Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-35409: Releases · Mbed-TLS/mbedtls

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function.

CVE
#vulnerability#mac#windows#microsoft#linux#git#oracle#c++#perl#buffer_overflow#auth#ssl

Description

This release is functionally identical to 3.2.0, but includes a file that was missing from the 3.2.0 release (see #6084). It includes all of the changes that went into 3.2.0, which are described here: https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.2.0

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Bugfix

  • Add missing generated file library/ssl_debug_helpers_generated.c

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

d0e77a020f69ad558efc660d3106481b75bd3056d6301c31564e04a0faae88cc mbedtls-3.2.1.tar.gz
efeac7fb687d19a7c7dc60f5e60265edd528244856cf3db2e2aecacece08b23f mbedtls-3.2.1.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Cmake build error

There is a minor issue building with Cmake relating to a missing generated file (as per #6084). To work around this, please build once with make before running cmake. We are currently preparing 3.2.1, which will fix this (with no other changes).

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Default behavior changes

  • mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
    for IV lengths other than 12. The library was silently overwriting this
    length with 12, but did not inform the caller about it. Fixes #4301.

Requirement changes

  • The library will no longer compile out of the box on a platform without
    setbuf(). If your platform does not have setbuf(), you can configure an
    alternative function by enabling MBEDTLS_PLATFORM_SETBUF_ALT or
    MBEDTLS_PLATFORM_SETBUF_MACRO.

New deprecations

  • Deprecate mbedtls_ssl_conf_max_version() and
    mbedtls_ssl_conf_min_version() in favor of
    mbedtls_ssl_conf_max_tls_version() and
    mbedtls_ssl_conf_min_tls_version().
  • Deprecate mbedtls_cipher_setup_psa(). Use psa_aead_xxx() or
    psa_cipher_xxx() directly instead.
  • Secure element drivers enabled by MBEDTLS_PSA_CRYPTO_SE_C are deprecated.
    This was intended as an experimental feature, but had not been explicitly
    documented as such. Use opaque drivers with the interface enabled by
    MBEDTLS_PSA_CRYPTO_DRIVERS instead.
  • Deprecate mbedtls_ssl_conf_sig_hashes() in favor of the more generic
    mbedtls_ssl_conf_sig_algs(). Signature algorithms for the TLS 1.2 and
    TLS 1.3 handshake should now be configured with
    mbedtls_ssl_conf_sig_algs().

Features

  • Add accessor to obtain ciphersuite id from ssl context.
  • Add accessors to get members from ciphersuite info.
  • Add mbedtls_ssl_ticket_rotate() for external ticket rotation.
  • Add accessor to get the raw buffer pointer from a PEM context.
  • The structures mbedtls_ssl_config and mbedtls_ssl_context now store
    a piece of user data which is reserved for the application. The user
    data can be either a pointer or an integer.
  • Add an accessor function to get the configuration associated with
    an SSL context.
  • Add a function to access the protocol version from an SSL context in a
    form that’s easy to compare. Fixes #5407.
  • Add function mbedtls_md_info_from_ctx() to recall the message digest
    information that was used to set up a message digest context.
  • Add ALPN support in TLS 1.3 clients.
  • Add server certificate selection callback near end of Client Hello.
    Register callback with mbedtls_ssl_conf_cert_cb().
  • Provide mechanism to reset handshake cert list by calling
    mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param.
  • Add accessor mbedtls_ssl_get_hs_sni() to retrieve SNI from within
    cert callback (mbedtls_ssl_conf_cert_cb()) during handshake.
  • The X.509 module now uses PSA hash acceleration if present.
  • Add support for psa crypto key derivation for elliptic curve
    keys. Fixes #3260.
  • Add function mbedtls_timing_get_final_delay() to access the private
    final delay field in an mbedtls_timing_delay_context, as requested in
    #5183.
    * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
    PSA Crypto is enabled.
  • Add function mbedtls_ecp_export() to export ECP key pair parameters.
    Fixes #4838.
  • Add function mbedtls_ssl_is_handshake_over() to enable querying if the SSL
    Handshake has completed or not, and thus whether to continue calling
    mbedtls_ssl_handshake_step(), requested in #4383.
  • Add the function mbedtls_ssl_get_own_cid() to access our own connection id
    within mbedtls_ssl_context, as requested in #5184.
  • Introduce mbedtls_ssl_hs_cb_t typedef for use with
    mbedtls_ssl_conf_cert_cb() and perhaps future callbacks
    during TLS handshake.
  • Add functions mbedtls_ssl_conf_max_tls_version() and
    mbedtls_ssl_conf_min_tls_version() that use a single value to specify
    the protocol version.
    * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
    mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
    holding the other secret.
  • When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
    feature requirements in the file named by the new macro
    MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
    Furthermore you may name an additional file to include after the main
    file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
  • Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
    field within mbedtls_x509_crt context, as requested in #5585.
  • Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
  • Add support for the ARMv8 SHA-2 acceleration instructions when building
    for Aarch64.
  • Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
  • Add support for server HelloRetryRequest message. The TLS 1.3 client is
    now capable of negotiating another shared secret if the one sent in its
    first ClientHello was not suitable to the server.
  • Add support for client-side TLS version negotiation. If both TLS 1.2 and
    TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now
    negotiates TLS 1.3 or TLS 1.2 with TLS servers.
  • Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS
    1.2 protocol support.
  • Mbed TLS provides an implementation of a TLS 1.3 server (ephemeral key
    establishment only). See docs/architecture/tls13-support.md for a
    description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and
    MBEDTLS_SSL_SRV_C configuration options control this.
  • Add accessors to configure DN hints for certificate request:
    mbedtls_ssl_conf_dn_hints() and mbedtls_ssl_set_hs_dn_hints()
  • The configuration option MBEDTLS_USE_PSA_CRYPTO, which previously
    affected only a limited subset of crypto operations in TLS, X.509 and PK,
    now causes most of them to be done using PSA Crypto; see
    docs/use-psa-crypto.md for the list of exceptions.
  • The function mbedtls_pk_setup_opaque() now supports RSA key pairs as well.
    Opaque keys can now be used everywhere a private key is expected in the
    TLS and X.509 modules.
  • Opaque pre-shared keys for TLS, provisioned with
    mbedtls_ssl_conf_psk_opaque() or mbedtls_ssl_set_hs_psk_opaque(), which
    previously only worked for “pure” PSK key exchange, now can also be used
    for the “mixed” PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
  • cmake now detects if it is being built as a sub-project, and in that case
    disables the target export/installation and package configuration.
  • Make USE_PSA_CRYPTO compatible with KEY_ID_ENCODES_OWNER. Fixes #5259.
  • Add example programs cipher_aead_demo.c, md_hmac_demo.c, aead_demo.c
    and hmac_demo.c, which use PSA and the md/cipher interfaces side
    by side in order to illustrate how the operation is performed in PSA.
    Addresses #5208.

Security

  • Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
    module before freeing them. These buffers contain secret key material, and
    could thus potentially leak the key through freed heap.
  • Fix potential memory leak inside mbedtls_ssl_cache_set() with
    an invalid session id length.
  • Add the platform function mbedtls_setbuf() to allow buffering to be
    disabled on stdio files, to stop secrets loaded from said files being
    potentially left in memory after file operations. Reported by
    Glenn Strauss.
  • Fix a potential heap buffer overread in TLS 1.2 server-side when
    MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
    mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
    is selected. This may result in an application crash or potentially an
    information leak.
  • Fix a buffer overread in DTLS ClientHello parsing in servers with
    MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
    or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
    after the end of the SSL input buffer. The buffer overread only happens
    when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
    the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
    and possibly up to 571 bytes with a custom cookie check function.
    Reported by the Cybeats PSI Team.
  • Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated
    client or server could cause an MbedTLS server or client to overread up
    to 64 kBytes of data and potentially overread the input buffer by that
    amount minus the size of the input buffer. As overread data undergoes
    various checks, the likelihood of reaching the boundary of the input
    buffer is rather small but increases as its size
    MBEDTLS_SSL_IN_CONTENT_LEN decreases.
  • Fix check of certificate key usage in TLS 1.3. The usage of the public key
    provided by a client or server certificate for authentication was not
    checked properly when validating the certificate. This could cause a
    client or server to be able to authenticate itself through a certificate
    to an Mbed TLS TLS 1.3 server or client while it does not own a proper
    certificate to do so.

Bugfix

  • Declare or use PSA_WANT_ALG_CCM_STAR_NO_TAG following the general
    pattern for PSA_WANT_xxx symbols. Previously you had to specify
    PSA_WANT_ALG_CCM for PSA_ALG_CCM_STAR_NO_TAG.
  • Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
  • Fixed swap of client and server random bytes when exporting them alongside
    TLS 1.3 handshake and application traffic secret.
  • Fix several bugs (warnings, compiler and linker errors, test failures)
    in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
    enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
    client would fail to check that the curve selected by the server for
    ECDHE was indeed one that was offered. As a result, the client would
    accept any curve that it supported, even if that curve was not allowed
    according to its configuration. Fixes #5291.
  • The TLS 1.3 implementation is now compatible with the
    MBEDTLS_USE_PSA_CRYPTO configuration option.
  • Fix unit tests that used 0 as the file UID. This failed on some
    implementations of PSA ITS. Fixes #3838.
  • Fix mbedtls_ssl_get_version() not reporting TLSv1.3. Fixes #5406.
  • Fix API violation in mbedtls_md_process() test by adding a call to
    mbedtls_md_starts(). Fixes #2227.
  • Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
    to catch bad uses of time.h.
  • Fix a race condition in out-of-source builds with CMake when generated data
    files are already present. Fixes #5374.
  • Fix the library search path when building a shared library with CMake
    on Windows.
  • Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
    potentially leading to corrupted alert messages being sent in case
    the function needs to be re-called after initially returning
    MBEDTLS_SSL_WANT_WRITE. Fixes #1916.
  • In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but not
    MBEDTLS_DEBUG_C, DTLS handshakes using CID would crash due to a null
    pointer dereference. Fix this. Fixes #3998.
    The fix was released, but not announced, in Mbed TLS 3.1.0.
  • Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
    documentation stated that the allowed_pks field applies to signatures
    only, but in fact it does apply to the public key type of the end entity
    certificate, too. Fixes #1992.
  • Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
    not NULL and val_len is zero.
  • Fix compilation error with mingw32. Fixed by Cameron Cawley in #4211.
  • Fix compilation error when using C++ Builder on Windows. Reported by
    Miroslav Mastny in #4015.
  • psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
    applicable. Fixes #5735.
  • Fix a bug in the x25519 example program where the removal of
    MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
    #3191.
  • Fix a TLS 1.3 handshake failure when the peer Finished message has not
    been received yet when we first try to fetch it.
  • Encode X.509 dates before 1/1/2000 as UTCTime rather than
    GeneralizedTime. Fixes #5465.
  • Add mbedtls_x509_dn_get_next function to return the next relative DN in
    an X509 name, to allow walking the name list. Fixes #5431.
    * Fix order value of curve x448.
  • Fix string representation of DNs when outputting values containing commas
    and other special characters, conforming to RFC 1779. Fixes #769.
  • Silence a warning from GCC 12 in the selftest program. Fixes #5974.
  • Fix check_config.h to check that we have MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
    when MBEDTLS_SSL_PROTO_TLS1_3 is specified, and make this and other
    dependencies explicit in the documentation. Fixes #5610.
  • Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
  • Fix a TLS 1.3 handshake failure when the first attempt to send the client
    Finished message on the network cannot be satisfied. Fixes #5499.
  • Fix resource leaks in mbedtls_pk_parse_public_key() in low
    memory conditions.
  • Fix server connection identifier setting for outgoing encrypted records
    on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
    connection identifier, the Mbed TLS client now properly sends the server
    connection identifier in encrypted record headers. Fix #5872.
  • Fix a null pointer dereference when performing some operations on zero
    represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
    by 2, and mbedtls_mpi_write_string() in base 2).
  • Fix record sizes larger than 16384 being sometimes accepted despite being
    non-compliant. This could not lead to a buffer overflow. In particular,
    application data size was already checked correctly.
  • Fix MBEDTLS_SVC_KEY_ID_GET_KEY_ID() and MBEDTLS_SVC_KEY_ID_GET_OWNER_ID()
    which have been broken, resulting in compilation errors, since Mbed TLS
    3.0.
  • Ensure that TLS 1.2 ciphersuite/certificate and key selection takes into
    account not just the type of the key (RSA vs EC) but also what it can
    actually do. Resolves #5831.
  • Fix CMake windows host detection, especially when cross compiling.
  • Fix an error in make where the absence of a generated file caused
    make to break on a clean checkout. Fixes #5340.
  • Work around an MSVC ARM64 compiler bug causing incorrect behaviour
    in mbedtls_mpi_exp_mod(). Reported by Tautvydas Žilys in #5467.
  • Removed the prompt to exit from all windows build programs that was causing
    issues in CI/CD environments.

Changes

  • The file library/psa_crypto_driver_wrappers.c is now generated
    from a template. In the future, the generation will support
    driver descriptions. For the time being, to customize this file,
    see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
  • Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
    AEAD functions is not an AEAD algorithm. This aligns them with the
    multipart functions, and the PSA Crypto API 1.1 specification.
  • In mbedtls_pk_parse_key(), if no password is provided, don’t allocate a
    temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
  • Assume source files are in UTF-8 when using MSVC with CMake.
  • Fix runtime library install location when building with CMake and MinGW.
    DLLs are now installed in the bin directory instead of lib.
  • cmake: Use GnuInstallDirs to customize install directories
    Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
    variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
    LIB_INSTALL_DIR is set.
  • Add a CMake option that enables static linking of the runtime library
    in Microsoft Visual C++ compiler. Contributed by Microplankton.
  • In CMake builds, add aliases for libraries so that the normal MbedTLS::*
    targets work when MbedTLS is built as a subdirectory. This allows the
    use of FetchContent, as requested in #5688.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

53201dbe4f44446b983970cafc9bdc49a2e5a3b505ec4d871d17bcf274e189e2 mbedtls-3.2.0.tar.gz
b54bec8cf6584a71774428768d099636bd2db2faa6452352492d9c5c69c2f8cb mbedtls-3.2.0.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Default behavior changes

  • mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
    for IV lengths other than 12. The library was silently overwriting this
    length with 12, but did not inform the caller about it. Fixes #4301.

Features

  • When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
    feature requirements in the file named by the new macro
    MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
    Furthermore you may name an additional file to include after the main
    file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.

Security

  • Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
    module before freeing them. These buffers contain secret key material, and
    could thus potentially leak the key through freed heap.
  • Fix a potential heap buffer overread in TLS 1.2 server-side when
    MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
    mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
    is selected. This may result in an application crash or potentially an
    information leak.
  • Fix a buffer overread in DTLS ClientHello parsing in servers with
    MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
    or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
    after the end of the SSL input buffer. The buffer overread only happens
    when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
    the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
    and possibly up to 571 bytes with a custom cookie check function.
    Reported by the Cybeats PSI Team.

Bugfix

  • Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
  • Fix several bugs (warnings, compiler and linker errors, test failures)
    in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
    enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
    client would fail to check that the curve selected by the server for
    ECDHE was indeed one that was offered. As a result, the client would
    accept any curve that it supported, even if that curve was not allowed
    according to its configuration. Fixes #5291.
  • Fix unit tests that used 0 as the file UID. This failed on some
    implementations of PSA ITS. Fixes #3838.
  • Fix API violation in mbedtls_md_process() test by adding a call to
    mbedtls_md_starts(). Fixes #2227.
  • Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
    to catch bad uses of time.h.
  • Fix the library search path when building a shared library with CMake
    on Windows.
  • Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
    potentially leading to corrupted alert messages being sent in case
    the function needs to be re-called after initially returning
    MBEDTLS_SSL_WANT_WRITE. Fixes #1916.
  • In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of
    MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C,
    DTLS handshakes using CID would crash due to a null pointer dereference.
    Fix this. Fixes #3998.
  • Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
    documentation stated that the allowed_pks field applies to signatures
    only, but in fact it does apply to the public key type of the end entity
    certificate, too. Fixes #1992.
  • Fix PSA cipher multipart operations using ARC4. Previously, an IV was
    required but discarded. Now, an IV is rejected, as it should be.
  • Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
    not NULL and val_len is zero.
  • psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
    applicable. Fixes #5735.
  • Fix a bug in the x25519 example program where the removal of
    MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
    #3191.
  • Encode X.509 dates before 1/1/2000 as UTCTime rather than
    GeneralizedTime. Fixes #5465.
  • Fix order value of curve x448.
  • Fix string representation of DNs when outputting values containing commas
    and other special characters, conforming to RFC 1779. Fixes #769.
  • Silence a warning from GCC 12 in the selftest program. Fixes #5974.
  • Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
  • Fix resource leaks in mbedtls_pk_parse_public_key() in low
    memory conditions.
  • Fix server connection identifier setting for outgoing encrypted records
    on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
    connection identifier, the Mbed TLS client now properly sends the server
    connection identifier in encrypted record headers. Fix #5872.
  • Fix a null pointer dereference when performing some operations on zero
    represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
    by 2, and mbedtls_mpi_write_string() in base 2).
  • Fix record sizes larger than 16384 being sometimes accepted despite being
    non-compliant. This could not lead to a buffer overflow. In particular,
    application data size was already checked correctly.

Changes

  • Assume source files are in UTF-8 when using MSVC with CMake.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

6797a7b6483ef589deeab8d33d401ed235d7be25eeecda1be8ddfed406d40ff4 mbedtls-2.28.1.tar.gz
b67866fc781934d9c6a322489a1efdc79ef545bf242a3bfa7cffd3c393d377c1 mbedtls-2.28.1.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

Release Notes

API changes

  • New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
    Alternative GCM implementations are expected to verify
    the length of the provided output buffers and to return the
    MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
  • You can configure groups for a TLS key exchange with the new function
    mbedtls_ssl_conf_groups(). It extends mbedtls_ssl_conf_curves().
  • Declare a number of structure fields as public: the fields of
    mbedtls_ecp_curve_info, the fields describing the result of ASN.1 and
    X.509 parsing, and finally the field fd of mbedtls_net_context on
    POSIX/Unix-like platforms.

Requirement changes

  • Sign-magnitude and one’s complement representations for signed integers are
    not supported. Two’s complement is the only supported representation.

New deprecations

  • Deprecate mbedtls_ssl_conf_curves() in favor of the more generic
    mbedtls_ssl_conf_groups().

Removals

  • Remove the partial support for running unit tests via Greentea on Mbed OS,
    which had been unmaintained since 2018.

Features

  • Enable support for Curve448 via the PSA API. Contributed by
    Archana Madhavan in #4626. Fixes #3399 and #4249.
  • The identifier of the CID TLS extension can be configured by defining
    MBEDTLS_TLS_EXT_CID at compile time.
  • Implement the PSA multipart AEAD interface, currently supporting
    ChaChaPoly and GCM.
  • Warn if errors from certain functions are ignored. This is currently
    supported on GCC-like compilers and on MSVC and can be configured through
    the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
    (where supported) for critical functions where ignoring the return
    value is almost always a bug. Enable the new configuration option
    MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
    is currently implemented in the AES, DES and md modules, and will be
    extended to other modules in the future.
  • Add missing PSA macros declared by PSA Crypto API 1.0.0:
    PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
  • Add support for CCM*-no-tag cipher to the PSA.
    Currently only 13-byte long IV’s are supported.
    For decryption a minimum of 16-byte long input is expected.
    These restrictions may be subject to change.
  • Add new API mbedtls_ct_memcmp for constant time buffer comparison.
  • Add functions to get the IV and block size from cipher_info structs.
  • Add functions to check if a cipher supports variable IV or key size.
  • Add the internal implementation of and support for CCM to the PSA multipart
    AEAD interface.
  • Mbed TLS provides a minimum viable implementation of the TLS 1.3
    protocol. See docs/architecture/tls13-support.md for the definition of
    the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3
    configuration option controls the enablement of the support. The APIs
    mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow
    to select the 1.3 version of the protocol to establish a TLS connection.
  • Add PSA API definition for ARIA.

Security

  • Zeroize several intermediate variables used to calculate the expected
    value when verifying a MAC or AEAD tag. This hardens the library in
    case the value leaks through a memory disclosure vulnerability. For
    example, a memory disclosure vulnerability could have allowed a
    man-in-the-middle to inject fake ciphertext into a DTLS connection.
  • In psa_aead_generate_nonce(), do not read back from the output buffer.
    This fixes a potential policy bypass or decryption oracle vulnerability
    if the output buffer is in memory that is shared with an untrusted
    application.
  • In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
    from the output buffer. This fixes a potential policy bypass or decryption
    oracle vulnerability if the output buffer is in memory that is shared with
    an untrusted application.
  • Fix a double-free that happened after mbedtls_ssl_set_session() or
    mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
    (out of memory). After that, calling mbedtls_ssl_session_free()
    and mbedtls_ssl_free() would cause an internal session buffer to
    be free()'d twice.

Bugfix

  • Stop using reserved identifiers as local variables. Fixes #4630.
  • The GNU makefiles invoke python3 in preference to python except on Windows.
    The check was accidentally not performed when cross-compiling for Windows
    on Linux. Fix this. Fixes #4774.
  • Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
    PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
  • Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
  • Don’t use the obsolete header path sys/fcntl.h in unit tests.
    These header files cause compilation errors in musl.
    Fixes #4969.
  • Fix missing constraints on x86_64 and aarch64 assembly code
    for bignum multiplication that broke some bignum operations with
    (at least) Clang 12.
    Fixes #4116, #4786, #4917, #4962.
  • Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Failures of alternative implementations of AES or DES single-block
    functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
    MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
    This does not concern the implementation provided with Mbed TLS,
    where this function cannot fail, or full-module replacements with
    MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
  • Some failures of HMAC operations were ignored. These failures could only
    happen with an alternative implementation of the underlying hash module.
  • Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
  • Fix compile-time or run-time errors in PSA
    AEAD functions when ChachaPoly is disabled. Fixes #5065.
  • Remove PSA’a AEAD finish/verify output buffer limitation for GCM.
    The requirement of minimum 15 bytes for output buffer in
    psa_aead_finish() and psa_aead_verify() does not apply to the built-in
    implementation of GCM.
  • Move GCM’s update output buffer length verification from PSA AEAD to
    the built-in implementation of the GCM.
    The requirement for output buffer size to be equal or greater then
    input buffer size is valid only for the built-in implementation of GCM.
    Alternative GCM implementations can process whole blocks only.
  • Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
    MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
  • Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
    This algorithm now accepts only the same salt length for verification
    that it produces when signing, as documented. Use the new algorithm
    PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
  • The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
    for algorithm values that fully encode the hashing step, as per the PSA
    Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
    PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
    all algorithms that can be used with psa_{sign,verify}_hash(), including
    these two.
  • Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
    not to list other shared libraries they need.
  • Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
    exceeds 2^32. Fixes #4884.
  • Fix an uninitialized variable warning in test_suite_ssl.function with GCC
    version 11.
  • Fix the build when no SHA2 module is included. Fixes #4930.
  • Fix the build when only the bignum module is included. Fixes #4929.
  • Fix a potential invalid pointer dereference and infinite loop bugs in
    pkcs12 functions when the password is empty. Fix the documentation to
    better describe the inputs to these functions and their possible values.
    Fixes #5136.
  • The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
    operations psa_mac_compute() and psa_mac_sign_setup().
  • The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
    operations psa_mac_verify() and psa_mac_verify_setup().

Changes

  • Explicitly mark the fields mbedtls_ssl_session.exported and
    mbedtls_ssl_config.respect_cli_pref as private. This was an
    oversight during the run-up to the release of Mbed TLS 3.0.
    The fields were never intended to be public.
  • Implement multi-part CCM API.
    The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
    mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish()
    were introduced in mbedTLS 3.0 release, however their implementation was
    postponed until now.
    Implemented functions support chunked data input for both CCM and CCM*
    algorithms.
  • Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the
    code size by about 80B on an M0 build. This option only gated an ability
    to set a callback, but was deemed unnecessary as it was yet another define
    to remember when writing tests, or test configurations. Fixes #4653.
  • Improve the performance of base64 constant-flow code. The result is still
    slower than the original non-constant-flow implementation, but much faster
    than the previous constant-flow implementation. Fixes #4814.
  • Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
    For CCM* encryption/decryption without authentication, input
    length will be ignored.
  • Indicate in the error returned if the nonce length used with
    ChaCha20-Poly1305 is invalid, and not just unsupported.
  • The mbedcrypto library includes a new source code module constant_time.c,
    containing various functions meant to resist timing side channel attacks.
    This module does not have a separate configuration option, and functions
    from this module will be included in the build as required. Currently
    most of the interface of this module is private and may change at any
    time.
  • The generated configuration-independent files are now automatically
    generated by the CMake build system on Unix-like systems. This is not
    yet supported when cross-compiling.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

b02df6f68dd1537e115a8497d5c173dc71edc55ad084756e57a30f951b725acd mbedtls-3.1.0.tar.gz
8ec791eaed8332c50cade2bcc17b75ae5931ac00824a761b5aa4e7586645b72b mbedtls-3.1.0.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

Release Notes

API changes

  • Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
    different order. This only affects applications that define such
    structures directly or serialize them.

Requirement changes

  • Sign-magnitude and one’s complement representations for signed integers are
    not supported. Two’s complement is the only supported representation.

Removals

  • Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
    which allowed SHA-1 in the default TLS configuration for certificate
    signing. It was intended to facilitate the transition in environments
    with SHA-1 certificates. SHA-1 is considered a weak message digest and
    its use constitutes a security risk.
  • Remove the partial support for running unit tests via Greentea on Mbed OS,
    which had been unmaintained since 2018.

Features

  • The identifier of the CID TLS extension can be configured by defining
    MBEDTLS_TLS_EXT_CID at compile time.
  • Warn if errors from certain functions are ignored. This is currently
    supported on GCC-like compilers and on MSVC and can be configured through
    the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
    (where supported) for critical functions where ignoring the return
    value is almost always a bug. Enable the new configuration option
    MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
    is currently implemented in the AES, DES and md modules, and will be
    extended to other modules in the future.
  • Add missing PSA macros declared by PSA Crypto API 1.0.0:
    PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
  • Add new API mbedtls_ct_memcmp for constant time buffer comparison.
  • Add PSA API definition for ARIA.

Security

  • Zeroize several intermediate variables used to calculate the expected
    value when verifying a MAC or AEAD tag. This hardens the library in
    case the value leaks through a memory disclosure vulnerability. For
    example, a memory disclosure vulnerability could have allowed a
    man-in-the-middle to inject fake ciphertext into a DTLS connection.
  • In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
    from the output buffer. This fixes a potential policy bypass or decryption
    oracle vulnerability if the output buffer is in memory that is shared with
    an untrusted application.
  • Fix a double-free that happened after mbedtls_ssl_set_session() or
    mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
    (out of memory). After that, calling mbedtls_ssl_session_free()
    and mbedtls_ssl_free() would cause an internal session buffer to
    be free()'d twice.

Bugfix

  • Stop using reserved identifiers as local variables. Fixes #4630.
  • The GNU makefiles invoke python3 in preference to python except on Windows.
    The check was accidentally not performed when cross-compiling for Windows
    on Linux. Fix this. Fixes #4774.
  • Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
    PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
  • Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
  • Don’t use the obsolete header path sys/fcntl.h in unit tests.
    These header files cause compilation errors in musl.
    Fixes #4969.
  • Fix missing constraints on x86_64 and aarch64 assembly code
    for bignum multiplication that broke some bignum operations with
    (at least) Clang 12.
    Fixes #4116, #4786, #4917, #4962.
  • Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Failures of alternative implementations of AES or DES single-block
    functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
    MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
    This does not concern the implementation provided with Mbed TLS,
    where this function cannot fail, or full-module replacements with
    MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
  • Some failures of HMAC operations were ignored. These failures could only
    happen with an alternative implementation of the underlying hash module.
  • Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
  • Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
    MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
  • Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
    This algorithm now accepts only the same salt length for verification
    that it produces when signing, as documented. Use the new algorithm
    PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
  • The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
    for algorithm values that fully encode the hashing step, as per the PSA
    Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
    PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
    all algorithms that can be used with psa_{sign,verify}_hash(), including
    these two.
  • Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
    not to list other shared libraries they need.
  • Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
    exceeds 2^32. Fixes #4884.
  • Fix an uninitialized variable warning in test_suite_ssl.function with GCC
    version 11.
  • Fix the build when no SHA2 module is included. Fixes #4930.
  • Fix the build when only the bignum module is included. Fixes #4929.
  • Fix a potential invalid pointer dereference and infinite loop bugs in
    pkcs12 functions when the password is empty. Fix the documentation to
    better describe the inputs to these functions and their possible values.
    Fixes #5136.
  • The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
    operations psa_mac_compute() and psa_mac_sign_setup().
  • The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
    operations psa_mac_verify() and psa_mac_verify_setup().

Changes

  • Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
    disabled by default.
  • Improve the performance of base64 constant-flow code. The result is still
    slower than the original non-constant-flow implementation, but much faster
    than the previous constant-flow implementation. Fixes #4814.
  • Indicate in the error returned if the nonce length used with
    ChaCha20-Poly1305 is invalid, and not just unsupported.
  • The mbedcrypto library includes a new source code module constant_time.c,
    containing various functions meant to resist timing side channel attacks.
    This module does not have a separate configuration option, and functions
    from this module will be included in the build as required. Currently
    most of the interface of this module is private and may change at any
    time.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

6519579b836ed78cc549375c7c18b111df5717e86ca0eeff4cb64b2674f424cc mbedtls-2.28.0.tar.gz
80cf41f5f3f625436e3a800e9708e60a25206cd5d81968ba8dd9f3e8becd37e6 mbedtls-2.28.0.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

This is the last release of the 2.16 long-time support branch. Users who want a long-time branch should move to mbedtls-2.28, which is backward-compatible and will be supported for at least 3 years.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

Release Notes

Security

  • Zeroize several intermediate variables used to calculate the expected
    value when verifying a MAC or AEAD tag. This hardens the library in
    case the value leaks through a memory disclosure vulnerability. For
    example, a memory disclosure vulnerability could have allowed a
    man-in-the-middle to inject fake ciphertext into a DTLS connection.
  • Fix a double-free that happened after mbedtls_ssl_set_session() or
    mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
    (out of memory). After that, calling mbedtls_ssl_session_free()
    and mbedtls_ssl_free() would cause an internal session buffer to
    be free()'d twice.

Bugfix

  • Stop using reserved identifiers as local variables. Fixes #4630.
  • The GNU makefiles invoke python3 in preference to python except on Windows.
    The check was accidentally not performed when cross-compiling for Windows
    on Linux. Fix this. Fixes #4774.
  • Mark basic constraints critical as appropriate. Note that the previous
    entry for this fix in the 2.16.10 changelog was in error, and it was not
    included in the 2.16.10 release as was stated.
    Make ‘mbedtls_x509write_crt_set_basic_constraints’ consistent with RFC
    5280 4.2.1.9 which says: “Conforming CAs MUST include this extension in
    all CA certificates that contain public keys used to validate digital
    signatures on certificates and MUST mark the extension as critical in
    such certificates.” Previous to this change, the extension was always
    marked as non-critical. This was fixed by #4044.
  • Fix missing constraints on x86_64 assembly code for bignum multiplication
    that broke some bignum operations with (at least) Clang 12.
    Fixes #4116, #4786, #4917.
  • Failures of alternative implementations of AES or DES single-block
    functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
    MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
    This does not concern the implementation provided with Mbed TLS,
    where this function cannot fail, or full-module replacements with
    MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
  • Some failures of HMAC operations were ignored. These failures could only
    happen with an alternative implementation of the underlying hash module.
  • Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
    MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
  • Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
    exceeds 2^32. Fixes #4884.
  • Fix the build when no SHA2 module is included. Fixes #4930.
  • Fix the build when only the bignum module is included. Fixes #4929.
  • Fix a potential invalid pointer dereference and infinite loop bugs in
    pkcs12 functions when the password is empty. Fix the documentation to
    better describe the inputs to these functions and their possible values.
    Fixes #5136.

Changes

  • Improve the performance of base64 constant-flow code. The result is still
    slower than the original non-constant-flow implementation, but much faster
    than the previous constant-flow implementation. Fixes #4814.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

294871ab1864a65d0b74325e9219d5bcd6e91c34a3c59270c357bb9ae4d5c393 mbedtls-2.16.12.tar.gz
1a3169e7016e7a737ea7904a7108aac7f97668f79baee6165dee9ba596cf7c10 mbedtls-2.16.12.zip

Description

This release of Mbed TLS provides bug fixes, enhancements and new features, including many changes that are not API-compatible with earlier versions of Mbed TLS. This release includes fixes for security issues.

For details on the steps required to migrate from Mbed TLS version 2.x to Mbed TLS version 3.0.0, please refer to the migration guide.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

Release Notes

API changes

  • Remove HAVEGE module.
    The design of HAVEGE makes it unsuitable for microcontrollers. Platforms
    with a more complex CPU usually have an operating system interface that
    provides better randomness. Instead of HAVEGE, declare OS or hardware RNG
    interfaces with mbedtls_entropy_add_source() and/or use an entropy seed
    file created securely during device provisioning. See
    https://tls.mbed.org/kb/how-to/add-entropy-sources-to-entropy-pool for
    more information.
  • Add missing const attributes to API functions.
  • Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
    header compat-1.3.h and the script rename.pl.
  • Remove certs module from the API.
    Transfer keys and certificates embedded in the library to the test
    component. This contributes to minimizing library API and discourages
    users from using unsafe keys in production.
  • Move alt helpers and definitions.
    Various helpers and definitions available for use in alt implementations
    have been moved out of the include/ directory and into the library/
    directory. The files concerned are ecp_internal.h and rsa_internal.h
    which have also been renamed to ecp_internal_alt.h and rsa_alt_helpers.h
    respectively.
  • Move internal headers.
    Header files that were only meant for the library’s internal use and
    were not meant to be used in application code have been moved out of
    the include/ directory. The headers concerned are bn_mul.h, aesni.h,
    padlock.h, entropy_poll.h and *_internal.h.
  • Drop support for parsing SSLv2 ClientHello
    (MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO).
  • Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
  • Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
  • Drop support for RC4 TLS ciphersuites.
  • Drop support for single-DES ciphersuites.
  • Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
  • Update AEAD output size macros to bring them in line with the PSA Crypto
    API version 1.0 spec. This version of the spec parameterizes them on the
    key type used, as well as the key bit-size in the case of
    PSA_AEAD_TAG_LENGTH.
  • Add configuration option MBEDTLS_X509_REMOVE_INFO which
    removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
    as well as other functions and constants only used by
    those functions. This reduces the code footprint by
    several kB.
  • Remove SSL error codes MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
    and MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH which are never
    returned from the public SSL API.
  • Remove MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE and return
    MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL instead.
  • The output parameter of mbedtls_sha512_finish, mbedtls_sha512,
    mbedtls_sha256_finish and mbedtls_sha256 now has a pointer type
    rather than array type. This removes spurious warnings in some compilers
    when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
    the hash size.
  • Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
  • The interface of the GCM module has changed to remove restrictions on
    how the input to multipart operations is broken down. mbedtls_gcm_finish()
    now takes extra output parameters for the last partial output block.
    mbedtls_gcm_update() now takes extra parameters for the output length.
    The software implementation always produces the full output at each
    call to mbedtls_gcm_update(), but alternative implementations activated
    by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
    mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
    no longer pass the associated data to mbedtls_gcm_starts(), but to the
    new function mbedtls_gcm_update_ad().
    These changes are backward compatible for users of the cipher API.
  • Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
    This separates config option enabling the SHA384 algorithm from option
    enabling the SHA512 algorithm. Fixes #4034.
  • Introduce MBEDTLS_SHA224_C.
    This separates config option enabling the SHA224 algorithm from option
    enabling SHA256.
  • The getter and setter API of the SSL session cache (used for
    session-ID based session resumption) has changed to that of
    a key-value store with keys being session IDs and values
    being opaque instances of mbedtls_ssl_session.
  • Remove the mode parameter from RSA operation functions. Signature and
    decryption functions now always use the private key and verification and
    encryption use the public key. Verification functions also no longer have
    RNG parameters.
  • Modify semantics of mbedtls_ssl_conf_[opaque_]psk():
    In Mbed TLS 2.X, the API prescribes that later calls overwrite
    the effect of earlier calls. In Mbed TLS 3.0, calling
    mbedtls_ssl_conf_[opaque_]psk() more than once will fail,
    leaving the PSK that was configured first intact.
    Support for more than one PSK may be added in 3.X.
  • The function mbedtls_x509write_csr_set_extension() has an extra parameter
    which allows to mark an extension as critical. Fixes #4055.
  • For multi-part AEAD operations with the cipher module, calling
    mbedtls_cipher_finish() is now mandatory. Previously the documentation
    was unclear on this point, and this function happened to never do
    anything with the currently implemented AEADs, so in practice it was
    possible to skip calling it, which is no longer supported.
  • The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
    instead of computing tables in runtime. Thus, this option now increase
    code size, and it does not increase RAM usage in runtime anymore.
  • Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
    mbedtls_ssl_get_output_max_frag_len(), and add a new API
    mbedtls_ssl_get_max_in_record_payload(), complementing the existing
    mbedtls_ssl_get_max_out_record_payload().
    Uses of mbedtls_ssl_get_input_max_frag_len() and
    mbedtls_ssl_get_input_max_frag_len() should be replaced by
    mbedtls_ssl_get_max_in_record_payload() and
    mbedtls_ssl_get_max_out_record_payload(), respectively.
  • mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
    key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
    after initializing the context. mbedtls_rsa_set_padding() now returns an
    error if its parameters are invalid.
  • Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
    configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
  • Instead of accessing the len field of a DHM context, which is no longer
    supported, use the new function mbedtls_dhm_get_len() .
  • In modules that implement cryptographic hash functions, many functions
    mbedtls_xxx() now return int instead of void, and the corresponding
    function mbedtls_xxx_ret() which was identical except for returning int
    has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
    migration guide for more information. Fixes #4212.
  • For all functions that take a random number generator (RNG) as a
    parameter, this parameter is now mandatory (that is, NULL is not an
    acceptable value). Functions which previously accepted NULL and now
    reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
    sign and decrypt function; mbedtls_rsa_private(); the functions
    in DHM and ECDH that compute the shared secret; the scalar multiplication
    functions in ECP.
  • The following functions now require an RNG parameter:
    mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
    mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
  • mbedtls_ssl_conf_export_keys_ext_cb() and
    mbedtls_ssl_conf_export_keys_cb() have been removed and
    replaced by a new API mbedtls_ssl_set_export_keys_cb().
    Raw keys and IVs are no longer passed to the callback.
    Further, callbacks now receive an additional parameter
    indicating the type of secret that’s being exported,
    paving the way for the larger number of secrets
    in TLS 1.3. Finally, the key export callback and
    context are now connection-specific.
  • Signature functions in the RSA and PK modules now require the hash
    length parameter to be the size of the hash input. For RSA signatures
    other than raw PKCS#1 v1.5, this must match the output size of the
    specified hash algorithm.
  • The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
    mbedtls_ecdsa_write_signature() and
    mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
    indicating the size of the output buffer for the signature.
  • Implement one-shot cipher functions, psa_cipher_encrypt and
    psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
    specification.
  • Direct access to fields of structures declared in public headers is no
    longer supported except for fields that are documented public. Use accessor
    functions instead. For more information, see the migration guide entry
    "Most structure fields are now private".
  • mbedtls_ssl_get_session_pointer() has been removed, and
    mbedtls_ssl_{set,get}_session() may now only be called once for any given
    SSL context.

Default behavior changes

  • Enable by default the functionalities which have no reason to be disabled.
    They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
    Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
  • Some default policies for X.509 certificate verification and TLS have
    changed: curves and hashes weaker than 255 bits are no longer accepted
    by default. The default order in TLS now favors faster curves over larger
    curves.

Requirement changes

  • The library now uses the %zu format specifier with the printf() family of
    functions, so requires a toolchain that supports it. This change does not
    affect the maintained LTS branches, so when contributing changes please
    bear this in mind and do not add them to backported code.
  • If you build the development version of Mbed TLS, rather than an official
    release, some configuration-independent files are now generated at build
    time rather than checked into source control. This includes some library
    source files as well as the Visual Studio solution. Perl, Python 3 and a
    C compiler for the host platform are required. See “Generated source files
    in the development branch” in README.md for more information.
  • Refresh the minimum supported versions of tools to build the
    library. CMake versions older than 3.10.2 and Python older
    than 3.6 are no longer supported.

Removals

  • Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
    compile-time option, which was off by default. Users should not trust
    certificates signed with SHA-1 due to the known attacks against SHA-1.
    If needed, SHA-1 certificates can still be verified by using a custom
    verification profile.
  • Removed deprecated things in psa/crypto_compat.h. Fixes #4284
  • Removed deprecated functions from hashing modules. Fixes #4280.
  • Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,
    lacks automated tests and has scarce documentation. Also, PSA Crypto
    provides a more flexible private key management.
    More details on PCKS#11 wrapper removal can be found in the mailing list
    https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
  • Remove deprecated error codes. Fix #4283
  • Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
  • Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
    compile-time option. This option has been inactive for a long time.
    Please use the lifetime parameter of mbedtls_ssl_ticket_setup()
    instead.
  • Remove the following deprecated functions and constants of hex-encoded
    primes based on RFC 5114 and RFC 3526 from library code and tests:
    mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
    mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
    mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
    mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
    mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
    MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
    MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
    MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
    MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
    Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.
  • Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
    MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
    it. Fixes #4362.
  • Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
    previous action. Fixes #4361.
  • Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
    CBC record splitting, fallback SCSV, and the ability to configure
    ciphersuites per version, which are no longer relevant. This removes the
    configuration options MBEDTLS_SSL_PROTO_TLS1,
    MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
    MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
    mbedtls_ssl_conf_cbc_record_splitting(),
    mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
    and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.
  • The RSA module no longer supports private-key operations with the public
    key and vice versa.
  • Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
  • Remove all the 3DES ciphersuites:
    MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
    MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
    MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
    MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
    MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
    MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
    MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
    MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
    MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the
    MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
    Fixes #4367.
  • Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code
    behave as if it was always disabled. Fixes #4386.
  • Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
    backward compatibility which is no longer supported. Addresses #4404.
  • Remove the following macros: MBEDTLS_CHECK_PARAMS,
    MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
    MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.
  • Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
    option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
    migration path. Fixes #4378.
  • Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
    MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
    behave as if they were always enabled. Fixes #4405.
  • MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
    now determined automatically based on supported curves.
  • Remove the following functions: mbedtls_timing_self_test(),
    mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
    mbedtls_set_alarm(). Fixes #4083.
  • The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
    it no longer had any effect.
  • Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
    corresponding modules and all their APIs and related configuration
    options. Fixes #4084.
  • Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
    MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
    using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
    See issue #4341 for more details.
  • Remove the compile-time option
    MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.

Features

  • Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
    signature with a specific salt length. This function allows to validate
    test cases provided in the NIST’s CAVP test suite. Contributed by Cédric
    Meuter in PR #3183.
  • Added support for built-in driver keys through the PSA opaque crypto
    driver interface. Refer to the documentation of
    MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
  • Implement psa_sign_message() and psa_verify_message().
  • The multi-part GCM interface (mbedtls_gcm_update() or
    mbedtls_cipher_update()) no longer requires the size of partial inputs to
    be a multiple of 16.
  • The multi-part GCM interface now supports chunked associated data through
    multiple calls to mbedtls_gcm_update_ad().
  • The new function mbedtls_mpi_random() generates a random value in a
    given range uniformly.
  • Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
    modules had undocumented constraints on their context types. These
    constraints have been relaxed.
    See docs/architecture/alternative-implementations.md for the remaining
    constraints.
  • The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
    query the size of the modulus in a Diffie-Hellman context.
  • The new function mbedtls_dhm_get_value() copy a field out of a
    Diffie-Hellman context.
  • Use the new function mbedtls_ecjpake_set_point_format() to select the
    point format for ECJPAKE instead of accessing the point_format field
    directly, which is no longer supported.
  • Implement psa_mac_compute() and psa_mac_verify() as defined in the
    PSA Cryptograpy API 1.0.0 specification.

Security

  • Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
    private keys and of blinding values for DHM and elliptic curves (ECP)
    computations. Reported by FlorianF89 in #4245.
  • Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
    An adversary who is capable of very precise timing measurements could
    learn partial information about the leading bits of the nonce used for the
    signature, allowing the recovery of the private key after observing a
    large number of signature operations. This completes a partial fix in
    Mbed TLS 2.20.0.
    • An adversary with access to precise enough information about memory
      accesses (typically, an untrusted operating system attacking a secure
      enclave) could recover an RSA private key after observing the victim
      performing a single private-key operation. Found and reported by
      Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
    • An adversary with access to precise enough timing information (typically, a
      co-located process) could recover a Curve25519 or Curve448 static ECDH key
      after inputting a chosen public key and observing the victim performing the
      corresponding private-key operation. Found and reported by Leila Batina,
      Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.

Bugfix

  • Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
    lead to the seed file corruption in case if the path to the seed file is
    equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
    Krasnoshchok in #3616.
  • PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
    than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
    to create is not valid, bringing them in line with version 1.0.0 of the
    specification. Fix #4271.
  • Add printf function attributes to mbedtls_debug_print_msg to ensure we
    get printf format specifier warnings.
  • PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
    rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
    in line with version 1.0.0 of the specification. Fix #4162.
  • Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
    zero. Fixes #1792
  • Fix some cases in the bignum module where the library constructed an
    unintended representation of the value 0 which was not processed
    correctly by some bignum operations. This could happen when
    mbedtls_mpi_read_string() was called on "-0", or when
    mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
    the arguments being negative and the other being 0. Fixes #4643.
  • Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
    defined. Fixes #4217.
  • Fix an incorrect error code when parsing a PKCS#8 private key.
  • In a TLS client, enforce the Diffie-Hellman minimum parameter size
    set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
    minimum size was rounded down to the nearest multiple of 8.
  • In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
    defined to specific values. If the code is used in a context
    where these are already defined, this can result in a compilation
    error. Instead, assume that if they are defined, the values will
    be adequate to build Mbed TLS.
  • With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
    nonetheless, resulting in undefined reference errors when building a
    shared library. Reported by Guillermo Garcia M. in #4411.
  • The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
    when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
    was disabled. Fix the dependency. Fixes #4472.
  • Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
  • Fix test suite code on platforms where int32_t is not int, such as
    Arm Cortex-M. Fixes #4530.
  • Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
    directive in a header and a missing initialization in the self-test.
  • Fix a missing initialization in the Camellia self-test, affecting
    MBEDTLS_CAMELLIA_ALT implementations.
  • Restore the ability to configure PSA via Mbed TLS options to support RSA
    key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
    is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
    Fixes #4512.
  • Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
    (when the encrypt-then-MAC extension is not in use) with some ALT
    implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
    the affected side to wrongly reject valid messages. Fixes #4118.
  • Remove outdated check-config.h check that prevented implementing the
    timing module on Mbed OS. Fixes #4633.
  • Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
    about missing inputs.
  • Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
    MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
  • Fix a resource leak in a test suite with an alternative AES
    implementation. Fixes #4176.
  • Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
    could notably be triggered by setting the TLS debug level to 3 or above
    and using a Montgomery curve for the key exchange. Reported by lhuang04
    in #4578. Fixes #4608.
  • psa_verify_hash() was relying on implementation-specific behavior of
    mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
    implementations. This reliance is now removed. Fixes #3990.
  • Disallow inputs of length different from the corresponding hash when
    signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
    that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
  • Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
    A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
    could not be triggered by code that constructed A with one of the
    mbedtls_mpi_read_xxx functions (including in particular TLS code) since
    those always built an mpi object with at least one limb.
    Credit to OSS-Fuzz. Fixes #4641.
  • Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
    effect on Mbed TLS’s internal use of mbedtls_mpi_gcd(), but may affect
    applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
  • The PSA API no longer allows the creation or destruction of keys with a
    read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
    can now only be used as intended, for keys that cannot be modified through
    normal use of the API.
  • When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
    in all the right places. Include it from crypto_platform.h, which is
    the natural place. Fixes #4649.
  • Fix which alert is sent in some cases to conform to the
    applicable RFC: on an invalid Finished message value, an
    invalid max_fragment_length extension, or an
    unsupported extension used by the server.
  • Correct (change from 12 to 13 bytes) the value of the macro describing the
    maximum nonce length returned by psa_aead_generate_nonce().

Changes

  • Fix the setting of the read timeout in the DTLS sample programs.
  • Add extra printf compiler warning flags to builds.
  • Fix memsan build false positive in x509_crt.c with clang 11
  • There is ongoing work for the next release (= Mbed TLS 3.0.0 branch to
    be released 2021-xx-xx), including various API-breaking changes.
  • Alternative implementations of CMAC may now opt to not support 3DES as a
    CMAC block cipher, and still pass the CMAC self test.
  • Remove the AES sample application programs/aes/aescrypt2 which shows
    bad cryptographic practice. Fix #1906.
  • Remove configs/config-psa-crypto.h, which no longer had any intended
    differences from the default configuration, but had accidentally diverged.
  • When building the test suites with GNU make, invoke python3 or python, not
    python2, which is no longer supported upstream.
  • fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
    When that flag is on, standard GNU C printf format specifiers
    should be used.
  • Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and
    MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option
    MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335.
  • Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
    during ECC operations at a negligible performance cost.
  • mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
    mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
    when their input has length 0. Note that this is an implementation detail
    and can change at any time, so this change should be transparent, but it
    may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
    now writing an empty string where it previously wrote one or more
    zero digits when operating from values constructed with an mpi_read
    function and some mpi operations.
  • Add CMake package config generation for CMake projects consuming Mbed TLS.
  • config.h has been split into build_info.h and mbedtls_config.h
    build_info.h is intended to be included from C code directly, while
    mbedtls_config.h is intended to be edited by end users wishing to
    change the build configuration, and should generally only be included from
    build_info.h.
  • The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h.
  • A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
    Defining it to a particular value will ensure that Mbed TLS interprets
    the config file in a way that’s compatible with the config file format
    used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same
    value.
    The only value supported by Mbed TLS 3.0.0 is 0x03000000.
  • Various changes to which alert and/or error code may be returned
  • during the TLS handshake.
  • Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
    PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
    when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
    is also applied when loading a key from storage.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

525bfde06e024c1218047dee1c8b4c89312df1a4b5658711009086cda5dfaa55 mbedtls-3.0.0.tar.gz
896286b2cec7a8331dc4491940b58585f5f91b9a76c281280fa21ba51d224c1b mbedtls-3.0.0.zip

Description

This release of Mbed TLS provides bug fixes, enhancements and new features. This release includes fixes for security issues.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

Release Notes

API changes

  • Update AEAD output size macros to bring them in line with the PSA Crypto
    API version 1.0 spec. This version of the spec parameterizes them on the
    key type used, as well as the key bit-size in the case of
    PSA_AEAD_TAG_LENGTH.
    The old versions of these macros were renamed and deprecated as follows:
    • PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG
    • PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
    • PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
    • PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
    • PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
    • PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
  • Implement one-shot cipher functions, psa_cipher_encrypt and
    psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
    specification.

Requirement changes

  • The library now uses the %zu format specifier with the printf() family of
    functions, so requires a toolchain that supports it. This change does not
    affect the maintained LTS branches, so when contributing changes please
    bear this in mind and do not add them to backported code.

Features

  • Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
    signature with a specific salt length. This function allows to validate
    test cases provided in the NIST’s CAVP test suite. Contributed by Cédric
    Meuter in PR #3183.
  • Added support for built-in driver keys through the PSA opaque crypto
    driver interface. Refer to the documentation of
    MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
  • Implement psa_sign_message() and psa_verify_message().
  • The new function mbedtls_mpi_random() generates a random value in a
    given range uniformly.
  • Implement psa_mac_compute() and psa_mac_verify() as defined in the
    PSA Cryptograpy API 1.0.0 specification.
  • MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
    curves and no longer needs to be configured explicitly to save RAM.

Security

  • Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
    private keys and of blinding values for DHM and elliptic curves (ECP)
    computations. Reported by FlorianF89 in #4245.
  • Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
    An adversary who is capable of very precise timing measurements could
    learn partial information about the leading bits of the nonce used for the
    signature, allowing the recovery of the private key after observing a
    large number of signature operations. This completes a partial fix in
    Mbed TLS 2.20.0.
    • It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
      too small, leading to buffer overflows in ECC operations. Fail the build
      in such a case.
    • An adversary with access to precise enough information about memory
      accesses (typically, an untrusted operating system attacking a secure
      enclave) could recover an RSA private key after observing the victim
      performing a single private-key operation. Found and reported by
      Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
    • An adversary with access to precise enough timing information (typically, a
      co-located process) could recover a Curve25519 or Curve448 static ECDH key
      after inputting a chosen public key and observing the victim performing the
      corresponding private-key operation. Found and reported by Leila Batina,
      Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.

Bugfix

  • Add printf function attributes to mbedtls_debug_print_msg to ensure we
    get printf format specifier warnings.
  • Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
    lead to seed file corruption in the case where the path to the seed file is
    equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
    Krasnoshchok in #3616.
  • PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
    rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
    in line with version 1.0.0 of the specification. Fix #4162.
  • PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
    than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
    to create is not valid, bringing them in line with version 1.0.0 of the
    specification. Fix #4271.
  • Fix some cases in the bignum module where the library constructed an
    unintended representation of the value 0 which was not processed
    correctly by some bignum operations. This could happen when
    mbedtls_mpi_read_string() was called on "-0", or when
    mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
    the arguments being negative and the other being 0. Fixes #4643.
  • Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
    zero. Fixes #1792
  • Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
    defined. Fixes #4217.
  • Fix an incorrect error code when parsing a PKCS#8 private key.
  • In a TLS client, enforce the Diffie-Hellman minimum parameter size
    set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
    minimum size was rounded down to the nearest multiple of 8.
  • In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
    defined to specific values. If the code is used in a context
    where these are already defined, this can result in a compilation
    error. Instead, assume that if they are defined, the values will
    be adequate to build Mbed TLS.
  • The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
    when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
    was disabled. Fix the dependency. Fixes #4472.
  • Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
  • With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
    nonetheless, resulting in undefined reference errors when building a
    shared library. Reported by Guillermo Garcia M. in #4411.
  • Fix test suite code on platforms where int32_t is not int, such as
    Arm Cortex-M. Fixes #4530.
  • Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
    directive in a header and a missing initialization in the self-test.
  • Fix a missing initialization in the Camellia self-test, affecting
    MBEDTLS_CAMELLIA_ALT implementations.
  • Restore the ability to configure PSA via Mbed TLS options to support RSA
    key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
    is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
    Fixes #4512.
  • Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
    (when the encrypt-then-MAC extension is not in use) with some ALT
    implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
    the affected side to wrongly reject valid messages. Fixes #4118.
  • Remove outdated check-config.h check that prevented implementing the
    timing module on Mbed OS. Fixes #4633.
  • Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
    about missing inputs.
  • Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
    MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
  • Fix a resource leak in a test suite with an alternative AES
    implementation. Fixes #4176.
  • Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
    could notably be triggered by setting the TLS debug level to 3 or above
    and using a Montgomery curve for the key exchange. Reported by lhuang04
    in #4578. Fixes #4608.
  • psa_verify_hash() was relying on implementation-specific behavior of
    mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
    implementations. This reliance is now removed. Fixes #3990.
  • Disallow inputs of length different from the corresponding hash when
    signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
    that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
  • Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
    A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
    could not be triggered by code that constructed A with one of the
    mbedtls_mpi_read_xxx functions (including in particular TLS code) since
    those always built an mpi object with at least one limb.
    Credit to OSS-Fuzz. Fixes #4641.
  • Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
    effect on Mbed TLS’s internal use of mbedtls_mpi_gcd(), but may affect
    applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
  • The PSA API no longer allows the creation or destruction of keys with a
    read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
    can now only be used as intended, for keys that cannot be modified through
    normal use of the API.
  • When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
    in all the right places. Include it from crypto_platform.h, which is
    the natural place. Fixes #4649.
  • mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
    restartable variants now always honor the specified hash length if
    nonzero. Before, for RSA, hash_len was ignored in favor of the length of
    the specified hash algorithm.
  • Fix which alert is sent in some cases to conform to the
    applicable RFC: on an invalid Finished message value, an
    invalid max_fragment_length extension, or an
    unsupported extension used by the server.
  • Correct (change from 12 to 13 bytes) the value of the macro describing the
    maximum nonce length returned by psa_aead_generate_nonce().

Changes

  • Add extra printf compiler warning flags to builds.
  • Fix memsan build false positive in x509_crt.c with Clang 11
  • Fix the setting of the read timeout in the DTLS sample programs.
  • Remove the AES sample application programs/aes/aescrypt2 which shows
    bad cryptographic practice. Fix #1906.
  • Alternative implementations of CMAC may now opt to not support 3DES as a
    CMAC block cipher, and still pass the CMAC self test.
  • Remove configs/config-psa-crypto.h, which was identical to the default
    configuration except for having some extra cryptographic mechanisms
    enabled and for unintended differences. This configuration was primarily
    intended to demonstrate the PSA API, and lost most of its usefulness when
    MBEDTLS_PSA_CRYPTO_C became enabled by default.
  • When building the test suites with GNU make, invoke python3 or python, not
    python2, which is no longer supported upstream.
    * When using session cache based session resumption on the server,
    double-check that custom session cache implementations return
    sessions which are consistent with the negotiated ciphersuite
    and compression method.
  • Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
    When that flag is on, standard GNU C printf format specifiers
    should be used.
  • Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
    during ECC operations at a negligible performance cost.
  • mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
    mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
    when their input has length 0. Note that this is an implementation detail
    and can change at any time, so this change should be transparent, but it
    may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
    now writing an empty string where it previously wrote one or more
    zero digits when operating from values constructed with an mpi_read
    function and some mpi operations.
  • Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
    PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
    when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
    is also applied when loading a key from storage.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

2a07856e541f0e5f6eaee4f78018c52f25bd244ed76f9020dea54a8b02cac6ea mbedtls-2.27.0.tar.gz
e580970a766fdaba2b70bcf3e69de34a67684e7f23a815b97f79771382c43651 mbedtls-2.27.0.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

Release Notes

Security

  • Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
    private keys and of blinding values for DHM and elliptic curves (ECP)
    computations. Reported by FlorianF89 in #4245.
  • Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
    An adversary who is capable of very precise timing measurements could
    learn partial information about the leading bits of the nonce used for the
    signature, allowing the recovery of the private key after observing a
    large number of signature operations. This completes a partial fix in
    Mbed TLS 2.16.4.
  • It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
    too small, leading to buffer overflows in ECC operations. Fail the build
    in such a case.
  • An adversary with access to precise enough information about memory
    accesses (typically, an untrusted operating system attacking a secure
    enclave) could recover an RSA private key after observing the victim
    performing a single private-key operation. Found and reported by
    Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
  • An adversary with access to precise enough timing information (typically, a
    co-located process) could recover a Curve25519 or Curve448 static ECDH key
    after inputting a chosen public key and observing the victim performing the
    corresponding private-key operation. Found and reported by Leila Batina,
    Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.

Bugfix

  • Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
    lead to the seed file corruption in case if the path to the seed file is
    equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
    Krasnoshchok in #3616.
  • Fix some cases in the bignum module where the library constructed an
    unintended representation of the value 0 which was not processed
    correctly by some bignum operations. This could happen when
    mbedtls_mpi_read_string() was called on "-0", or when
    mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
    the arguments being negative and the other being 0. Fixes #4643.
  • Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
    defined. Fixes #4217.
  • Fix an incorrect error code when parsing a PKCS#8 private key.
  • In a TLS client, enforce the Diffie-Hellman minimum parameter size
    set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
    minimum size was rounded down to the nearest multiple of 8.
  • In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
    defined to specific values. If the code is used in a context
    where these are already defined, this can result in a compilation
    error. Instead, assume that if they are defined, the values will
    be adequate to build Mbed TLS.
  • The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
    when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
    was disabled. Fix the dependency. Fixes #4472.
  • Fix test suite code on platforms where int32_t is not int, such as
    Arm Cortex-M. Fixes #4530.
  • Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
    directive in a header and a missing initialization in the self-test.
  • Fix a missing initialization in the Camellia self-test, affecting
    MBEDTLS_CAMELLIA_ALT implementations.
  • Fix a regression introduced in 2.16.8 which broke (D)TLS CBC ciphersuites
    (when the encrypt-then-MAC extension is not in use) with some ALT
    implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
    the affected side to wrongly reject valid messages. Fixes #4118.
  • Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
    MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
  • Fix a resource leak in a test suite with an alternative AES
    implementation. Fixes #4176.
  • Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs.
    Reported by lhuang04 in #4578. Fixes #4608.
  • Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
    A=0 represented with 0 limbs. This bug could not be triggered by code
    that constructed A with one of the mbedtls_mpi_read_xxx functions
    (including in particular TLS code) since those always built an mpi object
    with at least one limb. Credit to OSS-Fuzz. Fixes #4641.
  • Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
    effect on Mbed TLS’s internal use of mbedtls_mpi_gcd(), but may affect
    applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
  • mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
    restartable variants now require at least the specified hash length if
    nonzero. Before, for RSA, hash_len was ignored in favor of the length of
    the specified hash algorithm.
  • Fix which alert is sent in some cases to conform to the
    applicable RFC: on an invalid Finished message value, an
    invalid max_fragment_length extension, or an
    unsupported extension used by the server.

Changes

  • Fix the setting of the read timeout in the DTLS sample programs.
  • Remove the AES sample application programs/aes/aescrypt2 which shows
    bad cryptographic practice. Fix #1906.
  • When building the test suites with GNU make, invoke python3 or python, not
    python2. The build still works with either Python 2.7 or 3.5+, but we
    recommend using a version of Python that is supported upstream.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

c18e7e9abf95e69e425260493720470021384a1728417042060a35d0b7b18b41 mbedtls-2.16.11.tar.gz
c75ec6a654fc9ef487904172633758d6f61d88a0d53329c79657221043bdb6f4 mbedtls-2.16.11.zip

Description

This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues.

API changes

  • Renamed the PSA Crypto API output buffer size macros to bring them in line
    with version 1.0.0 of the specification.
  • The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
    in bits rather than bytes, with an additional flag to indicate if the
    size may have been rounded up to a whole number of bytes.
  • Renamed the PSA Crypto API AEAD tag length macros to bring them in line
    with version 1.0.0 of the specification.

Default behavior changes

  • In mbedtls_rsa_context objects, the ver field was formerly documented
    as always 0. It is now reserved for internal purposes and may take
    different values.

New deprecations

  • PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
    PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
    PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
    deprecated.
  • PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
    have been renamed, and the old names deprecated.

Features

  • The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
    CTR_DRBG is used by default if it is available, but you can override
    this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
    Fix #3354.
  • Automatic fallback to a software implementation of ECP when
    MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
    through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
  • The PSA crypto subsystem can now be configured to use less static RAM by
    tweaking the setting for the maximum amount of keys simultaneously in RAM.
    MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
    can exist simultaneously. It has a sensible default if not overridden.
  • Partial implementation of the PSA crypto driver interface: Mbed TLS can
    now use an external random generator instead of the library’s own
    entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
    and see the documentation of mbedtls_psa_external_get_random() for details.
  • Applications using both mbedtls_xxx and psa_xxx functions (for example,
    applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
    random generator with mbedtls_xxx functions. See the documentation of
    mbedtls_psa_get_random() for details.
  • In the PSA API, the policy for a MAC or AEAD algorithm can specify a
    minimum MAC or tag length thanks to the new wildcards
    PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
    PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.

Security

  • Fix a security reduction in CTR_DRBG when the initial seeding obtained a
    nonce from entropy. Applications were affected if they called
    mbedtls_ctr_drbg_set_nonce_len(), if they called
    mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
    length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
    In such cases, a random nonce was necessary to achieve the advertised
    security strength, but the code incorrectly used a constant instead of
    entropy from the nonce.
    Found by John Stroebel in #3819 and fixed in #3973.
  • Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
    |A| - |B| where |B| is larger than |A| and has more limbs (so the
    function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
    applications calling mbedtls_mpi_sub_abs() directly are affected:
    all calls inside the library were safe since this function is
    only called with |A| >= |B|. Reported by Guido Vranken in #4042.
  • Fix an errorneous estimation for an internal buffer in
    mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
    value the function might fail to write a private RSA keys of the largest
    supported size.
    Found by Daniel Otte, reported in #4093 and fixed in #4094.
  • Fix a stack buffer overflow with mbedtls_net_poll() and
    mbedtls_net_recv_timeout() when given a file descriptor that is
    beyond FD_SETSIZE. Reported by FigBug in #4169.
  • Guard against strong local side channel attack against base64 tables by
    making access aceess to them use constant flow code. (CVE-2021-24119)

Bugfix

  • Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
  • Fix memory leak that occured when calling psa_close_key() on a
    wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
  • Fix an incorrect error code if an RSA private operation glitched.
  • Fix a memory leak in an error case in psa_generate_derived_key_internal().
  • Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
    is enabled, on platforms where initializing a mutex allocates resources.
    This was a regression introduced in the previous release. Reported in
    #4017, #4045 and #4071.
  • Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
    twice is safe. This happens for RSA when some Mbed TLS library functions
    fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
    enabled on platforms where freeing a mutex twice is not safe.
  • Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
    when MBEDTLS_THREADING_C is enabled on platforms where initializing
    a mutex allocates resources.
  • Fixes a bug where, if the library was configured to include support for
    both the old SE interface and the new PSA driver interface, external keys were
    not loaded from storage. This was fixed by #3996.
  • This change makes ‘mbedtls_x509write_crt_set_basic_constraints’
    consistent with RFC 5280 4.2.1.9 which says: “Conforming CAs MUST
    include this extension in all CA certificates that contain public keys
    used to validate digital signatures on certificates and MUST mark the
    extension as critical in such certificates.” Previous to this change,
    the extension was always marked as non-critical. This was fixed by
    #3698.

Changes

  • A new library C file psa_crypto_client.c has been created to contain
    the PSA code needed by a PSA crypto client when the PSA crypto
    implementation is not included into the library.
  • On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
    now uses the getrandom syscall instead of reading from /dev/urandom.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

37949e823c7e1f6695fc56858578df355da0770c284b1c1304cfc8b396d539cd mbedtls-2.26.0.tar.gz
23a7437284fb07c136891cb981a065b9541b7f78d97e3671fe07c7ce59c2f3b3 mbedtls-2.26.0.zip

Related news

Gentoo Linux Security Advisory 202301-08

Gentoo Linux Security Advisory 202301-8 - Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution. Versions less than 2.28.1 are affected.

CVE-2021-24117: util-lookup/cve-vulnerability-publication.md at main · UzL-ITS/util-lookup

In Apache Teaclave Rust SGX SDK 1.1.3, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.

CVE-2021-24119: Releases · Mbed-TLS/mbedtls

In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907