---
- branch: MAIN
  date: Sun May  2 08:16:14 UTC 2021
  files:
  - new: '1.21'
    old: '1.20'
    path: pkgsrc/security/mbedtls/Makefile
    pathrev: pkgsrc/security/mbedtls/Makefile@1.21
    type: modified
  - new: '1.9'
    old: '1.8'
    path: pkgsrc/security/mbedtls/PLIST
    pathrev: pkgsrc/security/mbedtls/PLIST@1.9
    type: modified
  - new: '1.4'
    old: '1.3'
    path: pkgsrc/security/mbedtls/buildlink3.mk
    pathrev: pkgsrc/security/mbedtls/buildlink3.mk@1.4
    type: modified
  - new: '1.15'
    old: '1.14'
    path: pkgsrc/security/mbedtls/distinfo
    pathrev: pkgsrc/security/mbedtls/distinfo@1.15
    type: modified
  id: 20210502T081614Z.01b163d947bf7ebd8e0d3eb9672a726ab10faa43
  log: |
    mbedtls: update to 2.26.0

    This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues.
    API changes

        Renamed the PSA Crypto API output buffer size macros to bring them in line
        with version 1.0.0 of the specification.
        The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
        in bits rather than bytes, with an additional flag to indicate if the
        size may have been rounded up to a whole number of bytes.
        Renamed the PSA Crypto API AEAD tag length macros to bring them in line
        with version 1.0.0 of the specification.

    Default behavior changes

        In mbedtls_rsa_context objects, the ver field was formerly documented
        as always 0. It is now reserved for internal purposes and may take
        different values.

    New deprecations

        PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
        PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
        PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
        deprecated.
        PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
        have been renamed, and the old names deprecated.

    Features

        The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
        CTR_DRBG is used by default if it is available, but you can override
        this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
        Fix #3354.
        Automatic fallback to a software implementation of ECP when
        MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
        through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
        The PSA crypto subsystem can now be configured to use less static RAM by
        tweaking the setting for the maximum amount of keys simultaneously in RAM.
        MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
        can exist simultaneously. It has a sensible default if not overridden.
        Partial implementation of the PSA crypto driver interface: Mbed TLS can
        now use an external random generator instead of the library's own
        entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
        and see the documentation of mbedtls_psa_external_get_random() for details.
        Applications using both mbedtls_xxx and psa_xxx functions (for example,
        applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
        random generator with mbedtls_xxx functions. See the documentation of
        mbedtls_psa_get_random() for details.
        In the PSA API, the policy for a MAC or AEAD algorithm can specify a
        minimum MAC or tag length thanks to the new wildcards
        PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
        PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.

    Security

        Fix a security reduction in CTR_DRBG when the initial seeding obtained a
        nonce from entropy. Applications were affected if they called
        mbedtls_ctr_drbg_set_nonce_len(), if they called
        mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
        length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
        In such cases, a random nonce was necessary to achieve the advertised
        security strength, but the code incorrectly used a constant instead of
        entropy from the nonce.
        Found by John Stroebel in #3819 and fixed in #3973.
        Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
        |A| - |B| where |B| is larger than |A| and has more limbs (so the
        function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
        applications calling mbedtls_mpi_sub_abs() directly are affected:
        all calls inside the library were safe since this function is
        only called with |A| >= |B|. Reported by Guido Vranken in #4042.
        Fix an errorneous estimation for an internal buffer in
        mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
        value the function might fail to write a private RSA keys of the largest
        supported size.
        Found by Daniel Otte, reported in #4093 and fixed in #4094.
        Fix a stack buffer overflow with mbedtls_net_poll() and
        mbedtls_net_recv_timeout() when given a file descriptor that is
        beyond FD_SETSIZE. Reported by FigBug in #4169.
        Guard against strong local side channel attack against base64 tables by
        making access aceess to them use constant flow code.

    Bugfix

        Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
        Fix memory leak that occured when calling psa_close_key() on a
        wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
        Fix an incorrect error code if an RSA private operation glitched.
        Fix a memory leak in an error case in psa_generate_derived_key_internal().
        Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
        is enabled, on platforms where initializing a mutex allocates resources.
        This was a regression introduced in the previous release. Reported in
        #4017, #4045 and #4071.
        Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
        twice is safe. This happens for RSA when some Mbed TLS library functions
        fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
        enabled on platforms where freeing a mutex twice is not safe.
        Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
        when MBEDTLS_THREADING_C is enabled on platforms where initializing
        a mutex allocates resources.
        Fixes a bug where, if the library was configured to include support for
        both the old SE interface and the new PSA driver interface, external keys were
        not loaded from storage. This was fixed by #3996.
        This change makes 'mbedtls_x509write_crt_set_basic_constraints'
        consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
        include this extension in all CA certificates that contain public keys
        used to validate digital signatures on certificates and MUST mark the
        extension as critical in such certificates." Previous to this change,
        the extension was always marked as non-critical. This was fixed by
        #3698.

    Changes

        A new library C file psa_crypto_client.c has been created to contain
        the PSA code needed by a PSA crypto client when the PSA crypto
        implementation is not included into the library.
        On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
        now uses the getrandom syscall instead of reading from /dev/urandom.

    Who should update

    We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/mbedtls'
  unixtime: '1619943374'
  user: nia