Releases: Mbed-TLS/mbedtls
Mbed TLS 2.16.9
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Security
- Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
- A failure of the random generator was ignored in mbedtls_mpi_fill_random(), which is how most uses of randomization in asymmetric cryptography (including key generation, intermediate value randomization and blinding) are implemented. This could cause failures or the silent use of non-random values. A random generator can fail if it needs reseeding and cannot obtain entropy, or due to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
- Fix a compliance issue whereby we were not checking the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. This meant that a NULL algorithm parameters entry would look identical to an array of REAL (size zero) to the library and thus the certificate would be considered valid. However, if the parameters do not match in any way then the certificate should be considered invalid, and indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks to guidovranken who found this issue via differential fuzzing and reported it in #3629.
- Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Reported by Johan Malmgren and Johan Uppman Bruce from Sectra.
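The mbedtls_mpi_fill_random() item above is about an RNG callback whose return value went unchecked. The following added example (written for this page, not Mbed TLS code) reproduces that failure mode with a constructed RNG that runs out of budget, the way a DRBG that needs reseeding and cannot get entropy would: the unchecked variant reports success and hands back an all-zero buffer, the checked variant propagates the error. Only the callback signature mirrors Mbed TLS's f_rng; the error constant, the fake RNG and the fill_random_* functions are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Callback shape used by Mbed TLS for f_rng: 0 on success, nonzero on failure. */
typedef int (*rng_fn)(void *p_rng, unsigned char *out, size_t len);

/* Error code for this example only (not an Mbed TLS constant). */
#define EXAMPLE_ERR_RNG_FAILED (-0x0042)

/* Constructed RNG: delivers at most `budget` bytes of a fixed pattern, then
 * behaves like a DRBG that needs reseeding and cannot get entropy: it fails
 * and writes nothing. */
typedef struct {
    size_t budget;
    unsigned char pattern;
} fake_rng_ctx;

static int fake_rng(void *p_rng, unsigned char *out, size_t len)
{
    fake_rng_ctx *ctx = (fake_rng_ctx *) p_rng;
    if (len > ctx->budget) {
        return EXAMPLE_ERR_RNG_FAILED;
    }
    memset(out, ctx->pattern, len);
    ctx->budget -= len;
    return 0;
}

/* Before the fix: the callback's return value is dropped, so a failed RNG
 * call reports success and the caller continues with whatever the buffer
 * held (here zero), e.g. as a blinding factor or a candidate secret key. */
static int fill_random_buggy(unsigned char *buf, size_t len,
                             rng_fn f_rng, void *p_rng)
{
    memset(buf, 0, len);
    (void) f_rng(p_rng, buf, len);
    return 0;
}

/* After the fix: the failure is propagated and the buffer is wiped so no
 * partially or un-randomized value can be used by mistake. */
static int fill_random_fixed(unsigned char *buf, size_t len,
                             rng_fn f_rng, void *p_rng)
{
    int ret = f_rng(p_rng, buf, len);
    if (ret != 0) {
        memset(buf, 0, len);
        return ret;
    }
    return 0;
}

static int all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Scenario: the RNG can only supply 8 bytes but 16 are requested.
 * Returns 1 if the buggy path reported success while leaving all zeros. */
int buggy_path_silently_uses_zeros(void)
{
    unsigned char buf[16];
    fake_rng_ctx ctx = { 8, 0xA5 };
    int ret = fill_random_buggy(buf, sizeof buf, fake_rng, &ctx);
    return ret == 0 && all_zero(buf, sizeof buf);
}

/* Same scenario through the fixed path; returns the propagated error code. */
int fixed_path_error_code(void)
{
    unsigned char buf[16];
    fake_rng_ctx ctx = { 8, 0xA5 };
    return fill_random_fixed(buf, sizeof buf, fake_rng, &ctx);
}

/* Healthy RNG through the fixed path: 1 if it succeeded and filled the buffer. */
int fixed_path_healthy(void)
{
    unsigned char buf[16];
    fake_rng_ctx ctx = { 64, 0xA5 };
    int ret = fill_random_fixed(buf, sizeof buf, fake_rng, &ctx);
    return ret == 0 && !all_zero(buf, sizeof buf);
}

int main(void)
{
    printf("buggy path silently uses zeros: %d\n", buggy_path_silently_uses_zeros());
    printf("fixed path error code: %d\n", fixed_path_error_code());
    printf("fixed path with healthy RNG: %d\n", fixed_path_healthy());
    return 0;
}
```

The point to carry over to your own code: any wrapper around an f_rng callback must treat a nonzero return as fatal for the operation, because a zero-filled or stale buffer used as a blinding factor or a key candidate is indistinguishable from a random one to the rest of the computation.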
Bugfix
- Fix an invalid (but nonzero) return code from mbedtls_pk_parse_subpubkey() when the input has trailing garbage. Fixes #2512.
- Fix rsa_prepare_blinding() to retry when the blinding value is not invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This addresses a regression but is rare in practice (the probability that a random value is not invertible mod N is about 2/sqrt(N)). Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). Fixes #3647.
- Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. Fix #3432.
- Correct the default IV size for mbedtls_cipher_info_t structures using MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
- Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is defined. Fix contributed in #3571. Adopted for LTS branch 2.16 in #3602.
- Fix build failures on GCC 11. Fixes #3782.
- Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative (an error condition) and the second operand was aliased to the result.
- Fix a case in elliptic curve arithmetic where an out-of-memory condition could go undetected, resulting in an incorrect result.
- In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed(). Fixes #2927.
- In PEM writing functions, fill the trailing part of the buffer with null bytes. This guarantees that the corresponding parsing function can read the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem until this property was inadvertently broken in Mbed TLS 2.19.0. Fixes #3682.
- Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT option on. In this configuration key management methods that are required for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail. Fixes #3818. Reported by John Stroebel.
Changes
- Reduce stack usage significantly during sliding window exponentiation. Reported in #3591 and fix contributed in #3592 by Daniel Otte.
- Remove the zeroization of a pointer variable in AES rounds. It was valid but spurious and misleading since it looked like a mistaken attempt to zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA Leti, France.
Who should update
We recommend that all affected users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.
Checksum
The SHA256 hashes for the archives are:
fc17ff7d8c11d08f23ae2800a18269408ad2c24ea6bb8b9363e41a01c2425697 mbedtls-2.16.9.tar.gz
111300d0d307d738fb20596c358fda7129dfd5f5c682f055793262080ac50950 mbedtls-2.16.9.zip
Mbed TLS 2.7.18
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.
Security
- Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
- Fix a compliance issue whereby we were not checking the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. This meant that a NULL algorithm parameters entry would look identical to an array of REAL (size zero) to the library and thus the certificate would be considered valid. However, if the parameters do not match in any way then the certificate should be considered invalid, and indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks to guidovranken who found this issue via differential fuzzing and reported it in #3629.
- Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Reported by Johan Malmgren and Johan Uppman Bruce from Sectra.
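The algorithm-parameters item above (listed for both 2.16.9 and 2.7.18) turns on one detail of DER comparison: NULL is encoded as 05 00 and an empty REAL as 09 00, so a comparison that looks only at the length and contents of the parameters field cannot tell them apart. The following added example (written for this page, not Mbed TLS code) compares two AlgorithmIdentifier encodings the way a verifier compares tbsCertificate.signature with the outer signatureAlgorithm, once with the length-only check and once with the tag included. The der_tlv type, the parser and the test vectors are this example's own; the OIDs are the standard sha256WithRSAEncryption and ecdsa-with-SHA256 values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One DER TLV, in the spirit of mbedtls_x509_buf: tag, length, value pointer. */
typedef struct {
    unsigned char tag;
    size_t len;
    const unsigned char *p;
} der_tlv;

/* Parse one TLV with a short-form length (value shorter than 128 bytes), which
 * is all an AlgorithmIdentifier needs. Returns 0 on success, -1 if malformed. */
static int der_get_tlv(const unsigned char *in, size_t in_len,
                       der_tlv *out, size_t *consumed)
{
    if (in_len < 2 || (in[1] & 0x80) != 0) {
        return -1;
    }
    size_t len = in[1];
    if (in_len - 2 < len) {
        return -1;
    }
    out->tag = in[0];
    out->len = len;
    out->p = in + 2;
    *consumed = 2 + len;
    return 0;
}

/* Before: parameters compared by length and contents only. NULL (05 00) and an
 * empty REAL (09 00) both have zero content bytes, so they compare equal. */
static int params_equal_buggy(const der_tlv *a, const der_tlv *b)
{
    return a->len == b->len && memcmp(a->p, b->p, a->len) == 0;
}

/* After: the tag is part of the comparison, so NULL != empty REAL. */
static int params_equal_fixed(const der_tlv *a, const der_tlv *b)
{
    return a->tag == b->tag && a->len == b->len &&
           memcmp(a->p, b->p, a->len) == 0;
}

/* AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER,
 *                                    parameters ANY DEFINED BY algorithm OPTIONAL }
 * Returns 1 if the two encodings match, 0 if not, -1 if either is malformed. */
static int alg_id_equal(const unsigned char *a, size_t a_len,
                        const unsigned char *b, size_t b_len,
                        int check_param_tag)
{
    der_tlv seq_a, seq_b, oid_a, oid_b, par_a, par_b;
    size_t used_a, used_b, n;

    if (der_get_tlv(a, a_len, &seq_a, &n) != 0 || seq_a.tag != 0x30 ||
        der_get_tlv(b, b_len, &seq_b, &n) != 0 || seq_b.tag != 0x30) {
        return -1;
    }
    if (der_get_tlv(seq_a.p, seq_a.len, &oid_a, &used_a) != 0 || oid_a.tag != 0x06 ||
        der_get_tlv(seq_b.p, seq_b.len, &oid_b, &used_b) != 0 || oid_b.tag != 0x06) {
        return -1;
    }
    if (oid_a.len != oid_b.len || memcmp(oid_a.p, oid_b.p, oid_a.len) != 0) {
        return 0;
    }

    /* Whatever follows the OID inside the SEQUENCE is the parameters field. */
    size_t rest_a = seq_a.len - used_a, rest_b = seq_b.len - used_b;
    if ((rest_a == 0) != (rest_b == 0)) {
        return 0;               /* parameters present on one side only */
    }
    if (rest_a == 0) {
        return 1;               /* absent on both sides */
    }
    if (der_get_tlv(seq_a.p + used_a, rest_a, &par_a, &n) != 0 || n != rest_a ||
        der_get_tlv(seq_b.p + used_b, rest_b, &par_b, &n) != 0 || n != rest_b) {
        return -1;
    }
    return check_param_tag ? params_equal_fixed(&par_a, &par_b)
                           : params_equal_buggy(&par_a, &par_b);
}

/* Constructed vectors. sha256WithRSAEncryption (1.2.840.113549.1.1.11) with
 * NULL parameters, as found in tbsCertificate.signature of an RSA certificate. */
static const unsigned char TBS_SIG_ALG[] = {
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
    0x05, 0x00
};
/* Same OID, but parameters encoded as an empty REAL (09 00) instead of NULL. */
static const unsigned char OUTER_SIG_ALG_REAL[] = {
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
    0x09, 0x00
};
/* ecdsa-with-SHA256 (1.2.840.10045.4.3.2): parameters absent, and with NULL. */
static const unsigned char ECDSA_ABSENT[] = {
    0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02
};
static const unsigned char ECDSA_NULL[] = {
    0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x05, 0x00
};

int buggy_check_accepts_real_for_null(void)
{
    return alg_id_equal(TBS_SIG_ALG, sizeof TBS_SIG_ALG,
                        OUTER_SIG_ALG_REAL, sizeof OUTER_SIG_ALG_REAL, 0);
}
int fixed_check_accepts_real_for_null(void)
{
    return alg_id_equal(TBS_SIG_ALG, sizeof TBS_SIG_ALG,
                        OUTER_SIG_ALG_REAL, sizeof OUTER_SIG_ALG_REAL, 1);
}
int fixed_check_accepts_identical(void)
{
    return alg_id_equal(TBS_SIG_ALG, sizeof TBS_SIG_ALG,
                        TBS_SIG_ALG, sizeof TBS_SIG_ALG, 1);
}
int fixed_check_absent_vs_null(void)
{
    return alg_id_equal(ECDSA_ABSENT, sizeof ECDSA_ABSENT,
                        ECDSA_NULL, sizeof ECDSA_NULL, 1);
}

int main(void)
{
    printf("length-only check, NULL vs empty REAL: %d\n", buggy_check_accepts_real_for_null());
    printf("tag-aware check, NULL vs empty REAL:   %d\n", fixed_check_accepts_real_for_null());
    printf("tag-aware check, identical:            %d\n", fixed_check_accepts_identical());
    printf("tag-aware check, absent vs NULL:       %d\n", fixed_check_absent_vs_null());
    return 0;
}
```

The general rule this illustrates: when two DER structures are supposed to be identical, compare the complete TLV (tag, length and value), not a projection of it, and treat "absent" and "present but empty" as different states.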
Bugfix
- Fix an invalid (but nonzero) return code from mbedtls_pk_parse_subpubkey() when the input has trailing garbage. Fixes #2512.
- Fix rsa_prepare_blinding() to retry when the blinding value is not invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This addresses a regression but is rare in practice (the probability that a random value is not invertible mod N is about 2/sqrt(N)). Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). Fixes #3647.
- Correct the default IV size for mbedtls_cipher_info_t structures using MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
- Fix build failures on GCC 11. Fixes #3782.
- Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative (an error condition) and the second operand was aliased to the result.
- Fix a case in elliptic curve arithmetic where an out-of-memory condition could go undetected, resulting in an incorrect result.
- In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed(). Fixes #2927.
Changes
- Reduce stack usage significantly during sliding window exponentiation. Reported in #3591 and fix contributed in #3592 by Daniel Otte.
- Remove the zeroization of a pointer variable in AES rounds. It was valid but spurious and misleading since it looked like a mistaken attempt to zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA Leti, France.
Who should update
We recommend that all affected users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.
Checksum
The SHA256 hashes for the archives are:
f4a0f0c62e7016fa96f6ee78e2b8ba05d1f653c3aa2734fd73fbec02c3637e23 mbedtls-2.7.18.tar.gz
2b169bbf8c04ef9c9776a7ddb487b3387d4be2f3220a112c6d52111f643b9a22 mbedtls-2.7.18.zip
Mbed TLS 2.24.0
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories.
API changes
- In the PSA API, rename the types of elliptic curve and Diffie-Hellman group families to psa_ecc_family_t and psa_dh_family_t, in line with the PSA Crypto API specification version 1.0.0. Rename associated macros as well:
PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
PSA_KEY_TYPE_GET_CURVE renamed to PSA_KEY_TYPE_ECC_GET_FAMILY
PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
Default behavior changes
- Stop storing persistent information about externally stored keys created through PSA Crypto with a volatile lifetime. Reported in #3288 and contributed by Steven Cooreman in #3382.
Features
- The new function mbedtls_ecp_write_key() exports private ECC keys back to a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
- Support building on e2k (Elbrus) architecture: correctly enable -Wformat-signedness, and fix the code that causes signed-one-bit-field and sign-compare warnings. Contributed by makise-homura (Igor Molchanov).
Security
- Fix a vulnerability in the verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify()) with the actual certificate name: when the subjectAltName extension is present, the expected name was compared to any name in that extension regardless of its type. This means that an attacker could, for example, impersonate a 4-byte or 16-byte domain name by getting a certificate for the IPv4 or IPv6 address whose raw octets equal that name (this would require the attacker to control that IP address, though). Similar attacks using other subjectAltName name types might be possible. Found and reported by kFYatek in #3498.
- When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro Beekman in #3433.
- In (D)TLS record decryption, when using a CBC ciphersuite without the Encrypt-then-Mac extension, use constant code flow memory access patterns to extract and check the MAC. This is an improvement to the existing countermeasure against Lucky 13 attacks. The previous countermeasure was effective against network-based attackers, but less so against local attackers. The new countermeasure defends against local attackers, even if they have access to fine-grained measurements. In particular, this fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
- Fix side channel in RSA private key operations and static (finite-field) Diffie-Hellman. An adversary with precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could bypass an existing counter-measure (base blinding) and potentially fully recover the private key.
- Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing the problematic code.
- Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused application data from memory. Reported in #689 by Johan Uppman Bruce of Sectra.
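The subjectAltName item above describes a type confusion: an iPAddress entry is raw address octets, and a matcher that compares the expected host name against every entry's bytes will accept a certificate issued for the IP address whose octets spell that name. The following added example (written for this page, not Mbed TLS code) shows the type-blind matcher beside one that only considers dNSName entries, run over a constructed SAN list containing dNSName "example.com" and iPAddress 104.111.115.116, whose four octets are "host" in ASCII. The san_entry type and the two san_matches_* functions are this example's own; wildcard names and other GeneralName types are out of scope.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* GeneralName choices that matter here, numbered as in RFC 5280's CHOICE:
 * [2] dNSName (IA5String), [7] iPAddress (4 or 16 raw octets). */
enum { SAN_DNS_NAME = 2, SAN_IP_ADDRESS = 7 };

typedef struct {
    int type;
    const unsigned char *p;   /* raw value bytes, no trailing NUL */
    size_t len;
} san_entry;

/* Case-insensitive comparison of a raw byte string with a C string, as for DNS names. */
static int dns_equal(const unsigned char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) {
        return 0;
    }
    for (size_t i = 0; i < alen; i++) {
        unsigned char ca = a[i], cb = (unsigned char) b[i];
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) {
            return 0;
        }
    }
    return 1;
}

/* Before: every entry is compared as if it were a host name. An iPAddress
 * entry holds raw address octets, so an expected name whose ASCII bytes equal
 * those octets matches a certificate that was never issued for that name. */
static int san_matches_buggy(const san_entry *sans, size_t n, const char *expected)
{
    size_t elen = strlen(expected);
    for (size_t i = 0; i < n; i++) {
        if (dns_equal(sans[i].p, sans[i].len, expected, elen)) {
            return 1;
        }
    }
    return 0;
}

/* After: a host name can only be satisfied by a dNSName entry; entries of
 * any other type are skipped regardless of their bytes. */
static int san_matches_fixed(const san_entry *sans, size_t n, const char *expected)
{
    size_t elen = strlen(expected);
    for (size_t i = 0; i < n; i++) {
        if (sans[i].type != SAN_DNS_NAME) {
            continue;
        }
        if (dns_equal(sans[i].p, sans[i].len, expected, elen)) {
            return 1;
        }
    }
    return 0;
}

/* Constructed certificate SAN list: dNSName "example.com" and iPAddress
 * 104.111.115.116, whose four octets happen to spell "host" in ASCII. */
static const unsigned char DNS_EXAMPLE[] = { 'e','x','a','m','p','l','e','.','c','o','m' };
static const unsigned char IP_OCTETS[] = { 104, 111, 115, 116 };
static const san_entry CERT_SANS[] = {
    { SAN_DNS_NAME,   DNS_EXAMPLE, sizeof DNS_EXAMPLE },
    { SAN_IP_ADDRESS, IP_OCTETS,   sizeof IP_OCTETS },
};
#define CERT_SANS_COUNT (sizeof CERT_SANS / sizeof CERT_SANS[0])

int buggy_accepts_ip_as_hostname(void)
{
    return san_matches_buggy(CERT_SANS, CERT_SANS_COUNT, "host");
}
int fixed_accepts_ip_as_hostname(void)
{
    return san_matches_fixed(CERT_SANS, CERT_SANS_COUNT, "host");
}
int fixed_accepts_real_dns_name(void)
{
    return san_matches_fixed(CERT_SANS, CERT_SANS_COUNT, "EXAMPLE.com");
}
int fixed_rejects_other_name(void)
{
    return san_matches_fixed(CERT_SANS, CERT_SANS_COUNT, "evil.com") == 0;
}

int main(void)
{
    printf("type-blind matcher accepts \"host\" via iPAddress: %d\n", buggy_accepts_ip_as_hostname());
    printf("type-aware matcher accepts \"host\":               %d\n", fixed_accepts_ip_as_hostname());
    printf("type-aware matcher accepts EXAMPLE.com:           %d\n", fixed_accepts_real_dns_name());
    printf("type-aware matcher rejects evil.com:              %d\n", fixed_rejects_other_name());
    return 0;
}
```

When auditing your own name-matching code, the check to make is the same one the fixed matcher makes: the expected identifier's kind (host name, IP address, email address) must select which GeneralName types are eligible before any byte comparison happens.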
Bugfix
- Library files installed after a CMake build no longer have execute permission.
- Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol redefinition if the function is inlined. Reported in #3451 and fix contributed in #3452 by okhowang.
- Fix the endianness of Curve25519 keys imported/exported through the PSA APIs. psa_import_key and psa_export_key will now correctly expect/output Montgomery keys in little-endian as defined by RFC7748. Contributed by Steven Cooreman in #3425.
- Fix build errors when the only enabled elliptic curves are Montgomery curves. Raised by signpainter in #941 and by Taiki-San in #1412. This also fixes missing declarations reported by Steven Cooreman in #1147.
- Fix self-test failure when the only enabled short Weierstrass elliptic curve is secp192k1. Fixes #2017.
- PSA key import will now correctly import a Curve25519/Curve448 public key instead of erroring out. Contributed by Steven Cooreman in #3492.
- Use arc4random_buf on NetBSD instead of the rand() implementation, whose lower bits are cyclical. Fix contributed in #3540.
- Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory conditions. Reported and fix suggested by Guido Vranken in #3486.
- Fix bug in redirection of unit test outputs on platforms where stdout is defined as a macro. First reported in #2311 and fix contributed in #3528.
Changes
- Only pass -Wformat-signedness to versions of GCC that support it. Reported in #3478 and fix contributed in #3479 by okhowang.
- Reduce the stack consumption of mbedtls_x509write_csr_der() which previously could lead to stack overflow on constrained devices. Contributed by Doru Gucea and Simon Leet in #3464.
- Undefine the ASSERT macro before defining it locally, in case it is defined in a platform header. Contributed by Abdelatif Guettouche in #3557.
- Update copyright notices to use Linux Foundation guidance. As a result, the copyright of contributors other than Arm is now acknowledged, and the years of publishing are no longer tracked in the source files. This also eliminates the need for the lines declaring the files to be part of MbedTLS. Fixes #3457.
- Add the command line parameter key_pwd to the ssl_client2 and ssl_server2 example applications, which allows providing a password for the key file specified through the existing key_file argument. This allows the use of these applications with password-protected key files. Analogously, but for ssl_server2 only, add the command line parameter key_pwd2, which sets a password for the key file provided through the existing key_file2 argument.
Who should update
We recommend that all affected users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.
Checksum
The SHA256 hashes for the archives are:
d436ae4892bd80329ca18a3960052fbb42d3f1f46c7519711d6763621ca6cfa0 mbedtls-2.24.0.tar.gz
d7b129288a957b1936ade3921504d5524e34a0dbe9f4d965df3416db9cfe0dae mbedtls-2.24.0.zip
Mbed TLS 2.16.8
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories.
Features
- Support building on e2k (Elbrus) architecture: correctly enable -Wformat-signedness, and fix the code that causes signed-one-bit-field and sign-compare warnings. Contributed by makise-homura (Igor Molchanov).
Security
- When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro Beekman in #3433.
- In (D)TLS record decryption, when using a CBC ciphersuite without the Encrypt-then-Mac extension, use constant code flow memory access patterns to extract and check the MAC. This is an improvement to the existing countermeasure against Lucky 13 attacks. The previous countermeasure was effective against network-based attackers, but less so against local attackers. The new countermeasure defends against local attackers, even if they have access to fine-grained measurements. In particular, this fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
- Fix side channel in RSA private key operations and static (finite-field) Diffie-Hellman. An adversary with precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could bypass an existing counter-measure (base blinding) and potentially fully recover the private key.
- Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing the problematic code.
- Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused application data from memory. Reported in #689 by Johan Uppman Bruce of Sectra.
Bugfix
- Avoid use of statically sized stack buffers for certificate writing. This previously limited the maximum size of DER encoded certificates in mbedtls_x509write_crt_der() to 2 KB. Reported by soccerGB in #2631.
- Reduce the stack consumption of mbedtls_x509write_csr_der() which previously could lead to stack overflow on constrained devices. Contributed by Doru Gucea and Simon Leet in #3464.
- Use arc4random_buf on NetBSD instead of the rand() implementation, whose lower bits are cyclical. Fix contributed in #3540.
- Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. NetBSD conditionals were added for the backport to avoid the risk of breaking a platform. Original fix contributed by Nia Alarie in #3422. Adapted for long-term support branch 2.16 in #3558.
- Fix bug in redirection of unit test outputs on platforms where stdout is defined as a macro. First reported in #2311 and fix contributed in #3528. Adopted for LTS branch 2.16 in #3601.
Changes
- Update copyright notices to use Linux Foundation guidance. As a result, the copyright of contributors other than Arm is now acknowledged, and the years of publishing are no longer tracked in the source files. This also eliminates the need for the lines declaring the files to be part of MbedTLS. Fixes #3457.
Who should update
We recommend that all affected users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.
Checksum
The SHA256 hashes for the archives are:
fe9e3b15c3375943bdfebbbb20dd6b4f1147b3b5d926248bd835d73247407430 mbedtls-2.16.8.tar.gz
a2904aa4f8b23a3e3972f87ff1c7e450a128c38d00ac28ad183296607fe2d9d6 mbedtls-2.16.8.zip
Mbed TLS 2.7.17
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories.
Features
- Support building on e2k (Elbrus) architecture: correctly enable -Wformat-signedness, and fix the code that causes signed-one-bit-field and sign-compare warnings. Contributed by makise-homura (Igor Molchanov).
Security
- When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro Beekman in #3433.
- In (D)TLS record decryption, when using a CBC ciphersuite without the Encrypt-then-Mac extension, use constant code flow memory access patterns to extract and check the MAC. This is an improvement to the existing countermeasure against Lucky 13 attacks. The previous countermeasure was effective against network-based attackers, but less so against local attackers. The new countermeasure defends against local attackers, even if they have access to fine-grained measurements. In particular, this fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
- Fix side channel in RSA private key operations and static (finite-field) Diffie-Hellman. An adversary with precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could bypass an existing counter-measure (base blinding) and potentially fully recover the private key.
- Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing the problematic code.
- Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused application data from memory. Reported in #689 by Johan Uppman Bruce of Sectra.
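The Lucky 13 item above (listed for 2.24.0, 2.16.8 and 2.7.17) says the MAC is now extracted with memory access patterns that do not depend on the secret padding length. The following added example (written for this page, not Mbed TLS code) shows the technique in isolation: a decrypted CBC record is laid out as plaintext, MAC, padding bytes and a padding-length byte, and the MAC is copied out by reading and masking every position it could occupy, rather than indexing straight to the one position the padding length points at. The mask helpers, cf_memcpy_offset and extract_mac_cf are this example's own; the MAC verification that would follow, and the padding-content check, are not shown.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIZE_BITS (sizeof(size_t) * 8)

/* 0xFF if a == b, 0x00 otherwise, with no branch on the operands. */
static unsigned char cf_mask_eq(size_t a, size_t b)
{
    size_t diff = a ^ b;
    /* (diff | -diff) has its top bit set exactly when diff != 0. */
    size_t nonzero = (diff | ((size_t) 0 - diff)) >> (SIZE_BITS - 1);
    return (unsigned char) (nonzero - 1);      /* 0 -> 0xFF, 1 -> 0x00 */
}

/* All-ones if a <= b, zero otherwise, for a and b below 2^(SIZE_BITS-1). */
static size_t cf_mask_le(size_t a, size_t b)
{
    size_t le = (a - b - 1) >> (SIZE_BITS - 1);   /* 1 iff a - b - 1 wrapped negative */
    return (size_t) 0 - le;
}

/* Copy len bytes from src + offset to dst, where offset_min <= offset <= offset_max.
 * Every byte of src[offset_min .. offset_max + len) is read and masked, so the
 * memory access pattern does not depend on the (secret) offset. */
static void cf_memcpy_offset(unsigned char *dst, const unsigned char *src,
                             size_t offset, size_t offset_min,
                             size_t offset_max, size_t len)
{
    memset(dst, 0, len);
    for (size_t off = offset_min; off <= offset_max; off++) {
        unsigned char mask = cf_mask_eq(off, offset);
        for (size_t i = 0; i < len; i++) {
            dst[i] |= src[off + i] & mask;
        }
    }
}

/* Extract the MAC from a decrypted CBC record laid out as
 *   plaintext || MAC (mac_len bytes) || padding bytes || padding_length
 * Returns -1 if the record cannot even hold a MAC plus the length byte (a
 * check on public lengths only), else 0 with the MAC in out. A padding length
 * that does not fit is clamped to 0 without branching: such a record must be
 * processed with the same access pattern as a valid one. */
static int extract_mac_cf(const unsigned char *rec, size_t rec_len,
                          size_t mac_len, unsigned char *out)
{
    if (rec_len < mac_len + 1) {
        return -1;
    }
    size_t max_pad = rec_len - 1 - mac_len;              /* public */
    size_t padlen = rec[rec_len - 1];                    /* secret */
    padlen &= cf_mask_le(padlen, max_pad);               /* clamp to 0 if too large */

    size_t offset = max_pad - padlen;                    /* where the MAC really starts */
    size_t min_off = max_pad > 255 ? max_pad - 255 : 0;  /* public bounds on offset */
    cf_memcpy_offset(out, rec, offset, min_off, max_pad, mac_len);
    return 0;
}

static int extract_and_compare(const unsigned char *rec, size_t rec_len,
                               const unsigned char *expected_mac, size_t mac_len)
{
    unsigned char out[32];
    if (mac_len > sizeof out || extract_mac_cf(rec, rec_len, mac_len, out) != 0) {
        return 0;
    }
    return memcmp(out, expected_mac, mac_len) == 0;
}

/* Constructed record: 20 bytes of data, 8-byte MAC A0..A7, three padding bytes
 * of 0x03 and the length byte 0x03. Returns 1 if the MAC was recovered. */
int mac_found_with_padding(void)
{
    unsigned char rec[32];
    unsigned char mac[8] = { 0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7 };
    memset(rec, 0x11, 20);
    memcpy(rec + 20, mac, 8);
    memset(rec + 28, 0x03, 4);
    return extract_and_compare(rec, sizeof rec, mac, 8);
}

/* Constructed record with no padding: 4 data bytes, MAC B0..B7, length byte 0. */
int mac_found_without_padding(void)
{
    unsigned char rec[13];
    unsigned char mac[8] = { 0xB0, 0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7 };
    memset(rec, 0x22, 4);
    memcpy(rec + 4, mac, 8);
    rec[12] = 0x00;
    return extract_and_compare(rec, sizeof rec, mac, 8);
}

/* Last byte claims 255 padding bytes in a 16-byte record: treated as 0, so the
 * MAC is the 8 bytes just before the length byte. */
int oversized_padding_is_clamped(void)
{
    unsigned char rec[16];
    for (size_t i = 0; i < sizeof rec; i++) {
        rec[i] = (unsigned char) i;
    }
    rec[15] = 0xFF;
    return extract_and_compare(rec, sizeof rec, rec + 7, 8);
}

int main(void)
{
    printf("MAC recovered with padding:    %d\n", mac_found_with_padding());
    printf("MAC recovered without padding: %d\n", mac_found_without_padding());
    printf("oversized padding clamped:     %d\n", oversized_padding_is_clamped());
    return 0;
}
```

The cost is a read of up to 255 extra positions per record, which is why the bounds are computed from the public record length: the loop's trip count and the addresses it touches are then fixed by data the attacker already knows, and only the mask values, which never influence control flow or addresses, depend on the padding byte.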
Bugfix
- Use arc4random_buf on NetBSD instead of the rand() implementation, whose lower bits are cyclical. Fix contributed in #3540.
- Fix building library/net_sockets.c on NetBSD. NetBSD conditionals were added for the backport to avoid the risk of breaking a platform. Original fix contributed by Nia Alarie in #3422. Adopted for long-term support branch 2.7 in #3570.
- Fix bug in redirection of unit test outputs on platforms where stdout is defined as a macro. First reported in #2311 and fix contributed in #3528. Adopted for LTS branch 2.7 in #3600.
Changes
- Update copyright notices to use Linux Foundation guidance. As a result, the copyright of contributors other than Arm is now acknowledged, and the years of publishing are no longer tracked in the source files. This also eliminates the need for the lines declaring the files to be part of MbedTLS. Fixes #3457.
Who should update
We recommend that all affected users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.
Checksum
The SHA256 hashes for the archives are:
fae5441631a8696d1eae71f61b8276d728b41a905954326019830cdaf0afeb42 mbedtls-2.7.17.tar.gz
a009059b0b4b882b884e8ef7013ff068b1254d8a2d98243e000c67b1737956b6 mbedtls-2.7.17.zip
Mbed TLS 2.23.0
Description
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.
Default behavior changes
- In the experimental PSA secure element interface, change the encoding of key lifetimes to encode a persistence level and the location. Although C prototypes do not effectively change, code calling psa_register_se_driver() must be modified to pass the driver's location instead of the keys' lifetime. If the library is upgraded on an existing device, keys created with the old lifetime value will not be readable or removable through Mbed TLS after the upgrade.
Features
- New functions in the error module return constant strings for high- and low-level error codes, complementing mbedtls_strerror() which constructs a string for any error code, including compound ones, but requires a writable buffer. Contributed by Gaurav Aggarwal in #3176.
- The new utility programs/ssl/ssl_context_info prints a human-readable dump of an SSL context saved with mbedtls_ssl_context_save().
- Add support for midipix, a POSIX layer for Microsoft Windows.
- Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via user provided callback. Contributed by Nicola Di Lieto in #3243 as a solution to #3241.
- Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies (#3419).
- Added support to entropy_poll for the kern.arandom sysctl supported on some BSD systems. Contributed by Nia Alarie in #3423.
- Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
Security
- Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
- Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
- Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.
Bugfix
- Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.19 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir.
- Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3192
- Fix issue with a detected HW accelerated record error not being exposed due to shadowed variable. Contributed by Sander Visser in #3310.
- Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a NULL pointer argument. Contributed by Sander Visser in #3312.
- Fix potential linker errors on dual world platforms by inlining mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately from psa_crypto.c. Fixes #3300.
- Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855.
- Include asn1.h in error.c. Fixes #3328 reported by David Hu.
- Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318.
- Remove unused macros from MSVC projects. Reported in #3297 and fix submitted in #3333 by irwir.
- Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small.
- Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie.
- Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. Contributed by Nia Alarie in #3422.
- Fix false positive uninitialised variable reported by cpp-check. Contributed by Sander Visser in #3311.
- Update iv and len context pointers manually when reallocating buffers using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues when receiving a connection with CID, when these fields were shifted in ssl_parse_record_header().
Changes
- Fix warnings about signedness issues in format strings. The build is now clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153.
- Fix minor performance issue in operations on Curve25519 caused by using a suboptimal modular reduction in one place. Found and fix contributed by Aurelien Jarno in #3209.
- Combine identical cases in switch statements in md.c. Contributed by irwir in #3208.
- Simplify a bounds check in ssl_write_certificate_request(). Contributed by irwir in #3150.
- Unify the example programs termination to call mbedtls_exit() instead of using a return command. This has been done to enable customization of the behavior in bare metal environments.
- Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". Contributed by Koh M. Nakagawa in #3326.
- Use FindPython3 when the CMake version is >= 3.15.0.
- Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello.
- The unit tests now rely on header files in tests/include/test and source files in tests/src. When building with make or cmake, the files in tests/src are compiled and the resulting object linked into each test executable.
- The ECP module, enabled by MBEDTLS_ECP_C, now depends on MBEDTLS_CTR_DRBG_C or MBEDTLS_HMAC_DRBG_C for some side-channel countermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option MBEDTLS_ECP_NO_INTERNAL_RNG.
- Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes Martinho. #3147
- Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported in #3182 and fix submitted by irwir. #3217
- Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
Who should update
We recommend that all affected users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.
Checksum
The SHA256 hashes for the archives are:
9933fe6b5991d5308e183a5a07454f76d7054721ba269d0c3811b227cb629e7a mbedtls-2.23.0.tar.gz
bbf9c3cc6b7603f2f15bbba7badcf6cf188a9d5aaa63c4df2d61213f459c2f5f mbedtls-2.23.0.zip
Mbed TLS 2.16.7
Description
Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.
Security
- Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
- Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
- Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.
Bugfix
- Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir.
- Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3197
- Include asn1.h in error.c. Fixes #3328 reported by David Hu.
- Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318.
- Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small.
Changes
- Unify the termination of the example programs: they now call mbedtls_exit() instead of using a return statement. This was done so that the behaviour can be customized in bare-metal environments.
- Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello.
- The ECP module, enabled by MBEDTLS_ECP_C, now depends on MBEDTLS_CTR_DRBG_C, MBEDTLS_HMAC_DRBG_C, MBEDTLS_SHA512_C or MBEDTLS_SHA256_C for some side-channel countermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option MBEDTLS_ECP_NO_INTERNAL_RNG.
Who should update
We recommend that all affected users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
c95b11557ee97d2bdfd48cd57cf9b648a6cddd2ca879e3c35c4e7525f2871992 mbedtls-2.16.7.tar.gz
6ee853f8dbbe662b7647b454c9635ed7f2b3c78293e064c1be74c7cfd97d080b mbedtls-2.16.7.zip
Mbed TLS 2.7.16
Description
Mbed TLS 2.7.16 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.
Security
- Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
- Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
- Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.
Bugfix
- Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.7.12 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir.
- Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3196
- Include asn1.h in error.c. Fixes #3328 reported by David Hu.
- Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318.
- Add bounds checks in ssl_write_client_hello() to prevent an output buffer overflow when the configured output buffer is too small.
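The pathLenConstraint item above appears in both the 2.16.7 and 2.7.16 notes. The following is an added example, written for this page and not Mbed TLS's own X.509 code, showing where the undefined behaviour comes from and the check that avoids it. It parses the DER value of a BasicConstraints extension and stores the result using the same convention as mbedtls_x509_crt.max_pathlen (0 = unconstrained, otherwise pathLenConstraint + 1); the return codes, the struct and the function names are hypothetical, and the test vectors are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes for this illustration only (not Mbed TLS's error space). */
enum { BC_OK = 0, BC_ERR_MALFORMED = -1, BC_ERR_RANGE = -2 };

typedef struct {
    int is_ca;
    /* Same convention as mbedtls_x509_crt.max_pathlen: 0 means no
       constraint, otherwise pathLenConstraint + 1. That "+ 1" is where a
       value of INT_MAX turns into signed overflow if it is not rejected. */
    int max_pathlen;
} basic_constraints_t;

/* Read a DER length (short form, or long form up to sizeof(size_t) bytes)
   and check that the content it announces is actually present. */
static int der_len(const uint8_t **p, const uint8_t *end, size_t *len)
{
    if (*p >= end) return BC_ERR_MALFORMED;
    uint8_t b = *(*p)++;
    if (b < 0x80) {
        *len = b;
    } else {
        size_t n = b & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - *p) < n) return BC_ERR_MALFORMED;
        *len = 0;
        for (size_t i = 0; i < n; i++) *len = (*len << 8) | *(*p)++;
    }
    return (size_t)(end - *p) < *len ? BC_ERR_MALFORMED : BC_OK;
}

/* Parse the DER value of a BasicConstraints extension (RFC 5280 4.2.1.9):
     SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL } */
int parse_basic_constraints(const uint8_t *buf, size_t buflen, basic_constraints_t *out)
{
    const uint8_t *p = buf, *end = buf + buflen;
    size_t len;
    out->is_ca = 0;
    out->max_pathlen = 0;

    if (p >= end || *p++ != 0x30) return BC_ERR_MALFORMED;      /* SEQUENCE tag */
    if (der_len(&p, end, &len) != BC_OK) return BC_ERR_MALFORMED;
    end = p + len;                            /* never read past the SEQUENCE */
    if (p == end) return BC_OK;               /* empty: end entity, no limit */

    if (*p == 0x01) {                                          /* BOOLEAN */
        p++;
        if (der_len(&p, end, &len) != BC_OK || len != 1) return BC_ERR_MALFORMED;
        out->is_ca = (*p++ != 0);
        if (p == end) return BC_OK;
    }

    if (*p++ != 0x02) return BC_ERR_MALFORMED;                 /* INTEGER tag */
    if (der_len(&p, end, &len) != BC_OK || len == 0 || len > sizeof(unsigned long))
        return BC_ERR_MALFORMED;
    if (*p & 0x80) return BC_ERR_MALFORMED;                    /* negative: not allowed */
    unsigned long pathlen = 0;
    for (size_t i = 0; i < len; i++) pathlen = (pathlen << 8) | *p++;
    if (p != end) return BC_ERR_MALFORMED;                     /* trailing garbage */

    /* The range check that matters: (int)pathlen + 1 must be representable.
       With pathlen == INT_MAX the addition overflows a signed int, which is
       undefined behaviour in C. Most compilers happen to wrap, which is why
       the changelog calls it unlikely to be exploitable, but a parser
       should not depend on that. */
    if (pathlen >= (unsigned long)INT_MAX) return BC_ERR_RANGE;
    out->max_pathlen = (int)pathlen + 1;
    return BC_OK;
}

int main(void)
{
    /* Constructed inputs: a CA with pathLen 3, and a CA with pathLen INT_MAX. */
    const uint8_t ca3[]    = {0x30,0x06, 0x01,0x01,0xff, 0x02,0x01,0x03};
    const uint8_t intmax[] = {0x30,0x09, 0x01,0x01,0xff, 0x02,0x04,0x7f,0xff,0xff,0xff};
    basic_constraints_t bc;
    int rc = parse_basic_constraints(ca3, sizeof ca3, &bc);
    printf("ca3: rc=%d is_ca=%d max_pathlen=%d\n", rc, bc.is_ca, bc.max_pathlen);
    rc = parse_basic_constraints(intmax, sizeof intmax, &bc);
    printf("intmax: rc=%d (expect %d)\n", rc, BC_ERR_RANGE);
    return 0;
}
```

The comparison is done on the unsigned value before the conversion to int, so the overflowing addition is never evaluated; rejecting the certificate outright is the conservative choice, since a path length of 2^31 - 1 has no legitimate use.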
Changes
- Unify the termination of the example programs: they now call mbedtls_exit() instead of using a return statement. This was done so that the behaviour can be customized in bare-metal environments.
- Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello.
- The ECP module, enabled by MBEDTLS_ECP_C, now depends on MBEDTLS_CTR_DRBG_C, MBEDTLS_HMAC_DRBG_C, MBEDTLS_SHA512_C or MBEDTLS_SHA256_C for some side-channel countermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option MBEDTLS_ECP_NO_INTERNAL_RNG.
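The ssl_write_client_hello() bounds-check bugfix and the ClientHello "abort instead of silently drop" change are listed for both the 2.16.7 and 2.7.16 releases. The following is an added example, not Mbed TLS's ssl_cli.c, contrasting the two behaviours on a small writer for the extensions block of a ClientHello (extensions_length, then type || length || data per extension). The function names, the error code and the sample extension payloads are constructed for this illustration; the payloads are treated as opaque bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical error code for this illustration. */
#define EXT_ERR_BUFFER_TOO_SMALL (-1)

typedef struct {
    uint16_t type;       /* ExtensionType, e.g. 0 = server_name, 13 = signature_algorithms */
    const uint8_t *data; /* extension_data, opaque here */
    size_t len;
} tls_extension_t;

/* Append one extension (type || length || data) if and only if it fits
   entirely between p and end. Returns bytes written, or 0 if it would not
   fit. The comparison is on lengths, not on pointers, so p + len is never
   formed past the end of the buffer. */
static size_t put_extension(uint8_t *p, const uint8_t *end, const tls_extension_t *e)
{
    if (e->len > 0xFFFF || (size_t)(end - p) < 4 + e->len) return 0;
    p[0] = (uint8_t)(e->type >> 8); p[1] = (uint8_t)(e->type & 0xFF);
    p[2] = (uint8_t)(e->len >> 8);  p[3] = (uint8_t)(e->len & 0xFF);
    memcpy(p + 4, e->data, e->len);
    return 4 + e->len;
}

/* Old behaviour ("silently dropped"): an extension that does not fit is
   skipped and the hello is still reported as written. Kept only to show
   why that is a problem: the peer sees a well-formed ClientHello that is
   missing, say, signature_algorithms, and nothing on the client side fails. */
int write_extensions_lenient(uint8_t *out, size_t out_len, const tls_extension_t *exts, size_t n)
{
    if (out_len < 2) return EXT_ERR_BUFFER_TOO_SMALL;
    uint8_t *p = out + 2;                         /* reserve extensions_length */
    const uint8_t *end = out + out_len;
    for (size_t i = 0; i < n; i++)
        p += put_extension(p, end, &exts[i]);     /* 0 => dropped, nobody told */
    size_t body = (size_t)(p - out) - 2;
    out[0] = (uint8_t)(body >> 8); out[1] = (uint8_t)(body & 0xFF);
    return (int)(p - out);
}

/* New behaviour: the first extension that does not fit aborts the write,
   so an undersized output buffer makes the handshake fail loudly. */
int write_extensions_strict(uint8_t *out, size_t out_len, const tls_extension_t *exts, size_t n)
{
    if (out_len < 2) return EXT_ERR_BUFFER_TOO_SMALL;
    uint8_t *p = out + 2;
    const uint8_t *end = out + out_len;
    for (size_t i = 0; i < n; i++) {
        size_t w = put_extension(p, end, &exts[i]);
        if (w == 0) return EXT_ERR_BUFFER_TOO_SMALL;   /* abort, do not drop */
        p += w;
    }
    size_t body = (size_t)(p - out) - 2;
    if (body > 0xFFFF) return EXT_ERR_BUFFER_TOO_SMALL; /* 2-byte length field */
    out[0] = (uint8_t)(body >> 8); out[1] = (uint8_t)(body & 0xFF);
    return (int)(p - out);
}

int main(void)
{
    /* Constructed payloads: a tiny server_name list and a signature_algorithms list. */
    const uint8_t sni[]     = {0x00,0x04, 0x00, 0x00,0x01, 'a'};
    const uint8_t sigalgs[] = {0x00,0x02, 0x04,0x03};
    const tls_extension_t exts[2] = { {0, sni, sizeof sni}, {13, sigalgs, sizeof sigalgs} };
    uint8_t buf[14];                              /* too small for both extensions */
    printf("lenient: %d bytes\n", write_extensions_lenient(buf, sizeof buf, exts, 2));
    printf("strict:  %d\n", write_extensions_strict(buf, sizeof buf, exts, 2));
    return 0;
}
```

Both writers are memory safe; the difference is only in what they report. With a 14-byte buffer the lenient writer returns a 12-byte block that carries just server_name, while the strict writer returns the error, which is the behaviour the changelog entry describes for the handshake.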
Who should update
We recommend that all affected users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
571420852b771a61d54dc61881ae744363f5fcd9c274f7d6874a5d2913107ad4 mbedtls-2.7.16.tar.gz
da3229f4f842c6dbcec5d9d4f8790b02a53cc7125dbdf681a97936d3d877a992 mbedtls-2.7.16.zip
Mbed TLS 2.7.15
Description
Mbed TLS 2.7.15 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.
Security
- Fix side channel in ECC code that allowed an adversary with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) to fully recover an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
- Fix a potentially remotely exploitable buffer overread in a DTLS client when parsing the Hello Verify Request message.
- Fix a bug in DTLS handling of new associations with the same parameters (RFC 6347 section 4.2.8): after sending its HelloVerifyRequest, the server would end up with corrupted state and only send invalid records to the client. An attacker able to send forged UDP packets to the server could use this to cause a denial of service. This could only happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h (which it is by default).
Bugfix
- Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
- Fix a function name in a debug message. Contributed by Ercan Ozturk in #3013.
Who should update
We recommend that all affected users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Mbed TLS 2.16.6
Description
Mbed TLS 2.16.6 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.
Security
- Fix side channel in ECC code that allowed an adversary with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) to fully recover an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
- Fix a potentially remotely exploitable buffer overread in a DTLS client when parsing the Hello Verify Request message.
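The DTLS HelloVerifyRequest buffer overread is listed for both 2.7.15 and 2.16.6. The following is an added example, not Mbed TLS's own ssl_parse_hello_verify_request(), of a client-side parser for that message (RFC 6347 section 4.2.1: a 2-byte server_version followed by a 1-byte cookie length and the cookie) in which every read is checked against the number of bytes actually received. The struct, the return codes and the sample messages are constructed for this illustration; rejecting versions other than DTLS 1.0 and 1.2 is a design choice here, not something the changelog states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical return codes for this illustration. */
#define HVR_ERR_TRUNCATED   (-1)
#define HVR_ERR_BAD_VERSION (-2)
#define HVR_MAX_COOKIE      255     /* opaque cookie<0..2^8-1> */

typedef struct {
    uint8_t major, minor;           /* DTLS wire versions are 1's complement:
                                       1.0 = {254,255}, 1.2 = {254,253} */
    uint8_t cookie[HVR_MAX_COOKIE];
    size_t cookie_len;
} hello_verify_request_t;

/* Parse the handshake body of a DTLS HelloVerifyRequest:
     ProtocolVersion server_version;   -- 2 bytes
     opaque cookie<0..2^8-1>;          -- 1 length byte + cookie
   `len` is the number of bytes actually present in the handshake message.
   The over-read class fixed in this release is what happens when a length
   taken from the wire (here cookie_len) is used as a read length without
   first comparing it to the bytes remaining. Returns bytes consumed, or an
   error; trailing data, if any, is left for the caller to reject. */
int parse_hello_verify_request(const uint8_t *buf, size_t len, hello_verify_request_t *out)
{
    if (len < 3) return HVR_ERR_TRUNCATED;            /* version(2) + cookie length(1) */
    out->major = buf[0];
    out->minor = buf[1];
    /* RFC 6347 says the client uses server_version only for packet
       formatting, so we only sanity-check that it is a DTLS version. */
    if (out->major != 254 || (out->minor != 255 && out->minor != 253))
        return HVR_ERR_BAD_VERSION;

    size_t cookie_len = buf[2];
    if (len - 3 < cookie_len) return HVR_ERR_TRUNCATED;   /* the check that prevents the over-read */
    memcpy(out->cookie, buf + 3, cookie_len);
    out->cookie_len = cookie_len;
    return (int)(3 + cookie_len);
}

int main(void)
{
    /* Constructed message: DTLS 1.0 version, 4-byte cookie. */
    const uint8_t good[]  = {0xfe,0xff, 0x04, 0xde,0xad,0xbe,0xef};
    /* Constructed attack: claims a 200-byte cookie but only 1 byte follows;
       a parser that trusts the length byte reads 199 bytes past the message. */
    const uint8_t lying[] = {0xfe,0xff, 0xc8, 0x00};
    hello_verify_request_t hvr;
    printf("good:  %d\n", parse_hello_verify_request(good, sizeof good, &hvr));
    printf("lying: %d\n", parse_hello_verify_request(lying, sizeof lying, &hvr));
    return 0;
}
```

Because the cookie length is one byte and the destination array holds 255 bytes, the copy can never overflow the output; the only thing that can go wrong is reading past the input, which is exactly what the `len - 3 < cookie_len` comparison rules out.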
Bugfix
- Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
- Fix a function name in a debug message. Contributed by Ercan Ozturk in #3013.
Who should update
We recommend that all affected users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.