7604915cce
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
5833 lines
313 KiB
Text
5833 lines
313 KiB
Text
Mbed TLS ChangeLog (Sorted per branch, date)
|
||
|
||
= Mbed TLS 3.5.1 branch released 2023-11-06
|
||
|
||
Changes
|
||
* Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
|
||
license. Users may choose which license they take the code under.
|
||
|
||
Bugfix
|
||
* Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
|
||
in CMake.
|
||
|
||
= Mbed TLS 3.5.0 branch released 2023-10-05
|
||
|
||
API changes
|
||
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
|
||
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
|
||
there was a flaw in the logic checking if the built-in implementation, in
|
||
that it failed to check if all the relevant curves were supported by the
|
||
accelerator. As a result, it was possible to declare no curves as
|
||
accelerated and still have the built-in implementation compiled out.
|
||
Starting with this release, it is necessary to declare which curves are
|
||
accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
|
||
considered not accelerated, and the built-in implementation of the curves
|
||
and any algorithm possible using them will be included in the build.
|
||
* Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
|
||
function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
|
||
can be created using an ALT interface.
|
||
|
||
Requirement changes
|
||
* Officially require Python 3.8 now that earlier versions are out of support.
|
||
* Minimum required Windows version is now Windows Vista, or
|
||
Windows Server 2008.
|
||
|
||
New deprecations
|
||
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
|
||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
|
||
are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
|
||
IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
|
||
the capabilities of the PSA side for either key.
|
||
* MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
|
||
MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
|
||
maximum size of any supported block cipher) or the new name
|
||
MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
|
||
maximum size of a block cipher supported by the CMAC module).
|
||
* mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
|
||
deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
|
||
mbedtls_pkcs12_pbe_ext() as they offer more security by checking
|
||
for overflow of the output buffer and reporting the actual length
|
||
of the output.
|
||
|
||
Features
|
||
* All modules that use hashes or HMAC can now take advantage of PSA Crypto
|
||
drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
|
||
been called. Previously (in 3.3), this was restricted to a few modules,
|
||
and only in builds where MBEDTLS_MD_C was disabled; in particular the
|
||
entropy module was not covered which meant an external RNG had to be
|
||
provided - these limitations are lifted in this version. A new set of
|
||
feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
|
||
to check for availability of hash algorithms, regardless of whether
|
||
they're provided by a built-in implementation, a driver or both. See
|
||
docs/driver-only-builds.md.
|
||
* When a PSA driver for ECDH is present, it is now possible to disable
|
||
MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
|
||
key exchanges based on ECDH(E) to work, this requires
|
||
MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
|
||
TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
|
||
as PSA does not have an API for restartable ECDH yet.
|
||
* When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
|
||
a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
|
||
if not required by another module) and still get support for ECC keys and
|
||
algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
|
||
for details.
|
||
* Add parsing of directoryName subtype for subjectAltName extension in
|
||
x509 certificates.
|
||
* Add support for server-side TLS version negotiation. If both TLS 1.2 and
|
||
TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
|
||
TLS 1.3 depending on the capabilities and preferences of TLS clients.
|
||
Fixes #6867.
|
||
* X.509 hostname verification now supports IPAddress Subject Alternate Names.
|
||
* Add support for reading and writing X25519 and X448
|
||
public and private keys in RFC 8410 format using the existing PK APIs.
|
||
* When parsing X.509 certificates, support the extensions
|
||
SignatureKeyIdentifier and AuthorityKeyIdentifier.
|
||
* Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
|
||
if no PAKE algorithms are requested
|
||
* Add support for the FFDH algorithm and DH key types in PSA, with
|
||
parameters from RFC 7919. This includes a built-in implementation based
|
||
on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
|
||
implementations of FFDH through the driver entry points.
|
||
* It is now possible to generate certificates with SubjectAltNames.
|
||
Currently supported subtypes: DnsName, UniformResourceIdentifier,
|
||
IP address, OtherName, and DirectoryName, as defined in RFC 5280.
|
||
See mbedtls_x509write_crt_set_subject_alternative_name for
|
||
more information.
|
||
* X.509 hostname verification now partially supports URI Subject Alternate
|
||
Names. Only exact matching, without any normalization procedures
|
||
described in 7.4 of RFC5280, will result in a positive URI verification.
|
||
* Add function mbedtls_oid_from_numeric_string() to parse an OID from a
|
||
string to a DER-encoded mbedtls_asn1_buf.
|
||
* Add SHA-3 family hash functions.
|
||
* Add support to restrict AES to 128-bit keys in order to save code size.
|
||
A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
|
||
used to enable this feature.
|
||
* AES performance improvements. Uplift varies by platform,
|
||
toolchain, optimisation flags and mode.
|
||
Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
|
||
On Aarch64, uplift is typically around 20 - 110%.
|
||
When compiling with gcc -Os on Aarch64, AES-XTS improves
|
||
by 4.5x.
|
||
* Add support for PBKDF2-HMAC through the PSA API.
|
||
* New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
|
||
or DH) were introduced in order to have finer accuracy in defining the
|
||
PSA capabilities for each key. These capabilities, named yyy above, can be
|
||
any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
|
||
- DERIVE is only available for ECC keys, not for RSA or DH ones.
|
||
- implementations are free to enable more than what it was strictly
|
||
requested. For example BASIC internally enables IMPORT and EXPORT
|
||
(useful for testing purposes), but this might change in the future.
|
||
* Add support for FFDH key exchange in TLS 1.3.
|
||
This is automatically enabled as soon as PSA_WANT_ALG_FFDH
|
||
and the ephemeral or psk-ephemeral key exchange mode are enabled.
|
||
By default, all groups are offered; the list of groups can be
|
||
configured using the existing API function mbedtls_ssl_conf_groups().
|
||
* Improve mbedtls_x509_time performance and reduce memory use.
|
||
* Reduce syscalls to time() during certificate verification.
|
||
* Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
|
||
setting the CMake variable of the same name at configuration time.
|
||
* Add getter (mbedtls_ssl_cache_get_timeout()) to access
|
||
`mbedtls_ssl_cache_context.timeout`.
|
||
* Add getter (mbedtls_ssl_get_hostname()) to access
|
||
`mbedtls_ssl_context.hostname`.
|
||
* Add getter (mbedtls_ssl_conf_get_endpoint()) to access
|
||
`mbedtls_ssl_config.endpoint`.
|
||
* Support for "opaque" (PSA-held) ECC keys in the PK module has been
|
||
extended: it is now possible to use mbedtls_pk_write_key_der(),
|
||
mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
|
||
mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
|
||
allow it).
|
||
* The documentation of mbedtls_ecp_group now describes the optimized
|
||
representation of A for some curves. Fixes #8045.
|
||
* Add a possibility to generate CSR's with RCF822 and directoryName subtype
|
||
of subjectAltName extension in x509 certificates.
|
||
* Add support for PBKDF2-CMAC through the PSA API.
|
||
* New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
|
||
using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
|
||
disables the plain C implementation and the run-time detection for the
|
||
CPU feature, which reduces code size and avoids the vulnerability of the
|
||
plain C implementation.
|
||
* Accept arbitrary AttributeType and AttributeValue in certificate
|
||
Distinguished Names using RFC 4514 syntax.
|
||
* Applications using ECC over secp256r1 through the PSA API can use a
|
||
new implementation with a much smaller footprint, but some minor
|
||
usage restrictions. See the documentation of the new configuration
|
||
option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
|
||
|
||
Security
|
||
* Fix a case where potentially sensitive information held in memory would not
|
||
be completely zeroized during TLS 1.2 handshake, in both server and client
|
||
configurations.
|
||
* In configurations with ARIA or Camellia but not AES, the value of
|
||
MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
|
||
suggest. This did not affect any library code, because this macro was
|
||
only used in relation with CMAC which does not support these ciphers.
|
||
This may affect application code that uses this macro.
|
||
* Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
|
||
review the size of the output buffer passed to this function, and note
|
||
that the output after decryption may include CBC padding. Consider moving
|
||
to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
|
||
which checks for overflow of the output buffer and reports the actual
|
||
length of the output.
|
||
* Improve padding calculations in CBC decryption, NIST key unwrapping and
|
||
RSA OAEP decryption. With the previous implementation, some compilers
|
||
(notably recent versions of Clang and IAR) could produce non-constant
|
||
time code, which could allow a padding oracle attack if the attacker
|
||
has access to precise timing measurements.
|
||
* Updates to constant-time C code so that compilers are less likely to use
|
||
conditional instructions, which can have an observable difference in
|
||
timing. (Clang has been seen to do this.) Also introduce assembly
|
||
implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
|
||
guaranteed not to use conditional instructions.
|
||
* Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
|
||
small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
|
||
undefined. Mbed TLS itself was unaffected by this, but user code
|
||
which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
|
||
release containing this bug was Mbed TLS 3.4.0.
|
||
* Fix a buffer overread when parsing short TLS application data records in
|
||
null-cipher cipher suites. Credit to OSS-Fuzz.
|
||
* Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
|
||
In TLS 1.3, all configurations are affected except PSK-only ones, and
|
||
both clients and servers are affected.
|
||
In TLS 1.2, the affected configurations are those with
|
||
MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
|
||
and only servers are affected, not clients.
|
||
Credit to OSS-Fuzz.
|
||
|
||
Bugfix
|
||
* Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
|
||
PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
|
||
than all built-in ones and RSA is disabled.
|
||
Resolves #6622.
|
||
* Add missing md.h includes to some of the external programs from
|
||
the programs directory. Without this, even though the configuration
|
||
was sufficient for a particular program to work, it would only print
|
||
a message that one of the required defines is missing.
|
||
* Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
|
||
in the ecdsa.h header file. There was a build warning when the
|
||
configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
|
||
Resolves #7407.
|
||
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
|
||
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
|
||
* Fix missing PSA initialization in sample programs when
|
||
MBEDTLS_USE_PSA_CRYPTO is enabled.
|
||
* Fix the J-PAKE driver interface for user and peer to accept any values
|
||
(previously accepted values were limited to "client" or "server").
|
||
* Fix clang and armclang compilation error when targeting certain Arm
|
||
M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
|
||
SecurCore SC000). Fixes #1077.
|
||
* Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
|
||
built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
|
||
way to detect the crypto extensions required. A warning is still issued.
|
||
* Fixed an issue that caused compile errors when using CMake and the IAR
|
||
toolchain.
|
||
* Fix very high stack usage in SSL debug code. Reported by Maximilian
|
||
Gerhardt in #7804.
|
||
* Fix a compilation failure in the constant_time module when
|
||
building for arm64_32 (e.g., for watchos). Reported by Paulo
|
||
Coutinho in #7787.
|
||
* Fix crypt_and_hash decryption fail when used with a stream cipher
|
||
mode of operation due to the input not being multiple of block size.
|
||
Resolves #7417.
|
||
* Fix a bug in which mbedtls_x509_string_to_names() would return success
|
||
when given a invalid name string if it did not contain '=' or ','.
|
||
* Fix compilation warnings in aes.c, which prevented the
|
||
example TF-M configuration in configs/ from building cleanly:
|
||
tfm_mbedcrypto_config_profile_medium.h with
|
||
crypto_config_profile_medium.h.
|
||
* In TLS 1.3, fix handshake failure when a client in its ClientHello
|
||
proposes an handshake based on PSK only key exchange mode or at least
|
||
one of the key exchange modes using ephemeral keys to a server that
|
||
supports only the PSK key exchange mode.
|
||
* Fix CCM* with no tag being not supported in a build with CCM as the only
|
||
symmetric encryption algorithm and the PSA configuration enabled.
|
||
* Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
|
||
* Fix a compilation error on some platforms when including mbedtls/ssl.h
|
||
with all TLS support disabled. Fixes #6628.
|
||
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
|
||
using ECC key. The certificate was rejected by some crypto frameworks.
|
||
Fixes #2924.
|
||
* Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
|
||
is called with zero length and padlock is not enabled.
|
||
* Fix compile failure due to empty enum in cipher_wrap.c, when building
|
||
with a very minimal configuration. Fixes #7625.
|
||
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
|
||
signature can silently return an incorrect result in low memory conditions.
|
||
* Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
|
||
MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
|
||
* Fix IAR compiler warnings.
|
||
* Fix an issue when parsing an otherName subject alternative name into a
|
||
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
|
||
copied to the struct. This meant that the struct had incomplete
|
||
information about the otherName SAN and contained uninitialized memory.
|
||
* Fix the detection of HardwareModuleName otherName SANs. These were being
|
||
detected by comparing the wrong field and the check was erroneously
|
||
inverted.
|
||
* Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
|
||
enabled, where some low-level modules required by requested PSA crypto
|
||
features were not getting automatically enabled. Fixes #7420.
|
||
* Fix undefined symbols in some builds using TLS 1.3 with a custom
|
||
configuration file.
|
||
* Fix log level for the got supported group message. Fixes #6765
|
||
* Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
|
||
error code on failure. Before, they returned 1 to indicate failure in
|
||
some cases involving a missing entry or a full cache.
|
||
* mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
|
||
* Fix the build with CMake when Everest or P256-m is enabled through
|
||
a user configuration file or the compiler command line. Fixes #8165.
|
||
|
||
Changes
|
||
* Enable Arm / Thumb bignum assembly for most Arm platforms when
|
||
compiling with gcc, clang or armclang and -O0.
|
||
* Enforce minimum RSA key size when generating a key
|
||
to avoid accidental misuse.
|
||
* Use heap memory to allocate DER encoded RSA private key.
|
||
This reduces stack usage significantly for RSA signature
|
||
operations when MBEDTLS_PSA_CRYPTO_C is defined.
|
||
* Update Windows code to use BCryptGenRandom and wcslen, and
|
||
ensure that conversions between size_t, ULONG, and int are
|
||
always done safely. Original contribution by Kevin Kane #635, #730
|
||
followed by Simon Butcher #1453.
|
||
* Users integrating their own PSA drivers should be aware that
|
||
the file library/psa_crypto_driver_wrappers.c has been renamed
|
||
to psa_crypto_driver_wrappers_no_static.c.
|
||
* When using CBC with the cipher module, the requirement to call
|
||
mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
|
||
this call accidentally applied a default padding mode chosen at compile
|
||
time.
|
||
|
||
= Mbed TLS 3.4.1 branch released 2023-08-04
|
||
|
||
Bugfix
|
||
* Fix builds on Windows with clang
|
||
|
||
Changes
|
||
* Update test data to avoid failures of unit tests after 2023-08-07.
|
||
|
||
= Mbed TLS 3.4.0 branch released 2023-03-28
|
||
|
||
Default behavior changes
|
||
* The default priority order of TLS 1.3 cipher suites has been modified to
|
||
follow the same rules as the TLS 1.2 cipher suites (see
|
||
ssl_ciphersuites.c). The preferred cipher suite is now
|
||
TLS_CHACHA20_POLY1305_SHA256.
|
||
|
||
New deprecations
|
||
* mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
|
||
mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
|
||
direct dependency of X509 on BIGNUM_C.
|
||
* PSA to mbedtls error translation is now unified in psa_util.h,
|
||
deprecating mbedtls_md_error_from_psa. Each file that performs error
|
||
translation should define its own version of PSA_TO_MBEDTLS_ERR,
|
||
optionally providing file-specific error pairs. Please see psa_util.h for
|
||
more details.
|
||
|
||
Features
|
||
* Added partial support for parsing the PKCS #7 Cryptographic Message
|
||
Syntax, as defined in RFC 2315. Currently, support is limited to the
|
||
following:
|
||
- Only the signed-data content type, version 1 is supported.
|
||
- Only DER encoding is supported.
|
||
- Only a single digest algorithm per message is supported.
|
||
- Certificates must be in X.509 format. A message must have either 0
|
||
or 1 certificates.
|
||
- There is no support for certificate revocation lists.
|
||
- The authenticated and unauthenticated attribute fields of SignerInfo
|
||
must be empty.
|
||
Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
|
||
contributing this feature, and to Demi-Marie Obenour for contributing
|
||
various improvements, tests and bug fixes.
|
||
* General performance improvements by accessing multiple bytes at a time.
|
||
Fixes #1666.
|
||
* Improvements to use of unaligned and byte-swapped memory, reducing code
|
||
size and improving performance (depending on compiler and target
|
||
architecture).
|
||
* Add support for reading points in compressed format
|
||
(MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
|
||
(and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
|
||
(all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
|
||
except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
|
||
* SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
|
||
This helps in saving code size when some of the above hashes are not
|
||
required.
|
||
* Add parsing of V3 extensions (key usage, Netscape cert-type,
|
||
Subject Alternative Names) in x509 Certificate Sign Requests.
|
||
* Use HOSTCC (if it is set) when compiling C code during generation of the
|
||
configuration-independent files. This allows them to be generated when
|
||
CC is set for cross compilation.
|
||
* Add parsing of uniformResourceIdentifier subtype for subjectAltName
|
||
extension in x509 certificates.
|
||
* Add an interruptible version of sign and verify hash to the PSA interface,
|
||
backed by internal library support for ECDSA signing and verification.
|
||
* Add parsing of rfc822Name subtype for subjectAltName
|
||
extension in x509 certificates.
|
||
* The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
|
||
MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
|
||
the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
|
||
* When a PSA driver for ECDSA is present, it is now possible to disable
|
||
MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
|
||
and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
|
||
Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
|
||
supported in those builds yet, as driver support for interruptible ECDSA
|
||
operations is not present yet.
|
||
* Add a driver dispatch layer for EC J-PAKE, enabling alternative
|
||
implementations of EC J-PAKE through the driver entry points.
|
||
* Add new API mbedtls_ssl_cache_remove for cache entry removal by
|
||
its session id.
|
||
* Add support to include the SubjectAltName extension to a CSR.
|
||
* Add support for AES with the Armv8-A Cryptographic Extension on
|
||
64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
|
||
be used to enable this feature. Run-time detection is supported
|
||
under Linux only.
|
||
* When a PSA driver for EC J-PAKE is present, it is now possible to disable
|
||
MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
|
||
corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
|
||
to be enabled.
|
||
* Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
|
||
to read non-public fields for padding mode and hash id from
|
||
an mbedtls_rsa_context, as requested in #6917.
|
||
* AES-NI is now supported with Visual Studio.
|
||
* AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
|
||
is disabled, when compiling with GCC or Clang or a compatible compiler
|
||
for a target CPU that supports the requisite instructions (for example
|
||
gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
|
||
compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
|
||
* It is now possible to use a PSA-held (opaque) password with the TLS 1.2
|
||
ECJPAKE key exchange, using the new API function
|
||
mbedtls_ssl_set_hs_ecjpake_password_opaque().
|
||
|
||
Security
|
||
* Use platform-provided secure zeroization function where possible, such as
|
||
explicit_bzero().
|
||
* Zeroize SSL cache entries when they are freed.
|
||
* Fix a potential heap buffer overread in TLS 1.3 client-side when
|
||
MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
|
||
* Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
|
||
Arm, so that these systems are no longer vulnerable to timing side-channel
|
||
attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
|
||
Reported by Demi Marie Obenour.
|
||
* MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
|
||
builds that couldn't compile the GCC-style assembly implementation
|
||
(most notably builds with Visual Studio), leaving them vulnerable to
|
||
timing side-channel attacks. There is now an intrinsics-based AES-NI
|
||
implementation as a fallback for when the assembly one cannot be used.
|
||
|
||
Bugfix
|
||
* Fix possible integer overflow in mbedtls_timing_hardclock(), which
|
||
could cause a crash in programs/test/benchmark.
|
||
* Fix IAR compiler warnings. Fixes #6924.
|
||
* Fix a bug in the build where directory names containing spaces were
|
||
causing generate_errors.pl to error out resulting in a build failure.
|
||
Fixes issue #6879.
|
||
* In TLS 1.3, when using a ticket for session resumption, tweak its age
|
||
calculation on the client side. It prevents a server with more accurate
|
||
ticket timestamps (typically timestamps in milliseconds) compared to the
|
||
Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
|
||
than the age computed and transmitted by the client and thus potentially
|
||
reject the ticket. Fix #6623.
|
||
* Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
|
||
defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
|
||
* List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
|
||
be toggled with config.py.
|
||
* The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
|
||
used on a shared secret from a key agreement since its input must be
|
||
an ECC public key. Reject this properly.
|
||
* mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
|
||
whose binary representation is longer than 20 bytes. This was already
|
||
forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
|
||
enforced also at code level.
|
||
* Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
|
||
Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
|
||
Aaron Ucko under Valgrind.
|
||
* Fix behavior of certain sample programs which could, when run with no
|
||
arguments, access uninitialized memory in some cases. Fixes #6700 (which
|
||
was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
|
||
* Fix parsing of X.509 SubjectAlternativeName extension. Previously,
|
||
malformed alternative name components were not caught during initial
|
||
certificate parsing, but only on subsequent calls to
|
||
mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
|
||
* Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
|
||
possible to verify RSA PSS signatures with the pk module, which was
|
||
inadvertently broken since Mbed TLS 3.0.
|
||
* Fix bug in conversion from OID to string in
|
||
mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
|
||
correctly.
|
||
* Reject OIDs with overlong-encoded subidentifiers when converting
|
||
them to a string.
|
||
* Reject OIDs with subidentifier values exceeding UINT_MAX. Such
|
||
subidentifiers can be valid, but Mbed TLS cannot currently handle them.
|
||
* Reject OIDs that have unterminated subidentifiers, or (equivalently)
|
||
have the most-significant bit set in their last byte.
|
||
* Silence warnings from clang -Wdocumentation about empty \retval
|
||
descriptions, which started appearing with Clang 15. Fixes #6960.
|
||
* Fix the handling of renegotiation attempts in TLS 1.3. They are now
|
||
systematically rejected.
|
||
* Fix an unused-variable warning in TLS 1.3-only builds if
|
||
MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
|
||
* Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
|
||
len argument is 0 and buffer is NULL.
|
||
* Allow setting user and peer identifiers for EC J-PAKE operation
|
||
instead of role in PAKE PSA Crypto API as described in the specification.
|
||
This is a partial fix that allows only "client" and "server" identifiers.
|
||
* Fix a compilation error when PSA Crypto is built with support for
|
||
TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
|
||
* In the TLS 1.3 server, select the preferred client cipher suite, not the
|
||
least preferred. The selection error was introduced in Mbed TLS 3.3.0.
|
||
* Fix TLS 1.3 session resumption when the established pre-shared key is
|
||
384 bits long. That is the length of pre-shared keys created under a
|
||
session where the cipher suite is TLS_AES_256_GCM_SHA384.
|
||
* Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
|
||
enabled, which required specifying compiler flags enabling SHA3 Crypto
|
||
Extensions, where some compilers would emit EOR3 instructions in other
|
||
modules, which would then fail if run on a CPU without the SHA3
|
||
extensions. Fixes #5758.
|
||
|
||
Changes
|
||
* Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
|
||
typically /usr/lib/cmake/MbedTLS.
|
||
* Mixed-endian systems are explicitly not supported any more.
|
||
* When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
|
||
defined, mbedtls_pk_sign() now use deterministic ECDSA for ECDSA
|
||
signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO to
|
||
the behaviour without it, where deterministic ECDSA was already used.
|
||
* Visual Studio: Rename the directory containing Visual Studio files from
|
||
visualc/VS2010 to visualc/VS2013 as we do not support building with versions
|
||
older than 2013. Update the solution file to specify VS2013 as a minimum.
|
||
* programs/x509/cert_write:
|
||
- now it accepts the serial number in 2 different formats: decimal and
|
||
hex. They cannot be used simultaneously
|
||
- "serial" is used for the decimal format and it's limted in size to
|
||
unsigned long long int
|
||
- "serial_hex" is used for the hex format; max length here is
|
||
MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
|
||
* The C code follows a new coding style. This is transparent for users but
|
||
affects contributors and maintainers of local patches. For more
|
||
information, see
|
||
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
|
||
* Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
|
||
As tested in issue 6790, the correlation between this define and
|
||
RSA decryption performance has changed lately due to security fixes.
|
||
To fix the performance degradation when using default values the
|
||
window was reduced from 6 to 2, a value that gives the best or close
|
||
to best results when tested on Cortex-M4 and Intel i7.
|
||
* When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
|
||
MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
|
||
compiler target flags on the command line; the library now sets target
|
||
options within the appropriate modules.
|
||
|
||
= Mbed TLS 3.3.0 branch released 2022-12-14
|
||
|
||
Default behavior changes
|
||
* Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
|
||
of the IETF draft, and was marked experimental and disabled by default.
|
||
It is now no longer experimental, and implements the final version from
|
||
RFC 9146, which is not interoperable with the draft-05 version.
|
||
If you need to communicate with peers that use earlier versions of
|
||
Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
|
||
to 1, but then you won't be able to communicate with peers that use the
|
||
standard (non-draft) version.
|
||
If you need to interoperate with both classes of peers with the
|
||
same build of Mbed TLS, please let us know about your situation on the
|
||
mailing list or GitHub.
|
||
|
||
Requirement changes
|
||
* When building with PSA drivers using generate_driver_wrappers.py, or
|
||
when building the library from the development branch rather than
|
||
from a release, the Python module jsonschema is now necessary, in
|
||
addition to jinja2. The official list of required Python modules is
|
||
maintained in scripts/basic.requirements.txt and may change again
|
||
in the future.
|
||
|
||
New deprecations
|
||
* Deprecate mbedtls_asn1_free_named_data().
|
||
Use mbedtls_asn1_free_named_data_list()
|
||
or mbedtls_asn1_free_named_data_list_shallow().
|
||
|
||
Features
|
||
* Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
|
||
* make: enable building unversioned shared library, with e.g.:
|
||
"SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib"
|
||
resulting in library names like "libmbedtls.so" rather than
|
||
"libmbedcrypto.so.11".
|
||
* Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
|
||
Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
|
||
are supported in this implementation.
|
||
* Some modules can now use PSA drivers for hashes, including with no
|
||
built-in implementation present, but only in some configurations.
|
||
- RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
|
||
hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
|
||
- PEM parsing of encrypted files now uses MD-5 from PSA when (and only
|
||
when) MBEDTLS_MD5_C is disabled.
|
||
See the documentation of the corresponding macros in mbedtls_config.h for
|
||
details.
|
||
Note that some modules are not able to use hashes from PSA yet, including
|
||
the entropy module. As a consequence, for now the only way to build with
|
||
all hashes only provided by drivers (no built-in hash) is to use
|
||
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
|
||
* When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
|
||
properly negotiate/accept hashes based on their availability in PSA.
|
||
As a consequence, they now work in configurations where the built-in
|
||
implementations of (some) hashes are excluded and those hashes are only
|
||
provided by PSA drivers. (See previous entry for limitation on RSA-PSS
|
||
though: that module only use hashes from PSA when MBEDTLS_MD_C is off).
|
||
* Add support for opaque keys as the private keys associated to certificates
|
||
for authentication in TLS 1.3.
|
||
* Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
|
||
Signature verification is production-ready, but generation is for testing
|
||
purposes only. This currently only supports one parameter set
|
||
(LMS_SHA256_M32_H10), meaning that each private key can be used to sign
|
||
1024 messages. As such, it is not intended for use in TLS, but instead
|
||
for verification of assets transmitted over an insecure channel,
|
||
particularly firmware images.
|
||
* Add the LM-OTS post-quantum-safe one-time signature scheme, which is
|
||
required for LMS. This can be used independently, but each key can only
|
||
be used to sign one message so is impractical for most circumstances.
|
||
* Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
|
||
The pre-shared keys can be provisioned externally or via the ticket
|
||
mechanism (session resumption).
|
||
The ticket mechanism is supported when the configuration option
|
||
MBEDTLS_SSL_SESSION_TICKETS is enabled.
|
||
New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
|
||
control the support for the three possible TLS 1.3 key exchange modes.
|
||
* cert_write: support for setting extended key usage attributes. A
|
||
corresponding new public API call has been added in the library,
|
||
mbedtls_x509write_crt_set_ext_key_usage().
|
||
* cert_write: support for writing certificate files in either PEM
|
||
or DER format.
|
||
* The PSA driver wrapper generator generate_driver_wrappers.py now
|
||
supports a subset of the driver description language, including
|
||
the following entry points: import_key, export_key, export_public_key,
|
||
get_builtin_key, copy_key.
|
||
* The new functions mbedtls_asn1_free_named_data_list() and
|
||
mbedtls_asn1_free_named_data_list_shallow() simplify the management
|
||
of memory in named data lists in X.509 structures.
|
||
* The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
|
||
Additional PSA key slots will be allocated in the process of such key
|
||
exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
|
||
MBEDTLS_USE_PSA_CRYPTO.
|
||
* Add support for DTLS Connection ID as defined by RFC 9146, controlled by
|
||
MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
|
||
mbedtls_ssl_set_cid().
|
||
* Add a driver dispatch layer for raw key agreement, enabling alternative
|
||
implementations of raw key agreement through the key_agreement driver
|
||
entry point. This entry point is specified in the proposed PSA driver
|
||
interface, but had not yet been implemented.
|
||
* Add an ad-hoc key derivation function handling EC J-PAKE to PMS
|
||
calculation that can be used to derive the session secret in TLS 1.2,
|
||
as described in draft-cragie-tls-ecjpake-01. This can be achieved by
|
||
using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.
|
||
|
||
Security
|
||
* Fix potential heap buffer overread and overwrite in DTLS if
|
||
MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
|
||
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
|
||
* Fix an issue where an adversary with access to precise enough information
|
||
about memory accesses (typically, an untrusted operating system attacking
|
||
a secure enclave) could recover an RSA private key after observing the
|
||
victim performing a single private-key operation if the window size used
|
||
for the exponentiation was 3 or smaller. Found and reported by Zili KOU,
|
||
Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
|
||
and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
|
||
and Test in Europe 2023.
|
||
|
||
Bugfix
|
||
* Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
|
||
* Fix an issue with in-tree CMake builds in releases with GEN_FILES
|
||
turned off: if a shipped file was missing from the working directory,
|
||
it could be turned into a symbolic link to itself.
|
||
* Fix a long-standing build failure when building x86 PIC code with old
|
||
gcc (4.x). The code will be slower, but will compile. We do however
|
||
recommend upgrading to a more recent compiler instead. Fixes #1910.
|
||
* Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
|
||
Contributed by Kazuyuki Kimura to fix #2020.
|
||
* Use double quotes to include private header file psa_crypto_cipher.h.
|
||
Fixes 'file not found with <angled> include' error
|
||
when building with Xcode.
|
||
* Fix handling of broken symlinks when loading certificates using
|
||
mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
|
||
broken link is encountered, skip the broken link and continue parsing
|
||
other certificate files. Contributed by Eduardo Silva in #2602.
|
||
* Fix an interoperability failure between an Mbed TLS client with both
|
||
TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
|
||
rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
|
||
advertised support for PSS in both TLS 1.2 and 1.3, but only
|
||
actually supported PSS in TLS 1.3.
|
||
* Fix a compilation error when using CMake with an IAR toolchain.
|
||
Fixes #5964.
|
||
* Fix a build error due to a missing prototype warning when
|
||
MBEDTLS_DEPRECATED_REMOVED is enabled.
|
||
* Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
|
||
MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
|
||
uninitialized context.
|
||
* Fix a build issue on Windows using CMake where the source and build
|
||
directories could not be on different drives. Fixes #5751.
|
||
* Fix bugs and missing dependencies when building and testing
|
||
configurations with only one encryption type enabled in TLS 1.2.
|
||
* Provide the missing definition of mbedtls_setbuf() in some configurations
|
||
with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
|
||
* Fix compilation errors when trying to build with
|
||
PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
|
||
* Fix memory leak in ssl_parse_certificate_request() caused by
|
||
mbedtls_x509_get_name() not freeing allocated objects in case of error.
|
||
Change mbedtls_x509_get_name() to clean up allocated objects on error.
|
||
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
|
||
MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
|
||
* Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
|
||
MBEDTLS_PK_PARSE_C. Fixes #6409.
|
||
* Fix ECDSA verification, where it was not always validating the
|
||
public key. This bug meant that it was possible to verify a
|
||
signature with an invalid public key, in some cases. Reported by
|
||
Guido Vranken using Cryptofuzz in #4420.
|
||
* Fix a possible null pointer dereference if a memory allocation fails
|
||
in TLS PRF code. Reported by Michael Madsen in #6516.
|
||
* Fix TLS 1.3 session resumption. Fixes #6488.
|
||
* Add a configuration check to exclude optional client authentication
|
||
in TLS 1.3 (where it is forbidden).
|
||
* Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
|
||
bytes when parsing certificates containing a binary RFC 4108
|
||
HardwareModuleName as a Subject Alternative Name extension. Hardware
|
||
serial numbers are now rendered in hex format. Fixes #6262.
|
||
* Fix bug in error reporting in dh_genprime.c where upon failure,
|
||
the error code returned by mbedtls_mpi_write_file() is overwritten
|
||
and therefore not printed.
|
||
* In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
|
||
with A > 0 created an unintended representation of the value 0 which was
|
||
not processed correctly by some bignum operations. Fix this. This had no
|
||
consequence on cryptography code, but might affect applications that call
|
||
bignum directly and use negative numbers.
|
||
* Fix a bug whereby the list of signature algorithms sent as part of
|
||
the TLS 1.2 server certificate request would get corrupted, meaning the
|
||
first algorithm would not get sent and an entry consisting of two random
|
||
bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian.
|
||
* Fix undefined behavior (typically harmless in practice) of
|
||
mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
|
||
when both operands are 0 and the left operand is represented with 0 limbs.
|
||
* Fix undefined behavior (typically harmless in practice) when some bignum
|
||
functions receive the most negative value of mbedtls_mpi_sint. Credit
|
||
to OSS-Fuzz. Fixes #6597.
|
||
* Fix undefined behavior (typically harmless in practice) in PSA ECB
|
||
encryption and decryption.
|
||
* Move some SSL-specific code out of libmbedcrypto where it had been placed
|
||
accidentally.
|
||
* Fix a build error when compiling the bignum module for some Arm platforms.
|
||
Fixes #6089, #6124, #6217.
|
||
|
||
Changes
|
||
* Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.
|
||
* Calling AEAD tag-specific functions for non-AEAD algorithms (which
|
||
should not be done - they are documented for use only by AES-GCM and
|
||
ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
|
||
instead of success (0).
|
||
|
||
= Mbed TLS 3.2.1 branch released 2022-07-12
|
||
|
||
Bugfix
|
||
* Re-add missing generated file library/psa_crypto_driver_wrappers.c
|
||
|
||
= Mbed TLS 3.2.0 branch released 2022-07-11
|
||
|
||
Default behavior changes
|
||
* mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
|
||
for IV lengths other than 12. The library was silently overwriting this
|
||
length with 12, but did not inform the caller about it. Fixes #4301.
|
||
|
||
Requirement changes
|
||
* The library will no longer compile out of the box on a platform without
|
||
setbuf(). If your platform does not have setbuf(), you can configure an
|
||
alternative function by enabling MBEDTLS_PLATFORM_SETBUF_ALT or
|
||
MBEDTLS_PLATFORM_SETBUF_MACRO.
|
||
|
||
New deprecations
|
||
* Deprecate mbedtls_ssl_conf_max_version() and
|
||
mbedtls_ssl_conf_min_version() in favor of
|
||
mbedtls_ssl_conf_max_tls_version() and
|
||
mbedtls_ssl_conf_min_tls_version().
|
||
* Deprecate mbedtls_cipher_setup_psa(). Use psa_aead_xxx() or
|
||
psa_cipher_xxx() directly instead.
|
||
* Secure element drivers enabled by MBEDTLS_PSA_CRYPTO_SE_C are deprecated.
|
||
This was intended as an experimental feature, but had not been explicitly
|
||
documented as such. Use opaque drivers with the interface enabled by
|
||
MBEDTLS_PSA_CRYPTO_DRIVERS instead.
|
||
* Deprecate mbedtls_ssl_conf_sig_hashes() in favor of the more generic
|
||
mbedtls_ssl_conf_sig_algs(). Signature algorithms for the TLS 1.2 and
|
||
TLS 1.3 handshake should now be configured with
|
||
mbedtls_ssl_conf_sig_algs().
|
||
|
||
Features
|
||
* Add accessor to obtain ciphersuite id from ssl context.
|
||
* Add accessors to get members from ciphersuite info.
|
||
* Add mbedtls_ssl_ticket_rotate() for external ticket rotation.
|
||
* Add accessor to get the raw buffer pointer from a PEM context.
|
||
* The structures mbedtls_ssl_config and mbedtls_ssl_context now store
|
||
a piece of user data which is reserved for the application. The user
|
||
data can be either a pointer or an integer.
|
||
* Add an accessor function to get the configuration associated with
|
||
an SSL context.
|
||
* Add a function to access the protocol version from an SSL context in a
|
||
form that's easy to compare. Fixes #5407.
|
||
* Add function mbedtls_md_info_from_ctx() to recall the message digest
|
||
information that was used to set up a message digest context.
|
||
* Add ALPN support in TLS 1.3 clients.
|
||
* Add server certificate selection callback near end of Client Hello.
|
||
Register callback with mbedtls_ssl_conf_cert_cb().
|
||
* Provide mechanism to reset handshake cert list by calling
|
||
mbedtls_ssl_set_hs_own_cert() with NULL value for own_cert param.
|
||
* Add accessor mbedtls_ssl_get_hs_sni() to retrieve SNI from within
|
||
cert callback (mbedtls_ssl_conf_cert_cb()) during handshake.
|
||
* The X.509 module now uses PSA hash acceleration if present.
|
||
* Add support for psa crypto key derivation for elliptic curve
|
||
keys. Fixes #3260.
|
||
* Add function mbedtls_timing_get_final_delay() to access the private
|
||
final delay field in an mbedtls_timing_delay_context, as requested in
|
||
#5183.
|
||
* Add mbedtls_pk_sign_ext() which allows generating RSA-PSS signatures when
|
||
PSA Crypto is enabled.
|
||
* Add function mbedtls_ecp_export() to export ECP key pair parameters.
|
||
Fixes #4838.
|
||
* Add function mbedtls_ssl_is_handshake_over() to enable querying if the SSL
|
||
Handshake has completed or not, and thus whether to continue calling
|
||
mbedtls_ssl_handshake_step(), requested in #4383.
|
||
* Add the function mbedtls_ssl_get_own_cid() to access our own connection id
|
||
within mbedtls_ssl_context, as requested in #5184.
|
||
* Introduce mbedtls_ssl_hs_cb_t typedef for use with
|
||
mbedtls_ssl_conf_cert_cb() and perhaps future callbacks
|
||
during TLS handshake.
|
||
* Add functions mbedtls_ssl_conf_max_tls_version() and
|
||
mbedtls_ssl_conf_min_tls_version() that use a single value to specify
|
||
the protocol version.
|
||
* Extend the existing PSA_ALG_TLS12_PSK_TO_MS() algorithm to support
|
||
mixed-PSK. Add an optional input PSA_KEY_DERIVATION_INPUT_OTHER_SECRET
|
||
holding the other secret.
|
||
* When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
|
||
feature requirements in the file named by the new macro
|
||
MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
|
||
Furthermore you may name an additional file to include after the main
|
||
file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
|
||
* Add the function mbedtls_x509_crt_has_ext_type() to access the ext types
|
||
field within mbedtls_x509_crt context, as requested in #5585.
|
||
* Add HKDF-Expand and HKDF-Extract as separate algorithms in the PSA API.
|
||
* Add support for the ARMv8 SHA-2 acceleration instructions when building
|
||
for Aarch64.
|
||
* Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
|
||
* Add support for server HelloRetryRequest message. The TLS 1.3 client is
|
||
now capable of negotiating another shared secret if the one sent in its
|
||
first ClientHello was not suitable to the server.
|
||
* Add support for client-side TLS version negotiation. If both TLS 1.2 and
|
||
TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now
|
||
negotiates TLS 1.3 or TLS 1.2 with TLS servers.
|
||
* Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS
|
||
1.2 protocol support.
|
||
* Mbed TLS provides an implementation of a TLS 1.3 server (ephemeral key
|
||
establishment only). See docs/architecture/tls13-support.md for a
|
||
description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and
|
||
MBEDTLS_SSL_SRV_C configuration options control this.
|
||
* Add accessors to configure DN hints for certificate request:
|
||
mbedtls_ssl_conf_dn_hints() and mbedtls_ssl_set_hs_dn_hints()
|
||
* The configuration option MBEDTLS_USE_PSA_CRYPTO, which previously
|
||
affected only a limited subset of crypto operations in TLS, X.509 and PK,
|
||
now causes most of them to be done using PSA Crypto; see
|
||
docs/use-psa-crypto.md for the list of exceptions.
|
||
* The function mbedtls_pk_setup_opaque() now supports RSA key pairs as well.
|
||
Opaque keys can now be used everywhere a private key is expected in the
|
||
TLS and X.509 modules.
|
||
* Opaque pre-shared keys for TLS, provisioned with
|
||
mbedtls_ssl_conf_psk_opaque() or mbedtls_ssl_set_hs_psk_opaque(), which
|
||
previously only worked for "pure" PSK key exchange, now can also be used
|
||
for the "mixed" PSK key exchanges as well: ECDHE-PSK, DHE-PSK, RSA-PSK.
|
||
* cmake now detects if it is being built as a sub-project, and in that case
|
||
disables the target export/installation and package configuration.
|
||
* Make USE_PSA_CRYPTO compatible with KEY_ID_ENCODES_OWNER. Fixes #5259.
|
||
* Add example programs cipher_aead_demo.c, md_hmac_demo.c, aead_demo.c
|
||
and hmac_demo.c, which use PSA and the md/cipher interfaces side
|
||
by side in order to illustrate how the operation is performed in PSA.
|
||
Addresses #5208.
|
||
|
||
Security
|
||
* Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
|
||
module before freeing them. These buffers contain secret key material, and
|
||
could thus potentially leak the key through freed heap.
|
||
* Fix potential memory leak inside mbedtls_ssl_cache_set() with
|
||
an invalid session id length.
|
||
* Add the platform function mbedtls_setbuf() to allow buffering to be
|
||
disabled on stdio files, to stop secrets loaded from said files being
|
||
potentially left in memory after file operations. Reported by
|
||
Glenn Strauss.
|
||
* Fix a potential heap buffer overread in TLS 1.2 server-side when
|
||
MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
|
||
mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
|
||
is selected. This may result in an application crash or potentially an
|
||
information leak.
|
||
* Fix a buffer overread in DTLS ClientHello parsing in servers with
|
||
MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
|
||
or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
|
||
after the end of the SSL input buffer. The buffer overread only happens
|
||
when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
|
||
the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
|
||
and possibly up to 571 bytes with a custom cookie check function.
|
||
Reported by the Cybeats PSI Team.
|
||
* Fix a buffer overread in TLS 1.3 Certificate parsing. An unauthenticated
|
||
client or server could cause an MbedTLS server or client to overread up
|
||
to 64 kBytes of data and potentially overread the input buffer by that
|
||
amount minus the size of the input buffer. As overread data undergoes
|
||
various checks, the likelihood of reaching the boundary of the input
|
||
buffer is rather small but increases as its size
|
||
MBEDTLS_SSL_IN_CONTENT_LEN decreases.
|
||
* Fix check of certificate key usage in TLS 1.3. The usage of the public key
|
||
provided by a client or server certificate for authentication was not
|
||
checked properly when validating the certificate. This could cause a
|
||
client or server to be able to authenticate itself through a certificate
|
||
to an Mbed TLS TLS 1.3 server or client while it does not own a proper
|
||
certificate to do so.
|
||
|
||
Bugfix
|
||
* Declare or use PSA_WANT_ALG_CCM_STAR_NO_TAG following the general
|
||
pattern for PSA_WANT_xxx symbols. Previously you had to specify
|
||
PSA_WANT_ALG_CCM for PSA_ALG_CCM_STAR_NO_TAG.
|
||
* Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
|
||
* Fixed swap of client and server random bytes when exporting them alongside
|
||
TLS 1.3 handshake and application traffic secret.
|
||
* Fix several bugs (warnings, compiler and linker errors, test failures)
|
||
in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
|
||
* Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
|
||
enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
|
||
client would fail to check that the curve selected by the server for
|
||
ECDHE was indeed one that was offered. As a result, the client would
|
||
accept any curve that it supported, even if that curve was not allowed
|
||
according to its configuration. Fixes #5291.
|
||
* The TLS 1.3 implementation is now compatible with the
|
||
MBEDTLS_USE_PSA_CRYPTO configuration option.
|
||
* Fix unit tests that used 0 as the file UID. This failed on some
|
||
implementations of PSA ITS. Fixes #3838.
|
||
* Fix mbedtls_ssl_get_version() not reporting TLSv1.3. Fixes #5406.
|
||
* Fix API violation in mbedtls_md_process() test by adding a call to
|
||
mbedtls_md_starts(). Fixes #2227.
|
||
* Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
|
||
to catch bad uses of time.h.
|
||
* Fix a race condition in out-of-source builds with CMake when generated data
|
||
files are already present. Fixes #5374.
|
||
* Fix the library search path when building a shared library with CMake
|
||
on Windows.
|
||
* Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
|
||
potentially leading to corrupted alert messages being sent in case
|
||
the function needs to be re-called after initially returning
|
||
MBEDTLS_SSL_WANT_WRITE. Fixes #1916.
|
||
* In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but not
|
||
MBEDTLS_DEBUG_C, DTLS handshakes using CID would crash due to a null
|
||
pointer dereference. Fix this. Fixes #3998.
|
||
The fix was released, but not announced, in Mbed TLS 3.1.0.
|
||
* Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
|
||
documentation stated that the `allowed_pks` field applies to signatures
|
||
only, but in fact it does apply to the public key type of the end entity
|
||
certificate, too. Fixes #1992.
|
||
* Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
|
||
not NULL and val_len is zero.
|
||
* Fix compilation error with mingw32. Fixed by Cameron Cawley in #4211.
|
||
* Fix compilation error when using C++ Builder on Windows. Reported by
|
||
Miroslav Mastny in #4015.
|
||
* psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
|
||
applicable. Fixes #5735.
|
||
* Fix a bug in the x25519 example program where the removal of
|
||
MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
|
||
#3191.
|
||
* Fix a TLS 1.3 handshake failure when the peer Finished message has not
|
||
been received yet when we first try to fetch it.
|
||
* Encode X.509 dates before 1/1/2000 as UTCTime rather than
|
||
GeneralizedTime. Fixes #5465.
|
||
* Add mbedtls_x509_dn_get_next function to return the next relative DN in
|
||
an X509 name, to allow walking the name list. Fixes #5431.
|
||
* Fix order value of curve x448.
|
||
* Fix string representation of DNs when outputting values containing commas
|
||
and other special characters, conforming to RFC 1779. Fixes #769.
|
||
* Silence a warning from GCC 12 in the selftest program. Fixes #5974.
|
||
* Fix check_config.h to check that we have MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||
when MBEDTLS_SSL_PROTO_TLS1_3 is specified, and make this and other
|
||
dependencies explicit in the documentation. Fixes #5610.
|
||
* Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
|
||
* Fix a TLS 1.3 handshake failure when the first attempt to send the client
|
||
Finished message on the network cannot be satisfied. Fixes #5499.
|
||
* Fix resource leaks in mbedtls_pk_parse_public_key() in low
|
||
memory conditions.
|
||
* Fix server connection identifier setting for outgoing encrypted records
|
||
on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
|
||
connection identifier, the Mbed TLS client now properly sends the server
|
||
connection identifier in encrypted record headers. Fix #5872.
|
||
* Fix a null pointer dereference when performing some operations on zero
|
||
represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
|
||
by 2, and mbedtls_mpi_write_string() in base 2).
|
||
* Fix record sizes larger than 16384 being sometimes accepted despite being
|
||
non-compliant. This could not lead to a buffer overflow. In particular,
|
||
application data size was already checked correctly.
|
||
* Fix MBEDTLS_SVC_KEY_ID_GET_KEY_ID() and MBEDTLS_SVC_KEY_ID_GET_OWNER_ID()
|
||
which have been broken, resulting in compilation errors, since Mbed TLS
|
||
3.0.
|
||
* Ensure that TLS 1.2 ciphersuite/certificate and key selection takes into
|
||
account not just the type of the key (RSA vs EC) but also what it can
|
||
actually do. Resolves #5831.
|
||
* Fix CMake windows host detection, especially when cross compiling.
|
||
* Fix an error in make where the absence of a generated file caused
|
||
make to break on a clean checkout. Fixes #5340.
|
||
* Work around an MSVC ARM64 compiler bug causing incorrect behaviour
|
||
in mbedtls_mpi_exp_mod(). Reported by Tautvydas Žilys in #5467.
|
||
* Removed the prompt to exit from all windows build programs, which was causing
|
||
issues in CI/CD environments.
|
||
|
||
Changes
|
||
* The file library/psa_crypto_driver_wrappers.c is now generated
|
||
from a template. In the future, the generation will support
|
||
driver descriptions. For the time being, to customize this file,
|
||
see docs/proposed/psa-driver-wrappers-codegen-migration-guide.md
|
||
* Return PSA_ERROR_INVALID_ARGUMENT if the algorithm passed to one-shot
|
||
AEAD functions is not an AEAD algorithm. This aligns them with the
|
||
multipart functions, and the PSA Crypto API 1.1 specification.
|
||
* In mbedtls_pk_parse_key(), if no password is provided, don't allocate a
|
||
temporary variable on the heap. Suggested by Sergey Kanatov in #5304.
|
||
* Assume source files are in UTF-8 when using MSVC with CMake.
|
||
* Fix runtime library install location when building with CMake and MinGW.
|
||
DLLs are now installed in the bin directory instead of lib.
|
||
* cmake: Use GnuInstallDirs to customize install directories
|
||
Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
|
||
variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
|
||
LIB_INSTALL_DIR is set.
|
||
* Add a CMake option that enables static linking of the runtime library
|
||
in Microsoft Visual C++ compiler. Contributed by Microplankton.
|
||
* In CMake builds, add aliases for libraries so that the normal MbedTLS::*
|
||
targets work when MbedTLS is built as a subdirectory. This allows the
|
||
use of FetchContent, as requested in #5688.
|
||
|
||
= mbed TLS 3.1.0 branch released 2021-12-17
|
||
|
||
API changes
|
||
* New error code for GCM: MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL.
|
||
Alternative GCM implementations are expected to verify
|
||
the length of the provided output buffers and to return the
|
||
MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the buffer length is too small.
|
||
* You can configure groups for a TLS key exchange with the new function
|
||
mbedtls_ssl_conf_groups(). It extends mbedtls_ssl_conf_curves().
|
||
* Declare a number of structure fields as public: the fields of
|
||
mbedtls_ecp_curve_info, the fields describing the result of ASN.1 and
|
||
X.509 parsing, and finally the field fd of mbedtls_net_context on
|
||
POSIX/Unix-like platforms.
|
||
|
||
Requirement changes
|
||
* Sign-magnitude and one's complement representations for signed integers are
|
||
not supported. Two's complement is the only supported representation.
|
||
|
||
New deprecations
|
||
* Deprecate mbedtls_ssl_conf_curves() in favor of the more generic
|
||
mbedtls_ssl_conf_groups().
|
||
|
||
Removals
|
||
* Remove the partial support for running unit tests via Greentea on Mbed OS,
|
||
which had been unmaintained since 2018.
|
||
|
||
Features
|
||
* Enable support for Curve448 via the PSA API. Contributed by
|
||
Archana Madhavan in #4626. Fixes #3399 and #4249.
|
||
* The identifier of the CID TLS extension can be configured by defining
|
||
MBEDTLS_TLS_EXT_CID at compile time.
|
||
* Implement the PSA multipart AEAD interface, currently supporting
|
||
ChaChaPoly and GCM.
|
||
* Warn if errors from certain functions are ignored. This is currently
|
||
supported on GCC-like compilers and on MSVC and can be configured through
|
||
the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
|
||
(where supported) for critical functions where ignoring the return
|
||
value is almost always a bug. Enable the new configuration option
|
||
MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
|
||
is currently implemented in the AES, DES and md modules, and will be
|
||
extended to other modules in the future.
|
||
* Add missing PSA macros declared by PSA Crypto API 1.0.0:
|
||
PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
|
||
* Add support for CCM*-no-tag cipher to the PSA.
|
||
Currently only 13-byte long IV's are supported.
|
||
For decryption a minimum of 16-byte long input is expected.
|
||
These restrictions may be subject to change.
|
||
* Add new API mbedtls_ct_memcmp for constant time buffer comparison.
|
||
* Add functions to get the IV and block size from cipher_info structs.
|
||
* Add functions to check if a cipher supports variable IV or key size.
|
||
* Add the internal implementation of and support for CCM to the PSA multipart
|
||
AEAD interface.
|
||
* Mbed TLS provides a minimum viable implementation of the TLS 1.3
|
||
protocol. See docs/architecture/tls13-support.md for the definition of
|
||
the TLS 1.3 Minimum Viable Product (MVP). The MBEDTLS_SSL_PROTO_TLS1_3
|
||
configuration option controls the enablement of the support. The APIs
|
||
mbedtls_ssl_conf_min_version() and mbedtls_ssl_conf_max_version() allow
|
||
to select the 1.3 version of the protocol to establish a TLS connection.
|
||
* Add PSA API definition for ARIA.
|
||
|
||
Security
|
||
* Zeroize several intermediate variables used to calculate the expected
|
||
value when verifying a MAC or AEAD tag. This hardens the library in
|
||
case the value leaks through a memory disclosure vulnerability. For
|
||
example, a memory disclosure vulnerability could have allowed a
|
||
man-in-the-middle to inject fake ciphertext into a DTLS connection.
|
||
* In psa_aead_generate_nonce(), do not read back from the output buffer.
|
||
This fixes a potential policy bypass or decryption oracle vulnerability
|
||
if the output buffer is in memory that is shared with an untrusted
|
||
application.
|
||
* In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
|
||
from the output buffer. This fixes a potential policy bypass or decryption
|
||
oracle vulnerability if the output buffer is in memory that is shared with
|
||
an untrusted application.
|
||
* Fix a double-free that happened after mbedtls_ssl_set_session() or
|
||
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
|
||
(out of memory). After that, calling mbedtls_ssl_session_free()
|
||
and mbedtls_ssl_free() would cause an internal session buffer to
|
||
be free()'d twice.
|
||
|
||
Bugfix
|
||
* Stop using reserved identifiers as local variables. Fixes #4630.
|
||
* The GNU makefiles invoke python3 in preference to python except on Windows.
|
||
The check was accidentally not performed when cross-compiling for Windows
|
||
on Linux. Fix this. Fixes #4774.
|
||
* Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
|
||
PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
|
||
* Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
|
||
* Don't use the obsolete header path sys/fcntl.h in unit tests.
|
||
These header files cause compilation errors in musl.
|
||
Fixes #4969.
|
||
* Fix missing constraints on x86_64 and aarch64 assembly code
|
||
for bignum multiplication that broke some bignum operations with
|
||
(at least) Clang 12.
|
||
Fixes #4116, #4786, #4917, #4962.
|
||
* Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
|
||
* Failures of alternative implementations of AES or DES single-block
|
||
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
|
||
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
|
||
This does not concern the implementation provided with Mbed TLS,
|
||
where this function cannot fail, or full-module replacements with
|
||
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
|
||
* Some failures of HMAC operations were ignored. These failures could only
|
||
happen with an alternative implementation of the underlying hash module.
|
||
* Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
|
||
* Fix compile-time or run-time errors in PSA
|
||
AEAD functions when ChachaPoly is disabled. Fixes #5065.
|
||
* Remove PSA'a AEAD finish/verify output buffer limitation for GCM.
|
||
The requirement of minimum 15 bytes for output buffer in
|
||
psa_aead_finish() and psa_aead_verify() does not apply to the built-in
|
||
implementation of GCM.
|
||
* Move GCM's update output buffer length verification from PSA AEAD to
|
||
the built-in implementation of the GCM.
|
||
The requirement for output buffer size to be equal or greater then
|
||
input buffer size is valid only for the built-in implementation of GCM.
|
||
Alternative GCM implementations can process whole blocks only.
|
||
* Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
|
||
MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
|
||
* Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
|
||
This algorithm now accepts only the same salt length for verification
|
||
that it produces when signing, as documented. Use the new algorithm
|
||
PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
|
||
* The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
|
||
for algorithm values that fully encode the hashing step, as per the PSA
|
||
Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
|
||
PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
|
||
all algorithms that can be used with psa_{sign,verify}_hash(), including
|
||
these two.
|
||
* Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
|
||
not to list other shared libraries they need.
|
||
* Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
|
||
exceeds 2^32. Fixes #4884.
|
||
* Fix an uninitialized variable warning in test_suite_ssl.function with GCC
|
||
version 11.
|
||
* Fix the build when no SHA2 module is included. Fixes #4930.
|
||
* Fix the build when only the bignum module is included. Fixes #4929.
|
||
* Fix a potential invalid pointer dereference and infinite loop bugs in
|
||
pkcs12 functions when the password is empty. Fix the documentation to
|
||
better describe the inputs to these functions and their possible values.
|
||
Fixes #5136.
|
||
* The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
|
||
operations psa_mac_compute() and psa_mac_sign_setup().
|
||
* The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
|
||
operations psa_mac_verify() and psa_mac_verify_setup().
|
||
|
||
Changes
|
||
* Explicitly mark the fields mbedtls_ssl_session.exported and
|
||
mbedtls_ssl_config.respect_cli_pref as private. This was an
|
||
oversight during the run-up to the release of Mbed TLS 3.0.
|
||
The fields were never intended to be public.
|
||
* Implement multi-part CCM API.
|
||
The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
|
||
mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish()
|
||
were introduced in mbedTLS 3.0 release, however their implementation was
|
||
postponed until now.
|
||
Implemented functions support chunked data input for both CCM and CCM*
|
||
algorithms.
|
||
* Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the
|
||
code size by about 80B on an M0 build. This option only gated an ability
|
||
to set a callback, but was deemed unnecessary as it was yet another define
|
||
to remember when writing tests, or test configurations. Fixes #4653.
|
||
* Improve the performance of base64 constant-flow code. The result is still
|
||
slower than the original non-constant-flow implementation, but much faster
|
||
than the previous constant-flow implementation. Fixes #4814.
|
||
* Ignore plaintext/ciphertext lengths for CCM*-no-tag operations.
|
||
For CCM* encryption/decryption without authentication, input
|
||
length will be ignored.
|
||
* Indicate in the error returned if the nonce length used with
|
||
ChaCha20-Poly1305 is invalid, and not just unsupported.
|
||
* The mbedcrypto library includes a new source code module constant_time.c,
|
||
containing various functions meant to resist timing side channel attacks.
|
||
This module does not have a separate configuration option, and functions
|
||
from this module will be included in the build as required. Currently
|
||
most of the interface of this module is private and may change at any
|
||
time.
|
||
* The generated configuration-independent files are now automatically
|
||
generated by the CMake build system on Unix-like systems. This is not
|
||
yet supported when cross-compiling.
|
||
|
||
= Mbed TLS 3.0.0 branch released 2021-07-07
|
||
|
||
API changes
|
||
* Remove HAVEGE module.
|
||
The design of HAVEGE makes it unsuitable for microcontrollers. Platforms
|
||
with a more complex CPU usually have an operating system interface that
|
||
provides better randomness. Instead of HAVEGE, declare OS or hardware RNG
|
||
interfaces with mbedtls_entropy_add_source() and/or use an entropy seed
|
||
file created securely during device provisioning. See
|
||
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/add-entropy-sources-to-entropy-pool/ for
|
||
more information.
|
||
* Add missing const attributes to API functions.
|
||
* Remove helpers for the transition from Mbed TLS 1.3 to Mbed TLS 2.0: the
|
||
header compat-1.3.h and the script rename.pl.
|
||
* Remove certs module from the API.
|
||
Transfer keys and certificates embedded in the library to the test
|
||
component. This contributes to minimizing library API and discourages
|
||
users from using unsafe keys in production.
|
||
* Move alt helpers and definitions.
|
||
Various helpers and definitions available for use in alt implementations
|
||
have been moved out of the include/ directory and into the library/
|
||
directory. The files concerned are ecp_internal.h and rsa_internal.h
|
||
which have also been renamed to ecp_internal_alt.h and rsa_alt_helpers.h
|
||
respectively.
|
||
* Move internal headers.
|
||
Header files that were only meant for the library's internal use and
|
||
were not meant to be used in application code have been moved out of
|
||
the include/ directory. The headers concerned are bn_mul.h, aesni.h,
|
||
padlock.h, entropy_poll.h and *_internal.h.
|
||
* Drop support for parsing SSLv2 ClientHello
|
||
(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO).
|
||
* Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
|
||
* Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
|
||
* Drop support for RC4 TLS ciphersuites.
|
||
* Drop support for single-DES ciphersuites.
|
||
* Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
|
||
* Update AEAD output size macros to bring them in line with the PSA Crypto
|
||
API version 1.0 spec. This version of the spec parameterizes them on the
|
||
key type used, as well as the key bit-size in the case of
|
||
PSA_AEAD_TAG_LENGTH.
|
||
* Add configuration option MBEDTLS_X509_REMOVE_INFO which
|
||
removes the mbedtls_x509_*_info(), mbedtls_debug_print_crt()
|
||
as well as other functions and constants only used by
|
||
those functions. This reduces the code footprint by
|
||
several kB.
|
||
* Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
|
||
and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` which are never
|
||
returned from the public SSL API.
|
||
* Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return
|
||
`MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead.
|
||
* The output parameter of mbedtls_sha512_finish, mbedtls_sha512,
|
||
mbedtls_sha256_finish and mbedtls_sha256 now has a pointer type
|
||
rather than array type. This removes spurious warnings in some compilers
|
||
when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
|
||
the hash size.
|
||
* Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.
|
||
* The interface of the GCM module has changed to remove restrictions on
|
||
how the input to multipart operations is broken down. mbedtls_gcm_finish()
|
||
now takes extra output parameters for the last partial output block.
|
||
mbedtls_gcm_update() now takes extra parameters for the output length.
|
||
The software implementation always produces the full output at each
|
||
call to mbedtls_gcm_update(), but alternative implementations activated
|
||
by MBEDTLS_GCM_ALT may delay partial blocks to the next call to
|
||
mbedtls_gcm_update() or mbedtls_gcm_finish(). Furthermore, applications
|
||
no longer pass the associated data to mbedtls_gcm_starts(), but to the
|
||
new function mbedtls_gcm_update_ad().
|
||
These changes are backward compatible for users of the cipher API.
|
||
* Replace MBEDTLS_SHA512_NO_SHA384 config option with MBEDTLS_SHA384_C.
|
||
This separates config option enabling the SHA384 algorithm from option
|
||
enabling the SHA512 algorithm. Fixes #4034.
|
||
* Introduce MBEDTLS_SHA224_C.
|
||
This separates config option enabling the SHA224 algorithm from option
|
||
enabling SHA256.
|
||
* The getter and setter API of the SSL session cache (used for
|
||
session-ID based session resumption) has changed to that of
|
||
a key-value store with keys being session IDs and values
|
||
being opaque instances of `mbedtls_ssl_session`.
|
||
* Remove the mode parameter from RSA operation functions. Signature and
|
||
decryption functions now always use the private key and verification and
|
||
encryption use the public key. Verification functions also no longer have
|
||
RNG parameters.
|
||
* Modify semantics of `mbedtls_ssl_conf_[opaque_]psk()`:
|
||
In Mbed TLS 2.X, the API prescribes that later calls overwrite
|
||
the effect of earlier calls. In Mbed TLS 3.0, calling
|
||
`mbedtls_ssl_conf_[opaque_]psk()` more than once will fail,
|
||
leaving the PSK that was configured first intact.
|
||
Support for more than one PSK may be added in 3.X.
|
||
* The function mbedtls_x509write_csr_set_extension() has an extra parameter
|
||
which allows to mark an extension as critical. Fixes #4055.
|
||
* For multi-part AEAD operations with the cipher module, calling
|
||
mbedtls_cipher_finish() is now mandatory. Previously the documentation
|
||
was unclear on this point, and this function happened to never do
|
||
anything with the currently implemented AEADs, so in practice it was
|
||
possible to skip calling it, which is no longer supported.
|
||
* The option MBEDTLS_ECP_FIXED_POINT_OPTIM use pre-computed comb tables
|
||
instead of computing tables in runtime. Thus, this option now increase
|
||
code size, and it does not increase RAM usage in runtime anymore.
|
||
* Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
|
||
mbedtls_ssl_get_output_max_frag_len(), and add a new API
|
||
mbedtls_ssl_get_max_in_record_payload(), complementing the existing
|
||
mbedtls_ssl_get_max_out_record_payload().
|
||
Uses of mbedtls_ssl_get_input_max_frag_len() and
|
||
mbedtls_ssl_get_input_max_frag_len() should be replaced by
|
||
mbedtls_ssl_get_max_in_record_payload() and
|
||
mbedtls_ssl_get_max_out_record_payload(), respectively.
|
||
* mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
|
||
key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
|
||
after initializing the context. mbedtls_rsa_set_padding() now returns an
|
||
error if its parameters are invalid.
|
||
* Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
|
||
configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
|
||
* Instead of accessing the len field of a DHM context, which is no longer
|
||
supported, use the new function mbedtls_dhm_get_len() .
|
||
* In modules that implement cryptographic hash functions, many functions
|
||
mbedtls_xxx() now return int instead of void, and the corresponding
|
||
function mbedtls_xxx_ret() which was identical except for returning int
|
||
has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
|
||
migration guide for more information. Fixes #4212.
|
||
* For all functions that take a random number generator (RNG) as a
|
||
parameter, this parameter is now mandatory (that is, NULL is not an
|
||
acceptable value). Functions which previously accepted NULL and now
|
||
reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
|
||
sign and decrypt function; mbedtls_rsa_private(); the functions
|
||
in DHM and ECDH that compute the shared secret; the scalar multiplication
|
||
functions in ECP.
|
||
* The following functions now require an RNG parameter:
|
||
mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
|
||
mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
|
||
* mbedtls_ssl_conf_export_keys_ext_cb() and
|
||
mbedtls_ssl_conf_export_keys_cb() have been removed and
|
||
replaced by a new API mbedtls_ssl_set_export_keys_cb().
|
||
Raw keys and IVs are no longer passed to the callback.
|
||
Further, callbacks now receive an additional parameter
|
||
indicating the type of secret that's being exported,
|
||
paving the way for the larger number of secrets
|
||
in TLS 1.3. Finally, the key export callback and
|
||
context are now connection-specific.
|
||
* Signature functions in the RSA and PK modules now require the hash
|
||
length parameter to be the size of the hash input. For RSA signatures
|
||
other than raw PKCS#1 v1.5, this must match the output size of the
|
||
specified hash algorithm.
|
||
* The functions mbedtls_pk_sign(), mbedtls_pk_sign_restartable(),
|
||
mbedtls_ecdsa_write_signature() and
|
||
mbedtls_ecdsa_write_signature_restartable() now take an extra parameter
|
||
indicating the size of the output buffer for the signature.
|
||
* Implement one-shot cipher functions, psa_cipher_encrypt and
|
||
psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
|
||
specification.
|
||
* Direct access to fields of structures declared in public headers is no
|
||
longer supported except for fields that are documented public. Use accessor
|
||
functions instead. For more information, see the migration guide entry
|
||
"Most structure fields are now private".
|
||
* mbedtls_ssl_get_session_pointer() has been removed, and
|
||
mbedtls_ssl_{set,get}_session() may now only be called once for any given
|
||
SSL context.
|
||
|
||
Default behavior changes
|
||
* Enable by default the functionalities which have no reason to be disabled.
|
||
They are: ARIA block cipher, CMAC mode, elliptic curve J-PAKE library and
|
||
Key Wrapping mode as defined in NIST SP 800-38F. Fixes #4036.
|
||
* Some default policies for X.509 certificate verification and TLS have
|
||
changed: curves and hashes weaker than 255 bits are no longer accepted
|
||
by default. The default order in TLS now favors faster curves over larger
|
||
curves.
|
||
|
||
Requirement changes
|
||
* The library now uses the %zu format specifier with the printf() family of
|
||
functions, so requires a toolchain that supports it. This change does not
|
||
affect the maintained LTS branches, so when contributing changes please
|
||
bear this in mind and do not add them to backported code.
|
||
* If you build the development version of Mbed TLS, rather than an official
|
||
release, some configuration-independent files are now generated at build
|
||
time rather than checked into source control. This includes some library
|
||
source files as well as the Visual Studio solution. Perl, Python 3 and a
|
||
C compiler for the host platform are required. See “Generated source files
|
||
in the development branch” in README.md for more information.
|
||
* Refresh the minimum supported versions of tools to build the
|
||
library. CMake versions older than 3.10.2 and Python older
|
||
than 3.6 are no longer supported.
|
||
|
||
Removals
|
||
* Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
||
compile-time option, which was off by default. Users should not trust
|
||
certificates signed with SHA-1 due to the known attacks against SHA-1.
|
||
If needed, SHA-1 certificates can still be verified by using a custom
|
||
verification profile.
|
||
* Removed deprecated things in psa/crypto_compat.h. Fixes #4284
|
||
* Removed deprecated functions from hashing modules. Fixes #4280.
|
||
* Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,
|
||
lacks automated tests and has scarce documentation. Also, PSA Crypto
|
||
provides a more flexible private key management.
|
||
More details on PCKS#11 wrapper removal can be found in the mailing list
|
||
https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-April/000024.html
|
||
* Remove deprecated error codes. Fix #4283
|
||
* Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416.
|
||
* Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
||
compile-time option. This option has been inactive for a long time.
|
||
Please use the `lifetime` parameter of `mbedtls_ssl_ticket_setup()`
|
||
instead.
|
||
* Remove the following deprecated functions and constants of hex-encoded
|
||
primes based on RFC 5114 and RFC 3526 from library code and tests:
|
||
mbedtls_aes_encrypt(), mbedtls_aes_decrypt(), mbedtls_mpi_is_prime(),
|
||
mbedtls_cipher_auth_encrypt(), mbedtls_cipher_auth_decrypt(),
|
||
mbedtls_ctr_drbg_update(), mbedtls_hmac_drbg_update(),
|
||
mbedtls_ecdsa_write_signature_det(), mbedtls_ecdsa_sign_det(),
|
||
mbedtls_ssl_conf_dh_param(), mbedtls_ssl_get_max_frag_len(),
|
||
MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G,
|
||
MBEDTLS_DHM_RFC3526_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_G,
|
||
MBEDTLS_DHM_RFC3526_MODP_3072_P, MBEDTLS_DHM_RFC3526_MODP_3072_G,
|
||
MBEDTLS_DHM_RFC3526_MODP_4096_P, MBEDTLS_DHM_RFC3526_MODP_4096_G.
|
||
Remove the deprecated file: include/mbedtls/net.h. Fixes #4282.
|
||
* Remove MBEDTLS_SSL_MAX_CONTENT_LEN configuration option, since
|
||
MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN replace
|
||
it. Fixes #4362.
|
||
* Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
|
||
previous action. Fixes #4361.
|
||
* Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
|
||
CBC record splitting, fallback SCSV, and the ability to configure
|
||
ciphersuites per version, which are no longer relevant. This removes the
|
||
configuration options MBEDTLS_SSL_PROTO_TLS1,
|
||
MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
|
||
MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
|
||
mbedtls_ssl_conf_cbc_record_splitting(),
|
||
mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
|
||
and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.
|
||
* The RSA module no longer supports private-key operations with the public
|
||
key and vice versa.
|
||
* Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403.
|
||
* Remove all the 3DES ciphersuites:
|
||
MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||
MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||
MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||
MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||
MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
|
||
MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
|
||
MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
|
||
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA. Remove the
|
||
MBEDTLS_REMOVE_3DES_CIPHERSUITES option which is no longer relevant.
|
||
Fixes #4367.
|
||
* Remove the MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option and let the code
|
||
behave as if it was always disabled. Fixes #4386.
|
||
* Remove MBEDTLS_ECDH_LEGACY_CONTEXT config option since this was purely for
|
||
backward compatibility which is no longer supported. Addresses #4404.
|
||
* Remove the following macros: MBEDTLS_CHECK_PARAMS,
|
||
MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
|
||
MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.
|
||
* Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
|
||
option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
|
||
migration path. Fixes #4378.
|
||
* Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
|
||
MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
|
||
behave as if they were always enabled. Fixes #4405.
|
||
* MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
|
||
now determined automatically based on supported curves.
|
||
* Remove the following functions: mbedtls_timing_self_test(),
|
||
mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
|
||
mbedtls_set_alarm(). Fixes #4083.
|
||
* The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
|
||
it no longer had any effect.
|
||
* Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
|
||
corresponding modules and all their APIs and related configuration
|
||
options. Fixes #4084.
|
||
* Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
|
||
MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
|
||
using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
|
||
See issue #4341 for more details.
|
||
* Remove the compile-time option
|
||
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.
|
||
|
||
Features
|
||
* Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
|
||
signature with a specific salt length. This function allows to validate
|
||
test cases provided in the NIST's CAVP test suite. Contributed by Cédric
|
||
Meuter in PR #3183.
|
||
* Added support for built-in driver keys through the PSA opaque crypto
|
||
driver interface. Refer to the documentation of
|
||
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
|
||
* Implement psa_sign_message() and psa_verify_message().
|
||
* The multi-part GCM interface (mbedtls_gcm_update() or
|
||
mbedtls_cipher_update()) no longer requires the size of partial inputs to
|
||
be a multiple of 16.
|
||
* The multi-part GCM interface now supports chunked associated data through
|
||
multiple calls to mbedtls_gcm_update_ad().
|
||
* The new function mbedtls_mpi_random() generates a random value in a
|
||
given range uniformly.
|
||
* Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
|
||
modules had undocumented constraints on their context types. These
|
||
constraints have been relaxed.
|
||
See docs/architecture/alternative-implementations.md for the remaining
|
||
constraints.
|
||
* The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
|
||
query the size of the modulus in a Diffie-Hellman context.
|
||
* The new function mbedtls_dhm_get_value() copy a field out of a
|
||
Diffie-Hellman context.
|
||
* Use the new function mbedtls_ecjpake_set_point_format() to select the
|
||
point format for ECJPAKE instead of accessing the point_format field
|
||
directly, which is no longer supported.
|
||
* Implement psa_mac_compute() and psa_mac_verify() as defined in the
|
||
PSA Cryptograpy API 1.0.0 specification.
|
||
|
||
Security
|
||
* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
|
||
private keys and of blinding values for DHM and elliptic curves (ECP)
|
||
computations. Reported by FlorianF89 in #4245.
|
||
* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
|
||
An adversary who is capable of very precise timing measurements could
|
||
learn partial information about the leading bits of the nonce used for the
|
||
signature, allowing the recovery of the private key after observing a
|
||
large number of signature operations. This completes a partial fix in
|
||
Mbed TLS 2.20.0.
|
||
* Fix an issue where an adversary with access to precise enough information
|
||
about memory accesses (typically, an untrusted operating system attacking
|
||
a secure enclave) could recover an RSA private key after observing the
|
||
victim performing a single private-key operation. Found and reported by
|
||
Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
|
||
* Fix an issue where an adversary with access to precise enough timing
|
||
information (typically, a co-located process) could recover a Curve25519
|
||
or Curve448 static ECDH key after inputting a chosen public key and
|
||
observing the victim performing the corresponding private-key operation.
|
||
Found and reported by Leila Batina, Lukas Chmielewski, Björn Haase, Niels
|
||
Samwel and Peter Schwabe.
|
||
|
||
Bugfix
|
||
* Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
|
||
lead to the seed file corruption in case if the path to the seed file is
|
||
equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
|
||
Krasnoshchok in #3616.
|
||
* PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
|
||
than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
|
||
to create is not valid, bringing them in line with version 1.0.0 of the
|
||
specification. Fix #4271.
|
||
* Add printf function attributes to mbedtls_debug_print_msg to ensure we
|
||
get printf format specifier warnings.
|
||
* PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
|
||
rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
|
||
in line with version 1.0.0 of the specification. Fix #4162.
|
||
* Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
|
||
zero. Fixes #1792
|
||
* Fix some cases in the bignum module where the library constructed an
|
||
unintended representation of the value 0 which was not processed
|
||
correctly by some bignum operations. This could happen when
|
||
mbedtls_mpi_read_string() was called on "-0", or when
|
||
mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
|
||
the arguments being negative and the other being 0. Fixes #4643.
|
||
* Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
|
||
defined. Fixes #4217.
|
||
* Fix an incorrect error code when parsing a PKCS#8 private key.
|
||
* In a TLS client, enforce the Diffie-Hellman minimum parameter size
|
||
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
|
||
minimum size was rounded down to the nearest multiple of 8.
|
||
* In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
|
||
defined to specific values. If the code is used in a context
|
||
where these are already defined, this can result in a compilation
|
||
error. Instead, assume that if they are defined, the values will
|
||
be adequate to build Mbed TLS.
|
||
* With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
|
||
nonetheless, resulting in undefined reference errors when building a
|
||
shared library. Reported by Guillermo Garcia M. in #4411.
|
||
* The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
|
||
when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
|
||
was disabled. Fix the dependency. Fixes #4472.
|
||
* Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
|
||
* Fix test suite code on platforms where int32_t is not int, such as
|
||
Arm Cortex-M. Fixes #4530.
|
||
* Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
|
||
directive in a header and a missing initialization in the self-test.
|
||
* Fix a missing initialization in the Camellia self-test, affecting
|
||
MBEDTLS_CAMELLIA_ALT implementations.
|
||
* Restore the ability to configure PSA via Mbed TLS options to support RSA
|
||
key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
|
||
is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
|
||
Fixes #4512.
|
||
* Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
|
||
(when the encrypt-then-MAC extension is not in use) with some ALT
|
||
implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
|
||
the affected side to wrongly reject valid messages. Fixes #4118.
|
||
* Remove outdated check-config.h check that prevented implementing the
|
||
timing module on Mbed OS. Fixes #4633.
|
||
* Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
|
||
about missing inputs.
|
||
* Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
|
||
MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
|
||
* Fix a resource leak in a test suite with an alternative AES
|
||
implementation. Fixes #4176.
|
||
* Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
|
||
could notably be triggered by setting the TLS debug level to 3 or above
|
||
and using a Montgomery curve for the key exchange. Reported by lhuang04
|
||
in #4578. Fixes #4608.
|
||
* psa_verify_hash() was relying on implementation-specific behavior of
|
||
mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
|
||
implementations. This reliance is now removed. Fixes #3990.
|
||
* Disallow inputs of length different from the corresponding hash when
|
||
signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
|
||
that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
|
||
* Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
|
||
A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
|
||
could not be triggered by code that constructed A with one of the
|
||
mbedtls_mpi_read_xxx functions (including in particular TLS code) since
|
||
those always built an mpi object with at least one limb.
|
||
Credit to OSS-Fuzz. Fixes #4641.
|
||
* Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
|
||
effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
|
||
applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
|
||
* The PSA API no longer allows the creation or destruction of keys with a
|
||
read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
|
||
can now only be used as intended, for keys that cannot be modified through
|
||
normal use of the API.
|
||
* When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
|
||
in all the right places. Include it from crypto_platform.h, which is
|
||
the natural place. Fixes #4649.
|
||
* Fix which alert is sent in some cases to conform to the
|
||
applicable RFC: on an invalid Finished message value, an
|
||
invalid max_fragment_length extension, or an
|
||
unsupported extension used by the server.
|
||
* Correct (change from 12 to 13 bytes) the value of the macro describing the
|
||
maximum nonce length returned by psa_aead_generate_nonce().
|
||
|
||
Changes
|
||
* Fix the setting of the read timeout in the DTLS sample programs.
|
||
* Add extra printf compiler warning flags to builds.
|
||
* Fix memsan build false positive in x509_crt.c with clang 11
|
||
* Alternative implementations of CMAC may now opt to not support 3DES as a
|
||
CMAC block cipher, and still pass the CMAC self test.
|
||
* Remove the AES sample application programs/aes/aescrypt2 which shows
|
||
bad cryptographic practice. Fix #1906.
|
||
* Remove configs/config-psa-crypto.h, which no longer had any intended
|
||
differences from the default configuration, but had accidentally diverged.
|
||
* When building the test suites with GNU make, invoke python3 or python, not
|
||
python2, which is no longer supported upstream.
|
||
* fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
|
||
When that flag is on, standard GNU C printf format specifiers
|
||
should be used.
|
||
* Replace MBEDTLS_SSL_CID_PADDING_GRANULARITY and
|
||
MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY with a new single unified option
|
||
MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY. Fixes #4335.
|
||
* Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
|
||
during ECC operations at a negligible performance cost.
|
||
* mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
|
||
mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
|
||
when their input has length 0. Note that this is an implementation detail
|
||
and can change at any time, so this change should be transparent, but it
|
||
may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
|
||
now writing an empty string where it previously wrote one or more
|
||
zero digits when operating from values constructed with an mpi_read
|
||
function and some mpi operations.
|
||
* Add CMake package config generation for CMake projects consuming Mbed TLS.
|
||
* config.h has been split into build_info.h and mbedtls_config.h
|
||
build_info.h is intended to be included from C code directly, while
|
||
mbedtls_config.h is intended to be edited by end users wishing to
|
||
change the build configuration, and should generally only be included from
|
||
build_info.h.
|
||
* The handling of MBEDTLS_CONFIG_FILE has been moved into build_info.h.
|
||
* A config file version symbol, MBEDTLS_CONFIG_VERSION was introduced.
|
||
Defining it to a particular value will ensure that Mbed TLS interprets
|
||
the config file in a way that's compatible with the config file format
|
||
used by the Mbed TLS release whose MBEDTLS_VERSION_NUMBER has the same
|
||
value.
|
||
The only value supported by Mbed TLS 3.0.0 is 0x03000000.
|
||
* Various changes to which alert and/or error code may be returned
|
||
* during the TLS handshake.
|
||
* Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
|
||
PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
|
||
when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
|
||
is also applied when loading a key from storage.
|
||
|
||
= mbed TLS 2.26.0 branch released 2021-03-08
|
||
|
||
API changes
|
||
* Renamed the PSA Crypto API output buffer size macros to bring them in line
|
||
with version 1.0.0 of the specification.
|
||
* The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
|
||
in bits rather than bytes, with an additional flag to indicate if the
|
||
size may have been rounded up to a whole number of bytes.
|
||
* Renamed the PSA Crypto API AEAD tag length macros to bring them in line
|
||
with version 1.0.0 of the specification.
|
||
|
||
Default behavior changes
|
||
* In mbedtls_rsa_context objects, the ver field was formerly documented
|
||
as always 0. It is now reserved for internal purposes and may take
|
||
different values.
|
||
|
||
New deprecations
|
||
* PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
|
||
PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
|
||
PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
|
||
deprecated.
|
||
* PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
|
||
have been renamed, and the old names deprecated.
|
||
|
||
Features
|
||
* The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
|
||
CTR_DRBG is used by default if it is available, but you can override
|
||
this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
|
||
Fix #3354.
|
||
* Automatic fallback to a software implementation of ECP when
|
||
MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
|
||
through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
|
||
* The PSA crypto subsystem can now be configured to use less static RAM by
|
||
tweaking the setting for the maximum amount of keys simultaneously in RAM.
|
||
MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
|
||
can exist simultaneously. It has a sensible default if not overridden.
|
||
* Partial implementation of the PSA crypto driver interface: Mbed TLS can
|
||
now use an external random generator instead of the library's own
|
||
entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
|
||
and see the documentation of mbedtls_psa_external_get_random() for details.
|
||
* Applications using both mbedtls_xxx and psa_xxx functions (for example,
|
||
applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
|
||
random generator with mbedtls_xxx functions. See the documentation of
|
||
mbedtls_psa_get_random() for details.
|
||
* In the PSA API, the policy for a MAC or AEAD algorithm can specify a
|
||
minimum MAC or tag length thanks to the new wildcards
|
||
PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
|
||
PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.
|
||
|
||
Security
|
||
* Fix a security reduction in CTR_DRBG when the initial seeding obtained a
|
||
nonce from entropy. Applications were affected if they called
|
||
mbedtls_ctr_drbg_set_nonce_len(), if they called
|
||
mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
|
||
length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
|
||
In such cases, a random nonce was necessary to achieve the advertised
|
||
security strength, but the code incorrectly used a constant instead of
|
||
entropy from the nonce.
|
||
Found by John Stroebel in #3819 and fixed in #3973.
|
||
* Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|
||
|A| - |B| where |B| is larger than |A| and has more limbs (so the
|
||
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
|
||
applications calling mbedtls_mpi_sub_abs() directly are affected:
|
||
all calls inside the library were safe since this function is
|
||
only called with |A| >= |B|. Reported by Guido Vranken in #4042.
|
||
* Fix an errorneous estimation for an internal buffer in
|
||
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
|
||
value the function might fail to write a private RSA keys of the largest
|
||
supported size.
|
||
Found by Daniel Otte, reported in #4093 and fixed in #4094.
|
||
* Fix a stack buffer overflow with mbedtls_net_poll() and
|
||
mbedtls_net_recv_timeout() when given a file descriptor that is
|
||
beyond FD_SETSIZE. Reported by FigBug in #4169.
|
||
* Guard against strong local side channel attack against base64 tables by
|
||
making access aceess to them use constant flow code.
|
||
|
||
Bugfix
|
||
* Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
|
||
* Fix memory leak that occured when calling psa_close_key() on a
|
||
wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
|
||
* Fix an incorrect error code if an RSA private operation glitched.
|
||
* Fix a memory leak in an error case in psa_generate_derived_key_internal().
|
||
* Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
|
||
is enabled, on platforms where initializing a mutex allocates resources.
|
||
This was a regression introduced in the previous release. Reported in
|
||
#4017, #4045 and #4071.
|
||
* Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
|
||
twice is safe. This happens for RSA when some Mbed TLS library functions
|
||
fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
|
||
enabled on platforms where freeing a mutex twice is not safe.
|
||
* Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
|
||
when MBEDTLS_THREADING_C is enabled on platforms where initializing
|
||
a mutex allocates resources.
|
||
* Fixes a bug where, if the library was configured to include support for
|
||
both the old SE interface and the new PSA driver interface, external keys were
|
||
not loaded from storage. This was fixed by #3996.
|
||
* This change makes 'mbedtls_x509write_crt_set_basic_constraints'
|
||
consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
|
||
include this extension in all CA certificates that contain public keys
|
||
used to validate digital signatures on certificates and MUST mark the
|
||
extension as critical in such certificates." Previous to this change,
|
||
the extension was always marked as non-critical. This was fixed by
|
||
#3698.
|
||
|
||
Changes
|
||
* A new library C file psa_crypto_client.c has been created to contain
|
||
the PSA code needed by a PSA crypto client when the PSA crypto
|
||
implementation is not included into the library.
|
||
* On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
|
||
now uses the getrandom syscall instead of reading from /dev/urandom.
|
||
|
||
= mbed TLS 2.25.0 branch released 2020-12-11
|
||
|
||
API changes
|
||
* The numerical values of the PSA Crypto API macros have been updated to
|
||
conform to version 1.0.0 of the specification.
|
||
* PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4.
|
||
The underlying stream cipher is determined by the key type
|
||
(PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4).
|
||
* The functions mbedtls_cipher_auth_encrypt() and
|
||
mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
|
||
as they have no way to check if the output buffer is large enough.
|
||
Please use mbedtls_cipher_auth_encrypt_ext() and
|
||
mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
|
||
Cryptofuzz. Fixes #3665.
|
||
|
||
Requirement changes
|
||
* Update the minimum required CMake version to 2.8.12. This silences a
|
||
warning on CMake 3.19.0. #3801
|
||
|
||
New deprecations
|
||
* PSA_ALG_CHACHA20 and PSA_ALG_ARC4 have been deprecated.
|
||
Use PSA_ALG_STREAM_CIPHER instead.
|
||
* The functions mbedtls_cipher_auth_encrypt() and
|
||
mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
|
||
functions mbedtls_cipher_auth_encrypt_ext() and
|
||
mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers,
|
||
these new functions always append the tag to the ciphertext, and include
|
||
the tag in the ciphertext length.
|
||
|
||
Features
|
||
* Partial implementation of the new PSA Crypto accelerator APIs. (Symmetric
|
||
ciphers, asymmetric signing/verification and key generation, validate_key
|
||
entry point, and export_public_key interface.)
|
||
* Add support for ECB to the PSA cipher API.
|
||
* In PSA, allow using a key declared with a base key agreement algorithm
|
||
in combined key agreement and derivation operations, as long as the key
|
||
agreement algorithm in use matches the algorithm the key was declared with.
|
||
This is currently non-standard behaviour, but expected to make it into a
|
||
future revision of the PSA Crypto standard.
|
||
* Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
|
||
mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by
|
||
external CMake projects that include this one to avoid CMake target name
|
||
clashes. The default value of this variable is "", so default target names
|
||
are unchanged.
|
||
* Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
|
||
Pascal, improved by Ron Eldor.
|
||
* In the PSA API, it is no longer necessary to open persistent keys:
|
||
operations now accept the key identifier. The type psa_key_handle_t is now
|
||
identical to psa_key_id_t instead of being platform-defined. This bridges
|
||
the last major gap to compliance with the PSA Cryptography specification
|
||
version 1.0.0. Opening persistent keys is still supported for backward
|
||
compatibility, but will be deprecated and later removed in future
|
||
releases.
|
||
* PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and
|
||
PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version
|
||
1.0.0 of the PSA Crypto API specification.
|
||
|
||
Security
|
||
* The functions mbedtls_cipher_auth_encrypt() and
|
||
mbedtls_cipher_auth_decrypt() would write past the minimum documented
|
||
size of the output buffer when used with NIST_KW. As a result, code using
|
||
those functions as documented with NIST_KW could have a buffer overwrite
|
||
of up to 15 bytes, with consequences ranging up to arbitrary code
|
||
execution depending on the location of the output buffer.
|
||
* Limit the size of calculations performed by mbedtls_mpi_exp_mod to
|
||
MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
|
||
generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
|
||
* A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
|
||
which is how most uses of randomization in asymmetric cryptography
|
||
(including key generation, intermediate value randomization and blinding)
|
||
are implemented. This could cause failures or the silent use of non-random
|
||
values. A random generator can fail if it needs reseeding and cannot not
|
||
obtain entropy, or due to an internal failure (which, for Mbed TLS's own
|
||
CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
|
||
* Fix a compliance issue whereby we were not checking the tag on the
|
||
algorithm parameters (only the size) when comparing the signature in the
|
||
description part of the cert to the real signature. This meant that a
|
||
NULL algorithm parameters entry would look identical to an array of REAL
|
||
(size zero) to the library and thus the certificate would be considered
|
||
valid. However, if the parameters do not match in *any* way then the
|
||
certificate should be considered invalid, and indeed OpenSSL marks these
|
||
certs as invalid when mbedtls did not.
|
||
Many thanks to guidovranken who found this issue via differential fuzzing
|
||
and reported it in #3629.
|
||
* Zeroising of local buffers and variables which are used for calculations
|
||
in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
|
||
mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
|
||
functions to erase sensitive data from memory. Reported by
|
||
Johan Malmgren and Johan Uppman Bruce from Sectra.
|
||
|
||
Bugfix
|
||
* Fix an invalid (but nonzero) return code from mbedtls_pk_parse_subpubkey()
|
||
when the input has trailing garbage. Fixes #2512.
|
||
* Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
|
||
enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
|
||
* Include the psa_constant_names generated source code in the source tree
|
||
instead of generating it at build time. Fixes #3524.
|
||
* Fix rsa_prepare_blinding() to retry when the blinding value is not
|
||
invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
|
||
addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
|
||
Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
|
||
Fixes #3647.
|
||
* Use socklen_t on Android and other POSIX-compliant system
|
||
* Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
|
||
Fix #3432.
|
||
* Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input
|
||
sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
|
||
psa_cipher_* functions compliant with the PSA Crypto API specification.
|
||
* mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names
|
||
"x25519" and "x448". These curves support ECDH but not ECDSA. If you need
|
||
only the curves that support ECDSA, filter the list with
|
||
mbedtls_ecdsa_can_do().
|
||
* Fix psa_generate_key() returning an error when asked to generate
|
||
an ECC key pair on Curve25519 or secp244k1.
|
||
* Fix psa_key_derivation_output_key() to allow the output of a combined key
|
||
agreement and subsequent key derivation operation to be used as a key
|
||
inside of the PSA Crypto core.
|
||
* Fix handling of EOF against 0xff bytes and on platforms with unsigned
|
||
chars. Fixes a build failure on platforms where char is unsigned. Fixes
|
||
#3794.
|
||
* Fix an off-by-one error in the additional data length check for
|
||
CCM, which allowed encryption with a non-standard length field.
|
||
Fixes #3719.
|
||
* Correct the default IV size for mbedtls_cipher_info_t structures using
|
||
MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
|
||
* Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
|
||
defined. Fix contributed in #3571.
|
||
* Fix conditions for including string.h in error.c. Fixes #3866.
|
||
* psa_set_key_id() now also sets the lifetime to persistent for keys located
|
||
in a secure element.
|
||
* Attempting to create a volatile key with a non-zero key identifier now
|
||
fails. Previously the key identifier was just ignored when creating a
|
||
volatile key.
|
||
* Attempting to create or register a key with a key identifier in the vendor
|
||
range now fails.
|
||
* Fix build failures on GCC 11. Fixes #3782.
|
||
* Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
|
||
* Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
|
||
(an error condition) and the second operand was aliased to the result.
|
||
* Fix a case in elliptic curve arithmetic where an out-of-memory condition
|
||
could go undetected, resulting in an incorrect result.
|
||
* In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
|
||
Fixes #2927.
|
||
* In PEM writing functions, fill the trailing part of the buffer with null
|
||
bytes. This guarantees that the corresponding parsing function can read
|
||
the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
|
||
until this property was inadvertently broken in Mbed TLS 2.19.0.
|
||
Fixes #3682.
|
||
* Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT
|
||
option on. In this configuration key management methods that are required
|
||
for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail.
|
||
Fixes #3818. Reported by John Stroebel.
|
||
|
||
Changes
|
||
* Reduce stack usage significantly during sliding window exponentiation.
|
||
Reported in #3591 and fix contributed in #3592 by Daniel Otte.
|
||
* The PSA persistent storage format is updated to always store the key bits
|
||
attribute. No automatic upgrade path is provided. Previously stored keys
|
||
must be erased, or manually upgraded based on the key storage format
|
||
specification (docs/architecture/mbed-crypto-storage-specification.md).
|
||
Fixes #3740.
|
||
* Remove the zeroization of a pointer variable in AES rounds. It was valid
|
||
but spurious and misleading since it looked like a mistaken attempt to
|
||
zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
|
||
Leti, France.
|
||
|
||
= mbed TLS 2.24.0 branch released 2020-09-01
|
||
|
||
API changes
|
||
* In the PSA API, rename the types of elliptic curve and Diffie-Hellman
|
||
group families to psa_ecc_family_t and psa_dh_family_t, in line with the
|
||
PSA Crypto API specification version 1.0.0.
|
||
Rename associated macros as well:
|
||
PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
|
||
PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
|
||
PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
|
||
PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
|
||
|
||
Default behavior changes
|
||
* Stop storing persistent information about externally stored keys created
|
||
through PSA Crypto with a volatile lifetime. Reported in #3288 and
|
||
contributed by Steven Cooreman in #3382.
|
||
|
||
Features
|
||
* The new function mbedtls_ecp_write_key() exports private ECC keys back to
|
||
a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
|
||
* Support building on e2k (Elbrus) architecture: correctly enable
|
||
-Wformat-signedness, and fix the code that causes signed-one-bit-field
|
||
and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
|
||
<akemi_homura@kurisa.ch>.
|
||
|
||
Security
|
||
* Fix a vulnerability in the verification of X.509 certificates when
|
||
matching the expected common name (the cn argument of
|
||
mbedtls_x509_crt_verify()) with the actual certificate name: when the
|
||
subjecAltName extension is present, the expected name was compared to any
|
||
name in that extension regardless of its type. This means that an
|
||
attacker could for example impersonate a 4-bytes or 16-byte domain by
|
||
getting a certificate for the corresponding IPv4 or IPv6 (this would
|
||
require the attacker to control that IP address, though). Similar attacks
|
||
using other subjectAltName name types might be possible. Found and
|
||
reported by kFYatek in #3498.
|
||
* When checking X.509 CRLs, a certificate was only considered as revoked if
|
||
its revocationDate was in the past according to the local clock if
|
||
available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
|
||
certificates were never considered as revoked. On builds with
|
||
MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
|
||
example, an untrusted OS attacking a secure enclave) could prevent
|
||
revocation of certificates via CRLs. Fixed by no longer checking the
|
||
revocationDate field, in accordance with RFC 5280. Reported by
|
||
yuemonangong in #3340. Reported independently and fixed by
|
||
Raoul Strackx and Jethro Beekman in #3433.
|
||
* In (D)TLS record decryption, when using a CBC ciphersuites without the
|
||
Encrypt-then-Mac extension, use constant code flow memory access patterns
|
||
to extract and check the MAC. This is an improvement to the existing
|
||
countermeasure against Lucky 13 attacks. The previous countermeasure was
|
||
effective against network-based attackers, but less so against local
|
||
attackers. The new countermeasure defends against local attackers, even
|
||
if they have access to fine-grained measurements. In particular, this
|
||
fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz,
|
||
Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
|
||
(University of Florida) and Dave Tian (Purdue University).
|
||
* Fix side channel in RSA private key operations and static (finite-field)
|
||
Diffie-Hellman. An adversary with precise enough timing and memory access
|
||
information (typically an untrusted operating system attacking a secure
|
||
enclave) could bypass an existing counter-measure (base blinding) and
|
||
potentially fully recover the private key.
|
||
* Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
|
||
Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
|
||
for pinpointing the problematic code.
|
||
* Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
|
||
application data from memory. Reported in #689 by
|
||
Johan Uppman Bruce of Sectra.
|
||
|
||
Bugfix
|
||
* Library files installed after a CMake build no longer have execute
|
||
permission.
|
||
* Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
|
||
redefinition if the function is inlined.
|
||
Reported in #3451 and fix contributed in #3452 by okhowang.
|
||
* Fix the endianness of Curve25519 keys imported/exported through the PSA
|
||
APIs. psa_import_key and psa_export_key will now correctly expect/output
|
||
Montgomery keys in little-endian as defined by RFC7748. Contributed by
|
||
Steven Cooreman in #3425.
|
||
* Fix build errors when the only enabled elliptic curves are Montgomery
|
||
curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
|
||
also fixes missing declarations reported by Steven Cooreman in #1147.
|
||
* Fix self-test failure when the only enabled short Weierstrass elliptic
|
||
curve is secp192k1. Fixes #2017.
|
||
* PSA key import will now correctly import a Curve25519/Curve448 public key
|
||
instead of erroring out. Contributed by Steven Cooreman in #3492.
|
||
* Use arc4random_buf on NetBSD instead of rand implementation with cyclical
|
||
lower bits. Fix contributed in #3540.
|
||
* Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
|
||
conditions. Reported and fix suggested by Guido Vranken in #3486.
|
||
* Fix bug in redirection of unit test outputs on platforms where stdout is
|
||
defined as a macro. First reported in #2311 and fix contributed in #3528.
|
||
|
||
Changes
|
||
* Only pass -Wformat-signedness to versions of GCC that support it. Reported
|
||
in #3478 and fix contributed in #3479 by okhowang.
|
||
* Reduce the stack consumption of mbedtls_x509write_csr_der() which
|
||
previously could lead to stack overflow on constrained devices.
|
||
Contributed by Doru Gucea and Simon Leet in #3464.
|
||
* Undefine the ASSERT macro before defining it locally, in case it is defined
|
||
in a platform header. Contributed by Abdelatif Guettouche in #3557.
|
||
* Update copyright notices to use Linux Foundation guidance. As a result,
|
||
the copyright of contributors other than Arm is now acknowledged, and the
|
||
years of publishing are no longer tracked in the source files. This also
|
||
eliminates the need for the lines declaring the files to be part of
|
||
MbedTLS. Fixes #3457.
|
||
* Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
|
||
example applications which allows to provide a password for the key file
|
||
specified through the existing key_file argument. This allows the use of
|
||
these applications with password-protected key files. Analogously but for
|
||
ssl_server2 only, add the command line parameter key_pwd2 which allows to
|
||
set a password for the key file provided through the existing key_file2
|
||
argument.
|
||
|
||
= mbed TLS 2.23.0 branch released 2020-07-01
|
||
|
||
Default behavior changes
|
||
* In the experimental PSA secure element interface, change the encoding of
|
||
key lifetimes to encode a persistence level and the location. Although C
|
||
prototypes do not effectively change, code calling
|
||
psa_register_se_driver() must be modified to pass the driver's location
|
||
instead of the keys' lifetime. If the library is upgraded on an existing
|
||
device, keys created with the old lifetime value will not be readable or
|
||
removable through Mbed TLS after the upgrade.
|
||
|
||
Features
|
||
* New functions in the error module return constant strings for
|
||
high- and low-level error codes, complementing mbedtls_strerror()
|
||
which constructs a string for any error code, including compound
|
||
ones, but requires a writable buffer. Contributed by Gaurav Aggarwal
|
||
in #3176.
|
||
* The new utility programs/ssl/ssl_context_info prints a human-readable
|
||
dump of an SSL context saved with mbedtls_ssl_context_save().
|
||
* Add support for midipix, a POSIX layer for Microsoft Windows.
|
||
* Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows
|
||
parsing unsupported certificate extensions via user provided callback.
|
||
Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as
|
||
a solution to #3241.
|
||
* Pass the "certificate policies" extension to the callback supplied to
|
||
mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
|
||
policies (#3419).
|
||
* Added support to entropy_poll for the kern.arandom syscall supported on
|
||
some BSD systems. Contributed by Nia Alarie in #3423.
|
||
* Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
|
||
|
||
Security
|
||
* Fix a side channel vulnerability in modular exponentiation that could
|
||
reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
|
||
Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
|
||
of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
|
||
Strackx (Fortanix) in #3394.
|
||
* Fix side channel in mbedtls_ecp_check_pub_priv() and
|
||
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
|
||
private key that didn't include the uncompressed public key), as well as
|
||
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
|
||
f_rng argument. An attacker with access to precise enough timing and
|
||
memory access information (typically an untrusted operating system
|
||
attacking a secure enclave) could fully recover the ECC private key.
|
||
Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
|
||
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
|
||
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
|
||
macros). This would cause the original Lucky 13 attack to be possible in
|
||
those configurations, allowing an active network attacker to recover
|
||
plaintext after repeated timing measurements under some conditions.
|
||
Reported and fix suggested by Luc Perneel in #3246.
|
||
|
||
Bugfix
|
||
* Fix the Visual Studio Release x64 build configuration for mbedtls itself.
|
||
Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
|
||
the example programs. Reported in #1430 and fix contributed by irwir.
|
||
* Fix undefined behavior in X.509 certificate parsing if the
|
||
pathLenConstraint basic constraint value is equal to INT_MAX.
|
||
The actual effect with almost every compiler is the intended
|
||
behavior, so this is unlikely to be exploitable anywhere. #3192
|
||
* Fix issue with a detected HW accelerated record error not being exposed
|
||
due to shadowed variable. Contributed by Sander Visser in #3310.
|
||
* Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
|
||
NULL pointer argument. Contributed by Sander Visser in #3312.
|
||
* Fix potential linker errors on dual world platforms by inlining
|
||
mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
|
||
from psa_crypto.c. Fixes #3300.
|
||
* Remove dead code in X.509 certificate parsing. Contributed by irwir in
|
||
#2855.
|
||
* Include asn1.h in error.c. Fixes #3328 reported by David Hu.
|
||
* Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
|
||
when PRNG function fails. Contributed by Jonas Lejeune in #3318.
|
||
* Remove unused macros from MSVC projects. Reported in #3297 and fix
|
||
submitted in #3333 by irwir.
|
||
* Add additional bounds checks in ssl_write_client_hello() preventing
|
||
output buffer overflow if the configuration declared a buffer that was
|
||
too small.
|
||
* Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
|
||
fix submitted in #3421 by Nia Alarie.
|
||
* Fix building library/net_sockets.c and the ssl_mail_client program on
|
||
NetBSD. Contributed by Nia Alarie in #3422.
|
||
* Fix false positive uninitialised variable reported by cpp-check.
|
||
Contributed by Sander Visser in #3311.
|
||
* Update iv and len context pointers manually when reallocating buffers
|
||
using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues
|
||
when receiving a connection with CID, when these fields were shifted
|
||
in ssl_parse_record_header().
|
||
|
||
Changes
|
||
* Fix warnings about signedness issues in format strings. The build is now
|
||
clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
|
||
in #3153.
|
||
* Fix minor performance issue in operations on Curve25519 caused by using a
|
||
suboptimal modular reduction in one place. Found and fix contributed by
|
||
Aurelien Jarno in #3209.
|
||
* Combine identical cases in switch statements in md.c. Contributed
|
||
by irwir in #3208.
|
||
* Simplify a bounds check in ssl_write_certificate_request(). Contributed
|
||
by irwir in #3150.
|
||
* Unify the example programs termination to call mbedtls_exit() instead of
|
||
using a return command. This has been done to enable customization of the
|
||
behavior in bare metal environments.
|
||
* Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
|
||
Contributed by Koh M. Nakagawa in #3326.
|
||
* Use FindPython3 when cmake version >= 3.15.0
|
||
* Abort the ClientHello writing function as soon as some extension doesn't
|
||
fit into the record buffer. Previously, such extensions were silently
|
||
dropped. As a consequence, the TLS handshake now fails when the output
|
||
buffer is not large enough to hold the ClientHello.
|
||
* The unit tests now rely on header files in tests/include/test and source
|
||
files in tests/src. When building with make or cmake, the files in
|
||
tests/src are compiled and the resulting object linked into each test
|
||
executable.
|
||
* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
|
||
`MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
|
||
coutermeasures. If side channels are not a concern, this dependency can
|
||
be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
|
||
* Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes
|
||
Martinho. #3147
|
||
* Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
|
||
in #3182 and fix submitted by irwir. #3217
|
||
* Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
|
||
|
||
= mbed TLS 2.22.0 branch released 2020-04-14
|
||
|
||
New deprecations
|
||
* Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
|
||
SSL module for hardware acceleration of individual records.
|
||
* Deprecate mbedtls_ssl_get_max_frag_len() in favour of
|
||
mbedtls_ssl_get_output_max_frag_len() and
|
||
mbedtls_ssl_get_input_max_frag_len() to be more precise about which max
|
||
fragment length is desired.
|
||
|
||
Security
|
||
* Fix issue in DTLS handling of new associations with the same parameters
|
||
(RFC 6347 section 4.2.8): an attacker able to send forged UDP packets to
|
||
the server could cause it to drop established associations with
|
||
legitimate clients, resulting in a Denial of Service. This could only
|
||
happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
|
||
(which it is by default).
|
||
* Fix side channel in ECC code that allowed an adversary with access to
|
||
precise enough timing and memory access information (typically an
|
||
untrusted operating system attacking a secure enclave) to fully recover
|
||
an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
|
||
Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
|
||
* Fix a potentially remotely exploitable buffer overread in a
|
||
DTLS client when parsing the Hello Verify Request message.
|
||
|
||
Features
|
||
* The new build option MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH automatically
|
||
resizes the I/O buffers before and after handshakes, reducing the memory
|
||
consumption during application data transfer.
|
||
|
||
Bugfix
|
||
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
|
||
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
|
||
* Remove a spurious check in ssl_parse_client_psk_identity that triggered
|
||
a warning with some compilers. Fix contributed by irwir in #2856.
|
||
* Fix a function name in a debug message. Contributed by Ercan Ozturk in
|
||
#3013.
|
||
|
||
Changes
|
||
* Mbed Crypto is no longer a Git submodule. The crypto part of the library
|
||
is back directly in the present repository.
|
||
* Split mbedtls_ssl_get_max_frag_len() into
|
||
mbedtls_ssl_get_output_max_frag_len() and
|
||
mbedtls_ssl_get_input_max_frag_len() to ensure that a sufficient input
|
||
buffer is allocated by the server (if MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
|
||
is defined), regardless of what MFL was configured for it.
|
||
|
||
= mbed TLS 2.21.0 branch released 2020-02-20
|
||
|
||
New deprecations
|
||
* Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO that enables parsing
|
||
SSLv2 ClientHello messages.
|
||
* Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
|
||
* Deprecate for MBEDTLS_PKCS11_C, the wrapper around the pkcs11-helper
|
||
library which allows TLS authentication to use keys stored in a
|
||
PKCS#11 token such as a smartcard.
|
||
|
||
Security
|
||
* Fix potential memory overread when performing an ECDSA signature
|
||
operation. The overread only happens with cryptographically low
|
||
probability (of the order of 2^-n where n is the bitsize of the curve)
|
||
unless the RNG is broken, and could result in information disclosure or
|
||
denial of service (application crash or extra resource consumption).
|
||
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
|
||
* To avoid a side channel vulnerability when parsing an RSA private key,
|
||
read all the CRT parameters from the DER structure rather than
|
||
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
|
||
Brumley. Reported and fix contributed by Jack Lloyd.
|
||
ARMmbed/mbed-crypto#352
|
||
|
||
Features
|
||
* The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
|
||
support without SHA-384.
|
||
|
||
API changes
|
||
* Change the encoding of key types and curves in the PSA API. The new
|
||
values are aligned with the upcoming release of the PSA Crypto API
|
||
specification version 1.0.0. The main change which may break some
|
||
existing code is that elliptic curve key types no longer encode the
|
||
exact curve: a psa_ecc_curve_t or psa_key_type_t value only encodes
|
||
a curve family and the key size determines the exact curve (for example,
|
||
PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1). ARMmbed/mbed-crypto#330
|
||
|
||
Bugfix
|
||
* Fix an unchecked call to mbedtls_md() in the x509write module.
|
||
* Fix build failure with MBEDTLS_ZLIB_SUPPORT enabled. Reported by
|
||
Jack Lloyd in #2859. Fix submitted by jiblime in #2963.
|
||
* Fix some false-positive uninitialized variable warnings in X.509. Fix
|
||
contributed by apple-ihack-geek in #2663.
|
||
* Fix a possible error code mangling in psa_mac_verify_finish() when
|
||
a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
|
||
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
|
||
RSA keys that would later be rejected by functions expecting private
|
||
keys. Found by Catena cyber using oss-fuzz (issue 20467).
|
||
* Fix a bug in mbedtls_pk_parse_key() that would cause it to
|
||
accept some RSA keys with invalid values by silently fixing those values.
|
||
|
||
= mbed TLS 2.20.0 branch released 2020-01-15
|
||
|
||
Default behavior changes
|
||
* The initial seeding of a CTR_DRBG instance makes a second call to the
|
||
entropy function to obtain entropy for a nonce if the entropy size is less
|
||
than 3/2 times the key size. In case you want to disable the extra call to
|
||
grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the
|
||
nonce length to 0.
|
||
|
||
Security
|
||
* Enforce that mbedtls_entropy_func() gathers a total of
|
||
MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the
|
||
default configuration, on a platform with a single entropy source, the
|
||
entropy module formerly only grabbed 32 bytes, which is good enough for
|
||
security if the source is genuinely strong, but less than the expected 64
|
||
bytes (size of the entropy accumulator).
|
||
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
|
||
mbedtls_internal_aes_decrypt() before exiting the function. The value of
|
||
these variables can be used to recover the last round key. To follow best
|
||
practice and to limit the impact of buffer overread vulnerabilities (like
|
||
Heartbleed) we need to zeroize them before exiting the function.
|
||
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
|
||
Grant Hernandez, and Kevin Butler (University of Florida) and
|
||
Dave Tian (Purdue University).
|
||
* Fix side channel vulnerability in ECDSA. Our bignum implementation is not
|
||
constant time/constant trace, so side channel attacks can retrieve the
|
||
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
|
||
to have only large prime factors), and then, by brute force, recover the
|
||
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
|
||
* Fix side channel vulnerability in ECDSA key generation. Obtaining precise
|
||
timings on the comparison in the key generation enabled the attacker to
|
||
learn leading bits of the ephemeral key used during ECDSA signatures and to
|
||
recover the private key. Reported by Jeremy Dubeuf.
|
||
* Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
|
||
failures could happen with alternative implementations of AES. Bug
|
||
reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
|
||
Sectra.
|
||
|
||
Features
|
||
* Key derivation inputs in the PSA API can now either come from a key object
|
||
or from a buffer regardless of the step type.
|
||
* The CTR_DRBG module can grab a nonce from the entropy source during the
|
||
initial seeding. The default nonce length is chosen based on the key size
|
||
to achieve the security strength defined by NIST SP 800-90A. You can
|
||
change it with mbedtls_ctr_drbg_set_nonce_len().
|
||
* Add ENUMERATED tag support to the ASN.1 module. Contributed by
|
||
msopiha-linaro in ARMmbed/mbed-crypto#307.
|
||
|
||
API changes
|
||
* In the PSA API, forbid zero-length keys. To pass a zero-length input to a
|
||
key derivation function, use a buffer instead (this is now always
|
||
possible).
|
||
* Rename psa_asymmetric_sign() to psa_sign_hash() and
|
||
psa_asymmetric_verify() to psa_verify_hash().
|
||
|
||
Bugfix
|
||
* Fix an incorrect size in a debugging message. Reported and fix
|
||
submitted by irwir. Fixes #2717.
|
||
* Fix an unused variable warning when compiling without DTLS.
|
||
Reported and fix submitted by irwir. Fixes #2800.
|
||
* Remove a useless assignment. Reported and fix submitted by irwir.
|
||
Fixes #2801.
|
||
* Fix a buffer overflow in the PSA HMAC code when using a long key with an
|
||
unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
|
||
* Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit
|
||
to OSS-Fuzz for finding a bug in an intermediate version of the fix.
|
||
* Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at
|
||
most 2 bytes.
|
||
* mbedtls_ctr_drbg_set_entropy_len() and
|
||
mbedtls_hmac_drbg_set_entropy_len() now work if you call them before
|
||
mbedtls_ctr_drbg_seed() or mbedtls_hmac_drbg_seed().
|
||
|
||
Changes
|
||
* Remove the technical possibility to define custom mbedtls_md_info
|
||
structures, which was exposed only in an internal header.
|
||
* psa_close_key(0) and psa_destroy_key(0) now succeed (doing nothing, as
|
||
before).
|
||
* Variables containing error codes are now initialized to an error code
|
||
rather than success, so that coding mistakes or memory corruption tends to
|
||
cause functions to return this error code rather than a success. There are
|
||
no known instances where this changes the behavior of the library: this is
|
||
merely a robustness improvement. ARMmbed/mbed-crypto#323
|
||
* Remove a useless call to mbedtls_ecp_group_free(). Contributed by
|
||
Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
|
||
* Speed up PBKDF2 by caching the digest calculation. Contributed by Jack
|
||
Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
|
||
* Small performance improvement of mbedtls_mpi_div_mpi(). Contributed by
|
||
Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
|
||
|
||
= mbed TLS 2.19.1 branch released 2019-09-16
|
||
|
||
Features
|
||
* Declare include headers as PUBLIC to propagate to CMake project consumers
|
||
Contributed by Zachary J. Fields in PR #2949.
|
||
* Add nss_keylog to ssl_client2 and ssl_server2, enabling easier analysis of
|
||
TLS sessions with tools like Wireshark.
|
||
|
||
API Changes
|
||
* Make client_random and server_random const in
|
||
mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
|
||
from modifying the client/server hello.
|
||
|
||
Bugfix
|
||
* Fix some false-positive uninitialized variable warnings in crypto. Fix
|
||
contributed by apple-ihack-geek in #2663.
|
||
|
||
= mbed TLS 2.19.0 branch released 2019-09-06
|
||
|
||
Security
|
||
* Fix a missing error detection in ECJPAKE. This could have caused a
|
||
predictable shared secret if a hardware accelerator failed and the other
|
||
side of the key exchange had a similar bug.
|
||
* When writing a private EC key, use a constant size for the private
|
||
value, as specified in RFC 5915. Previously, the value was written
|
||
as an ASN.1 INTEGER, which caused the size of the key to leak
|
||
about 1 bit of information on average and could cause the value to be
|
||
1 byte too large for the output buffer.
|
||
* The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
|
||
implement blinding. Because of this for the same key and message the same
|
||
blinding value was generated. This reduced the effectiveness of the
|
||
countermeasure and leaked information about the private key through side
|
||
channels. Reported by Jack Lloyd.
|
||
|
||
Features
|
||
* Add new API functions mbedtls_ssl_session_save() and
|
||
mbedtls_ssl_session_load() to allow serializing a session, for example to
|
||
store it in non-volatile storage, and later using it for TLS session
|
||
resumption.
|
||
* Add a new API function mbedtls_ssl_check_record() to allow checking that
|
||
an incoming record is valid, authentic and has not been seen before. This
|
||
feature can be used alongside Connection ID and SSL context serialisation.
|
||
The feature is enabled at compile-time by MBEDTLS_SSL_RECORD_CHECKING
|
||
option.
|
||
* New implementation of X25519 (ECDH using Curve25519) from Project Everest
|
||
(https://project-everest.github.io/). It can be enabled at compile time
|
||
with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally
|
||
verified and significantly faster, but is only supported on x86 platforms
|
||
(32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
|
||
Christoph Wintersteiger from Microsoft Research.
|
||
* Add mbedtls_net_close(), enabling the building of forking servers where
|
||
the parent process closes the client socket and continue accepting, and
|
||
the child process closes the listening socket and handles the client
|
||
socket. Contributed by Robert Larsen in #2803.
|
||
|
||
API Changes
|
||
* Add DER-encoded test CRTs to library/certs.c, allowing
|
||
the example programs ssl_server2 and ssl_client2 to be run
|
||
if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
|
||
* The HAVEGE state type now uses uint32_t elements instead of int.
|
||
* The functions mbedtls_ecp_curve_list() and mbedtls_ecp_grp_id_list() now
|
||
list all curves for which at least one of ECDH or ECDSA is supported, not
|
||
just curves for which both are supported. Call mbedtls_ecdsa_can_do() or
|
||
mbedtls_ecdh_can_do() on each result to check whether each algorithm is
|
||
supported.
|
||
* The new function mbedtls_ecdsa_sign_det_ext() is similar to
|
||
mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
|
||
purpose of blinding.
|
||
|
||
New deprecations
|
||
* Deprecate mbedtls_ecdsa_sign_det() in favor of a functions that can take an
|
||
RNG function as an input.
|
||
* Calling mbedtls_ecdsa_write_signature() with NULL as the f_rng argument
|
||
is now deprecated.
|
||
|
||
Bugfix
|
||
* Fix missing bounds checks in X.509 parsing functions that could
|
||
lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
|
||
* Fix multiple X.509 functions previously returning ASN.1 low-level error
|
||
codes to always wrap these codes into X.509 high level error codes before
|
||
returning. Fixes #2431.
|
||
* Fix to allow building test suites with any warning that detects unused
|
||
functions. Fixes #1628.
|
||
* Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
|
||
* Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
|
||
* Fix build failure when building with mingw on Windows by including
|
||
stdarg.h where needed. Fixes #2656.
|
||
* Fix Visual Studio Release x64 build configuration by inheriting
|
||
PlatformToolset from the project configuration. Fixes #1430 reported by
|
||
irwir.
|
||
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
|
||
if some curves are not defined. Fixes #1591 reported by dbedev.
|
||
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
|
||
* Avoid use of statically sized stack buffers for certificate writing.
|
||
This previously limited the maximum size of DER encoded certificates
|
||
in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
|
||
* Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
|
||
* Update test certificates that were about to expire. Reported by
|
||
Bernhard M. Wiedemann in #2357.
|
||
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
|
||
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
|
||
in #2169.
|
||
* Fix propagation of restart contexts in restartable EC operations.
|
||
This could previously lead to segmentation faults in builds using an
|
||
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
|
||
* Fix memory leak in in mpi_miller_rabin(). Contributed by
|
||
Jens Wiklander <jens.wiklander@linaro.org> in #2363
|
||
* Improve code clarity in x509_crt module, removing false-positive
|
||
uninitialized variable warnings on some recent toolchains (GCC8, etc).
|
||
Discovered and fixed by Andy Gross (Linaro), #2392.
|
||
* Fix bug in endianness conversion in bignum module. This lead to
|
||
functionally incorrect code on bigendian systems which don't have
|
||
__BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622.
|
||
|
||
Changes
|
||
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
|
||
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
|
||
suggests). #2671
|
||
* Make `make clean` clean all programs always. Fixes #1862.
|
||
* Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh,
|
||
docker-env.sh) to simplify running test suites on a Linux host. Contributed
|
||
by Peter Kolbus (Garmin).
|
||
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
|
||
test runs without variability. Contributed by Philippe Antoine (Catena
|
||
cyber) in #2681.
|
||
* Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi.
|
||
* Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
|
||
Contributed by Philippe Antoine (Catena cyber).
|
||
* Remove the crypto part of the library from Mbed TLS. The crypto
|
||
code and tests are now only available via Mbed Crypto, which
|
||
Mbed TLS references as a Git submodule.
|
||
|
||
= mbed TLS 2.18.1 branch released 2019-07-12
|
||
|
||
Bugfix
|
||
* Fix build failure when building with mingw on Windows by including
|
||
stdarg.h where needed. Fixes #2656.
|
||
|
||
Changes
|
||
* Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by
|
||
Ashley Duncan in #2609.
|
||
|
||
= mbed TLS 2.18.0 branch released 2019-06-11
|
||
|
||
Features
|
||
* Add the Any Policy certificate policy oid, as defined in
|
||
rfc 5280 section 4.2.1.4.
|
||
* It is now possible to use NIST key wrap mode via the mbedtls_cipher API.
|
||
Contributed by Jack Lloyd and Fortanix Inc.
|
||
* Add the Wi-SUN Field Area Network (FAN) device extended key usage.
|
||
* Add the oid certificate policy x509 extension.
|
||
* It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest.
|
||
Contributed by Jack Lloyd and Fortanix Inc.
|
||
* Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
|
||
and the used tls-prf.
|
||
* Add public API for tls-prf function, according to requested enum.
|
||
* Add support for parsing otherName entries in the Subject Alternative Name
|
||
X.509 certificate extension, specifically type hardware module name,
|
||
as defined in RFC 4108 section 5.
|
||
* Add support for parsing certificate policies extension, as defined in
|
||
RFC 5280 section 4.2.1.4. Currently, only the "Any Policy" policy is
|
||
supported.
|
||
* List all SAN types in the subject_alt_names field of the certificate.
|
||
Resolves #459.
|
||
* Add support for draft-05 of the Connection ID extension, as specified
|
||
in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
|
||
The Connection ID extension allows to keep DTLS connections beyond the
|
||
lifetime of the underlying transport by adding a connection identifier
|
||
to the DTLS record header. This identifier can be used to associated an
|
||
incoming record with the correct connection data even after the peer has
|
||
changed its IP or port. The feature is enabled at compile-time by setting
|
||
MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
|
||
through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid().
|
||
|
||
|
||
API Changes
|
||
* Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
|
||
and the used tls-prf.
|
||
* Add public API for tls-prf function, according to requested enum.
|
||
|
||
Bugfix
|
||
* Fix private key DER output in the key_app_writer example. File contents
|
||
were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
|
||
Christian Walther in #2239.
|
||
* Fix potential memory leak in X.509 self test. Found and fixed by
|
||
Junhwan Park, #2106.
|
||
* Reduce stack usage of hkdf tests. Fixes #2195.
|
||
* Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
|
||
used with negative inputs. Found by Guido Vranken in #2404. Credit to
|
||
OSS-Fuzz.
|
||
* Fix bugs in the AEAD test suite which would be exposed by ciphers which
|
||
either used both encrypt and decrypt key schedules, or which perform padding.
|
||
GCM and CCM were not affected. Fixed by Jack Lloyd.
|
||
* Fix incorrect default port number in ssl_mail_client example's usage.
|
||
Found and fixed by irwir. #2337
|
||
* Add psa_util.h to test/cpp_dummy_build to fix build_default_make_gcc_and_cxx.
|
||
Fixed by Peter Kolbus (Garmin). #2579
|
||
* Add missing parentheses around parameters in the definition of the
|
||
public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
|
||
in case operators binding less strongly than subtraction were used
|
||
for the parameter.
|
||
* Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
|
||
sni entry parameter. Reported by inestlerode in #560.
|
||
* Set the next sequence of the subject_alt_name to NULL when deleting
|
||
sequence on failure. Found and fix suggested by Philippe Antoine.
|
||
Credit to OSS-Fuzz.
|
||
|
||
Changes
|
||
* Server's RSA certificate in certs.c was SHA-1 signed. In the default
|
||
mbedTLS configuration only SHA-2 signed certificates are accepted.
|
||
This certificate is used in the demo server programs, which lead the
|
||
client programs to fail at the peer's certificate verification
|
||
due to an unacceptable hash signature. The certificate has been
|
||
updated to one that is SHA-256 signed. Fix contributed by
|
||
Illya Gerasymchuk.
|
||
* Return from various debugging routines immediately if the
|
||
provided SSL context is unset.
|
||
* Remove dead code from bignum.c in the default configuration.
|
||
Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
|
||
* Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
|
||
Contributed by Peter Kolbus (Garmin).
|
||
* Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
|
||
improve clarity. Fixes #2258.
|
||
|
||
= mbed TLS 2.17.0 branch released 2019-03-19
|
||
|
||
Features
|
||
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`
|
||
which allows copy-less parsing of DER encoded X.509 CRTs,
|
||
at the cost of additional lifetime constraints on the input
|
||
buffer, but at the benefit of reduced RAM consumption.
|
||
* Add a new function mbedtls_asn1_write_named_bitstring() to write ASN.1
|
||
named bitstring in DER as required by RFC 5280 Appendix B.
|
||
* Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
|
||
from the default list (enabled by default). See
|
||
https://sweet32.info/SWEET32_CCS16.pdf.
|
||
|
||
API Changes
|
||
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
|
||
See the Features section for more information.
|
||
* Allow to opt in to the removal the API mbedtls_ssl_get_peer_cert()
|
||
for the benefit of saving RAM, by disabling the new compile-time
|
||
option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE (enabled by default for
|
||
API stability). Disabling this option makes mbedtls_ssl_get_peer_cert()
|
||
always return NULL, and removes the peer_cert field from the
|
||
mbedtls_ssl_session structure which otherwise stores the peer's
|
||
certificate.
|
||
|
||
Security
|
||
* Make mbedtls_ecdh_get_params return an error if the second key
|
||
belongs to a different group from the first. Before, if an application
|
||
passed keys that belonged to different group, the first key's data was
|
||
interpreted according to the second group, which could lead to either
|
||
an error or a meaningless output from mbedtls_ecdh_get_params. In the
|
||
latter case, this could expose at most 5 bits of the private key.
|
||
|
||
Bugfix
|
||
* Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
|
||
when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
|
||
* Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
|
||
Raised as a comment in #1996.
|
||
* Reduce the stack consumption of mbedtls_mpi_fill_random() which could
|
||
previously lead to a stack overflow on constrained targets.
|
||
* Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
|
||
in the header files, which missed the precompilation check. #971
|
||
* Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
|
||
* Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
|
||
* Remove the mbedtls namespacing from the header file, to fix a "file not found"
|
||
build error. Fixed by Haijun Gu #2319.
|
||
* Fix signed-to-unsigned integer conversion warning
|
||
in X.509 module. Fixes #2212.
|
||
* Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
|
||
Fixes #2190.
|
||
* Fix false failure in all.sh when backup files exist in include/mbedtls
|
||
(e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
|
||
* Ensure that unused bits are zero when writing ASN.1 bitstrings when using
|
||
mbedtls_asn1_write_bitstring().
|
||
* Fix issue when writing the named bitstrings in KeyUsage and NsCertType
|
||
extensions in CSRs and CRTs that caused these bitstrings to not be encoded
|
||
correctly as trailing zeroes were not accounted for as unused bits in the
|
||
leading content octet. Fixes #1610.
|
||
|
||
Changes
|
||
* Reduce RAM consumption during session renegotiation by not storing
|
||
the peer CRT chain and session ticket twice.
|
||
* Include configuration file in all header files that use configuration,
|
||
instead of relying on other header files that they include.
|
||
Inserted as an enhancement for #1371
|
||
* Add support for alternative CSR headers, as used by Microsoft and defined
|
||
in RFC 7468. Found by Michael Ernst. Fixes #767.
|
||
* Correct many misspellings. Fixed by MisterDA #2371.
|
||
* Provide an abstraction of vsnprintf to allow alternative implementations
|
||
for platforms that don't provide it. Based on contributions by Joris Aerts
|
||
and Nathaniel Wesley Filardo.
|
||
* Fix clobber list in MIPS assembly for large integer multiplication.
|
||
Previously, this could lead to functionally incorrect assembly being
|
||
produced by some optimizing compilers, showing up as failures in
|
||
e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
|
||
by Aurelien Jarno and submitted by Jeffrey Martin.
|
||
* Reduce the complexity of the timing tests. They were assuming more than the
|
||
underlying OS actually guarantees.
|
||
* Fix configuration queries in ssl-opt.h. #2030
|
||
* Ensure that ssl-opt.h can be run in OS X. #2029
|
||
* Re-enable certain interoperability tests in ssl-opt.sh which had previously
|
||
been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
|
||
* Ciphersuites based on 3DES now have the lowest priority by default when
|
||
they are enabled.
|
||
|
||
= mbed TLS 2.16.0 branch released 2018-12-21
|
||
|
||
Features
|
||
* Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
|
||
of parameters in the API. This allows detection of obvious misuses of the
|
||
API, such as passing NULL pointers. The API of existing functions hasn't
|
||
changed, but requirements on parameters have been made more explicit in
|
||
the documentation. See the corresponding API documentation for each
|
||
function to see for which parameter values it is defined. This feature is
|
||
disabled by default. See its API documentation in config.h for additional
|
||
steps you have to take when enabling it.
|
||
|
||
API Changes
|
||
* The following functions in the random generator modules have been
|
||
deprecated and replaced as shown below. The new functions change
|
||
the return type from void to int to allow returning error codes when
|
||
using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
|
||
primitive. Fixes #1798.
|
||
mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
|
||
mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
|
||
* Extend ECDH interface to enable alternative implementations.
|
||
* Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
|
||
ARIA, CAMELLIA and Blowfish. These error codes will be replaced by
|
||
the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
|
||
* Additional parameter validation checks have been added for the following
|
||
modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
|
||
ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI.
|
||
Where modules have had parameter validation added, existing parameter
|
||
checks may have changed. Some modules, such as Chacha20 had existing
|
||
parameter validation whereas other modules had little. This has now been
|
||
changed so that the same level of validation is present in all modules, and
|
||
that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
|
||
is off. That means that checks which were previously present by default
|
||
will no longer be.
|
||
|
||
New deprecations
|
||
* Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update
|
||
in favor of functions that can return an error code.
|
||
|
||
Bugfix
|
||
* Fix for Clang, which was reporting a warning for the bignum.c inline
|
||
assembly for AMD64 targets creating string literals greater than those
|
||
permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
|
||
* Fix runtime error in `mbedtls_platform_entropy_poll()` when run
|
||
through qemu user emulation. Reported and fix suggested by randombit
|
||
in #1212. Fixes #1212.
|
||
* Fix an unsafe bounds check when restoring an SSL session from a ticket.
|
||
This could lead to a buffer overflow, but only in case ticket authentication
|
||
was broken. Reported and fix suggested by Guido Vranken in #659.
|
||
* Add explicit integer to enumeration type casts to example program
|
||
programs/pkey/gen_key which previously led to compilation failure
|
||
on some toolchains. Reported by phoenixmcallister. Fixes #2170.
|
||
* Fix double initialization of ECC hardware that made some accelerators
|
||
hang.
|
||
* Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
|
||
of check for certificate/key matching. Reported by Attila Molnar, #507.
|
||
|
||
= mbed TLS 2.15.1 branch released 2018-11-30
|
||
|
||
Changes
|
||
* Update the Mbed Crypto submodule to version 0.1.0b2.
|
||
|
||
= mbed TLS 2.15.0 branch released 2018-11-23
|
||
|
||
Features
|
||
* Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of
|
||
Mbed Crypto as the source of the cryptography implementation.
|
||
* Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable
|
||
the PSA Crypto API from Mbed Crypto when additionally used with the
|
||
USE_CRYPTO_SUBMODULE build option.
|
||
|
||
Changes
|
||
* Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
|
||
from the cipher abstraction layer. Fixes #2198.
|
||
|
||
= mbed TLS 2.14.1 branch released 2018-11-30
|
||
|
||
Security
|
||
* Fix timing variations and memory access variations in RSA PKCS#1 v1.5
|
||
decryption that could lead to a Bleichenbacher-style padding oracle
|
||
attack. In TLS, this affects servers that accept ciphersuites based on
|
||
RSA decryption (i.e. ciphersuites whose name contains RSA but not
|
||
(EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
|
||
(University of Adelaide), Daniel Genkin (University of Michigan),
|
||
Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
|
||
(University of Adelaide, Data61). The attack is described in more detail
|
||
in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
|
||
* In mbedtls_mpi_write_binary(), don't leak the exact size of the number
|
||
via branching and memory access patterns. An attacker who could submit
|
||
a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
|
||
of the decryption and not its result could nonetheless decrypt RSA
|
||
plaintexts and forge RSA signatures. Other asymmetric algorithms may
|
||
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
|
||
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
|
||
* Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
|
||
modules.
|
||
|
||
API Changes
|
||
* The new functions mbedtls_ctr_drbg_update_ret() and
|
||
mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
|
||
and mbedtls_hmac_drbg_update() respectively, but the new functions
|
||
report errors whereas the old functions return void. We recommend that
|
||
applications use the new functions.
|
||
|
||
= mbed TLS 2.14.0 branch released 2018-11-19
|
||
|
||
Security
|
||
* Fix overly strict DN comparison when looking for CRLs belonging to a
|
||
particular CA. This previously led to ignoring CRLs when the CRL's issuer
|
||
name and the CA's subject name differed in their string encoding (e.g.,
|
||
one using PrintableString and the other UTF8String) or in the choice of
|
||
upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
|
||
#1784.
|
||
* Fix a flawed bounds check in server PSK hint parsing. In case the
|
||
incoming message buffer was placed within the first 64KiB of address
|
||
space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
|
||
to trigger a memory access up to 64KiB beyond the incoming message buffer,
|
||
potentially leading to an application crash or information disclosure.
|
||
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
|
||
previous settings for the number of rounds made it practical for an
|
||
adversary to construct non-primes that would be erroneously accepted as
|
||
primes with high probability. This does not have an impact on the
|
||
security of TLS, but can matter in other contexts with numbers chosen
|
||
potentially by an adversary that should be prime and can be validated.
|
||
For example, the number of rounds was enough to securely generate RSA key
|
||
pairs or Diffie-Hellman parameters, but was insufficient to validate
|
||
Diffie-Hellman parameters properly.
|
||
See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
|
||
Kenneth G. Paterson and Juraj Somorovsky.
|
||
|
||
Features
|
||
* Add support for temporarily suspending expensive ECC computations after
|
||
some configurable amount of operations. This is intended to be used in
|
||
constrained, single-threaded systems where ECC is time consuming and can
|
||
block other operations until they complete. This is disabled by default,
|
||
but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and
|
||
configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
|
||
xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
|
||
yet), and to existing functions in ECDH and SSL (currently only
|
||
implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
|
||
including client authentication).
|
||
* Add support for Arm CPU DSP extensions to accelerate asymmetric key
|
||
operations. On CPUs where the extensions are available, they can accelerate
|
||
MPI multiplications used in ECC and RSA cryptography. Contributed by
|
||
Aurelien Jarno.
|
||
* Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
|
||
signature always used a salt with the same length as the hash, and returned
|
||
an error if this was not possible. Now the salt size may be up to two bytes
|
||
shorter. This allows the library to support all hash and signature sizes
|
||
that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
|
||
* Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
|
||
than 256 bits limits the security of generated material to 128 bits.
|
||
|
||
API Changes
|
||
* Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
|
||
a feature that is not supported by underlying alternative
|
||
implementations implementing cryptographic primitives. This is useful for
|
||
hardware accelerators that don't implement all options or features.
|
||
|
||
New deprecations
|
||
* All module specific errors following the form
|
||
MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
|
||
supported are deprecated and are now replaced by the new equivalent
|
||
platform error.
|
||
* All module specific generic hardware acceleration errors following the
|
||
form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED that are deprecated and are replaced
|
||
by the equivalent plaform error.
|
||
* Deprecate the function mbedtls_mpi_is_prime() in favor of
|
||
mbedtls_mpi_is_prime_ext() which allows specifying the number of
|
||
Miller-Rabin rounds.
|
||
|
||
Bugfix
|
||
* Fix wrong order of freeing in programs/ssl/ssl_server2 example
|
||
application leading to a memory leak in case both
|
||
MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set.
|
||
Fixes #2069.
|
||
* Fix a bug in the update function for SSL ticket keys which previously
|
||
invalidated keys of a lifetime of less than a 1s. Fixes #1968.
|
||
* Fix failure in hmac_drbg in the benchmark sample application, when
|
||
MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
|
||
* Fix a bug in the record decryption routine ssl_decrypt_buf()
|
||
which lead to accepting properly authenticated but improperly
|
||
padded records in case of CBC ciphersuites using Encrypt-then-MAC.
|
||
* Fix memory leak and freeing without initialization in the example
|
||
program programs/x509/cert_write. Fixes #1422.
|
||
* Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
|
||
MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
|
||
* Zeroize memory used for buffering or reassembling handshake messages
|
||
after use.
|
||
* Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
|
||
of sensitive data in the example programs aescrypt2 and crypt_and_hash.
|
||
* Change the default string format used for various X.509 DN attributes to
|
||
UTF8String. Previously, the use of the PrintableString format led to
|
||
wildcards and non-ASCII characters being unusable in some DN attributes.
|
||
Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by
|
||
Thomas-Dee.
|
||
* Fix compilation failure for configurations which use compile time
|
||
replacements of standard calloc/free functions through the macros
|
||
MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO.
|
||
Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
|
||
|
||
Changes
|
||
* Removed support for Yotta as a build tool.
|
||
* Add tests for session resumption in DTLS.
|
||
* Close a test gap in (D)TLS between the client side and the server side:
|
||
test the handling of large packets and small packets on the client side
|
||
in the same way as on the server side.
|
||
* Change the dtls_client and dtls_server samples to work by default over
|
||
IPv6 and optionally by a build option over IPv4.
|
||
* Change the use of Windows threading to use Microsoft Visual C++ runtime
|
||
calls, rather than Win32 API calls directly. This is necessary to avoid
|
||
conflict with C runtime usage. Found and fixed by irwir.
|
||
* Remember the string format of X.509 DN attributes when replicating
|
||
X.509 DNs. Previously, DN attributes were always written in their default
|
||
string format (mostly PrintableString), which could lead to CRTs being
|
||
created which used PrintableStrings in the issuer field even though the
|
||
signing CA used UTF8Strings in its subject field; while X.509 compliant,
|
||
such CRTs were rejected in some applications, e.g. some versions of
|
||
Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by
|
||
Thomas-Dee.
|
||
* Improve documentation of mbedtls_ssl_get_verify_result().
|
||
Fixes #517 reported by github-monoculture.
|
||
* Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
|
||
use it to reduce error probability in RSA key generation to levels mandated
|
||
by FIPS-186-4.
|
||
|
||
= mbed TLS 2.13.1 branch released 2018-09-06
|
||
|
||
API Changes
|
||
* Extend the platform module with an abstraction mbedtls_platform_gmtime_r()
|
||
whose implementation should behave as a thread-safe version of gmtime().
|
||
This allows users to configure such an implementation at compile time when
|
||
the target system cannot be deduced automatically, by setting the option
|
||
MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
|
||
automatically select implementations for Windows and POSIX C libraries.
|
||
|
||
Bugfix
|
||
* Fix build failures on platforms where only gmtime() is available but
|
||
neither gmtime_r() nor gmtime_s() are present. Fixes #1907.
|
||
|
||
= mbed TLS 2.13.0 branch released 2018-08-31
|
||
|
||
Security
|
||
* Fix an issue in the X.509 module which could lead to a buffer overread
|
||
during certificate extensions parsing. In case of receiving malformed
|
||
input (extensions length field equal to 0), an illegal read of one byte
|
||
beyond the input buffer is made. Found and analyzed by Nathan Crandall.
|
||
|
||
Features
|
||
* Add support for fragmentation of outgoing DTLS handshake messages. This
|
||
is controlled by the maximum fragment length as set locally or negotiated
|
||
with the peer, as well as by a new per-connection MTU option, set using
|
||
mbedtls_ssl_set_mtu().
|
||
* Add support for auto-adjustment of MTU to a safe value during the
|
||
handshake when flights do not get through (RFC 6347, section 4.1.1.1,
|
||
last paragraph).
|
||
* Add support for packing multiple records within a single datagram,
|
||
enabled by default.
|
||
* Add support for buffering out-of-order handshake messages in DTLS.
|
||
The maximum amount of RAM used for this can be controlled by the
|
||
compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
|
||
in mbedtls/config.h.
|
||
|
||
API Changes
|
||
* Add function mbedtls_ssl_set_datagram_packing() to configure
|
||
the use of datagram packing (enabled by default).
|
||
|
||
Bugfix
|
||
* Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
|
||
failure in the function could lead to other buffers being leaked.
|
||
* Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if
|
||
MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890
|
||
* Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
|
||
Fix contributed by Espressif Systems.
|
||
* Add ecc extensions only if an ecc based ciphersuite is used.
|
||
This improves compliance to RFC 4492, and as a result, solves
|
||
interoperability issues with BouncyCastle. Raised by milenamil in #1157.
|
||
* Replace printf with mbedtls_printf in the ARIA module. Found by
|
||
TrinityTonic in #1908.
|
||
* Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
|
||
and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
|
||
* Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
|
||
with TLS versions 1.1 and earlier when the server requested authentication
|
||
without providing a list of CAs. This was due to an overly strict bounds
|
||
check in parsing the CertificateRequest message,
|
||
introduced in Mbed TLS 2.12.0. Fixes #1954.
|
||
* Fix a miscalculation of the maximum record expansion in
|
||
mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
|
||
or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914.
|
||
* Fix undefined shifts with negative values in certificates parsing
|
||
(found by Catena cyber using oss-fuzz)
|
||
* Fix memory leak and free without initialization in pk_encrypt
|
||
and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.
|
||
* Remove redundant else statement. Raised by irwir. Fixes #1776.
|
||
|
||
Changes
|
||
* Copy headers preserving timestamps when doing a "make install".
|
||
Contributed by xueruini.
|
||
* Allow the forward declaration of public structs. Contributed by Dawid
|
||
Drozd. Fixes #1215 raised by randombit.
|
||
* Improve compatibility with some alternative CCM implementations by using
|
||
CCM test vectors from RAM.
|
||
* Add support for buffering of out-of-order handshake messages.
|
||
* Add warnings to the documentation of the HKDF module to reduce the risk
|
||
of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand()
|
||
functions. Fixes #1775. Reported by Brian J. Murray.
|
||
|
||
= mbed TLS 2.12.0 branch released 2018-07-25
|
||
|
||
Security
|
||
* Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
|
||
in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
|
||
partially recover the plaintext of messages under some conditions by
|
||
exploiting timing measurements. With DTLS, the attacker could perform
|
||
this recovery by sending many messages in the same connection. With TLS
|
||
or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only
|
||
worked if the same secret (for example a HTTP Cookie) has been repeatedly
|
||
sent over connections manipulated by the attacker. Connections using GCM
|
||
or CCM instead of CBC, using hash sizes other than SHA-384, or using
|
||
Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
|
||
caused by a miscalculation (for SHA-384) in a countermeasure to the
|
||
original Lucky 13 attack. Found by Kenny Paterson, Eyal Ronen and Adi
|
||
Shamir.
|
||
* Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
|
||
1.2, that allowed a local attacker, able to execute code on the local
|
||
machine as well as manipulate network packets, to partially recover the
|
||
plaintext of messages under some conditions by using a cache attack
|
||
targeting an internal MD/SHA buffer. With TLS or if
|
||
mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
|
||
the same secret (for example a HTTP Cookie) has been repeatedly sent over
|
||
connections manipulated by the attacker. Connections using GCM or CCM
|
||
instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
|
||
Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
|
||
* Add a counter-measure against a vulnerability in TLS ciphersuites based
|
||
on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
|
||
execute code on the local machine as well as manipulate network packets,
|
||
to partially recover the plaintext of messages under some conditions (see
|
||
previous entry) by using a cache attack targeting the SSL input record
|
||
buffer. Connections using GCM or CCM instead of CBC or using
|
||
Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
|
||
Eyal Ronen and Adi Shamir.
|
||
|
||
Features
|
||
* Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
|
||
authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
|
||
by Daniel King.
|
||
* Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
|
||
* Add platform support for the Haiku OS. (https://www.haiku-os.org).
|
||
Contributed by Augustin Cavalier.
|
||
* Make the receive and transmit buffers independent sizes, for situations
|
||
where the outgoing buffer can be fixed at a smaller size than the incoming
|
||
buffer, which can save some RAM. If buffer lengths are kept equal, there
|
||
is no functional difference. Contributed by Angus Gratton, and also
|
||
independently contributed again by Paul Sokolovsky.
|
||
* Add support for key wrapping modes based on AES as defined by
|
||
NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
|
||
|
||
Bugfix
|
||
* Fix the key_app_writer example which was writing a leading zero byte which
|
||
was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257.
|
||
* Fix compilation error on C++, because of a variable named new.
|
||
Found and fixed by Hirotaka Niisato in #1783.
|
||
* Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
|
||
contributed by tabascoeye.
|
||
* Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
|
||
return value. Found by @davidwu2000. #839
|
||
* Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
|
||
Philippe Antoine. Fixes #1623.
|
||
* Remove unused headers included in x509.c. Found by Chris Hanson and fixed
|
||
by Brendan Shanks. Part of a fix for #992.
|
||
* Fix compilation error when MBEDTLS_ARC4_C is disabled and
|
||
MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
|
||
* Added length checks to some TLS parsing functions. Found and fixed by
|
||
Philippe Antoine from Catena cyber. #1663.
|
||
* Fix the inline assembly for the MPI multiply helper function for i386 and
|
||
i386 with SSE2. Found by László Langó. Fixes #1550
|
||
* Fix namespacing in header files. Remove the `mbedtls` namespacing in
|
||
the `#include` in the header files. Resolves #857
|
||
* Fix compiler warning of 'use before initialisation' in
|
||
mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid
|
||
Drozd. #1098
|
||
* Fix decryption for zero length messages (which contain all padding) when a
|
||
CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
|
||
such a message was wrongly reported as an invalid record and therefore lead
|
||
to the connection being terminated. Seen most often with OpenSSL using
|
||
TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix
|
||
contributed by Espressif Systems. Fixes #1632
|
||
* Fix ssl_client2 example to send application data with 0-length content
|
||
when the request_size argument is set to 0 as stated in the documentation.
|
||
Fixes #1833.
|
||
* Correct the documentation for `mbedtls_ssl_get_session()`. This API has
|
||
deep copy of the session, and the peer certificate is not lost. Fixes #926.
|
||
* Fix build using -std=c99. Fixed by Nick Wilson.
|
||
|
||
Changes
|
||
* Fail when receiving a TLS alert message with an invalid length, or invalid
|
||
zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
|
||
* Change the default behaviour of mbedtls_hkdf_extract() to return an error
|
||
when calling with a NULL salt and non-zero salt_len. Contributed by
|
||
Brian J Murray
|
||
* Change the shebang line in Perl scripts to look up perl in the PATH.
|
||
Contributed by fbrosson.
|
||
* Allow overriding the time on Windows via the platform-time abstraction.
|
||
Fixed by Nick Wilson.
|
||
* Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
|
||
|
||
= mbed TLS 2.11.0 branch released 2018-06-18
|
||
|
||
Features
|
||
* Add additional block mode, OFB (Output Feedback), to the AES module and
|
||
cipher abstraction module.
|
||
* Implement the HMAC-based extract-and-expand key derivation function
|
||
(HKDF) per RFC 5869. Contributed by Thomas Fossati.
|
||
* Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
|
||
* Add support for the XTS block cipher mode with AES (AES-XTS).
|
||
Contributed by Aorimn in pull request #414.
|
||
* In TLS servers, support offloading private key operations to an external
|
||
cryptoprocessor. Private key operations can be asynchronous to allow
|
||
non-blocking operation of the TLS server stack.
|
||
|
||
Bugfix
|
||
* Fix the cert_write example to handle certificates signed with elliptic
|
||
curves as well as RSA. Fixes #777 found by dbedev.
|
||
* Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
|
||
used by user applications. Found and fixed by Fabio Alessandrelli.
|
||
* Fix compilation warnings with IAR toolchain, on 32 bit platform.
|
||
Reported by rahmanih in #683
|
||
* Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
|
||
|
||
Changes
|
||
* Changed CMake defaults for IAR to treat all compiler warnings as errors.
|
||
* Changed the Clang parameters used in the CMake build files to work for
|
||
versions later than 3.6. Versions of Clang earlier than this may no longer
|
||
work. Fixes #1072
|
||
|
||
= mbed TLS 2.10.0 branch released 2018-06-06
|
||
|
||
Features
|
||
* Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
|
||
(RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
|
||
|
||
API Changes
|
||
* Extend the platform module with a util component that contains
|
||
functionality shared by multiple Mbed TLS modules. At this stage
|
||
platform_util.h (and its associated platform_util.c) only contain
|
||
mbedtls_platform_zeroize(), which is a critical function from a security
|
||
point of view. mbedtls_platform_zeroize() needs to be regularly tested
|
||
against compilers to ensure that calls to it are not removed from the
|
||
output binary as part of redundant code elimination optimizations.
|
||
Therefore, mbedtls_platform_zeroize() is moved to the platform module to
|
||
facilitate testing and maintenance.
|
||
|
||
Bugfix
|
||
* Fix an issue with MicroBlaze support in bn_mul.h which was causing the
|
||
build to fail. Found by zv-io. Fixes #1651.
|
||
|
||
Changes
|
||
* Support TLS testing in out-of-source builds using cmake. Fixes #1193.
|
||
* Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by
|
||
TrinityTonic. #1359.
|
||
|
||
= mbed TLS 2.9.0 branch released 2018-04-30
|
||
|
||
Security
|
||
* Fix an issue in the X.509 module which could lead to a buffer overread
|
||
during certificate validation. Additionally, the issue could also lead to
|
||
unnecessary callback checks being made or to some validation checks to be
|
||
omitted. The overread could be triggered remotely, while the other issues
|
||
would require a non DER-compliant certificate to be correctly signed by a
|
||
trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
|
||
luocm. Fixes #825.
|
||
* Fix the buffer length assertion in the ssl_parse_certificate_request()
|
||
function which led to an arbitrary overread of the message buffer. The
|
||
overreads could be caused by receiving a malformed message at the point
|
||
where an optional signature algorithms list is expected when the signature
|
||
algorithms section is too short. In builds with debug output, the overread
|
||
data is output with the debug data.
|
||
* Fix a client-side bug in the validation of the server's ciphersuite choice
|
||
which could potentially lead to the client accepting a ciphersuite it didn't
|
||
offer or a ciphersuite that cannot be used with the TLS or DTLS version
|
||
chosen by the server. This could lead to corruption of internal data
|
||
structures for some configurations.
|
||
|
||
Features
|
||
* Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES
|
||
tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB.
|
||
Suggested and contributed by jkivilin in pull request #394.
|
||
* Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
|
||
ECDH primitive functions (mbedtls_ecdh_gen_public(),
|
||
mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
|
||
Nicholas Wilson in pull request #348.
|
||
|
||
API Changes
|
||
* Extend the public API with the function of mbedtls_net_poll() to allow user
|
||
applications to wait for a network context to become ready before reading
|
||
or writing.
|
||
* Add function mbedtls_ssl_check_pending() to the public API to allow
|
||
a check for whether more more data is pending to be processed in the
|
||
internal message buffers.
|
||
This function is necessary to determine when it is safe to idle on the
|
||
underlying transport in case event-driven IO is used.
|
||
|
||
Bugfix
|
||
* Fix a spurious uninitialized variable warning in cmac.c. Fix independently
|
||
contributed by Brian J Murray and David Brown.
|
||
* Add missing dependencies in test suites that led to build failures
|
||
in configurations that omit certain hashes or public-key algorithms.
|
||
Fixes #1040.
|
||
* Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
|
||
#1353
|
||
* Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
|
||
MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
|
||
Deomid Ryabkov. Fixes #1299, #1475.
|
||
* Fix the Makefile build process for building shared libraries on Mac OS X.
|
||
Fixed by mnacamura.
|
||
* Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
|
||
unable to parse keys which had only the optional parameters field of the
|
||
ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
|
||
* Return the plaintext data more quickly on unpadded CBC decryption, as
|
||
stated in the mbedtls_cipher_update() documentation. Contributed by
|
||
Andy Leiserson.
|
||
* Fix overriding and ignoring return values when parsing and writing to
|
||
a file in pk_sign program. Found by kevlut in #1142.
|
||
* Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
|
||
where data needs to be fetched from the underlying transport in order
|
||
to make progress. Previously, this error code was also occasionally
|
||
returned when unexpected messages were being discarded, ignoring that
|
||
further messages could potentially already be pending to be processed
|
||
in the internal buffers; these cases led to deadlocks when event-driven
|
||
I/O was used. Found and reported by Hubert Mis in #772.
|
||
* Fix buffer length assertions in the ssl_parse_certificate_request()
|
||
function which leads to a potential one byte overread of the message
|
||
buffer.
|
||
* Fix invalid buffer sizes passed to zlib during record compression and
|
||
decompression.
|
||
* Fix the soversion of libmbedcrypto to match the soversion of the
|
||
maintained 2.7 branch. The soversion was increased in Mbed TLS
|
||
version 2.7.1 to reflect breaking changes in that release, but the
|
||
increment was missed in 2.8.0 and later releases outside of the 2.7 branch.
|
||
|
||
Changes
|
||
* Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
|
||
* Support cmake builds where Mbed TLS is a subproject. Fix contributed
|
||
independently by Matthieu Volat and Arne Schwabe.
|
||
* Improve testing in configurations that omit certain hashes or
|
||
public-key algorithms. Includes contributions by Gert van Dijk.
|
||
* Improve negative testing of X.509 parsing.
|
||
* Do not define global mutexes around readdir() and gmtime() in
|
||
configurations where the feature is disabled. Found and fixed by Gergely
|
||
Budai.
|
||
* Harden the function mbedtls_ssl_config_free() against misuse, so that it
|
||
doesn't leak memory if the user doesn't use mbedtls_ssl_conf_psk() and
|
||
instead incorrectly manipulates the configuration structure directly.
|
||
Found and fix submitted by junyeonLEE in #1220.
|
||
* Provide an empty implementation of mbedtls_pkcs5_pbes2() when
|
||
MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
|
||
without PBES2. Fixed by Marcos Del Sol Vives.
|
||
* Add the order of the base point as N in the mbedtls_ecp_group structure
|
||
for Curve25519 (other curves had it already). Contributed by Nicholas
|
||
Wilson #481
|
||
* Improve the documentation of mbedtls_net_accept(). Contributed by Ivan
|
||
Krylov.
|
||
* Improve the documentation of mbedtls_ssl_write(). Suggested by
|
||
Paul Sokolovsky in #1356.
|
||
* Add an option in the Makefile to support ar utilities where the operation
|
||
letter must not be prefixed by '-', such as LLVM. Found and fixed by
|
||
Alex Hixon.
|
||
* Allow configuring the shared library extension by setting the DLEXT
|
||
environment variable when using the project makefiles.
|
||
* Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
|
||
by Alexey Skalozub in #405.
|
||
* In the SSL module, when f_send, f_recv or f_recv_timeout report
|
||
transmitting more than the required length, return an error. Raised by
|
||
Sam O'Connor in #1245.
|
||
* Improve robustness of mbedtls_ssl_derive_keys against the use of
|
||
HMAC functions with non-HMAC ciphersuites. Independently contributed
|
||
by Jiayuan Chen in #1377. Fixes #1437.
|
||
* Improve security of RSA key generation by including criteria from
|
||
FIPS 186-4. Contributed by Jethro Beekman. #1380
|
||
* Declare functions in header files even when an alternative implementation
|
||
of the corresponding module is activated by defining the corresponding
|
||
MBEDTLS_XXX_ALT macro. This means that alternative implementations do
|
||
not need to copy the declarations, and ensures that they will have the
|
||
same API.
|
||
* Add platform setup and teardown calls in test suites.
|
||
|
||
= mbed TLS 2.8.0 branch released 2018-03-16
|
||
|
||
Default behavior changes
|
||
* The truncated HMAC extension now conforms to RFC 6066. This means
|
||
that when both sides of a TLS connection negotiate the truncated
|
||
HMAC extension, Mbed TLS can now interoperate with other
|
||
compliant implementations, but this breaks interoperability with
|
||
prior versions of Mbed TLS. To restore the old behavior, enable
|
||
the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
|
||
config.h. Found by Andreas Walz (ivESK, Offenburg University of
|
||
Applied Sciences).
|
||
|
||
Security
|
||
* Fix implementation of the truncated HMAC extension. The previous
|
||
implementation allowed an offline 2^80 brute force attack on the
|
||
HMAC key of a single, uninterrupted connection (with no
|
||
resumption of the session).
|
||
* Verify results of RSA private key operations to defend
|
||
against Bellcore glitch attack.
|
||
* Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
|
||
a crash on invalid input.
|
||
* Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a
|
||
crash on invalid input.
|
||
* Fix CRL parsing to reject CRLs containing unsupported critical
|
||
extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
|
||
|
||
Features
|
||
* Extend PKCS#8 interface by introducing support for the entire SHA
|
||
algorithms family when encrypting private keys using PKCS#5 v2.0.
|
||
This allows reading encrypted PEM files produced by software that
|
||
uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
|
||
OpenVPN Inc. Fixes #1339
|
||
* Add support for public keys encoded in PKCS#1 format. #1122
|
||
|
||
New deprecations
|
||
* Deprecate support for record compression (configuration option
|
||
MBEDTLS_ZLIB_SUPPORT).
|
||
|
||
Bugfix
|
||
* Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
|
||
Fixes #1358.
|
||
* Fix test_suite_pk to work on 64-bit ILP32 systems. #849
|
||
* Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
|
||
with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
|
||
In the context of SSL, this resulted in handshake failure. Reported by
|
||
daniel in the Mbed TLS forum. #1351
|
||
* Fix Windows x64 builds with the included mbedTLS.sln file. #1347
|
||
* Fix setting version TLSv1 as minimal version, even if TLS 1
|
||
is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
|
||
and MBEDTLS_SSL_MIN_MINOR_VERSION instead of
|
||
MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
|
||
* Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
|
||
only if __MINGW32__ not defined. Fix suggested by Thomas Glanzmann and
|
||
Nick Wilson on issue #355
|
||
* In test_suite_pk, pass valid parameters when testing for hash length
|
||
overflow. #1179
|
||
* Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
|
||
by Guido Vranken. #639
|
||
* Log correct number of ciphersuites used in Client Hello message. #918
|
||
* Fix X509 CRT parsing that would potentially accept an invalid tag when
|
||
parsing the subject alternative names.
|
||
* Fix a possible arithmetic overflow in ssl_parse_server_key_exchange()
|
||
that could cause a key exchange to fail on valid data.
|
||
* Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that
|
||
could cause a key exchange to fail on valid data.
|
||
* Don't define mbedtls_aes_decrypt and mbedtls_aes_encrypt under
|
||
MBEDTLS_DEPRECATED_REMOVED. #1388
|
||
* Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
|
||
Found through fuzz testing.
|
||
|
||
Changes
|
||
* Fix tag lengths and value ranges in the documentation of CCM encryption.
|
||
Contributed by Mathieu Briand.
|
||
* Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
|
||
* Remove support for the library reference configuration for picocoin.
|
||
* MD functions deprecated in 2.7.0 are no longer inline, to provide
|
||
a migration path for those depending on the library's ABI.
|
||
* Clarify the documentation of mbedtls_ssl_setup.
|
||
* Use (void) when defining functions with no parameters. Contributed by
|
||
Joris Aerts. #678
|
||
|
||
= mbed TLS 2.7.0 branch released 2018-02-03
|
||
|
||
Security
|
||
* Fix a heap corruption issue in the implementation of the truncated HMAC
|
||
extension. When the truncated HMAC extension is enabled and CBC is used,
|
||
sending a malicious application packet could be used to selectively corrupt
|
||
6 bytes on the peer's heap, which could potentially lead to crash or remote
|
||
code execution. The issue could be triggered remotely from either side in
|
||
both TLS and DTLS. CVE-2018-0488
|
||
* Fix a buffer overflow in RSA-PSS verification when the hash was too large
|
||
for the key size, which could potentially lead to crash or remote code
|
||
execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
|
||
Qualcomm Technologies Inc. CVE-2018-0487
|
||
* Fix buffer overflow in RSA-PSS verification when the unmasked data is all
|
||
zeros.
|
||
* Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
|
||
64 KiB to the address of the SSL buffer and causing a wrap around.
|
||
* Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
|
||
default enabled) maximum fragment length extension is disabled in the
|
||
config and the application data buffer passed to mbedtls_ssl_write
|
||
is larger than the internal message buffer (16384 bytes by default), the
|
||
latter overflows. The exploitability of this issue depends on whether the
|
||
application layer can be forced into sending such large packets. The issue
|
||
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
|
||
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
|
||
Fixes #707.
|
||
* Add a provision to prevent compiler optimizations breaking the time
|
||
constancy of mbedtls_ssl_safer_memcmp().
|
||
* Ensure that buffers are cleared after use if they contain sensitive data.
|
||
Changes were introduced in multiple places in the library.
|
||
* Set PEM buffer to zero before freeing it, to avoid decoded private keys
|
||
being leaked to memory after release.
|
||
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
|
||
leaking 1 bit of the private key. Reported by prashantkspatil.
|
||
* Make mbedtls_mpi_read_binary() constant-time with respect to the input
|
||
data. Previously, trailing zero bytes were detected and omitted for the
|
||
sake of saving memory, but potentially leading to slight timing
|
||
differences. Reported by Marco Macchetti, Kudelski Group.
|
||
* Wipe stack buffer temporarily holding EC private exponent
|
||
after keypair generation.
|
||
* Fix a potential heap buffer over-read in ALPN extension parsing
|
||
(server-side). Could result in application crash, but only if an ALPN
|
||
name larger than 16 bytes had been configured on the server.
|
||
* Change default choice of DHE parameters from untrustworthy RFC 5114
|
||
to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
|
||
manner.
|
||
|
||
Features
|
||
* Allow comments in test data files.
|
||
* The selftest program can execute a subset of the tests based on command
|
||
line arguments.
|
||
* New unit tests for timing. Improve the self-test to be more robust
|
||
when run on a heavily-loaded machine.
|
||
* Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT,
|
||
MBEDTLS_CMAC_ALT). Submitted by Steven Cooreman, Silicon Labs.
|
||
* Add support for alternative implementations of GCM, selected by the
|
||
configuration flag MBEDTLS_GCM_ALT.
|
||
* Add support for alternative implementations for ECDSA, controlled by new
|
||
configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and
|
||
MBEDTLS_ECDSDA_GENKEY_AT in config.h.
|
||
The following functions from the ECDSA module can be replaced
|
||
with alternative implementation:
|
||
mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey().
|
||
* Add support for alternative implementation of ECDH, controlled by the
|
||
new configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and
|
||
MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
|
||
The following functions from the ECDH module can be replaced
|
||
with an alternative implementation:
|
||
mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
|
||
* Add support for alternative implementation of ECJPAKE, controlled by
|
||
the new configuration flag MBEDTLS_ECJPAKE_ALT.
|
||
* Add mechanism to provide alternative implementation of the DHM module.
|
||
|
||
API Changes
|
||
* Extend RSA interface by multiple functions allowing structure-
|
||
independent setup and export of RSA contexts. Most notably,
|
||
mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
|
||
up RSA contexts from partial key material and having them completed to the
|
||
needs of the implementation automatically. This allows to setup private RSA
|
||
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
|
||
purpose or CRT and/or blinding.
|
||
* The configuration option MBEDTLS_RSA_ALT can be used to define alternative
|
||
implementations of the RSA interface declared in rsa.h.
|
||
* The following functions in the message digest modules (MD2, MD4, MD5,
|
||
SHA1, SHA256, SHA512) have been deprecated and replaced as shown below.
|
||
The new functions change the return type from void to int to allow
|
||
returning error codes when using MBEDTLS_<MODULE>_ALT.
|
||
mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
|
||
mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
|
||
mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
|
||
mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
|
||
|
||
New deprecations
|
||
* Deprecate usage of RSA primitives with non-matching key-type
|
||
(e.g. signing with a public key).
|
||
* Direct manipulation of structure fields of RSA contexts is deprecated.
|
||
Users are advised to use the extended RSA API instead.
|
||
* Deprecate usage of message digest functions that return void
|
||
(mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update,
|
||
mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is
|
||
any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions
|
||
that can return an error code.
|
||
* Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by
|
||
parameters from RFC 3526 or the newly added parameters from RFC 7919.
|
||
* Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc.
|
||
Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
|
||
etc.
|
||
* Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
|
||
from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin()
|
||
accepting DHM parameters in binary form, matching the new constants.
|
||
|
||
Bugfix
|
||
* Fix ssl_parse_record_header() to silently discard invalid DTLS records
|
||
as recommended in RFC 6347 Section 4.1.2.7.
|
||
* Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
|
||
Found by projectgus and Jethro Beekman, #836.
|
||
* Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
|
||
* Parse signature algorithm extension when renegotiating. Previously,
|
||
renegotiated handshakes would only accept signatures using SHA-1
|
||
regardless of the peer's preferences, or fail if SHA-1 was disabled.
|
||
* Fix leap year calculation in x509_date_is_valid() to ensure that invalid
|
||
dates on leap years with 100 and 400 intervals are handled correctly. Found
|
||
by Nicholas Wilson. #694
|
||
* Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
|
||
accepted. Generating these signatures required the private key.
|
||
* Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
|
||
Found independently by Florian in the mbed TLS forum and by Mishamax.
|
||
#878, #1019.
|
||
* Fix variable used before assignment compilation warnings with IAR
|
||
toolchain. Found by gkerrien38.
|
||
* Fix unchecked return codes from AES, DES and 3DES functions in
|
||
pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively.
|
||
If a call to one of the functions of the cryptographic primitive modules
|
||
failed, the error may not be noticed by the function
|
||
mbedtls_pem_read_buffer() causing it to return invalid values. Found by
|
||
Guido Vranken. #756
|
||
* Include configuration file in md.h, to fix compilation warnings.
|
||
Reported by aaronmdjones in #1001
|
||
* Correct extraction of signature-type from PK instance in X.509 CRT and CSR
|
||
writing routines that prevented these functions to work with alternative
|
||
RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes #1011.
|
||
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
|
||
non-v3 CRT's.
|
||
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
|
||
* Fix net_would_block() to avoid modification by errno through fcntl() call.
|
||
Found by nkolban. Fixes #845.
|
||
* Fix handling of handshake messages in mbedtls_ssl_read() in case
|
||
MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
|
||
* Add a check for invalid private parameters in mbedtls_ecdsa_sign().
|
||
Reported by Yolan Romailler.
|
||
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
|
||
* Fix incorrect unit in benchmark output. #850
|
||
* Add size-checks for record and handshake message content, securing
|
||
fragile yet non-exploitable code-paths.
|
||
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
|
||
MilenkoMitrovic, #1104
|
||
* Fix mbedtls_timing_alarm(0) on Unix and MinGW.
|
||
* Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
|
||
* Fix possible memory leaks in mbedtls_gcm_self_test().
|
||
* Added missing return code checks in mbedtls_aes_self_test().
|
||
* Fix issues in RSA key generation program programs/x509/rsa_genkey and the
|
||
RSA test suite where the failure of CTR DRBG initialization lead to
|
||
freeing an RSA context and several MPI's without proper initialization
|
||
beforehand.
|
||
* Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
|
||
* Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
|
||
Found and fixed by Martijn de Milliano.
|
||
* Fix an issue in the cipher decryption with the mode
|
||
MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
|
||
Note, this padding mode is not used by the TLS protocol. Found and fixed by
|
||
Micha Kraus.
|
||
* Fix the entropy.c module to not call mbedtls_sha256_starts() or
|
||
mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
|
||
* Fix the entropy.c module to ensure that mbedtls_sha256_init() or
|
||
mbedtls_sha512_init() is called before operating on the relevant context
|
||
structure. Do not assume that zeroizing a context is a correct way to
|
||
reset it. Found independently by ccli8 on Github.
|
||
* In mbedtls_entropy_free(), properly free the message digest context.
|
||
* Fix status handshake status message in programs/ssl/dtls_client.c. Found
|
||
and fixed by muddog.
|
||
|
||
Changes
|
||
* Extend cert_write example program by options to set the certificate version
|
||
and the message digest. Further, allow enabling/disabling of authority
|
||
identifier, subject identifier and basic constraints extensions.
|
||
* Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
|
||
particular, don't require P,Q if neither CRT nor blinding are
|
||
used. Reported and fix proposed independently by satur9nine and sliai
|
||
on GitHub.
|
||
* Only run AES-192 self-test if AES-192 is available. Fixes #963.
|
||
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
|
||
undeclared dependency of the RSA module on the ASN.1 module.
|
||
* Update all internal usage of deprecated message digest functions to the
|
||
new ones with return codes. In particular, this modifies the
|
||
mbedtls_md_info_t structure. Propagate errors from these functions
|
||
everywhere except some locations in the ssl_tls.c module.
|
||
* Improve CTR_DRBG error handling by propagating underlying AES errors.
|
||
* Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
|
||
modules where the software implementation can be replaced by a hardware
|
||
implementation.
|
||
* Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
|
||
throughout the library.
|
||
|
||
= mbed TLS 2.6.0 branch released 2017-08-10
|
||
|
||
Security
|
||
* Fix authentication bypass in SSL/TLS: when authmode is set to optional,
|
||
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
|
||
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
|
||
(default: 8) intermediates, even when it was not trusted. This could be
|
||
triggered remotely from either side. (With authmode set to 'required'
|
||
(the default), the handshake was correctly aborted).
|
||
* Reliably wipe sensitive data after use in the AES example applications
|
||
programs/aes/aescrypt2 and programs/aes/crypt_and_hash.
|
||
Found by Laurent Simon.
|
||
|
||
Features
|
||
* Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
|
||
and the context struct mbedtls_platform_context to perform
|
||
platform-specific setup and teardown operations. The macro
|
||
MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden
|
||
by the user in a platform_alt.h file. These new functions are required in
|
||
some embedded environments to provide a means of initialising underlying
|
||
cryptographic acceleration hardware.
|
||
|
||
API Changes
|
||
* Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
|
||
API consistent with mbed TLS 2.5.0. Specifically removed the inline
|
||
qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt,
|
||
mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. Found
|
||
by James Cowgill. #978
|
||
* Certificate verification functions now set flags to -1 in case the full
|
||
chain was not verified due to an internal error (including in the verify
|
||
callback) or chain length limitations.
|
||
* With authmode set to optional, the TLS handshake is now aborted if the
|
||
verification of the peer's certificate failed due to an overlong chain or
|
||
a fatal error in the verify callback.
|
||
|
||
Bugfix
|
||
* Add a check if iv_len is zero in GCM, and return an error if it is zero.
|
||
Reported by roberto. #716
|
||
* Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD)
|
||
to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
|
||
always be implemented by pthread support. #696
|
||
* Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
|
||
in the case of an error. Found by redplait. #590
|
||
* Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
|
||
Reported and fix suggested by guidovranken. #740
|
||
* Fix conditional preprocessor directives in bignum.h to enable 64-bit
|
||
compilation when using ARM Compiler 6.
|
||
* Fix a potential integer overflow in the version verification for DER
|
||
encoded X.509 CRLs. The overflow could enable maliciously constructed CRLs
|
||
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
|
||
KNOX Security, Samsung Research America
|
||
* Fix potential integer overflow in the version verification for DER
|
||
encoded X.509 CSRs. The overflow could enable maliciously constructed CSRs
|
||
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
|
||
KNOX Security, Samsung Research America
|
||
* Fix a potential integer overflow in the version verification for DER
|
||
encoded X.509 certificates. The overflow could enable maliciously
|
||
constructed certificates to bypass the certificate verification check.
|
||
* Fix a call to the libc function time() to call the platform abstraction
|
||
function mbedtls_time() instead. Found by wairua. #666
|
||
* Avoid shadowing of time and index functions through mbed TLS function
|
||
arguments. Found by inestlerode. #557.
|
||
|
||
Changes
|
||
* Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
|
||
64-bit division. This is useful on embedded platforms where 64-bit division
|
||
created a dependency on external libraries. #708
|
||
* Removed mutexes from ECP hardware accelerator code. Now all hardware
|
||
accelerator code in the library leaves concurrency handling to the
|
||
platform. Reported by Steven Cooreman. #863
|
||
* Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file
|
||
config-no-entropy.h to reduce the RAM footprint.
|
||
* Added a test script that can be hooked into git that verifies commits
|
||
before they are pushed.
|
||
* Improve documentation of PKCS1 decryption functions.
|
||
|
||
= mbed TLS 2.5.1 released 2017-06-21
|
||
|
||
Security
|
||
* Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
|
||
The issue could only happen client-side with renegotiation enabled.
|
||
Could result in DoS (application crash) or information leak
|
||
(if the application layer sent data read from mbedtls_ssl_read()
|
||
back to the server or to a third party). Can be triggered remotely.
|
||
* Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
|
||
certificate verification. SHA-1 can be turned back on with a compile-time
|
||
option if needed.
|
||
* Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
|
||
detect it sometimes. Reported by Hugo Leisink. #810
|
||
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
|
||
potential Bleichenbacher/BERserk-style attack.
|
||
|
||
Bugfix
|
||
* Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not
|
||
valid C and they prevented the test from compiling in Visual Studio 2015
|
||
and with GCC using the -Wpedantic compilation option.
|
||
* Fix insufficient support for signature-hash-algorithm extension,
|
||
resulting in compatibility problems with Chrome. Found by hfloyrd. #823
|
||
* Fix behaviour that hid the original cause of fatal alerts in some cases
|
||
when sending the alert failed. The fix makes sure not to hide the error
|
||
that triggered the alert.
|
||
* Fix SSLv3 renegotiation behaviour and stop processing data received from
|
||
peer after sending a fatal alert to refuse a renegotiation attempt.
|
||
Previous behaviour was to keep processing data even after the alert has
|
||
been sent.
|
||
* Accept empty trusted CA chain in authentication mode
|
||
MBEDTLS_SSL_VERIFY_OPTIONAL. Found by Jethro Beekman. #864
|
||
* Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
|
||
fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
|
||
reflect bad EC curves within verification result.
|
||
* Fix bug that caused the modular inversion function to accept the invalid
|
||
modulus 1 and therefore to hang. Found by blaufish. #641.
|
||
* Fix incorrect sign computation in modular exponentiation when the base is
|
||
a negative MPI. Previously the result was always negative. Found by Guido
|
||
Vranken.
|
||
* Fix a numerical underflow leading to stack overflow in mpi_read_file()
|
||
that was triggered uppon reading an empty line. Found by Guido Vranken.
|
||
|
||
Changes
|
||
* Send fatal alerts in more cases. The previous behaviour was to skip
|
||
sending the fatal alert and just drop the connection.
|
||
* Clarify ECDSA documentation and improve the sample code to avoid
|
||
misunderstanding and potentially dangerous use of the API. Pointed out
|
||
by Jean-Philippe Aumasson.
|
||
|
||
= mbed TLS 2.5.0 branch released 2017-05-17
|
||
|
||
Security
|
||
* Wipe stack buffers in RSA private key operations
|
||
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent
|
||
Simon.
|
||
* Add exponent blinding to RSA private operations as a countermeasure
|
||
against side-channel attacks like the cache attack described in
|
||
https://arxiv.org/abs/1702.08719v2.
|
||
Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
|
||
Clémentine Maurice and Stefan Mangard.
|
||
|
||
Features
|
||
* Add hardware acceleration support for the Elliptic Curve Point module.
|
||
This involved exposing parts of the internal interface to enable
|
||
replacing the core functions and adding and alternative, module level
|
||
replacement support for enabling the extension of the interface.
|
||
* Add a new configuration option to 'mbedtls_ssl_config' to enable
|
||
suppressing the CA list in Certificate Request messages. The default
|
||
behaviour has not changed, namely every configured CAs name is included.
|
||
|
||
API Changes
|
||
* The following functions in the AES module have been deprecated and replaced
|
||
by the functions shown below. The new functions change the return type from
|
||
void to int to allow returning error codes when using MBEDTLS_AES_ALT,
|
||
MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT.
|
||
mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
|
||
mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
|
||
|
||
Bugfix
|
||
* Remove macros from compat-1.3.h that correspond to deleted items from most
|
||
recent versions of the library. Found by Kyle Keen.
|
||
* Fixed issue in the Threading module that prevented mutexes from
|
||
initialising. Found by sznaider. #667 #843
|
||
* Add checks in the PK module for the RSA functions on 64-bit systems.
|
||
The PK and RSA modules use different types for passing hash length and
|
||
without these checks the type cast could lead to data loss. Found by Guido
|
||
Vranken.
|
||
|
||
= mbed TLS 2.4.2 branch released 2017-03-08
|
||
|
||
Security
|
||
* Add checks to prevent signature forgeries for very large messages while
|
||
using RSA through the PK module in 64-bit systems. The issue was caused by
|
||
some data loss when casting a size_t to an unsigned int value in the
|
||
functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
|
||
mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
|
||
* Fixed potential livelock during the parsing of a CRL in PEM format in
|
||
mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
|
||
characters after the footer could result in the execution of an infinite
|
||
loop. The issue can be triggered remotely. Found by Greg Zaverucha,
|
||
Microsoft.
|
||
* Removed MD5 from the allowed hash algorithms for CertificateRequest and
|
||
CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
|
||
Introduced by interoperability fix for #513.
|
||
* Fixed a bug that caused freeing a buffer that was allocated on the stack,
|
||
when verifying the validity of a key on secp224k1. This could be
|
||
triggered remotely for example with a maliciously constructed certificate
|
||
and potentially could lead to remote code execution on some platforms.
|
||
Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
|
||
team. #569 CVE-2017-2784
|
||
|
||
Bugfix
|
||
* Fix output certificate verification flags set by x509_crt_verify_top() when
|
||
traversing a chain of trusted CA. The issue would cause both flags,
|
||
MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
|
||
set when the verification conditions are not met regardless of the cause.
|
||
Found by Harm Verhagen and inestlerode. #665 #561
|
||
* Fix the redefinition of macro ssl_set_bio to an undefined symbol
|
||
mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
|
||
Found by omlib-lin. #673
|
||
* Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
|
||
x509_csr.c that are reported when building mbed TLS with a config.h that
|
||
does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
|
||
* Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
|
||
would compare 64 bits of the record counter instead of 48 bits as indicated
|
||
in RFC 6347 Section 4.3.1. This could cause the execution of the
|
||
renegotiation routines at unexpected times when the protocol is DTLS. Found
|
||
by wariua. #687
|
||
* Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
|
||
the input string in PEM format to extract the different components. Found
|
||
by Eyal Itkin.
|
||
* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
|
||
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
||
* Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
|
||
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
||
* Fixed potential arithmetic overflow in mbedtls_md2_update() that could
|
||
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
||
* Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
|
||
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
|
||
* Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
|
||
Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
|
||
* Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
|
||
by missing calls to mbedtls_pem_free() in cases when a
|
||
MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
|
||
fix proposed by Guido Vranken. #722
|
||
* Fixed the templates used to generate project and solution files for Visual
|
||
Studio 2015 as well as the files themselves, to remove a build warning
|
||
generated in Visual Studio 2015. Reported by Steve Valliere. #742
|
||
* Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
|
||
Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
|
||
* Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
|
||
number to write in hexadecimal is negative and requires an odd number of
|
||
digits. Found and fixed by Guido Vranken.
|
||
* Fix unlisted DES configuration dependency in some pkparse test cases. Found
|
||
by inestlerode. #555
|
||
|
||
= mbed TLS 2.4.1 branch released 2016-12-13
|
||
|
||
Changes
|
||
* Update to CMAC test data, taken from - NIST Special Publication 800-38B -
|
||
Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
|
||
Authentication – October 2016
|
||
|
||
= mbed TLS 2.4.0 branch released 2016-10-17
|
||
|
||
Security
|
||
* Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
|
||
with RFC-5116 and could lead to session key recovery in very long TLS
|
||
sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
|
||
TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
|
||
https://eprint.iacr.org/2016/475.pdf
|
||
* Fixed potential stack corruption in mbedtls_x509write_crt_der() and
|
||
mbedtls_x509write_csr_der() when the signature is copied to the buffer
|
||
without checking whether there is enough space in the destination. The
|
||
issue cannot be triggered remotely. Found by Jethro Beekman.
|
||
|
||
Features
|
||
* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
|
||
NIST SP 800-38B, RFC-4493 and RFC-4615.
|
||
* Added hardware entropy selftest to verify that the hardware entropy source
|
||
is functioning correctly.
|
||
* Added a script to print build environment info for diagnostic use in test
|
||
scripts, which is also now called by all.sh.
|
||
* Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
|
||
configure the maximum length of a file path that can be buffered when
|
||
calling mbedtls_x509_crt_parse_path().
|
||
* Added a configuration file config-no-entropy.h that configures the subset of
|
||
library features that do not require an entropy source.
|
||
* Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
|
||
to configure the minimum number of bytes for entropy sources using the
|
||
mbedtls_hardware_poll() function.
|
||
|
||
Bugfix
|
||
* Fix for platform time abstraction to avoid dependency issues where a build
|
||
may need time but not the standard C library abstraction, and added
|
||
configuration consistency checks to check_config.h
|
||
* Fix dependency issue in Makefile to allow parallel builds.
|
||
* Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
|
||
when GCM is used. Found by udf2457. #441
|
||
* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
|
||
enabled unless others were also present. Found by David Fernandez. #428
|
||
* Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
|
||
a contribution from Tobias Tangemann. #541
|
||
* Fixed cert_app.c sample program for debug output and for use when no root
|
||
certificates are provided.
|
||
* Fix conditional statement that would cause a 1 byte overread in
|
||
mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
|
||
* Fixed pthread implementation to avoid unintended double initialisations
|
||
and double frees. Found by Niklas Amnebratt.
|
||
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
|
||
builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
|
||
by inestlerode. #559.
|
||
* Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
|
||
data structure until after error checks are successful. Found by
|
||
subramanyam-c. #622
|
||
* Fix documentation and implementation missmatch for function arguments of
|
||
mbedtls_gcm_finish(). Found by cmiatpaar. #602
|
||
* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
|
||
* Fix potential byte overread when verifying malformed SERVER_HELLO in
|
||
ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
|
||
* Fix check for validity of date when parsing in mbedtls_x509_get_time().
|
||
Found by subramanyam-c. #626
|
||
* Fix compatibility issue with Internet Explorer client authentication,
|
||
where the limited hash choices prevented the client from sending its
|
||
certificate. Found by teumas. #513
|
||
* Fix compilation without MBEDTLS_SELF_TEST enabled.
|
||
|
||
Changes
|
||
* Extended test coverage of special cases, and added new timing test suite.
|
||
* Removed self-tests from the basic-built-test.sh script, and added all
|
||
missing self-tests to the test suites, to ensure self-tests are only
|
||
executed once.
|
||
* Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
|
||
* Added support for a Yotta specific configuration file -
|
||
through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
|
||
* Added optimization for code space for X.509/OID based on configured
|
||
features. Contributed by Aviv Palivoda.
|
||
* Renamed source file library/net.c to library/net_sockets.c to avoid
|
||
naming collision in projects which also have files with the common name
|
||
net.c. For consistency, the corresponding header file, net.h, is marked as
|
||
deprecated, and its contents moved to net_sockets.h.
|
||
* Changed the strategy for X.509 certificate parsing and validation, to no
|
||
longer disregard certificates with unrecognised fields.
|
||
|
||
= mbed TLS 2.3.0 branch released 2016-06-28
|
||
|
||
Security
|
||
* Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
|
||
required by PKCS1 v2.2
|
||
* Fix potential integer overflow to buffer overflow in
|
||
mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
|
||
(not triggerable remotely in (D)TLS).
|
||
* Fix a potential integer underflow to buffer overread in
|
||
mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
|
||
SSL/TLS.
|
||
|
||
Features
|
||
* Support for platform abstraction of the standard C library time()
|
||
function.
|
||
|
||
Bugfix
|
||
* Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
|
||
arguments where the same (in-place doubling). Found and fixed by Janos
|
||
Follath. #309
|
||
* Fix potential build failures related to the 'apidoc' target, introduced
|
||
in the previous patch release. Found by Robert Scheck. #390 #391
|
||
* Fix issue in Makefile that prevented building using armar. #386
|
||
* Fix memory leak that occurred only when ECJPAKE was enabled and ECDHE and
|
||
ECDSA was disabled in config.h . The leak didn't occur by default.
|
||
* Fix an issue that caused valid certificates to be rejected whenever an
|
||
expired or not yet valid certificate was parsed before a valid certificate
|
||
in the trusted certificate list.
|
||
* Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
|
||
buffer after DER certificates to be included in the raw representation.
|
||
* Fix issue that caused a hang when generating RSA keys of odd bitlength
|
||
* Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
|
||
dereference possible.
|
||
* Fix issue that caused a crash if invalid curves were passed to
|
||
mbedtls_ssl_conf_curves. #373
|
||
* Fix issue in ssl_fork_server which was preventing it from functioning. #429
|
||
* Fix memory leaks in test framework
|
||
* Fix test in ssl-opt.sh that does not run properly with valgrind
|
||
* Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
|
||
|
||
Changes
|
||
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
|
||
don't use the optimized assembly for bignum multiplication. This removes
|
||
the need to pass -fomit-frame-pointer to avoid a build error with -O0.
|
||
* Disabled SSLv3 in the default configuration.
|
||
* Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
|
||
Skalozub).
|
||
* Fix non-compliance server extension handling. Extensions for SSLv3 are now
|
||
ignored, as required by RFC6101.
|
||
|
||
= mbed TLS 2.2.1 released 2016-01-05
|
||
|
||
Security
|
||
* Fix potential double free when mbedtls_asn1_store_named_data() fails to
|
||
allocate memory. Only used for certificate generation, not triggerable
|
||
remotely in SSL/TLS. Found by Rafał Przywara. #367
|
||
* Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
|
||
SLOTH attack on TLS 1.2 server authentication (other attacks from the
|
||
SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
|
||
https://www.mitls.org/pages/attacks/SLOTH
|
||
|
||
Bugfix
|
||
* Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
|
||
* Fix bug in certificate validation that caused valid chains to be rejected
|
||
when the first intermediate certificate has pathLenConstraint=0. Found by
|
||
Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
|
||
* Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
|
||
JayaraghavendranK. #372
|
||
* Fix suboptimal handling of unexpected records that caused interop issues
|
||
with some peers over unreliable links. Avoid dropping an entire DTLS
|
||
datagram if a single record in a datagram is unexpected, instead only
|
||
drop the record and look at subsequent records (if any are present) in
|
||
the same datagram. Found by jeannotlapin. #345
|
||
|
||
= mbed TLS 2.2.0 released 2015-11-04
|
||
|
||
Security
|
||
* Fix potential double free if mbedtls_ssl_conf_psk() is called more than
|
||
once and some allocation fails. Cannot be forced remotely. Found by Guido
|
||
Vranken, Intelworks.
|
||
* Fix potential heap corruption on Windows when
|
||
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
|
||
triggered remotely. Found by Guido Vranken, Intelworks.
|
||
* Fix potential buffer overflow in some asn1_write_xxx() functions.
|
||
Cannot be triggered remotely unless you create X.509 certificates based
|
||
on untrusted input or write keys of untrusted origin. Found by Guido
|
||
Vranken, Intelworks.
|
||
* The X509 max_pathlen constraint was not enforced on intermediate
|
||
certificates. Found by Nicholas Wilson, fix and tests provided by
|
||
Janos Follath. #280 and #319
|
||
|
||
Features
|
||
* Experimental support for EC J-PAKE as defined in Thread 1.0.0.
|
||
Disabled by default as the specification might still change.
|
||
* Added a key extraction callback to accees the master secret and key
|
||
block. (Potential uses include EAP-TLS and Thread.)
|
||
|
||
Bugfix
|
||
* Self-signed certificates were not excluded from pathlen counting,
|
||
resulting in some valid X.509 being incorrectly rejected. Found and fix
|
||
provided by Janos Follath. #319
|
||
* Fix build error with configurations where ECDHE-PSK is the only key
|
||
exchange. Found and fix provided by Chris Hammond. #270
|
||
* Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
|
||
ECHD-ECDSA if the only key exchange. Multiple reports. #310
|
||
* Fixed a bug causing some handshakes to fail due to some non-fatal alerts
|
||
not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
|
||
* mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and
|
||
size/curve against the profile. Before that, there was no way to set a
|
||
minimum key size for end-entity certificates with RSA keys. Found by
|
||
Matthew Page of Scannex Electronics Ltd.
|
||
* Fix failures in MPI on Sparc(64) due to use of bad assembly code.
|
||
Found by Kurt Danielson. #292
|
||
* Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
|
||
* Fix bug in ASN.1 encoding of booleans that caused generated CA
|
||
certificates to be rejected by some applications, including OS X
|
||
Keychain. Found and fixed by Jonathan Leroy, Inikup.
|
||
|
||
Changes
|
||
* Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
|
||
or -1.
|
||
|
||
= mbed TLS 2.1.2 released 2015-10-06
|
||
|
||
Security
|
||
* Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
|
||
overflow of the hostname or session ticket. Found by Guido Vranken,
|
||
Intelworks.
|
||
* Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
|
||
once in the same handhake and mbedtls_ssl_conf_psk() was used.
|
||
Found and patch provided by Guido Vranken, Intelworks. Cannot be forced
|
||
remotely.
|
||
* Fix stack buffer overflow in pkcs12 decryption (used by
|
||
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
|
||
Found by Guido Vranken, Intelworks. Not triggerable remotely.
|
||
* Fix potential buffer overflow in mbedtls_mpi_read_string().
|
||
Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
|
||
of TLS, but might be in other uses. On 32 bit machines, requires reading a
|
||
string of close to or larger than 1GB to exploit; on 64 bit machines, would
|
||
require reading a string of close to or larger than 2^62 bytes.
|
||
* Fix potential random memory allocation in mbedtls_pem_read_buffer()
|
||
on crafted PEM input data. Found and fix provided by Guido Vranken,
|
||
Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
|
||
accept PEM data from an untrusted source.
|
||
* Fix possible heap buffer overflow in base64_encoded() when the input
|
||
buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
|
||
Intelworks. Not trigerrable remotely in TLS.
|
||
* Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
|
||
the same mbedtls_ssl_config object and memory allocation fails. Found by
|
||
Guido Vranken, Intelworks. Cannot be forced remotely.
|
||
* Fix potential heap buffer overflow in servers that perform client
|
||
authentication against a crafted CA cert. Cannot be triggered remotely
|
||
unless you allow third parties to pick trust CAs for client auth.
|
||
Found by Guido Vranken, Intelworks.
|
||
|
||
Bugfix
|
||
* Fix compile error in net.c with musl libc. Found and patch provided by
|
||
zhasha (#278).
|
||
* Fix macroization of 'inline' keyword when building as C++. (#279)
|
||
|
||
Changes
|
||
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
|
||
domain names are compliant with RFC 1035.
|
||
* Fixed paths for check_config.h in example config files. (Found by bachp)
|
||
(#291)
|
||
|
||
= mbed TLS 2.1.1 released 2015-09-17
|
||
|
||
Security
|
||
* Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
|
||
signatures. (Found by Florian Weimer, Red Hat.)
|
||
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
|
||
* Fix possible client-side NULL pointer dereference (read) when the client
|
||
tries to continue the handshake after it failed (a misuse of the API).
|
||
(Found and patch provided by Fabian Foerg, Gotham Digital Science using
|
||
afl-fuzz.)
|
||
|
||
Bugfix
|
||
* Fix warning when using a 64bit platform. (found by embedthis) (#275)
|
||
* Fix off-by-one error in parsing Supported Point Format extension that
|
||
caused some handshakes to fail.
|
||
|
||
Changes
|
||
* Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
|
||
use of mbedtls_x509_crt_profile_next. (found by NWilson)
|
||
* When a client initiates a reconnect from the same port as a live
|
||
connection, if cookie verification is available
|
||
(MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
|
||
callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be
|
||
detected and mbedtls_ssl_read() will return
|
||
MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
|
||
handshake with the same context. (See RFC 6347 section 4.2.8.)
|
||
|
||
= mbed TLS 2.1.0 released 2015-09-04
|
||
|
||
Features
|
||
* Added support for yotta as a build system.
|
||
* Primary open source license changed to Apache 2.0 license.
|
||
|
||
Bugfix
|
||
* Fix segfault in the benchmark program when benchmarking DHM.
|
||
* Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
|
||
Leisink).
|
||
* Fix bug when parsing a ServerHello without extensions (found by David
|
||
Sears).
|
||
* Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
|
||
(found by Benoit Lecocq).
|
||
* Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
|
||
installed (found by Rawi666).
|
||
* Fix compile error with armcc 5 with --gnu option.
|
||
* Fix bug in Makefile that caused programs not to be installed correctly
|
||
(found by robotanarchy) (#232).
|
||
* Fix bug in Makefile that prevented from installing without building the
|
||
tests (found by robotanarchy) (#232).
|
||
* Fix missing -static-libgcc when building shared libraries for Windows
|
||
with make.
|
||
* Fix link error when building shared libraries for Windows with make.
|
||
* Fix error when loading libmbedtls.so.
|
||
* Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
|
||
be always used (found by dcb314) (#235)
|
||
* Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
|
||
result trying to unlock an unlocked mutex on invalid input (found by
|
||
Fredrik Axelsson) (#257)
|
||
* Fix -Wshadow warnings (found by hnrkp) (#240)
|
||
* Fix memory corruption on client with overlong PSK identity, around
|
||
SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
|
||
Aleksandrs Saveljevs) (#238)
|
||
* Fix unused function warning when using MBEDTLS_MDx_ALT or
|
||
MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
|
||
* Fix memory corruption in pkey programs (found by yankuncheng) (#210)
|
||
|
||
Changes
|
||
* The PEM parser now accepts a trailing space at end of lines (#226).
|
||
* It is now possible to #include a user-provided configuration file at the
|
||
end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
|
||
compiler's command line.
|
||
* When verifying a certificate chain, if an intermediate certificate is
|
||
trusted, no later cert is checked. (suggested by hannes-landeholm)
|
||
(#220).
|
||
* Prepend a "thread identifier" to debug messages (issue pointed out by
|
||
Hugo Leisink) (#210).
|
||
* Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
|
||
length.
|
||
|
||
= mbed TLS 2.0.0 released 2015-07-13
|
||
|
||
Features
|
||
* Support for DTLS 1.0 and 1.2 (RFC 6347).
|
||
* Ability to override core functions from MDx, SHAx, AES and DES modules
|
||
with custom implementation (eg hardware accelerated), complementing the
|
||
ability to override the whole module.
|
||
* New server-side implementation of session tickets that rotate keys to
|
||
preserve forward secrecy, and allows sharing across multiple contexts.
|
||
* Added a concept of X.509 cerificate verification profile that controls
|
||
which algorithms and key sizes (curves for ECDSA) are acceptable.
|
||
* Expanded configurability of security parameters in the SSL module with
|
||
mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
|
||
* Introduced a concept of presets for SSL security-relevant configuration
|
||
parameters.
|
||
|
||
API Changes
|
||
* The library has been split into libmbedcrypto, libmbedx509, libmbedtls.
|
||
You now need to link to all of them if you use TLS for example.
|
||
* All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
|
||
Some names have been further changed to make them more consistent.
|
||
Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are
|
||
provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
|
||
* Renamings of fields inside structures, not covered by the previous list:
|
||
mbedtls_cipher_info_t.key_length -> key_bitlen
|
||
mbedtls_cipher_context_t.key_length -> key_bitlen
|
||
mbedtls_ecp_curve_info.size -> bit_size
|
||
* Headers are now found in the 'mbedtls' directory (previously 'polarssl').
|
||
* The following _init() functions that could return errors have
|
||
been split into an _init() that returns void and another function that
|
||
should generally be the first function called on this context after init:
|
||
mbedtls_ssl_init() -> mbedtls_ssl_setup()
|
||
mbedtls_ccm_init() -> mbedtls_ccm_setkey()
|
||
mbedtls_gcm_init() -> mbedtls_gcm_setkey()
|
||
mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
|
||
mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
|
||
Note that for mbedtls_ssl_setup(), you need to be done setting up the
|
||
ssl_config structure before calling it.
|
||
* Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(),
|
||
ssl_set_session() and ssl_set_client_transport_id(), plus
|
||
ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
|
||
(see rename.pl and compat-1.3.h above) and their first argument's type
|
||
changed from ssl_context to ssl_config.
|
||
* ssl_set_bio() changed signature (contexts merged, order switched, one
|
||
additional callback for read-with-timeout).
|
||
* The following functions have been introduced and must be used in callback
|
||
implementations (SNI, PSK) instead of their *conf counterparts:
|
||
mbedtls_ssl_set_hs_own_cert()
|
||
mbedtls_ssl_set_hs_ca_chain()
|
||
mbedtls_ssl_set_hs_psk()
|
||
* mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set
|
||
using mbedtls_ssl_set_hostname().
|
||
* mbedtls_ssl_conf_session_cache() changed prototype (only one context
|
||
pointer, parameters reordered).
|
||
* On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
|
||
place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
|
||
* The SSL debug callback gained two new arguments (file name, line number).
|
||
* Debug modes were removed.
|
||
* mbedtls_ssl_conf_truncated_hmac() now returns void.
|
||
* mbedtls_memory_buffer_alloc_init() now returns void.
|
||
* X.509 verification flags are now an uint32_t. Affect the signature of:
|
||
mbedtls_ssl_get_verify_result()
|
||
mbedtls_x509_ctr_verify_info()
|
||
mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
|
||
mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
|
||
* The following functions changed prototype to avoid an in-out length
|
||
parameter:
|
||
mbedtls_base64_encode()
|
||
mbedtls_base64_decode()
|
||
mbedtls_mpi_write_string()
|
||
mbedtls_dhm_calc_secret()
|
||
* In the NET module, all "int" and "int *" arguments for file descriptors
|
||
changed type to "mbedtls_net_context *".
|
||
* net_accept() gained new arguments for the size of the client_ip buffer.
|
||
* In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
|
||
return void.
|
||
* ecdsa_write_signature() gained an additional md_alg argument and
|
||
ecdsa_write_signature_det() was deprecated.
|
||
* pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
|
||
* Last argument of x509_crt_check_key_usage() and
|
||
mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
|
||
* test_ca_list (from certs.h) is renamed to test_cas_pem and is only
|
||
available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
|
||
* Test certificates in certs.c are no longer guaranteed to be nul-terminated
|
||
strings; use the new *_len variables instead of strlen().
|
||
* Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
|
||
mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the
|
||
length parameter to include the terminating null byte for PEM input.
|
||
* Signature of mpi_mul_mpi() changed to make the last argument unsigned
|
||
* calloc() is now used instead of malloc() everywhere. API of platform
|
||
layer and the memory_buffer_alloc module changed accordingly.
|
||
(Thanks to Mansour Moufid for helping with the replacement.)
|
||
* Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
|
||
(support for renegotiation now needs explicit enabling in config.h).
|
||
* Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE
|
||
in config.h
|
||
* net_connect() and net_bind() have a new 'proto' argument to choose
|
||
between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
|
||
Their 'port' argument type is changed to a string.
|
||
* Some constness fixes
|
||
|
||
Removals
|
||
* Removed mbedtls_ecp_group_read_string(). Only named groups are supported.
|
||
* Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
|
||
mbedtls_ecp_muladd().
|
||
* Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions
|
||
(use generic functions from md.h)
|
||
* Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom
|
||
waiting function.
|
||
* Removed test DHM parameters from the test certs module.
|
||
* Removed the PBKDF2 module (use PKCS5).
|
||
* Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
|
||
* Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
|
||
* Removed openssl.h (very partial OpenSSL compatibility layer).
|
||
* Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
|
||
* Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have
|
||
been removed (compiler is required to support 32-bit operations).
|
||
* Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
|
||
* Removed test program o_p_test, the script compat.sh does more.
|
||
* Removed test program ssl_test, superseded by ssl-opt.sh.
|
||
* Removed helper script active-config.pl
|
||
|
||
New deprecations
|
||
* md_init_ctx() is deprecated in favour of md_setup(), that adds a third
|
||
argument (allowing memory savings if HMAC is not used)
|
||
|
||
Semi-API changes (technically public, morally private)
|
||
* Renamed a few headers to include _internal in the name. Those headers are
|
||
not supposed to be included by users.
|
||
* Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
|
||
* Changed pk_info_t into an opaque structure.
|
||
* Changed cipher_base_t into an opaque structure.
|
||
* Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
|
||
* x509_crt.key_usage changed from unsigned char to unsigned int.
|
||
* Removed r and s from ecdsa_context
|
||
* Removed mode from des_context and des3_context
|
||
|
||
Default behavior changes
|
||
* The default minimum TLS version is now TLS 1.0.
|
||
* RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
|
||
default ciphersuite list returned by ssl_list_ciphersuites()
|
||
* Support for receiving SSLv2 ClientHello is now disabled by default at
|
||
compile time.
|
||
* The default authmode for SSL/TLS clients is now REQUIRED.
|
||
* Support for RSA_ALT contexts in the PK layer is now optional. Since is is
|
||
enabled in the default configuration, this is only noticeable if using a
|
||
custom config.h
|
||
* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
|
||
* A minimum RSA key size of 2048 bits is now enforced during ceritificate
|
||
chain verification.
|
||
* Negotiation of truncated HMAC is now disabled by default on server too.
|
||
* The following functions are now case-sensitive:
|
||
mbedtls_cipher_info_from_string()
|
||
mbedtls_ecp_curve_info_from_name()
|
||
mbedtls_md_info_from_string()
|
||
mbedtls_ssl_ciphersuite_from_string()
|
||
mbedtls_version_check_feature()
|
||
|
||
Requirement changes
|
||
* The minimum MSVC version required is now 2010 (better C99 support).
|
||
* The NET layer now unconditionnaly relies on getaddrinfo() and select().
|
||
* Compiler is required to support C99 types such as long long and uint32_t.
|
||
|
||
API changes from the 1.4 preview branch
|
||
* ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
|
||
new prototype, and mbedtls_ssl_set_read_timeout().
|
||
* The following functions now return void:
|
||
mbedtls_ssl_conf_transport()
|
||
mbedtls_ssl_conf_max_version()
|
||
mbedtls_ssl_conf_min_version()
|
||
* DTLS no longer hard-depends on TIMING_C, but uses a callback interface
|
||
instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing
|
||
an example implementation, see mbedtls_timing_delay_context and
|
||
mbedtls_timing_set/get_delay().
|
||
* With UDP sockets, it is no longer necessary to call net_bind() again
|
||
after a successful net_accept().
|
||
|
||
Changes
|
||
* mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
|
||
thread-safe if MBEDTLS_THREADING_C is enabled.
|
||
* Reduced ROM fooprint of SHA-256 and added an option to reduce it even
|
||
more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
|
||
|
||
= mbed TLS 1.3 branch
|
||
|
||
Security
|
||
* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
|
||
extendedKeyUsage on the leaf certificate was lost (results not accessible
|
||
via ssl_get_verify_results()).
|
||
* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
|
||
https://dl.acm.org/citation.cfm?id=2714625
|
||
|
||
Features
|
||
* Improve ECC performance by using more efficient doubling formulas
|
||
(contributed by Peter Dettman).
|
||
* Add x509_crt_verify_info() to display certificate verification results.
|
||
* Add support for reading DH parameters with privateValueLength included
|
||
(contributed by Daniel Kahn Gillmor).
|
||
* Add support for bit strings in X.509 names (request by Fredrik Axelsson).
|
||
* Add support for id-at-uniqueIdentifier in X.509 names.
|
||
* Add support for overriding snprintf() (except on Windows) and exit() in
|
||
the platform layer.
|
||
* Add an option to use macros instead of function pointers in the platform
|
||
layer (helps get rid of unwanted references).
|
||
* Improved Makefiles for Windows targets by fixing library targets and making
|
||
cross-compilation easier (thanks to Alon Bar-Lev).
|
||
* The benchmark program also prints heap usage for public-key primitives
|
||
if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined.
|
||
* New script ecc-heap.sh helps measuring the impact of ECC parameters on
|
||
speed and RAM (heap only for now) usage.
|
||
* New script memory.sh helps measuring the ROM and RAM requirements of two
|
||
reduced configurations (PSK-CCM and NSA suite B).
|
||
* Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
|
||
warnings on use of deprecated functions (with GCC and Clang only).
|
||
* Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
|
||
errors on use of deprecated functions.
|
||
|
||
Bugfix
|
||
* Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
|
||
* Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
|
||
* Fix bug in entropy.c when THREADING_C is also enabled that caused
|
||
entropy_free() to crash (thanks to Rafał Przywara).
|
||
* Fix memory leak when gcm_setkey() and ccm_setkey() are used more than
|
||
once on the same context.
|
||
* Fix bug in ssl_mail_client when password is longer that username (found
|
||
by Bruno Pape).
|
||
* Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
|
||
(detected by Clang's 3.6 UBSan).
|
||
* mpi_size() and mpi_msb() would segfault when called on an mpi that is
|
||
initialized but not set (found by pravic).
|
||
* Fix detection of support for getrandom() on Linux (reported by syzzer) by
|
||
doing it at runtime (using uname) rather that compile time.
|
||
* Fix handling of symlinks by "make install" (found by Gaël PORTAY).
|
||
* Fix potential NULL pointer dereference (not trigerrable remotely) when
|
||
ssl_write() is called before the handshake is finished (introduced in
|
||
1.3.10) (first reported by Martin Blumenstingl).
|
||
* Fix bug in pk_parse_key() that caused some valid private EC keys to be
|
||
rejected.
|
||
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
|
||
* Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
|
||
* Fix hardclock() (only used in the benchmarking program) with some
|
||
versions of mingw64 (found by kxjhlele).
|
||
* Fix warnings from mingw64 in timing.c (found by kxjklele).
|
||
* Fix potential unintended sign extension in asn1_get_len() on 64-bit
|
||
platforms.
|
||
* Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
|
||
* Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and
|
||
POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
|
||
in 1.3.10).
|
||
* Add missing extern "C" guard in aesni.h (reported by amir zamani).
|
||
* Add missing dependency on SHA-256 in some x509 programs (reported by
|
||
Gergely Budai).
|
||
* Fix bug related to ssl_set_curves(): the client didn't check that the
|
||
curve picked by the server was actually allowed.
|
||
|
||
Changes
|
||
* Remove bias in mpi_gen_prime (contributed by Pascal Junod).
|
||
* Remove potential sources of timing variations (some contributed by Pascal
|
||
Junod).
|
||
* Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
|
||
* Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
|
||
* compat-1.2.h and openssl.h are deprecated.
|
||
* Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
|
||
more flexible (warning: OFLAGS is not used any more) (see the README)
|
||
(contributed by Alon Bar-Lev).
|
||
* ssl_set_own_cert() no longer calls pk_check_pair() since the
|
||
performance impact was bad for some users (this was introduced in 1.3.10).
|
||
* Move from SHA-1 to SHA-256 in example programs using signatures
|
||
(suggested by Thorsten Mühlfelder).
|
||
* Remove some unneeded inclusions of header files from the standard library
|
||
"minimize" others (eg use stddef.h if only size_t is needed).
|
||
* Change #include lines in test files to use double quotes instead of angle
|
||
brackets for uniformity with the rest of the code.
|
||
* Remove dependency on sscanf() in X.509 parsing modules.
|
||
|
||
= mbed TLS 1.3.10 released 2015-02-09
|
||
Security
|
||
* NULL pointer dereference in the buffer-based allocator when the buffer is
|
||
full and polarssl_free() is called (found by Mark Hasemeyer)
|
||
(only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
|
||
not by default).
|
||
* Fix remotely-triggerable uninitialised pointer dereference caused by
|
||
crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
|
||
client certificate) (found using Codenomicon Defensics).
|
||
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
|
||
(TLS server is not affected if it doesn't ask for a client certificate)
|
||
(found using Codenomicon Defensics).
|
||
* Fix potential stack overflow while parsing crafted X.509 certificates
|
||
(TLS server is not affected if it doesn't ask for a client certificate)
|
||
(found using Codenomicon Defensics).
|
||
* Fix timing difference that could theoretically lead to a
|
||
Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
|
||
(reported by Sebastian Schinzel).
|
||
|
||
Features
|
||
* Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
|
||
* Add support for Extended Master Secret (draft-ietf-tls-session-hash).
|
||
* Add support for Encrypt-then-MAC (RFC 7366).
|
||
* Add function pk_check_pair() to test if public and private keys match.
|
||
* Add x509_crl_parse_der().
|
||
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
|
||
length of an X.509 verification chain.
|
||
* Support for renegotiation can now be disabled at compile-time
|
||
* Support for 1/n-1 record splitting, a countermeasure against BEAST.
|
||
* Certificate selection based on signature hash, preferring SHA-1 over SHA-2
|
||
for pre-1.2 clients when multiple certificates are available.
|
||
* Add support for getrandom() syscall on recent Linux kernels with Glibc or
|
||
a compatible enough libc (eg uClibc).
|
||
* Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
|
||
while using the default ciphersuite list.
|
||
* Added new error codes and debug messages about selection of
|
||
ciphersuite/certificate.
|
||
|
||
Bugfix
|
||
* Stack buffer overflow if ctr_drbg_update() is called with too large
|
||
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
|
||
* Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
|
||
if memory_buffer_alloc_init() was called with buf not aligned and len not
|
||
a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
|
||
* User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
|
||
by Julian Ospald).
|
||
* Fix potential undefined behaviour in Camellia.
|
||
* Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
|
||
multiple of 8 (found by Gergely Budai).
|
||
* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
|
||
Peter Vaskovic).
|
||
* Fix assembly selection for MIPS64 (thanks to James Cowgill).
|
||
* ssl_get_verify_result() now works even if the handshake was aborted due
|
||
to a failed verification (found by Fredrik Axelsson).
|
||
* Skip writing and parsing signature_algorithm extension if none of the
|
||
key exchanges enabled needs certificates. This fixes a possible interop
|
||
issue with some servers when a zero-length extension was sent. (Reported
|
||
by Peter Dettman.)
|
||
* On a 0-length input, base64_encode() did not correctly set output length
|
||
(found by Hendrik van den Boogaard).
|
||
|
||
Changes
|
||
* Use deterministic nonces for AEAD ciphers in TLS by default (possible to
|
||
switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
|
||
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
|
||
* ssl_set_own_cert() now returns an error on key-certificate mismatch.
|
||
* Forbid repeated extensions in X.509 certificates.
|
||
* debug_print_buf() now prints a text view in addition to hexadecimal.
|
||
* A specific error is now returned when there are ciphersuites in common
|
||
but none of them is usable due to external factors such as no certificate
|
||
with a suitable (extended)KeyUsage or curve or no PSK set.
|
||
* It is now possible to disable negotiation of truncated HMAC server-side
|
||
at runtime with ssl_set_truncated_hmac().
|
||
* Example programs for SSL client and server now disable SSLv3 by default.
|
||
* Example programs for SSL client and server now disable RC4 by default.
|
||
* Use platform.h in all test suites and programs.
|
||
|
||
= PolarSSL 1.3.9 released 2014-10-20
|
||
Security
|
||
* Lowest common hash was selected from signature_algorithms extension in
|
||
TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
|
||
* Remotely-triggerable memory leak when parsing some X.509 certificates
|
||
(server is not affected if it doesn't ask for a client certificate)
|
||
(found using Codenomicon Defensics).
|
||
* Remotely-triggerable memory leak when parsing crafted ClientHello
|
||
(not affected if ECC support was compiled out) (found using Codenomicon
|
||
Defensics).
|
||
|
||
Bugfix
|
||
* Support escaping of commas in x509_string_to_names()
|
||
* Fix compile error in ssl_pthread_server (found by Julian Ospald).
|
||
* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
|
||
* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
|
||
* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
|
||
* Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
|
||
are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
|
||
* Remove non-existent file from VS projects (found by Peter Vaskovic).
|
||
* ssl_read() could return non-application data records on server while
|
||
renegotation was pending, and on client when a HelloRequest was received.
|
||
* Server-initiated renegotiation would fail with non-blocking I/O if the
|
||
write callback returned WANT_WRITE when requesting renegotiation.
|
||
* ssl_close_notify() could send more than one message in some circumstances
|
||
with non-blocking I/O.
|
||
* Fix compiler warnings on iOS (found by Sander Niemeijer).
|
||
* x509_crt_parse() did not increase total_failed on PEM error
|
||
* Fix compile error with armcc in mpi_is_prime()
|
||
* Fix potential bad read in parsing ServerHello (found by Adrien
|
||
Vialletelle).
|
||
|
||
Changes
|
||
* Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
|
||
standard defining how to use SHA-2 with SSL 3.0).
|
||
* Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
|
||
ambiguous on how to encode some packets with SSL 3.0).
|
||
* Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
|
||
RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
|
||
* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
|
||
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
|
||
* POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
|
||
RSA keys.
|
||
* Accept spaces at end of line or end of buffer in base64_decode().
|
||
* X.509 certificates with more than one AttributeTypeAndValue per
|
||
RelativeDistinguishedName are not accepted any more.
|
||
|
||
= PolarSSL 1.3.8 released 2014-07-11
|
||
Security
|
||
* Fix length checking for AEAD ciphersuites (found by Codenomicon).
|
||
It was possible to crash the server (and client) using crafted messages
|
||
when a GCM suite was chosen.
|
||
|
||
Features
|
||
* Add CCM module and cipher mode to Cipher Layer
|
||
* Support for CCM and CCM_8 ciphersuites
|
||
* Support for parsing and verifying RSASSA-PSS signatures in the X.509
|
||
modules (certificates, CRLs and CSRs).
|
||
* Blowfish in the cipher layer now supports variable length keys.
|
||
* Add example config.h for PSK with CCM, optimized for low RAM usage.
|
||
* Optimize for RAM usage in example config.h for NSA Suite B profile.
|
||
* Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
|
||
from the default list (inactive by default).
|
||
* Add server-side enforcement of sent renegotiation requests
|
||
(ssl_set_renegotiation_enforced())
|
||
* Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
|
||
ciphersuites to use and save some memory if the list is small.
|
||
|
||
Changes
|
||
* Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
|
||
required on some platforms (e.g. OpenBSD)
|
||
* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
|
||
against unwanted compiler optimizations
|
||
* md_list() now returns hashes strongest first
|
||
* Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
|
||
strongest offered by client.
|
||
* All public contexts have _init() and _free() functions now for simpler
|
||
usage pattern
|
||
|
||
Bugfix
|
||
* Fix in debug_print_msg()
|
||
* Enforce alignment in the buffer allocator even if buffer is not aligned
|
||
* Remove less-than-zero checks on unsigned numbers
|
||
* Stricter check on SSL ClientHello internal sizes compared to actual packet
|
||
size (found by TrustInSoft)
|
||
* Fix WSAStartup() return value check (found by Peter Vaskovic)
|
||
* Other minor issues (found by Peter Vaskovic)
|
||
* Fix symlink command for cross compiling with CMake (found by Andre
|
||
Heinecke)
|
||
* Fix DER output of gen_key app (found by Gergely Budai)
|
||
* Very small records were incorrectly rejected when truncated HMAC was in
|
||
use with some ciphersuites and versions (RC4 in all versions, CBC with
|
||
versions < TLS 1.1).
|
||
* Very large records using more than 224 bytes of padding were incorrectly
|
||
rejected with CBC-based ciphersuites and TLS >= 1.1
|
||
* Very large records using less padding could cause a buffer overread of up
|
||
to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
|
||
* Restore ability to use a v1 cert as a CA if trusted locally. (This had
|
||
been removed in 1.3.6.)
|
||
* Restore ability to locally trust a self-signed cert that is not a proper
|
||
CA for use as an end entity certificate. (This had been removed in
|
||
1.3.6.)
|
||
* Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
|
||
* Use \n\t rather than semicolons for bn_mul asm, since some assemblers
|
||
interpret semicolons as comment delimiters (found by Barry K. Nathan).
|
||
* Fix off-by-one error in parsing Supported Point Format extension that
|
||
caused some handshakes to fail.
|
||
* Fix possible miscomputation of the premaster secret with DHE-PSK key
|
||
exchange that caused some handshakes to fail with other implementations.
|
||
(Failure rate <= 1/255 with common DHM moduli.)
|
||
* Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
|
||
* Fix base64_decode() to return and check length correctly (in case of
|
||
tight buffers)
|
||
* Fix mpi_write_string() to write "00" as hex output for empty MPI (found
|
||
by Hui Dong)
|
||
|
||
= PolarSSL 1.3.7 released on 2014-05-02
|
||
Features
|
||
* debug_set_log_mode() added to determine raw or full logging
|
||
* debug_set_threshold() added to ignore messages over threshold level
|
||
* version_check_feature() added to check for compile-time options at
|
||
run-time
|
||
|
||
Changes
|
||
* POLARSSL_CONFIG_OPTIONS has been removed. All values are individually
|
||
checked and filled in the relevant module headers
|
||
* Debug module only outputs full lines instead of parts
|
||
* Better support for the different Attribute Types from IETF PKIX (RFC 5280)
|
||
* AES-NI now compiles with "old" assemblers too
|
||
* Ciphersuites based on RC4 now have the lowest priority by default
|
||
|
||
Bugfix
|
||
* Only iterate over actual certificates in ssl_write_certificate_request()
|
||
(found by Matthew Page)
|
||
* Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
|
||
Karger)
|
||
* cert_write app should use subject of issuer certificate as issuer of cert
|
||
* Fix false reject in padding check in ssl_decrypt_buf() for CBC
|
||
ciphersuites, for full SSL frames of data.
|
||
* Improve interoperability by not writing extension length in ClientHello /
|
||
ServerHello when no extensions are present (found by Matthew Page)
|
||
* rsa_check_pubkey() now allows an E up to N
|
||
* On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
|
||
* mpi_fill_random() was creating numbers larger than requested on
|
||
big-endian platform when size was not an integer number of limbs
|
||
* Fix dependencies issues in X.509 test suite.
|
||
* Some parts of ssl_tls.c were compiled even when the module was disabled.
|
||
* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
|
||
* Fix detection of Clang on some Apple platforms with CMake
|
||
(found by Barry K. Nathan)
|
||
|
||
= PolarSSL 1.3.6 released on 2014-04-11
|
||
|
||
Features
|
||
* Support for the ALPN SSL extension
|
||
* Add option 'use_dev_random' to gen_key application
|
||
* Enable verification of the keyUsage extension for CA and leaf
|
||
certificates (POLARSSL_X509_CHECK_KEY_USAGE)
|
||
* Enable verification of the extendedKeyUsage extension
|
||
(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
|
||
|
||
Changes
|
||
* x509_crt_info() now prints information about parsed extensions as well
|
||
* pk_verify() now returns a specific error code when the signature is valid
|
||
but shorter than the supplied length.
|
||
* Use UTC time to check certificate validity.
|
||
* Reject certificates with times not in UTC, per RFC 5280.
|
||
|
||
Security
|
||
* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
|
||
(Found by Watson Ladd.)
|
||
* The notAfter date of some certificates was no longer checked since 1.3.5.
|
||
This affects certificates in the user-supplied chain except the top
|
||
certificate. If the user-supplied chain contains only one certificates,
|
||
it is not affected (ie, its notAfter date is properly checked).
|
||
* Prevent potential NULL pointer dereference in ssl_read_record() (found by
|
||
TrustInSoft)
|
||
|
||
Bugfix
|
||
* The length of various ClientKeyExchange messages was not properly checked.
|
||
* Some example server programs were not sending the close_notify alert.
|
||
* Potential memory leak in mpi_exp_mod() when error occurs during
|
||
calculation of RR.
|
||
* Fixed malloc/free default #define in platform.c (found by Gergely Budai).
|
||
* Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by
|
||
Gergely Budai).
|
||
* Fix #include path in ecdsa.h which wasn't accepted by some compilers.
|
||
(found by Gergely Budai)
|
||
* Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
|
||
Shuo Chen).
|
||
* oid_get_numeric_string() used to truncate the output without returning an
|
||
error if the output buffer was just 1 byte too small.
|
||
* dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
|
||
* Calling pk_debug() on an RSA-alt key would segfault.
|
||
* pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
|
||
* Potential buffer overwrite in pem_write_buffer() because of low length
|
||
indication (found by Thijs Alkemade)
|
||
* EC curves constants, which should be only in ROM since 1.3.3, were also
|
||
stored in RAM due to missing 'const's (found by Gergely Budai).
|
||
|
||
= PolarSSL 1.3.5 released on 2014-03-26
|
||
Features
|
||
* HMAC-DRBG as a separate module
|
||
* Option to set the Curve preference order (disabled by default)
|
||
* Single Platform compatilibity layer (for memory / printf / fprintf)
|
||
* Ability to provide alternate timing implementation
|
||
* Ability to force the entropy module to use SHA-256 as its basis
|
||
(POLARSSL_ENTROPY_FORCE_SHA256)
|
||
* Testing script ssl-opt.sh added for testing 'live' ssl option
|
||
interoperability against OpenSSL and PolarSSL
|
||
* Support for reading EC keys that use SpecifiedECDomain in some cases.
|
||
* Entropy module now supports seed writing and reading
|
||
|
||
Changes
|
||
* Deprecated the Memory layer
|
||
* entropy_add_source(), entropy_update_manual() and entropy_gather()
|
||
now thread-safe if POLARSSL_THREADING_C defined
|
||
* Improvements to the CMake build system, contributed by Julian Ospald.
|
||
* Work around a bug of the version of Clang shipped by Apple with Mavericks
|
||
that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
|
||
* Revamped the compat.sh interoperatibility script to include support for
|
||
testing against GnuTLS
|
||
* Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
|
||
* Improvements to tests/Makefile, contributed by Oden Eriksson.
|
||
|
||
Security
|
||
* Forbid change of server certificate during renegotiation to prevent
|
||
"triple handshake" attack when authentication mode is 'optional' (the
|
||
attack was already impossible when authentication is required).
|
||
* Check notBefore timestamp of certificates and CRLs from the future.
|
||
* Forbid sequence number wrapping
|
||
* Fixed possible buffer overflow with overlong PSK
|
||
* Possible remotely-triggered out-of-bounds memory access fixed (found by
|
||
TrustInSoft)
|
||
|
||
Bugfix
|
||
* ecp_gen_keypair() does more tries to prevent failure because of
|
||
statistics
|
||
* Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
|
||
* Fixed testing with out-of-source builds using cmake
|
||
* Fixed version-major intolerance in server
|
||
* Fixed CMake symlinking on out-of-source builds
|
||
* Fixed dependency issues in test suite
|
||
* Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
|
||
* Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
|
||
Alex Wilson.)
|
||
* ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
|
||
* m_sleep() was sleeping twice too long on most Unix platforms.
|
||
* Fixed bug with session tickets and non-blocking I/O in the unlikely case
|
||
send() would return an EAGAIN error when sending the ticket.
|
||
* ssl_cache was leaking memory when reusing a timed out entry containing a
|
||
client certificate.
|
||
* ssl_srv was leaking memory when client presented a timed out ticket
|
||
containing a client certificate
|
||
* ssl_init() was leaving a dirty pointer in ssl_context if malloc of
|
||
out_ctr failed
|
||
* ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
|
||
of one of them failed
|
||
* Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
|
||
* x509_get_current_time() uses localtime_r() to prevent thread issues
|
||
|
||
= PolarSSL 1.3.4 released on 2014-01-27
|
||
Features
|
||
* Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
|
||
* Support for RIPEMD-160
|
||
* Support for AES CFB8 mode
|
||
* Support for deterministic ECDSA (RFC 6979)
|
||
|
||
Bugfix
|
||
* Potential memory leak in bignum_selftest()
|
||
* Replaced expired test certificate
|
||
* ssl_mail_client now terminates lines with CRLF, instead of LF
|
||
* net module handles timeouts on blocking sockets better (found by Tilman
|
||
Sauerbeck)
|
||
* Assembly format fixes in bn_mul.h
|
||
|
||
Security
|
||
* Missing MPI_CHK calls added around unguarded mpi calls (found by
|
||
TrustInSoft)
|
||
|
||
= PolarSSL 1.3.3 released on 2013-12-31
|
||
Features
|
||
* EC key generation support in gen_key app
|
||
* Support for adhering to client ciphersuite order preference
|
||
(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
||
* Support for Curve25519
|
||
* Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
|
||
* Support for IPv6 in the NET module
|
||
* AES-NI support for AES, AES-GCM and AES key scheduling
|
||
* SSL Pthread-based server example added (ssl_pthread_server)
|
||
|
||
Changes
|
||
* gen_prime() speedup
|
||
* Speedup of ECP multiplication operation
|
||
* Relaxed some SHA2 ciphersuite's version requirements
|
||
* Dropped use of readdir_r() instead of readdir() with threading support
|
||
* More constant-time checks in the RSA module
|
||
* Split off curves from ecp.c into ecp_curves.c
|
||
* Curves are now stored fully in ROM
|
||
* Memory usage optimizations in ECP module
|
||
* Removed POLARSSL_THREADING_DUMMY
|
||
|
||
Bugfix
|
||
* Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
|
||
* Fixed X.509 hostname comparison (with non-regular characters)
|
||
* SSL now gracefully handles missing RNG
|
||
* Missing defines / cases for RSA_PSK key exchange
|
||
* crypt_and_hash app checks MAC before final decryption
|
||
* Potential memory leak in ssl_ticket_keys_init()
|
||
* Memory leak in benchmark application
|
||
* Fixed x509_crt_parse_path() bug on Windows platforms
|
||
* Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
|
||
TrustInSoft)
|
||
* Fixed potential overflow in certificate size verification in
|
||
ssl_write_certificate() (found by TrustInSoft)
|
||
|
||
Security
|
||
* Possible remotely-triggered out-of-bounds memory access fixed (found by
|
||
TrustInSoft)
|
||
|
||
= PolarSSL 1.3.2 released on 2013-11-04
|
||
Features
|
||
* PK tests added to test framework
|
||
* Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
|
||
* Support for Camellia-GCM mode and ciphersuites
|
||
|
||
Changes
|
||
* Padding checks in cipher layer are now constant-time
|
||
* Value comparisons in SSL layer are now constant-time
|
||
* Support for serialNumber, postalAddress and postalCode in X509 names
|
||
* SSL Renegotiation was refactored
|
||
|
||
Bugfix
|
||
* More stringent checks in cipher layer
|
||
* Server does not send out extensions not advertised by client
|
||
* Prevent possible alignment warnings on casting from char * to 'aligned *'
|
||
* Misc fixes and additions to dependency checks
|
||
* Const correctness
|
||
* cert_write with selfsign should use issuer_name as subject_name
|
||
* Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
|
||
* Defines to handle UEFI environment under MSVC
|
||
* Server-side initiated renegotiations send HelloRequest
|
||
|
||
= PolarSSL 1.3.1 released on 2013-10-15
|
||
Features
|
||
* Support for Brainpool curves and TLS ciphersuites (RFC 7027)
|
||
* Support for ECDHE-PSK key-exchange and ciphersuites
|
||
* Support for RSA-PSK key-exchange and ciphersuites
|
||
|
||
Changes
|
||
* RSA blinding locks for a smaller amount of time
|
||
* TLS compression only allocates working buffer once
|
||
* Introduced POLARSSL_HAVE_READDIR_R for systems without it
|
||
* config.h is more script-friendly
|
||
|
||
Bugfix
|
||
* Missing MSVC defines added
|
||
* Compile errors with POLARSSL_RSA_NO_CRT
|
||
* Header files with 'polarssl/'
|
||
* Const correctness
|
||
* Possible naming collision in dhm_context
|
||
* Better support for MSVC
|
||
* threading_set_alt() name
|
||
* Added missing x509write_crt_set_version()
|
||
|
||
= PolarSSL 1.3.0 released on 2013-10-01
|
||
Features
|
||
* Elliptic Curve Cryptography module added
|
||
* Elliptic Curve Diffie Hellman module added
|
||
* Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
|
||
(ECDHE-based ciphersuites)
|
||
* Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
|
||
(ECDSA-based ciphersuites)
|
||
* Ability to specify allowed ciphersuites based on the protocol version.
|
||
* PSK and DHE-PSK based ciphersuites added
|
||
* Memory allocation abstraction layer added
|
||
* Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
|
||
* Threading abstraction layer added (dummy / pthread / alternate)
|
||
* Public Key abstraction layer added
|
||
* Parsing Elliptic Curve keys
|
||
* Parsing Elliptic Curve certificates
|
||
* Support for max_fragment_length extension (RFC 6066)
|
||
* Support for truncated_hmac extension (RFC 6066)
|
||
* Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
|
||
(ISO/IEC 7816-4) padding and zero padding in the cipher layer
|
||
* Support for session tickets (RFC 5077)
|
||
* Certificate Request (CSR) generation with extensions (key_usage,
|
||
ns_cert_type)
|
||
* X509 Certificate writing with extensions (basic_constraints,
|
||
issuer_key_identifier, etc)
|
||
* Optional blinding for RSA, DHM and EC
|
||
* Support for multiple active certificate / key pairs in SSL servers for
|
||
the same host (Not to be confused with SNI!)
|
||
|
||
Changes
|
||
* Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
|
||
individually
|
||
* Introduced separate SSL Ciphersuites module that is based on
|
||
Cipher and MD information
|
||
* Internals for SSL module adapted to have separate IV pointer that is
|
||
dynamically set (Better support for hardware acceleration)
|
||
* Moved all OID functionality to a separate module. RSA function
|
||
prototypes for the RSA sign and verify functions changed as a result
|
||
* Split up the GCM module into a starts/update/finish cycle
|
||
* Client and server now filter sent and accepted ciphersuites on minimum
|
||
and maximum protocol version
|
||
* Ability to disable server_name extension (RFC 6066)
|
||
* Renamed error_strerror() to the less conflicting polarssl_strerror()
|
||
(Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
|
||
* SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
|
||
* All RSA operations require a random generator for blinding purposes
|
||
* X509 core refactored
|
||
* x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
|
||
* Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
|
||
* Support faulty X509 v1 certificates with extensions
|
||
(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
|
||
|
||
Bugfix
|
||
* Fixed parse error in ssl_parse_certificate_request()
|
||
* zlib compression/decompression skipped on empty blocks
|
||
* Support for AIX header locations in net.c module
|
||
* Fixed file descriptor leaks
|
||
|
||
Security
|
||
* RSA blinding on CRT operations to counter timing attacks
|
||
(found by Cyril Arnaud and Pierre-Alain Fouque)
|
||
|
||
|
||
= Version 1.2.14 released 2015-05-??
|
||
|
||
Security
|
||
* Fix potential invalid memory read in the server, that allows a client to
|
||
crash it remotely (found by Caj Larsson).
|
||
* Fix potential invalid memory read in certificate parsing, that allows a
|
||
client to crash the server remotely if client authentication is enabled
|
||
(found using Codenomicon Defensics).
|
||
* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
|
||
https://dl.acm.org/citation.cfm?id=2714625
|
||
|
||
Bugfix
|
||
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
|
||
* Fix hardclock() (only used in the benchmarking program) with some
|
||
versions of mingw64 (found by kxjhlele).
|
||
* Fix warnings from mingw64 in timing.c (found by kxjklele).
|
||
* Fix potential unintended sign extension in asn1_get_len() on 64-bit
|
||
platforms (found with Coverity Scan).
|
||
|
||
= Version 1.2.13 released 2015-02-16
|
||
Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
|
||
this will be made in the 1.2 branch at this point.
|
||
|
||
Security
|
||
* Fix remotely-triggerable uninitialised pointer dereference caused by
|
||
crafted X.509 certificate (TLS server is not affected if it doesn't ask
|
||
for a client certificate) (found using Codenomicon Defensics).
|
||
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
|
||
(TLS server is not affected if it doesn't ask for a client certificate)
|
||
(found using Codenomicon Defensics).
|
||
* Fix potential stack overflow while parsing crafted X.509 certificates
|
||
(TLS server is not affected if it doesn't ask for a client certificate)
|
||
found using Codenomicon Defensics).
|
||
* Fix buffer overread of size 1 when parsing crafted X.509 certificates
|
||
(TLS server is not affected if it doesn't ask for a client certificate).
|
||
|
||
Bugfix
|
||
* Fix potential undefined behaviour in Camellia.
|
||
* Fix memory leaks in PKCS#5 and PKCS#12.
|
||
* Stack buffer overflow if ctr_drbg_update() is called with too large
|
||
add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
|
||
* Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
|
||
in 1.2.12).
|
||
* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
|
||
Peter Vaskovic).
|
||
* Fix assembly selection for MIPS64 (thanks to James Cowgill).
|
||
* ssl_get_verify_result() now works even if the handshake was aborted due
|
||
to a failed verification (found by Fredrik Axelsson).
|
||
* Skip writing and parsing signature_algorithm extension if none of the
|
||
key exchanges enabled needs certificates. This fixes a possible interop
|
||
issue with some servers when a zero-length extension was sent. (Reported
|
||
by Peter Dettman.)
|
||
* On a 0-length input, base64_encode() did not correctly set output length
|
||
(found by Hendrik van den Boogaard).
|
||
|
||
Changes
|
||
* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
|
||
* Forbid repeated extensions in X.509 certificates.
|
||
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
|
||
length of an X.509 verification chain (default = 8).
|
||
= Version 1.2.12 released 2014-10-24
|
||
|
||
Security
|
||
* Remotely-triggerable memory leak when parsing some X.509 certificates
|
||
(server is not affected if it doesn't ask for a client certificate).
|
||
(Found using Codenomicon Defensics.)
|
||
|
||
Bugfix
|
||
* Fix potential bad read in parsing ServerHello (found by Adrien
|
||
Vialletelle).
|
||
* ssl_close_notify() could send more than one message in some circumstances
|
||
with non-blocking I/O.
|
||
* x509_crt_parse() did not increase total_failed on PEM error
|
||
* Fix compiler warnings on iOS (found by Sander Niemeijer).
|
||
* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
|
||
* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
|
||
* ssl_read() could return non-application data records on server while
|
||
renegotation was pending, and on client when a HelloRequest was received.
|
||
* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
|
||
|
||
Changes
|
||
* X.509 certificates with more than one AttributeTypeAndValue per
|
||
RelativeDistinguishedName are not accepted any more.
|
||
* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
|
||
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
|
||
* Accept spaces at end of line or end of buffer in base64_decode().
|
||
|
||
= Version 1.2.11 released 2014-07-11
|
||
Features
|
||
* Entropy module now supports seed writing and reading
|
||
|
||
Changes
|
||
* Introduced POLARSSL_HAVE_READDIR_R for systems without it
|
||
* Improvements to the CMake build system, contributed by Julian Ospald.
|
||
* Work around a bug of the version of Clang shipped by Apple with Mavericks
|
||
that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
|
||
* Improvements to tests/Makefile, contributed by Oden Eriksson.
|
||
* Use UTC time to check certificate validity.
|
||
* Reject certificates with times not in UTC, per RFC 5280.
|
||
* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
|
||
against unwanted compiler optimizations
|
||
|
||
Security
|
||
* Forbid change of server certificate during renegotiation to prevent
|
||
"triple handshake" attack when authentication mode is optional (the
|
||
attack was already impossible when authentication is required).
|
||
* Check notBefore timestamp of certificates and CRLs from the future.
|
||
* Forbid sequence number wrapping
|
||
* Prevent potential NULL pointer dereference in ssl_read_record() (found by
|
||
TrustInSoft)
|
||
* Fix length checking for AEAD ciphersuites (found by Codenomicon).
|
||
It was possible to crash the server (and client) using crafted messages
|
||
when a GCM suite was chosen.
|
||
|
||
Bugfix
|
||
* Fixed X.509 hostname comparison (with non-regular characters)
|
||
* SSL now gracefully handles missing RNG
|
||
* crypt_and_hash app checks MAC before final decryption
|
||
* Fixed x509_crt_parse_path() bug on Windows platforms
|
||
* Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
|
||
TrustInSoft)
|
||
* Fixed potential overflow in certificate size verification in
|
||
ssl_write_certificate() (found by TrustInSoft)
|
||
* Fix ASM format in bn_mul.h
|
||
* Potential memory leak in bignum_selftest()
|
||
* Replaced expired test certificate
|
||
* ssl_mail_client now terminates lines with CRLF, instead of LF
|
||
* Fix bug in RSA PKCS#1 v1.5 "reversed" operations
|
||
* Fixed testing with out-of-source builds using cmake
|
||
* Fixed version-major intolerance in server
|
||
* Fixed CMake symlinking on out-of-source builds
|
||
* Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
|
||
Alex Wilson.)
|
||
* ssl_init() was leaving a dirty pointer in ssl_context if malloc of
|
||
out_ctr failed
|
||
* ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
|
||
of one of them failed
|
||
* x509_get_current_time() uses localtime_r() to prevent thread issues
|
||
* Some example server programs were not sending the close_notify alert.
|
||
* Potential memory leak in mpi_exp_mod() when error occurs during
|
||
calculation of RR.
|
||
* Improve interoperability by not writing extension length in ClientHello
|
||
when no extensions are present (found by Matthew Page)
|
||
* rsa_check_pubkey() now allows an E up to N
|
||
* On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
|
||
* mpi_fill_random() was creating numbers larger than requested on
|
||
big-endian platform when size was not an integer number of limbs
|
||
* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
|
||
* Stricter check on SSL ClientHello internal sizes compared to actual packet
|
||
size (found by TrustInSoft)
|
||
* Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
|
||
* Use \n\t rather than semicolons for bn_mul asm, since some assemblers
|
||
interpret semicolons as comment delimiters (found by Barry K. Nathan).
|
||
* Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
|
||
* Fix base64_decode() to return and check length correctly (in case of
|
||
tight buffers)
|
||
|
||
= Version 1.2.10 released 2013-10-07
|
||
Changes
|
||
* Changed RSA blinding to a slower but thread-safe version
|
||
|
||
Bugfix
|
||
* Fixed memory leak in RSA as a result of introduction of blinding
|
||
* Fixed ssl_pkcs11_decrypt() prototype
|
||
* Fixed MSVC project files
|
||
|
||
= Version 1.2.9 released 2013-10-01
|
||
Changes
|
||
* x509_verify() now case insensitive for cn (RFC 6125 6.4)
|
||
|
||
Bugfix
|
||
* Fixed potential memory leak when failing to resume a session
|
||
* Fixed potential file descriptor leaks (found by Remi Gacogne)
|
||
* Minor fixes
|
||
|
||
Security
|
||
* Fixed potential heap buffer overflow on large hostname setting
|
||
* Fixed potential negative value misinterpretation in load_file()
|
||
* RSA blinding on CRT operations to counter timing attacks
|
||
(found by Cyril Arnaud and Pierre-Alain Fouque)
|
||
|
||
= Version 1.2.8 released 2013-06-19
|
||
Features
|
||
* Parsing of PKCS#8 encrypted private key files
|
||
* PKCS#12 PBE and derivation functions
|
||
* Centralized module option values in config.h to allow user-defined
|
||
settings without editing header files by using POLARSSL_CONFIG_OPTIONS
|
||
|
||
Changes
|
||
* HAVEGE random generator disabled by default
|
||
* Internally split up x509parse_key() into a (PEM) handler function
|
||
and specific DER parser functions for the PKCS#1 and unencrypted
|
||
PKCS#8 private key formats
|
||
* Added mechanism to provide alternative implementations for all
|
||
symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
|
||
config.h)
|
||
* PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
|
||
old PBKDF2 module
|
||
|
||
Bugfix
|
||
* Secure renegotiation extension should only be sent in case client
|
||
supports secure renegotiation
|
||
* Fixed offset for cert_type list in ssl_parse_certificate_request()
|
||
* Fixed const correctness issues that have no impact on the ABI
|
||
* x509parse_crt() now better handles PEM error situations
|
||
* ssl_parse_certificate() now calls x509parse_crt_der() directly
|
||
instead of the x509parse_crt() wrapper that can also parse PEM
|
||
certificates
|
||
* x509parse_crtpath() is now reentrant and uses more portable stat()
|
||
* Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
|
||
* Fixed values for 2-key Triple DES in cipher layer
|
||
* ssl_write_certificate_request() can handle empty ca_chain
|
||
|
||
Security
|
||
* A possible DoS during the SSL Handshake, due to faulty parsing of
|
||
PEM-encoded certificates has been fixed (found by Jack Lloyd)
|
||
|
||
= Version 1.2.7 released 2013-04-13
|
||
Features
|
||
* Ability to specify allowed ciphersuites based on the protocol version.
|
||
|
||
Changes
|
||
* Default Blowfish keysize is now 128-bits
|
||
* Test suites made smaller to accommodate Raspberry Pi
|
||
|
||
Bugfix
|
||
* Fix for MPI assembly for ARM
|
||
* GCM adapted to support sizes > 2^29
|
||
|
||
= Version 1.2.6 released 2013-03-11
|
||
Bugfix
|
||
* Fixed memory leak in ssl_free() and ssl_reset() for active session
|
||
* Corrected GCM counter incrementation to use only 32-bits instead of
|
||
128-bits (found by Yawning Angel)
|
||
* Fixes for 64-bit compilation with MS Visual Studio
|
||
* Fixed net_bind() for specified IP addresses on little endian systems
|
||
* Fixed assembly code for ARM (Thumb and regular) for some compilers
|
||
|
||
Changes
|
||
* Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
|
||
rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
|
||
PKCS#1 v2.1 functions
|
||
* Added support for custom labels when using rsa_rsaes_oaep_encrypt()
|
||
or rsa_rsaes_oaep_decrypt()
|
||
* Re-added handling for SSLv2 Client Hello when the define
|
||
POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
|
||
* The SSL session cache module (ssl_cache) now also retains peer_cert
|
||
information (not the entire chain)
|
||
|
||
Security
|
||
* Removed further timing differences during SSL message decryption in
|
||
ssl_decrypt_buf()
|
||
* Removed timing differences due to bad padding from
|
||
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
|
||
operations
|
||
|
||
= Version 1.2.5 released 2013-02-02
|
||
Changes
|
||
* Allow enabling of dummy error_strerror() to support some use-cases
|
||
* Debug messages about padding errors during SSL message decryption are
|
||
disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
|
||
* Sending of security-relevant alert messages that do not break
|
||
interoperability can be switched on/off with the flag
|
||
POLARSSL_SSL_ALL_ALERT_MESSAGES
|
||
|
||
Security
|
||
* Removed timing differences during SSL message decryption in
|
||
ssl_decrypt_buf() due to badly formatted padding
|
||
|
||
= Version 1.2.4 released 2013-01-25
|
||
Changes
|
||
* More advanced SSL ciphersuite representation and moved to more dynamic
|
||
SSL core
|
||
* Added ssl_handshake_step() to allow single stepping the handshake process
|
||
|
||
Bugfix
|
||
* Memory leak when using RSA_PKCS_V21 operations fixed
|
||
* Handle future version properly in ssl_write_certificate_request()
|
||
* Correctly handle CertificateRequest message in client for <= TLS 1.1
|
||
without DN list
|
||
|
||
= Version 1.2.3 released 2012-11-26
|
||
Bugfix
|
||
* Server not always sending correct CertificateRequest message
|
||
|
||
= Version 1.2.2 released 2012-11-24
|
||
Changes
|
||
* Added p_hw_data to ssl_context for context specific hardware acceleration
|
||
data
|
||
* During verify trust-CA is only checked for expiration and CRL presence
|
||
|
||
Bugfixes
|
||
* Fixed client authentication compatibility
|
||
* Fixed dependency on POLARSSL_SHA4_C in SSL modules
|
||
|
||
= Version 1.2.1 released 2012-11-20
|
||
Changes
|
||
* Depth that the certificate verify callback receives is now numbered
|
||
bottom-up (Peer cert depth is 0)
|
||
|
||
Bugfixes
|
||
* Fixes for MSVC6
|
||
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
|
||
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
|
||
Pégourié-Gonnard)
|
||
* Fixed possible segfault in mpi_shift_r() (found by Manuel
|
||
Pégourié-Gonnard)
|
||
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
|
||
|
||
= Version 1.2.0 released 2012-10-31
|
||
Features
|
||
* Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
|
||
ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
|
||
default!
|
||
* Added support for wildcard certificates
|
||
* Added support for multi-domain certificates through the X509 Subject
|
||
Alternative Name extension
|
||
* Added preliminary ASN.1 buffer writing support
|
||
* Added preliminary X509 Certificate Request writing support
|
||
* Added key_app_writer example application
|
||
* Added cert_req example application
|
||
* Added base Galois Counter Mode (GCM) for AES
|
||
* Added TLS 1.2 support (RFC 5246)
|
||
* Added GCM suites to TLS 1.2 (RFC 5288)
|
||
* Added commandline error code convertor (util/strerror)
|
||
* Added support for Hardware Acceleration hooking in SSL/TLS
|
||
* Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
|
||
example application (programs/ssl/o_p_test) (requires OpenSSL)
|
||
* Added X509 CA Path support
|
||
* Added Thumb assembly optimizations
|
||
* Added DEFLATE compression support as per RFC3749 (requires zlib)
|
||
* Added blowfish algorithm (Generic and cipher layer)
|
||
* Added PKCS#5 PBKDF2 key derivation function
|
||
* Added Secure Renegotiation (RFC 5746)
|
||
* Added predefined DHM groups from RFC 5114
|
||
* Added simple SSL session cache implementation
|
||
* Added ServerName extension parsing (SNI) at server side
|
||
* Added option to add minimum accepted SSL/TLS protocol version
|
||
|
||
Changes
|
||
* Removed redundant POLARSSL_DEBUG_MSG define
|
||
* AES code only check for Padlock once
|
||
* Fixed const-correctness mpi_get_bit()
|
||
* Documentation for mpi_lsb() and mpi_msb()
|
||
* Moved out_msg to out_hdr + 32 to support hardware acceleration
|
||
* Changed certificate verify behaviour to comply with RFC 6125 section 6.3
|
||
to not match CN if subjectAltName extension is present (Closes ticket #56)
|
||
* Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
|
||
POLARSSL_MODE_CFB, to also handle different block size CFB modes.
|
||
* Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
|
||
* Revamped session resumption handling
|
||
* Generalized external private key implementation handling (like PKCS#11)
|
||
in SSL/TLS
|
||
* Revamped x509_verify() and the SSL f_vrfy callback implementations
|
||
* Moved from unsigned long to fixed width uint32_t types throughout code
|
||
* Renamed ciphersuites naming scheme to IANA reserved names
|
||
|
||
Bugfix
|
||
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
|
||
Hui Dong)
|
||
* Fixed potential heap corruption in x509_name allocation
|
||
* Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
|
||
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
|
||
#52)
|
||
* Handle encryption with private key and decryption with public key as per
|
||
RFC 2313
|
||
* Handle empty certificate subject names
|
||
* Prevent reading over buffer boundaries on X509 certificate parsing
|
||
* mpi_add_abs() now correctly handles adding short numbers to long numbers
|
||
with carry rollover (found by Ruslan Yushchenko)
|
||
* Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
|
||
* Fixed MPI assembly for SPARC64 platform
|
||
|
||
Security
|
||
* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
|
||
Vanderbeken)
|
||
|
||
= Version 1.1.8 released on 2013-10-01
|
||
Bugfix
|
||
* Fixed potential memory leak when failing to resume a session
|
||
* Fixed potential file descriptor leaks
|
||
|
||
Security
|
||
* Potential buffer-overflow for ssl_read_record() (independently found by
|
||
both TrustInSoft and Paul Brodeur of Leviathan Security Group)
|
||
* Potential negative value misinterpretation in load_file()
|
||
* Potential heap buffer overflow on large hostname setting
|
||
|
||
= Version 1.1.7 released on 2013-06-19
|
||
Changes
|
||
* HAVEGE random generator disabled by default
|
||
|
||
Bugfix
|
||
* x509parse_crt() now better handles PEM error situations
|
||
* ssl_parse_certificate() now calls x509parse_crt_der() directly
|
||
instead of the x509parse_crt() wrapper that can also parse PEM
|
||
certificates
|
||
* Fixed values for 2-key Triple DES in cipher layer
|
||
* ssl_write_certificate_request() can handle empty ca_chain
|
||
|
||
Security
|
||
* A possible DoS during the SSL Handshake, due to faulty parsing of
|
||
PEM-encoded certificates has been fixed (found by Jack Lloyd)
|
||
|
||
= Version 1.1.6 released on 2013-03-11
|
||
Bugfix
|
||
* Fixed net_bind() for specified IP addresses on little endian systems
|
||
|
||
Changes
|
||
* Allow enabling of dummy error_strerror() to support some use-cases
|
||
* Debug messages about padding errors during SSL message decryption are
|
||
disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
|
||
|
||
Security
|
||
* Removed timing differences during SSL message decryption in
|
||
ssl_decrypt_buf()
|
||
* Removed timing differences due to bad padding from
|
||
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
|
||
operations
|
||
|
||
= Version 1.1.5 released on 2013-01-16
|
||
Bugfix
|
||
* Fixed MPI assembly for SPARC64 platform
|
||
* Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
|
||
* mpi_add_abs() now correctly handles adding short numbers to long numbers
|
||
with carry rollover
|
||
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
|
||
* Prevent reading over buffer boundaries on X509 certificate parsing
|
||
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
|
||
#52)
|
||
* Fixed possible segfault in mpi_shift_r() (found by Manuel
|
||
Pégourié-Gonnard)
|
||
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
|
||
Pégourié-Gonnard)
|
||
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
|
||
* Memory leak when using RSA_PKCS_V21 operations fixed
|
||
* Handle encryption with private key and decryption with public key as per
|
||
RFC 2313
|
||
* Fixes for MSVC6
|
||
|
||
Security
|
||
* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
|
||
Vanderbeken)
|
||
|
||
= Version 1.1.4 released on 2012-05-31
|
||
Bugfix
|
||
* Correctly handle empty SSL/TLS packets (Found by James Yonan)
|
||
* Fixed potential heap corruption in x509_name allocation
|
||
* Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
|
||
|
||
= Version 1.1.3 released on 2012-04-29
|
||
Bugfix
|
||
* Fixed random MPI generation to not generate more size than requested.
|
||
|
||
= Version 1.1.2 released on 2012-04-26
|
||
Bugfix
|
||
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
|
||
Hui Dong)
|
||
|
||
Security
|
||
* Fixed potential memory corruption on miscrafted client messages (found by
|
||
Frama-C team at CEA LIST)
|
||
* Fixed generation of DHM parameters to correct length (found by Ruslan
|
||
Yushchenko)
|
||
|
||
= Version 1.1.1 released on 2012-01-23
|
||
Bugfix
|
||
* Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
|
||
(Closes ticket #47, found by Hugo Leisink)
|
||
* Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
|
||
* Fixed multiple compiler warnings for VS6 and armcc
|
||
* Fixed bug in CTR_CRBG selftest
|
||
|
||
= Version 1.1.0 released on 2011-12-22
|
||
Features
|
||
* Added ssl_session_reset() to allow better multi-connection pools of
|
||
SSL contexts without needing to set all non-connection-specific
|
||
data and pointers again. Adapted ssl_server to use this functionality.
|
||
* Added ssl_set_max_version() to allow clients to offer a lower maximum
|
||
supported version to a server to help buggy server implementations.
|
||
(Closes ticket #36)
|
||
* Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
|
||
introspection functions (Closes ticket #40)
|
||
* Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
|
||
* Added a generic entropy accumulator that provides support for adding
|
||
custom entropy sources and added some generic and platform dependent
|
||
entropy sources
|
||
|
||
Changes
|
||
* Documentation for AES and Camellia in modes CTR and CFB128 clarified.
|
||
* Fixed rsa_encrypt and rsa_decrypt examples to use public key for
|
||
encryption and private key for decryption. (Closes ticket #34)
|
||
* Inceased maximum size of ASN1 length reads to 32-bits.
|
||
* Added an EXPLICIT tag number parameter to x509_get_ext()
|
||
* Added a separate CRL entry extension parsing function
|
||
* Separated the ASN.1 parsing code from the X.509 specific parsing code.
|
||
So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
|
||
* Changed the defined key-length of DES ciphers in cipher.h to include the
|
||
parity bits, to prevent mistakes in copying data. (Closes ticket #33)
|
||
* Loads of minimal changes to better support WINCE as a build target
|
||
(Credits go to Marco Lizza)
|
||
* Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
|
||
trade-off
|
||
* Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
|
||
management (Closes ticket #44)
|
||
* Changed the used random function pointer to more flexible format. Renamed
|
||
havege_rand() to havege_random() to prevent mistakes. Lots of changes as
|
||
a consequence in library code and programs
|
||
* Moved all examples programs to use the new entropy and CTR_DRBG
|
||
* Added permissive certificate parsing to x509parse_crt() and
|
||
x509parse_crtfile(). With permissive parsing the parsing does not stop on
|
||
encountering a parse-error. Beware that the meaning of return values has
|
||
changed!
|
||
* All error codes are now negative. Even on mermory failures and IO errors.
|
||
|
||
Bugfix
|
||
* Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
|
||
ticket #37)
|
||
* Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
|
||
before version numbers
|
||
* Allowed X509 key usage parsing to accept 4 byte values instead of the
|
||
standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
|
||
* Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
|
||
smaller than the hash length. (Closes ticket #41)
|
||
* If certificate serial is longer than 32 octets, serial number is now
|
||
appended with '....' after first 28 octets
|
||
* Improved build support for s390x and sparc64 in bignum.h
|
||
* Fixed MS Visual C++ name clash with int64 in sha4.h
|
||
* Corrected removal of leading "00:" in printing serial numbers in
|
||
certificates and CRLs
|
||
|
||
= Version 1.0.0 released on 2011-07-27
|
||
Features
|
||
* Expanded cipher layer with support for CFB128 and CTR mode
|
||
* Added rsa_encrypt and rsa_decrypt simple example programs.
|
||
|
||
Changes
|
||
* The generic cipher and message digest layer now have normal error
|
||
codes instead of integers
|
||
|
||
Bugfix
|
||
* Undid faulty bug fix in ssl_write() when flushing old data (Ticket
|
||
#18)
|
||
|
||
= Version 0.99-pre5 released on 2011-05-26
|
||
Features
|
||
* Added additional Cipher Block Modes to symmetric ciphers
|
||
(AES CTR, Camellia CTR, XTEA CBC) including the option to
|
||
enable and disable individual modes when needed
|
||
* Functions requiring File System functions can now be disabled
|
||
by undefining POLARSSL_FS_IO
|
||
* A error_strerror function() has been added to translate between
|
||
error codes and their description.
|
||
* Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
|
||
functions.
|
||
* Added ssl_mail_client and ssl_fork_server as example programs.
|
||
|
||
Changes
|
||
* Major argument / variable rewrite. Introduced use of size_t
|
||
instead of int for buffer lengths and loop variables for
|
||
better unsigned / signed use. Renamed internal bigint types
|
||
t_int and t_dbl to t_uint and t_udbl in the process
|
||
* mpi_init() and mpi_free() now only accept a single MPI
|
||
argument and do not accept variable argument lists anymore.
|
||
* The error codes have been remapped and combining error codes
|
||
is now done with a PLUS instead of an OR as error codes
|
||
used are negative.
|
||
* Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
|
||
net_recv() now returns 0 on EOF instead of
|
||
POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
|
||
POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
|
||
ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
|
||
after the handshake.
|
||
* Network functions now return POLARSSL_ERR_NET_WANT_READ or
|
||
POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
|
||
POLARSSL_ERR_NET_TRY_AGAIN
|
||
|
||
= Version 0.99-pre4 released on 2011-04-01
|
||
Features
|
||
* Added support for PKCS#1 v2.1 encoding and thus support
|
||
for the RSAES-OAEP and RSASSA-PSS operations.
|
||
* Reading of Public Key files incorporated into default x509
|
||
functionality as well.
|
||
* Added mpi_fill_random() for centralized filling of big numbers
|
||
with random data (Fixed ticket #10)
|
||
|
||
Changes
|
||
* Debug print of MPI now removes leading zero octets and
|
||
displays actual bit size of the value.
|
||
* x509parse_key() (and as a consequence x509parse_keyfile())
|
||
does not zeroize memory in advance anymore. Use rsa_init()
|
||
before parsing a key or keyfile!
|
||
|
||
Bugfix
|
||
* Debug output of MPI's now the same independent of underlying
|
||
platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
|
||
Kiilerich and Mihai Militaru)
|
||
* Fixed bug in ssl_write() when flushing old data (Fixed ticket
|
||
#18, found by Nikolay Epifanov)
|
||
* Fixed proper handling of RSASSA-PSS verification with variable
|
||
length salt lengths
|
||
|
||
= Version 0.99-pre3 released on 2011-02-28
|
||
This release replaces version 0.99-pre2 which had possible copyright issues.
|
||
Features
|
||
* Parsing PEM private keys encrypted with DES and AES
|
||
are now supported as well (Fixes ticket #5)
|
||
* Added crl_app program to allow easy reading and
|
||
printing of X509 CRLs from file
|
||
|
||
Changes
|
||
* Parsing of PEM files moved to separate module (Fixes
|
||
ticket #13). Also possible to remove PEM support for
|
||
systems only using DER encoding
|
||
|
||
Bugfixes
|
||
* Corrected parsing of UTCTime dates before 1990 and
|
||
after 1950
|
||
* Support more exotic OID's when parsing certificates
|
||
(found by Mads Kiilerich)
|
||
* Support more exotic name representations when parsing
|
||
certificates (found by Mads Kiilerich)
|
||
* Replaced the expired test certificates
|
||
* Do not bail out if no client certificate specified. Try
|
||
to negotiate anonymous connection (Fixes ticket #12,
|
||
found by Boris Krasnovskiy)
|
||
|
||
Security fixes
|
||
* Fixed a possible Man-in-the-Middle attack on the
|
||
Diffie Hellman key exchange (thanks to Larry Highsmith,
|
||
Subreption LLC)
|
||
|
||
= Version 0.99-pre1 released on 2011-01-30
|
||
Features
|
||
Note: Most of these features have been donated by Fox-IT
|
||
* Added Doxygen source code documentation parts
|
||
* Added reading of DHM context from memory and file
|
||
* Improved X509 certificate parsing to include extended
|
||
certificate fields, including Key Usage
|
||
* Improved certificate verification and verification
|
||
against the available CRLs
|
||
* Detection for DES weak keys and parity bits added
|
||
* Improvements to support integration in other
|
||
applications:
|
||
+ Added generic message digest and cipher wrapper
|
||
+ Improved information about current capabilities,
|
||
status, objects and configuration
|
||
+ Added verification callback on certificate chain
|
||
verification to allow external blacklisting
|
||
+ Additional example programs to show usage
|
||
* Added support for PKCS#11 through the use of the
|
||
libpkcs11-helper library
|
||
|
||
Changes
|
||
* x509parse_time_expired() checks time in addition to
|
||
the existing date check
|
||
* The ciphers member of ssl_context and the cipher member
|
||
of ssl_session have been renamed to ciphersuites and
|
||
ciphersuite respectively. This clarifies the difference
|
||
with the generic cipher layer and is better naming
|
||
altogether
|
||
|
||
= Version 0.14.0 released on 2010-08-16
|
||
Features
|
||
* Added support for SSL_EDH_RSA_AES_128_SHA and
|
||
SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
|
||
* Added compile-time and run-time version information
|
||
* Expanded ssl_client2 arguments for more flexibility
|
||
* Added support for TLS v1.1
|
||
|
||
Changes
|
||
* Made Makefile cleaner
|
||
* Removed dependency on rand() in rsa_pkcs1_encrypt().
|
||
Now using random fuction provided to function and
|
||
changed the prototype of rsa_pkcs1_encrypt(),
|
||
rsa_init() and rsa_gen_key().
|
||
* Some SSL defines were renamed in order to avoid
|
||
future confusion
|
||
|
||
Bug fixes
|
||
* Fixed CMake out of source build for tests (found by
|
||
kkert)
|
||
* rsa_check_private() now supports PKCS1v2 keys as well
|
||
* Fixed deadlock in rsa_pkcs1_encrypt() on failing random
|
||
generator
|
||
|
||
= Version 0.13.1 released on 2010-03-24
|
||
Bug fixes
|
||
* Fixed Makefile in library that was mistakenly merged
|
||
* Added missing const string fixes
|
||
|
||
= Version 0.13.0 released on 2010-03-21
|
||
Features
|
||
* Added option parsing for host and port selection to
|
||
ssl_client2
|
||
* Added support for GeneralizedTime in X509 parsing
|
||
* Added cert_app program to allow easy reading and
|
||
printing of X509 certificates from file or SSL
|
||
connection.
|
||
|
||
Changes
|
||
* Added const correctness for main code base
|
||
* X509 signature algorithm determination is now
|
||
in a function to allow easy future expansion
|
||
* Changed symmetric cipher functions to
|
||
identical interface (returning int result values)
|
||
* Changed ARC4 to use separate input/output buffer
|
||
* Added reset function for HMAC context as speed-up
|
||
for specific use-cases
|
||
|
||
Bug fixes
|
||
* Fixed bug resulting in failure to send the last
|
||
certificate in the chain in ssl_write_certificate() and
|
||
ssl_write_certificate_request() (found by fatbob)
|
||
* Added small fixes for compiler warnings on a Mac
|
||
(found by Frank de Brabander)
|
||
* Fixed algorithmic bug in mpi_is_prime() (found by
|
||
Smbat Tonoyan)
|
||
|
||
= Version 0.12.1 released on 2009-10-04
|
||
Changes
|
||
* Coverage test definitions now support 'depends_on'
|
||
tagging system.
|
||
* Tests requiring specific hashing algorithms now honor
|
||
the defines.
|
||
|
||
Bug fixes
|
||
* Changed typo in #ifdef in x509parse.c (found
|
||
by Eduardo)
|
||
|
||
= Version 0.12.0 released on 2009-07-28
|
||
Features
|
||
* Added CMake makefiles as alternative to regular Makefiles.
|
||
* Added preliminary Code Coverage tests for AES, ARC4,
|
||
Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
|
||
Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
|
||
and X509parse.
|
||
|
||
Changes
|
||
* Error codes are not (necessarily) negative. Keep
|
||
this is mind when checking for errors.
|
||
* RSA_RAW renamed to SIG_RSA_RAW for consistency.
|
||
* Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
|
||
* Changed interface for AES and Camellia setkey functions
|
||
to indicate invalid key lengths.
|
||
|
||
Bug fixes
|
||
* Fixed include location of endian.h on FreeBSD (found by
|
||
Gabriel)
|
||
* Fixed include location of endian.h and name clash on
|
||
Apples (found by Martin van Hensbergen)
|
||
* Fixed HMAC-MD2 by modifying md2_starts(), so that the
|
||
required HMAC ipad and opad variables are not cleared.
|
||
(found by code coverage tests)
|
||
* Prevented use of long long in bignum if
|
||
POLARSSL_HAVE_LONGLONG not defined (found by Giles
|
||
Bathgate).
|
||
* Fixed incorrect handling of negative strings in
|
||
mpi_read_string() (found by code coverage tests).
|
||
* Fixed segfault on handling empty rsa_context in
|
||
rsa_check_pubkey() and rsa_check_privkey() (found by
|
||
code coverage tests).
|
||
* Fixed incorrect handling of one single negative input
|
||
value in mpi_add_abs() (found by code coverage tests).
|
||
* Fixed incorrect handling of negative first input
|
||
value in mpi_sub_abs() (found by code coverage tests).
|
||
* Fixed incorrect handling of negative first input
|
||
value in mpi_mod_mpi() and mpi_mod_int(). Resulting
|
||
change also affects mpi_write_string() (found by code
|
||
coverage tests).
|
||
* Corrected is_prime() results for 0, 1 and 2 (found by
|
||
code coverage tests).
|
||
* Fixed Camellia and XTEA for 64-bit Windows systems.
|
||
|
||
= Version 0.11.1 released on 2009-05-17
|
||
* Fixed missing functionality for SHA-224, SHA-256, SHA384,
|
||
SHA-512 in rsa_pkcs1_sign()
|
||
|
||
= Version 0.11.0 released on 2009-05-03
|
||
* Fixed a bug in mpi_gcd() so that it also works when both
|
||
input numbers are even and added testcases to check
|
||
(found by Pierre Habouzit).
|
||
* Added support for SHA-224, SHA-256, SHA-384 and SHA-512
|
||
one way hash functions with the PKCS#1 v1.5 signing and
|
||
verification.
|
||
* Fixed minor bug regarding mpi_gcd located within the
|
||
POLARSSL_GENPRIME block.
|
||
* Fixed minor memory leak in x509parse_crt() and added better
|
||
handling of 'full' certificate chains (found by Mathias
|
||
Olsson).
|
||
* Centralized file opening and reading for x509 files into
|
||
load_file()
|
||
* Made definition of net_htons() endian-clean for big endian
|
||
systems (Found by Gernot).
|
||
* Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
|
||
padlock and timing code.
|
||
* Fixed an off-by-one buffer allocation in ssl_set_hostname()
|
||
responsible for crashes and unwanted behaviour.
|
||
* Added support for Certificate Revocation List (CRL) parsing.
|
||
* Added support for CRL revocation to x509parse_verify() and
|
||
SSL/TLS code.
|
||
* Fixed compatibility of XTEA and Camellia on a 64-bit system
|
||
(found by Felix von Leitner).
|
||
|
||
= Version 0.10.0 released on 2009-01-12
|
||
* Migrated XySSL to PolarSSL
|
||
* Added XTEA symmetric cipher
|
||
* Added Camellia symmetric cipher
|
||
* Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
|
||
SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA
|
||
* Fixed dangerous bug that can cause a heap overflow in
|
||
rsa_pkcs1_decrypt (found by Christophe Devine)
|
||
|
||
================================================================
|
||
XySSL ChangeLog
|
||
|
||
= Version 0.9 released on 2008-03-16
|
||
|
||
* Added support for ciphersuite: SSL_RSA_AES_128_SHA
|
||
* Enabled support for large files by default in aescrypt2.c
|
||
* Preliminary openssl wrapper contributed by David Barrett
|
||
* Fixed a bug in ssl_write() that caused the same payload to
|
||
be sent twice in non-blocking mode when send returns EAGAIN
|
||
* Fixed ssl_parse_client_hello(): session id and challenge must
|
||
not be swapped in the SSLv2 ClientHello (found by Greg Robson)
|
||
* Added user-defined callback debug function (Krystian Kolodziej)
|
||
* Before freeing a certificate, properly zero out all cert. data
|
||
* Fixed the "mode" parameter so that encryption/decryption are
|
||
not swapped on PadLock; also fixed compilation on older versions
|
||
of gcc (bug reported by David Barrett)
|
||
* Correctly handle the case in padlock_xcryptcbc() when input or
|
||
output data is non-aligned by falling back to the software
|
||
implementation, as VIA Nehemiah cannot handle non-aligned buffers
|
||
* Fixed a memory leak in x509parse_crt() which was reported by Greg
|
||
Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
|
||
Matthew Page who reported several bugs
|
||
* Fixed x509_get_ext() to accept some rare certificates which have
|
||
an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
|
||
* Added support on the client side for the TLS "hostname" extension
|
||
(patch contributed by David Patino)
|
||
* Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
|
||
string is passed as the CN (bug reported by spoofy)
|
||
* Added an option to enable/disable the BN assembly code
|
||
* Updated rsa_check_privkey() to verify that (D*E) = 1 % (P-1)*(Q-1)
|
||
* Disabled obsolete hash functions by default (MD2, MD4); updated
|
||
selftest and benchmark to not test ciphers that have been disabled
|
||
* Updated x509parse_cert_info() to correctly display byte 0 of the
|
||
serial number, setup correct server port in the ssl client example
|
||
* Fixed a critical denial-of-service with X.509 cert. verification:
|
||
peer may cause xyssl to loop indefinitely by sending a certificate
|
||
for which the RSA signature check fails (bug reported by Benoit)
|
||
* Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
|
||
HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
|
||
* Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
|
||
* Modified ssl_parse_client_key_exchange() to protect against
|
||
Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
|
||
as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
|
||
* Updated rsa_gen_key() so that ctx->N is always nbits in size
|
||
* Fixed assembly PPC compilation errors on Mac OS X, thanks to
|
||
David Barrett and Dusan Semen
|
||
|
||
= Version 0.8 released on 2007-10-20
|
||
|
||
* Modified the HMAC functions to handle keys larger
|
||
than 64 bytes, thanks to Stephane Desneux and gary ng
|
||
* Fixed ssl_read_record() to properly update the handshake
|
||
message digests, which fixes IE6/IE7 client authentication
|
||
* Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
|
||
* Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
|
||
* Added user-defined callbacks for handling I/O and sessions
|
||
* Added lots of debugging output in the SSL/TLS functions
|
||
* Added preliminary X.509 cert. writing by Pascal Vizeli
|
||
* Added preliminary support for the VIA PadLock routines
|
||
* Added AES-CFB mode of operation, contributed by chmike
|
||
* Added an SSL/TLS stress testing program (ssl_test.c)
|
||
* Updated the RSA PKCS#1 code to allow choosing between
|
||
RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
|
||
* Updated ssl_read() to skip 0-length records from OpenSSL
|
||
* Fixed the make install target to comply with *BSD make
|
||
* Fixed a bug in mpi_read_binary() on 64-bit platforms
|
||
* mpi_is_prime() speedups, thanks to Kevin McLaughlin
|
||
* Fixed a long standing memory leak in mpi_is_prime()
|
||
* Replaced realloc with malloc in mpi_grow(), and set
|
||
the sign of zero as positive in mpi_init() (reported
|
||
by Jonathan M. McCune)
|
||
|
||
= Version 0.7 released on 2007-07-07
|
||
|
||
* Added support for the MicroBlaze soft-core processor
|
||
* Fixed a bug in ssl_tls.c which sometimes prevented SSL
|
||
connections from being established with non-blocking I/O
|
||
* Fixed a couple bugs in the VS6 and UNIX Makefiles
|
||
* Fixed the "PIC register ebx clobbered in asm" bug
|
||
* Added HMAC starts/update/finish support functions
|
||
* Added the SHA-224, SHA-384 and SHA-512 hash functions
|
||
* Fixed the net_set_*block routines, thanks to Andreas
|
||
* Added a few demonstration programs: md5sum, sha1sum,
|
||
dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify
|
||
* Added new bignum import and export helper functions
|
||
* Rewrote README.txt in program/ssl/ca to better explain
|
||
how to create a test PKI
|
||
|
||
= Version 0.6 released on 2007-04-01
|
||
|
||
* Ciphers used in SSL/TLS can now be disabled at compile
|
||
time, to reduce the memory footprint on embedded systems
|
||
* Added multiply assembly code for the TriCore and modified
|
||
havege_struct for this processor, thanks to David Patiño
|
||
* Added multiply assembly code for 64-bit PowerPCs,
|
||
thanks to Peking University and the OSU Open Source Lab
|
||
* Added experimental support of Quantum Cryptography
|
||
* Added support for autoconf, contributed by Arnaud Cornet
|
||
* Fixed "long long" compilation issues on IA-64 and PPC64
|
||
* Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
|
||
was not being correctly defined on ARM and MIPS
|
||
|
||
= Version 0.5 released on 2007-03-01
|
||
|
||
* Added multiply assembly code for SPARC and Alpha
|
||
* Added (beta) support for non-blocking I/O operations
|
||
* Implemented session resuming and client authentication
|
||
* Fixed some portability issues on WinCE, MINIX 3, Plan9
|
||
(thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
|
||
* Improved the performance of the EDH key exchange
|
||
* Fixed a bug that caused valid packets with a payload
|
||
size of 16384 bytes to be rejected
|
||
|
||
= Version 0.4 released on 2007-02-01
|
||
|
||
* Added support for Ephemeral Diffie-Hellman key exchange
|
||
* Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
|
||
* Various improvement to the modular exponentiation code
|
||
* Rewrote the headers to generate the API docs with doxygen
|
||
* Fixed a bug in ssl_encrypt_buf (incorrect padding was
|
||
generated) and in ssl_parse_client_hello (max. client
|
||
version was not properly set), thanks to Didier Rebeix
|
||
* Fixed another bug in ssl_parse_client_hello: clients with
|
||
cipherlists larger than 96 bytes were incorrectly rejected
|
||
* Fixed a couple memory leak in x509_read.c
|
||
|
||
= Version 0.3 released on 2007-01-01
|
||
|
||
* Added server-side SSLv3 and TLSv1.0 support
|
||
* Multiple fixes to enhance the compatibility with g++,
|
||
thanks to Xosé Antón Otero Ferreira
|
||
* Fixed a bug in the CBC code, thanks to dowst; also,
|
||
the bignum code is no longer dependent on long long
|
||
* Updated rsa_pkcs1_sign to handle arbitrary large inputs
|
||
* Updated timing.c for improved compatibility with i386
|
||
and 486 processors, thanks to Arnaud Cornet
|
||
|
||
= Version 0.2 released on 2006-12-01
|
||
|
||
* Updated timing.c to support ARM and MIPS arch
|
||
* Updated the MPI code to support 8086 on MSVC 1.5
|
||
* Added the copyright notice at the top of havege.h
|
||
* Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
|
||
* Fixed a bug reported by Adrian Rüegsegger in x509_read_key
|
||
* Fixed a bug reported by Torsten Lauter in ssl_read_record
|
||
* Fixed a bug in rsa_check_privkey that would wrongly cause
|
||
valid RSA keys to be dismissed (thanks to oldwolf)
|
||
* Fixed a bug in mpi_is_prime that caused some primes to fail
|
||
the Miller-Rabin primality test
|
||
|
||
I'd also like to thank Younès Hafri for the CRUX linux port,
|
||
Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet
|
||
who maintains the Debian package :-)
|
||
|
||
= Version 0.1 released on 2006-11-01
|