From 74755e484ce35e23ceeec9a3324e1857094c7ea7 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 8 Mar 2021 18:35:44 +0000 Subject: [PATCH] Update Changelog for 2.26.0 
Signed-off-by: Dave Rodgman --- ChangeLog | 111 ++++++++++++++++++ ChangeLog.d/basic-constraints-critical.txt | 8 -- ChangeLog.d/drbg-mutex.txt | 5 - ChangeLog.d/external-wrapped-keys.txt | 4 - ChangeLog.d/fix_psa_crypto_leak.txt | 2 - ChangeLog.d/getentropy.txt | 3 - ChangeLog.d/issue3819.txt | 10 -- ChangeLog.d/issue4093.txt | 6 - ...make_base64_table_access_constant_flow.txt | 4 - ChangeLog.d/mbedtls_ecc_group_of_psa.txt | 4 - ChangeLog.d/mbedtls_psa_get_random.txt | 9 -- ChangeLog.d/mpi_sub_abs.txt | 7 -- ChangeLog.d/net_poll-fd_setsize.txt | 4 - ChangeLog.d/no_ecp_fallback.txt | 4 - ChangeLog.d/programs-ssl-use-after-scope.txt | 2 - ...ypto-api-rename-aead-tag-length-macros.txt | 7 -- ChangeLog.d/psa-crypto-client.txt | 4 - ChangeLog.d/psa-crypto-hmac-drbg.txt | 5 - .../psa-crypto-new-wildcard-policies.txt | 5 - ...rypto-rename-output-buffer-size-macros.txt | 9 -- ...a_allow_tweaking_library_configuration.txt | 5 - ChangeLog.d/psa_close_key_memory_leak_fix.txt | 3 - ChangeLog.d/rsa-mutex.txt | 13 -- ChangeLog.d/rsa_private-ret.txt | 2 - 24 files changed, 111 insertions(+), 125 deletions(-) delete mode 100644 ChangeLog.d/basic-constraints-critical.txt delete mode 100644 ChangeLog.d/drbg-mutex.txt delete mode 100644 ChangeLog.d/external-wrapped-keys.txt delete mode 100644 ChangeLog.d/fix_psa_crypto_leak.txt delete mode 100644 ChangeLog.d/getentropy.txt delete mode 100644 ChangeLog.d/issue3819.txt delete mode 100644 ChangeLog.d/issue4093.txt delete mode 100644 ChangeLog.d/make_base64_table_access_constant_flow.txt delete mode 100644 ChangeLog.d/mbedtls_ecc_group_of_psa.txt delete mode 100644 ChangeLog.d/mbedtls_psa_get_random.txt delete mode 100644 ChangeLog.d/mpi_sub_abs.txt delete mode 100644 ChangeLog.d/net_poll-fd_setsize.txt delete mode 100644 ChangeLog.d/no_ecp_fallback.txt delete mode 100644 ChangeLog.d/programs-ssl-use-after-scope.txt delete mode 100644 ChangeLog.d/psa-crypto-api-rename-aead-tag-length-macros.txt delete mode 100644 
ChangeLog.d/psa-crypto-client.txt delete mode 100644 ChangeLog.d/psa-crypto-hmac-drbg.txt delete mode 100644 ChangeLog.d/psa-crypto-new-wildcard-policies.txt delete mode 100644 ChangeLog.d/psa-crypto-rename-output-buffer-size-macros.txt delete mode 100644 ChangeLog.d/psa_allow_tweaking_library_configuration.txt delete mode 100644 ChangeLog.d/psa_close_key_memory_leak_fix.txt delete mode 100644 ChangeLog.d/rsa-mutex.txt delete mode 100644 ChangeLog.d/rsa_private-ret.txt diff --git a/ChangeLog b/ChangeLog index 184bd0913..a6d4adfa1 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,116 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.26.0 branch released 2021-03-08 + +API changes + * Renamed the PSA Crypto API output buffer size macros to bring them in line + with version 1.0.0 of the specification. + * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size + in bits rather than bytes, with an additional flag to indicate if the + size may have been rounded up to a whole number of bytes. + * Renamed the PSA Crypto API AEAD tag length macros to bring them in line + with version 1.0.0 of the specification. + +Default behavior changes + * In mbedtls_rsa_context objects, the ver field was formerly documented + as always 0. It is now reserved for internal purposes and may take + different values. + +New deprecations + * PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE, + PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and + PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names + deprecated. + * PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH + have been renamed, and the old names deprecated. + +Features + * The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG. + CTR_DRBG is used by default if it is available, but you can override + this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time. + Fix #3354. + * Automatic fallback to a software implementation of ECP when + MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off + through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK. + * The PSA crypto subsystem can now be configured to use less static RAM by + tweaking the setting for the maximum amount of keys simultaneously in RAM. + MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that + can exist simultaneously. It has a sensible default if not overridden. 
+ * Partial implementation of the PSA crypto driver interface: Mbed TLS can + now use an external random generator instead of the library's own + entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + and see the documentation of mbedtls_psa_external_get_random() for details. + * Applications using both mbedtls_xxx and psa_xxx functions (for example, + applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA + random generator with mbedtls_xxx functions. See the documentation of + mbedtls_psa_get_random() for details. + * In the PSA API, the policy for a MAC or AEAD algorithm can specify a + minimum MAC or tag length thanks to the new wildcards + PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and + PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG. + +Security + * Fix a security reduction in CTR_DRBG when the initial seeding obtained a + nonce from entropy. Applications were affected if they called + mbedtls_ctr_drbg_set_nonce_len(), if they called + mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key + length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256. + In such cases, a random nonce was necessary to achieve the advertised + security strength, but the code incorrectly used a constant instead of + entropy from the nonce. + Found by John Stroebel in #3819 and fixed in #3973. + * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating + |A| - |B| where |B| is larger than |A| and has more limbs (so the + function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only + applications calling mbedtls_mpi_sub_abs() directly are affected: + all calls inside the library were safe since this function is + only called with |A| >= |B|. Reported by Guido Vranken in #4042. + * Fix an errorneous estimation for an internal buffer in + mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd + value the function might fail to write a private RSA keys of the largest + supported size. 
+ Found by Daniel Otte, reported in #4093 and fixed in #4094. + * Fix a stack buffer overflow with mbedtls_net_poll() and + mbedtls_net_recv_timeout() when given a file descriptor that is + beyond FD_SETSIZE. Reported by FigBug in #4169. + * Guard against strong local side channel attack against base64 tables by + making access aceess to them use constant flow code. + +Bugfix + * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c + * Fix memory leak that occured when calling psa_close_key() on a + wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined. + * Fix an incorrect error code if an RSA private operation glitched. + * Fix a memory leak in an error case in psa_generate_derived_key_internal(). + * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C + is enabled, on platforms where initializing a mutex allocates resources. + This was a regression introduced in the previous release. Reported in + #4017, #4045 and #4071. + * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free() + twice is safe. This happens for RSA when some Mbed TLS library functions + fail. Such a double-free was not safe when MBEDTLS_THREADING_C was + enabled on platforms where freeing a mutex twice is not safe. + * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key() + when MBEDTLS_THREADING_C is enabled on platforms where initializing + a mutex allocates resources. + * Fixes a bug where, if the library was configured to include support for + both the old SE interface and the new PSA driver interface, external keys were + not loaded from storage. This was fixed by #3996. + * This change makes 'mbedtls_x509write_crt_set_basic_constraints' + consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST + include this extension in all CA certificates that contain public keys + used to validate digital signatures on certificates and MUST mark the + extension as critical in such certificates." 
Previous to this change, + the extension was always marked as non-critical. This was fixed by + #3698. + +Changes + * A new library C file psa_crypto_client.c has been created to contain + the PSA code needed by a PSA crypto client when the PSA crypto + implementation is not included into the library. + * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module + now uses the getrandom syscall instead of reading from /dev/urandom. + = mbed TLS 2.25.0 branch released 2020-12-11 API changes diff --git a/ChangeLog.d/basic-constraints-critical.txt b/ChangeLog.d/basic-constraints-critical.txt deleted file mode 100644 index 72e706ed5..000000000 --- a/ChangeLog.d/basic-constraints-critical.txt +++ /dev/null @@ -1,8 +0,0 @@ -Bugfix - * This change makes 'mbedtls_x509write_crt_set_basic_constraints' - consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST - include this extension in all CA certificates that contain public keys - used to validate digital signatures on certificates and MUST mark the - extension as critical in such certificates." Previous to this change, - the extension was always marked as non-critical. This was fixed by - #3698. diff --git a/ChangeLog.d/drbg-mutex.txt b/ChangeLog.d/drbg-mutex.txt deleted file mode 100644 index 3ac5abfa8..000000000 --- a/ChangeLog.d/drbg-mutex.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C - is enabled, on platforms where initializing a mutex allocates resources. - This was a regression introduced in the previous release. Reported in - #4017, #4045 and #4071. diff --git a/ChangeLog.d/external-wrapped-keys.txt b/ChangeLog.d/external-wrapped-keys.txt deleted file mode 100644 index ca29e0dab..000000000 --- a/ChangeLog.d/external-wrapped-keys.txt +++ /dev/null 
@@ -1,4 +0,0 @@ -Bugfix - * Fixes a bug where, if the library was configured to include support for - both the old SE interface and the new PSA driver interface, external keys were - not loaded from storage. This was fixed by #3996. diff --git a/ChangeLog.d/fix_psa_crypto_leak.txt b/ChangeLog.d/fix_psa_crypto_leak.txt deleted file mode 100644 index 6f9e5feb3..000000000 --- a/ChangeLog.d/fix_psa_crypto_leak.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix a memory leak in an error case in psa_generate_derived_key_internal(). diff --git a/ChangeLog.d/getentropy.txt b/ChangeLog.d/getentropy.txt deleted file mode 100644 index 460798f58..000000000 --- a/ChangeLog.d/getentropy.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module - now uses the getrandom syscall instead of reading from /dev/urandom. diff --git a/ChangeLog.d/issue3819.txt b/ChangeLog.d/issue3819.txt deleted file mode 100644 index e41520f46..000000000 --- a/ChangeLog.d/issue3819.txt +++ /dev/null @@ -1,10 +0,0 @@ -Security - * Fix a security reduction in CTR_DRBG when the initial seeding obtained a - nonce from entropy. Applications were affected if they called - mbedtls_ctr_drbg_set_nonce_len(), if they called - mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key - length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256. - In such cases, a random nonce was necessary to achieve the advertised - security strength, but the code incorrectly used a constant instead of - entropy from the nonce. - Found by John Stroebel in #3819 and fixed in #3973. diff --git a/ChangeLog.d/issue4093.txt b/ChangeLog.d/issue4093.txt deleted file mode 100644 index f6985cfd4..000000000 --- a/ChangeLog.d/issue4093.txt +++ /dev/null 
@@ -1,6 +0,0 @@ -Security - * Fix an errorneous estimation for an internal buffer in - mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd - value the function might fail to write a private RSA keys of the largest - supported size. - Found by Daniel Otte, reported in #4093 and fixed in #4094. diff --git a/ChangeLog.d/make_base64_table_access_constant_flow.txt b/ChangeLog.d/make_base64_table_access_constant_flow.txt deleted file mode 100644 index 733c972d0..000000000 --- a/ChangeLog.d/make_base64_table_access_constant_flow.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * Guard against strong local side channel attack against base64 tables by - making access aceess to them use constant flow code. - diff --git a/ChangeLog.d/mbedtls_ecc_group_of_psa.txt b/ChangeLog.d/mbedtls_ecc_group_of_psa.txt deleted file mode 100644 index bce4c66e2..000000000 --- a/ChangeLog.d/mbedtls_ecc_group_of_psa.txt +++ /dev/null @@ -1,4 +0,0 @@ -API changes - * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size - in bits rather than bytes, with an additional flag to indicate if the - size may have been rounded up to a whole number of bytes. diff --git a/ChangeLog.d/mbedtls_psa_get_random.txt b/ChangeLog.d/mbedtls_psa_get_random.txt deleted file mode 100644 index f6e6b0966..000000000 --- a/ChangeLog.d/mbedtls_psa_get_random.txt +++ /dev/null @@ -1,9 +0,0 @@ -Features - * Partial implementation of the PSA crypto driver interface: Mbed TLS can - now use an external random generator instead of the library's own - entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - and see the documentation of mbedtls_psa_external_get_random() for details. - * Applications using both mbedtls_xxx and psa_xxx functions (for example, - applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA - random generator with mbedtls_xxx functions. See the documentation of - mbedtls_psa_get_random() for details. 
diff --git a/ChangeLog.d/mpi_sub_abs.txt b/ChangeLog.d/mpi_sub_abs.txt deleted file mode 100644 index 9f34ee74b..000000000 --- a/ChangeLog.d/mpi_sub_abs.txt +++ /dev/null @@ -1,7 +0,0 @@ -Security - * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating - |A| - |B| where |B| is larger than |A| and has more limbs (so the - function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only - applications calling mbedtls_mpi_sub_abs() directly are affected: - all calls inside the library were safe since this function is - only called with |A| >= |B|. Reported by Guido Vranken in #4042. diff --git a/ChangeLog.d/net_poll-fd_setsize.txt b/ChangeLog.d/net_poll-fd_setsize.txt deleted file mode 100644 index e4db8c7e3..000000000 --- a/ChangeLog.d/net_poll-fd_setsize.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * Fix a stack buffer overflow with mbedtls_net_poll() and - mbedtls_net_recv_timeout() when given a file descriptor that is - beyond FD_SETSIZE. Reported by FigBug in #4169. diff --git a/ChangeLog.d/no_ecp_fallback.txt b/ChangeLog.d/no_ecp_fallback.txt deleted file mode 100644 index f61d3117d..000000000 --- a/ChangeLog.d/no_ecp_fallback.txt +++ /dev/null @@ -1,4 +0,0 @@ -Features - * Automatic fallback to a software implementation of ECP when - MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off - through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK. diff --git a/ChangeLog.d/programs-ssl-use-after-scope.txt b/ChangeLog.d/programs-ssl-use-after-scope.txt deleted file mode 100644 index 64bea61a4..000000000 --- a/ChangeLog.d/programs-ssl-use-after-scope.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c diff --git a/ChangeLog.d/psa-crypto-api-rename-aead-tag-length-macros.txt b/ChangeLog.d/psa-crypto-api-rename-aead-tag-length-macros.txt deleted file mode 100644 index 58c5e4fb4..000000000 
--- a/ChangeLog.d/psa-crypto-api-rename-aead-tag-length-macros.txt +++ /dev/null @@ -1,7 +0,0 @@ -API changes - * Renamed the PSA Crypto API AEAD tag length macros to bring them in line - with version 1.0.0 of the specification. - -New deprecations - * PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH - have been renamed, and the old names deprecated. diff --git a/ChangeLog.d/psa-crypto-client.txt b/ChangeLog.d/psa-crypto-client.txt deleted file mode 100644 index 3070ee95b..000000000 --- a/ChangeLog.d/psa-crypto-client.txt +++ /dev/null @@ -1,4 +0,0 @@ -Changes - * A new library C file psa_crypto_client.c has been created to contain - the PSA code needed by a PSA crypto client when the PSA crypto - implementation is not included into the library. diff --git a/ChangeLog.d/psa-crypto-hmac-drbg.txt b/ChangeLog.d/psa-crypto-hmac-drbg.txt deleted file mode 100644 index 18a0d1b56..000000000 --- a/ChangeLog.d/psa-crypto-hmac-drbg.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG. - CTR_DRBG is used by default if it is available, but you can override - this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time. - Fix #3354. diff --git a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt b/ChangeLog.d/psa-crypto-new-wildcard-policies.txt deleted file mode 100644 index 56fbbc9b5..000000000 --- a/ChangeLog.d/psa-crypto-new-wildcard-policies.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * In the PSA API, the policy for a MAC or AEAD algorithm can specify a - minimum MAC or tag length thanks to the new wildcards - PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and - PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG. diff --git a/ChangeLog.d/psa-crypto-rename-output-buffer-size-macros.txt b/ChangeLog.d/psa-crypto-rename-output-buffer-size-macros.txt deleted file mode 100644 index 1e8fb5f82..000000000 --- a/ChangeLog.d/psa-crypto-rename-output-buffer-size-macros.txt +++ /dev/null 
@@ -1,9 +0,0 @@ -API changes - * Renamed the PSA Crypto API output buffer size macros to bring them in line - with version 1.0.0 of the specification. - -New deprecations - * PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE, - PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and - PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names - deprecated. diff --git a/ChangeLog.d/psa_allow_tweaking_library_configuration.txt b/ChangeLog.d/psa_allow_tweaking_library_configuration.txt deleted file mode 100644 index 78b082cde..000000000 --- a/ChangeLog.d/psa_allow_tweaking_library_configuration.txt +++ /dev/null @@ -1,5 +0,0 @@ -Features - * The PSA crypto subsystem can now be configured to use less static RAM by - tweaking the setting for the maximum amount of keys simultaneously in RAM. - MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that - can exist simultaneously. It has a sensible default if not overridden. diff --git a/ChangeLog.d/psa_close_key_memory_leak_fix.txt b/ChangeLog.d/psa_close_key_memory_leak_fix.txt deleted file mode 100644 index 91ce17411..000000000 --- a/ChangeLog.d/psa_close_key_memory_leak_fix.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix memory leak that occured when calling psa_close_key() on a - wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined. diff --git a/ChangeLog.d/rsa-mutex.txt b/ChangeLog.d/rsa-mutex.txt deleted file mode 100644 index 2a477a9cb..000000000 --- a/ChangeLog.d/rsa-mutex.txt +++ /dev/null 
@@ -1,13 +0,0 @@ -Bugfix - * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free() - twice is safe. This happens for RSA when some Mbed TLS library functions - fail. Such a double-free was not safe when MBEDTLS_THREADING_C was - enabled on platforms where freeing a mutex twice is not safe. - * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key() - when MBEDTLS_THREADING_C is enabled on platforms where initializing - a mutex allocates resources. - -Default behavior changes - * In mbedtls_rsa_context objects, the ver field was formerly documented - as always 0. It is now reserved for internal purposes and may take - different values. diff --git a/ChangeLog.d/rsa_private-ret.txt b/ChangeLog.d/rsa_private-ret.txt deleted file mode 100644 index b965cea77..000000000 --- a/ChangeLog.d/rsa_private-ret.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix an incorrect error code if an RSA private operation glitched.
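Review bot: the merged ChangeLog hunk (@@ -1,5 +1,116 @@) carries over three spelling errors from the ChangeLog.d fragments that should be fixed now that they are being folded into the release notes: "Fix an errorneous estimation" should read "Fix an erroneous estimation", "making access aceess to them use constant flow code" has a duplicated word and should read "making access to them use constant flow code", and "Fix memory leak that occured" should read "occurred". In the same hunk, "might fail to write a private RSA keys of the largest supported size" should be "private RSA keys" (drop "a"), and two Bugfix entries do not follow the imperative "Fix ..." form used by every other entry in the section: "Fixes a bug where, if the library was configured ..." should be "Fix a bug where ...", and "This change makes 'mbedtls_x509write_crt_set_basic_constraints' consistent with RFC 5280 4.2.1.9 ..." would be clearer as "Make mbedtls_x509write_crt_set_basic_constraints() consistent with RFC 5280 4.2.1.9 ...", using the function-name-with-parentheses convention the other entries use rather than single quotes.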