Releases: Mbed-TLS/mbedtls

Mbed TLS 3.6.2

15 Oct 12:35

Description

This release of Mbed TLS provides the fix for a security vulnerability.

Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.

Security Advisories

For full details, please see the following links:

Release notes are truncated on GitHub's releases page; please refer to the 3.6.2 release page.

Release Notes

Security

  • Fix a buffer underrun in mbedtls_pk_write_key_der() when
    called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled,
    and the output buffer is smaller than the actual output.
    Fix a related buffer underrun in mbedtls_pk_write_key_pem()
    when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled
    and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
    CVE-2024-49195

Who should update

We recommend that all users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.

Note

mbedtls-3.6.2.tar.bz2 is our official release file. source.tar.gz and source.zip are snapshots that GitHub generates automatically. They do not include external dependencies and cannot be configured.

Checksum

The SHA256 hash for the archive is:

8b54fb9bcf4d5a7078028e0520acddefb7900b3e66fec7f7175bb5b7d85ccdca mbedtls-3.6.2.tar.bz2

Mbed TLS 3.6.1

30 Aug 13:16
71c569d

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.

Security Advisories

For full details, please see the following links:

Release notes are truncated on GitHub's releases page; please refer to the 3.6.1 release page.

Release Notes

API changes

  • The experimental functions psa_generate_key_ext() and
    psa_key_derivation_output_key_ext() are no longer declared when compiling
    in C++. This resolves a build failure under C++ compilers that do not
    support flexible array members (a C99 feature not adopted by C++).
    Fixes #9020.

Default behavior changes

  • In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT &&
    !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the
    corresponding PSA mechanism is enabled, since the server provides the
    crypto. Fixes #9126.
  • A TLS handshake may now call psa_crypto_init() if TLS 1.3 is enabled.
    This can happen even if TLS 1.3 is offered but eventually not selected
    in the protocol version negotiation.
  • By default, the handling of TLS 1.3 tickets by the Mbed TLS client is now
    disabled at runtime. Applications that were using TLS 1.3 tickets
    signalled by MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return values now
    need to enable the handling of TLS 1.3 tickets through the new
    mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() API.

New deprecations

  • The experimental functions psa_generate_key_ext() and
    psa_key_derivation_output_key_ext() are deprecated in favor of
    psa_generate_key_custom() and psa_key_derivation_output_key_custom().
    They have almost exactly the same interface, but the variable-length
    data is passed in a separate parameter instead of a flexible array
    member.
  • The following cryptographic mechanisms are planned to be removed
    in Mbed TLS 4.0:
    • DES (including 3DES).
    • PKCS#1v1.5 encryption/decryption (RSAES-PKCS1-v1_5).
      (OAEP, PSS, and PKCS#1v1.5 signature are staying.)
    • Finite-field Diffie-Hellman with custom groups.
      (RFC 7919 groups remain supported.)
    • Elliptic curves of size 225 bits or less.
  • The following cipher suites are planned to be removed from (D)TLS 1.2
    in Mbed TLS 4.0:
    • TLS_RSA_* (including TLS_RSA_PSK_*), i.e. cipher suites using
      RSA decryption.
      (RSA signatures, i.e. TLS_ECDHE_RSA_*, are staying.)
    • TLS_ECDH_*, i.e. cipher suites using static ECDH.
      (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
    • TLS_DHE_*, i.e. cipher suites using finite-field Diffie-Hellman.
      (Ephemeral ECDH, i.e. TLS_ECDHE_*, is staying.)
    • TLS_*_CBC_*, i.e. all cipher suites using CBC.
  • The following low-level application interfaces are planned to be removed
    from the public API in Mbed TLS 4.0:
    • Hashes: hkdf.h, md5.h, ripemd160.h, sha1.h, sha3.h, sha256.h, sha512.h;
    • Random generation: ctr_drbg.h, hmac_drbg.h, entropy.h;
    • Ciphers and modes: aes.h, aria.h, camellia.h, chacha20.h, chachapoly.h,
      cipher.h, cmac.h, gcm.h, poly1305.h;
    • Private key encryption mechanisms: pkcs5.h, pkcs12.h.
    • Asymmetric cryptography: bignum.h, dhm.h, ecdh.h, ecdsa.h, ecjpake.h,
      ecp.h, rsa.h.
      The cryptographic mechanisms remain present, but they will only be
      accessible via the PSA API (psa_xxx functions introduced gradually
      starting with Mbed TLS 2.17) and, where relevant, pk.h.
      For guidance on migrating application code to the PSA API, please consult
      the PSA transition guide (docs/psa-transition.md).
  • The following integration interfaces are planned to be removed
    in Mbed TLS 4.0:
    • MBEDTLS_xxx_ALT replacement of cryptographic modules and functions.
      Use PSA transparent drivers instead.
    • MBEDTLS_PK_RSA_ALT and MBEDTLS_PSA_CRYPTO_SE_C.
      Use PSA opaque drivers instead.

Features

  • When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
    the number of volatile PSA keys is virtually unlimited, at the expense
    of increased code size. This option is off by default, but enabled in
    the default mbedtls_config.h. Fixes #9216.

Security

  • Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
    not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
    MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
    CVE-2024-45157
  • Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and
    mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the
    largest supported curve. In some configurations with PSA disabled,
    all values of bits are affected. This never happens in internal library
    calls, but can affect applications that call these functions directly.
    CVE-2024-45158
  • With TLS 1.3, when a server enables optional authentication of the
    client, if the client-provided certificate does not have appropriate values
    in keyUsage or extKeyUsage extensions, then the return value of
    mbedtls_ssl_get_verify_result() would incorrectly have the
    MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits
    clear. As a result, an attacker that had a certificate valid for uses other
    than TLS client authentication could be able to use it for TLS client
    authentication anyway. Only TLS 1.3 servers were affected, and only with
    optional authentication (required would abort the handshake with a fatal
    alert).
    CVE-2024-45159

Bugfix

  • Fix TLS 1.3 client build and runtime when support for session tickets is
    disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395.
  • Fix compilation error when memcpy() is a function-like macro. Fixes #8994.
  • MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled
    as soon as MBEDTLS_RSA_C is enabled. Fixes #9041.
  • Fix undefined behaviour (incrementing a NULL pointer by zero length) when
    passing in zero length additional data to multipart AEAD.
  • Fix rare concurrent access bug where attempting to operate on a
    non-existent key while concurrently creating a new key could potentially
    corrupt the key store.
  • Fix error handling when creating a key in a dynamic secure element
    (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
    the creation could return PSA_SUCCESS but using or destroying the key
    would not work. Fixes #8537.
  • Fix redefinition warnings for _GNU_SOURCE in entropy_poll.c and
    sha_256.c, which appeared as build warnings when building for Linux.
    Resolves #9026.
  • Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled.
  • Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in
    CMAC is enabled, but no built-in unauthenticated cipher is enabled.
    Fixes #9209.
  • Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled.
    Fixes #9029.
  • Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes
    long. Credit to Cryptofuzz. Fixes #9314.
  • Fix interference between PSA volatile keys and built-in keys
    when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and
    MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096.
  • Document and enforce the limitation of mbedtls_psa_register_se_key()
    to persistent keys. Resolves #9253.
  • Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled
    but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.
  • Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but
    MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.
  • When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled,
    some code was defining 0-size arrays, resulting in compilation errors.
    Fixed by disabling the offending code in configurations without PSA
    Crypto, where it never worked. Fixes #9311.
  • Fix unintended performance regression when using short RSA public keys.
    Fixes #9232.
  • Fix an issue where some TLS 1.2 clients could not connect to an
    Mbed TLS 3.6.0 server, due to incorrect handling of
    legacy_compression_methods in the ClientHello.
    Fixes #8995, #9243.
  • Fix TLS connections failing when the handshake selects TLS 1.3
    in an application that does not call psa_crypto_init().
    Fixes #9072.
  • Fix TLS connection failure in applications using an Mbed TLS client in
    the default configuration connecting to a TLS 1.3 server sending tickets.
    See the documentation of
    mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets() for more
    information.
    Fixes #8749.
  • Fix a memory leak that could occur when failing to process an RSA
    key through some PSA functions due to low memory conditions.
  • Fixed a regression introduced in 3.6.0 where the CA callback set with
    mbedtls_ssl_conf_ca_cb() would stop working when connections were...

Mbed TLS 2.28.9

30 Aug 13:15
5e146ad

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-term support branch. It will be supported with bug fixes and security fixes until the end of 2024.

Security Advisories

For full details, please see the following links:

Release Notes

Security

  • Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
    not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
    MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
    CVE-2024-45157

Bugfix

  • Fix the build in some configurations when check_config.h is not included.
    Fix #9152.
  • Fix redefinition warnings for _GNU_SOURCE in entropy_poll.c and
    sha_256.c, which appeared as build warnings when building for Linux.
    Resolves #9026.
  • Fix error handling when creating a key in a dynamic secure element
    (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
    the creation could return PSA_SUCCESS but using or destroying the key
    would not work. Fixes #8537.
  • Fix a memory leak that could occur when failing to process an RSA
    key through some PSA functions due to low memory conditions.
  • Document and enforce the limitation of mbedtls_psa_register_se_key()
    to persistent keys. Resolves #9253.

Who should update

We recommend that all users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.

Note

mbedtls-2.28.9.tar.bz2 is our official release file. source.tar.gz and source.zip are snapshots that GitHub generates automatically. They do not include external dependencies and cannot be configured.

Checksum

The SHA256 hash for the archive is:
e85ea97aaf78dd6c0a5ba2e54dd5932ffa15f39abfc189c26beef7684630c02b mbedtls-2.28.9.tar.bz2

Mbed TLS 3.6.0 LTS

28 Mar 15:05
2ca6c28

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

This release brings improved multithreaded operation, record size limit and early data support, and other TLS 1.3 improvements. TLS 1.3 support is now enabled by default.

Long-term support

Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.

Security Advisories

For full details, please see the following link:

Release notes are truncated on GitHub's releases page; please refer to the 3.6.0 release page.

Release Notes

API changes

  • Remove tls13_ in mbedtls_ssl_tls13_conf_early_data() and
    mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data
    feature may not be TLS 1.3 specific in the future. Fixes #6909.

Default behavior changes

  • psa_import_key() now only accepts RSA keys in the PSA standard formats.
    The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
    PEM) accepted by the pkparse module has been removed. Applications that
    need these formats can call mbedtls_pk_parse_{public,}key() followed by
    mbedtls_pk_import_into_psa().

Requirement changes

  • Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.

New deprecations

  • Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to
    MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still
    be used, but are deprecated.
  • In the PSA API, domain parameters are no longer used for anything.
    They are deprecated and will be removed in a future version of the
    library.
  • mbedtls_ecp_write_key() is deprecated in favor of
    mbedtls_ecp_write_key_ext().

Removals

  • In the PSA API, the experimental way to encode the public exponent of
    an RSA key as a domain parameter is no longer supported. Use
    psa_generate_key_ext() instead.
  • Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the
    same behavior, mbedtls_pk_get_psa_attributes() and
    mbedtls_pk_import_into_psa() can be used to import a PK key into PSA,
    while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into an
    opaque PK context.

Features

  • Added an example program showing how to hash with the PSA API.
  • Support Armv8-A Crypto Extension acceleration for SHA-256
    when compiling for Thumb (T32) or 32-bit Arm (A32).
  • AES-NI is now supported in Windows builds with clang and clang-cl.
    Resolves #8372.
  • Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows
    parsing unsupported certificate extensions via user provided callback.
  • Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit
    the decryption direction of block ciphers (AES, ARIA, Camellia).
    This affects both the low-level modules and the high-level APIs
    (the cipher and PSA interfaces). This option is incompatible with modes
    that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
  • Support use of Armv8-A Cryptographic Extensions for hardware-accelerated
    AES when compiling for Thumb (T32) or 32-bit Arm (A32).
  • If a cipher or AEAD mechanism has a PSA driver, you can now build the
    library without the corresponding built-in implementation. Generally
    speaking that requires both the key type and algorithm to be accelerated
    or they'll both be built in. However, for CCM and GCM the built-in
    implementation is able to take advantage of a driver that only
    accelerates the key type (that is, the block cipher primitive). See
    docs/driver-only-builds.md for full details and current limitations.
  • The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
    disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
    MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
  • Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
    size by disabling it in more circumstances. In particular, the CCM and
    GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
    MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all
    unauthenticated (non-AEAD) ciphers are disabled, or if they're all
    fully provided by drivers. See docs/driver-only-builds.md for full
    details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
    decryption still unconditionally depend on MBEDTLS_CIPHER_C.
  • Add support for the record size limit extension as defined by RFC 8449
    and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT.
    Application data sent and received will be fragmented according to the
    record size limits negotiated during the handshake.
  • Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
    hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
  • Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa()
    to convert between Mbed TLS and PSA curve identifiers.
  • Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
    gaps made by making its fields private: mbedtls_ecp_set_public_key(),
    mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(),
    mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
  • Add functions mbedtls_md_psa_alg_from_type() and
    mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
    psa_algorithm_t.
  • Add partial platform support for z/OS.
  • Improve performance for gcc (versions older than 9.3.0) and IAR.
  • Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to
    convert ECDSA signatures between raw and DER (ASN.1) formats.
  • Add support for using AES-CBC 128, 192, and 256 bit schemes
    with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse.
  • The new function mbedtls_rsa_get_bitlen() returns the length of the modulus
    in bits, i.e. the key size for an RSA key.
  • Add pc files for pkg-config, e.g.:
    pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
  • Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access
    mbedtls_ssl_session.ticket_creation_time.
  • The new functions mbedtls_pk_get_psa_attributes() and
    mbedtls_pk_import_into_psa() provide a uniform way to create a PSA
    key from a PK key.
  • The benchmark program now reports times for both ephemeral and static
    ECDH in all ECDH configurations.
  • Add support for 8-bit GCM tables for Shoup's algorithm to speed up GCM
    operations when hardware-accelerated AES is not present. Improves
    performance by around 30% on 64-bit Intel and 125% on Armv7-M.
  • The new function psa_generate_key_ext() allows generating an RSA
    key pair with a custom public exponent.
  • The new function mbedtls_ecp_write_key_ext() is similar to
    mbedtls_ecp_write_key(), but can be used without separately calculating
    the output length.
  • Add new accessor to expose the private group id member of
    mbedtls_ecdh_context structure.
  • Add new accessor to expose the MBEDTLS_PRIVATE(ca_istrue) member of
    mbedtls_x509_crt structure. This requires setting
    the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's
    ext_types field.
  • mbedtls_psa_get_random() is always available as soon as
    MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is
    called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be
    used as random number generator function (f_rng) and context (p_rng) in
    legacy functions.
  • The new functions mbedtls_pk_copy_from_psa() and
    mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context
    with the same content as a PSA key.
  • Add new accessors to expose the private session-id,
    session-id length, and ciphersuite-id members of
    mbedtls_ssl_session structure.
    Add new accessor to expose the ciphersuite-id of
    mbedtls_ssl_ciphersuite_t structure. Design ref: #8529
  • Mbed TLS now supports the writing and reading of TLS 1.3 early data (see
    docs/tls13-early-data.md). The support enablement is controlled at build
    time by the MBEDTLS_SSL_EARLY_DATA configuration option and at runtime by
    the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
  • Add protection for multithreaded access to the PSA keystore and protection
    for multithreaded access to the PSA global state, including
    concurrently calling psa_crypto_init() when MBEDTLS_THREADING_C and
    MBEDTLS_THREADING_PTHREAD are defined. See
    docs/architecture/psa-thread-safety/psa-thread-safety.md for more details.
    Resolves issues #3263 and #7945.

Security

  • Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3
    ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A
    malicious client could cause information disclosure or a denial of service.
  • Passing buffers that are stored in untrusted memory as arguments
    to PSA functions is now secure by default.
    The PSA core now protects against modification of inputs or exposure
    of intermediate outputs during operations. This is currently implemented
    by copying buffers.
    This feature increases code size and memory usage. If buffers passed to
    PSA functions are owned exclusively by the PSA core for the duration of
    the function call (i.e. no buffer parameters are in shared memory),
    copying...

Mbed TLS 2.28.8

28 Mar 15:04
5a764e5

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-term support branch. It will be supported with bug fixes and security fixes until the end of 2024.

Security Advisories

For full details, please see the following links:

Release Notes

Features

  • AES-NI is now supported in Windows builds with clang and clang-cl.
    Resolves #8372.
  • Add pc files for pkg-config, e.g.:
    pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)

Security

  • Passing buffers that are stored in untrusted memory as arguments
    to PSA functions is now secure by default.
    The PSA core now protects against modification of inputs or exposure
    of intermediate outputs during operations. This is currently implemented
    by copying buffers.
    This feature increases code size and memory usage. If buffers passed to
    PSA functions are owned exclusively by the PSA core for the duration of
    the function call (i.e. no buffer parameters are in shared memory),
    copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
    Note that setting this option will cause input-output buffer overlap to
    be only partially supported (#3266).
    Fixes CVE-2024-28960.

Bugfix

  • Fix the build with CMake when Everest is enabled through
    a user configuration file or the compiler command line. Fixes #8165.
  • Fix an inconsistency between implementations and usages of __cpuid,
    which mainly caused failures when building a Windows target with
    mingw or clang. Fixes #8334 & #8332.
  • Correct initial capacities for key derivation algorithms: TLS12_PRF,
    TLS12_PSK_TO_MS.
  • Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
    multiple of 8. Fixes #868.
  • Avoid a segmentation fault caused by releasing an uninitialized
    entropy resource in the gen_key example. Fixes #8809.
  • Fix missing bitflags in SSL session serialization headers. Their absence
    allowed SSL sessions saved in one configuration to be loaded in a
    different, incompatible configuration.
  • Fix the restoration of the ALPN when loading serialized connection with
    the mbedtls_ssl_context_load() API.
  • Fully support arbitrary overlap between inputs and outputs of PSA
    functions. Note that overlap is still only partially supported when
    MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).

Changes

  • Use heap memory to allocate DER encoded public/private key.
    This reduces stack usage significantly for writing a public/private
    key to a PEM string.
  • cmake: Use GNUInstallDirs to customize install directories.
    Replace the custom LIB_INSTALL_DIR variable with the standard
    CMAKE_INSTALL_LIBDIR variable. For backward compatibility, set
    CMAKE_INSTALL_LIBDIR if LIB_INSTALL_DIR is set.

Who should update

We recommend that all users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.

Note

mbedtls-2.28.8.tar.bz2 is our official release file. source.tar.gz and source.zip are snapshots that GitHub generates automatically. They do not include external dependencies and cannot be configured.

Checksum

The SHA256 hash for the archive is:
241c68402cef653e586be3ce28d57da24598eb0df13fcdea9d99bfce58717132 mbedtls-2.28.8.tar.bz2

Mbed TLS 3.5.2

26 Jan 10:18

Description

This release of Mbed TLS provides fixes for security issues.

Security Advisories

For full details, please see the following link:

Release Notes

Security

  • Fix a timing side channel in private key RSA operations. This side channel
    could be sufficient for an attacker to recover the plaintext. A local
    attacker or a remote attacker who is close to the victim on the network
    might have precise enough timing measurements to exploit this. It requires
    the attacker to send a large number of messages for decryption. For
    details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
    by Hubert Kario, Red Hat.
  • Fix a failure to validate input when writing X.509 extension lengths, which
    could result in an integer overflow, causing a zero-length buffer to be
    allocated to hold the extension. The extension would then be copied into
    the buffer, causing a heap buffer overflow.

Who should update

We recommend that all users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.

Checksum

The SHA256 hashes for the archives are:

35890edf1a2c7a7e29eac3118d43302c3e1173e0df0ebaf5db56126dabe5bb05 v3.5.2.tar.gz
eedecc468b3f8d052ef05a9d42bf63f04c8a1c50d1c5a94c251c681365a2c723 mbedtls-3.5.2.tar.gz

55c1525e7d5de18b84a1d1e5540950b4a3bac70e02889cf309919b2877cba63b v3.5.2.zip
fea0c12622044ef0d594361e83b2c2b5e4ca56bc1b44126ccca50872c7d6d4f6 mbedtls-3.5.2.zip

The URLs below point to the archives named vX.Y.Z.... When checking hashes, please be aware that due to GitHub's use of the Content-Disposition header, some clients will download the vX.Y.Z... archive and save it with the filename mbedtls-X.Y.Z....

Mbed TLS 2.28.7

26 Jan 10:18

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-term support branch. It will be supported with bug fixes and security fixes until the end of 2024.

Security Advisories

For full details, please see the following links:

Release Notes

Security

  • Fix a timing side channel in private key RSA operations. This side channel
    could be sufficient for an attacker to recover the plaintext. A local
    attacker or a remote attacker who is close to the victim on the network
    might have precise enough timing measurements to exploit this. It requires
    the attacker to send a large number of messages for decryption. For
    details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
    by Hubert Kario, Red Hat.
  • Fix a failure to validate input when writing X.509 extension lengths, which
    could result in an integer overflow, causing a zero-length buffer to be
    allocated to hold the extension. The extension would then be copied into
    the buffer, causing a heap buffer overflow.

Who should update

We recommend that all users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.

Checksum

The SHA256 hashes for the archives are:

4390bc4ab1ea9a1ddf3725f540d0f80838c656d1d7987a1cee8b4da43e4571de mbedtls-2.28.7.tar.gz
1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a v2.28.7.tar.gz

12f6e95435aa7510f74938fb1464d58c569c4b298b7044b7940758bbf6d5da04 mbedtls-2.28.7.zip
527ff2472f6c51436808242f4b626500555145a472ca0a2f30a3e68d52d9806e v2.28.7.zip

The URLs below point to the archives named vX.Y.Z.... When checking hashes, please be aware that due to GitHub's use of the Content-Disposition header, some clients will download the vX.Y.Z... archive and save it with the filename mbedtls-X.Y.Z....

Mbed TLS 3.5.1

08 Nov 18:00

Description

This release of Mbed TLS provides a license update, and a bugfix.

Release Notes

Changes

  • Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
    license. Users may choose which license they take the code under.

Bugfix

  • Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
    in CMake.

Who should update

We recommend that all users update at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:
2597419f1a4a79dd28e6f5edc5180aff7e83bd85548437e07dcf9f808ceccb76 mbedtls-3.5.1.tar.gz
959a492721ba036afc21f04d1836d874f93ac124cf47cf62c9bcd3a753e49bdb mbedtls-3.5.1.zip

Mbed TLS 2.28.6

08 Nov 18:00

Description

This release of Mbed TLS updates the license, but contains no other changes from 2.28.5.

Changes

  • Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
    license. Users may choose which license they take the code under.

Who should update

We recommend that users who need to take Mbed TLS under a GPL-2.0-or-later license update.

Checksum

The SHA256 hashes for the archives are:
737b088bb8877ff8f0fc404ebbc48f82486df3da4bfd5b28fa208a5967e42fb3 mbedtls-2.28.6.tar.gz
79e7679a1e88db56ee7c6e352ae6d24d67db2c2d102443343ea8938baa578d59 mbedtls-2.28.6.zip

Mbed TLS 3.5.0

05 Oct 17:14
1ec6906

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

This release brings in significant code-size reductions, partly depending on configuration. In particular, the new options MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_PSA_P256M_DRIVER_ENABLED may help you save code size.

Security Advisories

For full details, please see the following links:

Release Notes

API changes

  • Mbed TLS 3.4 introduced support for omitting the built-in implementation
    of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
    there was a flaw in the logic deciding whether the built-in implementation
    could be omitted, in that it failed to check whether all the relevant
    curves were supported by the accelerator. As a result, it was possible to
    declare no curves as accelerated and still have the built-in
    implementation compiled out.
    Starting with this release, it is necessary to declare which curves are
    accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
    considered not accelerated, and the built-in implementation of the curves
    and any algorithm possible using them will be included in the build.
  • Add new millisecond time type mbedtls_ms_time_t and mbedtls_ms_time()
    function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
    can be created using an ALT interface.

Requirement changes

  • Officially require Python 3.8 now that earlier versions are out of support.
  • Minimum required Windows version is now Windows Vista, or
    Windows Server 2008.

New deprecations

  • PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
    MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
    are now deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
    MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
    IMPORT, EXPORT, GENERATE, DERIVE. The goal is to describe the capabilities
    of the PSA side for each key type in finer detail.
  • MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
    MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
    maximum size of any supported block cipher) or the new name
    MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
    maximum size of a block cipher supported by the CMAC module).
  • mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
    deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
    mbedtls_pkcs12_pbe_ext() as they offer more security by checking
    for overflow of the output buffer and reporting the actual length
    of the output.

Features

  • All modules that use hashes or HMAC can now take advantage of PSA Crypto
    drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
    been called. Previously (in 3.3), this was restricted to a few modules,
    and only in builds where MBEDTLS_MD_C was disabled; in particular the
    entropy module was not covered, which meant an external RNG had to be
    provided; these limitations are lifted in this version. A new set of
    feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
    to check for availability of hash algorithms, regardless of whether
    they're provided by a built-in implementation, a driver or both. See
    docs/driver-only-builds.md.
  • When a PSA driver for ECDH is present, it is now possible to disable
    MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
    key exchanges based on ECDH(E) to work, this requires
    MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
    TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
    as PSA does not have an API for restartable ECDH yet.
  • When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
    a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
    if not required by another module) and still get support for ECC keys and
    algorithms in PSA, with some limitations. See docs/driver-only-builds.md
    for details.
  • Add parsing of the directoryName subtype of the subjectAltName extension in
    X.509 certificates.
  • Add support for server-side TLS version negotiation. If both TLS 1.2 and
    TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
    TLS 1.3 depending on the capabilities and preferences of TLS clients.
    Fixes #6867.
  • X.509 hostname verification now supports IPAddress Subject Alternative Names.
  • Add support for reading and writing X25519 and X448
    public and private keys in RFC 8410 format using the existing PK APIs.
  • When parsing X.509 certificates, support the extensions
    SignatureKeyIdentifier and AuthorityKeyIdentifier.
  • Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc.)
    if no PAKE algorithms are requested.
  • Add support for the FFDH algorithm and DH key types in PSA, with
    parameters from RFC 7919. This includes a built-in implementation based
    on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
    implementations of FFDH through the driver entry points.
  • It is now possible to generate certificates with SubjectAltNames.
    Currently supported subtypes: DnsName, UniformResourceIdentifier,
    IP address, OtherName, and DirectoryName, as defined in RFC 5280.
    See mbedtls_x509write_crt_set_subject_alternative_name for
    more information.
  • X.509 hostname verification now partially supports URI Subject Alternative
    Names. Only an exact match, without any of the normalization procedures
    described in Section 7.4 of RFC 5280, results in a positive URI verification.
  • Add function mbedtls_oid_from_numeric_string() to parse an OID from a
    string to a DER-encoded mbedtls_asn1_buf.
  • Add SHA-3 family hash functions.
  • Add support to restrict AES to 128-bit keys in order to save code size.
    A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
    used to enable this feature.
  • AES performance improvements. Uplift varies by platform,
    toolchain, optimisation flags and mode.
    AArch64, gcc -Os and the CCM, GCM and XTS modes benefit the most.
    On AArch64, uplift is typically around 20 - 110%.
    When compiling with gcc -Os on AArch64, AES-XTS improves
    by 4.5x.
  • Add support for PBKDF2-HMAC through the PSA API.
  • New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
    MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
    or DH) were introduced in order to have finer accuracy in defining the
    PSA capabilities for each key. These capabilities, named yyy above, can be
    any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
    • DERIVE is only available for ECC keys, not for RSA or DH ones.
    • Implementations are free to enable more than what was strictly
      requested. For example, BASIC internally enables IMPORT and EXPORT
      (useful for testing purposes), but this might change in the future.
  • Add support for FFDH key exchange in TLS 1.3.
    This is automatically enabled as soon as PSA_WANT_ALG_FFDH
    and the ephemeral or psk-ephemeral key exchange mode are enabled.
    By default, all groups are offered; the list of groups can be
    configured using the existing API function mbedtls_ssl_conf_groups().
  • Improve mbedtls_x509_time performance and reduce memory use.
  • Reduce syscalls to time() during certificate verification.
  • Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
    setting the CMake variable of the same name at configuration time.
  • Add getter (mbedtls_ssl_cache_get_timeout()) to access
    mbedtls_ssl_cache_context.timeout.
  • Add getter (mbedtls_ssl_get_hostname()) to access
    mbedtls_ssl_context.hostname.
  • Add getter (mbedtls_ssl_conf_get_endpoint()) to access
    mbedtls_ssl_config.endpoint.
  • Support for "opaque" (PSA-held) ECC keys in the PK module has been
    extended: it is now possible to use mbedtls_pk_write_key_der(),
    mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
    mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
    allow it).
  • The documentation of mbedtls_ecp_group now describes the optimized
    representation of A for some curves. Fixes #8045.
  • Add the possibility to generate CSRs with the RFC822 and directoryName
    subtypes of the subjectAltName extension in X.509 certificates.
  • Add support for PBKDF2-CMAC through the PSA API.
  • New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
    using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
    disables the plain C implementation and the run-time detection for the
    CPU feature, which reduces code size and avoids the vulnerability of the
    plain C implementation.
  • Accept arbitrary AttributeType and AttributeValue in certificate
    Distinguished Names using RFC 4514 syntax.
  • Applications using ECC over secp256r1 through the PSA API can use a
    new implementation with a much smaller footprint, but some minor
    usage restrictions. See the documentation of the new configuration
    option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
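The mbedtls_oid_from_numeric_string() item above turns a dotted-decimal OID into DER content octets. The following C is an added, self-contained illustration of what that conversion involves (X.690 base-128 subidentifiers, the first two arcs merged into one, syntax and output-buffer checks); it is not Mbed TLS's own code, and the function names, the 32-arc limit and the test helper are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Write one arc in base-128, high digit first, continuation bit 0x80 on all
 * but the last digit (X.690 8.19.2). Returns bytes written, 0 if out is too small. */
static size_t encode_arc(uint32_t arc, unsigned char *out, size_t out_len)
{
    unsigned char tmp[5]; size_t n = 0;  /* a 32-bit arc needs at most five 7-bit digits */
    do {
        tmp[n++] = (unsigned char)(arc & 0x7F);
        arc >>= 7;
    } while (arc != 0);
    if (n > out_len) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0));
    return n;
}
/* Convert a dotted-decimal OID such as "2.5.29.17" into DER content octets (no tag
 * or length). Returns the content length, or 0 on error: bad syntax, fewer than two
 * arcs, first arc > 2, second arc > 39 under arcs 0 and 1, an arc above 2^32-1,
 * more than 32 arcs (a limit assumed here), or an output buffer that is too small. */
size_t oid_from_numeric_string(const char *s, unsigned char *out, size_t out_len)
{
    uint32_t arcs[32]; size_t count = 0, written = 0;
    for (const char *p = s;;) {
        char *end;
        if (*p < '0' || *p > '9' || count == 32) return 0;  /* no empty arcs, signs, spaces */
        unsigned long long v = strtoull(p, &end, 10);
        if (v > UINT32_MAX) return 0;
        arcs[count++] = (uint32_t)v;
        if (*end == '\0') break;
        if (*end != '.') return 0;
        p = end + 1;
    }
    if (count < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    if (arcs[1] > UINT32_MAX - 40 * arcs[0]) return 0;
    arcs[1] += 40 * arcs[0];  /* X.690 8.19.4: the first two arcs share one subidentifier */
    for (size_t i = 1; i < count; i++) {
        size_t n = encode_arc(arcs[i], out + written, out_len - written);
        if (n == 0) return 0;
        written += n;
    }
    return written;
}
/* Test helper: encode s into an out_len-byte buffer; 1 iff the result equals expected. */
int oid_encodes_to(const char *s, size_t out_len, const unsigned char *expected, size_t expected_len)
{
    unsigned char buf[64];
    size_t n = oid_from_numeric_string(s, buf, out_len < sizeof buf ? out_len : sizeof buf);
    return n == expected_len && memcmp(buf, expected, n) == 0;
}
```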

Security

  • Fix a case where potentially sensitive information held in memory would not
    be completely zeroized during TLS 1.2 handshake, in both server and client
    configurations.
  • In configu...