Mbedtls Versions Save

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.

v3.6.0

1 month ago

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

This release brings in improved multithreaded operations, record-size-limit and early-data support, and other TLS 1.3 improvements. TLS 1.3 support is now enabled by default.

Long-term support

Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.

Security Advisories

For full details, please see the following link:

Release notes are truncated on GitHub's releases page; please refer to the 3.6.0 release page.

Release Notes

API changes

  • Remove tls13_ in mbedtls_ssl_tls13_conf_early_data() and mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data feature may not be TLS 1.3 specific in the future. Fixes #6909.

Default behavior changes

  • psa_import_key() now only accepts RSA keys in the PSA standard formats. The undocumented ability to import other formats (PKCS#8, SubjectPublicKey, PEM) accepted by the pkparse module has been removed. Applications that need these formats can call mbedtls_pk_parse_{public,}key() followed by mbedtls_pk_import_into_psa().

Requirement changes

  • Drop support for Visual Studio 2013 and 2015, and Arm Compiler 5.

New deprecations

  • Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still be used, but are deprecated.
  • In the PSA API, domain parameters are no longer used for anything. They are deprecated and will be removed in a future version of the library.
  • mbedtls_ecp_write_key() is deprecated in favor of mbedtls_ecp_write_key_ext().

Removals

  • In the PSA API, the experimental way to encode the public exponent of an RSA key as a domain parameter is no longer supported. Use psa_generate_key_ext() instead.
  • Temporary function mbedtls_pk_wrap_as_opaque() is removed. To mimic the same behavior, mbedtls_pk_get_psa_attributes() and mbedtls_pk_import_into_psa() can be used to import a PK key into PSA, while mbedtls_pk_setup_opaque() can be used to wrap a PSA key into an opaque PK context.

Features

  • Added an example program showing how to hash with the PSA API.
  • Support Armv8-A Crypto Extension acceleration for SHA-256 when compiling for Thumb (T32) or 32-bit Arm (A32).
  • AES-NI is now supported in Windows builds with clang and clang-cl. Resolves #8372.
  • Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via a user-provided callback.
  • Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit the decryption direction of block ciphers (AES, ARIA, Camellia). This affects both the low-level modules and the high-level APIs (the cipher and PSA interfaces). This option is incompatible with modes that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
  • Support use of Armv8-A Cryptographic Extensions for hardware accelerated AES when compiling for Thumb (T32) or 32-bit Arm (A32).
  • If a cipher or AEAD mechanism has a PSA driver, you can now build the library without the corresponding built-in implementation. Generally speaking that requires both the key type and algorithm to be accelerated or they'll both be built in. However, for CCM and GCM the built-in implementation is able to take advantage of a driver that only accelerates the key type (that is, the block cipher primitive). See docs/driver-only-builds.md for full details and current limitations.
  • The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
  • Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code size by disabling it in more circumstances. In particular, the CCM and GCM modules no longer depend on MBEDTLS_CIPHER_C. Also, MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all unauthenticated (non-AEAD) ciphers are disabled, or if they're all fully provided by drivers. See docs/driver-only-builds.md for full details and current limitations; in particular, NIST_KW and PKCS5/PKCS12 decryption still unconditionally depend on MBEDTLS_CIPHER_C.
  • Add support for record size limit extension as defined by RFC 8449 and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT. Application data sent and received will be fragmented according to Record size limits negotiated during handshake.
  • Improve performance of AES-GCM, AES-CTR and CTR-DRBG when hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
  • Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa() to convert between Mbed TLS and PSA curve identifiers.
  • Add utility functions to manipulate mbedtls_ecp_keypair objects, filling gaps made by making its fields private: mbedtls_ecp_set_public_key(), mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(), mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
  • Add functions mbedtls_md_psa_alg_from_type() and mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and psa_algorithm_t.
  • Add partial platform support for z/OS.
  • Improve performance for gcc (versions older than 9.3.0) and IAR.
  • Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to convert ECDSA signatures between raw and DER (ASN.1) formats.
  • Add support for using AES-CBC 128, 192, and 256 bit schemes with PKCS#5 PBES2. Keys encrypted this way can now be parsed by PK parse.
  • The new function mbedtls_rsa_get_bitlen() returns the length of the modulus in bits, i.e. the key size for an RSA key.
  • Add pc files for pkg-config, e.g.: pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
  • Add getter (mbedtls_ssl_session_get_ticket_creation_time()) to access mbedtls_ssl_session.ticket_creation_time.
  • The new functions mbedtls_pk_get_psa_attributes() and mbedtls_pk_import_into_psa() provide a uniform way to create a PSA key from a PK key.
  • The benchmark program now reports times for both ephemeral and static ECDH in all ECDH configurations.
  • Add support for 8-bit GCM tables for Shoup's algorithm to speedup GCM operations when hardware accelerated AES is not present. Improves performance by around 30% on 64-bit Intel; 125% on Armv7-M.
  • The new function psa_generate_key_ext() allows generating an RSA key pair with a custom public exponent.
  • The new function mbedtls_ecp_write_key_ext() is similar to mbedtls_ecp_write_key(), but can be used without separately calculating the output length.
  • Add new accessor to expose the private group id member of mbedtls_ecdh_context structure.
  • Add new accessor to expose the MBEDTLS_PRIVATE(ca_istrue) member of mbedtls_x509_crt structure. This requires setting the MBEDTLS_X509_EXT_BASIC_CONSTRAINTS bit in the certificate's ext_types field.
  • mbedtls_psa_get_random() is always available as soon as MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be used as random number generator function (f_rng) and context (p_rng) in legacy functions.
  • The new functions mbedtls_pk_copy_from_psa() and mbedtls_pk_copy_public_from_psa() provide ways to set up a PK context with the same content as a PSA key.
  • Add new accessors to expose the private session-id, session-id length, and ciphersuite-id members of mbedtls_ssl_session structure. Add new accessor to expose the ciphersuite-id of mbedtls_ssl_ciphersuite_t structure. Design ref: #8529.
  • Mbed TLS now supports the writing and reading of TLS 1.3 early data (see docs/tls13-early-data.md). The support enablement is controlled at build time by the MBEDTLS_SSL_EARLY_DATA configuration option and at runtime by the mbedtls_ssl_conf_early_data() API (by default disabled in both cases).
  • Add protection for multithreaded access to the PSA keystore and protection for multithreaded access to the PSA global state, including concurrently calling psa_crypto_init() when MBEDTLS_THREADING_C and MBEDTLS_THREADING_PTHREAD are defined. See docs/architecture/psa-thread-safety/psa-thread-safety.md for more details. Resolves issues #3263 and #7945.

Security

  • Fix a stack buffer overread (less than 256 bytes) when parsing a TLS 1.3 ClientHello in a TLS 1.3 server supporting some PSK key exchange mode. A malicious client could cause information disclosure or a denial of service.
  • Passing buffers that are stored in untrusted memory as arguments to PSA functions is now secure by default. The PSA core now protects against modification of inputs or exposure of intermediate outputs during operations. This is currently implemented by copying buffers. This feature increases code size and memory usage. If buffers passed to PSA functions are owned exclusively by the PSA core for the duration of the function call (i.e. no buffer parameters are in shared memory), copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. Note that setting this option will cause input-output buffer overlap to be only partially supported (#3266). Fixes CVE-2024-28960.
  • Restore the maximum TLS version to be negotiated to the configured one when an SSL context is reset with the mbedtls_ssl_session_reset() API. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e. Fixes CVE-2024-28755.
  • When negotiating TLS version on server side, do not fall back to the TLS 1.2 implementation of the protocol if it is disabled.
    • If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 client could put the TLS 1.3-only server in an infinite loop processing a TLS 1.2 ClientHello, resulting in a denial of service. Reported by Matthias Mucha and Thomas Blattmann, SICK AG.
    • If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client was able to successfully establish a TLS 1.2 connection with the server. Reported by alluettiv on GitHub. Fixes CVE-2024-28836.

Bugfix

  • Fix the build with CMake when Everest or P256-m is enabled through a user configuration file or the compiler command line. Fixes #8165.
  • Fix compilation error in C++ programs when MBEDTLS_ASN1_PARSE_C is disabled.
  • Fix possible NULL dereference issue in X509 cert_req program if an entry in the san parameter is not separated by a colon.
  • Fix possible NULL dereference issue in X509 cert_write program if an entry in the san parameter is not separated by a colon.
  • Fix an inconsistency between implementations and usages of __cpuid, which mainly causes failures when building Windows target using mingw or clang. Fixes #8334 & #8332.
  • Fix build failure in conda-forge. Fixes #8422.
  • Fix parsing of CSRs with critical extensions.
  • Switch to milliseconds as the unit for ticket creation and reception time instead of seconds. That avoids rounding errors when computing the age of tickets compared to peer using a millisecond clock (observed with GnuTLS). Fixes #6623.
  • Fix TLS server accepting TLS 1.2 handshake while TLS 1.2 is disabled at runtime. Fixes #8593.
  • Remove accidental introduction of RSA signature algorithms in TLS Suite B Profile. Fixes #8221.
  • Fix unsupported PSA asymmetric encryption and decryption (psa_asymmetric_[en|de]crypt) with opaque keys. Resolves #8461.
  • On Linux on ARMv8, fix a build error with SHA-256 and SHA-512 acceleration detection when the libc headers do not define the corresponding constant. Reported by valord577.
  • Correct initial capacities for key derivation algorithms: TLS12_PRF, TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC.
  • Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a multiple of 8. Fixes #868.
  • Avoid segmentation fault caused by releasing not initialized entropy resource in gen_key example. Fixes #8809.
  • mbedtls_pem_read_buffer() now performs a check on the padding data of decrypted keys and it rejects invalid ones.
  • Fix mbedtls_pk_sign(), mbedtls_pk_verify(), mbedtls_pk_decrypt() and mbedtls_pk_encrypt() on non-opaque RSA keys to honor the padding mode in the RSA context. Before, if MBEDTLS_USE_PSA_CRYPTO was enabled and the RSA context was configured for PKCS#1 v2.1 (PSS/OAEP), the sign/verify functions performed a PKCS#1 v1.5 signature instead and the encrypt/decrypt functions returned an error. Fixes #8824.
  • Fix missing bitflags in SSL session serialization headers. Their absence allowed SSL sessions saved in one configuration to be loaded in a different, incompatible configuration.
  • In TLS 1.3 clients, fix an interoperability problem due to the client generating a new random after a HelloRetryRequest. Fixes #8669.
  • Fix the restoration of the ALPN when loading serialized connection with the mbedtls_ssl_context_load() API.
  • Fix NULL pointer dereference in mbedtls_pk_verify_ext() when called using an opaque RSA context and specifying MBEDTLS_PK_RSASSA_PSS as key type.
  • Fix RSA opaque keys always using PKCS1 v1.5 algorithms instead of the primary algorithm of the wrapped PSA key.
  • Fully support arbitrary overlap between inputs and outputs of PSA functions. Note that overlap is still only partially supported when MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).

Changes

  • Use heap memory to allocate DER encoded public/private key. This reduces stack usage significantly for writing a public/private key to a PEM string.
  • PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and they are now treated separately. This means that they should be individually enabled in order to enable respective support; also the corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case acceleration is required.
  • Moved declaration of functions mbedtls_ecc_group_to_psa and mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h.
  • mbedtls_pk_sign_ext() is now always available, not just when PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.
  • Extended PSA Crypto configuration options for FFDH by making it possible to select only some of the parameters / groups, with the macros PSA_WANT_DH_RFC7919_XXXX. You now need to define the corresponding macro for each size you want to support. Also, if you have an FFDH accelerator, you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal support for these domain parameters.
  • RSA support in PSA no longer auto-enables the pkparse and pkwrite modules, saving code size when those are not otherwise enabled.
  • mbedtls_mpi_exp_mod and code that uses it, notably RSA and DHM operations, have changed their speed/memory compromise as part of a proactive security improvement. The new default value of MBEDTLS_MPI_WINDOW_SIZE roughly preserves the current speed, at the expense of increasing memory consumption.
  • Rename directory containing Visual Studio files from visualc/VS2013 to visualc/VS2017.
  • The TLS 1.3 protocol is now enabled in the default configuration.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Note

mbedtls-3.6.0.tar.bz2 is our official release file. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies, and can't be configured.

Checksum

The SHA256 hashes for the archives are:

3ecf94fcfdaacafb757786a01b7538a61750ebd85c4b024f56ff8ba1490fcd38 mbedtls-3.6.0.tar.bz2

v2.28.8

1 month ago

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-term support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following links:

Release Notes

Features

  • AES-NI is now supported in Windows builds with clang and clang-cl. Resolves #8372.
  • Add pc files for pkg-config, e.g.: pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)

Security

  • Passing buffers that are stored in untrusted memory as arguments to PSA functions is now secure by default. The PSA core now protects against modification of inputs or exposure of intermediate outputs during operations. This is currently implemented by copying buffers. This feature increases code size and memory usage. If buffers passed to PSA functions are owned exclusively by the PSA core for the duration of the function call (i.e. no buffer parameters are in shared memory), copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. Note that setting this option will cause input-output buffer overlap to be only partially supported (#3266). Fixes CVE-2024-28960.

Bugfix

  • Fix the build with CMake when Everest is enabled through a user configuration file or the compiler command line. Fixes #8165.
  • Fix an inconsistency between implementations and usages of __cpuid, which mainly causes failures when building Windows target using mingw or clang. Fixes #8334 & #8332.
  • Correct initial capacities for key derivation algorithms: TLS12_PRF, TLS12_PSK_TO_MS.
  • Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a multiple of 8. Fixes #868.
  • Avoid segmentation fault caused by releasing not initialized entropy resource in gen_key example. Fixes #8809.
  • Fix missing bitflags in SSL session serialization headers. Their absence allowed SSL sessions saved in one configuration to be loaded in a different, incompatible configuration.
  • Fix the restoration of the ALPN when loading serialized connection with the mbedtls_ssl_context_load() API.
  • Fully support arbitrary overlap between inputs and outputs of PSA functions. Note that overlap is still only partially supported when MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).

Changes

  • Use heap memory to allocate DER encoded public/private key. This reduces stack usage significantly for writing a public/private key to a PEM string.
  • cmake: Use GnuInstallDirs to customize install directories. Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if LIB_INSTALL_DIR is set.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Note

mbedtls-2.28.8.tar.bz2 is our official release file. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies, and can't be configured.

Checksum

The SHA256 hashes for the archives are:

241c68402cef653e586be3ce28d57da24598eb0df13fcdea9d99bfce58717132 mbedtls-2.28.8.tar.bz2

v3.5.2

3 months ago

Description

This release of Mbed TLS provides fixes for security issues.

Security Advisories

For full details, please see the following link:

Release Notes

Security

  • Fix a timing side channel in private key RSA operations. This side channel could be sufficient for an attacker to recover the plaintext. A local attacker or a remote attacker who is close to the victim on the network might have precise enough timing measurements to exploit this. It requires the attacker to send a large number of messages for decryption. For details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported by Hubert Kario, Red Hat.
  • Fix a failure to validate input when writing x509 extensions lengths which could result in an integer overflow, causing a zero-length buffer to be allocated to hold the extension. The extension would then be copied into the buffer, causing a heap buffer overflow.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

35890edf1a2c7a7e29eac3118d43302c3e1173e0df0ebaf5db56126dabe5bb05 v3.5.2.tar.gz
eedecc468b3f8d052ef05a9d42bf63f04c8a1c50d1c5a94c251c681365a2c723 mbedtls-3.5.2.tar.gz
55c1525e7d5de18b84a1d1e5540950b4a3bac70e02889cf309919b2877cba63b v3.5.2.zip
fea0c12622044ef0d594361e83b2c2b5e4ca56bc1b44126ccca50872c7d6d4f6 mbedtls-3.5.2.zip

The URLs below point to the archives named vX.Y.Z.... When checking hashes, please be aware that due to GitHub's use of the Content-Disposition header, some clients will download the vX.Y.Z... archive and save it with the filename mbedtls-X.Y.Z....

v2.28.7

3 months ago

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-term support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following links:

Release Notes

Security

  • Fix a timing side channel in private key RSA operations. This side channel could be sufficient for an attacker to recover the plaintext. A local attacker or a remote attacker who is close to the victim on the network might have precise enough timing measurements to exploit this. It requires the attacker to send a large number of messages for decryption. For details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported by Hubert Kario, Red Hat.
  • Fix a failure to validate input when writing x509 extensions lengths which could result in an integer overflow, causing a zero-length buffer to be allocated to hold the extension. The extension would then be copied into the buffer, causing a heap buffer overflow.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

4390bc4ab1ea9a1ddf3725f540d0f80838c656d1d7987a1cee8b4da43e4571de mbedtls-2.28.7.tar.gz
1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a v2.28.7.tar.gz
12f6e95435aa7510f74938fb1464d58c569c4b298b7044b7940758bbf6d5da04 mbedtls-2.28.7.zip
527ff2472f6c51436808242f4b626500555145a472ca0a2f30a3e68d52d9806e v2.28.7.zip

The URLs below point to the archives named vX.Y.Z.... When checking hashes, please be aware that due to GitHub's use of the Content-Disposition header, some clients will download the vX.Y.Z... archive and save it with the filename mbedtls-X.Y.Z....

v3.5.1

6 months ago

Description

This release of Mbed TLS provides a license update, and a bugfix.

Release Notes

Changes

  • Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later license. Users may choose which license they take the code under.

Bugfix

  • Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules in CMake.

Who should update

We recommend all users should update at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

2597419f1a4a79dd28e6f5edc5180aff7e83bd85548437e07dcf9f808ceccb76 mbedtls-3.5.1.tar.gz
959a492721ba036afc21f04d1836d874f93ac124cf47cf62c9bcd3a753e49bdb mbedtls-3.5.1.zip

v2.28.6

6 months ago

Description

This release of Mbed TLS updates the license, but contains no other changes from 2.28.5.

Changes

  • Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later license. Users may choose which license they take the code under.

Who should update

We recommend users who need to take Mbed TLS under a GPL-2.0-or-later license should update.

Checksum

The SHA256 hashes for the archives are:

737b088bb8877ff8f0fc404ebbc48f82486df3da4bfd5b28fa208a5967e42fb3 mbedtls-2.28.6.tar.gz
79e7679a1e88db56ee7c6e352ae6d24d67db2c2d102443343ea8938baa578d59 mbedtls-2.28.6.zip

mbedtls-2.28.5

7 months ago

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-term support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following links:

Release Notes

Features

  • The documentation of mbedtls_ecp_group now describes the optimized representation of A for some curves. Fixes #8045.

Security

  • Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should review the size of the output buffer passed to these functions, and note that the output after decryption may include CBC padding. Consider moving to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext(), which check for overflow of the output buffer and report the actual length of the output.
  • Improve padding calculations in CBC decryption, NIST key unwrapping and RSA OAEP decryption. With the previous implementation, some compilers (notably recent versions of Clang and IAR) could produce non-constant time code, which could allow a padding oracle attack if the attacker has access to precise timing measurements.
  • Fix a buffer overread when parsing short TLS application data records in ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz.
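The CBC padding item above concerns how the padding bytes are validated after decryption. The following constructed C example, added here and not taken from Mbed TLS, places the early-exit form of a PKCS#7 padding check next to a branch-free form that always inspects the whole last block; the function names and the sample buffers are invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: PKCS#7 padding removal after CBC decryption, in an
 * early-exit form and in a branch-free form. Not Mbed TLS code. */

/* 0xFFFFFFFF if x != 0, else 0, computed without a data-dependent branch. */
static uint32_t ct_mask_nonzero(uint32_t x)
{
    return 0u - ((x | (0u - x)) >> 31);
}

/* 0xFFFFFFFF if a < b, else 0. Both inputs must be below 2^31 (true for
 * byte values and block sizes), otherwise the sign trick does not hold. */
static uint32_t ct_mask_lt(uint32_t a, uint32_t b)
{
    return 0u - ((a - b) >> 31);
}

/* Early-exit check: how many bytes are compared and where the function
 * returns depends on the decrypted (secret) bytes, which is what a padding
 * oracle measures. */
int pkcs7_unpad_naive(const uint8_t *buf, size_t len, size_t block, size_t *out_len)
{
    if (len == 0 || len % block != 0) {
        return -1;
    }
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > block) {
        return -1;                       /* returns before reading the data */
    }
    for (size_t i = 1; i <= pad; i++) {
        if (buf[len - i] != pad) {
            return -1;                   /* stops at the first mismatch */
        }
    }
    *out_len = len - pad;
    return 0;
}

/* Branch-free check: always reads the whole last block, folds every
 * condition into a mask, and derives both the result and the output length
 * from that mask. Only the ciphertext length, which is public, is branched on. */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t block, size_t *out_len)
{
    if (len == 0 || len % block != 0 || block > 255) {
        return -1;
    }
    uint32_t pad = buf[len - 1];
    uint32_t bad = ~ct_mask_nonzero(pad);            /* pad == 0 */
    bad |= ct_mask_lt((uint32_t)block, pad);         /* pad > block */

    for (uint32_t i = 1; i <= (uint32_t)block; i++) {
        uint32_t in_pad = ct_mask_lt(i - 1, pad);    /* i <= pad */
        uint32_t differs = ct_mask_nonzero(buf[len - i] ^ pad);
        bad |= in_pad & differs;                     /* counted only inside the padding */
    }

    size_t bad_sz = (size_t)0 - (size_t)(bad & 1u);
    *out_len = (len - pad) & ~bad_sz;                /* 0 when the padding is invalid */
    return -(int)(bad & 1u);
}

/* Constructed sample: a 32-byte "decrypted" buffer of 'A' bytes with `pad`
 * trailing bytes of value `pad`; with `corrupt` set, the first padding byte
 * is flipped so the padding is malformed. */
void make_sample(uint8_t out[32], uint8_t pad, int corrupt)
{
    memset(out, 'A', 32);
    for (size_t i = 1; i <= pad && i <= 32; i++) {
        out[32 - i] = pad;
    }
    out[31] = pad;                       /* also covers the pad == 0 case */
    if (corrupt && pad > 1) {
        out[32 - pad] ^= 0x01;
    }
}
```

The hardened form only guarantees that the source has no secret-dependent branches; as the item above notes, a compiler can still reintroduce them, so the generated code is what ultimately has to be checked.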

Bugfix

  • Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when using ECC key. The certificate was rejected by some crypto frameworks. Fixes #2924.
  • Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA signature can silently return an incorrect result in low memory conditions.
  • Fix IAR compiler warnings. Fixes #7873, #4300.
  • Fix an issue when parsing an otherName subject alternative name into a mbedtls_x509_san_other_name struct. The type-id of the otherName was not copied to the struct. This meant that the struct had incomplete information about the otherName SAN and contained uninitialized memory.
  • Fix the detection of HardwareModuleName otherName SANs. These were being detected by comparing the wrong field and the check was erroneously inverted.
  • Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
  • Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx error code on failure. Before, they returned 1 to indicate failure in some cases involving a missing entry or a full cache.

Changes

  • In configurations with ARIA or Camellia but not AES, the value of MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might suggest. This did not affect any library code, because this macro was only used in relation with CMAC which does not support these ciphers. Its value is now 16 if ARIA or Camellia are present. This may affect application code that uses this macro.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

dbd42a11c26143aa8de1c07fd6ec6765395e86b06f583f051cfa60e8f0b23125 mbedtls-2.28.5.tar.gz
d3a6c0a9746ccae0e36ab914064ce37b0e2d92ccca909e4fd5f8015b51f34456 mbedtls-2.28.5.zip

mbedtls-3.5.0

7 months ago

Description

This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.

This release brings in significant code-size reductions, partly depending on configuration. In particular, the new options MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_PSA_P256M_DRIVER_ENABLED may help you save code size.

Security Advisories

For full details, please see the following links:

Release Notes

API changes

  • Mbed TLS 3.4 introduced support for omitting the built-in implementation of ECDSA and/or EC J-PAKE when those are provided by a driver. However, there was a flaw in the logic that decided whether the built-in implementation could be omitted: it failed to check whether all the relevant curves were supported by the accelerator. As a result, it was possible to declare no curves as accelerated and still have the built-in implementation compiled out. Starting with this release, it is necessary to declare which curves are accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be considered not accelerated, and the built-in implementation of the curves and any algorithm possible using them will be included in the build.
  • Add new millisecond time type mbedtls_ms_time_t and mbedtls_ms_time() function, needed for TLS 1.3 ticket lifetimes. Alternative implementations can be created using an ALT interface.

Requirement changes

  • Officially require Python 3.8 now that earlier versions are out of support.
  • Minimum required Windows version is now Windows Vista, or Windows Server 2008.

New deprecations

  • PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA, are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC, IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about the capabilities of the PSA side for either key.
  • MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests: maximum size of any supported block cipher) or the new name MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics: maximum size of a block cipher supported by the CMAC module).
  • mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now deprecated in favor of mbedtls_pkcs5_pbes2_ext() and mbedtls_pkcs12_pbe_ext() as they offer more security by checking for overflow of the output buffer and reporting the actual length of the output.

Features

  • All modules that use hashes or HMAC can now take advantage of PSA Crypto drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has been called. Previously (in 3.3), this was restricted to a few modules, and only in builds where MBEDTLS_MD_C was disabled; in particular the entropy module was not covered which meant an external RNG had to be provided - these limitations are lifted in this version. A new set of feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used to check for availability of hash algorithms, regardless of whether they're provided by a built-in implementation, a driver or both. See docs/driver-only-builds.md.
  • When a PSA driver for ECDH is present, it is now possible to disable MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2 key exchanges based on ECDH(E) to work, this requires MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet, as PSA does not have an API for restartable ECDH yet.
  • When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C if not required by another module) and still get support for ECC keys and algorithms in PSA, with some limitations. See docs/driver-only-builds.txt for details.
  • Add parsing of directoryName subtype for subjectAltName extension in x509 certificates.
  • Add support for server-side TLS version negotiation. If both TLS 1.2 and TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or TLS 1.3 depending on the capabilities and preferences of TLS clients. Fixes #6867.
  • X.509 hostname verification now supports IPAddress Subject Alternate Names.
  • Add support for reading and writing X25519 and X448 public and private keys in RFC 8410 format using the existing PK APIs.
  • When parsing X.509 certificates, support the extensions SignatureKeyIdentifier and AuthorityKeyIdentifier.
  • Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc.) if no PAKE algorithms are requested.
  • Add support for the FFDH algorithm and DH key types in PSA, with parameters from RFC 7919. This includes a built-in implementation based on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative implementations of FFDH through the driver entry points.
  • It is now possible to generate certificates with SubjectAltNames. Currently supported subtypes: DnsName, UniformResourceIdentifier, IP address, OtherName, and DirectoryName, as defined in RFC 5280. See mbedtls_x509write_crt_set_subject_alternative_name for more information.
  • X.509 hostname verification now partially supports URI Subject Alternate Names. Only exact matching, without any of the normalization procedures described in section 7.4 of RFC 5280, will result in a positive URI verification.
  • Add function mbedtls_oid_from_numeric_string() to parse an OID from a string to a DER-encoded mbedtls_asn1_buf.
  • Add SHA-3 family hash functions.
  • Add support to restrict AES to 128-bit keys in order to save code size. A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be used to enable this feature.
  • AES performance improvements. Uplift varies by platform, toolchain, optimisation flags and mode. Aarch64, gcc -Os and CCM, GCM and XTS benefit the most. On Aarch64, uplift is typically around 20 - 110%. When compiling with gcc -Os on Aarch64, AES-XTS improves by 4.5x.
  • Add support for PBKDF2-HMAC through the PSA API.
  • New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA or DH) were introduced in order to have finer accuracy in defining the PSA capabilities for each key. These capabilities, named yyy above, can be any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
    • DERIVE is only available for ECC keys, not for RSA or DH ones.
    • Implementations are free to enable more than what was strictly requested. For example, BASIC internally enables IMPORT and EXPORT (useful for testing purposes), but this might change in the future.
  • Add support for FFDH key exchange in TLS 1.3. This is automatically enabled as soon as PSA_WANT_ALG_FFDH and the ephemeral or psk-ephemeral key exchange mode are enabled. By default, all groups are offered; the list of groups can be configured using the existing API function mbedtls_ssl_conf_groups().
  • Improve mbedtls_x509_time performance and reduce memory use.
  • Reduce syscalls to time() during certificate verification.
  • Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by setting the CMake variable of the same name at configuration time.
  • Add getter (mbedtls_ssl_cache_get_timeout()) to access mbedtls_ssl_cache_context.timeout.
  • Add getter (mbedtls_ssl_get_hostname()) to access mbedtls_ssl_context.hostname.
  • Add getter (mbedtls_ssl_conf_get_endpoint()) to access mbedtls_ssl_config.endpoint.
  • Support for "opaque" (PSA-held) ECC keys in the PK module has been extended: it is now possible to use mbedtls_pk_write_key_der(), mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes allow it).
  • The documentation of mbedtls_ecp_group now describes the optimized representation of A for some curves. Fixes #8045.
  • Add the possibility to generate CSRs with the RFC822 and directoryName subtypes of the subjectAltName extension in x509 certificates.
  • Add support for PBKDF2-CMAC through the PSA API.
  • New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option disables the plain C implementation and the run-time detection for the CPU feature, which reduces code size and avoids the vulnerability of the plain C implementation.
  • Accept arbitrary AttributeType and AttributeValue in certificate Distinguished Names using RFC 4514 syntax.
  • Applications using ECC over secp256r1 through the PSA API can use a new implementation with a much smaller footprint, but some minor usage restrictions. See the documentation of the new configuration option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.

Security

  • Fix a case where potentially sensitive information held in memory would not be completely zeroized during TLS 1.2 handshake, in both server and client configurations.
  • In configurations with ARIA or Camellia but not AES, the value of MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might suggest. This did not affect any library code, because this macro was only used in relation with CMAC which does not support these ciphers. This may affect application code that uses this macro.
  • Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should review the size of the output buffer passed to these functions, and note that the output after decryption may include CBC padding. Consider moving to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext(), which check for overflow of the output buffer and report the actual length of the output.
  • Improve padding calculations in CBC decryption, NIST key unwrapping and RSA OAEP decryption. With the previous implementation, some compilers (notably recent versions of Clang and IAR) could produce non-constant time code, which could allow a padding oracle attack if the attacker has access to precise timing measurements.
  • Updates to constant-time C code so that compilers are less likely to use conditional instructions, which can have an observable difference in timing. (Clang has been seen to do this.) Also introduce assembly implementations for 32- and 64-bit Arm and for x86 and x86-64, which are guaranteed not to use conditional instructions.
  • Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was undefined. Mbed TLS itself was unaffected by this, but user code which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only release containing this bug was Mbed TLS 3.4.0.
  • Fix a buffer overread when parsing short TLS application data records in null-cipher cipher suites. Credit to OSS-Fuzz.
  • Fix a remotely exploitable heap buffer overflow in TLS handshake parsing. In TLS 1.3, all configurations are affected except PSK-only ones, and both clients and servers are affected. In TLS 1.2, the affected configurations are those with MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled, and only servers are affected, not clients. Credit to OSS-Fuzz.
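The two Security bullets above about padding calculations and constant-time code describe the same risk: a padding check whose running time depends on the decrypted bytes gives an attacker with precise timing measurements a padding oracle, and a compiler may turn branch-free C into conditional instructions. The block below is an added example written for this page, not Mbed TLS's own implementation (which lives in the library's constant_time module and, on the Arm and x86 platforms named above, in assembly). It places a naive PKCS#7 unpadding routine that returns at the first bad byte beside a mask-based one that inspects every byte of the final block with the same instruction sequence whatever its content. The function names and all sample blocks are constructed for the example. The caveat from the release notes still applies to the mask-based version: C alone cannot guarantee that no conditional instructions are emitted, which is why the release adds assembly on the platforms it lists.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE 16u  /* AES block size; a PKCS#7 pad value is 1..16 */

/* All-ones mask if x == 0, else 0. (~x & (x - 1)) has its top bit set
 * only when x is zero, so the shift yields 1 exactly in that case. */
static uint32_t ct_mask_zero(uint32_t x)
{
    return 0u - ((~x & (x - 1u)) >> 31);
}

/* All-ones mask if a < b, else 0. Valid for a, b < 2^31: the unsigned
 * subtraction wraps to a value with its top bit set only when a < b. */
static uint32_t ct_mask_lt(uint32_t a, uint32_t b)
{
    return 0u - ((a - b) >> 31);
}

/* Naive check: returns at the first bad byte, so the time taken depends
 * on secret data (the decrypted bytes). This is the shape that gives a
 * padding oracle when timing can be measured precisely. */
int pkcs7_unpad_naive(const uint8_t *buf, size_t len, size_t *plain_len)
{
    if (len == 0 || len % BLOCK_SIZE != 0) return -1;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK_SIZE) return -1;        /* early exit */
    for (size_t i = 0; i < pad; i++)
        if (buf[len - 1 - i] != pad) return -1;         /* early exit */
    *plain_len = len - pad;
    return 0;
}

/* Mask-based check: the length is public, but the pad byte and the bytes
 * it covers are secret, so the whole last block is scanned unconditionally
 * and the verdict is accumulated in a mask rather than through branches. */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t *plain_len)
{
    if (len == 0 || len % BLOCK_SIZE != 0) return -1;   /* public info only */
    uint32_t pad = buf[len - 1];
    /* bad is all-ones if pad == 0 or pad > BLOCK_SIZE */
    uint32_t bad = ct_mask_zero(pad) | ct_mask_lt(BLOCK_SIZE, pad);
    for (size_t i = 0; i < BLOCK_SIZE; i++) {
        uint32_t byte   = buf[len - 1 - i];
        uint32_t in_pad = ct_mask_lt((uint32_t)i, pad);  /* i < pad   */
        uint32_t differ = ~ct_mask_zero(byte ^ pad);      /* byte != pad */
        bad |= in_pad & differ;
    }
    /* Report a length of 0 on failure without branching on the verdict. */
    size_t keep = (size_t)0 - (size_t)((~bad) & 1u);     /* all-ones if ok */
    *plain_len = (len - (size_t)pad) & keep;
    return -(int)(bad & 1u);                             /* 0 ok, -1 bad */
}

/* Returns the plaintext length, or -1 if the padding is invalid. */
long unpad_len(int (*unpad)(const uint8_t *, size_t, size_t *),
               const uint8_t *buf, size_t len)
{
    size_t n = 0;
    return unpad(buf, len, &n) == 0 ? (long)n : -1L;
}

/* Constructed sample blocks (not taken from the release or its tests). */
const uint8_t SAMPLE_VALID[BLOCK_SIZE] = { 'h','e','l','l','o',
    11,11,11,11,11,11,11,11,11,11,11 };                 /* 5 bytes + 11 pad */
const uint8_t SAMPLE_FULL_PAD[BLOCK_SIZE] = { 16,16,16,16,16,16,16,16,
    16,16,16,16,16,16,16,16 };                          /* empty plaintext  */
const uint8_t SAMPLE_BAD_BYTE[BLOCK_SIZE] = { 'h','e','l','l','o',
    11,11,11,11,11,11,11,11,12,11,11 };                 /* one pad byte off */
const uint8_t SAMPLE_BAD_LEN[BLOCK_SIZE] = { 0,0,0,0,0,0,0,0,
    0,0,0,0,0,0,0,17 };                                 /* pad > block size */
const uint8_t SAMPLE_ZERO_PAD[BLOCK_SIZE] = { 'a','a','a','a','a','a','a','a',
    'a','a','a','a','a','a','a',0 };                    /* pad == 0         */

int main(void)
{
    printf("valid:    naive=%ld ct=%ld\n",
           unpad_len(pkcs7_unpad_naive, SAMPLE_VALID, BLOCK_SIZE),
           unpad_len(pkcs7_unpad_ct, SAMPLE_VALID, BLOCK_SIZE));
    printf("bad byte: naive=%ld ct=%ld\n",
           unpad_len(pkcs7_unpad_naive, SAMPLE_BAD_BYTE, BLOCK_SIZE),
           unpad_len(pkcs7_unpad_ct, SAMPLE_BAD_BYTE, BLOCK_SIZE));
    return 0;
}
```

Both routines give the same answers; the difference is only in how they get there. Since the verdict is still returned to the caller, the mask-based version does not hide whether padding was valid, only which byte was wrong and how far the scan got. That is the property the padding-oracle mitigation needs, and it is exactly what a compiler can undo by re-introducing conditional instructions, hence the release's move to assembly on the listed platforms.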

Bugfix

  • Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger than all built-in ones and RSA is disabled. Resolves #6622.
  • Add missing md.h includes to some of the external programs from the programs directory. Without this, even though the configuration was sufficient for a particular program to work, it would only print a message that one of the required defines is missing.
  • Fix declaration of mbedtls_ecdsa_sign_det_restartable() function in the ecdsa.h header file. There was a build warning when the configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined. Resolves #7407.
  • Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
  • Fix missing PSA initialization in sample programs when MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Fix the J-PAKE driver interface for user and peer to accept any values (previously accepted values were limited to "client" or "server").
  • Fix clang and armclang compilation error when targeting certain Arm M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23, SecurCore SC000). Fixes #1077.
  • Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but there is no way to detect the crypto extensions required. A warning is still issued.
  • Fixed an issue that caused compile errors when using CMake and the IAR toolchain.
  • Fix very high stack usage in SSL debug code. Reported by Maximilian Gerhardt in #7804.
  • Fix a compilation failure in the constant_time module when building for arm64_32 (e.g., for watchos). Reported by Paulo Coutinho in #7787.
  • Fix crypt_and_hash decryption fail when used with a stream cipher mode of operation due to the input not being multiple of block size. Resolves #7417.
  • Fix a bug in which mbedtls_x509_string_to_names() would return success when given an invalid name string, if it did not contain '=' or ','.
  • Fix compilation warnings in aes.c, which prevented the example TF-M configuration in configs/ from building cleanly: tfm_mbedcrypto_config_profile_medium.h with crypto_config_profile_medium.h.
  • In TLS 1.3, fix a handshake failure when a client in its ClientHello proposes a handshake based on the PSK-only key exchange mode, or on at least one of the key exchange modes using ephemeral keys, to a server that supports only the PSK key exchange mode.
  • Fix CCM* with no tag not being supported in a build with CCM as the only symmetric encryption algorithm and the PSA configuration enabled.
  • Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
  • Fix a compilation error on some platforms when including mbedtls/ssl.h with all TLS support disabled. Fixes #6628.
  • Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when using an ECC key. The certificate was rejected by some crypto frameworks. Fixes #2924.
  • Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc() is called with zero length and padlock is not enabled.
  • Fix compile failure due to empty enum in cipher_wrap.c, when building with a very minimal configuration. Fixes #7625.
  • Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA signature can silently return an incorrect result in low memory conditions.
  • Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
  • Fix IAR compiler warnings.
  • Fix an issue when parsing an otherName subject alternative name into a mbedtls_x509_san_other_name struct. The type-id of the otherName was not copied to the struct. This meant that the struct had incomplete information about the otherName SAN and contained uninitialized memory.
  • Fix the detection of HardwareModuleName otherName SANs. These were being detected by comparing the wrong field and the check was erroneously inverted.
  • Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG enabled, where some low-level modules required by requested PSA crypto features were not getting automatically enabled. Fixes #7420.
  • Fix undefined symbols in some builds using TLS 1.3 with a custom configuration file.
  • Fix the log level for the "got supported group" message. Fixes #6765.
  • Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx error code on failure. Before, they returned 1 to indicate failure in some cases involving a missing entry or a full cache.
  • mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
  • Fix the build with CMake when Everest or P256-m is enabled through a user configuration file or the compiler command line. Fixes #8165.

Changes

  • Enable Arm / Thumb bignum assembly for most Arm platforms when compiling with gcc, clang or armclang and -O0.
  • Enforce minimum RSA key size when generating a key to avoid accidental misuse.
  • Use heap memory to allocate DER encoded RSA private key. This reduces stack usage significantly for RSA signature operations when MBEDTLS_PSA_CRYPTO_C is defined.
  • Update Windows code to use BCryptGenRandom and wcslen, and ensure that conversions between size_t, ULONG, and int are always done safely. Original contribution by Kevin Kane #635, #730 followed by Simon Butcher #1453.
  • Users integrating their own PSA drivers should be aware that the file library/psa_crypto_driver_wrappers.c has been renamed to psa_crypto_driver_wrappers_no_static.c.
  • When using CBC with the cipher module, the requirement to call mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting this call accidentally applied a default padding mode chosen at compile time.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

02311fc8bd032d89ff9aee535dddb55458108dc0d4c5280638fc611aea7c5e4a mbedtls-3.5.0.tar.gz afa5e4474b5769380f84e64860ad3a37269f661bdc8b3f781767c63f7632e04f mbedtls-3.5.0.zip

v3.4.1

9 months ago

Description

This release of Mbed TLS provides bug fixes and minor enhancements.

Security Advisories

There are no security advisories for this release.

Release Notes

Bugfix

  • Fix builds on Windows with clang.

Changes

  • Update test data to avoid failures of unit tests after 2023-08-07.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

a420fcf7103e54e775c383e3751729b8fb2dcd087f6165befd13f28315f754f5 mbedtls-3.4.1.tar.gz ad10adf1f0b093302f9e74b02a5a5412274359a1f6b39034940934054ec3c7c6 mbedtls-3.4.1.zip

v2.28.4

9 months ago

Description

This release of Mbed TLS provides bug fixes and minor enhancements.

Mbed TLS 2.28 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until the end of 2024.

Security Advisories

There are no security advisories for this release.

Release Notes

Features

  • Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by setting the CMake variable of the same name at configuration time.

Bugfix

  • Fix crypt_and_hash decryption fail when used with a stream cipher mode of operation, due to the input not being a multiple of the block size. Resolves #7417.
  • Fix a bug where mbedtls_x509_string_to_names() would return success when given an invalid name string, if it did not contain '=' or ','.
  • Fix missing PSA initialization in sample programs when MBEDTLS_USE_PSA_CRYPTO is enabled.
  • Fix clang and armclang compilation error when targeting certain Arm M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23, SecurCore SC000). Fixes #1077.
  • Fixed an issue that caused compile errors when using CMake and the IAR toolchain.
  • Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
  • Fix builds on Windows with clang.
  • Fix compilation warnings in aes.c for certain combinations of configuration options.
  • Fix a compilation error on some platforms when including mbedtls/ssl.h with all TLS support disabled. Fixes #6628.

Changes

  • Update test data to avoid failures of unit tests after 2023-08-07, and update expiring certificates in the certs module.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Checksum

The SHA256 hashes for the archives are:

578c4dcd15bbff3f5cd56aa07cd4f850fc733634e3d5947be4f7157d5bfd81ac mbedtls-2.28.4.tar.gz c325bce754bcd26ae45af8fa38f67dcd45d2e23784cf818c4c97694903add530 mbedtls-2.28.4.zip