1 | 1 | Mbed TLS ChangeLog (Sorted per branch, date)
2 | 2 |
| 3 | += Mbed TLS 3.6.0 branch released 2024-03-28 |
| 4 | + |
| 5 | +API changes |
| 6 | + * Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and |
| 7 | + mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data |
| 8 | + feature may not be TLS 1.3 specific in the future. Fixes #6909. |
| 9 | + |
| 10 | +Default behavior changes |
| 11 | + * psa_import_key() now only accepts RSA keys in the PSA standard formats. |
| 12 | + The undocumented ability to import other formats (PKCS#8, SubjectPublicKey, |
| 13 | + PEM) accepted by the pkparse module has been removed. Applications that |
| 14 | + need these formats can call mbedtls_pk_parse_{public,}key() followed by |
| 15 | + mbedtls_pk_import_into_psa(). |
| 16 | + |
| 17 | +Requirement changes |
| 18 | + * Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5. |
| 19 | + |
| 20 | +New deprecations |
| 21 | + * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to |
| 22 | + MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still |
| 23 | + be used, but are deprecated. |
| 24 | + * In the PSA API, domain parameters are no longer used for anything. |
| 25 | + They are deprecated and will be removed in a future version of the |
| 26 | + library. |
| 27 | + * mbedtls_ecp_write_key() is deprecated in favor of |
| 28 | + mbedtls_ecp_write_key_ext(). |
| 29 | + |
| 30 | +Removals |
| 31 | + * In the PSA API, the experimental way to encode the public exponent of |
| 32 | + an RSA key as a domain parameter is no longer supported. Use |
| 33 | + psa_generate_key_ext() instead. |
| 34 | + * Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the |
| 35 | + same behavior mbedtls_pk_get_psa_attributes() and |
| 36 | + mbedtls_pk_import_into_psa() can be used to import a PK key into PSA, |
| 37 | + while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into a opaque |
| 38 | + PK context. |
| 39 | + |
| 40 | +Features |
| 41 | + * Added an example program showing how to hash with the PSA API. |
| 42 | + * Support Armv8-A Crypto Extension acceleration for SHA-256 |
| 43 | + when compiling for Thumb (T32) or 32-bit Arm (A32). |
| 44 | + * AES-NI is now supported in Windows builds with clang and clang-cl. |
| 45 | + Resolves #8372. |
| 46 | + * Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows |
| 47 | + parsing unsupported certificate extensions via user provided callback. |
| 48 | + * Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit |
| 49 | + the decryption direction of block ciphers (AES, ARIA, Camellia). |
| 50 | + This affects both the low-level modules and the high-level APIs |
| 51 | + (the cipher and PSA interfaces). This option is incompatible with modes |
| 52 | + that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES. |
| 53 | + * Support use of Armv8-A Cryptographic Extensions for hardware acclerated |
| 54 | + AES when compiling for Thumb (T32) or 32-bit Arm (A32). |
| 55 | + * If a cipher or AEAD mechanism has a PSA driver, you can now build the |
| 56 | + library without the corresponding built-in implementation. Generally |
| 57 | + speaking that requires both the key type and algorithm to be accelerated |
| 58 | + or they'll both be built in. However, for CCM and GCM the built-in |
| 59 | + implementation is able to take advantage of a driver that only |
| 60 | + accelerates the key type (that is, the block cipher primitive). See |
| 61 | + docs/driver-only-builds.md for full details and current limitations. |
| 62 | + * The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is |
| 63 | + disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to |
| 64 | + MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES. |
| 65 | + * Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code |
| 66 | + size by disabling it in more circumstances. In particular, the CCM and |
| 67 | + GCM modules no longer depend on MBEDTLS_CIPHER_C. Also, |
| 68 | + MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all |
| 69 | + unauthenticated (non-AEAD) ciphers are disabled, or if they're all |
| 70 | + fully provided by drivers. See docs/driver-only-builds.md for full |
| 71 | + details and current limitations; in particular, NIST_KW and PKCS5/PKCS12 |
| 72 | + decryption still unconditionally depend on MBEDTLS_CIPHER_C. |
| 73 | + * Add support for record size limit extension as defined by RFC 8449 |
| 74 | + and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT. |
| 75 | + Application data sent and received will be fragmented according to |
| 76 | + Record size limits negotiated during handshake. |
| 77 | + * Improve performance of AES-GCM, AES-CTR and CTR-DRBG when |
| 78 | + hardware accelerated AES is not present (around 13-23% on 64-bit Arm). |
| 79 | + * Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa() |
| 80 | + to convert between Mbed TLS and PSA curve identifiers. |
| 81 | + * Add utility functions to manipulate mbedtls_ecp_keypair objects, filling |
| 82 | + gaps made by making its fields private: mbedtls_ecp_set_public_key(), |
| 83 | + mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(), |
| 84 | + mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652. |
| 85 | + * Add functions mbedtls_md_psa_alg_from_type() and |
| 86 | + mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and |
| 87 | + psa_algorithm_t. |
| 88 | + * Add partial platform support for z/OS. |
| 89 | + * Improve performance for gcc (versions older than 9.3.0) and IAR. |
| 90 | + * Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to |
| 91 | + convert ECDSA signatures between raw and DER (ASN.1) formats. |
| 92 | + * Add support for using AES-CBC 128, 192, and 256 bit schemes |
| 93 | + with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse. |
| 94 | + * The new function mbedtls_rsa_get_bitlen() returns the length of the modulus |
| 95 | + in bits, i.e. the key size for an RSA key. |
| 96 | + * Add pc files for pkg-config, e.g.: |
| 97 | + pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509) |
| 98 | + * Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access |
| 99 | + `mbedtls_ssl_session.ticket_creation_time`. |
| 100 | + * The new functions mbedtls_pk_get_psa_attributes() and |
| 101 | + mbedtls_pk_import_into_psa() provide a uniform way to create a PSA |
| 102 | + key from a PK key. |
| 103 | + * The benchmark program now reports times for both ephemeral and static |
| 104 | + ECDH in all ECDH configurations. |
| 105 | + * Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM |
| 106 | + operations when hardware accelerated AES is not present. Improves |
| 107 | + performance by around 30% on 64-bit Intel; 125% on Armv7-M. |
| 108 | + * The new function psa_generate_key_ext() allows generating an RSA |
| 109 | + key pair with a custom public exponent. |
| 110 | + * The new function mbedtls_ecp_write_key_ext() is similar to |
| 111 | + mbedtls_ecp_write_key(), but can be used without separately calculating |
| 112 | + the output length. |
| 113 | + * Add new accessor to expose the private group id member of |
| 114 | + `mbedtls_ecdh_context` structure. |
| 115 | + * Add new accessor to expose the `MBEDTLS_PRIVATE(ca_istrue)` member of |
| 116 | + `mbedtls_x509_crt` structure. This requires setting |
| 117 | + the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's |
| 118 | + ext_types field. |
| 119 | + * mbedtls_psa_get_random() is always available as soon as |
| 120 | + MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is |
| 121 | + called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be |
| 122 | + used as random number generator function (f_rng) and context (p_rng) in |
| 123 | + legacy functions. |
| 124 | + * The new functions mbedtls_pk_copy_from_psa() and |
| 125 | + mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context |
| 126 | + with the same content as a PSA key. |
| 127 | + * Add new accessors to expose the private session-id, |
| 128 | + session-id length, and ciphersuite-id members of |
| 129 | + `mbedtls_ssl_session` structure. |
| 130 | + Add new accessor to expose the ciphersuite-id of |
| 131 | + `mbedtls_ssl_ciphersuite_t` structure.Design ref: #8529 |
| 132 | + * Mbed TLS now supports the writing and reading of TLS 1.3 early data (see |
| 133 | + docs/tls13-early-data.md). The support enablement is controlled at build |
| 134 | + time by the MBEDTLS_SSL_EARLY_DATA configuration option and at runtime by |
| 135 | + the mbedtls_ssl_conf_early_data() API (by default disabled in both cases). |
| 136 | + * Add protection for multithreaded access to the PSA keystore and protection |
| 137 | + for multithreaded access to the the PSA global state, including |
| 138 | + concurrently calling psa_crypto_init() when MBEDTLS_THREADING_C and |
| 139 | + MBEDTLS_THREADING_PTHREAD are defined. See |
| 140 | + docs/architecture/psa-thread-safety/psa-thread-safety.md for more details. |
| 141 | + Resolves issues #3263 and #7945. |
| 142 | + |
| 143 | +Security |
| 144 | + * Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3 |
| 145 | + ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A |
| 146 | + malicious client could cause information disclosure or a denial of service. |
| 147 | + * Passing buffers that are stored in untrusted memory as arguments |
| 148 | + to PSA functions is now secure by default. |
| 149 | + The PSA core now protects against modification of inputs or exposure |
| 150 | + of intermediate outputs during operations. This is currently implemented |
| 151 | + by copying buffers. |
| 152 | + This feature increases code size and memory usage. If buffers passed to |
| 153 | + PSA functions are owned exclusively by the PSA core for the duration of |
| 154 | + the function call (i.e. no buffer parameters are in shared memory), |
| 155 | + copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. |
| 156 | + Note that setting this option will cause input-output buffer overlap to |
| 157 | + be only partially supported (#3266). |
| 158 | + Fixes CVE-2024-28960. |
| 159 | + * Restore the maximum TLS version to be negotiated to the configured one |
| 160 | + when an SSL context is reset with the mbedtls_ssl_session_reset() API. |
| 161 | + An attacker was able to prevent an Mbed TLS server from establishing any |
| 162 | + TLS 1.3 connection potentially resulting in a Denial of Service or forced |
| 163 | + version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e. |
| 164 | + Fixes CVE-2024-28755. |
| 165 | + * When negotiating TLS version on server side, do not fall back to the |
| 166 | + TLS 1.2 implementation of the protocol if it is disabled. |
| 167 | + - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 |
| 168 | + client could put the TLS 1.3-only server in an infinite loop processing |
| 169 | + a TLS 1.2 ClientHello, resulting in a denial of service. Reported by |
| 170 | + Matthias Mucha and Thomas Blattmann, SICK AG. |
| 171 | + - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client |
| 172 | + was able to successfully establish a TLS 1.2 connection with the server. |
| 173 | + Reported by alluettiv on GitHub. |
| 174 | + Fixes CVE-2024-28836. |
| 175 | + |
| 176 | +Bugfix |
| 177 | + * Fix the build with CMake when Everest or P256-m is enabled through |
| 178 | + a user configuration file or the compiler command line. Fixes #8165. |
| 179 | + * Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is |
| 180 | + disabled. |
| 181 | + * Fix possible NULL dereference issue in X509 cert_req program if an entry |
| 182 | + in the san parameter is not separated by a colon. |
| 183 | + * Fix possible NULL dereference issue in X509 cert_write program if an entry |
| 184 | + in the san parameter is not separated by a colon. |
| 185 | + * Fix an inconsistency between implementations and usages of `__cpuid`, |
| 186 | + which mainly causes failures when building Windows target using |
| 187 | + mingw or clang. Fixes #8334 & #8332. |
| 188 | + * Fix build failure in conda-forge. Fixes #8422. |
| 189 | + * Fix parsing of CSRs with critical extensions. |
| 190 | + * Switch to milliseconds as the unit for ticket creation and reception time |
| 191 | + instead of seconds. That avoids rounding errors when computing the age of |
| 192 | + tickets compared to peer using a millisecond clock (observed with GnuTLS). |
| 193 | + Fixes #6623. |
| 194 | + * Fix TLS server accepting TLS 1.2 handshake while TLS 1.2 |
| 195 | + is disabled at runtime. Fixes #8593. |
| 196 | + * Remove accidental introduction of RSA signature algorithms |
| 197 | + in TLS Suite B Profile. Fixes #8221. |
| 198 | + * Fix unsupported PSA asymmetric encryption and decryption |
| 199 | + (psa_asymmetric_[en|de]crypt) with opaque keys. |
| 200 | + Resolves #8461. |
| 201 | + * On Linux on ARMv8, fix a build error with SHA-256 and SHA-512 |
| 202 | + acceleration detection when the libc headers do not define the |
| 203 | + corresponding constant. Reported by valord577. |
| 204 | + * Correct initial capacities for key derivation algorithms:TLS12_PRF, |
| 205 | + TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC |
| 206 | + * Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a |
| 207 | + multiple of 8. Fixes #868. |
| 208 | + * Avoid segmentation fault caused by releasing not initialized |
| 209 | + entropy resource in gen_key example. Fixes #8809. |
| 210 | + * mbedtls_pem_read_buffer() now performs a check on the padding data of |
| 211 | + decrypted keys and it rejects invalid ones. |
| 212 | + * Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and |
| 213 | + mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in |
| 214 | + the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled and the |
| 215 | + RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify |
| 216 | + functions performed a PKCS#1 v1.5 signature instead and the |
| 217 | + encrypt/decrypt functions returned an error. Fixes #8824. |
| 218 | + * Fix missing bitflags in SSL session serialization headers. Their absence |
| 219 | + allowed SSL sessions saved in one configuration to be loaded in a |
| 220 | + different, incompatible configuration. |
| 221 | + * In TLS 1.3 clients, fix an interoperability problem due to the client |
| 222 | + generating a new random after a HelloRetryRequest. Fixes #8669. |
| 223 | + * Fix the restoration of the ALPN when loading serialized connection with |
| 224 | + the mbedtls_ssl_context_load() API. |
| 225 | + * Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using |
| 226 | + an opaque RSA context and specifying MBEDTLS_PK_RSASSA_PSS as key type. |
| 227 | + * Fix RSA opaque keys always using PKCS1 v1.5 algorithms instead of the |
| 228 | + primary algorithm of the wrapped PSA key. |
| 229 | + * Fully support arbitrary overlap between inputs and outputs of PSA |
| 230 | + functions. Note that overlap is still only partially supported when |
| 231 | + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266). |
| 232 | + |
| 233 | +Changes |
| 234 | + * Use heap memory to allocate DER encoded public/private key. |
| 235 | + This reduces stack usage significantly for writing a public/private |
| 236 | + key to a PEM string. |
| 237 | + * PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and |
| 238 | + they are now treated separately. This means that they should be |
| 239 | + individually enabled in order to enable respective support; also the |
| 240 | + corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case |
| 241 | + acceleration is required. |
| 242 | + * Moved declaration of functions mbedtls_ecc_group_to_psa and |
| 243 | + mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h |
| 244 | + * mbedtls_pk_sign_ext() is now always available, not just when |
| 245 | + PSA (MBEDTLS_PSA_CRYPTO_C) is enabled. |
| 246 | + * Extended PSA Crypto configurations options for FFDH by making it possible |
| 247 | + to select only some of the parameters / groups, with the macros |
| 248 | + PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro |
| 249 | + for each size you want to support. Also, if you have an FFDH accelerator, |
| 250 | + you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal |
| 251 | + support for these domain parameters. |
| 252 | + * RSA support in PSA no longer auto-enables the pkparse and pkwrite modules, |
| 253 | + saving code size when those are not otherwise enabled. |
| 254 | + * mbedtls_mpi_exp_mod and code that uses it, notably RSA and DHM operations, |
| 255 | + have changed their speed/memory compromise as part of a proactive security |
| 256 | + improvement. The new default value of MBEDTLS_MPI_WINDOW_SIZE roughly |
| 257 | + preserves the current speed, at the expense of increasing memory |
| 258 | + consumption. |
| 259 | + * Rename directory containing Visual Studio files from visualc/VS2013 to |
| 260 | + visualc/VS2017. |
| 261 | + * The TLS 1.3 protocol is now enabled in the default configuration. |
| 262 | + |
3 | 263 | = Mbed TLS 3.5.2 branch released 2024-01-26
4 | 264 |
5 | 265 | Security
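Review bot: the Changes entry "Moved declaration of functions mbedtls_ecc_group_to_psa and mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h" names a function that does not match the Features entry earlier in the same hunk, which adds "mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa()"; one of the two names is wrong, and anyone grepping the ChangeLog for the header move will miss it, so please make the two entries agree (and terminate the Changes entry with a period like its neighbours). Second, the Bugfix entry "Fix TLS server accepting TLS 1.2 handshake while TLS 1.2 is disabled at runtime. Fixes #8593." restates the second sub-bullet of the CVE-2024-28836 Security entry ("If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client was able to successfully establish a TLS 1.2 connection with the server"); either drop the Bugfix entry or fold "Fixes #8593" into the Security entry so the same fix is not listed twice. Third, the first Security entry (the stack buffer overread when parsing a TLS 1.3 ClientHello) is the only Security entry with neither a CVE nor an issue reference; if a tracking identifier exists, add it, otherwise it would help readers to say so explicitly. Finally, a few typos in the added text: "acclerated" should be "accelerated", "the the PSA global state" doubles "the", "a opaque PK context" should be "an opaque", "no more synonyms" should be "no longer synonyms", "You now need to defined" should be "define", "algorithms:TLS12_PRF" needs a space after the colon and the entry needs a terminating period, and "structure.Design ref: #8529" needs a space after the period or the design reference on its own line.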