Headline

CVE-2021-24119: Releases · ARMmbed/mbedtls

In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.

3 years ago

CVE

Open in Source

#vulnerability #android #mac #windows #linux #dos #git

Description

This release of Mbed TLS provides bug fixes, enhancements and new features, including many changes that are not API-compatible with earlier versions of Mbed TLS. This release includes fixes for security issues.

For details on the steps required to migrate from Mbed TLS version 2.x to Mbed TLS version 3.0.0, please refer to the migration guide.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

Release Notes

API changes

Remove HAVEGE module.
The design of HAVEGE makes it unsuitable for microcontrollers. Platforms
with a more complex CPU usually have an operating system interface that
provides better randomness. Instead of HAVEGE, declare OS or hardware RNG
interfaces with mbedtls_entropy_add_source() and/or use an entropy seed
file created securely during device provisioning. See
https://tls.mbed.org/kb/how-to/add-entropy-sources-to-entropy-pool for
more information.
Add missing const attributes to API functions.
Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
header compat-1.3.h and the script rename.pl.
Remove certs module from the API.
Transfer keys and certificates embedded in the library to the test
component. This contributes to minimizing library API and discourages
users from using unsafe keys in production.
Move alt helpers and definitions.
Various helpers and definitions available for use in alt implementations
have been moved out of the include/ directory and into the library/
directory. The files concerned are ecp_internal.h and rsa_internal.h
which have also been renamed to ecp_internal_alt.h and rsa_alt_helpers.h
respectively.
Move internal headers.
Header files that were only meant for the library’s internal use and
were not meant to be used in application code have been moved out of
the include/ directory. The headers concerned are bn_mul.h, aesni.h,
padlock.h, entropy_poll.h and *_internal.h.
Drop support for parsing SSLv2 ClientHello
(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO).
Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
Drop support for RC4 TLS ciphersuites.
Drop support for single-DES ciphersuites.
Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
Update AEAD output size macros to bring them in line with the PSA Crypto
API version 1.0 spec. This version of the spec parameterizes them on the
key type used, as well as the key bit-size in the case of
PSA_AEAD_TAG_LENGTH.
Add configuration option MBEDTLS_X509_REMOVE_INFO which
removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
as well as other functions and constants only used by
those functions. This reduces the code footprint by
several kB.
Remove SSL error codes MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
and MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH which are never
returned from the public SSL API.
Remove MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE and return
MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL instead.
The output parameter of mbedtls_sha512_finish, mbedtls_sha512,
mbedtls_sha256_finish and mbedtls_sha256 now has a pointer type
rather than array type. This removes spurious warnings in some compilers
when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
the hash size.
Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
The interface of the GCM module has changed to remove restrictions on
how the input to multipart operations is broken down. mbedtls_gcm_finish()
now takes extra output parameters for the last partial output block.
mbedtls_gcm_update() now takes extra parameters for the output length.
The software implementation always produces the full output at each
call to mbedtls_gcm_update(), but alternative implementations activated
by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
no longer pass the associated data to mbedtls_gcm_starts(), but to the
new function mbedtls_gcm_update_ad().
These changes are backward compatible for users of the cipher API.
Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
This separates config option enabling the SHA384 algorithm from option
enabling the SHA512 algorithm. Fixes #4034.
Introduce MBEDTLS_SHA224_C.
This separates config option enabling the SHA224 algorithm from option
enabling SHA256.
The getter and setter API of the SSL session cache (used for
session-ID based session resumption) has changed to that of
a key-value store with keys being session IDs and values
being opaque instances of mbedtls_ssl_session.
Remove the mode parameter from RSA operation functions. Signature and
decryption functions now always use the private key and verification and
encryption use the public key. Verification functions also no longer have
RNG parameters.
Modify semantics of mbedtls_ssl_conf_[opaque_]psk():
In Mbed TLS 2.X, the API prescribes that later calls overwrite
the effect of earlier calls. In Mbed TLS 3.0, calling
mbedtls_ssl_conf_[opaque_]psk() more than once will fail,
leaving the PSK that was configured first intact.
Support for more than one PSK may be added in 3.X.
The function mbedtls_x509write_csr_set_extension() has an extra parameter
which allows to mark an extension as critical. Fixes #4055.
For multi-part AEAD operations with the cipher module, calling
mbedtls_cipher_finish() is now mandatory. Previously the documentation
was unclear on this point, and this function happened to never do
anything with the currently implemented AEADs, so in practice it was
possible to skip calling it, which is no longer supported.
The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
instead of computing tables in runtime. Thus, this option now increase
code size, and it does not increase RAM usage in runtime anymore.
Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
mbedtls_ssl_get_output_max_frag_len(), and add a new API
mbedtls_ssl_get_max_in_record_payload(), complementing the existing
mbedtls_ssl_get_max_out_record_payload().
Uses of mbedtls_ssl_get_input_max_frag_len() and
mbedtls_ssl_get_input_max_frag_len() should be replaced by
mbedtls_ssl_get_max_in_record_payload() and
mbedtls_ssl_get_max_out_record_payload(), respectively.
mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
after initializing the context. mbedtls_rsa_set_padding() now returns an
error if its parameters are invalid.
Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
Instead of accessing the len field of a DHM context, which is no longer
supported, use the new function mbedtls_dhm_get_len() .
In modules that implement cryptographic hash functions, many functions
mbedtls_xxx() now return int instead of void, and the corresponding
function mbedtls_xxx_ret() which was identical except for returning int
has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
migration guide for more information. Fixes #4212.
For all functions that take a random number generator (RNG) as a
parameter, this parameter is now mandatory (that is, NULL is not an
acceptable value). Functions which previously accepted NULL and now
reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
sign and decrypt function; mbedtls_rsa_private(); the functions
in DHM and ECDH that compute the shared secret; the scalar multiplication
functions in ECP.
The following functions now require an RNG parameter:
mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
mbedtls_ssl_conf_export_keys_ext_cb() and
mbedtls_ssl_conf_export_keys_cb() have been removed and
replaced by a new API mbedtls_ssl_set_export_keys_cb().
Raw keys and IVs are no longer passed to the callback.
Further, callbacks now receive an additional parameter
indicating the type of secret that’s being exported,
paving the way for the larger number of secrets
in TLS 1.3. Finally, the key export callback and
context are now connection-specific.
Signature functions in the RSA and PK modules now require the hash
length parameter to be the size of the hash input. For RSA signatures
other than raw PKCS#1 v1.5, this must match the output size of the
specified hash algorithm.
The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
mbedtls_ecdsa_write_signature() and
mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
indicating the size of the output buffer for the signature.
Implement one-shot cipher functions, psa_cipher_encrypt and
psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
specification.
Direct access to fields of structures declared in public headers is no
longer supported except for fields that are documented public. Use accessor
functions instead. For more information, see the migration guide entry
"Most structure fields are now private".
mbedtls_ssl_get_session_pointer() has been removed, and
mbedtls_ssl_{set,get}_session() may now only be called once for any given
SSL context.

Default behavior changes

Enable by default the functionalities which have no reason to be disabled.
They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
Some default policies for X.509 certificate verification and TLS have
changed: curves and hashes weaker than 255 bits are no longer accepted
by default. The default order in TLS now favors faster curves over larger
curves.

Requirement changes

The library now uses the %zu format specifier with the printf() family of
functions, so requires a toolchain that supports it. This change does not
affect the maintained LTS branches, so when contributing changes please
bear this in mind and do not add them to backported code.
If you build the development version of Mbed TLS, rather than an official
release, some configuration-independent files are now generated at build
time rather than checked into source control. This includes some library
source files as well as the Visual Studio solution. Perl, Python 3 and a
C compiler for the host platform are required. See “Generated source files
in the development branch” in README.md for more information.
Refresh the minimum supported versions of tools to build the
library. CMake versions older than 3.10.2 and Python older
than 3.6 are no longer supported.

Removals

Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
compile-time option, which was off by default. Users should not trust
certificates signed with SHA-1 due to the known attacks against SHA-1.
If needed, SHA-1 certificates can still be verified by using a custom
verification profile.
Removed deprecated things in psa/crypto_compat.h. Fixes #4284
Removed deprecated functions from hashing modules. Fixes #4280.
Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,
lacks automated tests and has scarce documentation. Also, PSA Crypto
provides a more flexible private key management.
More details on PCKS#11 wrapper removal can be found in the mailing list
https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
Remove deprecated error codes. Fix #4283
Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
compile-time option. This option has been inactive for a long time.
Please use the lifetime parameter of mbedtls_ssl_ticket_setup()
instead.
Remove the following deprecated functions and constants of hex-encoded
primes based on RFC 5114 and RFC 3526 from library code and tests:
mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.
Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
it. Fixes #4362.
Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
previous action. Fixes #4361.
Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
CBC record splitting, fallback SCSV, and the ability to configure
ciphersuites per version, which are no longer relevant. This removes the
configuration options MBEDTLS_SSL_PROTO_TLS1,
MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
mbedtls_ssl_conf_cbc_record_splitting(),
mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.
The RSA module no longer supports private-key operations with the public
key and vice versa.
Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
Remove all the 3DES ciphersuites:
MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the
MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
Fixes #4367.
Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code
behave as if it was always disabled. Fixes #4386.
Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
backward compatibility which is no longer supported. Addresses #4404.
Remove the following macros: MBEDTLS_CHECK_PARAMS,
MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.
Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
migration path. Fixes #4378.
Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
behave as if they were always enabled. Fixes #4405.
MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
now determined automatically based on supported curves.
Remove the following functions: mbedtls_timing_self_test(),
mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
mbedtls_set_alarm(). Fixes #4083.
The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
it no longer had any effect.
Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
corresponding modules and all their APIs and related configuration
options. Fixes #4084.
Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
See issue #4341 for more details.
Remove the compile-time option
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.

Features

Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
signature with a specific salt length. This function allows to validate
test cases provided in the NIST’s CAVP test suite. Contributed by Cédric
Meuter in PR #3183.
Added support for built-in driver keys through the PSA opaque crypto
driver interface. Refer to the documentation of
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
Implement psa_sign_message() and psa_verify_message().
The multi-part GCM interface (mbedtls_gcm_update() or
mbedtls_cipher_update()) no longer requires the size of partial inputs to
be a multiple of 16.
The multi-part GCM interface now supports chunked associated data through
multiple calls to mbedtls_gcm_update_ad().
The new function mbedtls_mpi_random() generates a random value in a
given range uniformly.
Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
modules had undocumented constraints on their context types. These
constraints have been relaxed.
See docs/architecture/alternative-implementations.md for the remaining
constraints.
The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
query the size of the modulus in a Diffie-Hellman context.
The new function mbedtls_dhm_get_value() copy a field out of a
Diffie-Hellman context.
Use the new function mbedtls_ecjpake_set_point_format() to select the
point format for ECJPAKE instead of accessing the point_format field
directly, which is no longer supported.
Implement psa_mac_compute() and psa_mac_verify() as defined in the
PSA Cryptograpy API 1.0.0 specification.

Security

Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
private keys and of blinding values for DHM and elliptic curves (ECP)
computations. Reported by FlorianF89 in #4245.
Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
An adversary who is capable of very precise timing measurements could
learn partial information about the leading bits of the nonce used for the
signature, allowing the recovery of the private key after observing a
large number of signature operations. This completes a partial fix in
Mbed TLS 2.20.0.
- An adversary with access to precise enough information about memory
  accesses (typically, an untrusted operating system attacking a secure
  enclave) could recover an RSA private key after observing the victim
  performing a single private-key operation. Found and reported by
  Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
- An adversary with access to precise enough timing information (typically, a
  co-located process) could recover a Curve25519 or Curve448 static ECDH key
  after inputting a chosen public key and observing the victim performing the
  corresponding private-key operation. Found and reported by Leila Batina,
  Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.

Bugfix

Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
lead to the seed file corruption in case if the path to the seed file is
equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
Krasnoshchok in #3616.
PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
to create is not valid, bringing them in line with version 1.0.0 of the
specification. Fix #4271.
Add printf function attributes to mbedtls_debug_print_msg to ensure we
get printf format specifier warnings.
PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
in line with version 1.0.0 of the specification. Fix #4162.
Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
zero. Fixes #1792
Fix some cases in the bignum module where the library constructed an
unintended representation of the value 0 which was not processed
correctly by some bignum operations. This could happen when
mbedtls_mpi_read_string() was called on "-0", or when
mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
the arguments being negative and the other being 0. Fixes #4643.
Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
defined. Fixes #4217.
Fix an incorrect error code when parsing a PKCS#8 private key.
In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8.
In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
defined to specific values. If the code is used in a context
where these are already defined, this can result in a compilation
error. Instead, assume that if they are defined, the values will
be adequate to build Mbed TLS.
With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
nonetheless, resulting in undefined reference errors when building a
shared library. Reported by Guillermo Garcia M. in #4411.
The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
was disabled. Fix the dependency. Fixes #4472.
Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
Fix test suite code on platforms where int32_t is not int, such as
Arm Cortex-M. Fixes #4530.
Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
directive in a header and a missing initialization in the self-test.
Fix a missing initialization in the Camellia self-test, affecting
MBEDTLS_CAMELLIA_ALT implementations.
Restore the ability to configure PSA via Mbed TLS options to support RSA
key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
Fixes #4512.
Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
(when the encrypt-then-MAC extension is not in use) with some ALT
implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
the affected side to wrongly reject valid messages. Fixes #4118.
Remove outdated check-config.h check that prevented implementing the
timing module on Mbed OS. Fixes #4633.
Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
about missing inputs.
Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
Fix a resource leak in a test suite with an alternative AES
implementation. Fixes #4176.
Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
could notably be triggered by setting the TLS debug level to 3 or above
and using a Montgomery curve for the key exchange. Reported by lhuang04
in #4578. Fixes #4608.
psa_verify_hash() was relying on implementation-specific behavior of
mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
implementations. This reliance is now removed. Fixes #3990.
Disallow inputs of length different from the corresponding hash when
signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
could not be triggered by code that constructed A with one of the
mbedtls_mpi_read_xxx functions (including in particular TLS code) since
those always built an mpi object with at least one limb.
Credit to OSS-Fuzz. Fixes #4641.
Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
effect on Mbed TLS’s internal use of mbedtls_mpi_gcd(), but may affect
applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
The PSA API no longer allows the creation or destruction of keys with a
read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
can now only be used as intended, for keys that cannot be modified through
normal use of the API.
When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
in all the right places. Include it from crypto_platform.h, which is
the natural place. Fixes #4649.
Fix which alert is sent in some cases to conform to the
applicable RFC: on an invalid Finished message value, an
invalid max_fragment_length extension, or an
unsupported extension used by the server.
Correct (change from 12 to 13 bytes) the value of the macro describing the
maximum nonce length returned by psa_aead_generate_nonce().

Changes

Fix the setting of the read timeout in the DTLS sample programs.
Add extra printf compiler warning flags to builds.
Fix memsan build false positive in x509_crt.c with clang 11
There is ongoing work for the next release (= Mbed TLS 3.0.0 branch to
be released 2021-xx-xx), including various API-breaking changes.
Alternative implementations of CMAC may now opt to not support 3DES as a
CMAC block cipher, and still pass the CMAC self test.
Remove the AES sample application programs/aes/aescrypt2 which shows
bad cryptographic practice. Fix #1906.
Remove configs/config-psa-crypto.h, which no longer had any intended
differences from the default configuration, but had accidentally diverged.
When building the test suites with GNU make, invoke python3 or python, not
python2, which is no longer supported upstream.
fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
When that flag is on, standard GNU C printf format specifiers
should be used.
Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and
MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option
MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335.
Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
during ECC operations at a negligible performance cost.
mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
when their input has length 0. Note that this is an implementation detail
and can change at any time, so this change should be transparent, but it
may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
now writing an empty string where it previously wrote one or more
zero digits when operating from values constructed with an mpi_read
function and some mpi operations.
Add CMake package config generation for CMake projects consuming Mbed TLS.
config.h has been split into build_info.h and mbedtls_config.h
build_info.h is intended to be included from C code directly, while
mbedtls_config.h is intended to be edited by end users wishing to
change the build configuration, and should generally only be included from
build_info.h.
The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h.
A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
Defining it to a particular value will ensure that Mbed TLS interprets
the config file in a way that’s compatible with the config file format
used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same
value.
The only value supported by Mbed TLS 3.0.0 is 0x03000000.
Various changes to which alert and/or error code may be returned
during the TLS handshake.
Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
is also applied when loading a key from storage.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

525bfde06e024c1218047dee1c8b4c89312df1a4b5658711009086cda5dfaa55 mbedtls-3.0.0.tar.gz
896286b2cec7a8331dc4491940b58585f5f91b9a76c281280fa21ba51d224c1b mbedtls-3.0.0.zip

Description

This release of Mbed TLS provides bug fixes, enhancements and new features. This release includes fixes for security issues.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

Release Notes

API changes

Update AEAD output size macros to bring them in line with the PSA Crypto
API version 1.0 spec. This version of the spec parameterizes them on the
key type used, as well as the key bit-size in the case of
PSA_AEAD_TAG_LENGTH.
The old versions of these macros were renamed and deprecated as follows:
- PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG
- PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
- PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
- PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
Implement one-shot cipher functions, psa_cipher_encrypt and
psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
specification.

Requirement changes

The library now uses the %zu format specifier with the printf() family of
functions, so requires a toolchain that supports it. This change does not
affect the maintained LTS branches, so when contributing changes please
bear this in mind and do not add them to backported code.

Features

Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
signature with a specific salt length. This function allows to validate
test cases provided in the NIST’s CAVP test suite. Contributed by Cédric
Meuter in PR #3183.
Added support for built-in driver keys through the PSA opaque crypto
driver interface. Refer to the documentation of
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
Implement psa_sign_message() and psa_verify_message().
The new function mbedtls_mpi_random() generates a random value in a
given range uniformly.
Implement psa_mac_compute() and psa_mac_verify() as defined in the
PSA Cryptograpy API 1.0.0 specification.
MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
curves and no longer needs to be configured explicitly to save RAM.

Security

Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
private keys and of blinding values for DHM and elliptic curves (ECP)
computations. Reported by FlorianF89 in #4245.
Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
An adversary who is capable of very precise timing measurements could
learn partial information about the leading bits of the nonce used for the
signature, allowing the recovery of the private key after observing a
large number of signature operations. This completes a partial fix in
Mbed TLS 2.20.0.
- It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
  too small, leading to buffer overflows in ECC operations. Fail the build
  in such a case.
- An adversary with access to precise enough information about memory
  accesses (typically, an untrusted operating system attacking a secure
  enclave) could recover an RSA private key after observing the victim
  performing a single private-key operation. Found and reported by
  Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
- An adversary with access to precise enough timing information (typically, a
  co-located process) could recover a Curve25519 or Curve448 static ECDH key
  after inputting a chosen public key and observing the victim performing the
  corresponding private-key operation. Found and reported by Leila Batina,
  Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.

Bugfix

Add printf function attributes to mbedtls_debug_print_msg to ensure we
get printf format specifier warnings.
Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
lead to seed file corruption in the case where the path to the seed file is
equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
Krasnoshchok in #3616.
PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
in line with version 1.0.0 of the specification. Fix #4162.
PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
to create is not valid, bringing them in line with version 1.0.0 of the
specification. Fix #4271.
Fix some cases in the bignum module where the library constructed an
unintended representation of the value 0 which was not processed
correctly by some bignum operations. This could happen when
mbedtls_mpi_read_string() was called on "-0", or when
mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
the arguments being negative and the other being 0. Fixes #4643.
Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
zero. Fixes #1792
Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
defined. Fixes #4217.
Fix an incorrect error code when parsing a PKCS#8 private key.
In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8.
In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
defined to specific values. If the code is used in a context
where these are already defined, this can result in a compilation
error. Instead, assume that if they are defined, the values will
be adequate to build Mbed TLS.
The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
was disabled. Fix the dependency. Fixes #4472.
Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
nonetheless, resulting in undefined reference errors when building a
shared library. Reported by Guillermo Garcia M. in #4411.
Fix test suite code on platforms where int32_t is not int, such as
Arm Cortex-M. Fixes #4530.
Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
directive in a header and a missing initialization in the self-test.
Fix a missing initialization in the Camellia self-test, affecting
MBEDTLS_CAMELLIA_ALT implementations.
Restore the ability to configure PSA via Mbed TLS options to support RSA
key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
Fixes #4512.
Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
(when the encrypt-then-MAC extension is not in use) with some ALT
implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
the affected side to wrongly reject valid messages. Fixes #4118.
Remove outdated check-config.h check that prevented implementing the
timing module on Mbed OS. Fixes #4633.
Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
about missing inputs.
Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
Fix a resource leak in a test suite with an alternative AES
implementation. Fixes #4176.
Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
could notably be triggered by setting the TLS debug level to 3 or above
and using a Montgomery curve for the key exchange. Reported by lhuang04
in #4578. Fixes #4608.
psa_verify_hash() was relying on implementation-specific behavior of
mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
implementations. This reliance is now removed. Fixes #3990.
Disallow inputs of length different from the corresponding hash when
signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
could not be triggered by code that constructed A with one of the
mbedtls_mpi_read_xxx functions (including in particular TLS code) since
those always built an mpi object with at least one limb.
Credit to OSS-Fuzz. Fixes #4641.
Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
effect on Mbed TLS’s internal use of mbedtls_mpi_gcd(), but may affect
applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
The PSA API no longer allows the creation or destruction of keys with a
read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
can now only be used as intended, for keys that cannot be modified through
normal use of the API.
When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
in all the right places. Include it from crypto_platform.h, which is
the natural place. Fixes #4649.
mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
restartable variants now always honor the specified hash length if
nonzero. Before, for RSA, hash_len was ignored in favor of the length of
the specified hash algorithm.
Fix which alert is sent in some cases to conform to the
applicable RFC: on an invalid Finished message value, an
invalid max_fragment_length extension, or an
unsupported extension used by the server.
Correct (change from 12 to 13 bytes) the value of the macro describing the
maximum nonce length returned by psa_aead_generate_nonce().

Changes

Add extra printf compiler warning flags to builds.
Fix memsan build false positive in x509_crt.c with Clang 11
Fix the setting of the read timeout in the DTLS sample programs.
Remove the AES sample application programs/aes/aescrypt2 which shows
bad cryptographic practice. Fix #1906.
Alternative implementations of CMAC may now opt to not support 3DES as a
CMAC block cipher, and still pass the CMAC self test.
Remove configs/config-psa-crypto.h, which was identical to the default
configuration except for having some extra cryptographic mechanisms
enabled and for unintended differences. This configuration was primarily
intended to demonstrate the PSA API, and lost most of its usefulness when
MBEDTLS_PSA_CRYPTO_C became enabled by default.
When building the test suites with GNU make, invoke python3 or python, not
python2, which is no longer supported upstream.
* When using session cache based session resumption on the server,
double-check that custom session cache implementations return
sessions which are consistent with the negotiated ciphersuite
and compression method.
Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
When that flag is on, standard GNU C printf format specifiers
should be used.
Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
during ECC operations at a negligible performance cost.
mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
when their input has length 0. Note that this is an implementation detail
and can change at any time, so this change should be transparent, but it
may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
now writing an empty string where it previously wrote one or more
zero digits when operating from values constructed with an mpi_read
function and some mpi operations.
Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
is also applied when loading a key from storage.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

2a07856e541f0e5f6eaee4f78018c52f25bd244ed76f9020dea54a8b02cac6ea mbedtls-2.27.0.tar.gz
e580970a766fdaba2b70bcf3e69de34a67684e7f23a815b97f79771382c43651 mbedtls-2.27.0.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

For full details, please see the following links:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2

Release Notes

Security

Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
private keys and of blinding values for DHM and elliptic curves (ECP)
computations. Reported by FlorianF89 in #4245.
Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
An adversary who is capable of very precise timing measurements could
learn partial information about the leading bits of the nonce used for the
signature, allowing the recovery of the private key after observing a
large number of signature operations. This completes a partial fix in
Mbed TLS 2.16.4.
It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
too small, leading to buffer overflows in ECC operations. Fail the build
in such a case.
An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) could recover an RSA private key after observing the victim
performing a single private-key operation. Found and reported by
Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
An adversary with access to precise enough timing information (typically, a
co-located process) could recover a Curve25519 or Curve448 static ECDH key
after inputting a chosen public key and observing the victim performing the
corresponding private-key operation. Found and reported by Leila Batina,
Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.

Bugfix

Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
lead to the seed file corruption in case if the path to the seed file is
equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
Krasnoshchok in #3616.
Fix some cases in the bignum module where the library constructed an
unintended representation of the value 0 which was not processed
correctly by some bignum operations. This could happen when
mbedtls_mpi_read_string() was called on "-0", or when
mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
the arguments being negative and the other being 0. Fixes #4643.
Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
defined. Fixes #4217.
Fix an incorrect error code when parsing a PKCS#8 private key.
In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8.
In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
defined to specific values. If the code is used in a context
where these are already defined, this can result in a compilation
error. Instead, assume that if they are defined, the values will
be adequate to build Mbed TLS.
The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
was disabled. Fix the dependency. Fixes #4472.
Fix test suite code on platforms where int32_t is not int, such as
Arm Cortex-M. Fixes #4530.
Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
directive in a header and a missing initialization in the self-test.
Fix a missing initialization in the Camellia self-test, affecting
MBEDTLS_CAMELLIA_ALT implementations.
Fix a regression introduced in 2.16.8 which broke (D)TLS CBC ciphersuites
(when the encrypt-then-MAC extension is not in use) with some ALT
implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
the affected side to wrongly reject valid messages. Fixes #4118.
Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
Fix a resource leak in a test suite with an alternative AES
implementation. Fixes #4176.
Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs.
Reported by lhuang04 in #4578. Fixes #4608.
Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
A=0 represented with 0 limbs. This bug could not be triggered by code
that constructed A with one of the mbedtls_mpi_read_xxx functions
(including in particular TLS code) since those always built an mpi object
with at least one limb. Credit to OSS-Fuzz. Fixes #4641.
Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
effect on Mbed TLS’s internal use of mbedtls_mpi_gcd(), but may affect
applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
restartable variants now require at least the specified hash length if
nonzero. Before, for RSA, hash_len was ignored in favor of the length of
the specified hash algorithm.
Fix which alert is sent in some cases to conform to the
applicable RFC: on an invalid Finished message value, an
invalid max_fragment_length extension, or an
unsupported extension used by the server.

Changes

Fix the setting of the read timeout in the DTLS sample programs.
Remove the AES sample application programs/aes/aescrypt2 which shows
bad cryptographic practice. Fix #1906.
When building the test suites with GNU make, invoke python3 or python, not
python2. The build still works with either Python 2.7 or 3.5+, but we
recommend using a version of Python that is supported upstream.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

c18e7e9abf95e69e425260493720470021384a1728417042060a35d0b7b18b41 mbedtls-2.16.11.tar.gz
c75ec6a654fc9ef487904172633758d6f61d88a0d53329c79657221043bdb6f4 mbedtls-2.16.11.zip

Description

This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues.

API changes

Renamed the PSA Crypto API output buffer size macros to bring them in line
with version 1.0.0 of the specification.
The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
in bits rather than bytes, with an additional flag to indicate if the
size may have been rounded up to a whole number of bytes.
Renamed the PSA Crypto API AEAD tag length macros to bring them in line
with version 1.0.0 of the specification.

Default behavior changes

In mbedtls_rsa_context objects, the ver field was formerly documented
as always 0. It is now reserved for internal purposes and may take
different values.

New deprecations

PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
deprecated.
PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
have been renamed, and the old names deprecated.

Features

The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
CTR_DRBG is used by default if it is available, but you can override
this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
Fix #3354.
Automatic fallback to a software implementation of ECP when
MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
The PSA crypto subsystem can now be configured to use less static RAM by
tweaking the setting for the maximum amount of keys simultaneously in RAM.
MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
can exist simultaneously. It has a sensible default if not overridden.
Partial implementation of the PSA crypto driver interface: Mbed TLS can
now use an external random generator instead of the library’s own
entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
and see the documentation of mbedtls_psa_external_get_random() for details.
Applications using both mbedtls_xxx and psa_xxx functions (for example,
applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
random generator with mbedtls_xxx functions. See the documentation of
mbedtls_psa_get_random() for details.
In the PSA API, the policy for a MAC or AEAD algorithm can specify a
minimum MAC or tag length thanks to the new wildcards
PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.

Security

Fix a security reduction in CTR_DRBG when the initial seeding obtained a
nonce from entropy. Applications were affected if they called
mbedtls_ctr_drbg_set_nonce_len(), if they called
mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
In such cases, a random nonce was necessary to achieve the advertised
security strength, but the code incorrectly used a constant instead of
entropy from the nonce.
Found by John Stroebel in #3819 and fixed in #3973.
Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|. Reported by Guido Vranken in #4042.
Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write a private RSA keys of the largest
supported size.
Found by Daniel Otte, reported in #4093 and fixed in #4094.
Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout() when given a file descriptor that is
beyond FD_SETSIZE. Reported by FigBug in #4169.
Guard against strong local side channel attack against base64 tables by
making access aceess to them use constant flow code. (CVE-2021-24119)

Bugfix

Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
Fix memory leak that occured when calling psa_close_key() on a
wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
Fix an incorrect error code if an RSA private operation glitched.
Fix a memory leak in an error case in psa_generate_derived_key_internal().
Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
is enabled, on platforms where initializing a mutex allocates resources.
This was a regression introduced in the previous release. Reported in
#4017, #4045 and #4071.
Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
twice is safe. This happens for RSA when some Mbed TLS library functions
fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
enabled on platforms where freeing a mutex twice is not safe.
Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
when MBEDTLS_THREADING_C is enabled on platforms where initializing
a mutex allocates resources.
Fixes a bug where, if the library was configured to include support for
both the old SE interface and the new PSA driver interface, external keys were
not loaded from storage. This was fixed by #3996.
This change makes ‘mbedtls_x509write_crt_set_basic_constraints’
consistent with RFC 5280 4.2.1.9 which says: “Conforming CAs MUST
include this extension in all CA certificates that contain public keys
used to validate digital signatures on certificates and MUST mark the
extension as critical in such certificates.” Previous to this change,
the extension was always marked as non-critical. This was fixed by
#3698.

Changes

A new library C file psa_crypto_client.c has been created to contain
the PSA code needed by a PSA crypto client when the PSA crypto
implementation is not included into the library.
On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
now uses the getrandom syscall instead of reading from /dev/urandom.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

37949e823c7e1f6695fc56858578df355da0770c284b1c1304cfc8b396d539cd mbedtls-2.26.0.tar.gz
23a7437284fb07c136891cb981a065b9541b7f78d97e3671fe07c7ce59c2f3b3 mbedtls-2.26.0.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Default behavior changes

In mbedtls_rsa_context objects, the ver field was formerly documented
as always 0. It is now reserved for internal purposes and may take
different values.

Security

Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|. Reported by Guido Vranken in #4042.
Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write a private RSA keys of the largest
supported size.
Found by Daniel Otte, reported in #4093 and fixed in #4094,
backported in #4100.
Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout() when given a file descriptor that is
beyond FD_SETSIZE. Reported by FigBug in #4169.
Guard against strong local side channel attack against base64 tables by
making access aceess to them use constant flow code. (CVE-2021-24119)

Bugfix

Fix an incorrect error code if an RSA private operation glitched.
Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
is enabled, on platforms where initializing a mutex allocates resources.
This was a regression introduced in the previous release. Reported in
#4017, #4045 and #4071.
Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
twice is safe. This happens for RSA when some Mbed TLS library functions
fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
enabled on platforms where freeing a mutex twice is not safe.
Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
when MBEDTLS_THREADING_C is enabled on platforms where initializing
a mutex allocates resources.
This change makes ‘mbedtls_x509write_crt_set_basic_constraints’
consistent with RFC 5280 4.2.1.9 which says: “Conforming CAs MUST
include this extension in all CA certificates that contain public keys
used to validate digital signatures on certificates and MUST mark the
extension as critical in such certificates.” Previous to this change,
the extension was always marked as non-critical. This was fixed by
#4044.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

96257bb03b30300b2f35f861ffe204ed957e9fd0329d80646fe57fc49f589b29 mbedtls-2.16.10.tar.gz
8a1537efd03dacdb0fc4bd6fddac0b0a49f91c229182268815e5980b9ffc555a mbedtls-2.16.10.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Default behavior changes

In mbedtls_rsa_context objects, the ver field was formerly documented
as always 0. It is now reserved for internal purposes and may take
different values.

Security

Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|. Reported by Guido Vranken in #4042.
Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write a private RSA keys of the largest
supported size.
Found by Daniel Otte, reported in #4093 and fixed in #4094,
backported in #4099.
Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a
file descriptor that is beyond FD_SETSIZE. Reported by FigBug in #4169.
Guard against strong local side channel attack against base64 tables by
making access aceess to them use constant flow code. (CVE-2021-24119)

Bugfix

Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
is enabled, on platforms where initializing a mutex allocates resources.
This was a regression introduced in the previous release. Reported in
#4017, #4045 and #4071.
Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
twice is safe. This happens for RSA when some Mbed TLS library functions
fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
enabled on platforms where freeing a mutex twice is not safe.
Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
when MBEDTLS_THREADING_C is enabled on platforms where initializing
a mutex allocates resources.
Fix an incorrect error code if an RSA private operation glitched.
Fix the build of sample programs when MBEDTLS_PEM_C is enabled but
MBEDTLS_CERTS_C is disabled. Reported by Michael Schuster in #4206.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:
9a6e0b0386496fae6863e41968eb308034a74008e775a533750af483a38378d0 mbedtls-2.7.19.tar.gz
0f83d43f7de8866820d41db398b6640c8baebb358819223f9b2b3502f77db3d7 mbedtls-2.7.19.zip

Description

This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues.

API changes

The numerical values of the PSA Crypto API macros have been updated to conform to version 1.0.0 of the specification.
PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4. The underlying stream cipher is determined by the key type (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4).
The functions mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts, as they have no way to check if the output buffer is large enough. Please use mbedtls_cipher_auth_encrypt_ext() and mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and Cryptofuzz. Fixes #3665.

Requirement changes

Update the minimum required CMake version to 2.8.12. This silences a warning on CMake 3.19.0. #3801

New deprecations

PSA_KEY_TYPE_CHACHA20 and PSA_KEY_TYPE_ARC4 have been deprecated. Use PSA_ALG_STREAM_CIPHER instead.
The functions mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() are deprecated in favour of the new functions mbedtls_cipher_auth_encrypt_ext() and mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers, these new functions always append the tag to the ciphertext, and include the tag in the ciphertext length.

Features

Partial implementation of the new PSA Crypto accelerator APIs. (Symmetric ciphers, asymmetric signing/verification and key generation, validate_key entry point, and export_public_key interface.)
Add support for ECB to the PSA cipher API.
In PSA, allow using a key declared with a base key agreement algorithm in combined key agreement and derivation operations, as long as the key agreement algorithm in use matches the algorithm the key was declared with. This is currently non-standard behaviour, but expected to make it into a future revision of the PSA Crypto standard.
Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls, mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by external CMake projects that include this one to avoid CMake target name clashes. The default value of this variable is "", so default target names are unchanged.
Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan Pascal, improved by Ron Eldor.
In the PSA API, it is no longer necessary to open persistent keys: operations now accept the key identifier. The type psa_key_handle_t is now identical to psa_key_id_t instead of being platform-defined. This bridges the last major gap to compliance with the PSA Cryptography specification version 1.0.0. Opening persistent keys is still supported for backward compatibility, but will be deprecated and later removed in future releases.
PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version 1.0.0 of the PSA Crypto API specification.

Security

The functions mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() would write past the minimum documented size of the output buffer when used with NIST_KW. As a result, code using those functions as documented with NIST_KW could have a buffer overwrite of up to 15 bytes, with consequences ranging up to arbitrary code execution depending on the location of the output buffer.
Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
A failure of the random generator was ignored in mbedtls_mpi_fill_random(), which is how most uses of randomization in asymmetric cryptography (including key generation, intermediate value randomization and blinding) are implemented. This could cause failures or the silent use of non-random values. A random generator can fail if it needs reseeding and cannot not obtain entropy, or due to an internal failure (which, for Mbed TLS’s own CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
Fix a compliance issue whereby we were not checking the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. This meant that a NULL algorithm parameters entry would look identical to an array of REAL (size zero) to the library and thus the certificate would be considered valid. However, if the parameters do not match in any way then the certificate should be considered invalid, and indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks to guidovranken who found this issue via differential fuzzing and reported it in #3629.
Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Reported by Johan Malmgren and Johan Uppman Bruce from Sectra.

Bugfix

Fix an invalid (but nonzero) return code from mbedtls_pk_parse_subpubkey() when the input has trailing garbage. Fixes #2512.
Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
Include the psa_constant_names generated source code in the source tree instead of generating it at build time. Fixes #3524.
Fix rsa_prepare_blinding() to retry when the blinding value is not invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). Fixes #3647.
Use socklen_t on Android and other POSIX-compliant system
Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. Fix #3432.
Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the psa_cipher_* functions compliant with the PSA Crypto API specification.
mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names “x25519” and "x448". These curves support ECDH but not ECDSA. If you need only the curves that support ECDSA, filter the list with mbedtls_ecdsa_can_do().
Fix psa_generate_key() returning an error when asked to generate an ECC key pair on Curve25519 or secp244k1.
Fix psa_key_derivation_output_key() to allow the output of a combined key agreement and subsequent key derivation operation to be used as a key inside of the PSA Crypto core.
Fix handling of EOF against 0xff bytes and on platforms with unsigned chars. Fixes a build failure on platforms where char is unsigned. Fixes #3794.
Fix an off-by-one error in the additional data length check for CCM, which allowed encryption with a non-standard length field. Fixes #3719.
Correct the default IV size for mbedtls_cipher_info_t structures using MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don’t use IVs.
Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is defined. Fix contributed in #3571.
Fix conditions for including string.h in error.c. Fixes #3866.
psa_set_key_id() now also sets the lifetime to persistent for keys located in a secure element.
Attempting to create a volatile key with a non-zero key identifier now fails. Previously the key identifier was just ignored when creating a volatile key.
Attempting to create or register a key with a key identifier in the vendor range now fails.
Fix build failures on GCC 11. Fixes #3782.
Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative (an error condition) and the second operand was aliased to the result.
Fix a case in elliptic curve arithmetic where an out-of-memory condition could go undetected, resulting in an incorrect result.
In CTR_DRBG and HMAC_DRBG, don’t reset the reseed interval in seed(). Fixes #2927.
In PEM writing functions, fill the trailing part of the buffer with null bytes. This guarantees that the corresponding parsing function can read the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem until this property was inadvertently broken in Mbed TLS 2.19.0. Fixes #3682.
Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT option on. In this configuration key management methods that are required for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail. Fixes #3818. Reported by John Stroebel.

Changes

Reduce stack usage significantly during sliding window exponentiation. Reported in #3591 and fix contributed in #3592 by Daniel Otte.
The PSA persistent storage format is updated to always store the key bits attribute. No automatic upgrade path is provided. Previously stored keys must be erased, or manually upgraded based on the key storage format specification (docs/architecture/mbed-crypto-storage-specification.md). Fixes #3740.
Remove the zeroization of a pointer variable in AES rounds. It was valid but spurious and misleading since it looked like a mistaken attempt to zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA Leti, France.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

f838f670f51070bc6b4ebf0c084affd9574652ded435b064969f36ce4e8b586d  mbedtls-2.25.0.tar.gz
6bf01ef178925f7db3c9027344a50855b116f2defe4a24cbdc0220111a371597  mbedtls-2.25.0.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Security

Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
A failure of the random generator was ignored in mbedtls_mpi_fill_random(), which is how most uses of randomization in asymmetric cryptography (including key generation, intermediate value randomization and blinding) are implemented. This could cause failures or the silent use of non-random values. A random generator can fail if it needs reseeding and cannot not obtain entropy, or due to an internal failure (which, for Mbed TLS’s own CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
Fix a compliance issue whereby we were not checking the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. This meant that a NULL algorithm parameters entry would look identical to an array of REAL (size zero) to the library and thus the certificate would be considered valid. However, if the parameters do not match in any way then the certificate should be considered invalid, and indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks to guidovranken who found this issue via differential fuzzing and reported it in #3629.
Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Reported by Johan Malmgren and Johan Uppman Bruce from Sectra.

Bugfix

Fix an invalid (but nonzero) return code from mbedtls_pk_parse_subpubkey() when the input has trailing garbage. Fixes #2512.
Fix rsa_prepare_blinding() to retry when the blinding value is not invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). Fixes #3647.
Fix the build when the macro _GNU_SOURCE is defined to a non-empty value. Fix #3432.
Correct the default IV size for mbedtls_cipher_info_t structures using MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don’t use IVs.
Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is defined. Fix contributed in #3571. Adopted for LTS branch 2.16 in #3602.
Fix build failures on GCC 11. Fixes #3782.
Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative (an error condition) and the second operand was aliased to the result.
Fix a case in elliptic curve arithmetic where an out-of-memory condition could go undetected, resulting in an incorrect result.
In CTR_DRBG and HMAC_DRBG, don’t reset the reseed interval in seed().
Fixes #2927.
In PEM writing functions, fill the trailing part of the buffer with null bytes. This guarantees that the corresponding parsing function can read the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem until this property was inadvertently broken in Mbed TLS 2.19.0. Fixes #3682.
Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT option on. In this configuration key management methods that are required for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail. Fixes #3818. Reported by John Stroebel.

Changes

Reduce stack usage significantly during sliding window exponentiation. Reported in #3591 and fix contributed in #3592 by Daniel Otte.
Remove the zeroization of a pointer variable in AES rounds. It was valid but spurious and misleading since it looked like a mistaken attempt to zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA Leti, France.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

fc17ff7d8c11d08f23ae2800a18269408ad2c24ea6bb8b9363e41a01c2425697  mbedtls-2.16.9.tar.gz
111300d0d307d738fb20596c358fda7129dfd5f5c682f055793262080ac50950  mbedtls-2.16.9.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Security

Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
Fix a compliance issue whereby we were not checking the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. This meant that a NULL algorithm parameters entry would look identical to an array of REAL (size zero) to the library and thus the certificate would be considered valid. However, if the parameters do not match in any way then the certificate should be considered invalid, and indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks to guidovranken who found this issue via differential fuzzing and reported it in #3629.
Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Reported by Johan Malmgren and Johan Uppman Bruce from Sectra.

Bugfix

Fix an invalid (but nonzero) return code from mbedtls_pk_parse_subpubkey() when the input has trailing garbage. Fixes #2512.
Fix rsa_prepare_blinding() to retry when the blinding value is not invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)). Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin). Fixes #3647.
Correct the default IV size for mbedtls_cipher_info_t structures using MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don’t use IVs.
Fix build failures on GCC 11. Fixes #3782.
Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative (an error condition) and the second operand was aliased to the result.
Fix a case in elliptic curve arithmetic where an out-of-memory condition could go undetected, resulting in an incorrect result.
In CTR_DRBG and HMAC_DRBG, don’t reset the reseed interval in seed(). Fixes #2927.

Changes

Reduce stack usage significantly during sliding window exponentiation. Reported in #3591 and fix contributed in #3592 by Daniel Otte.
Remove the zeroization of a pointer variable in AES rounds. It was valid but spurious and misleading since it looked like a mistaken attempt to zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA Leti, France.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

f4a0f0c62e7016fa96f6ee78e2b8ba05d1f653c3aa2734fd73fbec02c3637e23  mbedtls-2.7.18.tar.gz
2b169bbf8c04ef9c9776a7ddb487b3387d4be2f3220a112c6d52111f643b9a22  mbedtls-2.7.18.zip

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories.

API changes

In the PSA API, rename the types of elliptic curve and Diffie-Hellman group families to psa_ecc_family_t and psa_dh_family_t, in line with the PSA Crypto API specification version 1.0.0. Rename associated macros as well:
PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY

Default behavior changes

Stop storing persistent information about externally stored keys created through PSA Crypto with a volatile lifetime. Reported in #3288 and contributed by Steven Cooreman in #3382.

Features

The new function mbedtls_ecp_write_key() exports private ECC keys back to a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
Support building on e2k (Elbrus) architecture: correctly enable -Wformat-signedness, and fix the code that causes signed-one-bit-field and sign-compare warnings. Contributed by makise-homura (Igor Molchanov) [email protected].

Security

Fix a vulnerability in the verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify()) with the actual certificate name: when the subjecAltName extension is present, the expected name was compared to any name in that extension regardless of its type. This means that an attacker could for example impersonate a 4-bytes or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 (this would require the attacker to control that IP address, though). Similar attacks using other subjectAltName name types might be possible. Found and reported by kFYatek in #3498.
When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro Beekman in #3433.
In (D)TLS record decryption, when using a CBC ciphersuites without the Encrypt-then-Mac extension, use constant code flow memory access patterns to extract and check the MAC. This is an improvement to the existing countermeasure against Lucky 13 attacks. The previous countermeasure was effective against network-based attackers, but less so against local attackers. The new countermeasure defends against local attackers, even if they have access to fine-grained measurements. In particular, this fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
Fix side channel in RSA private key operations and static (finite-field) Diffie-Hellman. An adversary with precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could bypass an existing counter-measure (base blinding) and potentially fully recover the private key.
Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing the problematic code.
Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused application data from memory. Reported in #689 by Johan Uppman Bruce of Sectra.

Bugfix

Library files installed after a CMake build no longer have execute permission.
Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol redefinition if the function is inlined. Reported in #3451 and fix contributed in #3452 by okhowang.
Fix the endianness of Curve25519 keys imported/exported through the PSA APIs. psa_import_key and psa_export_key will now correctly expect/output Montgomery keys in little-endian as defined by RFC7748. Contributed by Steven Cooreman in #3425.
Fix build errors when the only enabled elliptic curves are Montgomery curves. Raised by signpainter in #941 and by Taiki-San in #1412. This also fixes missing declarations reported by Steven Cooreman in #1147.
Fix self-test failure when the only enabled short Weierstrass elliptic curve is secp192k1. Fixes #2017.
PSA key import will now correctly import a Curve25519/Curve448 public key instead of erroring out. Contributed by Steven Cooreman in #3492.
Use arc4random_buf on NetBSD instead of rand implementation with cyclical lower bits. Fix contributed in #3540.
Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory conditions. Reported and fix suggested by Guido Vranken in #3486.
Fix bug in redirection of unit test outputs on platforms where stdout is defined as a macro. First reported in #2311 and fix contributed in #3528.

Changes

Only pass -Wformat-signedness to versions of GCC that support it. Reported in #3478 and fix contributed in #3479 by okhowang.
Reduce the stack consumption of mbedtls_x509write_csr_der() which previously could lead to stack overflow on constrained devices. Contributed by Doru Gucea and Simon Leet in #3464.
Undefine the ASSERT macro before defining it locally, in case it is defined in a platform header. Contributed by Abdelatif Guettouche in #3557.
Update copyright notices to use Linux Foundation guidance. As a result, the copyright of contributors other than Arm is now acknowledged, and the years of publishing are no longer tracked in the source files. This also eliminates the need for the lines declaring the files to be part of MbedTLS. Fixes #3457.
Add the command line parameter key_pwd to the ssl_client2 and ssl_server2 example applications which allows to provide a password for the key file specified through the existing key_file argument. This allows the use of these applications with password-protected key files. Analogously but for ssl_server2 only, add the command line parameter key_pwd2 which allows to set a password for the key file provided through the existing key_file2 argument.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

d436ae4892bd80329ca18a3960052fbb42d3f1f46c7519711d6763621ca6cfa0  mbedtls-2.24.0.tar.gz
d7b129288a957b1936ade3921504d5524e34a0dbe9f4d965df3416db9cfe0dae  mbedtls-2.24.0.zip

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

11 months ago

11 months ago

11 months ago

11 months ago

11 months ago