forked from Mbed-TLS/mbedtls
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
6109 lines (5689 loc) · 329 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Mbed TLS ChangeLog (Sorted per branch, date)
= Mbed TLS 3.6.0 branch released 2024-03-28
API changes
* Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and
mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data
feature may not be TLS 1.3 specific in the future. Fixes #6909.
Default behavior changes
* psa_import_key() now only accepts RSA keys in the PSA standard formats.
The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
PEM) accepted by the pkparse module has been removed. Applications that
need these formats can call mbedtls_pk_parse_{public,}key() followed by
mbedtls_pk_import_into_psa().
Requirement changes
* Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.
New deprecations
* Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to
MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still
be used, but are deprecated.
* In the PSA API, domain parameters are no longer used for anything.
They are deprecated and will be removed in a future version of the
library.
* mbedtls_ecp_write_key() is deprecated in favor of
mbedtls_ecp_write_key_ext().
Removals
* In the PSA API, the experimental way to encode the public exponent of
an RSA key as a domain parameter is no longer supported. Use
psa_generate_key_ext() instead.
* Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
same behavior mbedtls_pk_get_psa_attributes() and
mbedtls_pk_import_into_psa() can be used to import a PK key into PSA,
while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque
PK context.
Features
* Added an example program showing how to hash with the PSA API.
* Support Armv8-A Crypto Extension acceleration for SHA-256
when compiling for Thumb (T32) or 32-bit Arm (A32).
* AES-NI is now supported in Windows builds with clang and clang-cl.
Resolves #8372.
* Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows
parsing unsupported certificate extensions via user provided callback.
* Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit
the decryption direction of block ciphers (AES, ARIA, Camellia).
This affects both the low-level modules and the high-level APIs
(the cipher and PSA interfaces). This option is incompatible with modes
that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
* Support use of Armv8-A Cryptographic Extensions for hardware acclerated
AES when compiling for Thumb (T32) or 32-bit Arm (A32).
* If a cipher or AEAD mechanism has a PSA driver, you can now build the
library without the corresponding built-in implementation. Generally
speaking that requires both the key type and algorithm to be accelerated
or they'll both be built in. However, for CCM and GCM the built-in
implementation is able to take advantage of a driver that only
accelerates the key type (that is, the block cipher primitive). See
docs/driver-only-builds.md for full details and current limitations.
* The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
* Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
size by disabling it in more circumstances. In particular, the CCM and
GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all
unauthenticated (non-AEAD) ciphers are disabled, or if they're all
fully provided by drivers. See docs/driver-only-builds.md for full
details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
decryption still unconditionally depend on MBEDTLS_CIPHER_C.
* Add support for record size limit extension as defined by RFC 8449
and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT.
Application data sent and received will be fragmented according to
Record size limits negotiated during handshake.
* Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
* Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa()
to convert between Mbed TLS and PSA curve identifiers.
* Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
gaps made by making its fields private: mbedtls_ecp_set_public_key(),
mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(),
mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
* Add functions mbedtls_md_psa_alg_from_type() and
mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
psa_algorithm_t.
* Add partial platform support for z/OS.
* Improve performance for gcc (versions older than 9.3.0) and IAR.
* Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to
convert ECDSA signatures between raw and DER (ASN.1) formats.
* Add support for using AES-CBC 128, 192, and 256 bit schemes
with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse.
* The new function mbedtls_rsa_get_bitlen() returns the length of the modulus
in bits, i.e. the key size for an RSA key.
* Add pc files for pkg-config, e.g.:
pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
* Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access
`mbedtls_ssl_session.ticket_creation_time`.
* The new functions mbedtls_pk_get_psa_attributes() and
mbedtls_pk_import_into_psa() provide a uniform way to create a PSA
key from a PK key.
* The benchmark program now reports times for both ephemeral and static
ECDH in all ECDH configurations.
* Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM
operations when hardware accelerated AES is not present. Improves
performance by around 30% on 64-bit Intel; 125% on Armv7-M.
* The new function psa_generate_key_ext() allows generating an RSA
key pair with a custom public exponent.
* The new function mbedtls_ecp_write_key_ext() is similar to
mbedtls_ecp_write_key(), but can be used without separately calculating
the output length.
* Add new accessor to expose the private group id member of
`mbedtls_ecdh_context` structure.
* Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of
`mbedtls_x509_crt` structure. This requires setting
the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
ext_types field.
* mbedtls_psa_get_random() is always available as soon as
MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is
called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be
used as random number generator function (f_rng) and context (p_rng) in
legacy functions.
* The new functions mbedtls_pk_copy_from_psa() and
mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context
with the same content as a PSA key.
* Add new accessors to expose the private session-id,
session-id length, and ciphersuite-id members of
`mbedtls_ssl_session` structure.
Add new accessor to expose the ciphersuite-id of
`mbedtls_ssl_ciphersuite_t` structure.Design ref: #8529
* Mbed TLS now supports the writing and reading of TLS 1.3 early data (see
docs/tls13-early-data.md). The support enablement is controlled at build
time by the MBEDTLS_SSL_EARLY_DATA configuration option and at runtime by
the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
* Add protection for multithreaded access to the PSA keystore and protection
for multithreaded access to the the PSA global state, including
concurrently calling psa_crypto_init() when MBEDTLS_THREADING_C and
MBEDTLS_THREADING_PTHREAD are defined. See
docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
Resolves issues #3263 and #7945.
Security
* Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3
ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
malicious client could cause information disclosure or a denial of service.
Fixes CVE-2024-30166.
* Passing buffers that are stored in untrusted memory as arguments
to PSA functions is now secure by default.
The PSA core now protects against modification of inputs or exposure
of intermediate outputs during operations. This is currently implemented
by copying buffers.
This feature increases code size and memory usage. If buffers passed to
PSA functions are owned exclusively by the PSA core for the duration of
the function call (i.e. no buffer parameters are in shared memory),
copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
Note that setting this option will cause input-output buffer overlap to
be only partially supported (#3266).
Fixes CVE-2024-28960.
* Restore the maximum TLS version to be negotiated to the configured one
when an SSL context is reset with the mbedtls_ssl_session_reset() API.
An attacker was able to prevent an Mbed TLS server from establishing any
TLS 1.3 connection potentially resulting in a Denial of Service or forced
version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e.
Fixes CVE-2024-28755.
* When negotiating TLS version on server side, do not fall back to the
TLS 1.2 implementation of the protocol if it is disabled.
- If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
client could put the TLS 1.3-only server in an infinite loop processing
a TLS 1.2 ClientHello, resulting in a denial of service. Reported by
Matthias Mucha and Thomas Blattmann, SICK AG.
- If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
was able to successfully establish a TLS 1.2 connection with the server.
Reported by alluettiv on GitHub.
Fixes CVE-2024-28836.
Bugfix
* Fix the build with CMake when Everest or P256-m is enabled through
a user configuration file or the compiler command line. Fixes #8165.
* Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is
disabled.
* Fix possible NULL dereference issue in X509 cert_req program if an entry
in the san parameter is not separated by a colon.
* Fix possible NULL dereference issue in X509 cert_write program if an entry
in the san parameter is not separated by a colon.
* Fix an inconsistency between implementations and usages of `__cpuid`,
which mainly causes failures when building Windows target using
mingw or clang. Fixes #8334 & #8332.
* Fix build failure in conda-forge. Fixes #8422.
* Fix parsing of CSRs with critical extensions.
* Switch to milliseconds as the unit for ticket creation and reception time
instead of seconds. That avoids rounding errors when computing the age of
tickets compared to peer using a millisecond clock (observed with GnuTLS).
Fixes #6623.
* Fix TLS server accepting TLS 1.2 handshake while TLS 1.2
is disabled at runtime. Fixes #8593.
* Remove accidental introduction of RSA signature algorithms
in TLS Suite B Profile. Fixes #8221.
* Fix unsupported PSA asymmetric encryption and decryption
(psa_asymmetric_[en|de]crypt) with opaque keys.
Resolves #8461.
* On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
acceleration detection when the libc headers do not define the
corresponding constant. Reported by valord577.
* Correct initial capacities for key derivation algorithms:TLS12_PRF,
TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
* Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
multiple of 8. Fixes #868.
* Avoid segmentation fault caused by releasing not initialized
entropy resource in gen_key example. Fixes #8809.
* mbedtls_pem_read_buffer() now performs a check on the padding data of
decrypted keys and it rejects invalid ones.
* Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and
mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in
the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled and the
RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify
functions performed a PKCS#1 v1.5 signature instead and the
encrypt/decrypt functions returned an error. Fixes #8824.
* Fix missing bitflags in SSL session serialization headers. Their absence
allowed SSL sessions saved in one configuration to be loaded in a
different, incompatible configuration.
* In TLS 1.3 clients, fix an interoperability problem due to the client
generating a new random after a HelloRetryRequest. Fixes #8669.
* Fix the restoration of the ALPN when loading serialized connection with
the mbedtls_ssl_context_load() API.
* Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using
an opaque RSA context and specifying MBEDTLS_PK_RSASSA_PSS as key type.
* Fix RSA opaque keys always using PKCS1 v1.5 algorithms instead of the
primary algorithm of the wrapped PSA key.
* Fully support arbitrary overlap between inputs and outputs of PSA
functions. Note that overlap is still only partially supported when
MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).
Changes
* Use heap memory to allocate DER encoded public/private key.
This reduces stack usage significantly for writing a public/private
key to a PEM string.
* PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and
they are now treated separately. This means that they should be
individually enabled in order to enable respective support; also the
corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
acceleration is required.
* Moved declaration of functions mbedtls_ecc_group_to_psa and
mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h
* mbedtls_pk_sign_ext() is now always available, not just when
PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.
* Extended PSA Crypto configurations options for FFDH by making it possible
to select only some of the parameters / groups, with the macros
PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro
for each size you want to support. Also, if you have an FFDH accelerator,
you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal
support for these domain parameters.
* RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
saving code size when those are not otherwise enabled.
* mbedtls_mpi_exp_mod and code that uses it, notably RSA and DHM operations,
have changed their speed/memory compromise as part of a proactive security
improvement. The new default value of MBEDTLS_MPI_WINDOW_SIZE roughly
preserves the current speed, at the expense of increasing memory
consumption.
* Rename directory containing Visual Studio files from visualc/VS2013 to
visualc/VS2017.
* The TLS 1.3 protocol is now enabled in the default configuration.
= Mbed TLS 3.5.2 branch released 2024-01-26
Security
* Fix a timing side channel in private key RSA operations. This side channel
could be sufficient for an attacker to recover the plaintext. A local
attacker or a remote attacker who is close to the victim on the network
might have precise enough timing measurements to exploit this. It requires
the attacker to send a large number of messages for decryption. For
details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
by Hubert Kario, Red Hat.
* Fix a failure to validate input when writing x509 extensions lengths which
could result in an integer overflow, causing a zero-length buffer to be
allocated to hold the extension. The extension would then be copied into
the buffer, causing a heap buffer overflow.
= Mbed TLS 3.5.1 branch released 2023-11-06
Changes
* Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
license. Users may choose which license they take the code under.
Bugfix
* Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
in CMake.
= Mbed TLS 3.5.0 branch released 2023-10-05
API changes
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
there was a flaw in the logic checking if the built-in implementation, in
that it failed to check if all the relevant curves were supported by the
accelerator. As a result, it was possible to declare no curves as
accelerated and still have the built-in implementation compiled out.
Starting with this release, it is necessary to declare which curves are
accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
considered not accelerated, and the built-in implementation of the curves
and any algorithm possible using them will be included in the build.
* Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
can be created using an ALT interface.
Requirement changes
* Officially require Python 3.8 now that earlier versions are out of support.
* Minimum required Windows version is now Windows Vista, or
Windows Server 2008.
New deprecations
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
the capabilities of the PSA side for either key.
* MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
maximum size of any supported block cipher) or the new name
MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
maximum size of a block cipher supported by the CMAC module).
* mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
mbedtls_pkcs12_pbe_ext() as they offer more security by checking
for overflow of the output buffer and reporting the actual length
of the output.
Features
* All modules that use hashes or HMAC can now take advantage of PSA Crypto
drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
been called. Previously (in 3.3), this was restricted to a few modules,
and only in builds where MBEDTLS_MD_C was disabled; in particular the
entropy module was not covered which meant an external RNG had to be
provided - these limitations are lifted in this version. A new set of
feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
to check for availability of hash algorithms, regardless of whether
they're provided by a built-in implementation, a driver or both. See
docs/driver-only-builds.md.
* When a PSA driver for ECDH is present, it is now possible to disable
MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
key exchanges based on ECDH(E) to work, this requires
MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
as PSA does not have an API for restartable ECDH yet.
* When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
if not required by another module) and still get support for ECC keys and
algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
for details.
* Add parsing of directoryName subtype for subjectAltName extension in
x509 certificates.
* Add support for server-side TLS version negotiation. If both TLS 1.2 and
TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
TLS 1.3 depending on the capabilities and preferences of TLS clients.
Fixes #6867.
* X.509 hostname verification now supports IPAddress Subject Alternate Names.
* Add support for reading and writing X25519 and X448
public and private keys in RFC 8410 format using the existing PK APIs.
* When parsing X.509 certificates, support the extensions
SignatureKeyIdentifier and AuthorityKeyIdentifier.
* Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
if no PAKE algorithms are requested
* Add support for the FFDH algorithm and DH key types in PSA, with
parameters from RFC 7919. This includes a built-in implementation based
on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
implementations of FFDH through the driver entry points.
* It is now possible to generate certificates with SubjectAltNames.
Currently supported subtypes: DnsName, UniformResourceIdentifier,
IP address, OtherName, and DirectoryName, as defined in RFC 5280.
See mbedtls_x509write_crt_set_subject_alternative_name for
more information.
* X.509 hostname verification now partially supports URI Subject Alternate
Names. Only exact matching, without any normalization procedures
described in 7.4 of RFC5280, will result in a positive URI verification.
* Add function mbedtls_oid_from_numeric_string() to parse an OID from a
string to a DER-encoded mbedtls_asn1_buf.
* Add SHA-3 family hash functions.
* Add support to restrict AES to 128-bit keys in order to save code size.
A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
used to enable this feature.
* AES performance improvements. Uplift varies by platform,
toolchain, optimisation flags and mode.
Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
On Aarch64, uplift is typically around 20 - 110%.
When compiling with gcc -Os on Aarch64, AES-XTS improves
by 4.5x.
* Add support for PBKDF2-HMAC through the PSA API.
* New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
or DH) were introduced in order to have finer accuracy in defining the
PSA capabilities for each key. These capabilities, named yyy above, can be
any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
- DERIVE is only available for ECC keys, not for RSA or DH ones.
- implementations are free to enable more than what it was strictly
requested. For example BASIC internally enables IMPORT and EXPORT
(useful for testing purposes), but this might change in the future.
* Add support for FFDH key exchange in TLS 1.3.
This is automatically enabled as soon as PSA_WANT_ALG_FFDH
and the ephemeral or psk-ephemeral key exchange mode are enabled.
By default, all groups are offered; the list of groups can be
configured using the existing API function mbedtls_ssl_conf_groups().
* Improve mbedtls_x509_time performance and reduce memory use.
* Reduce syscalls to time() during certificate verification.
* Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
setting the CMake variable of the same name at configuration time.
* Add getter (mbedtls_ssl_cache_get_timeout()) to access
`mbedtls_ssl_cache_context.timeout`.
* Add getter (mbedtls_ssl_get_hostname()) to access
`mbedtls_ssl_context.hostname`.
* Add getter (mbedtls_ssl_conf_get_endpoint()) to access
`mbedtls_ssl_config.endpoint`.
* Support for "opaque" (PSA-held) ECC keys in the PK module has been
extended: it is now possible to use mbedtls_pk_write_key_der(),
mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
allow it).
* The documentation of mbedtls_ecp_group now describes the optimized
representation of A for some curves. Fixes #8045.
* Add a possibility to generate CSR's with RCF822 and directoryName subtype
of subjectAltName extension in x509 certificates.
* Add support for PBKDF2-CMAC through the PSA API.
* New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
disables the plain C implementation and the run-time detection for the
CPU feature, which reduces code size and avoids the vulnerability of the
plain C implementation.
* Accept arbitrary AttributeType and AttributeValue in certificate
Distinguished Names using RFC 4514 syntax.
* Applications using ECC over secp256r1 through the PSA API can use a
new implementation with a much smaller footprint, but some minor
usage restrictions. See the documentation of the new configuration
option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
Security
* Fix a case where potentially sensitive information held in memory would not
be completely zeroized during TLS 1.2 handshake, in both server and client
configurations.
* In configurations with ARIA or Camellia but not AES, the value of
MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
suggest. This did not affect any library code, because this macro was
only used in relation with CMAC which does not support these ciphers.
This may affect application code that uses this macro.
* Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
review the size of the output buffer passed to this function, and note
that the output after decryption may include CBC padding. Consider moving
to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
which checks for overflow of the output buffer and reports the actual
length of the output.
* Improve padding calculations in CBC decryption, NIST key unwrapping and
RSA OAEP decryption. With the previous implementation, some compilers
(notably recent versions of Clang and IAR) could produce non-constant
time code, which could allow a padding oracle attack if the attacker
has access to precise timing measurements.
* Updates to constant-time C code so that compilers are less likely to use
conditional instructions, which can have an observable difference in
timing. (Clang has been seen to do this.) Also introduce assembly
implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
guaranteed not to use conditional instructions.
* Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
undefined. Mbed TLS itself was unaffected by this, but user code
which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
release containing this bug was Mbed TLS 3.4.0.
* Fix a buffer overread when parsing short TLS application data records in
null-cipher cipher suites. Credit to OSS-Fuzz.
* Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
In TLS 1.3, all configurations are affected except PSK-only ones, and
both clients and servers are affected.
In TLS 1.2, the affected configurations are those with
MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
and only servers are affected, not clients.
Credit to OSS-Fuzz.
Bugfix
* Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
than all built-in ones and RSA is disabled.
Resolves #6622.
* Add missing md.h includes to some of the external programs from
the programs directory. Without this, even though the configuration
was sufficient for a particular program to work, it would only print
a message that one of the required defines is missing.
* Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
in the ecdsa.h header file. There was a build warning when the
configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
Resolves #7407.
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
* Fix missing PSA initialization in sample programs when
MBEDTLS_USE_PSA_CRYPTO is enabled.
* Fix the J-PAKE driver interface for user and peer to accept any values
(previously accepted values were limited to "client" or "server").
* Fix clang and armclang compilation error when targeting certain Arm
M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
SecurCore SC000). Fixes #1077.
* Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
way to detect the crypto extensions required. A warning is still issued.
* Fixed an issue that caused compile errors when using CMake and the IAR
toolchain.
* Fix very high stack usage in SSL debug code. Reported by Maximilian
Gerhardt in #7804.
* Fix a compilation failure in the constant_time module when
building for arm64_32 (e.g., for watchos). Reported by Paulo
Coutinho in #7787.
* Fix crypt_and_hash decryption fail when used with a stream cipher
mode of operation due to the input not being multiple of block size.
Resolves #7417.
* Fix a bug in which mbedtls_x509_string_to_names() would return success
when given a invalid name string if it did not contain '=' or ','.
* Fix compilation warnings in aes.c, which prevented the
example TF-M configuration in configs/ from building cleanly:
tfm_mbedcrypto_config_profile_medium.h with
crypto_config_profile_medium.h.
* In TLS 1.3, fix handshake failure when a client in its ClientHello
proposes an handshake based on PSK only key exchange mode or at least
one of the key exchange modes using ephemeral keys to a server that
supports only the PSK key exchange mode.
* Fix CCM* with no tag being not supported in a build with CCM as the only
symmetric encryption algorithm and the PSA configuration enabled.
* Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
* Fix a compilation error on some platforms when including mbedtls/ssl.h
with all TLS support disabled. Fixes #6628.
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
using ECC key. The certificate was rejected by some crypto frameworks.
Fixes #2924.
* Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
is called with zero length and padlock is not enabled.
* Fix compile failure due to empty enum in cipher_wrap.c, when building
with a very minimal configuration. Fixes #7625.
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
signature can silently return an incorrect result in low memory conditions.
* Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
* Fix IAR compiler warnings.
* Fix an issue when parsing an otherName subject alternative name into a
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
copied to the struct. This meant that the struct had incomplete
information about the otherName SAN and contained uninitialized memory.
* Fix the detection of HardwareModuleName otherName SANs. These were being
detected by comparing the wrong field and the check was erroneously
inverted.
* Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
enabled, where some low-level modules required by requested PSA crypto
features were not getting automatically enabled. Fixes #7420.
* Fix undefined symbols in some builds using TLS 1.3 with a custom
configuration file.
* Fix log level for the got supported group message. Fixes #6765
* Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
error code on failure. Before, they returned 1 to indicate failure in
some cases involving a missing entry or a full cache.
* mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
* Fix the build with CMake when Everest or P256-m is enabled through
a user configuration file or the compiler command line. Fixes #8165.
Changes
* Enable Arm / Thumb bignum assembly for most Arm platforms when
compiling with gcc, clang or armclang and -O0.
* Enforce minimum RSA key size when generating a key
to avoid accidental misuse.
* Use heap memory to allocate DER encoded RSA private key.
This reduces stack usage significantly for RSA signature
operations when MBEDTLS_PSA_CRYPTO_C is defined.
* Update Windows code to use BCryptGenRandom and wcslen, and
ensure that conversions between size_t, ULONG, and int are
always done safely. Original contribution by Kevin Kane #635, #730
followed by Simon Butcher #1453.
* Users integrating their own PSA drivers should be aware that
the file library/psa_crypto_driver_wrappers.c has been renamed
to psa_crypto_driver_wrappers_no_static.c.
* When using CBC with the cipher module, the requirement to call
mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
this call accidentally applied a default padding mode chosen at compile
time.
= Mbed TLS 3.4.1 branch released 2023-08-04
Bugfix
* Fix builds on Windows with clang
Changes
* Update test data to avoid failures of unit tests after 2023-08-07.
= Mbed TLS 3.4.0 branch released 2023-03-28
Default behavior changes
* The default priority order of TLS 1.3 cipher suites has been modified to
follow the same rules as the TLS 1.2 cipher suites (see
ssl_ciphersuites.c). The preferred cipher suite is now
TLS_CHACHA20_POLY1305_SHA256.
New deprecations
* mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
direct dependency of X509 on BIGNUM_C.
* PSA to mbedtls error translation is now unified in psa_util.h,
deprecating mbedtls_md_error_from_psa. Each file that performs error
translation should define its own version of PSA_TO_MBEDTLS_ERR,
optionally providing file-specific error pairs. Please see psa_util.h for
more details.
Features
* Added partial support for parsing the PKCS #7 Cryptographic Message
Syntax, as defined in RFC 2315. Currently, support is limited to the
following:
- Only the signed-data content type, version 1 is supported.
- Only DER encoding is supported.
- Only a single digest algorithm per message is supported.
- Certificates must be in X.509 format. A message must have either 0
or 1 certificates.
- There is no support for certificate revocation lists.
- The authenticated and unauthenticated attribute fields of SignerInfo
must be empty.
Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
contributing this feature, and to Demi-Marie Obenour for contributing
various improvements, tests and bug fixes.
* General performance improvements by accessing multiple bytes at a time.
Fixes #1666.
* Improvements to use of unaligned and byte-swapped memory, reducing code
size and improving performance (depending on compiler and target
architecture).
* Add support for reading points in compressed format
(MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
(and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
(all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
* SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
This helps in saving code size when some of the above hashes are not
required.
* Add parsing of V3 extensions (key usage, Netscape cert-type,
Subject Alternative Names) in x509 Certificate Sign Requests.
* Use HOSTCC (if it is set) when compiling C code during generation of the
configuration-independent files. This allows them to be generated when
CC is set for cross compilation.
* Add parsing of uniformResourceIdentifier subtype for subjectAltName
extension in x509 certificates.
* Add an interruptible version of sign and verify hash to the PSA interface,
backed by internal library support for ECDSA signing and verification.
* Add parsing of rfc822Name subtype for subjectAltName
extension in x509 certificates.
* The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
* When a PSA driver for ECDSA is present, it is now possible to disable
MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
supported in those builds yet, as driver support for interruptible ECDSA
operations is not present yet.
* Add a driver dispatch layer for EC J-PAKE, enabling alternative
implementations of EC J-PAKE through the driver entry points.
* Add new API mbedtls_ssl_cache_remove for cache entry removal by
its session id.
* Add support to include the SubjectAltName extension to a CSR.
* Add support for AES with the Armv8-A Cryptographic Extension on
64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
be used to enable this feature. Run-time detection is supported
under Linux only.
* When a PSA driver for EC J-PAKE is present, it is now possible to disable
MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
to be enabled.
* Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
to read non-public fields for padding mode and hash id from
an mbedtls_rsa_context, as requested in #6917.
* AES-NI is now supported with Visual Studio.
* AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
is disabled, when compiling with GCC or Clang or a compatible compiler
for a target CPU that supports the requisite instructions (for example
gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
* It is now possible to use a PSA-held (opaque) password with the TLS 1.2
ECJPAKE key exchange, using the new API function
mbedtls_ssl_set_hs_ecjpake_password_opaque().
Security
* Use platform-provided secure zeroization function where possible, such as
explicit_bzero().
* Zeroize SSL cache entries when they are freed.
* Fix a potential heap buffer overread in TLS 1.3 client-side when
MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
* Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
Arm, so that these systems are no longer vulnerable to timing side-channel
attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
Reported by Demi Marie Obenour.
* MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
builds that couldn't compile the GCC-style assembly implementation
(most notably builds with Visual Studio), leaving them vulnerable to
timing side-channel attacks. There is now an intrinsics-based AES-NI
implementation as a fallback for when the assembly one cannot be used.
Bugfix
* Fix possible integer overflow in mbedtls_timing_hardclock(), which
could cause a crash in programs/test/benchmark.
* Fix IAR compiler warnings. Fixes #6924.
* Fix a bug in the build where directory names containing spaces were
causing generate_errors.pl to error out resulting in a build failure.
Fixes issue #6879.
* In TLS 1.3, when using a ticket for session resumption, tweak its age
calculation on the client side. It prevents a server with more accurate
ticket timestamps (typically timestamps in milliseconds) compared to the
Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
than the age computed and transmitted by the client and thus potentially
reject the ticket. Fix #6623.
* Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
* List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
be toggled with config.py.
* The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
used on a shared secret from a key agreement since its input must be
an ECC public key. Reject this properly.
* mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
whose binary representation is longer than 20 bytes. This was already
forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
enforced also at code level.
* Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
Aaron Ucko under Valgrind.
* Fix behavior of certain sample programs which could, when run with no
arguments, access uninitialized memory in some cases. Fixes #6700 (which
was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
* Fix parsing of X.509 SubjectAlternativeName extension. Previously,
malformed alternative name components were not caught during initial
certificate parsing, but only on subsequent calls to
mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
* Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
possible to verify RSA PSS signatures with the pk module, which was
inadvertently broken since Mbed TLS 3.0.
* Fix bug in conversion from OID to string in
mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
correctly.
* Reject OIDs with overlong-encoded subidentifiers when converting
them to a string.
* Reject OIDs with subidentifier values exceeding UINT_MAX. Such
subidentifiers can be valid, but Mbed TLS cannot currently handle them.
* Reject OIDs that have unterminated subidentifiers, or (equivalently)
have the most-significant bit set in their last byte.
* Silence warnings from clang -Wdocumentation about empty \retval
descriptions, which started appearing with Clang 15. Fixes #6960.
* Fix the handling of renegotiation attempts in TLS 1.3. They are now
systematically rejected.
* Fix an unused-variable warning in TLS 1.3-only builds if
MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
* Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
len argument is 0 and buffer is NULL.
* Allow setting user and peer identifiers for EC J-PAKE operation
instead of role in PAKE PSA Crypto API as described in the specification.
This is a partial fix that allows only "client" and "server" identifiers.
* Fix a compilation error when PSA Crypto is built with support for
TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
* In the TLS 1.3 server, select the preferred client cipher suite, not the
least preferred. The selection error was introduced in Mbed TLS 3.3.0.
* Fix TLS 1.3 session resumption when the established pre-shared key is
384 bits long. That is the length of pre-shared keys created under a
session where the cipher suite is TLS_AES_256_GCM_SHA384.
* Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
enabled, which required specifying compiler flags enabling SHA3 Crypto
Extensions, where some compilers would emit EOR3 instructions in other
modules, which would then fail if run on a CPU without the SHA3
extensions. Fixes #5758.
Changes
* Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
typically /usr/lib/cmake/MbedTLS.
* Mixed-endian systems are explicitly not supported any more.
* When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
the behaviour without it, where deterministic ECDSA was already used.
* Visual Studio: Rename the directory containing Visual Studio files from
visualc/VS2010 to visualc/VS2013 as we do not support building with versions
older than 2013. Update the solution file to specify VS2013 as a minimum.
* programs/x509/cert_write:
- now it accepts the serial number in 2 different formats: decimal and
hex. They cannot be used simultaneously
- "serial" is used for the decimal format and it's limted in size to
unsigned long long int
- "serial_hex" is used for the hex format; max length here is
MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
* The C code follows a new coding style. This is transparent for users but
affects contributors and maintainers of local patches. For more
information, see
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
* Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
As tested in issue 6790, the correlation between this define and
RSA decryption performance has changed lately due to security fixes.
To fix the performance degradation when using default values the
window was reduced from 6 to 2, a value that gives the best or close
to best results when tested on Cortex-M4 and Intel i7.
* When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
compiler target flags on the command line; the library now sets target
options within the appropriate modules.
= Mbed TLS 3.3.0 branch released 2022-12-14
Default behavior changes
* Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
of the IETF draft, and was marked experimental and disabled by default.
It is now no longer experimental, and implements the final version from
RFC 9146, which is not interoperable with the draft-05 version.
If you need to communicate with peers that use earlier versions of
Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
to 1, but then you won't be able to communicate with peers that use the
standard (non-draft) version.
If you need to interoperate with both classes of peers with the
same build of Mbed TLS, please let us know about your situation on the
mailing list or GitHub.
Requirement changes
* When building with PSA drivers using generate_driver_wrappers.py, or
when building the library from the development branch rather than
from a release, the Python module jsonschema is now necessary, in
addition to jinja2. The official list of required Python modules is
maintained in scripts/basic.requirements.txt and may change again
in the future.
New deprecations
* Deprecate mbedtls_asn1_free_named_data().
Use mbedtls_asn1_free_named_data_list()
or mbedtls_asn1_free_named_data_list_shallow().
Features
* Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
* make: enable building unversioned shared library, with e.g.:
"SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib"
resulting in library names like "libmbedtls.so" rather than
"libmbedcrypto.so.11".
* Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
are supported in this implementation.
* Some modules can now use PSA drivers for hashes, including with no
built-in implementation present, but only in some configurations.
- RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
- PEM parsing of encrypted files now uses MD-5 from PSA when (and only
when) MBEDTLS_MD5_C is disabled.
See the documentation of the corresponding macros in mbedtls_config.h for
details.
Note that some modules are not able to use hashes from PSA yet, including
the entropy module. As a consequence, for now the only way to build with
all hashes only provided by drivers (no built-in hash) is to use
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
* When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
properly negotiate/accept hashes based on their availability in PSA.
As a consequence, they now work in configurations where the built-in
implementations of (some) hashes are excluded and those hashes are only
provided by PSA drivers. (See previous entry for limitation on RSA-PSS
though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
* Add support for opaque keys as the private keys associated to certificates
for authentication in TLS 1.3.
* Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
Signature verification is production-ready, but generation is for testing
purposes only. This currently only supports one parameter set
(LMS_SHA256_M32_H10), meaning that each private key can be used to sign
1024 messages. As such, it is not intended for use in TLS, but instead
for verification of assets transmitted over an insecure channel,
particularly firmware images.
* Add the LM-OTS post-quantum-safe one-time signature scheme, which is
required for LMS. This can be used independently, but each key can only
be used to sign one message so is impractical for most circumstances.
* Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
The pre-shared keys can be provisioned externally or via the ticket
mechanism (session resumption).
The ticket mechanism is supported when the configuration option
MBEDTLS_SSL_SESSION_TICKETS is enabled.
New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
control the support for the three possible TLS 1.3 key exchange modes.
* cert_write: support for setting extended key usage attributes. A
corresponding new public API call has been added in the library,
mbedtls_x509write_crt_set_ext_key_usage().
* cert_write: support for writing certificate files in either PEM
or DER format.
* The PSA driver wrapper generator generate_driver_wrappers.py now
supports a subset of the driver description language, including
the following entry points: import_key, export_key, export_public_key,
get_builtin_key, copy_key.
* The new functions mbedtls_asn1_free_named_data_list() and
mbedtls_asn1_free_named_data_list_shallow() simplify the management
of memory in named data lists in X.509 structures.
* The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
Additional PSA key slots will be allocated in the process of such key
exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
MBEDTLS_USE_PSA_CRYPTO.
* Add support for DTLS Connection ID as defined by RFC 9146, controlled by
MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
mbedtls_ssl_set_cid().
* Add a driver dispatch layer for raw key agreement, enabling alternative
implementations of raw key agreement through the key_agreement driver
entry point. This entry point is specified in the proposed PSA driver
interface, but had not yet been implemented.
* Add an ad-hoc key derivation function handling EC J-PAKE to PMS
calculation that can be used to derive the session secret in TLS 1.2,
as described in draft-cragie-tls-ecjpake-01. This can be achieved by
using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.
Security
* Fix potential heap buffer overread and overwrite in DTLS if
MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
* Fix an issue where an adversary with access to precise enough information
about memory accesses (typically, an untrusted operating system attacking
a secure enclave) could recover an RSA private key after observing the
victim performing a single private-key operation if the window size used
for the exponentiation was 3 or smaller. Found and reported by Zili KOU,
Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
and Test in Europe 2023.
Bugfix
* Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
* Fix an issue with in-tree CMake builds in releases with GEN_FILES
turned off: if a shipped file was missing from the working directory,
it could be turned into a symbolic link to itself.
* Fix a long-standing build failure when building x86 PIC code with old
gcc (4.x). The code will be slower, but will compile. We do however
recommend upgrading to a more recent compiler instead. Fixes #1910.
* Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
Contributed by Kazuyuki Kimura to fix #2020.
* Use double quotes to include private header file psa_crypto_cipher.h.
Fixes 'file not found with <angled> include' error
when building with Xcode.
* Fix handling of broken symlinks when loading certificates using
mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
broken link is encountered, skip the broken link and continue parsing
other certificate files. Contributed by Eduardo Silva in #2602.
* Fix an interoperability failure between an Mbed TLS client with both
TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
advertised support for PSS in both TLS 1.2 and 1.3, but only
actually supported PSS in TLS 1.3.
* Fix a compilation error when using CMake with an IAR toolchain.
Fixes #5964.
* Fix a build error due to a missing prototype warning when
MBEDTLS_DEPRECATED_REMOVED is enabled.
* Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
uninitialized context.
* Fix a build issue on Windows using CMake where the source and build
directories could not be on different drives. Fixes #5751.
* Fix bugs and missing dependencies when building and testing
configurations with only one encryption type enabled in TLS 1.2.
* Provide the missing definition of mbedtls_setbuf() in some configurations
with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
* Fix compilation errors when trying to build with
PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
* Fix memory leak in ssl_parse_certificate_request() caused by
mbedtls_x509_get_name() not freeing allocated objects in case of error.
Change mbedtls_x509_get_name() to clean up allocated objects on error.
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
MBEDTLS_PK_PARSE_C. Fixes #6409.
* Fix ECDSA verification, where it was not always validating the
public key. This bug meant that it was possible to verify a
signature with an invalid public key, in some cases. Reported by
Guido Vranken using Cryptofuzz in #4420.
* Fix a possible null pointer dereference if a memory allocation fails
in TLS PRF code. Reported by Michael Madsen in #6516.
* Fix TLS 1.3 session resumption. Fixes #6488.
* Add a configuration check to exclude optional client authentication
in TLS 1.3 (where it is forbidden).
* Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
bytes when parsing certificates containing a binary RFC 4108
HardwareModuleName as a Subject Alternative Name extension. Hardware
serial numbers are now rendered in hex format. Fixes #6262.
* Fix bug in error reporting in dh_genprime.c where upon failure,
the error code returned by mbedtls_mpi_write_file() is overwritten
and therefore not printed.
* In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
with A > 0 created an unintended representation of the value 0 which was
not processed correctly by some bignum operations. Fix this. This had no
consequence on cryptography code, but might affect applications that call
bignum directly and use negative numbers.
* Fix a bug whereby the list of signature algorithms sent as part of
the TLS 1.2 server certificate request would get corrupted, meaning the
first algorithm would not get sent and an entry consisting of two random
bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian.
* Fix undefined behavior (typically harmless in practice) of
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
when both operands are 0 and the left operand is represented with 0 limbs.
* Fix undefined behavior (typically harmless in practice) when some bignum
functions receive the most negative value of mbedtls_mpi_sint. Credit
to OSS-Fuzz. Fixes #6597.
* Fix undefined behavior (typically harmless in practice) in PSA ECB
encryption and decryption.
* Move some SSL-specific code out of libmbedcrypto where it had been placed
accidentally.
* Fix a build error when compiling the bignum module for some Arm platforms.
Fixes #6089, #6124, #6217.
Changes
* Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.
* Calling AEAD tag-specific functions for non-AEAD algorithms (which
should not be done - they are documented for use only by AES-GCM and
ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
instead of success (0).
= Mbed TLS 3.2.1 branch released 2022-07-12