Merge pull request #842 from ARMmbed/mbedtls-3.0.0rc0-pr

Mbedtls 3.0.0rc0 pr

BRANCHES.md

@@ -6,7 +6,7 @@ At any point in time, we have a number of maintained branches consisting of:
   this always contains the latest release, including all publicly available
   security fixes.
 - The [`development`](https://github.com/ARMmbed/mbedtls/tree/development) branch:
-  this is where the next major version of Mbed TLS (version 3.0) is being
+  this is where the current major version of Mbed TLS (version 3.x) is being
   prepared. It has API changes that make it incompatible with Mbed TLS 2.x,
   as well as all the new features and bug fixes and security fixes.
 - The [`development_2.x`](https://github.com/ARMmbed/mbedtls/tree/development_2.x) branch:

CMakeLists.txt

@@ -312,7 +312,7 @@ configure_package_config_file(
 write_basic_package_version_file(
     "cmake/MbedTLSConfigVersion.cmake"
         COMPATIBILITY SameMajorVersion
-        VERSION 2.26.0)
+        VERSION 3.0.0)
 
 install(
     FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"

ChangeLog

@@ -1,6 +1,6 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
-= Mbed TLS 3.0.0 branch released 2021-xx-xx
+= Mbed TLS 3.0.0 branch released 2021-07-07
 
 API changes
    * Remove HAVEGE module.
@@ -36,12 +36,149 @@ API changes
    * Drop support for RC4 TLS ciphersuites.
    * Drop support for single-DES ciphersuites.
    * Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
+   * Update AEAD output size macros to bring them in line with the PSA Crypto
+     API version 1.0 spec. This version of the spec parameterizes them on the
+     key type used, as well as the key bit-size in the case of
+     PSA_AEAD_TAG_LENGTH.
+   * Add configuration option MBEDTLS_X509_REMOVE_INFO which
+     removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
+     as well as other functions and constants only used by
+     those functions. This reduces the code footprint by
+     several kB.
+   * Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
+     and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` which are never
+     returned from the public SSL API.
+   * Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return
+     `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead.
+   * The output parameter of mbedtls_sha512_finish, mbedtls_sha512,
+     mbedtls_sha256_finish and mbedtls_sha256 now has a pointer type
+     rather than array type. This removes spurious warnings in some compilers
+     when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
+     the hash size.
+   * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
+   * The interface of the GCM module has changed to remove restrictions on
+     how the input to multipart operations is broken down. mbedtls_gcm_finish()
+     now takes extra output parameters for the last partial output block.
+     mbedtls_gcm_update() now takes extra parameters for the output length.
+     The software implementation always produces the full output at each
+     call to mbedtls_gcm_update(), but alternative implementations activated
+     by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
+     mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
+     no longer pass the associated data to mbedtls_gcm_starts(), but to the
+     new function mbedtls_gcm_update_ad().
+     These changes are backward compatible for users of the cipher API.
+   * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
+     This separates config option enabling the SHA384 algorithm from option
+     enabling the SHA512 algorithm. Fixes #4034.
+   * Introduce MBEDTLS_SHA224_C.
+     This separates config option enabling the SHA224 algorithm from option
+     enabling SHA256.
+   * The getter and setter API of the SSL session cache (used for
+     session-ID based session resumption) has changed to that of
+     a key-value store with keys being session IDs and values
+     being opaque instances of `mbedtls_ssl_session`.
+   * Remove the mode parameter from RSA operation functions. Signature and
+     decryption functions now always use the private key and verification and
+     encryption use the public key. Verification functions also no longer have
+     RNG parameters.
+   * Modify semantics of `mbedtls_ssl_conf_[opaque_]psk()`:
+     In Mbed TLS 2.X, the API prescribes that later calls overwrite
+     the effect of earlier calls. In Mbed TLS 3.0, calling
+     `mbedtls_ssl_conf_[opaque_]psk()` more than once will fail,
+     leaving the PSK that was configured first intact.
+     Support for more than one PSK may be added in 3.X.
+   * The function mbedtls_x509write_csr_set_extension() has an extra parameter
+     which allows to mark an extension as critical. Fixes #4055.
+   * For multi-part AEAD operations with the cipher module, calling
+     mbedtls_cipher_finish() is now mandatory. Previously the documentation
+     was unclear on this point, and this function happened to never do
+     anything with the currently implemented AEADs, so in practice it was
+     possible to skip calling it, which is no longer supported.
+   * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
+     instead of computing tables in runtime. Thus, this option now increase
+     code size, and it does not increase RAM usage in runtime anymore.
+   * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
+     mbedtls_ssl_get_output_max_frag_len(), and add a new API
+     mbedtls_ssl_get_max_in_record_payload(), complementing the existing
+     mbedtls_ssl_get_max_out_record_payload().
+     Uses of mbedtls_ssl_get_input_max_frag_len() and
+     mbedtls_ssl_get_input_max_frag_len() should be replaced by
+     mbedtls_ssl_get_max_in_record_payload() and
+     mbedtls_ssl_get_max_out_record_payload(), respectively.
+   * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
+     key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
+     after initializing the context. mbedtls_rsa_set_padding() now returns an
+     error if its parameters are invalid.
+   * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
+     configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
+   * Instead of accessing the len field of a DHM context, which is no longer
+     supported, use the new function mbedtls_dhm_get_len() .
+   * In modules that implement cryptographic hash functions, many functions
+     mbedtls_xxx() now return int instead of void, and the corresponding
+     function mbedtls_xxx_ret() which was identical except for returning int
+     has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
+     migration guide for more information. Fixes #4212.
+   * For all functions that take a random number generator (RNG) as a
+     parameter, this parameter is now mandatory (that is, NULL is not an
+     acceptable value). Functions which previously accepted NULL and now
+     reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
+     sign and decrypt function; mbedtls_rsa_private(); the functions
+     in DHM and ECDH that compute the shared secret; the scalar multiplication
+     functions in ECP.
+   * The following functions now require an RNG parameter:
+     mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
+     mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
+   * mbedtls_ssl_conf_export_keys_ext_cb() and
+     mbedtls_ssl_conf_export_keys_cb() have been removed and
+     replaced by a new API mbedtls_ssl_set_export_keys_cb().
+     Raw keys and IVs are no longer passed to the callback.
+     Further, callbacks now receive an additional parameter
+     indicating the type of secret that's being exported,
+     paving the way for the larger number of secrets
+     in TLS 1.3. Finally, the key export callback and
+     context are now connection-specific.
+   * Signature functions in the RSA and PK modules now require the hash
+     length parameter to be the size of the hash input. For RSA signatures
+     other than raw PKCS#1 v1.5, this must match the output size of the
+     specified hash algorithm.
+   * The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
+     mbedtls_ecdsa_write_signature() and
+     mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
+     indicating the size of the output buffer for the signature.
+   * Implement one-shot cipher functions, psa_cipher_encrypt and
+     psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
+     specification.
+   * Direct access to fields of structures declared in public headers is no
+     longer supported except for fields that are documented public. Use accessor
+     functions instead. For more information, see the migration guide entry
+     "Most structure fields are now private".
+   * mbedtls_ssl_get_session_pointer() has been removed, and
+     mbedtls_ssl_{set,get}_session() may now only be called once for any given
+     SSL context.
+
+Default behavior changes
+   * Enable by default the functionalities which have no reason to be disabled.
+     They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
+     Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
+   * Some default policies for X.509 certificate verification and TLS have
+     changed: curves and hashes weaker than 255 bits are no longer accepted
+     by default. The default order in TLS now favors faster curves over larger
+     curves.
 
 Requirement changes
    * The library now uses the %zu format specifier with the printf() family of
      functions, so requires a toolchain that supports it. This change does not
      affect the maintained LTS branches, so when contributing changes please
      bear this in mind and do not add them to backported code.
+   * If you build the development version of Mbed TLS, rather than an official
+     release, some configuration-independent files are now generated at build
+     time rather than checked into source control. This includes some library
+     source files as well as the Visual Studio solution. Perl, Python 3 and a
+     C compiler for the host platform are required. See “Generated source files
+     in the development branch” in README.md for more information.
+   * Refresh the minimum supported versions of tools to build the
+     library. CMake versions older than 3.10.2 and Python older
+     than 3.6 are no longer supported.
 
 Removals
    * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
@@ -49,7 +186,6 @@ Removals
      certificates signed with SHA-1 due to the known attacks against SHA-1.
      If needed, SHA-1 certificates can still be verified by using a custom
      verification profile.
-
    * Removed deprecated things in psa/crypto_compat.h. Fixes #4284
    * Removed deprecated functions from hashing modules. Fixes #4280.
    * Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,
@@ -58,12 +194,133 @@ Removals
      More details on PCKS#11 wrapper removal can be found in the mailing list
      https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
    * Remove deprecated error codes. Fix #4283
+   * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
+   * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+     compile-time option. This option has been inactive for a long time.
+     Please use the `lifetime` parameter of `mbedtls_ssl_ticket_setup()`
+     instead.
+   * Remove the following deprecated functions and constants of hex-encoded
+     primes based on RFC 5114 and RFC 3526 from library code and tests:
+     mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
+     mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
+     mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
+     mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
+     mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
+     MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
+     MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
+     MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
+     MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
+     Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.
+   * Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
+     MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
+     it. Fixes #4362.
+   * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
+     previous action. Fixes #4361.
+   * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
+     CBC record splitting, fallback SCSV, and the ability to configure
+     ciphersuites per version, which are no longer relevant. This removes the
+     configuration options MBEDTLS_SSL_PROTO_TLS1,
+     MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
+     MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
+     mbedtls_ssl_conf_cbc_record_splitting(),
+     mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
+     and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.
+   * The RSA module no longer supports private-key operations with the public
+     key and vice versa.
+   * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
+   * Remove all the 3DES ciphersuites:
+     MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+     MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the
+     MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
+     Fixes #4367.
+   * Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code
+     behave as if it was always disabled. Fixes #4386.
+   * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
+     backward compatibility which is no longer supported. Addresses #4404.
+   * Remove the following macros: MBEDTLS_CHECK_PARAMS,
+     MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
+     MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.
+   * Remove the  MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
+     option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
+     migration path. Fixes #4378.
+   * Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
+     MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
+     behave as if they were always enabled. Fixes #4405.
+   * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
+     now determined automatically based on supported curves.
+   * Remove the following functions: mbedtls_timing_self_test(),
+     mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
+     mbedtls_set_alarm(). Fixes #4083.
+   * The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
+     it no longer had any effect.
+   * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
+     corresponding modules and all their APIs and related configuration
+     options. Fixes #4084.
+   * Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
+     MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
+     using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
+     See issue #4341 for more details.
+   * Remove the compile-time option
+     MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.
 
 Features
    * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
      signature with a specific salt length. This function allows to validate
      test cases provided in the NIST's CAVP test suite. Contributed by Cédric
      Meuter in PR #3183.
+   * Added support for built-in driver keys through the PSA opaque crypto
+     driver interface. Refer to the documentation of
+     MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
+   * Implement psa_sign_message() and psa_verify_message().
+   * The multi-part GCM interface (mbedtls_gcm_update() or
+     mbedtls_cipher_update()) no longer requires the size of partial inputs to
+     be a multiple of 16.
+   * The multi-part GCM interface now supports chunked associated data through
+     multiple calls to mbedtls_gcm_update_ad().
+   * The new function mbedtls_mpi_random() generates a random value in a
+     given range uniformly.
+   * Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
+     modules had undocumented constraints on their context types. These
+     constraints have been relaxed.
+     See docs/architecture/alternative-implementations.md for the remaining
+     constraints.
+   * The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
+     query the size of the modulus in a Diffie-Hellman context.
+   * The new function mbedtls_dhm_get_value() copy a field out of a
+     Diffie-Hellman context.
+   * Use the new function mbedtls_ecjpake_set_point_format() to select the
+     point format for ECJPAKE instead of accessing the point_format field
+     directly, which is no longer supported.
+   * Implement psa_mac_compute() and psa_mac_verify() as defined in the
+     PSA Cryptograpy API 1.0.0 specification.
+
+Security
+   * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
+     private keys and of blinding values for DHM and elliptic curves (ECP)
+     computations. Reported by FlorianF89 in #4245.
+   * Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
+     An adversary who is capable of very precise timing measurements could
+     learn partial information about the leading bits of the nonce used for the
+     signature, allowing the recovery of the private key after observing a
+     large number of signature operations. This completes a partial fix in
+     Mbed TLS 2.20.0.
+   * An adversary with access to precise enough information about memory
+     accesses (typically, an untrusted operating system attacking a secure
+     enclave) could recover an RSA private key after observing the victim
+     performing a single private-key operation. Found and reported by
+     Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
+   * An adversary with access to precise enough timing information (typically, a
+     co-located process) could recover a Curve25519 or Curve448 static ECDH key
+     after inputting a chosen public key and observing the victim performing the
+     corresponding private-key operation. Found and reported by Leila Batina,
+     Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
 
 Bugfix
    * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
@@ -87,13 +344,126 @@ Bugfix
      mbedtls_mpi_read_string() was called on "-0", or when
      mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
      the arguments being negative and the other being 0. Fixes #4643.
+   * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
+     defined. Fixes #4217.
+   * Fix an incorrect error code when parsing a PKCS#8 private key.
+   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
+     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
+     minimum size was rounded down to the nearest multiple of 8.
+   * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
+     defined to specific values.  If the code is used in a context
+     where these are already defined, this can result in a compilation
+     error.  Instead, assume that if they are defined, the values will
+     be adequate to build Mbed TLS.
+   * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
+     nonetheless, resulting in undefined reference errors when building a
+     shared library. Reported by Guillermo Garcia M. in #4411.
+   * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
+     when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
+     was disabled. Fix the dependency. Fixes #4472.
+   * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
+   * Fix test suite code on platforms where int32_t is not int, such as
+     Arm Cortex-M. Fixes #4530.
+   * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
+     directive in a header and a missing initialization in the self-test.
+   * Fix a missing initialization in the Camellia self-test, affecting
+     MBEDTLS_CAMELLIA_ALT implementations.
+   * Restore the ability to configure PSA via Mbed TLS options to support RSA
+     key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
+     is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
+     Fixes #4512.
+   * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
+     (when the encrypt-then-MAC extension is not in use) with some ALT
+     implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
+     the affected side to wrongly reject valid messages. Fixes #4118.
+   * Remove outdated check-config.h check that prevented implementing the
+     timing module on Mbed OS. Fixes #4633.
+   * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
+     about missing inputs.
+   * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
+     MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
+   * Fix a resource leak in a test suite with an alternative AES
+     implementation. Fixes #4176.
+   * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
+     could notably be triggered by setting the TLS debug level to 3 or above
+     and using a Montgomery curve for the key exchange. Reported by lhuang04
+     in #4578. Fixes #4608.
+   * psa_verify_hash() was relying on implementation-specific behavior of
+     mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
+     implementations. This reliance is now removed. Fixes #3990.
+   * Disallow inputs of length different from the corresponding hash when
+     signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
+     that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
+   * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
+     A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
+     could not be triggered by code that constructed A with one of the
+     mbedtls_mpi_read_xxx functions (including in particular TLS code) since
+     those always built an mpi object with at least one limb.
+     Credit to OSS-Fuzz. Fixes #4641.
+   * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
+     effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
+     applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
+   * The PSA API no longer allows the creation or destruction of keys with a
+     read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
+     can now only be used as intended, for keys that cannot be modified through
+     normal use of the API.
+   * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
+     in all the right places. Include it from crypto_platform.h, which is
+     the natural place. Fixes #4649.
+   * Fix which alert is sent in some cases to conform to the
+     applicable RFC: on an invalid Finished message value, an
+     invalid max_fragment_length extension, or an
+     unsupported extension used by the server.
+   * Correct (change from 12 to 13 bytes) the value of the macro describing the
+     maximum nonce length returned by psa_aead_generate_nonce().
 
 Changes
    * Fix the setting of the read timeout in the DTLS sample programs.
    * Add extra printf compiler warning flags to builds.
    * Fix memsan build false positive in x509_crt.c with clang 11
-   * There is ongoing work for the next release (= Mbed TLS 3.0.0 branch to
-     be released 2021-xx-xx), including various API-breaking changes.
+   * Alternative implementations of CMAC may now opt to not support 3DES as a
+     CMAC block cipher, and still pass the CMAC self test.
+   * Remove the AES sample application programs/aes/aescrypt2 which shows
+     bad cryptographic practice. Fix #1906.
+   * Remove configs/config-psa-crypto.h, which no longer had any intended
+     differences from the default configuration, but had accidentally diverged.
+   * When building the test suites with GNU make, invoke python3 or python, not
+     python2, which is no longer supported upstream.
+   * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
+     When that flag is on, standard GNU C printf format specifiers
+     should be used.
+   * Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and
+     MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option
+     MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335.
+   * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
+     during ECC operations at a negligible performance cost.
+   * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
+     mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
+     when their input has length 0. Note that this is an implementation detail
+     and can change at any time, so this change should be transparent, but it
+     may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
+     now writing an empty string where it previously wrote one or more
+     zero digits when operating from values constructed with an mpi_read
+     function and some mpi operations.
+   * Add CMake package config generation for CMake projects consuming Mbed TLS.
+   * config.h has been split into build_info.h and mbedtls_config.h
+     build_info.h is intended to be included from C code directly, while
+     mbedtls_config.h is intended to be edited by end users wishing to
+     change the build configuration, and should generally only be included from
+     build_info.h.
+   * The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h.
+   * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
+     Defining it to a particular value will ensure that Mbed TLS interprets
+     the config file in a way that's compatible with the config file format
+     used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same
+     value.
+     The only value supported by Mbed TLS 3.0.0 is 0x03000000.
+   * Various changes to which alert and/or error code may be returned
+   * during the TLS handshake.
+   * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
+     PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
+     when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
+     is also applied when loading a key from storage.
 
 = mbed TLS 2.26.0 branch released 2021-03-08
 

ChangeLog.d/add-cmake-package-config.txt

@@ -1,2 +0,0 @@
-Changes
-   * Add CMake package config generation for CMake projects consuming Mbed TLS.

ChangeLog.d/add-missing-parenthesis.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
-     defined. Fixes #4217.

ChangeLog.d/aescrypt2.txt

@@ -1,3 +0,0 @@
-Changes
-   * Remove the AES sample application programs/aes/aescrypt2 which shows
-     bad cryptographic practice. Fix #1906.

ChangeLog.d/allow_alt_cmac_without_des.txt

@@ -1,3 +0,0 @@
-Changes
-   * Alternative implementations of CMAC may now opt to not support 3DES as a
-     CMAC block cipher, and still pass the CMAC self test.

ChangeLog.d/alt-context-relaxation.txt

@@ -1,6 +0,0 @@
-Features
-   * Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
-     modules had undocumented constraints on their context types. These
-     constraints have been relaxed.
-     See docs/architecture/alternative-implementations.md for the remaining
-     constraints.

ChangeLog.d/aria-alt.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
-     directive in a header and a missing initialization in the self-test.
-   * Fix a missing initialization in the Camellia self-test, affecting
-     MBEDTLS_CAMELLIA_ALT implementations.

ChangeLog.d/cipher-delayed-output.txt

@@ -1,6 +0,0 @@
-API changes
-   * For multi-part AEAD operations with the cipher module, calling
-     mbedtls_cipher_finish() is now mandatory. Previously the documentation
-     was unclear on this point, and this function happened to never do
-     anything with the currently implemented AEADs, so in practice it was
-     possible to skip calling it, which is no longer supported.

ChangeLog.d/ciphersuite-sha1-sha384-guard.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
-     when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
-     was disabled. Fix the dependency. Fixes #4472.

ChangeLog.d/ciphersuite-sha384-guard.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.

ChangeLog.d/default-curves.txt

@@ -1,9 +0,0 @@
-Default behavior changes
-   * Some default policies for X.509 certificate verification and TLS have
-     changed: curves and hashes weaker than 255 bits are no longer accepted
-     by default. The default order in TLS now favors faster curves over larger
-     curves.
-
-Removals
-   * Remove the compile-time option
-     MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.

ChangeLog.d/dhm-fields.txt

@@ -1,9 +0,0 @@
-Features
-   * The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
-     query the size of the modulus in a Diffie-Hellman context.
-   * The new function mbedtls_dhm_get_value() copy a field out of a
-     Diffie-Hellman context.
-
-API changes
-   * Instead of accessing the len field of a DHM context, which is no longer
-     supported, use the new function mbedtls_dhm_get_len() .

ChangeLog.d/dhm_min_bitlen.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
-     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
-     minimum size was rounded down to the nearest multiple of 8.

ChangeLog.d/ecjpake-point_format.txt

@@ -1,4 +0,0 @@
-Features
-   * Use the new function mbedtls_ecjpake_set_point_format() to select the
-     point format for ECJPAKE instead of accessing the point_format field
-     directly, which is no longer supported.

ChangeLog.d/ecp-window-size.txt

@@ -1,3 +0,0 @@
-Changes
-   * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
-     during ECC operations at a negligible performance cost.

ChangeLog.d/ecp_max_bits.txt

@@ -1,3 +0,0 @@
-Removals
-   * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
-     now determined automatically based on supported curves.

ChangeLog.d/fix-mingw-build.txt

@@ -1,5 +0,0 @@
-Changes
-   * fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
-     When that flag is on, standard GNU C printf format specifiers
-     should be used.
-

ChangeLog.d/fix-pk-parse-key-error-code.txt

@@ -1,2 +0,0 @@
-Bugfix
-   * Fix an incorrect error code when parsing a PKCS#8 private key.

ChangeLog.d/fix-ssl-cf-hmac-alt.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
-     (when the encrypt-then-MAC extension is not in use) with some ALT
-     implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
-     the affected side to wrongly reject valid messages. Fixes #4118.

ChangeLog.d/fix_tls_alert_codes.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix which alert is sent in some cases to conform to the
-     applicable RFC: on an invalid Finished message value, an
-     invalid max_fragment_length extension, or an
-     unsupported extension used by the server.

ChangeLog.d/gcm-update.txt

@@ -1,19 +0,0 @@
-API changes
-   * The interface of the GCM module has changed to remove restrictions on
-     how the input to multipart operations is broken down. mbedtls_gcm_finish()
-     now takes an extra output parameter for the last partial output block.
-     mbedtls_gcm_update() now takes extra parameters for the output length.
-     The software implementation always produces the full output at each
-     call to mbedtls_gcm_update(), but alternative implementations activated
-     by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
-     mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
-     no longer pass the associated data to mbedtls_gcm_starts(), but to the
-     new function mbedtls_gcm_update_ad().
-     These changes are backward compatible for users of the cipher API.
-
-Features
-   * The multi-part GCM interface (mbedtls_gcm_update() or
-     mbedtls_cipher_update()) no longer requires the size of partial inputs to
-     be a multiple of 16.
-   * The multi-part GCM interface now supports chunked associated data through
-     multiple calls to mbedtls_gcm_update_ad().

ChangeLog.d/host_test-int32.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix test suite code on platforms where int32_t is not int, such as
-     Arm Cortex-M. Fixes #4530.

ChangeLog.d/implicit_key_usage_policy.txt

@@ -1,5 +0,0 @@
-Changes
-   * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
-     PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
-     when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
-     is also applied when loading a key from storage.

ChangeLog.d/issue4036.txt

@@ -1,5 +0,0 @@
-Default behavior changes
-   * Enable by default the functionalities which have no reason to be disabled.
-     They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
-     Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
-

ChangeLog.d/issue4055.txt

@@ -1,3 +0,0 @@
-API changes
-   * The function mbedtls_x509write_csr_set_extension() has an extra parameter
-     which allows to mark an extension as critical. Fixes #4055.

ChangeLog.d/issue4083.txt

@@ -1,4 +0,0 @@
-Removals
-    * Remove the following functions: mbedtls_timing_self_test(),
-      mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
-      mbedtls_set_alarm(). Fixes #4083.

ChangeLog.d/issue4084.txt

@@ -1,4 +0,0 @@
-Removals
-    * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
-      corresponding modules and all their APIs and related configuration
-      options. Fixes #4084.

ChangeLog.d/issue4128.txt

@@ -1,4 +0,0 @@
-API changes
-   * The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
-     instead of computing tables in runtime. Thus, this option now increase
-     code size, and it does not increase RAM usage in runtime anymore.

ChangeLog.d/issue4176.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix a resource leak in a test suite with an alternative AES
-     implementation. Fixes #4176.

ChangeLog.d/issue4212.txt

@@ -1,6 +0,0 @@
-API changes
-   * In modules that implement cryptographic hash functions, many functions
-     mbedtls_xxx() now return int instead of void, and the corresponding
-     function mbedtls_xxx_ret() which was identical except for returning int
-     has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
-     migration guide for more information. Fixes #4212.

ChangeLog.d/issue4282.txt

@@ -1,13 +0,0 @@
-Removals
-   * Remove the following deprecated functions and constants of hex-encoded
-     primes based on RFC 5114 and RFC 3526 from library code and tests:
-     mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
-     mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
-     mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
-     mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
-     mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
-     MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
-     MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
-     MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
-     MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
-     Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.

ChangeLog.d/issue4286.txt

@@ -1,10 +0,0 @@
-Removals
-   * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
-     CBC record splitting, fallback SCSV, and the ability to configure
-     ciphersuites per version, which are no longer relevant. This removes the
-     configuration options MBEDTLS_SSL_PROTO_TLS1,
-     MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
-     MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
-     mbedtls_ssl_conf_cbc_record_splitting(),
-     mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
-     and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.

ChangeLog.d/issue4313.txt

@@ -1,4 +0,0 @@
-Removals
-   * Remove the following macros: MBEDTLS_CHECK_PARAMS,
-     MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
-     MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.

ChangeLog.d/issue4335.txt

@@ -1,4 +0,0 @@
-Changes
-   * Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and
-     MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option
-     MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335.

ChangeLog.d/issue4361.txt

@@ -1,3 +0,0 @@
-Removals
-   * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
-     previous action. Fixes #4361.

ChangeLog.d/issue4367.txt

@@ -1,13 +0,0 @@
-Removals
-   * Remove all the 3DES ciphersuites:
-     MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
-     MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the
-     MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
-     Fixes #4367.

ChangeLog.d/issue4378.txt

@@ -1,4 +0,0 @@
-Removals
-   * Remove the  MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
-     option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
-     migration path. Fixes #4378.

ChangeLog.d/issue4386.txt

@@ -1,3 +0,0 @@
-Removals
-   * Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code
-     behave as if it was always disabled. Fixes #4386.

ChangeLog.d/issue4398.txt

@@ -1,3 +0,0 @@
-API changes
-    * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
-      configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.

ChangeLog.d/issue4403.txt

@@ -1,2 +0,0 @@
-Removals
-   * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.

ChangeLog.d/issue4405.txt

@@ -1,4 +0,0 @@
-Removals
-    * Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
-      MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
-      behave as if they were always enabled. Fixes #4405.

ChangeLog.d/key-export.txt

@@ -1,10 +0,0 @@
-API changes
-   * mbedtls_ssl_conf_export_keys_ext_cb() and
-     mbedtls_ssl_conf_export_keys_cb() have been removed and
-     replaced by a new API mbedtls_ssl_set_export_keys_cb().
-     Raw keys and IVs are no longer passed to the callback.
-     Further, callbacks now receive an additional parameter
-     indicating the type of secret that's being exported,
-     paving the way for the larger number of secrets
-     in TLS 1.3. Finally, the key export callback and
-     context are now connection-specific.

ChangeLog.d/make-generate-tests-python.txt

@@ -1,3 +0,0 @@
-Changes
-   * When building the test suites with GNU make, invoke python3 or python, not
-     python2, which is no longer supported upstream.

ChangeLog.d/mandatory-rng-param.txt

@@ -1,14 +0,0 @@
-API changes
-   * For all functions that take a random number generator (RNG) as a
-     parameter, this parameter is now mandatory (that is, NULL is not an
-     acceptable value). Functions which previously accepted NULL and now
-     reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
-     sign and decrypt function; mbedtls_rsa_private(); the functions
-     in DHM and ECDH that compute the shared secret; the scalar multiplication
-     functions in ECP.
-   * The following functions now require an RNG parameter:
-     mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
-     mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
-Removals
-   * The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
-     it no longer had any effect.

ChangeLog.d/max-record-payload-api.txt

@@ -1,9 +0,0 @@
-API changes
-   * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
-     mbedtls_ssl_get_output_max_frag_len(), and add a new API
-     mbedtls_ssl_get_max_in_record_payload(), complementing the existing
-     mbedtls_ssl_get_max_out_record_payload().
-     Uses of mbedtls_ssl_get_input_max_frag_len() and
-     mbedtls_ssl_get_input_max_frag_len() should be replaced by
-     mbedtls_ssl_get_max_in_record_payload() and
-     mbedtls_ssl_get_max_out_record_payload(), respectively.

ChangeLog.d/mbed-can-do-timing.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Remove outdated check-config.h check that prevented implementing the
-     timing module on Mbed OS. Fixes #4633.

ChangeLog.d/mbedtls_debug_print_mpi.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
-     could notably be triggered by setting the TLS debug level to 3 or above
-     and using a Montgomery curve for the key exchange. Reported by lhuang04
-     in #4578. Fixes #4608.

ChangeLog.d/mpi_exp_mod-zero.txt

@@ -1,7 +0,0 @@
-Bugfix
-   * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
-     A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
-     could not be triggered by code that constructed A with one of the
-     mbedtls_mpi_read_xxx functions (including in particular TLS code) since
-     those always built an mpi object with at least one limb.
-     Credit to OSS-Fuzz. Fixes #4641.

ChangeLog.d/mpi_gcd-0.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
-     effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
-     applications that call mbedtls_mpi_gcd() directly. Fixes #4642.

ChangeLog.d/mpi_random.txt

@@ -1,3 +0,0 @@
-Features
-   * The new function mbedtls_mpi_random() generates a random value in a
-     given range uniformly.

ChangeLog.d/mpi_read_zero.txt

@@ -1,9 +0,0 @@
-Changes
-   * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
-     mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
-     when their input has length 0. Note that this is an implementation detail
-     and can change at any time, so this change should be transparent, but it
-     may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
-     now writing an empty string where it previously wrote one or more
-     zero digits when operating from values constructed with an mpi_read
-     function and some mpi operations.

ChangeLog.d/no-generated-files.txt

@@ -1,7 +0,0 @@
-Requirement changes
-   * If you build the development version of Mbed TLS, rather than an official
-     release, some configuration-independent files are now generated at build
-     time rather than checked into source control. This includes some library
-     source files as well as the Visual Studio solution. Perl, Python 3 and a
-     C compiler for the host platform are required. See “Generated source files
-     in the development branch” in README.md for more information.

ChangeLog.d/one-shot-mac.txt

@@ -1,3 +0,0 @@
-Features
-   * Implement psa_mac_compute() and psa_mac_verify() as defined in the
-     PSA Cryptograpy API 1.0.0 specification.

ChangeLog.d/one-shot_cipher_functions.txt

@@ -1,4 +0,0 @@
-API changes
-   * Implement one-shot cipher functions, psa_cipher_encrypt and
-     psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
-     specification.

ChangeLog.d/out_size.txt

@@ -1,5 +0,0 @@
-API changes
-   * The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
-     mbedtls_ecdsa_write_signature() and
-     mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
-     indicating the size of the output buffer for the signature.

ChangeLog.d/posix-define.txt

@@ -1,6 +0,0 @@
-Bugfix
-   * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
-     defined to specific values.  If the code is used in a context
-     where these are already defined, this can result in a compilation
-     error.  Instead, assume that if they are defined, the values will
-     be adequate to build Mbed TLS.

ChangeLog.d/private-fields.txt

@@ -1,5 +0,0 @@
-API changes
-   * Direct access to fields of structures declared in public headers is no
-     longer supported except for fields that are documented public. Use accessor
-     functions instead. For more information, see the migration guide entry
-     "Most structure fields are now private".

ChangeLog.d/psa-aead-output-size-macros-1.0.txt

@@ -1,5 +0,0 @@
-API changes
-   * Update AEAD output size macros to bring them in line with the PSA Crypto
-     API version 1.0 spec. This version of the spec parameterizes them on the
-     key type used, as well as the key bit-size in the case of
-     PSA_AEAD_TAG_LENGTH.

ChangeLog.d/psa-builtin-keys-implementation.txt

@@ -1,4 +0,0 @@
-Features
-   * Added support for built-in driver keys through the PSA opaque crypto
-     driver interface. Refer to the documentation of
-     MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.

ChangeLog.d/psa-read-only-keys.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * The PSA API no longer allows the creation or destruction of keys with a
-     read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
-     can now only be used as intended, for keys that cannot be modified through
-     normal use of the API.

ChangeLog.d/psa-rsa-verify-alt-fix.txt

@@ -1,7 +0,0 @@
-Bugfix
-   * psa_verify_hash() was relying on implementation-specific behavior of
-     mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
-     implementations. This reliance is now removed. Fixes #3990.
-   * Disallow inputs of length different from the corresponding hash when
-     signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
-     that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)

ChangeLog.d/psa-without-genprime-fix.txt

@@ -1,5 +0,0 @@
-Bugfix
-   * Restore the ability to configure PSA via Mbed TLS options to support RSA
-     key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
-     is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
-     Fixes #4512.

ChangeLog.d/psa_key_derivation-bad_workflow.txt

@@ -1,3 +0,0 @@
-Bugfix
-   * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
-     about missing inputs.

ChangeLog.d/psa_sign_message.txt

@@ -1,2 +0,0 @@
-Features
-   * Implement psa_sign_message() and psa_verify_message().

ChangeLog.d/random-range.txt

@@ -1,4 +0,0 @@
-Security
-* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
-  private keys and of blinding values for DHM and elliptic curves (ECP)
-  computations. Reported by FlorianF89 in #4245.

ChangeLog.d/relaxed-psk-semantics.txt

@@ -1,7 +0,0 @@
-API changes
-    * Modify semantics of `mbedtls_ssl_conf_[opaque_]psk()`:
-      In Mbed TLS 2.X, the API prescribes that later calls overwrite
-      the effect of earlier calls. In Mbed TLS 3.0, calling
-      `mbedtls_ssl_conf_[opaque_]psk()` more than once will fail,
-      leaving the PSK that was configured first intact.
-      Support for more than one PSK may be added in 3.X.

ChangeLog.d/remove-config-psa-crypto.txt

@@ -1,3 +0,0 @@
-Changes
-   * Remove configs/config-psa-crypto.h, which no longer had any intended
-     differences from the default configuration, but had accidentally diverged.

ChangeLog.d/remove-enable-weak-ciphersuites.txt

@@ -1,2 +0,0 @@
-Removals
-   * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.

ChangeLog.d/remove-max-content-len.txt

@@ -1,4 +0,0 @@
-Removals
-   * Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
-     MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
-     it. Fixes #4362.

ChangeLog.d/remove-rsa-mode-parameter.txt

@@ -1,8 +0,0 @@
-Removals
-   * The RSA module no longer supports private-key operations with the public
-     key and vice versa.
-API changes
-   * Remove the mode parameter from RSA operation functions. Signature and
-     decryption functions now always use the private key and verification and
-     encryption use the public key. Verification functions also no longer have
-     RNG parameters.

ChangeLog.d/remove_null_entropy.txt

@@ -1,2 +0,0 @@
-API changes
-   * Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.

ChangeLog.d/require-matching-hashlen-rsa.txt

@@ -1,5 +0,0 @@
-API changes
-   * Signature functions in the RSA and PK modules now require the hash
-     length parameter to be the size of the hash input. For RSA signatures
-     other than raw PKCS#1 v1.5, this must match the output size of the
-     specified hash algorithm.

ChangeLog.d/rm-ecdh-legacy-context-option.txt

@@ -1,3 +0,0 @@
-Removals
-   * Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
-     backward compatibility which is no longer supported. Addresses #4404.

ChangeLog.d/rm-ticket-lifetime-option

@@ -1,5 +0,0 @@
-Removals
-   * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-     compile-time option. This option has been inactive for a long time.
-     Please use the `lifetime` parameter of `mbedtls_ssl_ticket_setup()`
-     instead.

ChangeLog.d/rm-truncated-hmac-ext.txt

@@ -1,5 +0,0 @@
-Removals
-   * Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
-     MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
-     using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
-     See issue #4341 for more details.

ChangeLog.d/rsa-padding.txt

@@ -1,5 +0,0 @@
-API changes
-   * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
-     key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
-     after initializing the context. mbedtls_rsa_set_padding() now returns an
-     error if its parameters are invalid.

ChangeLog.d/session-cache-api.txt

@@ -1,5 +0,0 @@
-API changes
-    * The getter and setter API of the SSL session cache (used for
-      session-ID based session resumption) has changed to that of
-      a key-value store with keys being session IDs and values
-      being opaque instances of `mbedtls_ssl_session`.

ChangeLog.d/sha224_sha384.txt

@@ -1,7 +0,0 @@
-API changes
-   * Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
-     This separates config option enabling the SHA384 algorithm from option
-     enabling the SHA512 algorithm. Fixes #4034.
-   * Introduce MBEDTLS_SHA224_C.
-     This separates config option enabling the SHA224 algorithm from option
-     enabling SHA256.

ChangeLog.d/sha512-output-type.txt

@@ -1,6 +0,0 @@
-API changes
-   * The output parameter of mbedtls_sha512_finish_ret, mbedtls_sha512_ret,
-     mbedtls_sha256_finish_ret and mbedtls_sha256_ret now has a pointer type
-     rather than array type. This removes spurious warnings in some compilers
-     when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
-     the hash size.

ChangeLog.d/split-config.txt

@@ -1,13 +0,0 @@
-Changes
-   * config.h has been split into build_info.h and mbedtls_config.h
-     build_info.h is intended to be included from C code directly, while
-     mbedtls_config.h is intended to be edited by end users wishing to
-     change the build configuration, and should generally only be included from
-     build_info.h.
-   * The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h.
-   * A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
-     Defining it to a particular value will ensure that Mbed TLS interprets
-     the config file in a way that's compatible with the config file format
-     used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same
-     value.
-     The only value supported by Mbed TLS 3.0.0 is 0x03000000.

ChangeLog.d/spm_build.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
-     in all the right places. Include it from crypto_platform.h, which is
-     the natural place. Fixes #4649.

ChangeLog.d/ssl-error-code-cleanup.txt

@@ -1,6 +0,0 @@
-API changes
-   * Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
-     and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` which are never
-     returned from the public SSL API.
-   * Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return
-     `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead.

ChangeLog.d/tool-versions.txt

@@ -1,4 +0,0 @@
-Requirement changes
-   * Refresh the minimum supported versions of tools to build the
-     library. CMake versions older than 3.10.2 and Python older
-     than 3.6 are no longer supported.

ChangeLog.d/undefined_reference_without_psa.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
-     nonetheless, resulting in undefined reference errors when building a
-     shared library. Reported by Guillermo Garcia M. in #4411.

ChangeLog.d/update_ssl_error_codes.txt

@@ -1,3 +0,0 @@
-Changes
-   * Various changes to which alert and/or error code may be returned
-   * during the TLS handshake.

ChangeLog.d/winsock.txt

@@ -1,4 +0,0 @@
-Bugfix
-   * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
-     MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
-

ChangeLog.d/x509_remove_info.txt

@@ -1,6 +0,0 @@
-API changes
-   * Add configuration option MBEDTLS_X509_REMOVE_INFO which
-     removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
-     as well as other functions and constants only used by
-     those functions. This reduces the code footprint by
-     several kB.

README.md

@@ -5,11 +5,6 @@ Mbed TLS is a C library that implements cryptographic primitives, X.509 certific
 
 Mbed TLS includes a reference implementation of the [PSA Cryptography API](#psa-cryptography-api). This is currently a preview for evaluation purposes only.
 
-Stability
----------
-
-**Warning: the [`development`](https://github.com/ARMmbed/mbedtls/tree/development) branch of Mbed TLS currently has an unstable API.** It is where work is happening on the next major release of Mbed TLS. Until Mbed TLS 3.0 is released, if you need a stable API, please use the branch [`development_2.x`](https://github.com/ARMmbed/mbedtls/tree/development_2.x) instead.
-
 Configuration
 -------------
 

docs/3.0-migration-guide.md

@@ -240,7 +240,7 @@ relevant as the countermeasure is now always on at no cost in code size.
 
 ### SHA-512 and SHA-256 output type change
 
-The output parameter of `mbedtls_sha256_finish_ret()`, `mbedtls_sha256_ret()`, `mbedtls_sha512_finish_ret()`, `mbedtls_sha512_ret()` now has a pointer type rather than array type. This makes no difference in terms of C semantics, but removes spurious warnings in some compilers when outputting a SHA-384 hash into a 48-byte buffer or a SHA-224 hash into a 28-byte buffer.
+The output parameter of `mbedtls_sha256_finish()`, `mbedtls_sha256()`, `mbedtls_sha512_finish()`, `mbedtls_sha512()` now has a pointer type rather than array type. This makes no difference in terms of C semantics, but removes spurious warnings in some compilers when outputting a SHA-384 hash into a 48-byte buffer or a SHA-224 hash into a 28-byte buffer.
 
 This makes no difference to a vast majority of applications. If your code takes a pointer to one of these functions, you may need to change the type of the pointer.
 

doxygen/input/doc_mainpage.h

@@ -22,7 +22,7 @@
  */
 
 /**
- * @mainpage mbed TLS v2.26.0 source code documentation
+ * @mainpage mbed TLS v3.0.0 source code documentation
  *
  * This documentation describes the internal structure of mbed TLS.  It was
  * automatically generated from specially formatted comment blocks in

doxygen/mbedtls.doxyfile

@@ -28,7 +28,7 @@ DOXYFILE_ENCODING      = UTF-8
 # identify the project. Note that if you do not use Doxywizard you need
 # to put quotes around the project name if it contains spaces.
 
-PROJECT_NAME           = "mbed TLS v2.26.0"
+PROJECT_NAME           = "mbed TLS v3.0.0"
 
 # The PROJECT_NUMBER tag can be used to enter a project or revision number.
 # This could be handy for archiving the generated documentation or

include/mbedtls/build_info.h

@@ -36,8 +36,8 @@
  * The version number x.y.z is split into three parts.
  * Major, Minor, Patchlevel
  */
-#define MBEDTLS_VERSION_MAJOR  2
-#define MBEDTLS_VERSION_MINOR  26
+#define MBEDTLS_VERSION_MAJOR  3
+#define MBEDTLS_VERSION_MINOR  0
 #define MBEDTLS_VERSION_PATCH  0
 
 /**
@@ -45,9 +45,9 @@
  *    MMNNPP00
  *    Major version | Minor version | Patch version
  */
-#define MBEDTLS_VERSION_NUMBER         0x021A0000
-#define MBEDTLS_VERSION_STRING         "2.26.0"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.26.0"
+#define MBEDTLS_VERSION_NUMBER         0x03000000
+#define MBEDTLS_VERSION_STRING         "3.0.0"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 3.0.0"
 
 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
 #define _CRT_SECURE_NO_DEPRECATE 1

library/CMakeLists.txt

@@ -188,7 +188,7 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
 
 if(USE_SHARED_MBEDTLS_LIBRARY)
     add_library(${mbedcrypto_target} SHARED ${src_crypto})
-    set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.26.0 SOVERSION 6)
+    set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.0.0 SOVERSION 10)
     target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
 
     if(TARGET everest)
@@ -196,11 +196,11 @@ if(USE_SHARED_MBEDTLS_LIBRARY)
     endif()
 
     add_library(${mbedx509_target} SHARED ${src_x509})
-    set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.26.0 SOVERSION 1)
+    set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.0.0 SOVERSION 4)
     target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
 
     add_library(${mbedtls_target} SHARED ${src_tls})
-    set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.26.0 SOVERSION 13)
+    set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.0.0 SOVERSION 16)
     target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
 endif(USE_SHARED_MBEDTLS_LIBRARY)
 

library/Makefile

@@ -41,9 +41,9 @@ LOCAL_CFLAGS += -fPIC -fpic
 endif
 endif
 
-SOEXT_TLS=so.13
-SOEXT_X509=so.1
-SOEXT_CRYPTO=so.6
+SOEXT_TLS=so.16
+SOEXT_X509=so.4
+SOEXT_CRYPTO=so.10
 
 # Set AR_DASH= (empty string) to use an ar implementation that does not accept
 # the - prefix for command line options (e.g. llvm-ar)

library/bignum.c

@@ -268,6 +268,36 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
     memcpy(  Y, &T, sizeof( mbedtls_mpi ) );
 }
 
+/**
+ * Select between two sign values in constant-time.
+ *
+ * This is functionally equivalent to second ? a : b but uses only bit
+ * operations in order to avoid branches.
+ *
+ * \param[in] a         The first sign; must be either +1 or -1.
+ * \param[in] b         The second sign; must be either +1 or -1.
+ * \param[in] second    Must be either 1 (return b) or 0 (return a).
+ *
+ * \return The selected sign value.
+ */
+static int mpi_safe_cond_select_sign( int a, int b, unsigned char second )
+{
+    /* In order to avoid questions about what we can reasonnably assume about
+     * the representations of signed integers, move everything to unsigned
+     * by taking advantage of the fact that a and b are either +1 or -1. */
+    unsigned ua = a + 1;
+    unsigned ub = b + 1;
+
+    /* second was 0 or 1, mask is 0 or 2 as are ua and ub */
+    const unsigned mask = second << 1;
+
+    /* select ua or ub */
+    unsigned ur = ( ua & ~mask ) | ( ub & mask );
+
+    /* ur is now 0 or 2, convert back to -1 or +1 */
+    return( (int) ur - 1 );
+}
+
 /*
  * Conditionally assign dest = src, without leaking information
  * about whether the assignment was made or not.
@@ -280,8 +310,23 @@ static void mpi_safe_cond_assign( size_t n,
                                   unsigned char assign )
 {
     size_t i;
+
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
+    const mbedtls_mpi_uint mask = -assign;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
     for( i = 0; i < n; i++ )
-        dest[i] = dest[i] * ( 1 - assign ) + src[i] * assign;
+        dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
 }
 
 /*
@@ -293,20 +338,34 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
 {
     int ret = 0;
     size_t i;
+    mbedtls_mpi_uint limb_mask;
     MPI_VALIDATE_RET( X != NULL );
     MPI_VALIDATE_RET( Y != NULL );
 
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
     /* make sure assign is 0 or 1 in a time-constant manner */
-    assign = (assign | (unsigned char)-assign) >> 7;
+    assign = (assign | (unsigned char)-assign) >> (sizeof( assign ) * 8 - 1);
+    /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
+    limb_mask = -assign;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
 
-    X->s = X->s * ( 1 - assign ) + Y->s * assign;
+    X->s = mpi_safe_cond_select_sign( X->s, Y->s, assign );
 
     mpi_safe_cond_assign( Y->n, X->p, Y->p, assign );
 
     for( i = Y->n; i < X->n; i++ )
-        X->p[i] *= ( 1 - assign );
+        X->p[i] &= ~limb_mask;
 
 cleanup:
     return( ret );
@@ -322,6 +381,7 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char sw
 {
     int ret, s;
     size_t i;
+    mbedtls_mpi_uint limb_mask;
     mbedtls_mpi_uint tmp;
     MPI_VALIDATE_RET( X != NULL );
     MPI_VALIDATE_RET( Y != NULL );
@@ -329,22 +389,35 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char sw
     if( X == Y )
         return( 0 );
 
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
     /* make sure swap is 0 or 1 in a time-constant manner */
-    swap = (swap | (unsigned char)-swap) >> 7;
+    swap = (swap | (unsigned char)-swap) >> (sizeof( swap ) * 8 - 1);
+    /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
+    limb_mask = -swap;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
 
     s = X->s;
-    X->s = X->s * ( 1 - swap ) + Y->s * swap;
-    Y->s = Y->s * ( 1 - swap ) +    s * swap;
+    X->s = mpi_safe_cond_select_sign( X->s, Y->s, swap );
+    Y->s = mpi_safe_cond_select_sign( Y->s, s, swap );
 
 
     for( i = 0; i < X->n; i++ )
     {
         tmp = X->p[i];
-        X->p[i] = X->p[i] * ( 1 - swap ) + Y->p[i] * swap;
-        Y->p[i] = Y->p[i] * ( 1 - swap ) +     tmp * swap;
+        X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask );
+        Y->p[i] = ( Y->p[i] & ~limb_mask ) | (     tmp & limb_mask );
     }
 
 cleanup:
@@ -2154,6 +2227,71 @@ static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
     mpi_montmul( A, &U, N, mm, T );
 }
 
+/*
+ * Constant-flow boolean "equal" comparison:
+ * return x == y
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations - it can be used in conjunction with
+ * mbedtls_ssl_cf_mask_from_bit().
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_mpi_cf_bool_eq( size_t x, size_t y )
+{
+    /* diff = 0 if x == y, non-zero otherwise */
+    const size_t diff = x ^ y;
+
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    /* diff_msb's most significant bit is equal to x != y */
+    const size_t diff_msb = ( diff | (size_t) -diff );
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    /* diff1 = (x != y) ? 1 : 0 */
+    const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
+
+    return( 1 ^ diff1 );
+}
+
+/**
+ * Select an MPI from a table without leaking the index.
+ *
+ * This is functionally equivalent to mbedtls_mpi_copy(R, T[idx]) except it
+ * reads the entire table in order to avoid leaking the value of idx to an
+ * attacker able to observe memory access patterns.
+ *
+ * \param[out] R        Where to write the selected MPI.
+ * \param[in] T         The table to read from.
+ * \param[in] T_size    The number of elements in the table.
+ * \param[in] idx       The index of the element to select;
+ *                      this must satisfy 0 <= idx < T_size.
+ *
+ * \return \c 0 on success, or a negative error code.
+ */
+static int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size_t idx )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+    for( size_t i = 0; i < T_size; i++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i],
+                        (unsigned char) mbedtls_mpi_cf_bool_eq( i, idx ) ) );
+    }
+
+cleanup:
+    return( ret );
+}
+
 /*
  * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
  */
@@ -2166,7 +2304,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
     size_t i, j, nblimbs;
     size_t bufsize, nbits;
     mbedtls_mpi_uint ei, mm, state;
-    mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
+    mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos;
     int neg;
 
     MPI_VALIDATE_RET( X != NULL );
@@ -2190,6 +2328,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
     mpi_montg_init( &mm, N );
     mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &T );
     mbedtls_mpi_init( &Apos );
+    mbedtls_mpi_init( &WW );
     memset( W, 0, sizeof( W ) );
 
     i = mbedtls_mpi_bitlen( E );
@@ -2343,7 +2482,8 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
             /*
              * X = X * W[wbits] R^-1 mod N
              */
-            mpi_montmul( X, &W[wbits], N, mm, &T );
+            MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) );
+            mpi_montmul( X, &WW, N, mm, &T );
 
             state--;
             nbits = 0;
@@ -2381,6 +2521,7 @@ cleanup:
         mbedtls_mpi_free( &W[i] );
 
     mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos );
+    mbedtls_mpi_free( &WW );
 
     if( _RR == NULL || _RR->p == NULL )
         mbedtls_mpi_free( &RR );
@@ -2565,9 +2706,10 @@ int mbedtls_mpi_random( mbedtls_mpi *X,
 {
     int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
     int count;
-    unsigned cmp = 0;
+    unsigned lt_lower = 1, lt_upper = 0;
     size_t n_bits = mbedtls_mpi_bitlen( N );
     size_t n_bytes = ( n_bits + 7 ) / 8;
+    mbedtls_mpi lower_bound;
 
     if( min < 0 )
         return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
@@ -2593,10 +2735,14 @@ int mbedtls_mpi_random( mbedtls_mpi *X,
      */
     count = ( n_bytes > 4 ? 30 : 250 );
 
+    mbedtls_mpi_init( &lower_bound );
+
     /* Ensure that target MPI has exactly the same number of limbs
      * as the upper bound, even if the upper bound has leading zeros.
      * This is necessary for the mbedtls_mpi_lt_mpi_ct() check. */
     MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, N->n ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &lower_bound, N->n ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &lower_bound, min ) );
 
     /*
      * Match the procedure given in RFC 6979 §3.3 (deterministic ECDSA)
@@ -2617,11 +2763,13 @@ int mbedtls_mpi_random( mbedtls_mpi *X,
             goto cleanup;
         }
 
-        MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( X, N, &cmp ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( X, &lower_bound, &lt_lower ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( X, N, &lt_upper ) );
     }
-    while( mbedtls_mpi_cmp_int( X, min ) < 0 || cmp != 1 );
+    while( lt_lower != 0 || lt_upper == 0 );
 
 cleanup:
+    mbedtls_mpi_free( &lower_bound );
     return( ret );
 }
 

library/bn_mul.h

@@ -40,6 +40,46 @@
 
 #include "mbedtls/bignum.h"
 
+
+/*
+ * Conversion macros for embedded constants:
+ * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
+ */
+#if defined(MBEDTLS_HAVE_INT32)
+
+#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d )               \
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 )
+
+#define MBEDTLS_BYTES_TO_T_UINT_2( a, b )                   \
+    MBEDTLS_BYTES_TO_T_UINT_4( a, b, 0, 0 )
+
+#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
+    MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ),                \
+    MBEDTLS_BYTES_TO_T_UINT_4( e, f, g, h )
+
+#else /* 64-bits */
+
+#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h )   \
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 ) |                        \
+    ( (mbedtls_mpi_uint) (e) << 32 ) |                        \
+    ( (mbedtls_mpi_uint) (f) << 40 ) |                        \
+    ( (mbedtls_mpi_uint) (g) << 48 ) |                        \
+    ( (mbedtls_mpi_uint) (h) << 56 )
+
+#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d )             \
+    MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
+
+#define MBEDTLS_BYTES_TO_T_UINT_2( a, b )                   \
+    MBEDTLS_BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
+
+#endif /* bits in mbedtls_mpi_uint */
+
 #if defined(MBEDTLS_HAVE_ASM)
 
 #ifndef asm

library/ecp.c

@@ -77,6 +77,7 @@
 #include "mbedtls/platform_util.h"
 #include "mbedtls/error.h"
 
+#include "bn_mul.h"
 #include "ecp_invasive.h"
 
 #include <string.h>
@@ -2746,6 +2747,97 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
 #endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
 
 #if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
+#define ECP_MPI_INIT_ARRAY(x)   \
+    ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
+/*
+ * Constants for the two points other than 0, 1, -1 (mod p) in
+ * https://cr.yp.to/ecdh.html#validate
+ * See ecp_check_pubkey_x25519().
+ */
+static const mbedtls_mpi_uint x25519_bad_point_1[] = {
+    MBEDTLS_BYTES_TO_T_UINT_8( 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae ),
+    MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a ),
+    MBEDTLS_BYTES_TO_T_UINT_8( 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd ),
+    MBEDTLS_BYTES_TO_T_UINT_8( 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 ),
+};
+static const mbedtls_mpi_uint x25519_bad_point_2[] = {
+    MBEDTLS_BYTES_TO_T_UINT_8( 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24 ),
+    MBEDTLS_BYTES_TO_T_UINT_8( 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b ),
+    MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86 ),
+    MBEDTLS_BYTES_TO_T_UINT_8( 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 ),
+};
+static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
+        x25519_bad_point_1 );
+static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
+        x25519_bad_point_2 );
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+/*
+ * Check that the input point is not one of the low-order points.
+ * This is recommended by the "May the Fourth" paper:
+ * https://eprint.iacr.org/2017/806.pdf
+ * Those points are never sent by an honest peer.
+ */
+static int ecp_check_bad_points_mx( const mbedtls_mpi *X, const mbedtls_mpi *P,
+                                    const mbedtls_ecp_group_id grp_id )
+{
+    int ret;
+    mbedtls_mpi XmP;
+
+    mbedtls_mpi_init( &XmP );
+
+    /* Reduce X mod P so that we only need to check values less than P.
+     * We know X < 2^256 so we can proceed by subtraction. */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &XmP, X ) );
+    while( mbedtls_mpi_cmp_mpi( &XmP, P ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &XmP, &XmP, P ) );
+
+    /* Check against the known bad values that are less than P. For Curve448
+     * these are 0, 1 and -1. For Curve25519 we check the values less than P
+     * from the following list: https://cr.yp.to/ecdh.html#validate */
+    if( mbedtls_mpi_cmp_int( &XmP, 1 ) <= 0 ) /* takes care of 0 and 1 */
+    {
+        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+        goto cleanup;
+    }
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+    if( grp_id == MBEDTLS_ECP_DP_CURVE25519 )
+    {
+        if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_1 ) == 0 )
+        {
+            ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+            goto cleanup;
+        }
+
+        if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_2 ) == 0 )
+        {
+            ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+            goto cleanup;
+        }
+    }
+#else
+    (void) grp_id;
+#endif
+
+    /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &XmP, &XmP, 1 ) );
+    if( mbedtls_mpi_cmp_mpi( &XmP, P ) == 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+        goto cleanup;
+    }
+
+    ret = 0;
+
+cleanup:
+    mbedtls_mpi_free( &XmP );
+
+    return( ret );
+}
+
 /*
  * Check validity of a public key for Montgomery curves with x-only schemes
  */
@@ -2757,7 +2849,13 @@ static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_
     if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
-    return( 0 );
+    /* Implicit in all standards (as they don't consider negative numbers):
+     * X must be non-negative. This is normally ensured by the way it's
+     * encoded for transmission, but let's be extra sure. */
+    if( mbedtls_mpi_cmp_int( &pt->X, 0 ) < 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    return( ecp_check_bad_points_mx( &pt->X, &grp->P, grp->id ) );
 }
 #endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */