kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/security/mbedtls/Makefile

53 lines
1.2 KiB
Makefile
Raw Normal View History

mbedtls: update to 2.26.0 This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues. API changes Renamed the PSA Crypto API output buffer size macros to bring them in line with version 1.0.0 of the specification. The API glue function mbedtls_ecc_group_of_psa() now takes the curve size in bits rather than bytes, with an additional flag to indicate if the size may have been rounded up to a whole number of bytes. Renamed the PSA Crypto API AEAD tag length macros to bring them in line with version 1.0.0 of the specification. Default behavior changes In mbedtls_rsa_context objects, the ver field was formerly documented as always 0. It is now reserved for internal purposes and may take different values. New deprecations PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE, PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names deprecated. PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH have been renamed, and the old names deprecated. Features The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG. CTR_DRBG is used by default if it is available, but you can override this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time. Fix #3354. Automatic fallback to a software implementation of ECP when MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK. The PSA crypto subsystem can now be configured to use less static RAM by tweaking the setting for the maximum amount of keys simultaneously in RAM. MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that can exist simultaneously. It has a sensible default if not overridden. Partial implementation of the PSA crypto driver interface: Mbed TLS can now use an external random generator instead of the library's own entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and see the documentation of mbedtls_psa_external_get_random() for details. Applications using both mbedtls_xxx and psa_xxx functions (for example, applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA random generator with mbedtls_xxx functions. See the documentation of mbedtls_psa_get_random() for details. In the PSA API, the policy for a MAC or AEAD algorithm can specify a minimum MAC or tag length thanks to the new wildcards PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG. Security Fix a security reduction in CTR_DRBG when the initial seeding obtained a nonce from entropy. Applications were affected if they called mbedtls_ctr_drbg_set_nonce_len(), if they called mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256. In such cases, a random nonce was necessary to achieve the advertised security strength, but the code incorrectly used a constant instead of entropy from the nonce. Found by John Stroebel in #3819 and fixed in #3973. Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating |A| - |B| where |B| is larger than |A| and has more limbs (so the function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only applications calling mbedtls_mpi_sub_abs() directly are affected: all calls inside the library were safe since this function is only called with |A| >= |B|. Reported by Guido Vranken in #4042. Fix an errorneous estimation for an internal buffer in mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd value the function might fail to write a private RSA keys of the largest supported size. Found by Daniel Otte, reported in #4093 and fixed in #4094. Fix a stack buffer overflow with mbedtls_net_poll() and mbedtls_net_recv_timeout() when given a file descriptor that is beyond FD_SETSIZE. Reported by FigBug in #4169. Guard against strong local side channel attack against base64 tables by making access aceess to them use constant flow code. Bugfix Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c Fix memory leak that occured when calling psa_close_key() on a wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined. Fix an incorrect error code if an RSA private operation glitched. Fix a memory leak in an error case in psa_generate_derived_key_internal(). Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C is enabled, on platforms where initializing a mutex allocates resources. This was a regression introduced in the previous release. Reported in #4017, #4045 and #4071. Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free() twice is safe. This happens for RSA when some Mbed TLS library functions fail. Such a double-free was not safe when MBEDTLS_THREADING_C was enabled on platforms where freeing a mutex twice is not safe. Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key() when MBEDTLS_THREADING_C is enabled on platforms where initializing a mutex allocates resources. Fixes a bug where, if the library was configured to include support for both the old SE interface and the new PSA driver interface, external keys were not loaded from storage. This was fixed by #3996. This change makes 'mbedtls_x509write_crt_set_basic_constraints' consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates." Previous to this change, the extension was always marked as non-critical. This was fixed by #3698. Changes A new library C file psa_crypto_client.c has been created to contain the PSA code needed by a PSA crypto client when the PSA crypto implementation is not included into the library. On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module now uses the getrandom syscall instead of reading from /dev/urandom. Who should update We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
2021-05-02 10:16:13 +02:00
# $NetBSD: Makefile,v 1.21 2021/05/02 08:16:13 nia Exp $
Import mbed TLS 1.3.11 as security/mbedtls. This is former security/polarssl rebranded under a new name, keeping the same API though and providing the previous libs as symlinks, so should be used as as drop-in replacement for security/polarssl. Changelog since polarssl-1.3.9 follows. = mbed TLS 1.3.11 released 2015-06-04 Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara). * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side
2015-06-12 11:05:05 +02:00
mbedtls: update to 2.26.0 This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues. API changes Renamed the PSA Crypto API output buffer size macros to bring them in line with version 1.0.0 of the specification. The API glue function mbedtls_ecc_group_of_psa() now takes the curve size in bits rather than bytes, with an additional flag to indicate if the size may have been rounded up to a whole number of bytes. Renamed the PSA Crypto API AEAD tag length macros to bring them in line with version 1.0.0 of the specification. Default behavior changes In mbedtls_rsa_context objects, the ver field was formerly documented as always 0. It is now reserved for internal purposes and may take different values. New deprecations PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE, PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names deprecated. PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH have been renamed, and the old names deprecated. Features The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG. CTR_DRBG is used by default if it is available, but you can override this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time. Fix #3354. Automatic fallback to a software implementation of ECP when MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK. The PSA crypto subsystem can now be configured to use less static RAM by tweaking the setting for the maximum amount of keys simultaneously in RAM. MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that can exist simultaneously. It has a sensible default if not overridden. Partial implementation of the PSA crypto driver interface: Mbed TLS can now use an external random generator instead of the library's own entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and see the documentation of mbedtls_psa_external_get_random() for details. Applications using both mbedtls_xxx and psa_xxx functions (for example, applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA random generator with mbedtls_xxx functions. See the documentation of mbedtls_psa_get_random() for details. In the PSA API, the policy for a MAC or AEAD algorithm can specify a minimum MAC or tag length thanks to the new wildcards PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG. Security Fix a security reduction in CTR_DRBG when the initial seeding obtained a nonce from entropy. Applications were affected if they called mbedtls_ctr_drbg_set_nonce_len(), if they called mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256. In such cases, a random nonce was necessary to achieve the advertised security strength, but the code incorrectly used a constant instead of entropy from the nonce. Found by John Stroebel in #3819 and fixed in #3973. Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating |A| - |B| where |B| is larger than |A| and has more limbs (so the function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only applications calling mbedtls_mpi_sub_abs() directly are affected: all calls inside the library were safe since this function is only called with |A| >= |B|. Reported by Guido Vranken in #4042. Fix an errorneous estimation for an internal buffer in mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd value the function might fail to write a private RSA keys of the largest supported size. Found by Daniel Otte, reported in #4093 and fixed in #4094. Fix a stack buffer overflow with mbedtls_net_poll() and mbedtls_net_recv_timeout() when given a file descriptor that is beyond FD_SETSIZE. Reported by FigBug in #4169. Guard against strong local side channel attack against base64 tables by making access aceess to them use constant flow code. Bugfix Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c Fix memory leak that occured when calling psa_close_key() on a wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined. Fix an incorrect error code if an RSA private operation glitched. Fix a memory leak in an error case in psa_generate_derived_key_internal(). Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C is enabled, on platforms where initializing a mutex allocates resources. This was a regression introduced in the previous release. Reported in #4017, #4045 and #4071. Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free() twice is safe. This happens for RSA when some Mbed TLS library functions fail. Such a double-free was not safe when MBEDTLS_THREADING_C was enabled on platforms where freeing a mutex twice is not safe. Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key() when MBEDTLS_THREADING_C is enabled on platforms where initializing a mutex allocates resources. Fixes a bug where, if the library was configured to include support for both the old SE interface and the new PSA driver interface, external keys were not loaded from storage. This was fixed by #3996. This change makes 'mbedtls_x509write_crt_set_basic_constraints' consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates." Previous to this change, the extension was always marked as non-critical. This was fixed by #3698. Changes A new library C file psa_crypto_client.c has been created to contain the PSA code needed by a PSA crypto client when the PSA crypto implementation is not included into the library. On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module now uses the getrandom syscall instead of reading from /dev/urandom. Who should update We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
2021-05-02 10:16:13 +02:00
DISTNAME= mbedtls-2.26.0
mbedtls: Update to 2.23.0 = mbed TLS 2.23.0 branch released 2020-07-01 Default behavior changes * In the experimental PSA secure element interface, change the encoding of key lifetimes to encode a persistence level and the location. Although C prototypes do not effectively change, code calling psa_register_se_driver() must be modified to pass the driver's location instead of the keys' lifetime. If the library is upgraded on an existing device, keys created with the old lifetime value will not be readable or removable through Mbed TLS after the upgrade. Features * New functions in the error module return constant strings for high- and low-level error codes, complementing mbedtls_strerror() which constructs a string for any error code, including compound ones, but requires a writable buffer. Contributed by Gaurav Aggarwal in #3176. * The new utility programs/ssl/ssl_context_info prints a human-readable dump of an SSL context saved with mbedtls_ssl_context_save(). * Add support for midipix, a POSIX layer for Microsoft Windows. * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via user provided callback. Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as a solution to #3241. * Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies (#3419). * Added support to entropy_poll for the kern.arandom syscall supported on some BSD systems. Contributed by Nia Alarie in #3423. * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239 Security * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246. Bugfix * Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.19 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir. * Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3192 * Fix issue with a detected HW accelerated record error not being exposed due to shadowed variable. Contributed by Sander Visser in #3310. * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a NULL pointer argument. Contributed by Sander Visser in #3312. * Fix potential linker errors on dual world platforms by inlining mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately from psa_crypto.c. Fixes #3300. * Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855. * Include asn1.h in error.c. Fixes #3328 reported by David Hu. * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318. * Remove unused macros from MSVC projects. Reported in #3297 and fix submitted in #3333 by irwir. * Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small. * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie. * Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. Contributed by Nia Alarie in #3422. * Fix false positive uninitialised variable reported by cpp-check. Contributed by Sander Visser in #3311. * Update iv and len context pointers manually when reallocating buffers using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues when receiving a connection with CID, when these fields were shifted in ssl_parse_record_header(). Changes * Fix warnings about signedness issues in format strings. The build is now clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153. * Fix minor performance issue in operations on Curve25519 caused by using a suboptimal modular reduction in one place. Found and fix contributed by Aurelien Jarno in #3209. * Combine identical cases in switch statements in md.c. Contributed by irwir in #3208. * Simplify a bounds check in ssl_write_certificate_request(). Contributed by irwir in #3150. * Unify the example programs termination to call mbedtls_exit() instead of using a return command. This has been done to enable customization of the behavior in bare metal environments. * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". Contributed by Koh M. Nakagawa in #3326. * Use FindPython3 when cmake version >= 3.15.0 * Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello. * The unit tests now rely on header files in tests/include/test and source files in tests/src. When building with make or cmake, the files in tests/src are compiled and the resulting object linked into each test executable. * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel coutermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`. * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes Martinho. #3147 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported in #3182 and fix submitted by irwir. #3217 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2020-07-07 13:16:10 +02:00
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=ARMmbed/}
GITHUB_TAG= ${DISTNAME}
Import mbed TLS 1.3.11 as security/mbedtls. This is former security/polarssl rebranded under a new name, keeping the same API though and providing the previous libs as symlinks, so should be used as as drop-in replacement for security/polarssl. Changelog since polarssl-1.3.9 follows. = mbed TLS 1.3.11 released 2015-06-04 Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara). * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side
2015-06-12 11:05:05 +02:00
mbedtls: Update to 2.23.0 = mbed TLS 2.23.0 branch released 2020-07-01 Default behavior changes * In the experimental PSA secure element interface, change the encoding of key lifetimes to encode a persistence level and the location. Although C prototypes do not effectively change, code calling psa_register_se_driver() must be modified to pass the driver's location instead of the keys' lifetime. If the library is upgraded on an existing device, keys created with the old lifetime value will not be readable or removable through Mbed TLS after the upgrade. Features * New functions in the error module return constant strings for high- and low-level error codes, complementing mbedtls_strerror() which constructs a string for any error code, including compound ones, but requires a writable buffer. Contributed by Gaurav Aggarwal in #3176. * The new utility programs/ssl/ssl_context_info prints a human-readable dump of an SSL context saved with mbedtls_ssl_context_save(). * Add support for midipix, a POSIX layer for Microsoft Windows. * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via user provided callback. Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as a solution to #3241. * Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies (#3419). * Added support to entropy_poll for the kern.arandom syscall supported on some BSD systems. Contributed by Nia Alarie in #3423. * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239 Security * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246. Bugfix * Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.19 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir. * Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3192 * Fix issue with a detected HW accelerated record error not being exposed due to shadowed variable. Contributed by Sander Visser in #3310. * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a NULL pointer argument. Contributed by Sander Visser in #3312. * Fix potential linker errors on dual world platforms by inlining mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately from psa_crypto.c. Fixes #3300. * Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855. * Include asn1.h in error.c. Fixes #3328 reported by David Hu. * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318. * Remove unused macros from MSVC projects. Reported in #3297 and fix submitted in #3333 by irwir. * Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small. * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie. * Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. Contributed by Nia Alarie in #3422. * Fix false positive uninitialised variable reported by cpp-check. Contributed by Sander Visser in #3311. * Update iv and len context pointers manually when reallocating buffers using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues when receiving a connection with CID, when these fields were shifted in ssl_parse_record_header(). Changes * Fix warnings about signedness issues in format strings. The build is now clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153. * Fix minor performance issue in operations on Curve25519 caused by using a suboptimal modular reduction in one place. Found and fix contributed by Aurelien Jarno in #3209. * Combine identical cases in switch statements in md.c. Contributed by irwir in #3208. * Simplify a bounds check in ssl_write_certificate_request(). Contributed by irwir in #3150. * Unify the example programs termination to call mbedtls_exit() instead of using a return command. This has been done to enable customization of the behavior in bare metal environments. * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". Contributed by Koh M. Nakagawa in #3326. * Use FindPython3 when cmake version >= 3.15.0 * Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello. * The unit tests now rely on header files in tests/include/test and source files in tests/src. When building with make or cmake, the files in tests/src are compiled and the resulting object linked into each test executable. * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel coutermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`. * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes Martinho. #3147 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported in #3182 and fix submitted by irwir. #3217 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2020-07-07 13:16:10 +02:00
MAINTAINER= nia@NetBSD.org
mbedtls: Update to 2.16.3 = mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug. * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd. * When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. API Changes * The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding. Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. * Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 * Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357. * Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169. * Fix undefined memset(NULL) call in test_suite_nist_kw. * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256. * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. * Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander <jens.wiklander@linaro.org> in #2363 * Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392. * Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. * Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. = mbed TLS 2.16.2 branch released 2019-06-11 Security * Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key. Bugfix * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk. * Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239. * Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106. * Reduce stack usage of hkdf tests. Fixes #2195. * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz. * Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd. * Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337 * Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. * Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. * Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431. Changes * Return from various debugging routines immediately if the provided SSL context is unset. * Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. = mbed TLS 2.16.1 branch released 2019-03-19 Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996. * Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 * Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. * Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319. * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. * Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring(). * Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371 * Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 * Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees. * Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI. * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. = mbed TLS 2.16.0 branch released 2018-12-21 Features * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. API Changes * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() * Extend ECDH interface to enable alternative implementations. * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be. New deprecations * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update in favor of functions that can return an error code. Bugfix * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. * Fix runtime error in `mbedtls_platform_entropy_poll()` when run through qemu user emulation. Reported and fix suggested by randombit in #1212. Fixes #1212. * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659. * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170. * Fix double initialization of ECC hardware that made some accelerators hang. * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 19:44:11 +02:00
HOMEPAGE= https://tls.mbed.org/
COMMENT= Lightweight, modular cryptographic and SSL/TLS library
LICENSE= apache-2.0
Import mbed TLS 1.3.11 as security/mbedtls. This is former security/polarssl rebranded under a new name, keeping the same API though and providing the previous libs as symlinks, so should be used as as drop-in replacement for security/polarssl. Changelog since polarssl-1.3.9 follows. = mbed TLS 1.3.11 released 2015-06-04 Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara). * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side
2015-06-12 11:05:05 +02:00
mbedtls: Update to 2.16.3 = mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug. * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd. * When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. API Changes * The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding. Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. * Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 * Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357. * Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169. * Fix undefined memset(NULL) call in test_suite_nist_kw. * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256. * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. * Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander <jens.wiklander@linaro.org> in #2363 * Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392. * Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. * Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. = mbed TLS 2.16.2 branch released 2019-06-11 Security * Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key. Bugfix * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk. * Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239. * Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106. * Reduce stack usage of hkdf tests. Fixes #2195. * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz. * Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd. * Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337 * Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. * Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. * Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431. Changes * Return from various debugging routines immediately if the provided SSL context is unset. * Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. = mbed TLS 2.16.1 branch released 2019-03-19 Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996. * Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 * Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. * Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319. * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. * Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring(). * Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371 * Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 * Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees. * Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI. * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. = mbed TLS 2.16.0 branch released 2018-12-21 Features * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. API Changes * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() * Extend ECDH interface to enable alternative implementations. * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be. New deprecations * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update in favor of functions that can return an error code. Bugfix * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. * Fix runtime error in `mbedtls_platform_entropy_poll()` when run through qemu user emulation. Reported and fix suggested by randombit in #1212. Fixes #1212. * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659. * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170. * Fix double initialization of ECC hardware that made some accelerators hang. * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 19:44:11 +02:00
CONFLICTS+= polarssl-[0-9]*
SUPERSEDES+= polarssl-[0-9]*
Import mbed TLS 1.3.11 as security/mbedtls. This is former security/polarssl rebranded under a new name, keeping the same API though and providing the previous libs as symlinks, so should be used as as drop-in replacement for security/polarssl. Changelog since polarssl-1.3.9 follows. = mbed TLS 1.3.11 released 2015-06-04 Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara). * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side
2015-06-12 11:05:05 +02:00
mbedtls: Update to 2.16.3 = mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug. * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd. * When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. API Changes * The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding. Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. * Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 * Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357. * Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169. * Fix undefined memset(NULL) call in test_suite_nist_kw. * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256. * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. * Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander <jens.wiklander@linaro.org> in #2363 * Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392. * Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. * Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. = mbed TLS 2.16.2 branch released 2019-06-11 Security * Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key. Bugfix * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk. * Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239. * Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106. * Reduce stack usage of hkdf tests. Fixes #2195. * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz. * Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd. * Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337 * Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. * Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. * Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431. Changes * Return from various debugging routines immediately if the provided SSL context is unset. * Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. = mbed TLS 2.16.1 branch released 2019-03-19 Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996. * Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 * Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. * Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319. * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. * Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring(). * Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371 * Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 * Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees. * Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI. * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. = mbed TLS 2.16.0 branch released 2018-12-21 Features * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. API Changes * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() * Extend ECDH interface to enable alternative implementations. * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be. New deprecations * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update in favor of functions that can return an error code. Bugfix * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. * Fix runtime error in `mbedtls_platform_entropy_poll()` when run through qemu user emulation. Reported and fix suggested by randombit in #1212. Fixes #1212. * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659. * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170. * Fix double initialization of ECC hardware that made some accelerators hang. * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 19:44:11 +02:00
USE_CMAKE= yes
USE_LANGUAGES= c99
mbedtls: Update to 2.23.0 = mbed TLS 2.23.0 branch released 2020-07-01 Default behavior changes * In the experimental PSA secure element interface, change the encoding of key lifetimes to encode a persistence level and the location. Although C prototypes do not effectively change, code calling psa_register_se_driver() must be modified to pass the driver's location instead of the keys' lifetime. If the library is upgraded on an existing device, keys created with the old lifetime value will not be readable or removable through Mbed TLS after the upgrade. Features * New functions in the error module return constant strings for high- and low-level error codes, complementing mbedtls_strerror() which constructs a string for any error code, including compound ones, but requires a writable buffer. Contributed by Gaurav Aggarwal in #3176. * The new utility programs/ssl/ssl_context_info prints a human-readable dump of an SSL context saved with mbedtls_ssl_context_save(). * Add support for midipix, a POSIX layer for Microsoft Windows. * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via user provided callback. Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as a solution to #3241. * Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies (#3419). * Added support to entropy_poll for the kern.arandom syscall supported on some BSD systems. Contributed by Nia Alarie in #3423. * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239 Security * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246. Bugfix * Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.19 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir. * Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3192 * Fix issue with a detected HW accelerated record error not being exposed due to shadowed variable. Contributed by Sander Visser in #3310. * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a NULL pointer argument. Contributed by Sander Visser in #3312. * Fix potential linker errors on dual world platforms by inlining mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately from psa_crypto.c. Fixes #3300. * Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855. * Include asn1.h in error.c. Fixes #3328 reported by David Hu. * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318. * Remove unused macros from MSVC projects. Reported in #3297 and fix submitted in #3333 by irwir. * Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small. * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie. * Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. Contributed by Nia Alarie in #3422. * Fix false positive uninitialised variable reported by cpp-check. Contributed by Sander Visser in #3311. * Update iv and len context pointers manually when reallocating buffers using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues when receiving a connection with CID, when these fields were shifted in ssl_parse_record_header(). Changes * Fix warnings about signedness issues in format strings. The build is now clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153. * Fix minor performance issue in operations on Curve25519 caused by using a suboptimal modular reduction in one place. Found and fix contributed by Aurelien Jarno in #3209. * Combine identical cases in switch statements in md.c. Contributed by irwir in #3208. * Simplify a bounds check in ssl_write_certificate_request(). Contributed by irwir in #3150. * Unify the example programs termination to call mbedtls_exit() instead of using a return command. This has been done to enable customization of the behavior in bare metal environments. * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". Contributed by Koh M. Nakagawa in #3326. * Use FindPython3 when cmake version >= 3.15.0 * Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello. * The unit tests now rely on header files in tests/include/test and source files in tests/src. When building with make or cmake, the files in tests/src are compiled and the resulting object linked into each test executable. * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel coutermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`. * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes Martinho. #3147 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported in #3182 and fix submitted by irwir. #3217 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2020-07-07 13:16:10 +02:00
USE_TOOLS+= pkg-config
Import mbed TLS 1.3.11 as security/mbedtls. This is former security/polarssl rebranded under a new name, keeping the same API though and providing the previous libs as symlinks, so should be used as as drop-in replacement for security/polarssl. Changelog since polarssl-1.3.9 follows. = mbed TLS 1.3.11 released 2015-06-04 Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara). * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side
2015-06-12 11:05:05 +02:00
mbedtls: Update to 2.16.3 = mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug. * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd. * When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. API Changes * The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding. Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. * Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 * Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357. * Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169. * Fix undefined memset(NULL) call in test_suite_nist_kw. * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256. * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. * Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander <jens.wiklander@linaro.org> in #2363 * Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392. * Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. * Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. = mbed TLS 2.16.2 branch released 2019-06-11 Security * Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key. Bugfix * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk. * Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239. * Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106. * Reduce stack usage of hkdf tests. Fixes #2195. * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz. * Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd. * Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337 * Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. * Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. * Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431. Changes * Return from various debugging routines immediately if the provided SSL context is unset. * Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. = mbed TLS 2.16.1 branch released 2019-03-19 Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996. * Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 * Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. * Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319. * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. * Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring(). * Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371 * Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 * Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees. * Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI. * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. = mbed TLS 2.16.0 branch released 2018-12-21 Features * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. API Changes * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() * Extend ECDH interface to enable alternative implementations. * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be. New deprecations * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update in favor of functions that can return an error code. Bugfix * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. * Fix runtime error in `mbedtls_platform_entropy_poll()` when run through qemu user emulation. Reported and fix suggested by randombit in #1212. Fixes #1212. * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659. * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170. * Fix double initialization of ECC hardware that made some accelerators hang. * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 19:44:11 +02:00
GCC_REQD+= 4.4
Import mbed TLS 1.3.11 as security/mbedtls. This is former security/polarssl rebranded under a new name, keeping the same API though and providing the previous libs as symlinks, so should be used as as drop-in replacement for security/polarssl. Changelog since polarssl-1.3.9 follows. = mbed TLS 1.3.11 released 2015-06-04 Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara). * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side
2015-06-12 11:05:05 +02:00
mbedtls: Update to 2.16.3 = mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug. * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd. * When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. API Changes * The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding. Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. * Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 * Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357. * Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169. * Fix undefined memset(NULL) call in test_suite_nist_kw. * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256. * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. * Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander <jens.wiklander@linaro.org> in #2363 * Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392. * Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. * Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. = mbed TLS 2.16.2 branch released 2019-06-11 Security * Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key. Bugfix * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk. * Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239. * Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106. * Reduce stack usage of hkdf tests. Fixes #2195. * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz. * Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd. * Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337 * Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. * Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. * Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431. Changes * Return from various debugging routines immediately if the provided SSL context is unset. * Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. = mbed TLS 2.16.1 branch released 2019-03-19 Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996. * Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 * Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. * Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319. * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. * Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring(). * Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371 * Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 * Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees. * Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI. * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. = mbed TLS 2.16.0 branch released 2018-12-21 Features * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. API Changes * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() * Extend ECDH interface to enable alternative implementations. * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be. New deprecations * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update in favor of functions that can return an error code. Bugfix * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. * Fix runtime error in `mbedtls_platform_entropy_poll()` when run through qemu user emulation. Reported and fix suggested by randombit in #1212. Fixes #1212. * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659. * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170. * Fix double initialization of ECC hardware that made some accelerators hang. * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 19:44:11 +02:00
CMAKE_ARGS+= -Wno-dev
CMAKE_ARGS+= -DUSE_SHARED_MBEDTLS_LIBRARY=ON
mbedtls: Update to 2.23.0 = mbed TLS 2.23.0 branch released 2020-07-01 Default behavior changes * In the experimental PSA secure element interface, change the encoding of key lifetimes to encode a persistence level and the location. Although C prototypes do not effectively change, code calling psa_register_se_driver() must be modified to pass the driver's location instead of the keys' lifetime. If the library is upgraded on an existing device, keys created with the old lifetime value will not be readable or removable through Mbed TLS after the upgrade. Features * New functions in the error module return constant strings for high- and low-level error codes, complementing mbedtls_strerror() which constructs a string for any error code, including compound ones, but requires a writable buffer. Contributed by Gaurav Aggarwal in #3176. * The new utility programs/ssl/ssl_context_info prints a human-readable dump of an SSL context saved with mbedtls_ssl_context_save(). * Add support for midipix, a POSIX layer for Microsoft Windows. * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via user provided callback. Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as a solution to #3241. * Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies (#3419). * Added support to entropy_poll for the kern.arandom syscall supported on some BSD systems. Contributed by Nia Alarie in #3423. * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239 Security * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246. Bugfix * Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.19 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir. * Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3192 * Fix issue with a detected HW accelerated record error not being exposed due to shadowed variable. Contributed by Sander Visser in #3310. * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a NULL pointer argument. Contributed by Sander Visser in #3312. * Fix potential linker errors on dual world platforms by inlining mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately from psa_crypto.c. Fixes #3300. * Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855. * Include asn1.h in error.c. Fixes #3328 reported by David Hu. * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318. * Remove unused macros from MSVC projects. Reported in #3297 and fix submitted in #3333 by irwir. * Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small. * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie. * Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. Contributed by Nia Alarie in #3422. * Fix false positive uninitialised variable reported by cpp-check. Contributed by Sander Visser in #3311. * Update iv and len context pointers manually when reallocating buffers using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues when receiving a connection with CID, when these fields were shifted in ssl_parse_record_header(). Changes * Fix warnings about signedness issues in format strings. The build is now clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153. * Fix minor performance issue in operations on Curve25519 caused by using a suboptimal modular reduction in one place. Found and fix contributed by Aurelien Jarno in #3209. * Combine identical cases in switch statements in md.c. Contributed by irwir in #3208. * Simplify a bounds check in ssl_write_certificate_request(). Contributed by irwir in #3150. * Unify the example programs termination to call mbedtls_exit() instead of using a return command. This has been done to enable customization of the behavior in bare metal environments. * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". Contributed by Koh M. Nakagawa in #3326. * Use FindPython3 when cmake version >= 3.15.0 * Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello. * The unit tests now rely on header files in tests/include/test and source files in tests/src. When building with make or cmake, the files in tests/src are compiled and the resulting object linked into each test executable. * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel coutermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`. * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes Martinho. #3147 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported in #3182 and fix submitted by irwir. #3217 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2020-07-07 13:16:10 +02:00
CMAKE_ARGS+= -DENABLE_PROGRAMS=ON
# Fails to build full suite on NetBSD due to strange tricks with stdout
CMAKE_ARGS+= -DENABLE_TESTING=OFF
CMAKE_ARGS+= -DMBEDTLS_FATAL_WARNINGS=OFF
mbedtls: Update to 2.16.3 = mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug. * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd. * When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. API Changes * The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding. Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. * Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 * Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357. * Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169. * Fix undefined memset(NULL) call in test_suite_nist_kw. * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256. * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. * Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander <jens.wiklander@linaro.org> in #2363 * Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392. * Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. * Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. = mbed TLS 2.16.2 branch released 2019-06-11 Security * Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key. Bugfix * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk. * Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239. * Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106. * Reduce stack usage of hkdf tests. Fixes #2195. * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz. * Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd. * Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337 * Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. * Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. * Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431. Changes * Return from various debugging routines immediately if the provided SSL context is unset. * Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. = mbed TLS 2.16.1 branch released 2019-03-19 Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996. * Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 * Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. * Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319. * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. * Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring(). * Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371 * Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 * Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees. * Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI. * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. = mbed TLS 2.16.0 branch released 2018-12-21 Features * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. API Changes * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() * Extend ECDH interface to enable alternative implementations. * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be. New deprecations * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update in favor of functions that can return an error code. Bugfix * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. * Fix runtime error in `mbedtls_platform_entropy_poll()` when run through qemu user emulation. Reported and fix suggested by randombit in #1212. Fixes #1212. * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659. * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170. * Fix double initialization of ECC hardware that made some accelerators hang. * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 19:44:11 +02:00
MAKE_ENV+= RANLIB=${RANLIB:Q}
Import mbed TLS 1.3.11 as security/mbedtls. This is former security/polarssl rebranded under a new name, keeping the same API though and providing the previous libs as symlinks, so should be used as as drop-in replacement for security/polarssl. Changelog since polarssl-1.3.9 follows. = mbed TLS 1.3.11 released 2015-06-04 Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara). * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side
2015-06-12 11:05:05 +02:00
mbedtls: Update to 2.16.3 = mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug. * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd. * When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. API Changes * The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding. Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. * Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 * Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357. * Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169. * Fix undefined memset(NULL) call in test_suite_nist_kw. * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256. * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. * Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander <jens.wiklander@linaro.org> in #2363 * Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392. * Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. * Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. = mbed TLS 2.16.2 branch released 2019-06-11 Security * Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key. Bugfix * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk. * Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239. * Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106. * Reduce stack usage of hkdf tests. Fixes #2195. * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz. * Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd. * Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337 * Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. * Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. * Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431. Changes * Return from various debugging routines immediately if the provided SSL context is unset. * Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. = mbed TLS 2.16.1 branch released 2019-03-19 Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996. * Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 * Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. * Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319. * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. * Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring(). * Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371 * Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 * Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees. * Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI. * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. = mbed TLS 2.16.0 branch released 2018-12-21 Features * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. API Changes * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() * Extend ECDH interface to enable alternative implementations. * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be. New deprecations * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update in favor of functions that can return an error code. Bugfix * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. * Fix runtime error in `mbedtls_platform_entropy_poll()` when run through qemu user emulation. Reported and fix suggested by randombit in #1212. Fixes #1212. * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659. * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170. * Fix double initialization of ECC hardware that made some accelerators hang. * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 19:44:11 +02:00
LDFLAGS.SunOS+= -lsocket
Import mbed TLS 1.3.11 as security/mbedtls. This is former security/polarssl rebranded under a new name, keeping the same API though and providing the previous libs as symlinks, so should be used as as drop-in replacement for security/polarssl. Changelog since polarssl-1.3.9 follows. = mbed TLS 1.3.11 released 2015-06-04 Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara). * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side
2015-06-12 11:05:05 +02:00
mbedtls: Update to 2.16.3 = mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug. * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd. * When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. API Changes * The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding. Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. * Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 * Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357. * Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169. * Fix undefined memset(NULL) call in test_suite_nist_kw. * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256. * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. * Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander <jens.wiklander@linaro.org> in #2363 * Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392. * Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. * Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. = mbed TLS 2.16.2 branch released 2019-06-11 Security * Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key. Bugfix * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk. * Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239. * Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106. * Reduce stack usage of hkdf tests. Fixes #2195. * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz. * Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd. * Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337 * Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. * Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. * Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431. Changes * Return from various debugging routines immediately if the provided SSL context is unset. * Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. = mbed TLS 2.16.1 branch released 2019-03-19 Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996. * Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 * Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. * Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319. * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. * Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring(). * Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371 * Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 * Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees. * Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI. * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. = mbed TLS 2.16.0 branch released 2018-12-21 Features * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. API Changes * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() * Extend ECDH interface to enable alternative implementations. * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be. New deprecations * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update in favor of functions that can return an error code. Bugfix * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. * Fix runtime error in `mbedtls_platform_entropy_poll()` when run through qemu user emulation. Reported and fix suggested by randombit in #1212. Fixes #1212. * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659. * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170. * Fix double initialization of ECC hardware that made some accelerators hang. * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 19:44:11 +02:00
PYTHON_FOR_BUILD_ONLY= tool
mbedtls: force python3
2020-07-07 13:16:38 +02:00
PYTHON_VERSIONS_INCOMPATIBLE= 27
mbedtls: Update to 2.23.0 = mbed TLS 2.23.0 branch released 2020-07-01 Default behavior changes * In the experimental PSA secure element interface, change the encoding of key lifetimes to encode a persistence level and the location. Although C prototypes do not effectively change, code calling psa_register_se_driver() must be modified to pass the driver's location instead of the keys' lifetime. If the library is upgraded on an existing device, keys created with the old lifetime value will not be readable or removable through Mbed TLS after the upgrade. Features * New functions in the error module return constant strings for high- and low-level error codes, complementing mbedtls_strerror() which constructs a string for any error code, including compound ones, but requires a writable buffer. Contributed by Gaurav Aggarwal in #3176. * The new utility programs/ssl/ssl_context_info prints a human-readable dump of an SSL context saved with mbedtls_ssl_context_save(). * Add support for midipix, a POSIX layer for Microsoft Windows. * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via user provided callback. Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as a solution to #3241. * Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies (#3419). * Added support to entropy_poll for the kern.arandom syscall supported on some BSD systems. Contributed by Nia Alarie in #3423. * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239 Security * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246. Bugfix * Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.19 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir. * Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3192 * Fix issue with a detected HW accelerated record error not being exposed due to shadowed variable. Contributed by Sander Visser in #3310. * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a NULL pointer argument. Contributed by Sander Visser in #3312. * Fix potential linker errors on dual world platforms by inlining mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately from psa_crypto.c. Fixes #3300. * Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855. * Include asn1.h in error.c. Fixes #3328 reported by David Hu. * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318. * Remove unused macros from MSVC projects. Reported in #3297 and fix submitted in #3333 by irwir. * Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small. * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie. * Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. Contributed by Nia Alarie in #3422. * Fix false positive uninitialised variable reported by cpp-check. Contributed by Sander Visser in #3311. * Update iv and len context pointers manually when reallocating buffers using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues when receiving a connection with CID, when these fields were shifted in ssl_parse_record_header(). Changes * Fix warnings about signedness issues in format strings. The build is now clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153. * Fix minor performance issue in operations on Curve25519 caused by using a suboptimal modular reduction in one place. Found and fix contributed by Aurelien Jarno in #3209. * Combine identical cases in switch statements in md.c. Contributed by irwir in #3208. * Simplify a bounds check in ssl_write_certificate_request(). Contributed by irwir in #3150. * Unify the example programs termination to call mbedtls_exit() instead of using a return command. This has been done to enable customization of the behavior in bare metal environments. * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". Contributed by Koh M. Nakagawa in #3326. * Use FindPython3 when cmake version >= 3.15.0 * Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello. * The unit tests now rely on header files in tests/include/test and source files in tests/src. When building with make or cmake, the files in tests/src are compiled and the resulting object linked into each test executable. * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel coutermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`. * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes Martinho. #3147 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported in #3182 and fix submitted by irwir. #3217 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2020-07-07 13:16:10 +02:00
# Prefix bundled programs so they don't conflict with other packages
post-install:
mbedtls: avoid implementation-defined find(1) usage It is implementation-defined whether find(1) replaces {} in arguments that are not exactly equal to {}, so use a for-loop instead.
2020-10-27 01:06:59 +01:00
cd ${DESTDIR}${PREFIX}/bin && for f in *; do \
${MV} "$$f" "mbedtls_$$f"; \
done
mbedtls: Update to 2.23.0 = mbed TLS 2.23.0 branch released 2020-07-01 Default behavior changes * In the experimental PSA secure element interface, change the encoding of key lifetimes to encode a persistence level and the location. Although C prototypes do not effectively change, code calling psa_register_se_driver() must be modified to pass the driver's location instead of the keys' lifetime. If the library is upgraded on an existing device, keys created with the old lifetime value will not be readable or removable through Mbed TLS after the upgrade. Features * New functions in the error module return constant strings for high- and low-level error codes, complementing mbedtls_strerror() which constructs a string for any error code, including compound ones, but requires a writable buffer. Contributed by Gaurav Aggarwal in #3176. * The new utility programs/ssl/ssl_context_info prints a human-readable dump of an SSL context saved with mbedtls_ssl_context_save(). * Add support for midipix, a POSIX layer for Microsoft Windows. * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows parsing unsupported certificate extensions via user provided callback. Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as a solution to #3241. * Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies (#3419). * Added support to entropy_poll for the kern.arandom syscall supported on some BSD systems. Contributed by Nia Alarie in #3423. * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239 Security * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246. Bugfix * Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.19 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir. * Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3192 * Fix issue with a detected HW accelerated record error not being exposed due to shadowed variable. Contributed by Sander Visser in #3310. * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a NULL pointer argument. Contributed by Sander Visser in #3312. * Fix potential linker errors on dual world platforms by inlining mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately from psa_crypto.c. Fixes #3300. * Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855. * Include asn1.h in error.c. Fixes #3328 reported by David Hu. * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318. * Remove unused macros from MSVC projects. Reported in #3297 and fix submitted in #3333 by irwir. * Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small. * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie. * Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. Contributed by Nia Alarie in #3422. * Fix false positive uninitialised variable reported by cpp-check. Contributed by Sander Visser in #3311. * Update iv and len context pointers manually when reallocating buffers using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues when receiving a connection with CID, when these fields were shifted in ssl_parse_record_header(). Changes * Fix warnings about signedness issues in format strings. The build is now clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153. * Fix minor performance issue in operations on Curve25519 caused by using a suboptimal modular reduction in one place. Found and fix contributed by Aurelien Jarno in #3209. * Combine identical cases in switch statements in md.c. Contributed by irwir in #3208. * Simplify a bounds check in ssl_write_certificate_request(). Contributed by irwir in #3150. * Unify the example programs termination to call mbedtls_exit() instead of using a return command. This has been done to enable customization of the behavior in bare metal environments. * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?". Contributed by Koh M. Nakagawa in #3326. * Use FindPython3 when cmake version >= 3.15.0 * Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello. * The unit tests now rely on header files in tests/include/test and source files in tests/src. When building with make or cmake, the files in tests/src are compiled and the resulting object linked into each test executable. * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel coutermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`. * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes Martinho. #3147 * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported in #3182 and fix submitted by irwir. #3217 * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
2020-07-07 13:16:10 +02:00
do-test:
LD_LIBRARY_PATH=${WRKSRC}/library \
${WRKSRC}/programs/test/selftest
.include "options.mk"
mbedtls: Update to 2.16.3 = mbed TLS 2.16.3 branch released 2019-09-06 Security * Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug. * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd. * When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. API Changes * The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding. Bugfix * Fix to allow building test suites with any warning that detects unused functions. Fixes #1628. * Fix typo in net_would_block(). Fixes #528 reported by github-monoculture. * Remove redundant include file in timing.c. Fixes #2640 reported by irwir. * Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 * Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357. * Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169. * Fix undefined memset(NULL) call in test_suite_nist_kw. * Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256. * Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE. * Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander <jens.wiklander@linaro.org> in #2363 * Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392. * Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49. * Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have __BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622. Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. = mbed TLS 2.16.2 branch released 2019-06-11 Security * Make mbedtls_ecdh_get_params return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different group, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from mbedtls_ecdh_get_params. In the latter case, this could expose at most 5 bits of the private key. Bugfix * Server's RSA certificate in certs.c was SHA-1 signed. In the default mbedTLS configuration only SHA-2 signed certificates are accepted. This certificate is used in the demo server programs, which lead the client programs to fail at the peer's certificate verification due to an unacceptable hash signature. The certificate has been updated to one that is SHA-256 signed. Fix contributed by Illya Gerasymchuk. * Fix private key DER output in the key_app_writer example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239. * Fix potential memory leak in X.509 self test. Found and fixed by Junhwan Park, #2106. * Reduce stack usage of hkdf tests. Fixes #2195. * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz. * Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd. * Fix incorrect default port number in ssl_mail_client example's usage. Found and fixed by irwir. #2337 * Add missing parentheses around parameters in the definition of the public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254. * Fix missing bounds checks in X.509 parsing functions that could lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437. * Fix multiple X.509 functions previously returning ASN.1 low-level error codes to always wrap these codes into X.509 high level error codes before returning. Fixes #2431. Changes * Return from various debugging routines immediately if the provided SSL context is unset. * Remove dead code from bignum.c in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to improve clarity. Fixes #2258. * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821. = mbed TLS 2.16.1 branch released 2019-03-19 Features * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites from the default list (enabled by default). See https://sweet32.info/SWEET32_CCS16.pdf. Bugfix * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242. * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined. Raised as a comment in #1996. * Reduce the stack consumption of mbedtls_mpi_fill_random() which could previously lead to a stack overflow on constrained targets. * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions in the header files, which missed the precompilation check. #971 * Fix clobber list in MIPS assembly for large integer multiplication. Previously, this could lead to functionally incorrect assembly being produced by some optimizing compilers, showing up as failures in e.g. RSA or ECC signature operations. Reported in #1722, fix suggested by Aurelien Jarno and submitted by Jeffrey Martin. * Fix signed-to-unsigned integer conversion warning in X.509 module. Fixes #2212. * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion. Fixes #2190. * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326. * Remove the mbedtls namespacing from the header file, to fix a "file not found" build error. Fixed by Haijun Gu #2319. * Fix returning the value 1 when mbedtls_ecdsa_genkey failed. * Fix false failure in all.sh when backup files exist in include/mbedtls (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407. * Ensure that unused bits are zero when writing ASN.1 bitstrings when using mbedtls_asn1_write_bitstring(). * Fix issue when writing the named bitstrings in KeyUsage and NsCertType extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610. Changes * Include configuration file in all header files that use configuration, instead of relying on other header files that they include. Inserted as an enhancement for #1371 * Add support for alternative CSR headers, as used by Microsoft and defined in RFC 7468. Found by Michael Ernst. Fixes #767. * Fix configuration queries in ssl-opt.h. #2030 * Ensure that ssl-opt.h can be run in OS X. #2029 * Reduce the complexity of the timing tests. They were assuming more than the underlying OS actually guarantees. * Re-enable certain interoperability tests in ssl-opt.sh which had previously been disabled for lack of a sufficiently recent version of GnuTLS on the CI. * Ciphersuites based on 3DES now have the lowest priority by default when they are enabled. = mbed TLS 2.16.0 branch released 2018-12-21 Features * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it. API Changes * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret() * Extend ECDH interface to enable alternative implementations. * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA. * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be. New deprecations * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update in favor of functions that can return an error code. Bugfix * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482. * Fix runtime error in `mbedtls_platform_entropy_poll()` when run through qemu user emulation. Reported and fix suggested by randombit in #1212. Fixes #1212. * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659. * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170. * Fix double initialization of ECC hardware that made some accelerators hang. * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
2019-10-01 19:44:11 +02:00
.include "../../lang/python/tool.mk"
Import mbed TLS 1.3.11 as security/mbedtls. This is former security/polarssl rebranded under a new name, keeping the same API though and providing the previous libs as symlinks, so should be used as as drop-in replacement for security/polarssl. Changelog since polarssl-1.3.9 follows. = mbed TLS 1.3.11 released 2015-06-04 Security * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and extendedKeyUsage on the leaf certificate was lost (results not accessible via ssl_get_verify_results()). * Add countermeasure against "Lucky 13 strikes back" cache-based attack, https://dl.acm.org/citation.cfm?id=2714625 Features * Improve ECC performance by using more efficient doubling formulas (contributed by Peter Dettman). * Add x509_crt_verify_info() to display certificate verification results. * Add support for reading DH parameters with privateValueLength included (contributed by Daniel Kahn Gillmor). * Add support for bit strings in X.509 names (request by Fredrik Axelsson). * Add support for id-at-uniqueIdentifier in X.509 names. * Add support for overriding snprintf() (except on Windows) and exit() in the platform layer. * Add an option to use macros instead of function pointers in the platform layer (helps get rid of unwanted references). * Improved Makefiles for Windows targets by fixing library targets and making cross-compilation easier (thanks to Alon Bar-Lev). * The benchmark program also prints heap usage for public-key primitives if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined. * New script ecc-heap.sh helps measuring the impact of ECC parameters on speed and RAM (heap only for now) usage. * New script memory.sh helps measuring the ROM and RAM requirements of two reduced configurations (PSK-CCM and NSA suite B). * Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce warnings on use of deprecated functions (with GCC and Clang only). * Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce errors on use of deprecated functions. Bugfix * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS. * Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara). * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara). * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context. * Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape). * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan). * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic). * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time. * Fix handling of symlinks by "make install" (found by Gaël PORTAY). * Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl). * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected. * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos). * Fix thread safety bug in RSA operations (found by Fredrik Axelsson). * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele). * Fix warnings from mingw64 in timing.c (found by kxjklele). * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms. * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid). * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10). * Add missing extern "C" guard in aesni.h (reported by amir zamani). * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai). * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed. Changes * Remove bias in mpi_gen_prime (contributed by Pascal Junod). * Remove potential sources of timing variations (some contributed by Pascal Junod). * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated. * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated. * compat-1.2.h and openssl.h are deprecated. * Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now more flexible (warning: OFLAGS is not used any more) (see the README) (contributed by Alon Bar-Lev). * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10). * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder). * Remove some unneeded inclusions of header files from the standard library "minimize" others (eg use stddef.h if only size_t is needed). * Change #include lines in test files to use double quotes instead of angle brackets for uniformity with the rest of the code. * Remove dependency on sscanf() in X.509 parsing modules. = mbed TLS 1.3.10 released 2015-02-09 Security * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). Features * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. Bugfix * Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely). * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely). * User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found by Julian Ospald). * Fix potential undefined behaviour in Camellia. * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai). * Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic). * Fix assembly selection for MIPS64 (thanks to James Cowgill). * ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson). * Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.) * On a 0-length input, base64_encode() did not correctly set output length (found by Hendrik van den Boogaard). Changes * Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h). * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. * ssl_set_own_cert() now returns an error on key-certificate mismatch. * Forbid repeated extensions in X.509 certificates. * debug_print_buf() now prints a text view in addition to hexadecimal. * A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended)KeyUsage or curve or no PSK set. * It is now possible to disable negotiation of truncated HMAC server-side
2015-06-12 11:05:05 +02:00
.include "../../mk/pthread.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
Reference in a new issue Copy permalink