mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-10-21 23:11:17 +08:00
Commit Graph

13620 Commits

Author SHA1 Message Date
Gilles Peskine
6cb9f35d8c Switch legacy cipher to constant-time invalid padding reporting
In internal `get_padding` functions, report whether the padding was invalid
through a separate output parameter, rather than the return code. Take
advantage of this to have `mbedtls_cipher_finish_padded()` be the easy path
that just passes the `invalid_padding` through. Make
`mbedtls_cipher_finish()` a wrapper around `mbedtls_cipher_finish_padded()`
that converts the invalid-padding output into an error code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-08-08 15:14:47 +02:00
Gilles Peskine
155de2ab77 New function mbedtls_cipher_finish_padded
New function `mbedtls_cipher_finish_padded()`, similar to
`mbedtls_cipher_finish()`, but reporting padding errors through a separate
output parameter. This makes it easier to avoid leaking the presence of a
padding error, especially through timing. Thus the new function is
recommended to defend against padding oracle attacks.

In this commit, implement this function naively, with timing that depends on
whether an error happened. A subsequent commit will make this function
constant-time.

Copy the test decrypt_test_vec and decrypt_test_vec_cf test cases into
variants that call `mbedtls_cipher_finish_padded()`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-08-08 15:14:47 +02:00
Manuel Pégourié-Gonnard
ec35382a51 Try again to clarify connection with the paper
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-24 12:22:16 +02:00
Manuel Pégourié-Gonnard
efd242a0e5 Gracefully handle A_limbs > N_limbs and test it
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-24 11:10:59 +02:00
Manuel Pégourié-Gonnard
9361550c45 Tune comment about paper vs our code again
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-23 13:21:07 +02:00
Manuel Pégourié-Gonnard
dbda872369 Expand comment about adaptations from the paper
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-22 09:21:53 +02:00
Manuel Pégourié-Gonnard
ed711e1420 Clarify preconditions and impact if not met
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-22 09:00:52 +02:00
Manuel Pégourié-Gonnard
5972096114 Forbid uninteresting edge cases
A == N (as pointers) will not happen in practice: in our context, it
would mean we know at compile time that A == N (as values), and we
wouldn't be calling this function if we knew that already.

N == 1 when I != NULL is also not going to happen: we don't care about
operations mod 1.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-18 09:40:14 +02:00
Manuel Pégourié-Gonnard
7fba466826 Unit-test mpi_core_div2_mod_odd()
This function has specific code to handle carries and it's not clear how
to exercise that code through the modinv function, so well, that's what
unit tests are for.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-18 09:40:14 +02:00
Manuel Pégourié-Gonnard
de5eeb5ce9 Relax and test aliasing rules
This is consistent with the general rules documented at the top of the
file:
- when computing GCD(A, N), there is no modular arithmetic, so the
  output can alias any of the inputs;
- when computing a modular inverse, N is the modulus, so it can't be
  aliased by any of the outputs (we'll use it for modular operations
  over the entire course of the function's execution).

But since this function has two modes of operations with different
aliasing rules (G can alias N only if I == NULL), I think it should
really be stated explicitly.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-18 09:40:14 +02:00
Manuel Pégourié-Gonnard
07a057756c bignum_core: Add mbedtls_mpi_core_gcd_modinv_odd()
This is a direct translation of sict_mi2() from
https://github.com/mpg/cryptohack/blob/main/ct-pres.py
which was presented in the book club's special session.

This commit only includes two test cases which is very little. Most of
the test cases will be generated by Python modules that belong to the
framework. However we can't have the framework generate those before we
have the corresponding test function in the consuming branches. So,
extended tests are coming as a 2nd step, after the test function has
been merged.

(The test cases in .misc should stay, as they can be convenient when
working on the test function.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-07-18 09:40:14 +02:00
minosgalanakis
1a22f21b74 Merge pull request #1381 from Mbed-TLS/mbedtls-3.6.4-mergeback
Mbedtls 3.6.4 merge-back pr
2025-06-30 22:06:11 +01:00
Minos Galanakis
5b9c7c5204 Revert "Added generated files"
This reverts commit 59e8b3a6b0.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-30 18:33:00 +01:00
Minos Galanakis
59e8b3a6b0 Added generated files
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-25 14:18:23 +01:00
Minos Galanakis
5374262f3b Version bump 3.6.4
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-25 14:07:55 +01:00
Minos Galanakis
f36277558a Merge remote-tracking branch 'restricted/mbedtls-3.6-restricted' into mbedtls-3.6.4rc0-pr
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-23 18:52:17 +01:00
David Horstmann
5e1e5b3e53 Merge pull request #10241 from ariwo17/backport-typo-fixes-3.6
[BACKPORT] Fixed some minor typos in comments.
2025-06-23 16:33:41 +00:00
David Horstmann
54ceaf7a53 Merge pull request #10200 from aslze/mbedtls-3.6
[3.6] Fix build C++ apps with MSVC
2025-06-19 14:25:50 +00:00
Ari Weiler-Ofek
fb2460ae0b Fixed some minor typos in comments.
Signed-off-by: Ari Weiler-Ofek <ari.weiler-ofek@arm.com>
2025-06-19 15:15:30 +01:00
Ronald Cron
7df899211a fix: additional MSVC v142 build issue with tls1.3 configuration enabled.
Signed-off-by: Cesar Cruz <cesar.cruz@philips.com>
Signed-off-by: ccrugoPhilips <cesar.cruz@philips.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-06-18 10:13:54 +02:00
David Horstmann
a84be59757 Merge pull request #1366 from gilles-peskine-arm/base64-decode-clean-3.6
Backport 3.6: mbedtls_base64_decode: fix sloppiness
2025-06-17 14:55:39 +01:00
Gilles Peskine
3c9ad42719 Merge pull request #1367 from gilles-peskine-arm/aesni_has_support-volatile-3.6
Backport 3.6: Fix race condition in mbedtls_aesni_has_support
2025-06-13 23:20:28 +02:00
Gilles Peskine
853cfbdced Add a note about processor memory reordering
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-12 18:30:45 +02:00
Felix Conway
766be1f8f4 Replace __attribute__((nonstring)) with macro MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
This macro applies __attribute__((nonstring)) when the compiler supports
it.

Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-06-12 11:13:33 +01:00
Gilles Peskine
51dccfb2a6 Improve some explanations
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-11 18:47:31 +02:00
Felix Conway
2e1399f1e1 Add __attribute__ ((nonstring)) to remove unterminated-string-initialization warning
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-06-11 16:04:30 +01:00
Gilles Peskine
a79525239f Merge pull request #1359 from Mbed-TLS/bugfix_1351_1352_1353_lms_drivers_3.6bp
[3.6 Backport] Bugfix: lms/lmots driver hardening.
2025-06-10 19:08:15 +02:00
Manuel Pégourié-Gonnard
7ed3653c57 Merge pull request #1363 from gilles-peskine-arm/3.6-restricted-merge-20250606
Merge mbedtls-3.6 into mbedtls-3.6-restricted
2025-06-10 11:01:11 +02:00
Manuel Pégourié-Gonnard
cae443405e Merge pull request #1347 from mpg/fix-asn1-store-named-data-null-deref-3.6
Backport 3.6: Fix asn1 store named data null deref
2025-06-10 09:50:34 +02:00
Gilles Peskine
8c67ac0f7f Fix race condition in mbedtls_aesni_has_support
Fix a race condition in `mbedtls_aes_ni_has_support()` with some compilers.
A compiler could hoist the assignment `done = 1` above the assignment to `c`,
in which case if two threads call `mbedtls_aes_ni_has_support()` at almost
the same time, they could be interleaved as follows:

    Initially: done = 0, c = 0

    thread A                thread B
    if (!done)
      done = 1;                                     # hoisted
                            if (!done)
                                return c & what;    # wrong!
      c = cpuid();
    return c & what

This would lead to thread B using software AES even though AESNI was
available. This is a very minor performance bug. But also, given a very
powerful adversary who can block thread A indefinitely (which may be
possible when attacking an SGX enclave), thread B could use software AES for
a long time, opening the way to a timing side channel attack.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-09 23:48:34 +02:00
Gilles Peskine
2b3d6a8f28 mbedtls_base64_decode: insist on correct padding
Correct base64 input (excluding ignored characters such as spaces) consists
of exactly 4*k, 4*k-1 or 4*k-2 digits, followed by 0, 1 or 2 equal signs
respectively.

Previously, any number of trailing equal signs up to 2 was accepted, but if
there were fewer than 4*k digits-or-equals, the last partial block was counted in
`*olen` in buffer-too-small mode, but was not output despite returning 0.

Now `mbedtls_base64_decode()` insists on correct padding. This is
backward-compatible since the only plausible useful inputs that used to be
accepted were inputs with 4*k-1 or 4*k-2 digits and no trailing equal signs,
and those led to invalid (truncated) output. Furthermore the function now
always reports the exact output size in buffer-too-small mode.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-09 23:01:21 +02:00
Minos Galanakis
df2f0aae81 lms.c: Updated documentation
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-06 14:35:07 +01:00
Gilles Peskine
7df273bb34 Merge remote-tracking branch 'mbedtls-3.6' into mbedtls-3.6-restricted
2025-06-06 10:46:03 +02:00
Gilles Peskine
84999d1a7b Fix mbedtls_base64_decode() accepting invalid inputs with 4n+1 digits
The last digit was ignored.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-05 16:15:41 +02:00
Minos Galanakis
9b3051fb10 Built-in lms driver: always zeroize output-buffer in create_merkle_leaf_value
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-04 16:23:57 +01:00
Minos Galanakis
ae449bfca5 Built-in lms driver: Check return values of Merkle node creation
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-04 15:54:49 +01:00
Minos Galanakis
caaffc1e7e Built-in lms/lmots driver: Harden public key import against enum truncation
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-04 15:54:46 +01:00
Minos Galanakis
548e2dbf65 Built-in lms driver: Added input guard
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-06-04 15:20:38 +01:00
David Horstmann
3f82706cb7 Merge pull request #1349 from felixc-arm/pem-integer-underflow-3.6
[3.6] Fix Integer Underflow when Decoding PEM Keys
2025-06-04 14:36:35 +01:00
Felix Conway
6165e71589 Add fix for PEM underflow
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-06-04 10:06:26 +01:00
Manuel Pégourié-Gonnard
e51bde06da Fix possible UB in mbedtls_asn1_write_raw_buffer()
This is mostly unrelated to other commits in this PR, except for the
fact that one of the added X.509 tests revealed that with UBSan.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-06-03 11:23:19 +02:00
Manuel Pégourié-Gonnard
2df7ab7c0c Fix bug in mbedtls_asn1_store_named_data()
When passed a zero-length val, the function was free-ing the buffer as
the documentation suggests:

 * \param val_len   The minimum length of the data buffer needed.
 *                  If this is 0, do not allocate a buffer for the associated
 *                  data.
 *                  If the OID was already present, enlarge, shrink or free
 *                  the existing buffer to fit \p val_len.

However it kept the previous length, leaving the val structure in the
corresponding item in the output list in an inconsistent state:

    p == NULL but len != 0

As a result, functions that would try using this item in the list
(including the same function!) afterwards would trip and dereference the
NULL pointer.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-26 10:42:14 +02:00
Manuel Pégourié-Gonnard
1e9267c993 Merge pull request #1340 from mpg/fix-string-to-names-uaf-3.6
[3.6] Fix string to names memory management
2025-05-21 14:48:43 +02:00
Deomid rojer Ryabkov
fb5e2e5e46 Mark ssl_tls12_preset_suiteb_sig_algs const
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-05-19 20:48:13 +01:00
Deomid rojer Ryabkov
e3aaf82a77 Mark ssl_tls12_preset_default_sig_algs const
To place in flash and save RAM on targets where this applies.

Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-05-19 20:48:08 +01:00
Gilles Peskine
91b29a0bd9 Grammar in comments
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-13 11:53:31 +02:00
Gilles Peskine
0e4907d4f5 Initialize MAC context in internal functions for one-shot MAC
In functions that bypass the API functions and call an internal MAC setup
function directly, make sure to initialize the driver-specific part of the
context. This is a union, and initializing the union to `{0}` only
guarantees that the first member of the union is initialized, not
necessarily the member used by the driver. Most compilers do initialize the
whole union to all-bits-zero, but some don't. With compilers that don't, the
lack of initialization caused failures of the affected operations. This
affected one-shot MAC operations using the built-in implementation.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-07 18:42:52 +02:00
Gilles Peskine
bbec1c1d25 Initialize MAC context in internal functions for KDF
In functions that bypass the API functions and call the MAC driver wrapper
`psa_driver_wrapper_mac_sign_setup()` directly, make
sure to initialize the driver-specific part of the context. This is a union,
and initializing the union to `{0}` only guarantees that the first member of
the union is initialized, not necessarily the member used by the driver.
Most compilers do initialize the whole union to all-bits-zero, but some
don't. With compilers that don't, the lack of initialization caused failures
of the affected operations. This affected several key derivation operations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-07 18:42:33 +02:00
Gilles Peskine
a7a480bb81 Initialize driver context in setup functions
In API functions that set up a multipart or interruptible operation, make
sure to initialize the driver-specific part of the context. This is a union,
and initializing the union to `{0}` only guarantees that the first member of
the union is initialized, not necessarily the member used by the driver.
Most compilers do initialize the whole union to all-bits-zero, but some
don't. With compilers that don't, the lack of initialization caused failures
of built-in MAC, interruptible-sign and interruptible-verify. It could also
cause failures for other operations with third-party drivers: we promise
that drivers' setup entry points receive a zero-initialized operation
structure, but this promise was not kept.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-05-07 18:41:59 +02:00
Manuel Pégourié-Gonnard
219c3368eb Merge pull request #1306 from davidhorstmann-arm/pkcs7-padding-side-channel-fix-3.6
[Backport 3.6] Fix side channel in PKCS7 padding
2025-05-06 09:34:40 +02:00