Skip to content

Releases: Mbed-TLS/mbedtls

Mbed TLS 2.1.16

21 Nov 12:34
@simonbutcher simonbutcher
mbedtls-2.1.16
568ec7c
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Mbed TLS 2.1.16

Description

Mbed TLS 2.1.16 is a maintenance release, and contains no new features. It addresses three security issues and resolves multiple defects.

Security

  • Fixed overly strict comparison of the X.509 DN field when searching for CRLs belonging to a particular Certificate Authority (CA). This previously lead to ignoring CRLs when the issuer's name and the Certificate Authority's subject name differed in their string encoding, such as one using PrintableString and the other using UTF8String, or in the choice of upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue #1784.
  • Fixed a flawed bounds check in the server PSK hint parsing. When the incoming message buffer was placed within the first 64kB of address space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker to trigger a memory access up to 64kB beyond the incoming message buffer, potentially leading to application crash or information disclosure.
  • Fixed mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The previous settings for the number of rounds made it practical for an adversary to construct non-primes that would be erroneously accepted with a high probability as primes. This does not have an impact on the security of TLS, but can matter in other contexts with numbers chosen potentially by an adversary that should be prime and can be validated. For example, the number of rounds was enough to securely generate RSA key pairs or Diffie-Hellman parameters, but was insufficient to validate Diffie-Hellman parameters properly. See "Prime and Prejudice" by Martin R. Albrecht and Jake Massimo and Kenneth G. Paterson and Juraj Somorovsky.

Bugfix

  • Fixed the wrong order of memory deallocation in the example program programs/ssl/ssl_server2 leading to a memory leak in case both MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set. Fixes #2069.
  • Fixed a bug in the update function for SSL ticket keys which previously invalidated keys of a lifetime of less than a 1s. Fixes #1968.
  • Fixed a failure in HMAC-DRBG in the benchmark sample application, when MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
  • Fixed a bug in the record decryption routine ssl_decrypt_buf() which lead to accepting properly authenticated but improperly padded records in case of CBC ciphersuites using Encrypt-then-MAC.
  • Fixed a memory leak and freeing without initialization in the example program programs/x509/cert_write. Fixes #1422.
  • Now ignores the IV in mbedtls_cipher_set_iv() when the cipher mode is MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
  • Zeroizes memory used for buffering or reassembling handshake messages after use.
  • Uses mbedtls_platform_zeroize() instead of memset() for zeroization of sensitive data in the example programs aescrypt2 and crypt_and_hash.
  • Fixed a compilation failure for configurations which use compile time replacements of the standard calloc/free functions through the macros MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO. Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
  • Fixed a potential build failure related to the apidoc target, introduced in the previous patch release. Found by Robert Scheck. ##390 ##391
  • Fixed programs/pkey/dh_server.c so that it works correctly with dh_client.c. Found and fixed by Martijn de Milliano.

Changes

  • Added tests for session resumption in DTLS.
  • Closed a test gap in (D)TLS between the client side and the server side, to test the handling of large packets and small packets on the client side in the same way as on the server side.
  • Changed the dtls_client and dtls_server examples to work by default over IPv6 and optionally by a build option over IPv4.
  • Changed the use of Windows threading to use Microsoft Visual C++ runtime calls, rather than Win32 API calls directly. This is necessary to avoid conflict with C runtime usage. Found and fixed by irwir.
  • Improved documentation of mbedtls_ssl_get_verify_result(). Fixes #517 reported by github-monoculture.
  • make apidoc now generates the documentation for the current configuration. Run scripts/apidoc_full.sh to generate the full documentation. This aligns the behavior with Mbed TLS versions 2.2 and later and reverts it back to how it behaved in version 2.1.3.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. There will be no further releases of Mbed TLS 2.1 after 2018. The latest long-term support branch is Mbed TLS 2.7.

Assets 2
Loading

Mbed TLS 2.13.0

13 Sep 11:39
@simonbutcher simonbutcher
mbedtls-2.13.0
c0a63bd
Compare
Choose a tag to compare
Mbed TLS 2.13.0

Description

Mbed TLS 2.13.0 introduces several new features improving our support for DTLS over low-bandwidth, high latency networks with high packet loss. Specifically:

  • Support for fragmentation of outgoing handshake messages, allowing the use of Mbed TLS across networks with datagram links with MTUs as low as 512 bytes, making it suitable for NB-IOT networks.
  • Grouping outgoing handshake messages in a single datagram, reducing both the network load and the likelihood of reordering effects.
  • Reordering handshake packets that have been received out of order, reducing the number of retransmissions necessary to complete a handshake, and therefore increasing handshake efficiency and reducing network load.

This release also addresses one security issue and resolves multiple defects.

Security

  • Fixed an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing. A read of one byte beyond the limit of the input buffer was made, when the extensions length field was zero. Found by Nathan Crandall.

Features

  • Added support for fragmentation of outgoing DTLS handshake messages. This is controlled by the maximum fragment length set locally or negotiated with the peer, or alternatively by a new per-connection MTU (Maximum Transmission Unit) option, set using mbedtls_ssl_set_mtu().

  • Added support for the automatic adjustment of the MTU to a safe value during the handshake for when flights of messages are not received, as defined by (RFC 6347, section 4.1.1.1).

  • Added support for the packing of multiple records into a single datagram. This feature is enabled by default.

  • Added support for buffering of out-of-order handshake messages in DTLS. The maximum amount of RAM used for this can be controlled by the compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING as defined in the configuration file.

API Changes

  • Added the function mbedtls_ssl_set_datagram_packing() to configure the use of datagram packing. This feature is enabled by default.

Bugfixes

  • Fixed a potential memory leak in mbedtls_ssl_setup() function. An allocation failure in the function could lead to other buffers being leaked.

  • Fixed an issue with MBEDTLS_CHACHAPOLY_C which would not compile if MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined, and an issue with the wrong test dependencies for MBEDTLS_ARC4_C. #1890.

  • Fixed a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails. Fix contributed by Espressif Systems.

  • ECC extensions are now only included if an ECC based ciphersuite is used. This improves compliance to (RFC 4492, and as a result, solves interoperability issues with BouncyCastle. Raised by milenamil in #1157.

  • Fixed a potential use-after-free issue in mbedtls_ssl_get_max_frag_len() and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.

  • Fixed a miscalculation of the maximum record expansion in mbedtls_ssl_get_record_expansion() when using the Chacha-Poly1305 ciphersuites or any CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913 and #1914.

  • Fixed a bug that caused SSL/TLS clients to incorrectly abort the handshake with TLS versions 1.1 and earlier when the server requested authentication without providing a list of CA's (Certificate Authorities). This was due to an overly strict bounds check in parsing the CertificateRequest message, introduced in Mbed TLS 2.12.0. Fixes #1954.

  • Fixed a memory leak and free without initialization in the pk_encrypt and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.

  • Fixed undefined shifts with negative values in certificates parsing. Fixed by Catena Cyber, with credit for finding the issue to OSS-Fuzz.

  • Replaced printf with mbedtls_printf() in the ARIA module. Found by TrinityTonic in #1908.

  • Removed a redundant else statement. Raised by irwir. Fixes #1776.

Changes

  • Improved interworking with some alternative Mbed OS hardware accelerated CCM implementations by using CCM test vectors from RAM.

  • Added support to preserve the timestamps of headers copied when doing a make install. Contributed by xueruini.

  • Forward declaration of structs in the public interface are now possible. Contributed by Dawid Drozd. Fixes #1215 raised by randombit.

  • Added support for buffering of out-of-order handshake messages. Original contribution by Bryce Kahle.

  • Added warnings to the documentation of the HKDF module to reduce the risk of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand() functions. Fixes #1775. Reported by Brian J. Murray.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.

Assets 2
Loading

Mbed TLS 2.7.6

13 Sep 11:34
@simonbutcher simonbutcher
mbedtls-2.7.6
eee169a
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Mbed TLS 2.7.6

Description

Mbed TLS 2.7.6 is a maintenance release, and contains no new features. It addresses one security issue and resolves multiple defects.

Security

  • Fixed an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing. A read of one byte beyond the limit of the input buffer was made, when the extensions length field was zero. Found by Nathan Crandall.

Bugfix

  • Fixed a potential memory leak in mbedtls_ssl_setup() function. An allocation failure in the function could lead to other buffers being leaked.

  • Fixed an issue with MBEDTLS_CHACHAPOLY_C which would not compile if MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined, and an issue with the wrong test dependencies for MBEDTLS_ARC4_C. #1890.

  • Fixed a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails. Fix contributed by Espressif Systems.

  • ECC extensions are now only included if an ECC based ciphersuite is used. This improves compliance to (RFC 4492, and as a result, solves interoperability issues with BouncyCastle. Raised by milenamil in #1157.

  • Fixed a potential use-after-free issue in mbedtls_ssl_get_max_frag_len() and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.

  • Fixed a miscalculation of the maximum record expansion in mbedtls_ssl_get_record_expansion() when using the Chacha-Poly1305 ciphersuites or any CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913 and #1914.

  • Fixed a bug that caused SSL/TLS clients to incorrectly abort the handshake with TLS versions 1.1 and earlier when the server requested authentication without providing a list of CA's (Certificate Authorities). This was due to an overly strict bounds check in parsing the CertificateRequest message, introduced in an earlier version. Fixes #1954.

  • Fixed a memory leak and free without initialization in the pk_encrypt and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.

  • Fixed undefined shifts with negative values in certificates parsing. Fixed by Catena Cyber, with credit for finding the issue to OSS-Fuzz.

Changes

  • Improved interworking with some alternative Mbed OS hardware accelerated CCM implementations by using CCM test vectors from RAM.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.

Assets 2
Loading

Mbed TLS 2.1.15

13 Sep 11:24
@simonbutcher simonbutcher
mbedtls-2.1.15
c4a33d5
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Mbed TLS 2.1.15

Description

Mbed TLS 2.1.15 is a maintenance release, and contains no new features. It addresses one security issue and resolves multiple defects.

Security

  • Fixed an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing. A read of one byte beyond the limit of the input buffer was made, when the extensions length field was zero. Found by Nathan Crandall.

Bugfixes

  • Fixed a potential memory leak in mbedtls_ssl_setup() function. An allocation failure in the function could lead to other buffers being leaked.

  • Fixed an issue with MBEDTLS_CHACHAPOLY_C which would not compile if MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined, and an issue with the wrong test dependencies for MBEDTLS_ARC4_C. #1890.

  • Fixed a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails. Fix contributed by Espressif Systems.

  • ECC extensions are now only included if an ECC based ciphersuite is used. This improves compliance to (RFC 4492, and as a result, solves interoperability issues with BouncyCastle. Raised by milenamil in #1157.

  • Fixed a potential use-after-free issue in mbedtls_ssl_get_max_frag_len() and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.

  • Fixed a miscalculation of the maximum record expansion in mbedtls_ssl_get_record_expansion() when using the Chacha-Poly1305 ciphersuites or any CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913 and #1914.

  • Fixed a bug that caused SSL/TLS clients to incorrectly abort the handshake with TLS versions 1.1 and earlier when the server requested authentication without providing a list of CA's (Certificate Authorities). This was due to an overly strict bounds check in parsing the CertificateRequest message, introduced in an earlier version. Fixes #1954.

  • Fixed a memory leak and free without initialization in the pk_encrypt and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.

  • Fixed undefined shifts with negative values in certificates parsing. Fixed by Catena Cyber, with credit for finding the issue to OSS-Fuzz.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.

Assets 2
Loading

Mbed TLS 2.7.5

26 Jul 21:03
@simonbutcher simonbutcher
mbedtls-2.7.5
5ef42fd
Compare
Choose a tag to compare
Mbed TLS 2.7.5

Mbed TLS 2.7.5

Description

Mbed TLS 2.7.5 is a maintenance release, and contains no new features. It addresses some significant security issues and resolves multiple defects. Some of the security issues addressed in this release are also significant and have been assigned the CVE codes, CVE-2018-0497 and CVE-2018-0498 and for which security advisories are being provided.

Security

  • Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certains conditions by exploiting timing side-channels. With DTLS, the attacker could perform this recovery by sending many messages in the same connection. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example a HTTP cookie) has been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC, or using hash sizes other than SHA-384, or using Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was caused by a miscalculation for SHA-384 in a countermeasure to the original Lucky 13 attack. This issue has been allocated CVE-2018-0497. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

  • Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions by using a cache attack targetting an internal MD/SHA buffer. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example a HTTP cookie) has been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. This issue along with the cache side-channel below has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

  • Added a counter-measure against a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker with the ability to execute code on the local machine as well as manipulate network packets, to partially recover the plaintext of messages certain conditions (see previous entry) by using a cache attack targeting the SSL input record buffer. Connections using GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. This issue along with the cache side-channel above has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

Bugfix

  • Fixed the key_app_writer example which was creating an invalid ASN.1 tag by writing an additional leading zero byte. Found by Aryeh R. #1257.

  • Fixed a C++ compilation error, caused by a variable named new. Found and fixed by Hirotaka Niisato. #1783.

  • Clarified documentation for mbedtls_ssl_write() to include 0 as a valid return value. Found by @davidwu2000. #839.

  • Fixed a memory leak in mbedtls_x509_csr_parse(). Found and fixed by catenacyber, Philippe Antoine. #1623.

  • Added length checks to some TLS parsing functions. Found and fixed by Philippe Antoine from Catena cyber. #1663.

  • Remove unused headers included in x509.c. Found by Chris Hanson and fixed by Brendan Shanks. #992.

  • Fixed compilation error when MBEDTLS_ARC4_C is disabled and MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.

  • Fixed the inline assembly for the MPI multiply helper function for i386 and i386 with SSE2. Found by László Langó. #1550.

  • Fixed the namespacing in header files. Remove the mbedtls namespacing in the #include in the header files. #857.

  • Fixed a compiler warning of 'use before initialisation' in mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid Drozd.#1098.

  • Fixed decryption of zero length messages (which contain all padding) when a CBC based ciphersuite was used together with Encrypt-then-MAC. Previously, such a message was wrongly reported as an invalid record and therefore lead to the connection being terminated. This was seen most often with OpenSSL using TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix contributed by Espressif Systems. #1632.

  • Fixed the ssl_client2 example to send application data with 0-length content when the request_size argument is set to 0 as stated in the documentation. #1833.

  • Corrected the documentation for mbedtls_ssl_get_session(). This API has deep copy of the session, and the peer certificate is not lost. #926.

Changes

  • Fails when receiving a TLS alert message with an invalid length, or invalid zero-length messages when using TLS 1.2. Contributed by Espressif Systems.

  • Change the shebang line in Perl scripts to look up perl in the PATH. Contributed by fbrosson.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.

Assets 2
Loading

Mbed TLS 2.12.0

26 Jul 20:08
@simonbutcher simonbutcher
mbedtls-2.12.0
6c34268
Compare
Choose a tag to compare
Mbed TLS 2.12.0

Mbed TLS 2.12.0

Description

Mbed TLS 2.12.0 introduces some significant new features, such as support for the Chacha20 and Poly1305 cryptographic primitives and their associated ciphersuites. When hardware-accelerated AES is unavailable, Chacha20-Poly1305 performs better than software-implemented AES-GCM. Mbed TLS 2.12.0 also introduces AES based key wrapping as defined by NIST SP 800-38F, and the ability to independently define the size of the receive and transmit buffers to allow further memory optimization on constrained targets.

This release also addresses some significant security issues and resolves multiple defects. Some of the security issues addressed in this release are also significant and have been assigned the CVE codes, CVE-2018-0497 and CVE-2018-0498 and for which security advisories are being provided.

Security

  • Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certains conditions by exploiting timing side-channels. With DTLS, the attacker could perform this recovery by sending many messages in the same connection. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example a HTTP cookie) has been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC, or using hash sizes other than SHA-384, or using Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was caused by a miscalculation for SHA-384 in a countermeasure to the original Lucky 13 attack. This issue has been allocated CVE-2018-0497. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

  • Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions by using a cache attack targetting an internal MD/SHA buffer. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example a HTTP cookie) has been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. This issue along with the cache side-channel below has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

  • Added a counter-measure against a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker with the ability to execute code on the local machine as well as manipulate network packets, to partially recover the plaintext of messages certain conditions (see previous entry) by using a cache attack targeting the SSL input record buffer. Connections using GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. This issue along with the cache side-channel above has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

Features

  • Added new cryptographic primitives, the stream cipher Chacha20, one-time authenticator Poly1305 and AEAD construct Chacha20-Poly1305, as defined in RFC 7539. Contributed by Daniel King.

  • Added support for the CHACHA20-POLY1305 ciphersuites from RFC 7905.

  • Made the receive and transmit buffers independently configurable in size, for situations where the outgoing buffer can be fixed at a smaller size than the incoming buffer. On constrained platforms, this can be used to reduce RAM usage. When buffer lengths are kept the same size, there is no functional difference to the previous functionality. Contributed by Angus Gratton, and also independently contributed again by Paul Sokolovsky.

  • Added support for the AES based key wrapping modes defined by NIST SP 800-38F algorithms KW and KWP and by RFC's 3394 and 5649.

  • Added platform support for the Haiku OS. Contributed by Augustin Cavalier.

Bugfix

  • Fixed the key_app_writer example which was creating an invalid ASN.1 tag by writing an additional leading zero byte. Found by Aryeh R. #1257.

  • Fixed a C++ compilation error, caused by a variable named new. Found and fixed by Hirotaka Niisato. #1783.

  • Fixed the "no symbols" warning issued by ranlib when building on Mac OS X. Fix contributed by tabascoeye.

  • Clarified documentation for mbedtls_ssl_write() to include 0 as a valid return value. Found by @davidwu2000. #839.

  • Fixed a memory leak in mbedtls_x509_csr_parse(). Found and fixed by catenacyber, Philippe Antoine. #1623.

  • Added length checks to some TLS parsing functions. Found and fixed by Philippe Antoine from Catena cyber. #1663.

  • Remove unused headers included in x509.c. Found by Chris Hanson and fixed by Brendan Shanks. #992.

  • Fixed compilation error when MBEDTLS_ARC4_C is disabled and MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.

  • Fixed the inline assembly for the MPI multiply helper function for i386 and i386 with SSE2. Found by László Langó. #1550.

  • Fixed the namespacing in header files. Remove the mbedtls namespacing in the #include in the header files. #857.

  • Fixed a compiler warning of 'use before initialisation' in mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid Drozd.#1098.

  • Fixed decryption of zero length messages (which contain all padding) when a CBC based ciphersuite was used together with Encrypt-then-MAC. Previously, such a message was wrongly reported as an invalid record and therefore lead to the connection being terminated. This was seen most often with OpenSSL using TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix contributed by Espressif Systems. #1632.

  • Fixed the ssl_client2 example to send application data with 0-length content when the request_size argument is set to 0 as stated in the documentation. #1833.

  • Corrected the documentation for mbedtls_ssl_get_session(). This API has deep copy of the session, and the peer certificate is not lost. #926.

  • Fixed issues when building to the C99 standard, using -std=c99. Fixed by Nick Wilson.

Changes

  • Fails when receiving a TLS alert message with an invalid length, or invalid zero-length messages when using TLS 1.2. Contributed by Espressif Systems.

  • Changed the default behaviour of mbedtls_hkdf_extract() to return an error when calling with a NULL salt and non-zero salt length. Contributed by Brian J Murray

  • Change the shebang line in Perl scripts to look up perl in the PATH. Contributed by fbrosson.

  • Allow overriding the time on Windows via the platform-time abstraction. Fixed by Nick Wilson.

  • Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.

Assets 2
Loading

Mbed TLS 2.1.14

26 Jul 21:19
@simonbutcher simonbutcher
mbedtls-2.1.14
2f7f2b1
Compare
Choose a tag to compare
Mbed TLS 2.1.14

Mbed TLS 2.1.14

Description

Mbed TLS 2.1.14 is a maintenance release, and contains no new features. It addresses some significant security issues and resolves multiple defects. Some of the security issues addressed in this release are also significant and have been assigned the CVE codes, CVE-2018-0497 and CVE-2018-0498 and for which security advisories are being provided.

Security

  • Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certains conditions by exploiting timing side-channels. With DTLS, the attacker could perform this recovery by sending many messages in the same connection. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example a HTTP cookie) has been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC, or using hash sizes other than SHA-384, or using Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was caused by a miscalculation for SHA-384 in a countermeasure to the original Lucky 13 attack. This issue has been allocated CVE-2018-0497. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

  • Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions by using a cache attack targetting an internal MD/SHA buffer. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example a HTTP cookie) has been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. This issue along with the cache side-channel below has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

  • Added a counter-measure against a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker with the ability to execute code on the local machine as well as manipulate network packets, to partially recover the plaintext of messages certain conditions (see previous entry) by using a cache attack targeting the SSL input record buffer. Connections using GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. This issue along with the cache side-channel above has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

Bugfix

  • Fixed the key_app_writer example which was creating an invalid ASN.1 tag by writing an additional leading zero byte. Found by Aryeh R. #1257.

  • Fixed a C++ compilation error, caused by a variable named new. Found and fixed by Hirotaka Niisato. #1783.

  • Clarified documentation for mbedtls_ssl_write() to include 0 as a valid return value. Found by @davidwu2000. #839.

  • Fixed a memory leak in mbedtls_x509_csr_parse(). Found and fixed by catenacyber, Philippe Antoine. #1623.

  • Added length checks to some TLS parsing functions. Found and fixed by Philippe Antoine from Catena cyber. #1663.

  • Remove unused headers included in x509.c. Found by Chris Hanson and fixed by Brendan Shanks. #992.

  • Fixed compilation error when MBEDTLS_ARC4_C is disabled and MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.

  • Fixed the inline assembly for the MPI multiply helper function for i386 and i386 with SSE2. Found by László Langó. #1550.

  • Fixed the namespacing in header files. Remove the mbedtls namespacing in the #include in the header files. #857.

  • Fixed decryption of zero length messages (which contain all padding) when a CBC based ciphersuite was used together with Encrypt-then-MAC. Previously, such a message was wrongly reported as an invalid record and therefore lead to the connection being terminated. This was seen most often with OpenSSL using TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix contributed by Espressif Systems. #1632.

  • Fixed the ssl_client2 example to send application data with 0-length content when the request_size argument is set to 0 as stated in the documentation. #1833.

  • Corrected the documentation for mbedtls_ssl_get_session(). This API has deep copy of the session, and the peer certificate is not lost. #926.

Changes

  • Fails when receiving a TLS alert message with an invalid length, or invalid zero-length messages when using TLS 1.2. Contributed by Espressif Systems.

  • Change the shebang line in Perl scripts to look up perl in the PATH. Contributed by fbrosson.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.

Assets 2
Loading