Merge pull request #5859 from paul-elliott-arm/fix_ct_uninit_memory_access_2.28
Backport 2.28: Fix uninitialised memory access in constant time functions
diff --git a/ChangeLog.d/fix-x25519-program.txt b/ChangeLog.d/fix-x25519-program.txt
new file mode 100644
index 0000000..af60465
--- /dev/null
+++ b/ChangeLog.d/fix-x25519-program.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix a bug in x25519 example program where the removal of
+ MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
+ #3191.
diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index e280dbb..401ac39 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -564,7 +564,7 @@
* for example, with 96-bit random nonces, you should not encrypt
* more than 2**32 messages with the same key.
*
- * Note that for both stategies, sizes are measured in blocks and
+ * Note that for both strategies, sizes are measured in blocks and
* that an AES block is 16 bytes.
*
* \warning Upon return, \p stream_block contains sensitive data. Its
diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h
index 6e47272..d294c47 100644
--- a/include/mbedtls/aria.h
+++ b/include/mbedtls/aria.h
@@ -321,7 +321,7 @@
* for example, with 96-bit random nonces, you should not encrypt
* more than 2**32 messages with the same key.
*
- * Note that for both stategies, sizes are measured in blocks and
+ * Note that for both strategies, sizes are measured in blocks and
* that an ARIA block is 16 bytes.
*
* \warning Upon return, \p stream_block contains sensitive data. Its
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 9d2cff3..dd594c5 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -989,7 +989,7 @@
* generate yourself and that are supposed to be prime, then
* \p rounds should be at least the half of the security
* strength of the cryptographic algorithm. On the other hand,
- * if \p X is chosen uniformly or non-adversially (as is the
+ * if \p X is chosen uniformly or non-adversarially (as is the
* case when mbedtls_mpi_gen_prime calls this function), then
* \p rounds can be much lower.
*
diff --git a/include/mbedtls/blowfish.h b/include/mbedtls/blowfish.h
index 15a49c5..d5f8099 100644
--- a/include/mbedtls/blowfish.h
+++ b/include/mbedtls/blowfish.h
@@ -246,7 +246,7 @@
* The recommended way to ensure uniqueness is to use a message
* counter.
*
- * Note that for both stategies, sizes are measured in blocks and
+ * Note that for both strategies, sizes are measured in blocks and
* that a Blowfish block is 8 bytes.
*
* \warning Upon return, \p stream_block contains sensitive data. Its
diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h
index 925a623..d39d932 100644
--- a/include/mbedtls/camellia.h
+++ b/include/mbedtls/camellia.h
@@ -273,7 +273,7 @@
* encrypted: for example, with 96-bit random nonces, you should
* not encrypt more than 2**32 messages with the same key.
*
- * Note that for both stategies, sizes are measured in blocks and
+ * Note that for both strategies, sizes are measured in blocks and
* that a CAMELLIA block is \c 16 Bytes.
*
* \warning Upon return, \p stream_block contains sensitive data. Its
diff --git a/include/mbedtls/chachapoly.h b/include/mbedtls/chachapoly.h
index c4ec7b5..ed568bc 100644
--- a/include/mbedtls/chachapoly.h
+++ b/include/mbedtls/chachapoly.h
@@ -161,7 +161,7 @@
* \param ctx The ChaCha20-Poly1305 context. This must be initialized
* and bound to a key.
* \param nonce The nonce/IV to use for the message.
- * This must be a redable buffer of length \c 12 Bytes.
+ * This must be a readable buffer of length \c 12 Bytes.
* \param mode The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
* #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
*
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6acd9b1..1cd6eb6 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2918,7 +2918,7 @@
*
* Requires: MBEDTLS_MD_C
*
- * Uncomment to enable the HMAC_DRBG random number geerator.
+ * Uncomment to enable the HMAC_DRBG random number generator.
*/
#define MBEDTLS_HMAC_DRBG_C
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index 9effa44..64a0bcc 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -315,7 +315,7 @@
#if !defined(MBEDTLS_ECP_WINDOW_SIZE)
/*
* Maximum "window" size used for point multiplication.
- * Default: a point where higher memory usage yields disminishing performance
+ * Default: a point where higher memory usage yields diminishing performance
* returns.
* Minimum value: 2. Maximum value: 7.
*
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
index 1c39186..0186217 100644
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@@ -143,7 +143,7 @@
#define MBEDTLS_OID_AT_GIVEN_NAME MBEDTLS_OID_AT "\x2A" /**< id-at-givenName AttributeType:= {id-at 42} */
#define MBEDTLS_OID_AT_INITIALS MBEDTLS_OID_AT "\x2B" /**< id-at-initials AttributeType:= {id-at 43} */
#define MBEDTLS_OID_AT_GENERATION_QUALIFIER MBEDTLS_OID_AT "\x2C" /**< id-at-generationQualifier AttributeType:= {id-at 44} */
-#define MBEDTLS_OID_AT_UNIQUE_IDENTIFIER MBEDTLS_OID_AT "\x2D" /**< id-at-uniqueIdentifier AttributType:= {id-at 45} */
+#define MBEDTLS_OID_AT_UNIQUE_IDENTIFIER MBEDTLS_OID_AT "\x2D" /**< id-at-uniqueIdentifier AttributeType:= {id-at 45} */
#define MBEDTLS_OID_AT_DN_QUALIFIER MBEDTLS_OID_AT "\x2E" /**< id-at-dnQualifier AttributeType:= {id-at 46} */
#define MBEDTLS_OID_AT_PSEUDONYM MBEDTLS_OID_AT "\x41" /**< id-at-pseudonym AttributeType:= {id-at 65} */
diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h
index f3af3ac..cd112ab 100644
--- a/include/mbedtls/platform_util.h
+++ b/include/mbedtls/platform_util.h
@@ -198,7 +198,7 @@
*
* This macro has an empty expansion. It exists for documentation purposes:
* a #MBEDTLS_CHECK_RETURN_OPTIONAL annotation indicates that the function
- * has been analyzed for return-check usefuless, whereas the lack of
+ * has been analyzed for return-check usefulness, whereas the lack of
* an annotation indicates that the function has not been analyzed and its
* return-check usefulness is unknown.
*/
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index ca0c6e1..062df73 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -687,7 +687,7 @@
* mode being set to #MBEDTLS_RSA_PRIVATE and might instead
* return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
*
- * \param ctx The initnialized RSA context to use.
+ * \param ctx The initialized RSA context to use.
* \param f_rng The RNG function to use. This is needed for padding
* generation and must be provided.
* \param p_rng The RNG context to be passed to \p f_rng. This may
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 8c2d8f8..5064ec5 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1152,7 +1152,7 @@
#endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
- /** Callback to create & write a cookie for ClientHello veirifcation */
+ /** Callback to create & write a cookie for ClientHello verification */
int (*f_cookie_write)( void *, unsigned char **, unsigned char *,
const unsigned char *, size_t );
/** Callback to verify validity of a ClientHello cookie */
@@ -2498,7 +2498,7 @@
* successfully cached, return 1 otherwise.
*
* \param conf SSL configuration
- * \param p_cache parmater (context) for both callbacks
+ * \param p_cache parameter (context) for both callbacks
* \param f_get_cache session get callback
* \param f_set_cache session set callback
*/
@@ -2529,7 +2529,7 @@
/**
* \brief Load serialized session data into a session structure.
* On client, this can be used for loading saved sessions
- * before resuming them with mbedstls_ssl_set_session().
+ * before resuming them with mbedtls_ssl_set_session().
* On server, this can be used for alternative implementations
* of session cache or session tickets.
*
@@ -3508,7 +3508,7 @@
* \c mbedtls_ssl_get_record_expansion().
*
* \note For DTLS, it is also possible to set a limit for the total
- * size of daragrams passed to the transport layer, including
+ * size of datagrams passed to the transport layer, including
* record overhead, see \c mbedtls_ssl_set_mtu().
*
* \param conf SSL configuration
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 70a4e4d..0f2885a 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -107,7 +107,7 @@
typedef struct mbedtls_x509_san_other_name
{
/**
- * The type_id is an OID as deifned in RFC 5280.
+ * The type_id is an OID as defined in RFC 5280.
* To check the value of the type id, you should use
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
*/
@@ -979,7 +979,7 @@
* \param is_ca is this a CA certificate
* \param max_pathlen maximum length of certificate chains below this
* certificate (only for CA certificates, -1 is
- * inlimited)
+ * unlimited)
*
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
*/
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index 9019ca9..f261e01 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -60,7 +60,6 @@
#define PSA_WANT_ALG_CMAC 1
#define PSA_WANT_ALG_CFB 1
#define PSA_WANT_ALG_CHACHA20_POLY1305 1
-#define PSA_WANT_ALG_CMAC 1
#define PSA_WANT_ALG_CTR 1
#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
#define PSA_WANT_ALG_ECB_NO_PADDING 1
diff --git a/programs/pkey/ecdh_curve25519.c b/programs/pkey/ecdh_curve25519.c
index 67f1363..65b206a 100644
--- a/programs/pkey/ecdh_curve25519.c
+++ b/programs/pkey/ecdh_curve25519.c
@@ -34,12 +34,12 @@
#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
#endif /* MBEDTLS_PLATFORM_C */
-#if !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDH_LEGACY_CONTEXT) || \
+#if !defined(MBEDTLS_ECDH_C) || \
!defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C)
int main( void )
{
- mbedtls_printf( "MBEDTLS_ECDH_C and/or MBEDTLS_ECDH_LEGACY_CONTEXT and/or "
+ mbedtls_printf( "MBEDTLS_ECDH_C and/or "
"MBEDTLS_ECP_DP_CURVE25519_ENABLED and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C "
"not defined\n" );
@@ -51,6 +51,8 @@
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/ecdh.h"
+#include <string.h>
+
int main( int argc, char *argv[] )
{
@@ -59,8 +61,15 @@
mbedtls_ecdh_context ctx_cli, ctx_srv;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
- unsigned char cli_to_srv[32], srv_to_cli[32];
+ unsigned char cli_to_srv[36], srv_to_cli[33];
const char pers[] = "ecdh";
+
+ size_t srv_olen;
+ size_t cli_olen;
+ unsigned char secret_cli[32] = { 0 };
+ unsigned char secret_srv[32] = { 0 };
+ const unsigned char *p_cli_to_srv = cli_to_srv;
+
((void) argc);
((void) argv);
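Review bot: The new buffer sizes `cli_to_srv[36]` and `srv_to_cli[33]` are unexplained magic numbers; a reader has to work out why the former 32-byte buffers grew by 4 and by 1. A comment at the declarations would help, e.g. `/* ServerECDHParams: curve_type (1) + named_curve (2) + point length (1) + X25519 point (32) */` and `/* ClientECDHPublic: point length (1) + X25519 point (32) */`, assuming mbedtls_ecdh_make_params / mbedtls_ecdh_make_public emit the TLS encoding — confirm against ecdh.h. The enclosing main() continues past the end of the hunk.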
@@ -71,15 +80,17 @@
/*
* Initialize random number generation
*/
- mbedtls_printf( " . Seeding the random number generator..." );
+ mbedtls_printf( " . Seed the random number generator..." );
fflush( stdout );
mbedtls_entropy_init( &entropy );
- if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
- (const unsigned char *) pers,
- sizeof pers ) ) != 0 )
+ if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
+ &entropy,
+ (const unsigned char *) pers,
+ sizeof pers ) ) != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n",
+ ret );
goto exit;
}
@@ -88,28 +99,23 @@
/*
* Client: initialize context and generate keypair
*/
- mbedtls_printf( " . Setting up client context..." );
+ mbedtls_printf( " . Set up client context, generate EC key pair..." );
fflush( stdout );
- ret = mbedtls_ecp_group_load( &ctx_cli.grp, MBEDTLS_ECP_DP_CURVE25519 );
+ ret = mbedtls_ecdh_setup( &ctx_cli, MBEDTLS_ECP_DP_CURVE25519 );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_ecdh_setup returned %d\n", ret );
goto exit;
}
- ret = mbedtls_ecdh_gen_public( &ctx_cli.grp, &ctx_cli.d, &ctx_cli.Q,
- mbedtls_ctr_drbg_random, &ctr_drbg );
+ ret = mbedtls_ecdh_make_params( &ctx_cli, &cli_olen, cli_to_srv,
+ sizeof( cli_to_srv ),
+ mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ecdh_gen_public returned %d\n", ret );
- goto exit;
- }
-
- ret = mbedtls_mpi_write_binary( &ctx_cli.Q.X, cli_to_srv, 32 );
- if( ret != 0 )
- {
- mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_ecdh_make_params returned %d\n",
+ ret );
goto exit;
}
@@ -118,90 +124,70 @@
/*
* Server: initialize context and generate keypair
*/
- mbedtls_printf( " . Setting up server context..." );
+ mbedtls_printf( " . Server: read params, generate public key..." );
fflush( stdout );
- ret = mbedtls_ecp_group_load( &ctx_srv.grp, MBEDTLS_ECP_DP_CURVE25519 );
+ ret = mbedtls_ecdh_read_params( &ctx_srv, &p_cli_to_srv,
+ p_cli_to_srv + sizeof( cli_to_srv ) );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_ecdh_read_params returned %d\n",
+ ret );
goto exit;
}
- ret = mbedtls_ecdh_gen_public( &ctx_srv.grp, &ctx_srv.d, &ctx_srv.Q,
- mbedtls_ctr_drbg_random, &ctr_drbg );
+ ret = mbedtls_ecdh_make_public( &ctx_srv, &srv_olen, srv_to_cli,
+ sizeof( srv_to_cli ),
+ mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_ecdh_gen_public returned %d\n", ret );
- goto exit;
- }
-
- ret = mbedtls_mpi_write_binary( &ctx_srv.Q.X, srv_to_cli, 32 );
- if( ret != 0 )
- {
- mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_ecdh_make_public returned %d\n",
+ ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
- * Server: read peer's key and generate shared secret
+ * Client: read public key
*/
- mbedtls_printf( " . Server reading client key and computing secret..." );
+ mbedtls_printf( " . Client: read public key..." );
fflush( stdout );
- ret = mbedtls_mpi_lset( &ctx_srv.Qp.Z, 1 );
+ ret = mbedtls_ecdh_read_public( &ctx_cli, srv_to_cli,
+ sizeof( srv_to_cli ) );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret );
- goto exit;
- }
-
- ret = mbedtls_mpi_read_binary( &ctx_srv.Qp.X, cli_to_srv, 32 );
- if( ret != 0 )
- {
- mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret );
- goto exit;
- }
-
- ret = mbedtls_ecdh_compute_shared( &ctx_srv.grp, &ctx_srv.z,
- &ctx_srv.Qp, &ctx_srv.d,
- mbedtls_ctr_drbg_random, &ctr_drbg );
- if( ret != 0 )
- {
- mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_ecdh_read_public returned %d\n",
+ ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
- * Client: read peer's key and generate shared secret
+ * Calculate secrets
*/
- mbedtls_printf( " . Client reading server key and computing secret..." );
+ mbedtls_printf( " . Calculate secrets..." );
fflush( stdout );
- ret = mbedtls_mpi_lset( &ctx_cli.Qp.Z, 1 );
+ ret = mbedtls_ecdh_calc_secret( &ctx_cli, &cli_olen, secret_cli,
+ sizeof( secret_cli ),
+ mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_ecdh_calc_secret returned %d\n",
+ ret );
goto exit;
}
- ret = mbedtls_mpi_read_binary( &ctx_cli.Qp.X, srv_to_cli, 32 );
+ ret = mbedtls_ecdh_calc_secret( &ctx_srv, &srv_olen, secret_srv,
+ sizeof( secret_srv ),
+ mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
- mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret );
- goto exit;
- }
-
- ret = mbedtls_ecdh_compute_shared( &ctx_cli.grp, &ctx_cli.z,
- &ctx_cli.Qp, &ctx_cli.d,
- mbedtls_ctr_drbg_random, &ctr_drbg );
- if( ret != 0 )
- {
- mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_ecdh_calc_secret returned %d\n",
+ ret );
goto exit;
}
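Review bot: `mbedtls_ecdh_read_params` at the top of the hunk is given `p_cli_to_srv + sizeof( cli_to_srv )` as its end pointer and `mbedtls_ecdh_read_public` is given `sizeof( srv_to_cli )`, although the hunk already records the number of bytes actually produced in `cli_olen` and `srv_olen`. Passing the real lengths (`p_cli_to_srv + cli_olen` and `srv_olen`) models what a peer would receive on the wire and lets the parser reject a short or malformed message instead of silently reading the trailing buffer bytes. With the fixed-size buffers declared earlier both values are expected to coincide, so this is a robustness and example-quality point rather than a defect. main() starts and ends outside this hunk.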
@@ -210,13 +196,13 @@
/*
* Verification: are the computed secrets equal?
*/
- mbedtls_printf( " . Checking if both computed secrets are equal..." );
+ mbedtls_printf( " . Check if both calculated secrets are equal..." );
fflush( stdout );
- ret = mbedtls_mpi_cmp_mpi( &ctx_cli.z, &ctx_srv.z );
- if( ret != 0 )
+ ret = memcmp( secret_srv, secret_cli, srv_olen );
+ if( ret != 0 || ( cli_olen != srv_olen ) )
{
- mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret );
+ mbedtls_printf( " failed\n ! Shared secrets not equal.\n" );
goto exit;
}
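Review bot: `memcmp( secret_srv, secret_cli, srv_olen )` runs before the `cli_olen != srv_olen` check on the following line, so a length mismatch is only noticed after the comparison has already been done over the server-side length; reorder so the length check short-circuits: `if( cli_olen != srv_olen || memcmp( secret_srv, secret_cli, srv_olen ) != 0 )`. Both secret buffers are 32 bytes and each calc_secret call was bounded by its own buffer size, so this is not an out-of-bounds read here, but checking lengths before comparing contents is the pattern an example program should demonstrate. The shared secrets in `secret_cli` and `secret_srv` are key material that remains on the stack after this check; wiping them with `mbedtls_platform_zeroize` at the `exit:` label (outside this hunk) would match how the library itself treats sensitive buffers. main() ends outside this hunk.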