mbed TLS 1.3.10 has been released!
Wait, what? mbed TLS? Yes!
As part of the acquisition by ARM, PolarSSL has been rebranded as of today to mbed TLS to better show its fit inside the mbed ecosystem. You can read more about that in my blog post on the mbed Community site and in the official press release.
On the security front this release fixes the (mis-numbered) Security Advisory 2014-04. In addition it fixes two related memory leaks also found by Codenomicon Defensics and a theoretical timing-based Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges.
New features include support for the new TLS extensions FALLBACK_SCSV, Extended Master Secret and Encrypt-then-MAC.
In addition a number of bugs were fixed and default behaviour of the library was changed to provide more secure defaults.
Security Advisory 2014-04 was published two weeks ago to release a one-line fix for a potential remote code execution issue. In that same run Codenomicon Defensics found a potential remote memory leak (mind you, not a data leak), and a remote stack overflow (not a stack-based buffer overflow).
Sebastian Schinzel pointed us to a paper he co-authored describing a Bleichenbacher-style attack on the RSA and RSA-PSK key exchanges. The attack builds on top of a timing difference in the handshake when decrypting the PreMasterSecret. Since we carefully check for full PKCS#1 v1.5 and TLS compliance, the oracle provided by our timing difference is actually too weak to be exploitable in practice (would require upwards of 10^12 interactions in an ideal environment). Furthermore, our timings show that our side-channel is quite small (specifically, it is less than 3 microseconds) which means even more interactions would be required in a production environment. Then again, the potential is there, so we modified our code to now have a constant-time process.
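The constant-time approach described above, as an added illustration that is not mbed TLS code: instead of exiting early on bad PKCS#1 v1.5 padding, a wrong length or a wrong version, every check is folded into a single mask and the result is selected branch-free between the decrypted bytes and a random premaster secret drawn before the decryption. The helper names (`ct_is_zero`, `ct_select_premaster`, `ct_select_selftest`) and the calling convention are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PMS_LEN 48  /* the TLS RSA premaster secret is always 48 bytes */

/* Returns 0xFF if x == 0 and 0x00 otherwise, without a data-dependent branch. */
static unsigned char ct_is_zero(uint64_t x)
{
    uint64_t nonzero = (x | (0 - x)) >> 63;   /* 1 if x != 0, else 0 */
    return (unsigned char)(nonzero - 1);      /* 0 -> 0xFF, 1 -> 0x00 */
}

/*
 * Hypothetical helper (not the library's own API).
 *   decrypted  : PMS_LEN-byte buffer with the PKCS#1 v1.5 unpadding output; the
 *                caller must always pass a full buffer, even when unpadding failed
 *   unpad_ret  : return code of the unpadding routine (0 = padding was valid)
 *   unpad_len  : plaintext length reported by the unpadding routine
 *   fake       : PMS_LEN random bytes drawn BEFORE the RSA decryption
 *   major/minor: protocol version the client offered in its ClientHello
 * Valid and invalid ciphertexts take the same path; a wrong secret simply makes
 * the Finished message fail later, which is the behaviour TLS prescribes.
 */
void ct_select_premaster(const unsigned char decrypted[PMS_LEN],
                         int unpad_ret, size_t unpad_len,
                         const unsigned char fake[PMS_LEN],
                         unsigned char major, unsigned char minor,
                         unsigned char out[PMS_LEN])
{
    unsigned char mask = ct_is_zero((uint64_t)(uint32_t)unpad_ret);
    mask &= ct_is_zero((uint64_t)unpad_len ^ PMS_LEN);
    mask &= ct_is_zero(decrypted[0] ^ major);   /* version check is part of the */
    mask &= ct_is_zero(decrypted[1] ^ minor);   /* mask, not a separate early exit */
    for (size_t i = 0; i < PMS_LEN; i++)
        out[i] = (unsigned char)((decrypted[i] & mask) | (fake[i] & (unsigned char)~mask));
}

/* Constructed self-check: a valid 48-byte PMS for TLS 1.2 (0x03,0x03) is kept;
   a bad padding code, a wrong length or a wrong version each yield the fake PMS. */
int ct_select_selftest(void)
{
    unsigned char real[PMS_LEN], fake[PMS_LEN], out[PMS_LEN];
    for (int i = 0; i < PMS_LEN; i++) { real[i] = (unsigned char)i; fake[i] = 0xAA; }
    real[0] = 0x03; real[1] = 0x03;
    ct_select_premaster(real, 0, PMS_LEN, fake, 3, 3, out);
    if (memcmp(out, real, PMS_LEN) != 0) return 0;
    ct_select_premaster(real, -1, PMS_LEN, fake, 3, 3, out);     /* bad padding   */
    if (memcmp(out, fake, PMS_LEN) != 0) return 0;
    ct_select_premaster(real, 0, PMS_LEN - 1, fake, 3, 3, out);  /* wrong length  */
    if (memcmp(out, fake, PMS_LEN) != 0) return 0;
    ct_select_premaster(real, 0, PMS_LEN, fake, 3, 1, out);      /* wrong version */
    return memcmp(out, fake, PMS_LEN) == 0;
}
```

Whether C like this stays constant-time after optimisation depends on the compiler, so a real implementation is checked at the generated-code level, not only at the source level.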
This release primarily adds support for the FALLBACK_SCSV extension, the Extended Master Secret extension and the Encrypt-then-MAC extension.
In addition, to limit the attack surface, you can now disable support for renegotiation at compile time and limit the length of an X.509 verification chain.
For specific situations, you can now use 1/n-1 record splitting, and the server now selects certificates based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available.
More features can be found in the ChangeLog.
Important changes in this release include:
- Use deterministic nonces for AEAD ciphers in TLS by default (possible to switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
- Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
- ssl_set_own_cert() now returns an error on key-certificate mismatch.
- Forbid repeated extensions in X.509 certificates.
- debug_print_buf() now prints a text view in addition to hexadecimal.
- A specific error is now returned when there are ciphersuites in common but none of them is usable due to external factors such as no certificate with a suitable (extended) KeyUsage or curve, or no PSK set.
- It is now possible to disable negotiation of truncated HMAC server-side at runtime with
- Example programs for SSL client and server now disable SSLv3 by default.
- Example programs for SSL client and server now disable RC4 by default.
- Use platform.h in all test suites and programs.
- Stack buffer overflow if ctr_drbg_update() is called with too large add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
- Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE if memory_buffer_alloc_init() was called with buf not aligned and len not a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
- User-set CFLAGS were ignored by CMake with gcc (introduced in 1.3.9, found by Julian Ospald).
- Fix potential undefined behaviour in Camellia.
- Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a multiple of 8 (found by Gergely Budai).
- Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic).
- Fix assembly selection for MIPS64 (thanks to James Cowgill).
- ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson).
- Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.)
- On a 0-length input, base64_encode() did not correctly set the output length (found by Hendrik van den Boogaard).
More details can be found in the ChangeLog.
Who should update
We advise users of PolarSSL to update if they:
- use any version of the earlier PolarSSL library
Get your copy here: mbedtls-1.3.10-gpl.tgz
The hashes for mbedtls-1.3.10-gpl.tgz are:
SHA-1 : a3a94c7fd70ed173543a6024961407336a03b838
SHA-256: 746fd88e0c6623691fc56c4eed52e40a57b2da0ac80f6dd8995094aa6adb407e
Note: these hashes are for the current tarball (released 2015-02-16), which fixes the soname that had not been properly updated in the original tarball with make (cmake had the correct version). For reference, the original hashes were:
SHA-1 : 9eddfd8cfd5e6e05f78d7890852620d7c1f21baf
SHA-256: d221b02acc96fda8259d9e57798dee9de72977902afb0c63e552b5510c6503a3