./security/mbedtls, Lightweight, modular cryptographic and SSL/TLS library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.26.0, Package name: mbedtls-2.26.0, Maintainer: nia

mbed TLS (formerly known as PolarSSL) makes it trivially easy for developers
to include cryptographic and SSL/TLS capabilities in their (embedded)
products, facilitating this functionality with a minimal coding footprint.


Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: 1cb65fb2fb37a1c6e4216205cc10bee60300c35e
RMD160: c7c5ec41b4974d3b24897ac0d65ed3bcd50e50e8
Filesize: 3985.338 KB

Version history: (Expand)


CVS history: (Expand)


   2021-05-02 10:16:14 by Nia Alarie | Files touched by this commit (4) | Package updated
Log message:
mbedtls: update to 2.26.0

This release of Mbed TLS provides bug fixes, minor enhancements and new \ 
features. This release includes fixes for security issues.
API changes

    Renamed the PSA Crypto API output buffer size macros to bring them in line
    with version 1.0.0 of the specification.
    The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
    in bits rather than bytes, with an additional flag to indicate if the
    size may have been rounded up to a whole number of bytes.
    Renamed the PSA Crypto API AEAD tag length macros to bring them in line
    with version 1.0.0 of the specification.

Default behavior changes

    In mbedtls_rsa_context objects, the ver field was formerly documented
    as always 0. It is now reserved for internal purposes and may take
    different values.

New deprecations

    PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
    PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
    PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
    deprecated.
    PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
    have been renamed, and the old names deprecated.

Features

    The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
    CTR_DRBG is used by default if it is available, but you can override
    this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
    Fix #3354.
    Automatic fallback to a software implementation of ECP when
    MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
    through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
    The PSA crypto subsystem can now be configured to use less static RAM by
    tweaking the setting for the maximum amount of keys simultaneously in RAM.
    MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
    can exist simultaneously. It has a sensible default if not overridden.
    Partial implementation of the PSA crypto driver interface: Mbed TLS can
    now use an external random generator instead of the library's own
    entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
    and see the documentation of mbedtls_psa_external_get_random() for details.
    Applications using both mbedtls_xxx and psa_xxx functions (for example,
    applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
    random generator with mbedtls_xxx functions. See the documentation of
    mbedtls_psa_get_random() for details.
    In the PSA API, the policy for a MAC or AEAD algorithm can specify a
    minimum MAC or tag length thanks to the new wildcards
    PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
    PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.

Security

    Fix a security reduction in CTR_DRBG when the initial seeding obtained a
    nonce from entropy. Applications were affected if they called
    mbedtls_ctr_drbg_set_nonce_len(), if they called
    mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
    length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
    In such cases, a random nonce was necessary to achieve the advertised
    security strength, but the code incorrectly used a constant instead of
    entropy from the nonce.
    Found by John Stroebel in #3819 and fixed in #3973.
    Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
    |A| - |B| where |B| is larger than |A| and has more limbs (so the
    function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
    applications calling mbedtls_mpi_sub_abs() directly are affected:
    all calls inside the library were safe since this function is
    only called with |A| >= |B|. Reported by Guido Vranken in #4042.
    Fix an errorneous estimation for an internal buffer in
    mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
    value the function might fail to write a private RSA keys of the largest
    supported size.
    Found by Daniel Otte, reported in #4093 and fixed in #4094.
    Fix a stack buffer overflow with mbedtls_net_poll() and
    mbedtls_net_recv_timeout() when given a file descriptor that is
    beyond FD_SETSIZE. Reported by FigBug in #4169.
    Guard against strong local side channel attack against base64 tables by
    making access aceess to them use constant flow code.

Bugfix

    Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
    Fix memory leak that occured when calling psa_close_key() on a
    wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
    Fix an incorrect error code if an RSA private operation glitched.
    Fix a memory leak in an error case in psa_generate_derived_key_internal().
    Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
    is enabled, on platforms where initializing a mutex allocates resources.
    This was a regression introduced in the previous release. Reported in
    #4017, #4045 and #4071.
    Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
    twice is safe. This happens for RSA when some Mbed TLS library functions
    fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
    enabled on platforms where freeing a mutex twice is not safe.
    Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
    when MBEDTLS_THREADING_C is enabled on platforms where initializing
    a mutex allocates resources.
    Fixes a bug where, if the library was configured to include support for
    both the old SE interface and the new PSA driver interface, external keys were
    not loaded from storage. This was fixed by #3996.
    This change makes 'mbedtls_x509write_crt_set_basic_constraints'
    consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
    include this extension in all CA certificates that contain public keys
    used to validate digital signatures on certificates and MUST mark the
    extension as critical in such certificates." Previous to this change,
    the extension was always marked as non-critical. This was fixed by
    #3698.

Changes

    A new library C file psa_crypto_client.c has been created to contain
    the PSA code needed by a PSA crypto client when the PSA crypto
    implementation is not included into the library.
    On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
    now uses the getrandom syscall instead of reading from /dev/urandom.

Who should update

We recommend all users should update to take advantage of the bug fixes \ 
contained in this release at an appropriate point in their development \ 
lifecycle.
   2020-10-27 01:06:59 by Michael Forney | Files touched by this commit (1)
Log message:
mbedtls: avoid implementation-defined find(1) usage

It is implementation-defined whether find(1) replaces {} in arguments
that are not exactly equal to {}, so use a for-loop instead.
   2020-09-03 22:30:56 by Nia Alarie | Files touched by this commit (3) | Package updated
Log message:
mbedtls: Update to 2.24.0

= mbed TLS 2.24.0 branch released 2020-09-01

API changes
   * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
     group families to psa_ecc_family_t and psa_dh_family_t, in line with the
     PSA Crypto API specification version 1.0.0.
     Rename associated macros as well:
     PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
     PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
     PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
     PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY

Default behavior changes
   * Stop storing persistent information about externally stored keys created
     through PSA Crypto with a volatile lifetime. Reported in #3288 and
     contributed by Steven Cooreman in #3382.

Features
   * The new function mbedtls_ecp_write_key() exports private ECC keys back to
     a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
   * Support building on e2k (Elbrus) architecture: correctly enable
     -Wformat-signedness, and fix the code that causes signed-one-bit-field
     and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
     <akemi_homura@kurisa.ch>.

Security
   * Fix a vulnerability in the verification of X.509 certificates when
     matching the expected common name (the cn argument of
     mbedtls_x509_crt_verify()) with the actual certificate name: when the
     subjecAltName extension is present, the expected name was compared to any
     name in that extension regardless of its type. This means that an
     attacker could for example impersonate a 4-bytes or 16-byte domain by
     getting a certificate for the corresponding IPv4 or IPv6 (this would
     require the attacker to control that IP address, though). Similar attacks
     using other subjectAltName name types might be possible. Found and
     reported by kFYatek in #3498.
   * When checking X.509 CRLs, a certificate was only considered as revoked if
     its revocationDate was in the past according to the local clock if
     available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
     certificates were never considered as revoked. On builds with
     MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
     example, an untrusted OS attacking a secure enclave) could prevent
     revocation of certificates via CRLs. Fixed by no longer checking the
     revocationDate field, in accordance with RFC 5280. Reported by
     yuemonangong in #3340. Reported independently and fixed by
     Raoul Strackx and Jethro Beekman in #3433.
   * In (D)TLS record decryption, when using a CBC ciphersuites without the
     Encrypt-then-Mac extension, use constant code flow memory access patterns
     to extract and check the MAC. This is an improvement to the existing
     countermeasure against Lucky 13 attacks. The previous countermeasure was
     effective against network-based attackers, but less so against local
     attackers. The new countermeasure defends against local attackers, even
     if they have access to fine-grained measurements. In particular, this
     fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz,
     Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
     (University of Florida) and Dave Tian (Purdue University).
   * Fix side channel in RSA private key operations and static (finite-field)
     Diffie-Hellman. An adversary with precise enough timing and memory access
     information (typically an untrusted operating system attacking a secure
     enclave) could bypass an existing counter-measure (base blinding) and
     potentially fully recover the private key.
   * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
     Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
     for pinpointing the problematic code.
   * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
     application data from memory. Reported in #689 by
     Johan Uppman Bruce of Sectra.

Bugfix
   * Library files installed after a CMake build no longer have execute
     permission.
   * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
     redefinition if the function is inlined.
     Reported in #3451 and fix contributed in #3452 by okhowang.
   * Fix the endianness of Curve25519 keys imported/exported through the PSA
     APIs. psa_import_key and psa_export_key will now correctly expect/output
     Montgomery keys in little-endian as defined by RFC7748. Contributed by
     Steven Cooreman in #3425.
   * Fix build errors when the only enabled elliptic curves are Montgomery
     curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
     also fixes missing declarations reported by Steven Cooreman in #1147.
   * Fix self-test failure when the only enabled short Weierstrass elliptic
     curve is secp192k1. Fixes #2017.
   * PSA key import will now correctly import a Curve25519/Curve448 public key
     instead of erroring out. Contributed by Steven Cooreman in #3492.
   * Use arc4random_buf on NetBSD instead of rand implementation with cyclical
     lower bits. Fix contributed in #3540.
   * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
     conditions. Reported and fix suggested by Guido Vranken in #3486.
   * Fix bug in redirection of unit test outputs on platforms where stdout is
     defined as a macro. First reported in #2311 and fix contributed in #3528.

Changes
   * Only pass -Wformat-signedness to versions of GCC that support it. Reported
     in #3478 and fix contributed in #3479 by okhowang.
   * Reduce the stack consumption of mbedtls_x509write_csr_der() which
     previously could lead to stack overflow on constrained devices.
     Contributed by Doru Gucea and Simon Leet in #3464.
   * Undefine the ASSERT macro before defining it locally, in case it is defined
     in a platform header. Contributed by Abdelatif Guettouche in #3557.
   * Update copyright notices to use Linux Foundation guidance. As a result,
     the copyright of contributors other than Arm is now acknowledged, and the
     years of publishing are no longer tracked in the source files. This also
     eliminates the need for the lines declaring the files to be part of
     MbedTLS. Fixes #3457.
   * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
     example applications which allows to provide a password for the key file
     specified through the existing key_file argument. This allows the use of
     these applications with password-protected key files. Analogously but for
     ssl_server2 only, add the command line parameter key_pwd2 which allows to
     set a password for the key file provided through the existing key_file2
     argument.
   2020-07-07 13:21:39 by Nia Alarie | Files touched by this commit (1)
Log message:
mbedtls: Set BUILDLINK_ABI_DEPENDS
   2020-07-07 13:16:38 by Nia Alarie | Files touched by this commit (1)
Log message:
mbedtls: force python3
   2020-07-07 13:16:10 by Nia Alarie | Files touched by this commit (9) | Package removed
Log message:
mbedtls: Update to 2.23.0

= mbed TLS 2.23.0 branch released 2020-07-01

Default behavior changes
   * In the experimental PSA secure element interface, change the encoding of
     key lifetimes to encode a persistence level and the location. Although C
     prototypes do not effectively change, code calling
     psa_register_se_driver() must be modified to pass the driver's location
     instead of the keys' lifetime. If the library is upgraded on an existing
     device, keys created with the old lifetime value will not be readable or
     removable through Mbed TLS after the upgrade.

Features
   * New functions in the error module return constant strings for
     high- and low-level error codes, complementing mbedtls_strerror()
     which constructs a string for any error code, including compound
     ones, but requires a writable buffer. Contributed by Gaurav Aggarwal
     in #3176.
   * The new utility programs/ssl/ssl_context_info prints a human-readable
     dump of an SSL context saved with mbedtls_ssl_context_save().
   * Add support for midipix, a POSIX layer for Microsoft Windows.
   * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows
     parsing unsupported certificate extensions via user provided callback.
     Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as
     a solution to #3241.
   * Pass the "certificate policies" extension to the callback supplied to
     mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
     policies (#3419).
   * Added support to entropy_poll for the kern.arandom syscall supported on
     some BSD systems. Contributed by Nia Alarie in #3423.
   * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239

Security
   * Fix a side channel vulnerability in modular exponentiation that could
     reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
     Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
     of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
     Strackx (Fortanix) in #3394.
   * Fix side channel in mbedtls_ecp_check_pub_priv() and
     mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
     private key that didn't include the uncompressed public key), as well as
     mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
     f_rng argument. An attacker with access to precise enough timing and
     memory access information (typically an untrusted operating system
     attacking a secure enclave) could fully recover the ECC private key.
     Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
   * Fix issue in Lucky 13 counter-measure that could make it ineffective when
     hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
     macros). This would cause the original Lucky 13 attack to be possible in
     those configurations, allowing an active network attacker to recover
     plaintext after repeated timing measurements under some conditions.
     Reported and fix suggested by Luc Perneel in #3246.

Bugfix
   * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
     Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
     the example programs. Reported in #1430 and fix contributed by irwir.
   * Fix undefined behavior in X.509 certificate parsing if the
     pathLenConstraint basic constraint value is equal to INT_MAX.
     The actual effect with almost every compiler is the intended
     behavior, so this is unlikely to be exploitable anywhere. #3192
   * Fix issue with a detected HW accelerated record error not being exposed
     due to shadowed variable. Contributed by Sander Visser in #3310.
   * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
     NULL pointer argument. Contributed by Sander Visser in #3312.
   * Fix potential linker errors on dual world platforms by inlining
     mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
     from psa_crypto.c. Fixes #3300.
   * Remove dead code in X.509 certificate parsing. Contributed by irwir in
     #2855.
   * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
   * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
     when PRNG function fails. Contributed by Jonas Lejeune in #3318.
   * Remove unused macros from MSVC projects. Reported in #3297 and fix
     submitted in #3333 by irwir.
   * Add additional bounds checks in ssl_write_client_hello() preventing
     output buffer overflow if the configuration declared a buffer that was
     too small.
   * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
     fix submitted in #3421 by Nia Alarie.
   * Fix building library/net_sockets.c and the ssl_mail_client program on
     NetBSD. Contributed by Nia Alarie in #3422.
   * Fix false positive uninitialised variable reported by cpp-check.
     Contributed by Sander Visser in #3311.
   * Update iv and len context pointers manually when reallocating buffers
     using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues
     when receiving a connection with CID, when these fields were shifted
     in ssl_parse_record_header().

Changes
   * Fix warnings about signedness issues in format strings. The build is now
     clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
     in #3153.
   * Fix minor performance issue in operations on Curve25519 caused by using a
     suboptimal modular reduction in one place. Found and fix contributed by
     Aurelien Jarno in #3209.
   * Combine identical cases in switch statements in md.c. Contributed
     by irwir in #3208.
   * Simplify a bounds check in ssl_write_certificate_request(). Contributed
     by irwir in #3150.
   * Unify the example programs termination to call mbedtls_exit() instead of
     using a return command. This has been done to enable customization of the
     behavior in bare metal environments.
   * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
     Contributed by Koh M. Nakagawa in #3326.
   * Use FindPython3 when cmake version >= 3.15.0
   * Abort the ClientHello writing function as soon as some extension doesn't
     fit into the record buffer. Previously, such extensions were silently
     dropped. As a consequence, the TLS handshake now fails when the output
     buffer is not large enough to hold the ClientHello.
   * The unit tests now rely on header files in tests/include/test and source
     files in tests/src. When building with make or cmake, the files in
     tests/src are compiled and the resulting object linked into each test
     executable.
   * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
     `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
     coutermeasures. If side channels are not a concern, this dependency can
     be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
   * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes
     Martinho. #3147
   * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
     in #3182 and fix submitted by irwir. #3217
   * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
   2020-06-29 14:39:36 by Nia Alarie | Files touched by this commit (4) | Package updated
Log message:
mbedtls: Add KERN_ARND support.

Motivation: the default behaviour of reopening /dev/urandom repeatedly
for every 128 bytes of entropy required is _exceedingly_ slow on NetBSD.
Not helped is using fread(), which assumes a long-lived file and buffers
excessively. This change makes the standard gen_entropy tool run in
milliseconds instead of seconds when it generates 48K of randomness.

Not only that, but sysctl is a lot more robust in e.g. chroots, resource
limited processes, etc.

Risk: On NetBSD, the security properties of the previous and current
behaviour are identical.

Upstreamed: https://github.com/ARMmbed/mbedtls/pull/3423

Bump PKGREVISION.
   2020-06-11 13:43:50 by Nia Alarie | Files touched by this commit (6) | Package updated
Log message:
mbedtls: Update patches. Add links to PRs.