
Commit e05e251

Flavio Ceolin authored and nashif committed
ext: lib: crypto: Update mbedTLS to 2.12.0
Since 2.9.0 release mbedTLS has some minor functional improvements, security fixes and bug fixes. A list with all changes can be found in: ./ext/lib/crypto/mbedtls/ChangeLog

Signed-off-by: Flavio Ceolin <[email protected]>
1 parent 502db21 commit e05e251


105 files changed, +10112 / -1064 lines

ext/lib/crypto/mbedtls/CMakeLists.txt

Lines changed: 7 additions & 0 deletions
@@ -16,6 +16,7 @@ if(CONFIG_MBEDTLS_BUILTIN)
1616
zephyr_library_sources(library/aes.c)
1717
zephyr_library_sources(library/aesni.c)
1818
zephyr_library_sources(library/arc4.c)
19+
zephyr_library_sources(library/aria.c)
1920
zephyr_library_sources(library/asn1parse.c)
2021
zephyr_library_sources(library/asn1write.c)
2122
zephyr_library_sources(library/base64.c)
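Review bot: aria.c, like every other source added to this file in this commit, compiles to an empty object unless its MBEDTLS_*_C option is defined, and none of the config headers touched here define MBEDTLS_ARIA_C, MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C, MBEDTLS_CHACHAPOLY_C, MBEDTLS_HKDF_C or MBEDTLS_NIST_KW_C, so these entries are inert until a Zephyr config opts in. That is a sensible default for primitives that have not yet been exercised in Zephyr, but it should be stated in the commit message so nobody reads "Update mbedTLS to 2.12.0" as "ChaCha20-Poly1305 ciphersuites are now available".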
@@ -24,6 +25,8 @@ if(CONFIG_MBEDTLS_BUILTIN)
2425
zephyr_library_sources(library/camellia.c)
2526
zephyr_library_sources(library/ccm.c)
2627
zephyr_library_sources(library/certs.c)
28+
zephyr_library_sources(library/chacha20.c)
29+
zephyr_library_sources(library/chachapoly.c)
2730
zephyr_library_sources(library/cipher.c)
2831
zephyr_library_sources(library/cipher_wrap.c)
2932
zephyr_library_sources(library/cmac.c)
@@ -41,6 +44,7 @@ if(CONFIG_MBEDTLS_BUILTIN)
4144
zephyr_library_sources(library/error.c)
4245
zephyr_library_sources(library/gcm.c)
4346
zephyr_library_sources(library/havege.c)
47+
zephyr_library_sources(library/hkdf.c)
4448
zephyr_library_sources(library/hmac_drbg.c)
4549
zephyr_library_sources(library/md.c)
4650
zephyr_library_sources(library/md2.c)
@@ -49,6 +53,7 @@ if(CONFIG_MBEDTLS_BUILTIN)
4953
zephyr_library_sources(library/md_wrap.c)
5054
zephyr_library_sources(library/memory_buffer_alloc.c)
5155
zephyr_library_sources(library/net_sockets.c)
56+
zephyr_library_sources(library/nist_kw.c)
5257
zephyr_library_sources(library/oid.c)
5358
zephyr_library_sources(library/padlock.c)
5459
zephyr_library_sources(library/pem.c)
@@ -60,6 +65,8 @@ if(CONFIG_MBEDTLS_BUILTIN)
6065
zephyr_library_sources(library/pkparse.c)
6166
zephyr_library_sources(library/pkwrite.c)
6267
zephyr_library_sources(library/platform.c)
68+
zephyr_library_sources(library/platform_util.c)
69+
zephyr_library_sources(library/poly1305.c)
6370
zephyr_library_sources(library/ripemd160.c)
6471
zephyr_library_sources(library/rsa.c)
6572
zephyr_library_sources(library/rsa_internal.c)
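Review bot: platform_util.c is the one entry in this hunk that is not optional: the 2.10.0 ChangeLog text imported in this same commit says mbedtls_platform_zeroize() moved into platform_util.c, and the other modules call it to wipe key material, so leaving it out would break the link. Because that function only does its job if the compiler cannot prove the stores dead, it is worth running upstream's zeroize check (or a quick disassembly check) in Zephyr CI for the toolchains Zephyr actually ships, rather than relying on upstream's compiler matrix alone.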

ext/lib/crypto/mbedtls/ChangeLog

Lines changed: 164 additions & 10 deletions
@@ -1,5 +1,159 @@
11
mbed TLS ChangeLog (Sorted per branch, date)
22

3+
= mbed TLS 2.12.0 branch released 2018-07-25
4+
5+
Security
6+
* Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
7+
in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
8+
partially recover the plaintext of messages under some conditions by
9+
exploiting timing measurements. With DTLS, the attacker could perform
10+
this recovery by sending many messages in the same connection. With TLS
11+
or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only
12+
worked if the same secret (for example a HTTP Cookie) has been repeatedly
13+
sent over connections manipulated by the attacker. Connections using GCM
14+
or CCM instead of CBC, using hash sizes other than SHA-384, or using
15+
Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
16+
caused by a miscalculation (for SHA-384) in a countermeasure to the
17+
original Lucky 13 attack. Found by Kenny Paterson, Eyal Ronen and Adi
18+
Shamir.
19+
* Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
20+
1.2, that allowed a local attacker, able to execute code on the local
21+
machine as well as manipulate network packets, to partially recover the
22+
plaintext of messages under some conditions by using a cache attack
23+
targetting an internal MD/SHA buffer. With TLS or if
24+
mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
25+
the same secret (for example a HTTP Cookie) has been repeatedly sent over
26+
connections manipulated by the attacker. Connections using GCM or CCM
27+
instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
28+
Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
29+
* Add a counter-measure against a vulnerability in TLS ciphersuites based
30+
on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
31+
execute code on the local machine as well as manipulate network packets,
32+
to partially recover the plaintext of messages under some conditions (see
33+
previous entry) by using a cache attack targeting the SSL input record
34+
buffer. Connections using GCM or CCM instead of CBC or using
35+
Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
36+
Eyal Ronen and Adi Shamir.
37+
38+
Features
39+
* Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
40+
authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
41+
by Daniel King.
42+
* Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
43+
* Add platform support for the Haiku OS. (https://www.haiku-os.org).
44+
Contributed by Augustin Cavalier.
45+
* Make the receive and transmit buffers independent sizes, for situations
46+
where the outgoing buffer can be fixed at a smaller size than the incoming
47+
buffer, which can save some RAM. If buffer lengths are kept equal, there
48+
is no functional difference. Contributed by Angus Gratton, and also
49+
independently contributed again by Paul Sokolovsky.
50+
* Add support for key wrapping modes based on AES as defined by
51+
NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
52+
53+
Bugfix
54+
* Fix the key_app_writer example which was writing a leading zero byte which
55+
was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257.
56+
* Fix compilation error on C++, because of a variable named new.
57+
Found and fixed by Hirotaka Niisato in #1783.
58+
* Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
59+
contributed by tabascoeye.
60+
* Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
61+
return value. Found by @davidwu2000. #839
62+
* Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
63+
Philippe Antoine. Fixes #1623.
64+
* Remove unused headers included in x509.c. Found by Chris Hanson and fixed
65+
by Brendan Shanks. Part of a fix for #992.
66+
* Fix compilation error when MBEDTLS_ARC4_C is disabled and
67+
MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
68+
* Added length checks to some TLS parsing functions. Found and fixed by
69+
Philippe Antoine from Catena cyber. #1663.
70+
* Fix the inline assembly for the MPI multiply helper function for i386 and
71+
i386 with SSE2. Found by László Langó. Fixes #1550
72+
* Fix namespacing in header files. Remove the `mbedtls` namespacing in
73+
the `#include` in the header files. Resolves #857
74+
* Fix compiler warning of 'use before initialisation' in
75+
mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid
76+
Drozd. #1098
77+
* Fix decryption for zero length messages (which contain all padding) when a
78+
CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
79+
such a message was wrongly reported as an invalid record and therefore lead
80+
to the connection being terminated. Seen most often with OpenSSL using
81+
TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix
82+
contributed by Espressif Systems. Fixes #1632
83+
* Fix ssl_client2 example to send application data with 0-length content
84+
when the request_size argument is set to 0 as stated in the documentation.
85+
Fixes #1833.
86+
* Correct the documentation for `mbedtls_ssl_get_session()`. This API has
87+
deep copy of the session, and the peer certificate is not lost. Fixes #926.
88+
* Fix build using -std=c99. Fixed by Nick Wilson.
89+
90+
Changes
91+
* Fail when receiving a TLS alert message with an invalid length, or invalid
92+
zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
93+
* Change the default behaviour of mbedtls_hkdf_extract() to return an error
94+
when calling with a NULL salt and non-zero salt_len. Contributed by
95+
Brian J Murray
96+
* Change the shebang line in Perl scripts to look up perl in the PATH.
97+
Contributed by fbrosson.
98+
* Allow overriding the time on Windows via the platform-time abstraction.
99+
Fixed by Nick Wilson.
100+
* Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
101+
102+
= mbed TLS 2.11.0 branch released 2018-06-18
103+
104+
Features
105+
* Add additional block mode, OFB (Output Feedback), to the AES module and
106+
cipher abstraction module.
107+
* Implement the HMAC-based extract-and-expand key derivation function
108+
(HKDF) per RFC 5869. Contributed by Thomas Fossati.
109+
* Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
110+
* Add support for the XTS block cipher mode with AES (AES-XTS).
111+
Contributed by Aorimn in pull request #414.
112+
* In TLS servers, support offloading private key operations to an external
113+
cryptoprocessor. Private key operations can be asynchronous to allow
114+
non-blocking operation of the TLS server stack.
115+
116+
Bugfix
117+
* Fix the cert_write example to handle certificates signed with elliptic
118+
curves as well as RSA. Fixes #777 found by dbedev.
119+
* Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
120+
used by user applications. Found and fixed by Fabio Alessandrelli.
121+
* Fix compilation warnings with IAR toolchain, on 32 bit platform.
122+
Reported by rahmanih in #683
123+
* Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
124+
125+
Changes
126+
* Changed CMake defaults for IAR to treat all compiler warnings as errors.
127+
* Changed the Clang parameters used in the CMake build files to work for
128+
versions later than 3.6. Versions of Clang earlier than this may no longer
129+
work. Fixes #1072
130+
131+
= mbed TLS 2.10.0 branch released 2018-06-06
132+
133+
Features
134+
* Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
135+
(RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
136+
137+
API Changes
138+
* Extend the platform module with a util component that contains
139+
functionality shared by multiple Mbed TLS modules. At this stage
140+
platform_util.h (and its associated platform_util.c) only contain
141+
mbedtls_platform_zeroize(), which is a critical function from a security
142+
point of view. mbedtls_platform_zeroize() needs to be regularly tested
143+
against compilers to ensure that calls to it are not removed from the
144+
output binary as part of redundant code elimination optimizations.
145+
Therefore, mbedtls_platform_zeroize() is moved to the platform module to
146+
facilitate testing and maintenance.
147+
148+
Bugfix
149+
* Fix an issue with MicroBlaze support in bn_mul.h which was causing the
150+
build to fail. Found by zv-io. Fixes #1651.
151+
152+
Changes
153+
* Support TLS testing in out-of-source builds using cmake. Fixes #1193.
154+
* Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by
155+
TrinityTonic. #1359.
156+
3157
= mbed TLS 2.9.0 branch released 2018-04-30
4158

5159
Security
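Review bot: the three Security entries at the top of this hunk are what justify taking this bump promptly, and the commit message only says "security fixes"; it should name them, since two are fixes to CBC ciphersuites in (D)TLS 1.0 to 1.2 (the SHA-384 miscalculation in the Lucky 13 countermeasure, and the cache attack on the internal MD/SHA buffer) and any Zephyr config that keeps CBC suites enabled is exposed on 2.9.0. The same text also gives the mitigation for anyone who cannot update immediately: GCM or CCM ciphersuites, or Encrypt-then-MAC (RFC 7366), are unaffected. Two behaviour changes further down deserve a mention for downstream callers as well: mbedtls_hkdf_extract() now returns an error for a NULL salt with non-zero salt_len, and TLS 1.2 alert messages with an invalid or zero length now cause a failure. The independent receive and transmit buffer sizes (MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN in 2.12.0) are also worth surfacing to Zephyr users, since the RAM saving is the reason many of them would want this update.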
@@ -1717,7 +1871,7 @@ Features
17171871
issuer_key_identifier, etc)
17181872
* Optional blinding for RSA, DHM and EC
17191873
* Support for multiple active certificate / key pairs in SSL servers for
1720-
the same host (Not to be confused with SNI!)
1874+
the same host (Not to be confused with SNI!)
17211875

17221876
Changes
17231877
* Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
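Review bot: in this hunk, and in each of the remaining ChangeLog hunks below it, the removed and added lines read identically ("the same host (Not to be confused with SNI!)"), so the only difference is whitespace, most likely trailing blanks. That is harmless, but this is upstream's file and the noise makes the one real change (the new entries at the top) harder to review; if the blanks came from an editor or a tree-wide cleanup, importing the file byte-for-byte from the 2.12.0 tarball would be cleaner.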
@@ -1948,7 +2102,7 @@ Changes
19482102
PKCS#8 private key formats
19492103
* Added mechanism to provide alternative implementations for all
19502104
symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
1951-
config.h)
2105+
config.h)
19522106
* PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
19532107
old PBKDF2 module
19542108

@@ -1960,7 +2114,7 @@ Bugfix
19602114
* x509parse_crt() now better handles PEM error situations
19612115
* ssl_parse_certificate() now calls x509parse_crt_der() directly
19622116
instead of the x509parse_crt() wrapper that can also parse PEM
1963-
certificates
2117+
certificates
19642118
* x509parse_crtpath() is now reentrant and uses more portable stat()
19652119
* Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
19662120
* Fixed values for 2-key Triple DES in cipher layer
@@ -2118,7 +2272,7 @@ Bugfix
21182272
* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
21192273
#52)
21202274
* Handle encryption with private key and decryption with public key as per
2121-
RFC 2313
2275+
RFC 2313
21222276
* Handle empty certificate subject names
21232277
* Prevent reading over buffer boundaries on X509 certificate parsing
21242278
* mpi_add_abs() now correctly handles adding short numbers to long numbers
@@ -2149,7 +2303,7 @@ Bugfix
21492303
* x509parse_crt() now better handles PEM error situations
21502304
* ssl_parse_certificate() now calls x509parse_crt_der() directly
21512305
instead of the x509parse_crt() wrapper that can also parse PEM
2152-
certificates
2306+
certificates
21532307
* Fixed values for 2-key Triple DES in cipher layer
21542308
* ssl_write_certificate_request() can handle empty ca_chain
21552309

@@ -2230,16 +2384,16 @@ Bugfix
22302384
Features
22312385
* Added ssl_session_reset() to allow better multi-connection pools of
22322386
SSL contexts without needing to set all non-connection-specific
2233-
data and pointers again. Adapted ssl_server to use this functionality.
2387+
data and pointers again. Adapted ssl_server to use this functionality.
22342388
* Added ssl_set_max_version() to allow clients to offer a lower maximum
22352389
supported version to a server to help buggy server implementations.
2236-
(Closes ticket #36)
2390+
(Closes ticket #36)
22372391
* Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
22382392
introspection functions (Closes ticket #40)
22392393
* Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
22402394
* Added a generic entropy accumulator that provides support for adding
22412395
custom entropy sources and added some generic and platform dependent
2242-
entropy sources
2396+
entropy sources
22432397

22442398
Changes
22452399
* Documentation for AES and Camellia in modes CTR and CFB128 clarified.
@@ -2372,7 +2526,7 @@ Bugfixes
23722526
* Corrected parsing of UTCTime dates before 1990 and
23732527
after 1950
23742528
* Support more exotic OID's when parsing certificates
2375-
(found by Mads Kiilerich)
2529+
(found by Mads Kiilerich)
23762530
* Support more exotic name representations when parsing
23772531
certificates (found by Mads Kiilerich)
23782532
* Replaced the expired test certificates
@@ -2402,7 +2556,7 @@ Note: Most of these features have been donated by Fox-IT
24022556
status, objects and configuration
24032557
+ Added verification callback on certificate chain
24042558
verification to allow external blacklisting
2405-
+ Additional example programs to show usage
2559+
+ Additional example programs to show usage
24062560
* Added support for PKCS#11 through the use of the
24072561
libpkcs11-helper library
24082562

ext/lib/crypto/mbedtls/README

Lines changed: 12 additions & 2 deletions
@@ -1,9 +1,19 @@
11
The mbed TLS library in Zephyr is a downstream of an externally maintained
22
open source project. The original upstream code can be found at:
33

4-
https://tls.mbed.org/download/start/mbedtls-2.9.0-apache.tgz
4+
https://tls.mbed.org/download/start/mbedtls-2.12.0-apache.tgz
55

6-
At version 2.9.0
6+
One change was applied in the original code. In mbedTLS both files,
7+
net_sockets.c and x509.c, were defining _POSIX_C_SOURCE and as Zephyr
8+
build all files together this was raising and warning. In order to
9+
fix this problem one define guard was added, as showed bellow:
10+
11+
#if defined(_POSIX_C_SOURCE)
12+
#undef _POSIX_C_SOURCE
13+
#define _POSIX_C_SOURCE 200112L
14+
#endif
15+
16+
At version 2.12.0
717

818
The following is the license information for this code:
919

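Review bot: the added paragraph has typos that everyone re-importing this library will read ("raising and warning" should be "raising a warning", "showed bellow" should be "shown below"), and it does not say which of the two files, net_sockets.c or x509.c, received the guard, which is exactly what the next person doing the 2.13 update needs to know. It is also worth recording that the guard has to sit before the first libc header is included, because _POSIX_C_SOURCE only takes effect when it is defined before any system header is pulled in. Finally, "At version 2.12.0" now follows the local-change description, so the text reads as if the version applied only to the guard; keeping the version line next to the URL, as in the old layout, would avoid that.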
ext/lib/crypto/mbedtls/configs/config-mini-tls1_2.h

Lines changed: 1 addition & 0 deletions
@@ -20,6 +20,7 @@
2020
#define MBEDTLS_NO_PLATFORM_ENTROPY
2121
#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
2222
#define MBEDTLS_PLATFORM_PRINTF_ALT
23+
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
2324

2425
#if !defined(CONFIG_ARM)
2526
#define MBEDTLS_HAVE_ASM
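Review bot: defining MBEDTLS_PLATFORM_SNPRINTF_ALT turns mbedtls_snprintf into a function pointer that defaults to MBEDTLS_PLATFORM_STD_SNPRINTF and is replaced at runtime through mbedtls_platform_set_snprintf(); it requires MBEDTLS_PLATFORM_C, which is presumably already enabled given MBEDTLS_PLATFORM_PRINTF_ALT on the line above. The commit message does not say why the snprintf hook is now needed for the mini profile, nor whether Zephyr installs its own snprintf through that hook the way it does for printf; without that call the library silently falls back to the standard symbol, so one sentence on the intent would help.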

ext/lib/crypto/mbedtls/configs/config-tls-generic.h

Lines changed: 1 addition & 10 deletions
@@ -20,13 +20,13 @@
2020
#define MBEDTLS_NO_PLATFORM_ENTROPY
2121
#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
2222
#define MBEDTLS_PLATFORM_PRINTF_ALT
23+
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
2324

2425
#if !defined(CONFIG_ARM)
2526
#define MBEDTLS_HAVE_ASM
2627
#endif
2728

2829
#if defined(CONFIG_MBEDTLS_TEST)
29-
#define MBEDTLS_SELF_TEST
3030
#define MBEDTLS_DEBUG_C
3131
#endif
3232

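Review bot: removing MBEDTLS_SELF_TEST under CONFIG_MBEDTLS_TEST is a functional change that the commit message ("Update mbedTLS to 2.12.0") does not mention. Without it the mbedtls_*_self_test() functions are compiled out, so a Zephyr test build can no longer run the built-in known-answer tests on the target's compiler and CPU, which is the cheapest way to catch a miscompiled AES or SHA on a new board. If it was dropped because a self-test fails on 2.12.0, that deserves its own commit naming the failing test; otherwise keep it.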
@@ -308,15 +308,6 @@
308308
#define MBEDTLS_CTR_DRBG_C
309309
#endif
310310

311-
#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA512_C)
312-
#define MBEDTLS_ENTROPY_C
313-
#endif
314-
315-
/* For test certificates */
316-
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
317-
#define MBEDTLS_CERTS_C
318-
#endif
319-
320311
#if defined(CONFIG_MBEDTLS_DEBUG)
321312
#define MBEDTLS_ERROR_C
322313
#define MBEDTLS_DEBUG_C
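Review bot: dropping the MBEDTLS_ENTROPY_C and MBEDTLS_CERTS_C blocks is also unexplained by the commit message and is not part of the 2.12.0 import. The MBEDTLS_ENTROPY_C removal is the one to look at carefully: the preceding context still defines MBEDTLS_CTR_DRBG_C, and a CTR-DRBG that is no longer seeded from the entropy module has to be seeded from something else, so the commit should state where the seed now comes from. MBEDTLS_CERTS_C only controls the bundled test certificates in certs.c (still listed in CMakeLists.txt), so removing it is a size win with no security effect. Both removals belong in a separate commit with their own rationale.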
