Skip to content

Mbed Crypto 3.0.1
Compare
Choose a tag to compare
@yanesca yanesca released this 21 Feb 09:39
· 243 commits to development since this release
mbedcrypto-3.0.1
1146b4e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Introduction

Mbed Crypto 3.0.1 has now been released. This release brings fixes for a security issue, as described in more detail in our security advisory.

The Mbed cryptography library is a reference implementation of the cryptography interface of the Arm Platform Security (PSA) architecture. Note that while this library is versioned as 3.0.1, the PSA APIs are under development and subject to change based on feedback. The next release of Mbed Crypto may not provide backwards compatibility with this release.

Default behavior changes

  • The initial seeding of a CTR_DRBG instance makes a second call to the entropy function to obtain entropy for a nonce if the entropy size is less than 3/2 times the key size. In case you want to disable the extra call to grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the nonce length to 0.

Security

  • Enforce that mbedtls_entropy_func() gathers a total of MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the default configuration, on a platform with a single entropy source, the entropy module formerly only grabbed 32 bytes, which is good enough for security if the source is genuinely strong, but less than the expected 64 bytes (size of the entropy accumulator).
  • Zeroize local variables in mbedtls_internal_aes_encrypt() and mbedtls_internal_aes_decrypt() before exiting the function. The value of these variables can be used to recover the last round key. To follow best practice and to limit the impact of buffer overread vulnerabilities (like Heartbleed) we need to zeroize them before exiting the function. Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
  • Fix side channel vulnerability in ECDSA. Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
  • Fix side channel vulnerability in ECDSA key generation. Obtaining precise timings on the comparison in the key generation enabled the attacker to learn leading bits of the ephemeral key used during ECDSA signatures and to recover the private key. Reported by Jeremy Dubeuf.
  • Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught failures could happen with alternative implementations of AES. Bug reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, Sectra.

Features

  • Key derivation inputs in the PSA API can now either come from a key object or from a buffer regardless of the step type.
  • The CTR_DRBG module can grab a nonce from the entropy source during the initial seeding. The default nonce length is chosen based on the key size to achieve the security strength defined by NIST SP 800-90A. You can change it with mbedtls_ctr_drbg_set_nonce_len().
  • Add ENUMERATED tag support to the ASN.1 module. Contributed by msopiha-linaro.

API changes

  • In the PSA API, forbid zero-length keys. To pass a zero-length input to a key derivation function, use a buffer instead (this is now always possible).
  • Rename psa_asymmetric_sign() to psa_sign_hash() and psa_asymmetric_verify() to psa_verify_hash().

Bugfix

  • Fix a buffer overflow in the PSA HMAC code when using a long key with an unsupported algorithm.
  • Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit to OSS-Fuzz for finding a bug in an intermediate version of the fix.
  • Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at most 2 bytes.
  • mbedtls_ctr_drbg_set_entropy_len() and mbedtls_hmac_drbg_set_entropy_len() now work if you call them before mbedtls_ctr_drbg_seed() or mbedtls_hmac_drbg_seed().

Changes

  • Remove the technical possibility to define custom mbedtls_md_info structures, which was exposed only in an internal header.
  • psa_close_key(0) and psa_destroy_key(0) now succeed (doing nothing, as before).
  • Variables containing error codes are now initialized to an error code rather than success, so that coding mistakes or memory corruption tends to cause functions to return this error code rather than a success. There are no known instances where this changes the behavior of the library: this is merely a robustness improvement.
  • Remove a useless call to mbedtls_ecp_group_free(). Contributed by Alexander Krizhanovsky
  • Speed up PBKDF2 by caching the digest calculation. Contributed by Jack Lloyd and Fortanix Inc
  • Small performance improvement of mbedtls_mpi_div_mpi(). Contributed by Alexander Krizhanovsky

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Assets 2
Loading