rebase with latest 2.28 branch

BRANCHES.md

@@ -16,14 +16,22 @@ API compatibility in the `master` branch between major version changes. We
 also maintain ABI compatibility within LTS branches; see the next section for
 details.
 
-## Backwards Compatibility
+## Backwards Compatibility for application code
 
 We maintain API compatibility in released versions of Mbed TLS. If you have
 code that's working and secure with Mbed TLS x.y.z and does not rely on
 undocumented features, then you should be able to re-compile it without
 modification with any later release x.y'.z' with the same major version
 number, and your code will still build, be secure, and work.
 
+Note that this guarantee only applies if you either use the default
+compile-time configuration (`mbedtls/config.h`) or the same modified
+compile-time configuration. Changing compile-time configuration options can
+result in an incompatible API or ABI, although features will generally not
+affect unrelated features (for example, enabling or disabling a
+cryptographic algorithm does not break code that does not use that
+algorithm).
+
 There are rare exceptions: code that was relying on something that became
 insecure in the meantime (for example, crypto that was found to be weak) may
 need to be changed. In case security comes in conflict with backwards
@@ -42,6 +50,19 @@ increase code size for a security fix.)
 For contributors, see the [Backwards Compatibility section of
 CONTRIBUTING](CONTRIBUTING.md#backwards-compatibility).
 
+## Backward compatibility for the key store
+
+We maintain backward compatibility with previous versions of the
+PSA Crypto persistent storage since Mbed TLS 2.25.0, provided that the
+storage backend (PSA ITS implementation) is configured in a compatible way.
+We intend to maintain this backward compatibility throughout a major version
+of Mbed TLS (for example, all Mbed TLS 3.y versions will be able to read
+keys written under any Mbed TLS 3.x with x <= y).
+
+Mbed TLS 3.x can also read keys written by Mbed TLS 2.25.0 through 2.28.x
+LTS, but future major version upgrades (for example from 2.28.x/3.x to 4.y)
+may require the use of an upgrade tool.
+
 ## Current Branches
 
 The following branches are currently maintained:

CMakeLists.txt

@@ -222,7 +222,7 @@ if(CMAKE_COMPILER_IS_CLANG)
 endif(CMAKE_COMPILER_IS_CLANG)
 
 if(CMAKE_COMPILER_IS_IAR)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts --warnings_are_errors -Ohz")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts -Ohz")
 endif(CMAKE_COMPILER_IS_IAR)
 
 if(CMAKE_COMPILER_IS_MSVC)
@@ -243,6 +243,10 @@ if(MBEDTLS_FATAL_WARNINGS)
  set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error=cpp")
  endif(UNSAFE_BUILD)
  endif(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
+
+ if (CMAKE_COMPILER_IS_IAR)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warning_are_errors")
+ endif(CMAKE_COMPILER_IS_IAR)
 endif(MBEDTLS_FATAL_WARNINGS)
 
 if(CMAKE_BUILD_TYPE STREQUAL "Coverage")

ChangeLog

@@ -1,4 +1,98 @@
-mbed TLS ChangeLog (Sorted per branch, date)
+Mbed TLS ChangeLog (Sorted per branch, date)
+
+= Mbed TLS 2.28.1 branch released 2022-07-11
+
+Default behavior changes
+ * mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
+ for IV lengths other than 12. The library was silently overwriting this
+ length with 12, but did not inform the caller about it. Fixes #4301.
+
+Features
+ * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
+ feature requirements in the file named by the new macro
+ MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
+ Furthermore you may name an additional file to include after the main
+ file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
+
+Security
+ * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
+ module before freeing them. These buffers contain secret key material, and
+ could thus potentially leak the key through freed heap.
+ * Fix a potential heap buffer overread in TLS 1.2 server-side when
+ MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
+ mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
+ is selected. This may result in an application crash or potentially an
+ information leak.
+ * Fix a buffer overread in DTLS ClientHello parsing in servers with
+ MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
+ or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
+ after the end of the SSL input buffer. The buffer overread only happens
+ when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
+ the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
+ and possibly up to 571 bytes with a custom cookie check function.
+ Reported by the Cybeats PSI Team.
+
+Bugfix
+ * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
+ * Fix several bugs (warnings, compiler and linker errors, test failures)
+ in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
+ * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
+ enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
+ client would fail to check that the curve selected by the server for
+ ECDHE was indeed one that was offered. As a result, the client would
+ accept any curve that it supported, even if that curve was not allowed
+ according to its configuration. Fixes #5291.
+ * Fix unit tests that used 0 as the file UID. This failed on some
+ implementations of PSA ITS. Fixes #3838.
+ * Fix API violation in mbedtls_md_process() test by adding a call to
+ mbedtls_md_starts(). Fixes #2227.
+ * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
+ to catch bad uses of time.h.
+ * Fix the library search path when building a shared library with CMake
+ on Windows.
+ * Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
+ potentially leading to corrupted alert messages being sent in case
+ the function needs to be re-called after initially returning
+ MBEDTLS_SSL_WANT_WRITE. Fixes #1916.
+ * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of
+ MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C,
+ DTLS handshakes using CID would crash due to a null pointer dereference.
+ Fix this. Fixes #3998.
+ * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
+ documentation stated that the `allowed_pks` field applies to signatures
+ only, but in fact it does apply to the public key type of the end entity
+ certificate, too. Fixes #1992.
+ * Fix PSA cipher multipart operations using ARC4. Previously, an IV was
+ required but discarded. Now, an IV is rejected, as it should be.
+ * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
+ not NULL and val_len is zero.
+ * psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
+ applicable. Fixes #5735.
+ * Fix a bug in the x25519 example program where the removal of
+ MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes #4901 and
+ #3191.
+ * Encode X.509 dates before 1/1/2000 as UTCTime rather than
+ GeneralizedTime. Fixes #5465.
+ * Fix order value of curve x448.
+ * Fix string representation of DNs when outputting values containing commas
+ and other special characters, conforming to RFC 1779. Fixes #769.
+ * Silence a warning from GCC 12 in the selftest program. Fixes #5974.
+ * Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
+ * Fix resource leaks in mbedtls_pk_parse_public_key() in low
+ memory conditions.
+ * Fix server connection identifier setting for outgoing encrypted records
+ on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
+ connection identifier, the Mbed TLS client now properly sends the server
+ connection identifier in encrypted record headers. Fix #5872.
+ * Fix a null pointer dereference when performing some operations on zero
+ represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
+ by 2, and mbedtls_mpi_write_string() in base 2).
+ * Fix record sizes larger than 16384 being sometimes accepted despite being
+ non-compliant. This could not lead to a buffer overflow. In particular,
+ application data size was already checked correctly.
+
+Changes
+ * Assume source files are in UTF-8 when using MSVC with CMake.
 
 = mbed TLS 2.28.0 branch released 2021-12-17
 

ChangeLog.d/bn_mul-fix-x86-pic-compilation-for-gcc-4.txt

@@ -0,0 +1,4 @@
+Bugfix
+ * Fix a long-standing build failure when building x86 PIC code with old
+ gcc (4.x). The code will be slower, but will compile. We do however
+ recommend upgrading to a more recent compiler instead. Fixes #1910.

ChangeLog.d/fix_cmake_using_iar_toolchain.txt

@@ -0,0 +1,3 @@
+Bugfix
+ * Fixed an issue that cause compile error using CMake IAR toolchain.
+ Fixes #5964.

ChangeLog.d/fix_psa_crypto_cipher_h_include.txt

@@ -0,0 +1,4 @@
+Bugfix
+ * Use double quotes to include private header file psa_crypto_cipher.h.
+ Fixes 'file not found with <angled> include' error
+ when building with Xcode.

ChangeLog.d/muladdc_microblaze.txt

@@ -0,0 +1,3 @@
+Bugfix
+ * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
+ Contributed by Kazuyuki Kimura to fix #2020.

ChangeLog.d/x509-broken-symlink-handling.txt

@@ -0,0 +1,5 @@
+Bugfix
+ * Fix handling of broken symlinks when loading certificates using
+ mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
+ broken link is encountered, skip the broken link and continue parsing
+ other certificate files. Contributed by Eduardo Silva in #2602.

SECURITY.md

@@ -1,4 +1,4 @@
-## Reporting Vulneratibilities
+## Reporting Vulnerabilities
 
 If you think you have found an Mbed TLS security vulnerability, then please
 send an email to the security team at