Merge pull request #1092 from Mbed-TLS/mbedtls-2.28.5rc0-pr

Mbedtls 2.28.5rc0 pr

BRANCHES.md

@@ -76,6 +76,6 @@ The following branches are currently maintained:
 - [`development`](https://github.com/Mbed-TLS/mbedtls/)
 - [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
  maintained until at least the end of 2024, see
- <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4>.
+ <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5>.
 
 Users are urged to always use the latest version of a maintained branch.

ChangeLog

@@ -1,5 +1,54 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
 
+= Mbed TLS 2.28.5 branch released 2023-10-05
+
+Features
+ * The documentation of mbedtls_ecp_group now describes the optimized
+ representation of A for some curves. Fixes #8045.
+
+Security
+ * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
+ review the size of the output buffer passed to this function, and note
+ that the output after decryption may include CBC padding. Consider moving
+ to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
+ which checks for overflow of the output buffer and reports the actual
+ length of the output.
+ * Improve padding calculations in CBC decryption, NIST key unwrapping and
+ RSA OAEP decryption. With the previous implementation, some compilers
+ (notably recent versions of Clang and IAR) could produce non-constant
+ time code, which could allow a padding oracle attack if the attacker
+ has access to precise timing measurements.
+ * Fix a buffer overread when parsing short TLS application data records in
+ ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz.
+
+Bugfix
+ * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
+ using ECC key. The certificate was rejected by some crypto frameworks.
+ Fixes #2924.
+ * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
+ signature can silently return an incorrect result in low memory conditions.
+ * Fix IAR compiler warnings. Fixes #7873, #4300.
+ * Fix an issue when parsing an otherName subject alternative name into a
+ mbedtls_x509_san_other_name struct. The type-id of the otherName was not
+ copied to the struct. This meant that the struct had incomplete
+ information about the otherName SAN and contained uninitialized memory.
+ * Fix the detection of HardwareModuleName otherName SANs. These were being
+ detected by comparing the wrong field and the check was erroneously
+ inverted.
+ * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
+ MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
+ * Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
+ error code on failure. Before, they returned 1 to indicate failure in
+ some cases involving a missing entry or a full cache.
+
+Changes
+ * In configurations with ARIA or Camellia but not AES, the value of
+ MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
+ suggest. This did not affect any library code, because this macro was
+ only used in relation with CMAC which does not support these ciphers.
+ Its value is now 16 if ARIA or Camellia are present. This may affect
+ application code that uses this macro.
+
 = Mbed TLS 2.28.4 branch released 2023-08-04
 
 Features

doxygen/input/doc_mainpage.h

@@ -22,7 +22,7 @@
  */
 
 /**
- * @mainpage Mbed TLS v2.28.4 API Documentation
+ * @mainpage Mbed TLS v2.28.5 API Documentation
  *
  * This documentation describes the internal structure of Mbed TLS. It was
  * automatically generated from specially formatted comment blocks in

doxygen/mbedtls.doxyfile

@@ -1,4 +1,4 @@
-PROJECT_NAME = "Mbed TLS v2.28.4"
+PROJECT_NAME = "Mbed TLS v2.28.5"
 OUTPUT_DIRECTORY = ../apidoc/
 FULL_PATH_NAMES = NO
 OPTIMIZE_OUTPUT_FOR_C = YES

include/mbedtls/cipher.h

@@ -446,10 +446,29 @@ void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx);
 
 
 /**
- * \brief This function initializes a cipher context for
+ * \brief This function prepares a cipher context for
  * use with the given cipher primitive.
  *
- * \param ctx The context to initialize. This must be initialized.
+ * \warning In CBC mode, if mbedtls_cipher_set_padding_mode() is not called:
+ * - If MBEDTLS_CIPHER_PADDING_PKCS7 is enabled, the
+ * context will use PKCS7 padding.
+ * - Otherwise the context uses no padding and the input
+ * must be a whole number of blocks.
+ *
+ * \note After calling this function, you should call
+ * mbedtls_cipher_setkey() and, if the mode uses padding,
+ * mbedtls_cipher_set_padding_mode(), then for each
+ * message to encrypt or decrypt with this key, either:
+ * - mbedtls_cipher_crypt() for one-shot processing with
+ * non-AEAD modes;
+ * - mbedtls_cipher_auth_encrypt_ext() or
+ * mbedtls_cipher_auth_decrypt_ext() for one-shot
+ * processing with AEAD modes or NIST_KW;
+ * - for multi-part processing, see the documentation of
+ * mbedtls_cipher_reset().
+ *
+ * \param ctx The context to prepare. This must be initialized by
+ * a call to mbedtls_cipher_init() first.
  * \param cipher_info The cipher to use.
  *
  * \return \c 0 on success.
@@ -663,8 +682,6 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
  * \brief This function sets the padding mode, for cipher modes
  * that use padding.
  *
- * The default passing mode is PKCS7 padding.
- *
  * \param ctx The generic cipher context. This must be initialized and
  * bound to a cipher information structure.
  * \param mode The padding mode.
@@ -704,7 +721,29 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
 /**
  * \brief This function resets the cipher state.
  *
- * \param ctx The generic cipher context. This must be initialized.
+ * \note With non-AEAD ciphers, the order of calls for each message
+ * is as follows:
+ * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
+ * 2. mbedtls_cipher_reset()
+ * 3. mbedtls_cipher_update() one or more times
+ * 4. mbedtls_cipher_finish()
+ * .
+ * This sequence can be repeated to encrypt or decrypt multiple
+ * messages with the same key.
+ *
+ * \note With AEAD ciphers, the order of calls for each message
+ * is as follows:
+ * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
+ * 2. mbedtls_cipher_reset()
+ * 3. mbedtls_cipher_update_ad()
+ * 4. mbedtls_cipher_update() one or more times
+ * 5. mbedtls_cipher_check_tag() (for decryption) or
+ * mbedtls_cipher_write_tag() (for encryption).
+ * .
+ * This sequence can be repeated to encrypt or decrypt multiple
+ * messages with the same key.
+ *
+ * \param ctx The generic cipher context. This must be bound to a key.
  *
  * \return \c 0 on success.
  * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on

include/mbedtls/cmac.h

@@ -45,7 +45,11 @@ extern "C" {
 #define MBEDTLS_AES_BLOCK_SIZE 16
 #define MBEDTLS_DES3_BLOCK_SIZE 8
 
-#if defined(MBEDTLS_AES_C)
+
+/* Although the CMAC module does not support ARIA or CAMELLIA, we adjust the value of
+ * MBEDTLS_CIPHER_BLKSIZE_MAX to reflect these ciphers.
+ * This is done to avoid confusion, given the general-purpose name of the macro. */
+#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)
 #define MBEDTLS_CIPHER_BLKSIZE_MAX 16 /**< The longest block used by CMAC is that of AES. */
 #else
 #define MBEDTLS_CIPHER_BLKSIZE_MAX 8 /**< The longest block used by CMAC is that of 3DES. */

include/mbedtls/pkcs12.h

@@ -79,6 +79,21 @@ int mbedtls_pkcs12_pbe_sha1_rc4_128(mbedtls_asn1_buf *pbe_params, int mode,
  * \brief PKCS12 Password Based function (encryption / decryption)
  * for cipher-based and mbedtls_md-based PBE's
  *
+ * \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
+ * be enabled at compile time.
+ *
+ * \warning When decrypting:
+ * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
+ * time, this function validates the CBC padding and returns
+ * #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
+ * invalid. Note that this can help active adversaries
+ * attempting to brute-forcing the password. Note also that
+ * there is no guarantee that an invalid password will be
+ * detected (the chances of a valid padding with a random
+ * password are about 1/255).
+ * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
+ * time, this function does not validate the CBC padding.
+ *
  * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
  * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
  * #MBEDTLS_PKCS12_PBE_DECRYPT
@@ -87,18 +102,77 @@ int mbedtls_pkcs12_pbe_sha1_rc4_128(mbedtls_asn1_buf *pbe_params, int mode,
  * \param pwd Latin1-encoded password used. This may only be \c NULL when
  * \p pwdlen is 0. No null terminator should be used.
  * \param pwdlen length of the password (may be 0)
- * \param input the input data
+ * \param data  the input data
  * \param len data length
- * \param output the output buffer
+ * \param output Output buffer.
+ * On success, it contains the encrypted or decrypted data,
+ * possibly followed by the CBC padding.
+ * On failure, the content is indeterminate.
+ * For decryption, there must be enough room for \p len
+ * bytes.
+ * For encryption, there must be enough room for
+ * \p len + 1 bytes, rounded up to the block size of
+ * the block cipher identified by \p pbe_params.
  *
  * \return 0 if successful, or a MBEDTLS_ERR_XXX code
  */
 int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
  mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
  const unsigned char *pwd, size_t pwdlen,
- const unsigned char *input, size_t len,
+ const unsigned char *data, size_t len,
  unsigned char *output);
 
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+
+/**
+ * \brief PKCS12 Password Based function (encryption / decryption)
+ * for cipher-based and mbedtls_md-based PBE's
+ *
+ *
+ * \warning When decrypting:
+ * - This function validates the CBC padding and returns
+ * #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
+ * invalid. Note that this can help active adversaries
+ * attempting to brute-forcing the password. Note also that
+ * there is no guarantee that an invalid password will be
+ * detected (the chances of a valid padding with a random
+ * password are about 1/255).
+ *
+ * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
+ * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
+ * #MBEDTLS_PKCS12_PBE_DECRYPT
+ * \param cipher_type the cipher used
+ * \param md_type the mbedtls_md used
+ * \param pwd Latin1-encoded password used. This may only be \c NULL when
+ * \p pwdlen is 0. No null terminator should be used.
+ * \param pwdlen length of the password (may be 0)
+ * \param data the input data
+ * \param len data length
+ * \param output Output buffer.
+ * On success, it contains the encrypted or decrypted data,
+ * possibly followed by the CBC padding.
+ * On failure, the content is indeterminate.
+ * For decryption, there must be enough room for \p len
+ * bytes.
+ * For encryption, there must be enough room for
+ * \p len + 1 bytes, rounded up to the block size of
+ * the block cipher identified by \p pbe_params.
+ * \param output_size size of output buffer.
+ * This must be big enough to accommodate for output plus
+ * padding data.
+ * \param output_len On success, length of actual data written to the output buffer.
+ *
+ * \return 0 if successful, or a MBEDTLS_ERR_XXX code
+ */
+int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
+ mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len);
+
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
 #endif /* MBEDTLS_ASN1_PARSE_C */
 
 /**

include/mbedtls/pkcs5.h

@@ -57,13 +57,36 @@ extern "C" {
 /**
  * \brief PKCS#5 PBES2 function
  *
+ * \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
+ * be enabled at compile time.
+ *
+ * \warning When decrypting:
+ * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
+ * time, this function validates the CBC padding and returns
+ * #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
+ * invalid. Note that this can help active adversaries
+ * attempting to brute-forcing the password. Note also that
+ * there is no guarantee that an invalid password will be
+ * detected (the chances of a valid padding with a random
+ * password are about 1/255).
+ * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
+ * time, this function does not validate the CBC padding.
+ *
  * \param pbe_params the ASN.1 algorithm parameters
- * \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT
+ * \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
  * \param pwd password to use when generating key
  * \param pwdlen length of password
  * \param data data to process
  * \param datalen length of data
- * \param output output buffer
+ * \param output Output buffer.
+ * On success, it contains the encrypted or decrypted data,
+ * possibly followed by the CBC padding.
+ * On failure, the content is indeterminate.
+ * For decryption, there must be enough room for \p datalen
+ * bytes.
+ * For encryption, there must be enough room for
+ * \p datalen + 1 bytes, rounded up to the block size of
+ * the block cipher identified by \p pbe_params.
  *
  * \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
  */
@@ -72,6 +95,49 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
  const unsigned char *data, size_t datalen,
  unsigned char *output);
 
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+
+/**
+ * \brief PKCS#5 PBES2 function
+ *
+ * \warning When decrypting:
+ * - This function validates the CBC padding and returns
+ * #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
+ * invalid. Note that this can help active adversaries
+ * attempting to brute-forcing the password. Note also that
+ * there is no guarantee that an invalid password will be
+ * detected (the chances of a valid padding with a random
+ * password are about 1/255).
+ *
+ * \param pbe_params the ASN.1 algorithm parameters
+ * \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
+ * \param pwd password to use when generating key
+ * \param pwdlen length of password
+ * \param data data to process
+ * \param datalen length of data
+ * \param output Output buffer.
+ * On success, it contains the decrypted data.
+ * On failure, the content is indetermidate.
+ * For decryption, there must be enough room for \p datalen
+ * bytes.
+ * For encryption, there must be enough room for
+ * \p datalen + 1 bytes, rounded up to the block size of
+ * the block cipher identified by \p pbe_params.
+ * \param output_size size of output buffer.
+ * This must be big enough to accommodate for output plus
+ * padding data.
+ * \param output_len On success, length of actual data written to the output buffer.
+ *
+ * \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails.
+ */
+int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
+ const unsigned char *pwd, size_t pwdlen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *output, size_t output_size,
+ size_t *output_len);
+
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
 #endif /* MBEDTLS_ASN1_PARSE_C */
 
 /**