Description
This release of TF-PSA-Crypto provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.
Security Advisories
For full details, please see the following links:
- Timing side-channel in RSA PKCS#1 v1.5 decryption
- ChaCha20 counter overflow can reuse keystream
- Side channel leak in ECC optimized modp
- Everest: lack of contributory behaviour due to improper input validation
- Out-of-bounds read when parsing a zero-length ECC public key
Release Notes
Security
- Fix a side channel in RSA PKCS#1 v1.5 decryption: error handling in the
library would reveal through timing the difference between success,
invalid padding, or output too large for buffer, giving rise to a
Bleichenbacher attack. Note that while the library now handles sensitive
errors in constant-time, RSA PKCS#1 v1.5 decryption remains inherently
dangerous, should be avoided when possible, and otherwise requires great
care in application code. Found by zhengg. CVE-2026-50587 - Added advice about compiler options in SECURITY.md.
- Reject ChaCha20 operations that would make the 32-bit block counter wrap
around, which could otherwise reuse keystream and compromise
confidentiality. Reported by jiliang. CVE-2026-50584 - Fix a side channel in ECC computations that allows a powerful local
attacker (typically, untrusted OS attacking a secure enclave) to fully
recover long-term secret keys. Found and reported by Alejandro Cabrera
Aldaya from Tampere University. CVE-2026-54435 - In configurations with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED (non-default),
when doing ECDH key agreement with x25519, it was possible for the peer to
force the shared secret to all-zero by sending a low-order point. This is
only a problem for protocols that expect contributory behaviour, that is,
where neither party should be able to force the shared secret.
CVE-2026-54434 - Fix timing side channel in RSA key generation, prime generation and
primality testing, on platforms where division is not constant-time. At
this point this side channel is not known to be exploitable. Reported by
Bhargava Shastry, Ethereum Foundation. - Fix a 1-byte buffer overread when parsing a malformed ECC public key
in the PK module. CVE-2026-50583
Bugfix
- Fix a problem in library/alignment.h where the Zephyr Project use
a pre-defined macro '__packed' which collides with the IAR keyword
'__packed', causing the typedefs of unaligned types to remain aligned.
Fixes mbedtls issue #10334 - Doxygen documentation
apidocis now built into CMake's binary folder,
not in-tree. Fixes #381. - Fixed a bug which prevented the inclusion of standard C library header
files from the user provided configuration file. Fixes #784.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Note
❕
tf-psa-crypto-1.2.0.tar.bz2are our official release files.source.tar.gzandsource.zipare automatically generated snapshots that GitHub is generating. They do not include external dependencies, and can't be configured
Checksum
The SHA256 hashes for the archives are:
4de95b3719874625ed4649bfc824b9271c13fc358ca88d5e227134469ad02007