
Releases: Mbed-TLS/mbedtls

Mbed TLS 3.5.2

26 Jan 10:18

Description

This release of Mbed TLS provides fixes for security issues.

Security Advisories

For full details, please see the following link:

Release Notes

Security

  • Fix a timing side channel in private key RSA operations. This side channel
    could be sufficient for an attacker to recover the plaintext. A local
    attacker or a remote attacker who is close to the victim on the network
    might have precise enough timing measurements to exploit this. It requires
    the attacker to send a large number of messages for decryption. For
    details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
    by Hubert Kario, Red Hat.
  • Fix a failure to validate input when writing X.509 extension lengths,
    which could result in an integer overflow, causing a zero-length buffer to
    be allocated to hold the extension. The extension would then be copied
    into the buffer, causing a heap buffer overflow.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

35890edf1a2c7a7e29eac3118d43302c3e1173e0df0ebaf5db56126dabe5bb05 v3.5.2.tar.gz
eedecc468b3f8d052ef05a9d42bf63f04c8a1c50d1c5a94c251c681365a2c723 mbedtls-3.5.2.tar.gz

55c1525e7d5de18b84a1d1e5540950b4a3bac70e02889cf309919b2877cba63b v3.5.2.zip
fea0c12622044ef0d594361e83b2c2b5e4ca56bc1b44126ccca50872c7d6d4f6 mbedtls-3.5.2.zip

The URLs below point to the archives named vX.Y.Z.... When checking hashes, please be aware that due to GitHub's use of the Content-Disposition header, some clients will download the vX.Y.Z... archive and save it with the filename mbedtls-X.Y.Z....

Mbed TLS 2.28.7

26 Jan 10:18

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-term support branch. It will receive bug fixes and security fixes until the end of 2024.

Security Advisories

For full details, please see the following links:

Release Notes

Security

  • Fix a timing side channel in private key RSA operations. This side channel
    could be sufficient for an attacker to recover the plaintext. A local
    attacker or a remote attacker who is close to the victim on the network
    might have precise enough timing measurements to exploit this. It requires
    the attacker to send a large number of messages for decryption. For
    details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
    by Hubert Kario, Red Hat.
  • Fix a failure to validate input when writing X.509 extension lengths,
    which could result in an integer overflow, causing a zero-length buffer to
    be allocated to hold the extension. The extension would then be copied
    into the buffer, causing a heap buffer overflow.
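The length-handling defect class described in the X.509 extension note above (the same fix appears in the 3.5.2 and 2.28.7 notes), as an added illustration that is not Mbed TLS's code: the unchecked size computation shows how an attacker-controlled length wraps to zero, and the hardened version rejects the length before anything is allocated or copied. The one-byte flag stored ahead of the value and the 64 KiB cap are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not Mbed TLS's code. An extension value of
 * val_len bytes is stored behind a one-byte "critical" flag (an assumption
 * made for this example), so the buffer holding it must be val_len + 1 bytes. */

#define EXT_MAX_LEN ((size_t) 65536)   /* constructed sanity cap for one extension value */

/* Unchecked size computation: with val_len == SIZE_MAX the sum wraps to 0,
 * so a caller would allocate a zero-length buffer and then copy val_len
 * bytes into it, which is the heap overflow the release note describes. */
static size_t ext_alloc_len_unchecked(size_t val_len)
{
    return val_len + 1;
}

/* Hardened size computation: reject any length that cannot be extended by
 * the flag byte without wrapping, and cap it at a size no real extension
 * approaches. Returns 0 on success and -1 on rejection. */
static int ext_alloc_len_checked(size_t val_len, size_t *out_len)
{
    if (val_len > SIZE_MAX - 1 || val_len > EXT_MAX_LEN) {
        return -1;
    }
    *out_len = val_len + 1;
    return 0;
}

/* Validates the length, allocates flag + value, fills the buffer and releases
 * it again (a self-checking demo). Returns the buffer size written, or -1
 * if the length was rejected before any allocation or copy took place. */
static long ext_store(int critical, const unsigned char *val, size_t val_len)
{
    size_t need;
    if (ext_alloc_len_checked(val_len, &need) != 0) {
        return -1;                          /* rejected before malloc/memcpy */
    }
    unsigned char *buf = malloc(need);
    if (buf == NULL) {
        return -1;
    }
    buf[0] = (unsigned char) (critical != 0);
    memcpy(buf + 1, val, val_len);          /* safe: buf holds val_len + 1 bytes */
    long stored = (long) need;
    free(buf);
    return stored;
}

/* Constructed sample value: a DER BOOLEAN TRUE, as found in basicConstraints. */
static const unsigned char SAMPLE_VAL[3] = { 0x01, 0x01, 0xFF };

int main(void)
{
    printf("unchecked size for SIZE_MAX: %zu (wrapped to zero)\n",
           ext_alloc_len_unchecked(SIZE_MAX));
    printf("checked store of SIZE_MAX bytes: %ld (rejected)\n",
           ext_store(1, NULL, SIZE_MAX));
    printf("checked store of sample value: %ld bytes\n",
           ext_store(1, SAMPLE_VAL, sizeof SAMPLE_VAL));
    return 0;
}
```

The point to carry over to any TLV writer is the order of operations: the bound on the length is checked on the caller's value, not on the already-wrapped sum, and it is checked before the allocation whose size depends on it.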

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

4390bc4ab1ea9a1ddf3725f540d0f80838c656d1d7987a1cee8b4da43e4571de mbedtls-2.28.7.tar.gz
1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a v2.28.7.tar.gz

12f6e95435aa7510f74938fb1464d58c569c4b298b7044b7940758bbf6d5da04 mbedtls-2.28.7.zip
527ff2472f6c51436808242f4b626500555145a472ca0a2f30a3e68d52d9806e v2.28.7.zip

The URLs below point to the archives named vX.Y.Z.... When checking hashes, please be aware that due to GitHub's use of the Content-Disposition header, some clients will download the vX.Y.Z... archive and save it with the filename mbedtls-X.Y.Z....

Mbed TLS 3.5.1

08 Nov 18:00

Description

This release of Mbed TLS provides a license update and a bug fix.

Release Notes

Changes

  • Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
    license. Users may choose which license they take the code under.

Bugfix

  • Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
    in CMake.

Who should update

We recommend all users should update at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:
2597419f1a4a79dd28e6f5edc5180aff7e83bd85548437e07dcf9f808ceccb76 mbedtls-3.5.1.tar.gz
959a492721ba036afc21f04d1836d874f93ac124cf47cf62c9bcd3a753e49bdb mbedtls-3.5.1.zip

Mbed TLS 2.28.6

08 Nov 18:00

Description

This release of Mbed TLS updates the license, but contains no other changes from 2.28.5.

Changes

  • Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
    license. Users may choose which license they take the code under.

Who should update

We recommend that users who need to take Mbed TLS under the GPL-2.0-or-later license update.

Checksum

The SHA256 hashes for the archives are:
737b088bb8877ff8f0fc404ebbc48f82486df3da4bfd5b28fa208a5967e42fb3 mbedtls-2.28.6.tar.gz
79e7679a1e88db56ee7c6e352ae6d24d67db2c2d102443343ea8938baa578d59 mbedtls-2.28.6.zip

Mbed TLS 3.5.0

05 Oct 17:14
1ec6906

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

This release brings in significant code-size reductions, partly depending on configuration. In particular, the new options MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_PSA_P256M_DRIVER_ENABLED may help you save code size.

Security Advisories

For full details, please see the following links:

Release Notes

API changes

  • Mbed TLS 3.4 introduced support for omitting the built-in implementation
    of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
    there was a flaw in the logic that checked whether the built-in
    implementation could be omitted: it failed to check whether all the
    relevant curves were supported by the accelerator. As a result, it was
    possible to declare no curves as accelerated and still have the built-in
    implementation compiled out. Starting with this release, it is necessary
    to declare which curves are accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx
    macros), or they will be considered not accelerated, and the built-in
    implementation of the curves and any algorithm possible using them will
    be included in the build.
  • Add new millisecond time type mbedtls_ms_time_t and mbedtls_ms_time()
    function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
    can be created using an ALT interface.

Requirement changes

  • Officially require Python 3.8 now that earlier versions are out of support.
  • The minimum required Windows version is now Windows Vista or
    Windows Server 2008.

New deprecations

  • PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
    MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
    are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
    MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
    IMPORT, EXPORT, GENERATE, DERIVE. The goal is to describe the
    capabilities of the PSA side for each key type in finer detail.
  • MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
    MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
    maximum size of any supported block cipher) or the new name
    MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
    maximum size of a block cipher supported by the CMAC module).
  • mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
    deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
    mbedtls_pkcs12_pbe_ext() as they offer more security by checking
    for overflow of the output buffer and reporting the actual length
    of the output.

Features

  • All modules that use hashes or HMAC can now take advantage of PSA Crypto
    drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
    been called. Previously (in 3.3), this was restricted to a few modules,
    and only in builds where MBEDTLS_MD_C was disabled; in particular the
    entropy module was not covered, which meant an external RNG had to be
    provided. These limitations are lifted in this version. A new set of
    feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
    to check for availability of hash algorithms, regardless of whether
    they're provided by a built-in implementation, a driver or both. See
    docs/driver-only-builds.md.
  • When a PSA driver for ECDH is present, it is now possible to disable
    MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
    key exchanges based on ECDH(E) to work, this requires
    MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
    TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
    as PSA does not have an API for restartable ECDH yet.
  • When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
    a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
    if not required by another module) and still get support for ECC keys and
    algorithms in PSA, with some limitations. See docs/driver-only-builds.md
    for details.
  • Add parsing of directoryName subtype for subjectAltName extension in
    x509 certificates.
  • Add support for server-side TLS version negotiation. If both TLS 1.2 and
    TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
    TLS 1.3 depending on the capabilities and preferences of TLS clients.
    Fixes #6867.
  • X.509 hostname verification now supports IPAddress Subject Alternate Names.
  • Add support for reading and writing X25519 and X448
    public and private keys in RFC 8410 format using the existing PK APIs.
  • When parsing X.509 certificates, support the extensions
    SignatureKeyIdentifier and AuthorityKeyIdentifier.
  • Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc.)
    if no PAKE algorithms are requested.
  • Add support for the FFDH algorithm and DH key types in PSA, with
    parameters from RFC 7919. This includes a built-in implementation based
    on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
    implementations of FFDH through the driver entry points.
  • It is now possible to generate certificates with SubjectAltNames.
    Currently supported subtypes: DnsName, UniformResourceIdentifier,
    IP address, OtherName, and DirectoryName, as defined in RFC 5280.
    See mbedtls_x509write_crt_set_subject_alternative_name for
    more information.
  • X.509 hostname verification now partially supports URI Subject Alternate
    Names. Only exact matching, without any of the normalization procedures
    described in section 7.4 of RFC 5280, will result in a positive URI
    verification.
  • Add function mbedtls_oid_from_numeric_string() to parse an OID from a
    string to a DER-encoded mbedtls_asn1_buf.
  • Add SHA-3 family hash functions.
  • Add support to restrict AES to 128-bit keys in order to save code size.
    A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
    used to enable this feature.
  • AES performance improvements. Uplift varies by platform,
    toolchain, optimisation flags and mode.
    Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
    On Aarch64, uplift is typically around 20 - 110%.
    When compiling with gcc -Os on Aarch64, AES-XTS improves
    by 4.5x.
  • Add support for PBKDF2-HMAC through the PSA API.
  • New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
    MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
    or DH) were introduced in order to have finer accuracy in defining the
    PSA capabilities for each key. These capabilities, named yyy above, can be
    any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
    • DERIVE is only available for ECC keys, not for RSA or DH ones.
    • Implementations are free to enable more than what was strictly
      requested. For example, BASIC internally enables IMPORT and EXPORT
      (useful for testing purposes), but this might change in the future.
  • Add support for FFDH key exchange in TLS 1.3.
    This is automatically enabled as soon as PSA_WANT_ALG_FFDH
    and the ephemeral or psk-ephemeral key exchange mode are enabled.
    By default, all groups are offered; the list of groups can be
    configured using the existing API function mbedtls_ssl_conf_groups().
  • Improve mbedtls_x509_time performance and reduce memory use.
  • Reduce syscalls to time() during certificate verification.
  • Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
    setting the CMake variable of the same name at configuration time.
  • Add getter (mbedtls_ssl_cache_get_timeout()) to access
    mbedtls_ssl_cache_context.timeout.
  • Add getter (mbedtls_ssl_get_hostname()) to access
    mbedtls_ssl_context.hostname.
  • Add getter (mbedtls_ssl_conf_get_endpoint()) to access
    mbedtls_ssl_config.endpoint.
  • Support for "opaque" (PSA-held) ECC keys in the PK module has been
    extended: it is now possible to use mbedtls_pk_write_key_der(),
    mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
    mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
    allow it).
  • The documentation of mbedtls_ecp_group now describes the optimized
    representation of A for some curves. Fixes #8045.
  • Add the possibility to generate CSRs with the rfc822Name and directoryName
    subtypes of the subjectAltName extension in x509 certificates.
  • Add support for PBKDF2-CMAC through the PSA API.
  • New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
    using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
    disables the plain C implementation and the run-time detection for the
    CPU feature, which reduces code size and avoids the timing side-channel
    vulnerability of the plain C implementation.
  • Accept arbitrary AttributeType and AttributeValue in certificate
    Distinguished Names using RFC 4514 syntax.
  • Applications using ECC over secp256r1 through the PSA API can use a
    new implementation with a much smaller footprint, but some minor
    usage restrictions. See the documentation of the new configuration
    option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.

Security

  • Fix a case where potentially sensitive information held in memory would not
    be completely zeroized during TLS 1.2 handshake, in both server and client
    configurations.
  • In configu...

Mbed TLS 2.28.5

05 Oct 17:15
47e8cc9

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-term support branch. It will receive bug fixes and security fixes until the end of 2024.

Security Advisories

For full details, please see the following links:

Release Notes

Features

  • The documentation of mbedtls_ecp_group now describes the optimized
    representation of A for some curves. Fixes #8045.

Security

  • Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
    review the size of the output buffer passed to these functions, and note
    that the output after decryption may include CBC padding. Consider moving
    to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext(),
    which check for overflow of the output buffer and report the actual
    length of the output.
  • Improve padding calculations in CBC decryption, NIST key unwrapping and
    RSA OAEP decryption. With the previous implementation, some compilers
    (notably recent versions of Clang and IAR) could produce non-constant
    time code, which could allow a padding oracle attack if the attacker
    has access to precise timing measurements.
  • Fix a buffer overread when parsing short TLS application data records in
    ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz.
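The padding-check pattern the CBC note above is about, as an added example that is not Mbed TLS's code: a branchy PKCS#7 check whose early exits make its running time depend on the secret padding bytes, beside a branch-free one that always scans the same public window and folds every check into a mask. The sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Mbed TLS's code: two ways to validate PKCS#7 padding on
 * a CBC-decrypted buffer. The branchy version returns as soon as it finds a
 * problem, so its running time depends on the secret padding bytes. The
 * branch-free version always examines the same public window and combines
 * every check into a mask. */

#define BLOCK_SIZE 16u   /* AES block size, hence the largest valid padding length */

/* Timing-leaky check: each early return is a distinguishable timing profile. */
static long unpad_len_branchy(const unsigned char *buf, size_t len)
{
    if (len == 0) {
        return -1;
    }
    unsigned char pad = buf[len - 1];
    if (pad == 0 || pad > len || pad > BLOCK_SIZE) {
        return -1;
    }
    for (size_t i = len - pad; i < len; i++) {
        if (buf[i] != pad) {
            return -1;
        }
    }
    return (long) (len - pad);
}

/* Branch-free helpers: each returns 0xFFFFFFFF for "true" and 0 for "false". */
static uint32_t ct_nonzero_mask(uint32_t x)
{
    return 0u - ((x | (0u - x)) >> 31);          /* MSB of x | -x is set iff x != 0 */
}

static uint32_t ct_eq_mask(uint32_t a, uint32_t b)
{
    return ~ct_nonzero_mask(a ^ b);
}

static uint32_t ct_lt_mask(uint32_t a, uint32_t b)   /* a < b, for a, b < 2^31 */
{
    return 0u - ((a - b) >> 31);                  /* a - b wraps to the top half iff a < b */
}

/* Branch-free check. The buffer length is the (public) ciphertext length, so
 * deriving the scan window from it is fine; the padding bytes are secret. */
static long unpad_len_ct(const unsigned char *buf, size_t len)
{
    if (len == 0 || len > INT32_MAX) {
        return -1;
    }
    uint32_t pad = buf[len - 1];
    uint32_t bad = ct_eq_mask(pad, 0);                   /* pad == 0 */
    bad |= ct_lt_mask((uint32_t) len, pad);              /* pad > len */
    bad |= ct_lt_mask(BLOCK_SIZE, pad);                  /* pad > block size */

    /* Always look at the last BLOCK_SIZE bytes; bytes before the padding are
     * masked out of the verdict rather than skipped. */
    size_t start = len > BLOCK_SIZE ? len - BLOCK_SIZE : 0;
    for (size_t i = start; i < len; i++) {
        uint32_t in_pad = ct_lt_mask((uint32_t) (len - 1 - i), pad); /* i >= len - pad */
        bad |= in_pad & ~ct_eq_mask(buf[i], pad);
    }

    /* Select the result with masks: payload length if valid, -1 otherwise. */
    uint32_t plen = (uint32_t) len - (pad & ~bad);
    return (long) (int32_t) ((plen & ~bad) | bad);
}

/* Constructed sample inputs. */
static const unsigned char SAMPLE_GOOD[8]  = { 'h', 'e', 'l', 'l', 'o', 3, 3, 3 };
static const unsigned char SAMPLE_BAD[8]   = { 'h', 'e', 'l', 'l', 'o', 3, 2, 3 };
static const unsigned char SAMPLE_FULL[16] = { 16, 16, 16, 16, 16, 16, 16, 16,
                                               16, 16, 16, 16, 16, 16, 16, 16 };
static const unsigned char SAMPLE_LONG[2]  = { 5, 5 };             /* pad > len */
static const unsigned char SAMPLE_ZERO[4]  = { 'a', 'b', 'c', 0 }; /* pad == 0 */

int main(void)
{
    printf("good: branchy=%ld ct=%ld\n", unpad_len_branchy(SAMPLE_GOOD, 8), unpad_len_ct(SAMPLE_GOOD, 8));
    printf("bad:  branchy=%ld ct=%ld\n", unpad_len_branchy(SAMPLE_BAD, 8), unpad_len_ct(SAMPLE_BAD, 8));
    printf("full: branchy=%ld ct=%ld\n", unpad_len_branchy(SAMPLE_FULL, 16), unpad_len_ct(SAMPLE_FULL, 16));
    return 0;
}
```

Both functions agree on every verdict; the difference is only in how much work each does on the way there. As the note above says, branch-free source is necessary but not sufficient: a compiler is free to turn the mask arithmetic back into conditional jumps, so the generated code for the toolchain and flags actually in use has to be inspected as well.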

Bugfix

  • Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
    using an ECC key. The certificate was rejected by some crypto frameworks.
    Fixes #2924.
  • Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
    signature can silently return an incorrect result in low memory conditions.
  • Fix IAR compiler warnings. Fixes #7873, #4300.
  • Fix an issue when parsing an otherName subject alternative name into a
    mbedtls_x509_san_other_name struct. The type-id of the otherName was not
    copied to the struct. This meant that the struct had incomplete
    information about the otherName SAN and contained uninitialized memory.
  • Fix the detection of HardwareModuleName otherName SANs. These were being
    detected by comparing the wrong field and the check was erroneously
    inverted.
  • Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
    MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
  • Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
    error code on failure. Before, they returned 1 to indicate failure in
    some cases involving a missing entry or a full cache.

Changes

  • In configurations with ARIA or Camellia but not AES, the value of
    MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
    suggest. This did not affect any library code, because this macro was
    only used in relation with CMAC which does not support these ciphers.
    Its value is now 16 if ARIA or Camellia are present. This may affect
    application code that uses this macro.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:
dbd42a11c26143aa8de1c07fd6ec6765395e86b06f583f051cfa60e8f0b23125 mbedtls-2.28.5.tar.gz
d3a6c0a9746ccae0e36ab914064ce37b0e2d92ccca909e4fd5f8015b51f34456 mbedtls-2.28.5.zip

Mbed TLS 3.4.1

03 Aug 17:42
72718dd

Description

This release of Mbed TLS provides bug fixes and minor enhancements.

Security Advisories

There are no security advisories for this release.

Release Notes

Bugfix

  • Fix builds on Windows with clang.

Changes

  • Update test data to avoid failures of unit tests after 2023-08-07.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

a420fcf7103e54e775c383e3751729b8fb2dcd087f6165befd13f28315f754f5 mbedtls-3.4.1.tar.gz
ad10adf1f0b093302f9e74b02a5a5412274359a1f6b39034940934054ec3c7c6 mbedtls-3.4.1.zip

Mbed TLS 2.28.4

03 Aug 17:41
aeb97a1

Description

This release of Mbed TLS provides bug fixes and minor enhancements.

Mbed TLS 2.28 is a long-term support branch. It will receive bug fixes and security fixes until the end of 2024.

Security Advisories

There are no security advisories for this release.

Release Notes

Features

  • Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
    setting the CMake variable of the same name at configuration time.

Bugfix

  • Fix crypt_and_hash decryption failing when used with a stream cipher
    mode of operation because the input was not a multiple of the block
    size. Resolves #7417.
  • Fix a bug where mbedtls_x509_string_to_names() would return success
    when given an invalid name string, if it did not contain '=' or ','.
  • Fix missing PSA initialization in sample programs when
    MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Fix clang and armclang compilation error when targeting certain Arm
    M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
    SecurCore SC000). Fixes #1077.
  • Fix an issue that caused compile errors when using CMake and the IAR
    toolchain.
  • Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
  • Fix builds on Windows with clang.
  • Fix compilation warnings in aes.c for certain combinations
    of configuration options.
  • Fix a compilation error on some platforms when including mbedtls/ssl.h
    with all TLS support disabled. Fixes #6628.

Changes

  • Update test data to avoid failures of unit tests after 2023-08-07, and
    update expiring certificates in the certs module.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

578c4dcd15bbff3f5cd56aa07cd4f850fc733634e3d5947be4f7157d5bfd81ac mbedtls-2.28.4.tar.gz
c325bce754bcd26ae45af8fa38f67dcd45d2e23784cf818c4c97694903add530 mbedtls-2.28.4.zip

Mbed TLS 3.4.0

28 Mar 12:50
1873d3b

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

Security Advisories

There are no security advisories for this release.

Release Notes

Default behavior changes

  • The default priority order of TLS 1.3 cipher suites has been modified to
    follow the same rules as the TLS 1.2 cipher suites (see
    ssl_ciphersuites.c). The preferred cipher suite is now
    TLS_CHACHA20_POLY1305_SHA256.

New deprecations

  • mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
    mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
    direct dependency of X509 on BIGNUM_C.
  • PSA to mbedtls error translation is now unified in psa_util.h,
    deprecating mbedtls_md_error_from_psa. Each file that performs error
    translation should define its own version of PSA_TO_MBEDTLS_ERR,
    optionally providing file-specific error pairs. Please see psa_util.h for
    more details.

Features

  • Added partial support for parsing the PKCS #7 Cryptographic Message
    Syntax, as defined in RFC 2315. Currently, support is limited to the
    following:
    • Only the signed-data content type, version 1 is supported.
    • Only DER encoding is supported.
    • Only a single digest algorithm per message is supported.
    • Certificates must be in X.509 format. A message must have either 0
      or 1 certificates.
    • There is no support for certificate revocation lists.
    • The authenticated and unauthenticated attribute fields of SignerInfo
      must be empty.
    Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
    contributing this feature, and to Demi-Marie Obenour for contributing
    various improvements, tests and bug fixes.
  • General performance improvements by accessing multiple bytes at a time.
    Fixes #1666.
  • Improvements to use of unaligned and byte-swapped memory, reducing code
    size and improving performance (depending on compiler and target
    architecture).
  • Add support for reading points in compressed format
    (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
    (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
    (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
    except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1).
  • SHA224_C and SHA384_C are now independent from SHA256_C and SHA512_C
    respectively. This helps in saving code size when some of the above
    hashes are not required.
  • Add parsing of V3 extensions (key usage, Netscape cert-type,
    Subject Alternative Names) in x509 Certificate Sign Requests.
  • Use HOSTCC (if it is set) when compiling C code during generation of the
    configuration-independent files. This allows them to be generated when
    CC is set for cross compilation.
  • Add parsing of uniformResourceIdentifier subtype for subjectAltName
    extension in x509 certificates.
  • Add an interruptible version of sign and verify hash to the PSA interface,
    backed by internal library support for ECDSA signing and verification.
  • Add parsing of rfc822Name subtype for subjectAltName
    extension in x509 certificates.
  • The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
    MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
    the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
  • When a PSA driver for ECDSA is present, it is now possible to disable
    MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
    and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
    Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
    supported in those builds yet, as driver support for interruptible ECDSA
    operations is not present yet.
  • Add a driver dispatch layer for EC J-PAKE, enabling alternative
    implementations of EC J-PAKE through the driver entry points.
  • Add new API mbedtls_ssl_cache_remove for cache entry removal by
    its session id.
  • Add support to include the SubjectAltName extension to a CSR.
  • Add support for AES with the Armv8-A Cryptographic Extension on
    64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
    be used to enable this feature. Run-time detection is supported
    under Linux only.
  • When a PSA driver for EC J-PAKE is present, it is now possible to disable
    MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
    corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
    to be enabled.
  • Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
    to read non-public fields for padding mode and hash id from
    an mbedtls_rsa_context, as requested in #6917.
  • AES-NI is now supported with Visual Studio.
  • AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
    is disabled, when compiling with GCC or Clang or a compatible compiler
    for a target CPU that supports the requisite instructions (for example
    gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
    compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
  • It is now possible to use a PSA-held (opaque) password with the TLS 1.2
    ECJPAKE key exchange, using the new API function
    mbedtls_ssl_set_hs_ecjpake_password_opaque().

Security

  • Use platform-provided secure zeroization function where possible, such as
    explicit_bzero().
  • Zeroize SSL cache entries when they are freed.
  • Fix a potential heap buffer overread in TLS 1.3 client-side when
    MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
  • Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
    Arm, so that these systems are no longer vulnerable to timing side-channel
    attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
    Reported by Demi Marie Obenour.
  • MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
    builds that couldn't compile the GCC-style assembly implementation
    (most notably builds with Visual Studio), leaving them vulnerable to
    timing side-channel attacks. There is now an intrinsics-based AES-NI
    implementation as a fallback for when the assembly one cannot be used.

Bugfix

  • Fix possible integer overflow in mbedtls_timing_hardclock(), which
    could cause a crash in programs/test/benchmark.
  • Fix IAR compiler warnings. Fixes #6924.
  • Fix a bug in the build where directory names containing spaces were
    causing generate_errors.pl to error out resulting in a build failure.
    Fixes issue #6879.
  • In TLS 1.3, when using a ticket for session resumption, tweak its age
    calculation on the client side. This prevents a server whose ticket
    timestamps are more accurate (typically in milliseconds) than the
    Mbed TLS ticket timestamps (in seconds) from computing a ticket age
    smaller than the age computed and transmitted by the client, and thus
    potentially rejecting the ticket. Fix #6623.
  • Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
    defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
  • List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
    be toggled with config.py.
  • The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
    used on a shared secret from a key agreement since its input must be
    an ECC public key. Reject this properly.
  • mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
    whose binary representation is longer than 20 bytes. This was already
    forbidden by the standard (RFC 5280, section 4.1.2.2) and is now also
    enforced in code.
  • Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
    Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
    Aaron Ucko under Valgrind.
  • Fix behavior of certain sample programs which could, when run with no
    arguments, access uninitialized memory in some cases. Fixes #6700 (which
    was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
  • Fix parsing of X.509 SubjectAlternativeName extension. Previously,
    malformed alternative name components were not caught during initial
    certificate parsing, but only on subsequent calls to
    mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
  • Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
    possible to verify RSA PSS signatures with the pk module, which was
    inadvertently broken since Mbed TLS 3.0.
  • Fix bug in conversion from OID to string in
    mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
    correctly.
  • Reject OIDs with overlong-encoded subidentifiers when converting
    them to a string.
  • Reject OIDs with subidentifier values exceeding UINT_MAX. Such
    subidentifiers can be valid, but Mbed TLS cannot currently handle them.
  • Reject OIDs that have unterminated subidentifiers, or (equivalently)
    have the most-significant bit set in their last byte.
  • Silence warnings from clang -Wdocumentation about empty \retval
    descriptions, which started appearing with Clang 15. Fixes #6960.
  • Fix the handling of renegotiation attempts in TLS 1.3. They are now
    systematically rejected.
  • Fix an unused-variable warning in TLS 1.3-only builds if
    MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
  • Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
    the len argument is 0 and the buffer is NULL.
  • Allow setting user and peer identifiers for EC J-PAK...

Mbed TLS 2.28.3

28 Mar 12:50
981743d

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-term support branch. It will receive bug fixes and security fixes until the end of 2024.

Security Advisories

There are no security advisories for this release.

Release Notes

Features

  • Use HOSTCC (if it is set) when compiling C code during generation of the
    configuration-independent files. This allows them to be generated when
    CC is set for cross compilation.
  • AES-NI is now supported with Visual Studio.
  • AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
    is disabled, when compiling with GCC or Clang or a compatible compiler
    for a target CPU that supports the requisite instructions (for example
    gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
    compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)

Security

  • MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
    builds that couldn't compile the GCC-style assembly implementation
    (most notably builds with Visual Studio), leaving them vulnerable to
    timing side-channel attacks. There is now an intrinsics-based AES-NI
    implementation as a fallback for when the assembly one cannot be used.

Bugfix

  • Fix a build issue on Windows where the source and build directory could
    not be on different drives (#5751).
  • Fix possible integer overflow in mbedtls_timing_hardclock(), which
    could cause a crash for certain platforms & compiler options.
  • Fix IAR compiler warnings. Fixes #6924.
  • Fix a bug in the build where directory names containing spaces were
    causing generate_errors.pl to error out resulting in a build failure.
    Fixes issue #6879.
  • Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
    defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
  • Fix a build issue when defining MBEDTLS_TIMING_ALT and MBEDTLS_SELF_TEST.
    The library would not link if the user didn't provide an external self-test
    function. The self-test is now provided regardless of the choice of
    internal/alternative timing implementation. Fixes #6923.
  • mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
    whose binary representation is longer than 20 bytes. This was already
    forbidden by the standard (RFC 5280, section 4.1.2.2) and is now also
    enforced in code.
  • Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
    Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
    Aaron Ucko under Valgrind.
  • Fix behavior of certain sample programs which could, when run with no
    arguments, access uninitialized memory in some cases. Fixes #6700 (which
    was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
  • Fix build errors in test programs when MBEDTLS_CERTS_C is disabled.
    Fixes #6243.
  • Fix parsing of X.509 SubjectAlternativeName extension. Previously,
    malformed alternative name components were not caught during initial
    certificate parsing, but only on subsequent calls to
    mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
  • Fix bug in conversion from OID to string in
    mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
    correctly.
  • Reject OIDs with overlong-encoded subidentifiers when converting
    them to a string.
  • Reject OIDs with subidentifier values exceeding UINT_MAX. Such
    subidentifiers can be valid, but Mbed TLS cannot currently handle them.
  • Reject OIDs that have unterminated subidentifiers, or (equivalently)
    have the most-significant bit set in their last byte.
  • Silence a warning about an unused local variable in bignum.c on
    some architectures. Fixes #7166.
  • Silence warnings from clang -Wdocumentation about empty \retval
    descriptions, which started appearing with Clang 15. Fixes #6960.
  • Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
    the len argument is 0 and the buffer is NULL.

Changes

  • The C code follows a new coding style. This is transparent for users but
    affects contributors and maintainers of local patches. For more
    information, see
    https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
  • Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
    As tested in issue 6790, the correlation between this define and
    RSA decryption performance has changed lately due to security fixes.
    To fix the performance degradation when using default values, the
    window was reduced from 6 to 2, a value that gives the best or close
    to best results when tested on Cortex-M4 and Intel i7.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

bdf7c5bbdc338da3edad89b2885d4f8668f9a6fffeba6ec17a60333e36dade6f mbedtls-2.28.3.tar.gz
0c0abbd6e33566c5c3c15af4fc19466c8edb62fa483d4ce98f1ba3f656656d2d mbedtls-2.28.3.zip