1 | 1 | Mbed TLS ChangeLog (Sorted per branch, date)
2 | 2 |
| 3 | += Mbed TLS 3.6.4 branch released 2025-06-30 |
| 4 | + |
| 5 | +Features |
| 6 | + * Add the function mbedtls_ssl_export_keying_material() which allows the |
| 7 | + client and server to extract additional shared symmetric keys from an SSL |
| 8 | + session, according to the TLS-Exporter specification in RFC 8446 and 5705. |
| 9 | + This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in |
| 10 | + mbedtls_config.h. |
| 11 | + |
| 12 | +Security |
| 13 | + * Fix a buffer overread in mbedtls_lms_import_public_key() when the input is |
| 14 | + less than 3 bytes. Reported by Linh Le and Ngan Nguyen from Calif. |
| 15 | + CVE-2025-49601 |
| 16 | + * Fix a vulnerability in LMS verification through which an adversary could |
| 17 | + get an invalid signature accepted if they could cause a hash accelerator |
| 18 | + to fail. Found and reported by Linh Le and Ngan Nguyen from Calif. |
| 19 | + CVE-2025-49600 |
| 20 | + * On x86/amd64 platforms, with some compilers, when the library is |
| 21 | + compiled with support for both AESNI and software AES and AESNI is |
| 22 | + available in hardware, an adversary with fine control over which |
| 23 | + threads make progress in a multithreaded program could force software |
| 24 | + AES to be used for some time when the program starts. This could allow |
| 25 | + the adversary to conduct timing attacks and potentially recover the |
| 26 | + key. In particular, this attacker model may be possible against an SGX |
| 27 | + enclave. |
| 28 | + The same vulnerability affects GCM acceleration, which could allow |
| 29 | + a similarly powerful adversary to craft GCM forgeries. |
| 30 | + CVE-2025-52496 |
| 31 | + * Fix possible use-after-free or double-free in code calling |
| 32 | + mbedtls_x509_string_to_names(). This was caused by the function calling |
| 33 | + mbedtls_asn1_free_named_data_list() on its head argument, while the |
| 34 | + documentation did no suggest it did, making it likely for callers relying |
| 35 | + on the documented behaviour to still hold pointers to memory blocks after |
| 36 | + they were free()d, resulting in high risk of use-after-free or double-free, |
| 37 | + with consequences ranging up to arbitrary code execution. |
| 38 | + In particular, the two sample programs x509/cert_write and x509/cert_req |
| 39 | + were affected (use-after-free if the san string contains more than one DN). |
| 40 | + Code that does not call mbedtls_string_to_names() directly is not affected. |
| 41 | + Found by Linh Le and Ngan Nguyen from Calif. |
| 42 | + CVE-2025-47917 |
| 43 | + * Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave |
| 44 | + an item in the output list in an inconsistent state with val.p == NULL but |
| 45 | + val.len > 0. This impacts applications that call this function directly, |
| 46 | + or indirectly via mbedtls_x509_string_to_names() or one of the |
| 47 | + mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions. The |
| 48 | + inconsistent state of the output could then cause a NULL dereference either |
| 49 | + inside the same call to mbedtls_x509_string_to_names(), or in subsequent |
| 50 | + users of the output structure, such as mbedtls_x509_write_names(). This |
| 51 | + only affects applications that create (as opposed to consume) X.509 |
| 52 | + certificates, CSRs or CRLs, or that call mbedtls_asn1_store_named_data() |
| 53 | + directly. Found by Linh Le and Ngan Nguyen from Calif. |
| 54 | + CVE-2025-48965 |
| 55 | + * Fix an integer underflow that could occur when parsing malformed PEM |
| 56 | + keys, which could be used by an attacker capable of feeding encrypted |
| 57 | + PEM keys to a user. This could cause a crash or information disclosure. |
| 58 | + Found and reported by Linh Le and Ngan Nguyen from Calif. |
| 59 | + CVE-2025-52497 |
| 60 | + * Fix a timing side channel in the implementation of PKCS#7 padding |
| 61 | + which would allow an attacker who can request decryption of arbitrary |
| 62 | + ciphertexts to recover the plaintext through a timing oracle attack. |
| 63 | + Reported by Ka Lok Wu from Stony Brook University and Doria Tang from |
| 64 | + The Chinese University of Hong Kong. |
| 65 | + CVE-2025-49087 |
| 66 | + |
| 67 | +Bugfix |
| 68 | + * Fix failures of PSA multipart or interruptible operations when the |
| 69 | + library or the application is built with a compiler where |
| 70 | + "union foo x = {0}" does not initialize non-default members of the |
| 71 | + union, such as GCC 15 and some versions of Clang 18. This affected MAC |
| 72 | + multipart operations, MAC-based key derivation operations, interruptible |
| 73 | + signature, interruptible verification, and potentially other operations |
| 74 | + when using third-party drivers. This also affected one-shot MAC |
| 75 | + operations using the built-in implementation. Fixes #9814. |
| 76 | + * On entry to PSA driver entry points that set up a multipart operation |
| 77 | + ("xxx_setup"), the operation object is supposed to be all-bits-zero. |
| 78 | + This was sometimes not the case when an operation object is reused, |
| 79 | + or with compilers where "union foo x = {0}" does not initialize |
| 80 | + non-default members of the union. The PSA core now ensures that this |
| 81 | + guarantee is met in all cases. Fixes #9975. |
| 82 | + * Resolved build issue with C++ projects using Mbed TLS 3.6 when compiling |
| 83 | + with the MSVC toolset v142 and earlier. Fixes mbedtls issue #7087. |
| 84 | + * Silence spurious -Wunterminated-string-initialization warnings introduced |
| 85 | + by GCC 15. Fixes #9944. |
| 86 | + * Fix a sloppy check in LMS public key import, which could lead to accepting |
| 87 | + keys with a different LMS or LM-OTS types on some platforms. Specifically, |
| 88 | + this could happen on platforms where enum types are smaller than 32 bits |
| 89 | + and compiler optimization is enabled. Found and reported by Linh Le and |
| 90 | + Ngan Nguyen from Calif. |
| 91 | + * Fix a race condition on x86/amd64 platforms in AESNI support detection |
| 92 | + that could lead to using software AES in some threads at the very |
| 93 | + beginning of a multithreaded program. Reported by Solar Designer. |
| 94 | + Fixes #9840. |
| 95 | + * Fix mbedtls_base64_decode() on inputs that did not have the correct |
| 96 | + number of trailing equal signs, or had 4*k+1 digits. They were accepted |
| 97 | + as long as they had at most two trailing equal signs. They are now |
| 98 | + rejected. Furthermore, before, on inputs with too few equal signs, the |
| 99 | + function reported the correct size in *olen when it returned |
| 100 | + MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, but truncated the output to the |
| 101 | + last multiple of 3 bytes. |
| 102 | + * When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two |
| 103 | + arguments, undefined behaviour would be triggered, in the form of a call to |
| 104 | + memcpy(..., NULL, 0). This was harmless in practice, but could trigger |
| 105 | + complains from sanitizers or static analyzers. |
| 106 | + |
| 107 | +Changes |
| 108 | + * The function mbedtls_x509_string_to_names() now requires its head argument |
| 109 | + to point to NULL on entry. This makes it likely that existing risky uses of |
| 110 | + this function (see the entry in the Security section) will be detected and |
| 111 | + fixed. |
| 112 | + |
3 | 113 | = Mbed TLS 3.6.3 branch released 2025-03-24
4 | 114 |
5 | 115 | Default behavior changes
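Review bot: the CVE-2025-47917 entry names the affected function inconsistently: `Code that does not call mbedtls_string_to_names() directly is not affected.` should read mbedtls_x509_string_to_names(), the name used in the rest of the entry and in the Changes section; since this sentence is the one readers will use to decide whether their code base is affected, a grep for the misspelled name finds nothing and gives false reassurance. Two typos in the same hunk should be fixed before merging: `documentation did no suggest it did` (did not) and `could trigger complains from sanitizers` (complaints), plus `keys with a different LMS or LM-OTS types` (a different LMS or LM-OTS type). Consider also cross-referencing the Bugfix entry for the AESNI detection race (Fixes #9840) from the Security entry for CVE-2025-52496, since they describe the same underlying race and a reader of only one section would not see the other.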