From 6b32ac74e7aceb24582b3127a8955317de08e8a8 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Mon, 1 Jul 2024 21:14:45 +0200
Subject: [PATCH 1/8] Document that MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not force HMAC MBEDTLS_PSA_HMAC_DRBG_MD_TYPE was documented and announced as causing the PSA DRBG to be HMAC_DRBG. However, that was never actually implemented: CTR_DRBG is prioritized if enabled. Since there is a simple workaround of disabling MBEDTLS_CTR_DRBG_C if you want to use HMAC_DRBG, we have decided to accept the actual behavior and fix the documentation.
Signed-off-by: Gilles Peskine
---
 ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt | 4 ++++
 include/mbedtls/config.h | 17 ++++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
diff --git a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
new file mode 100644
index 000000000000..079cd741dcf3
--- /dev/null
+++ b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
@@ -0,0 +1,4 @@
+Security
+ * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
+ not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
+ MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 4842fd494c9b..406ae3fc2da6 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -4020,11 +4020,18 @@
 * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
 * PSA crypto subsystem.
 *
- * If this option is unset:
- * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG.
- * - Otherwise, the PSA subsystem uses HMAC_DRBG with either
- * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and
- * on unspecified heuristics.
+ * If this option is unset, the library chooses a hash (currently between
+ * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and
+ * unspecified heuristics.
+ *
+ * \note The PSA crypto subsystem uses the first available mechanism amongst
+ * the following:
+ * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES
+ * if #MBEDTLS_CTR_DRBG_C is enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG.
+ *
+ * A future version may reevaluate the prioritization of DRBG mechanisms.
 */
 //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
From e752eaf73a930651facfafcc5ac373cb66574a75 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 2 Jul 2024 15:47:22 +0200
Subject: [PATCH 2/8] Force MBEDTLS_PSA_HMAC_DRBG_MD_TYPE based on CTR_DRBG If MBEDTLS_CTR_DRBG_C is enabled, force MBEDTLS_PSA_HMAC_DRBG_MD_TYPE to be disabled. This resolves the former inconsistency in builds where MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is explicitly defined but MBEDTLS_CTR_DRBG_C remains enabled, where PSA called the CTR_DRBG functions but other parts of the code based assumed that HMAC was in use, in particular error code conversions (leading to a test failure in test_suite_psa_crypto_init).
Signed-off-by: Gilles Peskine
---
 library/psa_crypto_random_impl.h | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/library/psa_crypto_random_impl.h b/library/psa_crypto_random_impl.h
index 6150fee120ff..d47e057f9b25 100644
--- a/library/psa_crypto_random_impl.h
+++ b/library/psa_crypto_random_impl.h
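Review bot: The new \note names the HMAC_DRBG fallback without saying which option provides it, and the option's own text still does not say what happens when it is defined while CTR_DRBG is enabled. The second patch in this series undefines MBEDTLS_PSA_HMAC_DRBG_MD_TYPE in psa_crypto_random_impl.h whenever MBEDTLS_CTR_DRBG_C is enabled, so a user who sets it in that configuration gets CTR_DRBG and the chosen hash is ignored; the public header should state this rather than leaving it to the changelog. Suggested wording for the last list item, ` * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG (requires #MBEDTLS_HMAC_DRBG_C).`, plus one line on the option itself, ` * \note This option has no effect when #MBEDTLS_CTR_DRBG_C is enabled.`.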
@@ -39,13 +39,10 @@ int mbedtls_psa_get_random(void *p_rng,
 #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
 /* Choose a DRBG based on configuration and availability */
-#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
-
-#include "mbedtls/hmac_drbg.h"
-
-#elif defined(MBEDTLS_CTR_DRBG_C)
+#if defined(MBEDTLS_CTR_DRBG_C)
 #include "mbedtls/ctr_drbg.h"
+#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE
 #elif defined(MBEDTLS_HMAC_DRBG_C)
@@ -67,9 +64,11 @@ int mbedtls_psa_get_random(void *p_rng,
 #error "No hash algorithm available for HMAC_DBRG."
 #endif
-#else
+#else /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+
 #error "No DRBG module available for the psa_crypto module."
-#endif
+
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
 #include "mbedtls/entropy.h"
From d9e16c48708380f6271264075d0ee82b7c29536e Mon Sep 17 00:00:00 2001
From: Gowtham Suresh Kumar
Date: Mon, 19 Aug 2024 13:22:35 +0100
Subject: [PATCH 3/8] Free allocated memory where methods were returning without freeing
Signed-off-by: Sam Berry
Signed-off-by: Gowtham Suresh Kumar
---
 library/psa_crypto_rsa.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
index 3c569b17db07..3e878ad7ed6b 100644
--- a/library/psa_crypto_rsa.c
+++ b/library/psa_crypto_rsa.c
@@ -215,16 +215,14 @@ psa_status_t mbedtls_psa_rsa_export_public_key(
 status = mbedtls_psa_rsa_load_representation(
 attributes->core.type, key_buffer, key_buffer_size, &rsa);
- if (status != PSA_SUCCESS) {
- return status;
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
+ rsa,
+ data,
+ data_size,
+ data_length);
 }
- status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
- rsa,
- data,
- data_size,
- data_length);
-
 mbedtls_rsa_free(rsa);
 mbedtls_free(rsa);
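Review bot: The new `#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE` under `#if defined(MBEDTLS_CTR_DRBG_C)` silently overrides a public configuration option with nothing at the point of use to say why; the reason given in the commit message (error-code conversion assumed HMAC_DRBG while the PSA core used CTR_DRBG) belongs in the code. Suggested comment above the #undef: `/* CTR_DRBG takes priority. Undefine the HMAC_DRBG hash option so that everything compiled with this header (e.g. error code conversion) agrees with the DRBG actually in use. */`. The override only reaches translation units that include this header after the configuration; whether any other code tests this macro without including it cannot be determined from the hunk. The `#if`/`#elif` chain continues past the end of the hunk.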
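Review bot: Both trailing comments added in the second hunk, on `#else` and on `#endif`, are written `/* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/` with no space before `*/`, unlike `/* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */` in the same header; write them as `/* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */`. The label on the `#endif` is also easy to misread: that `#endif` closes the whole chain opened by `#if defined(MBEDTLS_CTR_DRBG_C)`, not just the `#else` branch, so naming the chain head there (or the condition the whole chain selects on) would match the usual convention for `#endif` comments.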
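Review bot: After this change `mbedtls_rsa_free(rsa)` and `mbedtls_free(rsa)` run even when `mbedtls_psa_rsa_load_representation` failed, so the fix is only correct if that function leaves `rsa` either NULL or pointing at an initialized context on every error path; neither that contract nor the initialization of `rsa` is visible in the hunk. Worth a comment on the load call so the dependency is explicit: `/* On failure rsa may still have been allocated; it is released below. */`. Any other caller of mbedtls_psa_rsa_load_representation in this file that returns early on failure needs the same treatment (the series changes sign_hash; no other caller is visible here). mbedtls_psa_rsa_export_public_key begins before the hunk.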
@@ -286,6 +284,7 @@ psa_status_t mbedtls_psa_rsa_generate_key(
 (unsigned int) attributes->core.bits,
 exponent);
 if (ret != 0) {
+ mbedtls_rsa_free(&rsa);
 return mbedtls_to_psa_error(ret);
 }
@@ -354,7 +353,7 @@ psa_status_t mbedtls_psa_rsa_sign_hash(
 key_buffer_size,
 &rsa);
 if (status != PSA_SUCCESS) {
- return status;
+ goto exit;
 }
 status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
From 578f66e5f0c2a24c71a2205f3c56655361d8d1b0 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 21 Aug 2024 22:03:16 +0200
Subject: [PATCH 4/8] Changelog entry for the RSA memory leak
Signed-off-by: Gilles Peskine
---
 .../mbedtls_psa_rsa_load_representation-memory_leak.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
diff --git a/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
new file mode 100644
index 000000000000..dba25af611cc
--- /dev/null
+++ b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix a memory leak that could occur when failing to process an RSA
+ key through some PSA functions due to low memory conditions.
From 9f7cc4c14f58e63f1004a1468879f56429b2f24b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 26 Aug 2024 12:44:41 +0200
Subject: [PATCH 5/8] Bump version to 2.28.9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Soversions unchanged.
Signed-off-by: Manuel Pégourié-Gonnard
---
 doxygen/input/doc_mainpage.h | 2 +-
 doxygen/mbedtls.doxyfile | 2 +-
 include/mbedtls/version.h | 8 ++++----
 library/CMakeLists.txt | 6 +++---
 pkgconfig/CMakeLists.txt | 2 +-
 tests/suites/test_suite_version.data | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index 7a240216be33..d7c64637f53d 100644
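Review bot: `goto exit;` in mbedtls_psa_rsa_sign_hash now sends a failed `mbedtls_psa_rsa_load_representation` through the cleanup at `exit:`, which lies outside the hunk, so that cleanup has to tolerate whatever the failed load leaves in `rsa` (NULL or a partially built context) exactly as export_public_key now does. If `exit:` frees `rsa` unconditionally, a one-line comment there, `/* rsa may be NULL if loading the key failed */`, would record that expectation next to the code that relies on it. In the generate_key hunk, `mbedtls_rsa_free(&rsa)` before returning the converted error is the right place for the release, since `rsa` appears to be a local object there (`&rsa`). Both function bodies continue outside the view.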
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -10,7 +10,7 @@
 */
 /**
- * @mainpage Mbed TLS v2.28.8 API Documentation
+ * @mainpage Mbed TLS v2.28.9 API Documentation
 *
 * This documentation describes the internal structure of Mbed TLS. It was
 * automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 971a8b2af54b..b75597d10e02 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -1,4 +1,4 @@
-PROJECT_NAME = "Mbed TLS v2.28.8"
+PROJECT_NAME = "Mbed TLS v2.28.9"
 OUTPUT_DIRECTORY = ../apidoc/
 FULL_PATH_NAMES = NO
 OPTIMIZE_OUTPUT_FOR_C = YES
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index bbe76b173929..66998bf560f1 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -26,16 +26,16 @@
 */
 #define MBEDTLS_VERSION_MAJOR 2
 #define MBEDTLS_VERSION_MINOR 28
-#define MBEDTLS_VERSION_PATCH 8
+#define MBEDTLS_VERSION_PATCH 9
 /**
 * The single version number has the following structure:
 * MMNNPP00
 * Major version | Minor version | Patch version
 */
-#define MBEDTLS_VERSION_NUMBER 0x021C0800
-#define MBEDTLS_VERSION_STRING "2.28.8"
-#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.8"
+#define MBEDTLS_VERSION_NUMBER 0x021C0900
+#define MBEDTLS_VERSION_STRING "2.28.9"
+#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.9"
 #if defined(MBEDTLS_VERSION_C)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index fc0950a2cb0a..8374979ecaae 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -206,15 +206,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
 if(USE_SHARED_MBEDTLS_LIBRARY)
 set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
 add_library(${mbedcrypto_target} SHARED ${src_crypto})
- set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.8 SOVERSION 7)
+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.9 SOVERSION 7)
 target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
 add_library(${mbedx509_target} SHARED ${src_x509})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.8 SOVERSION 1)
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.9 SOVERSION 1)
 target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
 add_library(${mbedtls_target} SHARED ${src_tls})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.8 SOVERSION 14)
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.9 SOVERSION 14)
 target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
 endif(USE_SHARED_MBEDTLS_LIBRARY)
diff --git a/pkgconfig/CMakeLists.txt b/pkgconfig/CMakeLists.txt
index 40ef9fd1582a..158f9a84bdd4 100644
--- a/pkgconfig/CMakeLists.txt
+++ b/pkgconfig/CMakeLists.txt
@@ -9,7 +9,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
 set(PKGCONFIG_PROJECT_HOMEPAGE_URL "https://www.trustedfirmware.org/projects/mbed-tls/")
 # Following the conventsion for DESCRIPTION and HOMEPAGE_URL, VERSION wasn't added until 3.0 and depends on policy CMP0048
- set(PKGCONFIG_VERSION 2.28.8)
+ set(PKGCONFIG_VERSION 2.28.9)
 configure_file(mbedcrypto.pc.in mbedcrypto.pc @ONLY)
 install(FILES
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 148aa463dc43..fa1999af2f38 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
 Check compile time library version
-check_compiletime_version:"2.28.8"
+check_compiletime_version:"2.28.9"
 Check runtime library version
-check_runtime_version:"2.28.8"
+check_runtime_version:"2.28.9"
 Check for MBEDTLS_VERSION_C
 check_feature:"MBEDTLS_VERSION_C":0
From c0743dd5c6ebddcc1cab1c92e8d74ef013d55fa8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 26 Aug 2024 12:48:10 +0200
Subject: [PATCH 6/8] Assemble ChangeLog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 ChangeLog | 23 +++++++++++++++++++
 ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt | 4 ----
 ChangeLog.d/build_without_check_config.txt | 3 ---
 ...nation_warning_messages_for_GNU_SOURCE.txt | 5 ----
 .../fix-secure-element-key-creation.txt | 5 ----
 ChangeLog.d/mbedtls_psa_register_se_key.txt | 3 ---
 ...sa_rsa_load_representation-memory_leak.txt | 3 ---
 7 files changed, 23 insertions(+), 23 deletions(-)
 delete mode 100644 ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
 delete mode 100644 ChangeLog.d/build_without_check_config.txt
 delete mode 100644 ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt
 delete mode 100644 ChangeLog.d/fix-secure-element-key-creation.txt
 delete mode 100644 ChangeLog.d/mbedtls_psa_register_se_key.txt
 delete mode 100644 ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
diff --git a/ChangeLog b/ChangeLog
index 4df6a665346b..f2c9db3f5b10 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,28 @@
 Mbed TLS ChangeLog (Sorted per branch, date)
+= Mbed TLS 2.28.9 branch released 2024-08-30
+
+Security
+ * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
+ not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
+ MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
+
+Bugfix
+ * Fix the build in some configurations when check_config.h is not included.
+ Fix #9152.
+ * Fix issue of redefinition warning messages for _GNU_SOURCE in
+ entropy_poll.c and sha_256.c. There was a build warning during
+ building for linux platform.
+ Resolves #9026
+ * Fix error handling when creating a key in a dynamic secure element
+ (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
+ the creation could return PSA_SUCCESS but using or destroying the key
+ would not work. Fixes #8537.
+ * Fix a memory leak that could occur when failing to process an RSA
+ key through some PSA functions due to low memory conditions.
+ * Document and enforce the limitation of mbedtls_psa_register_se_key()
+ to persistent keys. Resolves #9253.
+
 = Mbed TLS 2.28.8 branch released 2024-03-28
 Features
diff --git a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
deleted file mode 100644
index 079cd741dcf3..000000000000
--- a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Security
- * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
- not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
- MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
diff --git a/ChangeLog.d/build_without_check_config.txt b/ChangeLog.d/build_without_check_config.txt
deleted file mode 100644
index b7f47667cf33..000000000000
--- a/ChangeLog.d/build_without_check_config.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix the build in some configurations when check_config.h is not included.
- Fix #9152.
diff --git a/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt b/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt
deleted file mode 100644
index b5c26505c2b6..000000000000
--- a/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix issue of redefinition warning messages for _GNU_SOURCE in
- entropy_poll.c and sha_256.c. There was a build warning during
- building for linux platform.
- Resolves #9026
diff --git a/ChangeLog.d/fix-secure-element-key-creation.txt b/ChangeLog.d/fix-secure-element-key-creation.txt
deleted file mode 100644
index 23a46c068d1b..000000000000
--- a/ChangeLog.d/fix-secure-element-key-creation.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Bugfix
- * Fix error handling when creating a key in a dynamic secure element
- (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
- the creation could return PSA_SUCCESS but using or destroying the key
- would not work. Fixes #8537.
diff --git a/ChangeLog.d/mbedtls_psa_register_se_key.txt b/ChangeLog.d/mbedtls_psa_register_se_key.txt
deleted file mode 100644
index 2fc2751ac03f..000000000000
--- a/ChangeLog.d/mbedtls_psa_register_se_key.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Document and enforce the limitation of mbedtls_psa_register_se_key()
- to persistent keys. Resolves #9253.
diff --git a/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
deleted file mode 100644
index dba25af611cc..000000000000
--- a/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Bugfix
- * Fix a memory leak that could occur when failing to process an RSA
- key through some PSA functions due to low memory conditions.
From 2cb0cc26a466bcbf0d552e32851ee8cb615420d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 26 Aug 2024 12:49:28 +0200
Subject: [PATCH 7/8] Update BRANCHES.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 BRANCHES.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/BRANCHES.md b/BRANCHES.md
index bcceda883a53..9d5d7793457f 100644
--- a/BRANCHES.md
+++ b/BRANCHES.md
@@ -107,9 +107,9 @@ The following branches are currently maintained:
 - [`development`](https://github.com/Mbed-TLS/mbedtls/)
 - [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6)
 maintained until March 2027, see
- .
+ .
 - [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
 maintained until the end of 2024, see
- .
+ .
 Users are urged to always use the latest version of a maintained branch.
From c45a5e881d0ea5c5fd42bd0cd8350830c5f3b5ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 29 Aug 2024 10:02:39 +0200
Subject: [PATCH 8/8] Add CVE ID to the ChangeLog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index f2c9db3f5b10..d36ff4e4a88d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,7 @@ Security
 * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
 not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
 MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
+ CVE-2024-45157
 Bugfix
 * Fix the build in some configurations when check_config.h is not included.