[zep noup] interface: mbedtls: align Mbed TLS header files to v3.6.5

interface/include/mbedtls/bignum.h

@@ -12,6 +12,7 @@
 #include "mbedtls/private_access.h"
 
 #include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
 
 #include <stddef.h>
 #include <stdint.h>
@@ -928,7 +929,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
  * be relevant in applications like deterministic ECDSA.
  */
 int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /** Generate a random number uniformly in a range.
@@ -966,13 +967,14 @@ int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
 int mbedtls_mpi_random(mbedtls_mpi *X,
  mbedtls_mpi_sint min,
  const mbedtls_mpi *N,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
  * \brief Compute the greatest common divisor: G = gcd(A, B)
  *
  * \param G The destination MPI. This must point to an initialized MPI.
+ * This will always be positive or 0.
  * \param A The first operand. This must point to an initialized MPI.
  * \param B The second operand. This must point to an initialized MPI.
  *
@@ -987,10 +989,12 @@ int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A,
  * \brief Compute the modular inverse: X = A^-1 mod N
  *
  * \param X The destination MPI. This must point to an initialized MPI.
+ * The value returned on success will be between [1, N-1].
  * \param A The MPI to calculate the modular inverse of. This must point
- * to an initialized MPI.
+ * to an initialized MPI. This value can be negative, in which
+ * case a positive answer will still be returned in \p X.
  * \param N The base of the modular inversion. This must point to an
- * initialized MPI.
+ * initialized MPI and be greater than one.
  *
  * \return \c 0 if successful.
  * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
@@ -1030,7 +1034,7 @@ int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
  * \return Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 /**
  * \brief Flags for mbedtls_mpi_gen_prime()
@@ -1063,7 +1067,7 @@ typedef enum {
  * \c 3 and #MBEDTLS_MPI_MAX_BITS.
  */
 int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 #if defined(MBEDTLS_SELF_TEST)

interface/include/mbedtls/build_info.h

@@ -26,16 +26,16 @@
  */
 #define MBEDTLS_VERSION_MAJOR 3
 #define MBEDTLS_VERSION_MINOR 6
-#define MBEDTLS_VERSION_PATCH 3
+#define MBEDTLS_VERSION_PATCH 5
 
 /**
  * The single version number has the following structure:
  * MMNNPP00
  * Major version | Minor version | Patch version
  */
-#define MBEDTLS_VERSION_NUMBER 0x03060300
-#define MBEDTLS_VERSION_STRING "3.6.3"
-#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.3"
+#define MBEDTLS_VERSION_NUMBER 0x03060500
+#define MBEDTLS_VERSION_STRING "3.6.5"
+#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.5"
 
 /* Macros for build-time platform detection */
 

interface/include/mbedtls/cipher.h

@@ -329,8 +329,15 @@ typedef struct mbedtls_cipher_context_t {
  /** Padding functions to use, if relevant for
  * the specific cipher mode.
  */
- void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen, size_t data_len);
- int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen, size_t *data_len);
+ void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen,
+ size_t data_len);
+ /* Report invalid-padding condition through the output parameter
+ * invalid_padding. To minimize changes in Mbed TLS 3.6, where this
+ * declaration is in a public header, use the public type size_t
+ * rather than the internal type mbedtls_ct_condition_t. */
+ int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen,
+ size_t *data_len,
+ size_t *invalid_padding);
 #endif
 
  /** Buffer for input that has not been processed yet. */
@@ -878,23 +885,24 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
  *
  * \note With non-AEAD ciphers, the order of calls for each message
  * is as follows:
- * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
- * 2. mbedtls_cipher_reset()
- * 3. mbedtls_cipher_update() one or more times
- * 4. mbedtls_cipher_finish()
+ * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce;
+ * 2. mbedtls_cipher_reset();
+ * 3. mbedtls_cipher_update() zero, one or more times;
+ * 4. mbedtls_cipher_finish_padded() (recommended for decryption
+ * if the mode uses padding) or mbedtls_cipher_finish().
  * .
  * This sequence can be repeated to encrypt or decrypt multiple
  * messages with the same key.
  *
  * \note With AEAD ciphers, the order of calls for each message
  * is as follows:
- * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
- * 2. mbedtls_cipher_reset()
- * 3. mbedtls_cipher_update_ad()
- * 4. mbedtls_cipher_update() one or more times
- * 5. mbedtls_cipher_finish()
+ * 1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce;
+ * 2. mbedtls_cipher_reset();
+ * 3. mbedtls_cipher_update_ad();
+ * 4. mbedtls_cipher_update() zero, one or more times;
+ * 5. mbedtls_cipher_finish() (or mbedtls_cipher_finish_padded());
  * 6. mbedtls_cipher_check_tag() (for decryption) or
- * mbedtls_cipher_write_tag() (for encryption).
+ *  mbedtls_cipher_write_tag() (for encryption).
  * .
  * This sequence can be repeated to encrypt or decrypt multiple
  * messages with the same key.
@@ -930,7 +938,8 @@ int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
  * many block-sized blocks of data as possible to output.
  * Any data that cannot be written immediately is either
  * added to the next block, or flushed when
- * mbedtls_cipher_finish() is called.
+ * mbedtls_cipher_finish() or mbedtls_cipher_finish_padded()
+ * is called.
  * Exception: For MBEDTLS_MODE_ECB, expects a single block
  * in size. For example, 16 Bytes for AES.
  *
@@ -964,30 +973,97 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx,
  * contained in it is padded to the size of
  * the last block, and written to the \p output buffer.
  *
+ * \warning This function reports invalid padding through an error
+ * code. Adversaries may be able to decrypt encrypted
+ * data if they can submit chosen ciphertexts and
+ * detect whether it has valid padding or not,
+ * either through direct observation or through a side
+ * channel such as timing. This is known as a
+ * padding oracle attack.
+ * Therefore applications that call this function for
+ * decryption with a cipher that involves padding
+ * should take care around error handling. Preferably,
+ * such applications should use
+ * mbedtls_cipher_finish_padded() instead of this function.
+ *
  * \param ctx The generic cipher context. This must be initialized and
  * bound to a key.
  * \param output The buffer to write data to. This needs to be a writable
  * buffer of at least block_size Bytes.
  * \param olen The length of the data written to the \p output buffer.
  * This may not be \c NULL.
+ * Note that when decrypting in a mode with padding,
+ * the actual output length is sensitive and may be
+ * used to mount a padding oracle attack (see warning
+ * above), although less efficiently than through
+ * the invalid-padding condition.
  *
  * \return \c 0 on success.
  * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
  * parameter-verification failure.
  * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
  * expecting a full block but not receiving one.
  * \return #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
- * while decrypting.
+ * while decrypting. Note that invalid-padding errors
+ * should be handled carefully; see the warning above.
  * \return A cipher-specific error code on failure.
  */
 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
  unsigned char *output, size_t *olen);
 
+/**
+ * \brief The generic cipher finalization function. If data still
+ * needs to be flushed from an incomplete block, the data
+ * contained in it is padded to the size of
+ * the last block, and written to the \p output buffer.
+ *
+ * \note This function is similar to mbedtls_cipher_finish().
+ * The only difference is that it reports invalid padding
+ * decryption differently, through the \p invalid_padding
+ * parameter rather than an error code.
+ * For encryption, and in modes without padding (including
+ * all authenticated modes), this function is identical
+ * to mbedtls_cipher_finish().
+ *
+ * \param[in,out] ctx The generic cipher context. This must be initialized and
+ * bound to a key.
+ * \param[out] output The buffer to write data to. This needs to be a writable
+ * buffer of at least block_size Bytes.
+ * \param[out] olen The length of the data written to the \p output buffer.
+ * This may not be \c NULL.
+ * Note that when decrypting in a mode with padding,
+ * the actual output length is sensitive and may be
+ * used to mount a padding oracle attack (see warning
+ * on mbedtls_cipher_finish()).
+ * \param[out] invalid_padding
+ * If this function returns \c 0 on decryption,
+ * \p *invalid_padding is \c 0 if the ciphertext was
+ * valid, and all-bits-one if the ciphertext had invalid
+ * padding.
+ * On encryption, or in a mode without padding (including
+ * all authenticated modes), \p *invalid_padding is \c 0
+ * on success.
+ * The value in \p *invalid_padding is unspecified if
+ * this function returns a nonzero status.
+ *
+ * \return \c 0 on success.
+ * Also \c 0 for decryption with invalid padding.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ * expecting a full block but not receiving one.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_finish_padded(mbedtls_cipher_context_t *ctx,
+ unsigned char *output, size_t *olen,
+ size_t *invalid_padding);
+
 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 /**
  * \brief This function writes a tag for AEAD ciphers.
  * Currently supported with GCM and ChaCha20+Poly1305.
- * This must be called after mbedtls_cipher_finish().
+ * This must be called after mbedtls_cipher_finish()
+ * or mbedtls_cipher_finish_padded().
  *
  * \param ctx The generic cipher context. This must be initialized,
  * bound to a key, and have just completed a cipher
@@ -1006,7 +1082,8 @@ int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
 /**
  * \brief This function checks the tag for AEAD ciphers.
  * Currently supported with GCM and ChaCha20+Poly1305.
- * This must be called after mbedtls_cipher_finish().
+ * This must be called after mbedtls_cipher_finish()
+ * or mbedtls_cipher_finish_padded().
  *
  * \param ctx The generic cipher context. This must be initialized.
  * \param tag The buffer holding the tag. This must be a readable

interface/include/mbedtls/config_psa.h

@@ -34,7 +34,7 @@
  * before we deduce what built-ins are required. */
 #include "psa/crypto_adjust_config_key_pair_types.h"
 
-#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_CRYPTO_C) || defined(MCUBOOT_USE_PSA_CRYPTO)
 /* If we are implementing PSA crypto ourselves, then we want to enable the
  * required built-ins. Otherwise, PSA features will be provided by the server. */
 #include "mbedtls/config_adjust_legacy_from_psa.h"

interface/include/mbedtls/dhm.h

@@ -183,7 +183,7 @@ int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
  */
 int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
  unsigned char *output, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -250,7 +250,7 @@ int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
  */
 int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
  unsigned char *output, size_t olen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -281,7 +281,7 @@ int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
  */
 int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
  unsigned char *output, size_t output_size, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**

interface/include/mbedtls/ecdh.h

@@ -189,7 +189,7 @@ int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid);
  * \c MBEDTLS_MPI_XXX error code on failure.
  */
 int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -225,7 +225,7 @@ int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_
  */
 int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
  const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -290,7 +290,7 @@ void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx);
  */
 int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
  unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -372,7 +372,7 @@ int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
  */
 int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
  unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 /**
@@ -428,7 +428,7 @@ int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
  */
 int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
  unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t),
+ mbedtls_f_rng_t *f_rng,
  void *p_rng);
 
 #if defined(MBEDTLS_ECP_RESTARTABLE)