diff --git a/ChangeLog b/ChangeLog index 4dc0941fe..12191e111 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,82 @@ Mbed TLS ChangeLog (Sorted per branch, date) += Mbed TLS 4.1.0 branch released 2026-03-31 + +API changes + * MBEDTLS_TIMING_C now requires MBEDTLS_HAVE_TIME to be enabled in the + TF-PSA-Crypto configuration, unless MBEDTLS_TIMING_ALT is enabled. + As a benefit, platforms where the default implementation is not + supported now only need to implement MBEDTLS_PLATFORM_MS_TIME_ALT. + * When MBEDTLS_TIMING_ALT is enabled, the function + mbedtls_timing_get_timer() now returns unsigned long long instead + of unsigned long. + +Features + * Add the function mbedtls_ssl_get_fatal_alert(), which returns the type of + the last received fatal alert. This allows callers to retrieve more + detailed information when mbedtls_ssl_handshake(), + mbedtls_ssl_handshake_step(), or mbedtls_ssl_read() returns the generic + MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE error code. + * Function mbedtls_ssl_get_supported_group_list() is added to return the list + of supported groups IDs (curves and finite fields). + * MBEDTLS_SSL_IANA_TLS_GROUPS_INFO is added to allow defining the list of + mbedtls_ssl_iana_tls_group_info_t items which represent known TLS groups + with corresponding informations. + If MBEDTLS_DEBUG_C is also enabled then mbedtls_ssl_iana_tls_group_info is + also available as implementation of such list. + +Security + * The documentation of mbedtls_ssl_session_save(), + mbedtls_ssl_session_load(), mbedtls_ssl_context_save(), and + mbedtls_ssl_context_load() has been updated to clarify the responsibility + of the application to preserve the confidentiality and integrity of + serialized data, mitigating the risk of misuse of these APIs. + Credit to Haruto Kimura (Stella) and Eva Crystal (0xiviel) for + highlighting risks associated with tampered serialized data. + * Fix a NULL pointer dereference in mbedtls_x509_string_to_names() when + mbedtls_calloc() fails to allocate memory. This was caused by failing to + check whether mbedtls_calloc() returned NULL. 
Found and reported by + Haruto Kimura (Stella). + * Fix a limited buffer underflow in x509_inet_pton_ipv6(). In rare cases + (e.g. on platforms with memory protection when the overread crosses page + boundary) this could lead to DoS. Found and reported by Haruto Kimura + (Stella). CVE-2026-25833 + * Fix a bug in the TLS 1.2 client's signature algorithm check, which caused + the client to accept server key exchange messages signed with a signature + algorithm explicitly disallowed by the client. Found and reported by + EFR-GmbH and M. Heuft of Security-Research-Consulting GmbH. CVE-2026-25834 + * Fixed an issue in TLS 1.3 server handling of the second ClientHello, after + sending a HelloRetryRequest message. A man-in-the-middle attacker could + force a TLS 1.3 session resumption using a ticket to fall back to an + unintended TLS 1.2 session resumption with an all-zero master secret. + This could result in client authentication being bypassed and allow client + impersonation. + Found and reported by Jaehun Lee, Pohang University of Science and + Technology (POSTECH). + +Bugfix + * CMake now installs headers to `CMAKE_INSTALL_INCLUDEDIR` instead of the + hard-coded `include` directory. + * Fix CMake failure on Windows because of a native directory separator. + Fixes #10502. + * mbedtls_timing_get_delay() now correctly treats a timer as expired + after more than 2^32 ms (about 49 days) on platforms where long is + a 32-bit type. Fixes #10613. + * Support re-assembly of fragmented DTLS 1.2 ClientHello in Mbed TLS server. + * Support re-assembly of fragmented TLS 1.2 ClientHello in Mbed TLS server + even if TLS 1.3 support is disabled. This removes the main limitation on + support for re-assembly of fragmented handshake messages in TLS 1.2. + +Changes + * Add casts to some Enums to remove compiler errors thrown by IAR 6.5. + Removes Warning "mixed ENUM with other type". 
+ * Tweak the detection of Unix-like platforms, which makes more system + interfaces (timing, threading) available on Haiku, QNX and Midipix. + * Harden mbedtls_ssl_get_verify_result() against misuse. + If the handshake has not yet been attempted, return -1u to indicate + that the result is not available. Previously the result of verification + was zero-initialized so the function would return 0 (indicating success). + = Mbed TLS 4.0.0 branch released 2025-10-15 API changes diff --git a/ChangeLog.d/alert-getter.txt b/ChangeLog.d/alert-getter.txt deleted file mode 100644 index da90cf31d..000000000 --- a/ChangeLog.d/alert-getter.txt +++ /dev/null @@ -1,6 +0,0 @@ -Features - * Add the function mbedtls_ssl_get_fatal_alert(), which returns the type of - the last received fatal alert. This allows callers to retrieve more - detailed information when mbedtls_ssl_handshake(), - mbedtls_ssl_handshake_step(), or mbedtls_ssl_read() returns the generic - MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE error code. diff --git a/ChangeLog.d/config_checks_generator-fix-windows-path.txt b/ChangeLog.d/config_checks_generator-fix-windows-path.txt deleted file mode 100644 index e5726cf77..000000000 --- a/ChangeLog.d/config_checks_generator-fix-windows-path.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix CMake failure on Windows because of a native directory separator. - Fixes #10502. diff --git a/ChangeLog.d/context_load_and_session_load_documentation.txt b/ChangeLog.d/context_load_and_session_load_documentation.txt deleted file mode 100644 index dbbbda1fe..000000000 --- a/ChangeLog.d/context_load_and_session_load_documentation.txt +++ /dev/null 
@@ -1,8 +0,0 @@ -Security - * The documentation of mbedtls_ssl_session_save(), - mbedtls_ssl_session_load(), mbedtls_ssl_context_save(), and - mbedtls_ssl_context_load() has been updated to clarify the responsibility - of the application to preserve the confidentiality and integrity of - serialized data, mitigating the risk of misuse of these APIs. - Credit to Haruto Kimura (Stella) and Eva Crystal (0xiviel) for - highlighting risks associated with tampered serialized data. diff --git a/ChangeLog.d/dtls-client-hello-defragmentation.txt b/ChangeLog.d/dtls-client-hello-defragmentation.txt deleted file mode 100644 index f5ff0b754..000000000 --- a/ChangeLog.d/dtls-client-hello-defragmentation.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Support re-assembly of fragmented DTLS 1.2 ClientHello in Mbed TLS server. - * Support re-assembly of fragmented TLS 1.2 ClientHello in Mbed TLS server - even if TLS 1.3 support is disabled. This removes the main limitation on - support for re-assembly of fragmented handshake messages in TLS 1.2. diff --git a/ChangeLog.d/fix-null-pointer-dereference.txt b/ChangeLog.d/fix-null-pointer-dereference.txt deleted file mode 100644 index 1dd7d6190..000000000 --- a/ChangeLog.d/fix-null-pointer-dereference.txt +++ /dev/null @@ -1,5 +0,0 @@ -Security - * Fix a NULL pointer dereference in mbedtls_x509_string_to_names() when - mbedtls_calloc() fails to allocate memory. This was caused by failing to - check whether mbedtls_calloc() returned NULL. Found and reported by - Haruto Kimura (Stella). diff --git a/ChangeLog.d/gnuinstalldirs_include.txt b/ChangeLog.d/gnuinstalldirs_include.txt deleted file mode 100644 index 7e0782d1e..000000000 --- a/ChangeLog.d/gnuinstalldirs_include.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * CMake now installs headers to `CMAKE_INSTALL_INCLUDEDIR` instead of the - hard-coded `include` directory. diff --git a/ChangeLog.d/iar-6.5fs.txt b/ChangeLog.d/iar-6.5fs.txt deleted file mode 100644 index 63e903b9c..000000000 
--- a/ChangeLog.d/iar-6.5fs.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Add casts to some Enums to remove compiler errors thrown by IAR 6.5. - Removes Warning "mixed ENUM with other type". diff --git a/ChangeLog.d/inet_pton.txt b/ChangeLog.d/inet_pton.txt deleted file mode 100644 index 73b9aa6b1..000000000 --- a/ChangeLog.d/inet_pton.txt +++ /dev/null @@ -1,5 +0,0 @@ -Security - * Fix a limited buffer underflow in x509_inet_pton_ipv6(). In rare cases - (e.g. on platforms with memory protection when the overread crosses page - boundary) this could lead to DoS. Found and reported by Haruto Kimura - (Stella). CVE-2026-25833 diff --git a/ChangeLog.d/issue10349.txt b/ChangeLog.d/issue10349.txt deleted file mode 100644 index ab47659ed..000000000 --- a/ChangeLog.d/issue10349.txt +++ /dev/null @@ -1,8 +0,0 @@ -Features - * Function mbedtls_ssl_get_supported_group_list() is added to return the list - of supported groups IDs (curves and finite fields). - * MBEDTLS_SSL_IANA_TLS_GROUPS_INFO is added to allow defining the list of - mbedtls_ssl_iana_tls_group_info_t items which represent known TLS groups - with corresponding informations. - If MBEDTLS_DEBUG_C is also enabled then mbedtls_ssl_iana_tls_group_info is - also available as implementation of such list. diff --git a/ChangeLog.d/sig_algs_check.txt b/ChangeLog.d/sig_algs_check.txt deleted file mode 100644 index b0aed6dfd..000000000 --- a/ChangeLog.d/sig_algs_check.txt +++ /dev/null @@ -1,5 +0,0 @@ -Security - * Fix a bug in the TLS 1.2 client's signature algorithm check, which caused - the client to accept server key exchange messages signed with a signature - algorithm explicitly disallowed by the client. Found and reported by - EFR-GmbH and M. Heuft of Security-Research-Consulting GmbH. CVE-2026-25834 diff --git a/ChangeLog.d/timing.txt b/ChangeLog.d/timing.txt deleted file mode 100644 index b3943cdcf..000000000 --- a/ChangeLog.d/timing.txt +++ /dev/null 
@@ -1,13 +0,0 @@ -API changes - * MBEDTLS_TIMING_C now requires MBEDTLS_HAVE_TIME to be enabled in the - TF-PSA-Crypto configuration, unless MBEDTLS_TIMING_ALT is enabled. - As a benefit, platforms where the default implementation is not - supported now only need to implement MBEDTLS_PLATFORM_MS_TIME_ALT. - * When MBEDTLS_TIMING_ALT is enabled, the function - mbedtls_timing_get_timer() now returns unsigned long long instead - of unsigned long. - -Bugfix - * mbedtls_timing_get_delay() now correctly treats a timer as expired - after more than 2^32 ms (about 49 days) on platforms where long is - a 32-bit type. Fixes #10613. diff --git a/ChangeLog.d/tls12-2nd-client-hello.txt b/ChangeLog.d/tls12-2nd-client-hello.txt deleted file mode 100644 index 7513e0b94..000000000 --- a/ChangeLog.d/tls12-2nd-client-hello.txt +++ /dev/null @@ -1,9 +0,0 @@ -Security - * Fixed an issue in TLS 1.3 server handling of the second ClientHello, after - sending a HelloRetryRequest message. A man-in-the-middle attacker could - force a TLS 1.3 session resumption using a ticket to fall back to an - unintended TLS 1.2 session resumption with an all-zero master secret. - This could result in client authentication being bypassed and allow client - impersonation. - Found and reported by Jaehun Lee, Pohang University of Science and - Technology (POSTECH). diff --git a/ChangeLog.d/unistd.txt b/ChangeLog.d/unistd.txt deleted file mode 100644 index d2e4d4301..000000000 --- a/ChangeLog.d/unistd.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Tweak the detection of Unix-like platforms, which makes more system - interfaces (timing, threading) available on Haiku, QNX and Midipix. diff --git a/ChangeLog.d/verify-result-default-value.txt b/ChangeLog.d/verify-result-default-value.txt deleted file mode 100644 index 2cf3f0c21..000000000 --- a/ChangeLog.d/verify-result-default-value.txt +++ /dev/null 
@@ -1,5 +0,0 @@ -Changes - * Harden mbedtls_ssl_get_verify_result() against misuse. - If the handshake has not yet been attempted, return -1u to indicate - that the result is not available. Previously the result of verification - was zero-initialized so the function would return 0 (indicating success).
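Review bot: In the new 4.1.0 Security section of ChangeLog (first hunk) the verb form is inconsistent: the POSTECH entry opens with "Fixed an issue in TLS 1.3 server handling of the second ClientHello" while the neighbouring entries use the imperative ("Fix a NULL pointer dereference", "Fix a limited buffer underflow"); change it to "Fix an issue in TLS 1.3 server handling ...". In the same hunk, Features: "the list of supported groups IDs" should read "the list of supported group IDs", "with corresponding informations" should read "with the corresponding information", and "also available as implementation of such list" should read "also available as an implementation of such a list". In Changes, the IAR entry first says the casts "remove compiler errors" and then "Removes Warning" for the same diagnostic; pick one wording so readers know whether builds were failing or merely noisy.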
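Review bot: The Security entry being folded in from ChangeLog.d/tls12-2nd-client-hello.txt carries no CVE identifier, whereas the two adjacent Security entries (inet_pton.txt, sig_algs_check.txt) reference CVE-2026-25833 and CVE-2026-25834; a fallback from a TLS 1.3 ticket resumption to a TLS 1.2 resumption with an all-zero master secret that allows client impersonation is at least as severe as either of those, so please confirm whether an identifier has been assigned and add it to the merged entry before the release is tagged, or note explicitly that none was requested.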
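Review bot: ChangeLog.d/verify-result-default-value.txt is merged under "Changes", but the entry describes mbedtls_ssl_get_verify_result() previously returning 0 (indicating success) before any handshake was attempted, and the new -1u return is visible to every caller that compares the result against 0; consider filing it under Security, or at minimum under API changes, so that integrators who read only those sections see both the prior misuse hazard and the changed return value.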