From 55e81f4e59193cf289236ac69c392d8d888495b9 Mon Sep 17 00:00:00 2001 From: liuxiyao Date: Thu, 9 Nov 2023 08:51:12 +0000 Subject: [PATCH] patch for mbedtls v3.4.1 Signed-off-by: liuxiyao --- BUILD.gn | 2 + include/mbedtls/build_info.h | 4 ++ include/mbedtls/mbedtls_config.h | 2 +- library/pk_wrap.c | 2 +- library/platform_util.c | 1 + library/psa_crypto.c | 63 +++++++++++++--------------- library/psa_crypto_driver_wrappers.c | 25 +---------- library/psa_crypto_rsa.c | 2 +- 8 files changed, 40 insertions(+), 61 deletions(-) diff --git a/BUILD.gn b/BUILD.gn index 4d9052a1e..af83609ad 100755 --- a/BUILD.gn +++ b/BUILD.gn @@ -46,6 +46,7 @@ if (defined(ohos_lite)) { config("mbedtls_config") { include_dirs = MBEDTLS_INLCUDE_DIRS + include_dirs += [ "//third_party/bounds_checking_function/include" ] if (ohos_kernel_type == "liteos_m") { defines += [ "__unix__", @@ -124,6 +125,7 @@ if (defined(ohos_lite)) { import("//build/ohos.gni") config("mbedtls_config") { include_dirs = MBEDTLS_INLCUDE_DIRS + include_dirs += [ "//third_party/bounds_checking_function/include" ] } ohos_shared_library("mbedtls_shared") { diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index cffa05bde..1a38718ac 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -65,6 +65,10 @@ #include MBEDTLS_CONFIG_FILE #endif +#if !defined(MBEDTLS_ECP_RESTARTABLE) +#define MBEDTLS_ECP_RESTARTABLE +#endif + #if defined(MBEDTLS_CONFIG_VERSION) && ( \ MBEDTLS_CONFIG_VERSION < 0x03000000 || \ MBEDTLS_CONFIG_VERSION > MBEDTLS_VERSION_NUMBER) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index cc6d762f1..884832a14 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -731,7 +731,7 @@ * * Uncomment this macro to enable restartable ECC computations. */ -//#define MBEDTLS_ECP_RESTARTABLE +#define MBEDTLS_ECP_RESTARTABLE /** * \def MBEDTLS_ECDSA_DETERMINISTIC diff --git a/library/pk_wrap.c b/library/pk_wrap.c index f813b7250..27a41ac6a 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -1306,7 +1306,7 @@ static int rsa_alt_sign_wrap(void *ctx, mbedtls_md_type_t md_alg, { mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx; - if (UINT_MAX < hash_len) { + if ((int)UINT_MAX < (int)hash_len) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } diff --git a/library/platform_util.c b/library/platform_util.c index a88bb6c75..7b25c301d 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -39,6 +39,7 @@ #include "mbedtls/threading.h" #include +#include "securec.h" #ifndef __STDC_WANT_LIB_EXT1__ #define __STDC_WANT_LIB_EXT1__ 1 /* Ask for the C11 gmtime_s() and memset_s() if available */ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 31f4f0ddb..2746fe931 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3081,6 +3081,7 @@ psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; + psa_key_attributes_t attributes; (void) input; (void) input_length; @@ -3105,9 +3106,7 @@ psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key, goto exit; } - psa_key_attributes_t attributes = { - .core = slot->attr - }; + attributes.core = slot->attr; status = psa_driver_wrapper_asymmetric_encrypt( &attributes, slot->key.data, slot->key.bytes, @@ -3132,6 +3131,7 @@ psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot; + psa_key_attributes_t attributes; (void) input; (void) input_length; @@ -3155,9 +3155,7 @@ psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key, goto exit; } - psa_key_attributes_t attributes = { - .core = slot->attr - }; + attributes.core = slot->attr; status = psa_driver_wrapper_asymmetric_decrypt( &attributes, slot->key.data, slot->key.bytes, @@ -3614,7 +3612,6 @@ psa_status_t mbedtls_psa_sign_hash_complete( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; mbedtls_mpi r; mbedtls_mpi s; - psa_key_attributes_t attributes; mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); @@ -3930,6 +3927,7 @@ static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation, psa_key_usage_t usage = (cipher_operation == MBEDTLS_ENCRYPT ? PSA_KEY_USAGE_ENCRYPT : PSA_KEY_USAGE_DECRYPT); + psa_key_attributes_t attributes; /* A context must be freshly initialized before it can be set up. */ if (operation->id != 0) { @@ -3959,9 +3957,7 @@ static psa_status_t psa_cipher_setup(psa_cipher_operation_t *operation, } operation->default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); - psa_key_attributes_t attributes = { - .core = slot->attr - }; + attributes.core = slot->attr; /* Try doing the operation through a driver before using software fallback. */ if (cipher_operation == MBEDTLS_ENCRYPT) { @@ -4008,7 +4004,7 @@ psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation, { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; - size_t default_iv_length; + size_t default_iv_length; if (operation->id == 0) { status = PSA_ERROR_BAD_STATE; @@ -4182,7 +4178,8 @@ psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; uint8_t local_iv[PSA_CIPHER_IV_MAX_SIZE]; - size_t default_iv_length = 0; + size_t default_iv_length = 0; + psa_key_attributes_t attributes; if (!PSA_ALG_IS_CIPHER(alg)) { status = PSA_ERROR_INVALID_ARGUMENT; @@ -4196,9 +4193,7 @@ psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, goto exit; } - psa_key_attributes_t attributes = { - .core = slot->attr - }; + attributes.core = slot->attr; default_iv_length = PSA_CIPHER_IV_LENGTH(slot->attr.type, alg); if (default_iv_length > PSA_CIPHER_IV_MAX_SIZE) { @@ -4252,7 +4247,8 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_slot_t *slot = NULL; + psa_key_slot_t *slot = NULL; + psa_key_attributes_t attributes; if (!PSA_ALG_IS_CIPHER(alg)) { status = PSA_ERROR_INVALID_ARGUMENT; @@ -4266,9 +4262,7 @@ psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key, goto exit; } - psa_key_attributes_t attributes = { - .core = slot->attr - }; + attributes.core = slot->attr; if (alg == PSA_ALG_CCM_STAR_NO_TAG && input_length < PSA_BLOCK_CIPHER_BLOCK_LENGTH(slot->attr.type)) { @@ -4517,6 +4511,7 @@ static psa_status_t psa_aead_setup(psa_aead_operation_t *operation, psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; psa_key_usage_t key_usage = 0; + psa_key_attributes_t attributes; status = psa_aead_check_algorithm(alg); if (status != PSA_SUCCESS) { @@ -4546,10 +4541,7 @@ static psa_status_t psa_aead_setup(psa_aead_operation_t *operation, goto exit; } - - psa_key_attributes_t attributes = { - .core = slot->attr - }; + attributes.core = slot->attr; if ((status = psa_validate_tag_length(alg)) != PSA_SUCCESS) { goto exit; @@ -5548,6 +5540,8 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( mbedtls_mpi diff_N_2; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + size_t m; + size_t m_bytes; mbedtls_mpi_init(&k); mbedtls_mpi_init(&diff_N_2); @@ -5569,9 +5563,9 @@ static psa_status_t psa_generate_derived_ecc_key_weierstrass_helper( /* N is the boundary of the private key domain (ecp_group.N). */ /* Let m be the bit size of N. */ - size_t m = ecp_group.nbits; + m = ecp_group.nbits; - size_t m_bytes = PSA_BITS_TO_BYTES(m); + m_bytes = PSA_BITS_TO_BYTES(m); /* Calculate N - 2 - it will be needed later. */ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&diff_N_2, &ecp_group.N, 2)); @@ -5714,6 +5708,7 @@ static psa_status_t psa_generate_derived_key_internal( size_t bytes = PSA_BITS_TO_BYTES(bits); size_t storage_size = bytes; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_attributes_t attributes; if (PSA_KEY_TYPE_IS_PUBLIC_KEY(slot->attr.type)) { return PSA_ERROR_INVALID_ARGUMENT; @@ -5768,9 +5763,7 @@ static psa_status_t psa_generate_derived_key_internal( } slot->attr.bits = (psa_key_bits_t) bits; - psa_key_attributes_t attributes = { - .core = slot->attr - }; + attributes.core = slot->attr; if (psa_key_lifetime_is_external(attributes.core.lifetime)) { status = psa_driver_wrapper_get_key_buffer_size(&attributes, @@ -6669,6 +6662,7 @@ psa_status_t psa_raw_key_agreement(psa_algorithm_t alg, psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; + size_t expected_length = 0; if (!PSA_ALG_IS_KEY_AGREEMENT(alg)) { status = PSA_ERROR_INVALID_ARGUMENT; @@ -6688,7 +6682,7 @@ psa_status_t psa_raw_key_agreement(psa_algorithm_t alg, * PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() is exact so the point is moot. * If FFDH is implemented, PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE() can easily * be exact for it as well. */ - size_t expected_length = + expected_length = PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(slot->attr.type, slot->attr.bits); if (output_size < expected_length) { status = PSA_ERROR_BUFFER_TOO_SMALL; @@ -7334,6 +7328,8 @@ psa_status_t psa_pake_set_password_key( psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_slot_t *slot = NULL; + psa_key_attributes_t attributes; + psa_key_type_t type; if (operation->stage != PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { status = PSA_ERROR_BAD_STATE; @@ -7347,11 +7343,9 @@ psa_status_t psa_pake_set_password_key( goto exit; } - psa_key_attributes_t attributes = { - .core = slot->attr - }; + attributes.core = slot->attr; - psa_key_type_t type = psa_get_key_type(&attributes); + type = psa_get_key_type(&attributes); if (type != PSA_KEY_TYPE_PASSWORD && type != PSA_KEY_TYPE_PASSWORD_HASH) { @@ -7549,7 +7543,6 @@ static psa_crypto_driver_pake_step_t convert_jpake_computation_stage_to_driver_s default: return PSA_JPAKE_STEP_INVALID; } - return PSA_JPAKE_STEP_INVALID; } #endif /* PSA_WANT_ALG_JPAKE */ @@ -7716,7 +7709,7 @@ psa_status_t psa_pake_output( { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_crypto_driver_pake_step_t driver_step = PSA_JPAKE_STEP_INVALID; - *output_length = 0; + *output_length = 0; if (operation->stage == PSA_PAKE_OPERATION_STAGE_COLLECT_INPUTS) { status = psa_pake_complete_inputs(operation); diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index 9e946e367..e2227b299 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -447,7 +447,7 @@ uint32_t psa_driver_wrapper_sign_hash_get_num_ops( #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ } - return( PSA_ERROR_INVALID_ARGUMENT ); + return (uint32_t)PSA_ERROR_INVALID_ARGUMENT; } uint32_t psa_driver_wrapper_verify_hash_get_num_ops( @@ -471,7 +471,7 @@ uint32_t psa_driver_wrapper_verify_hash_get_num_ops( } - return( PSA_ERROR_INVALID_ARGUMENT ); + return (uint32_t)PSA_ERROR_INVALID_ARGUMENT; } psa_status_t psa_driver_wrapper_sign_hash_start( @@ -516,15 +516,6 @@ psa_status_t psa_driver_wrapper_sign_hash_start( ( void ) status; return( PSA_ERROR_INVALID_ARGUMENT ); } - - ( void ) operation; - ( void ) key_buffer; - ( void ) key_buffer_size; - ( void ) alg; - ( void ) hash; - ( void ) hash_length; - - return( status ); } psa_status_t psa_driver_wrapper_sign_hash_complete( @@ -618,17 +609,6 @@ psa_status_t psa_driver_wrapper_verify_hash_start( ( void ) status; return( PSA_ERROR_INVALID_ARGUMENT ); } - - ( void ) operation; - ( void ) key_buffer; - ( void ) key_buffer_size; - ( void ) alg; - ( void ) hash; - ( void ) hash_length; - ( void ) signature; - ( void ) signature_length; - - return( status ); } psa_status_t psa_driver_wrapper_verify_hash_complete( @@ -2859,7 +2839,6 @@ psa_status_t psa_driver_wrapper_pake_setup( operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; return status; #endif - return( PSA_ERROR_NOT_SUPPORTED ); /* Add cases for opaque driver here */ default: /* Key is declared with a lifetime not known to us */ diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 3ff589dc8..f78fc87a0 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -323,7 +323,7 @@ static psa_status_t psa_rsa_decode_md_type(psa_algorithm_t alg, /* The Mbed TLS RSA module uses an unsigned int for hash length * parameters. Validate that it fits so that we don't risk an * overflow later. */ - if (hash_length > UINT_MAX) { + if ((int)hash_length > (int)UINT_MAX) { return PSA_ERROR_INVALID_ARGUMENT; } -- Gitee