-
Notifications
You must be signed in to change notification settings - Fork 2.6k
/
ChangeLog
4513 lines (4147 loc) · 235 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.28.0 branch released 2021-12-17
API changes
* Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
different order. This only affects applications that define such
structures directly or serialize them.
Requirement changes
* Sign-magnitude and one's complement representations for signed integers are
not supported. Two's complement is the only supported representation.
Removals
* Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
which allowed SHA-1 in the default TLS configuration for certificate
signing. It was intended to facilitate the transition in environments
with SHA-1 certificates. SHA-1 is considered a weak message digest and
its use constitutes a security risk.
* Remove the partial support for running unit tests via Greentea on Mbed OS,
which had been unmaintained since 2018.
Features
* The identifier of the CID TLS extension can be configured by defining
MBEDTLS_TLS_EXT_CID at compile time.
* Warn if errors from certain functions are ignored. This is currently
supported on GCC-like compilers and on MSVC and can be configured through
the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
(where supported) for critical functions where ignoring the return
value is almost always a bug. Enable the new configuration option
MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
is currently implemented in the AES, DES and md modules, and will be
extended to other modules in the future.
* Add missing PSA macros declared by PSA Crypto API 1.0.0:
PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
* Add new API mbedtls_ct_memcmp for constant time buffer comparison.
* Add PSA API definition for ARIA.
Security
* Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection.
* In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
from the output buffer. This fixes a potential policy bypass or decryption
oracle vulnerability if the output buffer is in memory that is shared with
an untrusted application.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice.
Bugfix
* Stop using reserved identifiers as local variables. Fixes #4630.
* The GNU makefiles invoke python3 in preference to python except on Windows.
The check was accidentally not performed when cross-compiling for Windows
on Linux. Fix this. Fixes #4774.
* Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
* Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
* Don't use the obsolete header path sys/fcntl.h in unit tests.
These header files cause compilation errors in musl.
Fixes #4969.
* Fix missing constraints on x86_64 and aarch64 assembly code
for bignum multiplication that broke some bignum operations with
(at least) Clang 12.
Fixes #4116, #4786, #4917, #4962.
* Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
* Failures of alternative implementations of AES or DES single-block
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
This does not concern the implementation provided with Mbed TLS,
where this function cannot fail, or full-module replacements with
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
* Some failures of HMAC operations were ignored. These failures could only
happen with an alternative implementation of the underlying hash module.
* Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
* Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
* Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
This algorithm now accepts only the same salt length for verification
that it produces when signing, as documented. Use the new algorithm
PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
* The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
for algorithm values that fully encode the hashing step, as per the PSA
Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
all algorithms that can be used with psa_{sign,verify}_hash(), including
these two.
* Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
not to list other shared libraries they need.
* Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32. Fixes #4884.
* Fix an uninitialized variable warning in test_suite_ssl.function with GCC
version 11.
* Fix the build when no SHA2 module is included. Fixes #4930.
* Fix the build when only the bignum module is included. Fixes #4929.
* Fix a potential invalid pointer dereference and infinite loop bugs in
pkcs12 functions when the password is empty. Fix the documentation to
better describe the inputs to these functions and their possible values.
Fixes #5136.
* The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
operations psa_mac_compute() and psa_mac_sign_setup().
* The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
operations psa_mac_verify() and psa_mac_verify_setup().
Changes
* Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
disabled by default.
* Improve the performance of base64 constant-flow code. The result is still
slower than the original non-constant-flow implementation, but much faster
than the previous constant-flow implementation. Fixes #4814.
* Indicate in the error returned if the nonce length used with
ChaCha20-Poly1305 is invalid, and not just unsupported.
* The mbedcrypto library includes a new source code module constant_time.c,
containing various functions meant to resist timing side channel attacks.
This module does not have a separate configuration option, and functions
from this module will be included in the build as required. Currently
most of the interface of this module is private and may change at any
time.
= mbed TLS 2.27.0 branch released 2021-07-07
API changes
* Update AEAD output size macros to bring them in line with the PSA Crypto
API version 1.0 spec. This version of the spec parameterizes them on the
key type used, as well as the key bit-size in the case of
PSA_AEAD_TAG_LENGTH.
The old versions of these macros were renamed and deprecated as follows:
- PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG
- PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
- PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
- PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
* Implement one-shot cipher functions, psa_cipher_encrypt and
psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
specification.
Requirement changes
* The library now uses the %zu format specifier with the printf() family of
functions, so requires a toolchain that supports it. This change does not
affect the maintained LTS branches, so when contributing changes please
bear this in mind and do not add them to backported code.
Features
* Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
signature with a specific salt length. This function allows to validate
test cases provided in the NIST's CAVP test suite. Contributed by Cédric
Meuter in PR #3183.
* Added support for built-in driver keys through the PSA opaque crypto
driver interface. Refer to the documentation of
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
* Implement psa_sign_message() and psa_verify_message().
* The new function mbedtls_mpi_random() generates a random value in a
given range uniformly.
* Implement psa_mac_compute() and psa_mac_verify() as defined in the
PSA Cryptograpy API 1.0.0 specification.
* MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
curves and no longer needs to be configured explicitly to save RAM.
Security
* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
private keys and of blinding values for DHM and elliptic curves (ECP)
computations. Reported by FlorianF89 in #4245.
* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
An adversary who is capable of very precise timing measurements could
learn partial information about the leading bits of the nonce used for the
signature, allowing the recovery of the private key after observing a
large number of signature operations. This completes a partial fix in
Mbed TLS 2.20.0.
* It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
too small, leading to buffer overflows in ECC operations. Fail the build
in such a case.
* An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) could recover an RSA private key after observing the victim
performing a single private-key operation. Found and reported by
Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
* An adversary with access to precise enough timing information (typically, a
co-located process) could recover a Curve25519 or Curve448 static ECDH key
after inputting a chosen public key and observing the victim performing the
corresponding private-key operation. Found and reported by Leila Batina,
Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
Bugfix
* Add printf function attributes to mbedtls_debug_print_msg to ensure we
get printf format specifier warnings.
* Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
lead to seed file corruption in the case where the path to the seed file is
equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
Krasnoshchok in #3616.
* PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
in line with version 1.0.0 of the specification. Fix #4162.
* PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
to create is not valid, bringing them in line with version 1.0.0 of the
specification. Fix #4271.
* Fix some cases in the bignum module where the library constructed an
unintended representation of the value 0 which was not processed
correctly by some bignum operations. This could happen when
mbedtls_mpi_read_string() was called on "-0", or when
mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
the arguments being negative and the other being 0. Fixes #4643.
* Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
zero. Fixes #1792
* Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
defined. Fixes #4217.
* Fix an incorrect error code when parsing a PKCS#8 private key.
* In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8.
* In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
defined to specific values. If the code is used in a context
where these are already defined, this can result in a compilation
error. Instead, assume that if they are defined, the values will
be adequate to build Mbed TLS.
* The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
was disabled. Fix the dependency. Fixes #4472.
* Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
* With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
nonetheless, resulting in undefined reference errors when building a
shared library. Reported by Guillermo Garcia M. in #4411.
* Fix test suite code on platforms where int32_t is not int, such as
Arm Cortex-M. Fixes #4530.
* Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
directive in a header and a missing initialization in the self-test.
* Fix a missing initialization in the Camellia self-test, affecting
MBEDTLS_CAMELLIA_ALT implementations.
* Restore the ability to configure PSA via Mbed TLS options to support RSA
key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
Fixes #4512.
* Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
(when the encrypt-then-MAC extension is not in use) with some ALT
implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
the affected side to wrongly reject valid messages. Fixes #4118.
* Remove outdated check-config.h check that prevented implementing the
timing module on Mbed OS. Fixes #4633.
* Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
about missing inputs.
* Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
* Fix a resource leak in a test suite with an alternative AES
implementation. Fixes #4176.
* Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
could notably be triggered by setting the TLS debug level to 3 or above
and using a Montgomery curve for the key exchange. Reported by lhuang04
in #4578. Fixes #4608.
* psa_verify_hash() was relying on implementation-specific behavior of
mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
implementations. This reliance is now removed. Fixes #3990.
* Disallow inputs of length different from the corresponding hash when
signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
* Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
could not be triggered by code that constructed A with one of the
mbedtls_mpi_read_xxx functions (including in particular TLS code) since
those always built an mpi object with at least one limb.
Credit to OSS-Fuzz. Fixes #4641.
* Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
* The PSA API no longer allows the creation or destruction of keys with a
read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
can now only be used as intended, for keys that cannot be modified through
normal use of the API.
* When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
in all the right places. Include it from crypto_platform.h, which is
the natural place. Fixes #4649.
* mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
restartable variants now always honor the specified hash length if
nonzero. Before, for RSA, hash_len was ignored in favor of the length of
the specified hash algorithm.
* Fix which alert is sent in some cases to conform to the
applicable RFC: on an invalid Finished message value, an
invalid max_fragment_length extension, or an
unsupported extension used by the server.
* Correct (change from 12 to 13 bytes) the value of the macro describing the
maximum nonce length returned by psa_aead_generate_nonce().
Changes
* Add extra printf compiler warning flags to builds.
* Fix memsan build false positive in x509_crt.c with Clang 11
* Fix the setting of the read timeout in the DTLS sample programs.
* Remove the AES sample application programs/aes/aescrypt2 which shows
bad cryptographic practice. Fix #1906.
* Alternative implementations of CMAC may now opt to not support 3DES as a
CMAC block cipher, and still pass the CMAC self test.
* Remove configs/config-psa-crypto.h, which was identical to the default
configuration except for having some extra cryptographic mechanisms
enabled and for unintended differences. This configuration was primarily
intended to demonstrate the PSA API, and lost most of its usefulness when
MBEDTLS_PSA_CRYPTO_C became enabled by default.
* When building the test suites with GNU make, invoke python3 or python, not
python2, which is no longer supported upstream.
* When using session cache based session resumption on the server,
double-check that custom session cache implementations return
sessions which are consistent with the negotiated ciphersuite
and compression method.
* Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
When that flag is on, standard GNU C printf format specifiers
should be used.
* Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
during ECC operations at a negligible performance cost.
* mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
when their input has length 0. Note that this is an implementation detail
and can change at any time, so this change should be transparent, but it
may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
now writing an empty string where it previously wrote one or more
zero digits when operating from values constructed with an mpi_read
function and some mpi operations.
* Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
is also applied when loading a key from storage.
= mbed TLS 2.26.0 branch released 2021-03-08
API changes
* Renamed the PSA Crypto API output buffer size macros to bring them in line
with version 1.0.0 of the specification.
* The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
in bits rather than bytes, with an additional flag to indicate if the
size may have been rounded up to a whole number of bytes.
* Renamed the PSA Crypto API AEAD tag length macros to bring them in line
with version 1.0.0 of the specification.
Default behavior changes
* In mbedtls_rsa_context objects, the ver field was formerly documented
as always 0. It is now reserved for internal purposes and may take
different values.
New deprecations
* PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
deprecated.
* PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
have been renamed, and the old names deprecated.
Features
* The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
CTR_DRBG is used by default if it is available, but you can override
this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
Fix #3354.
* Automatic fallback to a software implementation of ECP when
MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
* The PSA crypto subsystem can now be configured to use less static RAM by
tweaking the setting for the maximum amount of keys simultaneously in RAM.
MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
can exist simultaneously. It has a sensible default if not overridden.
* Partial implementation of the PSA crypto driver interface: Mbed TLS can
now use an external random generator instead of the library's own
entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
and see the documentation of mbedtls_psa_external_get_random() for details.
* Applications using both mbedtls_xxx and psa_xxx functions (for example,
applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
random generator with mbedtls_xxx functions. See the documentation of
mbedtls_psa_get_random() for details.
* In the PSA API, the policy for a MAC or AEAD algorithm can specify a
minimum MAC or tag length thanks to the new wildcards
PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.
Security
* Fix a security reduction in CTR_DRBG when the initial seeding obtained a
nonce from entropy. Applications were affected if they called
mbedtls_ctr_drbg_set_nonce_len(), if they called
mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
In such cases, a random nonce was necessary to achieve the advertised
security strength, but the code incorrectly used a constant instead of
entropy from the nonce.
Found by John Stroebel in #3819 and fixed in #3973.
* Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|. Reported by Guido Vranken in #4042.
* Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write a private RSA keys of the largest
supported size.
Found by Daniel Otte, reported in #4093 and fixed in #4094.
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout() when given a file descriptor that is
beyond FD_SETSIZE. Reported by FigBug in #4169.
* Guard against strong local side channel attack against base64 tables by
making access aceess to them use constant flow code.
Bugfix
* Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
* Fix memory leak that occured when calling psa_close_key() on a
wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
* Fix an incorrect error code if an RSA private operation glitched.
* Fix a memory leak in an error case in psa_generate_derived_key_internal().
* Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
is enabled, on platforms where initializing a mutex allocates resources.
This was a regression introduced in the previous release. Reported in
#4017, #4045 and #4071.
* Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
twice is safe. This happens for RSA when some Mbed TLS library functions
fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
enabled on platforms where freeing a mutex twice is not safe.
* Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
when MBEDTLS_THREADING_C is enabled on platforms where initializing
a mutex allocates resources.
* Fixes a bug where, if the library was configured to include support for
both the old SE interface and the new PSA driver interface, external keys were
not loaded from storage. This was fixed by #3996.
* This change makes 'mbedtls_x509write_crt_set_basic_constraints'
consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
include this extension in all CA certificates that contain public keys
used to validate digital signatures on certificates and MUST mark the
extension as critical in such certificates." Previous to this change,
the extension was always marked as non-critical. This was fixed by
#3698.
Changes
* A new library C file psa_crypto_client.c has been created to contain
the PSA code needed by a PSA crypto client when the PSA crypto
implementation is not included into the library.
* On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
now uses the getrandom syscall instead of reading from /dev/urandom.
= mbed TLS 2.25.0 branch released 2020-12-11
API changes
* The numerical values of the PSA Crypto API macros have been updated to
conform to version 1.0.0 of the specification.
* PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4.
The underlying stream cipher is determined by the key type
(PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4).
* The functions mbedtls_cipher_auth_encrypt() and
mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
as they have no way to check if the output buffer is large enough.
Please use mbedtls_cipher_auth_encrypt_ext() and
mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
Cryptofuzz. Fixes #3665.
Requirement changes
* Update the minimum required CMake version to 2.8.12. This silences a
warning on CMake 3.19.0. #3801
New deprecations
* PSA_ALG_CHACHA20 and PSA_ALG_ARC4 have been deprecated.
Use PSA_ALG_STREAM_CIPHER instead.
* The functions mbedtls_cipher_auth_encrypt() and
mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
functions mbedtls_cipher_auth_encrypt_ext() and
mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers,
these new functions always append the tag to the ciphertext, and include
the tag in the ciphertext length.
Features
* Partial implementation of the new PSA Crypto accelerator APIs. (Symmetric
ciphers, asymmetric signing/verification and key generation, validate_key
entry point, and export_public_key interface.)
* Add support for ECB to the PSA cipher API.
* In PSA, allow using a key declared with a base key agreement algorithm
in combined key agreement and derivation operations, as long as the key
agreement algorithm in use matches the algorithm the key was declared with.
This is currently non-standard behaviour, but expected to make it into a
future revision of the PSA Crypto standard.
* Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by
external CMake projects that include this one to avoid CMake target name
clashes. The default value of this variable is "", so default target names
are unchanged.
* Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
Pascal, improved by Ron Eldor.
* In the PSA API, it is no longer necessary to open persistent keys:
operations now accept the key identifier. The type psa_key_handle_t is now
identical to psa_key_id_t instead of being platform-defined. This bridges
the last major gap to compliance with the PSA Cryptography specification
version 1.0.0. Opening persistent keys is still supported for backward
compatibility, but will be deprecated and later removed in future
releases.
* PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and
PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version
1.0.0 of the PSA Crypto API specification.
Security
* The functions mbedtls_cipher_auth_encrypt() and
mbedtls_cipher_auth_decrypt() would write past the minimum documented
size of the output buffer when used with NIST_KW. As a result, code using
those functions as documented with NIST_KW could have a buffer overwrite
of up to 15 bytes, with consequences ranging up to arbitrary code
execution depending on the location of the output buffer.
* Limit the size of calculations performed by mbedtls_mpi_exp_mod to
MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
* A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
which is how most uses of randomization in asymmetric cryptography
(including key generation, intermediate value randomization and blinding)
are implemented. This could cause failures or the silent use of non-random
values. A random generator can fail if it needs reseeding and cannot not
obtain entropy, or due to an internal failure (which, for Mbed TLS's own
CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
* Fix a compliance issue whereby we were not checking the tag on the
algorithm parameters (only the size) when comparing the signature in the
description part of the cert to the real signature. This meant that a
NULL algorithm parameters entry would look identical to an array of REAL
(size zero) to the library and thus the certificate would be considered
valid. However, if the parameters do not match in *any* way then the
certificate should be considered invalid, and indeed OpenSSL marks these
certs as invalid when mbedtls did not.
Many thanks to guidovranken who found this issue via differential fuzzing
and reported it in #3629.
* Zeroising of local buffers and variables which are used for calculations
in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
functions to erase sensitive data from memory. Reported by
Johan Malmgren and Johan Uppman Bruce from Sectra.
Bugfix
* Fix an invalid (but non-zero) return code from mbedtls_pk_parse_subpubkey()
when the input has trailing garbage. Fixes #2512.
* Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
* Include the psa_constant_names generated source code in the source tree
instead of generating it at build time. Fixes #3524.
* Fix rsa_prepare_blinding() to retry when the blinding value is not
invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
Fixes #3647.
* Use socklen_t on Android and other POSIX-compliant system
* Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
Fix #3432.
* Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input
sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
psa_cipher_* functions compliant with the PSA Crypto API specification.
* mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names
"x25519" and "x448". These curves support ECDH but not ECDSA. If you need
only the curves that support ECDSA, filter the list with
mbedtls_ecdsa_can_do().
* Fix psa_generate_key() returning an error when asked to generate
an ECC key pair on Curve25519 or secp244k1.
* Fix psa_key_derivation_output_key() to allow the output of a combined key
agreement and subsequent key derivation operation to be used as a key
inside of the PSA Crypto core.
* Fix handling of EOF against 0xff bytes and on platforms with unsigned
chars. Fixes a build failure on platforms where char is unsigned. Fixes
#3794.
* Fix an off-by-one error in the additional data length check for
CCM, which allowed encryption with a non-standard length field.
Fixes #3719.
* Correct the default IV size for mbedtls_cipher_info_t structures using
MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
* Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
defined. Fix contributed in #3571.
* Fix conditions for including string.h in error.c. Fixes #3866.
* psa_set_key_id() now also sets the lifetime to persistent for keys located
in a secure element.
* Attempting to create a volatile key with a non-zero key identifier now
fails. Previously the key identifier was just ignored when creating a
volatile key.
* Attempting to create or register a key with a key identifier in the vendor
range now fails.
* Fix build failures on GCC 11. Fixes #3782.
* Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
* Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
(an error condition) and the second operand was aliased to the result.
* Fix a case in elliptic curve arithmetic where an out-of-memory condition
could go undetected, resulting in an incorrect result.
* In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
Fixes #2927.
* In PEM writing functions, fill the trailing part of the buffer with null
bytes. This guarantees that the corresponding parsing function can read
the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
until this property was inadvertently broken in Mbed TLS 2.19.0.
Fixes #3682.
* Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT
option on. In this configuration key management methods that are required
for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail.
Fixes #3818. Reported by John Stroebel.
Changes
* Reduce stack usage significantly during sliding window exponentiation.
Reported in #3591 and fix contributed in #3592 by Daniel Otte.
* The PSA persistent storage format is updated to always store the key bits
attribute. No automatic upgrade path is provided. Previously stored keys
must be erased, or manually upgraded based on the key storage format
specification (docs/architecture/mbed-crypto-storage-specification.md).
Fixes #3740.
* Remove the zeroization of a pointer variable in AES rounds. It was valid
but spurious and misleading since it looked like a mistaken attempt to
zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
Leti, France.
= mbed TLS 2.24.0 branch released 2020-09-01
API changes
* In the PSA API, rename the types of elliptic curve and Diffie-Hellman
group families to psa_ecc_family_t and psa_dh_family_t, in line with the
PSA Crypto API specification version 1.0.0.
Rename associated macros as well:
PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
Default behavior changes
* Stop storing persistent information about externally stored keys created
through PSA Crypto with a volatile lifetime. Reported in #3288 and
contributed by Steven Cooreman in #3382.
Features
* The new function mbedtls_ecp_write_key() exports private ECC keys back to
a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
* Support building on e2k (Elbrus) architecture: correctly enable
-Wformat-signedness, and fix the code that causes signed-one-bit-field
and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
Security
* Fix a vulnerability in the verification of X.509 certificates when
matching the expected common name (the cn argument of
mbedtls_x509_crt_verify()) with the actual certificate name: when the
subjecAltName extension is present, the expected name was compared to any
name in that extension regardless of its type. This means that an
attacker could for example impersonate a 4-bytes or 16-byte domain by
getting a certificate for the corresponding IPv4 or IPv6 (this would
require the attacker to control that IP address, though). Similar attacks
using other subjectAltName name types might be possible. Found and
reported by kFYatek in #3498.
* When checking X.509 CRLs, a certificate was only considered as revoked if
its revocationDate was in the past according to the local clock if
available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
certificates were never considered as revoked. On builds with
MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
example, an untrusted OS attacking a secure enclave) could prevent
revocation of certificates via CRLs. Fixed by no longer checking the
revocationDate field, in accordance with RFC 5280. Reported by
yuemonangong in #3340. Reported independently and fixed by
Raoul Strackx and Jethro Beekman in #3433.
* In (D)TLS record decryption, when using a CBC ciphersuites without the
Encrypt-then-Mac extension, use constant code flow memory access patterns
to extract and check the MAC. This is an improvement to the existing
countermeasure against Lucky 13 attacks. The previous countermeasure was
effective against network-based attackers, but less so against local
attackers. The new countermeasure defends against local attackers, even
if they have access to fine-grained measurements. In particular, this
fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz,
Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
(University of Florida) and Dave Tian (Purdue University).
* Fix side channel in RSA private key operations and static (finite-field)
Diffie-Hellman. An adversary with precise enough timing and memory access
information (typically an untrusted operating system attacking a secure
enclave) could bypass an existing counter-measure (base blinding) and
potentially fully recover the private key.
* Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
for pinpointing the problematic code.
* Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
application data from memory. Reported in #689 by
Johan Uppman Bruce of Sectra.
Bugfix
* Library files installed after a CMake build no longer have execute
permission.
* Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
redefinition if the function is inlined.
Reported in #3451 and fix contributed in #3452 by okhowang.
* Fix the endianness of Curve25519 keys imported/exported through the PSA
APIs. psa_import_key and psa_export_key will now correctly expect/output
Montgomery keys in little-endian as defined by RFC7748. Contributed by
Steven Cooreman in #3425.
* Fix build errors when the only enabled elliptic curves are Montgomery
curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
also fixes missing declarations reported by Steven Cooreman in #1147.
* Fix self-test failure when the only enabled short Weierstrass elliptic
curve is secp192k1. Fixes #2017.
* PSA key import will now correctly import a Curve25519/Curve448 public key
instead of erroring out. Contributed by Steven Cooreman in #3492.
* Use arc4random_buf on NetBSD instead of rand implementation with cyclical
lower bits. Fix contributed in #3540.
* Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
conditions. Reported and fix suggested by Guido Vranken in #3486.
* Fix bug in redirection of unit test outputs on platforms where stdout is
defined as a macro. First reported in #2311 and fix contributed in #3528.
Changes
* Only pass -Wformat-signedness to versions of GCC that support it. Reported
in #3478 and fix contributed in #3479 by okhowang.
* Reduce the stack consumption of mbedtls_x509write_csr_der() which
previously could lead to stack overflow on constrained devices.
Contributed by Doru Gucea and Simon Leet in #3464.
* Undefine the ASSERT macro before defining it locally, in case it is defined
in a platform header. Contributed by Abdelatif Guettouche in #3557.
* Update copyright notices to use Linux Foundation guidance. As a result,
the copyright of contributors other than Arm is now acknowledged, and the
years of publishing are no longer tracked in the source files. This also
eliminates the need for the lines declaring the files to be part of
MbedTLS. Fixes #3457.
* Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
example applications which allows to provide a password for the key file
specified through the existing key_file argument. This allows the use of
these applications with password-protected key files. Analogously but for
ssl_server2 only, add the command line parameter key_pwd2 which allows to
set a password for the key file provided through the existing key_file2
argument.
= mbed TLS 2.23.0 branch released 2020-07-01
Default behavior changes
* In the experimental PSA secure element interface, change the encoding of
key lifetimes to encode a persistence level and the location. Although C
prototypes do not effectively change, code calling
psa_register_se_driver() must be modified to pass the driver's location
instead of the keys' lifetime. If the library is upgraded on an existing
device, keys created with the old lifetime value will not be readable or
removable through Mbed TLS after the upgrade.
Features
* New functions in the error module return constant strings for
high- and low-level error codes, complementing mbedtls_strerror()
which constructs a string for any error code, including compound
ones, but requires a writable buffer. Contributed by Gaurav Aggarwal
in #3176.
* The new utility programs/ssl/ssl_context_info prints a human-readable
dump of an SSL context saved with mbedtls_ssl_context_save().
* Add support for midipix, a POSIX layer for Microsoft Windows.
* Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows
parsing unsupported certificate extensions via user provided callback.
Contributed by Nicola Di Lieto <[email protected]> in #3243 as
a solution to #3241.
* Pass the "certificate policies" extension to the callback supplied to
mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
policies (#3419).
* Added support to entropy_poll for the kern.arandom syscall supported on
some BSD systems. Contributed by Nia Alarie in #3423.
* Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
Security
* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
Strackx (Fortanix) in #3394.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
private key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros). This would cause the original Lucky 13 attack to be possible in
those configurations, allowing an active network attacker to recover
plaintext after repeated timing measurements under some conditions.
Reported and fix suggested by Luc Perneel in #3246.
Bugfix
* Fix the Visual Studio Release x64 build configuration for mbedtls itself.
Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
the example programs. Reported in #1430 and fix contributed by irwir.
* Fix undefined behavior in X.509 certificate parsing if the
pathLenConstraint basic constraint value is equal to INT_MAX.
The actual effect with almost every compiler is the intended
behavior, so this is unlikely to be exploitable anywhere. #3192
* Fix issue with a detected HW accelerated record error not being exposed
due to shadowed variable. Contributed by Sander Visser in #3310.
* Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
NULL pointer argument. Contributed by Sander Visser in #3312.
* Fix potential linker errors on dual world platforms by inlining
mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
from psa_crypto.c. Fixes #3300.
* Remove dead code in X.509 certificate parsing. Contributed by irwir in
#2855.
* Include asn1.h in error.c. Fixes #3328 reported by David Hu.
* Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
when PRNG function fails. Contributed by Jonas Lejeune in #3318.
* Remove unused macros from MSVC projects. Reported in #3297 and fix
submitted in #3333 by irwir.
* Add additional bounds checks in ssl_write_client_hello() preventing
output buffer overflow if the configuration declared a buffer that was
too small.
* Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
fix submitted in #3421 by Nia Alarie.
* Fix building library/net_sockets.c and the ssl_mail_client program on
NetBSD. Contributed by Nia Alarie in #3422.
* Fix false positive uninitialised variable reported by cpp-check.
Contributed by Sander Visser in #3311.
* Update iv and len context pointers manually when reallocating buffers
using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues
when receiving a connection with CID, when these fields were shifted
in ssl_parse_record_header().
Changes
* Fix warnings about signedness issues in format strings. The build is now
clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
in #3153.
* Fix minor performance issue in operations on Curve25519 caused by using a
suboptimal modular reduction in one place. Found and fix contributed by
Aurelien Jarno in #3209.
* Combine identical cases in switch statements in md.c. Contributed
by irwir in #3208.
* Simplify a bounds check in ssl_write_certificate_request(). Contributed
by irwir in #3150.
* Unify the example programs termination to call mbedtls_exit() instead of
using a return command. This has been done to enable customization of the
behavior in bare metal environments.
* Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
Contributed by Koh M. Nakagawa in #3326.
* Use FindPython3 when cmake version >= 3.15.0
* Abort the ClientHello writing function as soon as some extension doesn't
fit into the record buffer. Previously, such extensions were silently
dropped. As a consequence, the TLS handshake now fails when the output
buffer is not large enough to hold the ClientHello.
* The unit tests now rely on header files in tests/include/test and source
files in tests/src. When building with make or cmake, the files in
tests/src are compiled and the resulting object linked into each test
executable.
* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
`MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
coutermeasures. If side channels are not a concern, this dependency can
be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
* Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes
Martinho. #3147
* Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
in #3182 and fix submitted by irwir. #3217
* Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
= mbed TLS 2.22.0 branch released 2020-04-14
New deprecations
* Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
SSL module for hardware acceleration of individual records.
* Deprecate mbedtls_ssl_get_max_frag_len() in favour of
mbedtls_ssl_get_output_max_frag_len() and
mbedtls_ssl_get_input_max_frag_len() to be more precise about which max
fragment length is desired.
Security
* Fix issue in DTLS handling of new associations with the same parameters
(RFC 6347 section 4.2.8): an attacker able to send forged UDP packets to
the server could cause it to drop established associations with
legitimate clients, resulting in a Denial of Service. This could only
happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
(which it is by default).
* Fix side channel in ECC code that allowed an adversary with access to
precise enough timing and memory access information (typically an
untrusted operating system attacking a secure enclave) to fully recover
an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
* Fix a potentially remotely exploitable buffer overread in a
DTLS client when parsing the Hello Verify Request message.
Features
* The new build option MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH automatically
resizes the I/O buffers before and after handshakes, reducing the memory
consumption during application data transfer.
Bugfix
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
* Remove a spurious check in ssl_parse_client_psk_identity that triggered
a warning with some compilers. Fix contributed by irwir in #2856.
* Fix a function name in a debug message. Contributed by Ercan Ozturk in
#3013.
Changes
* Mbed Crypto is no longer a Git submodule. The crypto part of the library
is back directly in the present repository.
* Split mbedtls_ssl_get_max_frag_len() into
mbedtls_ssl_get_output_max_frag_len() and
mbedtls_ssl_get_input_max_frag_len() to ensure that a sufficient input
buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
is defined), regardless of what MFL was configured for it.
= mbed TLS 2.21.0 branch released 2020-02-20
New deprecations
* Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO that enables parsing
SSLv2 ClientHello messages.
* Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
* Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
library which allows TLS authentication to use keys stored in a
PKCS#11 token such as a smartcard.
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
* To avoid a side channel vulnerability when parsing an RSA private key,
read all the CRT parameters from the DER structure rather than
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
Brumley. Reported and fix contributed by Jack Lloyd.
ARMmbed/mbed-crypto#352
Features
* The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
support without SHA-384.
API changes
* Change the encoding of key types and curves in the PSA API. The new
values are aligned with the upcoming release of the PSA Crypto API
specification version 1.0.0. The main change which may break some
existing code is that elliptic curve key types no longer encode the
exact curve: a psa_ecc_curve_t or psa_key_type_t value only encodes
a curve family and the key size determines the exact curve (for example,
PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
Bugfix
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix build failure with MBEDTLS_ZLIB_SUPPORT enabled. Reported by
Jack Lloyd in #2859. Fix submitted by jiblime in #2963.
* Fix some false-positive uninitialized variable warnings in X.509. Fix
contributed by apple-ihack-geek in #2663.
* Fix a possible error code mangling in psa_mac_verify_finish() when
a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys that would later be rejected by functions expecting private
keys. Found by Catena cyber using oss-fuzz (issue 20467).
* Fix a bug in mbedtls_pk_parse_key() that would cause it to
accept some RSA keys with invalid values by silently fixing those values.
= mbed TLS 2.20.0 branch released 2020-01-15
Default behavior changes
* The initial seeding of a CTR_DRBG instance makes a second call to the
entropy function to obtain entropy for a nonce if the entropy size is less
than 3/2 times the key size. In case you want to disable the extra call to
grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the
nonce length to 0.
Security
* Enforce that mbedtls_entropy_func() gathers a total of
MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the
default configuration, on a platform with a single entropy source, the
entropy module formerly only grabbed 32 bytes, which is good enough for
security if the source is genuinely strong, but less than the expected 64
bytes (size of the entropy accumulator).
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
mbedtls_internal_aes_decrypt() before exiting the function. The value of
these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).
* Fix side channel vulnerability in ECDSA. Our bignum implementation is not
constant time/constant trace, so side channel attacks can retrieve the
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
to have only large prime factors), and then, by brute force, recover the
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Fix side channel vulnerability in ECDSA key generation. Obtaining precise
timings on the comparison in the key generation enabled the attacker to
learn leading bits of the ephemeral key used during ECDSA signatures and to
recover the private key. Reported by Jeremy Dubeuf.
* Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
failures could happen with alternative implementations of AES. Bug
reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
Sectra.
Features
* Key derivation inputs in the PSA API can now either come from a key object
or from a buffer regardless of the step type.
* The CTR_DRBG module can grab a nonce from the entropy source during the
initial seeding. The default nonce length is chosen based on the key size
to achieve the security strength defined by NIST SP 800-90A. You can
change it with mbedtls_ctr_drbg_set_nonce_len().
* Add ENUMERATED tag support to the ASN.1 module. Contributed by
msopiha-linaro in ARMmbed/mbed-crypto#307.
API changes
* In the PSA API, forbid zero-length keys. To pass a zero-length input to a
key derivation function, use a buffer instead (this is now always
possible).
* Rename psa_asymmetric_sign() to psa_sign_hash() and
psa_asymmetric_verify() to psa_verify_hash().
Bugfix
* Fix an incorrect size in a debugging message. Reported and fix
submitted by irwir. Fixes #2717.
* Fix an unused variable warning when compiling without DTLS.
Reported and fix submitted by irwir. Fixes #2800.
* Remove a useless assignment. Reported and fix submitted by irwir.
Fixes #2801.
* Fix a buffer overflow in the PSA HMAC code when using a long key with an
unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
* Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit
to OSS-Fuzz for finding a bug in an intermediate version of the fix.
* Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at