Releases: Mbed-TLS/mbedtls

Mbed TLS 2.23.0

01 Jul 14:03
3ede173

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.

Default behavior changes

  • In the experimental PSA secure element interface, change the encoding of key lifetimes to encode a persistence level and the location. Although C prototypes do not effectively change, code calling psa_register_se_driver() must be modified to pass the driver's location instead of the keys' lifetime. If the library is upgraded on an existing device, keys created with the old lifetime value will not be readable or removable through Mbed TLS after the upgrade.

Features

  • New functions in the error module return constant strings for high- and low-level error codes, complementing mbedtls_strerror() which constructs a string for any error code, including compound ones, but requires a writable buffer. Contributed by Gaurav Aggarwal in #3176.
  • The new utility programs/ssl/ssl_context_info prints a human-readable dump of an SSL context saved with mbedtls_ssl_context_save().
  • Add support for midipix, a POSIX layer for Microsoft Windows.
  • Add the new mbedtls_x509_crt_parse_der_with_ext_cb() routine, which allows parsing unsupported certificate extensions via a user-provided callback. Contributed by Nicola Di Lieto nicola.dilieto@gmail.com in #3243 as a solution to #3241.
  • Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies (#3419).
  • Added support to entropy_poll for the kern.arandom syscall supported on some BSD systems. Contributed by Nia Alarie in #3423.
  • Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239

Security

  • Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
  • Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
  • Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.

Bugfix

  • Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.19 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir.
  • Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3192
  • Fix issue with a detected HW accelerated record error not being exposed due to shadowed variable. Contributed by Sander Visser in #3310.
  • Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a NULL pointer argument. Contributed by Sander Visser in #3312.
  • Fix potential linker errors on dual world platforms by inlining mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately from psa_crypto.c. Fixes #3300.
  • Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855.
  • Include asn1.h in error.c. Fixes #3328 reported by David Hu.
  • Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when the PRNG function fails. Contributed by Jonas Lejeune in #3318.
  • Remove unused macros from MSVC projects. Reported in #3297 and fix submitted in #3333 by irwir.
  • Add additional bounds checks in ssl_write_client_hello() to prevent an output buffer overflow if the configuration declared a buffer that was too small.
  • Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie.
  • Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. Contributed by Nia Alarie in #3422.
  • Fix false positive uninitialised variable reported by cpp-check. Contributed by Sander Visser in #3311.
  • Update iv and len context pointers manually when reallocating buffers using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues when receiving a connection with CID, when these fields were shifted in ssl_parse_record_header().

Changes

  • Fix warnings about signedness issues in format strings. The build is now clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153.
  • Fix minor performance issue in operations on Curve25519 caused by using a suboptimal modular reduction in one place. Found and fix contributed by Aurelien Jarno in #3209.
  • Combine identical cases in switch statements in md.c. Contributed by irwir in #3208.
  • Simplify a bounds check in ssl_write_certificate_request(). Contributed by irwir in #3150.
  • Unify the example programs' termination to call mbedtls_exit() instead of using a return statement. This has been done to enable customization of the behavior in bare metal environments.
  • Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". Contributed by Koh M. Nakagawa in #3326.
  • Use FindPython3 when the cmake version is >= 3.15.0.
  • Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello.
  • The unit tests now rely on header files in tests/include/test and source files in tests/src. When building with make or cmake, the files in tests/src are compiled and the resulting object linked into each test executable.
  • The ECP module, enabled by MBEDTLS_ECP_C, now depends on MBEDTLS_CTR_DRBG_C or MBEDTLS_HMAC_DRBG_C for some side-channel countermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option MBEDTLS_ECP_NO_INTERNAL_RNG.
  • Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes Martinho. #3147
  • Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported in #3182 and fix submitted by irwir. #3217
  • Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

9933fe6b5991d5308e183a5a07454f76d7054721ba269d0c3811b227cb629e7a  mbedtls-2.23.0.tar.gz
bbf9c3cc6b7603f2f15bbba7badcf6cf188a9d5aaa63c4df2d61213f459c2f5f  mbedtls-2.23.0.zip

Mbed TLS 2.16.7

01 Jul 14:03
abc4602

Description

Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.

Security

  • Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
  • Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
  • Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.

Bugfix

  • Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir.
  • Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3197
  • Include asn1.h in error.c. Fixes #3328 reported by David Hu.
  • Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when the PRNG function fails. Contributed by Jonas Lejeune in #3318.
  • Add additional bounds checks in ssl_write_client_hello() to prevent an output buffer overflow if the configuration declared a buffer that was too small.

Changes

  • Unify the example programs' termination to call mbedtls_exit() instead of using a return statement. This has been done to enable customization of the behavior in bare metal environments.
  • Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello.
  • The ECP module, enabled by MBEDTLS_ECP_C, now depends on MBEDTLS_CTR_DRBG_C, MBEDTLS_HMAC_DRBG_C, MBEDTLS_SHA512_C or MBEDTLS_SHA256_C for some side-channel countermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option MBEDTLS_ECP_NO_INTERNAL_RNG.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

c95b11557ee97d2bdfd48cd57cf9b648a6cddd2ca879e3c35c4e7525f2871992  mbedtls-2.16.7.tar.gz
6ee853f8dbbe662b7647b454c9635ed7f2b3c78293e064c1be74c7cfd97d080b  mbedtls-2.16.7.zip

Mbed TLS 2.7.16

01 Jul 14:03
e0f1334

Description

Mbed TLS 2.7.16 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.

Security

  • Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
  • Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
  • Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.

Bugfix

  • Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.7.12 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir.
  • Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3196
  • Include asn1.h in error.c. Fixes #3328 reported by David Hu.
  • Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when the PRNG function fails. Contributed by Jonas Lejeune in #3318.
  • Add additional bounds checks in ssl_write_client_hello() to prevent an output buffer overflow if the configuration declared a buffer that was too small.

Changes

  • Unify the example programs' termination to call mbedtls_exit() instead of using a return statement. This has been done to enable customization of the behavior in bare metal environments.
  • Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello.
  • The ECP module, enabled by MBEDTLS_ECP_C, now depends on MBEDTLS_CTR_DRBG_C, MBEDTLS_HMAC_DRBG_C, MBEDTLS_SHA512_C or MBEDTLS_SHA256_C for some side-channel countermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option MBEDTLS_ECP_NO_INTERNAL_RNG.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

571420852b771a61d54dc61881ae744363f5fcd9c274f7d6874a5d2913107ad4  mbedtls-2.7.16.tar.gz
da3229f4f842c6dbcec5d9d4f8790b02a53cc7125dbdf681a97936d3d877a992  mbedtls-2.7.16.zip

Mbed TLS 2.7.15

14 Apr 15:48
21522a4

Description

Mbed TLS 2.7.15 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.

Security

  • Fix side channel in ECC code that allowed an adversary with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) to fully recover an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
  • Fix a potentially remotely exploitable buffer overread in a DTLS client when parsing the Hello Verify Request message.
  • Fix bug in DTLS handling of new associations with the same parameters (RFC 6347 section 4.2.8): after sending its HelloVerifyRequest, the server would end up with corrupted state and only send invalid records to the client. An attacker able to send forged UDP packets to the server could use that to obtain a Denial of Service. This could only happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h (which it is by default).

Bugfix

  • Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
  • Fix a function name in a debug message. Contributed by Ercan Ozturk in #3013.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.16.6

14 Apr 15:49
2a1d933

Description

Mbed TLS 2.16.6 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.

Security

  • Fix side channel in ECC code that allowed an adversary with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) to fully recover an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
  • Fix a potentially remotely exploitable buffer overread in a DTLS client when parsing the Hello Verify Request message.

Bugfix

  • Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
  • Fix a function name in a debug message. Contributed by Ercan Ozturk in #3013.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.16.5

25 Feb 19:18
0fce215

Description

Mbed TLS 2.16.5 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release brings fixes for a security issue, as described in more detail in our security advisory.

Security

  • Fix potential memory overread when performing an ECDSA signature operation. The overread only happens with cryptographically low probability (of the order of 2^-n where n is the bitsize of the curve) unless the RNG is broken, and could result in information disclosure or denial of service (application crash or extra resource consumption). Found by Auke Zeilstra and Peter Schwabe, using static analysis.
  • To avoid a side channel vulnerability when parsing an RSA private key, read all the CRT parameters from the DER structure rather than reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob Brumley. Reported and fix contributed by Jack Lloyd. ARMmbed/mbed-crypto#352

Bugfix

  • Fix an unchecked call to mbedtls_md() in the x509write module.
  • Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some RSA keys that would later be rejected by functions expecting private keys. Found by Catena cyber using oss-fuzz (issue 20467).
  • Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some RSA keys with invalid values by silently fixing those values.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.7.14

25 Feb 18:42
72371b2

Description

Mbed TLS 2.7.14 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements. This release brings fixes for a security issue, as described in more detail in our security advisory.

Security

  • To avoid a side channel vulnerability when parsing an RSA private key, read all the CRT parameters from the DER structure rather than reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob Brumley. Reported and fix contributed by Jack Lloyd. ARMmbed/mbed-crypto#352

Bugfix

  • Fix an unchecked call to mbedtls_md() in the x509write module.
  • Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some RSA keys that would later be rejected by functions expecting private keys. Found by Catena cyber using oss-fuzz (issue 20467).
  • Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some RSA keys with invalid values by silently fixing those values.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.7.13

25 Feb 18:42

Description

Mbed TLS 2.7.13 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements. This release brings fixes for a security issue, as described in more detail in our security advisory.

Security

  • Fix side channel vulnerability in ECDSA. Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
  • Zeroize local variables in mbedtls_internal_aes_encrypt() and mbedtls_internal_aes_decrypt() before exiting the function. The value of these variables can be used to recover the last round key. To follow best practice and to limit the impact of buffer overread vulnerabilities (like Heartbleed) we need to zeroize them before exiting the function. Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
  • Fix side channel vulnerability in ECDSA key generation. Obtaining precise timings on the comparison in the key generation enabled the attacker to learn leading bits of the ephemeral key used during ECDSA signatures and to recover the private key.
  • Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught failures could happen with alternative implementations of AES. Bug reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, Sectra.

Bugfix

  • Support mbedtls_hmac_drbg_set_entropy_len() and mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before, the initial seeding always reset the entropy length to the compile-time default.

Changes

  • Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx() from the cipher abstraction layer. Fixes #2198.
  • Clarify how the interface of the CTR_DRBG and HMAC modules relates to NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.16.4

25 Feb 18:42

Description

Mbed TLS 2.16.4 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release brings fixes for a security issue, as described in more detail in our security advisory.

Security

  • Fix side channel vulnerability in ECDSA. Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
  • Zeroize local variables in mbedtls_internal_aes_encrypt() and mbedtls_internal_aes_decrypt() before exiting the function. The value of these variables can be used to recover the last round key. To follow best practice and to limit the impact of buffer overread vulnerabilities (like Heartbleed) we need to zeroize them before exiting the function. Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
  • Fix side channel vulnerability in ECDSA key generation. Obtaining precise timings on the comparison in the key generation enabled the attacker to learn leading bits of the ephemeral key used during ECDSA signatures and to recover the private key. Reported by Jeremy Dubeuf.
  • Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught failures could happen with alternative implementations of AES. Bug reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, Sectra.

Bugfix

  • Remove redundant line for getting the bitlen of a bignum, since the variable holding the returned value is overwritten a line after. Found by irwir in #2377.
  • Support mbedtls_hmac_drbg_set_entropy_len() and mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before, the initial seeding always reset the entropy length to the compile-time default.

Changes

  • Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx() from the cipher abstraction layer. Fixes #2198.
  • Clarify how the interface of the CTR_DRBG and HMAC modules relates to NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed TLS 2.7.12

18 Sep 13:11

Description

Mbed TLS 2.7.12 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements.

Security

  • Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug.
  • When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer.
  • The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this, the same blinding value was generated for the same key and message. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd.
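As an added illustration of the RFC 5915 item above (this is not code from Mbed TLS): a minimal ASN.1 INTEGER encoding of the private scalar has a value-dependent length, whereas the fixed-size OCTET STRING that RFC 5915 requires does not. The three scalars are constructed, and der_integer_content() and rfc5915_private_key() are simplified stand-ins for the library's key writer rather than its API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-byte (P-256-sized) private scalars for illustration only;
 * unlisted trailing bytes are zero. These are not real keys. */
static const uint8_t SCALAR_TOP_BIT_SET[32]   = { 0x80, 0x01, 0x02 };
static const uint8_t SCALAR_LEADING_ZEROS[32] = { 0x00, 0x00, 0x7f, 0x01 };
static const uint8_t SCALAR_TYPICAL[32]       = { 0x01, 0x23, 0x45 };

/* Scratch output buffer shared by the demonstrations below. */
static uint8_t scratch[64];

/* Pre-fix behaviour: the private value written as a minimal ASN.1 INTEGER.
 * Leading zero bytes are dropped and a 0x00 pad byte is added when the top
 * bit is set, so the content length depends on the key's leading bits.
 * Returns the content length, or 0 if it would not fit in out[]. */
size_t der_integer_content(const uint8_t *scalar, size_t n,
                           uint8_t *out, size_t out_size)
{
    size_t start = 0;
    while (start + 1 < n && scalar[start] == 0)   /* keep at least one byte */
        start++;
    size_t len = n - start;
    size_t pad = (scalar[start] & 0x80) ? 1 : 0;  /* keep the INTEGER positive */
    if (len + pad > out_size)
        return 0;                                 /* an n-byte buffer is 1 short */
    if (pad)
        out[0] = 0x00;
    memcpy(out + pad, scalar + start, len);
    return len + pad;
}

/* RFC 5915 behaviour: privateKey is an OCTET STRING of exactly the curve's
 * byte length, so leading zero bytes are kept and the length is constant. */
size_t rfc5915_private_key(const uint8_t *scalar, size_t n,
                           uint8_t *out, size_t out_size)
{
    if (n > out_size)
        return 0;
    memcpy(out, scalar, n);
    return n;
}

/* Convenience wrappers that only report the encoded length. */
size_t der_integer_length(const uint8_t *scalar, size_t n)
{
    return der_integer_content(scalar, n, scratch, sizeof scratch);
}

size_t rfc5915_length(const uint8_t *scalar, size_t n)
{
    return rfc5915_private_key(scalar, n, scratch, sizeof scratch);
}

/* Leading bits of an n-byte scalar that the INTEGER length alone gives away:
 * n+1 bytes => top bit is 1; n bytes => top bit is 0; n-k bytes => the top
 * 8k bits are 0 and the bit after them is 0 too. Half of all random scalars
 * fall in the n+1 case, hence the "about 1 bit on average" in the note above. */
unsigned leading_bits_revealed(size_t der_len, size_t n)
{
    if (der_len == n + 1)
        return 1;
    return (unsigned)(8 * (n - der_len) + 1);
}

int main(void)
{
    const uint8_t *keys[3] = { SCALAR_TOP_BIT_SET, SCALAR_LEADING_ZEROS, SCALAR_TYPICAL };
    const char *names[3] = { "top bit set", "two leading zero bytes", "typical" };
    for (int i = 0; i < 3; i++) {
        size_t d = der_integer_length(keys[i], 32);
        printf("%-23s INTEGER %2zu bytes (reveals %2u leading bits), "
               "OCTET STRING %zu bytes\n",
               names[i], d, leading_bits_revealed(d, 32), rfc5915_length(keys[i], 32));
    }
    /* The second failure mode from the note: an output buffer sized for the
     * fixed 32-byte form is one byte too small for the padded INTEGER form. */
    printf("INTEGER into a 32-byte buffer: %zu (0 = refused)\n",
           der_integer_content(SCALAR_TOP_BIT_SET, 32, scratch, 32));
    return 0;
}
```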

API Changes

  • The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding.
  • The new function mbedtls_ecp_gen_privkey() allows generating a private key without generating the public part of the pair.

Bugfix

  • Fix to allow building test suites with any warning that detects unused functions. Fixes #1628.
  • Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
  • Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
  • Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir.
  • Enable Suite B with a subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev.
  • Fix misuse of signed arithmetic in the HAVEGE module. #2598
  • Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357.
  • Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
  • Fix memory leak in mpi_miller_rabin(). Contributed by Jens Wiklander jens.wiklander@linaro.org in #2363.

Changes

  • Make make clean always clean all programs. Fixes #1862.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.