CVE-2021-24119: Releases · Mbed-TLS/mbedtls

Mbed TLS 3.3.0

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

There are no security advisories for this release.

Release Notes

Default behavior changes

• Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
  of the IETF draft, and was marked experimental and disabled by default.
  It is now no longer experimental, and implements the final version from
  RFC 9146, which is not interoperable with the draft-05 version.
  If you need to communicate with peers that use earlier versions of
  Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
  to 1, but then you won’t be able to communicate with peers that use the
  standard (non-draft) version.
  If you need to interoperate with both classes of peers with the
  same build of Mbed TLS, please let us know about your situation on the
  mailing list or GitHub.

Requirement changes

• When building with PSA drivers using generate_driver_wrappers.py, or
  when building the library from the development branch rather than
  from a release, the Python module jsonschema is now necessary, in
  addition to jinja2. The official list of required Python modules is
  maintained in scripts/basic.requirements.txt and may change again
  in the future.

New deprecations

• Deprecate mbedtls_asn1_free_named_data().
  Use mbedtls_asn1_free_named_data_list()
  or mbedtls_asn1_free_named_data_list_shallow().

Features

• Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
• make: enable building unversioned shared library, with e.g.:
  “SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib”
  resulting in library names like “libmbedtls.so” rather than
  "libmbedcrypto.so.11".
• Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
  Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
  are supported in this implementation.
• Some modules can now use PSA drivers for hashes, including with no
  built-in implementation present, but only in some configurations.
  • RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
    hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
  • PEM parsing of encrypted files now uses MD-5 from PSA when (and only
    when) MBEDTLS_MD5_C is disabled.
    See the documentation of the corresponding macros in mbedtls_config.h for
    details.
    Note that some modules are not able to use hashes from PSA yet, including
    the entropy module. As a consequence, for now the only way to build with
    all hashes only provided by drivers (no built-in hash) is to use
    MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
• When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
  properly negotiate/accept hashes based on their availability in PSA.
  As a consequence, they now work in configurations where the built-in
  implementations of (some) hashes are excluded and those hashes are only
  provided by PSA drivers. (See previous entry for limitation on RSA-PSS
  though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
• Add support for opaque keys as the private keys associated to certificates
  for authentication in TLS 1.3.
• Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
  Signature verification is production-ready, but generation is for testing
  purposes only. This currently only supports one parameter set
  (LMS_SHA256_M32_H10), meaning that each private key can be used to sign
  1024 messages. As such, it is not intended for use in TLS, but instead
  for verification of assets transmitted over an insecure channel,
  particularly firmware images.
• Add the LM-OTS post-quantum-safe one-time signature scheme, which is
  required for LMS. This can be used independently, but each key can only
  be used to sign one message so is impractical for most circumstances.
• Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
  The pre-shared keys can be provisioned externally or via the ticket
  mechanism (session resumption).
  The ticket mechanism is supported when the configuration option
  MBEDTLS_SSL_SESSION_TICKETS is enabled.
  New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
  control the support for the three possible TLS 1.3 key exchange modes.
• cert_write: support for setting extended key usage attributes. A
  corresponding new public API call has been added in the library,
  mbedtls_x509write_crt_set_ext_key_usage().
• cert_write: support for writing certificate files in either PEM
  or DER format.
• The PSA driver wrapper generator generate_driver_wrappers.py now
  supports a subset of the driver description language, including
  the following entry points: import_key, export_key, export_public_key,
  get_builtin_key, copy_key.
• The new functions mbedtls_asn1_free_named_data_list() and
  mbedtls_asn1_free_named_data_list_shallow() simplify the management
  of memory in named data lists in X.509 structures.
• The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
  Additional PSA key slots will be allocated in the process of such key
  exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
  MBEDTLS_USE_PSA_CRYPTO.
• Add support for DTLS Connection ID as defined by RFC 9146, controlled by
  MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
  mbedtls_ssl_set_cid().
• Add a driver dispatch layer for raw key agreement, enabling alternative
  implementations of raw key agreement through the key_agreement driver
  entry point. This entry point is specified in the proposed PSA driver
  interface, but had not yet been implemented.
• Add an ad-hoc key derivation function handling EC J-PAKE to PMS
  calculation that can be used to derive the session secret in TLS 1.2,
  as described in draft-cragie-tls-ecjpake-01. This can be achieved by
  using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.

Security

• Fix potential heap buffer overread and overwrite in DTLS if
  MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
  MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
• An adversary with access to precise enough information about memory
  accesses (typically, an untrusted operating system attacking a secure
  enclave) could recover an RSA private key after observing the victim
  performing a single private-key operation if the window size used for the
  exponentiation was 3 or smaller. Found and reported by Zili KOU,
  Wenjian HE, Sharad Sinha, and Wei ZHANG. See “Cache Side-channel Attacks
  and Defenses of the Sliding Window Algorithm in TEEs” - Design, Automation
  and Test in Europe 2023.

Bugfix

• Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
• Fix an issue with in-tree CMake builds in releases with GEN_FILES
  turned off: if a shipped file was missing from the working directory,
  it could be turned into a symbolic link to itself.
• Fix a long-standing build failure when building x86 PIC code with old
  gcc (4.x). The code will be slower, but will compile. We do however
  recommend upgrading to a more recent compiler instead. Fixes #1910.
• Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
  Contributed by Kazuyuki Kimura to fix #2020.
• Use double quotes to include private header file psa_crypto_cipher.h.
  Fixes ‘file not found with include’ error
  when building with Xcode.
• Fix handling of broken symlinks when loading certificates using
  mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
  broken link is encountered, skip the broken link and continue parsing
  other certificate files. Contributed by Eduardo Silva in #2602.
• Fix an interoperability failure between an Mbed TLS client with both
  TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
  rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
  advertised support for PSS in both TLS 1.2 and 1.3, but only
  actually supported PSS in TLS 1.3.
• Fix a compilation error when using CMake with an IAR toolchain.
  Fixes #5964.
• Fix a build error due to a missing prototype warning when
  MBEDTLS_DEPRECATED_REMOVED is enabled.
• Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
  MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
  uninitialized context.
• Fix a build issue on Windows using CMake where the source and build
  directories could not be on different drives. Fixes #5751.
• Fix bugs and missing dependencies when building and testing
  configurations with only one encryption type enabled in TLS 1.2.
• Provide the missing definition of mbedtls_setbuf() in some configurations
  with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
• Fix compilation errors when trying to build with
  PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
• Fix memory leak in ssl_parse_certificate_request() caused by
  mbedtls_x509_get_name() not freeing allocated objects in case of error.
  Change mbedtls_x509_get_name() to clean up allocated objects on error.
• Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
  MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
• Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
  MBEDTLS_PK_PARSE_C. Fixes #6409.
• Fix ECDSA verification, where it …

Mbed TLS 2.28.2

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

There are no security advisories for this release.

Release Notes

Security

• Fix potential heap buffer overread and overwrite in DTLS if
  MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
  MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
• An adversary with access to precise enough information about memory
  accesses (typically, an untrusted operating system attacking a secure
  enclave) could recover an RSA private key after observing the victim
  performing a single private-key operation if the window size used for the
  exponentiation was 3 or smaller. Found and reported by Zili KOU,
  Wenjian HE, Sharad Sinha, and Wei ZHANG. See “Cache Side-channel Attacks
  and Defenses of the Sliding Window Algorithm in TEEs” - Design, Automation
  and Test in Europe 2023.

Bugfix

• Fix a long-standing build failure when building x86 PIC code with old
  gcc (4.x). The code will be slower, but will compile. We do however
  recommend upgrading to a more recent compiler instead. Fixes #1910.
• Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
  Contributed by Kazuyuki Kimura to fix #2020.
• Use double quotes to include private header file psa_crypto_cipher.h.
  Fixes ‘file not found with include’ error
  when building with Xcode.
• Fix handling of broken symlinks when loading certificates using
  mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
  broken link is encountered, skip the broken link and continue parsing
  other certificate files. Contributed by Eduardo Silva in #2602.
• Fix a compilation error when using CMake with an IAR toolchain.
  Fixes #5964.
• Fix bugs and missing dependencies when building and testing
  configurations with only one encryption type enabled in TLS 1.2.
• Provide the missing definition of mbedtls_setbuf() in some configurations
  with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
• Fix compilation errors when trying to build with
  PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
• Fix memory leak in ssl_parse_certificate_request() caused by
  mbedtls_x509_get_name() not freeing allocated objects in case of error.
  Change mbedtls_x509_get_name() to clean up allocated objects on error.
• Fix checks on PK in check_config.h for builds with PSA and RSA. This does
  not change which builds actually work, only moving a link-time error to
  an early check.
• Fix ECDSA verification, where it was not always validating the
  public key. This bug meant that it was possible to verify a
  signature with an invalid public key, in some cases. Reported by
  Guido Vranken using Cryptofuzz in #4420.
• Fix a possible null pointer dereference if a memory allocation fails
  in TLS PRF code. Reported by Michael Madsen in #6516.
• Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
  bytes when parsing certificates containing a binary RFC 4108
  HardwareModuleName as a Subject Alternative Name extension. Hardware
  serial numbers are now rendered in hex format. Fixes #6262.
• Fix bug in error reporting in dh_genprime.c where upon failure,
  the error code returned by mbedtls_mpi_write_file() is overwritten
  and therefore not printed.
• In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
  with A > 0 created an unintended representation of the value 0 which was
  not processed correctly by some bignum operations. Fix this. This had no
  consequence on cryptography code, but might affect applications that call
  bignum directly and use negative numbers.
• Fix undefined behavior (typically harmless in practice) of
  mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
  when both operands are 0 and the left operand is represented with 0 limbs.
• Fix undefined behavior (typically harmless in practice) when some bignum
  functions receive the most negative value of mbedtls_mpi_sint. Credit
  to OSS-Fuzz. Fixes #6597.
• Fix undefined behavior (typically harmless in practice) in PSA ECB
  encryption and decryption.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0 mbedtls-2.28.2.tar.gz
4e4c4d5fd062dc29160edb916fb969878682221a142bda2be5db40e60125912c mbedtls-2.28.2.zip

Mbed TLS 3.2.1

Description

This release is functionally identical to 3.2.0, but includes a file that was missing from the 3.2.0 release (see #6084). It includes all of the changes that went into 3.2.0, which are described here: https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.2.0

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Bugfix

• Add missing generated file library/ssl_debug_helpers_generated.c

Visual Studio build issue

This release does not build out of the box on Visual Studio, because the project file is missing a reference to a file (see #6198 for details on the issue and how to address it).

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

d0e77a020f69ad558efc660d3106481b75bd3056d6301c31564e04a0faae88cc mbedtls-3.2.1.tar.gz
efeac7fb687d19a7c7dc60f5e60265edd528244856cf3db2e2aecacece08b23f mbedtls-3.2.1.zip

Mbed TLS 3.2.0

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Cmake build error

There is a minor issue building with Cmake relating to a missing generated file (as per #6084). To work around this, please build once with make before running cmake. We are currently preparing 3.2.1, which will fix this (with no other changes).

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Default behavior changes

• mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
  for IV lengths other than 12. The library was silently overwriting this
  length with 12, but did not inform the caller about it. Fixes #4301.

Requirement changes

• The library will no longer compile out of the box on a platform without
  setbuf(). If your platform does not have setbuf(), you can configure an
  alternative function by enabling MBEDTLS_PLATFORM_SETBUF_ALT or
  MBEDTLS_PLATFORM_SETBUF_MACRO.

New deprecations

• Deprecate mbedtls_ssl_conf_max_version() and
  mbedtls_ssl_conf_min_version() in favor of
  mbedtls_ssl_conf_max_tls_version() and
  mbedtls_ssl_conf_min_tls_version().
• Deprecate mbedtls_cipher_setup_psa(). Use psa_aead_xxx() or
  psa_cipher_xxx() directly instead.
• Secure element drivers enabled by MBEDTLS_PSA_CRYPTO_SE_C are deprecated.
  This was intended as an experimental feature, but had not been explicitly
  documented as such. Use opaque drivers with the interface enabled by
  MBEDTLS_PSA_CRYPTO_DRIVERS instead.
• Deprecate mbedtls_ssl_conf_sig_hashes() in favor of the more generic
  mbedtls_ssl_conf_sig_algs(). Signature algorithms for the TLS 1.2 and
  TLS 1.3 handshake should now be configured with
  mbedtls_ssl_conf_sig_algs().

Features

• Add accessor to obtain ciphersuite id from ssl context.
• Add accessors to get members from ciphersuite info.
• Add mbedtls_ssl_ticket_rotate() for external ticket rotation.
• Add accessor to get the raw buffer pointer from a PEM context.
• The structures mbedtls_ssl_config and mbedtls_ssl_context now store
  a piece of user data which is reserved for the application. The user
  data can be either a pointer or an integer.
• Add an accessor function to get the configuration associated with
  an SSL context.
• Add a function to access the protocol version from an SSL context in a
  form that’s easy to compare. Fixes #5407.
• Add function mbedtls_md_info_from_ctx() to recall the message digest
  information that was used to set up a message digest context.
• Add ALPN support in TLS 1.3 clients.
• Add server certificate selection callback near end of Client Hello.
  Register callback with mbedtls_ssl_conf_cert_cb().
• Provide mechanism to reset handshake cert list by calling
  mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param.
• Add accessor mbedtls_ssl_get_hs_sni() to retrieve SNI from within
  cert callback (mbedtls_ssl_conf_cert_cb()) during handshake.
• The X.509 module now uses PSA hash acceleration if present.
• Add support for psa crypto key derivation for elliptic curve
  keys. Fixes #3260.
• Add function mbedtls_timing_get_final_delay() to access the private
  final delay field in an mbedtls_timing_delay_context, as requested in
  #5183.
  * Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
  PSA Crypto is enabled.
• Add function mbedtls_ecp_export() to export ECP key pair parameters.
  Fixes #4838.
• Add function mbedtls_ssl_is_handshake_over() to enable querying if the SSL
  Handshake has completed or not, and thus whether to continue calling
  mbedtls_ssl_handshake_step(), requested in #4383.
• Add the function mbedtls_ssl_get_own_cid() to access our own connection id
  within mbedtls_ssl_context, as requested in #5184.
• Introduce mbedtls_ssl_hs_cb_t typedef for use with
  mbedtls_ssl_conf_cert_cb() and perhaps future callbacks
  during TLS handshake.
• Add functions mbedtls_ssl_conf_max_tls_version() and
  mbedtls_ssl_conf_min_tls_version() that use a single value to specify
  the protocol version.
  * Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
  mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
  holding the other secret.
• When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
  feature requirements in the file named by the new macro
  MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
  Furthermore you may name an additional file to include after the main
  file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
• Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
  field within mbedtls_x509_crt context, as requested in #5585.
• Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
• Add support for the ARMv8 SHA-2 acceleration instructions when building
  for Aarch64.
• Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
• Add support for server HelloRetryRequest message. The TLS 1.3 client is
  now capable of negotiating another shared secret if the one sent in its
  first ClientHello was not suitable to the server.
• Add support for client-side TLS version negotiation. If both TLS 1.2 and
  TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now
  negotiates TLS 1.3 or TLS 1.2 with TLS servers.
• Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS
  1.2 protocol support.
• Mbed TLS provides an implementation of a TLS 1.3 server (ephemeral key
  establishment only). See docs/architecture/tls13-support.md for a
  description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and
  MBEDTLS_SSL_SRV_C configuration options control this.
• Add accessors to configure DN hints for certificate request:
  mbedtls_ssl_conf_dn_hints() and mbedtls_ssl_set_hs_dn_hints()
• The configuration option MBEDTLS_USE_PSA_CRYPTO, which previously
  affected only a limited subset of crypto operations in TLS, X.509 and PK,
  now causes most of them to be done using PSA Crypto; see
  docs/use-psa-crypto.md for the list of exceptions.
• The function mbedtls_pk_setup_opaque() now supports RSA key pairs as well.
  Opaque keys can now be used everywhere a private key is expected in the
  TLS and X.509 modules.
• Opaque pre-shared keys for TLS, provisioned with
  mbedtls_ssl_conf_psk_opaque() or mbedtls_ssl_set_hs_psk_opaque(), which
  previously only worked for “pure” PSK key exchange, now can also be used
  for the “mixed” PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
• cmake now detects if it is being built as a sub-project, and in that case
  disables the target export/installation and package configuration.
• Make USE_PSA_CRYPTO compatible with KEY_ID_ENCODES_OWNER. Fixes #5259.
• Add example programs cipher_aead_demo.c, md_hmac_demo.c, aead_demo.c
  and hmac_demo.c, which use PSA and the md/cipher interfaces side
  by side in order to illustrate how the operation is performed in PSA.
  Addresses #5208.

Security

• Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
  module before freeing them. These buffers contain secret key material, and
  could thus potentially leak the key through freed heap.
• Fix potential memory leak inside mbedtls_ssl_cache_set() with
  an invalid session id length.
• Add the platform function mbedtls_setbuf() to allow buffering to be
  disabled on stdio files, to stop secrets loaded from said files being
  potentially left in memory after file operations. Reported by
  Glenn Strauss.
• Fix a potential heap buffer overread in TLS 1.2 server-side when
  MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
  mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
  is selected. This may result in an application crash or potentially an
  information leak.
• Fix a buffer overread in DTLS ClientHello parsing in servers with
  MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
  or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
  after the end of the SSL input buffer. The buffer overread only happens
  when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
  the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
  and possibly up to 571 bytes with a custom cookie check function.
  Reported by the Cybeats PSI Team.
• Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated
  client or server could cause an MbedTLS server or client to overread up
  to 64 kBytes of data and potentially overread the input buffer by that
  amount minus the size of the input buffer. As overread data undergoes
  various checks, the likelihood of reaching the boundary of the input
  buffer is rather small but increases as its size
  MBEDTLS_SSL_IN_CONTENT_LEN decreases.
• Fix check of certificate key usage in TLS 1.3. The usage of the public key
  provided by a client or server certificate for authentication was not
  checked properly when validating the certificate. This could cause a
  client or server to be able to authenticate itself through a certificate
  to an Mbed TLS TLS 1.3 server or client while it does not own a proper
  certificate to do so.

Bugfix

• Declare or use PSA_WANT_ALG_CC…

Mbed TLS 2.28.1

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following link:

https://mbed-tls.readthedocs.io/en/latest/security-advisories/advisories/mbedtls-security-advisory-2022-07.html

Release Notes

Default behavior changes

• mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
  for IV lengths other than 12. The library was silently overwriting this
  length with 12, but did not inform the caller about it. Fixes #4301.

Features

• When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
  feature requirements in the file named by the new macro
  MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
  Furthermore you may name an additional file to include after the main
  file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.

Security

• Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
  module before freeing them. These buffers contain secret key material, and
  could thus potentially leak the key through freed heap.
• Fix a potential heap buffer overread in TLS 1.2 server-side when
  MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
  mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
  is selected. This may result in an application crash or potentially an
  information leak.
• Fix a buffer overread in DTLS ClientHello parsing in servers with
  MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
  or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
  after the end of the SSL input buffer. The buffer overread only happens
  when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
  the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
  and possibly up to 571 bytes with a custom cookie check function.
  Reported by the Cybeats PSI Team.

Bugfix

• Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
• Fix several bugs (warnings, compiler and linker errors, test failures)
  in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
• Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
  enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
  client would fail to check that the curve selected by the server for
  ECDHE was indeed one that was offered. As a result, the client would
  accept any curve that it supported, even if that curve was not allowed
  according to its configuration. Fixes #5291.
• Fix unit tests that used 0 as the file UID. This failed on some
  implementations of PSA ITS. Fixes #3838.
• Fix API violation in mbedtls_md_process() test by adding a call to
  mbedtls_md_starts(). Fixes #2227.
• Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
  to catch bad uses of time.h.
• Fix the library search path when building a shared library with CMake
  on Windows.
• Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
  potentially leading to corrupted alert messages being sent in case
  the function needs to be re-called after initially returning
  MBEDTLS_SSL_WANT_WRITE. Fixes #1916.
• In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of
  MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C,
  DTLS handshakes using CID would crash due to a null pointer dereference.
  Fix this. Fixes #3998.
• Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
  documentation stated that the allowed_pks field applies to signatures
  only, but in fact it does apply to the public key type of the end entity
  certificate, too. Fixes #1992.
• Fix PSA cipher multipart operations using ARC4. Previously, an IV was
  required but discarded. Now, an IV is rejected, as it should be.
• Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
  not NULL and val_len is zero.
• psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
  applicable. Fixes #5735.
• Fix a bug in the x25519 example program where the removal of
  MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
  #3191.
• Encode X.509 dates before 1/1/2000 as UTCTime rather than
  GeneralizedTime. Fixes #5465.
• Fix order value of curve x448.
• Fix string representation of DNs when outputting values containing commas
  and other special characters, conforming to RFC 1779. Fixes #769.
• Silence a warning from GCC 12 in the selftest program. Fixes #5974.
• Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
• Fix resource leaks in mbedtls_pk_parse_public_key() in low
  memory conditions.
• Fix server connection identifier setting for outgoing encrypted records
  on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
  connection identifier, the Mbed TLS client now properly sends the server
  connection identifier in encrypted record headers. Fix #5872.
• Fix a null pointer dereference when performing some operations on zero
  represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
  by 2, and mbedtls_mpi_write_string() in base 2).
• Fix record sizes larger than 16384 being sometimes accepted despite being
  non-compliant. This could not lead to a buffer overflow. In particular,
  application data size was already checked correctly.

Changes

• Assume source files are in UTF-8 when using MSVC with CMake.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

6797a7b6483ef589deeab8d33d401ed235d7be25eeecda1be8ddfed406d40ff4 mbedtls-2.28.1.tar.gz
b67866fc781934d9c6a322489a1efdc79ef545bf242a3bfa7cffd3c393d377c1 mbedtls-2.28.1.zip

Mbed TLS 3.1.0

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

Release Notes

API changes

• New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
  Alternative GCM implementations are expected to verify
  the length of the provided output buffers and to return the
  MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
• You can configure groups for a TLS key exchange with the new function
  mbedtls_ssl_conf_groups(). It extends mbedtls_ssl_conf_curves().
• Declare a number of structure fields as public: the fields of
  mbedtls_ecp_curve_info, the fields describing the result of ASN.1 and
  X.509 parsing, and finally the field fd of mbedtls_net_context on
  POSIX/Unix-like platforms.

Requirement changes

• Sign-magnitude and one’s complement representations for signed integers are
  not supported. Two’s complement is the only supported representation.

New deprecations

• Deprecate mbedtls_ssl_conf_curves() in favor of the more generic
  mbedtls_ssl_conf_groups().

Removals

• Remove the partial support for running unit tests via Greentea on Mbed OS,
  which had been unmaintained since 2018.

Features

• Enable support for Curve448 via the PSA API. Contributed by
  Archana Madhavan in #4626. Fixes #3399 and #4249.
• The identifier of the CID TLS extension can be configured by defining
  MBEDTLS_TLS_EXT_CID at compile time.
• Implement the PSA multipart AEAD interface, currently supporting
  ChaChaPoly and GCM.
• Warn if errors from certain functions are ignored. This is currently
  supported on GCC-like compilers and on MSVC and can be configured through
  the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
  (where supported) for critical functions where ignoring the return
  value is almost always a bug. Enable the new configuration option
  MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
  is currently implemented in the AES, DES and md modules, and will be
  extended to other modules in the future.
• Add missing PSA macros declared by PSA Crypto API 1.0.0:
  PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
• Add support for CCM*-no-tag cipher to the PSA.
  Currently only 13-byte long IV’s are supported.
  For decryption a minimum of 16-byte long input is expected.
  These restrictions may be subject to change.
• Add new API mbedtls_ct_memcmp for constant time buffer comparison.
• Add functions to get the IV and block size from cipher_info structs.
• Add functions to check if a cipher supports variable IV or key size.
• Add the internal implementation of and support for CCM to the PSA multipart
  AEAD interface.
• Mbed TLS provides a minimum viable implementation of the TLS 1.3
  protocol. See docs/architecture/tls13-support.md for the definition of
  the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3
  configuration option controls the enablement of the support. The APIs
  mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow
  to select the 1.3 version of the protocol to establish a TLS connection.
• Add PSA API definition for ARIA.

Security

• Zeroize several intermediate variables used to calculate the expected
  value when verifying a MAC or AEAD tag. This hardens the library in
  case the value leaks through a memory disclosure vulnerability. For
  example, a memory disclosure vulnerability could have allowed a
  man-in-the-middle to inject fake ciphertext into a DTLS connection.
• In psa_aead_generate_nonce(), do not read back from the output buffer.
  This fixes a potential policy bypass or decryption oracle vulnerability
  if the output buffer is in memory that is shared with an untrusted
  application.
• In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
  from the output buffer. This fixes a potential policy bypass or decryption
  oracle vulnerability if the output buffer is in memory that is shared with
  an untrusted application.
• Fix a double-free that happened after mbedtls_ssl_set_session() or
  mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
  (out of memory). After that, calling mbedtls_ssl_session_free()
  and mbedtls_ssl_free() would cause an internal session buffer to
  be free()'d twice.

Bugfix

• Stop using reserved identifiers as local variables. Fixes #4630.
• The GNU makefiles invoke python3 in preference to python except on Windows.
  The check was accidentally not performed when cross-compiling for Windows
  on Linux. Fix this. Fixes #4774.
• Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
  PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
• Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
• Don’t use the obsolete header path sys/fcntl.h in unit tests.
  These header files cause compilation errors in musl.
  Fixes #4969.
• Fix missing constraints on x86_64 and aarch64 assembly code
  for bignum multiplication that broke some bignum operations with
  (at least) Clang 12.
  Fixes #4116, #4786, #4917, #4962.
• Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
• Failures of alternative implementations of AES or DES single-block
  functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
  MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
  This does not concern the implementation provided with Mbed TLS,
  where this function cannot fail, or full-module replacements with
  MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
• Some failures of HMAC operations were ignored. These failures could only
  happen with an alternative implementation of the underlying hash module.
• Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
• Fix compile-time or run-time errors in PSA
  AEAD functions when ChachaPoly is disabled. Fixes #5065.
• Remove PSA’a AEAD finish/verify output buffer limitation for GCM.
  The requirement of minimum 15 bytes for output buffer in
  psa_aead_finish() and psa_aead_verify() does not apply to the built-in
  implementation of GCM.
• Move GCM’s update output buffer length verification from PSA AEAD to
  the built-in implementation of the GCM.
  The requirement for output buffer size to be equal or greater then
  input buffer size is valid only for the built-in implementation of GCM.
  Alternative GCM implementations can process whole blocks only.
• Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
  MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
• Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
  This algorithm now accepts only the same salt length for verification
  that it produces when signing, as documented. Use the new algorithm
  PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
• The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
  for algorithm values that fully encode the hashing step, as per the PSA
  Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
  PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
  all algorithms that can be used with psa_{sign,verify}_hash(), including
  these two.
• Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
  not to list other shared libraries they need.
• Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
  exceeds 2^32. Fixes #4884.
• Fix an uninitialized variable warning in test_suite_ssl.function with GCC
  version 11.
• Fix the build when no SHA2 module is included. Fixes #4930.
• Fix the build when only the bignum module is included. Fixes #4929.
• Fix a potential invalid pointer dereference and infinite loop bugs in
  pkcs12 functions when the password is empty. Fix the documentation to
  better describe the inputs to these functions and their possible values.
  Fixes #5136.
• The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
  operations psa_mac_compute() and psa_mac_sign_setup().
• The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
  operations psa_mac_verify() and psa_mac_verify_setup().

Changes

• Explicitly mark the fields mbedtls_ssl_session.exported and
  mbedtls_ssl_config.respect_cli_pref as private. This was an
  oversight during the run-up to the release of Mbed TLS 3.0.
  The fields were never intended to be public.
• Implement multi-part CCM API.
  The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
  mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish()
  were introduced in mbedTLS 3.0 release, however their implementation was
  postponed until now.
  Implemented functions support chunked data input for both CCM and CCM*
  algorithms.
• Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the
  code size by about 80B on an M0 build. This option only gated an ability
  to set a callback, but was deemed unnecessary as it was yet another define
  to remember when writing tests, or test configurations. Fixes #4653.
• Improve the performance of base64 constant-flow code. The result is still
  slower than the original …

Mbed TLS 2.28.0

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

Release Notes

API changes

• Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
  different order. This only affects applications that define such
  structures directly or serialize them.

Requirement changes

• Sign-magnitude and one’s complement representations for signed integers are
  not supported. Two’s complement is the only supported representation.

Removals

• Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
  which allowed SHA-1 in the default TLS configuration for certificate
  signing. It was intended to facilitate the transition in environments
  with SHA-1 certificates. SHA-1 is considered a weak message digest and
  its use constitutes a security risk.
• Remove the partial support for running unit tests via Greentea on Mbed OS,
  which had been unmaintained since 2018.

Features

• The identifier of the CID TLS extension can be configured by defining
  MBEDTLS_TLS_EXT_CID at compile time.
• Warn if errors from certain functions are ignored. This is currently
  supported on GCC-like compilers and on MSVC and can be configured through
  the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
  (where supported) for critical functions where ignoring the return
  value is almost always a bug. Enable the new configuration option
  MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
  is currently implemented in the AES, DES and md modules, and will be
  extended to other modules in the future.
• Add missing PSA macros declared by PSA Crypto API 1.0.0:
  PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
• Add new API mbedtls_ct_memcmp for constant time buffer comparison.
• Add PSA API definition for ARIA.

Security

• Zeroize several intermediate variables used to calculate the expected
  value when verifying a MAC or AEAD tag. This hardens the library in
  case the value leaks through a memory disclosure vulnerability. For
  example, a memory disclosure vulnerability could have allowed a
  man-in-the-middle to inject fake ciphertext into a DTLS connection.
• In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
  from the output buffer. This fixes a potential policy bypass or decryption
  oracle vulnerability if the output buffer is in memory that is shared with
  an untrusted application.
• Fix a double-free that happened after mbedtls_ssl_set_session() or
  mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
  (out of memory). After that, calling mbedtls_ssl_session_free()
  and mbedtls_ssl_free() would cause an internal session buffer to
  be free()'d twice.

Bugfix

• Stop using reserved identifiers as local variables. Fixes #4630.
• The GNU makefiles invoke python3 in preference to python except on Windows.
  The check was accidentally not performed when cross-compiling for Windows
  on Linux. Fix this. Fixes #4774.
• Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
  PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
• Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
• Don’t use the obsolete header path sys/fcntl.h in unit tests.
  These header files cause compilation errors in musl.
  Fixes #4969.
• Fix missing constraints on x86_64 and aarch64 assembly code
  for bignum multiplication that broke some bignum operations with
  (at least) Clang 12.
  Fixes #4116, #4786, #4917, #4962.
• Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
• Failures of alternative implementations of AES or DES single-block
  functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
  MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
  This does not concern the implementation provided with Mbed TLS,
  where this function cannot fail, or full-module replacements with
  MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
• Some failures of HMAC operations were ignored. These failures could only
  happen with an alternative implementation of the underlying hash module.
• Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
• Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
  MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
• Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
  This algorithm now accepts only the same salt length for verification
  that it produces when signing, as documented. Use the new algorithm
  PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
• The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
  for algorithm values that fully encode the hashing step, as per the PSA
  Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
  PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
  all algorithms that can be used with psa_{sign,verify}_hash(), including
  these two.
• Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
  not to list other shared libraries they need.
• Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
  exceeds 2^32. Fixes #4884.
• Fix an uninitialized variable warning in test_suite_ssl.function with GCC
  version 11.
• Fix the build when no SHA2 module is included. Fixes #4930.
• Fix the build when only the bignum module is included. Fixes #4929.
• Fix a potential invalid pointer dereference and infinite loop bugs in
  pkcs12 functions when the password is empty. Fix the documentation to
  better describe the inputs to these functions and their possible values.
  Fixes #5136.
• The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
  operations psa_mac_compute() and psa_mac_sign_setup().
• The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
  operations psa_mac_verify() and psa_mac_verify_setup().

Changes

• Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
  disabled by default.
• Improve the performance of base64 constant-flow code. The result is still
  slower than the original non-constant-flow implementation, but much faster
  than the previous constant-flow implementation. Fixes #4814.
• Indicate in the error returned if the nonce length used with
  ChaCha20-Poly1305 is invalid, and not just unsupported.
• The mbedcrypto library includes a new source code module constant_time.c,
  containing various functions meant to resist timing side channel attacks.
  This module does not have a separate configuration option, and functions
  from this module will be included in the build as required. Currently
  most of the interface of this module is private and may change at any
  time.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

6519579b836ed78cc549375c7c18b111df5717e86ca0eeff4cb64b2674f424cc mbedtls-2.28.0.tar.gz
80cf41f5f3f625436e3a800e9708e60a25206cd5d81968ba8dd9f3e8becd37e6 mbedtls-2.28.0.zip

Mbed TLS 2.16.12

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

This is the last release of the 2.16 long-time support branch. Users who want a long-time branch should move to mbedtls-2.28, which is backward-compatible and will be supported for at least 3 years.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

Release Notes

Security

• Zeroize several intermediate variables used to calculate the expected
  value when verifying a MAC or AEAD tag. This hardens the library in
  case the value leaks through a memory disclosure vulnerability. For
  example, a memory disclosure vulnerability could have allowed a
  man-in-the-middle to inject fake ciphertext into a DTLS connection.
• Fix a double-free that happened after mbedtls_ssl_set_session() or
  mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
  (out of memory). After that, calling mbedtls_ssl_session_free()
  and mbedtls_ssl_free() would cause an internal session buffer to
  be free()'d twice.

Bugfix

• Stop using reserved identifiers as local variables. Fixes #4630.
• The GNU makefiles invoke python3 in preference to python except on Windows.
  The check was accidentally not performed when cross-compiling for Windows
  on Linux. Fix this. Fixes #4774.
• Mark basic constraints critical as appropriate. Note that the previous
  entry for this fix in the 2.16.10 changelog was in error, and it was not
  included in the 2.16.10 release as was stated.
  Make ‘mbedtls_x509write_crt_set_basic_constraints’ consistent with RFC
  5280 4.2.1.9 which says: “Conforming CAs MUST include this extension in
  all CA certificates that contain public keys used to validate digital
  signatures on certificates and MUST mark the extension as critical in
  such certificates.” Previous to this change, the extension was always
  marked as non-critical. This was fixed by #4044.
• Fix missing constraints on x86_64 assembly code for bignum multiplication
  that broke some bignum operations with (at least) Clang 12.
  Fixes #4116, #4786, #4917.
• Failures of alternative implementations of AES or DES single-block
  functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
  MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
  This does not concern the implementation provided with Mbed TLS,
  where this function cannot fail, or full-module replacements with
  MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
• Some failures of HMAC operations were ignored. These failures could only
  happen with an alternative implementation of the underlying hash module.
• Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
  MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
• Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
  exceeds 2^32. Fixes #4884.
• Fix the build when no SHA2 module is included. Fixes #4930.
• Fix the build when only the bignum module is included. Fixes #4929.
• Fix a potential invalid pointer dereference and infinite loop bugs in
  pkcs12 functions when the password is empty. Fix the documentation to
  better describe the inputs to these functions and their possible values.
  Fixes #5136.

Changes

• Improve the performance of base64 constant-flow code. The result is still
  slower than the original non-constant-flow implementation, but much faster
  than the previous constant-flow implementation. Fixes #4814.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

294871ab1864a65d0b74325e9219d5bcd6e91c34a3c59270c357bb9ae4d5c393 mbedtls-2.16.12.tar.gz
1a3169e7016e7a737ea7904a7108aac7f97668f79baee6165dee9ba596cf7c10 mbedtls-2.16.12.zip

Mbed TLS 3.0.0

Description

This release of Mbed TLS provides bug fixes, enhancements and new features, including many changes that are not API-compatible with earlier versions of Mbed TLS. This release includes fixes for security issues.

For details on the steps required to migrate from Mbed TLS version 2.x to Mbed TLS version 3.0.0, please refer to the migration guide.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

Release Notes

API changes

• Remove HAVEGE module.
  The design of HAVEGE makes it unsuitable for microcontrollers. Platforms
  with a more complex CPU usually have an operating system interface that
  provides better randomness. Instead of HAVEGE, declare OS or hardware RNG
  interfaces with mbedtls_entropy_add_source() and/or use an entropy seed
  file created securely during device provisioning. See
  https://tls.mbed.org/kb/how-to/add-entropy-sources-to-entropy-pool for
  more information.
• Add missing const attributes to API functions.
• Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
  header compat-1.3.h and the script rename.pl.
• Remove certs module from the API.
  Transfer keys and certificates embedded in the library to the test
  component. This contributes to minimizing library API and discourages
  users from using unsafe keys in production.
• Move alt helpers and definitions.
  Various helpers and definitions available for use in alt implementations
  have been moved out of the include/ directory and into the library/
  directory. The files concerned are ecp_internal.h and rsa_internal.h
  which have also been renamed to ecp_internal_alt.h and rsa_alt_helpers.h
  respectively.
• Move internal headers.
  Header files that were only meant for the library’s internal use and
  were not meant to be used in application code have been moved out of
  the include/ directory. The headers concerned are bn_mul.h, aesni.h,
  padlock.h, entropy_poll.h and *_internal.h.
• Drop support for parsing SSLv2 ClientHello
  (MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO).
• Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
• Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
• Drop support for RC4 TLS ciphersuites.
• Drop support for single-DES ciphersuites.
• Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
• Update AEAD output size macros to bring them in line with the PSA Crypto
  API version 1.0 spec. This version of the spec parameterizes them on the
  key type used, as well as the key bit-size in the case of
  PSA_AEAD_TAG_LENGTH.
• Add configuration option MBEDTLS_X509_REMOVE_INFO which
  removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
  as well as other functions and constants only used by
  those functions. This reduces the code footprint by
  several kB.
• Remove SSL error codes MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
  and MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH which are never
  returned from the public SSL API.
• Remove MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE and return
  MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL instead.
• The output parameter of mbedtls_sha512_finish, mbedtls_sha512,
  mbedtls_sha256_finish and mbedtls_sha256 now has a pointer type
  rather than array type. This removes spurious warnings in some compilers
  when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
  the hash size.
• Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
• The interface of the GCM module has changed to remove restrictions on
  how the input to multipart operations is broken down. mbedtls_gcm_finish()
  now takes extra output parameters for the last partial output block.
  mbedtls_gcm_update() now takes extra parameters for the output length.
  The software implementation always produces the full output at each
  call to mbedtls_gcm_update(), but alternative implementations activated
  by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
  mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
  no longer pass the associated data to mbedtls_gcm_starts(), but to the
  new function mbedtls_gcm_update_ad().
  These changes are backward compatible for users of the cipher API.
• Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
  This separates config option enabling the SHA384 algorithm from option
  enabling the SHA512 algorithm. Fixes #4034.
• Introduce MBEDTLS_SHA224_C.
  This separates config option enabling the SHA224 algorithm from option
  enabling SHA256.
• The getter and setter API of the SSL session cache (used for
  session-ID based session resumption) has changed to that of
  a key-value store with keys being session IDs and values
  being opaque instances of mbedtls_ssl_session.
• Remove the mode parameter from RSA operation functions. Signature and
  decryption functions now always use the private key and verification and
  encryption use the public key. Verification functions also no longer have
  RNG parameters.
• Modify semantics of mbedtls_ssl_conf_[opaque_]psk():
  In Mbed TLS 2.X, the API prescribes that later calls overwrite
  the effect of earlier calls. In Mbed TLS 3.0, calling
  mbedtls_ssl_conf_[opaque_]psk() more than once will fail,
  leaving the PSK that was configured first intact.
  Support for more than one PSK may be added in 3.X.
• The function mbedtls_x509write_csr_set_extension() has an extra parameter
  which allows to mark an extension as critical. Fixes #4055.
• For multi-part AEAD operations with the cipher module, calling
  mbedtls_cipher_finish() is now mandatory. Previously the documentation
  was unclear on this point, and this function happened to never do
  anything with the currently implemented AEADs, so in practice it was
  possible to skip calling it, which is no longer supported.
• The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
  instead of computing tables in runtime. Thus, this option now increase
  code size, and it does not increase RAM usage in runtime anymore.
• Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
  mbedtls_ssl_get_output_max_frag_len(), and add a new API
  mbedtls_ssl_get_max_in_record_payload(), complementing the existing
  mbedtls_ssl_get_max_out_record_payload().
  Uses of mbedtls_ssl_get_input_max_frag_len() and
  mbedtls_ssl_get_input_max_frag_len() should be replaced by
  mbedtls_ssl_get_max_in_record_payload() and
  mbedtls_ssl_get_max_out_record_payload(), respectively.
• mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
  key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
  after initializing the context. mbedtls_rsa_set_padding() now returns an
  error if its parameters are invalid.
• Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
  configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
• Instead of accessing the len field of a DHM context, which is no longer
  supported, use the new function mbedtls_dhm_get_len() .
• In modules that implement cryptographic hash functions, many functions
  mbedtls_xxx() now return int instead of void, and the corresponding
  function mbedtls_xxx_ret() which was identical except for returning int
  has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
  migration guide for more information. Fixes #4212.
• For all functions that take a random number generator (RNG) as a
  parameter, this parameter is now mandatory (that is, NULL is not an
  acceptable value). Functions which previously accepted NULL and now
  reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
  sign and decrypt function; mbedtls_rsa_private(); the functions
  in DHM and ECDH that compute the shared secret; the scalar multiplication
  functions in ECP.
• The following functions now require an RNG parameter:
  mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
  mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
• mbedtls_ssl_conf_export_keys_ext_cb() and
  mbedtls_ssl_conf_export_keys_cb() have been removed and
  replaced by a new API mbedtls_ssl_set_export_keys_cb().
  Raw keys and IVs are no longer passed to the callback.
  Further, callbacks now receive an additional parameter
  indicating the type of secret that’s being exported,
  paving the way for the larger number of secrets
  in TLS 1.3. Finally, the key export callback and
  context are now connection-specific.
• Signature functions in the RSA and PK modules now require the hash
  length parameter to be the size of the hash input. For RSA signatures
  other than raw PKCS#1 v1.5, this must match the output size of the
  specified hash algorithm.
• The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
  mbedtls_ecdsa_write_signature() and
  mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
  indicating the size of the output buffer for the signature.
• Implement one-shot cipher functions, psa_cipher_encrypt and
  psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
  specification.
• Direct access to fields of structures declared in public headers is no
  longer supported except for fiel…

Mbed TLS 2.27.0

Description

This release of Mbed TLS provides bug fixes, enhancements and new features. This release includes fixes for security issues.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

Release Notes

API changes

• Update AEAD output size macros to bring them in line with the PSA Crypto
  API version 1.0 spec. This version of the spec parameterizes them on the
  key type used, as well as the key bit-size in the case of
  PSA_AEAD_TAG_LENGTH.
  The old versions of these macros were renamed and deprecated as follows:
  • PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG
  • PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
  • PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
  • PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
  • PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
  • PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
• Implement one-shot cipher functions, psa_cipher_encrypt and
  psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
  specification.

Requirement changes

• The library now uses the %zu format specifier with the printf() family of
  functions, so requires a toolchain that supports it. This change does not
  affect the maintained LTS branches, so when contributing changes please
  bear this in mind and do not add them to backported code.

Features

• Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
  signature with a specific salt length. This function allows to validate
  test cases provided in the NIST’s CAVP test suite. Contributed by Cédric
  Meuter in PR #3183.
• Added support for built-in driver keys through the PSA opaque crypto
  driver interface. Refer to the documentation of
  MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
• Implement psa_sign_message() and psa_verify_message().
• The new function mbedtls_mpi_random() generates a random value in a
  given range uniformly.
• Implement psa_mac_compute() and psa_mac_verify() as defined in the
  PSA Cryptograpy API 1.0.0 specification.
• MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
  curves and no longer needs to be configured explicitly to save RAM.

Security

• Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
  private keys and of blinding values for DHM and elliptic curves (ECP)
  computations. Reported by FlorianF89 in #4245.
• Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
  An adversary who is capable of very precise timing measurements could
  learn partial information about the leading bits of the nonce used for the
  signature, allowing the recovery of the private key after observing a
  large number of signature operations. This completes a partial fix in
  Mbed TLS 2.20.0.
  • It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
    too small, leading to buffer overflows in ECC operations. Fail the build
    in such a case.
  • An adversary with access to precise enough information about memory
    accesses (typically, an untrusted operating system attacking a secure
    enclave) could recover an RSA private key after observing the victim
    performing a single private-key operation. Found and reported by
    Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
  • An adversary with access to precise enough timing information (typically, a
    co-located process) could recover a Curve25519 or Curve448 static ECDH key
    after inputting a chosen public key and observing the victim performing the
    corresponding private-key operation. Found and reported by Leila Batina,
    Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.

Bugfix

• Add printf function attributes to mbedtls_debug_print_msg to ensure we
  get printf format specifier warnings.
• Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
  lead to seed file corruption in the case where the path to the seed file is
  equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
  Krasnoshchok in #3616.
• PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
  rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
  in line with version 1.0.0 of the specification. Fix #4162.
• PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
  than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
  to create is not valid, bringing them in line with version 1.0.0 of the
  specification. Fix #4271.
• Fix some cases in the bignum module where the library constructed an
  unintended representation of the value 0 which was not processed
  correctly by some bignum operations. This could happen when
  mbedtls_mpi_read_string() was called on "-0", or when
  mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
  the arguments being negative and the other being 0. Fixes #4643.
• Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
  zero. Fixes #1792
• Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
  defined. Fixes #4217.
• Fix an incorrect error code when parsing a PKCS#8 private key.
• In a TLS client, enforce the Diffie-Hellman minimum parameter size
  set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
  minimum size was rounded down to the nearest multiple of 8.
• In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
  defined to specific values. If the code is used in a context
  where these are already defined, this can result in a compilation
  error. Instead, assume that if they are defined, the values will
  be adequate to build Mbed TLS.
• The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
  when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
  was disabled. Fix the dependency. Fixes #4472.
• Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
• With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
  nonetheless, resulting in undefined reference errors when building a
  shared library. Reported by Guillermo Garcia M. in #4411.
• Fix test suite code on platforms where int32_t is not int, such as
  Arm Cortex-M. Fixes #4530.
• Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
  directive in a header and a missing initialization in the self-test.
• Fix a missing initialization in the Camellia self-test, affecting
  MBEDTLS_CAMELLIA_ALT implementations.
• Restore the ability to configure PSA via Mbed TLS options to support RSA
  key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
  is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
  Fixes #4512.
• Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
  (when the encrypt-then-MAC extension is not in use) with some ALT
  implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
  the affected side to wrongly reject valid messages. Fixes #4118.
• Remove outdated check-config.h check that prevented implementing the
  timing module on Mbed OS. Fixes #4633.
• Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
  about missing inputs.
• Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
  MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
• Fix a resource leak in a test suite with an alternative AES
  implementation. Fixes #4176.
• Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
  could notably be triggered by setting the TLS debug level to 3 or above
  and using a Montgomery curve for the key exchange. Reported by lhuang04
  in #4578. Fixes #4608.
• psa_verify_hash() was relying on implementation-specific behavior of
  mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
  implementations. This reliance is now removed. Fixes #3990.
• Disallow inputs of length different from the corresponding hash when
  signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
  that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
• Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
  A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
  could not be triggered by code that constructed A with one of the
  mbedtls_mpi_read_xxx functions (including in particular TLS code) since
  those always built an mpi object with at least one limb.
  Credit to OSS-Fuzz. Fixes #4641.
• Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
  effect on Mbed TLS’s internal use of mbedtls_mpi_gcd(), but may affect
  applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
• The PSA API no longer allows the creation or destruction of keys with a
  read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
  can now only be used as intended, for keys that cannot be modified through
  normal use of the API.
• When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
  in all the right places. Include it from crypto_platform.h, which is
  the natural place. Fixes #4649.
• mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
  restartab…