|
1 | 1 | Mbed TLS ChangeLog (Sorted per branch, date) |
2 | 2 |
|
3 | | -= Mbed TLS 4.0.0-beta branch released 2025-07-04 |
4 | | - |
5 | | -API changes |
6 | | - * The experimental functions psa_generate_key_ext() and |
7 | | - psa_key_derivation_output_key_ext() have been replaced by |
8 | | - psa_generate_key_custom() and psa_key_derivation_output_key_custom(). |
9 | | - They have almost exactly the same interface, but the variable-length |
10 | | - data is passed in a separate parameter instead of a flexible array |
11 | | - member. This resolves a build failure under C++ compilers that do not |
12 | | - support flexible array members (a C99 feature not adopted by C++). |
13 | | - Fixes #9020. |
14 | | - * Align the mbedtls_ssl_ticket_setup() function with the PSA Crypto API. |
15 | | - Instead of taking a mbedtls_cipher_type_t as an argument, this function |
16 | | - now takes 3 new arguments: a PSA algorithm, key type and key size, to |
17 | | - specify the AEAD for ticket protection. |
18 | | - * The PSA and Mbed TLS error spaces are now unified. mbedtls_xxx() |
19 | | - functions can now return PSA_ERROR_xxx values. |
20 | | - There is no longer a distinction between "low-level" and "high-level" |
21 | | - Mbed TLS error codes. |
22 | | - This will not affect most applications since the error values are |
23 | | - between -32767 and -1 as before. |
24 | | - * All API functions now use the PSA random generator psa_generate_random() |
25 | | - internally. As a consequence, functions no longer take RNG parameters. |
26 | | - Please refer to the migration guide at : |
27 | | - tf-psa-crypto/docs/4.0-migration-guide.md. |
28 | | - |
29 | | -Default behavior changes |
30 | | - * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT && |
31 | | - !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the |
32 | | - corresponding PSA mechanism is enabled, since the server provides the |
33 | | - crypto. Fixes #9126. |
34 | | - * The PK, X.509, PKCS7 and TLS modules now always use the PSA subsystem |
35 | | - to perform cryptographic operations, with a few exceptions documented |
36 | | - in docs/architecture/psa-migration/psa-limitations.md. This |
37 | | - corresponds to the behavior of Mbed TLS 3.x when |
38 | | - MBEDTLS_USE_PSA_CRYPTO is enabled. In effect, MBEDTLS_USE_PSA_CRYPTO |
39 | | - is now always enabled. |
40 | | - * psa_crypto_init() must be called before performing any cryptographic |
41 | | - operation, including indirect requests such as parsing a key or |
42 | | - certificate or starting a TLS handshake. |
43 | | - * The `PSA_WANT_XXX` symbols as defined in |
44 | | - tf-psa-crypto/include/psa/crypto_config.h are now always used in the |
45 | | - configuration of the cryptographic mechanisms exposed by the PSA API. |
46 | | - This corresponds to the configuration behavior of Mbed TLS 3.x when |
47 | | - MBEDTLS_PSA_CRYPTO_CONFIG is enabled. In effect, MBEDTLS_PSA_CRYPTO_CONFIG |
48 | | - is now always enabled and the configuration option has been removed. |
49 | | - * In TLS clients, if mbedtls_ssl_set_hostname() has not been called, |
50 | | - mbedtls_ssl_handshake() now fails with |
51 | | - MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME |
52 | | - if certificate-based authentication of the server is attempted. |
53 | | - This is because authenticating a server without knowing what name |
54 | | - to expect is usually insecure. |
55 | | - |
56 | | -Removals |
57 | | - * Drop support for VIA Padlock. Removes MBEDTLS_PADLOCK_C. |
58 | | - Fixes #5903. |
59 | | - * Drop support for crypto alt interface. Removes MBEDTLS_XXX_ALT options |
60 | | - at the module and function level for crypto mechanisms only. The remaining |
61 | | - alt interfaces for platform, threading and timing are unchanged. |
62 | | - Fixes #8149. |
63 | | - * Remove support for the RSA-PSK key exchange in TLS 1.2. |
64 | | - * Remove deprecated mbedtls_x509write_crt_set_serial(). The function was |
65 | | - already deprecated and superseded by |
66 | | - mbedtls_x509write_crt_set_serial_raw(). |
67 | | - * Remove the function mbedtls_ssl_conf_curves() which had been deprecated |
68 | | - in favour of mbedtls_ssl_conf_groups() since Mbed TLS 3.1. |
69 | | - * Remove support for the DHE-PSK key exchange in TLS 1.2. |
70 | | - * Remove support for the DHE-RSA key exchange in TLS 1.2. |
71 | | - * Following the removal of DHM module (#9972 and TF-PSA-Crypto#175) the |
72 | | - following SSL functions are removed: |
73 | | - - mbedtls_ssl_conf_dh_param_bin |
74 | | - - mbedtls_ssl_conf_dh_param_ctx |
75 | | - - mbedtls_ssl_conf_dhm_min_bitlen |
76 | | - * Remove support for the RSA key exchange in TLS 1.2. |
77 | | - * Remove mbedtls_low_level_strerr() and mbedtls_high_level_strerr(), |
78 | | - since these concepts no longer exists. There is just mbedtls_strerror(). |
79 | | - * Sample programs for the legacy crypto API have been removed. |
80 | | - pkey/rsa_genkey.c |
81 | | - pkey/pk_decrypt.c |
82 | | - pkey/dh_genprime.c |
83 | | - pkey/rsa_verify.c |
84 | | - pkey/mpi_demo.c |
85 | | - pkey/rsa_decrypt.c |
86 | | - pkey/key_app.c |
87 | | - pkey/dh_server.c |
88 | | - pkey/ecdh_curve25519.c |
89 | | - pkey/pk_encrypt.c |
90 | | - pkey/rsa_sign.c |
91 | | - pkey/key_app_writer.c |
92 | | - pkey/dh_client.c |
93 | | - pkey/ecdsa.c |
94 | | - pkey/rsa_encrypt.c |
95 | | - wince_main.c |
96 | | - aes/crypt_and_hash.c |
97 | | - random/gen_random_ctr_drbg.c |
98 | | - random/gen_entropy.c |
99 | | - hash/md_hmac_demo.c |
100 | | - hash/hello.c |
101 | | - hash/generic_sum.c |
102 | | - cipher/cipher_aead_demo.c |
103 | | - * Remove compat-2-x.h header from mbedtls. |
104 | | - * The library no longer offers interfaces to look up values by OID |
105 | | - or OID by enum values. |
106 | | - The header <mbedtls/oid.h> now only defines functions to convert |
107 | | - between binary and dotted string OID representations, and macros |
108 | | - for OID strings that are relevant to X.509. |
109 | | - The compilation option MBEDTLS_OID_C no longer |
110 | | - exists. OID tables are included in the build automatically as needed. |
111 | | - |
112 | | -Features |
113 | | - * When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, |
114 | | - the number of volatile PSA keys is virtually unlimited, at the expense |
115 | | - of increased code size. This option is off by default, but enabled in |
116 | | - the default mbedtls_config.h. Fixes #9216. |
117 | | - * Add a new psa_key_agreement() PSA API to perform key agreement and return |
118 | | - an identifier for the newly created key. |
119 | | - * Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which |
120 | | - uses static storage for keys, enabling malloc-less use of key slots. |
121 | | - The size of each buffer is given by the option |
122 | | - MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the |
123 | | - largest PSA key enabled in the build. |
124 | | - * Add an interruptible version of key agreement to the PSA interface. |
125 | | - See psa_key_agreement_iop_setup() and related functions. |
126 | | - * Add an interruptible version of generate key to the PSA interface. |
127 | | - See psa_generate_key_iop_setup() and related functions. |
128 | | - * Add the function mbedtls_ssl_export_keying_material() which allows the |
129 | | - client and server to extract additional shared symmetric keys from an SSL |
130 | | - session, according to the TLS-Exporter specification in RFC 8446 and 5705. |
131 | | - This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in |
132 | | - mbedtls_config.h. |
133 | | - |
134 | | -Security |
135 | | - * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does |
136 | | - not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when |
137 | | - MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. |
138 | | - CVE-2024-45157 |
139 | | - * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and |
140 | | - mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the |
141 | | - largest supported curve. In some configurations with PSA disabled, |
142 | | - all values of bits are affected. This never happens in internal library |
143 | | - calls, but can affect applications that call these functions directly. |
144 | | - CVE-2024-45158 |
145 | | - * With TLS 1.3, when a server enables optional authentication of the |
146 | | - client, if the client-provided certificate does not have appropriate values |
147 | | - in keyUsage or extKeyUsage extensions, then the return value of |
148 | | - mbedtls_ssl_get_verify_result() would incorrectly have the |
149 | | - MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits |
150 | | - clear. As a result, an attacker that had a certificate valid for uses other |
151 | | - than TLS client authentication could be able to use it for TLS client |
152 | | - authentication anyway. Only TLS 1.3 servers were affected, and only with |
153 | | - optional authentication (required would abort the handshake with a fatal |
154 | | - alert). |
155 | | - CVE-2024-45159 |
156 | | - * Fix a buffer underrun in mbedtls_pk_write_key_der() when |
157 | | - called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled, |
158 | | - and the output buffer is smaller than the actual output. |
159 | | - Fix a related buffer underrun in mbedtls_pk_write_key_pem() |
160 | | - when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled |
161 | | - and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key. |
162 | | - CVE-2024-49195 |
163 | | - * Note that TLS clients should generally call mbedtls_ssl_set_hostname() |
164 | | - if they use certificate authentication (i.e. not pre-shared keys). |
165 | | - Otherwise, in many scenarios, the server could be impersonated. |
166 | | - The library will now prevent the handshake and return |
167 | | - MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME |
168 | | - if mbedtls_ssl_set_hostname() has not been called. |
169 | | - Reported by Daniel Stenberg. |
170 | | - CVE-2025-27809 |
171 | | - * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed |
172 | | - or there was a cryptographic hardware failure when calculating the |
173 | | - Finished message, it could be calculated incorrectly. This would break |
174 | | - the security guarantees of the TLS handshake. |
175 | | - CVE-2025-27810 |
176 | | - * Fix possible use-after-free or double-free in code calling |
177 | | - mbedtls_x509_string_to_names(). This was caused by the function calling |
178 | | - mbedtls_asn1_free_named_data_list() on its head argument, while the |
179 | | - documentation did no suggest it did, making it likely for callers relying |
180 | | - on the documented behaviour to still hold pointers to memory blocks after |
181 | | - they were free()d, resulting in high risk of use-after-free or double-free, |
182 | | - with consequences ranging up to arbitrary code execution. |
183 | | - In particular, the two sample programs x509/cert_write and x509/cert_req |
184 | | - were affected (use-after-free if the san string contains more than one DN). |
185 | | - Code that does not call mbedtls_string_to_names() directly is not affected. |
186 | | - Found by Linh Le and Ngan Nguyen from Calif. |
187 | | - CVE-2025-47917 |
188 | | - * Fix a bug in mbedtls_x509_string_to_names() and the |
189 | | - mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions, |
190 | | - where some inputs would cause an inconsistent state to be reached, causing |
191 | | - a NULL dereference either in the function itself, or in subsequent |
192 | | - users of the output structure, such as mbedtls_x509_write_names(). This |
193 | | - only affects applications that create (as opposed to consume) X.509 |
194 | | - certificates, CSRs or CRLs. Found by Linh Le and Ngan Nguyen from Calif. |
195 | | - CVE-2025-48965 |
196 | | - |
197 | | -Bugfix |
198 | | - * Fix TLS 1.3 client build and runtime when support for session tickets is |
199 | | - disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395. |
200 | | - * Fix compilation error when memcpy() is a function-like macros. Fixes #8994. |
201 | | - * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled |
202 | | - as soon as MBEDTLS_RSA_C is enabled. Fixes #9041. |
203 | | - * Fix undefined behaviour (incrementing a NULL pointer by zero length) when |
204 | | - passing in zero length additional data to multipart AEAD. |
205 | | - * Fix rare concurrent access bug where attempting to operate on a |
206 | | - non-existent key while concurrently creating a new key could potentially |
207 | | - corrupt the key store. |
208 | | - * Fix error handling when creating a key in a dynamic secure element |
209 | | - (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition, |
210 | | - the creation could return PSA_SUCCESS but using or destroying the key |
211 | | - would not work. Fixes #8537. |
212 | | - * Fix issue of redefinition warning messages for _GNU_SOURCE in |
213 | | - entropy_poll.c and sha_256.c. There was a build warning during |
214 | | - building for linux platform. |
215 | | - Resolves #9026 |
216 | | - * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled. |
217 | | - * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in |
218 | | - CMAC is enabled, but no built-in unauthenticated cipher is enabled. |
219 | | - Fixes #9209. |
220 | | - * Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled. |
221 | | - Fixes #9029. |
222 | | - * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes |
223 | | - long. Credit to Cryptofuzz. Fixes #9314. |
224 | | - * Fix interference between PSA volatile keys and built-in keys |
225 | | - when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and |
226 | | - MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096. |
227 | | - * Document and enforce the limitation of mbedtls_psa_register_se_key() |
228 | | - to persistent keys. Resolves #9253. |
229 | | - * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled |
230 | | - but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188. |
231 | | - * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but |
232 | | - MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186. |
233 | | - * When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled, |
234 | | - some code was defining 0-size arrays, resulting in compilation errors. |
235 | | - Fixed by disabling the offending code in configurations without PSA |
236 | | - Crypto, where it never worked. Fixes #9311. |
237 | | - * Fixes an issue where some TLS 1.2 clients could not connect to an |
238 | | - Mbed TLS 3.6.0 server, due to incorrect handling of |
239 | | - legacy_compression_methods in the ClientHello. |
240 | | - fixes #8995, #9243. |
241 | | - * Fix a memory leak that could occur when failing to process an RSA |
242 | | - key through some PSA functions due to low memory conditions. |
243 | | - * Fixed a regression introduced in 3.6.0 where the CA callback set with |
244 | | - mbedtls_ssl_conf_ca_cb() would stop working when connections were |
245 | | - upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS |
246 | | - 1.3. |
247 | | - * Fixed a regression introduced in 3.6.0 where clients that relied on |
248 | | - optional/none authentication mode, by calling mbedtls_ssl_conf_authmode() |
249 | | - with MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_NONE, would stop |
250 | | - working when connections were upgraded to TLS 1.3. Fixed by adding |
251 | | - support for optional/none with TLS 1.3 as well. Note that the TLS 1.3 |
252 | | - standard makes server authentication mandatory; users are advised not to |
253 | | - use authmode none, and to carefully check the results when using optional |
254 | | - mode. |
255 | | - * Fixed a regression introduced in 3.6.0 where context-specific certificate |
256 | | - verify callbacks, set with mbedtls_ssl_set_verify() as opposed to |
257 | | - mbedtls_ssl_conf_verify(), would stop working when connections were |
258 | | - upgraded to TLS 1.3. Fixed by adding support for context-specific verify |
259 | | - callback in TLS 1.3. |
260 | | - * Fix unintended performance regression when using short RSA public keys. |
261 | | - Fixes #9232. |
262 | | - * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with |
263 | | - peers that have middlebox compatibility enabled, as long as no |
264 | | - problematic middlebox is in the way. Fixes #9551. |
265 | | - * Fix invalid JSON schemas for driver descriptions used by |
266 | | - generate_driver_wrappers.py. |
267 | | - * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind' |
268 | | - and 'mbedtls_net_connect' to prevent possible double close fd |
269 | | - problems. Fixes #9711. |
270 | | - * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or |
271 | | - mbedtls_psa_der_to_raw() is called with bits=0. |
272 | | - * Fix compilation on MS-DOS DJGPP. Fixes #9813. |
273 | | - * Fix missing constraints on the AES-NI inline assembly which is used on |
274 | | - GCC-like compilers when building AES for generic x86_64 targets. This |
275 | | - may have resulted in incorrect code with some compilers, depending on |
276 | | - optimizations. Fixes #9819. |
277 | | - * Support re-assembly of fragmented handshake messages in TLS (both |
278 | | - 1.2 and 1.3). The lack of support was causing handshake failures with |
279 | | - some servers, especially with TLS 1.3 in practice. There are a few |
280 | | - limitations, notably a fragmented ClientHello is only supported when |
281 | | - TLS 1.3 support is enabled. See the documentation of |
282 | | - mbedtls_ssl_handshake() for details. |
283 | | - * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that |
284 | | - occurred whenever SSL debugging was enabled on a copy of Mbed TLS built |
285 | | - with Visual Studio 2013 or MinGW. |
286 | | - Fixes #10017. |
287 | | - * Silence spurious -Wunterminated-string-initialization warnings introduced |
288 | | - by GCC 15. Fixes #9944. |
289 | | - |
290 | | -Changes |
291 | | - * Warn if mbedtls/check_config.h is included manually, as this can |
292 | | - lead to spurious errors. Error if a *adjust*.h header is included |
293 | | - manually, as this can lead to silently inconsistent configurations, |
294 | | - potentially resulting in buffer overflows. |
295 | | - When migrating from Mbed TLS 2.x, if you had a custom config.h that |
296 | | - included check_config.h, remove this inclusion from the Mbed TLS 3.x |
297 | | - configuration file (renamed to mbedtls_config.h). This change was made |
298 | | - in Mbed TLS 3.0, but was not announced in a changelog entry at the time. |
299 | | - * Functions regarding numeric string conversions for OIDs have been moved |
300 | | - from the OID module and now reside in X.509 module. This helps to reduce |
301 | | - the code size as these functions are not commonly used outside of X.509. |
302 | | - * Improve performance of PSA key generation with ECC keys: it no longer |
303 | | - computes the public key (which was immediately discarded). Fixes #9732. |
304 | | - * Cryptography and platform configuration options have been migrated |
305 | | - from the Mbed TLS library configuration file mbedtls_config.h to |
306 | | - crypto_config.h that will become the TF-PSA-Crypto configuration file, |
307 | | - see config-split.md for more information. The reference and test custom |
308 | | - configuration files respectively in configs/ and tests/configs/ have |
309 | | - been updated accordingly. |
310 | | - To migrate custom Mbed TLS configurations where |
311 | | - MBEDTLS_PSA_CRYPTO_CONFIG is disabled, you should first adapt them |
312 | | - to the PSA configuration scheme based on PSA_WANT_XXX symbols |
313 | | - (see psa-conditional-inclusion-c.md for more information). |
314 | | - To migrate custom Mbed TLS configurations where |
315 | | - MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you should migrate the |
316 | | - cryptographic and platform configuration options from mbedtls_config.h |
317 | | - to crypto_config.h (see config-split.md for more information and configs/ |
318 | | - for examples). |
319 | | - * Move the crypto part of the library (content of tf-psa-crypto directory) |
320 | | - from the Mbed TLS to the TF-PSA-Crypto repository. The crypto code and |
321 | | - tests development will now occur in TF-PSA-Crypto, which Mbed TLS |
322 | | - references as a Git submodule. |
323 | | - * The function mbedtls_x509_string_to_names() now requires its head argument |
324 | | - to point to NULL on entry. This makes it likely that existing risky uses of |
325 | | - this function (see the entry in the Security section) will be detected and |
326 | | - fixed. |
327 | | - |
328 | 3 | = Mbed TLS 3.6.0 branch released 2024-03-28 |
329 | 4 |
|
330 | 5 | API changes |
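Review bot: Deleting the entire 4.0.0-beta section with no replacement text removes the only changelog record of seven security fixes (CVE-2024-45157, CVE-2024-45158, CVE-2024-45159, CVE-2024-49195, CVE-2025-27809, CVE-2025-27810, CVE-2025-47917, CVE-2025-48965) and of behaviour changes that downstream code must react to, such as mbedtls_ssl_handshake() now failing with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME when mbedtls_ssl_set_hostname() was not called, and mbedtls_x509_string_to_names() now requiring its head argument to point to NULL on entry. If these entries are being moved (for example into a consolidated 4.0.0 entry or into tf-psa-crypto's own ChangeLog, which the removed text itself references for the migration guide), the commit should say where they now live so that a reader diffing 3.6.0 against 4.0 can still find the CVE references; if they are simply being dropped, the Security entries at least should be kept, since the "= Mbed TLS 3.6.0 branch released 2024-03-28" header that remains gives no hint that a 4.0.0-beta ever existed. Two small wording defects in the removed lines are worth correcting wherever the text is re-added: "since these concepts no longer exists" should read "no longer exist", and "the documentation did no suggest it did" should read "did not suggest".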
|