ -247,6 +247,9 @@
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) && !defined(MBEDTLS_HAS_MEMSAN)
#error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer"
#endif
#if defined(MBEDTLS_HAS_MEMSAN) && defined(MBEDTLS_HAVE_ASM)
#error "MemorySanitizer does not support assembly implementation"
#endif
#undef MBEDTLS_HAS_MEMSAN // temporary macro defined above
#if defined(MBEDTLS_CCM_C) && \
@ -738,6 +741,11 @@
#error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG"
#endif
#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) && \
defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
#error "MBEDTLS_PSA_KEY_STORE_DYNAMIC and MBEDTLS_PSA_STATIC_KEY_SLOTS cannot be defined simultaneously"
#endif
#if defined(MBEDTLS_PSA_ITS_FILE_C) && \
!defined(MBEDTLS_FS_IO)
#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"

75
thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h vendored
View file

@ -48,6 +48,13 @@
#endif
#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */
/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
* is defined as well to include all PSA code.
*/
#if defined(MBEDTLS_PSA_CRYPTO_C)
#define MBEDTLS_PSA_CRYPTO_CLIENT
#endif /* MBEDTLS_PSA_CRYPTO_C */
/* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin
* in PSA. */
#if defined(MBEDTLS_PSA_CRYPTO_C) && \
@ -158,7 +165,66 @@
#define MBEDTLS_MD_SHA3_512_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#endif /* MBEDTLS_PSA_CRYPTO_C */
#elif defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#if defined(PSA_WANT_ALG_MD5)
#define MBEDTLS_MD_CAN_MD5
#define MBEDTLS_MD_MD5_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_SHA_1)
#define MBEDTLS_MD_CAN_SHA1
#define MBEDTLS_MD_SHA1_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_SHA_224)
#define MBEDTLS_MD_CAN_SHA224
#define MBEDTLS_MD_SHA224_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_SHA_256)
#define MBEDTLS_MD_CAN_SHA256
#define MBEDTLS_MD_SHA256_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_SHA_384)
#define MBEDTLS_MD_CAN_SHA384
#define MBEDTLS_MD_SHA384_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_SHA_512)
#define MBEDTLS_MD_CAN_SHA512
#define MBEDTLS_MD_SHA512_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_RIPEMD160)
#define MBEDTLS_MD_CAN_RIPEMD160
#define MBEDTLS_MD_RIPEMD160_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_SHA3_224)
#define MBEDTLS_MD_CAN_SHA3_224
#define MBEDTLS_MD_SHA3_224_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_SHA3_256)
#define MBEDTLS_MD_CAN_SHA3_256
#define MBEDTLS_MD_SHA3_256_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_SHA3_384)
#define MBEDTLS_MD_CAN_SHA3_384
#define MBEDTLS_MD_SHA3_384_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#if defined(PSA_WANT_ALG_SHA3_512)
#define MBEDTLS_MD_CAN_SHA3_512
#define MBEDTLS_MD_SHA3_512_VIA_PSA
#define MBEDTLS_MD_SOME_PSA
#endif
#endif /* !MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
/* Built-in implementations */
#if defined(MBEDTLS_MD5_C)
@ -352,13 +418,6 @@
#define MBEDTLS_PK_CAN_ECDSA_SOME
#endif
/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
* is defined as well to include all PSA code.
*/
#if defined(MBEDTLS_PSA_CRYPTO_C)
#define MBEDTLS_PSA_CRYPTO_CLIENT
#endif /* MBEDTLS_PSA_CRYPTO_C */
/* Helpers to state that each key is supported either on the builtin or PSA side. */
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
#define MBEDTLS_ECP_HAVE_SECP521R1

19
thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h vendored
View file

@ -69,7 +69,6 @@
(defined(PSA_WANT_ECC_SECP_R1_384) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)) || \
(defined(PSA_WANT_ECC_SECP_R1_521) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)) || \
(defined(PSA_WANT_ECC_SECP_K1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)) || \
(defined(PSA_WANT_ECC_SECP_K1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)) || \
(defined(PSA_WANT_ECC_SECP_K1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256))
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
@ -225,17 +224,6 @@
#endif /* missing accel */
#endif /* PSA_WANT_ECC_SECP_K1_192 */
#if defined(PSA_WANT_ECC_SECP_K1_224)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1
#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
/* https://github.com/Mbed-TLS/mbedtls/issues/3541 */
#error "SECP224K1 is buggy via the PSA API in Mbed TLS."
#endif /* missing accel */
#endif /* PSA_WANT_ECC_SECP_K1_224 */
#if defined(PSA_WANT_ECC_SECP_K1_256)
#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
@ -782,13 +770,6 @@
#define PSA_HAVE_SOFT_BLOCK_CIPHER 1
#endif
#if defined(PSA_WANT_ALG_CBC_MAC)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC)
#error "CBC-MAC is not yet supported via the PSA API in Mbed TLS."
#define MBEDTLS_PSA_BUILTIN_ALG_CBC_MAC 1
#endif /* !MBEDTLS_PSA_ACCEL_ALG_CBC_MAC */
#endif /* PSA_WANT_ALG_CBC_MAC */
#if defined(PSA_WANT_ALG_CMAC)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) || \
defined(PSA_HAVE_SOFT_BLOCK_CIPHER)

7
thirdparty/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h vendored
View file

@ -136,13 +136,6 @@
#endif /* PSA_WANT_ECC_SECP_K1_192 */
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
/* SECP224K1 is buggy via the PSA API (https://github.com/Mbed-TLS/mbedtls/issues/3541) */
#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
#if !defined(PSA_WANT_ECC_SECP_K1_224)
#define PSA_WANT_ECC_SECP_K1_224 1
#endif /* PSA_WANT_ECC_SECP_K1_224 */
#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
#if !defined(PSA_WANT_ECC_SECP_K1_256)
#define PSA_WANT_ECC_SECP_K1_256 1

6
thirdparty/mbedtls/include/mbedtls/debug.h vendored
View file

@ -108,16 +108,16 @@
*
* This module provides debugging functions.
*/
#if (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800)
#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900)
#include <inttypes.h>
#define MBEDTLS_PRINTF_SIZET PRIuPTR
#define MBEDTLS_PRINTF_LONGLONG "I64d"
#else \
/* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */
/* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
#define MBEDTLS_PRINTF_SIZET "zu"
#define MBEDTLS_PRINTF_LONGLONG "lld"
#endif \
/* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */
/* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
#if !defined(MBEDTLS_PRINTF_MS_TIME)
#include <inttypes.h>

5
thirdparty/mbedtls/include/mbedtls/entropy.h vendored
View file

@ -17,12 +17,13 @@
#include "md.h"
#if defined(MBEDTLS_MD_CAN_SHA512) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
#if (defined(MBEDTLS_MD_CAN_SHA512) || defined(PSA_WANT_ALG_SHA_512)) && \
!defined(MBEDTLS_ENTROPY_FORCE_SHA256)
#define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
#define MBEDTLS_ENTROPY_MD MBEDTLS_MD_SHA512
#define MBEDTLS_ENTROPY_BLOCK_SIZE 64 /**< Block size of entropy accumulator (SHA-512) */
#else
#if defined(MBEDTLS_MD_CAN_SHA256)
#if (defined(MBEDTLS_MD_CAN_SHA256) || defined(PSA_WANT_ALG_SHA_256))
#define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
#define MBEDTLS_ENTROPY_MD MBEDTLS_MD_SHA256
#define MBEDTLS_ENTROPY_BLOCK_SIZE 32 /**< Block size of entropy accumulator (SHA-256) */

2
thirdparty/mbedtls/include/mbedtls/error.h vendored
View file

@ -81,7 +81,7 @@
* MD 5 5
* HKDF 5 1 (Started from top)
* PKCS7 5 12 (Started from 0x5300)
* SSL 5 2 (Started from 0x5F00)
* SSL 5 3 (Started from 0x5F00)
* CIPHER 6 8 (Started from 0x6080)
* SSL 6 22 (Started from top, plus 0x6000)
* SSL 7 20 (Started from 0x7000, gaps at

23
thirdparty/mbedtls/include/mbedtls/gcm.h vendored
View file

@ -115,10 +115,9 @@ int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
/**
* \brief This function performs GCM encryption or decryption of a buffer.
*
* \note For encryption, the output buffer can be the same as the
* input buffer. For decryption, the output buffer cannot be
* the same as input buffer. If the buffers overlap, the output
* buffer must trail at least 8 Bytes behind the input buffer.
* \note The output buffer \p output can be the same as the input
* buffer \p input. If \p output is greater than \p input, they
* cannot overlap.
*
* \warning When this function performs a decryption, it outputs the
* authentication tag and does not verify that the data is
@ -179,9 +178,11 @@ int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
* \brief This function performs a GCM authenticated decryption of a
* buffer.
*
* \note For decryption, the output buffer cannot be the same as
* input buffer. If the buffers overlap, the output buffer
* must trail at least 8 Bytes behind the input buffer.
* \note The output buffer \p output can be the same as the input
* buffer \p input. If \p output is greater than \p input, they
* cannot overlap. Implementations which require
* MBEDTLS_GCM_ALT to be enabled may not provide support for
* overlapping buffers.
*
* \param ctx The GCM context. This must be initialized.
* \param length The length of the ciphertext to decrypt, which is also
@ -287,9 +288,11 @@ int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx,
* to this function during an operation, then it is
* correct to use \p output_size = \p input_length.
*
* \note For decryption, the output buffer cannot be the same as
* input buffer. If the buffers overlap, the output buffer
* must trail at least 8 Bytes behind the input buffer.
* \note The output buffer \p output can be the same as the input
* buffer \p input. If \p output is greater than \p input, they
* cannot overlap. Implementations which require
* MBEDTLS_GCM_ALT to be enabled may not provide support for
* overlapping buffers.
*
* \param ctx The GCM context. This must be initialized.
* \param input The buffer holding the input data. If \p input_length

129
thirdparty/mbedtls/include/mbedtls/mbedtls_config.h vendored
View file

@ -1622,6 +1622,46 @@
*/
//#define MBEDTLS_SSL_ASYNC_PRIVATE
/** \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
*
* In TLS clients, when a client authenticates a server through its
* certificate, the client normally checks three things:
* - the certificate chain must be valid;
* - the chain must start from a trusted CA;
* - the certificate must cover the server name that is expected by the client.
*
* Omitting any of these checks is generally insecure, and can allow a
* malicious server to impersonate a legitimate server.
*
* The third check may be safely skipped in some unusual scenarios,
* such as networks where eavesdropping is a risk but not active attacks,
* or a private PKI where the client equally trusts all servers that are
* accredited by the root CA.
*
* You should call mbedtls_ssl_set_hostname() with the expected server name
* before starting a TLS handshake on a client (unless the client is
* set up to only use PSK-based authentication, which does not rely on the
* host name). This configuration option controls what happens if a TLS client
* is configured with the authentication mode #MBEDTLS_SSL_VERIFY_REQUIRED
* (default), certificate authentication is enabled and the client does not
* call mbedtls_ssl_set_hostname():
*
* - If this option is unset (default), the connection attempt is aborted
* with the error #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
* - If this option is set, the TLS library does not check the server name
* that the certificate is valid for. This is the historical behavior
* of Mbed TLS, but may be insecure as explained above.
*
* Enable this option for strict backward compatibility if you have
* determined that it is secure in the scenario where you are using
* Mbed TLS.
*
* \deprecated This option exists only for backward compatibility and will
* be removed in the next major version of Mbed TLS.
*
*/
//#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
/**
* \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
*
@ -1807,6 +1847,11 @@
* running handshake hash) only use PSA crypto if
* #MBEDTLS_USE_PSA_CRYPTO is enabled.
*
* \note In multithreaded applications, you must also enable
* #MBEDTLS_THREADING_C, even if individual TLS contexts are not
* shared between threads, unless only one thread ever calls
* TLS functions.
*
* Uncomment this macro to enable the support for TLS 1.3.
*/
#define MBEDTLS_SSL_PROTO_TLS1_3
@ -2125,6 +2170,10 @@
* before calling any function from the SSL/TLS, X.509 or PK modules, except
* for the various mbedtls_xxx_init() functions which can be called at any time.
*
* \warning In multithreaded applications, you must also enable
* #MBEDTLS_THREADING_C, unless only one thread ever calls PSA functions
* (`psa_xxx()`), including indirect calls through SSL/TLS, X.509 or PK.
*
* \note An important and desirable effect of this option is that it allows
* PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling
* this option is what allows use of drivers for ECDSA, ECDH and EC J-PAKE in
@ -3211,7 +3260,18 @@
/**
* \def MBEDTLS_PSA_CRYPTO_C
*
* Enable the Platform Security Architecture cryptography API.
* Enable the Platform Security Architecture (PSA) cryptography API.
*
* \note In multithreaded applications, you must enable #MBEDTLS_THREADING_C,
* unless only one thread ever calls `psa_xxx()` functions.
* That includes indirect calls, such as:
* - performing a TLS handshake if support for TLS 1.3 is enabled;
* - using a TLS 1.3 connection;
* - indirect calls from PK, X.509 or SSL functions when
* #MBEDTLS_USE_PSA_CRYPTO is enabled;
* - indirect calls to calculate a hash when #MBEDTLS_MD_C is disabled;
* - any other call to a function that requires calling psa_crypto_init()
* beforehand.
*
* Module: library/psa_crypto.c
*
@ -3268,6 +3328,26 @@
*/
#define MBEDTLS_PSA_ITS_FILE_C
/**
* \def MBEDTLS_PSA_STATIC_KEY_SLOTS
*
* Statically preallocate memory to store keys' material in PSA instead
* of allocating it dynamically when required. This allows builds without a
* heap, if none of the enabled cryptographic implementations or other features
* require it.
* This feature affects both volatile and persistent keys which means that
* it's not possible to persistently store a key which is larger than
* #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE.
*
* \note This feature comes with a (potentially) higher RAM usage since:
* - All the key slots are allocated no matter if they are used or not.
* - Each key buffer's length is #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE bytes.
*
* Requires: MBEDTLS_PSA_CRYPTO_C
*
*/
//#define MBEDTLS_PSA_STATIC_KEY_SLOTS
/**
* \def MBEDTLS_RIPEMD160_C
*
@ -3611,10 +3691,38 @@
* \def MBEDTLS_THREADING_C
*
* Enable the threading abstraction layer.
* By default Mbed TLS assumes it is used in a non-threaded environment or that
* contexts are not shared between threads. If you do intend to use contexts
*
* Traditionally, Mbed TLS assumes it is used in a non-threaded environment or
* that contexts are not shared between threads. If you do intend to use contexts
* between threads, you will need to enable this layer to prevent race
* conditions. See also our Knowledge Base article about threading:
* conditions.
*
* The PSA subsystem has an implicit shared context. Therefore, you must
* enable this option if more than one thread may use any part of
* Mbed TLS that is implemented on top of the PSA subsystem.
*
* You must enable this option in multithreaded applications where more than
* one thread performs any of the following operations:
*
* - Any call to a PSA function (`psa_xxx()`).
* - Any call to a TLS, X.509 or PK function (`mbedtls_ssl_xxx()`,
* `mbedtls_x509_xxx()`, `mbedtls_pkcs7_xxx()`, `mbedtls_pk_xxx()`)
* if `MBEDTLS_USE_PSA_CRYPTO` is enabled (regardless of whether individual
* TLS, X.509 or PK contexts are shared between threads).
* - A TLS 1.3 connection, regardless of the compile-time configuration.
* - Any library feature that calculates a hash, if `MBEDTLS_MD_C` is disabled.
* As an exception, algorithm-specific low-level modules do not require
* threading protection unless the contexts are shared between threads.
* - Any library feature that performs symmetric encryption or decryption,
* if `MBEDTLS_CIPHER_C` is disabled.
* As an exception, algorithm-specific low-level modules do not require
* threading protection unless the contexts are shared between threads.
* - Any use of a cryptographic context if the same context is used in
* multiple threads.
* - Any call to a function where the documentation specifies that
* psa_crypto_init() must be called prior to that function.
*
* See also our Knowledge Base article about threading:
* https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
*
* Module: library/threading.c
@ -4069,6 +4177,19 @@
*/
//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
/**
* \def MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
*
* Define the size (in bytes) of each static key buffer when
* #MBEDTLS_PSA_STATIC_KEY_SLOTS is set. If not
* explicitly defined then it's automatically guessed from available PSA keys
* enabled in the build through PSA_WANT_xxx symbols.
* If required by the application this parameter can be set to higher values
* in order to store larger objects (ex: raw keys), but please note that this
* will increase RAM usage.
*/
//#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 256
/* RSA OPTIONS */
//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 /**< Minimum RSA key size that can be generated in bits (Minimum possible value is 128 bits) */

2
thirdparty/mbedtls/include/mbedtls/net_sockets.h vendored
View file

@ -229,7 +229,7 @@ int mbedtls_net_recv(void *ctx, unsigned char *buf, size_t len);
/**
* \brief Write at most 'len' characters. If no error occurs,
* the actual amount read is returned.
* the actual amount written is returned.
*
* \param ctx Socket
* \param buf The buffer to read from

19
thirdparty/mbedtls/include/mbedtls/psa_util.h vendored
View file

@ -161,6 +161,16 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa
* \param[out] der_len On success it contains the amount of valid data
* (in bytes) written to \p der. It's undefined
* in case of failure.
*
* \note The behavior is undefined if \p der is null,
* even if \p der_size is 0.
*
* \return 0 if successful.
* \return #MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if \p der_size
* is too small or if \p bits is larger than the
* largest supported curve.
* \return #MBEDTLS_ERR_ASN1_INVALID_DATA if one of the
* numbers in the signature is 0.
*/
int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len,
unsigned char *der, size_t der_size, size_t *der_len);
@ -177,6 +187,15 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l
* \param[out] raw_len On success it is updated with the amount of valid
* data (in bytes) written to \p raw. It's undefined
* in case of failure.
*
* \return 0 if successful.
* \return #MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if \p raw_size
* is too small or if \p bits is larger than the
* largest supported curve.
* \return #MBEDTLS_ERR_ASN1_INVALID_DATA if the data in
* \p der is inconsistent with \p bits.
* \return An \c MBEDTLS_ERR_ASN1_xxx error code if
* \p der is malformed.
*/
int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len,
unsigned char *raw, size_t raw_size, size_t *raw_len);

124
thirdparty/mbedtls/include/mbedtls/ssl.h vendored
View file

@ -166,6 +166,42 @@
#define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00
/** Invalid value in SSL config */
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80
/* Error space gap */
/** Attempt to verify a certificate without an expected hostname.
* This is usually insecure.
*
* In TLS clients, when a client authenticates a server through its
* certificate, the client normally checks three things:
* - the certificate chain must be valid;
* - the chain must start from a trusted CA;
* - the certificate must cover the server name that is expected by the client.
*
* Omitting any of these checks is generally insecure, and can allow a
* malicious server to impersonate a legitimate server.
*
* The third check may be safely skipped in some unusual scenarios,
* such as networks where eavesdropping is a risk but not active attacks,
* or a private PKI where the client equally trusts all servers that are
* accredited by the root CA.
*
* You should call mbedtls_ssl_set_hostname() with the expected server name
* before starting a TLS handshake on a client (unless the client is
* set up to only use PSK-based authentication, which does not rely on the
* host name). If you have determined that server name verification is not
* required for security in your scenario, call mbedtls_ssl_set_hostname()
* with \p NULL as the server name.
*
* This error is raised if all of the following conditions are met:
*
* - A TLS client is configured with the authentication mode
* #MBEDTLS_SSL_VERIFY_REQUIRED (default).
* - Certificate authentication is enabled.
* - The client does not call mbedtls_ssl_set_hostname().
* - The configuration option
* #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* is not enabled.
*/
#define MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME -0x5D80
/*
* Constants from RFC 8446 for TLS 1.3 PSK modes
@ -1893,8 +1929,35 @@ struct mbedtls_ssl_context {
* User settings
*/
#if defined(MBEDTLS_X509_CRT_PARSE_C)
char *MBEDTLS_PRIVATE(hostname); /*!< expected peer CN for verification
(and SNI if available) */
/** Expected peer CN for verification.
*
* Also used on clients for SNI,
* and for TLS 1.3 session resumption using tickets.
*
* The value of this field can be:
* - \p NULL in a newly initialized or reset context.
* - A heap-allocated copy of the last value passed to
* mbedtls_ssl_set_hostname(), if the last call had a non-null
* \p hostname argument.
* - A special value to indicate that mbedtls_ssl_set_hostname()
* was called with \p NULL (as opposed to never having been called).
* See `mbedtls_ssl_get_hostname_pointer()` in `ssl_tls.c`.
*
* If this field contains the value \p NULL and the configuration option
* #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* is unset, on a TLS client, attempting to verify a server certificate
* results in the error
* #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
*
* If this field contains the special value described above, or if
* the value is \p NULL and the configuration option
* #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* is set, then the peer name verification is skipped, which may be
* insecure, especially on a client. Furthermore, on a client, the
* server_name extension is not sent, and the server name is ignored
* in TLS 1.3 session resumption using tickets.
*/
char *MBEDTLS_PRIVATE(hostname);
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_ALPN)
@ -2002,6 +2065,14 @@ void mbedtls_ssl_init(mbedtls_ssl_context *ssl);
* Calling mbedtls_ssl_setup again is not supported, even
* if no session is active.
*
* \warning After setting up a client context, if certificate-based
* authentication is enabled, you should call
* mbedtls_ssl_set_hostname() to specifiy the expected
* name of the server. Without this, in most scenarios,
* the TLS connection is insecure. See
* #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* for more information.
*
* \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
* subsystem must have been initialized by calling
* psa_crypto_init() before calling this function.
@ -3976,16 +4047,29 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
* \brief Set or reset the hostname to check against the received
* server certificate. It sets the ServerName TLS extension,
* too, if that extension is enabled. (client-side only)
* peer certificate. On a client, this also sets the
* ServerName TLS extension, if that extension is enabled.
* On a TLS 1.3 client, this also sets the server name in
* the session resumption ticket, if that feature is enabled.
*
* \param ssl SSL context
* \param hostname the server hostname, may be NULL to clear hostname
* \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
* \param hostname The server hostname. This may be \c NULL to clear
* the hostname.
*
* \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
* allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
* \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN.
*
* \note If the hostname is \c NULL on a client, then the server
* is not authenticated: it only needs to have a valid
* certificate, not a certificate matching its name.
* Therefore you should always call this function on a client,
* unless the connection is set up to only allow
* pre-shared keys, or in scenarios where server
* impersonation is not a concern. See the documentation of
* #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* for more details.
*
* \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on
* allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
* too long input hostname.
*
* Hostname set to the one provided on success (cleared
@ -4449,6 +4533,10 @@ void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
* with \c mbedtls_ssl_read()), not handshake messages.
* With DTLS, this affects both ApplicationData and handshake.
*
* \note Defragmentation of TLS handshake messages is supported
* with some limitations. See the documentation of
* mbedtls_ssl_handshake() for details.
*
* \note This sets the maximum length for a record's payload,
* excluding record overhead that will be added to it, see
* \c mbedtls_ssl_get_record_expansion().
@ -4979,6 +5067,24 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
* if a negotiation involving TLS 1.3 takes place (this may
* be the case even if TLS 1.3 is offered but eventually
* not selected).
*
* \note In TLS, reception of fragmented handshake messages is
* supported with some limitations (those limitations do
* not apply to DTLS, where defragmentation is fully
* supported):
* - On an Mbed TLS server that only accepts TLS 1.2,
* the initial ClientHello message must not be fragmented.
* A TLS 1.2 ClientHello may be fragmented if the server
* also accepts TLS 1.3 connections (meaning
* that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the
* accepted versions have not been restricted with
* mbedtls_ssl_conf_max_tls_version() or the like).
* - The first fragment of a handshake message must be
* at least 4 bytes long.
* - Non-handshake records must not be interleaved between
* the fragments of a handshake message. (This is permitted
* in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it
* even in TLS 1.2.)
*/
int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl);

2
thirdparty/mbedtls/include/mbedtls/threading.h vendored
View file

@ -30,7 +30,7 @@ typedef struct mbedtls_threading_mutex_t {
pthread_mutex_t MBEDTLS_PRIVATE(mutex);
/* WARNING - state should only be accessed when holding the mutex lock in
* tests/src/threading_helpers.c, otherwise corruption can occur.
* framework/tests/src/threading_helpers.c, otherwise corruption can occur.
* state will be 0 after a failed init or a free, and nonzero after a
* successful init. This field is for testing only and thus not considered
* part of the public API of Mbed TLS and may change without notice.*/

14
thirdparty/mbedtls/include/psa/crypto_config.h vendored
View file

@ -38,10 +38,6 @@
#ifndef PSA_CRYPTO_CONFIG_H
#define PSA_CRYPTO_CONFIG_H
/*
* CBC-MAC is not yet supported via the PSA API in Mbed TLS.
*/
//#define PSA_WANT_ALG_CBC_MAC 1
#define PSA_WANT_ALG_CBC_NO_PADDING 1
#define PSA_WANT_ALG_CBC_PKCS7 1
#define PSA_WANT_ALG_CCM 1
@ -84,22 +80,12 @@
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
/* XTS is not yet supported via the PSA API in Mbed TLS.
* Note: when adding support, also adjust include/mbedtls/config_psa.h */
//#define PSA_WANT_ALG_XTS 1
#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
#define PSA_WANT_ECC_MONTGOMERY_255 1
#define PSA_WANT_ECC_MONTGOMERY_448 1
#define PSA_WANT_ECC_SECP_K1_192 1
/*
* SECP224K1 is buggy via the PSA API in Mbed TLS
* (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
* default.
*/
//#define PSA_WANT_ECC_SECP_K1_224 1
#define PSA_WANT_ECC_SECP_K1_256 1
#define PSA_WANT_ECC_SECP_R1_192 1
#define PSA_WANT_ECC_SECP_R1_224 1

39
thirdparty/mbedtls/include/psa/crypto_extra.h vendored
View file

@ -32,6 +32,16 @@ extern "C" {
#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
#endif
/* If the size of static key slots is not explicitly defined by the user, then
* set it to the maximum between PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE and
* PSA_CIPHER_MAX_KEY_LENGTH.
* See mbedtls_config.h for the definition. */
#if !defined(MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)
#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE \
((PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE > PSA_CIPHER_MAX_KEY_LENGTH) ? \
PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE : PSA_CIPHER_MAX_KEY_LENGTH)
#endif /* !MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE*/
/** \addtogroup attributes
* @{
*/
@ -573,6 +583,35 @@ psa_status_t mbedtls_psa_platform_get_builtin_key(
/** @} */
/** \defgroup psa_crypto_client Functions defined by a client provider
*
* The functions in this group are meant to be implemented by providers of
* the PSA Crypto client interface. They are provided by the library when
* #MBEDTLS_PSA_CRYPTO_C is enabled.
*
* \note All functions in this group are experimental, as using
* alternative client interface providers is experimental.
*
* @{
*/
/** Check if PSA is capable of handling the specified hash algorithm.
*
* This means that PSA core was built with the corresponding PSA_WANT_ALG_xxx
* set and that psa_crypto_init has already been called.
*
* \note When using Mbed TLS version of PSA core (i.e. MBEDTLS_PSA_CRYPTO_C is
* set) for now this function only checks the state of the driver
* subsystem, not the algorithm. This might be improved in the future.
*
* \param hash_alg The hash algorithm.
*
* \return 1 if the PSA can handle \p hash_alg, 0 otherwise.
*/
int psa_can_do_hash(psa_algorithm_t hash_alg);
/**@}*/
/** \addtogroup crypto_types
* @{
*/

25
thirdparty/mbedtls/include/psa/crypto_sizes.h vendored
View file

@ -1038,6 +1038,10 @@
PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
#endif
#define PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE \
((PSA_EXPORT_KEY_PAIR_MAX_SIZE > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) ? \
PSA_EXPORT_KEY_PAIR_MAX_SIZE : PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
/** Sufficient output buffer size for psa_raw_key_agreement().
*
* This macro returns a compile-time constant if its arguments are
@ -1085,6 +1089,27 @@
#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS)
#endif
/** Maximum key length for ciphers.
*
* Since there is no additional PSA_WANT_xxx symbol to specifiy the size of
* the key once a cipher is enabled (as it happens for asymmetric keys for
* example), the maximum key length is taken into account for each cipher.
* The resulting value will be the maximum cipher's key length given depending
* on which ciphers are enabled.
*
* Note: max value for AES used below would be doubled if XTS were enabled, but
* this mode is currently not supported in Mbed TLS implementation of PSA
* APIs.
*/
#if (defined(PSA_WANT_KEY_TYPE_AES) || defined(PSA_WANT_KEY_TYPE_ARIA) || \
defined(PSA_WANT_KEY_TYPE_CAMELLIA) || defined(PSA_WANT_KEY_TYPE_CHACHA20))
#define PSA_CIPHER_MAX_KEY_LENGTH 32u
#elif defined(PSA_WANT_KEY_TYPE_DES)
#define PSA_CIPHER_MAX_KEY_LENGTH 24u
#else
#define PSA_CIPHER_MAX_KEY_LENGTH 0u
#endif
/** The default IV size for a cipher algorithm, in bytes.
*
* The IV that is generated as part of a call to #psa_cipher_encrypt() is always

8
thirdparty/mbedtls/library/aesni.c vendored
View file

@ -489,7 +489,7 @@ int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
"movdqu %%xmm0, (%4) \n\t" // export output
:
: "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output)
: "memory", "cc", "xmm0", "xmm1");
: "memory", "cc", "xmm0", "xmm1", "0", "1");
return 0;
@ -679,7 +679,7 @@ static void aesni_setkey_enc_128(unsigned char *rk,
AESKEYGENA(xmm0_xmm1, "0x36") "call 1b \n\t"
:
: "r" (rk), "r" (key)
: "memory", "cc", "0");
: "memory", "cc", "xmm0", "xmm1", "0");
}
/*
@ -737,7 +737,7 @@ static void aesni_setkey_enc_192(unsigned char *rk,
:
: "r" (rk), "r" (key)
: "memory", "cc", "0");
: "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
@ -805,7 +805,7 @@ static void aesni_setkey_enc_256(unsigned char *rk,
AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
:
: "r" (rk), "r" (key)
: "memory", "cc", "0");
: "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */

26
thirdparty/mbedtls/library/bignum_core.c vendored
View file

@ -747,8 +747,8 @@ static void exp_mod_precompute_window(const mbedtls_mpi_uint *A,
}
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
// Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET
int mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1;
void (*mbedtls_safe_codepath_hook)(void) = NULL;
void (*mbedtls_unsafe_codepath_hook)(void) = NULL;
#endif
/*
@ -781,7 +781,9 @@ static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint
*E_bit_index = E_bits % biL;
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC;
if (mbedtls_unsafe_codepath_hook != NULL) {
mbedtls_unsafe_codepath_hook();
}
#endif
} else {
/*
@ -791,9 +793,8 @@ static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint
*E_limb_index = E_limbs;
*E_bit_index = 0;
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
// Only mark the codepath safe if there wasn't an unsafe codepath before
if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) {
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET;
if (mbedtls_safe_codepath_hook != NULL) {
mbedtls_safe_codepath_hook();
}
#endif
}
@ -813,7 +814,9 @@ static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselec
if (window_public == MBEDTLS_MPI_IS_PUBLIC) {
memcpy(Wselect, Wtable + window * AN_limbs, AN_limbs * ciL);
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC;
if (mbedtls_unsafe_codepath_hook != NULL) {
mbedtls_unsafe_codepath_hook();
}
#endif
} else {
/* Select Wtable[window] without leaking window through
@ -821,9 +824,8 @@ static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselec
mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable,
AN_limbs, welem, window);
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
// Only mark the codepath safe if there wasn't an unsafe codepath before
if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) {
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET;
if (mbedtls_safe_codepath_hook != NULL) {
mbedtls_safe_codepath_hook();
}
#endif
}
@ -857,8 +859,8 @@ static void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X,
/* We'll process the bits of E from most significant
* (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant
* (limb_index=0, E_bit_index=0). */
size_t E_limb_index;
size_t E_bit_index;
size_t E_limb_index = E_limbs;
size_t E_bit_index = 0;
exp_mod_calc_first_bit_optionally_safe(E, E_limbs, E_public,
&E_limb_index, &E_bit_index);

26
thirdparty/mbedtls/library/bignum_core.h vendored
View file

@ -70,9 +70,7 @@
#include "common.h"
#if defined(MBEDTLS_BIGNUM_C)
#include "mbedtls/bignum.h"
#endif
#include "constant_time_internal.h"
@ -106,10 +104,17 @@
* } else {
* // safe path
* }
* not the other way round, in order to prevent misuse. (This is, if a value
* other than the two below is passed, default to the safe path.) */
* not the other way round, in order to prevent misuse. (That is, if a value
* other than the two below is passed, default to the safe path.)
*
* The value of MBEDTLS_MPI_IS_PUBLIC is chosen in a way that is unlikely to happen by accident, but
* which can be used as an immediate value in a Thumb2 comparison (for code size). */
#define MBEDTLS_MPI_IS_PUBLIC 0x2a2a2a2a
#define MBEDTLS_MPI_IS_SECRET 0
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
// Default value for testing that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET
#define MBEDTLS_MPI_IS_TEST 1
#endif
/** Count leading zero bits in a given integer.
*
@ -817,17 +822,4 @@ void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X,
mbedtls_mpi_uint mm,
mbedtls_mpi_uint *T);
/*
* Can't define thread local variables with our abstraction layer: do nothing if threading is on.
*/
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
extern int mbedtls_mpi_optionally_safe_codepath;
static inline void mbedtls_mpi_optionally_safe_codepath_reset(void)
{
// Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1;
}
#endif
#endif /* MBEDTLS_BIGNUM_CORE_H */

3
thirdparty/mbedtls/library/ccm.c vendored
View file

@ -170,11 +170,12 @@ static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx)
}
/* CCM expects non-empty tag.
* CCM* allows empty tag. For CCM* without tag, ignore plaintext length.
* CCM* allows empty tag. For CCM* without tag, the tag calculation is skipped.
*/
if (ctx->tag_len == 0) {
if (ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) {
ctx->plaintext_len = 0;
return 0;
} else {
return MBEDTLS_ERR_CCM_BAD_INPUT;
}

17
thirdparty/mbedtls/library/constant_time_impl.h vendored
View file

@ -36,24 +36,9 @@
#pragma GCC diagnostic ignored "-Wredundant-decls"
#endif
/* Disable asm under Memsan because it confuses Memsan and generates false errors.
*
* We also disable under Valgrind by default, because it's more useful
* for Valgrind to test the plain C implementation. MBEDTLS_TEST_CONSTANT_FLOW_ASM //no-check-names
* may be set to permit building asm under Valgrind.
*/
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) || \
(defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) && !defined(MBEDTLS_TEST_CONSTANT_FLOW_ASM)) //no-check-names
#define MBEDTLS_CT_NO_ASM
#elif defined(__has_feature)
#if __has_feature(memory_sanitizer)
#define MBEDTLS_CT_NO_ASM
#endif
#endif
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && (!defined(__ARMCC_VERSION) || \
__ARMCC_VERSION >= 6000000) && !defined(MBEDTLS_CT_NO_ASM)
__ARMCC_VERSION >= 6000000)
#define MBEDTLS_CT_ASM
#if (defined(__arm__) || defined(__thumb__) || defined(__thumb2__))
#define MBEDTLS_CT_ARM_ASM

2
thirdparty/mbedtls/library/ecp.c vendored
View file

@ -3056,7 +3056,7 @@ int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
/* see RFC 7748 sec. 5 para. 5 */
if (mbedtls_mpi_get_bit(d, 0) != 0 ||
mbedtls_mpi_get_bit(d, 1) != 0 ||
mbedtls_mpi_bitlen(d) - 1 != grp->nbits) { /* mbedtls_mpi_bitlen is one-based! */
mbedtls_mpi_bitlen(d) != grp->nbits + 1) { /* mbedtls_mpi_bitlen is one-based! */
return MBEDTLS_ERR_ECP_INVALID_KEY;
}

6
thirdparty/mbedtls/library/error.c vendored
View file

@ -479,6 +479,8 @@ const char *mbedtls_high_level_strerr(int error_code)
return( "SSL - An operation failed due to an unexpected version or configuration" );
case -(MBEDTLS_ERR_SSL_BAD_CONFIG):
return( "SSL - Invalid value in SSL config" );
case -(MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME):
return( "SSL - Attempt to verify a certificate without an expected hostname. This is usually insecure. In TLS clients, when a client authenticates a server through its certificate, the client normally checks three things: - the certificate chain must be valid; - the chain must start from a trusted CA; - the certificate must cover the server name that is expected by the client. Omitting any of these checks is generally insecure, and can allow a malicious server to impersonate a legitimate server. The third check may be safely skipped in some unusual scenarios, such as networks where eavesdropping is a risk but not active attacks, or a private PKI where the client equally trusts all servers that are accredited by the root CA. You should call mbedtls_ssl_set_hostname() with the expected server name before starting a TLS handshake on a client (unless the client is set up to only use PSK-based authentication, which does not rely on the host name). If you have determined that server name verification is not required for security in your scenario, call mbedtls_ssl_set_hostname() with \\p NULL as the server name. This error is raised if all of the following conditions are met: - A TLS client is configured with the authentication mode #MBEDTLS_SSL_VERIFY_REQUIRED (default). - Certificate authentication is enabled. - The client does not call mbedtls_ssl_set_hostname(). - The configuration option #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME is not enabled" );
#endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
@ -873,8 +875,4 @@ void mbedtls_strerror(int ret, char *buf, size_t buflen)
#endif /* MBEDTLS_ERROR_C */
#if defined(MBEDTLS_TEST_HOOKS)
void (*mbedtls_test_hook_error_add)(int, int, const char *, int);
#endif
#endif /* MBEDTLS_ERROR_C || MBEDTLS_ERROR_STRERROR_DUMMY */

12
thirdparty/mbedtls/library/net_sockets.c vendored
View file

@ -190,7 +190,7 @@ int mbedtls_net_connect(mbedtls_net_context *ctx, const char *host,
break;
}
close(ctx->fd);
mbedtls_net_close(ctx);
ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
}
@ -237,13 +237,13 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *
n = 1;
if (setsockopt(ctx->fd, SOL_SOCKET, SO_REUSEADDR,
(const char *) &n, sizeof(n)) != 0) {
close(ctx->fd);
mbedtls_net_close(ctx);
ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
continue;
}
if (bind(ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen) != 0) {
close(ctx->fd);
mbedtls_net_close(ctx);
ret = MBEDTLS_ERR_NET_BIND_FAILED;
continue;
}
@ -251,7 +251,7 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *
/* Listen only makes sense for TCP */
if (proto == MBEDTLS_NET_PROTO_TCP) {
if (listen(ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG) != 0) {
close(ctx->fd);
mbedtls_net_close(ctx);
ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
continue;
}
@ -524,8 +524,8 @@ void mbedtls_net_usleep(unsigned long usec)
#else
struct timeval tv;
tv.tv_sec = usec / 1000000;
#if defined(__unix__) || defined(__unix) || \
(defined(__APPLE__) && defined(__MACH__))
#if (defined(__unix__) || defined(__unix) || \
(defined(__APPLE__) && defined(__MACH__))) && !defined(__DJGPP__)
tv.tv_usec = (suseconds_t) usec % 1000000;
#else
tv.tv_usec = usec % 1000000;

4
thirdparty/mbedtls/library/pk.c vendored
View file

@ -35,10 +35,6 @@
#include <limits.h>
#include <stdint.h>
#define PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE \
(PSA_EXPORT_KEY_PAIR_MAX_SIZE > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) ? \
PSA_EXPORT_KEY_PAIR_MAX_SIZE : PSA_EXPORT_PUBLIC_KEY_MAX_SIZE
/*
* Initialise a mbedtls_pk_context
*/

182
thirdparty/mbedtls/library/psa_crypto.c vendored
View file

@ -705,6 +705,11 @@ MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do(
psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
size_t buffer_length)
{
#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
if (buffer_length > ((size_t) MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)) {
return PSA_ERROR_NOT_SUPPORTED;
}
#else
if (slot->key.data != NULL) {
return PSA_ERROR_ALREADY_EXISTS;
}
@ -713,6 +718,7 @@ psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot,
if (slot->key.data == NULL) {
return PSA_ERROR_INSUFFICIENT_MEMORY;
}
#endif
slot->key.bytes = buffer_length;
return PSA_SUCCESS;
@ -1177,11 +1183,18 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot)
{
#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
if (slot->key.bytes > 0) {
mbedtls_platform_zeroize(slot->key.data, MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE);
}
#else
if (slot->key.data != NULL) {
mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes);
}
slot->key.data = NULL;
#endif /* MBEDTLS_PSA_STATIC_KEY_SLOTS */
slot->key.bytes = 0;
return PSA_SUCCESS;
@ -2096,7 +2109,7 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
* storage ( thus not in the case of importing a key in a secure element
* with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
* buffer to hold the imported key material. */
if (slot->key.data == NULL) {
if (slot->key.bytes == 0) {
if (psa_key_lifetime_is_external(attributes->lifetime)) {
status = psa_driver_wrapper_get_key_buffer_size_from_key_data(
attributes, data, data_length, &storage_size);
@ -2306,6 +2319,58 @@ exit:
/* Message digests */
/****************************************************************/
static int is_hash_supported(psa_algorithm_t alg)
{
switch (alg) {
#if defined(PSA_WANT_ALG_MD5)
case PSA_ALG_MD5:
return 1;
#endif
#if defined(PSA_WANT_ALG_RIPEMD160)
case PSA_ALG_RIPEMD160:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_1)
case PSA_ALG_SHA_1:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_224)
case PSA_ALG_SHA_224:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_256)
case PSA_ALG_SHA_256:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_384)
case PSA_ALG_SHA_384:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA_512)
case PSA_ALG_SHA_512:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA3_224)
case PSA_ALG_SHA3_224:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA3_256)
case PSA_ALG_SHA3_256:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA3_384)
case PSA_ALG_SHA3_384:
return 1;
#endif
#if defined(PSA_WANT_ALG_SHA3_512)
case PSA_ALG_SHA3_512:
return 1;
#endif
default:
return 0;
}
}
psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
{
/* Aborting a non-active operation is allowed */
@ -2949,16 +3014,44 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message,
if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
}
if (PSA_ALG_IS_SIGN_HASH(alg)) {
if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) {
return PSA_ERROR_INVALID_ARGUMENT;
}
}
} else {
if (!PSA_ALG_IS_SIGN_HASH(alg)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
psa_algorithm_t hash_alg = 0;
if (PSA_ALG_IS_SIGN_HASH(alg)) {
hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
}
/* Now hash_alg==0 if alg by itself doesn't need a hash.
* This is good enough for sign-hash, but a guaranteed failure for
* sign-message which needs to hash first for all algorithms
* supported at the moment. */
if (hash_alg == 0 && input_is_message) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (hash_alg == PSA_ALG_ANY_HASH) {
return PSA_ERROR_INVALID_ARGUMENT;
}
/* Give up immediately if the hash is not supported. This has
* several advantages:
* - For mechanisms that don't use the hash at all (e.g.
* ECDSA verification, randomized ECDSA signature), without
* this check, the operation would succeed even though it has
* been given an invalid argument. This would not be insecure
* since the hash was not necessary, but it would be weird.
* - For mechanisms that do use the hash, we avoid an error
* deep inside the execution. In principle this doesn't matter,
* but there is a little more risk of a bug in error handling
* deep inside than in this preliminary check.
* - When calling a driver, the driver might be capable of using
* a hash that the core doesn't support. This could potentially
* result in a buffer overflow if the hash is larger than the
* maximum hash size assumed by the core.
* - Returning a consistent error makes it possible to test
* not-supported hashes in a consistent way.
*/
if (hash_alg != 0 && !is_hash_supported(hash_alg)) {
return PSA_ERROR_NOT_SUPPORTED;
}
return PSA_SUCCESS;
@ -3839,6 +3932,34 @@ uint32_t mbedtls_psa_verify_hash_get_num_ops(
* defined( MBEDTLS_ECP_RESTARTABLE ) */
}
/* Detect supported interruptible sign/verify mechanisms precisely.
* This is not strictly needed: we could accept everything, and let the
* code fail later during complete() if the mechanism is unsupported
* (e.g. attempting deterministic ECDSA when only the randomized variant
* is available). But it's easier for applications and especially for our
* test code to detect all not-supported errors during start().
*
* Note that this function ignores the hash component. The core code
* is supposed to check the hash part by calling is_hash_supported().
*/
static inline int can_do_interruptible_sign_verify(psa_algorithm_t alg)
{
#if defined(MBEDTLS_ECP_RESTARTABLE)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) {
return 1;
}
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
if (PSA_ALG_IS_RANDOMIZED_ECDSA(alg)) {
return 1;
}
#endif
#endif /* defined(MBEDTLS_ECP_RESTARTABLE) */
(void) alg;
return 0;
}
psa_status_t mbedtls_psa_sign_hash_start(
mbedtls_psa_sign_hash_interruptible_operation_t *operation,
const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
@ -3848,11 +3969,15 @@ psa_status_t mbedtls_psa_sign_hash_start(
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t required_hash_length;
if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type)) {
return PSA_ERROR_NOT_SUPPORTED;
}
psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (!PSA_ALG_IS_ECDSA(alg)) {
if (!can_do_interruptible_sign_verify(alg)) {
return PSA_ERROR_NOT_SUPPORTED;
}
@ -4067,8 +4192,12 @@ psa_status_t mbedtls_psa_verify_hash_start(
if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) {
return PSA_ERROR_NOT_SUPPORTED;
}
psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type);
if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (!PSA_ALG_IS_ECDSA(alg)) {
if (!can_do_interruptible_sign_verify(alg)) {
return PSA_ERROR_NOT_SUPPORTED;
}
@ -6187,7 +6316,7 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper(
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t m;
size_t m_bytes;
size_t m_bytes = 0;
mbedtls_mpi_init(&k);
mbedtls_mpi_init(&diff_N_2);
@ -6260,7 +6389,7 @@ cleanup:
status = mbedtls_to_psa_error(ret);
}
if (status != PSA_SUCCESS) {
mbedtls_free(*data);
mbedtls_zeroize_and_free(*data, m_bytes);
*data = NULL;
}
mbedtls_mpi_free(&k);
@ -6435,7 +6564,7 @@ static psa_status_t psa_generate_derived_key_internal(
}
exit:
mbedtls_free(data);
mbedtls_zeroize_and_free(data, bytes);
return status;
}
@ -7359,6 +7488,12 @@ static psa_status_t psa_key_derivation_input_internal(
psa_status_t status;
psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
if (kdf_alg == PSA_ALG_NONE) {
/* This is a blank or aborted operation. */
status = PSA_ERROR_BAD_STATE;
goto exit;
}
status = psa_key_derivation_check_input_type(step, key_type);
if (status != PSA_SUCCESS) {
goto exit;
@ -7417,6 +7552,12 @@ static psa_status_t psa_key_derivation_input_integer_internal(
psa_status_t status;
psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation);
if (kdf_alg == PSA_ALG_NONE) {
/* This is a blank or aborted operation. */
status = PSA_ERROR_BAD_STATE;
goto exit;
}
#if defined(PSA_HAVE_SOFT_PBKDF2)
if (PSA_ALG_IS_PBKDF2(kdf_alg)) {
status = psa_pbkdf2_set_input_cost(
@ -7430,6 +7571,7 @@ static psa_status_t psa_key_derivation_input_integer_internal(
status = PSA_ERROR_INVALID_ARGUMENT;
}
exit:
if (status != PSA_SUCCESS) {
psa_key_derivation_abort(operation);
}
@ -8013,7 +8155,7 @@ psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes,
* storage ( thus not in the case of generating a key in a secure element
* with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
* buffer to hold the generated key material. */
if (slot->key.data == NULL) {
if (slot->key.bytes == 0) {
if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) ==
PSA_KEY_LOCATION_LOCAL_STORAGE) {
status = psa_validate_key_type_and_size_for_key_generation(
@ -9171,7 +9313,7 @@ psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len
return PSA_SUCCESS;
error:
mbedtls_free(local_input->buffer);
mbedtls_zeroize_and_free(local_input->buffer, local_input->length);
local_input->buffer = NULL;
local_input->length = 0;
return status;
@ -9179,7 +9321,7 @@ error:
void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input)
{
mbedtls_free(local_input->buffer);
mbedtls_zeroize_and_free(local_input->buffer, local_input->length);
local_input->buffer = NULL;
local_input->length = 0;
}
@ -9223,7 +9365,7 @@ psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_outpu
return status;
}
mbedtls_free(local_output->buffer);
mbedtls_zeroize_and_free(local_output->buffer, local_output->length);
local_output->buffer = NULL;
local_output->length = 0;

3
thirdparty/mbedtls/library/psa_crypto_cipher.c vendored
View file

@ -71,9 +71,6 @@ static psa_status_t mbedtls_cipher_validate_values(
#if !defined(PSA_WANT_ALG_OFB)
MBEDTLS_ASSUME(alg != PSA_ALG_OFB);
#endif
#if !defined(PSA_WANT_ALG_XTS)
MBEDTLS_ASSUME(alg != PSA_ALG_XTS);
#endif
#if !defined(PSA_WANT_ALG_ECB_NO_PADDING)
MBEDTLS_ASSUME(alg != PSA_ALG_ECB_NO_PADDING);
#endif

16
thirdparty/mbedtls/library/psa_crypto_core.h vendored
View file

@ -24,18 +24,6 @@
#include "mbedtls/threading.h"
#endif
/**
* Tell if PSA is ready for this hash.
*
* \note For now, only checks the state of the driver subsystem,
* not the algorithm. Might do more in the future.
*
* \param hash_alg The hash algorithm (ignored for now).
*
* \return 1 if the driver subsytem is ready, 0 otherwise.
*/
int psa_can_do_hash(psa_algorithm_t hash_alg);
/**
* Tell if PSA is ready for this cipher.
*
@ -155,7 +143,11 @@ typedef struct {
/* Dynamically allocated key data buffer.
* Format as specified in psa_export_key(). */
struct key_data {
#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
uint8_t data[MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE];
#else
uint8_t *data;
#endif
size_t bytes;
} key;
} psa_key_slot_t;

4
thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h vendored
View file

@ -306,8 +306,7 @@ static inline psa_status_t psa_driver_wrapper_sign_hash(
#endif /* PSA_CRYPTO_DRIVER_TEST */
#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDSA(alg) &&
!PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
PSA_ALG_IS_RANDOMIZED_ECDSA(alg) &&
PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
psa_get_key_bits(attributes) == 256 )
{
@ -411,7 +410,6 @@ static inline psa_status_t psa_driver_wrapper_verify_hash(
#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDSA(alg) &&
!PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) &&
PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 &&
psa_get_key_bits(attributes) == 256 )
{

36
thirdparty/mbedtls/library/psa_crypto_ecp.c vendored
View file

@ -321,38 +321,36 @@ psa_status_t mbedtls_psa_ecp_generate_key(
const psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(
attributes->type);
mbedtls_ecp_group_id grp_id =
mbedtls_ecc_group_from_psa(curve, attributes->bits);
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_grp_id(grp_id);
mbedtls_ecp_keypair ecp;
if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL) {
if (grp_id == MBEDTLS_ECP_DP_NONE) {
return PSA_ERROR_NOT_SUPPORTED;
}
mbedtls_ecp_keypair ecp;
mbedtls_ecp_keypair_init(&ecp);
ret = mbedtls_ecp_gen_key(grp_id, &ecp,
mbedtls_psa_get_random,
MBEDTLS_PSA_RANDOM_STATE);
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
ret = mbedtls_ecp_group_load(&ecp.grp, grp_id);
if (ret != 0) {
mbedtls_ecp_keypair_free(&ecp);
return mbedtls_to_psa_error(ret);
goto exit;
}
status = mbedtls_to_psa_error(
mbedtls_ecp_write_key_ext(&ecp, key_buffer_length,
key_buffer, key_buffer_size));
ret = mbedtls_ecp_gen_privkey(&ecp.grp, &ecp.d,
mbedtls_psa_get_random,
MBEDTLS_PSA_RANDOM_STATE);
if (ret != 0) {
goto exit;
}
ret = mbedtls_ecp_write_key_ext(&ecp, key_buffer_length,
key_buffer, key_buffer_size);
exit:
mbedtls_ecp_keypair_free(&ecp);
return status;
return mbedtls_to_psa_error(ret);
}
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */

4
thirdparty/mbedtls/library/psa_crypto_slot_management.c vendored
View file

@ -35,9 +35,9 @@ MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_USER_MIN < PSA_KEY_ID_USER_MAX,
"Empty user key ID range");
MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VENDOR_MIN < PSA_KEY_ID_VENDOR_MAX,
"Empty vendor key ID range");
MBEDTLS_STATIC_ASSERT(MBEDTLS_PSA_KEY_ID_BUILTIN_MIN < MBEDTLS_PSA_KEY_ID_BUILTIN_MAX,
MBEDTLS_STATIC_ASSERT(MBEDTLS_PSA_KEY_ID_BUILTIN_MIN <= MBEDTLS_PSA_KEY_ID_BUILTIN_MAX,
"Empty builtin key ID range");
MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VOLATILE_MIN < PSA_KEY_ID_VOLATILE_MAX,
MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VOLATILE_MIN <= PSA_KEY_ID_VOLATILE_MAX,
"Empty volatile key ID range");
MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_USER_MAX < PSA_KEY_ID_VENDOR_MIN ||

11
thirdparty/mbedtls/library/psa_crypto_storage.h vendored
View file

@ -21,9 +21,16 @@ extern "C" {
#include <stdint.h>
#include <string.h>
/* Limit the maximum key size in storage. This should have no effect
* since the key size is limited in memory. */
/* Limit the maximum key size in storage. */
#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
/* Reflect the maximum size for the key buffer. */
#define PSA_CRYPTO_MAX_STORAGE_SIZE (MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)
#else
/* Just set an upper boundary but it should have no effect since the key size
* is limited in memory. */
#define PSA_CRYPTO_MAX_STORAGE_SIZE (PSA_BITS_TO_BYTES(PSA_MAX_KEY_BITS))
#endif
/* Sanity check: a file size must fit in 32 bits. Allow a generous
* 64kB of metadata. */
#if PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000

6
thirdparty/mbedtls/library/psa_util.c vendored
View file

@ -440,6 +440,9 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l
unsigned char *p = der + der_size;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if (bits == 0) {
return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
if (raw_len != (2 * coordinate_len)) {
return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
@ -559,6 +562,9 @@ int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_l
size_t coordinate_size = PSA_BITS_TO_BYTES(bits);
int ret;
if (bits == 0) {
return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
/* The output raw buffer should be at least twice the size of a raw
* coordinate in order to store r and s. */
if (raw_size < coordinate_size * 2) {

18
thirdparty/mbedtls/library/ssl_client.c vendored
View file

@ -29,19 +29,20 @@ static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
size_t *olen)
{
unsigned char *p = buf;
const char *hostname = mbedtls_ssl_get_hostname_pointer(ssl);
size_t hostname_len;
*olen = 0;
if (ssl->hostname == NULL) {
if (hostname == NULL) {
return 0;
}
MBEDTLS_SSL_DEBUG_MSG(3,
("client hello, adding server name extension: %s",
ssl->hostname));
hostname));
hostname_len = strlen(ssl->hostname);
hostname_len = strlen(hostname);
MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);
@ -85,7 +86,7 @@ static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
p += 2;
memcpy(p, ssl->hostname, hostname_len);
memcpy(p, hostname, hostname_len);
*olen = hostname_len + 9;
@ -881,13 +882,14 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const char *context_hostname = mbedtls_ssl_get_hostname_pointer(ssl);
if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
ssl->handshake->resume) {
int hostname_mismatch = ssl->hostname != NULL ||
int hostname_mismatch = context_hostname != NULL ||
session_negotiate->hostname != NULL;
if (ssl->hostname != NULL && session_negotiate->hostname != NULL) {
if (context_hostname != NULL && session_negotiate->hostname != NULL) {
hostname_mismatch = strcmp(
ssl->hostname, session_negotiate->hostname) != 0;
context_hostname, session_negotiate->hostname) != 0;
}
if (hostname_mismatch) {
@ -898,7 +900,7 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
}
} else {
return mbedtls_ssl_session_set_hostname(session_negotiate,
ssl->hostname);
context_hostname);
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
MBEDTLS_SSL_SESSION_TICKETS &&

2
thirdparty/mbedtls/library/ssl_debug_helpers_generated.c vendored
View file

@ -11,7 +11,7 @@
*
*/
#include "common.h"
#include "ssl_misc.h"
#if defined(MBEDTLS_DEBUG_C)

17
thirdparty/mbedtls/library/ssl_misc.h vendored
View file

@ -11,6 +11,7 @@
#define MBEDTLS_SSL_MISC_H
#include "mbedtls/build_info.h"
#include "common.h"
#include "mbedtls/error.h"
@ -47,7 +48,7 @@
#include "ssl_ciphersuites_internal.h"
#include "x509_internal.h"
#include "pk_internal.h"
#include "common.h"
/* Shorthand for restartable ECC */
#if defined(MBEDTLS_ECP_RESTARTABLE) && \
@ -2899,6 +2900,18 @@ int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
unsigned char *buf, unsigned char *end);
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/** Get the host name from the SSL context.
*
* \param[in] ssl SSL context
*
* \return The \p hostname pointer from the SSL context.
* \c NULL if mbedtls_ssl_set_hostname() has never been called on
* \p ssl or if it was last called with \p NULL.
*/
const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl);
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
@ -2982,6 +2995,7 @@ static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \
(1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static inline int mbedtls_ssl_conf_get_session_tickets(
const mbedtls_ssl_config *conf)
{
@ -2989,6 +3003,7 @@ static inline int mbedtls_ssl_conf_get_session_tickets(
MBEDTLS_SSL_SESSION_TICKETS_ENABLED :
MBEDTLS_SSL_SESSION_TICKETS_DISABLED;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(

195
thirdparty/mbedtls/library/ssl_msg.c vendored
View file

@ -3221,16 +3221,19 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
{
/* First handshake fragment must at least include the header. */
if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
if (ssl->badmac_seen_or_in_hsfraglen == 0) {
/* The handshake message must at least include the header.
* We may not have the full message yet in case of fragmentation.
* To simplify the code, we insist on having the header (and in
* particular the handshake message length) in the first
* fragment. */
if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
if (ssl->in_hslen == 0) {
ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
ssl->badmac_seen_or_in_hsfraglen = 0;
}
MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
@ -3238,6 +3241,14 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
MBEDTLS_PRINTF_SIZET,
ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen));
if (ssl->transform_in != NULL) {
MBEDTLS_SSL_DEBUG_MSG(4, ("decrypted handshake message:"
" iv-buf=%d hdr-buf=%d hdr-buf=%d",
(int) (ssl->in_iv - ssl->in_buf),
(int) (ssl->in_hdr - ssl->in_buf),
(int) (ssl->in_msg - ssl->in_buf)));
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3297,67 +3308,103 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
}
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
if (ssl->badmac_seen_or_in_hsfraglen <= ssl->in_hslen) {
int ret;
{
unsigned char *const reassembled_record_start =
ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
unsigned char *const payload_start =
reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl);
unsigned char *payload_end = payload_start + ssl->badmac_seen_or_in_hsfraglen;
/* How many more bytes we want to have a complete handshake message. */
const size_t hs_remain = ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen;
/* How many bytes of the current record are part of the first
* handshake message. There may be more handshake messages (possibly
* incomplete) in the same record; if so, we leave them after the
* current record, and ssl_consume_current_message() will take
* care of consuming the next handshake message. */
const size_t hs_this_fragment_len =
ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen;
(void) hs_this_fragment_len;
MBEDTLS_SSL_DEBUG_MSG(3,
("handshake fragment: %u .. %"
MBEDTLS_PRINTF_SIZET " of %"
MBEDTLS_PRINTF_SIZET " msglen %" MBEDTLS_PRINTF_SIZET,
("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET
", %u..%u of %" MBEDTLS_PRINTF_SIZET,
(ssl->badmac_seen_or_in_hsfraglen != 0 ?
"subsequent" :
hs_this_fragment_len == ssl->in_hslen ?
"sole" :
"initial"),
ssl->in_msglen,
ssl->badmac_seen_or_in_hsfraglen,
(size_t) ssl->badmac_seen_or_in_hsfraglen +
(hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen),
ssl->in_hslen, ssl->in_msglen));
if (ssl->in_msglen < hs_remain) {
/* ssl->in_msglen is a 25-bit value since it is the sum of the
* header length plus the payload length, the header length is 4
* and the payload length was received on the wire encoded as
* 3 octets. We don't support 16-bit platforms; more specifically,
* we assume that both unsigned and size_t are at least 32 bits.
* Therefore there is no possible integer overflow here.
*/
ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen;
ssl->in_hdr = ssl->in_msg + ssl->in_msglen;
ssl->badmac_seen_or_in_hsfraglen +
(unsigned) hs_this_fragment_len,
ssl->in_hslen));
/* Move the received handshake fragment to have the whole message
* (at least the part received so far) in a single segment at a
* known offset in the input buffer.
* - When receiving a non-initial handshake fragment, append it to
* the initial segment.
* - Even the initial handshake fragment is moved, if it was
* encrypted with an explicit IV: decryption leaves the payload
* after the explicit IV, but here we move it to start where the
* IV was.
*/
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t const in_buf_len = ssl->in_buf_len;
#else
size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
#endif
if (payload_end + ssl->in_msglen > ssl->in_buf + in_buf_len) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Shouldn't happen: no room to move handshake fragment %"
MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%"
MBEDTLS_PRINTF_SIZET ")",
ssl->in_msglen,
(void *) ssl->in_msg, (void *) payload_end,
(void *) ssl->in_buf, in_buf_len));
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
memmove(payload_end, ssl->in_msg, ssl->in_msglen);
ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen;
payload_end += ssl->in_msglen;
if (ssl->badmac_seen_or_in_hsfraglen < ssl->in_hslen) {
MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments "
"%u/%" MBEDTLS_PRINTF_SIZET,
ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen));
ssl->in_hdr = payload_end;
ssl->in_msglen = 0;
mbedtls_ssl_update_in_pointers(ssl);
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
}
if (ssl->badmac_seen_or_in_hsfraglen > 0) {
/*
* At in_first_hdr we have a sequence of records that cover the next handshake
* record, each with its own record header that we need to remove.
* Note that the reassembled record size may not equal the size of the message,
* there may be more messages after it, complete or partial.
*/
unsigned char *in_first_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
unsigned char *p = in_first_hdr, *q = NULL;
size_t merged_rec_len = 0;
do {
mbedtls_record rec;
ret = ssl_parse_record_header(ssl, p, mbedtls_ssl_in_hdr_len(ssl), &rec);
if (ret != 0) {
return ret;
}
merged_rec_len += rec.data_len;
p = rec.buf + rec.buf_len;
if (q != NULL) {
memmove(q, rec.buf + rec.data_offset, rec.data_len);
q += rec.data_len;
} else {
q = p;
}
} while (merged_rec_len < ssl->in_hslen);
ssl->in_hdr = in_first_hdr;
mbedtls_ssl_update_in_pointers(ssl);
ssl->in_msglen = merged_rec_len;
/* Adjust message length. */
MBEDTLS_PUT_UINT16_BE(merged_rec_len, ssl->in_len, 0);
} else {
ssl->in_msglen = ssl->badmac_seen_or_in_hsfraglen;
ssl->badmac_seen_or_in_hsfraglen = 0;
ssl->in_hdr = reassembled_record_start;
mbedtls_ssl_update_in_pointers(ssl);
/* Update the record length in the fully reassembled record */
if (ssl->in_msglen > 0xffff) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Shouldn't happen: in_msglen=%"
MBEDTLS_PRINTF_SIZET " > 0xffff",
ssl->in_msglen));
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen;
(void) record_len;
MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record",
ssl->in_hdr, mbedtls_ssl_in_hdr_len(ssl) + merged_rec_len);
ssl->in_hdr, record_len);
if (ssl->in_hslen < ssl->in_msglen) {
MBEDTLS_SSL_DEBUG_MSG(3,
("More handshake messages in the record: "
"%" MBEDTLS_PRINTF_SIZET " + %" MBEDTLS_PRINTF_SIZET,
ssl->in_hslen,
ssl->in_msglen - ssl->in_hslen));
}
}
} else {
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
return 0;
@ -4704,11 +4751,9 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl)
if (ssl->badmac_seen_or_in_hsfraglen != 0) {
/* Not all handshake fragments have arrived, do not consume. */
MBEDTLS_SSL_DEBUG_MSG(3,
("waiting for more fragments (%u of %"
MBEDTLS_PRINTF_SIZET ", %" MBEDTLS_PRINTF_SIZET " left)",
ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen,
ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen));
MBEDTLS_SSL_DEBUG_MSG(3, ("Consume: waiting for more handshake fragments "
"%u/%" MBEDTLS_PRINTF_SIZET,
ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen));
return 0;
}
@ -5103,6 +5148,18 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
/* If we're in the middle of a fragmented TLS handshake message,
* we don't accept any other message type. For TLS 1.3, the spec forbids
* interleaving other message types between handshake fragments. For TLS
* 1.2, the spec does not forbid it but we do. */
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM &&
ssl->badmac_seen_or_in_hsfraglen != 0 &&
ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("non-handshake message in the middle"
" of a fragmented handshake message"));
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
/*
* Handle particular types of records
*/
@ -5141,15 +5198,9 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
MBEDTLS_SSL_DEBUG_MSG(1,
MBEDTLS_SSL_DEBUG_MSG(2,
("Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"));
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
#else
MBEDTLS_SSL_DEBUG_MSG(1,
("ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
}

101
thirdparty/mbedtls/library/ssl_tls.c vendored
View file

@ -2769,6 +2769,51 @@ void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/* A magic value for `ssl->hostname` indicating that
* mbedtls_ssl_set_hostname() has been called with `NULL`.
* If mbedtls_ssl_set_hostname() has never been called on `ssl`, then
* `ssl->hostname == NULL`. */
static const char *const ssl_hostname_skip_cn_verification = "";
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
/** Whether mbedtls_ssl_set_hostname() has been called.
*
* \param[in] ssl SSL context
*
* \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
* (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
* otherwise \c 0.
*/
static int mbedtls_ssl_has_set_hostname_been_called(
const mbedtls_ssl_context *ssl)
{
return ssl->hostname != NULL;
}
#endif
/* Micro-optimization: don't export this function if it isn't needed outside
* of this source file. */
#if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
static
#endif
const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl)
{
if (ssl->hostname == ssl_hostname_skip_cn_verification) {
return NULL;
}
return ssl->hostname;
}
static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
{
if (ssl->hostname != NULL &&
ssl->hostname != ssl_hostname_skip_cn_verification) {
mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
}
ssl->hostname = NULL;
}
int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
{
/* Initialize to suppress unnecessary compiler warning */
@ -2786,18 +2831,21 @@ int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
/* Now it's clear that we will overwrite the old hostname,
* so we can free it safely */
if (ssl->hostname != NULL) {
mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
}
/* Passing NULL as hostname shall clear the old one */
mbedtls_ssl_free_hostname(ssl);
if (hostname == NULL) {
ssl->hostname = NULL;
/* Passing NULL as hostname clears the old one, but leaves a
* special marker to indicate that mbedtls_ssl_set_hostname()
* has been called. */
/* ssl->hostname should be const, but isn't. We won't actually
* write to the buffer, so it's ok to cast away the const. */
ssl->hostname = (char *) ssl_hostname_skip_cn_verification;
} else {
ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
if (ssl->hostname == NULL) {
/* mbedtls_ssl_set_hostname() has been called, but unsuccessfully.
* Leave ssl->hostname in the same state as if the function had
* not been called, i.e. a null pointer. */
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
@ -5583,9 +5631,7 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if (ssl->hostname != NULL) {
mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
}
mbedtls_ssl_free_hostname(ssl);
#endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
@ -8323,6 +8369,7 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
return ret;
}
/*
@ -8436,6 +8483,7 @@ int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
return ret;
}
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
@ -9796,6 +9844,27 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
return ret;
}
static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
const char **hostname)
{
if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
#if !defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME)
if (mbedtls_ssl_conf_get_endpoint(ssl->conf) == MBEDTLS_SSL_IS_CLIENT &&
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME;
}
#endif
}
*hostname = mbedtls_ssl_get_hostname_pointer(ssl);
if (*hostname == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
}
return 0;
}
int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
int authmode,
mbedtls_x509_crt *chain,
@ -9821,7 +9890,13 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
p_vrfy = ssl->conf->p_vrfy;
}
int ret = 0;
const char *hostname = "";
int ret = get_hostname_for_verification(ssl, &hostname);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
return ret;
}
int have_ca_chain_or_callback = 0;
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if (ssl->conf->f_ca_cb != NULL) {
@ -9834,7 +9909,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
ssl->conf->f_ca_cb,
ssl->conf->p_ca_cb,
ssl->conf->cert_profile,
ssl->hostname,
hostname,
&ssl->session_negotiate->verify_result,
f_vrfy, p_vrfy);
} else
@ -9861,7 +9936,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
chain,
ca_chain, ca_crl,
ssl->conf->cert_profile,
ssl->hostname,
hostname,
&ssl->session_negotiate->verify_result,
f_vrfy, p_vrfy, rs_ctx);
}

2
thirdparty/mbedtls/library/ssl_tls12_client.c vendored
View file

@ -1964,7 +1964,7 @@ static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
ssl->out_msg + offset + len_bytes, olen,
MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_encrypt", ret);
return ret;
}

1
thirdparty/mbedtls/library/ssl_tls13_client.c vendored
View file

@ -319,6 +319,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
ssl, group_id, p, end, &key_exchange_len);
p += key_exchange_len;
if (ret != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("client hello: failed generating xxdh key exchange"));
return ret;
}

5
thirdparty/mbedtls/library/ssl_tls13_server.c vendored
View file

@ -92,7 +92,7 @@ static void ssl_tls13_select_ciphersuite(
return;
}
MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
MBEDTLS_SSL_DEBUG_MSG(1, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
(unsigned) psk_ciphersuite_id,
(unsigned long) psk_hash_alg));
}
@ -1380,6 +1380,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
}
if (ret == 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("no supported_versions extension"));
return SSL_CLIENT_HELLO_TLS1_2;
}
@ -1401,6 +1402,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
* the TLS version to negotiate.
*/
if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) {
MBEDTLS_SSL_DEBUG_MSG(2, ("supported_versions without 1.3"));
return SSL_CLIENT_HELLO_TLS1_2;
}
}
@ -1985,6 +1987,7 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
}
ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
MBEDTLS_SSL_DEBUG_MSG(1, ("non-1.3 ClientHello left for later processing"));
return 0;
}

2
thirdparty/mbedtls/library/threading.c vendored
View file

@ -61,7 +61,7 @@ static void threading_mutex_init_pthread(mbedtls_threading_mutex_t *mutex)
* this here in a thread safe manner without a significant performance
* hit, so state transitions are checked in tests only via the state
* variable. Please make sure any new mutex that gets added is exercised in
* tests; see tests/src/threading_helpers.c for more details. */
* tests; see framework/tests/src/threading_helpers.c for more details. */
(void) pthread_mutex_init(&mutex->mutex, NULL);
}

6
thirdparty/mbedtls/library/version_features.c vendored
View file

@ -459,6 +459,9 @@ static const char * const features[] = {
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
"SSL_ASYNC_PRIVATE", //no-check-names
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#if defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME)
"SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME", //no-check-names
#endif /* MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME */
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
"SSL_CONTEXT_SERIALIZATION", //no-check-names
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
@ -720,6 +723,9 @@ static const char * const features[] = {
#if defined(MBEDTLS_PSA_ITS_FILE_C)
"PSA_ITS_FILE_C", //no-check-names
#endif /* MBEDTLS_PSA_ITS_FILE_C */
#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
"PSA_STATIC_KEY_SLOTS", //no-check-names
#endif /* MBEDTLS_PSA_STATIC_KEY_SLOTS */
#if defined(MBEDTLS_RIPEMD160_C)
"RIPEMD160_C", //no-check-names
#endif /* MBEDTLS_RIPEMD160_C */

373
thirdparty/mbedtls/patches/0002-pr-9981-defragment-incoming-tls-handshake-messages.patch vendored
View file

@ -1,373 +0,0 @@
diff --git a/thirdparty/README.md b/thirdparty/README.md
index 16a7661f5b..7ad8524e1a 100644
--- a/thirdparty/README.md
+++ b/thirdparty/README.md
@@ -627,6 +627,7 @@ File extracted from upstream release tarball:
Patches:
- `0001-msvc-2019-psa-redeclaration.patch` (GH-90535)
+- `0002-pr-9981-defragment-incoming-tls-handshake-messages.patch` (GH-102770)
## meshoptimizer
diff --git a/thirdparty/mbedtls/include/mbedtls/ssl.h b/thirdparty/mbedtls/include/mbedtls/ssl.h
index 42fffbf860..597da2571f 100644
--- a/thirdparty/mbedtls/include/mbedtls/ssl.h
+++ b/thirdparty/mbedtls/include/mbedtls/ssl.h
@@ -1724,7 +1724,16 @@ struct mbedtls_ssl_context {
int MBEDTLS_PRIVATE(early_data_state);
#endif
- unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */
+ /** Multipurpose field.
+ *
+ * - DTLS: records with a bad MAC received.
+ * - TLS: accumulated length of handshake fragments (up to \c in_hslen).
+ *
+ * This field is multipurpose in order to preserve the ABI in the
+ * Mbed TLS 3.6 LTS branch. Until 3.6.2, it was only used in DTLS
+ * and called `badmac_seen`.
+ */
+ unsigned MBEDTLS_PRIVATE(badmac_seen_or_in_hsfraglen);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/** Callback to customize X.509 certificate chain verification */
diff --git a/thirdparty/mbedtls/library/ssl_misc.h b/thirdparty/mbedtls/library/ssl_misc.h
index 98668798a8..bfadac7be3 100644
--- a/thirdparty/mbedtls/library/ssl_misc.h
+++ b/thirdparty/mbedtls/library/ssl_misc.h
@@ -1829,10 +1829,11 @@ void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
+void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform);
-void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
diff --git a/thirdparty/mbedtls/library/ssl_msg.c b/thirdparty/mbedtls/library/ssl_msg.c
index ef722d7bdc..08d197e08c 100644
--- a/thirdparty/mbedtls/library/ssl_msg.c
+++ b/thirdparty/mbedtls/library/ssl_msg.c
@@ -25,6 +25,7 @@
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
+#include <limits.h>
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -3220,13 +3221,17 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
{
- if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
+ /* First handshake fragment must at least include the header. */
+ if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
- ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
+ if (ssl->in_hslen == 0) {
+ ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
+ ssl->badmac_seen_or_in_hsfraglen = 0;
+ }
MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
" %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %"
@@ -3292,10 +3297,67 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
}
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
- /* With TLS we don't handle fragmentation (for now) */
- if (ssl->in_msglen < ssl->in_hslen) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported"));
- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ if (ssl->badmac_seen_or_in_hsfraglen <= ssl->in_hslen) {
+ int ret;
+ const size_t hs_remain = ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen;
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("handshake fragment: %u .. %"
+ MBEDTLS_PRINTF_SIZET " of %"
+ MBEDTLS_PRINTF_SIZET " msglen %" MBEDTLS_PRINTF_SIZET,
+ ssl->badmac_seen_or_in_hsfraglen,
+ (size_t) ssl->badmac_seen_or_in_hsfraglen +
+ (hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen),
+ ssl->in_hslen, ssl->in_msglen));
+ if (ssl->in_msglen < hs_remain) {
+ /* ssl->in_msglen is a 25-bit value since it is the sum of the
+ * header length plus the payload length, the header length is 4
+ * and the payload length was received on the wire encoded as
+ * 3 octets. We don't support 16-bit platforms; more specifically,
+ * we assume that both unsigned and size_t are at least 32 bits.
+ * Therefore there is no possible integer overflow here.
+ */
+ ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen;
+ ssl->in_hdr = ssl->in_msg + ssl->in_msglen;
+ ssl->in_msglen = 0;
+ mbedtls_ssl_update_in_pointers(ssl);
+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+ }
+ if (ssl->badmac_seen_or_in_hsfraglen > 0) {
+ /*
+ * At in_first_hdr we have a sequence of records that cover the next handshake
+ * record, each with its own record header that we need to remove.
+ * Note that the reassembled record size may not equal the size of the message,
+ * there may be more messages after it, complete or partial.
+ */
+ unsigned char *in_first_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ unsigned char *p = in_first_hdr, *q = NULL;
+ size_t merged_rec_len = 0;
+ do {
+ mbedtls_record rec;
+ ret = ssl_parse_record_header(ssl, p, mbedtls_ssl_in_hdr_len(ssl), &rec);
+ if (ret != 0) {
+ return ret;
+ }
+ merged_rec_len += rec.data_len;
+ p = rec.buf + rec.buf_len;
+ if (q != NULL) {
+ memmove(q, rec.buf + rec.data_offset, rec.data_len);
+ q += rec.data_len;
+ } else {
+ q = p;
+ }
+ } while (merged_rec_len < ssl->in_hslen);
+ ssl->in_hdr = in_first_hdr;
+ mbedtls_ssl_update_in_pointers(ssl);
+ ssl->in_msglen = merged_rec_len;
+ /* Adjust message length. */
+ MBEDTLS_PUT_UINT16_BE(merged_rec_len, ssl->in_len, 0);
+ ssl->badmac_seen_or_in_hsfraglen = 0;
+ MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record",
+ ssl->in_hdr, mbedtls_ssl_in_hdr_len(ssl) + merged_rec_len);
+ }
+ } else {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
return 0;
@@ -4640,6 +4702,16 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
+ if (ssl->badmac_seen_or_in_hsfraglen != 0) {
+ /* Not all handshake fragments have arrived, do not consume. */
+ MBEDTLS_SSL_DEBUG_MSG(3,
+ ("waiting for more fragments (%u of %"
+ MBEDTLS_PRINTF_SIZET ", %" MBEDTLS_PRINTF_SIZET " left)",
+ ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen,
+ ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen));
+ return 0;
+ }
+
/*
* Get next Handshake message in the current record
*/
@@ -4665,6 +4737,7 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl)
ssl->in_msglen -= ssl->in_hslen;
memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
ssl->in_msglen);
+ MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record",
ssl->in_msg, ssl->in_msglen);
@@ -4967,10 +5040,12 @@ static int ssl_get_next_record(mbedtls_ssl_context *ssl)
return ret;
}
- if (ssl->conf->badmac_limit != 0 &&
- ++ssl->badmac_seen >= ssl->conf->badmac_limit) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC"));
- return MBEDTLS_ERR_SSL_INVALID_MAC;
+ if (ssl->conf->badmac_limit != 0) {
+ ++ssl->badmac_seen_or_in_hsfraglen;
+ if (ssl->badmac_seen_or_in_hsfraglen >= ssl->conf->badmac_limit) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC"));
+ return MBEDTLS_ERR_SSL_INVALID_MAC;
+ }
}
/* As above, invalid records cause
@@ -5345,7 +5420,7 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl)
} else
#endif
{
- ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ ssl->in_ctr = ssl->in_buf;
ssl->in_len = ssl->in_hdr + 3;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl->in_cid = ssl->in_len;
@@ -5361,24 +5436,35 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl)
* Setup an SSL context
*/
-void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl)
+void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl)
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+ ssl->in_hdr = ssl->in_buf;
+ } else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+ {
+ ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
+ }
+
+ /* Derive other internal pointers. */
+ mbedtls_ssl_update_in_pointers(ssl);
+}
+
+void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl)
{
/* Set the incoming and outgoing record pointers. */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
ssl->out_hdr = ssl->out_buf;
- ssl->in_hdr = ssl->in_buf;
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
{
ssl->out_ctr = ssl->out_buf;
- ssl->out_hdr = ssl->out_buf + 8;
- ssl->in_hdr = ssl->in_buf + 8;
+ ssl->out_hdr = ssl->out_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
}
-
/* Derive other internal pointers. */
mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */);
- mbedtls_ssl_update_in_pointers(ssl);
}
/*
diff --git a/thirdparty/mbedtls/library/ssl_tls.c b/thirdparty/mbedtls/library/ssl_tls.c
index c773365bf6..7f74248252 100644
--- a/thirdparty/mbedtls/library/ssl_tls.c
+++ b/thirdparty/mbedtls/library/ssl_tls.c
@@ -344,12 +344,13 @@ static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
size_t out_buf_new_len)
{
int modified = 0;
- size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
+ size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0;
size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
if (ssl->in_buf != NULL) {
written_in = ssl->in_msg - ssl->in_buf;
iv_offset_in = ssl->in_iv - ssl->in_buf;
len_offset_in = ssl->in_len - ssl->in_buf;
+ hdr_in = ssl->in_hdr - ssl->in_buf;
if (downsizing ?
ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
ssl->in_buf_len < in_buf_new_len) {
@@ -381,7 +382,10 @@ static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
}
if (modified) {
/* Update pointers here to avoid doing it twice. */
- mbedtls_ssl_reset_in_out_pointers(ssl);
+ ssl->in_hdr = ssl->in_buf + hdr_in;
+ mbedtls_ssl_update_in_pointers(ssl);
+ mbedtls_ssl_reset_out_pointers(ssl);
+
/* Fields below might not be properly updated with record
* splitting or with CID, so they are manually updated here. */
ssl->out_msg = ssl->out_buf + written_out;
@@ -1409,7 +1413,8 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
goto error;
}
- mbedtls_ssl_reset_in_out_pointers(ssl);
+ mbedtls_ssl_reset_in_pointers(ssl);
+ mbedtls_ssl_reset_out_pointers(ssl);
#if defined(MBEDTLS_SSL_DTLS_SRTP)
memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
@@ -1474,7 +1479,8 @@ void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
/* Cancel any possibly running timer */
mbedtls_ssl_set_timer(ssl, 0);
- mbedtls_ssl_reset_in_out_pointers(ssl);
+ mbedtls_ssl_reset_in_pointers(ssl);
+ mbedtls_ssl_reset_out_pointers(ssl);
/* Reset incoming message parsing */
ssl->in_offt = NULL;
@@ -1485,6 +1491,12 @@ void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
ssl->keep_current_message = 0;
ssl->transform_in = NULL;
+ /* TLS: reset in_hsfraglen, which is part of message parsing.
+ * DTLS: on a client reconnect, don't reset badmac_seen. */
+ if (!partial) {
+ ssl->badmac_seen_or_in_hsfraglen = 0;
+ }
+
#if defined(MBEDTLS_SSL_PROTO_DTLS)
ssl->next_record_offset = 0;
ssl->in_epoch = 0;
@@ -5014,7 +5026,7 @@ static const unsigned char ssl_serialized_context_header[] = {
* uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
* uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
* // fields from ssl_context
- * uint32 badmac_seen; // DTLS: number of records with failing MAC
+ * uint32 badmac_seen_or_in_hsfraglen; // DTLS: number of records with failing MAC
* uint64 in_window_top; // DTLS: last validated record seq_num
* uint64 in_window; // DTLS: bitmask for replay protection
* uint8 disable_datagram_packing; // DTLS: only one record per datagram
@@ -5156,7 +5168,7 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
*/
used += 4;
if (used <= buf_len) {
- MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
+ MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen_or_in_hsfraglen, p, 0);
p += 4;
}
@@ -5386,7 +5398,7 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
- ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
+ ssl->badmac_seen_or_in_hsfraglen = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
diff --git a/thirdparty/mbedtls/library/ssl_tls12_server.c b/thirdparty/mbedtls/library/ssl_tls12_server.c
index 03722ac33c..67df4284a4 100644
--- a/thirdparty/mbedtls/library/ssl_tls12_server.c
+++ b/thirdparty/mbedtls/library/ssl_tls12_server.c
@@ -1057,28 +1057,6 @@ read_record_header:
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
- {
- size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
- (unsigned) handshake_len));
-
- /* The record layer has a record size limit of 2^14 - 1 and
- * fragmentation is not supported, so buf[1] should be zero. */
- if (buf[1] != 0) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
- (unsigned) buf[1]));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
-
- /* We don't support fragmentation of ClientHello (yet?) */
- if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
- (unsigned) msg_len,
- (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
- (unsigned) handshake_len));
- return MBEDTLS_ERR_SSL_DECODE_ERROR;
- }
- }
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {