diff --git a/ChangeLog.d/context_load_and_session_load_documentation.txt b/ChangeLog.d/context_load_and_session_load_documentation.txt new file mode 100644 index 0000000000..200ab27bf1 --- /dev/null +++ b/ChangeLog.d/context_load_and_session_load_documentation.txt @@ -0,0 +1,8 @@ +Security + * The documentation of mbedtls_ssl_session_save(), + mbedtls_ssl_session_load(), mbedtls_ssl_context_save(), and + mbedtls_ssl_context_load() has been updated to clarify the responsibility + of the application to preserve the confidentiality and integrity of + serialized data, mitigating the risk of misuse of these APIs. + Credit to Haruto Kimura (Stella) for highlighting risks associated with + tampered serialized data. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 8f58b3e9c0..758e7823c2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3156,6 +3156,27 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session * On server, this can be used for alternative implementations * of session cache or session tickets. * + * \warning The serialized data contains highly sensitive material, + * including a resumption key (TLS 1.3) or the master secret + * (TLS 1.2) from which the session's traffic keys are derived. + * + * The serialized data is not cryptographically protected. + * It is the responsibility of the user of the + * mbedtls_ssl_session_save() and + * mbedtls_ssl_session_load() APIs to ensure both its + * confidentiality and integrity while stored or transported. + * + * A breach of confidentiality could result in full compromise + * of the associated TLS session, including loss of + * confidentiality and integrity of past and future + * application data protected under that session. + * + * A breach of integrity may allow modification of the + * serialized data prior to restoration. As it represents + * trusted internal context, tampering could potentially result + * in arbitrary code execution or other severe compromise of + * the hosting process. + * * \warning If a peer certificate chain is associated with the session, * the serialized state will only contain the peer's * end-entity certificate and the result of the chain @@ -3194,6 +3215,19 @@ int mbedtls_ssl_session_load(mbedtls_ssl_session *session, * * \see mbedtls_ssl_session_load() * + * \warning The serialized data contains highly sensitive material, + * including a resumption key (TLS 1.3) or the master secret + * (TLS 1.2) from which the session's traffic keys are derived. + * + * The serialized data is not cryptographically protected. + * It is the responsibility of the user of the + * mbedtls_ssl_session_save() and + * mbedtls_ssl_session_load() APIs to ensure both its + * confidentiality and integrity while stored or transported. + * + * See the mbedtls_ssl_session_load() documentation for + * additional information. + * * \param session The session structure to be saved. * \param buf The buffer to write the serialized data to. It must be a * writeable buffer of at least \p buf_len bytes, or may be \c @@ -5275,6 +5309,19 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl); * * \see mbedtls_ssl_context_load() * + * \warning The serialized data contains highly sensitive material, + * including the master secret from which the session's traffic + * keys are derived. + * + * The serialized data is not cryptographically protected. + * It is the responsibility of the user of the + * mbedtls_ssl_context_save() and + * mbedtls_ssl_context_load() APIs to ensure both its + * confidentiality and integrity while stored or transported. + * + * See the mbedtls_ssl_context_load() documentation for + * additional information. + * * \note The serialized data only contains the data that is * necessary to resume the connection: negotiated protocol * options, session identifier, keys, etc. @@ -5341,6 +5388,27 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, * more than one context would cause severe security failures * including but not limited to loss of confidentiality. * + * \warning The serialized data contains highly sensitive material, + * including the master secret from which the session's traffic + * keys are derived. + * + * The serialized data is not cryptographically protected. + * It is the responsibility of the user of the + * mbedtls_ssl_context_save() and + * mbedtls_ssl_context_load() APIs to ensure both its + * confidentiality and integrity while stored or transported. + * + * A breach of confidentiality could result in full compromise + * of the associated TLS session, including loss of + * confidentiality and integrity of past and future + * application data protected under that session. + * + * A breach of integrity may allow modification of the + * serialized data prior to restoration. As it represents + * trusted internal context, tampering could potentially result + * in arbitrary code execution or other severe compromise of + * the hosting process. + * * \note Before calling this function, the SSL context must be * prepared in one of the two following ways. The first way is * to take a context freshly initialised with