Merge pull request #1284 from mpg/mbedtls-2.28.9rc0-pr

Mbedtls 2.28.9rc0 pr DO NOT MERGE
David Horstmann 2024-08-29 15:24:32 +01:00 committed by GitHub
commit 5e146adef6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 64 additions and 51 deletions


@ -107,9 +107,9 @@ The following branches are currently maintained:
- [`development`](https://github.com/Mbed-TLS/mbedtls/) - [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6) - [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6)
maintained until March 2027, see maintained until March 2027, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0>. <https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.1>.
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28) - [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until the end of 2024, see maintained until the end of 2024, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.8>. <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.9>.
Users are urged to always use the latest version of a maintained branch. Users are urged to always use the latest version of a maintained branch.


@ -1,5 +1,29 @@
Mbed TLS ChangeLog (Sorted per branch, date) Mbed TLS ChangeLog (Sorted per branch, date)
= Mbed TLS 2.28.9 branch released 2024-08-30
Security
* Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
CVE-2024-45157
Bugfix
* Fix the build in some configurations when check_config.h is not included.
Fix #9152.
* Fix issue of redefinition warning messages for _GNU_SOURCE in
entropy_poll.c and sha_256.c. There was a build warning during
building for linux platform.
Resolves #9026
* Fix error handling when creating a key in a dynamic secure element
(feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
the creation could return PSA_SUCCESS but using or destroying the key
would not work. Fixes #8537.
* Fix a memory leak that could occur when failing to process an RSA
key through some PSA functions due to low memory conditions.
* Document and enforce the limitation of mbedtls_psa_register_se_key()
to persistent keys. Resolves #9253.
= Mbed TLS 2.28.8 branch released 2024-03-28 = Mbed TLS 2.28.8 branch released 2024-03-28
Features Features


@ -1,3 +0,0 @@
Bugfix
* Fix the build in some configurations when check_config.h is not included.
Fix #9152.


@ -1,5 +0,0 @@
Bugfix
* Fix issue of redefinition warning messages for _GNU_SOURCE in
entropy_poll.c and sha_256.c. There was a build warning during
building for linux platform.
Resolves #9026


@ -1,5 +0,0 @@
Bugfix
* Fix error handling when creating a key in a dynamic secure element
(feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
the creation could return PSA_SUCCESS but using or destroying the key
would not work. Fixes #8537.


@ -1,3 +0,0 @@
Bugfix
* Document and enforce the limitation of mbedtls_psa_register_se_key()
to persistent keys. Resolves #9253.


@ -10,7 +10,7 @@
*/ */
/** /**
* @mainpage Mbed TLS v2.28.8 API Documentation * @mainpage Mbed TLS v2.28.9 API Documentation
* *
* This documentation describes the internal structure of Mbed TLS. It was * This documentation describes the internal structure of Mbed TLS. It was
* automatically generated from specially formatted comment blocks in * automatically generated from specially formatted comment blocks in


@ -1,4 +1,4 @@
PROJECT_NAME = "Mbed TLS v2.28.8" PROJECT_NAME = "Mbed TLS v2.28.9"
OUTPUT_DIRECTORY = ../apidoc/ OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES OPTIMIZE_OUTPUT_FOR_C = YES


@ -4020,11 +4020,18 @@
* Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
* PSA crypto subsystem. * PSA crypto subsystem.
* *
* If this option is unset: * If this option is unset, the library chooses a hash (currently between
* - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG. * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and
* - Otherwise, the PSA subsystem uses HMAC_DRBG with either * unspecified heuristics.
* #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and *
* on unspecified heuristics. * \note The PSA crypto subsystem uses the first available mechanism amongst
* the following:
* - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled;
* - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES
* if #MBEDTLS_CTR_DRBG_C is enabled;
* - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG.
*
* A future version may reevaluate the prioritization of DRBG mechanisms.
*/ */
//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
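Review bot: The rewritten comment still opens with "Use HMAC_DRBG with the specified hash algorithm", and nothing on the new side says outright that defining MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not by itself select HMAC_DRBG. A reader has to infer that from the ordering in the `\note`, and that misreading is what the ChangeLog entry for CVE-2024-45157 on this page describes. I would add an explicit line to the note, for example `* \warning This option only takes effect when both #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and #MBEDTLS_CTR_DRBG_C are disabled.` The comment block begins above the hunk, so its opening lines are not fully visible here.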


@ -26,16 +26,16 @@
*/ */
#define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 28 #define MBEDTLS_VERSION_MINOR 28
#define MBEDTLS_VERSION_PATCH 8 #define MBEDTLS_VERSION_PATCH 9
/** /**
* The single version number has the following structure: * The single version number has the following structure:
* MMNNPP00 * MMNNPP00
* Major version | Minor version | Patch version * Major version | Minor version | Patch version
*/ */
#define MBEDTLS_VERSION_NUMBER 0x021C0800 #define MBEDTLS_VERSION_NUMBER 0x021C0900
#define MBEDTLS_VERSION_STRING "2.28.8" #define MBEDTLS_VERSION_STRING "2.28.9"
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.8" #define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.9"
#if defined(MBEDTLS_VERSION_C) #if defined(MBEDTLS_VERSION_C)


@ -206,15 +206,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR}) set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto}) add_library(${mbedcrypto_target} SHARED ${src_crypto})
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.8 SOVERSION 7) set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.9 SOVERSION 7)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs}) target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
add_library(${mbedx509_target} SHARED ${src_x509}) add_library(${mbedx509_target} SHARED ${src_x509})
set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.8 SOVERSION 1) set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.9 SOVERSION 1)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target}) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls}) add_library(${mbedtls_target} SHARED ${src_tls})
set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.8 SOVERSION 14) set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.9 SOVERSION 14)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY) endif(USE_SHARED_MBEDTLS_LIBRARY)


@ -39,13 +39,10 @@ int mbedtls_psa_get_random(void *p_rng,
#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
/* Choose a DRBG based on configuration and availability */ /* Choose a DRBG based on configuration and availability */
#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) #if defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/hmac_drbg.h"
#elif defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/ctr_drbg.h" #include "mbedtls/ctr_drbg.h"
#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE
#elif defined(MBEDTLS_HMAC_DRBG_C) #elif defined(MBEDTLS_HMAC_DRBG_C)
@ -67,9 +64,11 @@ int mbedtls_psa_get_random(void *p_rng,
#error "No hash algorithm available for HMAC_DBRG." #error "No hash algorithm available for HMAC_DBRG."
#endif #endif
#else #else /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
#error "No DRBG module available for the psa_crypto module." #error "No DRBG module available for the psa_crypto module."
#endif
#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
#include "mbedtls/entropy.h" #include "mbedtls/entropy.h"
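Review bot: With `MBEDTLS_CTR_DRBG_C` now tested first, the `#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE` in the CTR_DRBG branch silently drops a setting the integrator made on purpose, so a build that asked for HMAC_DRBG gets CTR_DRBG with no diagnostic. Since that silent mismatch is what the ChangeLog records under CVE-2024-45157, a build-time signal would help integrators notice it. One option is to put `#warning "MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is ignored because MBEDTLS_CTR_DRBG_C is enabled"` before the `#undef`, inside `#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)` and behind whatever warning opt-in the project uses (not visible here). At minimum the `#undef` line should carry a comment such as `/* ignored: CTR_DRBG takes priority over HMAC_DRBG */`. As a style point, the context line `#error "No hash algorithm available for HMAC_DBRG."` misspells HMAC_DRBG, and the two new trailing comments lack a space before `*/`; the conditional chain itself extends beyond both hunks.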


@ -215,16 +215,14 @@ psa_status_t mbedtls_psa_rsa_export_public_key(
status = mbedtls_psa_rsa_load_representation( status = mbedtls_psa_rsa_load_representation(
attributes->core.type, key_buffer, key_buffer_size, &rsa); attributes->core.type, key_buffer, key_buffer_size, &rsa);
if (status != PSA_SUCCESS) { if (status == PSA_SUCCESS) {
return status; status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
rsa,
data,
data_size,
data_length);
} }
status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
rsa,
data,
data_size,
data_length);
mbedtls_rsa_free(rsa); mbedtls_rsa_free(rsa);
mbedtls_free(rsa); mbedtls_free(rsa);
@ -286,6 +284,7 @@ psa_status_t mbedtls_psa_rsa_generate_key(
(unsigned int) attributes->core.bits, (unsigned int) attributes->core.bits,
exponent); exponent);
if (ret != 0) { if (ret != 0) {
mbedtls_rsa_free(&rsa);
return mbedtls_to_psa_error(ret); return mbedtls_to_psa_error(ret);
} }
@ -354,7 +353,7 @@ psa_status_t mbedtls_psa_rsa_sign_hash(
key_buffer_size, key_buffer_size,
&rsa); &rsa);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return status; goto exit;
} }
status = psa_rsa_decode_md_type(alg, hash_length, &md_alg); status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
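Review bot: In the first hunk the cleanup `mbedtls_rsa_free(rsa); mbedtls_free(rsa);` is now reached after `mbedtls_psa_rsa_load_representation()` has failed, so its safety depends on `rsa` being initialised to NULL at its declaration and on the loader leaving it either NULL or pointing at an allocated context. Both of those are outside the hunk. I would document that contract at the cleanup, e.g. `/* rsa is NULL or an allocated context here, even if loading failed; both calls are expected to accept NULL. */`, after confirming it against the loader. The same applies to the new `goto exit` in `mbedtls_psa_rsa_sign_hash()`, whose `exit:` label is not visible. None of the file sections on this page adds a test that forces a failure during key loading, so the leak fix appears not to be covered by the suite and is worth a follow-up.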


@ -9,7 +9,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
set(PKGCONFIG_PROJECT_HOMEPAGE_URL "https://www.trustedfirmware.org/projects/mbed-tls/") set(PKGCONFIG_PROJECT_HOMEPAGE_URL "https://www.trustedfirmware.org/projects/mbed-tls/")
# Following the conventsion for DESCRIPTION and HOMEPAGE_URL, VERSION wasn't added until 3.0 and depends on policy CMP0048 # Following the conventsion for DESCRIPTION and HOMEPAGE_URL, VERSION wasn't added until 3.0 and depends on policy CMP0048
set(PKGCONFIG_VERSION 2.28.8) set(PKGCONFIG_VERSION 2.28.9)
configure_file(mbedcrypto.pc.in mbedcrypto.pc @ONLY) configure_file(mbedcrypto.pc.in mbedcrypto.pc @ONLY)
install(FILES install(FILES


@ -1,8 +1,8 @@
Check compile time library version Check compile time library version
check_compiletime_version:"2.28.8" check_compiletime_version:"2.28.9"
Check runtime library version Check runtime library version
check_runtime_version:"2.28.8" check_runtime_version:"2.28.9"
Check for MBEDTLS_VERSION_C Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0 check_feature:"MBEDTLS_VERSION_C":0