-
Notifications
You must be signed in to change notification settings - Fork 5
/
ChangeLog
3470 lines (3171 loc) · 176 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.16.7 branch released 2020-07-01
Security
* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
Strackx (Fortanix) in #3394.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
private key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros). This would cause the original Lucky 13 attack to be possible in
those configurations, allowing an active network attacker to recover
plaintext after repeated timing measurements under some conditions.
Reported and fix suggested by Luc Perneel in #3246.
Bugfix
* Fix the Visual Studio Release x64 build configuration for mbedtls itself.
Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for
the example programs. Reported in #1430 and fix contributed by irwir.
* Fix undefined behavior in X.509 certificate parsing if the
pathLenConstraint basic constraint value is equal to INT_MAX.
The actual effect with almost every compiler is the intended
behavior, so this is unlikely to be exploitable anywhere. #3197
* Include asn1.h in error.c. Fixes #3328 reported by David Hu.
* Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
when PRNG function fails. Contributed by Jonas Lejeune in #3318.
* Add additional bounds checks in ssl_write_client_hello() preventing
output buffer overflow if the configuration declared a buffer that was
too small.
Changes
* Unify the example programs termination to call mbedtls_exit() instead of
using a return command. This has been done to enable customization of the
behavior in bare metal environments.
* Abort the ClientHello writing function as soon as some extension doesn't
fit into the record buffer. Previously, such extensions were silently
dropped. As a consequence, the TLS handshake now fails when the output
buffer is not large enough to hold the ClientHello.
* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
`MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C` or
`MBEDTLS_SHA256_C` for some side-channel coutermeasures. If side channels
are not a concern, this dependency can be avoided by enabling the new
option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
= mbed TLS 2.16.6 branch released 2020-04-14
Security
* Fix side channel in ECC code that allowed an adversary with access to
precise enough timing and memory access information (typically an
untrusted operating system attacking a secure enclave) to fully recover
an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
* Fix a potentially remotely exploitable buffer overread in a
DTLS client when parsing the Hello Verify Request message.
Bugfix
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
* Fix a function name in a debug message. Contributed by Ercan Ozturk in
#3013.
= mbed TLS 2.16.5 branch released 2020-02-20
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
* To avoid a side channel vulnerability when parsing an RSA private key,
read all the CRT parameters from the DER structure rather than
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
Brumley. Reported and fix contributed by Jack Lloyd.
ARMmbed/mbed-crypto#352
Bugfix
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys that would later be rejected by functions expecting private
keys. Found by Catena cyber using oss-fuzz (issue 20467).
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys with invalid values by silently fixing those values.
= mbed TLS 2.16.4 branch released 2020-01-15
Security
* Fix side channel vulnerability in ECDSA. Our bignum implementation is not
constant time/constant trace, so side channel attacks can retrieve the
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
to have only large prime factors), and then, by brute force, recover the
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
mbedtls_internal_aes_decrypt() before exiting the function. The value of
these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).
* Fix side channel vulnerability in ECDSA key generation. Obtaining precise
timings on the comparison in the key generation enabled the attacker to
learn leading bits of the ephemeral key used during ECDSA signatures and to
recover the private key. Reported by Jeremy Dubeuf.
* Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
failures could happen with alternative implementations of AES. Bug
reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
Sectra.
Bugfix
* Remove redundant line for getting the bitlen of a bignum, since the variable
holding the returned value is overwritten a line after.
Found by irwir in #2377.
* Support mbedtls_hmac_drbg_set_entropy_len() and
mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
the initial seeding always reset the entropy length to the compile-time
default.
Changes
* Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
from the cipher abstraction layer. Fixes #2198.
* Clarify how the interface of the CTR_DRBG and HMAC modules relates to
NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce
to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.
= mbed TLS 2.16.3 branch released 2019-09-06
Security
* Fix a missing error detection in ECJPAKE. This could have caused a
predictable shared secret if a hardware accelerator failed and the other
side of the key exchange had a similar bug.
* The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
implement blinding. Because of this for the same key and message the same
blinding value was generated. This reduced the effectiveness of the
countermeasure and leaked information about the private key through side
channels. Reported by Jack Lloyd.
* When writing a private EC key, use a constant size for the private
value, as specified in RFC 5915. Previously, the value was written
as an ASN.1 INTEGER, which caused the size of the key to leak
about 1 bit of information on average and could cause the value to be
1 byte too large for the output buffer.
API Changes
* The new function mbedtls_ecdsa_sign_det_ext() is similar to
mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
purpose of blinding.
Bugfix
* Fix to allow building test suites with any warning that detects unused
functions. Fixes #1628.
* Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
* Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
* Fix Visual Studio Release x64 build configuration by inheriting
PlatformToolset from the project configuration. Fixes #1430 reported by
irwir.
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
if some curves are not defined. Fixes #1591 reported by dbedev.
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
* Update test certificates that were about to expire. Reported by
Bernhard M. Wiedemann in #2357.
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
in #2169.
* Fix undefined memset(NULL) call in test_suite_nist_kw.
* Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
* Fix propagation of restart contexts in restartable EC operations.
This could previously lead to segmentation faults in builds using an
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
* Fix memory leak in in mpi_miller_rabin(). Contributed by
Jens Wiklander <jens.wiklander@linaro.org> in #2363
* Improve code clarity in x509_crt module, removing false-positive
uninitialized variable warnings on some recent toolchains (GCC8, etc).
Discovered and fixed by Andy Gross (Linaro), #2392.
* Zero length buffer check for undefined behavior in
mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49.
* Fix bug in endianness conversion in bignum module. This lead to
functionally incorrect code on bigendian systems which don't have
__BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622.
Changes
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
suggests). #2671
* Make `make clean` clean all programs always. Fixes #1862.
= mbed TLS 2.16.2 branch released 2019-06-11
Security
* Make mbedtls_ecdh_get_params return an error if the second key
belongs to a different group from the first. Before, if an application
passed keys that belonged to different group, the first key's data was
interpreted according to the second group, which could lead to either
an error or a meaningless output from mbedtls_ecdh_get_params. In the
latter case, this could expose at most 5 bits of the private key.
Bugfix
* Server's RSA certificate in certs.c was SHA-1 signed. In the default
mbedTLS configuration only SHA-2 signed certificates are accepted.
This certificate is used in the demo server programs, which lead the
client programs to fail at the peer's certificate verification
due to an unacceptable hash signature. The certificate has been
updated to one that is SHA-256 signed. Fix contributed by
Illya Gerasymchuk.
* Fix private key DER output in the key_app_writer example. File contents
were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
Christian Walther in #2239.
* Fix potential memory leak in X.509 self test. Found and fixed by
Junhwan Park, #2106.
* Reduce stack usage of hkdf tests. Fixes #2195.
* Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
used with negative inputs. Found by Guido Vranken in #2404. Credit to
OSS-Fuzz.
* Fix bugs in the AEAD test suite which would be exposed by ciphers which
either used both encrypt and decrypt key schedules, or which perform padding.
GCM and CCM were not affected. Fixed by Jack Lloyd.
* Fix incorrect default port number in ssl_mail_client example's usage.
Found and fixed by irwir. #2337
* Add missing parentheses around parameters in the definition of the
public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
in case operators binding less strongly than subtraction were used
for the parameter.
* Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
sni entry parameter. Reported by inestlerode in #560.
* Add DER-encoded test CRTs to library/certs.c, allowing
the example programs ssl_server2 and ssl_client2 to be run
if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
* Fix missing bounds checks in X.509 parsing functions that could
lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
* Fix multiple X.509 functions previously returning ASN.1 low-level error
codes to always wrap these codes into X.509 high level error codes before
returning. Fixes #2431.
Changes
* Return from various debugging routines immediately if the
provided SSL context is unset.
* Remove dead code from bignum.c in the default configuration.
Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
* Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
Contributed by Peter Kolbus (Garmin).
* Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
improve clarity. Fixes #2258.
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
= mbed TLS 2.16.1 branch released 2019-03-19
Features
* Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
from the default list (enabled by default). See
https://sweet32.info/SWEET32_CCS16.pdf.
Bugfix
* Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
* Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
Raised as a comment in #1996.
* Reduce the stack consumption of mbedtls_mpi_fill_random() which could
previously lead to a stack overflow on constrained targets.
* Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
in the header files, which missed the precompilation check. #971
* Fix clobber list in MIPS assembly for large integer multiplication.
Previously, this could lead to functionally incorrect assembly being
produced by some optimizing compilers, showing up as failures in
e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
by Aurelien Jarno and submitted by Jeffrey Martin.
* Fix signed-to-unsigned integer conversion warning
in X.509 module. Fixes #2212.
* Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
Fixes #2190.
* Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
* Remove the mbedtls namespacing from the header file, to fix a "file not found"
build error. Fixed by Haijun Gu #2319.
* Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
* Fix false failure in all.sh when backup files exist in include/mbedtls
(e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
* Ensure that unused bits are zero when writing ASN.1 bitstrings when using
mbedtls_asn1_write_bitstring().
* Fix issue when writing the named bitstrings in KeyUsage and NsCertType
extensions in CSRs and CRTs that caused these bitstrings to not be encoded
correctly as trailing zeroes were not accounted for as unused bits in the
leading content octet. Fixes #1610.
Changes
* Include configuration file in all header files that use configuration,
instead of relying on other header files that they include.
Inserted as an enhancement for #1371
* Add support for alternative CSR headers, as used by Microsoft and defined
in RFC 7468. Found by Michael Ernst. Fixes #767.
* Fix configuration queries in ssl-opt.h. #2030
* Ensure that ssl-opt.h can be run in OS X. #2029
* Reduce the complexity of the timing tests. They were assuming more than the
underlying OS actually guarantees.
* Re-enable certain interoperability tests in ssl-opt.sh which had previously
been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
* Ciphersuites based on 3DES now have the lowest priority by default when
they are enabled.
= mbed TLS 2.16.0 branch released 2018-12-21
Features
* Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
of parameters in the API. This allows detection of obvious misuses of the
API, such as passing NULL pointers. The API of existing functions hasn't
changed, but requirements on parameters have been made more explicit in
the documentation. See the corresponding API documentation for each
function to see for which parameter values it is defined. This feature is
disabled by default. See its API documentation in config.h for additional
steps you have to take when enabling it.
API Changes
* The following functions in the random generator modules have been
deprecated and replaced as shown below. The new functions change
the return type from void to int to allow returning error codes when
using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
primitive. Fixes #1798.
mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
* Extend ECDH interface to enable alternative implementations.
* Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
ARIA, CAMELLIA and Blowfish. These error codes will be replaced by
the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
* Additional parameter validation checks have been added for the following
modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI.
Where modules have had parameter validation added, existing parameter
checks may have changed. Some modules, such as Chacha20 had existing
parameter validation whereas other modules had little. This has now been
changed so that the same level of validation is present in all modules, and
that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
is off. That means that checks which were previously present by default
will no longer be.
New deprecations
* Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update
in favor of functions that can return an error code.
Bugfix
* Fix for Clang, which was reporting a warning for the bignum.c inline
assembly for AMD64 targets creating string literals greater than those
permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
* Fix runtime error in `mbedtls_platform_entropy_poll()` when run
through qemu user emulation. Reported and fix suggested by randombit
in #1212. Fixes #1212.
* Fix an unsafe bounds check when restoring an SSL session from a ticket.
This could lead to a buffer overflow, but only in case ticket authentication
was broken. Reported and fix suggested by Guido Vranken in #659.
* Add explicit integer to enumeration type casts to example program
programs/pkey/gen_key which previously led to compilation failure
on some toolchains. Reported by phoenixmcallister. Fixes #2170.
* Fix double initialization of ECC hardware that made some accelerators
hang.
* Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
of check for certificate/key matching. Reported by Attila Molnar, #507.
= mbed TLS 2.14.1 branch released 2018-11-30
Security
* Fix timing variations and memory access variations in RSA PKCS#1 v1.5
decryption that could lead to a Bleichenbacher-style padding oracle
attack. In TLS, this affects servers that accept ciphersuites based on
RSA decryption (i.e. ciphersuites whose name contains RSA but not
(EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
(University of Adelaide), Daniel Genkin (University of Michigan),
Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
(University of Adelaide, Data61). The attack is described in more detail
in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
* In mbedtls_mpi_write_binary(), don't leak the exact size of the number
via branching and memory access patterns. An attacker who could submit
a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
of the decryption and not its result could nonetheless decrypt RSA
plaintexts and forge RSA signatures. Other asymmetric algorithms may
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
* Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
modules.
API Changes
* The new functions mbedtls_ctr_drbg_update_ret() and
mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
and mbedtls_hmac_drbg_update() respectively, but the new functions
report errors whereas the old functions return void. We recommend that
applications use the new functions.
= mbed TLS 2.14.0 branch released 2018-11-19
Security
* Fix overly strict DN comparison when looking for CRLs belonging to a
particular CA. This previously led to ignoring CRLs when the CRL's issuer
name and the CA's subject name differed in their string encoding (e.g.,
one using PrintableString and the other UTF8String) or in the choice of
upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
#1784.
* Fix a flawed bounds check in server PSK hint parsing. In case the
incoming message buffer was placed within the first 64KiB of address
space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
to trigger a memory access up to 64KiB beyond the incoming message buffer,
potentially leading to an application crash or information disclosure.
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
previous settings for the number of rounds made it practical for an
adversary to construct non-primes that would be erroneously accepted as
primes with high probability. This does not have an impact on the
security of TLS, but can matter in other contexts with numbers chosen
potentially by an adversary that should be prime and can be validated.
For example, the number of rounds was enough to securely generate RSA key
pairs or Diffie-Hellman parameters, but was insufficient to validate
Diffie-Hellman parameters properly.
See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
Kenneth G. Paterson and Juraj Somorovsky.
Features
* Add support for temporarily suspending expensive ECC computations after
some configurable amount of operations. This is intended to be used in
constrained, single-threaded systems where ECC is time consuming and can
block other operations until they complete. This is disabled by default,
but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and
configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
yet), and to existing functions in ECDH and SSL (currently only
implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
including client authentication).
* Add support for Arm CPU DSP extensions to accelerate asymmetric key
operations. On CPUs where the extensions are available, they can accelerate
MPI multiplications used in ECC and RSA cryptography. Contributed by
Aurelien Jarno.
* Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
signature always used a salt with the same length as the hash, and returned
an error if this was not possible. Now the salt size may be up to two bytes
shorter. This allows the library to support all hash and signature sizes
that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
* Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
than 256 bits limits the security of generated material to 128 bits.
API Changes
* Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
a feature that is not supported by underlying alternative
implementations implementing cryptographic primitives. This is useful for
hardware accelerators that don't implement all options or features.
New deprecations
* All module specific errors following the form
MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
supported are deprecated and are now replaced by the new equivalent
platform error.
* All module specific generic hardware acceleration errors following the
form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED that are deprecated and are replaced
by the equivalent plaform error.
* Deprecate the function mbedtls_mpi_is_prime() in favor of
mbedtls_mpi_is_prime_ext() which allows specifying the number of
Miller-Rabin rounds.
Bugfix
* Fix wrong order of freeing in programs/ssl/ssl_server2 example
application leading to a memory leak in case both
MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set.
Fixes #2069.
* Fix a bug in the update function for SSL ticket keys which previously
invalidated keys of a lifetime of less than a 1s. Fixes #1968.
* Fix failure in hmac_drbg in the benchmark sample application, when
MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
* Fix a bug in the record decryption routine ssl_decrypt_buf()
which lead to accepting properly authenticated but improperly
padded records in case of CBC ciphersuites using Encrypt-then-MAC.
* Fix memory leak and freeing without initialization in the example
program programs/x509/cert_write. Fixes #1422.
* Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
* Zeroize memory used for buffering or reassembling handshake messages
after use.
* Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
of sensitive data in the example programs aescrypt2 and crypt_and_hash.
* Change the default string format used for various X.509 DN attributes to
UTF8String. Previously, the use of the PrintableString format led to
wildcards and non-ASCII characters being unusable in some DN attributes.
Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by
Thomas-Dee.
* Fix compilation failure for configurations which use compile time
replacements of standard calloc/free functions through the macros
MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO.
Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
Changes
* Removed support for Yotta as a build tool.
* Add tests for session resumption in DTLS.
* Close a test gap in (D)TLS between the client side and the server side:
test the handling of large packets and small packets on the client side
in the same way as on the server side.
* Change the dtls_client and dtls_server samples to work by default over
IPv6 and optionally by a build option over IPv4.
* Change the use of Windows threading to use Microsoft Visual C++ runtime
calls, rather than Win32 API calls directly. This is necessary to avoid
conflict with C runtime usage. Found and fixed by irwir.
* Remember the string format of X.509 DN attributes when replicating
X.509 DNs. Previously, DN attributes were always written in their default
string format (mostly PrintableString), which could lead to CRTs being
created which used PrintableStrings in the issuer field even though the
signing CA used UTF8Strings in its subject field; while X.509 compliant,
such CRTs were rejected in some applications, e.g. some versions of
Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by
Thomas-Dee.
* Improve documentation of mbedtls_ssl_get_verify_result().
Fixes #517 reported by github-monoculture.
* Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
use it to reduce error probability in RSA key generation to levels mandated
by FIPS-186-4.
= mbed TLS 2.13.1 branch released 2018-09-06
API Changes
* Extend the platform module with an abstraction mbedtls_platform_gmtime_r()
whose implementation should behave as a thread-safe version of gmtime().
This allows users to configure such an implementation at compile time when
the target system cannot be deduced automatically, by setting the option
MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
automatically select implementations for Windows and POSIX C libraries.
Bugfix
* Fix build failures on platforms where only gmtime() is available but
neither gmtime_r() nor gmtime_s() are present. Fixes #1907.
= mbed TLS 2.13.0 branch released 2018-08-31
Security
* Fix an issue in the X.509 module which could lead to a buffer overread
during certificate extensions parsing. In case of receiving malformed
input (extensions length field equal to 0), an illegal read of one byte
beyond the input buffer is made. Found and analyzed by Nathan Crandall.
Features
* Add support for fragmentation of outgoing DTLS handshake messages. This
is controlled by the maximum fragment length as set locally or negotiated
with the peer, as well as by a new per-connection MTU option, set using
mbedtls_ssl_set_mtu().
* Add support for auto-adjustment of MTU to a safe value during the
handshake when flights do not get through (RFC 6347, section 4.1.1.1,
last paragraph).
* Add support for packing multiple records within a single datagram,
enabled by default.
* Add support for buffering out-of-order handshake messages in DTLS.
The maximum amount of RAM used for this can be controlled by the
compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
in mbedtls/config.h.
API Changes
* Add function mbedtls_ssl_set_datagram_packing() to configure
the use of datagram packing (enabled by default).
Bugfix
* Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
failure in the function could lead to other buffers being leaked.
* Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if
MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890
* Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
Fix contributed by Espressif Systems.
* Add ecc extensions only if an ecc based ciphersuite is used.
This improves compliance to RFC 4492, and as a result, solves
interoperability issues with BouncyCastle. Raised by milenamil in #1157.
* Replace printf with mbedtls_printf in the ARIA module. Found by
TrinityTonic in #1908.
* Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
* Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
with TLS versions 1.1 and earlier when the server requested authentication
without providing a list of CAs. This was due to an overly strict bounds
check in parsing the CertificateRequest message,
introduced in Mbed TLS 2.12.0. Fixes #1954.
* Fix a miscalculation of the maximum record expansion in
mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914.
* Fix undefined shifts with negative values in certificates parsing
(found by Catena cyber using oss-fuzz)
* Fix memory leak and free without initialization in pk_encrypt
and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.
* Remove redundant else statement. Raised by irwir. Fixes #1776.
Changes
* Copy headers preserving timestamps when doing a "make install".
Contributed by xueruini.
* Allow the forward declaration of public structs. Contributed by Dawid
Drozd. Fixes #1215 raised by randombit.
* Improve compatibility with some alternative CCM implementations by using
CCM test vectors from RAM.
* Add support for buffering of out-of-order handshake messages.
* Add warnings to the documentation of the HKDF module to reduce the risk
of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand()
functions. Fixes #1775. Reported by Brian J. Murray.
= mbed TLS 2.12.0 branch released 2018-07-25
Security
* Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
partially recover the plaintext of messages under some conditions by
exploiting timing measurements. With DTLS, the attacker could perform
this recovery by sending many messages in the same connection. With TLS
or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only
worked if the same secret (for example a HTTP Cookie) has been repeatedly
sent over connections manipulated by the attacker. Connections using GCM
or CCM instead of CBC, using hash sizes other than SHA-384, or using
Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
caused by a miscalculation (for SHA-384) in a countermeasure to the
original Lucky 13 attack. Found by Kenny Paterson, Eyal Ronen and Adi
Shamir.
* Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
1.2, that allowed a local attacker, able to execute code on the local
machine as well as manipulate network packets, to partially recover the
plaintext of messages under some conditions by using a cache attack
targeting an internal MD/SHA buffer. With TLS or if
mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
the same secret (for example a HTTP Cookie) has been repeatedly sent over
connections manipulated by the attacker. Connections using GCM or CCM
instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
* Add a counter-measure against a vulnerability in TLS ciphersuites based
on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
execute code on the local machine as well as manipulate network packets,
to partially recover the plaintext of messages under some conditions (see
previous entry) by using a cache attack targeting the SSL input record
buffer. Connections using GCM or CCM instead of CBC or using
Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
Eyal Ronen and Adi Shamir.
Features
* Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
by Daniel King.
* Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
* Add platform support for the Haiku OS. (https://www.haiku-os.org).
Contributed by Augustin Cavalier.
* Make the receive and transmit buffers independent sizes, for situations
where the outgoing buffer can be fixed at a smaller size than the incoming
buffer, which can save some RAM. If buffer lengths are kept equal, there
is no functional difference. Contributed by Angus Gratton, and also
independently contributed again by Paul Sokolovsky.
* Add support for key wrapping modes based on AES as defined by
NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
Bugfix
* Fix the key_app_writer example which was writing a leading zero byte which
was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257.
* Fix compilation error on C++, because of a variable named new.
Found and fixed by Hirotaka Niisato in #1783.
* Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
contributed by tabascoeye.
* Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
return value. Found by @davidwu2000. #839
* Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
Philippe Antoine. Fixes #1623.
* Remove unused headers included in x509.c. Found by Chris Hanson and fixed
by Brendan Shanks. Part of a fix for #992.
* Fix compilation error when MBEDTLS_ARC4_C is disabled and
MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
* Added length checks to some TLS parsing functions. Found and fixed by
Philippe Antoine from Catena cyber. #1663.
* Fix the inline assembly for the MPI multiply helper function for i386 and
i386 with SSE2. Found by László Langó. Fixes #1550
* Fix namespacing in header files. Remove the `mbedtls` namespacing in
the `#include` in the header files. Resolves #857
* Fix compiler warning of 'use before initialisation' in
mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid
Drozd. #1098
* Fix decryption for zero length messages (which contain all padding) when a
CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
such a message was wrongly reported as an invalid record and therefore lead
to the connection being terminated. Seen most often with OpenSSL using
TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix
contributed by Espressif Systems. Fixes #1632
* Fix ssl_client2 example to send application data with 0-length content
when the request_size argument is set to 0 as stated in the documentation.
Fixes #1833.
* Correct the documentation for `mbedtls_ssl_get_session()`. This API has
deep copy of the session, and the peer certificate is not lost. Fixes #926.
* Fix build using -std=c99. Fixed by Nick Wilson.
Changes
* Fail when receiving a TLS alert message with an invalid length, or invalid
zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
* Change the default behaviour of mbedtls_hkdf_extract() to return an error
when calling with a NULL salt and non-zero salt_len. Contributed by
Brian J Murray
* Change the shebang line in Perl scripts to look up perl in the PATH.
Contributed by fbrosson.
* Allow overriding the time on Windows via the platform-time abstraction.
Fixed by Nick Wilson.
* Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
= mbed TLS 2.11.0 branch released 2018-06-18
Features
* Add additional block mode, OFB (Output Feedback), to the AES module and
cipher abstraction module.
* Implement the HMAC-based extract-and-expand key derivation function
(HKDF) per RFC 5869. Contributed by Thomas Fossati.
* Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
* Add support for the XTS block cipher mode with AES (AES-XTS).
Contributed by Aorimn in pull request #414.
* In TLS servers, support offloading private key operations to an external
cryptoprocessor. Private key operations can be asynchronous to allow
non-blocking operation of the TLS server stack.
Bugfix
* Fix the cert_write example to handle certificates signed with elliptic
curves as well as RSA. Fixes #777 found by dbedev.
* Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
used by user applications. Found and fixed by Fabio Alessandrelli.
* Fix compilation warnings with IAR toolchain, on 32 bit platform.
Reported by rahmanih in #683
* Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
Changes
* Changed CMake defaults for IAR to treat all compiler warnings as errors.
* Changed the Clang parameters used in the CMake build files to work for
versions later than 3.6. Versions of Clang earlier than this may no longer
work. Fixes #1072
= mbed TLS 2.10.0 branch released 2018-06-06
Features
* Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
(RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
API Changes
* Extend the platform module with a util component that contains
functionality shared by multiple Mbed TLS modules. At this stage
platform_util.h (and its associated platform_util.c) only contain
mbedtls_platform_zeroize(), which is a critical function from a security
point of view. mbedtls_platform_zeroize() needs to be regularly tested
against compilers to ensure that calls to it are not removed from the
output binary as part of redundant code elimination optimizations.
Therefore, mbedtls_platform_zeroize() is moved to the platform module to
facilitate testing and maintenance.
Bugfix
* Fix an issue with MicroBlaze support in bn_mul.h which was causing the
build to fail. Found by zv-io. Fixes #1651.
Changes
* Support TLS testing in out-of-source builds using cmake. Fixes #1193.
* Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by
TrinityTonic. #1359.
= mbed TLS 2.9.0 branch released 2018-04-30
Security
* Fix an issue in the X.509 module which could lead to a buffer overread
during certificate validation. Additionally, the issue could also lead to
unnecessary callback checks being made or to some validation checks to be
omitted. The overread could be triggered remotely, while the other issues
would require a non DER-compliant certificate to be correctly signed by a
trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
luocm. Fixes #825.
* Fix the buffer length assertion in the ssl_parse_certificate_request()
function which led to an arbitrary overread of the message buffer. The
overreads could be caused by receiving a malformed message at the point
where an optional signature algorithms list is expected when the signature
algorithms section is too short. In builds with debug output, the overread
data is output with the debug data.
* Fix a client-side bug in the validation of the server's ciphersuite choice
which could potentially lead to the client accepting a ciphersuite it didn't
offer or a ciphersuite that cannot be used with the TLS or DTLS version
chosen by the server. This could lead to corruption of internal data
structures for some configurations.
Features
* Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES
tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB.
Suggested and contributed by jkivilin in pull request #394.
* Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
ECDH primitive functions (mbedtls_ecdh_gen_public(),
mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
Nicholas Wilson in pull request #348.
API Changes
* Extend the public API with the function of mbedtls_net_poll() to allow user
applications to wait for a network context to become ready before reading
or writing.
* Add function mbedtls_ssl_check_pending() to the public API to allow
a check for whether more more data is pending to be processed in the
internal message buffers.
This function is necessary to determine when it is safe to idle on the
underlying transport in case event-driven IO is used.
Bugfix
* Fix a spurious uninitialized variable warning in cmac.c. Fix independently
contributed by Brian J Murray and David Brown.
* Add missing dependencies in test suites that led to build failures
in configurations that omit certain hashes or public-key algorithms.
Fixes #1040.
* Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
#1353
* Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
Deomid Ryabkov. Fixes #1299, #1475.
* Fix the Makefile build process for building shared libraries on Mac OS X.
Fixed by mnacamura.
* Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
unable to parse keys which had only the optional parameters field of the
ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
* Return the plaintext data more quickly on unpadded CBC decryption, as
stated in the mbedtls_cipher_update() documentation. Contributed by
Andy Leiserson.
* Fix overriding and ignoring return values when parsing and writing to
a file in pk_sign program. Found by kevlut in #1142.
* Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
where data needs to be fetched from the underlying transport in order
to make progress. Previously, this error code was also occasionally
returned when unexpected messages were being discarded, ignoring that
further messages could potentially already be pending to be processed
in the internal buffers; these cases led to deadlocks when event-driven
I/O was used. Found and reported by Hubert Mis in #772.
* Fix buffer length assertions in the ssl_parse_certificate_request()
function which leads to a potential one byte overread of the message
buffer.
* Fix invalid buffer sizes passed to zlib during record compression and
decompression.
* Fix the soversion of libmbedcrypto to match the soversion of the
maintained 2.7 branch. The soversion was increased in Mbed TLS
version 2.7.1 to reflect breaking changes in that release, but the
increment was missed in 2.8.0 and later releases outside of the 2.7 branch.
Changes
* Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
* Support cmake builds where Mbed TLS is a subproject. Fix contributed
independently by Matthieu Volat and Arne Schwabe.
* Improve testing in configurations that omit certain hashes or
public-key algorithms. Includes contributions by Gert van Dijk.
* Improve negative testing of X.509 parsing.
* Do not define global mutexes around readdir() and gmtime() in
configurations where the feature is disabled. Found and fixed by Gergely
Budai.
* Harden the function mbedtls_ssl_config_free() against misuse, so that it
doesn't leak memory if the user doesn't use mbedtls_ssl_conf_psk() and
instead incorrectly manipulates the configuration structure directly.
Found and fix submitted by junyeonLEE in #1220.
* Provide an empty implementation of mbedtls_pkcs5_pbes2() when
MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
without PBES2. Fixed by Marcos Del Sol Vives.
* Add the order of the base point as N in the mbedtls_ecp_group structure
for Curve25519 (other curves had it already). Contributed by Nicholas
Wilson #481
* Improve the documentation of mbedtls_net_accept(). Contributed by Ivan
Krylov.
* Improve the documentation of mbedtls_ssl_write(). Suggested by
Paul Sokolovsky in #1356.
* Add an option in the Makefile to support ar utilities where the operation
letter must not be prefixed by '-', such as LLVM. Found and fixed by
Alex Hixon.
* Allow configuring the shared library extension by setting the DLEXT
environment variable when using the project makefiles.
* Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
by Alexey Skalozub in #405.
* In the SSL module, when f_send, f_recv or f_recv_timeout report
transmitting more than the required length, return an error. Raised by
Sam O'Connor in #1245.
* Improve robustness of mbedtls_ssl_derive_keys against the use of
HMAC functions with non-HMAC ciphersuites. Independently contributed
by Jiayuan Chen in #1377. Fixes #1437.
* Improve security of RSA key generation by including criteria from
FIPS 186-4. Contributed by Jethro Beekman. #1380
* Declare functions in header files even when an alternative implementation
of the corresponding module is activated by defining the corresponding
MBEDTLS_XXX_ALT macro. This means that alternative implementations do
not need to copy the declarations, and ensures that they will have the
same API.
* Add platform setup and teardown calls in test suites.
= mbed TLS 2.8.0 branch released 2018-03-16
Default behavior changes
* The truncated HMAC extension now conforms to RFC 6066. This means
that when both sides of a TLS connection negotiate the truncated
HMAC extension, Mbed TLS can now interoperate with other
compliant implementations, but this breaks interoperability with
prior versions of Mbed TLS. To restore the old behavior, enable
the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
config.h. Found by Andreas Walz (ivESK, Offenburg University of
Applied Sciences).
Security
* Fix implementation of the truncated HMAC extension. The previous
implementation allowed an offline 2^80 brute force attack on the
HMAC key of a single, uninterrupted connection (with no
resumption of the session).
* Verify results of RSA private key operations to defend
against Bellcore glitch attack.
* Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
a crash on invalid input.
* Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a
crash on invalid input.
* Fix CRL parsing to reject CRLs containing unsupported critical
extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
Features
* Extend PKCS#8 interface by introducing support for the entire SHA
algorithms family when encrypting private keys using PKCS#5 v2.0.
This allows reading encrypted PEM files produced by software that
uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
OpenVPN Inc. Fixes #1339
* Add support for public keys encoded in PKCS#1 format. #1122
New deprecations
* Deprecate support for record compression (configuration option
MBEDTLS_ZLIB_SUPPORT).
Bugfix
* Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
Fixes #1358.
* Fix test_suite_pk to work on 64-bit ILP32 systems. #849
* Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
In the context of SSL, this resulted in handshake failure. Reported by
daniel in the Mbed TLS forum. #1351
* Fix Windows x64 builds with the included mbedTLS.sln file. #1347
* Fix setting version TLSv1 as minimal version, even if TLS 1
is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
and MBEDTLS_SSL_MIN_MINOR_VERSION instead of
MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
* Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
only if __MINGW32__ not defined. Fix suggested by Thomas Glanzmann and
Nick Wilson on issue #355
* In test_suite_pk, pass valid parameters when testing for hash length
overflow. #1179
* Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
by Guido Vranken. #639
* Log correct number of ciphersuites used in Client Hello message. #918
* Fix X509 CRT parsing that would potentially accept an invalid tag when
parsing the subject alternative names.
* Fix a possible arithmetic overflow in ssl_parse_server_key_exchange()
that could cause a key exchange to fail on valid data.
* Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that
could cause a key exchange to fail on valid data.
* Don't define mbedtls_aes_decrypt and mbedtls_aes_encrypt under
MBEDTLS_DEPRECATED_REMOVED. #1388
* Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
Found through fuzz testing.
Changes
* Fix tag lengths and value ranges in the documentation of CCM encryption.
Contributed by Mathieu Briand.
* Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
* Remove support for the library reference configuration for picocoin.
* MD functions deprecated in 2.7.0 are no longer inline, to provide
a migration path for those depending on the library's ABI.
* Clarify the documentation of mbedtls_ssl_setup.
* Use (void) when defining functions with no parameters. Contributed by
Joris Aerts. #678
= mbed TLS 2.7.0 branch released 2018-02-03
Security
* Fix a heap corruption issue in the implementation of the truncated HMAC
extension. When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet could be used to selectively corrupt
6 bytes on the peer's heap, which could potentially lead to crash or remote
code execution. The issue could be triggered remotely from either side in
both TLS and DTLS. CVE-2018-0488
* Fix a buffer overflow in RSA-PSS verification when the hash was too large
for the key size, which could potentially lead to crash or remote code
execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
Qualcomm Technologies Inc. CVE-2018-0487
* Fix buffer overflow in RSA-PSS verification when the unmasked data is all
zeros.
* Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
64 KiB to the address of the SSL buffer and causing a wrap around.
* Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
default enabled) maximum fragment length extension is disabled in the
config and the application data buffer passed to mbedtls_ssl_write
is larger than the internal message buffer (16384 bytes by default), the
latter overflows. The exploitability of this issue depends on whether the
application layer can be forced into sending such large packets. The issue
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
Fixes #707.
* Add a provision to prevent compiler optimizations breaking the time
constancy of mbedtls_ssl_safer_memcmp().
* Ensure that buffers are cleared after use if they contain sensitive data.
Changes were introduced in multiple places in the library.
* Set PEM buffer to zero before freeing it, to avoid decoded private keys
being leaked to memory after release.
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
leaking 1 bit of the private key. Reported by prashantkspatil.
* Make mbedtls_mpi_read_binary() constant-time with respect to the input
data. Previously, trailing zero bytes were detected and omitted for the
sake of saving memory, but potentially leading to slight timing
differences. Reported by Marco Macchetti, Kudelski Group.
* Wipe stack buffer temporarily holding EC private exponent
after keypair generation.
* Fix a potential heap buffer over-read in ALPN extension parsing
(server-side). Could result in application crash, but only if an ALPN
name larger than 16 bytes had been configured on the server.
* Change default choice of DHE parameters from untrustworthy RFC 5114
to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
manner.