From 42649d9270d9f75b63d55b08a10d334d266d3905 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 23 Nov 2022 14:15:57 +0100 Subject: [PATCH 1/6] Fix NULL+0 undefined behavior in ECB encryption and decryption psa_cipher_encrypt() and psa_cipher_decrypt() sometimes add a zero offset to a null pointer when the cipher does not use an IV. This is undefined behavior, although it works as naively expected on most platforms. This can cause a crash with modern Clang+ASan (depending on compiler optimizations). Signed-off-by: Gilles Peskine --- ChangeLog.d/psa-ecb-ub.txt | 3 ++ library/common.h | 37 +++++++++++++++++++++ library/psa_crypto.c | 4 +-- library/psa_crypto_cipher.c | 23 +++++++------ tests/suites/test_suite_psa_crypto.function | 5 +-- 5 files changed, 58 insertions(+), 14 deletions(-) create mode 100644 ChangeLog.d/psa-ecb-ub.txt diff --git a/ChangeLog.d/psa-ecb-ub.txt b/ChangeLog.d/psa-ecb-ub.txt new file mode 100644 index 000000000..9d725ac70 --- /dev/null +++ b/ChangeLog.d/psa-ecb-ub.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix undefined behavior (typically harmless in practice) in PSA ECB + encryption and decryption. diff --git a/library/common.h b/library/common.h index a630fcc45..53598228b 100644 --- a/library/common.h +++ b/library/common.h @@ -25,6 +25,7 @@ #include "mbedtls/build_info.h" +#include #include /** Helper to define a function as static except when building invasive tests. @@ -68,6 +69,42 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c */ #define MBEDTLS_ALLOW_PRIVATE_ACCESS +/** Return an offset into a buffer. + * + * This is just the addition of an offset to a pointer, except that this + * function also accepts an offset of 0 into a buffer whose pointer is null. + * + * \param p Pointer to a buffer of at least n bytes. + * This may be \p NULL if \p n is zero. + * \param n An offset in bytes. + * \return Pointer to offset \p n in the buffer \p p. + * Note that this is only a valid pointer if the size of the + * buffer is at least \p n + 1. + */ +static inline unsigned char *mbedtls_buffer_offset( + unsigned char *p, size_t n ) +{ + return( p == NULL ? NULL : p + n ); +} + +/** Return an offset into a read-only buffer. + * + * This is just the addition of an offset to a pointer, except that this + * function also accepts an offset of 0 into a buffer whose pointer is null. + * + * \param p Pointer to a buffer of at least n bytes. + * This may be \p NULL if \p n is zero. + * \param n An offset in bytes. + * \return Pointer to offset \p n in the buffer \p p. + * Note that this is only a valid pointer if the size of the + * buffer is at least \p n + 1. + */ +static inline const unsigned char *mbedtls_buffer_offset_const( + const unsigned char *p, size_t n ) +{ + return( p == NULL ? NULL : p + n ); +} + /** Byte Reading Macros * * Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 8c9deffad..e881f2f3c 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3454,8 +3454,8 @@ psa_status_t psa_cipher_encrypt( mbedtls_svc_key_id_t key, status = psa_driver_wrapper_cipher_encrypt( &attributes, slot->key.data, slot->key.bytes, alg, local_iv, default_iv_length, input, input_length, - output + default_iv_length, output_size - default_iv_length, - output_length ); + mbedtls_buffer_offset( output, default_iv_length ), + output_size - default_iv_length, output_length ); exit: unlock_status = psa_unlock_key_slot( slot ); diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 70dc74d74..91a0e3b30 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -516,10 +516,10 @@ psa_status_t mbedtls_psa_cipher_encrypt( if( status != PSA_SUCCESS ) goto exit; - status = mbedtls_psa_cipher_finish( &operation, - output + update_output_length, - output_size - update_output_length, - &finish_output_length ); + status = mbedtls_psa_cipher_finish( + &operation, + mbedtls_buffer_offset( output, update_output_length ), + output_size - update_output_length, &finish_output_length ); if( status != PSA_SUCCESS ) goto exit; @@ -563,17 +563,20 @@ psa_status_t mbedtls_psa_cipher_decrypt( goto exit; } - status = mbedtls_psa_cipher_update( &operation, input + operation.iv_length, - input_length - operation.iv_length, - output, output_size, &olength ); + status = mbedtls_psa_cipher_update( + &operation, + mbedtls_buffer_offset_const( input, operation.iv_length ), + input_length - operation.iv_length, + output, output_size, &olength ); if( status != PSA_SUCCESS ) goto exit; accumulated_length = olength; - status = mbedtls_psa_cipher_finish( &operation, output + accumulated_length, - output_size - accumulated_length, - &olength ); + status = mbedtls_psa_cipher_finish( + &operation, + mbedtls_buffer_offset( output, accumulated_length ), + output_size - accumulated_length, &olength ); if( status != PSA_SUCCESS ) goto exit; diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index ca1614bef..1f3b3b64a 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -4,6 +4,7 @@ #include "mbedtls/asn1.h" #include "mbedtls/asn1write.h" #include "mbedtls/oid.h" +#include "common.h" /* For MBEDTLS_CTR_DRBG_MAX_REQUEST, knowing that psa_generate_random() * uses mbedtls_ctr_drbg internally. */ @@ -3983,7 +3984,7 @@ void cipher_alg_without_iv( int alg_arg, int key_type_arg, data_t *key_data, TEST_LE_U( length, output_buffer_size ); output_length += length; PSA_ASSERT( psa_cipher_finish( &operation, - output + output_length, + mbedtls_buffer_offset( output, output_length ), output_buffer_size - output_length, &length ) ); output_length += length; @@ -4001,7 +4002,7 @@ void cipher_alg_without_iv( int alg_arg, int key_type_arg, data_t *key_data, TEST_LE_U( length, output_buffer_size ); output_length += length; PSA_ASSERT( psa_cipher_finish( &operation, - output + output_length, + mbedtls_buffer_offset( output, output_length ), output_buffer_size - output_length, &length ) ); output_length += length; From 6157fee306e581f12d4affc2b7eec2f5cb72d556 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 23 Nov 2022 16:13:13 +0100 Subject: [PATCH 2/6] Unify defintions of inline for MSVC (and old armcc?) Having multiple definitions was cumbersome, and meant we might forget the definition when adding an inline definition to a file that didn't have one before (as I did when I added an inline definition in common.h). Resolves #6649. Signed-off-by: Gilles Peskine --- include/mbedtls/aes.h | 5 ----- include/mbedtls/build_info.h | 6 ++++++ include/mbedtls/cipher.h | 5 ----- include/mbedtls/error.h | 5 ----- include/mbedtls/pem.h | 5 ----- include/mbedtls/pk.h | 5 ----- 6 files changed, 6 insertions(+), 25 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index c35901122..1cd20fe06 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -61,11 +61,6 @@ /** Invalid input data. */ #define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021 -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #ifdef __cplusplus extern "C" { #endif diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 170cbebbe..362ce2fd5 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -53,6 +53,12 @@ #define _CRT_SECURE_NO_DEPRECATE 1 #endif +/* Define `inline` on some non-C99-compliant compilers. */ +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/mbedtls_config.h" #else diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index a3f52ea71..151da1d83 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -46,11 +46,6 @@ #define MBEDTLS_CIPHER_MODE_STREAM #endif -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** The selected feature is not available. */ #define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 /** Bad input parameters. */ diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index eb8391311..04e089605 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -26,11 +26,6 @@ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** * Error code layout. * diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h index c75a1246a..a4c6fb89f 100644 --- a/include/mbedtls/pem.h +++ b/include/mbedtls/pem.h @@ -27,11 +27,6 @@ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** * \name PEM Error codes * These error codes are returned in case of errors reading the diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 867961d32..db0bfacab 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -44,11 +44,6 @@ #include "psa/crypto.h" #endif -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /** Memory allocation failed. */ #define MBEDTLS_ERR_PK_ALLOC_FAILED -0x3F80 /** Type mismatch, eg attempt to encrypt with an ECDSA key */ From 4bdb9fbfa2fed35bffd675e56ed9028b08387520 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 24 Nov 2022 22:21:15 +0100 Subject: [PATCH 3/6] Enable all ciphers in OpenSSL >=1.1.0 OpenSSL may be configured to support features such as cipher suites or protocol versions that are disabled by default. Enable them all: we're testing, we don't care about enabling insecure stuff. This is not needed with the builds of OpenSSL that we're currently using on the Jenkins CI, but it's needed with more recent versions such as typically found on developer machines, and with future CI additions. The syntax to do that was only introduced in OpenSSL 1.1.0; fortunately we don't need to do anything special with earlier versions. With OpenSSL 1.1.1f on Ubuntu 20.04, this allows SHA-1 in certificates, which is still needed for a few test cases in ssl-opt.sh. Curiously, this is also needed for the cipher suite TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 (and no other, including other DHE-PSK or ARIA cipher suites). Signed-off-by: Gilles Peskine --- tests/compat.sh | 14 ++++++++++++++ tests/ssl-opt.sh | 14 ++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index d68121712..529c2c542 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -595,6 +595,20 @@ setup_arguments() G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL" + # Newer versions of OpenSSL have a syntax to enable all "ciphers", even + # low-security ones. This covers not just cipher suites but also protocol + # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on + # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in + # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find + # a way to discover it from -help, so check the openssl version. + case $($OPENSSL_CMD version) in + "OpenSSL 0"*|"OpenSSL 1.0"*) :;; + *) + O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0" + O_SERVER_ARGS="$O_SERVER_ARGS -cipher ALL@SECLEVEL=0" + ;; + esac + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index b460c67dc..c6f6e2963 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1689,6 +1689,20 @@ if [ -n "${OPENSSL_LEGACY:-}" ]; then O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT" fi +# Newer versions of OpenSSL have a syntax to enable all "ciphers", even +# low-security ones. This covers not just cipher suites but also protocol +# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on +# OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in +# OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find +# a way to discover it from -help, so check the openssl version. +case $($OPENSSL_CMD version) in + "OpenSSL 0"*|"OpenSSL 1.0"*) :;; + *) + O_CLI="$O_CLI -cipher ALL@SECLEVEL=0" + O_SRV="$O_SRV -cipher ALL@SECLEVEL=0" + ;; +esac + if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT" O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT" From 187db00399dc05c1e1ad29adf55a9f480334a780 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 23 Nov 2022 14:30:00 +0100 Subject: [PATCH 4/6] Update the Travis "full" build to use modern Clang Don't use an all.sh component because there isn't one that does what we want (modern Clang with ASan, and test everything). * We need to set CC explicitly or tweak PATH, because clang in $PATH on Travis focal instances is Clang 7 which is too old (we want Clang 10). * Travis lacks the array of versions of openssl and gnutls that we normally use for testing, so we need to exclude some tests (or build our own multiple versions of openssl and gnutls). The SSL test exclusions are ad hoc and based on what currently works. Signed-off-by: Gilles Peskine --- .travis.yml | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 67cb3ca61..eaf817a7b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -25,8 +25,40 @@ jobs: - tests/scripts/all.sh -k build_arm_linux_gnueabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus - name: full configuration + os: linux + dist: focal + addons: + apt: + packages: + - clang-10 + - gnutls-bin script: - - tests/scripts/all.sh -k test_full_cmake_gcc_asan + # Do a manual build+test sequence rather than using all.sh, + # because there's no all.sh component that does what we want, + # which is a build with Clang >= 10 and ASan, running all the SSL + # testing. + # - The clang executable in the default PATH is Clang 7 on + # Travis's focal instances, but we want Clang >= 10. + # - Running all the SSL testing requires a specific set of + # OpenSSL and GnuTLS versions and we don't want to bother + # with those on Travis. + # So we explicitly select clang-10 as the compiler, and we + # have ad hoc restrictions on SSL testing based on what is + # passing at the time of writing. We will remove these limitations + # gradually. + - make generated_files + - make CC=clang-10 CFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all -O2' LDFLAGS='-Werror -Wall -Wextra -fsanitize=address,undefined -fno-sanitize-recover=all' + - make test + - programs/test/selftest + - tests/scripts/test_psa_constant_names.py + - tests/ssl-opt.sh + # Modern OpenSSL does not support fixed ECDH or null ciphers. + - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-' + - tests/scripts/travis-log-failure.sh + # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. + - tests/compat.sh -p GnuTLS -e 'CAMELLIA' + - tests/scripts/travis-log-failure.sh + - tests/context-info.sh - name: Windows os: windows From 5a34b36bbd329254dd0a305fe32019d5cba6aa66 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Nov 2022 13:26:18 +0100 Subject: [PATCH 5/6] Remove more now-redundant definitions of inline Signed-off-by: Gilles Peskine --- include/psa/crypto_platform.h | 5 ----- library/aria.c | 5 ----- library/chacha20.c | 5 ----- library/debug.c | 5 ----- library/ecp.c | 5 ----- library/ecp_curves.c | 5 ----- library/mps_reader.c | 5 ----- library/poly1305.c | 5 ----- library/ssl_misc.h | 5 ----- 9 files changed, 45 deletions(-) diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index 47ab1cf9f..573b33c85 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h @@ -45,11 +45,6 @@ /* PSA requires several types which C99 provides in stdint.h. */ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) /* Building for the PSA Crypto service on a PSA platform, a key owner is a PSA diff --git a/library/aria.c b/library/aria.c index 924f95283..5e52eea91 100644 --- a/library/aria.c +++ b/library/aria.c @@ -37,11 +37,6 @@ #include "mbedtls/platform_util.h" -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /* Parameter validation macros */ #define ARIA_VALIDATE_RET( cond ) \ MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA ) diff --git a/library/chacha20.c b/library/chacha20.c index e53eb82f5..85d7461aa 100644 --- a/library/chacha20.c +++ b/library/chacha20.c @@ -36,11 +36,6 @@ #if !defined(MBEDTLS_CHACHA20_ALT) -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #define ROTL32( value, amount ) \ ( (uint32_t) ( (value) << (amount) ) | ( (value) >> ( 32 - (amount) ) ) ) diff --git a/library/debug.c b/library/debug.c index bdbf6dd11..6114a460f 100644 --- a/library/debug.c +++ b/library/debug.c @@ -30,11 +30,6 @@ #include #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #define DEBUG_BUF_SIZE 512 static int debug_threshold = 0; diff --git a/library/ecp.c b/library/ecp.c index 37f6090a8..cd7d5543c 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -88,11 +88,6 @@ #include "ecp_internal_alt.h" -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #if defined(MBEDTLS_SELF_TEST) /* * Counts of point addition and doubling, and field multiplications. diff --git a/library/ecp_curves.c b/library/ecp_curves.c index 7b142370d..5cd2828f7 100644 --- a/library/ecp_curves.c +++ b/library/ecp_curves.c @@ -39,11 +39,6 @@ #define ECP_VALIDATE( cond ) \ MBEDTLS_INTERNAL_VALIDATE( cond ) -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)} #define ECP_MPI_INIT_ARRAY(x) \ diff --git a/library/mps_reader.c b/library/mps_reader.c index 36958b46b..6f823bde1 100644 --- a/library/mps_reader.c +++ b/library/mps_reader.c @@ -29,11 +29,6 @@ #include -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #if defined(MBEDTLS_MPS_ENABLE_TRACE) static int mbedtls_mps_trace_id = MBEDTLS_MPS_TRACE_BIT_READER; #endif /* MBEDTLS_MPS_ENABLE_TRACE */ diff --git a/library/poly1305.c b/library/poly1305.c index 0850f66a3..4d0cdee25 100644 --- a/library/poly1305.c +++ b/library/poly1305.c @@ -32,11 +32,6 @@ #if !defined(MBEDTLS_POLY1305_ALT) -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - #define POLY1305_BLOCK_SIZE_BYTES ( 16U ) /* diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 4d7f63547..59910e4ea 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -56,11 +56,6 @@ #include "common.h" -#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ - !defined(inline) && !defined(__cplusplus) -#define inline __inline -#endif - /* Shorthand for restartable ECC */ #if defined(MBEDTLS_ECP_RESTARTABLE) && \ defined(MBEDTLS_SSL_CLI_C) && \ From 7d23778178582afa9033bcbb2264300bac3767c6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Nov 2022 13:34:59 +0100 Subject: [PATCH 6/6] Explain why p + n isn't good enough Signed-off-by: Gilles Peskine --- library/common.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/common.h b/library/common.h index 53598228b..25d5294e1 100644 --- a/library/common.h +++ b/library/common.h @@ -73,6 +73,9 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c * * This is just the addition of an offset to a pointer, except that this * function also accepts an offset of 0 into a buffer whose pointer is null. + * (`p + n` has undefined behavior when `p` is null, even when `n == 0`. + * A null pointer is a valid buffer pointer when the size is 0, for example + * as the result of `malloc(0)` on some platforms.) * * \param p Pointer to a buffer of at least n bytes. * This may be \p NULL if \p n is zero. @@ -89,8 +92,7 @@ static inline unsigned char *mbedtls_buffer_offset( /** Return an offset into a read-only buffer. * - * This is just the addition of an offset to a pointer, except that this - * function also accepts an offset of 0 into a buffer whose pointer is null. + * Similar to mbedtls_buffer_offset(), but for const pointers. * * \param p Pointer to a buffer of at least n bytes. * This may be \p NULL if \p n is zero.