From 1e37886e197fe64022ffe8645b8841d1be3930cc Mon Sep 17 00:00:00 2001 From: Fabio Alessandrelli Date: Mon, 24 Mar 2025 19:11:37 +0100 Subject: [PATCH] mbedTLS: Update to version 3.6.3 (cherry picked from commit 0b0655aee4c60e9ddf98ec80a20782554f798c57) --- thirdparty/README.md | 5 +- .../mbedtls/include/mbedtls/build_info.h | 8 +- .../mbedtls/include/mbedtls/check_config.h | 8 + .../mbedtls/config_adjust_legacy_crypto.h | 75 +++- .../mbedtls/config_adjust_legacy_from_psa.h | 19 - .../config_adjust_psa_superset_legacy.h | 7 - thirdparty/mbedtls/include/mbedtls/debug.h | 6 +- thirdparty/mbedtls/include/mbedtls/entropy.h | 5 +- thirdparty/mbedtls/include/mbedtls/error.h | 2 +- thirdparty/mbedtls/include/mbedtls/gcm.h | 23 +- .../mbedtls/include/mbedtls/mbedtls_config.h | 129 +++++- .../mbedtls/include/mbedtls/net_sockets.h | 2 +- thirdparty/mbedtls/include/mbedtls/psa_util.h | 19 + thirdparty/mbedtls/include/mbedtls/ssl.h | 124 +++++- .../mbedtls/include/mbedtls/threading.h | 2 +- .../mbedtls/include/psa/crypto_config.h | 14 - thirdparty/mbedtls/include/psa/crypto_extra.h | 39 ++ thirdparty/mbedtls/include/psa/crypto_sizes.h | 25 ++ thirdparty/mbedtls/library/aesni.c | 8 +- thirdparty/mbedtls/library/bignum_core.c | 26 +- thirdparty/mbedtls/library/bignum_core.h | 26 +- thirdparty/mbedtls/library/ccm.c | 3 +- .../mbedtls/library/constant_time_impl.h | 17 +- thirdparty/mbedtls/library/ecp.c | 2 +- thirdparty/mbedtls/library/error.c | 6 +- thirdparty/mbedtls/library/net_sockets.c | 12 +- thirdparty/mbedtls/library/pk.c | 4 - thirdparty/mbedtls/library/psa_crypto.c | 182 ++++++++- .../mbedtls/library/psa_crypto_cipher.c | 3 - thirdparty/mbedtls/library/psa_crypto_core.h | 16 +- .../library/psa_crypto_driver_wrappers.h | 4 +- thirdparty/mbedtls/library/psa_crypto_ecp.c | 36 +- .../library/psa_crypto_slot_management.c | 4 +- .../mbedtls/library/psa_crypto_storage.h | 11 +- thirdparty/mbedtls/library/psa_util.c | 6 + thirdparty/mbedtls/library/ssl_client.c | 18 +- .../library/ssl_debug_helpers_generated.c | 2 +- thirdparty/mbedtls/library/ssl_misc.h | 17 +- thirdparty/mbedtls/library/ssl_msg.c | 195 +++++---- thirdparty/mbedtls/library/ssl_tls.c | 101 ++++- thirdparty/mbedtls/library/ssl_tls12_client.c | 2 +- thirdparty/mbedtls/library/ssl_tls13_client.c | 1 + thirdparty/mbedtls/library/ssl_tls13_server.c | 5 +- thirdparty/mbedtls/library/threading.c | 2 +- thirdparty/mbedtls/library/version_features.c | 6 + ...ment-incoming-tls-handshake-messages.patch | 373 ------------------ 46 files changed, 917 insertions(+), 683 deletions(-) delete mode 100644 thirdparty/mbedtls/patches/0002-pr-9981-defragment-incoming-tls-handshake-messages.patch diff --git a/thirdparty/README.md b/thirdparty/README.md index 309508fc4e8..0361eb6a348 100644 --- a/thirdparty/README.md +++ b/thirdparty/README.md @@ -606,7 +606,7 @@ File extracted from upstream source: ## mbedtls - Upstream: https://github.com/Mbed-TLS/mbedtls -- Version: 3.6.2 (107ea89daaefb9867ea9121002fbbdf926780e98, 2024) +- Version: 3.6.3 (22098d41c6620ce07cf8a0134d37302355e1e5ef, 2025) - License: Apache 2.0 File extracted from upstream release tarball: @@ -617,7 +617,7 @@ File extracted from upstream release tarball: - From `library/` to `thirdparty/mbedtls/library/`: - All `.c` and `.h` files - Except `bignum_mod.c`, `block_cipher.c`, `ecp_curves_new.c`, `lmots.c`, - `lms.c` + `lms.c`, `bignum_core_invasive.h` - The `LICENSE` file (edited to keep only the Apache 2.0 variant) - Added 2 files `godot_core_mbedtls_platform.c` and `godot_core_mbedtls_config.h` providing configuration for light bundling with core @@ -627,7 +627,6 @@ File extracted from upstream release tarball: Patches: - `0001-msvc-2019-psa-redeclaration.patch` (GH-90535) -- `0002-pr-9981-defragment-incoming-tls-handshake-messages.patch` (GH-103247) ## meshoptimizer diff --git a/thirdparty/mbedtls/include/mbedtls/build_info.h b/thirdparty/mbedtls/include/mbedtls/build_info.h index d91d2964b6a..e70c4d7cc5e 100644 --- a/thirdparty/mbedtls/include/mbedtls/build_info.h +++ b/thirdparty/mbedtls/include/mbedtls/build_info.h @@ -26,16 +26,16 @@ */ #define MBEDTLS_VERSION_MAJOR 3 #define MBEDTLS_VERSION_MINOR 6 -#define MBEDTLS_VERSION_PATCH 2 +#define MBEDTLS_VERSION_PATCH 3 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x03060200 -#define MBEDTLS_VERSION_STRING "3.6.2" -#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.2" +#define MBEDTLS_VERSION_NUMBER 0x03060300 +#define MBEDTLS_VERSION_STRING "3.6.3" +#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.3" /* Macros for build-time platform detection */ diff --git a/thirdparty/mbedtls/include/mbedtls/check_config.h b/thirdparty/mbedtls/include/mbedtls/check_config.h index 67a05f83b8b..aec5050b70a 100644 --- a/thirdparty/mbedtls/include/mbedtls/check_config.h +++ b/thirdparty/mbedtls/include/mbedtls/check_config.h @@ -247,6 +247,9 @@ #if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) && !defined(MBEDTLS_HAS_MEMSAN) #error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer" #endif +#if defined(MBEDTLS_HAS_MEMSAN) && defined(MBEDTLS_HAVE_ASM) +#error "MemorySanitizer does not support assembly implementation" +#endif #undef MBEDTLS_HAS_MEMSAN // temporary macro defined above #if defined(MBEDTLS_CCM_C) && \ @@ -738,6 +741,11 @@ #error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG" #endif +#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) && \ + defined(MBEDTLS_PSA_STATIC_KEY_SLOTS) +#error "MBEDTLS_PSA_KEY_STORE_DYNAMIC and MBEDTLS_PSA_STATIC_KEY_SLOTS cannot be defined simultaneously" +#endif + #if defined(MBEDTLS_PSA_ITS_FILE_C) && \ !defined(MBEDTLS_FS_IO) #error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites" diff --git a/thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h b/thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h index 3ba987ebb2e..331ac9b2daa 100644 --- a/thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h +++ b/thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h @@ -48,6 +48,13 @@ #endif #endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */ +/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT + * is defined as well to include all PSA code. + */ +#if defined(MBEDTLS_PSA_CRYPTO_C) +#define MBEDTLS_PSA_CRYPTO_CLIENT +#endif /* MBEDTLS_PSA_CRYPTO_C */ + /* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin * in PSA. */ #if defined(MBEDTLS_PSA_CRYPTO_C) && \ @@ -158,7 +165,66 @@ #define MBEDTLS_MD_SHA3_512_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#endif /* MBEDTLS_PSA_CRYPTO_C */ + +#elif defined(MBEDTLS_PSA_CRYPTO_CLIENT) + +#if defined(PSA_WANT_ALG_MD5) +#define MBEDTLS_MD_CAN_MD5 +#define MBEDTLS_MD_MD5_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_SHA_1) +#define MBEDTLS_MD_CAN_SHA1 +#define MBEDTLS_MD_SHA1_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_SHA_224) +#define MBEDTLS_MD_CAN_SHA224 +#define MBEDTLS_MD_SHA224_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_SHA_256) +#define MBEDTLS_MD_CAN_SHA256 +#define MBEDTLS_MD_SHA256_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_SHA_384) +#define MBEDTLS_MD_CAN_SHA384 +#define MBEDTLS_MD_SHA384_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_SHA_512) +#define MBEDTLS_MD_CAN_SHA512 +#define MBEDTLS_MD_SHA512_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_RIPEMD160) +#define MBEDTLS_MD_CAN_RIPEMD160 +#define MBEDTLS_MD_RIPEMD160_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_SHA3_224) +#define MBEDTLS_MD_CAN_SHA3_224 +#define MBEDTLS_MD_SHA3_224_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_SHA3_256) +#define MBEDTLS_MD_CAN_SHA3_256 +#define MBEDTLS_MD_SHA3_256_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_SHA3_384) +#define MBEDTLS_MD_CAN_SHA3_384 +#define MBEDTLS_MD_SHA3_384_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif +#if defined(PSA_WANT_ALG_SHA3_512) +#define MBEDTLS_MD_CAN_SHA3_512 +#define MBEDTLS_MD_SHA3_512_VIA_PSA +#define MBEDTLS_MD_SOME_PSA +#endif + +#endif /* !MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */ /* Built-in implementations */ #if defined(MBEDTLS_MD5_C) @@ -352,13 +418,6 @@ #define MBEDTLS_PK_CAN_ECDSA_SOME #endif -/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT - * is defined as well to include all PSA code. - */ -#if defined(MBEDTLS_PSA_CRYPTO_C) -#define MBEDTLS_PSA_CRYPTO_CLIENT -#endif /* MBEDTLS_PSA_CRYPTO_C */ - /* Helpers to state that each key is supported either on the builtin or PSA side. */ #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521) #define MBEDTLS_ECP_HAVE_SECP521R1 diff --git a/thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h b/thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h index 04bdae61bb3..48f1bab1ede 100644 --- a/thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h @@ -69,7 +69,6 @@ (defined(PSA_WANT_ECC_SECP_R1_384) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)) || \ (defined(PSA_WANT_ECC_SECP_R1_521) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)) || \ (defined(PSA_WANT_ECC_SECP_K1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)) || \ - (defined(PSA_WANT_ECC_SECP_K1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)) || \ (defined(PSA_WANT_ECC_SECP_K1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256)) #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES #define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES @@ -225,17 +224,6 @@ #endif /* missing accel */ #endif /* PSA_WANT_ECC_SECP_K1_192 */ -#if defined(PSA_WANT_ECC_SECP_K1_224) -#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \ - defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \ - defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS) -#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1 -#define MBEDTLS_ECP_DP_SECP224K1_ENABLED -/* https://github.com/Mbed-TLS/mbedtls/issues/3541 */ -#error "SECP224K1 is buggy via the PSA API in Mbed TLS." -#endif /* missing accel */ -#endif /* PSA_WANT_ECC_SECP_K1_224 */ - #if defined(PSA_WANT_ECC_SECP_K1_256) #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \ defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \ @@ -782,13 +770,6 @@ #define PSA_HAVE_SOFT_BLOCK_CIPHER 1 #endif -#if defined(PSA_WANT_ALG_CBC_MAC) -#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC) -#error "CBC-MAC is not yet supported via the PSA API in Mbed TLS." -#define MBEDTLS_PSA_BUILTIN_ALG_CBC_MAC 1 -#endif /* !MBEDTLS_PSA_ACCEL_ALG_CBC_MAC */ -#endif /* PSA_WANT_ALG_CBC_MAC */ - #if defined(PSA_WANT_ALG_CMAC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) || \ defined(PSA_HAVE_SOFT_BLOCK_CIPHER) diff --git a/thirdparty/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h b/thirdparty/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h index ef65cce0d9a..1a232cbb81e 100644 --- a/thirdparty/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h +++ b/thirdparty/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h @@ -136,13 +136,6 @@ #endif /* PSA_WANT_ECC_SECP_K1_192 */ #endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */ -/* SECP224K1 is buggy via the PSA API (https://github.com/Mbed-TLS/mbedtls/issues/3541) */ -#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) -#if !defined(PSA_WANT_ECC_SECP_K1_224) -#define PSA_WANT_ECC_SECP_K1_224 1 -#endif /* PSA_WANT_ECC_SECP_K1_224 */ -#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */ - #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) #if !defined(PSA_WANT_ECC_SECP_K1_256) #define PSA_WANT_ECC_SECP_K1_256 1 diff --git a/thirdparty/mbedtls/include/mbedtls/debug.h b/thirdparty/mbedtls/include/mbedtls/debug.h index 424ed4b3fd9..e6f5dadb146 100644 --- a/thirdparty/mbedtls/include/mbedtls/debug.h +++ b/thirdparty/mbedtls/include/mbedtls/debug.h @@ -108,16 +108,16 @@ * * This module provides debugging functions. */ -#if (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) +#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) #include #define MBEDTLS_PRINTF_SIZET PRIuPTR #define MBEDTLS_PRINTF_LONGLONG "I64d" #else \ - /* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */ + /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */ #define MBEDTLS_PRINTF_SIZET "zu" #define MBEDTLS_PRINTF_LONGLONG "lld" #endif \ - /* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */ + /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */ #if !defined(MBEDTLS_PRINTF_MS_TIME) #include diff --git a/thirdparty/mbedtls/include/mbedtls/entropy.h b/thirdparty/mbedtls/include/mbedtls/entropy.h index 20fd6872b89..6c64e3e4e15 100644 --- a/thirdparty/mbedtls/include/mbedtls/entropy.h +++ b/thirdparty/mbedtls/include/mbedtls/entropy.h @@ -17,12 +17,13 @@ #include "md.h" -#if defined(MBEDTLS_MD_CAN_SHA512) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) +#if (defined(MBEDTLS_MD_CAN_SHA512) || defined(PSA_WANT_ALG_SHA_512)) && \ + !defined(MBEDTLS_ENTROPY_FORCE_SHA256) #define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR #define MBEDTLS_ENTROPY_MD MBEDTLS_MD_SHA512 #define MBEDTLS_ENTROPY_BLOCK_SIZE 64 /**< Block size of entropy accumulator (SHA-512) */ #else -#if defined(MBEDTLS_MD_CAN_SHA256) +#if (defined(MBEDTLS_MD_CAN_SHA256) || defined(PSA_WANT_ALG_SHA_256)) #define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR #define MBEDTLS_ENTROPY_MD MBEDTLS_MD_SHA256 #define MBEDTLS_ENTROPY_BLOCK_SIZE 32 /**< Block size of entropy accumulator (SHA-256) */ diff --git a/thirdparty/mbedtls/include/mbedtls/error.h b/thirdparty/mbedtls/include/mbedtls/error.h index 186589ac5bc..635f7cd8429 100644 --- a/thirdparty/mbedtls/include/mbedtls/error.h +++ b/thirdparty/mbedtls/include/mbedtls/error.h @@ -81,7 +81,7 @@ * MD 5 5 * HKDF 5 1 (Started from top) * PKCS7 5 12 (Started from 0x5300) - * SSL 5 2 (Started from 0x5F00) + * SSL 5 3 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) * SSL 6 22 (Started from top, plus 0x6000) * SSL 7 20 (Started from 0x7000, gaps at diff --git a/thirdparty/mbedtls/include/mbedtls/gcm.h b/thirdparty/mbedtls/include/mbedtls/gcm.h index 98faa436126..390ed4c6d04 100644 --- a/thirdparty/mbedtls/include/mbedtls/gcm.h +++ b/thirdparty/mbedtls/include/mbedtls/gcm.h @@ -115,10 +115,9 @@ int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx, /** * \brief This function performs GCM encryption or decryption of a buffer. * - * \note For encryption, the output buffer can be the same as the - * input buffer. For decryption, the output buffer cannot be - * the same as input buffer. If the buffers overlap, the output - * buffer must trail at least 8 Bytes behind the input buffer. + * \note The output buffer \p output can be the same as the input + * buffer \p input. If \p output is greater than \p input, they + * cannot overlap. * * \warning When this function performs a decryption, it outputs the * authentication tag and does not verify that the data is @@ -179,9 +178,11 @@ int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx, * \brief This function performs a GCM authenticated decryption of a * buffer. * - * \note For decryption, the output buffer cannot be the same as - * input buffer. If the buffers overlap, the output buffer - * must trail at least 8 Bytes behind the input buffer. + * \note The output buffer \p output can be the same as the input + * buffer \p input. If \p output is greater than \p input, they + * cannot overlap. Implementations which require + * MBEDTLS_GCM_ALT to be enabled may not provide support for + * overlapping buffers. * * \param ctx The GCM context. This must be initialized. * \param length The length of the ciphertext to decrypt, which is also @@ -287,9 +288,11 @@ int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx, * to this function during an operation, then it is * correct to use \p output_size = \p input_length. * - * \note For decryption, the output buffer cannot be the same as - * input buffer. If the buffers overlap, the output buffer - * must trail at least 8 Bytes behind the input buffer. + * \note The output buffer \p output can be the same as the input + * buffer \p input. If \p output is greater than \p input, they + * cannot overlap. Implementations which require + * MBEDTLS_GCM_ALT to be enabled may not provide support for + * overlapping buffers. * * \param ctx The GCM context. This must be initialized. * \param input The buffer holding the input data. If \p input_length diff --git a/thirdparty/mbedtls/include/mbedtls/mbedtls_config.h b/thirdparty/mbedtls/include/mbedtls/mbedtls_config.h index bd3f71d5bc9..45feb5eccb7 100644 --- a/thirdparty/mbedtls/include/mbedtls/mbedtls_config.h +++ b/thirdparty/mbedtls/include/mbedtls/mbedtls_config.h @@ -1622,6 +1622,46 @@ */ //#define MBEDTLS_SSL_ASYNC_PRIVATE +/** \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + * + * In TLS clients, when a client authenticates a server through its + * certificate, the client normally checks three things: + * - the certificate chain must be valid; + * - the chain must start from a trusted CA; + * - the certificate must cover the server name that is expected by the client. + * + * Omitting any of these checks is generally insecure, and can allow a + * malicious server to impersonate a legitimate server. + * + * The third check may be safely skipped in some unusual scenarios, + * such as networks where eavesdropping is a risk but not active attacks, + * or a private PKI where the client equally trusts all servers that are + * accredited by the root CA. + * + * You should call mbedtls_ssl_set_hostname() with the expected server name + * before starting a TLS handshake on a client (unless the client is + * set up to only use PSK-based authentication, which does not rely on the + * host name). This configuration option controls what happens if a TLS client + * is configured with the authentication mode #MBEDTLS_SSL_VERIFY_REQUIRED + * (default), certificate authentication is enabled and the client does not + * call mbedtls_ssl_set_hostname(): + * + * - If this option is unset (default), the connection attempt is aborted + * with the error #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. + * - If this option is set, the TLS library does not check the server name + * that the certificate is valid for. This is the historical behavior + * of Mbed TLS, but may be insecure as explained above. + * + * Enable this option for strict backward compatibility if you have + * determined that it is secure in the scenario where you are using + * Mbed TLS. + * + * \deprecated This option exists only for backward compatibility and will + * be removed in the next major version of Mbed TLS. + * + */ +//#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + /** * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION * @@ -1807,6 +1847,11 @@ * running handshake hash) only use PSA crypto if * #MBEDTLS_USE_PSA_CRYPTO is enabled. * + * \note In multithreaded applications, you must also enable + * #MBEDTLS_THREADING_C, even if individual TLS contexts are not + * shared between threads, unless only one thread ever calls + * TLS functions. + * * Uncomment this macro to enable the support for TLS 1.3. */ #define MBEDTLS_SSL_PROTO_TLS1_3 @@ -2125,6 +2170,10 @@ * before calling any function from the SSL/TLS, X.509 or PK modules, except * for the various mbedtls_xxx_init() functions which can be called at any time. * + * \warning In multithreaded applications, you must also enable + * #MBEDTLS_THREADING_C, unless only one thread ever calls PSA functions + * (`psa_xxx()`), including indirect calls through SSL/TLS, X.509 or PK. + * * \note An important and desirable effect of this option is that it allows * PK, X.509 and TLS to take advantage of PSA drivers. For example, enabling * this option is what allows use of drivers for ECDSA, ECDH and EC J-PAKE in @@ -3211,7 +3260,18 @@ /** * \def MBEDTLS_PSA_CRYPTO_C * - * Enable the Platform Security Architecture cryptography API. + * Enable the Platform Security Architecture (PSA) cryptography API. + * + * \note In multithreaded applications, you must enable #MBEDTLS_THREADING_C, + * unless only one thread ever calls `psa_xxx()` functions. + * That includes indirect calls, such as: + * - performing a TLS handshake if support for TLS 1.3 is enabled; + * - using a TLS 1.3 connection; + * - indirect calls from PK, X.509 or SSL functions when + * #MBEDTLS_USE_PSA_CRYPTO is enabled; + * - indirect calls to calculate a hash when #MBEDTLS_MD_C is disabled; + * - any other call to a function that requires calling psa_crypto_init() + * beforehand. * * Module: library/psa_crypto.c * @@ -3268,6 +3328,26 @@ */ #define MBEDTLS_PSA_ITS_FILE_C +/** + * \def MBEDTLS_PSA_STATIC_KEY_SLOTS + * + * Statically preallocate memory to store keys' material in PSA instead + * of allocating it dynamically when required. This allows builds without a + * heap, if none of the enabled cryptographic implementations or other features + * require it. + * This feature affects both volatile and persistent keys which means that + * it's not possible to persistently store a key which is larger than + * #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. + * + * \note This feature comes with a (potentially) higher RAM usage since: + * - All the key slots are allocated no matter if they are used or not. + * - Each key buffer's length is #MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE bytes. + * + * Requires: MBEDTLS_PSA_CRYPTO_C + * + */ +//#define MBEDTLS_PSA_STATIC_KEY_SLOTS + /** * \def MBEDTLS_RIPEMD160_C * @@ -3611,10 +3691,38 @@ * \def MBEDTLS_THREADING_C * * Enable the threading abstraction layer. - * By default Mbed TLS assumes it is used in a non-threaded environment or that - * contexts are not shared between threads. If you do intend to use contexts + * + * Traditionally, Mbed TLS assumes it is used in a non-threaded environment or + * that contexts are not shared between threads. If you do intend to use contexts * between threads, you will need to enable this layer to prevent race - * conditions. See also our Knowledge Base article about threading: + * conditions. + * + * The PSA subsystem has an implicit shared context. Therefore, you must + * enable this option if more than one thread may use any part of + * Mbed TLS that is implemented on top of the PSA subsystem. + * + * You must enable this option in multithreaded applications where more than + * one thread performs any of the following operations: + * + * - Any call to a PSA function (`psa_xxx()`). + * - Any call to a TLS, X.509 or PK function (`mbedtls_ssl_xxx()`, + * `mbedtls_x509_xxx()`, `mbedtls_pkcs7_xxx()`, `mbedtls_pk_xxx()`) + * if `MBEDTLS_USE_PSA_CRYPTO` is enabled (regardless of whether individual + * TLS, X.509 or PK contexts are shared between threads). + * - A TLS 1.3 connection, regardless of the compile-time configuration. + * - Any library feature that calculates a hash, if `MBEDTLS_MD_C` is disabled. + * As an exception, algorithm-specific low-level modules do not require + * threading protection unless the contexts are shared between threads. + * - Any library feature that performs symmetric encryption or decryption, + * if `MBEDTLS_CIPHER_C` is disabled. + * As an exception, algorithm-specific low-level modules do not require + * threading protection unless the contexts are shared between threads. + * - Any use of a cryptographic context if the same context is used in + * multiple threads. + * - Any call to a function where the documentation specifies that + * psa_crypto_init() must be called prior to that function. + * + * See also our Knowledge Base article about threading: * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading * * Module: library/threading.c @@ -4069,6 +4177,19 @@ */ //#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 +/** + * \def MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE + * + * Define the size (in bytes) of each static key buffer when + * #MBEDTLS_PSA_STATIC_KEY_SLOTS is set. If not + * explicitly defined then it's automatically guessed from available PSA keys + * enabled in the build through PSA_WANT_xxx symbols. + * If required by the application this parameter can be set to higher values + * in order to store larger objects (ex: raw keys), but please note that this + * will increase RAM usage. + */ +//#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 256 + /* RSA OPTIONS */ //#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 /**< Minimum RSA key size that can be generated in bits (Minimum possible value is 128 bits) */ diff --git a/thirdparty/mbedtls/include/mbedtls/net_sockets.h b/thirdparty/mbedtls/include/mbedtls/net_sockets.h index 85c11971d80..8e69bc0fb37 100644 --- a/thirdparty/mbedtls/include/mbedtls/net_sockets.h +++ b/thirdparty/mbedtls/include/mbedtls/net_sockets.h @@ -229,7 +229,7 @@ int mbedtls_net_recv(void *ctx, unsigned char *buf, size_t len); /** * \brief Write at most 'len' characters. If no error occurs, - * the actual amount read is returned. + * the actual amount written is returned. * * \param ctx Socket * \param buf The buffer to read from diff --git a/thirdparty/mbedtls/include/mbedtls/psa_util.h b/thirdparty/mbedtls/include/mbedtls/psa_util.h index c78cc233335..b898f1f8d3e 100644 --- a/thirdparty/mbedtls/include/mbedtls/psa_util.h +++ b/thirdparty/mbedtls/include/mbedtls/psa_util.h @@ -161,6 +161,16 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * \param[out] der_len On success it contains the amount of valid data * (in bytes) written to \p der. It's undefined * in case of failure. + * + * \note The behavior is undefined if \p der is null, + * even if \p der_size is 0. + * + * \return 0 if successful. + * \return #MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if \p der_size + * is too small or if \p bits is larger than the + * largest supported curve. + * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if one of the + * numbers in the signature is 0. */ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len, unsigned char *der, size_t der_size, size_t *der_len); @@ -177,6 +187,15 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l * \param[out] raw_len On success it is updated with the amount of valid * data (in bytes) written to \p raw. It's undefined * in case of failure. + * + * \return 0 if successful. + * \return #MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if \p raw_size + * is too small or if \p bits is larger than the + * largest supported curve. + * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if the data in + * \p der is inconsistent with \p bits. + * \return An \c MBEDTLS_ERR_ASN1_xxx error code if + * \p der is malformed. */ int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len, unsigned char *raw, size_t raw_size, size_t *raw_len); diff --git a/thirdparty/mbedtls/include/mbedtls/ssl.h b/thirdparty/mbedtls/include/mbedtls/ssl.h index 597da2571f8..f9b103e3827 100644 --- a/thirdparty/mbedtls/include/mbedtls/ssl.h +++ b/thirdparty/mbedtls/include/mbedtls/ssl.h @@ -166,6 +166,42 @@ #define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00 /** Invalid value in SSL config */ #define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80 +/* Error space gap */ +/** Attempt to verify a certificate without an expected hostname. + * This is usually insecure. + * + * In TLS clients, when a client authenticates a server through its + * certificate, the client normally checks three things: + * - the certificate chain must be valid; + * - the chain must start from a trusted CA; + * - the certificate must cover the server name that is expected by the client. + * + * Omitting any of these checks is generally insecure, and can allow a + * malicious server to impersonate a legitimate server. + * + * The third check may be safely skipped in some unusual scenarios, + * such as networks where eavesdropping is a risk but not active attacks, + * or a private PKI where the client equally trusts all servers that are + * accredited by the root CA. + * + * You should call mbedtls_ssl_set_hostname() with the expected server name + * before starting a TLS handshake on a client (unless the client is + * set up to only use PSK-based authentication, which does not rely on the + * host name). If you have determined that server name verification is not + * required for security in your scenario, call mbedtls_ssl_set_hostname() + * with \p NULL as the server name. + * + * This error is raised if all of the following conditions are met: + * + * - A TLS client is configured with the authentication mode + * #MBEDTLS_SSL_VERIFY_REQUIRED (default). + * - Certificate authentication is enabled. + * - The client does not call mbedtls_ssl_set_hostname(). + * - The configuration option + * #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + * is not enabled. + */ +#define MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME -0x5D80 /* * Constants from RFC 8446 for TLS 1.3 PSK modes @@ -1893,8 +1929,35 @@ struct mbedtls_ssl_context { * User settings */ #if defined(MBEDTLS_X509_CRT_PARSE_C) - char *MBEDTLS_PRIVATE(hostname); /*!< expected peer CN for verification - (and SNI if available) */ + /** Expected peer CN for verification. + * + * Also used on clients for SNI, + * and for TLS 1.3 session resumption using tickets. + * + * The value of this field can be: + * - \p NULL in a newly initialized or reset context. + * - A heap-allocated copy of the last value passed to + * mbedtls_ssl_set_hostname(), if the last call had a non-null + * \p hostname argument. + * - A special value to indicate that mbedtls_ssl_set_hostname() + * was called with \p NULL (as opposed to never having been called). + * See `mbedtls_ssl_get_hostname_pointer()` in `ssl_tls.c`. + * + * If this field contains the value \p NULL and the configuration option + * #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + * is unset, on a TLS client, attempting to verify a server certificate + * results in the error + * #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME. + * + * If this field contains the special value described above, or if + * the value is \p NULL and the configuration option + * #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + * is set, then the peer name verification is skipped, which may be + * insecure, especially on a client. Furthermore, on a client, the + * server_name extension is not sent, and the server name is ignored + * in TLS 1.3 session resumption using tickets. + */ + char *MBEDTLS_PRIVATE(hostname); #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_ALPN) @@ -2002,6 +2065,14 @@ void mbedtls_ssl_init(mbedtls_ssl_context *ssl); * Calling mbedtls_ssl_setup again is not supported, even * if no session is active. * + * \warning After setting up a client context, if certificate-based + * authentication is enabled, you should call + * mbedtls_ssl_set_hostname() to specifiy the expected + * name of the server. Without this, in most scenarios, + * the TLS connection is insecure. See + * #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + * for more information. + * * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto * subsystem must have been initialized by calling * psa_crypto_init() before calling this function. @@ -3976,16 +4047,29 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, #if defined(MBEDTLS_X509_CRT_PARSE_C) /** * \brief Set or reset the hostname to check against the received - * server certificate. It sets the ServerName TLS extension, - * too, if that extension is enabled. (client-side only) + * peer certificate. On a client, this also sets the + * ServerName TLS extension, if that extension is enabled. + * On a TLS 1.3 client, this also sets the server name in + * the session resumption ticket, if that feature is enabled. * * \param ssl SSL context - * \param hostname the server hostname, may be NULL to clear hostname - - * \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN. + * \param hostname The server hostname. This may be \c NULL to clear + * the hostname. * - * \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on - * allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on + * \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN. + * + * \note If the hostname is \c NULL on a client, then the server + * is not authenticated: it only needs to have a valid + * certificate, not a certificate matching its name. + * Therefore you should always call this function on a client, + * unless the connection is set up to only allow + * pre-shared keys, or in scenarios where server + * impersonation is not a concern. See the documentation of + * #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + * for more details. + * + * \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on + * allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on * too long input hostname. * * Hostname set to the one provided on success (cleared @@ -4449,6 +4533,10 @@ void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, * with \c mbedtls_ssl_read()), not handshake messages. * With DTLS, this affects both ApplicationData and handshake. * + * \note Defragmentation of TLS handshake messages is supported + * with some limitations. See the documentation of + * mbedtls_ssl_handshake() for details. + * * \note This sets the maximum length for a record's payload, * excluding record overhead that will be added to it, see * \c mbedtls_ssl_get_record_expansion(). @@ -4979,6 +5067,24 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * if a negotiation involving TLS 1.3 takes place (this may * be the case even if TLS 1.3 is offered but eventually * not selected). + * + * \note In TLS, reception of fragmented handshake messages is + * supported with some limitations (those limitations do + * not apply to DTLS, where defragmentation is fully + * supported): + * - On an Mbed TLS server that only accepts TLS 1.2, + * the initial ClientHello message must not be fragmented. + * A TLS 1.2 ClientHello may be fragmented if the server + * also accepts TLS 1.3 connections (meaning + * that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the + * accepted versions have not been restricted with + * mbedtls_ssl_conf_max_tls_version() or the like). + * - The first fragment of a handshake message must be + * at least 4 bytes long. + * - Non-handshake records must not be interleaved between + * the fragments of a handshake message. (This is permitted + * in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it + * even in TLS 1.2.) */ int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl); diff --git a/thirdparty/mbedtls/include/mbedtls/threading.h b/thirdparty/mbedtls/include/mbedtls/threading.h index d50d04ead10..b4df0e38beb 100644 --- a/thirdparty/mbedtls/include/mbedtls/threading.h +++ b/thirdparty/mbedtls/include/mbedtls/threading.h @@ -30,7 +30,7 @@ typedef struct mbedtls_threading_mutex_t { pthread_mutex_t MBEDTLS_PRIVATE(mutex); /* WARNING - state should only be accessed when holding the mutex lock in - * tests/src/threading_helpers.c, otherwise corruption can occur. + * framework/tests/src/threading_helpers.c, otherwise corruption can occur. * state will be 0 after a failed init or a free, and nonzero after a * successful init. This field is for testing only and thus not considered * part of the public API of Mbed TLS and may change without notice.*/ diff --git a/thirdparty/mbedtls/include/psa/crypto_config.h b/thirdparty/mbedtls/include/psa/crypto_config.h index 36e937ad35d..e0a8d60606d 100644 --- a/thirdparty/mbedtls/include/psa/crypto_config.h +++ b/thirdparty/mbedtls/include/psa/crypto_config.h @@ -38,10 +38,6 @@ #ifndef PSA_CRYPTO_CONFIG_H #define PSA_CRYPTO_CONFIG_H -/* - * CBC-MAC is not yet supported via the PSA API in Mbed TLS. - */ -//#define PSA_WANT_ALG_CBC_MAC 1 #define PSA_WANT_ALG_CBC_NO_PADDING 1 #define PSA_WANT_ALG_CBC_PKCS7 1 #define PSA_WANT_ALG_CCM 1 @@ -84,22 +80,12 @@ #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 -/* XTS is not yet supported via the PSA API in Mbed TLS. - * Note: when adding support, also adjust include/mbedtls/config_psa.h */ -//#define PSA_WANT_ALG_XTS 1 - #define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1 #define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1 #define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1 #define PSA_WANT_ECC_MONTGOMERY_255 1 #define PSA_WANT_ECC_MONTGOMERY_448 1 #define PSA_WANT_ECC_SECP_K1_192 1 -/* - * SECP224K1 is buggy via the PSA API in Mbed TLS - * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by - * default. - */ -//#define PSA_WANT_ECC_SECP_K1_224 1 #define PSA_WANT_ECC_SECP_K1_256 1 #define PSA_WANT_ECC_SECP_R1_192 1 #define PSA_WANT_ECC_SECP_R1_224 1 diff --git a/thirdparty/mbedtls/include/psa/crypto_extra.h b/thirdparty/mbedtls/include/psa/crypto_extra.h index d276cd4c7f7..e6c0f71532f 100644 --- a/thirdparty/mbedtls/include/psa/crypto_extra.h +++ b/thirdparty/mbedtls/include/psa/crypto_extra.h @@ -32,6 +32,16 @@ extern "C" { #define MBEDTLS_PSA_KEY_SLOT_COUNT 32 #endif +/* If the size of static key slots is not explicitly defined by the user, then + * set it to the maximum between PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE and + * PSA_CIPHER_MAX_KEY_LENGTH. + * See mbedtls_config.h for the definition. */ +#if !defined(MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE) +#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE \ + ((PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE > PSA_CIPHER_MAX_KEY_LENGTH) ? \ + PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE : PSA_CIPHER_MAX_KEY_LENGTH) +#endif /* !MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE*/ + /** \addtogroup attributes * @{ */ @@ -573,6 +583,35 @@ psa_status_t mbedtls_psa_platform_get_builtin_key( /** @} */ +/** \defgroup psa_crypto_client Functions defined by a client provider + * + * The functions in this group are meant to be implemented by providers of + * the PSA Crypto client interface. They are provided by the library when + * #MBEDTLS_PSA_CRYPTO_C is enabled. + * + * \note All functions in this group are experimental, as using + * alternative client interface providers is experimental. + * + * @{ + */ + +/** Check if PSA is capable of handling the specified hash algorithm. + * + * This means that PSA core was built with the corresponding PSA_WANT_ALG_xxx + * set and that psa_crypto_init has already been called. + * + * \note When using Mbed TLS version of PSA core (i.e. MBEDTLS_PSA_CRYPTO_C is + * set) for now this function only checks the state of the driver + * subsystem, not the algorithm. This might be improved in the future. + * + * \param hash_alg The hash algorithm. + * + * \return 1 if the PSA can handle \p hash_alg, 0 otherwise. + */ +int psa_can_do_hash(psa_algorithm_t hash_alg); + +/**@}*/ + /** \addtogroup crypto_types * @{ */ diff --git a/thirdparty/mbedtls/include/psa/crypto_sizes.h b/thirdparty/mbedtls/include/psa/crypto_sizes.h index 635ee98f802..87b8c39fa6d 100644 --- a/thirdparty/mbedtls/include/psa/crypto_sizes.h +++ b/thirdparty/mbedtls/include/psa/crypto_sizes.h @@ -1038,6 +1038,10 @@ PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS) #endif +#define PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE \ + ((PSA_EXPORT_KEY_PAIR_MAX_SIZE > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) ? \ + PSA_EXPORT_KEY_PAIR_MAX_SIZE : PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) + /** Sufficient output buffer size for psa_raw_key_agreement(). * * This macro returns a compile-time constant if its arguments are @@ -1085,6 +1089,27 @@ #define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS) #endif +/** Maximum key length for ciphers. + * + * Since there is no additional PSA_WANT_xxx symbol to specifiy the size of + * the key once a cipher is enabled (as it happens for asymmetric keys for + * example), the maximum key length is taken into account for each cipher. + * The resulting value will be the maximum cipher's key length given depending + * on which ciphers are enabled. + * + * Note: max value for AES used below would be doubled if XTS were enabled, but + * this mode is currently not supported in Mbed TLS implementation of PSA + * APIs. + */ +#if (defined(PSA_WANT_KEY_TYPE_AES) || defined(PSA_WANT_KEY_TYPE_ARIA) || \ + defined(PSA_WANT_KEY_TYPE_CAMELLIA) || defined(PSA_WANT_KEY_TYPE_CHACHA20)) +#define PSA_CIPHER_MAX_KEY_LENGTH 32u +#elif defined(PSA_WANT_KEY_TYPE_DES) +#define PSA_CIPHER_MAX_KEY_LENGTH 24u +#else +#define PSA_CIPHER_MAX_KEY_LENGTH 0u +#endif + /** The default IV size for a cipher algorithm, in bytes. * * The IV that is generated as part of a call to #psa_cipher_encrypt() is always diff --git a/thirdparty/mbedtls/library/aesni.c b/thirdparty/mbedtls/library/aesni.c index 8e5bd55ab90..4fc1cb918ba 100644 --- a/thirdparty/mbedtls/library/aesni.c +++ b/thirdparty/mbedtls/library/aesni.c @@ -489,7 +489,7 @@ int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx, "movdqu %%xmm0, (%4) \n\t" // export output : : "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output) - : "memory", "cc", "xmm0", "xmm1"); + : "memory", "cc", "xmm0", "xmm1", "0", "1"); return 0; @@ -679,7 +679,7 @@ static void aesni_setkey_enc_128(unsigned char *rk, AESKEYGENA(xmm0_xmm1, "0x36") "call 1b \n\t" : : "r" (rk), "r" (key) - : "memory", "cc", "0"); + : "memory", "cc", "xmm0", "xmm1", "0"); } /* @@ -737,7 +737,7 @@ static void aesni_setkey_enc_192(unsigned char *rk, : : "r" (rk), "r" (key) - : "memory", "cc", "0"); + : "memory", "cc", "xmm0", "xmm1", "xmm2", "0"); } #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ @@ -805,7 +805,7 @@ static void aesni_setkey_enc_256(unsigned char *rk, AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t" : : "r" (rk), "r" (key) - : "memory", "cc", "0"); + : "memory", "cc", "xmm0", "xmm1", "xmm2", "0"); } #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ diff --git a/thirdparty/mbedtls/library/bignum_core.c b/thirdparty/mbedtls/library/bignum_core.c index 4231554b841..88582c2d384 100644 --- a/thirdparty/mbedtls/library/bignum_core.c +++ b/thirdparty/mbedtls/library/bignum_core.c @@ -747,8 +747,8 @@ static void exp_mod_precompute_window(const mbedtls_mpi_uint *A, } #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) -// Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET -int mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1; +void (*mbedtls_safe_codepath_hook)(void) = NULL; +void (*mbedtls_unsafe_codepath_hook)(void) = NULL; #endif /* @@ -781,7 +781,9 @@ static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint *E_bit_index = E_bits % biL; #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC; + if (mbedtls_unsafe_codepath_hook != NULL) { + mbedtls_unsafe_codepath_hook(); + } #endif } else { /* @@ -791,9 +793,8 @@ static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint *E_limb_index = E_limbs; *E_bit_index = 0; #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - // Only mark the codepath safe if there wasn't an unsafe codepath before - if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) { - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET; + if (mbedtls_safe_codepath_hook != NULL) { + mbedtls_safe_codepath_hook(); } #endif } @@ -813,7 +814,9 @@ static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselec if (window_public == MBEDTLS_MPI_IS_PUBLIC) { memcpy(Wselect, Wtable + window * AN_limbs, AN_limbs * ciL); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC; + if (mbedtls_unsafe_codepath_hook != NULL) { + mbedtls_unsafe_codepath_hook(); + } #endif } else { /* Select Wtable[window] without leaking window through @@ -821,9 +824,8 @@ static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselec mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable, AN_limbs, welem, window); #if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) - // Only mark the codepath safe if there wasn't an unsafe codepath before - if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) { - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET; + if (mbedtls_safe_codepath_hook != NULL) { + mbedtls_safe_codepath_hook(); } #endif } @@ -857,8 +859,8 @@ static void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X, /* We'll process the bits of E from most significant * (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant * (limb_index=0, E_bit_index=0). */ - size_t E_limb_index; - size_t E_bit_index; + size_t E_limb_index = E_limbs; + size_t E_bit_index = 0; exp_mod_calc_first_bit_optionally_safe(E, E_limbs, E_public, &E_limb_index, &E_bit_index); diff --git a/thirdparty/mbedtls/library/bignum_core.h b/thirdparty/mbedtls/library/bignum_core.h index cf6485a1480..264ee635506 100644 --- a/thirdparty/mbedtls/library/bignum_core.h +++ b/thirdparty/mbedtls/library/bignum_core.h @@ -70,9 +70,7 @@ #include "common.h" -#if defined(MBEDTLS_BIGNUM_C) #include "mbedtls/bignum.h" -#endif #include "constant_time_internal.h" @@ -106,10 +104,17 @@ * } else { * // safe path * } - * not the other way round, in order to prevent misuse. (This is, if a value - * other than the two below is passed, default to the safe path.) */ + * not the other way round, in order to prevent misuse. (That is, if a value + * other than the two below is passed, default to the safe path.) + * + * The value of MBEDTLS_MPI_IS_PUBLIC is chosen in a way that is unlikely to happen by accident, but + * which can be used as an immediate value in a Thumb2 comparison (for code size). */ #define MBEDTLS_MPI_IS_PUBLIC 0x2a2a2a2a #define MBEDTLS_MPI_IS_SECRET 0 +#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) +// Default value for testing that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET +#define MBEDTLS_MPI_IS_TEST 1 +#endif /** Count leading zero bits in a given integer. * @@ -817,17 +822,4 @@ void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X, mbedtls_mpi_uint mm, mbedtls_mpi_uint *T); -/* - * Can't define thread local variables with our abstraction layer: do nothing if threading is on. - */ -#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C) -extern int mbedtls_mpi_optionally_safe_codepath; - -static inline void mbedtls_mpi_optionally_safe_codepath_reset(void) -{ - // Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET - mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1; -} -#endif - #endif /* MBEDTLS_BIGNUM_CORE_H */ diff --git a/thirdparty/mbedtls/library/ccm.c b/thirdparty/mbedtls/library/ccm.c index 45ed697dd32..969c6c781ba 100644 --- a/thirdparty/mbedtls/library/ccm.c +++ b/thirdparty/mbedtls/library/ccm.c @@ -170,11 +170,12 @@ static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx) } /* CCM expects non-empty tag. - * CCM* allows empty tag. For CCM* without tag, ignore plaintext length. + * CCM* allows empty tag. For CCM* without tag, the tag calculation is skipped. */ if (ctx->tag_len == 0) { if (ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) { ctx->plaintext_len = 0; + return 0; } else { return MBEDTLS_ERR_CCM_BAD_INPUT; } diff --git a/thirdparty/mbedtls/library/constant_time_impl.h b/thirdparty/mbedtls/library/constant_time_impl.h index 2a4574ba68f..aeaeecb7de3 100644 --- a/thirdparty/mbedtls/library/constant_time_impl.h +++ b/thirdparty/mbedtls/library/constant_time_impl.h @@ -36,24 +36,9 @@ #pragma GCC diagnostic ignored "-Wredundant-decls" #endif -/* Disable asm under Memsan because it confuses Memsan and generates false errors. - * - * We also disable under Valgrind by default, because it's more useful - * for Valgrind to test the plain C implementation. MBEDTLS_TEST_CONSTANT_FLOW_ASM //no-check-names - * may be set to permit building asm under Valgrind. - */ -#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) || \ - (defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) && !defined(MBEDTLS_TEST_CONSTANT_FLOW_ASM)) //no-check-names -#define MBEDTLS_CT_NO_ASM -#elif defined(__has_feature) -#if __has_feature(memory_sanitizer) -#define MBEDTLS_CT_NO_ASM -#endif -#endif - /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ #if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && (!defined(__ARMCC_VERSION) || \ - __ARMCC_VERSION >= 6000000) && !defined(MBEDTLS_CT_NO_ASM) + __ARMCC_VERSION >= 6000000) #define MBEDTLS_CT_ASM #if (defined(__arm__) || defined(__thumb__) || defined(__thumb2__)) #define MBEDTLS_CT_ARM_ASM diff --git a/thirdparty/mbedtls/library/ecp.c b/thirdparty/mbedtls/library/ecp.c index 427059bb532..fdd00a59c59 100644 --- a/thirdparty/mbedtls/library/ecp.c +++ b/thirdparty/mbedtls/library/ecp.c @@ -3056,7 +3056,7 @@ int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp, /* see RFC 7748 sec. 5 para. 5 */ if (mbedtls_mpi_get_bit(d, 0) != 0 || mbedtls_mpi_get_bit(d, 1) != 0 || - mbedtls_mpi_bitlen(d) - 1 != grp->nbits) { /* mbedtls_mpi_bitlen is one-based! */ + mbedtls_mpi_bitlen(d) != grp->nbits + 1) { /* mbedtls_mpi_bitlen is one-based! */ return MBEDTLS_ERR_ECP_INVALID_KEY; } diff --git a/thirdparty/mbedtls/library/error.c b/thirdparty/mbedtls/library/error.c index 6ad7162ab57..297eccd0330 100644 --- a/thirdparty/mbedtls/library/error.c +++ b/thirdparty/mbedtls/library/error.c @@ -479,6 +479,8 @@ const char *mbedtls_high_level_strerr(int error_code) return( "SSL - An operation failed due to an unexpected version or configuration" ); case -(MBEDTLS_ERR_SSL_BAD_CONFIG): return( "SSL - Invalid value in SSL config" ); + case -(MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME): + return( "SSL - Attempt to verify a certificate without an expected hostname. This is usually insecure. In TLS clients, when a client authenticates a server through its certificate, the client normally checks three things: - the certificate chain must be valid; - the chain must start from a trusted CA; - the certificate must cover the server name that is expected by the client. Omitting any of these checks is generally insecure, and can allow a malicious server to impersonate a legitimate server. The third check may be safely skipped in some unusual scenarios, such as networks where eavesdropping is a risk but not active attacks, or a private PKI where the client equally trusts all servers that are accredited by the root CA. You should call mbedtls_ssl_set_hostname() with the expected server name before starting a TLS handshake on a client (unless the client is set up to only use PSK-based authentication, which does not rely on the host name). If you have determined that server name verification is not required for security in your scenario, call mbedtls_ssl_set_hostname() with \\p NULL as the server name. This error is raised if all of the following conditions are met: - A TLS client is configured with the authentication mode #MBEDTLS_SSL_VERIFY_REQUIRED (default). - Certificate authentication is enabled. - The client does not call mbedtls_ssl_set_hostname(). - The configuration option #MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME is not enabled" ); #endif /* MBEDTLS_SSL_TLS_C */ #if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C) @@ -873,8 +875,4 @@ void mbedtls_strerror(int ret, char *buf, size_t buflen) #endif /* MBEDTLS_ERROR_C */ -#if defined(MBEDTLS_TEST_HOOKS) -void (*mbedtls_test_hook_error_add)(int, int, const char *, int); -#endif - #endif /* MBEDTLS_ERROR_C || MBEDTLS_ERROR_STRERROR_DUMMY */ diff --git a/thirdparty/mbedtls/library/net_sockets.c b/thirdparty/mbedtls/library/net_sockets.c index ef89a88ef05..1419c787b9a 100644 --- a/thirdparty/mbedtls/library/net_sockets.c +++ b/thirdparty/mbedtls/library/net_sockets.c @@ -190,7 +190,7 @@ int mbedtls_net_connect(mbedtls_net_context *ctx, const char *host, break; } - close(ctx->fd); + mbedtls_net_close(ctx); ret = MBEDTLS_ERR_NET_CONNECT_FAILED; } @@ -237,13 +237,13 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char * n = 1; if (setsockopt(ctx->fd, SOL_SOCKET, SO_REUSEADDR, (const char *) &n, sizeof(n)) != 0) { - close(ctx->fd); + mbedtls_net_close(ctx); ret = MBEDTLS_ERR_NET_SOCKET_FAILED; continue; } if (bind(ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen) != 0) { - close(ctx->fd); + mbedtls_net_close(ctx); ret = MBEDTLS_ERR_NET_BIND_FAILED; continue; } @@ -251,7 +251,7 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char * /* Listen only makes sense for TCP */ if (proto == MBEDTLS_NET_PROTO_TCP) { if (listen(ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG) != 0) { - close(ctx->fd); + mbedtls_net_close(ctx); ret = MBEDTLS_ERR_NET_LISTEN_FAILED; continue; } @@ -524,8 +524,8 @@ void mbedtls_net_usleep(unsigned long usec) #else struct timeval tv; tv.tv_sec = usec / 1000000; -#if defined(__unix__) || defined(__unix) || \ - (defined(__APPLE__) && defined(__MACH__)) +#if (defined(__unix__) || defined(__unix) || \ + (defined(__APPLE__) && defined(__MACH__))) && !defined(__DJGPP__) tv.tv_usec = (suseconds_t) usec % 1000000; #else tv.tv_usec = usec % 1000000; diff --git a/thirdparty/mbedtls/library/pk.c b/thirdparty/mbedtls/library/pk.c index 3fe51ea34fa..51f0c240885 100644 --- a/thirdparty/mbedtls/library/pk.c +++ b/thirdparty/mbedtls/library/pk.c @@ -35,10 +35,6 @@ #include #include -#define PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE \ - (PSA_EXPORT_KEY_PAIR_MAX_SIZE > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) ? \ - PSA_EXPORT_KEY_PAIR_MAX_SIZE : PSA_EXPORT_PUBLIC_KEY_MAX_SIZE - /* * Initialise a mbedtls_pk_context */ diff --git a/thirdparty/mbedtls/library/psa_crypto.c b/thirdparty/mbedtls/library/psa_crypto.c index c4f41db10b6..348c79cf431 100644 --- a/thirdparty/mbedtls/library/psa_crypto.c +++ b/thirdparty/mbedtls/library/psa_crypto.c @@ -705,6 +705,11 @@ MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do( psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot, size_t buffer_length) { +#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS) + if (buffer_length > ((size_t) MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE)) { + return PSA_ERROR_NOT_SUPPORTED; + } +#else if (slot->key.data != NULL) { return PSA_ERROR_ALREADY_EXISTS; } @@ -713,6 +718,7 @@ psa_status_t psa_allocate_buffer_to_slot(psa_key_slot_t *slot, if (slot->key.data == NULL) { return PSA_ERROR_INSUFFICIENT_MEMORY; } +#endif slot->key.bytes = buffer_length; return PSA_SUCCESS; @@ -1177,11 +1183,18 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( psa_status_t psa_remove_key_data_from_memory(psa_key_slot_t *slot) { +#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS) + if (slot->key.bytes > 0) { + mbedtls_platform_zeroize(slot->key.data, MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE); + } +#else if (slot->key.data != NULL) { mbedtls_zeroize_and_free(slot->key.data, slot->key.bytes); } slot->key.data = NULL; +#endif /* MBEDTLS_PSA_STATIC_KEY_SLOTS */ + slot->key.bytes = 0; return PSA_SUCCESS; @@ -2096,7 +2109,7 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes, * storage ( thus not in the case of importing a key in a secure element * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a * buffer to hold the imported key material. */ - if (slot->key.data == NULL) { + if (slot->key.bytes == 0) { if (psa_key_lifetime_is_external(attributes->lifetime)) { status = psa_driver_wrapper_get_key_buffer_size_from_key_data( attributes, data, data_length, &storage_size); @@ -2306,6 +2319,58 @@ exit: /* Message digests */ /****************************************************************/ +static int is_hash_supported(psa_algorithm_t alg) +{ + switch (alg) { +#if defined(PSA_WANT_ALG_MD5) + case PSA_ALG_MD5: + return 1; +#endif +#if defined(PSA_WANT_ALG_RIPEMD160) + case PSA_ALG_RIPEMD160: + return 1; +#endif +#if defined(PSA_WANT_ALG_SHA_1) + case PSA_ALG_SHA_1: + return 1; +#endif +#if defined(PSA_WANT_ALG_SHA_224) + case PSA_ALG_SHA_224: + return 1; +#endif +#if defined(PSA_WANT_ALG_SHA_256) + case PSA_ALG_SHA_256: + return 1; +#endif +#if defined(PSA_WANT_ALG_SHA_384) + case PSA_ALG_SHA_384: + return 1; +#endif +#if defined(PSA_WANT_ALG_SHA_512) + case PSA_ALG_SHA_512: + return 1; +#endif +#if defined(PSA_WANT_ALG_SHA3_224) + case PSA_ALG_SHA3_224: + return 1; +#endif +#if defined(PSA_WANT_ALG_SHA3_256) + case PSA_ALG_SHA3_256: + return 1; +#endif +#if defined(PSA_WANT_ALG_SHA3_384) + case PSA_ALG_SHA3_384: + return 1; +#endif +#if defined(PSA_WANT_ALG_SHA3_512) + case PSA_ALG_SHA3_512: + return 1; +#endif + default: + return 0; + } +} + psa_status_t psa_hash_abort(psa_hash_operation_t *operation) { /* Aborting a non-active operation is allowed */ @@ -2949,16 +3014,44 @@ static psa_status_t psa_sign_verify_check_alg(int input_is_message, if (!PSA_ALG_IS_SIGN_MESSAGE(alg)) { return PSA_ERROR_INVALID_ARGUMENT; } + } - if (PSA_ALG_IS_SIGN_HASH(alg)) { - if (!PSA_ALG_IS_HASH(PSA_ALG_SIGN_GET_HASH(alg))) { - return PSA_ERROR_INVALID_ARGUMENT; - } - } - } else { - if (!PSA_ALG_IS_SIGN_HASH(alg)) { - return PSA_ERROR_INVALID_ARGUMENT; - } + psa_algorithm_t hash_alg = 0; + if (PSA_ALG_IS_SIGN_HASH(alg)) { + hash_alg = PSA_ALG_SIGN_GET_HASH(alg); + } + + /* Now hash_alg==0 if alg by itself doesn't need a hash. + * This is good enough for sign-hash, but a guaranteed failure for + * sign-message which needs to hash first for all algorithms + * supported at the moment. */ + + if (hash_alg == 0 && input_is_message) { + return PSA_ERROR_INVALID_ARGUMENT; + } + if (hash_alg == PSA_ALG_ANY_HASH) { + return PSA_ERROR_INVALID_ARGUMENT; + } + /* Give up immediately if the hash is not supported. This has + * several advantages: + * - For mechanisms that don't use the hash at all (e.g. + * ECDSA verification, randomized ECDSA signature), without + * this check, the operation would succeed even though it has + * been given an invalid argument. This would not be insecure + * since the hash was not necessary, but it would be weird. + * - For mechanisms that do use the hash, we avoid an error + * deep inside the execution. In principle this doesn't matter, + * but there is a little more risk of a bug in error handling + * deep inside than in this preliminary check. + * - When calling a driver, the driver might be capable of using + * a hash that the core doesn't support. This could potentially + * result in a buffer overflow if the hash is larger than the + * maximum hash size assumed by the core. + * - Returning a consistent error makes it possible to test + * not-supported hashes in a consistent way. + */ + if (hash_alg != 0 && !is_hash_supported(hash_alg)) { + return PSA_ERROR_NOT_SUPPORTED; } return PSA_SUCCESS; @@ -3839,6 +3932,34 @@ uint32_t mbedtls_psa_verify_hash_get_num_ops( * defined( MBEDTLS_ECP_RESTARTABLE ) */ } +/* Detect supported interruptible sign/verify mechanisms precisely. + * This is not strictly needed: we could accept everything, and let the + * code fail later during complete() if the mechanism is unsupported + * (e.g. attempting deterministic ECDSA when only the randomized variant + * is available). But it's easier for applications and especially for our + * test code to detect all not-supported errors during start(). + * + * Note that this function ignores the hash component. The core code + * is supposed to check the hash part by calling is_hash_supported(). + */ +static inline int can_do_interruptible_sign_verify(psa_algorithm_t alg) +{ +#if defined(MBEDTLS_ECP_RESTARTABLE) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) + if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) { + return 1; + } +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) + if (PSA_ALG_IS_RANDOMIZED_ECDSA(alg)) { + return 1; + } +#endif +#endif /* defined(MBEDTLS_ECP_RESTARTABLE) */ + (void) alg; + return 0; +} + psa_status_t mbedtls_psa_sign_hash_start( mbedtls_psa_sign_hash_interruptible_operation_t *operation, const psa_key_attributes_t *attributes, const uint8_t *key_buffer, @@ -3848,11 +3969,15 @@ psa_status_t mbedtls_psa_sign_hash_start( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t required_hash_length; - if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) { + if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(attributes->type)) { return PSA_ERROR_NOT_SUPPORTED; } + psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type); + if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) { + return PSA_ERROR_INVALID_ARGUMENT; + } - if (!PSA_ALG_IS_ECDSA(alg)) { + if (!can_do_interruptible_sign_verify(alg)) { return PSA_ERROR_NOT_SUPPORTED; } @@ -4067,8 +4192,12 @@ psa_status_t mbedtls_psa_verify_hash_start( if (!PSA_KEY_TYPE_IS_ECC(attributes->type)) { return PSA_ERROR_NOT_SUPPORTED; } + psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY(attributes->type); + if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(curve)) { + return PSA_ERROR_INVALID_ARGUMENT; + } - if (!PSA_ALG_IS_ECDSA(alg)) { + if (!can_do_interruptible_sign_verify(alg)) { return PSA_ERROR_NOT_SUPPORTED; } @@ -6187,7 +6316,7 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t m; - size_t m_bytes; + size_t m_bytes = 0; mbedtls_mpi_init(&k); mbedtls_mpi_init(&diff_N_2); @@ -6260,7 +6389,7 @@ cleanup: status = mbedtls_to_psa_error(ret); } if (status != PSA_SUCCESS) { - mbedtls_free(*data); + mbedtls_zeroize_and_free(*data, m_bytes); *data = NULL; } mbedtls_mpi_free(&k); @@ -6435,7 +6564,7 @@ static psa_status_t psa_generate_derived_key_internal( } exit: - mbedtls_free(data); + mbedtls_zeroize_and_free(data, bytes); return status; } @@ -7359,6 +7488,12 @@ static psa_status_t psa_key_derivation_input_internal( psa_status_t status; psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); + if (kdf_alg == PSA_ALG_NONE) { + /* This is a blank or aborted operation. */ + status = PSA_ERROR_BAD_STATE; + goto exit; + } + status = psa_key_derivation_check_input_type(step, key_type); if (status != PSA_SUCCESS) { goto exit; @@ -7417,6 +7552,12 @@ static psa_status_t psa_key_derivation_input_integer_internal( psa_status_t status; psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg(operation); + if (kdf_alg == PSA_ALG_NONE) { + /* This is a blank or aborted operation. */ + status = PSA_ERROR_BAD_STATE; + goto exit; + } + #if defined(PSA_HAVE_SOFT_PBKDF2) if (PSA_ALG_IS_PBKDF2(kdf_alg)) { status = psa_pbkdf2_set_input_cost( @@ -7430,6 +7571,7 @@ static psa_status_t psa_key_derivation_input_integer_internal( status = PSA_ERROR_INVALID_ARGUMENT; } +exit: if (status != PSA_SUCCESS) { psa_key_derivation_abort(operation); } @@ -8013,7 +8155,7 @@ psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes, * storage ( thus not in the case of generating a key in a secure element * with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a * buffer to hold the generated key material. */ - if (slot->key.data == NULL) { + if (slot->key.bytes == 0) { if (PSA_KEY_LIFETIME_GET_LOCATION(attributes->lifetime) == PSA_KEY_LOCATION_LOCAL_STORAGE) { status = psa_validate_key_type_and_size_for_key_generation( @@ -9171,7 +9313,7 @@ psa_status_t psa_crypto_local_input_alloc(const uint8_t *input, size_t input_len return PSA_SUCCESS; error: - mbedtls_free(local_input->buffer); + mbedtls_zeroize_and_free(local_input->buffer, local_input->length); local_input->buffer = NULL; local_input->length = 0; return status; @@ -9179,7 +9321,7 @@ error: void psa_crypto_local_input_free(psa_crypto_local_input_t *local_input) { - mbedtls_free(local_input->buffer); + mbedtls_zeroize_and_free(local_input->buffer, local_input->length); local_input->buffer = NULL; local_input->length = 0; } @@ -9223,7 +9365,7 @@ psa_status_t psa_crypto_local_output_free(psa_crypto_local_output_t *local_outpu return status; } - mbedtls_free(local_output->buffer); + mbedtls_zeroize_and_free(local_output->buffer, local_output->length); local_output->buffer = NULL; local_output->length = 0; diff --git a/thirdparty/mbedtls/library/psa_crypto_cipher.c b/thirdparty/mbedtls/library/psa_crypto_cipher.c index 3216c948986..efc5813ff08 100644 --- a/thirdparty/mbedtls/library/psa_crypto_cipher.c +++ b/thirdparty/mbedtls/library/psa_crypto_cipher.c @@ -71,9 +71,6 @@ static psa_status_t mbedtls_cipher_validate_values( #if !defined(PSA_WANT_ALG_OFB) MBEDTLS_ASSUME(alg != PSA_ALG_OFB); #endif -#if !defined(PSA_WANT_ALG_XTS) - MBEDTLS_ASSUME(alg != PSA_ALG_XTS); -#endif #if !defined(PSA_WANT_ALG_ECB_NO_PADDING) MBEDTLS_ASSUME(alg != PSA_ALG_ECB_NO_PADDING); #endif diff --git a/thirdparty/mbedtls/library/psa_crypto_core.h b/thirdparty/mbedtls/library/psa_crypto_core.h index 21e7559f01c..c3c0770142a 100644 --- a/thirdparty/mbedtls/library/psa_crypto_core.h +++ b/thirdparty/mbedtls/library/psa_crypto_core.h @@ -24,18 +24,6 @@ #include "mbedtls/threading.h" #endif -/** - * Tell if PSA is ready for this hash. - * - * \note For now, only checks the state of the driver subsystem, - * not the algorithm. Might do more in the future. - * - * \param hash_alg The hash algorithm (ignored for now). - * - * \return 1 if the driver subsytem is ready, 0 otherwise. - */ -int psa_can_do_hash(psa_algorithm_t hash_alg); - /** * Tell if PSA is ready for this cipher. * @@ -155,7 +143,11 @@ typedef struct { /* Dynamically allocated key data buffer. * Format as specified in psa_export_key(). */ struct key_data { +#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS) + uint8_t data[MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE]; +#else uint8_t *data; +#endif size_t bytes; } key; } psa_key_slot_t; diff --git a/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h b/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h index b9015572084..0ed221b5018 100644 --- a/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h +++ b/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h @@ -306,8 +306,7 @@ static inline psa_status_t psa_driver_wrapper_sign_hash( #endif /* PSA_CRYPTO_DRIVER_TEST */ #if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED) if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) && - PSA_ALG_IS_ECDSA(alg) && - !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) && + PSA_ALG_IS_RANDOMIZED_ECDSA(alg) && PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 && psa_get_key_bits(attributes) == 256 ) { @@ -411,7 +410,6 @@ static inline psa_status_t psa_driver_wrapper_verify_hash( #if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED) if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) && PSA_ALG_IS_ECDSA(alg) && - !PSA_ALG_ECDSA_IS_DETERMINISTIC( alg ) && PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)) == PSA_ECC_FAMILY_SECP_R1 && psa_get_key_bits(attributes) == 256 ) { diff --git a/thirdparty/mbedtls/library/psa_crypto_ecp.c b/thirdparty/mbedtls/library/psa_crypto_ecp.c index 95baff6a0fa..48b90ef57d4 100644 --- a/thirdparty/mbedtls/library/psa_crypto_ecp.c +++ b/thirdparty/mbedtls/library/psa_crypto_ecp.c @@ -321,38 +321,36 @@ psa_status_t mbedtls_psa_ecp_generate_key( const psa_key_attributes_t *attributes, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( attributes->type); mbedtls_ecp_group_id grp_id = mbedtls_ecc_group_from_psa(curve, attributes->bits); - - const mbedtls_ecp_curve_info *curve_info = - mbedtls_ecp_curve_info_from_grp_id(grp_id); - mbedtls_ecp_keypair ecp; - - if (grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL) { + if (grp_id == MBEDTLS_ECP_DP_NONE) { return PSA_ERROR_NOT_SUPPORTED; } + mbedtls_ecp_keypair ecp; mbedtls_ecp_keypair_init(&ecp); - ret = mbedtls_ecp_gen_key(grp_id, &ecp, - mbedtls_psa_get_random, - MBEDTLS_PSA_RANDOM_STATE); + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = mbedtls_ecp_group_load(&ecp.grp, grp_id); if (ret != 0) { - mbedtls_ecp_keypair_free(&ecp); - return mbedtls_to_psa_error(ret); + goto exit; } - status = mbedtls_to_psa_error( - mbedtls_ecp_write_key_ext(&ecp, key_buffer_length, - key_buffer, key_buffer_size)); + ret = mbedtls_ecp_gen_privkey(&ecp.grp, &ecp.d, + mbedtls_psa_get_random, + MBEDTLS_PSA_RANDOM_STATE); + if (ret != 0) { + goto exit; + } + ret = mbedtls_ecp_write_key_ext(&ecp, key_buffer_length, + key_buffer, key_buffer_size); + +exit: mbedtls_ecp_keypair_free(&ecp); - - return status; + return mbedtls_to_psa_error(ret); } #endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */ diff --git a/thirdparty/mbedtls/library/psa_crypto_slot_management.c b/thirdparty/mbedtls/library/psa_crypto_slot_management.c index 9850d8c7505..358c7a2f2f9 100644 --- a/thirdparty/mbedtls/library/psa_crypto_slot_management.c +++ b/thirdparty/mbedtls/library/psa_crypto_slot_management.c @@ -35,9 +35,9 @@ MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_USER_MIN < PSA_KEY_ID_USER_MAX, "Empty user key ID range"); MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VENDOR_MIN < PSA_KEY_ID_VENDOR_MAX, "Empty vendor key ID range"); -MBEDTLS_STATIC_ASSERT(MBEDTLS_PSA_KEY_ID_BUILTIN_MIN < MBEDTLS_PSA_KEY_ID_BUILTIN_MAX, +MBEDTLS_STATIC_ASSERT(MBEDTLS_PSA_KEY_ID_BUILTIN_MIN <= MBEDTLS_PSA_KEY_ID_BUILTIN_MAX, "Empty builtin key ID range"); -MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VOLATILE_MIN < PSA_KEY_ID_VOLATILE_MAX, +MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_VOLATILE_MIN <= PSA_KEY_ID_VOLATILE_MAX, "Empty volatile key ID range"); MBEDTLS_STATIC_ASSERT(PSA_KEY_ID_USER_MAX < PSA_KEY_ID_VENDOR_MIN || diff --git a/thirdparty/mbedtls/library/psa_crypto_storage.h b/thirdparty/mbedtls/library/psa_crypto_storage.h index d7f5b189539..433ecdca514 100644 --- a/thirdparty/mbedtls/library/psa_crypto_storage.h +++ b/thirdparty/mbedtls/library/psa_crypto_storage.h @@ -21,9 +21,16 @@ extern "C" { #include #include -/* Limit the maximum key size in storage. This should have no effect - * since the key size is limited in memory. */ +/* Limit the maximum key size in storage. */ +#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS) +/* Reflect the maximum size for the key buffer. */ +#define PSA_CRYPTO_MAX_STORAGE_SIZE (MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE) +#else +/* Just set an upper boundary but it should have no effect since the key size + * is limited in memory. */ #define PSA_CRYPTO_MAX_STORAGE_SIZE (PSA_BITS_TO_BYTES(PSA_MAX_KEY_BITS)) +#endif + /* Sanity check: a file size must fit in 32 bits. Allow a generous * 64kB of metadata. */ #if PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000 diff --git a/thirdparty/mbedtls/library/psa_util.c b/thirdparty/mbedtls/library/psa_util.c index 679d00ea9b9..014e648ad11 100644 --- a/thirdparty/mbedtls/library/psa_util.c +++ b/thirdparty/mbedtls/library/psa_util.c @@ -440,6 +440,9 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l unsigned char *p = der + der_size; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + if (bits == 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } if (raw_len != (2 * coordinate_len)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } @@ -559,6 +562,9 @@ int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_l size_t coordinate_size = PSA_BITS_TO_BYTES(bits); int ret; + if (bits == 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } /* The output raw buffer should be at least twice the size of a raw * coordinate in order to store r and s. */ if (raw_size < coordinate_size * 2) { diff --git a/thirdparty/mbedtls/library/ssl_client.c b/thirdparty/mbedtls/library/ssl_client.c index 345e6089382..0bd00cd91a3 100644 --- a/thirdparty/mbedtls/library/ssl_client.c +++ b/thirdparty/mbedtls/library/ssl_client.c @@ -29,19 +29,20 @@ static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl, size_t *olen) { unsigned char *p = buf; + const char *hostname = mbedtls_ssl_get_hostname_pointer(ssl); size_t hostname_len; *olen = 0; - if (ssl->hostname == NULL) { + if (hostname == NULL) { return 0; } MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding server name extension: %s", - ssl->hostname)); + hostname)); - hostname_len = strlen(ssl->hostname); + hostname_len = strlen(hostname); MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9); @@ -85,7 +86,7 @@ static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0); p += 2; - memcpy(p, ssl->hostname, hostname_len); + memcpy(p, hostname, hostname_len); *olen = hostname_len + 9; @@ -881,13 +882,14 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_SSL_SESSION_TICKETS) && \ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + const char *context_hostname = mbedtls_ssl_get_hostname_pointer(ssl); if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && ssl->handshake->resume) { - int hostname_mismatch = ssl->hostname != NULL || + int hostname_mismatch = context_hostname != NULL || session_negotiate->hostname != NULL; - if (ssl->hostname != NULL && session_negotiate->hostname != NULL) { + if (context_hostname != NULL && session_negotiate->hostname != NULL) { hostname_mismatch = strcmp( - ssl->hostname, session_negotiate->hostname) != 0; + context_hostname, session_negotiate->hostname) != 0; } if (hostname_mismatch) { @@ -898,7 +900,7 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl) } } else { return mbedtls_ssl_session_set_hostname(session_negotiate, - ssl->hostname); + context_hostname); } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS && diff --git a/thirdparty/mbedtls/library/ssl_debug_helpers_generated.c b/thirdparty/mbedtls/library/ssl_debug_helpers_generated.c index 734c417b8bd..808fce73718 100644 --- a/thirdparty/mbedtls/library/ssl_debug_helpers_generated.c +++ b/thirdparty/mbedtls/library/ssl_debug_helpers_generated.c @@ -11,7 +11,7 @@ * */ -#include "common.h" +#include "ssl_misc.h" #if defined(MBEDTLS_DEBUG_C) diff --git a/thirdparty/mbedtls/library/ssl_misc.h b/thirdparty/mbedtls/library/ssl_misc.h index bfadac7be37..2afcaf97f85 100644 --- a/thirdparty/mbedtls/library/ssl_misc.h +++ b/thirdparty/mbedtls/library/ssl_misc.h @@ -11,6 +11,7 @@ #define MBEDTLS_SSL_MISC_H #include "mbedtls/build_info.h" +#include "common.h" #include "mbedtls/error.h" @@ -47,7 +48,7 @@ #include "ssl_ciphersuites_internal.h" #include "x509_internal.h" #include "pk_internal.h" -#include "common.h" + /* Shorthand for restartable ECC */ #if defined(MBEDTLS_ECP_RESTARTABLE) && \ @@ -2899,6 +2900,18 @@ int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( unsigned char *buf, unsigned char *end); #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +/** Get the host name from the SSL context. + * + * \param[in] ssl SSL context + * + * \return The \p hostname pointer from the SSL context. + * \c NULL if mbedtls_ssl_set_hostname() has never been called on + * \p ssl or if it was last called with \p NULL. + */ +const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl); +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ defined(MBEDTLS_SSL_SESSION_TICKETS) && \ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ @@ -2982,6 +2995,7 @@ static inline void mbedtls_ssl_tls13_session_clear_ticket_flags( #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \ (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) static inline int mbedtls_ssl_conf_get_session_tickets( const mbedtls_ssl_config *conf) { @@ -2989,6 +3003,7 @@ static inline int mbedtls_ssl_conf_get_session_tickets( MBEDTLS_SSL_SESSION_TICKETS_ENABLED : MBEDTLS_SSL_SESSION_TICKETS_DISABLED; } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled( diff --git a/thirdparty/mbedtls/library/ssl_msg.c b/thirdparty/mbedtls/library/ssl_msg.c index 08d197e08c4..4adaf7dc6f8 100644 --- a/thirdparty/mbedtls/library/ssl_msg.c +++ b/thirdparty/mbedtls/library/ssl_msg.c @@ -3221,16 +3221,19 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl) int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) { - /* First handshake fragment must at least include the header. */ - if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET, - ssl->in_msglen)); - return MBEDTLS_ERR_SSL_INVALID_RECORD; - } + if (ssl->badmac_seen_or_in_hsfraglen == 0) { + /* The handshake message must at least include the header. + * We may not have the full message yet in case of fragmentation. + * To simplify the code, we insist on having the header (and in + * particular the handshake message length) in the first + * fragment. */ + if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) { + MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET, + ssl->in_msglen)); + return MBEDTLS_ERR_SSL_INVALID_RECORD; + } - if (ssl->in_hslen == 0) { ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl); - ssl->badmac_seen_or_in_hsfraglen = 0; } MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen =" @@ -3238,6 +3241,14 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) MBEDTLS_PRINTF_SIZET, ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen)); + if (ssl->transform_in != NULL) { + MBEDTLS_SSL_DEBUG_MSG(4, ("decrypted handshake message:" + " iv-buf=%d hdr-buf=%d hdr-buf=%d", + (int) (ssl->in_iv - ssl->in_buf), + (int) (ssl->in_hdr - ssl->in_buf), + (int) (ssl->in_msg - ssl->in_buf))); + } + #if defined(MBEDTLS_SSL_PROTO_DTLS) if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -3297,67 +3308,103 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) } } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - if (ssl->badmac_seen_or_in_hsfraglen <= ssl->in_hslen) { - int ret; + { + unsigned char *const reassembled_record_start = + ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; + unsigned char *const payload_start = + reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl); + unsigned char *payload_end = payload_start + ssl->badmac_seen_or_in_hsfraglen; + /* How many more bytes we want to have a complete handshake message. */ const size_t hs_remain = ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen; + /* How many bytes of the current record are part of the first + * handshake message. There may be more handshake messages (possibly + * incomplete) in the same record; if so, we leave them after the + * current record, and ssl_consume_current_message() will take + * care of consuming the next handshake message. */ + const size_t hs_this_fragment_len = + ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen; + (void) hs_this_fragment_len; + MBEDTLS_SSL_DEBUG_MSG(3, - ("handshake fragment: %u .. %" - MBEDTLS_PRINTF_SIZET " of %" - MBEDTLS_PRINTF_SIZET " msglen %" MBEDTLS_PRINTF_SIZET, + ("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET + ", %u..%u of %" MBEDTLS_PRINTF_SIZET, + (ssl->badmac_seen_or_in_hsfraglen != 0 ? + "subsequent" : + hs_this_fragment_len == ssl->in_hslen ? + "sole" : + "initial"), + ssl->in_msglen, ssl->badmac_seen_or_in_hsfraglen, - (size_t) ssl->badmac_seen_or_in_hsfraglen + - (hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen), - ssl->in_hslen, ssl->in_msglen)); - if (ssl->in_msglen < hs_remain) { - /* ssl->in_msglen is a 25-bit value since it is the sum of the - * header length plus the payload length, the header length is 4 - * and the payload length was received on the wire encoded as - * 3 octets. We don't support 16-bit platforms; more specifically, - * we assume that both unsigned and size_t are at least 32 bits. - * Therefore there is no possible integer overflow here. - */ - ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen; - ssl->in_hdr = ssl->in_msg + ssl->in_msglen; + ssl->badmac_seen_or_in_hsfraglen + + (unsigned) hs_this_fragment_len, + ssl->in_hslen)); + + /* Move the received handshake fragment to have the whole message + * (at least the part received so far) in a single segment at a + * known offset in the input buffer. + * - When receiving a non-initial handshake fragment, append it to + * the initial segment. + * - Even the initial handshake fragment is moved, if it was + * encrypted with an explicit IV: decryption leaves the payload + * after the explicit IV, but here we move it to start where the + * IV was. + */ +#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) + size_t const in_buf_len = ssl->in_buf_len; +#else + size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; +#endif + if (payload_end + ssl->in_msglen > ssl->in_buf + in_buf_len) { + MBEDTLS_SSL_DEBUG_MSG(1, + ("Shouldn't happen: no room to move handshake fragment %" + MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%" + MBEDTLS_PRINTF_SIZET ")", + ssl->in_msglen, + (void *) ssl->in_msg, (void *) payload_end, + (void *) ssl->in_buf, in_buf_len)); + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + } + memmove(payload_end, ssl->in_msg, ssl->in_msglen); + + ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen; + payload_end += ssl->in_msglen; + + if (ssl->badmac_seen_or_in_hsfraglen < ssl->in_hslen) { + MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments " + "%u/%" MBEDTLS_PRINTF_SIZET, + ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen)); + ssl->in_hdr = payload_end; ssl->in_msglen = 0; mbedtls_ssl_update_in_pointers(ssl); return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; - } - if (ssl->badmac_seen_or_in_hsfraglen > 0) { - /* - * At in_first_hdr we have a sequence of records that cover the next handshake - * record, each with its own record header that we need to remove. - * Note that the reassembled record size may not equal the size of the message, - * there may be more messages after it, complete or partial. - */ - unsigned char *in_first_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; - unsigned char *p = in_first_hdr, *q = NULL; - size_t merged_rec_len = 0; - do { - mbedtls_record rec; - ret = ssl_parse_record_header(ssl, p, mbedtls_ssl_in_hdr_len(ssl), &rec); - if (ret != 0) { - return ret; - } - merged_rec_len += rec.data_len; - p = rec.buf + rec.buf_len; - if (q != NULL) { - memmove(q, rec.buf + rec.data_offset, rec.data_len); - q += rec.data_len; - } else { - q = p; - } - } while (merged_rec_len < ssl->in_hslen); - ssl->in_hdr = in_first_hdr; - mbedtls_ssl_update_in_pointers(ssl); - ssl->in_msglen = merged_rec_len; - /* Adjust message length. */ - MBEDTLS_PUT_UINT16_BE(merged_rec_len, ssl->in_len, 0); + } else { + ssl->in_msglen = ssl->badmac_seen_or_in_hsfraglen; ssl->badmac_seen_or_in_hsfraglen = 0; + ssl->in_hdr = reassembled_record_start; + mbedtls_ssl_update_in_pointers(ssl); + + /* Update the record length in the fully reassembled record */ + if (ssl->in_msglen > 0xffff) { + MBEDTLS_SSL_DEBUG_MSG(1, + ("Shouldn't happen: in_msglen=%" + MBEDTLS_PRINTF_SIZET " > 0xffff", + ssl->in_msglen)); + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + } + MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0); + + size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen; + (void) record_len; MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record", - ssl->in_hdr, mbedtls_ssl_in_hdr_len(ssl) + merged_rec_len); + ssl->in_hdr, record_len); + if (ssl->in_hslen < ssl->in_msglen) { + MBEDTLS_SSL_DEBUG_MSG(3, + ("More handshake messages in the record: " + "%" MBEDTLS_PRINTF_SIZET " + %" MBEDTLS_PRINTF_SIZET, + ssl->in_hslen, + ssl->in_msglen - ssl->in_hslen)); + } } - } else { - return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } return 0; @@ -4704,11 +4751,9 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl) if (ssl->badmac_seen_or_in_hsfraglen != 0) { /* Not all handshake fragments have arrived, do not consume. */ - MBEDTLS_SSL_DEBUG_MSG(3, - ("waiting for more fragments (%u of %" - MBEDTLS_PRINTF_SIZET ", %" MBEDTLS_PRINTF_SIZET " left)", - ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen, - ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen)); + MBEDTLS_SSL_DEBUG_MSG(3, ("Consume: waiting for more handshake fragments " + "%u/%" MBEDTLS_PRINTF_SIZET, + ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen)); return 0; } @@ -5103,6 +5148,18 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* If we're in the middle of a fragmented TLS handshake message, + * we don't accept any other message type. For TLS 1.3, the spec forbids + * interleaving other message types between handshake fragments. For TLS + * 1.2, the spec does not forbid it but we do. */ + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM && + ssl->badmac_seen_or_in_hsfraglen != 0 && + ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { + MBEDTLS_SSL_DEBUG_MSG(1, ("non-handshake message in the middle" + " of a fragmented handshake message")); + return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + } + /* * Handle particular types of records */ @@ -5141,15 +5198,9 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { -#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) - MBEDTLS_SSL_DEBUG_MSG(1, + MBEDTLS_SSL_DEBUG_MSG(2, ("Ignore ChangeCipherSpec in TLS 1.3 compatibility mode")); return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; -#else - MBEDTLS_SSL_DEBUG_MSG(1, - ("ChangeCipherSpec invalid in TLS 1.3 without compatibility mode")); - return MBEDTLS_ERR_SSL_INVALID_RECORD; -#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ } diff --git a/thirdparty/mbedtls/library/ssl_tls.c b/thirdparty/mbedtls/library/ssl_tls.c index 7f742482526..3633cd40f9e 100644 --- a/thirdparty/mbedtls/library/ssl_tls.c +++ b/thirdparty/mbedtls/library/ssl_tls.c @@ -2769,6 +2769,51 @@ void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, } #if defined(MBEDTLS_X509_CRT_PARSE_C) + +/* A magic value for `ssl->hostname` indicating that + * mbedtls_ssl_set_hostname() has been called with `NULL`. + * If mbedtls_ssl_set_hostname() has never been called on `ssl`, then + * `ssl->hostname == NULL`. */ +static const char *const ssl_hostname_skip_cn_verification = ""; + +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +/** Whether mbedtls_ssl_set_hostname() has been called. + * + * \param[in] ssl SSL context + * + * \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl + * (including `mbedtls_ssl_set_hostname(ssl, NULL)`), + * otherwise \c 0. + */ +static int mbedtls_ssl_has_set_hostname_been_called( + const mbedtls_ssl_context *ssl) +{ + return ssl->hostname != NULL; +} +#endif + +/* Micro-optimization: don't export this function if it isn't needed outside + * of this source file. */ +#if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +static +#endif +const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl) +{ + if (ssl->hostname == ssl_hostname_skip_cn_verification) { + return NULL; + } + return ssl->hostname; +} + +static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl) +{ + if (ssl->hostname != NULL && + ssl->hostname != ssl_hostname_skip_cn_verification) { + mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); + } + ssl->hostname = NULL; +} + int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname) { /* Initialize to suppress unnecessary compiler warning */ @@ -2786,18 +2831,21 @@ int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname) /* Now it's clear that we will overwrite the old hostname, * so we can free it safely */ - - if (ssl->hostname != NULL) { - mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); - } - - /* Passing NULL as hostname shall clear the old one */ + mbedtls_ssl_free_hostname(ssl); if (hostname == NULL) { - ssl->hostname = NULL; + /* Passing NULL as hostname clears the old one, but leaves a + * special marker to indicate that mbedtls_ssl_set_hostname() + * has been called. */ + /* ssl->hostname should be const, but isn't. We won't actually + * write to the buffer, so it's ok to cast away the const. */ + ssl->hostname = (char *) ssl_hostname_skip_cn_verification; } else { ssl->hostname = mbedtls_calloc(1, hostname_len + 1); if (ssl->hostname == NULL) { + /* mbedtls_ssl_set_hostname() has been called, but unsuccessfully. + * Leave ssl->hostname in the same state as if the function had + * not been called, i.e. a null pointer. */ return MBEDTLS_ERR_SSL_ALLOC_FAILED; } @@ -5583,9 +5631,7 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_X509_CRT_PARSE_C) - if (ssl->hostname != NULL) { - mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); - } + mbedtls_ssl_free_hostname(ssl); #endif #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) @@ -8323,6 +8369,7 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); + return ret; } /* @@ -8436,6 +8483,7 @@ int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl) ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); + return ret; } if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { @@ -9796,6 +9844,27 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, return ret; } +static int get_hostname_for_verification(mbedtls_ssl_context *ssl, + const char **hostname) +{ + if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) { + MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname")); +#if !defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME) + if (mbedtls_ssl_conf_get_endpoint(ssl->conf) == MBEDTLS_SSL_IS_CLIENT && + ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { + return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME; + } +#endif + } + + *hostname = mbedtls_ssl_get_hostname_pointer(ssl); + if (*hostname == NULL) { + MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification")); + } + + return 0; +} + int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, int authmode, mbedtls_x509_crt *chain, @@ -9821,7 +9890,13 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, p_vrfy = ssl->conf->p_vrfy; } - int ret = 0; + const char *hostname = ""; + int ret = get_hostname_for_verification(ssl, &hostname); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret); + return ret; + } + int have_ca_chain_or_callback = 0; #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) if (ssl->conf->f_ca_cb != NULL) { @@ -9834,7 +9909,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, ssl->conf->f_ca_cb, ssl->conf->p_ca_cb, ssl->conf->cert_profile, - ssl->hostname, + hostname, &ssl->session_negotiate->verify_result, f_vrfy, p_vrfy); } else @@ -9861,7 +9936,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, chain, ca_chain, ca_crl, ssl->conf->cert_profile, - ssl->hostname, + hostname, &ssl->session_negotiate->verify_result, f_vrfy, p_vrfy, rs_ctx); } diff --git a/thirdparty/mbedtls/library/ssl_tls12_client.c b/thirdparty/mbedtls/library/ssl_tls12_client.c index 9b2da5a39d3..75783d08f1a 100644 --- a/thirdparty/mbedtls/library/ssl_tls12_client.c +++ b/thirdparty/mbedtls/library/ssl_tls12_client.c @@ -1964,7 +1964,7 @@ static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl, ssl->out_msg + offset + len_bytes, olen, MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_encrypt", ret); return ret; } diff --git a/thirdparty/mbedtls/library/ssl_tls13_client.c b/thirdparty/mbedtls/library/ssl_tls13_client.c index b63b5e63c5b..78a069f7924 100644 --- a/thirdparty/mbedtls/library/ssl_tls13_client.c +++ b/thirdparty/mbedtls/library/ssl_tls13_client.c @@ -319,6 +319,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl, ssl, group_id, p, end, &key_exchange_len); p += key_exchange_len; if (ret != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("client hello: failed generating xxdh key exchange")); return ret; } diff --git a/thirdparty/mbedtls/library/ssl_tls13_server.c b/thirdparty/mbedtls/library/ssl_tls13_server.c index 693edc7b0bc..5757d201805 100644 --- a/thirdparty/mbedtls/library/ssl_tls13_server.c +++ b/thirdparty/mbedtls/library/ssl_tls13_server.c @@ -92,7 +92,7 @@ static void ssl_tls13_select_ciphersuite( return; } - MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx", + MBEDTLS_SSL_DEBUG_MSG(1, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx", (unsigned) psk_ciphersuite_id, (unsigned long) psk_hash_alg)); } @@ -1380,6 +1380,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, } if (ret == 0) { + MBEDTLS_SSL_DEBUG_MSG(2, ("no supported_versions extension")); return SSL_CLIENT_HELLO_TLS1_2; } @@ -1401,6 +1402,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, * the TLS version to negotiate. */ if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) { + MBEDTLS_SSL_DEBUG_MSG(2, ("supported_versions without 1.3")); return SSL_CLIENT_HELLO_TLS1_2; } } @@ -1985,6 +1987,7 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl) } ssl->keep_current_message = 1; ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; + MBEDTLS_SSL_DEBUG_MSG(1, ("non-1.3 ClientHello left for later processing")); return 0; } diff --git a/thirdparty/mbedtls/library/threading.c b/thirdparty/mbedtls/library/threading.c index 85db243f213..fde7cea1d63 100644 --- a/thirdparty/mbedtls/library/threading.c +++ b/thirdparty/mbedtls/library/threading.c @@ -61,7 +61,7 @@ static void threading_mutex_init_pthread(mbedtls_threading_mutex_t *mutex) * this here in a thread safe manner without a significant performance * hit, so state transitions are checked in tests only via the state * variable. Please make sure any new mutex that gets added is exercised in - * tests; see tests/src/threading_helpers.c for more details. */ + * tests; see framework/tests/src/threading_helpers.c for more details. */ (void) pthread_mutex_init(&mutex->mutex, NULL); } diff --git a/thirdparty/mbedtls/library/version_features.c b/thirdparty/mbedtls/library/version_features.c index f542d9808f5..646cde23105 100644 --- a/thirdparty/mbedtls/library/version_features.c +++ b/thirdparty/mbedtls/library/version_features.c @@ -459,6 +459,9 @@ static const char * const features[] = { #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) "SSL_ASYNC_PRIVATE", //no-check-names #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ +#if defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME) + "SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME", //no-check-names +#endif /* MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME */ #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) "SSL_CONTEXT_SERIALIZATION", //no-check-names #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ @@ -720,6 +723,9 @@ static const char * const features[] = { #if defined(MBEDTLS_PSA_ITS_FILE_C) "PSA_ITS_FILE_C", //no-check-names #endif /* MBEDTLS_PSA_ITS_FILE_C */ +#if defined(MBEDTLS_PSA_STATIC_KEY_SLOTS) + "PSA_STATIC_KEY_SLOTS", //no-check-names +#endif /* MBEDTLS_PSA_STATIC_KEY_SLOTS */ #if defined(MBEDTLS_RIPEMD160_C) "RIPEMD160_C", //no-check-names #endif /* MBEDTLS_RIPEMD160_C */ diff --git a/thirdparty/mbedtls/patches/0002-pr-9981-defragment-incoming-tls-handshake-messages.patch b/thirdparty/mbedtls/patches/0002-pr-9981-defragment-incoming-tls-handshake-messages.patch deleted file mode 100644 index 406bb14f990..00000000000 --- a/thirdparty/mbedtls/patches/0002-pr-9981-defragment-incoming-tls-handshake-messages.patch +++ /dev/null @@ -1,373 +0,0 @@ -diff --git a/thirdparty/README.md b/thirdparty/README.md -index 16a7661f5b..7ad8524e1a 100644 ---- a/thirdparty/README.md -+++ b/thirdparty/README.md -@@ -627,6 +627,7 @@ File extracted from upstream release tarball: - Patches: - - - `0001-msvc-2019-psa-redeclaration.patch` (GH-90535) -+- `0002-pr-9981-defragment-incoming-tls-handshake-messages.patch` (GH-102770) - - - ## meshoptimizer -diff --git a/thirdparty/mbedtls/include/mbedtls/ssl.h b/thirdparty/mbedtls/include/mbedtls/ssl.h -index 42fffbf860..597da2571f 100644 ---- a/thirdparty/mbedtls/include/mbedtls/ssl.h -+++ b/thirdparty/mbedtls/include/mbedtls/ssl.h -@@ -1724,7 +1724,16 @@ struct mbedtls_ssl_context { - int MBEDTLS_PRIVATE(early_data_state); - #endif - -- unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */ -+ /** Multipurpose field. -+ * -+ * - DTLS: records with a bad MAC received. -+ * - TLS: accumulated length of handshake fragments (up to \c in_hslen). -+ * -+ * This field is multipurpose in order to preserve the ABI in the -+ * Mbed TLS 3.6 LTS branch. Until 3.6.2, it was only used in DTLS -+ * and called `badmac_seen`. -+ */ -+ unsigned MBEDTLS_PRIVATE(badmac_seen_or_in_hsfraglen); - - #if defined(MBEDTLS_X509_CRT_PARSE_C) - /** Callback to customize X.509 certificate chain verification */ -diff --git a/thirdparty/mbedtls/library/ssl_misc.h b/thirdparty/mbedtls/library/ssl_misc.h -index 98668798a8..bfadac7be3 100644 ---- a/thirdparty/mbedtls/library/ssl_misc.h -+++ b/thirdparty/mbedtls/library/ssl_misc.h -@@ -1829,10 +1829,11 @@ void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs); - MBEDTLS_CHECK_RETURN_CRITICAL - int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl); - --void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl); -+void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl); -+void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); -+void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl); - void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl, - mbedtls_ssl_transform *transform); --void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); - - MBEDTLS_CHECK_RETURN_CRITICAL - int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial); -diff --git a/thirdparty/mbedtls/library/ssl_msg.c b/thirdparty/mbedtls/library/ssl_msg.c -index ef722d7bdc..08d197e08c 100644 ---- a/thirdparty/mbedtls/library/ssl_msg.c -+++ b/thirdparty/mbedtls/library/ssl_msg.c -@@ -25,6 +25,7 @@ - #include "constant_time_internal.h" - #include "mbedtls/constant_time.h" - -+#include - #include - - #if defined(MBEDTLS_USE_PSA_CRYPTO) -@@ -3220,13 +3221,17 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl) - - int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) - { -- if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) { -+ /* First handshake fragment must at least include the header. */ -+ if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET, - ssl->in_msglen)); - return MBEDTLS_ERR_SSL_INVALID_RECORD; - } - -- ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl); -+ if (ssl->in_hslen == 0) { -+ ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl); -+ ssl->badmac_seen_or_in_hsfraglen = 0; -+ } - - MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen =" - " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" -@@ -3292,10 +3297,67 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) - } - } else - #endif /* MBEDTLS_SSL_PROTO_DTLS */ -- /* With TLS we don't handle fragmentation (for now) */ -- if (ssl->in_msglen < ssl->in_hslen) { -- MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported")); -- return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; -+ if (ssl->badmac_seen_or_in_hsfraglen <= ssl->in_hslen) { -+ int ret; -+ const size_t hs_remain = ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen; -+ MBEDTLS_SSL_DEBUG_MSG(3, -+ ("handshake fragment: %u .. %" -+ MBEDTLS_PRINTF_SIZET " of %" -+ MBEDTLS_PRINTF_SIZET " msglen %" MBEDTLS_PRINTF_SIZET, -+ ssl->badmac_seen_or_in_hsfraglen, -+ (size_t) ssl->badmac_seen_or_in_hsfraglen + -+ (hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen), -+ ssl->in_hslen, ssl->in_msglen)); -+ if (ssl->in_msglen < hs_remain) { -+ /* ssl->in_msglen is a 25-bit value since it is the sum of the -+ * header length plus the payload length, the header length is 4 -+ * and the payload length was received on the wire encoded as -+ * 3 octets. We don't support 16-bit platforms; more specifically, -+ * we assume that both unsigned and size_t are at least 32 bits. -+ * Therefore there is no possible integer overflow here. -+ */ -+ ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen; -+ ssl->in_hdr = ssl->in_msg + ssl->in_msglen; -+ ssl->in_msglen = 0; -+ mbedtls_ssl_update_in_pointers(ssl); -+ return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; -+ } -+ if (ssl->badmac_seen_or_in_hsfraglen > 0) { -+ /* -+ * At in_first_hdr we have a sequence of records that cover the next handshake -+ * record, each with its own record header that we need to remove. -+ * Note that the reassembled record size may not equal the size of the message, -+ * there may be more messages after it, complete or partial. -+ */ -+ unsigned char *in_first_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; -+ unsigned char *p = in_first_hdr, *q = NULL; -+ size_t merged_rec_len = 0; -+ do { -+ mbedtls_record rec; -+ ret = ssl_parse_record_header(ssl, p, mbedtls_ssl_in_hdr_len(ssl), &rec); -+ if (ret != 0) { -+ return ret; -+ } -+ merged_rec_len += rec.data_len; -+ p = rec.buf + rec.buf_len; -+ if (q != NULL) { -+ memmove(q, rec.buf + rec.data_offset, rec.data_len); -+ q += rec.data_len; -+ } else { -+ q = p; -+ } -+ } while (merged_rec_len < ssl->in_hslen); -+ ssl->in_hdr = in_first_hdr; -+ mbedtls_ssl_update_in_pointers(ssl); -+ ssl->in_msglen = merged_rec_len; -+ /* Adjust message length. */ -+ MBEDTLS_PUT_UINT16_BE(merged_rec_len, ssl->in_len, 0); -+ ssl->badmac_seen_or_in_hsfraglen = 0; -+ MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record", -+ ssl->in_hdr, mbedtls_ssl_in_hdr_len(ssl) + merged_rec_len); -+ } -+ } else { -+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - } - - return 0; -@@ -4640,6 +4702,16 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl) - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } - -+ if (ssl->badmac_seen_or_in_hsfraglen != 0) { -+ /* Not all handshake fragments have arrived, do not consume. */ -+ MBEDTLS_SSL_DEBUG_MSG(3, -+ ("waiting for more fragments (%u of %" -+ MBEDTLS_PRINTF_SIZET ", %" MBEDTLS_PRINTF_SIZET " left)", -+ ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen, -+ ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen)); -+ return 0; -+ } -+ - /* - * Get next Handshake message in the current record - */ -@@ -4665,6 +4737,7 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl) - ssl->in_msglen -= ssl->in_hslen; - memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen, - ssl->in_msglen); -+ MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0); - - MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record", - ssl->in_msg, ssl->in_msglen); -@@ -4967,10 +5040,12 @@ static int ssl_get_next_record(mbedtls_ssl_context *ssl) - return ret; - } - -- if (ssl->conf->badmac_limit != 0 && -- ++ssl->badmac_seen >= ssl->conf->badmac_limit) { -- MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC")); -- return MBEDTLS_ERR_SSL_INVALID_MAC; -+ if (ssl->conf->badmac_limit != 0) { -+ ++ssl->badmac_seen_or_in_hsfraglen; -+ if (ssl->badmac_seen_or_in_hsfraglen >= ssl->conf->badmac_limit) { -+ MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC")); -+ return MBEDTLS_ERR_SSL_INVALID_MAC; -+ } - } - - /* As above, invalid records cause -@@ -5345,7 +5420,7 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl) - } else - #endif - { -- ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; -+ ssl->in_ctr = ssl->in_buf; - ssl->in_len = ssl->in_hdr + 3; - #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ssl->in_cid = ssl->in_len; -@@ -5361,24 +5436,35 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl) - * Setup an SSL context - */ - --void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl) -+void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl) -+{ -+#if defined(MBEDTLS_SSL_PROTO_DTLS) -+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { -+ ssl->in_hdr = ssl->in_buf; -+ } else -+#endif /* MBEDTLS_SSL_PROTO_DTLS */ -+ { -+ ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; -+ } -+ -+ /* Derive other internal pointers. */ -+ mbedtls_ssl_update_in_pointers(ssl); -+} -+ -+void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl) - { - /* Set the incoming and outgoing record pointers. */ - #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - ssl->out_hdr = ssl->out_buf; -- ssl->in_hdr = ssl->in_buf; - } else - #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - ssl->out_ctr = ssl->out_buf; -- ssl->out_hdr = ssl->out_buf + 8; -- ssl->in_hdr = ssl->in_buf + 8; -+ ssl->out_hdr = ssl->out_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; - } -- - /* Derive other internal pointers. */ - mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */); -- mbedtls_ssl_update_in_pointers(ssl); - } - - /* -diff --git a/thirdparty/mbedtls/library/ssl_tls.c b/thirdparty/mbedtls/library/ssl_tls.c -index c773365bf6..7f74248252 100644 ---- a/thirdparty/mbedtls/library/ssl_tls.c -+++ b/thirdparty/mbedtls/library/ssl_tls.c -@@ -344,12 +344,13 @@ static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, - size_t out_buf_new_len) - { - int modified = 0; -- size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0; -+ size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0; - size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0; - if (ssl->in_buf != NULL) { - written_in = ssl->in_msg - ssl->in_buf; - iv_offset_in = ssl->in_iv - ssl->in_buf; - len_offset_in = ssl->in_len - ssl->in_buf; -+ hdr_in = ssl->in_hdr - ssl->in_buf; - if (downsizing ? - ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len : - ssl->in_buf_len < in_buf_new_len) { -@@ -381,7 +382,10 @@ static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, - } - if (modified) { - /* Update pointers here to avoid doing it twice. */ -- mbedtls_ssl_reset_in_out_pointers(ssl); -+ ssl->in_hdr = ssl->in_buf + hdr_in; -+ mbedtls_ssl_update_in_pointers(ssl); -+ mbedtls_ssl_reset_out_pointers(ssl); -+ - /* Fields below might not be properly updated with record - * splitting or with CID, so they are manually updated here. */ - ssl->out_msg = ssl->out_buf + written_out; -@@ -1409,7 +1413,8 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, - goto error; - } - -- mbedtls_ssl_reset_in_out_pointers(ssl); -+ mbedtls_ssl_reset_in_pointers(ssl); -+ mbedtls_ssl_reset_out_pointers(ssl); - - #if defined(MBEDTLS_SSL_DTLS_SRTP) - memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info)); -@@ -1474,7 +1479,8 @@ void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, - /* Cancel any possibly running timer */ - mbedtls_ssl_set_timer(ssl, 0); - -- mbedtls_ssl_reset_in_out_pointers(ssl); -+ mbedtls_ssl_reset_in_pointers(ssl); -+ mbedtls_ssl_reset_out_pointers(ssl); - - /* Reset incoming message parsing */ - ssl->in_offt = NULL; -@@ -1485,6 +1491,12 @@ void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, - ssl->keep_current_message = 0; - ssl->transform_in = NULL; - -+ /* TLS: reset in_hsfraglen, which is part of message parsing. -+ * DTLS: on a client reconnect, don't reset badmac_seen. */ -+ if (!partial) { -+ ssl->badmac_seen_or_in_hsfraglen = 0; -+ } -+ - #if defined(MBEDTLS_SSL_PROTO_DTLS) - ssl->next_record_offset = 0; - ssl->in_epoch = 0; -@@ -5014,7 +5026,7 @@ static const unsigned char ssl_serialized_context_header[] = { - * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value - * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use - * // fields from ssl_context -- * uint32 badmac_seen; // DTLS: number of records with failing MAC -+ * uint32 badmac_seen_or_in_hsfraglen; // DTLS: number of records with failing MAC - * uint64 in_window_top; // DTLS: last validated record seq_num - * uint64 in_window; // DTLS: bitmask for replay protection - * uint8 disable_datagram_packing; // DTLS: only one record per datagram -@@ -5156,7 +5168,7 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, - */ - used += 4; - if (used <= buf_len) { -- MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0); -+ MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen_or_in_hsfraglen, p, 0); - p += 4; - } - -@@ -5386,7 +5398,7 @@ static int ssl_context_load(mbedtls_ssl_context *ssl, - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - -- ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0); -+ ssl->badmac_seen_or_in_hsfraglen = MBEDTLS_GET_UINT32_BE(p, 0); - p += 4; - - #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) -diff --git a/thirdparty/mbedtls/library/ssl_tls12_server.c b/thirdparty/mbedtls/library/ssl_tls12_server.c -index 03722ac33c..67df4284a4 100644 ---- a/thirdparty/mbedtls/library/ssl_tls12_server.c -+++ b/thirdparty/mbedtls/library/ssl_tls12_server.c -@@ -1057,28 +1057,6 @@ read_record_header: - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; - } -- { -- size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1); -- MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u", -- (unsigned) handshake_len)); -- -- /* The record layer has a record size limit of 2^14 - 1 and -- * fragmentation is not supported, so buf[1] should be zero. */ -- if (buf[1] != 0) { -- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0", -- (unsigned) buf[1])); -- return MBEDTLS_ERR_SSL_DECODE_ERROR; -- } -- -- /* We don't support fragmentation of ClientHello (yet?) */ -- if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) { -- MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u", -- (unsigned) msg_len, -- (unsigned) mbedtls_ssl_hs_hdr_len(ssl), -- (unsigned) handshake_len)); -- return MBEDTLS_ERR_SSL_DECODE_ERROR; -- } -- } - - #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {