Release notes from mbed-crypto

mbedcrypto-3.1.0+renesas.1

2020-03-23T14:11:04Z

Unofficial release based on mbed-crypto 3.1.0 with Renesas unreviewed…

mbedcrypto-3.1.0+renesas.0

2020-03-16T16:26:28Z

Unofficial release based on mbed-crypto 3.1.0 with Renesas unreviewed…

mbedcrypto-2.0.0+renesas.0

2020-03-04T18:13:21Z

Unofficial release based on mbed-crypto 2.0 with Renesas unreviewed c…

Mbed Crypto 3.1.0

2020-02-21T09:39:22Z

Introduction

Mbed Crypto 3.1.0 has now been released. This release brings fixes for a security issue, as described in more detail in our security advisory.

The Mbed cryptography library is a reference implementation of the cryptography interface of the Arm Platform Security (PSA) architecture. Note that while this library is versioned as 3.1.0, the PSA APIs are under development and subject to change based on feedback. The next release of Mbed Crypto may not provide backwards compatibility with this release.

Security

Fix potential memory overread when performing an ECDSA signature operation. The overread only happens with cryptographically low probability (of the order of 2^-n where n is the bitsize of the curve) unless the RNG is broken, and could result in information disclosure or denial of service (application crash or extra resource consumption). Found by Auke Zeilstra and Peter Schwabe, using static analysis.
To avoid a side channel vulnerability when parsing an RSA private key, read all the CRT parameters from the DER structure rather than reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob Brumley. Reported and fix contributed by Jack Lloyd.

Features

The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512 support without SHA-384.

API Changes

Change the encoding of key types and curves in the PSA API. The new values are aligned with the upcoming release of the PSA Crypto API specification version 1.0.0. The main change which may break some existing code is that elliptic curve key types no longer encode the exact curve: a psa_ecc_curve_t or psa_key_type_t value only encodes a curve family and the key size determines the exact curve (for example, PSA_ECC_CURVE_SECP_R1 with 256 bits is P256R1).

Bugfix

Fix a possible error code mangling in psa_mac_verify_finish() when a cryptographic accelerator fails.
Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some RSA keys that would later be rejected by functions expecting private keys. Found by Catena cyber using oss-fuzz (issue 20467).
Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some RSA keys with invalid values by silently fixing those values.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Mbed Crypto 3.0.1

2020-02-21T09:39:43Z

Introduction

Mbed Crypto 3.0.1 has now been released. This release brings fixes for a security issue, as described in more detail in our security advisory.

The Mbed cryptography library is a reference implementation of the cryptography interface of the Arm Platform Security (PSA) architecture. Note that while this library is versioned as 3.0.1, the PSA APIs are under development and subject to change based on feedback. The next release of Mbed Crypto may not provide backwards compatibility with this release.

Default behavior changes

The initial seeding of a CTR_DRBG instance makes a second call to the entropy function to obtain entropy for a nonce if the entropy size is less than 3/2 times the key size. In case you want to disable the extra call to grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the nonce length to 0.

Security

Enforce that mbedtls_entropy_func() gathers a total of MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the default configuration, on a platform with a single entropy source, the entropy module formerly only grabbed 32 bytes, which is good enough for security if the source is genuinely strong, but less than the expected 64 bytes (size of the entropy accumulator).
Zeroize local variables in mbedtls_internal_aes_encrypt() and mbedtls_internal_aes_decrypt() before exiting the function. The value of these variables can be used to recover the last round key. To follow best practice and to limit the impact of buffer overread vulnerabilities (like Heartbleed) we need to zeroize them before exiting the function. Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
Fix side channel vulnerability in ECDSA. Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
Fix side channel vulnerability in ECDSA key generation. Obtaining precise timings on the comparison in the key generation enabled the attacker to learn leading bits of the ephemeral key used during ECDSA signatures and to recover the private key. Reported by Jeremy Dubeuf.
Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught failures could happen with alternative implementations of AES. Bug reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri, Sectra.

Features

Key derivation inputs in the PSA API can now either come from a key object or from a buffer regardless of the step type.
The CTR_DRBG module can grab a nonce from the entropy source during the initial seeding. The default nonce length is chosen based on the key size to achieve the security strength defined by NIST SP 800-90A. You can change it with mbedtls_ctr_drbg_set_nonce_len().
Add ENUMERATED tag support to the ASN.1 module. Contributed by msopiha-linaro.

API changes

In the PSA API, forbid zero-length keys. To pass a zero-length input to a key derivation function, use a buffer instead (this is now always possible).
Rename psa_asymmetric_sign() to psa_sign_hash() and psa_asymmetric_verify() to psa_verify_hash().

Bugfix

Fix a buffer overflow in the PSA HMAC code when using a long key with an unsupported algorithm.
Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit to OSS-Fuzz for finding a bug in an intermediate version of the fix.
Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at most 2 bytes.
mbedtls_ctr_drbg_set_entropy_len() and mbedtls_hmac_drbg_set_entropy_len() now work if you call them before mbedtls_ctr_drbg_seed() or mbedtls_hmac_drbg_seed().

Changes

Remove the technical possibility to define custom mbedtls_md_info structures, which was exposed only in an internal header.
psa_close_key(0) and psa_destroy_key(0) now succeed (doing nothing, as before).
Variables containing error codes are now initialized to an error code rather than success, so that coding mistakes or memory corruption tends to cause functions to return this error code rather than a success. There are no known instances where this changes the behavior of the library: this is merely a robustness improvement.
Remove a useless call to mbedtls_ecp_group_free(). Contributed by Alexander Krizhanovsky
Speed up PBKDF2 by caching the digest calculation. Contributed by Jack Lloyd and Fortanix Inc
Small performance improvement of mbedtls_mpi_div_mpi(). Contributed by Alexander Krizhanovsky

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

mbedcrypto-3.0.0

2020-01-15T18:29:58Z

Mbed Crypto 3.0.0

mbedcrypto-3.0.0d0

2019-12-20T11:37:58Z

Mbed Crypto 3.0.0d0

mbedcrypto-2.1.0d0

2019-10-15T12:58:00Z

Mbed Crypto 2.1.0d0

Mbed Crypto 2.0.0

2019-09-18T13:00:38Z

Introduction

Mbed Crypto 2.0.0 has now been released.

The Mbed cryptography library is a reference implementation of the cryptography interface of the Arm Platform Security (PSA) architecture. Note that while this library is versioned as 2.0.0, the PSA APIs are under development and subject to change based on feedback. The next release of Mbed Crypto may not provide backwards compatibility with this release.

Security

Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug.
When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer.
The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd.

Features

New implementation of X25519 (ECDH using Curve25519) from Project Everest (https://project-everest.github.io/). It can be enabled at compile time with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED. This implementation is formally verified and significantly faster, but is only supported on x86 platforms (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by Christoph Wintersteiger from Microsoft Research.

API Changes

The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding.
The new function mbedtls_ecp_gen_privkey() allows to generate a private key without generating the public part of the pair.

PSA Crypto API 1.0b3 API breaking changes

Mbed Crypto tracks the upstream PSA Crypto API, so a number of breaking changes come in this release. Details on migration available in the section "Migrating from Mbed Crypto 1.x" below.

Use key attributes structures for key creation
Make generating or importing a key also allocate the key
Update key derivation functions to accept chunked inputs
Update key agreement API
Align PSA Crypto error codes with other PSA error codes
Rename functions for consistency with each other and the rest of PSA
Be consistent in use of stdint types

Bugfix

Fix to allow building test suites with any warning that detects unused functions. Fixes #1628.
Remove redundant include file in timing.c. Fixes ARMmbed/mbed-tls#2640 reported by irwir.
Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes ARMmbed/mbed-tls#1430 reported by irwir.
Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes ARMmbed/mbed-tls#1591 reported by dbedev.
Fix misuse of signed arithmetic in the HAVEGE module. ARMmbed/mbed-tls#2598
Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in ARMmbed/mbed-tls#2357.
Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in ARMmbed/mbed-tls#2169.
Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander jens.wiklander@linaro.org in ARMmbed/mbed-tls#2363
Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have BYTE_ORDER defined. Reported by Brendan Shanks. Fixes ARMmbed/mbed-tls#2622.
Fix undefined memset(NULL) call in test_suite_nist_kw.
Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes #49.

Changes

Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). ARMmbed/mbed-tls#2671
Make make clean clean all programs always. Fixes ARMmbed/mbed-tls#1862.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Migrating from Mbed Crypto 1.x

Renaming of key pair names

Replace KEY_PAIR in names that would have used KEYPAIR in the previous API version. For example, PSA_KEY_TYPE_ECC_KEY_PAIR replaces PSA_KEY_TYPE_ECC_KEYPAIR.

Using persistent keys

Use psa_open_key() to open a persistent key. Previously, volatile keys could also be opened. With PSA Crypto API 1.0b3, keys are implicitly opened for you upon import, generation, or derivation.

psa_status_t psa_open_key(psa_key_id_t id,
                          psa_key_handle_t *handle);

Only persistent keys can be opened, so there is no need to pass the lifetime anymore.

It is no longer necessary to call psa_create_key() to make a key persistent. A key is persistent if it is created with a lifetime other than PSA_KEY_LIFETIME_VOLATILE. As part of key creation, use psa_set_key_id() to set both the key's persistent identifier and to set the lifetime to persistent and then call the key creation routine: like psa_generate_key() or psa_import_key()

Old	New
`psa_open_key()`	Only use for opening previously created persistent keys
`psa_create_key()`	`psa_set_key_id()` Keys with IDs are made persistent implicitly upon creation

Allocating keys

Key creation will implicitly allocate resources as necessary, so psa_allocate_key() has been removed from the API and is no longer needed.

Old	New
`psa_allocate_key()`	Not necessary. Delete calls to `psa_allocate_key()`.

Importing keys

Previously, you had create a policy structure and pass many function arguments to communicate the properties you wanted the imported key to have. Now, you describe them entirely within the attributes structure, passing only the attributes and data to psa_import_key().

Old	New
`psa_key_policy_init()`	`psa_key_attributes_init()`
`psa_key_policy_set_usage()`	`psa_set_key_usage_flags()`, `psa_set_key_algorithm()`
Pass key type to `psa_import_key()`	`psa_set_key_type()`
`psa_set_key_policy()`	Pass the attributes to psa_import_key()
`psa_import_key()`	`psa_import_key()`

Generating keys

Old	New
`psa_key_policy_init()`	`psa_key_attributes_init()`
`psa_key_policy_set_usage()`	`psa_set_key_usage_flags()`, `psa_set_key_algorithm()`
Pass key type to `psa_import_key()`	`psa_set_key_type()`
`psa_set_key_policy()`	Pass the attributes to psa_import_key()
`psa_generate_key()`	`psa_generate_key()`

Reading key policy or information

What used to be two functions with many parameters each is now one function that returns the attributes in one structure, in the same format you'd use to create new keys.

Old	New
`psa_get_key_policy()`, `psa_get_key_information()`	`psa_get_key_attributes()`

Deriving keys

The previous "generator" class of functions has been renamed to "key_derivation". The psa_crypto_generator_t structure was previously used to derive keys. Use of the psa_key_derivation_operation_t structure replaces psa_crypto_generator_t for deriving keys.

Old	New
`psa_crypto_generator_t`	`psa_key_derivation_operation_t`
`psa_generator_abort()`	`psa_key_derivation_abort()`
`psa_get_generator_capacity()`	`psa_key_derivation_get_capacity()`
Function parameter	`psa_key_derivation_set_capacity()`
`psa_generator_read()`	`psa_key_derivation_output_bytes()`
Use of generator with `PSA_ALG_SELECT_RAW`	`psa_raw_key_agreement()`
`psa_key_derivation()`	Deriving keys now uses key derivation objects and consists of multiple parts. See the getting started guide for details.

Key agreement

Old	New
`psa_key_agreement()`	`psa_key_derivation_setup()`, `psa_key_derivation_key_agreement()`, `psa_key_derivation_output_key()`

Hashing

Note: Not yet implemented in Mbed Crypto 2.0.0

The PSA Crypto API 1.0b3 adds a few new functions to help with hashing. Specifically, functions to perform one-shot computation or comparison of hashes.

Old	New
Many hash function calls	`psa_hash_compute()`
Many hash function calls	`psa_hash_compare()`

Computing or verifying a MAC

Note: Not yet implemented in Mbed Crypto 2.0.0

The PSA Crypto API 1.0b3 adds a few new functions to help with working with MACs. Specifically, functions to perform one-shot computation or comparison of MACs.

Old	New
Many MAC function calls	`psa_mac_compute()`
Many MAC function calls	`psa_mac_verify()`

Symmetric cryptography

Note: Not yet implemented in Mbed Crypto 2.0.0

The PSA Crypto API 1.0b3 adds a few new functions to help with working with symmetric ciphers. Specifically, functions to perform one-shot encryption or decryption. The types used by psa_cipher_generate_iv(), psa_cipher_set_iv(), and psa_cipher_update() have changed from unsigned char to uint8_t.

Old	New
Many cipher function calls	`psa_cipher_encrypt()`
Many cipher function calls	`psa_cipher_decrypt()`

Authenticated encryption

Note: Not yet implemented in Mbed Crypto 2.0.0

The PSA Crypto API 1.0b3 introduces multi-part authenticated encryption functions. The original one-shot AEAD functions still remain and aren't being replaced.

New functions for multipart AEAD

psa_aead_operation_init()
psa_aead_encrypt_setup()
psa_aead_decrypt_setup()
psa_aead_generate_nonce()
psa_aead_set_nonce()
psa_aead_set_lengths()
psa_aead_update_ad()
psa_aead_update()
psa_aead_finish()
psa_aead_verify()
psa_aead_abort()

Mbed Crypto entropy injection

Use of uint8_t replaces unsigned char in mbedtls_psa_inject_entropy(). The macro MBEDTLS_PSA_INJECT_ENTROPY replaces MBEDTLS_PSA_ENTROPY_INJECTION.

mbedcrypto-2.0.0d2

2019-09-06T07:58:52Z

Mbed Crypto 2.0.0d2