Merge pull request #2988 from piotr-now/iotssl-2954-custom-io-callbacks-to-ssl-unit-test
Changes in custom IO callbacks used in unit tests
diff --git a/ChangeLog b/ChangeLog
index ab8267f..be6b5d7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,59 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS 2.20.0 branch released xxxx-xx-xx
+= mbed TLS 2.20.0 branch released 2020-01-15
+
+Default behavior changes
+ * The initial seeding of a CTR_DRBG instance makes a second call to the
+ entropy function to obtain entropy for a nonce if the entropy size is less
+ than 3/2 times the key size. In case you want to disable the extra call to
+ grab entropy, you can call mbedtls_ctr_drbg_set_nonce_len() to force the
+ nonce length to 0.
+
+Security
+ * Enforce that mbedtls_entropy_func() gathers a total of
+ MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In the
+ default configuration, on a platform with a single entropy source, the
+ entropy module formerly only grabbed 32 bytes, which is good enough for
+ security if the source is genuinely strong, but less than the expected 64
+ bytes (size of the entropy accumulator).
+ * Zeroize local variables in mbedtls_internal_aes_encrypt() and
+ mbedtls_internal_aes_decrypt() before exiting the function. The value of
+ these variables can be used to recover the last round key. To follow best
+ practice and to limit the impact of buffer overread vulnerabilities (like
+ Heartbleed) we need to zeroize them before exiting the function.
+ Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
+ Grant Hernandez, and Kevin Butler (University of Florida) and
+ Dave Tian (Purdue University).
+ * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
+ constant time/constant trace, so side channel attacks can retrieve the
+ blinded value, factor it (as it is smaller than RSA keys and not guaranteed
+ to have only large prime factors), and then, by brute force, recover the
+ key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
+ * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
+ timings on the comparison in the key generation enabled the attacker to
+ learn leading bits of the ephemeral key used during ECDSA signatures and to
+ recover the private key. Reported by Jeremy Dubeuf.
+ * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
+ failures could happen with alternative implementations of AES. Bug
+ reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
+ Sectra.
+
+Features
+ * Key derivation inputs in the PSA API can now either come from a key object
+ or from a buffer regardless of the step type.
+ * The CTR_DRBG module can grab a nonce from the entropy source during the
+ initial seeding. The default nonce length is chosen based on the key size
+ to achieve the security strength defined by NIST SP 800-90A. You can
+ change it with mbedtls_ctr_drbg_set_nonce_len().
+ * Add ENUMERATED tag support to the ASN.1 module. Contributed by
+ msopiha-linaro in ARMmbed/mbed-crypto#307.
+
+API changes
+ * In the PSA API, forbid zero-length keys. To pass a zero-length input to a
+ key derivation function, use a buffer instead (this is now always
+ possible).
+ * Rename psa_asymmetric_sign() to psa_sign_hash() and
+ psa_asymmetric_verify() to psa_verify_hash().
Bugfix
* Fix an incorrect size in a debugging message. Reported and fix
@@ -9,6 +62,34 @@
Reported and fix submitted by irwir. Fixes #2800.
* Remove a useless assignment. Reported and fix submitted by irwir.
Fixes #2801.
+ * Fix a buffer overflow in the PSA HMAC code when using a long key with an
+ unsupported algorithm. Fixes ARMmbed/mbed-crypto#254.
+ * Fix mbedtls_asn1_get_int to support any number of leading zeros. Credit
+ to OSS-Fuzz for finding a bug in an intermediate version of the fix.
+ * Fix mbedtls_asn1_get_bitstring_null to correctly parse bitstrings of at
+ most 2 bytes.
+ * mbedtls_ctr_drbg_set_entropy_len() and
+ mbedtls_hmac_drbg_set_entropy_len() now work if you call them before
+ mbedtls_ctr_drbg_seed() or mbedtls_hmac_drbg_seed().
+ * Fix some false-positive uninitialized variable warnings. Fix contributed
+ by apple-ihack-geek in #2663.
+
+Changes
+ * Remove the technical possibility to define custom mbedtls_md_info
+ structures, which was exposed only in an internal header.
+ * psa_close_key(0) and psa_destroy_key(0) now succeed (doing nothing, as
+ before).
+ * Variables containing error codes are now initialized to an error code
+ rather than success, so that coding mistakes or memory corruption tends to
+ cause functions to return this error code rather than a success. There are
+ no known instances where this changes the behavior of the library: this is
+ merely a robustness improvement. ARMmbed/mbed-crypto#323
+ * Remove a useless call to mbedtls_ecp_group_free(). Contributed by
+ Alexander Krizhanovsky in ARMmbed/mbed-crypto#210.
+ * Speed up PBKDF2 by caching the digest calculation. Contributed by Jack
+ Lloyd and Fortanix Inc in ARMmbed/mbed-crypto#277.
+ * Small performance improvement of mbedtls_mpi_div_mpi(). Contributed by
+ Alexander Krizhanovsky in ARMmbed/mbed-crypto#308.
= mbed TLS 2.19.1 branch released 2019-09-16
diff --git a/crypto b/crypto
index 795c6ba..1146b4e 160000
--- a/crypto
+++ b/crypto
@@ -1 +1 @@
-Subproject commit 795c6bab62177f48f1457c1ffac93d0a1245beb0
+Subproject commit 1146b4e06011b69a6437e6b728f2af043a06ec19
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index d5ead37..5b5aefb 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -24,7 +24,7 @@
*/
/**
- * @mainpage mbed TLS v2.19.1 source code documentation
+ * @mainpage mbed TLS v2.20.0 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index eb2d96e..47a9740 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
-PROJECT_NAME = "mbed TLS v2.19.1"
+PROJECT_NAME = "mbed TLS v2.20.0"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index ae694ee..d4e5d54 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -39,17 +39,17 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 2
-#define MBEDTLS_VERSION_MINOR 19
-#define MBEDTLS_VERSION_PATCH 1
+#define MBEDTLS_VERSION_MINOR 20
+#define MBEDTLS_VERSION_PATCH 0
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x02130100
-#define MBEDTLS_VERSION_STRING "2.19.1"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.19.1"
+#define MBEDTLS_VERSION_NUMBER 0x02140000
+#define MBEDTLS_VERSION_STRING "2.20.0"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.20.0"
#if defined(MBEDTLS_VERSION_C)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 5e36a5b..d990d43 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -174,14 +174,14 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedx509 SHARED ${src_x509})
- set_target_properties(mbedx509 PROPERTIES VERSION 2.19.1 SOVERSION 1)
+ set_target_properties(mbedx509 PROPERTIES VERSION 2.20.0 SOVERSION 1)
target_link_libraries(mbedx509 ${libs} mbedcrypto)
target_include_directories(mbedx509
PUBLIC ${MBEDTLS_DIR}/include/
PUBLIC ${MBEDTLS_DIR}/crypto/include/)
add_library(mbedtls SHARED ${src_tls})
- set_target_properties(mbedtls PROPERTIES VERSION 2.19.1 SOVERSION 13)
+ set_target_properties(mbedtls PROPERTIES VERSION 2.20.0 SOVERSION 13)
target_link_libraries(mbedtls ${libs} mbedx509)
target_include_directories(mbedtls
PUBLIC ${MBEDTLS_DIR}/include/
diff --git a/library/Makefile b/library/Makefile
index bc9363d..6fc110c 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -37,7 +37,7 @@
SOEXT_TLS=so.13
SOEXT_X509=so.1
-SOEXT_CRYPTO=so.3
+SOEXT_CRYPTO=so.4
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
# the - prefix for command line options (e.g. llvm-ar)
diff --git a/programs/aes/aescrypt2.c b/programs/aes/aescrypt2.c
index 8242ea7..048028d 100644
--- a/programs/aes/aescrypt2.c
+++ b/programs/aes/aescrypt2.c
@@ -96,7 +96,7 @@
unsigned char IV[16];
unsigned char tmp[16];
unsigned char key[512];
- unsigned char digest[32];
+ unsigned char digest[64];
unsigned char buffer[1024];
unsigned char diff;
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index b6dca23..ff0612b 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compiletime library version
-check_compiletime_version:"2.19.1"
+check_compiletime_version:"2.20.0"
Check runtime library version
-check_runtime_version:"2.19.1"
+check_runtime_version:"2.20.0"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0