Merge pull request #4898 from mstarzyk-mobica/disable_defaults_sha1
Remove MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES in 2.28
diff --git a/ChangeLog.d/psa_cipher_update_ecp.txt b/ChangeLog.d/psa_cipher_update_ecp.txt
new file mode 100644
index 0000000..1c3fbc6
--- /dev/null
+++ b/ChangeLog.d/psa_cipher_update_ecp.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
diff --git a/library/pkparse.c b/library/pkparse.c
index 3222ca2..535ed70 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -1380,8 +1380,11 @@
}
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
- if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
+ ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen );
+ if( ret == 0 )
+ {
return( 0 );
+ }
mbedtls_pk_free( pk );
mbedtls_pk_init( pk );
diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c
index 2213ad0..6c4150b 100644
--- a/library/psa_crypto_cipher.c
+++ b/library/psa_crypto_cipher.c
@@ -258,16 +258,34 @@
iv, iv_length ) ) );
}
-/* Process input for which the algorithm is set to ECB mode. This requires
- * manual processing, since the PSA API is defined as being able to process
- * arbitrary-length calls to psa_cipher_update() with ECB mode, but the
- * underlying mbedtls_cipher_update only takes full blocks. */
+/** Process input for which the algorithm is set to ECB mode.
+ *
+ * This requires manual processing, since the PSA API is defined as being
+ * able to process arbitrary-length calls to psa_cipher_update() with ECB mode,
+ * but the underlying mbedtls_cipher_update only takes full blocks.
+ *
+ * \param ctx The mbedtls cipher context to use. It must have been
+ * set up for ECB.
+ * \param[in] input The input plaintext or ciphertext to process.
+ * \param input_length The number of bytes to process from \p input.
+ * This does not need to be aligned to a block boundary.
+ * If there is a partial block at the end of the input,
+ * it is stored in \p ctx for future processing.
+ * \param output The buffer where the output is written. It must be
+ * at least `BS * floor((p + input_length) / BS)` bytes
+ * long, where `p` is the number of bytes in the
+ * unprocessed partial block in \p ctx (with
+ * `0 <= p <= BS - 1`) and `BS` is the block size.
+ * \param output_length On success, the number of bytes written to \p output.
+ * \c 0 on error.
+ *
+ * \return #PSA_SUCCESS or an error from a hardware accelerator
+ */
static psa_status_t psa_cipher_update_ecb(
mbedtls_cipher_context_t *ctx,
const uint8_t *input,
size_t input_length,
uint8_t *output,
- size_t output_size,
size_t *output_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@@ -307,7 +325,6 @@
goto exit;
output += internal_output_length;
- output_size -= internal_output_length;
*output_length += internal_output_length;
ctx->unprocessed_len = 0;
}
@@ -328,7 +345,6 @@
input += block_size;
output += internal_output_length;
- output_size -= internal_output_length;
*output_length += internal_output_length;
}
@@ -383,7 +399,6 @@
input,
input_length,
output,
- output_size,
output_length );
}
else