[zep noup] interface: mbedtls: align Mbed TLS headers to v3.6.5

TF-M holds a copy of Mbed TLS header files and prior to this commit they were aligned to Mbed TLS v3.6.3. This commit updates them to what's in release v3.6.5. This commit will be removed in the next TF-M release that includes Mbed TLS v3.6.5. Signed-off-by: Valerio Setti <vsetti@baylibre.com>

Author: valeriosetti

interface/include/mbedtls/bignum.h

@@ -12,6 +12,7 @@
 #include "mbedtls/private_access.h"
 
 #include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
 
 #include <stddef.h>
 #include <stdint.h>
@@ -928,7 +929,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
  * be relevant in applications like deterministic ECDSA.
  */
 int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /** Generate a random number uniformly in a range.
@@ -966,13 +967,14 @@ int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
 int mbedtls_mpi_random(mbedtls_mpi *X,
  mbedtls_mpi_sint min,
  const mbedtls_mpi *N,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
  * \brief Compute the greatest common divisor: G = gcd(A, B)
  *
  * \param G The destination MPI. This must point to an initialized MPI.
+ * This will always be positive or 0.
  * \param A The first operand. This must point to an initialized MPI.
  * \param B The second operand. This must point to an initialized MPI.
  *
@@ -987,10 +989,12 @@ int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A,
  * \brief Compute the modular inverse: X = A^-1 mod N
  *
  * \param X The destination MPI. This must point to an initialized MPI.
+ * The value returned on success will be between [1, N-1].
  * \param A The MPI to calculate the modular inverse of. This must point
- * to an initialized MPI.
+ * to an initialized MPI. This value can be negative, in which
+ * case a positive answer will still be returned in \p X.
  * \param N The base of the modular inversion. This must point to an
- * initialized MPI.
+ * initialized MPI and be greater than one.
  *
  * \return \c 0 if successful.
  * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
@@ -1030,7 +1034,7 @@ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
  * \return Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 /**
  * \brief Flags for mbedtls_mpi_gen_prime()
@@ -1063,7 +1067,7 @@ typedef enum {
  * \c 3 and #MBEDTLS_MPI_MAX_BITS.
  */
 int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 #if defined(MBEDTLS_SELF_TEST)

interface/include/mbedtls/build_info.h

@@ -26,16 +26,16 @@
  */
 #define MBEDTLS_VERSION_MAJOR 3
 #define MBEDTLS_VERSION_MINOR 6
-#define MBEDTLS_VERSION_PATCH 3
+#define MBEDTLS_VERSION_PATCH 5
 
 /**
  * The single version number has the following structure:
  * MMNNPP00
  * Major version | Minor version | Patch version
  */
-#define MBEDTLS_VERSION_NUMBER 0x03060300
-#define MBEDTLS_VERSION_STRING "3.6.3"
-#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.3"
+#define MBEDTLS_VERSION_NUMBER 0x03060500
+#define MBEDTLS_VERSION_STRING "3.6.5"
+#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.5"
 
 /* Macros for build-time platform detection */
 

interface/include/mbedtls/cipher.h

@@ -329,8 +329,15 @@ typedef struct mbedtls_cipher_context_t {
  /** Padding functions to use, if relevant for
  * the specific cipher mode.
  */
- void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen, size_t data_len);
- int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen, size_t *data_len);
+ void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen,
+ size_t data_len);
+ /* Report invalid-padding condition through the output parameter
+ * invalid_padding. To minimize changes in Mbed TLS 3.6, where this
+ * declaration is in a public header, use the public type size_t
+ * rather than the internal type mbedtls_ct_condition_t. */
+ int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen,
+ size_t *data_len,
+ size_t *invalid_padding);
 #endif
 
  /** Buffer for input that has not been processed yet. */
@@ -878,23 +885,24 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
  *
  * \note With non-AEAD ciphers, the order of calls for each message
  * is as follows:
- * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
- * 2. mbedtls_cipher_reset()
- * 3. mbedtls_cipher_update() one or more times
- * 4. mbedtls_cipher_finish()
+ * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce;
+ * 2. mbedtls_cipher_reset();
+ * 3. mbedtls_cipher_update() zero, one or more times;
+ * 4. mbedtls_cipher_finish_padded() (recommended for decryption
+ * if the mode uses padding) or mbedtls_cipher_finish().
  * .
  * This sequence can be repeated to encrypt or decrypt multiple
  * messages with the same key.
  *
  * \note With AEAD ciphers, the order of calls for each message
  * is as follows:
- * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
- * 2. mbedtls_cipher_reset()
- * 3. mbedtls_cipher_update_ad()
- * 4. mbedtls_cipher_update() one or more times
- * 5. mbedtls_cipher_finish()
+ * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce;
+ * 2. mbedtls_cipher_reset();
+ * 3. mbedtls_cipher_update_ad();
+ * 4. mbedtls_cipher_update() zero, one or more times;
+ * 5. mbedtls_cipher_finish() (or mbedtls_cipher_finish_padded());
  * 6. mbedtls_cipher_check_tag() (for decryption) or
- * mbedtls_cipher_write_tag() (for encryption).
+ *  mbedtls_cipher_write_tag() (for encryption).
  * .
  * This sequence can be repeated to encrypt or decrypt multiple
  * messages with the same key.
@@ -930,7 +938,8 @@ int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
  * many block-sized blocks of data as possible to output.
  * Any data that cannot be written immediately is either
  * added to the next block, or flushed when
- * mbedtls_cipher_finish() is called.
+ * mbedtls_cipher_finish() or mbedtls_cipher_finish_padded()
+ * is called.
  * Exception: For MBEDTLS_MODE_ECB, expects a single block
  * in size. For example, 16 Bytes for AES.
  *
@@ -964,30 +973,97 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx,
  * contained in it is padded to the size of
  * the last block, and written to the \p output buffer.
  *
+ * \warning This function reports invalid padding through an error
+ * code. Adversaries may be able to decrypt encrypted
+ * data if they can submit chosen ciphertexts and
+ * detect whether it has valid padding or not,
+ * either through direct observation or through a side
+ * channel such as timing. This is known as a
+ * padding oracle attack.
+ * Therefore applications that call this function for
+ * decryption with a cipher that involves padding
+ * should take care around error handling. Preferably,
+ * such applications should use
+ * mbedtls_cipher_finish_padded() instead of this function.
+ *
  * \param ctx The generic cipher context. This must be initialized and
  * bound to a key.
  * \param output The buffer to write data to. This needs to be a writable
  * buffer of at least block_size Bytes.
  * \param olen The length of the data written to the \p output buffer.
  * This may not be \c NULL.
+ * Note that when decrypting in a mode with padding,
+ * the actual output length is sensitive and may be
+ * used to mount a padding oracle attack (see warning
+ * above), although less efficiently than through
+ * the invalid-padding condition.
  *
  * \return \c 0 on success.
  * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
  * parameter-verification failure.
  * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
  * expecting a full block but not receiving one.
  * \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
- * while decrypting.
+ * while decrypting. Note that invalid-padding errors
+ * should be handled carefully; see the warning above.
  * \return A cipher-specific error code on failure.
  */
 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
  unsigned char *output, size_t *olen);
 
+/**
+ * \brief The generic cipher finalization function. If data still
+ * needs to be flushed from an incomplete block, the data
+ * contained in it is padded to the size of
+ * the last block, and written to the \p output buffer.
+ *
+ * \note This function is similar to mbedtls_cipher_finish().
+ * The only difference is that it reports invalid padding
+ * decryption differently, through the \p invalid_padding
+ * parameter rather than an error code.
+ * For encryption, and in modes without padding (including
+ * all authenticated modes), this function is identical
+ * to mbedtls_cipher_finish().
+ *
+ * \param[in,out] ctx The generic cipher context. This must be initialized and
+ * bound to a key.
+ * \param[out] output The buffer to write data to. This needs to be a writable
+ * buffer of at least block_size Bytes.
+ * \param[out] olen The length of the data written to the \p output buffer.
+ * This may not be \c NULL.
+ * Note that when decrypting in a mode with padding,
+ * the actual output length is sensitive and may be
+ * used to mount a padding oracle attack (see warning
+ * on mbedtls_cipher_finish()).
+ * \param[out] invalid_padding
+ * If this function returns \c 0 on decryption,
+ * \p *invalid_padding is \c 0 if the ciphertext was
+ * valid, and all-bits-one if the ciphertext had invalid
+ * padding.
+ * On encryption, or in a mode without padding (including
+ * all authenticated modes), \p *invalid_padding is \c 0
+ * on success.
+ * The value in \p *invalid_padding is unspecified if
+ * this function returns a nonzero status.
+ *
+ * \return \c 0 on success.
+ * Also \c 0 for decryption with invalid padding.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ * expecting a full block but not receiving one.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_finish_padded(mbedtls_cipher_context_t *ctx,
+ unsigned char *output, size_t *olen,
+ size_t *invalid_padding);
+
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 /**
  * \brief This function writes a tag for AEAD ciphers.
  * Currently supported with GCM and ChaCha20+Poly1305.
- * This must be called after mbedtls_cipher_finish().
+ * This must be called after mbedtls_cipher_finish()
+ * or mbedtls_cipher_finish_padded().
  *
  * \param ctx The generic cipher context. This must be initialized,
  * bound to a key, and have just completed a cipher
@@ -1006,7 +1082,8 @@ int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
 /**
  * \brief This function checks the tag for AEAD ciphers.
  * Currently supported with GCM and ChaCha20+Poly1305.
- * This must be called after mbedtls_cipher_finish().
+ * This must be called after mbedtls_cipher_finish()
+ * or mbedtls_cipher_finish_padded().
  *
  * \param ctx The generic cipher context. This must be initialized.
  * \param tag The buffer holding the tag. This must be a readable

interface/include/mbedtls/config_psa.h

@@ -34,7 +34,7 @@
  * before we deduce what built-ins are required. */
 #include "psa/crypto_adjust_config_key_pair_types.h"
 
-#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_CRYPTO_C) || defined(MCUBOOT_USE_PSA_CRYPTO)
 /* If we are implementing PSA crypto ourselves, then we want to enable the
  * required built-ins. Otherwise, PSA features will be provided by the server. */
 #include "mbedtls/config_adjust_legacy_from_psa.h"

interface/include/mbedtls/dhm.h

@@ -183,7 +183,7 @@ int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
  */
 int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
  unsigned char *output, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -250,7 +250,7 @@ int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
  */
 int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
  unsigned char *output, size_t olen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -281,7 +281,7 @@ int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
  */
 int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
  unsigned char *output, size_t output_size, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**

interface/include/mbedtls/ecdh.h

@@ -189,7 +189,7 @@ int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid);
  * \c MBEDTLS_MPI_XXX error code on failure.
  */
 int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -225,7 +225,7 @@ int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_
  */
 int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
  const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -290,7 +290,7 @@ void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx);
  */
 int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
  unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -372,7 +372,7 @@ int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
  */
 int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
  unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -428,7 +428,7 @@ int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
  */
 int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
  unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 #if defined(MBEDTLS_ECP_RESTARTABLE)