Mbed TLS 2.12.0, 2.7.5 and 2.1.14 released

Description

Mbed TLS version 2.12.0 has now been released, together with the maintenance releases Mbed TLS 2.7.5 and Mbed TLS 2.1.14 for the 2.7 and 2.1 branches.

Mbed TLS 2.12.0 introduces some significant new features, such as support for the Chacha20 and Poly1305 cryptographic primitives and their associated ciphersuites. When hardware-accelerated AES is unavailable, Chacha20-Poly1305 performs better than software-implemented AES-GCM. Mbed TLS 2.12.0 also introduces AES-based key wrapping as defined by NIST SP 800-38F, and the ability to define the sizes of the receive and transmit buffers independently, which allows further memory optimization on constrained targets.
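
As an added example, written for this page and not code from Mbed TLS, the Go program below implements the RFC 7539 ChaCha20-Poly1305 construction that the new ciphersuites use, so the parts that matter for security are visible: the Poly1305 one-time key is ChaCha20 keystream block 0, encryption starts at block 1, the tag covers the AAD and the ciphertext each zero-padded to 16 bytes followed by their lengths, and decryption compares the tag in constant time and returns no plaintext on failure. The function names (aeadSeal, aeadOpen, and the helpers) are this example's own, not Mbed TLS API; Poly1305 is done with math/big for readability and is therefore not constant time; the inputs in main are the RFC 7539 section 2.8.2 test vector.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"math/bits"
)

// quarterRound is the ChaCha mixing step on four state words (RFC 7539 2.1).
func quarterRound(s *[16]uint32, a, b, c, d int) {
	s[a] += s[b]; s[d] = bits.RotateLeft32(s[d]^s[a], 16)
	s[c] += s[d]; s[b] = bits.RotateLeft32(s[b]^s[c], 12)
	s[a] += s[b]; s[d] = bits.RotateLeft32(s[d]^s[a], 8)
	s[c] += s[d]; s[b] = bits.RotateLeft32(s[b]^s[c], 7)
}

// chachaBlock returns keystream block number counter for a 32-byte key and a
// 12-byte nonce (RFC 7539 2.3): constants, key, counter, nonce; 20 rounds; feed-forward.
func chachaBlock(key, nonce []byte, counter uint32) (out [64]byte) {
	st := [16]uint32{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}
	for i := 0; i < 8; i++ {
		st[4+i] = binary.LittleEndian.Uint32(key[4*i:])
	}
	st[12] = counter
	for i := 0; i < 3; i++ {
		st[13+i] = binary.LittleEndian.Uint32(nonce[4*i:])
	}
	w := st
	for i := 0; i < 10; i++ { // one double round: four column, then four diagonal quarter rounds
		quarterRound(&w, 0, 4, 8, 12); quarterRound(&w, 1, 5, 9, 13)
		quarterRound(&w, 2, 6, 10, 14); quarterRound(&w, 3, 7, 11, 15)
		quarterRound(&w, 0, 5, 10, 15); quarterRound(&w, 1, 6, 11, 12)
		quarterRound(&w, 2, 7, 8, 13); quarterRound(&w, 3, 4, 9, 14)
	}
	for i := range w {
		binary.LittleEndian.PutUint32(out[4*i:], w[i]+st[i])
	}
	return out
}

// chacha20 XORs in with keystream blocks starting at block number counter.
func chacha20(key, nonce []byte, counter uint32, in []byte) []byte {
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += 64 {
		ks := chachaBlock(key, nonce, counter+uint32(off/64))
		for i := off; i < len(in) && i < off+64; i++ {
			out[i] = in[i] ^ ks[i-off]
		}
	}
	return out
}

var (
	polyP        = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 130), big.NewInt(5)) // 2^130 - 5
	polyClamp, _ = new(big.Int).SetString("0ffffffc0ffffffc0ffffffc0fffffff", 16)
	two128       = new(big.Int).Lsh(big.NewInt(1), 128)
)

// rev reverses b into a new slice: Poly1305 numbers are little-endian,
// math/big works big-endian.
func rev(b []byte) []byte {
	r := make([]byte, len(b))
	for i, v := range b {
		r[len(b)-1-i] = v
	}
	return r
}

// poly1305 is the one-time authenticator of RFC 7539 2.5 under key r || s.
// math/big keeps it readable but not constant time; production code must not leak r or the message.
func poly1305(key, msg []byte) []byte {
	r := new(big.Int).And(new(big.Int).SetBytes(rev(key[:16])), polyClamp)
	acc := new(big.Int)
	for i := 0; i < len(msg); i += 16 {
		end := i + 16
		if end > len(msg) {
			end = len(msg)
		}
		n := new(big.Int).SetBytes(rev(msg[i:end]))
		n.SetBit(n, 8*(end-i), 1) // the 0x01 byte appended to every block, full or short
		acc.Add(acc, n).Mul(acc, r).Mod(acc, polyP)
	}
	acc.Add(acc, new(big.Int).SetBytes(rev(key[16:32]))).Mod(acc, two128)
	return rev(acc.FillBytes(make([]byte, 16)))
}

// macData is the Poly1305 input of RFC 7539 2.8: AAD and ciphertext each
// zero-padded to a 16-byte boundary, then both lengths as 64-bit little-endian.
func macData(aad, ct []byte) []byte {
	m := append(append([]byte{}, aad...), make([]byte, (16-len(aad)%16)%16)...)
	m = append(append(m, ct...), make([]byte, (16-len(ct)%16)%16)...)
	var lens [16]byte
	binary.LittleEndian.PutUint64(lens[:8], uint64(len(aad)))
	binary.LittleEndian.PutUint64(lens[8:], uint64(len(ct)))
	return append(m, lens[:]...)
}

// aeadSeal encrypts pt and tags aad || ct. The Poly1305 one-time key is keystream
// block 0 and encryption starts at block 1, so the key and the keystream never overlap.
func aeadSeal(key, nonce, aad, pt []byte) (ct, tag []byte) {
	otk := chachaBlock(key, nonce, 0)
	ct = chacha20(key, nonce, 1, pt)
	return ct, poly1305(otk[:32], macData(aad, ct))
}

// aeadOpen checks the tag in constant time before decrypting, so a forged
// record yields an error and never any plaintext.
func aeadOpen(key, nonce, aad, ct, tag []byte) ([]byte, error) {
	otk := chachaBlock(key, nonce, 0)
	if subtle.ConstantTimeCompare(tag, poly1305(otk[:32], macData(aad, ct))) != 1 {
		return nil, errors.New("chacha20poly1305: authentication failed")
	}
	return chacha20(key, nonce, 1, ct), nil
}

func main() { // inputs are the RFC 7539 section 2.8.2 test vector
	key, _ := hex.DecodeString("808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f")
	nonce, _ := hex.DecodeString("070000004041424344454647")
	aad, _ := hex.DecodeString("50515253c0c1c2c3c4c5c6c7")
	pt := []byte("Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it.")
	ct, tag := aeadSeal(key, nonce, aad, pt)
	fmt.Printf("ciphertext: %x\ntag: %x\n", ct, tag)
}
```

The order in aeadOpen is the point a reviewer looks for: verify first, decrypt second, and return nothing on a mismatch. Releasing plaintext before the tag check, or comparing the tag with a byte-by-byte early-exit loop, turns an AEAD back into a malleable stream cipher.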

This release also addresses some significant security issues and resolves multiple defects. Mbed TLS 2.7.5 and 2.1.14 are maintenance releases and intentionally contain no new features, so that the library interface is unchanged and users can move between library versions easily.

The most significant security issues addressed in this release have been assigned the CVE identifiers CVE-2018-0497 and CVE-2018-0498, and security advisories are being provided for both.

Security

  • (2.12, 2.7, 2.1) Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certain conditions by exploiting timing side-channels. With DTLS, the attacker could perform this recovery by sending many messages in the same connection. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example a HTTP cookie) had been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC, or using hash sizes other than SHA-384, or using Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was caused by a miscalculation for SHA-384 in a countermeasure to the original Lucky 13 attack. This issue has been allocated CVE-2018-0497. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

  • (2.12, 2.7, 2.1) Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions by using a cache attack targeting an internal MD/SHA buffer. With TLS or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if the same secret (for example a HTTP cookie) had been repeatedly sent over connections manipulated by the attacker. Connections using GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. This issue along with the cache side-channel below has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.

  • (2.12, 2.7, 2.1) Added a counter-measure against a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker with the ability to execute code on the local machine as well as manipulate network packets, to partially recover the plaintext of messages under certain conditions (see previous entry) by using a cache attack targeting the SSL input record buffer. Connections using GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. This issue along with the cache side-channel above has been allocated CVE-2018-0498. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
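
The first entry above (CVE-2018-0497) says only that a Lucky 13 countermeasure miscalculated for SHA-384. The standard countermeasure in CBC-HMAC record processing pads the MAC verification with dummy hash compression-function calls so that the total work does not depend on the padding length the decryption found, and the number of dummy calls depends on the hash's compression block size and length-field size: 64 and 8 bytes for MD5, SHA-1 and SHA-256, but 128 and 16 bytes for SHA-384. The Go program below is an added illustration of that arithmetic, not Mbed TLS code; it assumes the countermeasure is of that standard form, models the compression-call count from those two parameters, and checks whether, for a fixed record length, the total work is the same for every split between plaintext and padding. The 13-byte MAC header is the TLS 1.0-1.2 additional data; the function and variable names are this example's own.

```go
package main

import "fmt"

// mdParams holds the two Merkle-Damgard parameters that decide how many
// compression-function calls HMAC spends on an input.
type mdParams struct {
	name     string
	blockLen int // bytes per compression block
	lenField int // bytes of message-length encoding in the final padded block
}

var (
	sha256Params = mdParams{"SHA-256", 64, 8}   // same geometry as MD5 and SHA-1
	sha384Params = mdParams{"SHA-384", 128, 16} // SHA-512 family
)

// tlsMACHeader is the 13 bytes of additional data (sequence number, type,
// version, length) that TLS 1.0-1.2 MAC together with the plaintext.
const tlsMACHeader = 13

// compressionBlocks returns how many compression-function calls the inner hash
// of HMAC needs for n bytes of data (key block not counted): the data is
// followed by 0x80, zero padding and the length field, rounded up to a block.
func compressionBlocks(md mdParams, n int) int {
	return (n+md.lenField)/md.blockLen + 1
}

// extraRuns is the number of dummy compression calls the countermeasure adds
// after MACing msgLen plaintext bytes, chosen so the total matches the work of
// MACing the record as if all padLen padding bytes had been plaintext.
// assumed is the hash geometry the countermeasure's formula was written for.
func extraRuns(assumed mdParams, msgLen, padLen int) int {
	return compressionBlocks(assumed, tlsMACHeader+msgLen+padLen) -
		compressionBlocks(assumed, tlsMACHeader+msgLen)
}

// totalRuns is the compression work actually spent: the real MAC check with
// the ciphersuite's hash plus the countermeasure's dummy runs.
func totalRuns(actual, assumed mdParams, msgLen, padLen int) int {
	return compressionBlocks(actual, tlsMACHeader+msgLen) + extraRuns(assumed, msgLen, padLen)
}

// paddingIndependent reports whether, for a decrypted record of recLen bytes
// (plaintext plus padding, MAC excluded), the total work is the same for every
// split between plaintext and padding. If it is not, an attacker who can
// submit modified records learns the padding length, and so plaintext bytes,
// from the timing of the MAC check.
func paddingIndependent(actual, assumed mdParams, recLen int) bool {
	ref := totalRuns(actual, assumed, recLen, 0)
	for padLen := 1; padLen <= recLen && padLen <= 256; padLen++ {
		if totalRuns(actual, assumed, recLen-padLen, padLen) != ref {
			return false
		}
	}
	return true
}

func main() {
	const recLen = 100
	cases := []struct{ actual, assumed mdParams }{
		{sha256Params, sha256Params}, // formula matches the suite's hash
		{sha384Params, sha256Params}, // 64/8 formula applied to a SHA-384 suite
		{sha384Params, sha384Params}, // 128/16 formula for a SHA-384 suite
	}
	for _, c := range cases {
		fmt.Printf("%-7s suite, formula for %-7s geometry: padding-independent=%v\n",
			c.actual.name, c.assumed.name, paddingIndependent(c.actual, c.assumed, recLen))
	}
}
```

Only the middle case leaks: with 64-byte-block arithmetic the dummy runs are sometimes zero where a SHA-384 record would have crossed a 128-byte boundary, so the number of compression calls, and hence the time, varies with the padding length. The fix is simply to derive the dummy-run count from the hash actually negotiated.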

Features

  • (2.12) Added new cryptographic primitives, the stream cipher Chacha20, one-time authenticator Poly1305 and AEAD construct Chacha20-Poly1305, as defined in RFC 7539. Contributed by Daniel King.

  • (2.12) Added support for the CHACHA20-POLY1305 ciphersuites from RFC 7905.

  • (2.12) Made the receive and transmit buffers independently configurable in size, for situations where the outgoing buffer can be fixed at a smaller size than the incoming buffer. On constrained platforms, this can be used to reduce RAM usage. When buffer lengths are kept the same size, there is no functional difference to the previous functionality. Contributed by Angus Gratton, and also independently contributed again by Paul Sokolovsky.

  • (2.12) Added support for the AES-based key wrapping modes KW and KWP, as defined by NIST SP 800-38F and by RFCs 3394 and 5649.

  • (2.12) Added platform support for the Haiku OS. Contributed by Augustin Cavalier.
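
Key wrapping gets its integrity entirely from the checks done on unwrap, and KWP has a separate single-block path that is easy to forget, so as an added example, written for this page and not Mbed TLS code, here is a Go implementation of KW and KWP using the standard library's AES as the block cipher. The function names (wrapCore, kwWrap, kwpUnwrap and so on) are this example's own. main wraps the RFC 3394 section 4.1 test vector and a constructed 7-byte key, which takes KWP's single-semiblock path.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	kwIV         = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6} // KW default IV (RFC 3394)
	kwpIVPrefix  = []byte{0xA6, 0x59, 0x59, 0xA6}                         // KWP alternative IV, high half (RFC 5649)
	errIntegrity = errors.New("key unwrap: integrity check failed")
)

// wrapCore is the W function of SP 800-38F 6.1 / RFC 3394 2.2.1: six passes of
// AES over A || R[i], XORing the step counter t into A after each block.
func wrapCore(kek, iv, p []byte) ([]byte, error) {
	if len(p)%8 != 0 || len(p) < 16 {
		return nil, errors.New("key wrap: input must be at least two whole semiblocks")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n, a, r := len(p)/8, append([]byte{}, iv...), append([]byte{}, p...)
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a)
			copy(b[8:], r[8*i:8*i+8])
			block.Encrypt(b[:], b[:])
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(b[:8])^uint64(n*j+i+1))
			copy(r[8*i:], b[8:])
		}
	}
	return append(a, r...), nil
}

// unwrapCore inverts wrapCore and returns the recovered IV and plaintext;
// the caller decides whether the IV is acceptable.
func unwrapCore(kek, c []byte) ([]byte, []byte, error) {
	if len(c)%8 != 0 || len(c) < 24 {
		return nil, nil, errIntegrity
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, nil, err
	}
	n, a, r := len(c)/8-1, append([]byte{}, c[:8]...), append([]byte{}, c[8:]...)
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i+1))
			copy(b[8:], r[8*i:8*i+8])
			block.Decrypt(b[:], b[:])
			copy(a, b[:8])
			copy(r[8*i:], b[8:])
		}
	}
	return a, r, nil
}

// KW (SP 800-38F 6.2, RFC 3394): whole semiblocks in, and integrity comes
// from the fixed IV surviving the unwrap.
func kwWrap(kek, p []byte) ([]byte, error) { return wrapCore(kek, kwIV, p) }

func kwUnwrap(kek, c []byte) ([]byte, error) {
	a, p, err := unwrapCore(kek, c)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(a, kwIV) != 1 {
		return nil, errIntegrity
	}
	return p, nil
}

// KWP (SP 800-38F 6.3, RFC 5649): the IV carries the byte length, the input is
// zero-padded to a semiblock boundary, and a single padded semiblock is
// processed with one raw AES call instead of the W function.
func kwpWrap(kek, p []byte) ([]byte, error) {
	aiv := make([]byte, 8)
	copy(aiv, kwpIVPrefix)
	binary.BigEndian.PutUint32(aiv[4:], uint32(len(p)))
	padded := append(append([]byte{}, p...), make([]byte, (8-len(p)%8)%8)...)
	if len(padded) != 8 {
		return wrapCore(kek, aiv, padded)
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	block.Encrypt(out, append(aiv, padded...))
	return out, nil
}

func kwpUnwrap(kek, c []byte) ([]byte, error) {
	var a, p []byte
	if len(c) == 16 {
		block, err := aes.NewCipher(kek)
		if err != nil {
			return nil, err
		}
		buf := make([]byte, 16)
		block.Decrypt(buf, c)
		a, p = buf[:8], buf[8:]
	} else {
		var err error
		if a, p, err = unwrapCore(kek, c); err != nil {
			return nil, err
		}
	}
	// All three checks are required: the prefix, the length against the number
	// of semiblocks (so the output cannot be truncated), and all-zero padding.
	mli := int(binary.BigEndian.Uint32(a[4:]))
	if subtle.ConstantTimeCompare(a[:4], kwpIVPrefix) != 1 || mli <= len(p)-8 || mli > len(p) ||
		subtle.ConstantTimeCompare(p[mli:], make([]byte, len(p)-mli)) != 1 {
		return nil, errIntegrity
	}
	return p[:mli], nil
}

func main() {
	kek, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	key, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	wrapped, _ := kwWrap(kek, key) // RFC 3394 section 4.1 test vector
	fmt.Printf("KW:  %x\n", wrapped)
	short, _ := kwpWrap(kek, []byte("7 bytes")) // constructed 7-byte key: single-block KWP path
	fmt.Printf("KWP: %x\n", short)
}
```

Note that KW offers no integrity for anything but the wrapped key itself and no protection against replay; it is a key-transport primitive, not a general AEAD, and a wrapped key should still be bound to its context (key identifier, purpose) by whatever protocol carries it.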

Bugfix

  • (2.12, 2.7, 2.1) Fixed the key_app_writer example which was creating an invalid ASN.1 tag by writing an additional leading zero byte. Found by Aryeh R. #1257.

  • (2.12, 2.7, 2.1) Fixed a C++ compilation error, caused by a variable named new. Found and fixed by Hirotaka Niisato. #1783.

  • (2.12) Fixed the "no symbols" warning issued by ranlib when building on Mac OS X. Fix contributed by tabascoeye.

  • (2.12, 2.7, 2.1) Clarified documentation for mbedtls_ssl_write() to include 0 as a valid return value. Found by @davidwu2000. #839.

  • (2.12, 2.7, 2.1) Fixed a memory leak in mbedtls_x509_csr_parse(). Found and fixed by catenacyber, Philippe Antoine. #1623.

  • (2.12, 2.7, 2.1) Added length checks to some TLS parsing functions. Found and fixed by Philippe Antoine from Catena cyber. #1663.

  • (2.12, 2.7, 2.1) Removed unused headers included in x509.c. Found by Chris Hanson and fixed by Brendan Shanks. #992.

  • (2.12, 2.7, 2.1) Fixed compilation error when MBEDTLS_ARC4_C is disabled and MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.

  • (2.12, 2.7, 2.1) Fixed the inline assembly for the MPI multiply helper function for i386 and i386 with SSE2. Found by László Langó. #1550.

  • (2.12, 2.7, 2.1) Fixed the namespacing in header files by removing the mbedtls namespacing from the #include directives in the header files. #857.

  • (2.12, 2.7) Fixed a compiler warning of 'use before initialisation' in mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid Drozd. #1098.

  • (2.12, 2.7, 2.1) Fixed decryption of zero-length messages (which contain only padding) when a CBC-based ciphersuite was used together with Encrypt-then-MAC. Previously, such a message was wrongly reported as an invalid record and therefore led to the connection being terminated. This was seen most often with OpenSSL using TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix contributed by Espressif Systems. #1632.

  • (2.12, 2.7, 2.1) Fixed the ssl_client2 example to send application data with 0-length content when the request_size argument is set to 0 as stated in the documentation. #1833.

  • (2.12, 2.7, 2.1) Corrected the documentation for mbedtls_ssl_get_session(): this API makes a deep copy of the session, so the peer certificate is not lost. #926.

  • (2.12) Fixed issues when building to the C99 standard, using -std=c99. Fixed by Nick Wilson.

Changes

  • (2.12, 2.7, 2.1) The library now fails when it receives a TLS alert message with an invalid length, or an invalid zero-length message when using TLS 1.2. Contributed by Espressif Systems.

  • (2.12) Changed the default behaviour of mbedtls_hkdf_extract() to return an error when called with a NULL salt and a non-zero salt length. Contributed by Brian J Murray.

  • (2.12, 2.7, 2.1) Changed the shebang line in Perl scripts to look up perl in the PATH. Contributed by fbrosson.

  • (2.12) Allow overriding the time on Windows via the platform-time abstraction. Fixed by Nick Wilson.

  • (2.12) Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.

Who should update

We recommend that all users update, at an appropriate point in their development lifecycle, to take advantage of the bug fixes contained in this release.

Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases, as Mbed TLS 1.3 has now reached its end of life.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.

Hashes

The hashes for mbedtls-2.12.0-apache.tgz are:

SHA-1: 84a22632322326d71f9ba2769b2f13edf1f90620
SHA-256: a2bed048f41a19ec7b4dd2e96649145bbd68a6955c3b51aeb7ccbf8908c3ce97

The hashes for mbedtls-2.12.0-gpl.tgz are:

SHA-1: 0dc9860b91515efb37ea28d3a2b0f8becaa04c33
SHA-256: 8661d19a896a5a7a232ed01ac7f05cf0ec3514798f18076c2c9ef965fbeb5a28

The hashes for mbedtls-2.7.5-apache.tgz are:

SHA-1: 180ca49e2bb6df3826113781b793529a81427ce3
SHA-256: a1302ad9094aabb9880d2755927b466a6bac8e02b68e04dee77321f3859e9b40

The hashes for mbedtls-2.7.5-gpl.tgz are:

SHA-1: 0f74d60421f304155a9fdcdbfeccddc2852d5f82
SHA-256: e9d797ded824e1ca7516faab7fa3c4c73c5bc3199b832a06f61ee8709df71a69

The hashes for mbedtls-2.1.14-apache.tgz are:

SHA-1: 05e8ac23c5c81cd133028ea014121c820f33050b
SHA-256: 782c91948ff07e86f353b5f6f781556b13123dd6df7d5ee36fbed887dfc6c324

The hashes for mbedtls-2.1.14-gpl.tgz are:

SHA-1: 2773d99d8fa40d0fd7bea764d9535300b32ed2c3
SHA-256: b3ae8f9deb6941833fe47e6d6b231bd9e48844e50e9d093eb11a06bb95d610df

Section:
Releases

Last updated:
Jul 26, 2018