Skip to content

Releases: Mbed-TLS/mbedtls

Mbedtls 2.28.5

05 Oct 17:15
47e8cc9
Compare
Choose a tag to compare

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following links:

Release Notes

Features

  • The documentation of mbedtls_ecp_group now describes the optimized
    representation of A for some curves. Fixes #8045.

Security

  • Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
    review the size of the output buffer passed to this function, and note
    that the output after decryption may include CBC padding. Consider moving
    to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
    which checks for overflow of the output buffer and reports the actual
    length of the output.
  • Improve padding calculations in CBC decryption, NIST key unwrapping and
    RSA OAEP decryption. With the previous implementation, some compilers
    (notably recent versions of Clang and IAR) could produce non-constant
    time code, which could allow a padding oracle attack if the attacker
    has access to precise timing measurements.
  • Fix a buffer overread when parsing short TLS application data records in
    ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz.

Bugfix

  • Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
    using ECC key. The certificate was rejected by some crypto frameworks.
    Fixes #2924.
  • Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
    signature can silently return an incorrect result in low memory conditions.
  • Fix IAR compiler warnings. Fixes #7873, #4300.
  • Fix an issue when parsing an otherName subject alternative name into a
    mbedtls_x509_san_other_name struct. The type-id of the otherName was not
    copied to the struct. This meant that the struct had incomplete
    information about the otherName SAN and contained uninitialized memory.
  • Fix the detection of HardwareModuleName otherName SANs. These were being
    detected by comparing the wrong field and the check was erroneously
    inverted.
  • Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
    MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
  • Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
    error code on failure. Before, they returned 1 to indicate failure in
    some cases involving a missing entry or a full cache.

Changes

  • In configurations with ARIA or Camellia but not AES, the value of
    MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
    suggest. This did not affect any library code, because this macro was
    only used in relation with CMAC which does not support these ciphers.
    Its value is now 16 if ARIA or Camellia are present. This may affect
    application code that uses this macro.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:
dbd42a11c26143aa8de1c07fd6ec6765395e86b06f583f051cfa60e8f0b23125 mbedtls-2.28.5.tar.gz
d3a6c0a9746ccae0e36ab914064ce37b0e2d92ccca909e4fd5f8015b51f34456 mbedtls-2.28.5.zip

Mbed TLS 3.4.1

03 Aug 17:42
72718dd
Compare
Choose a tag to compare

Description

This release of Mbed TLS provides bug fixes and minor enhancements.

Security Advisories

There are no security advisories for this release.

Release Notes

Bugfix

  • Fix builds on Windows with clang

Changes

  • Update test data to avoid failures of unit tests after 2023-08-07.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

a420fcf7103e54e775c383e3751729b8fb2dcd087f6165befd13f28315f754f5 mbedtls-3.4.1.tar.gz
ad10adf1f0b093302f9e74b02a5a5412274359a1f6b39034940934054ec3c7c6 mbedtls-3.4.1.zip

Mbed TLS 2.28.4

03 Aug 17:41
aeb97a1
Compare
Choose a tag to compare

Description

This release of Mbed TLS provides bug fixes and minor enhancements.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

There are no security advisories for this release.

Release Notes

Features

  • Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
    setting the CMake variable of the same name at configuration time.

Bugfix

  • Fix crypt_and_hash decryption fail when used with a stream cipher
    mode of operation, due to the input not being a multiple of the block
    size. Resolves #7417.
  • Fix a bug where mbedtls_x509_string_to_names() would return success
    when given a invalid name string, if it did not contain '=' or ','.
  • Fix missing PSA initialization in sample programs when
    MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Fix clang and armclang compilation error when targeting certain Arm
    M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
    SecurCore SC000). Fixes #1077.
  • Fixed an issue that caused compile errors when using CMake and the IAR
    toolchain.
  • Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
  • Fix builds on Windows with clang.
  • Fix compilation warnings in aes.c for certain combinations
    of configuration options.
  • Fix a compilation error on some platforms when including mbedtls/ssl.h
    with all TLS support disabled. Fixes #6628.

Changes

  • Update test data to avoid failures of unit tests after 2023-08-07, and
    update expiring certififcates in the certs module.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

578c4dcd15bbff3f5cd56aa07cd4f850fc733634e3d5947be4f7157d5bfd81ac mbedtls-2.28.4.tar.gz
c325bce754bcd26ae45af8fa38f67dcd45d2e23784cf818c4c97694903add530 mbedtls-2.28.4.zip

Mbed TLS 3.4.0

28 Mar 12:50
1873d3b
Compare
Choose a tag to compare

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

There are no security advisories for this release.

Release Notes

Default behavior changes

  • The default priority order of TLS 1.3 cipher suites has been modified to
    follow the same rules as the TLS 1.2 cipher suites (see
    ssl_ciphersuites.c). The preferred cipher suite is now
    TLS_CHACHA20_POLY1305_SHA256.

New deprecations

  • mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
    mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
    direct dependency of X509 on BIGNUM_C.
  • PSA to mbedtls error translation is now unified in psa_util.h,
    deprecating mbedtls_md_error_from_psa. Each file that performs error
    translation should define its own version of PSA_TO_MBEDTLS_ERR,
    optionally providing file-specific error pairs. Please see psa_util.h for
    more details.

Features

  • Added partial support for parsing the PKCS #7 Cryptographic Message
    Syntax, as defined in RFC 2315. Currently, support is limited to the
    following:
    • Only the signed-data content type, version 1 is supported.
    • Only DER encoding is supported.
    • Only a single digest algorithm per message is supported.
    • Certificates must be in X.509 format. A message must have either 0
      or 1 certificates.
    • There is no support for certificate revocation lists.
    • The authenticated and unauthenticated attribute fields of SignerInfo
      must be empty.
      Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
      contributing this feature, and to Demi-Marie Obenour for contributing
      various improvements, tests and bug fixes.
  • General performance improvements by accessing multiple bytes at a time.
    Fixes #1666.
  • Improvements to use of unaligned and byte-swapped memory, reducing code
    size and improving performance (depending on compiler and target
    architecture).
  • Add support for reading points in compressed format
    (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
    (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
    (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
    except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
  • SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
    This helps in saving code size when some of the above hashes are not
    required.
  • Add parsing of V3 extensions (key usage, Netscape cert-type,
    Subject Alternative Names) in x509 Certificate Sign Requests.
  • Use HOSTCC (if it is set) when compiling C code during generation of the
    configuration-independent files. This allows them to be generated when
    CC is set for cross compilation.
  • Add parsing of uniformResourceIdentifier subtype for subjectAltName
    extension in x509 certificates.
  • Add an interruptible version of sign and verify hash to the PSA interface,
    backed by internal library support for ECDSA signing and verification.
  • Add parsing of rfc822Name subtype for subjectAltName
    extension in x509 certificates.
  • The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
    MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
    the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
  • When a PSA driver for ECDSA is present, it is now possible to disable
    MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
    and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
    Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
    supported in those builds yet, as driver support for interruptible ECDSA
    operations is not present yet.
  • Add a driver dispatch layer for EC J-PAKE, enabling alternative
    implementations of EC J-PAKE through the driver entry points.
  • Add new API mbedtls_ssl_cache_remove for cache entry removal by
    its session id.
  • Add support to include the SubjectAltName extension to a CSR.
  • Add support for AES with the Armv8-A Cryptographic Extension on
    64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
    be used to enable this feature. Run-time detection is supported
    under Linux only.
  • When a PSA driver for EC J-PAKE is present, it is now possible to disable
    MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
    corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
    to be enabled.
  • Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
    to read non-public fields for padding mode and hash id from
    an mbedtls_rsa_context, as requested in #6917.
  • AES-NI is now supported with Visual Studio.
  • AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
    is disabled, when compiling with GCC or Clang or a compatible compiler
    for a target CPU that supports the requisite instructions (for example
    gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
    compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
  • It is now possible to use a PSA-held (opaque) password with the TLS 1.2
    ECJPAKE key exchange, using the new API function
    mbedtls_ssl_set_hs_ecjpake_password_opaque().

Security

  • Use platform-provided secure zeroization function where possible, such as
    explicit_bzero().
  • Zeroize SSL cache entries when they are freed.
  • Fix a potential heap buffer overread in TLS 1.3 client-side when
    MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
  • Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
    Arm, so that these systems are no longer vulnerable to timing side-channel
    attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
    Reported by Demi Marie Obenour.
  • MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
    builds that couldn't compile the GCC-style assembly implementation
    (most notably builds with Visual Studio), leaving them vulnerable to
    timing side-channel attacks. There is now an intrinsics-based AES-NI
    implementation as a fallback for when the assembly one cannot be used.

Bugfix

  • Fix possible integer overflow in mbedtls_timing_hardclock(), which
    could cause a crash in programs/test/benchmark.
  • Fix IAR compiler warnings. Fixes #6924.
  • Fix a bug in the build where directory names containing spaces were
    causing generate_errors.pl to error out resulting in a build failure.
    Fixes issue #6879.
  • In TLS 1.3, when using a ticket for session resumption, tweak its age
    calculation on the client side. It prevents a server with more accurate
    ticket timestamps (typically timestamps in milliseconds) compared to the
    Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
    than the age computed and transmitted by the client and thus potentially
    reject the ticket. Fix #6623.
  • Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
    defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
  • List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
    be toggled with config.py.
  • The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
    used on a shared secret from a key agreement since its input must be
    an ECC public key. Reject this properly.
  • mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
    whose binary representation is longer than 20 bytes. This was already
    forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
    enforced also at code level.
  • Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
    Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
    Aaron Ucko under Valgrind.
  • Fix behavior of certain sample programs which could, when run with no
    arguments, access uninitialized memory in some cases. Fixes #6700 (which
    was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
  • Fix parsing of X.509 SubjectAlternativeName extension. Previously,
    malformed alternative name components were not caught during initial
    certificate parsing, but only on subsequent calls to
    mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
  • Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
    possible to verify RSA PSS signatures with the pk module, which was
    inadvertently broken since Mbed TLS 3.0.
  • Fix bug in conversion from OID to string in
    mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
    correctly.
  • Reject OIDs with overlong-encoded subidentifiers when converting
    them to a string.
  • Reject OIDs with subidentifier values exceeding UINT_MAX. Such
    subidentifiers can be valid, but Mbed TLS cannot currently handle them.
  • Reject OIDs that have unterminated subidentifiers, or (equivalently)
    have the most-significant bit set in their last byte.
  • Silence warnings from clang -Wdocumentation about empty \retval
    descriptions, which started appearing with Clang 15. Fixes #6960.
  • Fix the handling of renegotiation attempts in TLS 1.3. They are now
    systematically rejected.
  • Fix an unused-variable warning in TLS 1.3-only builds if
    MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
  • Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
    len argument is 0 and buffer is NULL.
  • Allow setting user and peer identifiers for EC J-PAK...
Read more

Mbed TLS 2.28.3

28 Mar 12:50
981743d
Compare
Choose a tag to compare

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

There are no security advisories for this release.

Release Notes

Features

  • Use HOSTCC (if it is set) when compiling C code during generation of the
    configuration-independent files. This allows them to be generated when
    CC is set for cross compilation.
  • AES-NI is now supported with Visual Studio.
  • AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
    is disabled, when compiling with GCC or Clang or a compatible compiler
    for a target CPU that supports the requisite instructions (for example
    gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
    compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)

Security

  • MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
    builds that couldn't compile the GCC-style assembly implementation
    (most notably builds with Visual Studio), leaving them vulnerable to
    timing side-channel attacks. There is now an intrinsics-based AES-NI
    implementation as a fallback for when the assembly one cannot be used.

Bugfix

  • Fix a build issue on Windows where the source and build directory could
    not be on different drives (#5751).
  • Fix possible integer overflow in mbedtls_timing_hardclock(), which
    could cause a crash for certain platforms & compiler options.
  • Fix IAR compiler warnings. Fixes #6924.
  • Fix a bug in the build where directory names containing spaces were
    causing generate_errors.pl to error out resulting in a build failure.
    Fixes issue #6879.
  • Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
    defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
  • Fix a build issue when defining MBEDTLS_TIMING_ALT and MBEDTLS_SELF_TEST.
    The library would not link if the user didn't provide an external self-test
    function. The self-test is now provided regardless of the choice of
    internal/alternative timing implementation. Fixes #6923.
  • mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
    whose binary representation is longer than 20 bytes. This was already
    forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
    enforced also at code level.
  • Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
    Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
    Aaron Ucko under Valgrind.
  • Fix behavior of certain sample programs which could, when run with no
    arguments, access uninitialized memory in some cases. Fixes #6700 (which
    was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
  • Fix build errors in test programs when MBEDTLS_CERTS_C is disabled.
    Fixes #6243.
  • Fix parsing of X.509 SubjectAlternativeName extension. Previously,
    malformed alternative name components were not caught during initial
    certificate parsing, but only on subsequent calls to
    mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
  • Fix bug in conversion from OID to string in
    mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
    correctly.
  • Reject OIDs with overlong-encoded subidentifiers when converting
    them to a string.
  • Reject OIDs with subidentifier values exceeding UINT_MAX. Such
    subidentifiers can be valid, but Mbed TLS cannot currently handle them.
  • Reject OIDs that have unterminated subidentifiers, or (equivalently)
    have the most-significant bit set in their last byte.
  • Silence a warning about an unused local variable in bignum.c on
    some architectures. Fixes #7166.
  • Silence warnings from clang -Wdocumentation about empty \retval
    descriptions, which started appearing with Clang 15. Fixes #6960.
  • Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
    len argument is 0 and buffer is NULL.

Changes

  • The C code follows a new coding style. This is transparent for users but
    affects contributors and maintainers of local patches. For more
    information, see
    https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
  • Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
    As tested in issue 6790, the correlation between this define and
    RSA decryption performance has changed lately due to security fixes.
    To fix the performance degradation when using default values the
    window was reduced from 6 to 2, a value that gives the best or close
    to best results when tested on Cortex-M4 and Intel i7.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

bdf7c5bbdc338da3edad89b2885d4f8668f9a6fffeba6ec17a60333e36dade6f mbedtls-2.28.3.tar.gz
0c0abbd6e33566c5c3c15af4fc19466c8edb62fa483d4ce98f1ba3f656656d2d mbedtls-2.28.3.zip

Mbed TLS 3.3.0

14 Dec 19:28
8c89224
Compare
Choose a tag to compare

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

There are no security advisories for this release.

Release Notes

Default behavior changes

  • Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
    of the IETF draft, and was marked experimental and disabled by default.
    It is now no longer experimental, and implements the final version from
    RFC 9146, which is not interoperable with the draft-05 version.
    If you need to communicate with peers that use earlier versions of
    Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
    to 1, but then you won't be able to communicate with peers that use the
    standard (non-draft) version.
    If you need to interoperate with both classes of peers with the
    same build of Mbed TLS, please let us know about your situation on the
    mailing list or GitHub.

Requirement changes

  • When building with PSA drivers using generate_driver_wrappers.py, or
    when building the library from the development branch rather than
    from a release, the Python module jsonschema is now necessary, in
    addition to jinja2. The official list of required Python modules is
    maintained in scripts/basic.requirements.txt and may change again
    in the future.

New deprecations

  • Deprecate mbedtls_asn1_free_named_data().
    Use mbedtls_asn1_free_named_data_list()
    or mbedtls_asn1_free_named_data_list_shallow().

Features

  • Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
  • make: enable building unversioned shared library, with e.g.:
    "SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib"
    resulting in library names like "libmbedtls.so" rather than
    "libmbedcrypto.so.11".
  • Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
    Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
    are supported in this implementation.
  • Some modules can now use PSA drivers for hashes, including with no
    built-in implementation present, but only in some configurations.
    • RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
      hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
    • PEM parsing of encrypted files now uses MD-5 from PSA when (and only
      when) MBEDTLS_MD5_C is disabled.
      See the documentation of the corresponding macros in mbedtls_config.h for
      details.
      Note that some modules are not able to use hashes from PSA yet, including
      the entropy module. As a consequence, for now the only way to build with
      all hashes only provided by drivers (no built-in hash) is to use
      MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
  • When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
    properly negotiate/accept hashes based on their availability in PSA.
    As a consequence, they now work in configurations where the built-in
    implementations of (some) hashes are excluded and those hashes are only
    provided by PSA drivers. (See previous entry for limitation on RSA-PSS
    though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
  • Add support for opaque keys as the private keys associated to certificates
    for authentication in TLS 1.3.
  • Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
    Signature verification is production-ready, but generation is for testing
    purposes only. This currently only supports one parameter set
    (LMS_SHA256_M32_H10), meaning that each private key can be used to sign
    1024 messages. As such, it is not intended for use in TLS, but instead
    for verification of assets transmitted over an insecure channel,
    particularly firmware images.
  • Add the LM-OTS post-quantum-safe one-time signature scheme, which is
    required for LMS. This can be used independently, but each key can only
    be used to sign one message so is impractical for most circumstances.
  • Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
    The pre-shared keys can be provisioned externally or via the ticket
    mechanism (session resumption).
    The ticket mechanism is supported when the configuration option
    MBEDTLS_SSL_SESSION_TICKETS is enabled.
    New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
    control the support for the three possible TLS 1.3 key exchange modes.
  • cert_write: support for setting extended key usage attributes. A
    corresponding new public API call has been added in the library,
    mbedtls_x509write_crt_set_ext_key_usage().
  • cert_write: support for writing certificate files in either PEM
    or DER format.
  • The PSA driver wrapper generator generate_driver_wrappers.py now
    supports a subset of the driver description language, including
    the following entry points: import_key, export_key, export_public_key,
    get_builtin_key, copy_key.
  • The new functions mbedtls_asn1_free_named_data_list() and
    mbedtls_asn1_free_named_data_list_shallow() simplify the management
    of memory in named data lists in X.509 structures.
  • The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
    Additional PSA key slots will be allocated in the process of such key
    exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
    MBEDTLS_USE_PSA_CRYPTO.
  • Add support for DTLS Connection ID as defined by RFC 9146, controlled by
    MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
    mbedtls_ssl_set_cid().
  • Add a driver dispatch layer for raw key agreement, enabling alternative
    implementations of raw key agreement through the key_agreement driver
    entry point. This entry point is specified in the proposed PSA driver
    interface, but had not yet been implemented.
  • Add an ad-hoc key derivation function handling EC J-PAKE to PMS
    calculation that can be used to derive the session secret in TLS 1.2,
    as described in draft-cragie-tls-ecjpake-01. This can be achieved by
    using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.

Security

  • Fix potential heap buffer overread and overwrite in DTLS if
    MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
    MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
  • An adversary with access to precise enough information about memory
    accesses (typically, an untrusted operating system attacking a secure
    enclave) could recover an RSA private key after observing the victim
    performing a single private-key operation if the window size used for the
    exponentiation was 3 or smaller. Found and reported by Zili KOU,
    Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
    and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
    and Test in Europe 2023.

Bugfix

  • Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
  • Fix an issue with in-tree CMake builds in releases with GEN_FILES
    turned off: if a shipped file was missing from the working directory,
    it could be turned into a symbolic link to itself.
  • Fix a long-standing build failure when building x86 PIC code with old
    gcc (4.x). The code will be slower, but will compile. We do however
    recommend upgrading to a more recent compiler instead. Fixes #1910.
  • Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
    Contributed by Kazuyuki Kimura to fix #2020.
  • Use double quotes to include private header file psa_crypto_cipher.h.
    Fixes 'file not found with include' error
    when building with Xcode.
  • Fix handling of broken symlinks when loading certificates using
    mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
    broken link is encountered, skip the broken link and continue parsing
    other certificate files. Contributed by Eduardo Silva in #2602.
  • Fix an interoperability failure between an Mbed TLS client with both
    TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
    rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
    advertised support for PSS in both TLS 1.2 and 1.3, but only
    actually supported PSS in TLS 1.3.
  • Fix a compilation error when using CMake with an IAR toolchain.
    Fixes #5964.
  • Fix a build error due to a missing prototype warning when
    MBEDTLS_DEPRECATED_REMOVED is enabled.
  • Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
    MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
    uninitialized context.
  • Fix a build issue on Windows using CMake where the source and build
    directories could not be on different drives. Fixes #5751.
  • Fix bugs and missing dependencies when building and testing
    configurations with only one encryption type enabled in TLS 1.2.
  • Provide the missing definition of mbedtls_setbuf() in some configurations
    with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
  • Fix compilation errors when trying to build with
    PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
  • Fix memory leak in ssl_parse_certificate_request() caused by
    mbedtls_x509_get_name() not freeing allocated objects in case of error.
    Change mbedtls_x509_get_name() to clean up allocated objects on error.
  • Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
    MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
  • Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
    MBEDTLS_PK_PARSE_C. Fixes #6409.
  • Fix ECDSA verification, where it ...
Read more

Mbed TLS 2.28.2

14 Dec 19:27
89f040a
Compare
Choose a tag to compare

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

There are no security advisories for this release.

Release Notes

Security

  • Fix potential heap buffer overread and overwrite in DTLS if
    MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
    MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
  • An adversary with access to precise enough information about memory
    accesses (typically, an untrusted operating system attacking a secure
    enclave) could recover an RSA private key after observing the victim
    performing a single private-key operation if the window size used for the
    exponentiation was 3 or smaller. Found and reported by Zili KOU,
    Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
    and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
    and Test in Europe 2023.

Bugfix

  • Fix a long-standing build failure when building x86 PIC code with old
    gcc (4.x). The code will be slower, but will compile. We do however
    recommend upgrading to a more recent compiler instead. Fixes #1910.
  • Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
    Contributed by Kazuyuki Kimura to fix #2020.
  • Use double quotes to include private header file psa_crypto_cipher.h.
    Fixes 'file not found with include' error
    when building with Xcode.
  • Fix handling of broken symlinks when loading certificates using
    mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
    broken link is encountered, skip the broken link and continue parsing
    other certificate files. Contributed by Eduardo Silva in #2602.
  • Fix a compilation error when using CMake with an IAR toolchain.
    Fixes #5964.
  • Fix bugs and missing dependencies when building and testing
    configurations with only one encryption type enabled in TLS 1.2.
  • Provide the missing definition of mbedtls_setbuf() in some configurations
    with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
  • Fix compilation errors when trying to build with
    PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
  • Fix memory leak in ssl_parse_certificate_request() caused by
    mbedtls_x509_get_name() not freeing allocated objects in case of error.
    Change mbedtls_x509_get_name() to clean up allocated objects on error.
  • Fix checks on PK in check_config.h for builds with PSA and RSA. This does
    not change which builds actually work, only moving a link-time error to
    an early check.
  • Fix ECDSA verification, where it was not always validating the
    public key. This bug meant that it was possible to verify a
    signature with an invalid public key, in some cases. Reported by
    Guido Vranken using Cryptofuzz in #4420.
  • Fix a possible null pointer dereference if a memory allocation fails
    in TLS PRF code. Reported by Michael Madsen in #6516.
  • Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
    bytes when parsing certificates containing a binary RFC 4108
    HardwareModuleName as a Subject Alternative Name extension. Hardware
    serial numbers are now rendered in hex format. Fixes #6262.
  • Fix bug in error reporting in dh_genprime.c where upon failure,
    the error code returned by mbedtls_mpi_write_file() is overwritten
    and therefore not printed.
  • In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
    with A > 0 created an unintended representation of the value 0 which was
    not processed correctly by some bignum operations. Fix this. This had no
    consequence on cryptography code, but might affect applications that call
    bignum directly and use negative numbers.
  • Fix undefined behavior (typically harmless in practice) of
    mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
    when both operands are 0 and the left operand is represented with 0 limbs.
  • Fix undefined behavior (typically harmless in practice) when some bignum
    functions receive the most negative value of mbedtls_mpi_sint. Credit
    to OSS-Fuzz. Fixes #6597.
  • Fix undefined behavior (typically harmless in practice) in PSA ECB
    encryption and decryption.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0 mbedtls-2.28.2.tar.gz
4e4c4d5fd062dc29160edb916fb969878682221a142bda2be5db40e60125912c mbedtls-2.28.2.zip

Mbed TLS 3.2.1

12 Jul 15:27
Compare
Choose a tag to compare

Description

This release is functionally identical to 3.2.0, but includes a file that was missing from the 3.2.0 release (see #6084). It includes all of the changes that went into 3.2.0, which are described here: https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.2.0

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Bugfix

  • Add missing generated file library/ssl_debug_helpers_generated.c

Visual Studio build issue

This release does not build out of the box on Visual Studio, because the project file is missing a reference to a file (see #6198 for details on the issue and how to address it).

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

d0e77a020f69ad558efc660d3106481b75bd3056d6301c31564e04a0faae88cc mbedtls-3.2.1.tar.gz
efeac7fb687d19a7c7dc60f5e60265edd528244856cf3db2e2aecacece08b23f mbedtls-3.2.1.zip

Mbed TLS 3.2.0

11 Jul 19:14
3aef767
Compare
Choose a tag to compare

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Cmake build error

There is a minor issue building with Cmake relating to a missing generated file (as per #6084). To work around this, please build once with make before running cmake. We are currently preparing 3.2.1, which will fix this (with no other changes).

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Default behavior changes

  • mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
    for IV lengths other than 12. The library was silently overwriting this
    length with 12, but did not inform the caller about it. Fixes #4301.

Requirement changes

  • The library will no longer compile out of the box on a platform without
    setbuf(). If your platform does not have setbuf(), you can configure an
    alternative function by enabling MBEDTLS_PLATFORM_SETBUF_ALT or
    MBEDTLS_PLATFORM_SETBUF_MACRO.

New deprecations

  • Deprecate mbedtls_ssl_conf_max_version() and
    mbedtls_ssl_conf_min_version() in favor of
    mbedtls_ssl_conf_max_tls_version() and
    mbedtls_ssl_conf_min_tls_version().
  • Deprecate mbedtls_cipher_setup_psa(). Use psa_aead_xxx() or
    psa_cipher_xxx() directly instead.
  • Secure element drivers enabled by MBEDTLS_PSA_CRYPTO_SE_C are deprecated.
    This was intended as an experimental feature, but had not been explicitly
    documented as such. Use opaque drivers with the interface enabled by
    MBEDTLS_PSA_CRYPTO_DRIVERS instead.
  • Deprecate mbedtls_ssl_conf_sig_hashes() in favor of the more generic
    mbedtls_ssl_conf_sig_algs(). Signature algorithms for the TLS 1.2 and
    TLS 1.3 handshake should now be configured with
    mbedtls_ssl_conf_sig_algs().

Features

  • Add accessor to obtain ciphersuite id from ssl context.
  • Add accessors to get members from ciphersuite info.
  • Add mbedtls_ssl_ticket_rotate() for external ticket rotation.
  • Add accessor to get the raw buffer pointer from a PEM context.
  • The structures mbedtls_ssl_config and mbedtls_ssl_context now store
    a piece of user data which is reserved for the application. The user
    data can be either a pointer or an integer.
  • Add an accessor function to get the configuration associated with
    an SSL context.
  • Add a function to access the protocol version from an SSL context in a
    form that's easy to compare. Fixes #5407.
  • Add function mbedtls_md_info_from_ctx() to recall the message digest
    information that was used to set up a message digest context.
  • Add ALPN support in TLS 1.3 clients.
  • Add server certificate selection callback near end of Client Hello.
    Register callback with mbedtls_ssl_conf_cert_cb().
  • Provide mechanism to reset handshake cert list by calling
    mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param.
  • Add accessor mbedtls_ssl_get_hs_sni() to retrieve SNI from within
    cert callback (mbedtls_ssl_conf_cert_cb()) during handshake.
  • The X.509 module now uses PSA hash acceleration if present.
  • Add support for psa crypto key derivation for elliptic curve
    keys. Fixes #3260.
  • Add function mbedtls_timing_get_final_delay() to access the private
    final delay field in an mbedtls_timing_delay_context, as requested in
    #5183.
    * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
    PSA Crypto is enabled.
  • Add function mbedtls_ecp_export() to export ECP key pair parameters.
    Fixes #4838.
  • Add function mbedtls_ssl_is_handshake_over() to enable querying if the SSL
    Handshake has completed or not, and thus whether to continue calling
    mbedtls_ssl_handshake_step(), requested in #4383.
  • Add the function mbedtls_ssl_get_own_cid() to access our own connection id
    within mbedtls_ssl_context, as requested in #5184.
  • Introduce mbedtls_ssl_hs_cb_t typedef for use with
    mbedtls_ssl_conf_cert_cb() and perhaps future callbacks
    during TLS handshake.
  • Add functions mbedtls_ssl_conf_max_tls_version() and
    mbedtls_ssl_conf_min_tls_version() that use a single value to specify
    the protocol version.
    * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
    mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
    holding the other secret.
  • When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
    feature requirements in the file named by the new macro
    MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
    Furthermore you may name an additional file to include after the main
    file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
  • Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
    field within mbedtls_x509_crt context, as requested in #5585.
  • Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
  • Add support for the ARMv8 SHA-2 acceleration instructions when building
    for Aarch64.
  • Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
  • Add support for server HelloRetryRequest message. The TLS 1.3 client is
    now capable of negotiating another shared secret if the one sent in its
    first ClientHello was not suitable to the server.
  • Add support for client-side TLS version negotiation. If both TLS 1.2 and
    TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now
    negotiates TLS 1.3 or TLS 1.2 with TLS servers.
  • Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS
    1.2 protocol support.
  • Mbed TLS provides an implementation of a TLS 1.3 server (ephemeral key
    establishment only). See docs/architecture/tls13-support.md for a
    description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and
    MBEDTLS_SSL_SRV_C configuration options control this.
  • Add accessors to configure DN hints for certificate request:
    mbedtls_ssl_conf_dn_hints() and mbedtls_ssl_set_hs_dn_hints()
  • The configuration option MBEDTLS_USE_PSA_CRYPTO, which previously
    affected only a limited subset of crypto operations in TLS, X.509 and PK,
    now causes most of them to be done using PSA Crypto; see
    docs/use-psa-crypto.md for the list of exceptions.
  • The function mbedtls_pk_setup_opaque() now supports RSA key pairs as well.
    Opaque keys can now be used everywhere a private key is expected in the
    TLS and X.509 modules.
  • Opaque pre-shared keys for TLS, provisioned with
    mbedtls_ssl_conf_psk_opaque() or mbedtls_ssl_set_hs_psk_opaque(), which
    previously only worked for "pure" PSK key exchange, now can also be used
    for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
  • cmake now detects if it is being built as a sub-project, and in that case
    disables the target export/installation and package configuration.
  • Make USE_PSA_CRYPTO compatible with KEY_ID_ENCODES_OWNER. Fixes #5259.
  • Add example programs cipher_aead_demo.c, md_hmac_demo.c, aead_demo.c
    and hmac_demo.c, which use PSA and the md/cipher interfaces side
    by side in order to illustrate how the operation is performed in PSA.
    Addresses #5208.

Security

  • Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
    module before freeing them. These buffers contain secret key material, and
    could thus potentially leak the key through freed heap.
  • Fix potential memory leak inside mbedtls_ssl_cache_set() with
    an invalid session id length.
  • Add the platform function mbedtls_setbuf() to allow buffering to be
    disabled on stdio files, to stop secrets loaded from said files being
    potentially left in memory after file operations. Reported by
    Glenn Strauss.
  • Fix a potential heap buffer overread in TLS 1.2 server-side when
    MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
    mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
    is selected. This may result in an application crash or potentially an
    information leak.
  • Fix a buffer overread in DTLS ClientHello parsing in servers with
    MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
    or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
    after the end of the SSL input buffer. The buffer overread only happens
    when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
    the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
    and possibly up to 571 bytes with a custom cookie check function.
    Reported by the Cybeats PSI Team.
  • Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated
    client or server could cause an MbedTLS server or client to overread up
    to 64 kBytes of data and potentially overread the input buffer by that
    amount minus the size of the input buffer. As overread data undergoes
    various checks, the likelihood of reaching the boundary of the input
    buffer is rather small but increases as its size
    MBEDTLS_SSL_IN_CONTENT_LEN decreases.
  • Fix check of certificate key usage in TLS 1.3. The usage of the public key
    provided by a client or server certificate for authentication was not
    checked properly when validating the certificate. This could cause a
    client or server to be able to authenticate itself through a certificate
    to an Mbed TLS TLS 1.3 server or client while it does not own a proper
    certificate to do so.

Bugfix

  • Declare or use PSA_WANT_ALG_CC...
Read more

Mbed TLS 2.28.1

11 Jul 19:09
dd79db1
Compare
Choose a tag to compare

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Default behavior changes

  • mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
    for IV lengths other than 12. The library was silently overwriting this
    length with 12, but did not inform the caller about it. Fixes #4301.

Features

  • When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
    feature requirements in the file named by the new macro
    MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
    Furthermore you may name an additional file to include after the main
    file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.

Security

  • Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
    module before freeing them. These buffers contain secret key material, and
    could thus potentially leak the key through freed heap.
  • Fix a potential heap buffer overread in TLS 1.2 server-side when
    MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
    mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
    is selected. This may result in an application crash or potentially an
    information leak.
  • Fix a buffer overread in DTLS ClientHello parsing in servers with
    MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
    or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
    after the end of the SSL input buffer. The buffer overread only happens
    when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
    the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
    and possibly up to 571 bytes with a custom cookie check function.
    Reported by the Cybeats PSI Team.

Bugfix

  • Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
  • Fix several bugs (warnings, compiler and linker errors, test failures)
    in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
    enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
    client would fail to check that the curve selected by the server for
    ECDHE was indeed one that was offered. As a result, the client would
    accept any curve that it supported, even if that curve was not allowed
    according to its configuration. Fixes #5291.
  • Fix unit tests that used 0 as the file UID. This failed on some
    implementations of PSA ITS. Fixes #3838.
  • Fix API violation in mbedtls_md_process() test by adding a call to
    mbedtls_md_starts(). Fixes #2227.
  • Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
    to catch bad uses of time.h.
  • Fix the library search path when building a shared library with CMake
    on Windows.
  • Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
    potentially leading to corrupted alert messages being sent in case
    the function needs to be re-called after initially returning
    MBEDTLS_SSL_WANT_WRITE. Fixes #1916.
  • In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of
    MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C,
    DTLS handshakes using CID would crash due to a null pointer dereference.
    Fix this. Fixes #3998.
  • Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
    documentation stated that the allowed_pks field applies to signatures
    only, but in fact it does apply to the public key type of the end entity
    certificate, too. Fixes #1992.
  • Fix PSA cipher multipart operations using ARC4. Previously, an IV was
    required but discarded. Now, an IV is rejected, as it should be.
  • Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
    not NULL and val_len is zero.
  • psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
    applicable. Fixes #5735.
  • Fix a bug in the x25519 example program where the removal of
    MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
    #3191.
  • Encode X.509 dates before 1/1/2000 as UTCTime rather than
    GeneralizedTime. Fixes #5465.
  • Fix order value of curve x448.
  • Fix string representation of DNs when outputting values containing commas
    and other special characters, conforming to RFC 1779. Fixes #769.
  • Silence a warning from GCC 12 in the selftest program. Fixes #5974.
  • Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
  • Fix resource leaks in mbedtls_pk_parse_public_key() in low
    memory conditions.
  • Fix server connection identifier setting for outgoing encrypted records
    on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
    connection identifier, the Mbed TLS client now properly sends the server
    connection identifier in encrypted record headers. Fix #5872.
  • Fix a null pointer dereference when performing some operations on zero
    represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
    by 2, and mbedtls_mpi_write_string() in base 2).
  • Fix record sizes larger than 16384 being sometimes accepted despite being
    non-compliant. This could not lead to a buffer overflow. In particular,
    application data size was already checked correctly.

Changes

  • Assume source files are in UTF-8 when using MSVC with CMake.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

6797a7b6483ef589deeab8d33d401ed235d7be25eeecda1be8ddfed406d40ff4 mbedtls-2.28.1.tar.gz
b67866fc781934d9c6a322489a1efdc79ef545bf242a3bfa7cffd3c393d377c1 mbedtls-2.28.1.zip