Releases: Mbed-TLS/mbedtls
Releases · Mbed-TLS/mbedtls
Mbed TLS 3.1.0
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Security Advisories
For full details, please see the following links:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
Release Notes
API changes
- New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
Alternative GCM implementations are expected to verify
the length of the provided output buffers and to return the
MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small. - You can configure groups for a TLS key exchange with the new function
mbedtls_ssl_conf_groups(). It extends mbedtls_ssl_conf_curves(). - Declare a number of structure fields as public: the fields of
mbedtls_ecp_curve_info, the fields describing the result of ASN.1 and
X.509 parsing, and finally the field fd of mbedtls_net_context on
POSIX/Unix-like platforms.
Requirement changes
- Sign-magnitude and one's complement representations for signed integers are
not supported. Two's complement is the only supported representation.
New deprecations
- Deprecate mbedtls_ssl_conf_curves() in favor of the more generic
mbedtls_ssl_conf_groups().
Removals
- Remove the partial support for running unit tests via Greentea on Mbed OS,
which had been unmaintained since 2018.
Features
- Enable support for Curve448 via the PSA API. Contributed by
Archana Madhavan in #4626. Fixes #3399 and #4249. - The identifier of the CID TLS extension can be configured by defining
MBEDTLS_TLS_EXT_CID at compile time. - Implement the PSA multipart AEAD interface, currently supporting
ChaChaPoly and GCM. - Warn if errors from certain functions are ignored. This is currently
supported on GCC-like compilers and on MSVC and can be configured through
the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
(where supported) for critical functions where ignoring the return
value is almost always a bug. Enable the new configuration option
MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
is currently implemented in the AES, DES and md modules, and will be
extended to other modules in the future. - Add missing PSA macros declared by PSA Crypto API 1.0.0:
PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. - Add support for CCM*-no-tag cipher to the PSA.
Currently only 13-byte long IV's are supported.
For decryption a minimum of 16-byte long input is expected.
These restrictions may be subject to change. - Add new API mbedtls_ct_memcmp for constant time buffer comparison.
- Add functions to get the IV and block size from cipher_info structs.
- Add functions to check if a cipher supports variable IV or key size.
- Add the internal implementation of and support for CCM to the PSA multipart
AEAD interface. - Mbed TLS provides a minimum viable implementation of the TLS 1.3
protocol. See docs/architecture/tls13-support.md for the definition of
the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3
configuration option controls the enablement of the support. The APIs
mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow
to select the 1.3 version of the protocol to establish a TLS connection. - Add PSA API definition for ARIA.
Security
- Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection. - In psa_aead_generate_nonce(), do not read back from the output buffer.
This fixes a potential policy bypass or decryption oracle vulnerability
if the output buffer is in memory that is shared with an untrusted
application. - In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
from the output buffer. This fixes a potential policy bypass or decryption
oracle vulnerability if the output buffer is in memory that is shared with
an untrusted application. - Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice.
Bugfix
- Stop using reserved identifiers as local variables. Fixes #4630.
- The GNU makefiles invoke python3 in preference to python except on Windows.
The check was accidentally not performed when cross-compiling for Windows
on Linux. Fix this. Fixes #4774. - Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. - Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
- Don't use the obsolete header path sys/fcntl.h in unit tests.
These header files cause compilation errors in musl.
Fixes #4969. - Fix missing constraints on x86_64 and aarch64 assembly code
for bignum multiplication that broke some bignum operations with
(at least) Clang 12.
Fixes #4116, #4786, #4917, #4962. - Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
- Failures of alternative implementations of AES or DES single-block
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
This does not concern the implementation provided with Mbed TLS,
where this function cannot fail, or full-module replacements with
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. - Some failures of HMAC operations were ignored. These failures could only
happen with an alternative implementation of the underlying hash module. - Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
- Fix compile-time or run-time errors in PSA
AEAD functions when ChachaPoly is disabled. Fixes #5065. - Remove PSA'a AEAD finish/verify output buffer limitation for GCM.
The requirement of minimum 15 bytes for output buffer in
psa_aead_finish() and psa_aead_verify() does not apply to the built-in
implementation of GCM. - Move GCM's update output buffer length verification from PSA AEAD to
the built-in implementation of the GCM.
The requirement for output buffer size to be equal or greater then
input buffer size is valid only for the built-in implementation of GCM.
Alternative GCM implementations can process whole blocks only. - Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
MBEDTLS_ERROR_STRERROR_DUMMY is enabled. - Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
This algorithm now accepts only the same salt length for verification
that it produces when signing, as documented. Use the new algorithm
PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946. - The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
for algorithm values that fully encode the hashing step, as per the PSA
Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
all algorithms that can be used with psa_{sign,verify}_hash(), including
these two. - Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
not to list other shared libraries they need. - Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32. Fixes #4884. - Fix an uninitialized variable warning in test_suite_ssl.function with GCC
version 11. - Fix the build when no SHA2 module is included. Fixes #4930.
- Fix the build when only the bignum module is included. Fixes #4929.
- Fix a potential invalid pointer dereference and infinite loop bugs in
pkcs12 functions when the password is empty. Fix the documentation to
better describe the inputs to these functions and their possible values.
Fixes #5136. - The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
operations psa_mac_compute() and psa_mac_sign_setup(). - The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
operations psa_mac_verify() and psa_mac_verify_setup().
Changes
- Explicitly mark the fields mbedtls_ssl_session.exported and
mbedtls_ssl_config.respect_cli_pref as private. This was an
oversight during the run-up to the release of Mbed TLS 3.0.
The fields were never intended to be public. - Implement multi-part CCM API.
The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish()
were introduced in mbedTLS 3.0 release, however their implementation was
postponed until now.
Implemented functions support chunked data input for both CCM and CCM*
algorithms. - Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the
code size by about 80B on an M0 build. This option only gated an ability
to set a callback, but was deemed unnecessary as it was yet another define
to remember when writing tests, or test configurations. Fixes #4653. - Improve the performance of base64 constant-flow code. The result is still
slower than the original ...
Mbed TLS 2.28.0
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.
Security Advisories
For full details, please see the following links:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
Release Notes
API changes
- Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
different order. This only affects applications that define such
structures directly or serialize them.
Requirement changes
- Sign-magnitude and one's complement representations for signed integers are
not supported. Two's complement is the only supported representation.
Removals
- Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
which allowed SHA-1 in the default TLS configuration for certificate
signing. It was intended to facilitate the transition in environments
with SHA-1 certificates. SHA-1 is considered a weak message digest and
its use constitutes a security risk. - Remove the partial support for running unit tests via Greentea on Mbed OS,
which had been unmaintained since 2018.
Features
- The identifier of the CID TLS extension can be configured by defining
MBEDTLS_TLS_EXT_CID at compile time. - Warn if errors from certain functions are ignored. This is currently
supported on GCC-like compilers and on MSVC and can be configured through
the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
(where supported) for critical functions where ignoring the return
value is almost always a bug. Enable the new configuration option
MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
is currently implemented in the AES, DES and md modules, and will be
extended to other modules in the future. - Add missing PSA macros declared by PSA Crypto API 1.0.0:
PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL. - Add new API mbedtls_ct_memcmp for constant time buffer comparison.
- Add PSA API definition for ARIA.
Security
- Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection. - In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
from the output buffer. This fixes a potential policy bypass or decryption
oracle vulnerability if the output buffer is in memory that is shared with
an untrusted application. - Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice.
Bugfix
- Stop using reserved identifiers as local variables. Fixes #4630.
- The GNU makefiles invoke python3 in preference to python except on Windows.
The check was accidentally not performed when cross-compiling for Windows
on Linux. Fix this. Fixes #4774. - Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type. - Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
- Don't use the obsolete header path sys/fcntl.h in unit tests.
These header files cause compilation errors in musl.
Fixes #4969. - Fix missing constraints on x86_64 and aarch64 assembly code
for bignum multiplication that broke some bignum operations with
(at least) Clang 12.
Fixes #4116, #4786, #4917, #4962. - Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
- Failures of alternative implementations of AES or DES single-block
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
This does not concern the implementation provided with Mbed TLS,
where this function cannot fail, or full-module replacements with
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. - Some failures of HMAC operations were ignored. These failures could only
happen with an alternative implementation of the underlying hash module. - Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
- Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
MBEDTLS_ERROR_STRERROR_DUMMY is enabled. - Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
This algorithm now accepts only the same salt length for verification
that it produces when signing, as documented. Use the new algorithm
PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946. - The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
for algorithm values that fully encode the hashing step, as per the PSA
Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
all algorithms that can be used with psa_{sign,verify}_hash(), including
these two. - Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
not to list other shared libraries they need. - Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32. Fixes #4884. - Fix an uninitialized variable warning in test_suite_ssl.function with GCC
version 11. - Fix the build when no SHA2 module is included. Fixes #4930.
- Fix the build when only the bignum module is included. Fixes #4929.
- Fix a potential invalid pointer dereference and infinite loop bugs in
pkcs12 functions when the password is empty. Fix the documentation to
better describe the inputs to these functions and their possible values.
Fixes #5136. - The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
operations psa_mac_compute() and psa_mac_sign_setup(). - The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
operations psa_mac_verify() and psa_mac_verify_setup().
Changes
- Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
disabled by default. - Improve the performance of base64 constant-flow code. The result is still
slower than the original non-constant-flow implementation, but much faster
than the previous constant-flow implementation. Fixes #4814. - Indicate in the error returned if the nonce length used with
ChaCha20-Poly1305 is invalid, and not just unsupported. - The mbedcrypto library includes a new source code module constant_time.c,
containing various functions meant to resist timing side channel attacks.
This module does not have a separate configuration option, and functions
from this module will be included in the build as required. Currently
most of the interface of this module is private and may change at any
time.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
6519579b836ed78cc549375c7c18b111df5717e86ca0eeff4cb64b2674f424cc mbedtls-2.28.0.tar.gz
80cf41f5f3f625436e3a800e9708e60a25206cd5d81968ba8dd9f3e8becd37e6 mbedtls-2.28.0.zip
Mbed TLS 2.16.12
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
This is the last release of the 2.16 long-time support branch. Users who want a long-time branch should move to mbedtls-2.28, which is backward-compatible and will be supported for at least 3 years.
Security Advisories
For full details, please see the following links:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
Release Notes
Security
- Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection. - Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice.
Bugfix
- Stop using reserved identifiers as local variables. Fixes #4630.
- The GNU makefiles invoke python3 in preference to python except on Windows.
The check was accidentally not performed when cross-compiling for Windows
on Linux. Fix this. Fixes #4774. - Mark basic constraints critical as appropriate. Note that the previous
entry for this fix in the 2.16.10 changelog was in error, and it was not
included in the 2.16.10 release as was stated.
Make 'mbedtls_x509write_crt_set_basic_constraints' consistent with RFC
5280 4.2.1.9 which says: "Conforming CAs MUST include this extension in
all CA certificates that contain public keys used to validate digital
signatures on certificates and MUST mark the extension as critical in
such certificates." Previous to this change, the extension was always
marked as non-critical. This was fixed by #4044. - Fix missing constraints on x86_64 assembly code for bignum multiplication
that broke some bignum operations with (at least) Clang 12.
Fixes #4116, #4786, #4917. - Failures of alternative implementations of AES or DES single-block
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
This does not concern the implementation provided with Mbed TLS,
where this function cannot fail, or full-module replacements with
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092. - Some failures of HMAC operations were ignored. These failures could only
happen with an alternative implementation of the underlying hash module. - Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
MBEDTLS_ERROR_STRERROR_DUMMY is enabled. - Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32. Fixes #4884. - Fix the build when no SHA2 module is included. Fixes #4930.
- Fix the build when only the bignum module is included. Fixes #4929.
- Fix a potential invalid pointer dereference and infinite loop bugs in
pkcs12 functions when the password is empty. Fix the documentation to
better describe the inputs to these functions and their possible values.
Fixes #5136.
Changes
- Improve the performance of base64 constant-flow code. The result is still
slower than the original non-constant-flow implementation, but much faster
than the previous constant-flow implementation. Fixes #4814.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
294871ab1864a65d0b74325e9219d5bcd6e91c34a3c59270c357bb9ae4d5c393 mbedtls-2.16.12.tar.gz
1a3169e7016e7a737ea7904a7108aac7f97668f79baee6165dee9ba596cf7c10 mbedtls-2.16.12.zip
Mbed TLS 3.0.0
Description
This release of Mbed TLS provides bug fixes, enhancements and new features, including many changes that are not API-compatible with earlier versions of Mbed TLS. This release includes fixes for security issues.
For details on the steps required to migrate from Mbed TLS version 2.x to Mbed TLS version 3.0.0, please refer to the migration guide.
Security Advisories
For full details, please see the following links:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2
Release Notes
API changes
- Remove HAVEGE module.
The design of HAVEGE makes it unsuitable for microcontrollers. Platforms
with a more complex CPU usually have an operating system interface that
provides better randomness. Instead of HAVEGE, declare OS or hardware RNG
interfaces with mbedtls_entropy_add_source() and/or use an entropy seed
file created securely during device provisioning. See
https://tls.mbed.org/kb/how-to/add-entropy-sources-to-entropy-pool for
more information. - Add missing const attributes to API functions.
- Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
header compat-1.3.h and the script rename.pl. - Remove certs module from the API.
Transfer keys and certificates embedded in the library to the test
component. This contributes to minimizing library API and discourages
users from using unsafe keys in production. - Move alt helpers and definitions.
Various helpers and definitions available for use in alt implementations
have been moved out of the include/ directory and into the library/
directory. The files concerned are ecp_internal.h and rsa_internal.h
which have also been renamed to ecp_internal_alt.h and rsa_alt_helpers.h
respectively. - Move internal headers.
Header files that were only meant for the library's internal use and
were not meant to be used in application code have been moved out of
the include/ directory. The headers concerned are bn_mul.h, aesni.h,
padlock.h, entropy_poll.h and *_internal.h. - Drop support for parsing SSLv2 ClientHello
(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO). - Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
- Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
- Drop support for RC4 TLS ciphersuites.
- Drop support for single-DES ciphersuites.
- Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
- Update AEAD output size macros to bring them in line with the PSA Crypto
API version 1.0 spec. This version of the spec parameterizes them on the
key type used, as well as the key bit-size in the case of
PSA_AEAD_TAG_LENGTH. - Add configuration option MBEDTLS_X509_REMOVE_INFO which
removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
as well as other functions and constants only used by
those functions. This reduces the code footprint by
several kB. - Remove SSL error codes
MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
andMBEDTLS_ERR_SSL_INVALID_VERIFY_HASHwhich are never
returned from the public SSL API. - Remove
MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGEand return
MBEDTLS_ERR_SSL_BUFFER_TOO_SMALLinstead. - The output parameter of mbedtls_sha512_finish, mbedtls_sha512,
mbedtls_sha256_finish and mbedtls_sha256 now has a pointer type
rather than array type. This removes spurious warnings in some compilers
when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
the hash size. - Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
- The interface of the GCM module has changed to remove restrictions on
how the input to multipart operations is broken down. mbedtls_gcm_finish()
now takes extra output parameters for the last partial output block.
mbedtls_gcm_update() now takes extra parameters for the output length.
The software implementation always produces the full output at each
call to mbedtls_gcm_update(), but alternative implementations activated
by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
no longer pass the associated data to mbedtls_gcm_starts(), but to the
new function mbedtls_gcm_update_ad().
These changes are backward compatible for users of the cipher API. - Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
This separates config option enabling the SHA384 algorithm from option
enabling the SHA512 algorithm. Fixes #4034. - Introduce MBEDTLS_SHA224_C.
This separates config option enabling the SHA224 algorithm from option
enabling SHA256. - The getter and setter API of the SSL session cache (used for
session-ID based session resumption) has changed to that of
a key-value store with keys being session IDs and values
being opaque instances ofmbedtls_ssl_session. - Remove the mode parameter from RSA operation functions. Signature and
decryption functions now always use the private key and verification and
encryption use the public key. Verification functions also no longer have
RNG parameters. - Modify semantics of
mbedtls_ssl_conf_[opaque_]psk():
In Mbed TLS 2.X, the API prescribes that later calls overwrite
the effect of earlier calls. In Mbed TLS 3.0, calling
mbedtls_ssl_conf_[opaque_]psk()more than once will fail,
leaving the PSK that was configured first intact.
Support for more than one PSK may be added in 3.X. - The function mbedtls_x509write_csr_set_extension() has an extra parameter
which allows to mark an extension as critical. Fixes #4055. - For multi-part AEAD operations with the cipher module, calling
mbedtls_cipher_finish() is now mandatory. Previously the documentation
was unclear on this point, and this function happened to never do
anything with the currently implemented AEADs, so in practice it was
possible to skip calling it, which is no longer supported. - The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
instead of computing tables in runtime. Thus, this option now increase
code size, and it does not increase RAM usage in runtime anymore. - Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
mbedtls_ssl_get_output_max_frag_len(), and add a new API
mbedtls_ssl_get_max_in_record_payload(), complementing the existing
mbedtls_ssl_get_max_out_record_payload().
Uses of mbedtls_ssl_get_input_max_frag_len() and
mbedtls_ssl_get_input_max_frag_len() should be replaced by
mbedtls_ssl_get_max_in_record_payload() and
mbedtls_ssl_get_max_out_record_payload(), respectively. - mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
after initializing the context. mbedtls_rsa_set_padding() now returns an
error if its parameters are invalid. - Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398. - Instead of accessing the len field of a DHM context, which is no longer
supported, use the new function mbedtls_dhm_get_len() . - In modules that implement cryptographic hash functions, many functions
mbedtls_xxx() now return int instead of void, and the corresponding
function mbedtls_xxx_ret() which was identical except for returning int
has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
migration guide for more information. Fixes #4212. - For all functions that take a random number generator (RNG) as a
parameter, this parameter is now mandatory (that is, NULL is not an
acceptable value). Functions which previously accepted NULL and now
reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
sign and decrypt function; mbedtls_rsa_private(); the functions
in DHM and ECDH that compute the shared secret; the scalar multiplication
functions in ECP. - The following functions now require an RNG parameter:
mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile(). - mbedtls_ssl_conf_export_keys_ext_cb() and
mbedtls_ssl_conf_export_keys_cb() have been removed and
replaced by a new API mbedtls_ssl_set_export_keys_cb().
Raw keys and IVs are no longer passed to the callback.
Further, callbacks now receive an additional parameter
indicating the type of secret that's being exported,
paving the way for the larger number of secrets
in TLS 1.3. Finally, the key export callback and
context are now connection-specific. - Signature functions in the RSA and PK modules now require the hash
length parameter to be the size of the hash input. For RSA signatures
other than raw PKCS#1 v1.5, this must match the output size of the
specified hash algorithm. - The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
mbedtls_ecdsa_write_signature() and
mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
indicating the size of the output buffer for the signature. - Implement one-shot cipher functions, psa_cipher_encrypt and
psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
specification. - Direct access to fields of structures declared in public headers is no
longer supported except for fiel...
Mbed TLS 2.27.0
Description
This release of Mbed TLS provides bug fixes, enhancements and new features. This release includes fixes for security issues.
Security Advisories
For full details, please see the following links:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2
Release Notes
API changes
- Update AEAD output size macros to bring them in line with the PSA Crypto
API version 1.0 spec. This version of the spec parameterizes them on the
key type used, as well as the key bit-size in the case of
PSA_AEAD_TAG_LENGTH.
The old versions of these macros were renamed and deprecated as follows:- PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG
- PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
- PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
- PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
- Implement one-shot cipher functions, psa_cipher_encrypt and
psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
specification.
Requirement changes
- The library now uses the %zu format specifier with the printf() family of
functions, so requires a toolchain that supports it. This change does not
affect the maintained LTS branches, so when contributing changes please
bear this in mind and do not add them to backported code.
Features
- Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
signature with a specific salt length. This function allows to validate
test cases provided in the NIST's CAVP test suite. Contributed by Cédric
Meuter in PR #3183. - Added support for built-in driver keys through the PSA opaque crypto
driver interface. Refer to the documentation of
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information. - Implement psa_sign_message() and psa_verify_message().
- The new function mbedtls_mpi_random() generates a random value in a
given range uniformly. - Implement psa_mac_compute() and psa_mac_verify() as defined in the
PSA Cryptograpy API 1.0.0 specification. - MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
curves and no longer needs to be configured explicitly to save RAM.
Security
- Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
private keys and of blinding values for DHM and elliptic curves (ECP)
computations. Reported by FlorianF89 in #4245. - Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
An adversary who is capable of very precise timing measurements could
learn partial information about the leading bits of the nonce used for the
signature, allowing the recovery of the private key after observing a
large number of signature operations. This completes a partial fix in
Mbed TLS 2.20.0.- It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
too small, leading to buffer overflows in ECC operations. Fail the build
in such a case. - An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) could recover an RSA private key after observing the victim
performing a single private-key operation. Found and reported by
Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG. - An adversary with access to precise enough timing information (typically, a
co-located process) could recover a Curve25519 or Curve448 static ECDH key
after inputting a chosen public key and observing the victim performing the
corresponding private-key operation. Found and reported by Leila Batina,
Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
- It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
Bugfix
- Add printf function attributes to mbedtls_debug_print_msg to ensure we
get printf format specifier warnings. - Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
lead to seed file corruption in the case where the path to the seed file is
equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
Krasnoshchok in #3616. - PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
in line with version 1.0.0 of the specification. Fix #4162. - PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
to create is not valid, bringing them in line with version 1.0.0 of the
specification. Fix #4271. - Fix some cases in the bignum module where the library constructed an
unintended representation of the value 0 which was not processed
correctly by some bignum operations. This could happen when
mbedtls_mpi_read_string() was called on "-0", or when
mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
the arguments being negative and the other being 0. Fixes #4643. - Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
zero. Fixes #1792 - Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
defined. Fixes #4217. - Fix an incorrect error code when parsing a PKCS#8 private key.
- In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8. - In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
defined to specific values. If the code is used in a context
where these are already defined, this can result in a compilation
error. Instead, assume that if they are defined, the values will
be adequate to build Mbed TLS. - The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
was disabled. Fix the dependency. Fixes #4472. - Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
- With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
nonetheless, resulting in undefined reference errors when building a
shared library. Reported by Guillermo Garcia M. in #4411. - Fix test suite code on platforms where int32_t is not int, such as
Arm Cortex-M. Fixes #4530. - Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
directive in a header and a missing initialization in the self-test. - Fix a missing initialization in the Camellia self-test, affecting
MBEDTLS_CAMELLIA_ALT implementations. - Restore the ability to configure PSA via Mbed TLS options to support RSA
key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
Fixes #4512. - Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
(when the encrypt-then-MAC extension is not in use) with some ALT
implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
the affected side to wrongly reject valid messages. Fixes #4118. - Remove outdated check-config.h check that prevented implementing the
timing module on Mbed OS. Fixes #4633. - Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
about missing inputs. - Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465. - Fix a resource leak in a test suite with an alternative AES
implementation. Fixes #4176. - Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
could notably be triggered by setting the TLS debug level to 3 or above
and using a Montgomery curve for the key exchange. Reported by lhuang04
in #4578. Fixes #4608. - psa_verify_hash() was relying on implementation-specific behavior of
mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
implementations. This reliance is now removed. Fixes #3990. - Disallow inputs of length different from the corresponding hash when
signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.) - Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
could not be triggered by code that constructed A with one of the
mbedtls_mpi_read_xxx functions (including in particular TLS code) since
those always built an mpi object with at least one limb.
Credit to OSS-Fuzz. Fixes #4641. - Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
applications that call mbedtls_mpi_gcd() directly. Fixes #4642. - The PSA API no longer allows the creation or destruction of keys with a
read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
can now only be used as intended, for keys that cannot be modified through
normal use of the API. - When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
in all the right places. Include it from crypto_platform.h, which is
the natural place. Fixes #4649. - mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
restartab...
Mbed TLS 2.16.11
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Security Advisories
For full details, please see the following links:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2
Release Notes
Security
- Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
private keys and of blinding values for DHM and elliptic curves (ECP)
computations. Reported by FlorianF89 in #4245. - Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
An adversary who is capable of very precise timing measurements could
learn partial information about the leading bits of the nonce used for the
signature, allowing the recovery of the private key after observing a
large number of signature operations. This completes a partial fix in
Mbed TLS 2.16.4. - It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
too small, leading to buffer overflows in ECC operations. Fail the build
in such a case. - An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) could recover an RSA private key after observing the victim
performing a single private-key operation. Found and reported by
Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG. - An adversary with access to precise enough timing information (typically, a
co-located process) could recover a Curve25519 or Curve448 static ECDH key
after inputting a chosen public key and observing the victim performing the
corresponding private-key operation. Found and reported by Leila Batina,
Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
Bugfix
- Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
lead to the seed file corruption in case if the path to the seed file is
equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
Krasnoshchok in #3616. - Fix some cases in the bignum module where the library constructed an
unintended representation of the value 0 which was not processed
correctly by some bignum operations. This could happen when
mbedtls_mpi_read_string() was called on "-0", or when
mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
the arguments being negative and the other being 0. Fixes #4643. - Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
defined. Fixes #4217. - Fix an incorrect error code when parsing a PKCS#8 private key.
- In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8. - In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
defined to specific values. If the code is used in a context
where these are already defined, this can result in a compilation
error. Instead, assume that if they are defined, the values will
be adequate to build Mbed TLS. - The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
was disabled. Fix the dependency. Fixes #4472. - Fix test suite code on platforms where int32_t is not int, such as
Arm Cortex-M. Fixes #4530. - Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
directive in a header and a missing initialization in the self-test. - Fix a missing initialization in the Camellia self-test, affecting
MBEDTLS_CAMELLIA_ALT implementations. - Fix a regression introduced in 2.16.8 which broke (D)TLS CBC ciphersuites
(when the encrypt-then-MAC extension is not in use) with some ALT
implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
the affected side to wrongly reject valid messages. Fixes #4118. - Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465. - Fix a resource leak in a test suite with an alternative AES
implementation. Fixes #4176. - Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs.
Reported by lhuang04 in #4578. Fixes #4608. - Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
A=0 represented with 0 limbs. This bug could not be triggered by code
that constructed A with one of the mbedtls_mpi_read_xxx functions
(including in particular TLS code) since those always built an mpi object
with at least one limb. Credit to OSS-Fuzz. Fixes #4641. - Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
applications that call mbedtls_mpi_gcd() directly. Fixes #4642. - mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
restartable variants now require at least the specified hash length if
nonzero. Before, for RSA, hash_len was ignored in favor of the length of
the specified hash algorithm. - Fix which alert is sent in some cases to conform to the
applicable RFC: on an invalid Finished message value, an
invalid max_fragment_length extension, or an
unsupported extension used by the server.
Changes
- Fix the setting of the read timeout in the DTLS sample programs.
- Remove the AES sample application programs/aes/aescrypt2 which shows
bad cryptographic practice. Fix #1906. - When building the test suites with GNU make, invoke python3 or python, not
python2. The build still works with either Python 2.7 or 3.5+, but we
recommend using a version of Python that is supported upstream.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
c18e7e9abf95e69e425260493720470021384a1728417042060a35d0b7b18b41 mbedtls-2.16.11.tar.gz
c75ec6a654fc9ef487904172633758d6f61d88a0d53329c79657221043bdb6f4 mbedtls-2.16.11.zip
Mbed TLS 2.26.0
Description
This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues.
API changes
- Renamed the PSA Crypto API output buffer size macros to bring them in line
with version 1.0.0 of the specification. - The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
in bits rather than bytes, with an additional flag to indicate if the
size may have been rounded up to a whole number of bytes. - Renamed the PSA Crypto API AEAD tag length macros to bring them in line
with version 1.0.0 of the specification.
Default behavior changes
- In mbedtls_rsa_context objects, the ver field was formerly documented
as always 0. It is now reserved for internal purposes and may take
different values.
New deprecations
- PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
deprecated. - PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
have been renamed, and the old names deprecated.
Features
- The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
CTR_DRBG is used by default if it is available, but you can override
this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
Fix #3354. - Automatic fallback to a software implementation of ECP when
MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK. - The PSA crypto subsystem can now be configured to use less static RAM by
tweaking the setting for the maximum amount of keys simultaneously in RAM.
MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
can exist simultaneously. It has a sensible default if not overridden. - Partial implementation of the PSA crypto driver interface: Mbed TLS can
now use an external random generator instead of the library's own
entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
and see the documentation of mbedtls_psa_external_get_random() for details. - Applications using both mbedtls_xxx and psa_xxx functions (for example,
applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
random generator with mbedtls_xxx functions. See the documentation of
mbedtls_psa_get_random() for details. - In the PSA API, the policy for a MAC or AEAD algorithm can specify a
minimum MAC or tag length thanks to the new wildcards
PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.
Security
- Fix a security reduction in CTR_DRBG when the initial seeding obtained a
nonce from entropy. Applications were affected if they called
mbedtls_ctr_drbg_set_nonce_len(), if they called
mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
In such cases, a random nonce was necessary to achieve the advertised
security strength, but the code incorrectly used a constant instead of
entropy from the nonce.
Found by John Stroebel in #3819 and fixed in #3973. - Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|. Reported by Guido Vranken in #4042. - Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write a private RSA keys of the largest
supported size.
Found by Daniel Otte, reported in #4093 and fixed in #4094. - Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout() when given a file descriptor that is
beyond FD_SETSIZE. Reported by FigBug in #4169. - Guard against strong local side channel attack against base64 tables by
making access aceess to them use constant flow code. (CVE-2021-24119)
Bugfix
- Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
- Fix memory leak that occured when calling psa_close_key() on a
wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined. - Fix an incorrect error code if an RSA private operation glitched.
- Fix a memory leak in an error case in psa_generate_derived_key_internal().
- Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
is enabled, on platforms where initializing a mutex allocates resources.
This was a regression introduced in the previous release. Reported in
#4017, #4045 and #4071. - Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
twice is safe. This happens for RSA when some Mbed TLS library functions
fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
enabled on platforms where freeing a mutex twice is not safe. - Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
when MBEDTLS_THREADING_C is enabled on platforms where initializing
a mutex allocates resources. - Fixes a bug where, if the library was configured to include support for
both the old SE interface and the new PSA driver interface, external keys were
not loaded from storage. This was fixed by #3996. - This change makes 'mbedtls_x509write_crt_set_basic_constraints'
consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
include this extension in all CA certificates that contain public keys
used to validate digital signatures on certificates and MUST mark the
extension as critical in such certificates." Previous to this change,
the extension was always marked as non-critical. This was fixed by
#3698.
Changes
- A new library C file psa_crypto_client.c has been created to contain
the PSA code needed by a PSA crypto client when the PSA crypto
implementation is not included into the library. - On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
now uses the getrandom syscall instead of reading from /dev/urandom.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
37949e823c7e1f6695fc56858578df355da0770c284b1c1304cfc8b396d539cd mbedtls-2.26.0.tar.gz
23a7437284fb07c136891cb981a065b9541b7f78d97e3671fe07c7ce59c2f3b3 mbedtls-2.26.0.zip
Mbed TLS 2.16.10
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Default behavior changes
- In mbedtls_rsa_context objects, the ver field was formerly documented
as always 0. It is now reserved for internal purposes and may take
different values.
Security
- Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|. Reported by Guido Vranken in #4042. - Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write a private RSA keys of the largest
supported size.
Found by Daniel Otte, reported in #4093 and fixed in #4094,
backported in #4100. - Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout() when given a file descriptor that is
beyond FD_SETSIZE. Reported by FigBug in #4169. - Guard against strong local side channel attack against base64 tables by
making access aceess to them use constant flow code. (CVE-2021-24119)
Bugfix
- Fix an incorrect error code if an RSA private operation glitched.
- Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
is enabled, on platforms where initializing a mutex allocates resources.
This was a regression introduced in the previous release. Reported in
#4017, #4045 and #4071. - Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
twice is safe. This happens for RSA when some Mbed TLS library functions
fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
enabled on platforms where freeing a mutex twice is not safe. - Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
when MBEDTLS_THREADING_C is enabled on platforms where initializing
a mutex allocates resources. - This change makes 'mbedtls_x509write_crt_set_basic_constraints'
consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
include this extension in all CA certificates that contain public keys
used to validate digital signatures on certificates and MUST mark the
extension as critical in such certificates." Previous to this change,
the extension was always marked as non-critical. This was fixed by
#4044.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
96257bb03b30300b2f35f861ffe204ed957e9fd0329d80646fe57fc49f589b29 mbedtls-2.16.10.tar.gz
8a1537efd03dacdb0fc4bd6fddac0b0a49f91c229182268815e5980b9ffc555a mbedtls-2.16.10.zip
Mbed TLS 2.7.19
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Default behavior changes
- In mbedtls_rsa_context objects, the ver field was formerly documented
as always 0. It is now reserved for internal purposes and may take
different values.
Security
- Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|. Reported by Guido Vranken in #4042. - Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write a private RSA keys of the largest
supported size.
Found by Daniel Otte, reported in #4093 and fixed in #4094,
backported in #4099. - Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a
file descriptor that is beyond FD_SETSIZE. Reported by FigBug in #4169. - Guard against strong local side channel attack against base64 tables by
making access aceess to them use constant flow code. (CVE-2021-24119)
Bugfix
- Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
is enabled, on platforms where initializing a mutex allocates resources.
This was a regression introduced in the previous release. Reported in
#4017, #4045 and #4071. - Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
twice is safe. This happens for RSA when some Mbed TLS library functions
fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
enabled on platforms where freeing a mutex twice is not safe. - Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
when MBEDTLS_THREADING_C is enabled on platforms where initializing
a mutex allocates resources. - Fix an incorrect error code if an RSA private operation glitched.
- Fix the build of sample programs when MBEDTLS_PEM_C is enabled but
MBEDTLS_CERTS_C is disabled. Reported by Michael Schuster in #4206.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
9a6e0b0386496fae6863e41968eb308034a74008e775a533750af483a38378d0 mbedtls-2.7.19.tar.gz
0f83d43f7de8866820d41db398b6640c8baebb358819223f9b2b3502f77db3d7 mbedtls-2.7.19.zip
Mbed TLS 2.25.0
Description
This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues.
API changes
- The numerical values of the PSA Crypto API macros have been updated to conform to version 1.0.0 of the specification.
- PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4. The underlying stream cipher is determined by the key type (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4).
- The functions mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts, as they have no way to check if the output buffer is large enough. Please use mbedtls_cipher_auth_encrypt_ext() and mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and Cryptofuzz. Fixes #3665.
Requirement changes
- Update the minimum required CMake version to 2.8.12. This silences a warning on CMake 3.19.0. #3801
New deprecations
- PSA_KEY_TYPE_CHACHA20 and PSA_KEY_TYPE_ARC4 have been deprecated. Use PSA_ALG_STREAM_CIPHER instead.
- The functions mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() are deprecated in favour of the new functions mbedtls_cipher_auth_encrypt_ext() and mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers, these new functions always append the tag to the ciphertext, and include the tag in the ciphertext length.
Features
- Partial implementation of the new PSA Crypto accelerator APIs. (Symmetric ciphers, asymmetric signing/verification and key generation, validate_key entry point, and export_public_key interface.)
- Add support for ECB to the PSA cipher API.
- In PSA, allow using a key declared with a base key agreement algorithm in combined key agreement and derivation operations, as long as the key agreement algorithm in use matches the algorithm the key was declared with. This is currently non-standard behaviour, but expected to make it into a future revision of the PSA Crypto standard.
- Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls, mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by external CMake projects that include this one to avoid CMake target name clashes. The default value of this variable is "", so default target names are unchanged.
- Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan Pascal, improved by Ron Eldor.
- In the PSA API, it is no longer necessary to open persistent keys: operations now accept the key identifier. The type psa_key_handle_t is now identical to psa_key_id_t instead of being platform-defined. This bridges the last major gap to compliance with the PSA Cryptography specification version 1.0.0. Opening persistent keys is still supported for backward compatibility, but will be deprecated and later removed in future releases.
- PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version 1.0.0 of the PSA Crypto API specification.
Security
- The functions mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() would write past the minimum documented size of the output buffer when used with NIST_KW. As a result, code using those functions as documented with NIST_KW could have a buffer overwrite of up to 15 bytes, with consequences ranging up to arbitrary code execution depending on the location of the output buffer.
- Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
- A failure of the random generator was ignored in mbedtls_mpi_fill_random(), which is how most uses of randomization in asymmetric cryptography (including key generation, intermediate value randomization and blinding) are implemented. This could cause failures or the silent use of non-random values. A random generator can fail if it needs reseeding and cannot not obtain entropy, or due to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
- Fix a compliance issue whereby we were not checking the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. This meant that a NULL algorithm parameters entry would look identical to an array of REAL (size zero) to the library and thus the certificate would be considered valid. However, if the parameters do not match in any way then the certificate should be considered invalid, and indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks to guidovranken who found this issue via differential fuzzing and reported it in #3629.
- Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Reported by Johan Malmgren and Johan Uppman Bruce from Sectra.
Bugfix
- Fix an invalid (but nonzero) return code from mbedtls_pk_parse_subpubkey() when the input has trailing garbage. Fixes #2512.
- Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
- Include the psa_constant_names generated source code in the source tree instead of generating it at build time. Fixes #3524.
- Fix rsa_prepare_blinding() to retry when the blinding value is not invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). Fixes #3647.
- Use socklen_t on Android and other POSIX-compliant system
- Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. Fix #3432.
- Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the psa_cipher_* functions compliant with the PSA Crypto API specification.
- mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names "x25519" and "x448". These curves support ECDH but not ECDSA. If you need only the curves that support ECDSA, filter the list with mbedtls_ecdsa_can_do().
- Fix psa_generate_key() returning an error when asked to generate an ECC key pair on Curve25519 or secp244k1.
- Fix psa_key_derivation_output_key() to allow the output of a combined key agreement and subsequent key derivation operation to be used as a key inside of the PSA Crypto core.
- Fix handling of EOF against 0xff bytes and on platforms with unsigned chars. Fixes a build failure on platforms where char is unsigned. Fixes #3794.
- Fix an off-by-one error in the additional data length check for CCM, which allowed encryption with a non-standard length field. Fixes #3719.
- Correct the default IV size for mbedtls_cipher_info_t structures using MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
- Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is defined. Fix contributed in #3571.
- Fix conditions for including string.h in error.c. Fixes #3866.
- psa_set_key_id() now also sets the lifetime to persistent for keys located in a secure element.
- Attempting to create a volatile key with a non-zero key identifier now fails. Previously the key identifier was just ignored when creating a volatile key.
- Attempting to create or register a key with a key identifier in the vendor range now fails.
- Fix build failures on GCC 11. Fixes #3782.
- Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
- Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative (an error condition) and the second operand was aliased to the result.
- Fix a case in elliptic curve arithmetic where an out-of-memory condition could go undetected, resulting in an incorrect result.
- In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed(). Fixes #2927.
- In PEM writing functions, fill the trailing part of the buffer with null bytes. This guarantees that the corresponding parsing function can read the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem until this property was inadvertently broken in Mbed TLS 2.19.0. Fixes #3682.
- Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT option on. In this configuration key management methods that are required for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail. Fixes #3818. Reported by John Stroebel.
Changes
- Reduce stack usage significantly during sliding window exponentiation. Reported in #3591 and fix contributed in #3592 by Daniel Otte.
- The PSA persistent storage format is updated to always store the key bits attribute. No automatic upgrade path is provided. Previously stored keys must be erased, or manually upgraded based on the key storage format specification (docs/architecture/mbed-crypto-storage-specification.md). Fixes #3740.
- Remove the zeroization of a pointer variable in AES rounds. It was valid but spurious and misleading since it looked like a mistaken attempt to zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA Leti, France.
Who should update
...