diff --git a/BRANCHES.md b/BRANCHES.md index 49f7e289bb..78f8f69b49 100644 --- a/BRANCHES.md +++ b/BRANCHES.md @@ -106,6 +106,6 @@ The following branches are currently maintained: - [`development`](https://github.com/Mbed-TLS/mbedtls/) - [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6) maintained until March 2027, see - . + . Users are urged to always use the latest version of a maintained branch. diff --git a/ChangeLog b/ChangeLog index 1c48958e39..7de639e45a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,330 @@ Mbed TLS ChangeLog (Sorted per branch, date) += Mbed TLS 4.0.0-beta branch released 2025-07-04 + +API changes + * The experimental functions psa_generate_key_ext() and + psa_key_derivation_output_key_ext() have been replaced by + psa_generate_key_custom() and psa_key_derivation_output_key_custom(). + They have almost exactly the same interface, but the variable-length + data is passed in a separate parameter instead of a flexible array + member. This resolves a build failure under C++ compilers that do not + support flexible array members (a C99 feature not adopted by C++). + Fixes #9020. + * Align the mbedtls_ssl_ticket_setup() function with the PSA Crypto API. + Instead of taking a mbedtls_cipher_type_t as an argument, this function + now takes 3 new arguments: a PSA algorithm, key type and key size, to + specify the AEAD for ticket protection. + * The PSA and Mbed TLS error spaces are now unified. mbedtls_xxx() + functions can now return PSA_ERROR_xxx values. + There is no longer a distinction between "low-level" and "high-level" + Mbed TLS error codes. + This will not affect most applications since the error values are + between -32767 and -1 as before. + * All API functions now use the PSA random generator psa_get_random() + internally. As a consequence, functions no longer take RNG parameters. + Please refer to the migration guide at : + tf-psa-crypto/docs/4.0-migration-guide.md. + +Default behavior changes + * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT && + !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the + corresponding PSA mechanism is enabled, since the server provides the + crypto. Fixes #9126. + * The PK, X.509, PKCS7 and TLS modules now always use the PSA subsystem + to perform cryptographic operations, with a few exceptions documented + in docs/architecture/psa-migration/psa-limitations.md. This + corresponds to the behavior of Mbed TLS 3.x when + MBEDTLS_USE_PSA_CRYPTO is enabled. In effect, MBEDTLS_USE_PSA_CRYPTO + is now always enabled. + * psa_crypto_init() must be called before performing any cryptographic + operation, including indirect requests such as parsing a key or + certificate or starting a TLS handshake. + * The `PSA_WANT_XXX` symbols as defined in + tf-psa-crypto/include/psa/crypto_config.h are now always used in the + configuration of the cryptographic mechanisms exposed by the PSA API. + This corresponds to the configuration behavior of Mbed TLS 3.x when + MBEDTLS_PSA_CRYPTO_CONFIG is enabled. In effect, MBEDTLS_PSA_CRYPTO_CONFIG + is now always enabled and the configuration option has been removed. + * In TLS clients, if mbedtls_ssl_set_hostname() has not been called, + mbedtls_ssl_handshake() now fails with + MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + if certificate-based authentication of the server is attempted. + This is because authenticating a server without knowing what name + to expect is usually insecure. + +Removals + * Drop support for VIA Padlock. Removes MBEDTLS_PADLOCK_C. + Fixes #5903. + * Drop support for crypto alt interface. Removes MBEDTLS_XXX_ALT options + at the module and function level for crypto mechanisms only. The remaining + alt interfaces for platform, threading and timing are unchanged. + Fixes #8149. + * Remove support for the RSA-PSK key exchange in TLS 1.2. + * Remove deprecated mbedtls_x509write_crt_set_serial(). The function was + already deprecated and superseeded by + mbedtls_x509write_crt_set_serial_raw(). + * Remove the function mbedtls_ssl_conf_curves() which had been deprecated + in favour of mbedtls_ssl_conf_groups() since Mbed TLS 3.1. + * Remove support for the DHE-PSK key exchange in TLS 1.2. + * Remove support for the DHE-RSA key exchange in TLS 1.2. + * Following the removal of DHM module (#9972 and TF-PSA-Crypto#175) the + following SSL functions are removed: + - mbedtls_ssl_conf_dh_param_bin + - mbedtls_ssl_conf_dh_param_ctx + - mbedtls_ssl_conf_dhm_min_bitlen + * Remove support for the RSA key exchange in TLS 1.2. + * Remove mbedtls_low_level_sterr() and mbedtls_high_level_strerr(), + since these concepts no longer exists. There is just mbedtls_strerror(). + * Removal of the following sample programs: + pkey/rsa_genkey.c + pkey/pk_decrypt.c + pkey/dh_genprime.c + pkey/rsa_verify.c + pkey/mpi_demo.c + pkey/rsa_decrypt.c + pkey/key_app.c + pkey/dh_server.c + pkey/ecdh_curve25519.c + pkey/pk_encrypt.c + pkey/rsa_sign.c + pkey/key_app_writer.c + pkey/dh_client.c + pkey/ecdsa.c + pkey/rsa_encrypt.c + wince_main.c + aes/crypt_and_hash.c + random/gen_random_ctr_drbg.c + random/gen_entropy.c + hash/md_hmac_demo.c + hash/hello.c + hash/generic_sum.c + cipher/cipher_aead_demo.c + * Remove compat-2-x.h header from mbedtls. + * The library no longer offers interfaces to look up values by OID + or OID by enum values. + The header now only defines functions to convert + between binary and dotted string OID representations, and macros + for OID strings that are relevant to X.509. + The compilation option MBEDTLS_OID_C no longer + exists. OID tables are included in the build automatically as needed. + +Features + * When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, + the number of volatile PSA keys is virtually unlimited, at the expense + of increased code size. This option is off by default, but enabled in + the default mbedtls_config.h. Fixes #9216. + * Add a new psa_key_agreement() PSA API to perform key agreement and return + an identifier for the newly created key. + * Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which + uses static storage for keys, enabling malloc-less use of key slots. + The size of each buffer is given by the option + MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the + largest PSA key enabled in the build. + * Add an interruptible version of key agreement to the PSA interface. + See psa_key_agreement_iop_setup() and related functions. + * Add an interruptible version of generate key to the PSA interface. + See psa_generate_key_iop_setup() and related functions. + * Add the function mbedtls_ssl_export_keying_material() which allows the + client and server to extract additional shared symmetric keys from an SSL + session, according to the TLS-Exporter specification in RFC 8446 and 5705. + This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in + mbedtls_config.h. + +Security + * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does + not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when + MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. + CVE-2024-45157 + * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and + mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the + largest supported curve. In some configurations with PSA disabled, + all values of bits are affected. This never happens in internal library + calls, but can affect applications that call these functions directly. + CVE-2024-45158 + * With TLS 1.3, when a server enables optional authentication of the + client, if the client-provided certificate does not have appropriate values + in keyUsage or extKeyUsage extensions, then the return value of + mbedtls_ssl_get_verify_result() would incorrectly have the + MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits + clear. As a result, an attacker that had a certificate valid for uses other + than TLS client authentication could be able to use it for TLS client + authentication anyway. Only TLS 1.3 servers were affected, and only with + optional authentication (required would abort the handshake with a fatal + alert). + CVE-2024-45159 + * Fix a buffer underrun in mbedtls_pk_write_key_der() when + called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled, + and the output buffer is smaller than the actual output. + Fix a related buffer underrun in mbedtls_pk_write_key_pem() + when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled + and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key. + CVE-2024-49195 + * Note that TLS clients should generally call mbedtls_ssl_set_hostname() + if they use certificate authentication (i.e. not pre-shared keys). + Otherwise, in many scenarios, the server could be impersonated. + The library will now prevent the handshake and return + MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + if mbedtls_ssl_set_hostname() has not been called. + Reported by Daniel Stenberg. + CVE-2025-27809 + * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed + or there was a cryptographic hardware failure when calculating the + Finished message, it could be calculated incorrectly. This would break + the security guarantees of the TLS handshake. + CVE-2025-27810 + * Fix possible use-after-free or double-free in code calling + mbedtls_x509_string_to_names(). This was caused by the function calling + mbedtls_asn1_free_named_data_list() on its head argument, while the + documentation did no suggest it did, making it likely for callers relying + on the documented behaviour to still hold pointers to memory blocks after + they were free()d, resulting in high risk of use-after-free or double-free, + with consequences ranging up to arbitrary code execution. + In particular, the two sample programs x509/cert_write and x509/cert_req + were affected (use-after-free if the san string contains more than one DN). + Code that does not call mbedtls_string_to_names() directly is not affected. + Found by Linh Le and Ngan Nguyen from Calif. + CVE-2025-47917 + * Fix a bug in mbedtls_x509_string_to_names() and the + mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions, + where some inputs would cause an inconsistent state to be reached, causing + a NULL dereference either in the function itself, or in subsequent + users of the output structure, such as mbedtls_x509_write_names(). This + only affects applications that create (as opposed to consume) X.509 + certificates, CSRs or CRLs. Found by Linh Le and Ngan Nguyen from Calif. + CVE-2025-48965 + +Bugfix + * Fix TLS 1.3 client build and runtime when support for session tickets is + disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395. + * Fix compilation error when memcpy() is a function-like macros. Fixes #8994. + * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled + as soon as MBEDTLS_RSA_C is enabled. Fixes #9041. + * Fix undefined behaviour (incrementing a NULL pointer by zero length) when + passing in zero length additional data to multipart AEAD. + * Fix rare concurrent access bug where attempting to operate on a + non-existent key while concurrently creating a new key could potentially + corrupt the key store. + * Fix error handling when creating a key in a dynamic secure element + (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition, + the creation could return PSA_SUCCESS but using or destroying the key + would not work. Fixes #8537. + * Fix issue of redefinition warning messages for _GNU_SOURCE in + entropy_poll.c and sha_256.c. There was a build warning during + building for linux platform. + Resolves #9026 + * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled. + * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in + CMAC is enabled, but no built-in unauthenticated cipher is enabled. + Fixes #9209. + * Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled. + Fixes #9029. + * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes + long. Credit to Cryptofuzz. Fixes #9314. + * Fix interference between PSA volatile keys and built-in keys + when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and + MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096. + * Document and enforce the limitation of mbedtls_psa_register_se_key() + to persistent keys. Resolves #9253. + * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled + but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188. + * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but + MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186. + * When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled, + some code was defining 0-size arrays, resulting in compilation errors. + Fixed by disabling the offending code in configurations without PSA + Crypto, where it never worked. Fixes #9311. + * Fixes an issue where some TLS 1.2 clients could not connect to an + Mbed TLS 3.6.0 server, due to incorrect handling of + legacy_compression_methods in the ClientHello. + fixes #8995, #9243. + * Fix a memory leak that could occur when failing to process an RSA + key through some PSA functions due to low memory conditions. + * Fixed a regression introduced in 3.6.0 where the CA callback set with + mbedtls_ssl_conf_ca_cb() would stop working when connections were + upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS + 1.3. + * Fixed a regression introduced in 3.6.0 where clients that relied on + optional/none authentication mode, by calling mbedtls_ssl_conf_authmode() + with MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_NONE, would stop + working when connections were upgraded to TLS 1.3. Fixed by adding + support for optional/none with TLS 1.3 as well. Note that the TLS 1.3 + standard makes server authentication mandatory; users are advised not to + use authmode none, and to carefully check the results when using optional + mode. + * Fixed a regression introduced in 3.6.0 where context-specific certificate + verify callbacks, set with mbedtls_ssl_set_verify() as opposed to + mbedtls_ssl_conf_verify(), would stop working when connections were + upgraded to TLS 1.3. Fixed by adding support for context-specific verify + callback in TLS 1.3. + * Fix unintended performance regression when using short RSA public keys. + Fixes #9232. + * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with + peers that have middlebox compatibility enabled, as long as no + problematic middlebox is in the way. Fixes #9551. + * Fix invalid JSON schemas for driver descriptions used by + generate_driver_wrappers.py. + * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind' + and 'mbedtls_net_connect' to prevent possible double close fd + problems. Fixes #9711. + * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or + mbedtls_psa_der_to_raw() is called with bits=0. + * Fix compilation on MS-DOS DJGPP. Fixes #9813. + * Fix missing constraints on the AES-NI inline assembly which is used on + GCC-like compilers when building AES for generic x86_64 targets. This + may have resulted in incorrect code with some compilers, depending on + optimizations. Fixes #9819. + * Support re-assembly of fragmented handshake messages in TLS (both + 1.2 and 1.3). The lack of support was causing handshake failures with + some servers, especially with TLS 1.3 in practice. There are a few + limitations, notably a fragmented ClientHello is only supported when + TLS 1.3 support is enabled. See the documentation of + mbedtls_ssl_handshake() for details. + * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that + occurred whenever SSL debugging was enabled on a copy of Mbed TLS built + with Visual Studio 2013 or MinGW. + Fixes #10017. + * Silence spurious -Wunterminated-string-initialization warnings introduced + by GCC 15. Fixes #9944. + +Changes + * Warn if mbedtls/check_config.h is included manually, as this can + lead to spurious errors. Error if a *adjust*.h header is included + manually, as this can lead to silently inconsistent configurations, + potentially resulting in buffer overflows. + When migrating from Mbed TLS 2.x, if you had a custom config.h that + included check_config.h, remove this inclusion from the Mbed TLS 3.x + configuration file (renamed to mbedtls_config.h). This change was made + in Mbed TLS 3.0, but was not announced in a changelog entry at the time. + * Functions regarding numeric string conversions for OIDs have been moved + from the OID module and now reside in X.509 module. This helps to reduce + the code size as these functions are not commonly used outside of X.509. + * Improve performance of PSA key generation with ECC keys: it no longer + computes the public key (which was immediately discarded). Fixes #9732. + * Cryptography and platform configuration options have been migrated + from the Mbed TLS library configuration file mbedtls_config.h to + crypto_config.h that will become the TF-PSA-Crypto configuration file, + see config-split.md for more information. The reference and test custom + configuration files respectively in configs/ and tests/configs/ have + been updated accordingly. + To migrate custom Mbed TLS configurations where + MBEDTLS_PSA_CRYPTO_CONFIG is disabled, you should first adapt them + to the PSA configuration scheme based on PSA_WANT_XXX symbols + (see psa-conditional-inclusion-c.md for more information). + To migrate custom Mbed TLS configurations where + MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you should migrate the + cryptographic and platform configuration options from mbedtls_config.h + to crypto_config.h (see config-split.md for more information and configs/ + for examples). + * Move the crypto part of the library (content of tf-psa-crypto directory) + from the Mbed TLS to the TF-PSA-Crypto repository. The crypto code and + tests development will now occur in TF-PSA-Crypto, which Mbed TLS + references as a Git submodule. + * The function mbedtls_x509_string_to_names() now requires its head argument + to point to NULL on entry. This makes it likely that existing risky uses of + this function (see the entry in the Security section) will be detected and + fixed. + = Mbed TLS 3.6.0 branch released 2024-03-28 API changes diff --git a/ChangeLog.d/9126.txt b/ChangeLog.d/9126.txt deleted file mode 100644 index 22939df86f..0000000000 --- a/ChangeLog.d/9126.txt +++ /dev/null @@ -1,5 +0,0 @@ -Default behavior changes - * In a PSA-client-only build (i.e. MBEDTLS_PSA_CRYPTO_CLIENT && - !MBEDTLS_PSA_CRYPTO_C), do not automatically enable local crypto when the - corresponding PSA mechanism is enabled, since the server provides the - crypto. Fixes #9126. diff --git a/ChangeLog.d/9302.txt b/ChangeLog.d/9302.txt deleted file mode 100644 index d61ba19632..0000000000 --- a/ChangeLog.d/9302.txt +++ /dev/null @@ -1,6 +0,0 @@ -Features - * Added new configuration option MBEDTLS_PSA_STATIC_KEY_SLOTS, which - uses static storage for keys, enabling malloc-less use of key slots. - The size of each buffer is given by the option - MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. By default it accommodates the - largest PSA key enabled in the build. diff --git a/ChangeLog.d/9684.txt b/ChangeLog.d/9684.txt deleted file mode 100644 index 115ded87a0..0000000000 --- a/ChangeLog.d/9684.txt +++ /dev/null @@ -1,2 +0,0 @@ -Removals - * Remove support for the DHE-PSK key exchange in TLS 1.2. diff --git a/ChangeLog.d/9685.txt b/ChangeLog.d/9685.txt deleted file mode 100644 index 9820aff759..0000000000 --- a/ChangeLog.d/9685.txt +++ /dev/null @@ -1,2 +0,0 @@ -Removals - * Remove support for the DHE-RSA key exchange in TLS 1.2. diff --git a/ChangeLog.d/9690.txt b/ChangeLog.d/9690.txt deleted file mode 100644 index d00eb16bc9..0000000000 --- a/ChangeLog.d/9690.txt +++ /dev/null @@ -1,8 +0,0 @@ -Security - * Fix a buffer underrun in mbedtls_pk_write_key_der() when - called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled, - and the output buffer is smaller than the actual output. - Fix a related buffer underrun in mbedtls_pk_write_key_pem() - when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled - and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key. - CVE-2024-49195 diff --git a/ChangeLog.d/9874.txt b/ChangeLog.d/9874.txt deleted file mode 100644 index a4d2e032ee..0000000000 --- a/ChangeLog.d/9874.txt +++ /dev/null @@ -1,5 +0,0 @@ -API changes - * Align the mbedtls_ssl_ticket_setup() function with the PSA Crypto API. - Instead of taking a mbedtls_cipher_type_t as an argument, this function - now takes 3 new arguments: a PSA algorithm, key type and key size, to - specify the AEAD for ticket protection. diff --git a/ChangeLog.d/9892.txt b/ChangeLog.d/9892.txt deleted file mode 100644 index cf9f9dc132..0000000000 --- a/ChangeLog.d/9892.txt +++ /dev/null @@ -1,4 +0,0 @@ -Removals - * Remove deprecated mbedtls_x509write_crt_set_serial(). The function was - already deprecated and superseded by - mbedtls_x509write_crt_set_serial_raw(). diff --git a/ChangeLog.d/9956.txt b/ChangeLog.d/9956.txt deleted file mode 100644 index cea4af1ec6..0000000000 --- a/ChangeLog.d/9956.txt +++ /dev/null @@ -1,6 +0,0 @@ -Removals - * Following the removal of DHM module (#9972 and TF-PSA-Crypto#175) the - following SSL functions are removed: - - mbedtls_ssl_conf_dh_param_bin - - mbedtls_ssl_conf_dh_param_ctx - - mbedtls_ssl_conf_dhm_min_bitlen diff --git a/ChangeLog.d/9964.txt b/ChangeLog.d/9964.txt deleted file mode 100644 index 30029f2d3f..0000000000 --- a/ChangeLog.d/9964.txt +++ /dev/null @@ -1,25 +0,0 @@ -Removals - * Sample programs for the legacy crypto API have been removed. - pkey/rsa_genkey.c - pkey/pk_decrypt.c - pkey/dh_genprime.c - pkey/rsa_verify.c - pkey/mpi_demo.c - pkey/rsa_decrypt.c - pkey/key_app.c - pkey/dh_server.c - pkey/ecdh_curve25519.c - pkey/pk_encrypt.c - pkey/rsa_sign.c - pkey/key_app_writer.c - pkey/dh_client.c - pkey/ecdsa.c - pkey/rsa_encrypt.c - wince_main.c - aes/crypt_and_hash.c - random/gen_random_ctr_drbg.c - random/gen_entropy.c - hash/md_hmac_demo.c - hash/hello.c - hash/generic_sum.c - cipher/cipher_aead_demo.c diff --git a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt deleted file mode 100644 index 079cd741dc..0000000000 --- a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt +++ /dev/null @@ -1,4 +0,0 @@ -Security - * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does - not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when - MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. diff --git a/ChangeLog.d/add-psa-iop-generate-key.txt b/ChangeLog.d/add-psa-iop-generate-key.txt deleted file mode 100644 index 0f586ee197..0000000000 --- a/ChangeLog.d/add-psa-iop-generate-key.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Add an interruptible version of generate key to the PSA interface. - See psa_generate_key_iop_setup() and related functions. diff --git a/ChangeLog.d/add-psa-iop-key-agreement.txt b/ChangeLog.d/add-psa-iop-key-agreement.txt deleted file mode 100644 index 92dfde1843..0000000000 --- a/ChangeLog.d/add-psa-iop-key-agreement.txt +++ /dev/null @@ -1,4 +0,0 @@ -Features - * Add an interruptible version of key agreement to the PSA interface. - See psa_key_agreement_iop_setup() and related functions. - diff --git a/ChangeLog.d/add-psa-key-agreement.txt b/ChangeLog.d/add-psa-key-agreement.txt deleted file mode 100644 index 771e6e2602..0000000000 --- a/ChangeLog.d/add-psa-key-agreement.txt +++ /dev/null @@ -1,3 +0,0 @@ -Features - * Add a new psa_key_agreement() PSA API to perform key agreement and return - an identifier for the newly created key. diff --git a/ChangeLog.d/add-tls-exporter.txt b/ChangeLog.d/add-tls-exporter.txt deleted file mode 100644 index 1aea653e09..0000000000 --- a/ChangeLog.d/add-tls-exporter.txt +++ /dev/null @@ -1,6 +0,0 @@ -Features - * Add the function mbedtls_ssl_export_keying_material() which allows the - client and server to extract additional shared symmetric keys from an SSL - session, according to the TLS-Exporter specification in RFC 8446 and 5705. - This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in - mbedtls_config.h. diff --git a/ChangeLog.d/asn1-missing-guard-in-rsa.txt b/ChangeLog.d/asn1-missing-guard-in-rsa.txt deleted file mode 100644 index bb5b470881..0000000000 --- a/ChangeLog.d/asn1-missing-guard-in-rsa.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled - as soon as MBEDTLS_RSA_C is enabled. Fixes #9041. diff --git a/ChangeLog.d/check-config.txt b/ChangeLog.d/check-config.txt deleted file mode 100644 index 8570a11757..0000000000 --- a/ChangeLog.d/check-config.txt +++ /dev/null @@ -1,9 +0,0 @@ -Changes - * Warn if mbedtls/check_config.h is included manually, as this can - lead to spurious errors. Error if a *adjust*.h header is included - manually, as this can lead to silently inconsistent configurations, - potentially resulting in buffer overflows. - When migrating from Mbed TLS 2.x, if you had a custom config.h that - included check_config.h, remove this inclusion from the Mbed TLS 3.x - configuration file (renamed to mbedtls_config.h). This change was made - in Mbed TLS 3.0, but was not announced in a changelog entry at the time. diff --git a/ChangeLog.d/configuration-split.txt b/ChangeLog.d/configuration-split.txt deleted file mode 100644 index f4d9bc63ac..0000000000 --- a/ChangeLog.d/configuration-split.txt +++ /dev/null @@ -1,16 +0,0 @@ -Changes - * Cryptography and platform configuration options have been migrated - from the Mbed TLS library configuration file mbedtls_config.h to - crypto_config.h that will become the TF-PSA-Crypto configuration file, - see config-split.md for more information. The reference and test custom - configuration files respectively in configs/ and tests/configs/ have - been updated accordingly. - To migrate custom Mbed TLS configurations where - MBEDTLS_PSA_CRYPTO_CONFIG is disabled, you should first adapt them - to the PSA configuration scheme based on PSA_WANT_XXX symbols - (see psa-conditional-inclusion-c.md for more information). - To migrate custom Mbed TLS configurations where - MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you should migrate the - cryptographic and platform configuration options from mbedtls_config.h - to crypto_config.h (see config-split.md for more information and configs/ - for examples). diff --git a/ChangeLog.d/dynamic-keystore.txt b/ChangeLog.d/dynamic-keystore.txt deleted file mode 100644 index c6aac3c991..0000000000 --- a/ChangeLog.d/dynamic-keystore.txt +++ /dev/null @@ -1,10 +0,0 @@ -Features - * When the new compilation option MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, - the number of volatile PSA keys is virtually unlimited, at the expense - of increased code size. This option is off by default, but enabled in - the default mbedtls_config.h. Fixes #9216. - -Bugfix - * Fix interference between PSA volatile keys and built-in keys - when MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled and - MBEDTLS_PSA_KEY_SLOT_COUNT is more than 4096. diff --git a/ChangeLog.d/ecdsa-conversion-overflow.txt b/ChangeLog.d/ecdsa-conversion-overflow.txt deleted file mode 100644 index 83b7f2f88b..0000000000 --- a/ChangeLog.d/ecdsa-conversion-overflow.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and - mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the - largest supported curve. In some configurations with PSA disabled, - all values of bits are affected. This never happens in internal library - calls, but can affect applications that call these functions directly. diff --git a/ChangeLog.d/error-unification.txt b/ChangeLog.d/error-unification.txt deleted file mode 100644 index eddd42c9ea..0000000000 --- a/ChangeLog.d/error-unification.txt +++ /dev/null @@ -1,11 +0,0 @@ -API changes - * The PSA and Mbed TLS error spaces are now unified. mbedtls_xxx() - functions can now return PSA_ERROR_xxx values. - There is no longer a distinction between "low-level" and "high-level" - Mbed TLS error codes. - This will not affect most applications since the error values are - between -32767 and -1 as before. - -Removals - * Remove mbedtls_low_level_strerr() and mbedtls_high_level_strerr(), - since these concepts no longer exists. There is just mbedtls_strerror(). diff --git a/ChangeLog.d/fix-aesni-asm-clobbers.txt b/ChangeLog.d/fix-aesni-asm-clobbers.txt deleted file mode 100644 index 538f0c5115..0000000000 --- a/ChangeLog.d/fix-aesni-asm-clobbers.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix missing constraints on the AES-NI inline assembly which is used on - GCC-like compilers when building AES for generic x86_64 targets. This - may have resulted in incorrect code with some compilers, depending on - optimizations. Fixes #9819. diff --git a/ChangeLog.d/fix-clang-psa-build-without-dhm.txt b/ChangeLog.d/fix-clang-psa-build-without-dhm.txt deleted file mode 100644 index 7ae1c68a40..0000000000 --- a/ChangeLog.d/fix-clang-psa-build-without-dhm.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled - but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188. diff --git a/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt b/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt deleted file mode 100644 index 11e7d25392..0000000000 --- a/ChangeLog.d/fix-compilation-when-memcpy-is-function-like-macro.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix compilation error when memcpy() is a function-like macros. Fixes #8994. diff --git a/ChangeLog.d/fix-compilation-with-djgpp.txt b/ChangeLog.d/fix-compilation-with-djgpp.txt deleted file mode 100644 index 5b79fb69de..0000000000 --- a/ChangeLog.d/fix-compilation-with-djgpp.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix compilation on MS-DOS DJGPP. Fixes #9813. diff --git a/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt b/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt deleted file mode 100644 index 8a406a12e8..0000000000 --- a/ChangeLog.d/fix-concurrently-loading-non-existent-keys.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix rare concurrent access bug where attempting to operate on a - non-existent key while concurrently creating a new key could potentially - corrupt the key store. diff --git a/ChangeLog.d/fix-driver-schema-check.txt b/ChangeLog.d/fix-driver-schema-check.txt deleted file mode 100644 index 9b6d8acd6e..0000000000 --- a/ChangeLog.d/fix-driver-schema-check.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix invalid JSON schemas for driver descriptions used by - generate_driver_wrappers.py. diff --git a/ChangeLog.d/fix-legacy-compression-issue.txt b/ChangeLog.d/fix-legacy-compression-issue.txt deleted file mode 100644 index 2549af8733..0000000000 --- a/ChangeLog.d/fix-legacy-compression-issue.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * Fixes an issue where some TLS 1.2 clients could not connect to an - Mbed TLS 3.6.0 server, due to incorrect handling of - legacy_compression_methods in the ClientHello. - fixes #8995, #9243. - diff --git a/ChangeLog.d/fix-msvc-version-guard-format-zu.txt b/ChangeLog.d/fix-msvc-version-guard-format-zu.txt deleted file mode 100644 index eefda618ca..0000000000 --- a/ChangeLog.d/fix-msvc-version-guard-format-zu.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that - occurred whenever SSL debugging was enabled on a copy of Mbed TLS built - with Visual Studio 2013 or MinGW. - Fixes #10017. diff --git a/ChangeLog.d/fix-psa-cmac.txt b/ChangeLog.d/fix-psa-cmac.txt deleted file mode 100644 index e3c8aecc2d..0000000000 --- a/ChangeLog.d/fix-psa-cmac.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix the build when MBEDTLS_PSA_CRYPTO_CONFIG is enabled and the built-in - CMAC is enabled, but no built-in unauthenticated cipher is enabled. - Fixes #9209. diff --git a/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt b/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt deleted file mode 100644 index b5c26505c2..0000000000 --- a/ChangeLog.d/fix-redefination_warning_messages_for_GNU_SOURCE.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix issue of redefinition warning messages for _GNU_SOURCE in - entropy_poll.c and sha_256.c. There was a build warning during - building for linux platform. - Resolves #9026 diff --git a/ChangeLog.d/fix-rsa-performance-regression.txt b/ChangeLog.d/fix-rsa-performance-regression.txt deleted file mode 100644 index 603612a314..0000000000 --- a/ChangeLog.d/fix-rsa-performance-regression.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix unintended performance regression when using short RSA public keys. - Fixes #9232. diff --git a/ChangeLog.d/fix-secure-element-key-creation.txt b/ChangeLog.d/fix-secure-element-key-creation.txt deleted file mode 100644 index 23a46c068d..0000000000 --- a/ChangeLog.d/fix-secure-element-key-creation.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix error handling when creating a key in a dynamic secure element - (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition, - the creation could return PSA_SUCCESS but using or destroying the key - would not work. Fixes #8537. diff --git a/ChangeLog.d/fix-server-mode-only-build.txt b/ChangeLog.d/fix-server-mode-only-build.txt deleted file mode 100644 index d1d8341f79..0000000000 --- a/ChangeLog.d/fix-server-mode-only-build.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but - MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186. diff --git a/ChangeLog.d/fix-test-suite-pk-warnings.txt b/ChangeLog.d/fix-test-suite-pk-warnings.txt deleted file mode 100644 index 26042193cc..0000000000 --- a/ChangeLog.d/fix-test-suite-pk-warnings.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix redefinition warnings when SECP192R1 and/or SECP192K1 are disabled. - Fixes #9029. diff --git a/ChangeLog.d/fix_reporting_of_key_usage_issues.txt b/ChangeLog.d/fix_reporting_of_key_usage_issues.txt deleted file mode 100644 index b81fb426a7..0000000000 --- a/ChangeLog.d/fix_reporting_of_key_usage_issues.txt +++ /dev/null @@ -1,11 +0,0 @@ -Security - * With TLS 1.3, when a server enables optional authentication of the - client, if the client-provided certificate does not have appropriate values - in keyUsage or extKeyUsage extensions, then the return value of - mbedtls_ssl_get_verify_result() would incorrectly have the - MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits - clear. As a result, an attacker that had a certificate valid for uses other - than TLS client authentication could be able to use it for TLS client - authentication anyway. Only TLS 1.3 servers were affected, and only with - optional authentication (required would abort the handshake with a fatal - alert). diff --git a/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt b/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt deleted file mode 100644 index e4726a45d7..0000000000 --- a/ChangeLog.d/fix_ubsan_mp_aead_gcm.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix undefined behaviour (incrementing a NULL pointer by zero length) when - passing in zero length additional data to multipart AEAD. diff --git a/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt b/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt deleted file mode 100644 index 69c00e1a77..0000000000 --- a/ChangeLog.d/mbedtls_psa_ecp_generate_key-no_public_key.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Improve performance of PSA key generation with ECC keys: it no longer - computes the public key (which was immediately discarded). Fixes #9732. diff --git a/ChangeLog.d/mbedtls_psa_register_se_key.txt b/ChangeLog.d/mbedtls_psa_register_se_key.txt deleted file mode 100644 index 2fc2751ac0..0000000000 --- a/ChangeLog.d/mbedtls_psa_register_se_key.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Document and enforce the limitation of mbedtls_psa_register_se_key() - to persistent keys. Resolves #9253. diff --git a/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt deleted file mode 100644 index dba25af611..0000000000 --- a/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix a memory leak that could occur when failing to process an RSA - key through some PSA functions due to low memory conditions. diff --git a/ChangeLog.d/mbedtls_ssl_set_hostname.txt b/ChangeLog.d/mbedtls_ssl_set_hostname.txt deleted file mode 100644 index 250a5baafa..0000000000 --- a/ChangeLog.d/mbedtls_ssl_set_hostname.txt +++ /dev/null @@ -1,16 +0,0 @@ -Default behavior changes - * In TLS clients, if mbedtls_ssl_set_hostname() has not been called, - mbedtls_ssl_handshake() now fails with - MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME - if certificate-based authentication of the server is attempted. - This is because authenticating a server without knowing what name - to expect is usually insecure. - -Security - * Note that TLS clients should generally call mbedtls_ssl_set_hostname() - if they use certificate authentication (i.e. not pre-shared keys). - Otherwise, in many scenarios, the server could be impersonated. - The library will now prevent the handshake and return - MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME - if mbedtls_ssl_set_hostname() has not been called. - Reported by Daniel Stenberg. diff --git a/ChangeLog.d/oid.txt b/ChangeLog.d/oid.txt deleted file mode 100644 index 53828d85b1..0000000000 --- a/ChangeLog.d/oid.txt +++ /dev/null @@ -1,8 +0,0 @@ -Removals - * The library no longer offers interfaces to look up values by OID - or OID by enum values. - The header now only defines functions to convert - between binary and dotted string OID representations, and macros - for OID strings that are relevant to X.509. - The compilation option MBEDTLS_OID_C no longer - exists. OID tables are included in the build automatically as needed. diff --git a/ChangeLog.d/pk-norsa-warning.txt b/ChangeLog.d/pk-norsa-warning.txt deleted file mode 100644 index d00aa8a870..0000000000 --- a/ChangeLog.d/pk-norsa-warning.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled. diff --git a/ChangeLog.d/psa-always-on.txt b/ChangeLog.d/psa-always-on.txt deleted file mode 100644 index 45f4d9b101..0000000000 --- a/ChangeLog.d/psa-always-on.txt +++ /dev/null @@ -1,10 +0,0 @@ -Default behavior changes - * The PK, X.509, PKCS7 and TLS modules now always use the PSA subsystem - to perform cryptographic operations, with a few exceptions documented - in docs/architecture/psa-migration/psa-limitations.md. This - corresponds to the behavior of Mbed TLS 3.x when - MBEDTLS_USE_PSA_CRYPTO is enabled. In effect, MBEDTLS_USE_PSA_CRYPTO - is now always enabled. - * psa_crypto_init() must be called before performing any cryptographic - operation, including indirect requests such as parsing a key or - certificate or starting a TLS handshake. diff --git a/ChangeLog.d/psa-crypto-config-always-on.txt b/ChangeLog.d/psa-crypto-config-always-on.txt deleted file mode 100644 index d255f8c3c1..0000000000 --- a/ChangeLog.d/psa-crypto-config-always-on.txt +++ /dev/null @@ -1,7 +0,0 @@ -Default behavior changes - * The `PSA_WANT_XXX` symbols as defined in - tf-psa-crypto/include/psa/crypto_config.h are now always used in the - configuration of the cryptographic mechanisms exposed by the PSA API. - This corresponds to the configuration behavior of Mbed TLS 3.x when - MBEDTLS_PSA_CRYPTO_CONFIG is enabled. In effect, MBEDTLS_PSA_CRYPTO_CONFIG - is now always enabled and the configuration option has been removed. diff --git a/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt b/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt deleted file mode 100644 index 39e03b93ba..0000000000 --- a/ChangeLog.d/psa_cipher_decrypt-ccm_star-iv_length_enforcement.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix psa_cipher_decrypt() with CCM* rejecting messages less than 3 bytes - long. Credit to Cryptofuzz. Fixes #9314. diff --git a/ChangeLog.d/psa_generate_key_custom.txt b/ChangeLog.d/psa_generate_key_custom.txt deleted file mode 100644 index 3fc1bd7d1f..0000000000 --- a/ChangeLog.d/psa_generate_key_custom.txt +++ /dev/null @@ -1,9 +0,0 @@ -API changes - * The experimental functions psa_generate_key_ext() and - psa_key_derivation_output_key_ext() have been replaced by - psa_generate_key_custom() and psa_key_derivation_output_key_custom(). - They have almost exactly the same interface, but the variable-length - data is passed in a separate parameter instead of a flexible array - member. This resolves a build failure under C++ compilers that do not - support flexible array members (a C99 feature not adopted by C++). - Fixes #9020. diff --git a/ChangeLog.d/psa_util-bits-0.txt b/ChangeLog.d/psa_util-bits-0.txt deleted file mode 100644 index 9aa70ad978..0000000000 --- a/ChangeLog.d/psa_util-bits-0.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix undefined behavior in some cases when mbedtls_psa_raw_to_der() or - mbedtls_psa_der_to_raw() is called with bits=0. diff --git a/ChangeLog.d/psa_util_in_builds_without_psa.txt b/ChangeLog.d/psa_util_in_builds_without_psa.txt deleted file mode 100644 index 7c0866dd30..0000000000 --- a/ChangeLog.d/psa_util_in_builds_without_psa.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * When MBEDTLS_PSA_CRYPTO_C was disabled and MBEDTLS_ECDSA_C enabled, - some code was defining 0-size arrays, resulting in compilation errors. - Fixed by disabling the offending code in configurations without PSA - Crypto, where it never worked. Fixes #9311. diff --git a/ChangeLog.d/removal-of-rng.txt b/ChangeLog.d/removal-of-rng.txt deleted file mode 100644 index c7357e67b8..0000000000 --- a/ChangeLog.d/removal-of-rng.txt +++ /dev/null @@ -1,5 +0,0 @@ -API changes - * All API functions now use the PSA random generator psa_generate_random() - internally. As a consequence, functions no longer take RNG parameters. - Please refer to the migration guide at : - tf-psa-crypto/docs/4.0-migration-guide.md. diff --git a/ChangeLog.d/remove-compat-2.x.txt b/ChangeLog.d/remove-compat-2.x.txt deleted file mode 100644 index 37f012c217..0000000000 --- a/ChangeLog.d/remove-compat-2.x.txt +++ /dev/null @@ -1,2 +0,0 @@ -Removals - * Remove compat-2-x.h header from mbedtls. diff --git a/ChangeLog.d/remove_RSA_key_exchange.txt b/ChangeLog.d/remove_RSA_key_exchange.txt deleted file mode 100644 index f9baaf1701..0000000000 --- a/ChangeLog.d/remove_RSA_key_exchange.txt +++ /dev/null @@ -1,2 +0,0 @@ -Removals - * Remove support for the RSA key exchange in TLS 1.2. diff --git a/ChangeLog.d/replace-close-with-mbedtls_net_close.txt b/ChangeLog.d/replace-close-with-mbedtls_net_close.txt deleted file mode 100644 index 213cf55b40..0000000000 --- a/ChangeLog.d/replace-close-with-mbedtls_net_close.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind' - and 'mbedtls_net_connect' to prevent possible double close fd - problems. Fixes #9711. diff --git a/ChangeLog.d/repo-split.txt b/ChangeLog.d/repo-split.txt deleted file mode 100644 index f03b5ed7fe..0000000000 --- a/ChangeLog.d/repo-split.txt +++ /dev/null @@ -1,5 +0,0 @@ -Changes - * Move the crypto part of the library (content of tf-psa-crypto directory) - from the Mbed TLS to the TF-PSA-Crypto repository. The crypto code and - tests development will now occur in TF-PSA-Crypto, which Mbed TLS - references as a Git submodule. diff --git a/ChangeLog.d/rm-ssl-conf-curves.txt b/ChangeLog.d/rm-ssl-conf-curves.txt deleted file mode 100644 index 4b29adc4c9..0000000000 --- a/ChangeLog.d/rm-ssl-conf-curves.txt +++ /dev/null @@ -1,4 +0,0 @@ -Removals - * Remove the function mbedtls_ssl_conf_curves() which had been deprecated - in favour of mbedtls_ssl_conf_groups() since Mbed TLS 3.1. - diff --git a/ChangeLog.d/split-numeric-string-conversions-out-of-the-oid-module.txt b/ChangeLog.d/split-numeric-string-conversions-out-of-the-oid-module.txt deleted file mode 100644 index 938e9eccb6..0000000000 --- a/ChangeLog.d/split-numeric-string-conversions-out-of-the-oid-module.txt +++ /dev/null @@ -1,4 +0,0 @@ -Changes - * Functions regarding numeric string conversions for OIDs have been moved - from the OID module and now reside in X.509 module. This helps to reduce - the code size as these functions are not commonly used outside of X.509. diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt deleted file mode 100644 index 6bab02a029..0000000000 --- a/ChangeLog.d/tls-hs-defrag-in.txt +++ /dev/null @@ -1,7 +0,0 @@ -Bugfix - * Support re-assembly of fragmented handshake messages in TLS (both - 1.2 and 1.3). The lack of support was causing handshake failures with - some servers, especially with TLS 1.3 in practice. There are a few - limitations, notably a fragmented ClientHello is only supported when - TLS 1.3 support is enabled. See the documentation of - mbedtls_ssl_handshake() for details. diff --git a/ChangeLog.d/tls-key-exchange-rsa.txt b/ChangeLog.d/tls-key-exchange-rsa.txt deleted file mode 100644 index 4df6b3e303..0000000000 --- a/ChangeLog.d/tls-key-exchange-rsa.txt +++ /dev/null @@ -1,2 +0,0 @@ -Removals - * Remove support for the RSA-PSK key exchange in TLS 1.2. diff --git a/ChangeLog.d/tls12-check-finished-calc.txt b/ChangeLog.d/tls12-check-finished-calc.txt deleted file mode 100644 index cd52d32ffd..0000000000 --- a/ChangeLog.d/tls12-check-finished-calc.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed - or there was a cryptographic hardware failure when calculating the - Finished message, it could be calculated incorrectly. This would break - the security guarantees of the TLS handshake. - CVE-2025-27810 diff --git a/ChangeLog.d/tls13-cert-regressions.txt b/ChangeLog.d/tls13-cert-regressions.txt deleted file mode 100644 index 8dd8a327d6..0000000000 --- a/ChangeLog.d/tls13-cert-regressions.txt +++ /dev/null @@ -1,18 +0,0 @@ -Bugfix - * Fixed a regression introduced in 3.6.0 where the CA callback set with - mbedtls_ssl_conf_ca_cb() would stop working when connections were - upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS - 1.3. - * Fixed a regression introduced in 3.6.0 where clients that relied on - optional/none authentication mode, by calling mbedtls_ssl_conf_authmode() - with MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_NONE, would stop - working when connections were upgraded to TLS 1.3. Fixed by adding - support for optional/none with TLS 1.3 as well. Note that the TLS 1.3 - standard makes server authentication mandatory; users are advised not to - use authmode none, and to carefully check the results when using optional - mode. - * Fixed a regression introduced in 3.6.0 where context-specific certificate - verify callbacks, set with mbedtls_ssl_set_verify() as opposed to - mbedtls_ssl_conf_verify(), would stop working when connections were - upgraded to TLS 1.3. Fixed by adding support for context-specific verify - callback in TLS 1.3. diff --git a/ChangeLog.d/tls13-middlebox-compat-disabled.txt b/ChangeLog.d/tls13-middlebox-compat-disabled.txt deleted file mode 100644 index f5331bc063..0000000000 --- a/ChangeLog.d/tls13-middlebox-compat-disabled.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with - peers that have middlebox compatibility enabled, as long as no - problematic middlebox is in the way. Fixes #9551. diff --git a/ChangeLog.d/tls13-without-tickets.txt b/ChangeLog.d/tls13-without-tickets.txt deleted file mode 100644 index 8ceef21ee5..0000000000 --- a/ChangeLog.d/tls13-without-tickets.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix TLS 1.3 client build and runtime when support for session tickets is - disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395. diff --git a/ChangeLog.d/unterminated-string-initialization.txt b/ChangeLog.d/unterminated-string-initialization.txt deleted file mode 100644 index 75a72cae6b..0000000000 --- a/ChangeLog.d/unterminated-string-initialization.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Silence spurious -Wunterminated-string-initialization warnings introduced - by GCC 15. Fixes #9944. diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 4eda5ba2aa..c1d0f36215 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -10,7 +10,7 @@ */ /** - * @mainpage Mbed TLS v4.0.0 API Documentation + * @mainpage Mbed TLS v4.0.0-beta API Documentation * * This documentation describes the application programming interface (API) * of Mbed TLS. diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index cc2c51eba7..04a4f170d0 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -1,4 +1,4 @@ -PROJECT_NAME = "Mbed TLS v4.0.0" +PROJECT_NAME = "Mbed TLS v4.0.0-beta" OUTPUT_DIRECTORY = ../apidoc/ FULL_PATH_NAMES = NO OPTIMIZE_OUTPUT_FOR_C = YES diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 2afcfb2f9f..b1a80e3011 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -329,7 +329,8 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn); * call to mbedtls_asn1_free_named_data_list(). * * \param[out] head Address in which to store the pointer to the head of the - * allocated list of mbedtls_x509_name + * allocated list of mbedtls_x509_name. Must point to NULL on + * entry. * \param[in] name The string representation of a DN to convert * * \return 0 on success, or a negative error code. diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index f896850f23..451dbfdb7c 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -171,7 +171,7 @@ if(USE_SHARED_MBEDTLS_LIBRARY) add_library(${mbedx509_target} SHARED ${src_x509}) set_base_compile_options(${mbedx509_target}) target_compile_options(${mbedx509_target} PRIVATE ${LIBS_C_FLAGS}) - set_target_properties(${mbedx509_target} PROPERTIES VERSION 4.0.0 SOVERSION 7) + set_target_properties(${mbedx509_target} PROPERTIES VERSION 4.0.0 SOVERSION 8) target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${tfpsacrypto_target}) add_library(${mbedtls_target} SHARED ${src_tls}) diff --git a/library/Makefile b/library/Makefile index 2f695c696b..a880f26171 100644 --- a/library/Makefile +++ b/library/Makefile @@ -82,7 +82,7 @@ endif endif SOEXT_TLS?=so.21 -SOEXT_X509?=so.7 +SOEXT_X509?=so.8 SOEXT_CRYPTO?=so.16 # Set AR_DASH= (empty string) to use an ar implementation that does not accept diff --git a/library/x509_create.c b/library/x509_create.c index e5ade5d997..17fc8fbeb5 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -468,8 +468,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam unsigned char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]; size_t data_len = 0; - /* Clear existing chain if present */ - mbedtls_asn1_free_named_data_list(head); + /* Ensure the output parameter is not already populated. + * (If it were, overwriting it would likely cause a memory leak.) + */ + if (*head != NULL) { + return MBEDTLS_ERR_X509_BAD_INPUT_DATA; + } while (c <= end) { if (in_attr_type && *c == '=') { diff --git a/library/x509write_crt.c b/library/x509write_crt.c index e530ae8dbe..09c2328b1a 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -82,12 +82,14 @@ void mbedtls_x509write_crt_set_issuer_key(mbedtls_x509write_cert *ctx, int mbedtls_x509write_crt_set_subject_name(mbedtls_x509write_cert *ctx, const char *subject_name) { + mbedtls_asn1_free_named_data_list(&ctx->subject); return mbedtls_x509_string_to_names(&ctx->subject, subject_name); } int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, const char *issuer_name) { + mbedtls_asn1_free_named_data_list(&ctx->issuer); return mbedtls_x509_string_to_names(&ctx->issuer, issuer_name); } diff --git a/library/x509write_csr.c b/library/x509write_csr.c index b353d37de5..88adf794f7 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -64,6 +64,7 @@ void mbedtls_x509write_csr_set_key(mbedtls_x509write_csr *ctx, mbedtls_pk_contex int mbedtls_x509write_csr_set_subject_name(mbedtls_x509write_csr *ctx, const char *subject_name) { + mbedtls_asn1_free_named_data_list(&ctx->subject); return mbedtls_x509_string_to_names(&ctx->subject, subject_name); } diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index f09e93863a..e59772ffda 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -150,7 +150,6 @@ int main(int argc, char *argv[]) mbedtls_ctr_drbg_context ctr_drbg; const char *pers = "csr example app"; mbedtls_x509_san_list *cur, *prev; - mbedtls_asn1_named_data *ext_san_dirname = NULL; #if defined(MBEDTLS_X509_CRT_PARSE_C) uint8_t ip[4] = { 0 }; #endif @@ -274,7 +273,15 @@ usage: cur->node.san.unstructured_name.len = sizeof(ip); } else if (strcmp(q, "DN") == 0) { cur->node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME; - if ((ret = mbedtls_x509_string_to_names(&ext_san_dirname, + /* Work around an API mismatch between string_to_names() and + * mbedtls_x509_subject_alternative_name, which holds an + * actual mbedtls_x509_name while a pointer to one would be + * more convenient here. (Note mbedtls_x509_name and + * mbedtls_asn1_named_data are synonymous, again + * string_to_names() uses one while + * cur->node.san.directory_name is nominally the other.) */ + mbedtls_asn1_named_data *tmp_san_dirname = NULL; + if ((ret = mbedtls_x509_string_to_names(&tmp_san_dirname, subtype_value)) != 0) { mbedtls_strerror(ret, buf, sizeof(buf)); mbedtls_printf( @@ -283,7 +290,9 @@ usage: (unsigned int) -ret, buf); goto exit; } - cur->node.san.directory_name = *ext_san_dirname; + cur->node.san.directory_name = *tmp_san_dirname; + mbedtls_free(tmp_san_dirname); + tmp_san_dirname = NULL; } else { mbedtls_free(cur); goto usage; @@ -490,7 +499,6 @@ exit: } mbedtls_x509write_csr_free(&req); - mbedtls_asn1_free_named_data_list(&ext_san_dirname); mbedtls_pk_free(&key); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); @@ -500,12 +508,21 @@ exit: cur = opt.san_list; while (cur != NULL) { - prev = cur; - cur = cur->next; - mbedtls_free(prev); + mbedtls_x509_san_list *next = cur->next; + /* Note: mbedtls_x509_free_subject_alt_name() is not what we want here. + * It's the right thing for entries that were parsed from a certificate, + * where pointers are to the raw certificate, but here all the + * pointers were allocated while parsing from a user-provided string. */ + if (cur->node.type == MBEDTLS_X509_SAN_DIRECTORY_NAME) { + mbedtls_x509_name *dn = &cur->node.san.directory_name; + mbedtls_free(dn->oid.p); + mbedtls_free(dn->val.p); + mbedtls_asn1_free_named_data_list(&dn->next); + } + mbedtls_free(cur); + cur = next; } - mbedtls_exit(exit_code); } #endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO && diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 9776dc1c37..3cabff4b5a 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -310,7 +310,6 @@ int main(int argc, char *argv[]) mbedtls_ctr_drbg_context ctr_drbg; const char *pers = "crt example app"; mbedtls_x509_san_list *cur, *prev; - mbedtls_asn1_named_data *ext_san_dirname = NULL; uint8_t ip[4] = { 0 }; /* * Set to sane values @@ -593,7 +592,15 @@ usage: cur->node.san.unstructured_name.len = sizeof(ip); } else if (strcmp(q, "DN") == 0) { cur->node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME; - if ((ret = mbedtls_x509_string_to_names(&ext_san_dirname, + /* Work around an API mismatch between string_to_names() and + * mbedtls_x509_subject_alternative_name, which holds an + * actual mbedtls_x509_name while a pointer to one would be + * more convenient here. (Note mbedtls_x509_name and + * mbedtls_asn1_named_data are synonymous, again + * string_to_names() uses one while + * cur->node.san.directory_name is nominally the other.) */ + mbedtls_asn1_named_data *tmp_san_dirname = NULL; + if ((ret = mbedtls_x509_string_to_names(&tmp_san_dirname, subtype_value)) != 0) { mbedtls_strerror(ret, buf, sizeof(buf)); mbedtls_printf( @@ -602,7 +609,9 @@ usage: (unsigned int) -ret, buf); goto exit; } - cur->node.san.directory_name = *ext_san_dirname; + cur->node.san.directory_name = *tmp_san_dirname; + mbedtls_free(tmp_san_dirname); + tmp_san_dirname = NULL; } else { mbedtls_free(cur); goto usage; @@ -991,10 +1000,26 @@ usage: exit_code = MBEDTLS_EXIT_SUCCESS; exit: + cur = opt.san_list; + while (cur != NULL) { + mbedtls_x509_san_list *next = cur->next; + /* Note: mbedtls_x509_free_subject_alt_name() is not what we want here. + * It's the right thing for entries that were parsed from a certificate, + * where pointers are to the raw certificate, but here all the + * pointers were allocated while parsing from a user-provided string. */ + if (cur->node.type == MBEDTLS_X509_SAN_DIRECTORY_NAME) { + mbedtls_x509_name *dn = &cur->node.san.directory_name; + mbedtls_free(dn->oid.p); + mbedtls_free(dn->val.p); + mbedtls_asn1_free_named_data_list(&dn->next); + } + mbedtls_free(cur); + cur = next; + } + #if defined(MBEDTLS_X509_CSR_PARSE_C) mbedtls_x509_csr_free(&csr); #endif /* MBEDTLS_X509_CSR_PARSE_C */ - mbedtls_asn1_free_named_data_list(&ext_san_dirname); mbedtls_x509_crt_free(&issuer_crt); mbedtls_x509write_crt_free(&crt); mbedtls_pk_free(&loaded_subject_key); diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index e4e08dafc0..4dcd967226 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -254,6 +254,27 @@ mbedtls_x509_string_to_names:"C=NL, O=Of\\CCspark, OU=PolarSSL":"C=NL, O=Of\\CCs X509 String to Names #20 (Reject empty AttributeValue) mbedtls_x509_string_to_names:"C=NL, O=, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME:0 +# Note: the behaviour is incorrect, output from string->names->string should be +# the same as the input, rather than just the last component, see +# https://github.com/Mbed-TLS/mbedtls/issues/10189 +# Still including tests for the current incorrect behaviour because of the +# variants below where we want to ensure at least that no memory corruption +# happens (which would be a lot worse than just a functional bug). +X509 String to Names (repeated OID) +mbedtls_x509_string_to_names:"CN=ab,CN=cd,CN=ef":"CN=ef":0:0 + +# Note: when a value starts with a # sign, it's treated as the hex encoding of +# the DER encoding of the value. Here, 0400 is a zero-length OCTET STRING. +# The tag actually doesn't matter for our purposes, only the length. +X509 String to Names (repeated OID, 1st is zero-length) +mbedtls_x509_string_to_names:"CN=#0400,CN=cd,CN=ef":"CN=ef":0:0 + +X509 String to Names (repeated OID, middle is zero-length) +mbedtls_x509_string_to_names:"CN=ab,CN=#0400,CN=ef":"CN=ef":0:0 + +X509 String to Names (repeated OID, last is zero-length) +mbedtls_x509_string_to_names:"CN=ab,CN=cd,CN=#0400":"CN=#0000":0:MAY_FAIL_GET_NAME + X509 Round trip test (Escaped characters) mbedtls_x509_string_to_names:"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":"CN=Lu\\C4\\8Di\\C4\\87, O=Offspark, OU=PolarSSL":0:0 diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 51a5d37584..224768ab4e 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -670,6 +670,11 @@ void mbedtls_x509_string_to_names(char *name, char *parsed_name, TEST_LE_S(1, ret); TEST_ASSERT(strcmp((char *) out, parsed_name) == 0); + /* Check that calling a 2nd time with the same param (now non-NULL) + * returns an error as expected. */ + ret = mbedtls_x509_string_to_names(&names, name); + TEST_EQUAL(ret, MBEDTLS_ERR_X509_BAD_INPUT_DATA); + exit: mbedtls_asn1_free_named_data_list(&names); diff --git a/tf-psa-crypto b/tf-psa-crypto index 3308677734..0cc63061c6 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 3308677734bdb15d51abc652c2930b16d218470f +Subproject commit 0cc63061c6bfc141d64ec8ba562b4c7bca842a6c