|
1 | 1 | Mbed TLS ChangeLog (Sorted per branch, date)
|
2 | 2 |
|
| 3 | += Mbed TLS 3.6.1 branch released 2024-08-30 |
| 4 | + |
| 5 | +API changes |
| 6 | + * The experimental functions psa_generate_key_ext() and |
| 7 | + psa_key_derivation_output_key_ext() are no longer declared when compiling |
| 8 | + in C++. This resolves a build failure under C++ compilers that do not |
| 9 | + support flexible array members (a C99 feature not adopted by C++). |
| 10 | + Fixes #9020. |
| 11 | + |
| 12 | +Default behavior changes |
| 13 | + * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT && |
| 14 | + !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the |
| 15 | + corresponding PSA mechanism is enabled, since the server provides the |
| 16 | + crypto. Fixes #9126. |
| 17 | + * A TLS handshake may now call psa_crypto_init() if TLS 1.3 is enabled. |
| 18 | + This can happen even if TLS 1.3 is offered but eventually not selected |
| 19 | + in the protocol version negotiation. |
| 20 | + * By default, the handling of TLS 1.3 tickets by the Mbed TLS client is now |
| 21 | + disabled at runtime. Applications that were using TLS 1.3 tickets |
| 22 | + signalled by MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return values now |
| 23 | + need to enable the handling of TLS 1.3 tickets through the new |
| 24 | + mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() API. |
| 25 | + |
| 26 | +New deprecations |
| 27 | + * The experimental functions psa_generate_key_ext() and |
| 28 | + psa_key_derivation_output_key_ext() are deprecated in favor of |
| 29 | + psa_generate_key_custom() and psa_key_derivation_output_key_custom(). |
| 30 | + They have almost exactly the same interface, but the variable-length |
| 31 | + data is passed in a separate parameter instead of a flexible array |
| 32 | + member. |
| 33 | + * The following cryptographic mechanisms are planned to be removed |
| 34 | + in Mbed TLS 4.0: |
| 35 | + - DES (including 3DES). |
| 36 | + - PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5). |
| 37 | + (OAEP, PSS, and PKCS#1v1.5 signature are staying.) |
| 38 | + - Finite-field Diffie-Hellman with custom groups. |
| 39 | + (RFC 7919 groups remain supported.) |
| 40 | + - Elliptic curves of size 225 bits or less. |
| 41 | + * The following cipher suites are planned to be removed from (D)TLS 1.2 |
| 42 | + in Mbed TLS 4.0: |
| 43 | + - TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using |
| 44 | + RSA decryption. |
| 45 | + (RSA signatures, i.e. TLS_ECDHE_RSA_*, are staying.) |
| 46 | + - TLS_ECDH_*, i.e. cipher suites using static ECDH. |
| 47 | + (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.) |
| 48 | + - TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman. |
| 49 | + (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.) |
| 50 | + - TLS_*CBC*, i.e. all cipher suites using CBC. |
| 51 | + * The following low-level application interfaces are planned to be removed |
| 52 | + from the public API in Mbed TLS 4.0: |
| 53 | + - Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h; |
| 54 | + - Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h; |
| 55 | + - Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h, |
| 56 | + cipher.h, cmac.h, gcm.h, poly1305.h; |
| 57 | + - Private key encryption mechanisms: pkcs5.h, pkcs12.h. |
| 58 | + - Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h, |
| 59 | + ecp.h, rsa.h. |
| 60 | + The cryptographic mechanisms remain present, but they will only be |
| 61 | + accessible via the PSA API (psa_xxx functions introduced gradually |
| 62 | + starting with Mbed TLS 2.17) and, where relevant, `pk.h`. |
| 63 | + For guidance on migrating application code to the PSA API, please consult |
| 64 | + the PSA transition guide (docs/psa-transition.md). |
| 65 | + * The following integration interfaces are planned to be removed |
| 66 | + in Mbed TLS 4.0: |
| 67 | + - MBEDTLS_xxx_ALT replacement of cryptographic modules and functions. |
| 68 | + Use PSA transparent drivers instead. |
| 69 | + - MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C. |
| 70 | + Use PSA opaque drivers instead. |
| 71 | + |
| 72 | +Features |
| 73 | + * When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, |
| 74 | + the number of volatile PSA keys is virtually unlimited, at the expense |
| 75 | + of increased code size. This option is off by default, but enabled in |
| 76 | + the default mbedtls_config.h. Fixes #9216. |
| 77 | + |
| 78 | +Security |
| 79 | + * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does |
| 80 | + not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when |
| 81 | + MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. |
| 82 | + CVE-2024-45157 |
| 83 | + * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and |
| 84 | + mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the |
| 85 | + largest supported curve. In some configurations with PSA disabled, |
| 86 | + all values of bits are affected. This never happens in internal library |
| 87 | + calls, but can affect applications that call these functions directly. |
| 88 | + CVE-2024-45158 |
| 89 | + * With TLS 1.3, when a server enables optional authentication of the |
| 90 | + client, if the client-provided certificate does not have appropriate values |
| 91 | + in keyUsage or extKeyUsage extensions, then the return value of |
| 92 | + mbedtls_ssl_get_verify_result() would incorrectly have the |
| 93 | + MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits |
| 94 | + clear. As a result, an attacker that had a certificate valid for uses other |
| 95 | + than TLS client authentication could be able to use it for TLS client |
| 96 | + authentication anyway. Only TLS 1.3 servers were affected, and only with |
| 97 | + optional authentication (required would abort the handshake with a fatal |
| 98 | + alert). |
| 99 | + CVE-2024-45159 |
| 100 | + |
| 101 | +Bugfix |
| 102 | + * Fix TLS 1.3 client build and runtime when support for session tickets is |
| 103 | + disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395. |
| 104 | + * Fix compilation error when memcpy() is a function-like macros. Fixes #8994. |
| 105 | + * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled |
| 106 | + as soon as MBEDTLS_RSA_C is enabled. Fixes #9041. |
| 107 | + * Fix undefined behaviour (incrementing a NULL pointer by zero length) when |
| 108 | + passing in zero length additional data to multipart AEAD. |
| 109 | + * Fix rare concurrent access bug where attempting to operate on a |
| 110 | + non-existent key while concurrently creating a new key could potentially |
| 111 | + corrupt the key store. |
| 112 | + * Fix error handling when creating a key in a dynamic secure element |
| 113 | + (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition, |
| 114 | + the creation could return PSA_SUCCESS but using or destroying the key |
| 115 | + would not work. Fixes #8537. |
| 116 | + * Fix issue of redefinition warning messages for _GNU_SOURCE in |
| 117 | + entropy_poll.c and sha_256.c. There was a build warning during |
| 118 | + building for linux platform. |
| 119 | + Resolves #9026 |
| 120 | + * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled. |
| 121 | + * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in |
| 122 | + CMAC is enabled, but no built-in unauthenticated cipher is enabled. |
| 123 | + Fixes #9209. |
| 124 | + * Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled. |
| 125 | + Fixes #9029. |
| 126 | + * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes |
| 127 | + long. Credit to Cryptofuzz. Fixes #9314. |
| 128 | + * Fix interference between PSA volatile keys and built-in keys |
| 129 | + when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and |
| 130 | + MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096. |
| 131 | + * Document and enforce the limitation of mbedtls_psa_register_se_key() |
| 132 | + to persistent keys. Resolves #9253. |
| 133 | + * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled |
| 134 | + but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188. |
| 135 | + * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but |
| 136 | + MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186. |
| 137 | + * When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled, |
| 138 | + some code was defining 0-size arrays, resulting in compilation errors. |
| 139 | + Fixed by disabling the offending code in configurations without PSA |
| 140 | + Crypto, where it never worked. Fixes #9311. |
| 141 | + * Fix unintended performance regression when using short RSA public keys. |
| 142 | + Fixes #9232. |
| 143 | + * Fixes an issue where some TLS 1.2 clients could not connect to an |
| 144 | + Mbed TLS 3.6.0 server, due to incorrect handling of |
| 145 | + legacy_compression_methods in the ClientHello. |
| 146 | + Fixes #8995, #9243. |
| 147 | + * Fix TLS connections failing when the handshake selects TLS 1.3 |
| 148 | + in an application that does not call psa_crypto_init(). |
| 149 | + Fixes #9072. |
| 150 | + * Fix TLS connection failure in applications using an Mbed TLS client in |
| 151 | + the default configuration connecting to a TLS 1.3 server sending tickets. |
| 152 | + See the documentation of |
| 153 | + mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() for more |
| 154 | + information. |
| 155 | + Fixes #8749. |
| 156 | + * Fix a memory leak that could occur when failing to process an RSA |
| 157 | + key through some PSA functions due to low memory conditions. |
| 158 | + * Fixed a regression introduced in 3.6.0 where the CA callback set with |
| 159 | + mbedtls_ssl_conf_ca_cb() would stop working when connections were |
| 160 | + upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS |
| 161 | + 1.3. |
| 162 | + * Fixed a regression introduced in 3.6.0 where clients that relied on |
| 163 | + optional/none authentication mode, by calling mbedtls_ssl_conf_authmode() |
| 164 | + with MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_NONE, would stop |
| 165 | + working when connections were upgraded to TLS 1.3. Fixed by adding |
| 166 | + support for optional/none with TLS 1.3 as well. Note that the TLS 1.3 |
| 167 | + standard makes server authentication mandatory; users are advised not to |
| 168 | + use authmode none, and to carefully check the results when using optional |
| 169 | + mode. |
| 170 | + * Fixed a regression introduced in 3.6.0 where context-specific certificate |
| 171 | + verify callbacks, set with mbedtls_ssl_set_verify() as opposed to |
| 172 | + mbedtls_ssl_conf_verify(), would stop working when connections were |
| 173 | + upgraded to TLS 1.3. Fixed by adding support for context-specific verify |
| 174 | + callback in TLS 1.3. |
| 175 | + |
| 176 | +Changes |
| 177 | + * Warn if mbedtls/check_config.h is included manually, as this can |
| 178 | + lead to spurious errors. Error if a *adjust*.h header is included |
| 179 | + manually, as this can lead to silently inconsistent configurations, |
| 180 | + potentially resulting in buffer overflows. |
| 181 | + When migrating from Mbed TLS 2.x, if you had a custom config.h that |
| 182 | + included check_config.h, remove this inclusion from the Mbed TLS 3.x |
| 183 | + configuration file (renamed to mbedtls_config.h). This change was made |
| 184 | + in Mbed TLS 3.0, but was not announced in a changelog entry at the time. |
| 185 | + |
3 | 186 | = Mbed TLS 3.6.0 branch released 2024-03-28
|
4 | 187 |
|
5 | 188 | API changes
|
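Review bot: the CVE-2024-45157 entry under Security says only "Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG" without saying what this release actually changes; state whether the fix is a documentation correction or a behaviour change (does the PSA RNG now honour the option, or does the doc now match the existing CTR_DRBG-first selection?), since an integrator who chose HMAC_DRBG for certification or entropy reasons needs to know which DRBG they have been running. The Features entry for MBEDTLS_PSA_KEY_STORE_DYNAMIC reads as self-contradictory ("This option is off by default, but enabled in the default mbedtls_config.h."); say which default is meant, e.g. that nothing in the config adjustment headers turns it on but the shipped mbedtls_config.h defines it. Smaller nits in the Bugfix block: "sha_256.c" should be "sha256.c" (the library source is library/sha256.c), "function-like macros" should be singular, and "Fixes an issue where some TLS 1.2 clients" should use the imperative "Fix" like the surrounding entries; the TLS_DHE_* bullet in the deprecation list repeats the "(Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)" parenthetical from the TLS_ECDH_* bullet above it, which looks like a copy-paste slip.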
@@ -144,6 +327,7 @@ Security
|
144 | 327 | * Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3
|
145 | 328 | ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
|
146 | 329 | malicious client could cause information disclosure or a denial of service.
|
| 330 | + Fixes CVE-2024-30166. |
147 | 331 | * Passing buffers that are stored in untrusted memory as arguments
|
148 | 332 | to PSA functions is now secure by default.
|
149 | 333 | The PSA core now protects against modification of inputs or exposure
|
|
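Review bot: the added line "Fixes CVE-2024-30166." uses a different convention from the three new Security entries in the same patch, which put the bare identifier on its own line ("CVE-2024-45157", "CVE-2024-45158", "CVE-2024-45159"); pick one form for the file, since tooling and readers that scan the ChangeLog for CVE lines benefit from a single pattern. Retroactively attaching the identifier to the already-released 3.6.0 entry is the right place for it, so no objection to the location.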