Skip to content

Commit

Permalink
Merge pull request #36823 from akien-mga/mbedtls-2.16.5
Browse files Browse the repository at this point in the history
mbedtls: Update to upstream version 2.16.5
  • Loading branch information
akien-mga authored Mar 5, 2020
2 parents 93f7c63 + e435bed commit da05ca6
Show file tree
Hide file tree
Showing 12 changed files with 125 additions and 124 deletions.
5 changes: 1 addition & 4 deletions thirdparty/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -281,7 +281,7 @@ changes are marked with `// -- GODOT --` comments.
## mbedtls

- Upstream: https://tls.mbed.org/
- Version: 2.16.4
- Version: 2.16.5
- License: Apache 2.0

File extracted from upstream release tarball (`-apache.tgz` variant):
Expand All @@ -291,9 +291,6 @@ File extracted from upstream release tarball (`-apache.tgz` variant):
- LICENSE and apache-2.0.txt files
- Applied the patch in `thirdparty/mbedtls/patches/1453.diff` (PR 1453).
Soon to be merged upstream. Check it out at next update.
- Applied the patch in `thirdparty/mbedtls/patches/padlock.diff`. This disables VIA
padlock support which defines a symbol `unsupported` which clashes with
a symbol in libwebsockets.
- Added 2 files `godot_core_mbedtls_platform.{c,h}` providing configuration
for light bundling with core.

Expand Down
4 changes: 1 addition & 3 deletions thirdparty/mbedtls/include/mbedtls/config.h
Original file line number Diff line number Diff line change
Expand Up @@ -2542,9 +2542,7 @@
*
* This modules adds support for the VIA PadLock on x86.
*/
// -- GODOT start --
// #define MBEDTLS_PADLOCK_C
// -- GODOT end --
#define MBEDTLS_PADLOCK_C

/**
* \def MBEDTLS_PEM_PARSE_C
Expand Down
8 changes: 4 additions & 4 deletions thirdparty/mbedtls/include/mbedtls/version.h
Original file line number Diff line number Diff line change
Expand Up @@ -40,16 +40,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 16
#define MBEDTLS_VERSION_PATCH 4
#define MBEDTLS_VERSION_PATCH 5

/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
#define MBEDTLS_VERSION_NUMBER 0x02100400
#define MBEDTLS_VERSION_STRING "2.16.4"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.4"
#define MBEDTLS_VERSION_NUMBER 0x02100500
#define MBEDTLS_VERSION_STRING "2.16.5"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.5"

#if defined(MBEDTLS_VERSION_C)

Expand Down
5 changes: 3 additions & 2 deletions thirdparty/mbedtls/library/bignum.c
Original file line number Diff line number Diff line change
Expand Up @@ -157,9 +157,10 @@ int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
return( MBEDTLS_ERR_MPI_ALLOC_FAILED );

/* Actually resize up in this case */
/* Actually resize up if there are currently fewer than nblimbs limbs. */
if( X->n <= nblimbs )
return( mbedtls_mpi_grow( X, nblimbs ) );
/* After this point, then X->n > nblimbs and in particular X->n > 0. */

for( i = X->n - 1; i > 0; i-- )
if( X->p[i] != 0 )
Expand Down Expand Up @@ -198,7 +199,7 @@ int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
if( X == Y )
return( 0 );

if( Y->p == NULL )
if( Y->n == 0 )
{
mbedtls_mpi_free( X );
return( 0 );
Expand Down
14 changes: 4 additions & 10 deletions thirdparty/mbedtls/library/cipher.c
Original file line number Diff line number Diff line change
Expand Up @@ -361,6 +361,10 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i

*olen = 0;
block_size = mbedtls_cipher_get_block_size( ctx );
if ( 0 == block_size )
{
return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
}

if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
{
Expand Down Expand Up @@ -396,11 +400,6 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
}
#endif

if ( 0 == block_size )
{
return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
}

if( input == output &&
( ctx->unprocessed_len != 0 || ilen % block_size ) )
{
Expand Down Expand Up @@ -459,11 +458,6 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
*/
if( 0 != ilen )
{
if( 0 == block_size )
{
return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
}

/* Encryption: only cache partial blocks
* Decryption w/ padding: always keep at least one whole block
* Decryption w/o padding: only cache partial blocks
Expand Down
4 changes: 2 additions & 2 deletions thirdparty/mbedtls/library/ecdsa.c
Original file line number Diff line number Diff line change
Expand Up @@ -297,7 +297,7 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
*p_sign_tries = 0;
do
{
if( *p_sign_tries++ > 10 )
if( (*p_sign_tries)++ > 10 )
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
Expand All @@ -310,7 +310,7 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
*p_key_tries = 0;
do
{
if( *p_key_tries++ > 10 )
if( (*p_key_tries)++ > 10 )
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
Expand Down
29 changes: 7 additions & 22 deletions thirdparty/mbedtls/library/entropy_poll.c
Original file line number Diff line number Diff line change
Expand Up @@ -61,43 +61,28 @@
#define _WIN32_WINNT 0x0400
#endif
#include <windows.h>
#include <bcrypt.h>
#if defined(_MSC_VER) && _MSC_VER <= 1600
/* Visual Studio 2010 and earlier issue a warning when both <stdint.h> and
* <intsafe.h> are included, as they redefine a number of <TYPE>_MAX constants.
* These constants are guaranteed to be the same, though, so we suppress the
* warning when including intsafe.h.
*/
#pragma warning( push )
#pragma warning( disable : 4005 )
#endif
#include <intsafe.h>
#if defined(_MSC_VER) && _MSC_VER <= 1600
#pragma warning( pop )
#endif
#include <wincrypt.h>

int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len,
size_t *olen )
{
ULONG len_as_ulong = 0;
HCRYPTPROV provider;
((void) data);
*olen = 0;

/*
* BCryptGenRandom takes ULONG for size, which is smaller than size_t on
* 64-bit Windows platforms. Ensure len's value can be safely converted into
* a ULONG.
*/
if ( FAILED( SizeTToULong( len, &len_as_ulong ) ) )
if( CryptAcquireContext( &provider, NULL, NULL,
PROV_RSA_FULL, CRYPT_VERIFYCONTEXT ) == FALSE )
{
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
}

if ( !BCRYPT_SUCCESS( BCryptGenRandom( NULL, output, len_as_ulong, BCRYPT_USE_SYSTEM_PREFERRED_RNG ) ) )
if( CryptGenRandom( provider, (DWORD) len, output ) == FALSE )
{
CryptReleaseContext( provider, 0 );
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
}

CryptReleaseContext( provider, 0 );
*olen = len;

return( 0 );
Expand Down
120 changes: 88 additions & 32 deletions thirdparty/mbedtls/library/pkparse.c
Original file line number Diff line number Diff line change
Expand Up @@ -677,6 +677,32 @@ int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
}

#if defined(MBEDTLS_RSA_C)
/*
* Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
*
* The value zero is:
* - never a valid value for an RSA parameter
* - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
*
* Since values can't be omitted in PKCS#1, passing a zero value to
* rsa_complete() would be incorrect, so reject zero values early.
*/
static int asn1_get_nonzero_mpi( unsigned char **p,
const unsigned char *end,
mbedtls_mpi *X )
{
int ret;

ret = mbedtls_asn1_get_mpi( p, end, X );
if( ret != 0 )
return( ret );

if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );

return( 0 );
}

/*
* Parse a PKCS#1 encoded private RSA key
*/
Expand Down Expand Up @@ -729,54 +755,84 @@ static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
}

/* Import N */
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ) != 0 ||
( ret = mbedtls_rsa_import_raw( rsa, p, len, NULL, 0, NULL, 0,
NULL, 0, NULL, 0 ) ) != 0 )
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL,
NULL, NULL ) ) != 0 )
goto cleanup;
p += len;

/* Import E */
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ) != 0 ||
( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
NULL, 0, p, len ) ) != 0 )
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
NULL, &T ) ) != 0 )
goto cleanup;
p += len;

/* Import D */
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ) != 0 ||
( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
p, len, NULL, 0 ) ) != 0 )
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
&T, NULL ) ) != 0 )
goto cleanup;
p += len;

/* Import P */
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ) != 0 ||
( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, p, len, NULL, 0,
NULL, 0, NULL, 0 ) ) != 0 )
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL,
NULL, NULL ) ) != 0 )
goto cleanup;
p += len;

/* Import Q */
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ) != 0 ||
( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, p, len,
NULL, 0, NULL, 0 ) ) != 0 )
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T,
NULL, NULL ) ) != 0 )
goto cleanup;
p += len;

/* Complete the RSA private key */
if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 )
goto cleanup;
#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
/*
* The RSA CRT parameters DP, DQ and QP are nominally redundant, in
* that they can be easily recomputed from D, P and Q. However by
* parsing them from the PKCS1 structure it is possible to avoid
* recalculating them which both reduces the overhead of loading
* RSA private keys into memory and also avoids side channels which
* can arise when computing those values, since all of D, P, and Q
* are secret. See https://eprint.iacr.org/2020/055 for a
* description of one such attack.
*/

/* Import DP */
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 )
goto cleanup;

/* Import DQ */
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 )
goto cleanup;

/* Import QP */
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 )
goto cleanup;

#else
/* Verify existance of the CRT params */
if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 )
goto cleanup;
#endif

/* Check optional parameters */
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 ||
( ret = mbedtls_asn1_get_mpi( &p, end, &T ) ) != 0 )
/* rsa_complete() doesn't complete anything with the default
* implementation but is still called:
* - for the benefit of alternative implementation that may want to
* pre-compute stuff beyond what's provided (eg Montgomery factors)
* - as is also sanity-checks the key
*
* Furthermore, we also check the public part for consistency with
* mbedtls_pk_parse_pubkey(), as it includes size minima for example.
*/
if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ||
( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 )
{
goto cleanup;
}

if( p != end )
{
Expand Down
11 changes: 10 additions & 1 deletion thirdparty/mbedtls/library/rsa.c
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,9 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
{
int ret = 0;
int have_N, have_P, have_Q, have_D, have_E;
#if !defined(MBEDTLS_RSA_NO_CRT)
int have_DP, have_DQ, have_QP;
#endif
int n_missing, pq_missing, d_missing, is_pub, is_priv;

RSA_VALIDATE_RET( ctx != NULL );
Expand All @@ -259,6 +262,12 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );

#if !defined(MBEDTLS_RSA_NO_CRT)
have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
#endif

/*
* Check whether provided parameters are enough
* to deduce all others. The following incomplete
Expand Down Expand Up @@ -324,7 +333,7 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
*/

#if !defined(MBEDTLS_RSA_NO_CRT)
if( is_priv )
if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
{
ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
&ctx->DP, &ctx->DQ, &ctx->QP );
Expand Down
Loading

0 comments on commit da05ca6

Please sign in to comment.