Skip to content

Commit

Permalink
Merge pull request #711 from ARMmbed/mbedtls-2.16.7r0-pr
Browse files Browse the repository at this point in the history
Prepare Release Candidate for Mbed TLS 2.16.7
  • Loading branch information
yanesca authored Jun 30, 2020
2 parents eab4a7a + 6c48d09 commit abc4602
Show file tree
Hide file tree
Showing 23 changed files with 605 additions and 49 deletions.
52 changes: 52 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
@@ -1,5 +1,57 @@
mbed TLS ChangeLog (Sorted per branch, date)

= mbed TLS 2.16.7 branch released 2020-07-01

Security
* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
Strackx (Fortanix) in #3394.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
private key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros). This would cause the original Lucky 13 attack to be possible in
those configurations, allowing an active network attacker to recover
plaintext after repeated timing measurements under some conditions.
Reported and fix suggested by Luc Perneel in #3246.

Bugfix
* Fix the Visual Studio Release x64 build configuration for mbedtls itself.
Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for
the example programs. Reported in #1430 and fix contributed by irwir.
* Fix undefined behavior in X.509 certificate parsing if the
pathLenConstraint basic constraint value is equal to INT_MAX.
The actual effect with almost every compiler is the intended
behavior, so this is unlikely to be exploitable anywhere. #3197
* Include asn1.h in error.c. Fixes #3328 reported by David Hu.
* Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
when PRNG function fails. Contributed by Jonas Lejeune in #3318.
* Add additional bounds checks in ssl_write_client_hello() preventing
output buffer overflow if the configuration declared a buffer that was
too small.

Changes
* Unify the example programs termination to call mbedtls_exit() instead of
using a return command. This has been done to enable customization of the
behavior in bare metal environments.
* Abort the ClientHello writing function as soon as some extension doesn't
fit into the record buffer. Previously, such extensions were silently
dropped. As a consequence, the TLS handshake now fails when the output
buffer is not large enough to hold the ClientHello.
* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
`MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C` or
`MBEDTLS_SHA256_C` for some side-channel coutermeasures. If side channels
are not a concern, this dependency can be avoided by enabling the new
option `MBEDTLS_ECP_NO_INTERNAL_RNG`.

= mbed TLS 2.16.6 branch released 2020-04-14

Security
Expand Down
4 changes: 0 additions & 4 deletions ChangeLog.d/bugfix.txt

This file was deleted.

2 changes: 0 additions & 2 deletions ChangeLog.d/error-asn1.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/fix-ecp-mul-memory-leak.txt

This file was deleted.

5 changes: 0 additions & 5 deletions ChangeLog.d/max_pathlen.txt

This file was deleted.

6 changes: 0 additions & 6 deletions ChangeLog.d/montmul-cmp-branch.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/unified-exit-in-examples.txt

This file was deleted.

9 changes: 0 additions & 9 deletions ChangeLog.d/uniformize_bounds_checks.txt

This file was deleted.

2 changes: 1 addition & 1 deletion doxygen/input/doc_mainpage.h
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@
*/

/**
* @mainpage mbed TLS v2.16.6 source code documentation
* @mainpage mbed TLS v2.16.7 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
Expand Down
2 changes: 1 addition & 1 deletion doxygen/mbedtls.doxyfile
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.

PROJECT_NAME = "mbed TLS v2.16.6"
PROJECT_NAME = "mbed TLS v2.16.7"

# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
Expand Down
10 changes: 10 additions & 0 deletions include/mbedtls/check_config.h
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,16 @@
#error "MBEDTLS_ECP_C defined, but not all prerequisites"
#endif

#if defined(MBEDTLS_ECP_C) && !( \
defined(MBEDTLS_ECP_ALT) || \
defined(MBEDTLS_CTR_DRBG_C) || \
defined(MBEDTLS_HMAC_DRBG_C) || \
defined(MBEDTLS_SHA512_C) || \
defined(MBEDTLS_SHA256_C) || \
defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
#error "MBEDTLS_ECP_C requires a DRBG or SHA-2 module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
#endif

#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
#endif
Expand Down
22 changes: 22 additions & 0 deletions include/mbedtls/config.h
Original file line number Diff line number Diff line change
Expand Up @@ -807,6 +807,28 @@
*/
#define MBEDTLS_ECP_NIST_OPTIM

/**
* \def MBEDTLS_ECP_NO_INTERNAL_RNG
*
* When this option is disabled, mbedtls_ecp_mul() will make use of an
* internal RNG when called with a NULL \c f_rng argument, in order to protect
* against some side-channel attacks.
*
* This protection introduces a dependency of the ECP module on one of the
* DRBG or SHA modules (HMAC-DRBG, CTR-DRBG, SHA-512 or SHA-256.) For very
* constrained applications that don't require this protection (for example,
* because you're only doing signature verification, so not manipulating any
* secret, or because local/physical side-channel attacks are outside your
* threat model), it might be desirable to get rid of that dependency.
*
* \warning Enabling this option makes some uses of ECP vulnerable to some
* side-channel attacks. Only enable it if you know that's not a problem for
* your use case.
*
* Uncomment this macro to disable some counter-measures in ECP.
*/
//#define MBEDTLS_ECP_NO_INTERNAL_RNG

/**
* \def MBEDTLS_ECP_RESTARTABLE
*
Expand Down
3 changes: 3 additions & 0 deletions include/mbedtls/ecp.h
Original file line number Diff line number Diff line change
Expand Up @@ -840,6 +840,9 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,
* intermediate results to prevent potential timing attacks
* targeting these results. We recommend always providing
* a non-NULL \p f_rng. The overhead is negligible.
* Note: unless #MBEDTLS_ECP_NO_INTERNAL_RNG is defined, when
* \p f_rng is NULL, an internal RNG (seeded from the value
* of \p m) will be used instead.
*
* \param grp The ECP group to use.
* This must be initialized and have group parameters
Expand Down
2 changes: 2 additions & 0 deletions include/mbedtls/md.h
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,8 @@ typedef struct mbedtls_md_context_t
* \brief This function returns the list of digests supported by the
* generic digest module.
*
* \note The list starts with the strongest available hashes.
*
* \return A statically allocated array of digests. Each element
* in the returned list is an integer belonging to the
* message-digest enumeration #mbedtls_md_type_t.
Expand Down
8 changes: 4 additions & 4 deletions include/mbedtls/version.h
Original file line number Diff line number Diff line change
Expand Up @@ -67,16 +67,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 16
#define MBEDTLS_VERSION_PATCH 6
#define MBEDTLS_VERSION_PATCH 7

/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
#define MBEDTLS_VERSION_NUMBER 0x02100600
#define MBEDTLS_VERSION_STRING "2.16.6"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.6"
#define MBEDTLS_VERSION_NUMBER 0x02100700
#define MBEDTLS_VERSION_STRING "2.16.7"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.7"

#if defined(MBEDTLS_VERSION_C)

Expand Down
6 changes: 3 additions & 3 deletions library/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -165,15 +165,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)

if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedcrypto SHARED ${src_crypto})
set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.6 SOVERSION 3)
set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.7 SOVERSION 3)
target_link_libraries(mbedcrypto ${libs})

add_library(mbedx509 SHARED ${src_x509})
set_target_properties(mbedx509 PROPERTIES VERSION 2.16.6 SOVERSION 0)
set_target_properties(mbedx509 PROPERTIES VERSION 2.16.7 SOVERSION 0)
target_link_libraries(mbedx509 ${libs} mbedcrypto)

add_library(mbedtls SHARED ${src_tls})
set_target_properties(mbedtls PROPERTIES VERSION 2.16.6 SOVERSION 12)
set_target_properties(mbedtls PROPERTIES VERSION 2.16.7 SOVERSION 12)
target_link_libraries(mbedtls ${libs} mbedx509)

install(TARGETS mbedtls mbedx509 mbedcrypto
Expand Down
Loading

0 comments on commit abc4602

Please sign in to comment.