Mbed Crypto 1.1.0
Introduction
Mbed Crypto 1.1.0 has now been released.
The Mbed cryptography library is a reference implementation of the cryptography interface of the Arm Platform Security Architecture (PSA). Note that while this library is versioned as 1.1.0, the PSA APIs are under development and subject to change based on feedback. Mbed Crypto 1.1.0 implements PSA Crypto API 1.0b1. The next release of Mbed Crypto may not provide backwards compatibility with this release.
Features
- Keys may allow a second algorithm. Added to support RFC 4492 section 3.2 ECDSA_fixed_ECDH.
- Add a macro to get the bit size of an elliptic curve, `PSA_ECC_CURVE_BITS()`.
- Add the Any Policy certificate policy OID, as defined in RFC 5280 section 4.2.1.4.
- It is now possible to use NIST key wrap mode via the `mbedtls_cipher` API. Contributed by Jack Lloyd and Fortanix Inc.
- Add the Wi-SUN Field Area Network (FAN) device extended key usage.
- It is now possible to perform RSA PKCS v1.5 signatures with RIPEMD-160 digest. Contributed by Jack Lloyd and Fortanix Inc.
Bugfix
- Fix private key DER output in the `key_app_writer` example. File contents were shifted by one byte, creating an invalid ASN.1 tag. Fixed by Christian Walther in #2239.
- Reduce stack usage of HKDF tests. Fixes #2195.
- Fix 1-byte buffer overflow in `mbedtls_mpi_write_string()` when used with negative inputs. Found by Guido Vranken in #2404. Credit to OSS-Fuzz.
- Fix bugs in the AEAD test suite which would be exposed by ciphers which either used both encrypt and decrypt key schedules, or which perform padding. GCM and CCM were not affected. Fixed by Jack Lloyd.
Security
- Make `mbedtls_ecdh_get_params` return an error if the second key belongs to a different group from the first. Before, if an application passed keys that belonged to different groups, the first key's data was interpreted according to the second group, which could lead to either an error or a meaningless output from `mbedtls_ecdh_get_params`. In the latter case, this could expose at most 5 bits of the private key.
Changes
- Removal of the X.509 and TLS modules from Mbed Crypto, which continue to be maintained within Mbed TLS.
- Removed the Diffie-Hellman examples which implemented a toy protocol inspired by TLS DH key exchange. For an example of how to use the DHM module, see the code that calls `mbedtls_dhm_xxx` in `ssl_tls.c` and `ssl_cli.c` in Mbed TLS.
- Remove dead code from `bignum.c` in the default configuration. Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
- Add test for minimal value of `MBEDTLS_MPI_WINDOW_SIZE` to `all.sh`. Contributed by Peter Kolbus (Garmin).
- Ensure that unused bits are zero when writing ASN.1 bitstrings when using `mbedtls_asn1_write_bitstring()`.
- Fix issue when writing the named bitstrings in `KeyUsage` and `NsCertType` extensions in CSRs and CRTs that caused these bitstrings to not be encoded correctly, as trailing zeroes were not accounted for as unused bits in the leading content octet. Fixes #1610.
- Add a new function `mbedtls_asn1_write_named_bitstring()` to write ASN.1 named bitstrings in DER as required by RFC 5280 Appendix B.
- Fix false failure in `all.sh` when backup files exist in `include/mbedtls` (e.g. `config.h.bak`). Fixed by Peter Kolbus (Garmin) #2407.
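As an added illustration of the two ASN.1 bitstring items above (this is example code written for these notes, not Mbed Crypto's own `mbedtls_asn1_write_bitstring()` or `mbedtls_asn1_write_named_bitstring()`, which have a different interface), here is a minimal DER BIT STRING encoder that zeroes the unused bits of the last content octet and, for named bit strings such as KeyUsage, drops trailing zero bits so that they are counted in the unused-bits octet as RFC 5280 Appendix B requires. It assumes an MSB-first bit buffer and short-form DER lengths.

```c
#include <stddef.h>
#include <string.h>

/* Encode a DER BIT STRING: tag 0x03, length, unused-bits octet, content.
 * bits[] is MSB-first (bit i is bits[i/8] & (0x80 >> (i%8))). Assumes a
 * short-form length (content <= 127 octets). Returns the encoded size,
 * or 0 if out is too small. Example code, not the Mbed Crypto API. */
static size_t der_write_bitstring(const unsigned char *bits, size_t nbits,
                                  unsigned char *out, size_t out_size)
{
    size_t nbytes = (nbits + 7) / 8;
    unsigned char unused = (unsigned char)(nbytes * 8 - nbits);
    size_t len = 1 + nbytes;
    if (len > 127 || out_size < 2 + len)
        return 0;
    out[0] = 0x03;
    out[1] = (unsigned char)len;
    out[2] = unused;
    memcpy(out + 3, bits, nbytes);
    /* DER: the unused trailing bits of the last content octet must be zero. */
    if (nbytes > 0)
        out[2 + nbytes] &= (unsigned char)(0xFFu << unused);
    return 2 + len;
}

/* Named bit string (KeyUsage, NsCertType): DER additionally requires that
 * trailing zero bits are not encoded, so the string is cut after the last
 * set bit and the dropped bits show up in the unused-bits octet instead
 * of as zero content bits (the #1610 defect described above). */
static size_t der_write_named_bitstring(const unsigned char *bits, size_t nbits,
                                        unsigned char *out, size_t out_size)
{
    size_t used = 0;
    for (size_t i = 0; i < nbits; i++)
        if (bits[i / 8] & (0x80u >> (i % 8)))
            used = i + 1;
    return der_write_bitstring(bits, used, out, out_size);
}

/* Check helper: encode with either writer and compare to an expected DER. */
static int der_bitstring_matches(int named, const unsigned char *bits, size_t nbits,
                                 const unsigned char *expected, size_t expected_len)
{
    unsigned char buf[32];
    size_t n = named ? der_write_named_bitstring(bits, nbits, buf, sizeof buf)
                     : der_write_bitstring(bits, nbits, buf, sizeof buf);
    return n == expected_len && memcmp(buf, expected, n) == 0;
}
```

With the constructed KeyUsage value digitalSignature | keyEncipherment supplied as RFC 5280's 9-bit string `A0 00`, the named writer yields `03 02 05 A0`, whereas the plain writer keeps the trailing zeros and yields `03 03 07 A0 00`.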
Driver model
This release includes a specification of the interface that drivers for cryptography accelerators, entropy sources and secure elements must implement. This specification is a work in progress, provided for review purposes only. The implementation does not support drivers yet. The specification is provided in the distribution as `docs/PSACryptoDriverModelSpec.pdf`.
Intended future changes
The PSA Crypto API is still under development and subject to change based on feedback. The following is a list of major changes that we intend to make in the near future. This list may be revised without notice at any time.
Expected breaking changes from tracking the PSA Crypto API, to be addressed in Mbed Crypto 2.0.0